Correct Answer: C Email will only be sent to Azure AD user members of the Monitoring Reader role. Email will not be sent to Azure AD groups or service principals. Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/action-groups https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups#email-azure-resource-manager-role

Answer is D. AG sends to users that have 'reader' role, User2 inherits that role through Group1 membership.

Correct answer is D. I have tested it in a lab. Logic of this alert is very simple. User1 received an email because he is directly assigned to the Monitoring Reader role (which is in Action group). User2 received alert because he has the same role as a User1, because he inherited this role from the Group1 assignment. It means, that notification was received not because Group1 was selected as a target of notifications in AG1 (1. Cuz it's not; 2. Group can't be assigned as an email receiver, because groups physically have no emails. Service Principals also can't have email address), but because of AG1 condition is set for Monitoring Reader role. Email was sent to User2, because User2 has the same role as a User1. Even if User1 is assigned directly and User2 inherit this role from his Group in AAD.

mlantonis Highly Voted 2 years, 6 months ago Correct Answer: C Email will only be sent to Azure AD user members of the Monitoring Reader role. Email will not be sent to Azure AD groups or service principals.

User1 and User2 are Azure AD users. User1 is directly assigned the Monitoring Reader role, and User2 is a member of Group1, which is also assigned the Monitoring Reader role. However, since emails are not sent to groups, we would not consider User2 despite their membership in Group1. Furthermore, since emails are not sent to service principals (like Principal1 and Principal2), they would also not receive the email. Thus, only the direct user members of the Monitoring Reader role will receive the email. Based on the information provided: The correct answer is: C. User1 only

User2 has Monitoring Reader role

"Send an email to the subscription members, based on their role. A notification email is sent only to the primary email address configured for the Azure AD user. The email is only sent to Azure Active Directory user members of the selected role, not to Azure AD groups or service principals. See Email." https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups#email-azure-resource-manager-role

Email will only be sent to Azure AD user members of the Monitoring Reader role. Email will not be sent to Azure AD groups or service principals. Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/action-groups https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups#email-azure-resource-manager-role

Agree with C as per explanation mlantonis. See; https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups#email-azure-resource-manager-role "Send an email to the subscription members, based on their role. A notification email is sent only to the primary email address configured for the Azure AD user. The email is only sent to Azure Active Directory user members of the selected role, not to Azure AD groups or service principals. See Email."

When you use Azure Resource Manager for email notifications, you can send email to the members of a subscription's role. Email is only sent to Azure Active Directory (Azure AD) user members of the role. Email isn't sent to Azure AD groups or service principals.

Correct Answer is C - User1 Only User1: User1 is assigned the Monitoring Reader role, so they will receive the email notification when Alert1 is triggered. User2: Although User2 is a user and a member of Group1, which is assigned the Monitoring Reader role, individual users take precedence over groups for email notifications. Therefore, User2 will not receive the email notification. Principal1: Principal1 is a Managed Identity and is not a member of any group. Therefore, Principal1 will not receive the email notification. Principal2: Principal2 is a Managed Identity and a member of Group1, which is assigned the Monitoring Reader role. However, individual users take precedence over groups for email notifications. Therefore, Principal2 will not receive the email notification. To summarize, only User1 will receive the email notification when Alert1 is triggered because they have the Monitoring Reader role assigned directly.

User1 and User2 only

I Lab'd this by creating a test user account and adding that test user to an azure group that had an Azure Role assignment setup against it (i happened to use the Contributor role, but it can be any role). The test user did NOT have any direct azure role assigned it it. I then setup an action group with the action to email the azure resource manager role (and selected contributor). I then tested the action group and a few minutes later the test email popped into the test users mailbox. This to me indicates that even though the role assignment is to a group, the users nested in that group would receive the alert from the action group. I would therefore suggest it is User 1 and User 2 in this scenario

in this scenario, User2 is a member of Group1, which is assigned the Monitoring Reader role. As a result, User2 will inherit the Monitoring Reader role from the group and will be able to receive email notifications when the alert rule named Alert1 is triggered.

If an email is not going to be sent to group1 in the first place ,so how is user2 as a member of the group going to receive the email?

Everyone be like "Email will not be sent to Azure AD groups or service principals." I be like, "What about Azure AD groups MEMBERS" Mail enabled groups exist, so they definitely wouldn't get any notification email from the above, but what about the members of the group, they inherit the assignment that would qualify them for the email? I think I have to assume it means both, the Group and its members leaving C the answer.

Correct Answer: D User1 and User2 only. To be precise, Managed Identities (Principal1 and Principal2)DO NOT HAVE an email address associated with them and therefore CANNOT receive email notifications from Azure Alerts. In this scenario, only User1 and User2 (as members of Group1) will receive email notifications when the Alert1 is triggered. User2 inherits the Monitoring Reader role from his group, Group1. In Azure Active Directory (Azure AD), you can assign roles to groups, and then add users as members to those groups. Members of a group will inherit the role assignments of the group, allowing you to manage role assignments for multiple users in a centralized way. So, in this scenario, User2 is a member of Group1, which is assigned the Monitoring Reader role. As a result, User2 will inherit the Monitoring Reader role from the group and will be able to receive email notifications when the alert rule named Alert1 is triggered.