Exam AZ-303 topic 2 question 5 discussion

Correct answer is N, Y, Y. First box is No because User1 didn't get contributor role on RG1 directly. It was given to user1 as an inheritance from Management Group1. An inherited permission can be revoked only at the level where it was granted (Management Group1 in this case). So, there is no way to revoke this permission from user1 except revoking it at Management group level. I've tried this in my lab and this is the error received - "Inherited role assignments cannot be removed. Open the scope where the role was assigned and remove it from there."

Answer should No: As owner, you cannot remove inherited RBAC permission assignment. Yes: Contributor can action on resources on subscription Yes: Even if we have inherited role assignment, as owner you can provide higher (i.e. contributor) role to user and process role assignment to children resource (i.e resource group).

N - Inherited permission needs to be revoked at Management Group Y - Contributor role can delete VM Y- Owner can assign higher role than inherited

An inherited permission can be revoked only at the level where it was granted (Management Group1 in this case). "Inherited role assignments cannot be removed. Open the scope where the role was assigned and remove it from there."

On Exam, 28-03-2022

In the exam on 12-03-2022. Total 50 questions including case study. "Litware Acquired Fabricam" case study.

For box 1: Inherited permission needs to be revoked at Management Group and can't be deleted but can't we explicitly deny User 1 access on this RG. This will overwrite the contributor access . And change the answer to Y. Any comments ?

NYY, tested

The answer is No, Yes, Yes

The answer is NYY. The first is N because you can block an inherited permission only if you remove it from the level where it was defined.

I would say No Yes Yes

I would say No Yes Yes 1. Contributor role for User1 is inherited from ManagementGroup1. So, we cannot remove at the resource group level. 2. User2 is contributor for RG2. So, User2 can delete the VM2 that is inside RG2. 3. You can add a role at resource level though user has different inherited access

If you see a message that inherited role assignments cannot be removed, you are trying to remove a role assignment at a child scope. You should open Access control (IAM) at the scope where the role was assigned and try again. A quick way to open Access control (IAM) at the correct scope is to look at the Scope column and click the link next to (Inherited). https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-remove

Pass exam, come today in my exam 6/7/2021, answered NYY

N - Inherited permission needs to be revoked at Management Group Y - Contributor role can delete VM Y- Owner can assign higher role than inherited

Yes, Yes, Yes 1. Yes : Going between the question its stats that " You have the Owner role. You assign roles to users as shown in the following table." owner assigned the role, so owner can remove it 2. Yes : Since user 2 is having Contributor 3. Yes : Being a owner, You can also assigned Contributor role

The answer is N,Y,Y. Thats what I understood. 1) Inherited permission cannot be removed from the level which has inherited it from it's parent. 2) Contributor role on Management group, so yes, can delete VM 3) Azure says RBAC is additive , broader/higher access on parent level would be effective for all child, but a higher privilege in granular level/child level can overwrite parents least privilege. That means, Management Group has reader access for user A but we can assign User A contributor role in Subscription level and contributor would be effective role from Subscription and it's childs. Betamode is right I see.