Exam AZ-500 topic 2 question 47 discussion

Actual exam question from Microsoft's AZ-500
Question #: 47
Topic #: 2

You have an Azure subscription named Subscription1 that contains an Azure Active Directory (Azure AD) tenant named contoso.com and a resource group named RG1.
You create a custom role named Role1 for contoso.com.
Where can you use Role1 for permission delegation?

  • A. contoso.com only
  • B. contoso.com and RG1 only
  • C. contoso.com and Subscription1 only
  • D. contoso.com, RG1, and Subscription1
Suggested Answer: A

Comments

jpons
Highly Voted 3 years, 11 months ago
A - contoso.com only. Azure AD role permissions can't be used in Azure custom roles and vice versa. https://docs.microsoft.com/en-us/azure/active-directory/roles/custom-overview
upvoted 41 times
rawrkadia
3 years, 10 months ago
This is correct. Azure AD roles and Azure RBAC are totally different. If you create an AAD role it won't work for subscriptions/MG/RG
upvoted 3 times
...
Jacquesvz
3 years, 11 months ago
I agree with you, answer A. AD roles are different from RBAC roles. AD roles for domain, RBAC for Subscription and RGs. Still unsure about this one though, anyone else who has more concrete evidence?
upvoted 4 times
shnz03
3 years, 3 months ago
Just to add on the concept of access control for Azure AD and Azure resources: both are using the RBAC model. To think that the Azure AD method is NOT using RBAC is wrong. https://docs.microsoft.com/en-us/azure/active-directory/roles/custom-overview
The difference between these two role-based access control systems is:
- Azure AD roles control access to Azure AD resources such as users, groups, and applications using the Microsoft Graph API.
- Azure roles control access to Azure resources such as virtual machines or storage using Azure Resource Management.
upvoted 5 times
...
...
...
Rahulbard
Highly Voted 3 years, 11 months ago
Answer is D. Once a custom role is assigned to a user, the access can be at any level.
upvoted 26 times
pentium75
10 months, 3 weeks ago
You created a role in contoso.com (the Azure AD tenant), NOT Subscription1 (the Azure subscription). Thus it is an Azure AD role. You can't assign an Azure AD role to an Azure resource.
upvoted 1 times
...
duffrice
1 year, 8 months ago
https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles
upvoted 1 times
...
orcnylmz
2 years, 8 months ago
Agree with D. Every resource created in Azure is associated with a tenant. In this question it says the custom role was created for contoso.com; I understood it as an RBAC role in the contoso.com tenant. But the question is not so clear. I think you can understand it the other way around as well.
upvoted 2 times
pentium75
10 months, 3 weeks ago
No, contoso.com is the name of the Azure AD tenant, it is NOT an RBAC role in the Azure subscription
upvoted 1 times
...
...
...
mmmyo
Most Recent 1 month, 1 week ago
Selected Answer: A
When you create a custom role in Azure AD, it is scoped at the directory level (contoso.com) and can only be assigned within the Azure AD tenant. Unlike Azure RBAC roles, which apply to subscriptions, resource groups, and individual resources, Azure AD roles are specific to identity management and directory permissions.
upvoted 1 times
...
gauravwagh16193
2 months, 2 weeks ago
Selected Answer: D
You can use a custom role created for an Azure AD tenant across various scopes within that tenant. Specifically, custom roles can be assigned at the following levels:
- Tenant level (contoso.com)
- Resource group level (RG1)
- Subscription level (Subscription1)
Therefore, the correct answer is: D. contoso.com, RG1, and Subscription1
upvoted 1 times
...
rreghioua
4 months, 3 weeks ago
Selected Answer: D
Custom roles in Azure can be scoped to different levels:
- Azure AD tenant (contoso.com): A role could be scoped to an Azure AD tenant, allowing permissions to be granted at the directory level.
- Resource Group (RG1): You can also assign roles at the resource group level, allowing permissions to resources within that specific group.
- Subscription (Subscription1): Similarly, roles can be assigned at the subscription level, applying to all resources in that subscription.
In this case, since you created a custom role for the Azure AD tenant contoso.com, it can be used at all levels: contoso.com (Azure AD tenant), RG1 (resource group), and Subscription1 (subscription level). Therefore, D is the most comprehensive option.
upvoted 1 times
...
Lanwan
6 months, 2 weeks ago
Selected Answer: D
Copilot and ChatGPT say D
upvoted 2 times
...
mrt007
1 year, 2 months ago
D. contoso.com, RG1, and Subscription1. This is because in Azure, the scope of access for a custom role is at the directory level, and it can be assigned to users, groups, and service principals at subscription, resource group, and resource scopes. Therefore, Role1 can be used for permission delegation not only at contoso.com but also at RG1 and Subscription1.
upvoted 2 times
...
jacqs101
1 year, 4 months ago
A. contoso.com only. Why? Because the role was created in that tenant and Azure AD roles are a flat hierarchy.
upvoted 2 times
...
Adt3ster
1 year, 5 months ago
Selected Answer: A
I choose A since the current description is: "Add permissions for this custom role. Currently, permissions for Application registrations and Enterprise applications are supported in custom roles." It's only possible to assign at the directory level.
upvoted 1 times
...
[Removed]
1 year, 5 months ago
AzureAD roles can be scoped into Administrative Units-> Application
upvoted 1 times
...
ESAJRR
1 year, 11 months ago
Selected Answer: D
D. contoso.com, RG1, and Subscription1
upvoted 1 times
...
Ario
1 year, 11 months ago
Selected Answer: A
There is nothing about RBAC in this question. I will choose A.
upvoted 1 times
...
zellck
2 years, 1 month ago
Selected Answer: A
A is the answer. https://learn.microsoft.com/en-us/azure/active-directory/roles/custom-create The role can be assigned either at the directory-level scope or an app registration resource scope only.
upvoted 3 times
...
majstor86
2 years, 3 months ago
Selected Answer: A
A. contoso.com only
upvoted 3 times
...
Marc_Azure
2 years, 4 months ago
Selected Answer: D
delegation
upvoted 1 times
...
samimshaikh
2 years, 4 months ago
It says that the custom role is created for contoso.com, that is, it's for Azure AD. If the question had asked about a custom role created for a subscription, then we would have an option in the answer list for "Subscription, Resource Group". Since there is no answer listed with the pair "Subscription, Resource Group", and I am confident that this question is for Azure AD contoso.com, answer: A
upvoted 1 times
...
ltjones12
2 years, 5 months ago
It says "custom role" but doesn't elaborate on whether it's an RBAC role or an Azure AD role. Not a valid question as it lacks a critical detail.
upvoted 6 times
...
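Added example, not part of any comment above or of Microsoft's documentation: a small Python check of the separation the thread argues about, where a role definition written for the directory (Microsoft Graph) plane and one written for the Azure Resource Manager plane each accept only their own kind of scope. The two definitions, the placeholder subscription ID and all helper names are constructed for illustration; the field names follow the Graph `unifiedRoleDefinition` shape and the Azure RBAC custom role JSON.

```python
import re

GUID = r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID

# Constructed sample definitions in the two documented shapes.
AAD_ROLE = {  # Microsoft Graph unifiedRoleDefinition
    "displayName": "Role1",
    "isEnabled": True,
    "rolePermissions": [{"allowedResourceActions": [
        "microsoft.directory/applications/basic/update"]}],
}
ARM_ROLE = {  # Azure RBAC custom role
    "Name": "Role1-arm", "IsCustom": True,
    "Actions": ["Microsoft.Compute/virtualMachines/read"],
    "AssignableScopes": [SUB],
}
# The question's three targets, written as the scope string each plane uses.
TARGETS = {
    "contoso.com": "/",                  # Graph directoryScopeId: tenant-wide
    "Subscription1": SUB,                # ARM scope
    "RG1": SUB + "/resourceGroups/RG1",  # ARM scope
}

def role_plane(defn):
    """Classify a role definition by the fields only its plane uses."""
    if "rolePermissions" in defn:
        return "directory"
    if "AssignableScopes" in defn:
        return "arm"
    raise ValueError("unrecognised role definition shape")

def scope_plane(scope):
    """Classify a scope string: ARM resource path or Graph directoryScopeId."""
    arm = r"^/(subscriptions|providers/Microsoft\.Management/managementGroups)/"
    if re.match(arm, scope, re.IGNORECASE):
        return "arm"
    # "/" is tenant-wide; "/<object id>" is a single app registration.
    if scope == "/" or re.fullmatch("/" + GUID, scope):
        return "directory"
    raise ValueError(f"unrecognised scope: {scope}")

def can_assign(defn, scope):
    """True only if role and scope share a plane and, for ARM, the scope
    sits at or below one of the role's AssignableScopes."""
    plane = role_plane(defn)
    if plane != scope_plane(scope):
        return False
    if plane == "directory":
        return True
    s = scope.lower().rstrip("/") + "/"
    return any(s.startswith(a.lower().rstrip("/") + "/")
               for a in defn["AssignableScopes"])

def usable_targets(defn):
    """Names from TARGETS where this definition could be assigned."""
    return sorted(n for n, s in TARGETS.items() if can_assign(defn, s))
```
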
Community vote distribution
A (35%)
C (25%)
B (20%)
Other