ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-500 All Questions

View all questions & answers for the AZ-500 exam
Go to Exam

Exam AZ-500 topic 2 question 57 discussion

Actual exam question from Microsoft's AZ-500
Question #: 57
Topic #: 2
[All AZ-500 Questions]

HOTSPOT -
You have a management group named Group1 that contains an Azure subscription named sub1. Sub1 has a subscription ID of 11111111-1234-1234-1234-
1111111111.
You need to create a custom Azure role-based access control (RBAC) role that will delegate permissions to manage the tags on all the objects in Group1.
What should you include in the role definition of Role1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Show Suggested Answer Hide Answer
Suggested Answer:
Note: Assigning a custom RBAC role as the Management Group level is currently in preview only. So, for now the answer to the assignable scope is the subscription level.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-portal#step-5-assignable-scopes
by thienvupt at June 30, 2021, 2:52 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
NarenderSingh
Highly Voted 3 years, 8 months ago
Assignable Scope is Management Group Now which is /Group1 https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-portal#step-5-assignable-scopes On the Assignable scopes tab, you specify where your custom role is available for assignment, such as management group, subscriptions, or resource groups.
upvoted 25 times
asodataone
8 months, 1 week ago
Resource Provider: Microsoft.Resources Assignable Scope: /providers/Microsoft.Management/managementGroups/Group1 Key Concepts: Resource Provider: The resource provider for managing tags in Azure is Microsoft.Resources. Tags are a resource management feature provided by this provider, so your role should have permissions related to this resource provider. Assignable Scope: The assignable scope should be the management group Group1, and it can include the subscriptions and resources within that management group, since the goal is to manage tags across all objects in Group1. Therefore, you would assign the scope to Group1 and ensure that it can cascade to all the resources inside Group1.
upvoted 1 times
ITFranz
7 months, 2 weeks ago
The resource provider for managing tags in Azure is Microsoft.Resources. While this isn't explicitly stated in the search results, it can be inferred from the context: Tags are a feature of Azure Resource Manager (ARM), which is part of the Microsoft.Resources namespace. Tags can be applied to various Azure resources across different resource providers, but the underlying functionality for tag management is handled by Azure Resource Manager. The search results mention using Azure Resource Manager JSON templates for tagging, which indicates that the tag management is part of the ARM functionality. Tags in Azure can be managed through various methods, including: Azure Portal Azure PowerShell Azure CLI Azure Resource Manager templates These methods all interact with the Microsoft.Resources provider to manage tags across different Azure resources and resource groups.
upvoted 1 times
...
...
TiredofTesting
3 years, 8 months ago
Concurred and tested. You can assign this to a subscription, management group or resource group.
upvoted 2 times
...
maxsh3
3 years, 3 months ago
Adding a management group to assignable scopes is currently in (preview).
upvoted 2 times
...
...
thienvupt
Highly Voted 4 years, 1 month ago
Correct Answer Setting assignable scope to root scope ("/") is not supported. Currently, you cannot add a management group as an assignable scope.
upvoted 14 times
...
schpeter_091
Most Recent 9 months, 3 weeks ago
From MS site: "You can't assign the custom role at the management group scope itself; however, you can assign the custom role at the scope of the subscriptions within the management group." https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles
upvoted 2 times
...
410ns0
1 year ago
*/Group1
upvoted 2 times
...
ITFranz
1 year ago
To support the answer: Resource provider: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources#required-access There are two ways to get the required access to tag resources. You can have write access to the Microsoft.Resources/tags resource type. This access lets you tag any resource, even if you don't have access to the resource itself https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-portal#step-5-assignable-scopes On the Assignable scopes tab, you specify where your custom role is available for assignment, such as management group, subscriptions, or resource groups. Depending on how you chose to start, this tab might already list the scope where you opened the Access control (IAM) page.
upvoted 1 times
...
Jimmy500
1 year ago
Hi guys, I think here answer will be as like this: Box-1 Microsoft.Resources Box-2 /subscription/id of subcsction. Most of us mixed up with box2 in the second option of it with the /Group1. Let tell why not (please refer here:https://learn.microsoft.com/en-us/azure/role-based-access-control/scope-overview#scope-examples. According to this in order to assign role to management group structure needs to be like this: /providers/Microsoft.Management/managementGroups/marketing-group in our case in it should have been like this: /providers/Microsoft.Management/managementGroups/Group1, that is why we need choose 3 rd option for Box-2 which is /subscriptions/id of subscription
upvoted 1 times
pentium75
1 year ago
We don't know which syntax is used here. "/Group1" is what we need to assign the permission to. Assigning it to a subscription will not apply it to 'all objects in Group1' as required, even if CURRENTLY there are no other subscriptions.
upvoted 1 times
...
...
Adt3ster
1 year, 7 months ago
Correct and tested. The right answer is resources provider and subscription level since if that was for MG level the name should be /providers/Microsoft.Management/managementGroups/Group1
upvoted 2 times
...
wardy1983
1 year, 9 months ago
Explanation: Microsoft resourcews Assignable Scope is Management Group Now which is /Group1 On the Assignable scopes tab, you specify where your custom role is available for assignment, such as management group, subscriptions, or resource groups.
upvoted 2 times
...
wardy1983
1 year, 9 months ago
Microsoft resourcews Assignable Scope is Management Group Now which is /Group1 On the Assignable scopes tab, you specify where your custom role is available for assignment, such as management group, subscriptions, or resource groups. Reference: https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-portal#step-5-assignablescopes
upvoted 2 times
...
ESAJRR
1 year, 10 months ago
1. Microsfot.resources 2. Group?
upvoted 4 times
...
_fvt
2 years ago
Seems that you can now assign custom roles to a Management group and it's not in Preview anymore. However you need to specify the resourceID, not the name (so it would look like /providers/Microsoft.Management/managementGroups/Group1). https://docs.microsoft.com/en-us/azure/governance/management-groups/overview#azure-custom-role-definition-and-assignment https://learn.microsoft.com/en-us/azure/role-based-access-control/scope-overview#scope-examples So the answer given is Right, you need to assign it to the Sub.
upvoted 2 times
...
Troublemaker
2 years ago
In Exam - 28/7/2023
upvoted 1 times
...
Holii
2 years, 2 months ago
https://learn.microsoft.com/en-us/azure/templates/microsoft.resources/tags?pivots=deployment-language-bicep It can be either Management Scope (/Group1) or Subscription (/subscription) Since the Management Group isn't fleshed out I am leaning on /subscription. Otherwise the answer would follow a similar naming convention: (/providers/Microsoft.Management/managementGroups/Group1) but instead it just states /Group1, rather than giving context that this actually is a Management Group.
upvoted 2 times
...
zellck
2 years, 3 months ago
1. Micosoft.Resources 2. /Group1 https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources#required-access https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles If the Azure built-in roles don't meet the specific needs of your organization, you can create your own custom roles. Just like built-in roles, you can assign custom roles to users, groups, and service principals at management group, subscription, and resource group scopes.
upvoted 12 times
...
majstor86
2 years, 5 months ago
1. Microsfot.resources 2. \group?
upvoted 3 times
...
Muaamar_Alsayyad
2 years, 10 months ago
Microsfot.resources \group https://learn.microsoft.com/en-us/azure/role-based-access-control/scope-overview
upvoted 4 times
...
wsrudmen
2 years, 10 months ago
Correct answers should be Microsoft.resources (as it's manage Tags) / Because /Group1 is not a valid assignment scope. Check how should be structured the path for Management Group "/providers/Microsoft.Management/managementGroups/{groupId1}" Also using subscription path is KO because it's at management group level and not subscription
upvoted 1 times
koreshio
2 years, 10 months ago
why not /Group as a valid assignment scope? example: "/providers/Microsoft.Management/managementGroups/marketing-group" from here: https://learn.microsoft.com/en-us/azure/role-based-access-control/scope-overview#scope-examples
upvoted 1 times
koreshio
2 years, 10 months ago
according to it the /{managementGroupName} is allowed: /providers /Microsoft.Management /managementGroups /{managmentGroupName} ref: https://learn.microsoft.com/en-us/azure/role-based-access-control/scope-overview#scope-examples
upvoted 1 times
Bill831231
2 years, 10 months ago
seems assign a cusom role to MG still in preview
upvoted 1 times
...
...
...
Holii
2 years, 2 months ago
Subscription scope is not "KO", it's an acceptable scope assignment for this: https://learn.microsoft.com/en-us/azure/templates/microsoft.resources/tags?pivots=deployment-language-bicep Valid deployment scopes for the tags resource are: Resource groups - See resource group deployment commands Subscriptions - See subscription deployment commands Management groups - See management group deployment commands
upvoted 1 times
...
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel