Exam AZ-303 topic 6 question 23 discussion

Question 1-2: Y Y -> Global admins can assign owner to other users in IAM (tested). Question 3: N -> since it's not specified that Admin 2 is contributor of the subscription that user can't create a resource group. Of course he can give himself the permission.

When you check "Global admin can manage ..." you elevate currently logged in admin to User Access Administrator, not the all admins. So, answer for 2 is no because Admin1 is User Access Administrator, Admin 2 is noone, and Admin 3 is an owner. YES NO NO

Answer is Y Y Y. simple!

Actual setting in AAD is called "can manage access to all Azure subscriptions and management groups in this tenant" - if this is set to yes, all GAs can manage user permissions on Azure. By doing so they can delegate all RBAC roles on the Subscriptions associated with given Tenant. SO it would be Yes, Yes and Yes (third answer would require two steps, first grant yourself Owner on Subscription, then deploy a Resource Group).

Yes No No https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin As a Global Administrator in Azure Active Directory (Azure AD), you might not have access to all subscriptions and management groups in your directory When you elevate your access, you will be assigned the User Access Administrator role in Azure at root scope -> means you have the full complete permission

if you are a Global Administrator in Azure AD, you can assign yourself access to all Azure subscriptions and management groups in your directory

Given answer is correct : Y, N, N When you set the toggle to Yes, you are assigned the User Access Administrator role in Azure RBAC at root scope (/). This grants you permission to assign roles in all Azure subscriptions and management groups associated with this Azure AD directory. This toggle is only available to users who are assigned the Global Administrator role in Azure AD. Admin2 don't config as Admin1 do so N and N Reference: https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin

From other user: I think, Yes, No, No. https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin As a Global Administrator in Azure Active Directory (Azure AD), you might not have access to all subscriptions and management groups in your directory. Azure AD and Azure resources are secured independently from one another. That is, Azure AD role assignments do not grant access to Azure resources, and Azure role assignments do not grant access to Azure AD. However, if you are a Global Administrator in Azure AD, you can assign yourself access to all Azure subscriptions and management groups in your directory. Admin1 grants itself such access, so he can manage any user and any group/role and user assignment to any group/role.

From another user: When you check "Global admin can manage ..." you elevate currently logged in admin to User Access Administrator, not the all admins. So, answer for 2 is no because Admin1 is User Access Administrator, Admin 2 is noone, and Admin 3 is an owner. YES NO NO

https://www.examtopics.com/discussions/microsoft/view/5902-exam-az-103-topic-1-question-9-discussion/

I think answer is Y Y Y ... Owner role engulfs all Contributor access and user access management role, therefore admin2 can create the RG.