Exam AZ-300 topic 4 question 12 discussion

Actual exam question from Microsoft's AZ-300
Question #: 12
Topic #: 4

SIMULATION -
Click to expand each objective. To connect to the Azure portal, type https://portal.azure.com in the browser address bar.






When you are finished performing all the tasks, click the 'Next' button.
Note that you cannot return to the lab once you click the 'Next' button. Scoring occurs in the background while you complete the rest of the exam.

Overview -
The following section of the exam is a lab. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design.
Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn't matter how you accomplish the task, if you successfully perform it, you will earn credit for that task.
Labs are not timed separately, and this exam may have more than one lab that you must complete. You can use as much time as you would like to complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided.
Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab.

To start the lab -
You may start the lab by clicking the Next button.
You plan to grant the members of a new Azure AD group named corp8548987 the rights to delegate administrative access to any resource in the resource group named corp8548987.
You need to create the Azure AD group, and then to assign the correct role to the group. The solution must use the principle of least privilege and minimize the number of role assignments.
What should you do from the Azure portal?

Suggested Answer: See explanation below.
Step 1:
Click Resource groups from the menu of services to access the Resource Groups blade

Step 2:
Click Add (+) to create a new resource group. The Create Resource Group blade appears. Enter corp8548987 as the Resource group name, and click the Create button.

Step 3:
Select Create.
Your group is created and ready for you to add members.
Now we need to assign a role to this resource group scope.
Step 4:
Choose the newly created Resource group, and Access control (IAM) to see the current list of role assignments at the resource group scope. Click +Add to open the Add permissions pane.

Step 5:
In the Role drop-down list, select the role Delegate administration, and select Assign access to: resource group corp8548987.

References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
https://www.juniper.net/documentation/en_US/vsrx/topics/task/multi-task/security-vsrx-azure-marketplace-resource-group.html

Comments

mm2
Highly Voted 5 years, 8 months ago
the role is called User Access Administration
upvoted 28 times
...
PS36363
Highly Voted 5 years, 3 months ago
You need to create AD group named corp8548987. You also need to create resource group named corp8548987. Then go to the IAM from RG corp8548987 and select role “User Access Administrator”. Under ‘Select’ your AD group corp8548987 will appear; now select this and click on ‘Save’.
upvoted 21 times
praveen97
4 years, 11 months ago
Assign 'User Access Administrator' Role for AD group 'corp8548987' in the Resource Group 'corp8548987'. To give admin permissions to any user to resources in the Resource Group, we need to provide 'User Access Administrator' access to the Security Group. Then that security members can add any user (developers/testers) with required administrative access to the resources in the Resource Group. I have tested this in my lab. Even 'Owner' role can do this but as per the question we need to follow the principle of least Privileges, so 'User Access Administrator' role is suitable answer for this question.
upvoted 1 times
...
...
aillusionist
Most Recent 4 years, 9 months ago
rights to "delegate administrative access" - means to delegate the access only.
"User Access Admin" - this only gives them access to gain further access.
"Owner" - access would be replacing Administrator access, not delegating.
Hence answer can only be "Contributor" as that is by design to delegate Admin Access.
upvoted 1 times
arunpaul
4 years, 4 months ago
downvoted
upvoted 1 times
...
...
valdu
4 years, 12 months ago
It should be Global Administrator Role. "Only Global administrators and Privileged Role administrators can delegate administrator roles." https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles
upvoted 1 times
prabhjot
4 years, 11 months ago
No, Global Administrator role is most powerful and not the least privileged one.
upvoted 2 times
...
...
roman20
5 years ago
1. Create AD security group XXX 2. Assign AD group XXX access to RG group BBB as User Access Administrator
upvoted 1 times
...
MukeshKhamparia
5 years, 1 month ago
If you’re interested in delegating access to Azure resources instead of administrative access in Azure AD, see Assign a Role-based access control (RBAC) role: https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
To add or remove role assignments, you must have: Microsoft.Authorization/roleAssignments/write and Microsoft.Authorization/roleAssignments/delete permissions, such as User Access Administrator or Owner
upvoted 1 times
...
TYT
5 years, 2 months ago
Least privilege - User Access Admin to delegate access. That being said, you need to create both RG and AD group. Then go to the RG, IAM then Click on Add, Add Role Assignment where the Role will be User Access Administrator which lets you manage the resources, select the AD group.
upvoted 3 times
...
manhattan
5 years, 2 months ago
https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
Owner - Has full access to all resources including the right to delegate access to others.
Contributor - Can create and manage all types of Azure resources but can't grant access to others.
Reader - Can view existing Azure resources.
User Access Administrator - Lets you manage user access to Azure resources
AD group and "User Access Administrator" for me is the correct answer
upvoted 3 times
...
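Added example, not part of any comment or of Microsoft's code: a simplified model of how Azure RBAC evaluates `Actions` and `NotActions`, applied to the four built-in roles listed above and to the `roleAssignments/write` and `roleAssignments/delete` permissions quoted earlier in the thread. The role data is abbreviated from Microsoft's built-in role definitions, the Compute operation is a constructed sample, and the model ignores deny assignments, conditions and data actions.

```python
# Added illustration: control-plane RBAC check = matches Actions and not NotActions.
# Role definitions are abbreviated to the entries relevant to delegation.
from fnmatch import fnmatchcase

ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {"actions": ["*"], "not_actions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action"]},
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "User Access Administrator": {"actions": [
        "*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"], "not_actions": []},
}

# Permissions required to add or remove role assignments (quoted in the thread).
DELEGATE = [
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
]
MANAGE_SAMPLE = "Microsoft.Compute/virtualMachines/write"  # constructed sample operation


def _matches(patterns, operation):
    """Case-insensitive wildcard match of an operation against a pattern list."""
    op = operation.lower()
    return any(fnmatchcase(op, p.lower()) for p in patterns)


def allowed(role, operation):
    """True if the role's Actions grant the operation and NotActions do not exclude it."""
    d = ROLES[role]
    return _matches(d["actions"], operation) and not _matches(d["not_actions"], operation)


def can_delegate(role):
    return all(allowed(role, op) for op in DELEGATE)


def least_privileged_delegators():
    """Roles able to delegate access, those that cannot modify resources first."""
    delegators = [r for r in ROLES if can_delegate(r)]
    return sorted(delegators, key=lambda r: allowed(r, MANAGE_SAMPLE))


if __name__ == "__main__":
    for role in ROLES:
        print(f"{role:27} delegate={can_delegate(role)!s:5} manage={allowed(role, MANAGE_SAMPLE)}")
    print("least privilege:", least_privileged_delegators()[0])
```

When reviewing an existing environment, the same check applied to custom role definitions shows which of them implicitly allow role-assignment writes through a broad `Microsoft.Authorization/*` or `*` action.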
silverdeath
5 years, 3 months ago
it's the contributor role
upvoted 1 times
macco455
4 years, 10 months ago
Contributor role does not allow the user to add/change nor update user access to the resource group
upvoted 1 times
...
...
mihlo74
5 years, 4 months ago
Let's say that the lab is asking to provide LEAST (minimum) permission to a group and that group could "delegate access"; it means they are able to provide permissions to specific resources to any user... SO... IMHO... I think the role should be (RBAC) "User Access Administrator" -> Lets you manage user access to Azure resources. This is more restrictive than owner in the sense that you are not asked in the lab to allow full access but "delegate admin access", so the better option is to choose "User Access Administrator" as the role. Make sense?
upvoted 18 times
Andy001
5 years, 4 months ago
Yes, "User Access Administrator" is a right answer
upvoted 2 times
...
Jt909
5 years, 3 months ago
Tested in a lab. Azure AD User1 added to corp8548987 AD group. Assigned "User Access Administrator" role to the group in IAM of the corp RG. Logon in-private with User1 and assigned owner permission to corp RG using Azure AD User2. All OK
upvoted 7 times
...
...
raju11
5 years, 4 months ago
Create a new AD group called corp8548987 in "azure AD portal" and switch to the resource group page and in that under "AccessControl", do the role of assignment of Owner/Contributor. I believe it should be "Owner" as the ask is to delegate administrative access.
upvoted 2 times
...
Karls
5 years, 5 months ago
The question said: "delegate administrative access to any resource in the resource group named". The permissions of "User Access Administrator", by example "Compute", are READ access, so you don't have administrative access. In my opinion: 1) Create Security Group corp8548987 2) Create AD group named corp8548987 3) In corp8548987 select IAM / +Add / Add Role Assignment / Select Owner Role / Select. Now only corp8548987 resource group can be administrated by corp8548987 security group members.
upvoted 19 times
ipvaid
4 years, 10 months ago
Which security group? I think you mean Security type AD group called "corp8548987".
upvoted 1 times
...
...
Ekramy_Elnaggar
5 years, 6 months ago
1) Create Security Group 2) On the RG Assign the "User Access Administrator" role to the newly created group
upvoted 16 times
...
Rakeshsuryawanshi
5 years, 6 months ago
There is no role ''Delegated Admin..." available in azure
upvoted 3 times
...