Exam AZ-140 topic 3 question 11 discussion

Answer is correct it's B and E if you read the microsoft document properly you will get to know. https://docs.microsoft.com/en-us/azure/virtual-desktop/rbac

Correct A and E since - Desktop Virtualization Session Host Operator: This role lets you view and remove session hosts, and change drain mode. You CAN'T ADD session hosts using the Azure portal because you don't have write permission for host pool objects.

must have the following RBAC: Desktop Virtualization Host Pool Contributor -> to generate reg key Virtual Machine Contributor -> to add session hosts [already had] definitely A & E https://learn.microsoft.com/en-us/azure/virtual-desktop/add-session-hosts-host-pool?tabs=portal%2Cgui&pivots=host-pool-standard#prerequisites:~:text=The%20Azure%20account,Expand%20table

Answer is A & E.

The Desktop Virtualization Session Host Operator role allows viewing and removing session hosts, and changing drain mode. This role can't add session hosts using the Azure portal because it doesn't have write permission for host pool objects. For adding session hosts outside of the Azure portal, if the registration token is valid (generated and not expired), this role can add session hosts to the host pool "if the Virtual Machine Contributor role is also assigned." (which it states in the question)

Option B, Assign Admin1 the Desktop Virtualization Session Host Operator role for Pool1, is not necessary in this case because this role primarily allows a user to manage session hosts, including starting, stopping, and restarting them. However, it does not grant the permissions needed to add new session hosts to the pool. The Desktop Virtualization Host Pool Contributor role (Option A) specifically includes the ability to manage the host pool, which encompasses adding session hosts. Therefore, combining this role with the registration token (Option E) ensures Admin1 has the precise permissions required to add session hosts without granting additional, unnecessary privileges.

Option B, Assign Admin1 the Desktop Virtualization Session Host Operator role for Pool1, is not necessary in this case because this role primarily allows a user to manage session hosts, including starting, stopping, and restarting them. However, it does not grant the permissions needed to add new session hosts to the pool. The Desktop Virtualization Host Pool Contributor role (Option A) specifically includes the ability to manage the host pool, which encompasses adding session hosts. Therefore, combining this role with the registration token (Option E) ensures Admin1 has the precise permissions required to add session hosts without granting additional, unnecessary privileges.

Desktop Virtualization Session Host Operator role: This role can't add session hosts using the Azure portal because it doesn't have write permission for host pool objects. For adding session hosts outside of the Azure portal, if the registration token is valid (generated and not expired), this role can add session hosts to the host pool if the Virtual Machine Contributor role is also assigned. https://learn.microsoft.com/en-us/azure/virtual-desktop/rbac#desktop-virtualization-session-host-operator The answer must be A & E

A & E Not B because, The Desktop Virtualization User Session Operator role allows sending messages, disconnecting sessions, and using the logoff function to sign users out of a session host. However, this role doesn't allow host pool or session host management like removing a session host, changing drain mode, and so on.

I'll go for A&E because the user has already the "Virtual Machine Contributor" role and as the MS doc clearly states that: "The Desktop Virtualization Session Host Operator role allows viewing and removing session hosts, and changing drain mode. This role can't add session hosts using the Azure portal because it doesn't have write permission for host pool objects. For adding session hosts outside of the Azure portal, if the registration token is valid (generated and not expired), this role can add session hosts to the host pool if the Virtual Machine Contributor role is also assigned" Also the question demands that the solution must use the principle of least privilege. https://learn.microsoft.com/en-us/azure/virtual-desktop/rbac#desktop-virtualization-session-host-operator

Answer BE is correct. Microsoft article clearly states that: The Desktop Virtualization Session Host Operator role allows viewing and removing session hosts, and changing drain mode So it mandatory to have operator role assigned.

B. Assign Admin1 the Desktop Virtualization Session Host Operator role for Pool1 E. Generate a registration token

"You assign the Virtual Machine Contributor role for the Azure subscription to a user named Admin1. You need to ensure that Admin1 can add session hosts to Pool1. The solution must use the principle of least privilege." - To follow this principle B+E are the correct ones. Check the link I've put below and you will come to the same conclusion. https://learn.microsoft.com/en-us/azure/virtual-desktop/rbac#desktop-virtualization-session-host-operator:~:text=If%20the%20registration%20token%20is%20valid%20(generated%20and%20not%20expired)%2C%20users%20assigned%20this%20role%20can%20add%20session%20hosts%20to%20the%20host%20pool%20outside%20of%20the%20Azure%20portal%20if%20they%20also%20have%20the%20Virtual%20Machine%20Contributor%20role.

E. Generate a registration token. is required. and to generate a registration token, A. Desktop Virtualization Session Host Operator is required role. (Microsoft.DesktopVirtualization/hostpools/retrieveRegistrationToken/action is the required action and B. Desktop Virtualization Session Host Operator dont have this action) https://learn.microsoft.com/azure/virtual-desktop/rbac#desktop-virtualization-host-pool-contributor https://learn.microsoft.com/azure/role-based-access-control/resource-provider-operations#microsoftdesktopvirtualization https://learn.microsoft.com/azure/virtual-desktop/rbac#desktop-virtualization-session-host-operator

Answer B and E meets the requirement of Least Privilege. Very tricky question! Question states that you have assigned the "Virtual Machine Contributor" role for the subscription to Admin1. So with a valid token and "Desktop Virtualization Session Host operator" role Admin1 can add session hosts outside of the Azure Portal. (PowerShell or CLI) https://docs.microsoft.com/en-us/azure/virtual-desktop/rbac Desktop Virtualization Session Host Operator The Desktop Virtualization Session Host Operator role allows users to view and remove session hosts, as well as change drain mode. Users can't add session hosts using the Azure portal because they don't have write permission for host pool objects. ****If the registration token is valid (generated and not expired), users assigned this role can add session hosts to the host pool outside of the Azure portal**** if they also have the ****Virtual Machine Contributor role****.

A. Assign Admin1 the "Desktop Virtualization Host Pool Contributor" role for Pool1. This role provides permissions to create and manage host pools and session hosts in Azure Virtual Desktop. E. Generate a registration token. The registration token is required for adding session hosts to a host pool in Azure Virtual Desktop. The Admin1 can use this token to register new session hosts to Pool1. Option B would allow for management of individual session hosts, but not for adding new hosts to the pool. Option C is not required for managing Azure Virtual Desktop, as it pertains to Azure AD DS administration. Option D involves assigning a license which is not directly related to the task of adding session hosts to an Azure Virtual Desktop host pool.

BE - Resposta Correta. Desktop Virtualization Session Host Operator → "If the registration token is valid (generated and not expired), users assigned this role can add session hosts to the host pool outside of the Azure portal if they also have the Virtual Machine Contributor role" https://learn.microsoft.com/pt-br/azure/virtual-desktop/rbac