Exam AZ-104 topic 2 question 56 discussion

B) " Assign Group1 the User Access Administrator role for the root management group." To be able to assign licenses to all current and future subscriptions, while minimizing the administrative effort, one should apply the role to the Root Management Group. And because we should use the principle of least privilege we should chose the User Access Administrator role instead of the Owner one.

B or C depending on which requirement you're prioritizing. - B if you're minimizing the administrative effort - C if you're following principle of least privilege

The correct answer is: B. Assign Group1 the User Access Administrator role for the root management group. Why not the others? A. Owner at root management group ➤ Too much privilege. The Owner role allows full management of resources, violating the least privilege principle. C. User Access Administrator at a new management group ➤ A new management group won't include existing subscriptions unless you move them manually. More effort. D. Owner at a new management group ➤ Same as above, and again, the Owner role exceeds what's required (violates least privilege).

The key here is: "manage role assignments" which requires: Microsoft.Authorization/* Owner and User Access Admin can both do it - but least privilege is UAA

C is incorrect because... - it did not mention anything about move existing subscription to the new mgt group - even if it would tell to move existing subs, the action would MAXIMIZE administrative task(which does not meet second requirement)

A. to manage subscriptions required Owner role, https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/add-change-subscription-administrator

ChatGPT4: Option B focuses on assigning the User Access Administrator role at the root management group level. This role specifically allows members to manage user access to Azure resources, which includes managing role assignments. Assigning this role at the root management group level ensures that the permissions apply across all existing and future subscriptions under that root. This approach adheres to the principle of least privilege by providing only the necessary permissions to manage access without broader management permissions that come with the Owner role.

B is correct

The answer is B you are providing access administrator to the Root Manangment group per Microsoft's documentation "All subscriptions and management groups fold up into one root management group within the directory. All resources in the directory fold up to the root management group for global management. New subscriptions are automatically defaulted to the root management group when created." https://learn.microsoft.com/en-us/azure/governance/management-groups/overview

I think the key here is " existing subscriptions and the planned [all future] subscriptions" OpenAI says: "Option C is not the best choice because it requires creating a new management group which is not necessary for the given scenario. " If we were to go the route of C we would need to do considerations for all further added subsciptions (more administrative thought) which we don't need with B and the group is said that it should have the role of all further subscriptions to there's no point to it.

Answer: B Explanation: To be able to assign licenses to all current and future subscriptions, while minimizing the administrative effort, one should apply the role to the Root Management Group. And because we should use the principle of least privilege we should chose the User Access Administrator role instead of the Owner one.

B: looks correct as per URL below. Any new/planned subscriptions will fold up into the root management group by default. See section; Important facts about the root management group "All subscriptions and management groups fold up to the one root management group within the directory. All resources in the directory fold up to the root management group for global management. New subscriptions are automatically defaulted to the root management group when created." https://learn.microsoft.com/en-us/azure/governance/management-groups/overview

Answer should be C. This uses the least-privilege principle - Azure management groups provide a level of scope above subscriptions. You organize subscriptions into containers called "management groups" and apply your governance conditions to the management groups. All subscriptions within a management group automatically inherit the conditions applied to the management group.

Create a new management group and assign Group1 the User Access Administrator role for the group

OpenAi "Option C is the correct answer. Assigning Group1 the Owner role for the root management group (Option A) would give the group unrestricted access to all resources in all subscriptions and management groups under the root management group. This goes against the principle of least privilege and could potentially result in unintended changes or deletions of resources. Assigning Group1 the User Access Administrator role for the root management group (Option B) would give the group permission to manage user access to Azure resources, but not to manage role assignments for subscriptions and management groups. Creating a new management group and assigning Group1 the Owner role for the group (Option D) would give the group the same unrestricted access as assigning them the Owner role for the root management group. Therefore, the best option would be to create a new management group and assign Group1 the User Access Administrator role for the group (Option C). This would allow the group to manage role assignments for all subscriptions and management groups within the new management group without granting them unnecessary permissions."

B is correct.

While Assigning the User Access Administrator role for the root management group to Group1 will provide Group1 with the ability to manage role assignments for all subscriptions within the root management group, it does not adhere to the principle of least privilege as it grants full administrative access to all Azure resources under the root management group. It is recommended to create a new management group and assign the User Access Administrator role for that specific group to Group1, in order to meet the requirements of using the principle of least privilege and minimizing administrative effort. while still adhering to the principle of least privilege. why not B.