ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-300 All Questions

View all questions & answers for the AZ-300 exam
Go to Exam

Exam AZ-300 topic 2 question 13 discussion

Actual exam question from Microsoft's AZ-300
Question #: 13
Topic #: 2
[All AZ-300 Questions]

HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant that contains three global administrators named Admin1, Admin2, and Admin3.
The tenant is associated to an Azure subscription. Access control for the subscription is configured as shown in the Access control exhibit. (Click the Exhibit tab.)

You sign in to the Azure portal as Admin1 and configure the tenant as shown in the Tenant exhibit. (Click the Exhibit tab.)

For each of the following statement, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Show Suggested Answer Hide Answer
Suggested Answer: Explanation
by MaheshBeeravelli at Nov. 17, 2019, 3:01 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
anotherman88
Highly Voted 5 years, 6 months ago
Options and answers are: Admin 1 can add Admin 2 as owner of the subscription = YES Admin 2 can add Admin 1 as owner of the subscription = NO Admin 2 can create a resource group in the subscription = NO
upvoted 22 times
Cern77
5 years, 4 months ago
Only admin3 is owner, then admin1 and 2 cannot add someone as owner. It seems nor admin1 and 2 have rights on the subscription, then cannot even create a resource group. Isn't it ? Then answer is 3 times NO.
upvoted 2 times
tartar
4 years, 9 months ago
Yes Yes No
upvoted 1 times
tartar
4 years, 9 months ago
No No No
upvoted 1 times
Madhu1
4 years, 9 months ago
https://www.examtopics.com/assets/media/exam-media/02629/0001200001.png
upvoted 3 times
...
...
...
...
cacasodo
5 years, 1 month ago
Pretty sure this answer is correct based upon info in this documentation: https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles
upvoted 1 times
...
Gianlucag77
4 years, 12 months ago
just tested in my LAB so I agree with: YES,NO,NO admin1 has "Global admin can manage AS & MG"** = YES (the default for each global admin is = NO) so he can see and modify Roles in Azure AD, and add admin2 the owner role. admin2 cannot do the same because ** = NO also global admincannot create resource group by default (I've just tested that they can do only after granted the owner role)
upvoted 5 times
...
...
Corona_Virus
Highly Voted 5 years, 2 months ago
Answer Area https://www.examtopics.com/discussions/microsoft/view/5902-exam-az-103-topic-1-question-9-discussion/
upvoted 10 times
...
azurecert2021
Most Recent 4 years, 5 months ago
"This setting is not a global property and applies only to the currently signed in user. You can't elevate access for all members of the Global Administrator role.", which means Admin1 only granted access to a subscription to himself.
upvoted 1 times
Aghora
4 years, 5 months ago
other users are admins , so they can elevate themselves and do it . if we follow the graphs then it means they have not , but they can . the question can be answered as yes no no or yes yes yes
upvoted 1 times
...
...
azurecert2021
4 years, 5 months ago
if a Global Admin elevates his access by activating the Global Admin can manage Azure Subscriptions and Management Groups switch in the Azure portal, he will, as a result, be granted the User Access Administrator role, which is, in fact, an RBAC role. He'll be granted this role on all subscriptions for the tenant. This is important to understand, because the User Access Administrator role allows the user to, in turn, grant other users access to Azure resources. Got from https://cloudacademy.com/course/managing-azure-ad-user-roles/azure-rbac-roles-and-azure-ad-administrator-roles/
upvoted 1 times
...
azurecert2021
4 years, 5 months ago
given answer is correct Agree 100% -Correct Answer is :YES , NO , NO .I just tested this out. Admin3 was already owner but not mentioned. Exhibit only shows Admin1 elevating his permission and as you pointed out,its specific to user logged in so in the context of Admin1 -only he has user access admin(by elevation) + plus global admin. Admin2 is only global admin and doesn't have access to the subscription so he cant perform role assignments on anyone as the feature is disabled to him and cannot create any resources because he doesn't have access on a subscription.
upvoted 1 times
...
davili
4 years, 7 months ago
YES YES NO Gloable administrator is an Azure AD roles. Azure AD roles can do nothing with Azure resources. You should know the difference between Azure roles and Azure AD roles. https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles
upvoted 1 times
...
prince_norman_maximus
4 years, 9 months ago
NO, NO, NO Enabling "Global admin can manage Azure subscriptions and Management groups" does NOT allow you to make a user an owner of the subscription. https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin
upvoted 1 times
...
BOC
4 years, 9 months ago
Came in the Exam - correct answers are: Admin 1 can add Admin 2 as owner of the subscription = YES Admin 2 can add Admin 1 as owner of the subscription = NO Admin 2 can create a resource group in the subscription = NO
upvoted 3 times
...
saran1987
4 years, 10 months ago
The answer is YES, YES, NO. 1. Admin1 can assign role as owner to any user in the subscription after he elevated his access so YES 2. Admin 2 is a global admin so anytime he can elevate himself as subscription user access administrator and assign the role as owner to admin 1 or any other user so the answer is YES 3. Though the global admin can elevate themself to the subscription, they can't create resources (resource groups ) in the subscription.
upvoted 2 times
...
cttay71
4 years, 10 months ago
Hi, I created 2 users (test1 and test2) and assigned them as Global Admin. then I login as test1. i go to the properties and see that the Access Management for Azure Resources is disabled. Any idea why?
upvoted 1 times
hybridpro
4 years, 10 months ago
That will happen only if test1 didn't actually have a global administrator role on that Azure AD tenant.
upvoted 1 times
...
...
swip
4 years, 11 months ago
The picture is outdated. In AAD it no longer says "global admins can manage" it explicitly refers to the user which you are signed in as. The rocker switch simply gives you User administrator access which allows you to then goto subscriptions and edit the permissions on the subscription. This is how it always worked but the wording was ambiguous, now corrected in the portal. Correct Answer is Yes, No, No (as most people have explained)
upvoted 2 times
...
kelo
4 years, 11 months ago
The answer is Yes, Yes, No. From the exhibit, the option "Global Admins can Manage Subscriptions and management Groups" has been activated. With that option any Global Admin previously without an RBAC role to the subscription, automatically has the User Access Administrator role on that tenant. With this role the Admin can assign the owner role to anyone. However with that role (i.e. User Access Administrator) you will be unable to create any resource unless you grant yourself that permission (i.e. owner or contributor)
upvoted 2 times
...
Len
4 years, 11 months ago
Options can be found here https://www.examtopics.com/discussions/microsoft/view/5902-exam-az-103-topic-1-question-9-discussion/
upvoted 6 times
...
gboyega
4 years, 11 months ago
NO NO NO is the correct answer
upvoted 3 times
...
monkeyexam
5 years ago
AnshMan, I believe your test is incorrect. The current portal does not have the Option Global Admin can manage Azure subscription and Management Groups (Old view). Instead it is enable per individual user. Therefore you need to login admin1, admin2 and admin3 to activate the access management for Azure resources. Once you have turn that on (re-login portal), admin can assigned anyone as an owner role to subscription but not create resources as the admin only have user access administrator.
upvoted 1 times
tmurfet
5 years ago
I agree, it's YES, NO, NO according to my testing. Bear in mind that we are working with the state as described in the question, not some future state where "Admin1 has added Admin 2 as an owner of the subscription." admin1 can access subscription due to enabled "Global admin can manage Azure Subscriptions and Management Groups." admin2 cannot access subscription due to disabled "Global admin can manage Azure Subscriptions and Management Groups." admin2 cannot create resource group for same reason. So.. Yes. No. (but yes if enabled "Global admin can manage Azure Subscriptions and Management Groups.") No. (but yes if in the future Admin2 is added as an owner).
upvoted 4 times
praveen97
4 years, 11 months ago
Agree with tmurfet
upvoted 2 times
...
...
...
AnshMan
5 years, 1 month ago
All the three admins are global administrators, it doesn't mean they have full access to subscription. But Admin3 is the owner of subscription. So, only admin3 can add other two users as owners and also he is the only one that can create RG in the subscription. Once the other two Admins get owner or any particular role assigned, they can do other things. Overall below is the answers and I have tested them in my Subscription: Admin 1 can add Admin 2 as owner of the subscription = NO Admin 2 can add Admin 1 as owner of the subscription = NO Admin 2 can create a resource group in the subscription = NO
upvoted 8 times
...
ArulLivingston
5 years, 1 month ago
Options and answers are: Admin 1 can add Admin 2 as owner of the subscription = YES Admin 2 can add Admin 1 as owner of the subscription = YES Admin 2 can create a resource group in the subscription = NO
upvoted 10 times
2cool2touch
5 years, 1 month ago
Upvoting Global Admins can elevate themselves so Admin1 and Admin2 should be yes. Global Admin (User Access Administrator) dont have rights to create (https://docs.microsoft.com/en-us/azure/governance/management-groups/overview#management-group-access). Admin2 cant create a resource group without getting additional rights which is not mentioned in the scenario. so Y/Y/N
upvoted 3 times
...
bharatgudu
5 years ago
To me it is Yes, Yes, and No. The below link say: "Manage access to all administrative features in Azure Active Directory..." the subscription is part of that Azure AD and Global administrators can add owner role to any user from that subscription. In this case Admin 1 and 2 should be able to assign each other Azure AD owner role to the subscription level. https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles
upvoted 1 times
...
ExamWynner
4 years, 11 months ago
Agreed, YES,YES,NO. All the three admins are global administrators.
upvoted 1 times
...
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel