Exam AZ-500 topic 2 question 88 discussion

I thought the answers could be No Yes No Box1: User1 can delete VM1 - No User1 only has Role1, and Roles has notActions of VM delete. Box2: User2 can delete VM - Yes User2 has both Role1 and Role2 assigned. Role2 gives User2 the ability to delete VM. Box3: User3 can sign in to VM by using Azure AD credentials - No To be able to sign in to VM by using Azure AD credentials, User3 needs to have either Virtual Machine Administrator Login or Virtual Machine User Login. Those logins have actions defined in the dataActions section. For example, Microsoft.Compute/virtualMachines/login/action provides Log in to a virtual machine as a regular user. In both Role1 and Role2, the dataActions is not defined. Refs: https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-administrator-login

N-Y-N https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions#notactions If a user is assigned a role that excludes an action in NotActions, and is assigned a second role that grants access to the same action, the user is allowed to perform that action. NotActions is not a deny rule – it is simply a convenient way to create a set of allowed actions when specific actions need to be excluded.

NYY Permission required for login: Microsoft.Compute/virtualMachines/login/action User has Microsoft.Compute/virtualMachines/*

following this https://learn.microsoft.com/en-us/azure/role-based-access-control/overview#how-azure-rbac-determines-if-a-user-has-access-to-a-resource evaluation is for user over a resource once deny is defined - you cannot overdrive it regardless of how much allow actions are added no-no-no

No - has only Role1 which forbids deletion Yes - Role2 allows it No - No data actions

How Roles are Processed Aggregation: Azure RBAC aggregates all the Actions and NotActions from the roles assigned to the user. Most Restrictive Wins: Any action explicitly denied (NotActions) by any role will be denied, regardless of other roles granting that action. No Order or Priority: There is no specific order in which roles are processed, nor is there a predefined priority among roles. The system evaluates the combined set of permissions and applies the most restrictive policy. This cumulative and restrictive evaluation ensures that any specific denial of permissions (NotActions) is respected, thereby providing a secure and predictable access control mechanism.

You need "dataActions": [ "Microsoft.Compute/virtualMachines/login/action", "Microsoft.HybridCompute/machines/login/action" ], to be able to login a vm

As per this: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/control-plane-and-data-plane Logging into the server is an action on the data plane for which the user 3 does not have permission. So no for User 3 logging into the VM Overall: No, Yes, NO

Box1: User1 can delete VM1 - No User1 only has Role1, and Roles has notActions of VM delete. Box2: User2 can delete VM - Yes User2 has both Role1 and Role2 assigned. Role2 gives User2 the ability to delete VM. Box3: User3 can sign in to VM by using Azure AD credentials - No To be able to sign in to VM by using Azure AD credentials, User3 needs to have either Virtual Machine Administrator Login or Virtual Machine User Login. Those logins have actions defined in the dataActions section. For example, Microsoft.Compute/virtualMachines/login/action provides Log in to a virtual machine as a regular user. In both Role1 and Role2, the dataActions is not defined.

Box1: User1 can delete VM1 - No User1 only has Role1, and Roles has notActions of VM delete. Box2: User2 can delete VM - Yes User2 has both Role1 and Role2 assigned. Role2 gives User2 the ability to delete VM. Box3: User3 can sign in to VM by using Azure AD credentials - No To be able to sign in to VM by using Azure AD credentials, User3 needs to have either Virtual Machine Administrator Login or Virtual Machine User Login. Those logins have actions defined in the dataActions section. For example, Microsoft.Compute/virtualMachines/login/action provides Log in to a virtual machine as a regular user. In both Role1 and Role2, the dataActions is not defined.

Y, Y, N USER 1 CAN DELETE THE VM AS THEY HAVE THE RIGHT TO DO SO AS PER THE WILDCARD IN THE 'ACTIONS' SECTION. WHEN THERE IS A CONFLICT BETWEEN 'ACTIONS' AND 'NOT ACTIONS' THE PRIOR ALWAYS WINS. THIS IS NOT LIKE ALLOW/DENY WHERE DENY ALWAYS WINS OUT DURING A CONFLICT. USER 2 CAN DO SO AS WELL AS THE PERMISSIONS CLEARLY STATE. USER 3 CANNOT AUTHENTICATE TO THE VM WITH AZURE BECAUSE THE ROLES DO NOT HAVE THE PERMISSIONS SET TO DO THIS.

On exam 7/8/23. NYN for me.

No YEs NO

NYN is the answer. https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions#notactions If a user is assigned a role that excludes an action in NotActions, and is assigned a second role that grants access to the same action, the user is allowed to perform that action. NotActions is not a deny rule – it is simply a convenient way to create a set of allowed actions when specific actions need to be excluded.

I tried to replicate this scenario in my lab and I got No for all three options. However maybe I was missing something and I'm wrong. I created 2 custom roles with the same permissions and assigned them to the users, none of them even could see the VM. Then I assigned them Reader role and tried again but I was not able to either delete or login to the VM with either of these three users.

I think N-N-Y. "Deny assignments block users from performing specific Azure resource actions even if a role assignment grants them access." - https://learn.microsoft.com/en-us/azure/role-based-access-control/deny-assignments

NO YES NO