
AZ-301 Exam - Question 14


Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription named Project1. Only a group named Project1admins is assigned roles in the Project1 subscription. The Project1 subscription contains all the resources for an application named Application1.

Your company is developing a new application named Application2. The members of the Application2 development team belong to an Azure Active Directory (Azure AD) group named App2Dev.

You identify the following requirements for Application2:

✑ The members of App2Dev must be prevented from changing the role assignments in Azure.

✑ The members of App2Dev must be able to create new Azure resources required by Application2.

✑ All the required role assignments for Application2 will be performed by the members of Project1admins.

You need to recommend a solution for the role assignments of Application2.

Solution: In Project1, create a resource group named Application2RG. Assign Project1admins the Owner role for Application2RG. Assign App2Dev the Contributor role for Application2RG.

Does this meet the goal?

Correct Answer: A

Assigning the Project1admins the Owner role for Application2RG and App2Dev the Contributor role for Application2RG meets the goals. The Contributor role grants the App2Dev team the ability to create new Azure resources required by Application2 without the ability to change role assignments, aligning with the requirement to prevent App2Dev members from changing role assignments. The Owner role given to Project1admins allows them to manage role assignments as required. Therefore, this solution addresses all the outlined requirements.
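
A simplified model of how Azure RBAC evaluates the two assignments in this solution, including the subscription-scope operations raised in the discussion below. This is an added example, not part of the exam material: the subscription ID, resource names and the `is_allowed` helper are constructed, the Contributor NotActions list is abridged to its first three entries, and deny assignments are not modeled.

```python
from fnmatch import fnmatchcase

# Built-in role definitions, abridged: the real Contributor role lists
# further NotActions beyond the three authorization-related ones shown.
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {"actions": ["*"], "not_actions": [
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/elevateAccess/Action"]},
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed ID
RG = SUB + "/resourceGroups/Application2RG"

# Only the assignments proposed in the solution: (group, role, scope).
ASSIGNMENTS = [("Project1admins", "Owner", RG), ("App2Dev", "Contributor", RG)]

def _matches(patterns, action):
    # Action strings are compared case-insensitively; '*' is a wildcard.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _in_scope(assigned, target):
    # An assignment is inherited by everything beneath its scope, never above.
    a, t = assigned.lower(), target.lower()
    return t == a or t.startswith(a + "/")

def is_allowed(group, action, target, assignments=ASSIGNMENTS):
    """True if an assignment for `group` covers `target` and permits `action`."""
    for who, role, scope in assignments:
        if who != group or not _in_scope(scope, target):
            continue
        role_def = ROLES[role]
        if _matches(role_def["actions"], action) and not _matches(role_def["not_actions"], action):
            return True
    return False

def evaluate():
    ra = RG + "/providers/Microsoft.Authorization/roleAssignments/constructed-id"
    vm = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
    return {
        "dev_creates_vm": is_allowed("App2Dev", "Microsoft.Compute/virtualMachines/write", vm),
        "dev_assigns_role": is_allowed("App2Dev", "Microsoft.Authorization/roleAssignments/write", ra),
        "admin_assigns_role": is_allowed("Project1admins", "Microsoft.Authorization/roleAssignments/write", ra),
        "dev_registers_provider": is_allowed("App2Dev", "Microsoft.Compute/register/action", SUB),
        "dev_creates_other_rg": is_allowed("App2Dev", "Microsoft.Resources/subscriptions/resourceGroups/write", SUB + "/resourceGroups/OtherRG"),
    }
```

The last two results are the subscription-scope cases argued over in the comments: a resource-group-scoped assignment does not reach provider registration or a second resource group.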

Discussion

36 comments
Anindya
Aug 1, 2019

Should be yes, as access can be provided at RG level as well

spidy
May 25, 2020

The answer is no, because the Resource Group Owner will not have permission to register for Azure Resource Provider which will need Subscription Level access. Contributor can create any resource that is already registered in Azure Resource Provider however not the ones that are not. So this is the tricky part of this question. https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types

juri
Jun 25, 2020

thanks, spidy, for this insight! really deep. initially voted for yes, now switching to no.

TinyTrexArmz
Jul 26, 2020

I too agree with Spidy. The requirements say that App2Dev be able to create all resources needed without defining what those requirements are. So you must assume any and all resource types. You cannot do this without having contributor role at the subscription level in order to register a new Azure Resource Provider. Thanks Spidy for writing that up. It was helpful

aMaineCloud
Jul 30, 2020

Exactly!! Resource/RG like NetworkWatcher need subscription level access. App2Dev with contributor role to just that RG will not be able to create this resource.

tmurfet
Aug 31, 2020

Q: How did the resource owner register Application1? A: They must already have Subscription Level access. So the answer is still yes.

kiwi123
Jun 24, 2021

quite reasonable, agree

deepak
Aug 16, 2019

should be yes. recommended solution is creating RG over Subscription unless you have certain needs like applying policies where subscription is a better solution

KaiW
Aug 22, 2019

I think the answer should be 'yes' too. unless there are some other groups have owner / contributor access in the subscription and they don't want them to be able to access the RG?

Ekramy_Elnaggar
Jan 8, 2020

it should be A , as it is fulfilling the requirements

chan76
Aug 1, 2019

why the answer is not yes?

onlyfunmails
Jan 4, 2020

The members of the Application2 development team belong to an Azure Active Directory (Azure AD) group named App2Dev App2 users are belong to differ AD, as we can have one AD attached to any subscription, we have make use of other subscription to support this new AD users.

Famous_Guy
Apr 28, 2020

Where do you see ??? "App2 users are belong to differ AD". correct ans is - YES

kasemz
May 3, 2020

the members of the Application2 development team belong to an Azure Active Directory (Azure AD) group named App2Dev.

Avanade2023
May 10, 2020

Do you mean "the App2Dev is in a different Azure AD"?, cannot you consider "the App2Dev is a Azure AD group in the same Tenant"?

tartar
Sep 18, 2020

A is ok

Harvard
Aug 5, 2020

This is so wrong. Different group doesn't mean different AD

tartar
Sep 18, 2020

A is ok

Screebie
Aug 1, 2019

Why is this no?

teresam
Oct 23, 2019

Should be yes..

akamal
Jun 1, 2020

it should be yes, because if we considered app2dev belongs to different AD tenant, this means that project1admins group isn't available on this new AD tenant which isn't the case here on this question

Jake__
Nov 8, 2019

"You have an Azure subscription named Project1. Only a group named Project1admins is assigned roles in the Project1 subscription. The Project1 subscription contains all the resources for an application named Application1." It then changes the application to app2, doesn't tell us what subscription it's in, so how would we know if it's in subscription 1 or another? We don't, hopefully if question is on exam it elaborates these details.

azlearn
Jan 22, 2020

I think because of this statement " The members of App2Dev must be able to create new Azure resources required by Application2" the answer is NO, if you assign App2Dev group Contributor for only RG, they are limited only to that RG.

mykolaantoniv
Feb 11, 2020

Subscription's owner can create resources in the particular Subscription. It is enough for other resources required by Application2

RiteshAg
Jun 13, 2020

A contributor role assigned to RG will allow to create any resource within RG. Only constraint will be that the people in this role will not be able to create any resource outside of the RG which is not the case here.

Rajuuu
Apr 24, 2020

The Answer is Yes…Using a Single Subscription , one can create 2 resource group and assign the Contributor role to the new Resource group.. https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/govern/resource-consistency/governance-multiple-teams

Neetiniti
Jul 18, 2020

Answer:-A. Yes, If you assign the Contributor role to an application at the resource group scope, it can manage resources of all types in that resource group, but not other resource groups in the subscription. https://docs.microsoft.com/en-us/azure/role-based-access-control/overview

dumbu
Aug 1, 2020

I tend to agree with the No reason the subscription has "Only a group named Project1admins is assigned roles in the Project1 subscription". App2Dev is part of diff AD group so it must be in diff subscription.

toja1234
Sep 28, 2020

No is correct. The DevTeam should be able to create ALL Resources required for Application2. This could include a new ResourceGroup, which is not possible if its on RG level. We need a new Subscription.

pradjhun
Dec 13, 2019

"Only a group named Project1admins is assigned roles in the Project1 subscription." this statement says no other group can be assigned role in Project1 subscription so how we achieve this with RG

Ekramy_Elnaggar
Jan 17, 2020

This is not a requirement, it is a description of the current status

bolbol
Feb 12, 2020

it's wrong, as the user cannot create resources that requires the creation of another resource groups like network watcher

DJ_IL
Mar 11, 2020

Should be a Yes

Jt909
Apr 6, 2020

To me it's Yes as clearly defined here (just 20/25 minutes to read all the examples) https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/govern/resource-consistency/governance-multiple-teams

rpasrija
Apr 8, 2020

should be Yes

milind8451
May 15, 2020

Tested in lab. In my views "Yes" is right ans.

cj93s3
Aug 12, 2020

if this question comes up, i am going with yes

cozzy
Sep 26, 2020

The answer is yes, read the requirements properly, there is nothing saying it has to be in a different subscription, this may be a "recommended" practice but is not a requirement of this solution.. the correct answer is yes

AhmedAL
Oct 30, 2020

answer should be A

glam
Jan 29, 2021

A. Yes

kondapaturi
Nov 6, 2019

Yes is also right..not sure why it is No. Because RBAC can be applied on Resource group also.

P0d
May 31, 2020

In a question there is no requirement for the different subscription. So we can create app2 in same subscription and assign proj1 admins as the owner of App2RG. and assign App2Dev group as contributor. The answer should be Yes.

yilpiz
Jun 7, 2020

I think it should be yes. App2Dev has only Contributor role which satisfy the requirements of not being able to change assignment and being able to create resources in RG2

kumar123
Jun 11, 2020

My vote is also yes. "Only a group named Project1admins is assigned roles in the Project1 subscription" - They did not mention anything about AD for Project1admins. For this reason they are recommending to create a subscription? not sure.

mtb123
Jun 16, 2020

They do not share resources, so a contributor would not be able to create these resources in a single subscription. The answer is correct. If it was implied that they use the same resources then they could be created in the same subscription and app 2users would then be given contributor access. But that's not the case so the answer is correct.

jonnybugaloo
Jun 23, 2020

I agree it should be Yes. There is no mention about different AD tenant, so, we can't consider this as an eliminatory point. The explicit requirements are: The members of App2Dev must be prevented from changing the role assignments in Azure. - Contributor role doesn't allow this The members of App2Dev must be able to create new Azure resources required by Application2. - Contributor role allows this All the required role assignments for Application2 will be performed by the members of Project1admins. - Owner can do this Contributor - Can create and manage all types of Azure resources but can't grant access to others. Owner - Has full access to all resources including the right to delegate access to others. https://docs.microsoft.com/en-us/azure/role-based-access-control/overview

HemantArora
Jun 27, 2020

If I read this carefully, the ask is App2Dev group should be able to create any resource required for the app- which could include RG as well and if you are limiting this to RG, it would defy the objective

am20
Jun 27, 2020

agree with you. depends how important is each person point of view for the following two items, answer can be either yes or no 1. With provided solution, App2Dev are restricted to use only one (Application2)RG for their app. so if they need more RG, the answer can be No. otherwise, the answer can be Yes 2. May not be as critical as the first point, but now 2.a: "Project1admins" is not the only group in Project1 Subscription 2.b: Project1 Subscription now contains more resources than just application1 if subscription is used as a way to isolate app1 and app2, then the answer can be no, otherwise, answer is yes

DeveshSolanki
Jun 26, 2020

Yes should be

Andy_Lee
Jul 22, 2020

Should be yes. It fulfills the request

eug45
Jul 26, 2020

the answer is A.

sanketshah
Jan 1, 2021

A is correct

varunthakur84
Mar 9, 2021

Correct answer is YES Access can be granted at subscription as well as RG levels In this question main point to set right role (owner/contributor) to the correct ADD group. Owner - can do user assignment Contributor can create new resources

omth
Sep 28, 2021

jfhkjw