
AZ-800 Exam - Question 72


You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant. The domain contains two servers named Server1 and Server2.

A user named Admin1 is a member of the local Administrators group on Server1 and Server2.

You plan to manage Server1 and Server2 by using Azure Arc. Azure Arc objects will be added to a resource group named RG1.

You need to ensure that Admin1 can configure Server1 and Server2 to be managed by using Azure Arc.

What should you do first?

Correct Answer: B

To ensure that Admin1 can configure Server1 and Server2 to be managed by using Azure Arc, the first step is to assign Admin1 the Azure Connected Machine Onboarding role for the resource group RG1. This role grants the necessary permissions to onboard the machines to Azure Arc. Admin1 needs to have these permissions within the Azure environment before they can generate and execute any onboarding scripts required to configure the servers for Azure Arc management.
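The role assignment the answer describes, as an added example using the Az PowerShell module (not code from the exam page or from Microsoft's onboarding script). It assumes `Connect-AzAccount` has already been run with the right subscription selected, and that Admin1's synced user principal name is the placeholder shown; it grants the role at resource-group scope only and then checks that nothing broader (Owner, Contributor) is also in effect for that user.

```powershell
# Added example (not from the exam page): scope the Azure Connected Machine
# Onboarding role to RG1 for Admin1 and verify it with the Az PowerShell module.
# Assumptions: Connect-AzAccount already run, subscription context set, and the
# UPN below is a placeholder for Admin1's account as synced into Entra ID.
param(
    [string]$ResourceGroupName = 'RG1',
    [string]$UserPrincipalName = 'admin1@contoso.example',   # placeholder UPN
    [string]$RoleName          = 'Azure Connected Machine Onboarding'
)

# 1. Admin1 must exist as a synced identity in Entra ID before any Azure RBAC
#    role can be assigned; a purely local server account cannot receive one.
$user = Get-AzADUser -UserPrincipalName $UserPrincipalName
if (-not $user) {
    throw "No Entra ID user found for $UserPrincipalName; check the AD DS sync scope."
}

# 2. Show the role's permitted actions so the reader sees how narrow the grant is
#    (onboarding only; reonboard/delete belong to Resource Administrator).
$role = Get-AzRoleDefinition -Name $RoleName
$role.Actions | ForEach-Object { Write-Output "Allowed action: $_" }

# 3. Assign at resource-group scope only, and only if not already present.
$rg = Get-AzResourceGroup -Name $ResourceGroupName
$existing = Get-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName $RoleName -Scope $rg.ResourceId
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName $RoleName -Scope $rg.ResourceId | Out-Null
}

# 4. Verify: list every assignment Admin1 holds at or above RG1 (inherited
#    subscription-level grants included) and flag anything broader than needed,
#    which the onboarding docs advise against for the onboarding account.
$assignments = Get-AzRoleAssignment -ObjectId $user.Id -Scope $rg.ResourceId
foreach ($a in $assignments) {
    $flag = if ($a.RoleDefinitionName -in 'Owner', 'Contributor') { '  <- broader than onboarding needs' } else { '' }
    Write-Output ("{0,-40} {1}{2}" -f $a.RoleDefinitionName, $a.Scope, $flag)
}
```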

Discussion

29 comments
MiMojo (Option: A)
Apr 20, 2023

The Answer is "A". Hear me out. The question asks that "Admin1", a user account, has the appropriate permissions. The role of Azure Connected Machine Onboarding can only be assigned to a service principal, as confirmed by the link given to justify the wrong answer. Admin1 cannot be assigned this role, it's impossible, check it for yourself. Admin1, as a local server admin, has all the rights he/she needs. The correct answer is "A", generate a new onboarding script. One can onboard more than one server with the same script. Onboarding two certainly doesn't impose an administrative burden to use this method.

phi3nix
May 1, 2023

This is the correct answer. 1. I tested this in a lab. 2. Documentation: https://learn.microsoft.com/en-us/azure/azure-arc/servers/onboard-portal

---snap--- You can enable Azure Arc-enabled servers for one or a small number of Windows or Linux machines in your environment by performing a set of steps manually. Or you can use an automated method by running a template script that we provide. This script automates the download and installation of both agents. This method requires that you have administrator permissions on the machine to install and configure the agent. On Linux, by using the root account, and on Windows, you are member of the Local Administrators group. --snap--

phi3nix
May 1, 2023

A is the answer!

phi3nix
May 1, 2023

A is the answer!

SantaClaws
Dec 3, 2023

It's not exclusive to service principals. But more importantly, Option A simply doesn't satisfy the requirement of the question. The question is not how to add resources to RG1. The question is explicitly about ensuring that Admin1 has the correct permissions. So option A can be completely disregarded as a possibility, because it's answering a completely different question.

JPO2021
Sep 22, 2024

OBS: "Admin1" is a user in AD DS, and a member of the local Administrators group on Server1 and Server2. AD DS is a domain that syncs with an Azure Active Directory (Azure AD) tenant. Answer is B: "Assign Admin1 the Azure Connected Machine Onboarding role for RG1".

Bojana (Option: B)
May 11, 2022

correct

airfrog
Jul 15, 2022

I think B is incorrect. You can only assign the "Azure Connected Machine Onboarding" role to Service Principals, not users; so you can't assign it to Admin1. I think A is correct. You just need to generate an onboarding script for a local admin to run. You also need to know the ID and Secret of the Service Principal which is assigned the "Azure Connected Machine Onboarding" role in order to run the script, but that isn't mentioned in the question.

bastien95
Jul 18, 2022

https://docs.microsoft.com/en-us/azure/azure-arc/servers/prerequisites: "To onboard machines, you must have the Azure Connected Machine Onboarding or Contributor role for the resource group in which the machines will be managed."

DonChevoDeLaPaca
Jul 20, 2023

The "Azure Connected Machine Onboarding" role can be assigned to users: https://learn.microsoft.com/en-us/azure/azure-arc/servers/security-overview "Users as a member of the Azure Connected Machine Resource Administrator role can read, modify, reonboard, and delete a machine. This role is designed to support management of Azure Arc-enabled servers, but not other resources in the resource group or subscription."

miminya
Jun 17, 2022

correct

Burnie
Nov 9, 2022

B: To limit the privilege of a user and only allow them to onboard servers to Azure, the Azure Connected Machine Onboarding role is suitable. This role can only be used to onboard servers and cannot reonboard or delete the server resource. Make sure to review the Azure Arc-enabled servers security overview for more information about access controls. https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/hybrid/arc-enabled-servers/eslz-identity-and-access-management

PrasadMP
Jan 15, 2023

B: correct

syu31svc (Option: B)
Mar 21, 2023

From the link provided: "You will need to have the Azure Connected Machine Onboarding role or the Contributor role for the resource group of the machine." B is the answer.

Shnash
Jul 29, 2023

1st point: on-prem AD is synced with Azure AD. 2nd point: Admin1 looks like an AD user account which is already available in Azure AD, and which is also a member of the local Admin group on both servers. 4th point: we need to onboard multiple servers, and in order to avoid interaction with the script we need to have a service principal, which is Admin1, and it should have the Onboarding role before we create, download and run the script. So option "B" makes sense.

tomasek88 (Option: A)
Aug 7, 2023

A is correct, because Admin1 is a local account.

afridi43 (Option: C)
Sep 16, 2023

To ensure that Admin1 can configure Server1 and Server2 to be managed by using Azure Arc, you should perform the following steps: C. Hybrid Azure AD join Server1 and Server2.

afridi43
Sep 16, 2023

1. Hybrid Azure AD Join: When you hybrid Azure AD join Server1 and Server2, it means that these on-premises servers become part of both your on-premises Active Directory Domain Services (AD DS) domain and your Azure Active Directory (Azure AD) tenant. This is a fundamental requirement for Azure Arc because it establishes the necessary identity integration between your on-premises environment and Azure. 2. Azure Arc Connectivity: Once the servers are hybrid Azure AD joined, you can then proceed to configure Azure Arc for these servers. Azure Arc allows you to manage on-premises servers as if they were Azure resources. Azure Arc-enabled servers can be managed, configured, and monitored from the Azure portal. The other options mentioned (A, B, and D) are not the first steps you should take in this scenario:

NazerRazer (Option: B)
Oct 19, 2023

So the correct answer is: B. Assign Admin1 the Azure Connected Machine Onboarding role for RG1. Having a local admin account on the server is helpful for running scripts and performing server-level tasks, but it's the Azure role and the onboarding process that grant the necessary permissions to configure the server for Azure Arc management. So, a local admin account is a component of the process but not sufficient on its own to perform the Azure Arc onboarding action. You need the proper Azure role assigned to enable the integration between the local server and Azure Arc. Here's why the option is not the first step. A. From the Azure portal, generate a new onboarding script: This is typically done after you've assigned the necessary role permissions to the user. You generate the script to onboard the machines once the user has the required permissions.

RickySmith (Option: B)
Dec 26, 2023

B. Assign Admin1 the Azure Connected Machine Onboarding role for RG1. https://learn.microsoft.com/en-us/azure/azure-arc/servers/prerequisites#required-permissions and https://learn.microsoft.com/en-us/azure/azure-arc/servers/onboard-service-principal (refer to point 2).

RemmyT (Option: B)
Jun 20, 2024

Tested in lab: Admin1 without the Azure Connected Machine Onboarding role assigned on RG1 is unable to onboard any server to Azure. It is also unable to see any machine in Azure Arc | Machines and, as a result, cannot manage any server. After assigning it the Azure Connected Machine Onboarding role on RG1, Admin1 can see all the machines in Azure Arc, can manage the servers and can onboard the servers with the generated script. Note: "Follow best security practices and avoid using an Azure account with Owner access to onboard servers. Instead, use an account that only has the Azure Connected Machine onboarding or Azure Connected Machine resource administrator role assignment. See Azure Identity Management and access control security best practices for more information." https://learn.microsoft.com/en-us/azure/azure-arc/servers/onboard-portal

RemmyT
Jun 20, 2024

"You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant." That means Admin1 is synced into Entra ID and we can assign him the role Azure Connected Machine Onboarding on RG1 (where all Azure Arc servers will reside).

Krayzr (Option: B)
Jul 4, 2024

B. Reason: Azure Arc allows you to manage your servers as if they are running in Azure. To onboard a machine to Azure Arc, the user needs the Azure Connected Machine Onboarding role. This role gives the user the necessary permissions to register the machine with Azure Arc. In this case, Admin1 needs to be assigned this role for the resource group RG1, so they can configure Server1 and Server2 to be managed by Azure Arc. The other options do not directly address the requirement of enabling Admin1 to configure the servers with Azure Arc. Therefore, option B is the most appropriate first step.

starseed
Sep 16, 2024

answer is B

MR_Eliot
Sep 21, 2023

Answer is B. "UserA" is a domain user, who is added to the local administrator group. Prerequisites: "Consider the following basic requirements when planning your deployment:

- Your machines must run a supported operating system for the Connected Machine agent.
- Your machines must have connectivity from your on-premises network or other cloud environment to resources in Azure, either directly or through a proxy server.
- To install and configure the Azure Connected Machine agent, you must have an account with elevated privileges (that is, an administrator or as root) on the machines.
- To onboard machines, you must have the >>Azure Connected Machine Onboarding Azure built-in role<<.
- To read, modify, and delete a machine, you must have the Azure Connected Machine Resource Administrator Azure built-in role."

Link: https://learn.microsoft.com/en-us/azure/azure-arc/servers/plan-at-scale-deployment#prerequisites

Tayhull2023
Apr 16, 2025

I don't see anywhere in this question where it says that User1 is a "domain user". He is just a local administrator on the servers. There is no sync between his account and ADDS or Azure. "A user named Admin1 is a member of the local Administrators group on Server1 and Server2."

MR_Eliot (Option: B)
Sep 21, 2023

B is the answer.

fabilo (Option: A)
Oct 20, 2023

A is the right one

Payday123
Nov 15, 2023

Is Admin1 a local user or domain user added to local admins?

boapaulo
Dec 14, 2023

Selected Answer: B. Generating a new integration script in the Azure portal is an important step in adding servers to Azure Arc, but it's not the first step when it comes to ensuring that a specific user, such as Admin1, has permission to configure the servers to be managed by Azure Arc. The first step is to ensure that Admin1 has the necessary permissions within the Azure environment. This is done by assigning the correct role to the user. In the case of Admin1, assigning the Azure Connected Machine Integration role to resource group RG1 is essential for them to be able to perform the required actions in Azure Arc. Once Admin1 has the proper permissions, they can then proceed with generating and running the integration script to add Server1 and Server2 to Azure Arc.

SIAMIANJI (Option: B)
Apr 30, 2024

To ensure that Admin1 can configure Server1 and Server2 to be managed by using Azure Arc, you should first assign Admin1 the necessary permissions in Azure, specifically the Azure Connected Machine Onboarding role for the resource group RG1. Therefore, the correct answer is: B. Assign Admin1 the Azure Connected Machine Onboarding role for RG1.

SIAMIANJI (Option: B)
May 22, 2024

To ensure that Admin1 can configure Server1 and Server2 to be managed by using Azure Arc, the first step should be to assign Admin1 the appropriate role that grants the necessary permissions to onboard machines to Azure Arc. Specifically, Admin1 needs the Azure Connected Machine Onboarding role for the resource group RG1. Here’s the correct step to take: B. Assign Admin1 the Azure Connected Machine Onboarding role for RG1. This role grants the necessary permissions to onboard servers to Azure Arc, allowing Admin1 to generate the required onboarding script and complete the onboarding process.

nawtitoo (Option: B)
May 30, 2024

With the appropriate role assigned to Admin1 in the RG1 resource group, Admin1 will have the necessary permissions to configure Server1 and Server2 to be managed by Azure Arc.

sardonique
Aug 12, 2024

Admin1 is an on-premises account; it does not exist in Azure AD, therefore it cannot be assigned any role within the Azure portal. Admin1 has enough power to configure Server1 and Server2 though. So A is the answer IMO.

JPO2021
Sep 22, 2024

"(AD DS) domain that 'syncs' with an Azure Active Directory tenant" ... (Admin1 exists in Azure AD). Answer is B.

004b54b (Option: A)
Sep 18, 2024

https://learn.microsoft.com/en-us/azure/azure-arc/servers/onboard-portal#install-with-the-scripted-method

Install with the scripted method:
1. Log in to the server.
2. Open an elevated PowerShell command prompt. > local admin rights are required but sufficient
3. Change to the folder or share that you copied the script to, and execute it on the server by running the ./OnboardingScript.ps1 script.

JPO2021 (Option: B)
Sep 22, 2024

"Admin1" is a user in AD DS, and a member of the local Administrators group on Server1 and Server2. AD DS is a domain that syncs with an Azure Active Directory (Azure AD) tenant. Answer is B: "Assign Admin1 the Azure Connected Machine Onboarding role for RG1".

Ksk08
Oct 28, 2024

Correct answer: B

ltkiller (Option: B)
Jan 28, 2025

Link from Phi3nix: https://learn.microsoft.com/en-us/azure/azure-arc/servers/onboard-portal states it's also best practice, and that ends the discussion right there! "Follow best security practices and avoid using an Azure account with Owner access to onboard servers. Instead, use an account that only has the Azure Connected Machine onboarding or Azure Connected Machine resource administrator role assignment. See Azure Identity Management and access control security best practices for more information." Role rights: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles (search for: Azure Connected Machine Onboarding).

RobBot (Option: D)
Mar 5, 2025

Although it does say the domain is synced, the question doesn't mention whether Admin1 is a domain account. Best practice is for privileged users to have separate cloud-only admin accounts, so D?