HOTSPOT
-
You have an Azure subscription that contains the users shown in the following table.
The groups are configured as shown in the following table.
You have a resource group named RG1 as shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Just tested in my Azure test environment. Answer is: 1. No 2. No 3. Yes Don't know where rpalanivel83 got his answers from
me too but... where you found yours instead?
Nesting is currently not supported for groups that can be assigned to a role. and the screen grab shows that the groups are assigned a role as YES. Answers are correct
Just test and did not have your results. 1- Yes 2- No 3- No
agree, i tested first point is yes, 2&3 Office 365 not supporting membership
My test had this results too
Confirmed by ChatGPT4
All 3 statements tested: Yes It is possible to add Group2 to Group1, after checking the effective access the user in Group2 is owner. No M365 groups cant be added to membership of another group Yes the statement is not complete but if it states to assign the role to Group3 directly it is possible
i'm going with Y,N,Y also Group nesting of Sec groups is possible. Nesting of a M365 group to a Sec group is however not possible.
they are azure ad role enabled. nesting is not supported
There is a difference with adding a group and assigning a role by adding a group.
The first is NO. Role assignment property that can only be used with Plan 1 and Plan 2, it was just created to not allow erroneous nesting of permission roles. Without it you can use any group to assigned role and nesting, but taking the risk.
I tested and confirm it
I have tested this and I am not sure where you guys are getting Y N N. When you assign Group1 to RG1 as Owner, the members of Group1 (in this case User1) will have Owner access. When you assign Group2 to Group1 and check access for User2, this user doesn't inherit the access from Group1. When you try to assign User3 as the owner of RG1 by adding Group3 as a member of Group1 you simply can't, the option is greyed out and it tells you M365 groups are not supported. If you assign Group3 the Owner role directly on RG1, User3 will then inherit the access. It is supported, do not mistake thinking M365 groups cannot be assigned access levels via IAM. So the correct answer is N, N, Y. Do yourself a favor and ignore everyone saying anything else.
1. Yes: you can use nested security group to assign RBAC roles in Azure (don't confuse this with Entra) - tested and verified in the lab 2. No: you can not nest Microsoft 365 group in a security group (it will be grayed out) 3. Yes: you can assign an owner role directly to a Microsoft 365 group in Azure
Yes - Nesting is indeed possible for Azure RBAC, not to be confused to Entra Id RBAC. No. Microsoft 365 groups cannot be nested under a security group in Entra Id. No Microsoft 365 groups cannot be added in Role assignment in Azure.
That's is the correct one!
@@@@@ Answers @@@ 1. Yes { Support nested roles} 2. No {M365 dont support nested roles} 3. No { M365 dont support Azure Owner roles}
1. NO 2. NO 3. YES Group nesting isn't supported. A group can't be added as a member of a role-assignable group. https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/groups-concept#restrictions-for-role-assignable-groups
YNY Y - One group can be added as a member of another group, and you can achieve group nesting. Adding Group2 into Group1 will grant User2 Owner access. N - Microsoft 365 Groups are not supported in a nested configuration so permissions won't apply. Y - Microsoft 365 Groups support role assignment in AAD. https://learn.microsoft.com/en-us/entra/identity/users/directory-service-limits-restrictions
I was wrong here, see my updated answer.
Just tested this again for a sanity check. It's YNY. Adding security groups to security groups does pass on ownership rights BUT M365 groups cannot be added to security groups. However they can be made owners of the Resource Group.
1. NO 2. NO 3. YES Group nesting isn't supported. A group can't be added as a member of a role-assignable group. https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/groups-concept#restrictions-for-role-assignable-groups
1. N - Adding as a member to a group won't inherit/share access privileges. 2. N - Adding as a member to a group won't inherit/share access privileges. 3. Y
well first one is yes second one is no cuz the group3 type is not security so it can not be used for the assigning roles in azure RBAC. last one is yes if you want to modify the assigning role to the user3 as the owner and assign the group3 as the security type then of course in th RG1 you can assign user3 the owner role by assigning the owner role to group3 . i tested but here in this site there are many questions which are wrong so you have to test by yourself before proceeding to the answer.
point to note: group => assign anything to GROUP => inherit anything about group => all false => because of Nested-Group Inheritance is currently not support
1. N - Adding as a member to a group won't inherit/share access privileges. 2. N - Adding as a member to a group won't inherit/share access privileges. 3. Y
No No Yes
Given answer is right
Who knows if they truly test it? We don't need to trust anyone, only documentation is truly trustable. The answer is No No Yes for this simple reason: Adding groups as members of a role-assignable group is not supported. So we don't need to understand nested group assignment or everything else. Those group has role-assignable set to true, so this group can't have other groups inside of it. So the first 2 are false because you can't. https://learn.microsoft.com/en-us/entra/fundamentals/how-to-manage-groups#add-or-remove-a-group-from-another-group