AZ-500 Exam - Question 136

D. https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps "You can assign a role to a user, group, service principal, or managed identity. " App1 has service principal. https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal

The Contributor role can be assigned to any Azure resource, including users, groups, service principals, and managed identities. • Group1 is a dynamic device security group in Azure AD. Dynamic groups are not role-assignable, so Group1 cannot be assigned the Contributor role for VM1. • Managed1 is a managed identity. Managed identities can be assigned the Contributor role for VM1. • VM1 is a virtual machine. Virtual machines can be assigned the Contributor role for themselves. • App1 is an enterprise application in Azure AD. Enterprise applications can be assigned the Contributor role for VM1. Therefore, the only resources that can be assigned the Contributor role for VM1 are Managed1, VM1, and App1.

Answer is A; You can assign a role to a user, group, service principal, or managed identity. This is also called a security principal. https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps#step-1-determine-who-needs-access Cannot be a dynamic group; https://learn.microsoft.com/en-us/azure/active-directory/roles/groups-concept#how-are-role-assignable-groups-protected

You can assign Contributor/Reader or any Subscription role to User, Group, Managed Identity and Service Principle. Correct Answer in this case is "Group1 and Managed1 Only"

Tested. When creating a group, if you choose dynamic user "Microsoft Entra roles can be assigned to the group" option turns to NO automatically. So when you eliminate group1, answer is A.

Tested, D is correct

Answer is D

Confirmed in my lab. I think VM1 in D should change to VM2 though.

https://learn.microsoft.com/en-us/azure/active-directory/roles/groups-concept Only Global Administrators and Privileged Role Administrators can create a role-assignable group. The membership type for role-assignable groups must be Assigned and can't be an Azure AD dynamic group.Automated population of dynamic groups could lead to an unwanted account being added to the group and thus assigned to the role.

Correct answer is A role-assignable groups is limited to AD Azure roles https://learn.microsoft.com/en-us/azure/active-directory/roles/groups-concept#restrictions-for-role-assignable-groups

D. https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps "You can assign a role to a user, group, service principal, or managed identity. "

what is the correct answer?

Correct answer is A

Answer: D Explanation: Confirmed in my lab. I think VM1 in D should change to VM2 though.

Difference between Azure AD roles and Azure RBAC is as follows: RBAC can have a User, group, or service principal, Managed identity (group nesting is allowed and the group can dynamic as well Azure AD roles only users and groups (group nesting is not allowed as soon as you enable entra roles can be enabled the membership type greys out to assign and group nesting is not allowed. Here contributor is a RBAC role not azure ad role

This question is weird, because it should have a choice for: Managed ID, App1 and VM. Dynamic Entra Sec Groups cannot have roles assigned, all the other can have. The closet answer to truth is A.

Tested for user, group, VM and App. All of them can be assigned Contributor role for VM.