D. https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps "You can assign a role to a user, group, service principal, or managed identity. " App1 has service principal. https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal

The Contributor role can be assigned to any Azure resource, including users, groups, service principals, and managed identities. • Group1 is a dynamic device security group in Azure AD. Dynamic groups are not role-assignable, so Group1 cannot be assigned the Contributor role for VM1. • Managed1 is a managed identity. Managed identities can be assigned the Contributor role for VM1. • VM1 is a virtual machine. Virtual machines can be assigned the Contributor role for themselves. • App1 is an enterprise application in Azure AD. Enterprise applications can be assigned the Contributor role for VM1. Therefore, the only resources that can be assigned the Contributor role for VM1 are Managed1, VM1, and App1.

Answer is A; You can assign a role to a user, group, service principal, or managed identity. This is also called a security principal. https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps#step-1-determine-who-needs-access Cannot be a dynamic group; https://learn.microsoft.com/en-us/azure/active-directory/roles/groups-concept#how-are-role-assignable-groups-protected

Tested, D is correct

Tested. When creating a group, if you choose dynamic user "Microsoft Entra roles can be assigned to the group" option turns to NO automatically. So when you eliminate group1, answer is A.

You can assign Contributor/Reader or any Subscription role to User, Group, Managed Identity and Service Principle. Correct Answer in this case is "Group1 and Managed1 Only"

D. https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps "You can assign a role to a user, group, service principal, or managed identity. "

Correct answer is A role-assignable groups is limited to AD Azure roles https://learn.microsoft.com/en-us/azure/active-directory/roles/groups-concept#restrictions-for-role-assignable-groups

https://learn.microsoft.com/en-us/azure/active-directory/roles/groups-concept Only Global Administrators and Privileged Role Administrators can create a role-assignable group. The membership type for role-assignable groups must be Assigned and can't be an Azure AD dynamic group.Automated population of dynamic groups could lead to an unwanted account being added to the group and thus assigned to the role.

Confirmed in my lab. I think VM1 in D should change to VM2 though.

Answer is D

Tested for user, group, VM and App. All of them can be assigned Contributor role for VM.

This question is weird, because it should have a choice for: Managed ID, App1 and VM. Dynamic Entra Sec Groups cannot have roles assigned, all the other can have. The closet answer to truth is A.

Difference between Azure AD roles and Azure RBAC is as follows: RBAC can have a User, group, or service principal, Managed identity (group nesting is allowed and the group can dynamic as well Azure AD roles only users and groups (group nesting is not allowed as soon as you enable entra roles can be enabled the membership type greys out to assign and group nesting is not allowed. Here contributor is a RBAC role not azure ad role

Answer: D Explanation: Confirmed in my lab. I think VM1 in D should change to VM2 though.

Correct answer is A

what is the correct answer?