You have an Azure subscription that contains the identities shown in the following table.
User1, Principal1, and Group1 are assigned the Monitoring Reader role.
An action group named AG1 has the Email Azure Resource Manager Role notification type and is configured to email the Monitoring Reader role.
You create an alert rule named Alert1 that uses AG1.
You need to identity who will receive an email notification when Alert1 is triggered.
Who should you identify?
The alert rule is set to use the action group AG1, which is configured to email the Monitoring Reader role. Both User1 and User2 will receive the email notification. User1 is directly assigned the Monitoring Reader role, while User2 inherits this role through membership in Group1, which is assigned the Monitoring Reader role. Managed identities, such as Principal1 and Principal2, do not have associated email addresses and thus cannot receive email notifications. Therefore, emails will only be sent to Azure AD user members of the Monitoring Reader role directly or through group membership, making User1 and User2 the recipients.
Correct Answer: C Email will only be sent to Azure AD user members of the Monitoring Reader role. Email will not be sent to Azure AD groups or service principals. Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/action-groups https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups#email-azure-resource-manager-role
Did you actually test this? The question doesn't involve sending an email to a group but is instead concerned with role assignment inheritance from the group. The link you're all posting isn't necessarily relevant. User 2 should inherit the role assignment from the group, you can easily validate that in the portal. I am waiting out the 24hr lag period before testing. Alert group scoped to email on VM creation or deletion, one user assigned role directly and one via group. Will report back.
result?
Thanks for this Info
Agree answer C: Email Azure Resource Manager Role Send email to the members of the subscription's role. Email will only be sent to Azure AD user members of the role. Email won't be sent to Azure AD groups or service principals.
When you set up the Resource Manager role: Assign an entity of type User to the role. Make the assignment at the subscription level. Make sure an email address is configured for the user in their Azure AD profile.
Answer is D. AG sends to users that have 'reader' role, User2 inherits that role through Group1 membership.
I'm agree
Hello agree. Hope you're doing well.
Anwser c: User1 only Can't be true, just send 10 seconds reading this from MS Docs: https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups#email-azure-resource-manager-role Only the users in the Manager Role receive the email alert, not the group members or Principals.
You should not confuse group email (generated on group creation) with individual emails for group members.
Folks that do say it's D are saying that's the answer because User 2 inherits Manager Role through Group 1. The AG is configured to send alert on the role which User 2 will have.
why does this have 6 upvotes?
Now 8? Yall, this person is wrong. No where in that documentation does it say "not the group ***members*** or Principals." It does however say "The email is only sent to Azure Active Directory user members of the selected role, not to Azure AD ***groups*** or service principals."
Correct answer is D. I have tested it in a lab. Logic of this alert is very simple. User1 received an email because he is directly assigned to the Monitoring Reader role (which is in Action group). User2 received alert because he has the same role as a User1, because he inherited this role from the Group1 assignment. It means, that notification was received not because Group1 was selected as a target of notifications in AG1 (1. Cuz it's not; 2. Group can't be assigned as an email receiver, because groups physically have no emails. Service Principals also can't have email address), but because of AG1 condition is set for Monitoring Reader role. Email was sent to User2, because User2 has the same role as a User1. Even if User1 is assigned directly and User2 inherit this role from his Group in AAD.
Tested in lab, correct answer is D.
Managed identities (such as Principal1 and Principal2) do not have associated email addresses and cannot receive email notifications. Therefore, only Azure AD users who are part of the Monitoring Reader role and have valid email addresses will receive the email notifications.
D is correct
Tested in lab, correct answer is D. User2 inherits the role from Group1, hence he will also receive an email besides User1.
mlantonis Highly Voted 2 years, 6 months ago Correct Answer: C Email will only be sent to Azure AD user members of the Monitoring Reader role. Email will not be sent to Azure AD groups or service principals.
Things changes alot in Azure within 2 years, Im still confused whether its C or D but since someone has more like doesn't mean right answer .
User1 and User2 are Azure AD users. User1 is directly assigned the Monitoring Reader role, and User2 is a member of Group1, which is also assigned the Monitoring Reader role. However, since emails are not sent to groups, we would not consider User2 despite their membership in Group1. Furthermore, since emails are not sent to service principals (like Principal1 and Principal2), they would also not receive the email. Thus, only the direct user members of the Monitoring Reader role will receive the email. Based on the information provided: The correct answer is: C. User1 only
User2 has Monitoring Reader role
Yes. That is exactly what everyone who puts C forward as the right answer needs to understand: User2 has Monitoring Reader role and WILL receive that email...
This might have changed or is depricated, but now for Entra it is "Email Azure Resource Manager When you use Azure Resource Manager for email notifications, you can send email to the members of a subscription's role. Email is sent to Microsoft Entra ID user or group members of the role. This includes support for roles assigned through Azure Lighthouse." https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups
When you use Azure Resource Manager for email notifications, you can send email to the members of a subscription's role. Email is sent to Microsoft Entra ID user or group members of the role. https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups#email-azure-resource-manager
Email Azure Resource Manager role - Send an email to the subscription members, based on their role. A notification email is sent only to the primary email address configured for the Microsoft Entra user. - The email is only sent to Microsoft Entra ID user members of the selected role, not to Microsoft Entra groups or service principals. https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups#email-azure-resource-manager-role:~:text=Fields-,Email%20Azure%20Resource%20Manager%20role,-Send%20an%20email https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/monitor#monitoring-reader
C is correct Check mlantonis links. Email will only be sent to Azure AD user members of the Monitoring Reader role. Email will not be sent to Azure AD groups or service principals. A user has to be assigned that role hence User 1 is. User 2 (We are not told that this user was assigned) is a member of a group that has the role enabled, but that doesn't mean that User 2 has that role.
mail will only be sent to Azure AD user members of the Monitoring Reader role. Email will not be sent to Azure AD groups or service principals.
Makes sure the email addresses added to the group are AAD user members not any groups, see Email Azure Resource Manager role for more info. If the members not receiving emails are not in a group and indeed member roles at the subscription level, then your issue will require more investigation.
"Send an email to the subscription members, based on their role. A notification email is sent only to the primary email address configured for the Azure AD user. The email is only sent to Azure Active Directory user members of the selected role, not to Azure AD groups or service principals. See Email." https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups#email-azure-resource-manager-role