Exam AZ-104 All QuestionsBrowse all questions from this exam
Go to Exam
Question 75

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.

Solution: You assign the Reader role at the subscription level to Admin1.

Does this meet the goal?

    Correct Answer: B

    Assigning the Reader role at the subscription level to Admin1 does not meet the goal. The Reader role provides read-only access to resources, which allows viewing information but not configuring or enabling features such as Traffic Analytics. To enable Traffic Analytics, Admin1 would need the Network Contributor, Contributor, or Owner role, which have the necessary permissions to configure and manage network resources.

Discussion
asmodeusOption: A

Traffic Analytics requires the following prerequisites: A Network Watcher enabled subscription. Network Security Group (NSG) flow logs enabled for the NSGs you want to monitor. An Azure Storage account, to store raw flow logs. An Azure Log Analytics workspace, with read and write access. Your account must meet one of the following to enable traffic analytics: Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or network contributor.

visave

As per your description the answer is A. could you please paste the source of the information.

Nicodebian

https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq

visave

got it. https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq#:~:text=Your%20account%20must%20meet%20one,%2C%20reader%2C%20or%20network%20contributor.

MountainW

The key is to enable, not to use. The article is about to use. The answer is not correct.

JayBee65

The requirements above state.. Your account must meet one of the following to ***enable**** traffic analytics: Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, ***reader***, or network contributor. So it is correct

jot2

The article is wrong in this case. I tried it out. A user with Reader role can't enable Traffic Analytics.

NadirM_18

According to this link, they can enable Traffic Analytics: https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics

xMilkyMan123

https://github.com/MicrosoftDocs/azure-docs/issues/77499 Dont believe everything you read on the internet. Go and test things for yourself. Even Microsoft official articles can misword things sometimes

juniorccs

I agree with you

IAGirl

Pls don't believe everything you read on the internet! To Enable Traffic Analytics your account must be a member of one of the following Azure built-in roles: Owner, Contributor, Reader, Network Contributor or you can create a custom role with the following actions at the subscription level: "Microsoft.Network/applicationGateways/read" "Microsoft.Network/connections/read" "Microsoft.Network/loadBalancers/read" "Microsoft.Network/localNetworkGateways/read" "Microsoft.Network/networkInterfaces/read" "Microsoft.Network/networkSecurityGroups/read" "Microsoft.Network/publicIPAddresses/read" "Microsoft.Network/routeTables/read" "Microsoft.Network/virtualNetworkGateways/read" "Microsoft.Network/virtualNetworks/read" "Microsoft.Network/expressRouteCircuits/read" https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics TESTED

mbaybarsk

That's not what the link you've provided say anymore: It now refers to "access" which is not the same thing as "enable".

Chang401

agree we can enable TA. use the below link for answer. https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq#what-are-the-prerequisites-to-use-traffic-analytics-

mlantonisOption: A

Correct Answer: A - Yes Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or network contributor. Reader role - View all resources, but does not allow you to make any changes. Traffic Analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Traffic analytics analyzes Network Watcher network security group (NSG) flow logs to provide insights into traffic flow in your Azure cloud. Reference: https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics#user-access-requirements https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

xupiter

"Reader role - View all resources, but does not allow you to make any changes." So that means this role doesn't allow you to enable traffic analytics. So it cannot be "Yes".

Mozbius_

Yet it is "Yes". You can blame Microsoft for the confusion. https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq

GoldenDisciple2

According to Microsoft, the sky is up, but the answer is down. To Microsoft, the ocean is wet but the answer is dry, the desert is dry but on the exam you must select wet or you'll get it wrong... According to Microsoft, the air in space is breathable... Let me explain. The earth has breathable air and the earth is in space, therefor, the air in space is breathable...

shahidsayyed

You should try standup comedy as an alternative career. Got into wrong profession.

hercu

I think the answer is correct as it's assumed that the prerequisites to use traffic analytics are already met. Refering to: https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq#what-are-the-prerequisites-to-use-traffic-analytics- As a result, as stated just few lines below, all following roles: Owner, Contributor, Reader, or Network Contributor are sufficient to enable Traffic Analytics.

3ba6d0bOption: B

Assigning the Reader role at the subscription level to Admin1 does not meet the goal. The Reader role provides read-only access to Azure resources, which allows viewing information but not configuring or enabling features like Traffic Analytics. To enable Traffic Analytics, Admin1 would need more permissions, typically provided by roles such as Network Contributor or Contributor. These roles allow configuring network resources and settings necessary to enable Traffic Analytics.

Annie_5Option: B

It seems reader role cannot enable traffic analytics. It can view it.

_gio_Option: B

No as explained here: https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics

MatsaneOption: B

No, assigning the Reader role to Admin1 does not meet the goal. The Reader role only provides read-only access to resources and does not grant the necessary permissions to enable Traffic Analytics. To enable Traffic Analytics, Admin1 requires the Network Contributor role or a higher role like the Contributor or Owner role, which grants the necessary permissions to configure and manage network resources, including Traffic Analytics. You should assign the Network Contributor role (or a higher role) at the subscription level to Admin1 to meet the goal.

amurp35Option: B

Please see the actual doc: https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics#prerequisites Reader role is not enough: One of the following Azure built-in roles needs to be assigned to your account: Deployment model Role Resource Manager Owner Contributor Network contributor 1 and Monitoring contributor 2

SofiaLoreanOption: B

B. No Assigning the Reader role at the subscription level to Admin1 does not meet the goal of enabling Traffic Analytics for an Azure subscription. The Reader role has permissions to view resources but does not allow for any write operations, which are required to enable Traffic Analytics. To enable Traffic Analytics, Admin1 would need to be assigned a role that has write permissions, such as the Owner, Contributor, or a custom role with specific permissions for Traffic Analytics

SinopsysHKOption: B

Hello, seems that there was a typo in Azure documentation and Reader (read only, cannot make any change) cannot enable Traffic Analytics: cf https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics#prerequisites "One of the following Azure built-in roles needs to be assigned to your account: Owner, Contributor, Network contributor,and Monitoring contributor" Hence answer is B.

pverma20Option: B

Correct Answer - No (Confirmed, check below documentation) If you enable Traffic Analytics for sure, it require some write access to capture and write the logs. We need to be Logical. https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics Prerequisites Traffic analytics requires the following prerequisites: A Network Watcher enabled subscription. For more information, see Enable or disable Azure Network Watcher. NSG flow logs enabled for the network security groups you want to monitor or VNet flow logs enabled for the virtual network you want to monitor. For more information, see Create a flow log or Enable VNet flow logs. An Azure Log Analytics workspace with read and write access. For more information, see Create a Log Analytics workspace. One of the following Azure built-in roles needs to be assigned to your account: Expand table Deployment model Role Resource Manager Owner Contributor Network contributor 1 and Monitoring contributor 2

MelKrOption: B

According to current documentation B is correct. https://learn.microsoft.com/en-us/azure/network-watcher/required-rbac-permissions#traffic-analytic: "Since traffic analytics is enabled as part of the Flow log resource, the following permissions are required in addition to all the required permissions for Flow logs". I believe that the permission "Microsoft.Network/networkWatchers/configureFlowLog/action" is not part of the Reader role. Also, "Microsoft.OperationalInsights/workspaces/sharedkeys/action" is not in the Reader role.

frvrOption: B

https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics#prerequisites:~:text=Deployment%20model-,Role,-Resource%20Manager

3c5adceOption: B

No. Access but not enable.

3c5adceOption: B

NO - to enable Traffic Analytics for an Azure subscription, Admin1 should be assigned the Network Watcher Contributor or Owner, Contributor, User Access Administrator, Security Administrator

6f80f6cOption: B

Answer is B, NO. supporting : https://learn.microsoft.com/en-us/answers/questions/1330227/what-role-is-required-to-be-enabled-at-subscriptio

Nushin

Owner Contributor Network contributor 1 and Monitoring contributor 2

Jobalos009Option: B

The answer is B https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics