Exam AZ-305
Question 209

HOTSPOT


You have two Azure AD tenants named contoso.com and fabrikam.com. Each tenant is linked to 50 Azure subscriptions. Contoso.com contains two users named User1 and User2.

You need to meet the following requirements:

• Ensure that User1 can change the Azure AD tenant linked to specific Azure subscriptions.

• If an Azure subscription is linked to a new Azure AD tenant, and no available Azure AD accounts have full subscription-level permissions to the subscription, elevate the access of User2 to the subscription.

The solution must use the principle of least privilege.

Which role should you assign to each user? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

    Correct Answer:

Discussion
zellck

1. Owner
2. Owner

https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory#before-you-begin

Before you can associate or add your subscription, do the following steps:
- Sign in using an account that: Has an Owner role assignment for the subscription.

NotMeAnyWay

User1: b. Owner
User2: b. Owner

For User1 who needs to change the Azure AD tenant linked to specific Azure subscriptions, they need to be assigned the role of "Owner". This is because to change the Azure AD tenant linked to a subscription, the user must have enough permissions, which are available at the Owner level.

For User2 who needs to have the access elevated to the subscription if no available Azure AD accounts have full subscription-level permissions to the subscription, they need to be assigned the "Owner" role as well. This role provides full access to all resources, including the right to delegate access to others. In this scenario, the "Owner" role would allow User2 to gain access to the subscription in the absence of any other account with full permissions.

upwork

From ChatGPT: An Azure AD Service Administrator role is designed to manage users, groups and other resources within an Azure AD tenant. While they can manage the users and groups, they don't have the permission to move a subscription from one tenant to another. To move a subscription from one tenant to another, you need to have the "Subscription Owner" or "Global Administrator" role within the Azure AD tenant to which you want to move the subscription.

So I think the answer should be "Owner" x 2

upwork

Not sure about the GPT answer, but I find this link useful:

https://learn.microsoft.com/en-us/azure/role-based-access-control/classic-administrators

It suggests the answer would be the Service Admin and the Co-Admin in the old-school days, but today perhaps we should rely on the Owner's role.

sawanti

Both Service Administrator and Co-something are legacy roles and will be retired, hence Microsoft will NEVER intentionally mark them as a correct answer. Owner is the only valid answer

VBK8579

Owner Owner

tfulanchan

There are only four "Azure roles", and "Owner" is the only "role" in the answers, the other two are "Classic subscription administrator". The Service Administrator and Co-Administrators are assigned the Owner role at the subscription scope. https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles#azure-roles

ageorgieva

User1: Owner
User2: Co-administrator

The reason it is co-admin is that it states that the user should be able to elevate access, which can be done with the admin role.

https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin?tabs=azure-portal

Lazylinux

Given answer is correct, Owner-Owner or Global admin but GA is not part of the solution

randy0077

owner owner is correct answer.

MichaelMelb

User1: Service Admin

Service Admin fits all the requirements, whereas Owner has more than the required permissions.

"By default, for a new subscription, the Account Administrator is also the Service Administrator. The Service Administrator has the equivalent access of a user who is assigned the Owner role at the subscription scope. The Service Administrator has full access to the Azure portal."

https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles

User2: Owner

Trillionairejeffe

1. Service administrator
2. Co-administrator

Reference: https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles#classic-subscription-administrator-roles

sawanti

Both roles are LEGACY roles. Do you really believe that Microsoft is proposing something that it takes them years to retire? Both roles will be retired on August 31, 2024 (https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles)

betterthanlife

- Co-Administrator "can't change the association of subs to Azure AD directories" so it's out.
- Given that the tenants & some subs exist then, & since we live in the real world (as strange as it's become) & there's no mention otherwise, & given the options we can presume User 1 to have the Service Administrator role, which provides full access to the Azure portal.
- Given "elevate the access" is a requirement for User, the only deduction in this whole madness of stupidity mess possible is Owner.

https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles

ctlearn

Service Administrator and Co-Administrator are classic subscription roles that have the equivalent access of a user who is assigned the Owner role at the subscription scope. The answer for both is Owner. https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles

RandomNickname

Based on the requirements in the question given answer looks correct to me.

OPT_001122

Owner Owner

LeeVee

Service Administrator and Co-Administrator were classic subscription roles. The equivalent of these two roles in current role assignments is Owner. So I think the answer is correct. You don't want to use classic RBAC, as Microsoft will move away from these classic roles in the future. Do a bit of future-proofing on this.

Mo22

The answer is correct to me: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory

Kernelv5

They are talking about the Owner role: The Service Administrator and Co-Administrators are assigned the Owner role at the subscription scope. Applies to all resource types.