Exam AZ-104 All QuestionsBrowse all questions from this exam
Go to Exam
Question 77

HOTSPOT -

You have an Azure Active Directory (Azure AD) tenant that contains three global administrators named Admin1, Admin2, and Admin3.

The tenant is associated to an Azure subscription. Access control for the subscription is configured as shown in the Access control exhibit. (Click the Access

Control tab.)

You sign in to the Azure portal as Admin1 and configure the tenant as shown in the Tenant exhibit. (Click the Tenant tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

    Correct Answer:

    Box 1: No -

    Only Admin3, the owner, can assign ownership.

    Box 2: Yes -

    Box 3: No -

    Reference:

    https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/add-change-subscription-administrator

Discussion
mlantonis

Correct Answer: Azure (RBAC) and Azure AD roles are independent. AD roles do not grant access to resources and Azure roles do not grant access to Azure AD. However, a Global Administrator in AD can elevate access to all subscriptions and will be User Access Administrator in Azure root scope. All 3 users are GA (AD) and Admin3 is owner of the subscription (RBAC). Admin1 has elevated access, so he is also User Access Admin (RBAC). To assign a user the owner role at the Subscription scope, you require permissions, such as User Access Admin or Owner. Box 1: Yes Admin1 has elevated access, so he is User Access Admin. This is valid. Box 2: Yes Admi3 is Owner of the Subscription. This is valid. Box 3: No Admin2 is just a GA in Azure AD scope. He doesn’t have permission in the Subscription. Reference: https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal-subscription-admin

Takloy

Unless configure the elevated access for Admin 2 right? making admin2 user access administrator.

schvantz

crystal clear

kastanov

Global Administrators can create resource groups in the subscription. How you work like this in your?

franekfranek

I'm not sure if Microsoft guys are aware of this elevated access to be honest lol

Grande

They surely know, and it was done for many reasons .As you must be a Global Admin to have the elevation ability. so its assume if you are a GA you are qualified

ashish2201

Answer is correct, tested in Lab 1. No : Admin1 is a Global Administrator at Tenant which does not give it permission on subscription therefore cannot assign Owner Roles 2. Yes : Admin 3 is Global Administrator + Owner of Subscription therefore can assign Owner role to other user. 3. NO : Admin2 is Global Administrator for Tenant and do not have any rights on Subscription thereofore cannot create resources in it.

ashish2201

Kindly ignore my previous comment, below is the correct one 1. Yes : Admin1 is a Global Administrator at Tenant which does not give it permission on subscription but as per exibit it has taken control to manage access to all Azure subscriptions therefore it now has access to manage subscription therefore can assign role to other users. 2. Yes : Admin 3 is Global Administrator + Owner of Subscription therefore can assign Owner role to other user. 3. NO : Admin2 is Global Administrator for Tenant and do not have any rights on Subscription therefore cannot create resources in it.

Praveen66

Even if your a global administrator at the Tenant level you can grant the access of owner to any other user to in tenant for the subscription. Simple example is the default account through which you have registered is global admin, if you have created another user account you can very well assign a owner role to him for a sub

mihir25

ANSWER IS YES YES NO VERIFIED AND DONE R&D DON'T WASTE MUCH TIME

Aquintero

La respuesta simple es: si, si, no.

LGWJ12

Excelente , tambien pienzo lo mismo ,despues de leer casi todos los comentarios.

itguyeu

I used free version access for this site and it helped me pass the exam. Some questions that I had on the exams, I took the exam more than once, are not available under the free tier access, but 80% of the questions came from here. I do recommend investing a bit of money and getting full access to this site. I didn't memorise answers but analysed them and studied as Microsoft does tweak them a bit. This Q was on the exam.

RanaYasirAleem

Admin1 can add Admin 2 as an owner of the subscription. Yes: Admin1 is a global administrator, and based on the tenant settings, global administrators can manage access to all Azure subscriptions and management groups in this directory. Admin3 can add Admin 2 as an owner of the subscription. Yes: Admin3 is already assigned the "Owner" role for the subscription. An owner has full access, including the ability to assign roles to other users. Admin2 can create a resource group in the subscription. Yes: Admin2 is a global administrator. Global administrators have the highest level of permissions in Azure AD and can manage all aspects of the directory and subscription.

SofiaLorean

Answer should be : Yes Yes No

3c5adce

I believe the more recent and tested answer which is YYN

3c5adce

Answer is YYN

sjsaran

As same as Admin 1, why can't admin 2 take Access management for Azure resources, as admin 2 is also a global admin

Makoporosh

The answer is NYN: Global Administrators in Azure AD have the highest level of access in the Azure Active Directory, allowing them to manage users, groups, and other directory-related functions. However, this role does not automatically grant them access to manage Azure subscriptions and resources within those subscriptions.

Nateramj

My thought here is Box1:Admin1 even with Global admin permissions, User Administrator refers to the 365 admin console, and not Azure resources. They would need RBAC control to the subscription in the form of User Access Admin/Owner to add themselves to be able to add RBAC controls for others-NO is correct Box 2:Admin 3 is an Owner of the subscription, subsequently meaning the ability to add RBAC controls for other Admins-YES is the correct Answer Box 3: whilst Admin 2 is a GA they do not possess the correct RBAC role for the subscription resource meaning they cannot hand out permissions-Correct answer is NO

_gio_

YES YES NO Admin3 can elevate his permissions but in this question only Admin 1 has elevated his permissions

tashakori

No no no

allyou

I tested them in the lab, the answers are Y, Y, Y. the questions are somewhat nuanced, if I rephrase it like this: is the AdminX user capable/has the possibility of... It becomes obvious to answer with Y, Y, Y because Admin2 can elevate access like Admin1 to control the subscription. https://learn.microsoft.com/fr-fr/azure/role-based-access-control/elevate-access-global-admin

Trs223333

Yes, Yes, and No

Nicknamefordiscussions69

Yes, yes, no