Exam AZ-500 All QuestionsBrowse all questions from this exam
Go to Exam
Question 464

HOTSPOT -

You need to delegate the creation of RG2 and the management of permissions for RG1.

Which users can perform each task? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

    Correct Answer:

    Box 1: Admin3 only -

    The Contributor role has the necessary write permissions to create the resource group.

    Box 2: Admin4 only -

    You need Owner level access to be able to manage permissions. The Contributor role can do most things but cannot modify permissions on existing objects.

Discussion
Patchfox

Answer two is not correct. Admin 1 (User Access Administrator = can manage User access to resources) can also set permissions on the resource group 1 because of the inheritance

waqas

Mentioned Answer is correct. Admin1 is AD role and here we are talking abt RBAC so Admin1 .i.e User Admin. cannot modify permissions on existing objects. Hence 1) Admin3 2) Admin4

waqas

I take back my comment. User access admin. is also a RBAC apart from main 03 roles, however i am not sure wether Admin1 that has User access admin role will be right or not......

TJ001

I agree with you

kanag1

Agree. The answer must be : Box1: Admin3 Only Box2: Admin1 and Admin4 only

Ajdlfasudfo0

Box2: Admin1 only, Admin 4 is owner only for RG1

JL15546

1) Admin 3 2) Admin 1 and Admin4 User Access Administrator : Manage user access to Azure resources https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

nqwang

Box 1: Create RG2 - Admin3 Only. 1. Admin4 is Owner in RG1, so Admin4 doesn't have any permission on RG2, so option3 to option 5 are wrong. 2. Admin2 is Security Administrator, it has "View and update permissions for Microsoft Defender for Cloud. " not have permission to create resource group. https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles Box 2: Manage RG1 permissions - Admin1 and Admin4 only. 1. Admin1 is User Access Administrator, it can manage user access to Azure resource. So Admin1 should be selected. 2. Admin3 is Contributor, it does not allow to assign roles in Azure RBAC, so Admin3 should not be selected. 3. Admin2 is Security Administrator, it is for Microsoft Defender for Cloud, so Admin2 should not be selected.

wsrudmen

Perfect!

koreshio

correct, thanks

zellck

1. Admin 3 2. Admin 1 and Admin4 only https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#user-access-administrator Lets you manage user access to Azure resources.

erikdran

In exam today. Only 52 questions including this case study, no lab. Easier than I thought.

rockyc05

In Exam , 31st Jan 23 54 Question 1 Case Study No Simulation

rockyc05

In Exam , 31st Jan 23 54 Question 1 Case Study No Simulation

Eltooth

Admin 3 Admin 1 and Admin 4

Jimmy500

Tricky part of question is where it asks how can create resource group2 as we see owner role exists in under only rg1 that is why Admin4 can not create rg2 as he has this right under only rg1 , instead Admin3 who has Contributor role under Subscription can do it but we must know that it can not manage permissions.User access admin can manage permissions for Azure resource and Owner of resource can manage permissions here that is why for the box2 answer will be Admin 1 and Admin4 . For the box-1 Admin 3 only BR

2c7fd04

Taking test in less than 2hrs...thank you.

wardy1983

Box 1: Admin3 only - The Contributor role has the necessary write permissions to create the resource group. Box 2: Admin1 and 4 only -

haitao1234

For 2nd box, should be user 1 and user 4. User Access Administrator Lets you manage user access to Azure resources.

TheProfessor

Box1: Admin3 only Box2: Admin1 and Admin4 Only User Access Administrator (Which is Admin1) can: Manage user access to Azure resources Assign roles in Azure RBAC Assign themselves or others the Owner role Link: https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles

hello2tomoki

What is the user access administrator role in azure? When you elevate your access, you will be assigned the User Access Administrator role in Azure at root scope ( / ). This allows you to view all resources and assign access in any subscription or management group in the directory.

heatfan900

TO CREATE AN RG: OWNER or CONTRIBUTOR To create a resource group in Azure, you need to have the appropriate permission on the subscription level. There are two built-in roles that can do this: Owner and Contributor. However, these roles also grant many other permissions that may not be necessary or desirable for your scenario. If you want to create a custom role that only allows creating resource groups, you can use the Azure PowerShell cmdlet TO MANAGE THE RBAC PERMISSIONS: OWNER FROM MICROSOFT: -The Owner grants full access to manage all resources, including the ability to assign roles in Azure RBAC. -The Contributor Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. -Role Based Access Control Administrator allows one to manage access to Azure resources by assigning roles using Azure RBAC. This role does not allow you to manage access using other ways, such as Azure Policy.

massnonn

agree with patchfox Box2: Admin1 and Admin4 only The User Access Administrator role enables the user to grant other users access to Azure resources.

Nick66

Azure AD and Azure resources are secured independently from one another. That is, Azure AD role assignments do not grant access to Azure resources, and Azure role assignments do not grant access to Azure AD. However, if you are a Global Administrator in Azure AD, you can assign yourself access to all Azure subscriptions and management groups in your directory. Use this capability if you don't have access to Azure subscription resources, such as virtual machines or storage accounts, and you want to use your Global Administrator privilege to gain access to those resources. When you elevate your access, you will be assigned the User Access Administrator role in Azure at root scope (/). This allows you to view all resources and assign access in any subscription or management group in the directory. https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin

FaTDawG

Given answers are correct. Without explicit permissions on the subscription (Which the role can grant, but would need to be in place) the User Access Administrator cannot modify RBAC on an object which just having that role on the Tenant Root Management Group.

VonKellus

I tested it, and assigned User access Administrator at the root mgmt group and it allows the user to edit rbac on existing resources without explicit sub permissions. Permission show ing inherited from mgmt group