Exam AZ-104 topic 2 question 77 discussion

Actual exam question from Microsoft's AZ-104
Question #: 77
Topic #: 2

HOTSPOT

You have three Azure subscriptions named Sub1, Sub2, and Sub3 that are linked to an Azure AD tenant.

The tenant contains a user named User1, a security group named Group1, and a management group named MG1. User is a member of Group1.

Sub1 and Sub2 are members of MG1. Sub1 contains a resource group named RG1. RG1 contains five Azure functions.

You create the following role assignments for MG1:

• Group1: Reader
• User1: User Access Administrator

You assign User the Virtual Machine Contributor role for Sub1 and Sub2.

Comments

Shadowner
Highly Voted 1 year, 6 months ago
Personally I think it's YYN.
1) GROUP1 Reader access, provides access to view all items, except secrets https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#reader
2) To assign the OWNER role, you need either the Owner role or User Administrator Access Role https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal-subscription-admin#prerequisites
3) Neither User Access Admin Role nor the Reader Role allows creating new resources. https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps
upvoted 65 times
Slimus
1 year, 4 months ago
3rd - Yes. It says "You assign User the Virtual Machine Contributor role for Sub1 and Sub2."
upvoted 4 times
090200f
4 months ago
neither and nor.. so not able to create new resources
upvoted 1 times
...
Simplon
6 months, 2 weeks ago
No, User has only the Virtual Machine Contributor role for Sub1 and Sub2 but not to create a new RG before.
upvoted 2 times
...
[Removed]
1 year ago
No, User1 cannot create a new resource group and deploy a virtual machine to the new group. While User1 has the User Access Administrator role at the management group level (MG1), this role does not grant the user permissions to create resource groups or deploy virtual machines directly. The User Access Administrator role allows User1 to manage access to Azure resources but does not provide the necessary permissions for resource creation or deployment. To create a new resource group and deploy a virtual machine, User1 would need appropriate permissions at the subscription or resource group level, such as the Contributor role. In this scenario, User1 has been assigned the Virtual Machine Contributor role for Sub1 and Sub2, so they have the necessary permissions to work within those specific subscriptions but not at the management group or Azure AD tenant level.
upvoted 7 times
...
...
Chris76
1 year, 5 months ago
Group1 is not said to be under MG1. And not associated with any subscriptions. So why do you think the first answer is Y?
upvoted 4 times
AN79
1 year, 5 months ago
It clearly states Group1 is assigned Reader role at the MG1 Scope
upvoted 13 times
...
...
Indy429
9 months, 3 weeks ago
I agree
upvoted 2 times
...
...
garmatey
Highly Voted 1 year, 6 months ago
So a User Access Administrator can't create new resource groups but they can assign a user with the Owner role, and the user with the Owner role *can* create new resource groups? I feel like I'm missing something.
upvoted 16 times
josola
11 months, 3 weeks ago
That's why there are data breaches. A user doesn't have direct to create resources, but that account to give access to another account to create a resource (give owner role). It happens all the time.
upvoted 1 times
...
ajdann
1 year, 1 month ago
That is exactly the point of User Access Administrator
upvoted 1 times
...
skeleto11
1 year, 3 months ago
The owner role can create resource groups, but in this case he owns only one Resource Group called RG1, so he cannot create new groups.
upvoted 1 times
...
sardonique
1 year ago
it is not odd, access is always logged, so if the user access administrator were to perform shady stuff, his activity would be traceable
upvoted 1 times
...
...
SeMo0o0o0o
Most Recent 1 month ago
CORRECT
upvoted 1 times
...
etrop
1 month, 4 weeks ago
I'm going to say NYN here. 1.) No because even though the user has reader if you try to go and actually view the configuration of the function in the portal with this you don't see much. In fact what you do see is mostly an error or some fields that have names, but not any of their values and even the fields are wrong in most cases so N, the user needs a data level access perm to see the configuration itself. It can see the function for sure, it can see all of its data plane settings yes, but not its configuration. 2.) Y Because the user has User Access Administrator so can see it. 3.) N Because the user can't create a new resource group with those perms.
upvoted 1 times
...
3c5adce
4 months, 3 weeks ago
ChatGPT4 says all yes
upvoted 1 times
Mentalfloss
2 months, 2 weeks ago
ChatGPT appears to be wrong quite often.
upvoted 4 times
...
...
3c5adce
4 months, 4 weeks ago
All are YES / TRUE - vetted out by ChatGPT4 on 05/10/24
A - The Group1 members can view the configurations of the Azure functions.
B - User1 can assign the Owner role for RG1.
C - User1 can create a new resource group and deploy a virtual machine to the new group.
upvoted 1 times
GlixRox
3 months, 2 weeks ago
User1 doesn't have contributor or owner roles for any level. VM contributor is specifically just for VM deployment, so while they can deploy a new VM, it can NOT deploy a *new* resource group, only a VM to the already existing RG1, since it is a contributor at the sub1 level which is 1 level above RG1, giving it inherited role permissions.
upvoted 2 times
...
...
Wassel_Laouini
5 months ago
Is it just me or did the information given about User not serve any purpose? The questions are only about User1.
upvoted 1 times
...
Amir1909
6 months, 2 weeks ago
Given answer is right
upvoted 1 times
...
18c2076
6 months, 3 weeks ago
Azure provides the following Azure built-in roles for authorizing access to App Configuration data using Microsoft Entra ID: Reader: Use this role to give read access to the App Configuration resource. This does not grant access to the resource's access keys, nor to the data stored in App Configuration. In short: Reader role is sufficient to view the configurations - just not the data that lives inside them.
upvoted 1 times
etrop
1 month, 4 weeks ago
Try it. Once I created a function I was not able to view the configuration with that user. It showed some fields, but not their values and even the fields it got all wrong. This is because reader is not good enough to see configuration which is a data level thing.
upvoted 1 times
...
...
1828b9d
7 months, 1 week ago
This question was in exam 01/03/2024
upvoted 3 times
...
Amir1909
7 months, 3 weeks ago
Correct Yes Yes No
upvoted 1 times
...
User65567473
7 months, 4 weeks ago
Was on exam 11/2/2024
upvoted 4 times
...
MGJG
1 year, 1 month ago
YYN 3.- Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor
upvoted 1 times
...
oopspruu
1 year, 1 month ago
People here are not paying attention to a clever wording of the question. "User1" and "User" are 2 different users. Read the question again. User1 is independent and User is a part of Group1. So YYN is true.
upvoted 2 times
jackill
1 year, 1 month ago
Regarding the sentences “User is a member of Group1.” and “You assign User the Virtual Machine Contributor role for Sub1 and Sub2.”. It is very strange the presence of "User" user... usually all the questions have a number in the users names (User1, User2, …). It could be a typo… but also in this case (User -> User1) the correct response will be YYN, because User1 is always User Access Administrator at MG1 level that contains Sub1 and RG1. And also having User1 the Virtual Machine Contributor role, does not give him permission to create a resource group as requested by the third statement (it requires the Microsoft.Resources/subscriptions/resourceGroups/write permission).
upvoted 4 times
...
...
blackwhites
1 year, 3 months ago
Answer YYN

"The Group1 members can view the configurations of the Azure functions." - True. As Group1 members have Reader access at the management group level, they can view all resources in the management group, including the Azure functions in RG1.

"User1 can assign the Owner role for RG1." - True. As a User Access Administrator for MG1, User1 can manage access to all resources in the management group. This includes assigning any role, including the Owner role, to any resource within MG1, which includes RG1.

"User1 can create a new resource group and deploy a virtual machine to the new group." - False. The Virtual Machine Contributor role allows User1 to manage virtual machines, but it does not provide permissions to create new resource groups. Additionally, User Access Administrator and Reader roles do not grant permission to create resources or resource groups. To perform this task, User1 would need to be assigned a role with resource creation permissions, such as the Contributor role.
upvoted 8 times
...
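The scope inheritance and action matching argued over in this thread can be modeled offline. The block below is an added example, not part of the original discussion or of any Azure tooling. Assumptions: the role `Actions` lists are abbreviated subsets of the built-in definitions, statement 1 is modeled as the control-plane read `Microsoft.Web/sites/read`, and NotActions, data actions and deny assignments are ignored. The holder of the Virtual Machine Contributor role is a parameter so that both readings of "User" can be checked.

```python
from fnmatch import fnmatchcase

# Abbreviated Actions for the built-in roles named on the page (subset only;
# an assumption of this example, see the Azure built-in roles documentation).
ROLES = {
    "Reader": ["*/read"],
    "User Access Administrator": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
    "Virtual Machine Contributor": [
        "Microsoft.Compute/virtualMachines/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
    ],
}

# Scope tree from the question (child -> parent). Sub3 is not under MG1.
PARENT = {"RG1": "Sub1", "Sub1": "MG1", "Sub2": "MG1", "MG1": None, "Sub3": None}

def assignments(vm_contributor_holder):
    """Role assignments from the question; who holds the VM role is a parameter."""
    return [
        ("Group1", "Reader", "MG1"),
        ("User1", "User Access Administrator", "MG1"),
        (vm_contributor_holder, "Virtual Machine Contributor", "Sub1"),
        (vm_contributor_holder, "Virtual Machine Contributor", "Sub2"),
    ]

def scope_chain(scope):
    """Yield the scope and each ancestor; assignments are inherited downward."""
    while scope is not None:
        yield scope
        scope = PARENT[scope]

def allowed(principals, action, scope, table):
    """True if a role assigned to any principal at or above scope grants action."""
    chain = set(scope_chain(scope))
    return any(
        fnmatchcase(action.lower(), pattern.lower())
        for principal, role, at in table
        if principal in principals and at in chain
        for pattern in ROLES[role]
    )

def evaluate(vm_contributor_holder):
    """Return the three statements as (view functions, assign role on RG1, create RG)."""
    t = assignments(vm_contributor_holder)
    return (
        allowed({"Group1"}, "Microsoft.Web/sites/read", "RG1", t),
        allowed({"User1"}, "Microsoft.Authorization/roleAssignments/write", "RG1", t),
        allowed({"User1"}, "Microsoft.Resources/subscriptions/resourceGroups/write", "Sub1", t),
    )
```

In this model the third statement fails on the `resourceGroups/write` action under either reading of "User", because `Microsoft.Resources/deployments/*` does not match that action string.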
TestKingTW
1 year, 4 months ago
the answer is YYY. the last one is because user has Virtual Machine Contributor role, which is sufficient to create VM and resource group. It has "Microsoft.Resources/deployments/*"permission, see the docs: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor
upvoted 2 times
Yodao
1 year, 4 months ago
Yup you are right, whole thing changes with that line of virtual contributor role.
upvoted 1 times
Mahbus
1 year, 4 months ago
Virtual Machine Contributor role can't create Resource Groups. Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor
upvoted 2 times
...
...
aws_arn_name
1 year, 4 months ago
I think here is the action that can create a resource group: "Microsoft.Resources/subscriptions/resourcegroups/deployments/*". Action "Microsoft.Resources/deployments/*" only states "Create and manage a deployment"
upvoted 1 times
...
...
RandomNickname
1 year, 4 months ago
Agree with YYN after reading MS articles and comments relating to them.
upvoted 2 times
...