ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-104 All Questions

View all questions & answers for the AZ-104 exam
Go to Exam

Exam AZ-104 topic 2 question 77 discussion

Actual exam question from Microsoft's AZ-104
Question #: 77
Topic #: 2
[All AZ-104 Questions]

HOTSPOT
-

You have three Azure subscriptions named Sub1, Sub2, and Sub3 that are linked to an Azure AD tenant.

The tenant contains a user named User1, a security group named Group1, and a management group named MG1. User is a member of Group1.

Sub1 and Sub2 are members of MG1. Sub1 contains a resource group named RG1. RG1 contains five Azure functions.

You create the following role assignments for MG1:

• Group1: Reader
• User1: User Access Administrator

You assign User the Virtual Machine Contributor role for Sub1 and Sub2.

Show Suggested Answer Hide Answer
Suggested Answer:
by dotseree at March 12, 2023, 12:56 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Shadowner
Highly Voted 2 years, 3 months ago
Personally I think its YYN. 1) GROUP1 Reader access, provides access to view all items, except secrets https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#reader 2) To Assign OWNER role, you need to either Owner role or User Administrator Access Role https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal-subscription-admin#prerequisites 3) Neither User Access Admin Role nor the Reader Role allows to create new resources. https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps
upvoted 80 times
Slimus
2 years, 1 month ago
3rd - Yes. it's says "You assign User the Virtual Machine Contributor role for Sub1 and Sub2."
upvoted 5 times
kam1122
8 months, 1 week ago
No, user cannot create RG
upvoted 3 times
...
090200f
1 year, 1 month ago
neither and nor.. so not able to create new resources
upvoted 1 times
...
Simplon
1 year, 3 months ago
No, User has only the Virtual Machine Contributor role for Sub1 and Sub2 but not to create a new RG before.
upvoted 6 times
...
Load full discussion...
...
Chris76
2 years, 2 months ago
Group1 is not said to be under MG1. And not associated with any subscriptions. So why you think first answer is Y ?
upvoted 6 times
AN79
2 years, 2 months ago
It clearly states Group1 is assigned Reader role at the MG1 Scope
upvoted 14 times
...
...
Indy429
1 year, 6 months ago
I agree
upvoted 2 times
...
...
garmatey
Highly Voted 2 years, 3 months ago
So a User Access Administrator can't create new resource groups but they can assign a user with the Owner role, and the user with the Owner role *can* create new resource groups? I feel like Im missing something.
upvoted 17 times
josola
1 year, 8 months ago
That's why there are data breaches. A user doesn't have direct to create resources, but that account to give access to another account to create a resource (give owner role). It happens all the time.
upvoted 2 times
...
ajdann
1 year, 10 months ago
That is exactly the point of User Access Administrator
upvoted 2 times
...
skeleto11
2 years ago
The owner role can create resource groups, but in this case he owns only one Resource Group called RG1, so he cannot create new groups.
upvoted 1 times
...
sardonique
1 year, 10 months ago
it is not odd, access is always logged, so if the user access administrator were to perform shady stuff, his activity would be traceable
upvoted 1 times
...
Load full discussion...
...
Abhisk127
Most Recent 5 months, 3 weeks ago
Who are these people, who says it was appeared in exam on the particular date but never mentioned what answers they selected/ticked on it.
upvoted 3 times
...
Riz504
6 months, 3 weeks ago
Added one "NOT" in answer 2 what you have missed.
upvoted 1 times
...
Chuong0810
8 months, 1 week ago
All are YES A - The Group1 have Reader role on MG1 B - User1 has User Access Administrator role on MG1. C - As User1 has User Access Administrator role, User1 can assign any roles necessarily itself to create a new resource group and deploy a virtual machine to the new group.
upvoted 1 times
...
etrop
11 months, 1 week ago
I"m going to say NYN here. No because even though the user has reader if you try to go and actually view the configuraiton of the function in the portal with this you don't see much. In fact what you do see is mostly an error or some fields that have names, but not any of their values and even the fields are wrong in most cases so N, the user needs a data level access perm to see the configuration itself. It can see the function for sure, it can see all of its data plane settings yes, but not its configuration. 2.) Y Because the user has User Access Administrator so can see it. 3.) N Because the user can't create a new resource group with those perms.
upvoted 2 times
...
3c5adce
1 year, 2 months ago
ChatGPT4 says all yes
upvoted 1 times
Mentalfloss
11 months, 3 weeks ago
ChatGPT appears to be wrong quite often.
upvoted 5 times
...
...
3c5adce
1 year, 2 months ago
All are YES / TRUE - vetted out by ChatGPT4 on 05/10/24 A - The Group1 members can view the configurations of the Azure functions. B - User1 can assign the Owner role for RG1. C - User1 can create a new resource group and deploy a virtual machine to the new group.
upvoted 1 times
GlixRox
1 year ago
User1 doesn't have contributor or owner roles for any level. VM contributor is specifically just for VM deployment, so while they can deploy a new VM, it can NOT deploy a *new* resource group, only a VM to the already existing RG1, since it is a contributor at the sub1 level which is 1 level above RG1, giving it inherited role permissions.
upvoted 3 times
...
...
Wassel_Laouini
1 year, 2 months ago
is just me or the information given about User didn't serve any purpose? the questions are only about User1
upvoted 1 times
...
Amir1909
1 year, 3 months ago
Given answer is right
upvoted 1 times
...
18c2076
1 year, 3 months ago
Azure provides the following Azure built-in roles for authorizing access to App Configuration data using Microsoft Entra ID: Reader: Use this role to give read access to the App Configuration resource. This does not grant access to the resource's access keys, nor to the data stored in App Configuration. In short: Reader role is sufficient to view the configurations - just not the data that lives inside them.
upvoted 1 times
etrop
11 months, 1 week ago
Try it. once I created a function I was not able to view the configuration with that user. It showed some fields, but not their values and even the fields it got all wrong. This is because reader is not good enough to see configuration which is a data level thing.
upvoted 1 times
...
...
1828b9d
1 year, 4 months ago
This question was in exam 01/03/2024
upvoted 3 times
...
Amir1909
1 year, 4 months ago
Correct Yes Yes No
upvoted 1 times
...
User65567473
1 year, 5 months ago
Was on exam 11/2 /2024
upvoted 5 times
...
MGJG
1 year, 10 months ago
YYN 3.- Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor
upvoted 1 times
...
oopspruu
1 year, 10 months ago
People here are not paying attention to a clever wording of the question. "User1" and "User" are 2 different users. Read the question again. User1 is independent and User is a part of Group1. So YYN is true.
upvoted 2 times
jackill
1 year, 10 months ago
Regarding the sentences “User is a member of Group1.” and “You assign User the Virtual Machine Contributor role for Sub1 and Sub2.”. It is very strange the presence of "User" user... usually all the questions have a number in the users names (User1, User2, …). It could be a typo… but also in this case (User -> User1) the correct response will be YYN, because User1 is always User Access Administrator at MG1 level that contains Sub1 and RG1. And also having User1 the Virtual Machine Contributor role, does not give him permission to create a resource group as requested by the third statement (it requires the Microsoft.Resources/subscriptions/resourceGroups/write permission).
upvoted 4 times
...
...
blackwhites
2 years, 1 month ago
Answer YYN "The Group1 members can view the configurations of the Azure functions." - True. As Group1 members have Reader access at the management group level, they can view all resources in the management group, including the Azure functions in RG1. "User1 can assign the Owner role for RG1." - True. As a User Access Administrator for MG1, User1 can manage access to all resources in the management group. This includes assigning any role, including the Owner role, to any resource within MG1, which includes RG1. "User1 can create a new resource group and deploy a virtual machine to the new group." - False. The Virtual Machine Contributor role allows User1 to manage virtual machines, but it does not provide permissions to create new resource groups. Additionally, User Access Administrator and Reader roles do not grant permission to create resources or resource groups. To perform this task, User1 would need to be assigned a role with resource creation permissions, such as the Contributor role.
upvoted 8 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel