Exam AZ-305 topic 1 question 46 discussion

Actual exam question from Microsoft's AZ-305
Question #: 46
Topic #: 1

HOTSPOT

You have an Azure AD tenant that contains a management group named MG1.

You have the Azure subscriptions shown in the following table.



The subscriptions contain the resource groups shown in the following table.



The subscription contains the Azure AD security groups shown in the following table.



The subscription contains the user accounts shown in the following table.



You perform the following actions:

Assign User3 the Contributor role for Sub1.
Assign Group1 the Virtual Machine Contributor role for MG1.
Assign Group3 the Contributor role for the Tenant Root Group.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Suggested Answer:

Comments

JBTC
Highly Voted 1 year, 7 months ago
Answers are correct. Since Group 1 is assigned VM Contributor to MG1, it will be able to create a new VM in RG1. User 2 is not able to grant permission to Group 2 because it is just a member with the Contributor role. Since Group 3 has the Contributor role for the Tenant Root Group, User3 can create a storage account in RG2.
upvoted 31 times
fongode
1 year, 3 months ago
Answer is correct: "Add or remove a group from another group. You can add an existing Security group to another Security group (also known as nested groups). Depending on the group types, you can add a group as a member of another group, just like a user, which applies settings like roles and access to the nested groups." https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/how-to-manage-groups
upvoted 6 times
...
Ameet9
1 year ago
User 3 is not in Group 3, it's a member of Group 1 and 2
upvoted 7 times
Javipr
3 months ago
Yes, but Group 2 is a member of Group 3
upvoted 1 times
...
...
...
[Removed]
Highly Voted 1 year, 7 months ago
A: YES. User1 is a member of Group1, which is Contributor VM to MG1 (Sub1).
B: NO. Granting access cannot be done with the Contributor role.
C: NO. User3 has the Contributor role only for Sub1 and Sub3 (through Group1/2, member of Group3, which is Contributor of Tenant Root Group (Sub3)).
upvoted 22 times
Lluk10
7 months ago
Somebody remove this guy from this group. How can you answer NO to point C?!
upvoted 3 times
...
yonie
1 year, 7 months ago
But since User3 is a member of Group 3, User 3 has contributor role to everything, since the contributor role is inherited to anything under the Tenant Root Group
upvoted 12 times
betterthanlife
1 year, 7 months ago
I checked it in my Azure lab, and the user I have permissioned at the Tenant Root Group does have the permission propagated down to everything subordinate, and everything is subordinate to the Tenant Root Group, so User 3 has the Contributor role to everything within the tenant. Answer is correct: Y N Y
upvoted 10 times
Javipr
3 months ago
User 2 is member of group 2, and group 2 is member of group 3, and group 3 is assigned with contributor role for the tenant root group. So, it should be Y, Y, Y
upvoted 1 times
...
...
BeastSlayer
1 year, 5 months ago
User 3 is a member of Group 1 and Group 2. And hence the answer is Y,N,N
upvoted 3 times
iGhostEverywhere
1 year, 2 months ago
Group 1 is a member of group 3 - Answer is YNY
upvoted 3 times
...
...
...
...
SeMo0o0o0o
Most Recent 3 weeks, 2 days ago
CORRECT
upvoted 1 times
...
Teerawee
2 months, 2 weeks ago
Yes No No
upvoted 2 times
...
23169fd
5 months, 2 weeks ago
Y N Y
User1 can create a new virtual machine in RG1. Yes
Reason: User1 is a member of Group1, which has the Virtual Machine Contributor role for MG1. RG1 is part of Sub1, which falls under MG1, thus granting User1 VM creation permissions in RG1.
User2 can grant permissions to Group2. No
Reason: There is no indication that User2 has been assigned any role that allows granting permissions.
User3 can create a storage account in RG2. Yes
Reason: User3 is part of Group3, which has the Contributor role at the Tenant Root Group level. This role allows User3 to create resources, including storage accounts, in any resource group within the tenant, including RG2.
upvoted 3 times
...
flafernan
6 months ago
Group3 has the Contributor role in the Tenant Root Group. User3 is a member of Group1 and Group2, which are members of Group3. Therefore, User3 inherits Group3's Contributor permissions in the Tenant Root Group. This means that User3 has Contributor permissions on all subscriptions (Sub1, Sub2, Sub3) and all resource groups (RG1, RG2, RG3) within the tenant.
upvoted 2 times
DavidTa
6 months ago
I think so. The answer should be YYY
upvoted 1 times
...
...
Lazylinux
7 months, 1 week ago
I would go for YNY. There is something being misinterpreted, and that is: "Group 3 is NOT a member of anything" is different from "Group 3 has members in it". Group 1 & 2 are members of Group 3, and hence permissions are inheritable and can create a storage account. I wish MS made it as clear as on-prem AD group/user permissions.
upvoted 2 times
...
varinder82
8 months, 2 weeks ago
Final Answer: Y N Y
upvoted 2 times
...
dejedi
8 months, 4 weeks ago
YNY answers given are correct
upvoted 2 times
...
MichaelMelb
9 months, 1 week ago
YYN. The 3rd answer should be NO because Group 3 doesn't have members, so nobody has permissions to create storage accounts in MG2 / SUB2 / RG2.
upvoted 1 times
Lazylinux
7 months, 1 week ago
You are misinterpreting it: "Group 3 is NOT a member of anything" is different from "Group 3 has members in it". Group 1 & 2 are members of Group 3, and hence permissions are inheritable and can create a storage account. So my answer is YNY.
upvoted 1 times
...
rishisoft1
9 months ago
I can understand: User 3 is a member of Group 1 & 2; however, Group 1 & 2 inherit the permission and access from Group 3, which means the Contributor role is propagated to Group 1 & 2 members so they can create the resource. So the answer should be YNY.
upvoted 1 times
...
...
profesorklaus
10 months ago
Regarding the third point, it is the wrong answer. Here is an explanation: RG2 is under Sub2, and User3 has the Contributor role on Sub1. No direct role assignment is given to User3 for Sub2. User3 is a member of Group1, which has the Virtual Machine Contributor role on MG1, not on Sub2, and this role does not include permissions for creating storage accounts. Even though User3 is also a member of Group2, there is no direct indication that Group2 has any role assignments. Group3 has the Contributor role for the Tenant Root Group, but User3 is not a member of Group3. Based on the information provided, User3 does not have the necessary permissions to create a storage account in RG2 because they have not been granted any role that would allow them to manage resources in Sub2. User3 would need the Contributor role (or a custom role with the necessary permissions) assigned either directly to them or to a group they are a member of that has scope over Sub2 or RG2 to be able to create a storage account in RG2.
upvoted 1 times
JonHanes
9 months, 3 weeks ago
I'm inclined to believe the answer is still correct due to the indirect permissions assigned from Group3. The answer from Bing AI. ---- Let’s break down the explanation provided: ... “Group3 has the Contributor role for the Tenant Root Group, but User3 is not a member of Group3.” *This is where the misunderstanding lies. While it’s true that User3 is not directly a member of Group3, User3 is a member of Group1 and Group2, both of which are members of Group3. Therefore, User3 is indirectly a member of Group3 and would inherit the permissions assigned to Group3.
upvoted 3 times
...
...
ManosCaptain
1 year ago
Appeared on 11/21/2023
upvoted 4 times
...
MeisAdriano
1 year, 1 month ago
User3 can create a storage account in RG2?
My answer:
Assign Group3 the -Contributor role- for the -Tenant Root Group-
Tenant Root Group includes:
- Sub3, that includes:
- RG3, that includes:
- Group3, that includes:
- Security Group1 and Security Group2, both include: User3
But the "Tenant Root Group" implicitly also includes MG1 and MG2, that's why:
YES -> User3 can create a storage account in RG2
upvoted 2 times
...
ntma3b
1 year, 2 months ago
Tested - members in the nested group do inherit roles granted to the parent group. So answers are correct.
upvoted 6 times
CharlesS76
5 months, 2 weeks ago
This is the most important contribution in this thread. Roles in Azure: SUPPORTS NESTED GROUPS. This is why the 3rd question has an answer of YES.
upvoted 2 times
...
...
kenneth12
1 year, 2 months ago
This is correct. For the drop-down 3 option it's No, and I tested this in my production. I created SGs named SG1 and SG.Root. User1 is a member of SG1 and a member of SG.Root. Then I assigned SG.Root a Contributor role in Root MG; after waiting for several minutes the user can create a VM in any subscription. So the permission from SG.Root is inherited by SG1.
upvoted 3 times
kenneth12
1 year, 2 months ago
Sorry, there's no edit here. User1 is a member of SG1, and SG1 is a member of SG.Root.
upvoted 2 times
...
...
MichaelMelb
1 year, 3 months ago
YES NO NO. First 2 are clear. The last one: User3 cannot create storage because Nested Group permissions are neglected in AAD. To be able to create a storage User3 has to be a member of the Group3.
upvoted 8 times
sawanti
1 year, 3 months ago
Exactly, people forget that the permissions in the groups are not inherited from other groups; only permissions of the group they are DIRECTLY assigned are valid, hence it should be Y, N, N
upvoted 5 times
...
...
InvalidNickname
1 year, 4 months ago
Got this on Aug 5th, 2023.
upvoted 3 times
...
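An added example, not part of the original thread or of Microsoft's material: a small Python model of the two mechanisms the comments argue about, transitive group membership and role assignments inherited down the scope hierarchy. The hierarchy and memberships are assumptions reconstructed from the comments (the question's tables are missing from the page), and the role definitions are simplified subsets of the built-in roles.

```python
from fnmatch import fnmatchcase

# Constructed model: the page's tables are missing, so hierarchy and membership
# follow what the commenters describe (assumption, not the exam's own data).
PARENT = {"MG1": "root", "MG2": "root", "Sub3": "root", "Sub1": "MG1",
          "Sub2": "MG2", "RG1": "Sub1", "RG2": "Sub2", "RG3": "Sub3"}
MEMBER_OF = {"User1": {"Group1"}, "User2": {"Group2"},
             "User3": {"Group1", "Group2"},
             "Group1": {"Group3"}, "Group2": {"Group3"}}
# The three assignments listed in the question: (principal, role, scope).
ASSIGNMENTS = [("User3", "Contributor", "Sub1"),
               ("Group1", "Virtual Machine Contributor", "MG1"),
               ("Group3", "Contributor", "root")]
# Simplified subsets of the built-in role definitions: (actions, notActions).
ROLES = {
    "Contributor": (["*"], ["Microsoft.Authorization/*/Write",
                            "Microsoft.Authorization/*/Delete"]),
    "Virtual Machine Contributor": (["Microsoft.Compute/virtualMachines/*"], []),
}

def principals(user):
    """The user plus every group reached through nested membership."""
    seen, stack = set(), [user]
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(MEMBER_OF.get(p, ()))
    return seen

def ancestors(scope):
    """The scope itself and each parent up to the tenant root group."""
    chain = [scope]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain

def matches(action, patterns):
    """Case-insensitive wildcard match of an action against role patterns."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def granting_assignments(user, action, scope):
    """Assignments that allow `action` for `user` at `scope`; empty means denied."""
    who, where = principals(user), ancestors(scope)
    return [(p, r, s) for p, r, s in ASSIGNMENTS
            if p in who and s in where
            and matches(action, ROLES[r][0]) and not matches(action, ROLES[r][1])]
```

In a real tenant the same question can be asked of Azure itself with `az role assignment list --assignee <user> --include-groups --include-inherited --scope <scope>`, which lists assignments reached through group membership and parent scopes.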