Exam AZ-305 topic 1 question 46 discussion

Answers are correct. Since Group 1 is assigned VM contributor to MG1, it will be able to create a new VM in RG1. User 2 is not able to grant permission to Group 2 because it is just a member with contributor role. Since Group 3 has Contributor role for the Tenant Root Group, User3 can create storage account in RG2

A : YES User1 member of Group1 which is Contributor VM to MG1 (Sub1). B : NO Granting access cannot be done with contributor role C : NO User3 has Contributor role only for Sub1 and Sub3 (through group1/2 member of group3 which is Contributor of Tenant Root Group (Sub3) )

CORRECT

Yes No No

Y N Y User1 can create a new virtual machine in RG1. Yes Reason: User1 is a member of Group1, which has the Virtual Machine Contributor role for MG1. RG1 is part of Sub1, which falls under MG1, thus granting User1 VM creation permissions in RG1. User2 can grant permissions to Group2. No Reason: There is no indication that User2 has been assigned any role that allows granting permissions. User3 can create a storage account in RG2. Yes Reason: User3 is part of Group3, which has the Contributor role at the Tenant Root Group level. This role allows User3 to create resources, including storage accounts, in any resource group within the tenant, including RG2.

Group3 has the Contributor role in the Tenant Root Group. User3 is a member of Group1 and Group2, which are members of Group3. Therefore, User3 inherits Group3's Contributor permissions in the Tenant Root Group. This means that User3 has Contributor permissions on all subscriptions (Sub1, Sub2, Sub3) and all resource groups (RG1, RG2, RG3) within the tenant.

I would go for YNY there is something being misinterpreted and that is Group 3 is NOT member of anything is different from Group 3 has members in it, Group 1&2 are members of group 3 and hence permissions are inheritable and can create storage account. I wish MS made is as clear as on-prem AD group/user permissions

Final Answer: Y N Y

YNY answers given are correct

YYN the 3rd answer should be NO because Group 3 doesn't have members, so nobody has permissions to create storage accounts in MG2 / SUB2 / RG2

Regarding a third point it is wrong answer. Here is an explanation: RG2 is under Sub2, and User3 has the Contributor role on Sub1. No direct role assignment is given to User3 for Sub2. User3 is a member of Group1, which has the Virtual Machine Contributor role on MG1, not on Sub2, and this role does not include permissions for creating storage accounts. Even though User3 is also a member of Group2, there is no direct indication that Group2 has any role assignments. Group3 has the Contributor role for the Tenant Root Group, but User3 is not a member of Group3. Based on the information provided, User3 does not have the necessary permissions to create a storage account in RG2 because they have not been granted any role that would allow them to manage resources in Sub2. User3 would need the Contributor role (or a custom role with the necessary permissions) assigned either directly to them or to a group they are a member of that has scope over Sub2 or RG2 to be able to create a storage account in RG2.

Appeared on 11/21/2023

User3 can create a storage account in RG2? My answer: Assign Group3 the -Contributor role- for the -Tenant Root Group- Tenant Root Group includes - Sub3 that includes: - RG3 that includes: - Group3 that includes: -Security Group1 and Security Group2, both includes: User3 But the "Tenant Root Group" includes implicitly also MG1 and MG2, that's why: YES -> User3 can create a storage account in RG2

Tested - members in the nested group do inherit roles granted the parent group. So answers are correct.

This is correct. for the drop down 3 option its No. and I Test this in my production. I created a SG name SG1 nad SG.Root. User1 is a member of SG1 and member of SG.Root. then I assign SG.Root a contributor role in Root MG after waiting for several minutes the user can create a VM to any subscription. so the permission from SG.Root is inherited to SG1

YES NO NO First 2 are clear. The last one: The last one: User3 canno0t create storage because Nested Group permissions are neglected in AAD. TO be able to create a storage User3 has to be a member of the Group3.

Got this on Aug 5th, 2023.