Exam AZ-104 topic 2 question 25 discussion

Correct Answer: “/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546435e” “Microsoft.Authorization/”

The Answer is Wrong. First part should be "/Subscription/subcription_id" only. There is nothing called "resourceGroups" only or "resourceGroups/*" . You can specify either a subscription, specific resource group, management group or specific resource. for example it should "/subcription/subcription_id/resourceGroups/resource_group_name" Check https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/role-based-access-control/role-definitions.md#role-definition-structure For second box. It is correct but missing "*". It should be "Microsoft.Authorization/*" . if you try this on az cli without "*". you will get an error

The given answer is correct. As the standard format for a resource ID is : '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}' It clearly contains '/subscriptions/{subscriptionId}/resourceGroups/' which should be the proper assignable scope. In order to prevents the management of the access permissions for the resource groups (requirement 2), you need to select 'Microsoft.Authorization/' under permissions, notActions. If the assignable scope is '/subscriptions/{subscriptionId}/' the notAction permission 'Microsoft.Authorization/' would prevent the management of access permission at the subscription level, which is not asked in the question. This link validates the resource ID structure - https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-resource-group-and-subscription

WRONG "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e" "Microsoft.Authorization/*"

Correct Answer: “/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546435e” “Microsoft.Authorization/”

In Azure, the correct format for specifying a resource group's path within a subscription is as follows: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>

The answer shown for the first part seems to be incorrect, per https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions#assignablescopes

Correct Answer: “/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546435e” “Microsoft.Authorization/”

Correct Answer : “/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546435e” “Microsoft.Authorization/” Came out in my exam today 8th April 2023. Passed 830.

Correct Answer: “/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546435e” “Microsoft.Authorization/”

It should be "/Subscription/subcription_id" only. There is nothing called "resourceGroups" only or "resourceGroups/*" Note: You can specify either a subscription, specific resource group, management group or specific resource. For example, it should be "/subcription/subcription_id/resourceGroups/resource_group_name" “Microsoft.Authorization/” is right

https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles-portal

The answers provided are actually correct. Look at the syntax of the JSON command below. { "properties": { "roleName": "Billing Reader Plus", "description": "Read billing data and download invoices", "assignableScopes": [ "/subscriptions/11111111-1111-1111-1111-111111111111" ], "permissions": [ { "actions": [ "Microsoft.Authorization/*/read", "Microsoft.Billing/*/read", "Microsoft.Commerce/*/read", "Microsoft.Consumption/*/read", "Microsoft.Management/managementGroups/read", "Microsoft.CostManagement/*/read", "Microsoft.Support/*" ], "notActions": [], "dataActions": [], "notDataActions": [] } ] } }

Why are wrong answers not corrected? This site is sometimes more confused than helpful.

1) "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e" 2) "Microsoft.Authorization/*" "assignableScopes" must be the Subscription, so that this Custom Role can be only assignable to Resources Groups under the same Subscription. "notActions" must deny only the actions that interact with the Authorization API Endpoints. Everything else must\can be allowed.

Regarding the assignable scopes part of the question: THERE IS NO WAY TO WILDCARD RESOURCEGROUPS AS AN ASSIGNABLE SCOPE! You can add all of the resource groups in the subscription individually, but you cannot wildcard all of them using /resourceGroups. If you go into Azure Portal and create a custom role under a subscription, you will see clearly that it is not possible - you must select a resource group when using the /resourceGroups type of assignable scope. The result will look similar to: /subscriptions/xxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx/resourceGroups/RG1

Given Answer is Wrong.. as RG name need be specified and even then applies to one particular RG but questions ask for all RGs and subsc can have multiple RGs and hence should be applied at Subsc level as per below “/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e” “Microsoft.Authorization/”