Exam AZ-104 topic 2 question 37 discussion

Correct Answer: Azure (RBAC) and Azure AD roles are independent. AD roles do not grant access to resources and Azure roles do not grant access to Azure AD. However, a Global Administrator in AD can elevate access to all subscriptions and will be User Access Administrator in Azure root scope. All 3 users are GA (AD) and Admin3 is owner of the subscription (RBAC). Admin1 has elevated access, so he is also User Access Admin (RBAC). To assign a user the owner role at the Subscription scope, you require permissions, such as User Access Admin or Owner. Box 1: Yes Admin1 has elevated access, so he is User Access Admin. This is valid. Box 2: Yes Admi3 is Owner of the Subscription. This is valid. Box 3: No Admin2 is just a GA in Azure AD scope. He doesn’t have permission in the Subscription.

Answer is correct, tested in Lab 1. No : Admin1 is a Global Administrator at Tenant which does not give it permission on subscription therefore cannot assign Owner Roles 2. Yes : Admin 3 is Global Administrator + Owner of Subscription therefore can assign Owner role to other user. 3. NO : Admin2 is Global Administrator for Tenant and do not have any rights on Subscription thereofore cannot create resources in it.

**Answer:** | Statements | Yes | No | | Admin1 can add Admin2 as an owner of the subscription. | ○ | **✓** | | Admin3 can add Admin2 as an owner of the subscription. | **✓** | ○ | | Admin4 can create a resource group in the subscription. | ○ | **✓** | **Explanation:** - **Admin3** has the **Owner** role at the subscription scope, granting full permissions to manage access (including adding other owners). - **Admin1**, despite being a Global Administrator, lacks explicit RBAC roles (e.g., Owner, User Access Administrator) on the subscription, so they cannot modify role assignments. - **Admin4** is not listed in the RBAC assignments and has no permissions to create resource groups (requires Contributor/Owner role).

Box 1: Yes Admin1 is configured to manage access to all Azure subscriptions and management groups in the directory, they can add another user as the Owner of an Azure subscription associated with the tenant B. Yes Box 3: No

Correct answers : Box 1 = YES Box 2 = YES Box 3 = YES , as a Global Admin, you can elavate access, and give your account Subscription Owner permissions ( tested successful in my own tenant ). See MS article "Elevate access to manage all Azure subscriptions and management groups" ( https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin?tabs=azure-portal )

qiestion 1 is indeed a Yes, User Access Administrator: Manage user access to Azure resources, Assign roles in Azure RBAC, Assign themselves or others the Owner role. source: https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles

By default, Azure roles and Azure AD roles do not span Azure and Azure AD. However, if a Global Administrator elevates their access by choosing the Access management for Azure resources switch in the Azure portal, the Global Administrator will be granted the User Access Administrator role (an Azure role) on all subscriptions for a particular tenant. The User Access Administrator role enables the user to grant other users access to Azure resources. This switch can be helpful to regain access to a subscription. For more information, see Elevate access to manage all Azure subscriptions and management groups. Several Azure AD roles span Azure AD and Microsoft 365, such as the Global Administrator and User Administrator roles. For example, if you are a member of the Global Administrator role, you have global administrator capabilities in Azure AD and Microsoft 365, such as making changes to Microsoft Exchange and Microsoft SharePoint. However, by default, the Global Administrator doesn't have access to Azure resources. Box 1: YES Box 2: YES Box 3: NO

Guys i was convinced NYN and only Bill Gates would have convinced me otherwise!!!!! until i read those two links below i than realized it is YYN for sure So answer is YYN Also as point admin2 can assigned themselves the user admin by click YES to the Access management for Azure resources Below is snippet but i encourage you read all When you set the toggle to Yes, you are assigned the User Access Administrator role in Azure RBAC at root scope (/). This grants you permission to assign roles in all Azure subscriptions and management groups associated with this Azure AD directory. This toggle is only available to users who are assigned the Global Administrator role in Azure AD. When you set the toggle to No, the User Access Administrator role in Azure RBAC is removed from your user account. You can no longer assign roles in all Azure subscriptions and management groups that are associated with this Azure AD directory. You can view and manage only the Azure subscriptions and management groups to which you have been granted access. will continue in reply as txt too large

wrong Yes Yes No

The answer is NYN: Global Administrators in Azure AD have the highest level of access in the Azure Active Directory, allowing them to manage users, groups, and other directory-related functions. However, this role does not automatically grant them access to manage Azure subscriptions and resources within those subscriptions.

Admin1 can add Admin 2 as an owner of the subscription. Yes: Admin1 is a global administrator, and based on the tenant settings, global administrators can manage access to all Azure subscriptions and management groups in this directory. Admin3 can add Admin 2 as an owner of the subscription. Yes: Admin3 is already assigned the "Owner" role for the subscription. An owner has full access, including the ability to assign roles to other users. Admin2 can create a resource group in the subscription. Yes: Admin2 is a global administrator. Global administrators have the highest level of permissions in Azure AD and can manage all aspects of the directory and subscription.

Answer should be : Yes Yes No

I believe the more recent and tested answer which is YYN

Answer is YYN

My thought here is Box1:Admin1 even with Global admin permissions, User Administrator refers to the 365 admin console, and not Azure resources. They would need RBAC control to the subscription in the form of User Access Admin/Owner to add themselves to be able to add RBAC controls for others-NO is correct Box 2:Admin 3 is an Owner of the subscription, subsequently meaning the ability to add RBAC controls for other Admins-YES is the correct Answer Box 3: whilst Admin 2 is a GA they do not possess the correct RBAC role for the subscription resource meaning they cannot hand out permissions-Correct answer is NO

YES YES NO Admin3 can elevate his permissions but in this question only Admin 1 has elevated his permissions

No no no