You have an Azure subscription linked to an Azure Active Directory tenant. The tenant includes a user account named User1. You need to ensure that User1 can assign a policy to the tenant root management group. What should you do?
A.
Assign the Owner role for the Azure Subscription to User1, and then modify the default conditional access policies.
B.
Assign the Owner role for the Azure subscription to User1, and then instruct User1 to configure access management for Azure resources.
C.
Assign the Global administrator role to User1, and then instruct User1 to configure access management for Azure resources.
D.
Create a new management group and delegate User1 as the owner of the new management group.
Correct Answer: C
No one is given default access to the root management group. Azure AD Global Administrators are the only users that can elevate themselves to gain access. Once they have access to the root management group, the global administrators can assign any Azure role to other users to manage it.
Why would you assume that User1 needs to be the Global Administrator, or is a Global Administrator, rather than assuming that I am the Global Administrator? Assuming I am the Global Administrator, and that I have granted myself User Access Administrator, then using the least-privilege best practice I would pick B and assign User1 any other role, like Owner, rather than Global Administrator. Granting everyone/anyone GA to assign policies seems like a horrible idea. The Owner role is enough to assign policy to the root management group. There is no need to assign User1 Global Administrator so that User1 can grant themselves the role.
It cannot be A or B simply because subscriptions are underneath management groups. So doing anything to those does not fix the issue. Cannot be D since that is creating a new management group. B is the only answer that comes close. Your concerns about assigning a GA are noted, but no other answer is provided that would alleviate your concerns.
mlantonis is correct - the answer here should be C. Assign the Global administrator...
Assigning the Owner role to the "tenant root" (not the subscription) or the Resource Policy Contributor role would've been enough access for User1, but that is not one of the options in the choices. So the only choice that works is C.
Ans C:
No one is given default access to the root management group. Azure AD Global Administrators are the only users that can elevate themselves to gain access. Once they have access to the root management group, the global administrators can assign any Azure role to other users to manage it.
No, the correct answer is B.
C is to control Azure AD (Global Administrators), not to control Management group.
If you need to control the management group, use: Access control (IAM) > Add role assignment > Role > Owner or Contributor (in this case you will use Owner). "Global Administrator" does not exist inside Access control (IAM) > Add role assignment.
The link between Azure AD and the management group lets you choose a user from your Azure AD, but it will not inherit the Azure AD role.
How can it be right when the question specifies the root management group and B specifies a child subscription? The only way to ensure they can make changes to the root management group is to make them a GA on the tenant and then they can assign themselves the owner permissions to that group.
Is D the correct option?
The question is about applying a policy on the root management group. You cannot apply a policy on the root management group directly, so you need to create a new management group and assign user1 the "owner" role, because Entra ID roles do not apply to policies.
Based on the principle of least privilege, Owner access is sufficient to assign access policies; however, option A mentions using default conditional access, which is wrong. Hence, the other possible answer will be Azure AD Global admin.
The reason Option C is the correct answer is that the Global administrator role grants the highest level of access to Azure AD, which includes the ability to manage all aspects of the directory, including access management for Azure resources and management of the root management group.
To assign a policy to the tenant root management group, the user needs to be able to access and manage the root management group in Azure AD. By assigning the Global administrator role to User1, they will have the necessary permissions to manage the root management group and assign policies to it.
Once User1 has the Global administrator role, they can navigate to the Azure portal and configure access management for Azure resources, including the root management group. From there, they can assign policies to the root management group and manage access to Azure resources.
In summary, assigning the Global administrator role to User1 is the most appropriate solution because it grants them the necessary permissions to manage the root management group and assign policies to it.
Out of the available options, only C will work since the root management group is higher than the subscription in the hierarchy, and the user must be either made an Owner of the management group (option not provided), or be able to make themselves an Owner on it.
D. Create a new management group and delegate User1 as the owner of the new management group.
Assigning ownership of a new management group to User1 allows them to manage policies and access controls within that management group, including assigning policies to the tenant root management group if necessary. This approach provides User1 with the necessary permissions to manage policies effectively while maintaining proper governance over Azure resources.
To ensure that User1 can assign a policy to the tenant root management group, you should choose Option C: Assign the Global administrator role to User1, and then instruct User1 to configure access management for Azure resources.
The Global Administrator role in Azure Active Directory has permissions to all administrative features. This role is the most powerful role, and it can assign policies to the tenant root management group. The Owner role for the Azure subscription does not have this level of access. Therefore, options A and B would not meet the requirements. Option D is not relevant as it involves creating a new management group, which is not necessary in this case.
Just verified this. Owner of the subscription is not enough to assign a policy at the root management group.
The user needs to have at least the "Microsoft.Authorization/policyAssignments/write" permission and probably a couple more read permissions at the root management group.
So given the options answer C fulfills this.
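As an added example (not from any commenter on this thread), the Az PowerShell sequence behind the "elevate, then delegate" explanation above: a Global Administrator elevates access, grants User1 the narrowest built-in root-scope role that carries the policyAssignments/write permission just mentioned (Resource Policy Contributor, as one earlier comment notes), and then removes the elevated access. The UPN and the policy definition ID are placeholders.

```powershell
# Added example (not from the thread): elevate as Global Administrator, delegate
# least privilege at the tenant root management group, then undo the elevation.
# Assumptions: Az.Accounts and Az.Resources are installed, the caller is a
# Global Administrator, and the UPN below is a placeholder.
Connect-AzAccount | Out-Null
$tenantId  = (Get-AzContext).Tenant.Id
$rootScope = "/providers/Microsoft.Management/managementGroups/$tenantId"
$user1     = Get-AzADUser -UserPrincipalName 'user1@contoso.example'   # placeholder UPN

# 1. Elevate access: the Global Administrator is granted User Access
#    Administrator at the root scope "/" (the step this thread argues about).
$resp = Invoke-AzRestMethod -Method POST `
    -Path '/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01'
if ($resp.StatusCode -ne 200) { throw "elevateAccess failed: HTTP $($resp.StatusCode)" }

# 2. Delegate at the root management group. Resource Policy Contributor carries
#    Microsoft.Authorization/policyAssignments/write plus the read permissions
#    needed to browse definitions; Owner would also work but grants far more.
New-AzRoleAssignment -ObjectId $user1.Id `
    -RoleDefinitionName 'Resource Policy Contributor' -Scope $rootScope | Out-Null

# 3. Remove the elevated User Access Administrator assignment on "/" as soon as
#    the delegation is done; a standing assignment at "/" is an audit finding.
$me = (Get-AzContext).Account.Id
Remove-AzRoleAssignment -SignInName $me `
    -RoleDefinitionName 'User Access Administrator' -Scope '/'

# 4. Verify: nothing should remain at "/", and User1 should appear at the root MG.
Get-AzRoleAssignment -Scope '/' |
    Format-Table DisplayName, RoleDefinitionName, Scope
Get-AzRoleAssignment -ObjectId $user1.Id -Scope $rootScope |
    Format-Table RoleDefinitionName, Scope

# User1, signed in separately, can now assign a policy at the root management group:
#   $def = Get-AzPolicyDefinition -Name '<built-in-policy-definition-id>'   # placeholder
#   New-AzPolicyAssignment -Name 'root-policy' -Scope $rootScope -PolicyDefinition $def
```

The elevateAccess call and the Remove-AzRoleAssignment at "/" both show up in the Azure Activity Log, which is where a reviewer should look to confirm the elevation was temporary.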
By assigning the Owner role for the Azure subscription to User1, they will have the necessary permissions to manage resources within the subscription, including assigning policies to management groups. Then, instructing User1 to configure access management for Azure resources will allow them to assign policies to the tenant root management group.
It depends. If the subscription is attached to a subgroup manager, the user cannot modify the root group's IAM. If a subscription is attached to the root, the user can modify IAM.
If the user is global, then he can gain access across all subscriptions using an "Elevate access" option.
I would go with option C because it doesn't say what level the subscription is at.
The correct answer is B. Assign the Owner role for the Azure subscription to User1, and then instruct User1 to configure access management for Azure resources.
To assign a policy to the tenant root management group, User1 needs to have the Microsoft.Authorization/roleAssignments/write permission, such as those provided by the Owner role. Once User1 has the Owner role, they can configure access management for Azure resources, including assigning policies to the tenant root management group.