Exam AZ-104 topic 2 question 53 discussion

B. Owner correct Owner = Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. Contributor = Grants full access to manage all resources, but does NOT allow you to assign roles in Azure RBAC. (you cannot add users or changes their rights) User Access Administrator = Lets you manage user access to Azure resources. Reader = View all resources, but does not allow you to make any changes. Security Admin = View and update permissions for Security Center. Same permissions as the Security Reader role and can also update the security policy and dismiss alerts and recommendations. Network Contributor = Lets you manage networks, but not access to them. (so you can add VNET, subnet, etc)

B) "Assign User1 the Owner role for VNet1." From the provided options, only the Owner role scoped at the resource level gives the ability to assign other roles to other users.

Anything with 'Contributor' in the role cannot do anything with users.

B is corerct

https://learn.microsoft.com/en-us/entra/identity/users/licensing-group-advanced#limitations-and-known-issues The feature can only be used with security groups, and Microsoft 365 groups that have securityEnabled=TRUE.

D. Assign User1 the Network Contributor role for VNet1. Explanation: Assigning User1 the Network Contributor role for VNet1 would enable them to assign the Reader role for VNet1 to other users. The Network Contributor role grants permissions to manage network resources, including the ability to assign roles within the scope of the virtual network (VNet1). This role aligns with the requirement to allow User1 to assign the Reader role for VNet1 to other users.

This is what ChatGPT says: To ensure that User1 can assign the Reader role for VNet1 to other users, you should assign User1 the "Network Contributor" role for VNet1. This role grants the necessary permissions to manage all aspects of virtual networks, including assigning roles to other users. So, the correct action is: D. Assign User1 the Network Contributor role for VNet1.

the Contributor role in Azure does not have the permission to assign roles to other users or manage access control for other users. The Contributor role can perform actions such as creating, modifying, and deleting resources within the scope of a resource group or subscription, but it cannot manage access control. To grant the ability to assign roles and manage access control for Azure resources, you would typically need to assign the User Access Administrator or Owner roles to a user or group. These roles have the necessary permissions to manage access control, including the assignment of roles to other users.

This question comes up so often and is easy to answer: Only owners or User Access Administrators can assign roles to other users

"Grants full access to manage all resources, including the ability to assign roles in Azure RBAC." https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#owner

within provided solution , the Owner role can assign role for other users B. Owner is answer

C. Assign User1 the Contributor role for VNet1. To ensure that User1 can assign the Reader role for VNet1 to other users, you should assign User1 the Contributor role for VNet1. The Contributor role grants permissions to manage all resources within a specific scope, including the ability to assign roles to other users. By assigning User1 the Contributor role for VNet1, User1 will have the necessary permissions to assign the Reader role for VNet1 to other users. Assigning User1 the Owner role for VNet1 (option B) would grant excessive permissions, allowing User1 to make any changes to VNet1 and its resources, which may not be desired.

B. Owner correct Owner: Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. User Access Administrator: Lets you manage user access to Azure resources. Conributor: Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. Reader: View all resources, but does not allow you to make any changes. Network Contributor: Lets you manage networks, but not access to them.

B is the answer.

Correct Answer: B

Answer B is correct. Owner Has full access to all resources including the right to delegate access to others.

Answer is B. Contributor can't grant access to others