Exam AZ-800 topic 2 question 4 discussion

The Answer is "A". Hear me out. The question asks that "Admin1", a user account, has the appropriate permissions. The role of Azure Connected Machine Onboarding can only be assigned to a service principal, as confirmed by the link given to justify the wrong answer. Admin1 cannot be assigned this role, it's impossible, check it for yourself. Admin1, as a local server admin, has all the rights he/she needs. The correct answer is "A", generate a new onboarding script. One can onboard more than one server with the same script. Onboarding two certainly doesn't impose an administrative burden to use this method.

correct

Although it does say the domain is sync'd the question doesn't mention whether Admin1 is a domain account. Best practice is for privileged users to have separate cloud only admin accounts, so D?

Link from Phi3nix: https://learn.microsoft.com/en-us/azure/azure-arc/servers/onboard-portal States its also best practice, that ends the discussion right there! Follow best security practices and avoid using an Azure account with Owner access to onboard servers. Instead, use an account that only has the Azure Connected Machine onboarding or Azure Connected Machine resource administrator role assignment. See Azure Identity Management and access control security best practices for more information. Role rights: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles Search for: Azure Connected Machine Onboarding

Correct answer b

-"Admin1" is user in ADDS, and member of the local Administrators group on Server1 and Server2. -ADDS is domain that syncs with an Azure Active Directory (Azure AD) tenant. Answer is B "Assign Admin1 the Azure Connected Machine Onboarding role for RG1"

https://learn.microsoft.com/en-us/azure/azure-arc/servers/onboard-portal#install-with-the-scripted-method Install with the scripted method 1. Log in to the server. 2. Open an elevated PowerShell command prompt. > local admin rights are required but sufficient 3. Change to the folder or share that you copied the script to, and execute it on the server by running the ./OnboardingScript.ps1 script.

answer is B

Admin1 is an onpremises account, it does not exist in Azure AD therefore it cannot be assigned any role within the Azure Portal. Admin1 has enough power to configure Server1 and Server2 though. So A is the answer IMO

B. Reason: Azure Arc allows you to manage your servers as if they are running in Azure. To onboard a machine to Azure Arc, the user needs the Azure Connected Machine Onboarding role. This role gives the user the necessary permissions to register the machine with Azure Arc. In this case, Admin1 needs to be assigned this role for the resource group RG1, so they can configure Server1 and Server2 to be managed by Azure Arc. The other options do not directly address the requirement of enabling Admin1 to configure the servers with Azure Arc. Therefore, option B is the most appropriate first step.

Tested in lab: Admin1 without Azure Connected Machine onboarding role assigned on RG1 are unable to onboard any server to Azure. Also are unable to see any machine in Azure Arc | Machines and and as a result it cannot manage any server. After assigning it the Azure Connected Machine onboarding role on RG1, Admin1 can see all the machines in Azure Arc, can manage the servers and can onboard the servers with the generated script. Note: Follow best security practices and avoid using an Azure account with Owner access to onboard servers. Instead, use an account that only has the Azure Connected Machine onboarding or Azure Connected Machine resource administrator role assignment. See Azure Identity Management and access control security best practices for more information. https://learn.microsoft.com/en-us/azure/azure-arc/servers/onboard-portal

with the appropriate role to Admin1 in the RG1 resource group, Admin1 will have the necessary permissions to configure Server1 and Server2 to be managed by Azure Arc.

To ensure that Admin1 can configure Server1 and Server2 to be managed by using Azure Arc, the first step should be to assign Admin1 the appropriate role that grants the necessary permissions to onboard machines to Azure Arc. Specifically, Admin1 needs the Azure Connected Machine Onboarding role for the resource group RG1. Here’s the correct step to take: B. Assign Admin1 the Azure Connected Machine Onboarding role for RG1. This role grants the necessary permissions to onboard servers to Azure Arc, allowing Admin1 to generate the required onboarding script and complete the onboarding process.

To ensure that Admin1 can configure Server1 and Server2 to be managed by using Azure Arc, you should first assign Admin1 the necessary permissions in Azure, specifically the Azure Connected Machine Onboarding role for the resource group RG1. Therefore, the correct answer is: B. Assign Admin1 the Azure Connected Machine Onboarding role for RG1.

B Assign Admin1 the Azure Connected Machine Onboarding role for RG1. https://learn.microsoft.com/en-us/azure/azure-arc/servers/prerequisites#required-permissions https://learn.microsoft.com/en-us/azure/azure-arc/servers/onboard-service-principal refer point 2

Selected Answer:B Generating a new integration script in the Azure portal is an important step in adding servers to Azure Arc, but it's not the first step when it comes to ensuring that a specific user, such as Admin1, has permission to configure the servers to be managed by Azure Arc. The first step is to ensure that Admin1 has the necessary permissions within the Azure environment. This is done by assigning the correct role to the user. In the case of Admin1, assigning the Azure Connected Machine Integration role to resource group RG1 is essential for them to be able to perform the required actions in Azure Arc.Once Admin1 has the proper permissions, they can then proceed with generating and running the integration script to add Server1 and Server2 to Azure Arc.

Is Admin1 a local user or domain user added to local admins?