Exam AZ-104 topic 2 question 56 discussion

B) " Assign Group1 the User Access Administrator role for the root management group." To be able to assign licenses to all current and future subscriptions, while minimizing the administrative effort, one should apply the role to the Root Management Group. And because we should use the principle of least privilege we should chose the User Access Administrator role instead of the Owner one.

B or C depending on which requirement you're prioritizing. - B if you're minimizing the administrative effort - C if you're following principle of least privilege

B is corerct

A. to manage subscriptions required Owner role, https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/add-change-subscription-administrator

ChatGPT4: Option B focuses on assigning the User Access Administrator role at the root management group level. This role specifically allows members to manage user access to Azure resources, which includes managing role assignments. Assigning this role at the root management group level ensures that the permissions apply across all existing and future subscriptions under that root. This approach adheres to the principle of least privilege by providing only the necessary permissions to manage access without broader management permissions that come with the Owner role.

B is correct

The answer is B you are providing access administrator to the Root Manangment group per Microsoft's documentation "All subscriptions and management groups fold up into one root management group within the directory. All resources in the directory fold up to the root management group for global management. New subscriptions are automatically defaulted to the root management group when created." https://learn.microsoft.com/en-us/azure/governance/management-groups/overview

I think the key here is " existing subscriptions and the planned [all future] subscriptions" OpenAI says: "Option C is not the best choice because it requires creating a new management group which is not necessary for the given scenario. " If we were to go the route of C we would need to do considerations for all further added subsciptions (more administrative thought) which we don't need with B and the group is said that it should have the role of all further subscriptions to there's no point to it.

Answer: B Explanation: To be able to assign licenses to all current and future subscriptions, while minimizing the administrative effort, one should apply the role to the Root Management Group. And because we should use the principle of least privilege we should chose the User Access Administrator role instead of the Owner one.

The following 2 choices are possible: A. Assign Group1 the Owner role for the root management group. B. Assign Group1 the User Access Administrator role for the root management group. Requested condition is Use the principle of least privilege. Answer A is eliminated Answer B: is correct

B: looks correct as per URL below. Any new/planned subscriptions will fold up into the root management group by default. See section; Important facts about the root management group "All subscriptions and management groups fold up to the one root management group within the directory. All resources in the directory fold up to the root management group for global management. New subscriptions are automatically defaulted to the root management group when created." https://learn.microsoft.com/en-us/azure/governance/management-groups/overview

Answer should be C. This uses the least-privilege principle - Azure management groups provide a level of scope above subscriptions. You organize subscriptions into containers called "management groups" and apply your governance conditions to the management groups. All subscriptions within a management group automatically inherit the conditions applied to the management group.

Create a new management group and assign Group1 the User Access Administrator role for the group

OpenAi "Option C is the correct answer. Assigning Group1 the Owner role for the root management group (Option A) would give the group unrestricted access to all resources in all subscriptions and management groups under the root management group. This goes against the principle of least privilege and could potentially result in unintended changes or deletions of resources. Assigning Group1 the User Access Administrator role for the root management group (Option B) would give the group permission to manage user access to Azure resources, but not to manage role assignments for subscriptions and management groups. Creating a new management group and assigning Group1 the Owner role for the group (Option D) would give the group the same unrestricted access as assigning them the Owner role for the root management group. Therefore, the best option would be to create a new management group and assign Group1 the User Access Administrator role for the group (Option C). This would allow the group to manage role assignments for all subscriptions and management groups within the new management group without granting them unnecessary permissions."

B is correct.

While Assigning the User Access Administrator role for the root management group to Group1 will provide Group1 with the ability to manage role assignments for all subscriptions within the root management group, it does not adhere to the principle of least privilege as it grants full administrative access to all Azure resources under the root management group. It is recommended to create a new management group and assign the User Access Administrator role for that specific group to Group1, in order to meet the requirements of using the principle of least privilege and minimizing administrative effort. while still adhering to the principle of least privilege. why not B.

B is the answer. https://learn.microsoft.com/en-us/azure/governance/management-groups/overview#root-management-group-for-each-directory Each directory is given a single top-level management group called the root management group. The root management group is built into the hierarchy to have all management groups and subscriptions fold up to it. This root management group allows for global policies and Azure role assignments to be applied at the directory level. https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#user-access-administrator Lets you manage user access to Azure resources.