exam questions

Exam AZ-305 All Questions

View all questions & answers for the AZ-305 exam

Exam AZ-305 topic 4 question 75 discussion

Actual exam question from Microsoft's AZ-305
Question #: 75
Topic #: 4
[All AZ-305 Questions]

HOTSPOT
-

You have two Azure AD tenants named contoso.com and fabrikam.com. Each tenant is linked to 50 Azure subscriptions. Contoso.com contains two users named User1 and User2.

You need to meet the following requirements:

• Ensure that User1 can change the Azure AD tenant linked to specific Azure subscriptions.
• If an Azure subscription is liked to a new Azure AD tenant, and no available Azure AD accounts have full subscription-level permissions to the subscription, elevate the access of User2 to the subscription.

The solution must use the principle of least privilege.

Which role should you assign to each user? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Show Suggested Answer Hide Answer
Suggested Answer:

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
zellck
Highly Voted 1 year, 9 months ago
1. Owner 2. Owner https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory#before-you-begin Before you can associate or add your subscription, do the following steps: - Sign in using an account that: Has an Owner role assignment for the subscription.
upvoted 18 times
...
NotMeAnyWay
Highly Voted 1 year, 5 months ago
User1: b. Owner User2: b. Owner For User1 who needs to change the Azure AD tenant linked to specific Azure subscriptions, they need to be assigned the role of "Owner". This is because to change the Azure AD tenant linked to a subscription, the user must have enough permissions, which are available at the Owner level. For User2 who needs to have the access elevated to the subscription if no available Azure AD accounts have full subscription-level permissions to the subscription, they need to be assigned the "Owner" role as well. This role provides full access to all resources, including the right to delegate access to others. In this scenario, the "Owner" role would allow User2 to gain access to the subscription in the absence of any other account with full permissions.
upvoted 11 times
...
SeMo0o0o0o
Most Recent 3 weeks, 1 day ago
CORRECT
upvoted 1 times
...
ageorgieva
5 months ago
User1: Owner User2: Co-administrator Reason why it is co-admin is because it states that the user should be able to elevate access, which can be done with admin role. https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin?tabs=azure-portal
upvoted 2 times
...
Lazylinux
7 months, 2 weeks ago
Given answer is correct, Owner-Owner or Global admin but GA is not part of the solution
upvoted 1 times
...
randy0077
1 year ago
owner owner is correct answer.
upvoted 1 times
...
MichaelMelb
1 year, 1 month ago
User1: Service Admin Service Admin fits to all the requirements whereas Owner has more than required permissions "By default, for a new subscription, the Account Administrator is also the Service Administrator. The Service Administrator has the equivalent access of a user who is assigned the Owner role at the subscription scope. The Service Administrator has full access to the Azure portal." https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles User2: Owner
upvoted 1 times
...
Trillionairejeffe
1 year, 5 months ago
1.Service administrator 2.Co-administrator reference : https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles#classic-subscription-administrator-roles
upvoted 1 times
sawanti
1 year, 3 months ago
Both roles are a LEGACY roles. Do you really believe that Microsoft is proposing something that it takes them years to retire? Both roles will be retired on August 31, 2024 (https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles)
upvoted 5 times
...
...
betterthanlife
1 year, 7 months ago
- Co-Administrator "can't change the association of subs to Azure AD directories so it's out. - Given that the tenants & some subs exist then, & since we live in the real world (as strange as it's become) & there's no mention otherwise, & given the options we can presume User 1 to have the Service Administrator role, which provides full access to the Azure portal. - Given "elevate the access" is a requirement for User, the only deduction in this whole madness of stupidity mess possible is Owner. https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles
upvoted 1 times
...
ctlearn
1 year, 9 months ago
Service Administrator and Co-Administrator are classic subscription roles that have the equivalent access of a user who is assigned the Owner role at the subscription scope. The answer for both is Owner. https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles
upvoted 1 times
...
VBK8579
1 year, 10 months ago
Owner Owner
upvoted 2 times
...
RandomNickname
1 year, 10 months ago
Based on the requirements in the question given answer looks correct to me.
upvoted 1 times
...
OPT_001122
1 year, 10 months ago
Owner Owner
upvoted 1 times
...
upwork
1 year, 10 months ago
From ChatGPT: An Azure AD Service Administrator role is designed to manage user, groups and other resources within an Azure AD tenant. While they can manage the users and groups, they don't have the permission to move a subscription from one tenant to another. To move a subscription from one tenant to another, you need to have the "Subscription Owner" or "Global Administrator" role within the Azure AD tenant to which you want to move the subscription. So I think the answer should be "Owner" x 2
upvoted 8 times
upwork
1 year, 10 months ago
Not sure about the GPT answer, but I find this link useful https://learn.microsoft.com/en-us/azure/role-based-access-control/classic-administrators It suggests the answer would be the Service Admin and the Co-Admin in the old-school days, but today perhaps we should rely on the Owner's role.
upvoted 1 times
sawanti
1 year, 3 months ago
Both Service Administrator and Co-something are legacy roles and will be retired, hence Microsoft will NEVER intentionally mark them as a correct answer. Owner is the only valid answer
upvoted 2 times
...
...
...
tfulanchan
1 year, 10 months ago
There are only four "Azure roles", and "Owner" is the only "role" in the answers, the other two are "Classic subscription administrator". The Service Administrator and Co-Administrators are assigned the Owner role at the subscription scope. https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles#azure-roles
upvoted 2 times
...
LeeVee
1 year, 10 months ago
Service Administrator and Co-Administrator were a classic subscription role. These to Roles equivalent is current role assignment is Owner. So I think answer is correct. you don't want to use classic RBAC as Microsoft will move away on this classic roles in the future. do future proofing a bit on this.
upvoted 1 times
...
Mo22
1 year, 10 months ago
The answer is correct to me: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...