Exam AZ-500 topic 2 question 92 discussion

This exam question test about role-assignable group feature in Azure Active Directory. Refer to Microsoft document on role-assignable group: “Group nesting is not supported. A group can't be added as a member of a role-assignable group.” Reference Create a role-assignable group in Azure Active Directory https://learn.microsoft.com/en-us/azure/active-directory/roles/groups-create-eligible Use Azure AD groups to manage role assignments https://learn.microsoft.com/en-us/azure/active-directory/roles/groups-concept

Answer Is A. Group nesting isn't supported. A group can't be added as a member of a role-assignable group. https://learn.microsoft.com/en-us/azure/active-directory/roles/groups-concept

It seems that things have changed. group nesting is supported for security groups in Azure, but with some limitations: 1. Security groups can be nested within other security groups. 2. Nesting is not supported for all scenarios. For example, it's not supported for application access. 3. You can create dynamic groups that include members of other security groups using the 'memberOf' attribute. 4. There are restrictions on nesting: • You can't add security groups to Microsoft 365 groups. • You can't add Microsoft 365 groups to security groups or other Microsoft 365 groups. • You can't add distribution groups in nesting scenarios. • You can't add security groups as members of mail-enabled security groups

user 1 only - made a quick test in lab with the following outcome: user1- can be added group1 - it says, MS 365 groups are not allowed group2 - does not even appear in the list when i wanted to add into group4 group3 - can be selected to add, but it gives the message: group nesting not supported

First, we can not add Microsoft365 group into Security group, we can skip Group1. Nesting is not supported for Role Assignable groups it means if group is role assignable, we cannot add any group there, so we need to skip other groups as well. We can only keep User1.

Only User1 and Group2 can be added to Group4. Note: Nesting is currently not supported for groups that can be assigned to a role. Hence not Group 1 and 3.

A. User 1 only. Group nesting isn't supported. A group can't be added as a member of a role-assignable group. https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/groups-concept

The question asks which identities can be added to Group4 as members. The table shows the following information about the relevant groups: Group1: Microsoft 365 group - Azure AD roles can be assigned to the group. This means Group1 itself can be assigned roles, but users cannot be directly added to it. Group2: Security group - No - Azure AD roles cannot be assigned to this group, and users cannot be directly added to it. Group3: Security group - Yes - Azure AD roles can be assigned to this group, and users can be added as members. Group4: Security group - Yes - Azure AD roles can be assigned to this group, and users can be added as members. Since Group1 and Group2 cannot have users added directly as members, they are not valid options. User1 and Group3 can be added to Group4 because they are both security groups that allow adding members.

Tested in lab. When trying to add a Security group with Azure AD roles assigned, I got this error: Failed to add group member. Nesting is currently not supported for groups that can be assigned to a role. Those that claimed to have tested in lab, you might want test twice before posting ...

B is okay; https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/groups-assign-role?tabs=ms-powershell

Contributor is an RBAC role if it was Azure AD role then nested group are not allowed

User1,Group2,Group3 only M365 cannot be nested

The correct answer is: D. User1, Group2, and Group3 only. Reasoning: User1 is an individual user and can be added to security groups without restrictions. Group2 is a security group, and security groups can be nested within other security groups in Azure AD. Group3 is also a security group and can be nested as well. Group1 is a Microsoft 365 group which cannot be nested within other security groups, hence it cannot be added to Group4. Azure AD roles assigned to the group are irrelevant in the context of which members can be added to Group4. The key factor is whether the type of identity (user or group) can be nested within another group.

The question was: "What identities can you add to Group4 as members?" At no point is there any talk of assigning inherited functions between groups. Therefore, the answer is the letter: E. User1, Group1, Group2 and Group3.

Answer: A Explanation: This exam question test about role-assignable group feature in Azure Active Directory. Refer to Microsoft document on role-assignable group: “Group nesting is not supported. A group can't be added as a member of a role-assignable group.” Reference Create a role-assignable group in Azure Active Directory https://learn.microsoft.com/en-us/azure/active-directory/roles/groups-create-eligible Use Azure AD groups to manage role assignments https://learn.microsoft.com/en-us/azure/active-directory/roles/groups-concept

This exam question test about role-assignable group feature in Azure Active Directory. Refer to Microsoft document on role-assignable group: “Group nesting is not supported. A group can't be added as a member of a role-assignable group.”

Answer is B Group 3 option is Yes for AAD role can be assigned to the group. Group 4 has this option also yes. Hence, when you go to Group4 and try to add the groups, you will be able to add the groups that has the option YES. Group1 is M365 group which is not supported. Group2 has the option set to NO, hence, won't be available.