Exam SC-300 topic 2 question 40 discussion

YYN. You can use user assigned managed identities in more than one Azure region.

YYN Ref first two questions - both are Y because you can assign managed identity to a VM regardless of which region the identity or VM is located - I tested it. Ref the third one - I think N. The catch here is that you cannot assign a role directly to a VM but only to an identity, system or user managed.

Yes Yes No VM1 can be assigned the Owner role for RG1 but only with System-assigned managed identity enabled. If System-assigned managed identity is enabld the role can be assigned to VM directly or to the System-assigned managed identity associated with VM1. In both cases we only can see the ID of system identity.

- Y - Y - N

YES YES YES

The first two are definite yes / yes. For the third, it depends on the scenario; Scenario 1: I give one of the user assinged identities the owner role. Problem: Every service with the identity would be owern. This would possibly contradict the principle of least privilege. But then it would be Y/ Y /Y Scenario 2: I want only the VM to be Owner and assume that I don't want to give the permission to a User assigned Identity. I don't have a System Assinged Identity, so then: Y /Y / N Since it is not directly stated here whether the assignment of the authorization to a Managed Identity (User assigned) is allowed, I assume an authorization of the VM directly. Therefore I feel more comfortable with Y /Y / N.

You can assign Managed2 to V1 (Yes), but you cannot assign Managed3 to V1 (No). You can assign the owner role for RG1 to V1 (Yes), but there is no VM1 mentioned in the message.

YES YES YES

Just tested this in my lab - the answer is YYY: vm1 created with system assigned identity off (vm1 is in North Europe) useridentity1 created in NorthEurope can be assigned to the VM useridentity2 created in EastUS can be assigned to the VM Adding useridentity1 as an owner to a resource group in Brazil worked fine

As long as the system-assigned managed identity is disabled on an Azure VM resource, then there is no way to add any user-assigned managed identity. However, the question does tell us that managed-assigned identities get created which it doesn't specify, but they should be USER-assigned managed identities (system-assigned identities cannot be created as stand-alone they are tied to a resource that you deploy), anyhow, then we are told that Managed1 is added to the VM which would mean that the system-assigned identity has been enabled (otherwise it wouldn't work). If so, then all 3 Managed Identities can be added to the VM. Regarding the last statement, it's YES, you can assign the VM with the owner role for the RG, it doesn't impact due to region. In conclusion I say it should be YYY.

can anyone help me understand why 3rd box is marked as NO? i mean it doesnt make sense but its possible to have VM's MI to have roles of its own correct me if wrong plz

bad question the table does not see if it is user or system assigned and that makes the difference cross region is only supported for user-assigned since with system assigned each region would have to create its own identity since it's tied to the resource itself

I believe VM1 should be Managed 1 here. So answer is No.

I think it should be YNN