Exam AZ-104 topic 2 question 72 discussion

Just tested in my Azure test environment. Answer is: 1. No 2. No 3. Yes Don't know where rpalanivel83 got his answers from

All 3 statements tested: Yes It is possible to add Group2 to Group1, after checking the effective access the user in Group2 is owner. No M365 groups cant be added to membership of another group Yes the statement is not complete but if it states to assign the role to Group3 directly it is possible

1. Yes. It now (March 19, 2025) appears that you can inherit RBAC roles through nested group membership. Tested on Azure Portal. 2. No. As others have indicated, Azure Portal does not allow adding a MS 365 Group to a Security group. Did not try CLI. 3. User3 is a member user (assumed). The fact that he belongs to a MS 365 group does not change this status. As a member user, we can assign RBAC (including privileged) roles to User 3. Tested on Azure Portal.

The answer is actually correct: 1- Children groups will inherit the permissions of the parent. But the question mentions that the group is set to "azure ad roles can be assigned to this group". This option prevents nesting. So the parent can't actually have any sub-groups. 2- Microsoft 365 groups can't be added a child to a security group 3- You actually can assign a Microsoft 365 group a role on an azure resource

The answer is: No - nesting does not work No - you cannot mix m635 groups with security groups No - M365 groups do not work in azure RBAC environment Learn or Perish

1. Yes 2. No 3. Yes "Nesting is currently not supported for groups " <-- I guess it was true in the past, but not anymore. You can add Group2 as a member of Group1 and members of Group2 inherit the RBAC roles assigned to Group1. (I tested this today)

no no Yes

all the questions ask 'You can assign..." but it doesn't tell me what permissions I have. Not enough info in this question. I hate these types of questions. I am supposed to assume I can assign I guess?

You can use nested security groups to assign RBAC roles in Azure (not Microsoft 365 group). Nested groups are not currently supported for all Azure services and features. Directly assigning an Azure RBAC role to a Microsoft 365 group is not possible. This is because Microsoft 365 groups are primarily designed for collaboration within Microsoft 365 services and do not have the necessary security attributes to be directly assigned Azure RBAC roles. So the answers are: 1. Yes, 2. No, 3. No

so many confusion. Many people saying "Nesting is supported in Azure subscription roles. The question clearly shows that it is referencing an Azure subcription role. The link you have supplied is about unsupported nested groups in Azure Active Directory." Forget about roles, or RBAC or whatever :-) Nested Group Support in RBAC is irrelevant. think about nested groups. the point is , you can't create a nested group anyways. you will NOT be able to include any group to a role-assignable group, they are all assignable groups so those groups can't have child... So there is no point about whether nested group is supported by X or Y, because... there is NO nested group! so it's N-N for the 2 first questions

i think this one explicitly addresses questions 1 https://learn.microsoft.com/en-us/azure/role-based-access-control/overview#groups So the answers are Y for the nested group RBAC role inheritance

1. NO 2. NO 3. YES Group nesting isn't supported. A group can't be added as a member of a role-assignable group. https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/groups-concept#restrictions-for-role-assignable-groups

CORRECT

1. No, role assignments do not automatically propagate to nested groups in Azure. Azure Role-Based Access Control (RBAC) does not support the automatic inheritance of role assignments for nested groups. 2. No, a Microsoft 365 group cannot be a member of a security group in Azure AD. Microsoft 365 groups (formerly known as Office 365 groups) are designed primarily for collaboration purposes and integrate with tools like Outlook, Teams, SharePoint, and others. They are different from security groups, which are used for managing permissions to resources within Azure and other Microsoft services. 3.Yes, a Microsoft 365 group can be assigned as the owner of a resource group in Azure. In Azure Role-Based Access Control (RBAC), you can assign roles, including the "Owner" role, to users, security groups, or Microsoft 365 groups.

Who knows if they truly test it? We don't need to trust anyone, only documentation is truly trustable. The answer is No No Yes for this simple reason: Adding groups as members of a role-assignable group is not supported. So we don't need to understand nested group assignment or everything else. Those group has role-assignable set to true, so this group can't have other groups inside of it. So the first 2 are false because you can't. https://learn.microsoft.com/en-us/entra/fundamentals/how-to-manage-groups#add-or-remove-a-group-from-another-group

1. Yes: you can use nested security group to assign RBAC roles in Azure (don't confuse this with Entra) - tested and verified in the lab 2. No: you can not nest Microsoft 365 group in a security group (it will be grayed out) 3. Yes: you can assign an owner role directly to a Microsoft 365 group in Azure

Given answer is right