Exam AZ-104 topic 2 question 72 discussion

Just tested in my Azure test environment. Answer is: 1. No 2. No 3. Yes Don't know where rpalanivel83 got his answers from

All 3 statements tested: Yes It is possible to add Group2 to Group1, after checking the effective access the user in Group2 is owner. No M365 groups cant be added to membership of another group Yes the statement is not complete but if it states to assign the role to Group3 directly it is possible

CORRECT

1. No, role assignments do not automatically propagate to nested groups in Azure. Azure Role-Based Access Control (RBAC) does not support the automatic inheritance of role assignments for nested groups. 2. No, a Microsoft 365 group cannot be a member of a security group in Azure AD. Microsoft 365 groups (formerly known as Office 365 groups) are designed primarily for collaboration purposes and integrate with tools like Outlook, Teams, SharePoint, and others. They are different from security groups, which are used for managing permissions to resources within Azure and other Microsoft services. 3.Yes, a Microsoft 365 group can be assigned as the owner of a resource group in Azure. In Azure Role-Based Access Control (RBAC), you can assign roles, including the "Owner" role, to users, security groups, or Microsoft 365 groups.

Who knows if they truly test it? We don't need to trust anyone, only documentation is truly trustable. The answer is No No Yes for this simple reason: Adding groups as members of a role-assignable group is not supported. So we don't need to understand nested group assignment or everything else. Those group has role-assignable set to true, so this group can't have other groups inside of it. So the first 2 are false because you can't. https://learn.microsoft.com/en-us/entra/fundamentals/how-to-manage-groups#add-or-remove-a-group-from-another-group

1. Yes: you can use nested security group to assign RBAC roles in Azure (don't confuse this with Entra) - tested and verified in the lab 2. No: you can not nest Microsoft 365 group in a security group (it will be grayed out) 3. Yes: you can assign an owner role directly to a Microsoft 365 group in Azure

Given answer is right

No No Yes

well first one is yes second one is no cuz the group3 type is not security so it can not be used for the assigning roles in azure RBAC. last one is yes if you want to modify the assigning role to the user3 as the owner and assign the group3 as the security type then of course in th RG1 you can assign user3 the owner role by assigning the owner role to group3 . i tested but here in this site there are many questions which are wrong so you have to test by yourself before proceeding to the answer.

Yes - Nesting is indeed possible for Azure RBAC, not to be confused to Entra Id RBAC. No. Microsoft 365 groups cannot be nested under a security group in Entra Id. No Microsoft 365 groups cannot be added in Role assignment in Azure.

1. N - Adding as a member to a group won't inherit/share access privileges. 2. N - Adding as a member to a group won't inherit/share access privileges. 3. Y

I have tested this and I am not sure where you guys are getting Y N N. When you assign Group1 to RG1 as Owner, the members of Group1 (in this case User1) will have Owner access. When you assign Group2 to Group1 and check access for User2, this user doesn't inherit the access from Group1. When you try to assign User3 as the owner of RG1 by adding Group3 as a member of Group1 you simply can't, the option is greyed out and it tells you M365 groups are not supported. If you assign Group3 the Owner role directly on RG1, User3 will then inherit the access. It is supported, do not mistake thinking M365 groups cannot be assigned access levels via IAM. So the correct answer is N, N, Y. Do yourself a favor and ignore everyone saying anything else.

YNY Y - One group can be added as a member of another group, and you can achieve group nesting. Adding Group2 into Group1 will grant User2 Owner access. N - Microsoft 365 Groups are not supported in a nested configuration so permissions won't apply. Y - Microsoft 365 Groups support role assignment in AAD. https://learn.microsoft.com/en-us/entra/identity/users/directory-service-limits-restrictions

1. NO 2. NO 3. YES Group nesting isn't supported. A group can't be added as a member of a role-assignable group. https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/groups-concept#restrictions-for-role-assignable-groups

1. NO 2. NO 3. YES Group nesting isn't supported. A group can't be added as a member of a role-assignable group. https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/groups-concept#restrictions-for-role-assignable-groups

Just tested this again for a sanity check. It's YNY. Adding security groups to security groups does pass on ownership rights BUT M365 groups cannot be added to security groups. However they can be made owners of the Resource Group.

@@@@@ Answers @@@ 1. Yes { Support nested roles} 2. No {M365 dont support nested roles} 3. No { M365 dont support Azure Owner roles}