Your company has decided to implement Azure role-based access control (RBAC) to secure its resources and manage user access. You’re reviewing the scenarios to support, and have a list of issues to address:
- Not all users have access to the same resources. A new employee should have only limited resource access.
- Most administrators require full access to all corporate resources. A few admins need limited access to specific resources so they can read the settings, but not make changes.
- How are scopes and permissions applied for Azure resources, including the custom role definition?
- Your manager has asked if there are differences between Azure roles and Microsoft Entra roles.
Question 1
You have three virtual machines (VM1, VM2, VM3) in a resource group. A new admin is hired, and they need to be able to modify settings on VM3. They shouldn’t be able to make changes to VM1 or VM2. How can you implement RBAC to minimize administrative overhead?
A. Assign the admin to the Contributor role on the resource group.
B. Assign the admin to the Contributor role on VM3.
C. Move VM3 to a new resource group, and then assign the admin to the Owner role on VM3.
Answer
B. Assign the admin to the Contributor role on VM3.
Explanation
When you assign the Contributor role to the specific resource, the admin can change the settings on that resource; in this case, VM3.
A is incorrect. The Contributor role assignment on the resource group allows the admin to modify all VMs in the resource group.
C is incorrect. The Owner role gives the admin more permissions than they need. It’s best to give only the permissions required.
Question 2
What is the purpose of the ‘AssignableScopes’ permissions in a role definition?
A. Specifies the actions that aren’t allowed
B. Specifies the scopes where a role definition can be assigned
C. Specifies the actions that are allowed
Answer
B. Specifies the scopes where a role definition can be assigned
Explanation
The ‘AssignableScopes’ permissions specify the scopes where a role definition can be assigned.
A is incorrect. The ‘AssignableScopes’ permissions don’t specify the actions that aren’t allowed.
C is incorrect. The ‘AssignableScopes’ permissions don’t specify the actions that are allowed.
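The scope behaviour behind Questions 1 and 2, as an added example that is not part of the original quiz: a small Python model of how a role assignment is inherited by everything beneath its scope, and how AssignableScopes limits where a custom role can be assigned. The subscription ID, resource group name, principal and custom role are constructed placeholders; the assignment fields follow the shape of `az role assignment list` output.

```python
# Added example: models Azure RBAC scope inheritance and the AssignableScopes check.
# Subscription ID, resource group, principal and custom role are constructed placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = f"{SUB}/resourceGroups/rg-example"
VMS = {n: f"{RG}/providers/Microsoft.Compute/virtualMachines/{n}" for n in ("VM1", "VM2", "VM3")}

# Built-in roles reduced to "can this role modify a resource?" for this example.
CAN_WRITE = {"Owner": True, "Contributor": True, "Reader": False}


def in_scope(scope, resource_id):
    """A scope covers itself and everything beneath it in the hierarchy."""
    scope, resource_id = scope.rstrip("/").lower(), resource_id.rstrip("/").lower()
    return resource_id == scope or resource_id.startswith(scope + "/")


def writable(assignments, principal, resources):
    """Names of resources the principal can modify through any inherited assignment."""
    return sorted(
        name for name, rid in resources.items()
        if any(a["principalName"] == principal
               and CAN_WRITE.get(a["roleDefinitionName"], False)
               and in_scope(a["scope"], rid)
               for a in assignments)
    )


def assignable_at(role_definition, scope):
    """A custom role can be assigned only at or below one of its AssignableScopes."""
    return any(in_scope(s, scope) for s in role_definition["AssignableScopes"])


ADMIN = "newadmin@example.com"
# Option A from Question 1: Contributor on the resource group.
option_a = [{"principalName": ADMIN, "roleDefinitionName": "Contributor", "scope": RG}]
# Option B from Question 1: Contributor on VM3 only.
option_b = [{"principalName": ADMIN, "roleDefinitionName": "Contributor", "scope": VMS["VM3"]}]

# Constructed custom role limited to the example resource group.
custom_role = {"Name": "VM Settings Reader (example)",
               "Actions": ["Microsoft.Compute/virtualMachines/read"],
               "NotActions": [],
               "AssignableScopes": [RG]}

if __name__ == "__main__":
    print("Option A writable:", writable(option_a, ADMIN, VMS))
    print("Option B writable:", writable(option_b, ADMIN, VMS))
    print("Custom role assignable on VM3:", assignable_at(custom_role, VMS["VM3"]))
    print("Custom role assignable on subscription:", assignable_at(custom_role, SUB))
```

The same `writable` check can be run over exported role assignments to flag principals whose write access reaches more resources than intended.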
Question 3
Explain the main differences between Azure roles and Microsoft Entra roles.
A. Azure roles apply to Azure resources. Microsoft Entra roles apply to Microsoft Entra resources such as users, groups, and domains.
B. Azure roles can be assigned at the root level.
C. Microsoft Entra roles are used to manage access to Azure resources.
Answer
A. Azure roles apply to Azure resources. Microsoft Entra roles apply to Microsoft Entra resources such as users, groups, and domains.
Explanation
Azure roles are used to manage access to VMs, storage, and other Azure resources. Microsoft Entra roles are used to manage access to Microsoft Entra resources like user accounts and passwords.
B is incorrect. Azure roles can only be assigned at the management group, subscription, resource group, or resource scope.
C is incorrect. Azure roles, not Microsoft Entra roles, are used to view and manage access to VMs, storage, and other Azure resources. Microsoft Entra roles are used to manage access to Microsoft Entra resources like user accounts and passwords.