Discover which Azure AD admin roles have the permissions to assign custom security attributes to users, security groups, and Microsoft 365 groups in this AZ-104 certification exam question. Learn about the capabilities of the Attribute Assignment Administrator role.
Table of Contents
Question
Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.
Overview
ADatum Corporation is consulting firm that has a main office in Montreal and branch offices in Seattle and New York.
Existing Environment
Azure Environment
ADatum has an Azure subscription that contains three resource groups named RG1, RG2, and RG3.
The subscription contains the storage accounts shown in the following table.
| Name | Kind | Location | Hierarchical namespace | Container | File share |
|---|---|---|---|---|---|
| storage1 | StorageV2 | West US | Yes | cont1 | share1 |
| storage2 | StorageV2 | West US | No | cont2 | share2 |
The subscription contains the virtual machines shown in the following table.
| Name | Size | Operating system | Description |
|---|---|---|---|
| VM1 | A | Red Hat Enterprise Linux (RHEL) | Uses ephemeral OS disks |
| VM2 | D | Windows Server 2022 | Has a basic volume |
| VM3 | B | Red Hat Enterprise Linux (RHEL) | Uses a standard SSDs |
| VM4 | M | Windows Server 2022 | Uses Write Accelerator disks |
| VM5 | E | Windows Server 2022 | Has a dynamic volume |
The subscription has an Azure container registry that contains the images shown in the following table.
| Name | Operating system |
|---|---|
| Image1 | Windows Server |
| Image2 | Linux |
The subscription contains the resources shown in the following table.
| Name | Description | In resource group |
|---|---|---|
| Workspace1 | Log Analytics workspace | RG1 |
| WebApp1 | Azure App Service web app | RG1 |
| VNet1 | Virtual network | RG2 |
| zone1.com | Azure Private DNS zone | RG3 |
Azure Key Vault
The subscription contains an Azure key vault named Vault1.
Vault1 contains the certificates shown in the following table.
| Name | Content type | Key type | Key size |
|---|---|---|---|
| Cert1 | PKCS#12 | RSA | 2048 |
| Cert2 | PKCS#12 | RSA | 4096 |
| Cert3 | PEM | RSA | 2048 |
| Cert4 | PEM | RSA | 4096 |
Vault1 contains the keys shown in the following table.
| Name | Type | Description |
|---|---|---|
| Key1 | RSA | Has a key size of 4096 |
| Key2 | EC | Has Elliptic curve name set to P-256 |
Microsoft Entra Environment
ADatum has a Microsoft Entra tenant named adatum.com that is linked to the Azure subscription and contains the users shown in the following table.
| Name | Microsoft Entra role | Azure role |
|---|---|---|
| Admin1 | Global Administrator | None |
| Admin2 | Attribute Definition Administrator | None |
| Admin3 | Attribute Assignment Administrator | None |
| User1 | None | Reader for RG2 and RG3 |
The tenant contains the groups shown in the following table.
| Name | Type |
|---|---|
| Group1 | Security group |
| Group2 | Microsoft 365 group |
The adatum.com tenant has a custom security attribute named Attribute1.
Planned Changes
ADatum plans to implement the following changes:
- Configure a data collection rule (DCR) named DCR1 to collect only system events that have an event ID of 4648 from VM2 and VM4.
- In storage1, create a new container named cont2 that has the following access policies:
- Three stored access policies named Stored1, Stored2, and Stored3
- A legal hold for immutable blob storage
- Whenever possible, use directories to organize storage account content.
- Grant User1 the permissions required to link Zone1 to VNet1.
- Assign Attribute1 to supported adatum.com resources.
- In storage2, create an encryption scope named Scope1.
- Deploy new containers by using Image1 or Image2.
Technical Requirements
ADatum must meet the following technical requirements:
- Use TLS for WebApp1.
- Follow the principle of least privilege.
- Grant permissions at the required scope only.
- Ensure that Scope1 is used to encrypt storage services.
- Use Azure Backup to back up cont1 and share1 as frequently as possible.
- Whenever possible, use Azure Disk Encryption and a key encryption key (KEK) to encrypt the virtual machines.
You need to implement the planned change for Attribute1.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
- Admin1 can assign Attribute1 to Group1.
- Admin2 can assign Attribute1 to User1.
- Admin3 can assign Attribute1 to Group2.
Answer
- Admin1 can assign Attribute1 to Group1: No
- Admin2 can assign Attribute1 to User1: No
- Admin3 can assign Attribute1 to Group2: Yes
Explanation
According to the information provided in the case study:
Admin1 has the Global Administrator role in the Microsoft Entra tenant (Azure AD). However, the Global Administrator role does not have the permissions to assign custom security attributes like Attribute1 to security groups such as Group1. Therefore, the statement “Admin1 can assign Attribute1 to Group1” is false.
Admin2 has the Attribute Definition Administrator role in the Microsoft Entra tenant. This role allows Admin2 to create and manage custom security attributes, but it does not grant permissions to assign those attributes to users or groups. As a result, the statement “Admin2 can assign Attribute1 to User1” is false.
Admin3 has the Attribute Assignment Administrator role in the Microsoft Entra tenant. This role grants Admin3 the permissions to assign custom security attributes to users and groups, including Microsoft 365 groups like Group2. Therefore, the statement “Admin3 can assign Attribute1 to Group2” is true.
In summary:
- Admin1 (Global Administrator) cannot assign Attribute1 to Group1 (security group).
- Admin2 (Attribute Definition Administrator) cannot assign Attribute1 to User1.
- Admin3 (Attribute Assignment Administrator) can assign Attribute1 to Group2 (Microsoft 365 group).
The Attribute Assignment Administrator role is specifically designed to manage the assignment of custom security attributes to users and groups in Azure AD, while other roles like Global Administrator and Attribute Definition Administrator do not have these permissions.
Microsoft AZ-104 certification exam assessment practice question and answer (Q&A) dump including multiple choice questions (MCQ) and objective type questions, with detail explanation and reference available free, helpful to pass the Microsoft AZ-104 exam and earn Microsoft AZ-104 certification.