Discover the permissions of User1, User2, and User3 in an Azure environment with multiple subscriptions, management groups, and resources. Learn about role assignments and their impact on resource management in the AZ-104 certification exam.
Table of Contents
Question
You have a Microsoft Entra tenant that is linked to the subscriptions shown in the following table.
| Name | Management group | Parent management group |
|---|---|---|
| Sub1 | Tenant Root Group | Not applicable |
| Sub2 | MG1 | Tenant Root Group |
| Sub3 | MG2 | Tenant Root Group |
You have the resource groups shown in the following table.
| Name | Subscription | Description |
|---|---|---|
| RG1 | Sub1 | Contains a storage account named storage1 |
| RG2 | Sub2 | Contains a web app named App1 |
| RG3 | Sub3 | Contains a virtual machine named VM1 |
You assign roles to users as shown in the following table.
| Name | Role | Scope |
|---|---|---|
| User1 | Contributor | MG2 |
| User2 | Storage Account Contributor | storage1 |
| User3 | User Access Administrator | Tenant Root Group |
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
- User1 can resize VM1.
- User2 can create a new storage account in RG1.
- User3 can assign User1 the Owner role for RG3.
Answer
- User1 can resize VM1: Yes
- User2 can create a new storage account in RG1: No
- User3 can assign User1 the Owner role for RG3: Yes
Explanation
User1 can resize VM1: Yes
Explanation: User1 is assigned the Contributor role at the MG2 management group scope, which includes Sub3. VM1 is located in RG3, which is part of Sub3. The Contributor role allows User1 to manage resources, including resizing virtual machines, within the assigned scope.
User2 can create a new storage account in RG1: No
Explanation: User2 is assigned the Storage Account Contributor role, but this role is scoped specifically to storage1. The Storage Account Contributor role grants permissions to manage storage accounts, but only for the storage account specified in the scope. As a result, User2 cannot create a new storage account in RG1.
User3 can assign User1 the Owner role for RG3: Yes
Explanation: User3 is assigned the User Access Administrator role at the Tenant Root Group scope, which encompasses all subscriptions and management groups in the tenant. The User Access Administrator role allows User3 to manage user access and role assignments for all resources within the tenant, including assigning User1 the Owner role for RG3.
In summary, User1 can resize VM1 due to the Contributor role assigned at the MG2 scope, User2 cannot create a new storage account in RG1 because the Storage Account Contributor role is scoped to storage1, and User3 can assign User1 the Owner role for RG3 thanks to the User Access Administrator role assigned at the Tenant Root Group scope.
Microsoft AZ-104 certification exam assessment practice question and answer (Q&A) dump including multiple choice questions (MCQ) and objective type questions, with detail explanation and reference available free, helpful to pass the Microsoft AZ-104 exam and earn Microsoft AZ-104 certification.