Az-104 Question

[JackVeneno]

What’s the correct answer:

44. Question

You have created a new Microsoft Entra user named TD-Juan.

You need to make sure that TD-Juan is able to assign an Azure policy to the root management group.

Which of the following options should you do?

-Create a management group and assign the role of Contributor.

-Create a management group and assign the role of Owner.

-Assign the role of Global Administrator and enable access management for Azure resources. –Assign the role of Owner and enable access management for Azure resources.

****
CHATGPT shows Assign the role of Owner and enable access management for Azure resources as the correct answer.

Please help.

[Irene-TutorialsDojo]

Hi JackVeneno,

Thank you for your question.

To allow the user TD-Juan to assign an Azure policy to the root management group, TD-Juan must have the Microsoft Entra ID role of Global Administrator and enable access management for Azure resources.

The root management group is the highest level in Azure’s management hierarchy, and no user has access to it by default. Only Global Administrators can enable access management, which lets them manage all Azure subscriptions and management groups, including the root management group. Once access management is enabled, the Global Administrator can assign roles and policies at the root scope.

Assigning the Owner role alone, even with access management enabled, does not grant access to the root management group unless the user is a Global Administrator who has elevated their access. Creating a new management group and assigning Owner or Contributor roles does not provide permissions at the root level.

Therefore, the correct step is to assign TD-Juan the Global Administrator role in Microsoft Entra ID and enable access management for Azure resources.

Please let me know if you need further assistance.

Best,

Irene @ Tutorials Dojo