Review Mode Set 1 – AZ-305 Designing Microsoft Azure Infrastructure Solutions
-
Question No. 23
You have been assigned to implement the following requirements: Grant the VM Contributor role to Group3 for MG3. Grant the Contributor role to Group1 for Tenant Root Group. Grant the Contributor role to User1 for Subs3. For each of the following items, choose Yes if the statement is true or choose No if the statement is false. Take note that each correct item is worth one point.
Option
User3 is able to provision a new VM in RG3. — YES
User2 is able to assign roles to Group2. — NO
User1 is able to deploy a storage account in RG2. — YES — this should be YES, but it's showing me that No is correct.
-
Hi BK83,
Thank you for reaching out regarding Question No. 23. We understand why it might seem that the answer for “User1 is able to deploy a storage account in RG2” should be YES, but based on the latest Azure documentation, the correct answer is NO.
Here’s why: User1 was granted the Contributor role only for Subs3, which allows management of resources within that subscription (and its resource groups like RG3). RG2, however, belongs to Subs2, which does not have any role assignment for User1. Additionally, although Group1 was granted Contributor at the Tenant Root Group level, User1’s membership in Group1 is indirect via nested groups (Group3 → Group1). Azure role-based access control (RBAC) does not support nested group membership for role assignments.
Microsoft explicitly states: “Group nesting isn’t supported. A group can’t be added as a member of a role-assignable group.”
– http://learn.microsoft.com/en-us/entra/identity/role-based-access-control/groups-concept
Therefore, User1 does not have permissions on RG2, and it correctly shows the answer as NO.
We hope this clarifies the behavior and why the exam answer is accurate.
Best,
Irene @ Tutorials Dojo
-
Glad that cleared things up! Always here if you need more clarification 👍