Hi BK83,
Thank you for reaching out regarding Question No. 23. We understand why it might seem that the answer for “User1 is able to deploy a storage account in RG2” should be YES, but based on the latest Azure documentation, the correct answer is NO.
Here’s why: User1 was granted the Contributor role only for Subs3, which allows management of resources within that subscription (and its resource groups like RG3). RG2, however, belongs to Subs2, which does not have any role assignment for User1. Additionally, although Group1 was granted Contributor at the Tenant Root Group level, User1’s membership in Group1 is indirect via nested groups (Group3 → Group1). Azure role-based access control (RBAC) does not support nested group membership for role assignments.
Microsoft explicitly states: “Group nesting isn’t supported. A group can’t be added as a member of a role-assignable group.”
– http://learn.microsoft.com/en-us/entra/identity/role-based-access-control/groups-concept
Therefore, User1 does not have permissions on RG2, and it correctly shows the answer as NO.
We hope this clarifies the behavior and why the exam answer is accurate.
Best,
Irene @ Tutorials Dojo