Role Assignments for Azure Application2
Question
Note: This question is part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription named Project1. Only a group named Project1admins is assigned roles in the Project1 subscription. The Project1 subscription contains all the resources for an application named Application1.
Your company is developing a new application named Application2. The members of the Application2 development team belong to an Azure Active Directory
(Azure AD) group named App2Dev.
You identify the following requirements for Application2:
-> The members of App2Dev must be prevented from changing the role assignments in Azure.
-> The members of App2Dev must be able to create new Azure resources required by Application2.
-> All the required role assignments for Application2 will be performed by the members of Project1admins.
You need to recommend a solution for the role assignments of Application2.
Solution: Create a new Azure subscription named Project2. Assign Project1admins the User Access Administrator role for the Project2 subscription. Assign
App2Dev the Owner role for the Project2 subscription.
Does this meet the goal?
Answers
Explanations
Click on the arrows to vote for the correct answer
A. B.B
Instead, assign Project1admins the Owner role for the Project2 subscription. Assign App2Dev the Contributor role for the Project2 subscription.
The proposed solution does not meet the stated requirements for Application2. The solution is suggesting to create a new Azure subscription named Project2 and assigning the User Access Administrator role to Project1admins and the Owner role to App2Dev for the Project2 subscription.
However, the requirement is to prevent App2Dev members from changing the role assignments in Azure. By assigning the Owner role to App2Dev, they will have full control over the subscription and can modify the role assignments for any user or group in the subscription. This would violate the requirement of preventing App2Dev from changing the role assignments.
Instead, a better solution would be to create a new resource group within the existing Project1 subscription specifically for Application2 resources. Then, assign the Project1admins the Contributor role for the new resource group, allowing them to perform all the required role assignments for Application2. Finally, assign the App2Dev group the Owner role for the new resource group, enabling them to create new Azure resources required by Application2 while preventing them from modifying role assignments for Azure resources outside the new resource group.
Therefore, the correct answer is "No".
