Custom Role for Permission Delegation in Azure AD | Exam AZ-500

Use Role1 for Permission Delegation in Azure AD

Question

You have an Azure subscription named Subscription1 that contains an Azure Active Directory (Azure AD) tenant named contoso.com and a resource group named RG1.

You create a custom role named Role1 for contoso.com.

You need to identify where you can use Role1 for permission delegation.

What should you identify?

Answers

Explanations

A. B. C. D.

D

The custom role created in Azure AD can be used to delegate permissions across various resources in Azure, such as resource groups, subscriptions, or management groups.

In this scenario, the custom role named Role1 is created for the Azure AD tenant contoso.com, and the resource group RG1 is present in the subscription named Subscription1.

To identify where Role1 can be used for permission delegation, we need to understand the scope of the custom role.

The scope of the custom role determines the level at which the permissions granted by the role can be applied. The available scope options are:

  • Management Group
  • Subscription
  • Resource Group
  • Resource

When creating the custom role, you can specify the scope at which the role will be applied. If you do not specify a scope, the role is created at the tenant level by default, which means it can be used to delegate permissions across the entire Azure AD tenant.

In this scenario, the question does not provide information about the scope specified for Role1. Therefore, we need to assume that the default scope was used, which means Role1 is created at the tenant level.

Based on this assumption, the answer to the question is A. contoso.com only. This means that Role1 can be used to delegate permissions across the Azure AD tenant contoso.com but cannot be applied to resources such as the resource group RG1 or the subscription Subscription1.

If a different scope was specified for Role1, the answer could be different. For example, if Role1 was created with a scope of RG1, the answer would be B. contoso.com and RG1 only. This means that Role1 can be used to delegate permissions across the resource group RG1 and the Azure AD tenant contoso.com but cannot be applied to other resources or subscriptions.