Microsoft 365 RBAC Role for Resource Group Management | Exam MS-500

Which RBAC Role Should You Assign to Enable Resource Group Management?

Question

You are an IT administrator with Microsoft 365 E5 licenses assigned to your users.

You are the owner of a subscription in Azure that consists of several resource groups.

You need to enable a new employee to manage and create all resources within one resource group, but he is not permitted to grant others access to the resource group or the resources within it.

Which RBAC role should you assign him?

Answers


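A. Owner role on the subscription level
B. Owner role on the resource group level
C. Contributor role on the subscription level
D. Contributor role on the resource group level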

Correct Answer: D

You should assign the new employee the Contributor RBAC role on the Azure resource group he is to manage.

[Screenshot: Azure portal, resource group Whizlabs-RG, Access control (IAM), Add role assignment. Description shown for the selected role: "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries."]

Option A is incorrect.

This will give the user access to manage all aspects within the subscription AND assign roles within the subscription.

The user should only manage one resource group.

Option B is incorrect.

This will give the user access to manage AND assign roles within the resource group.

This is not permitted.

Option C is incorrect.

This will give the user access to manage all aspects within the subscription.

The user should only manage one resource group.

To know more about the built-in RBAC roles, please refer to the link below:

RBAC (Role-Based Access Control) is a security methodology that enables administrators to manage permissions and access to resources in Azure. When a user is assigned an RBAC role, it provides a set of permissions that allow the user to perform specific actions within Azure resources.

In this scenario, the IT administrator needs to enable a new employee to manage and create all resources within a particular resource group, but restrict the employee from granting access to others to the same resource group or resources within it.

To achieve this, the IT administrator should assign the Contributor role on the resource group level (Option D) to the new employee.

Option A - Owner role on the subscription level is not recommended because it would give the employee excessive permissions to manage all resources and resource groups within the subscription.

Option B - Owner role on the resource group level would provide the employee with full control over the resource group and its resources, which includes permissions to grant access to others.

Option C - Contributor role on the subscription level would provide the employee with access to manage resources across all resource groups in the subscription, which is not what is required.

Therefore, option D is the best solution as it provides the employee with the necessary permissions to manage and create resources within a specific resource group, but limits their ability to grant access to others to the same resource group or resources within it.
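
The comparison of the four options above, as an added example that is not part of the original page: a simplified Python model of how a role's Actions and NotActions combine with scope inheritance. The subscription ID, `Other-RG`, and all helper names are assumptions; Contributor's NotActions are abridged to the authorization entries, and deny assignments and conditions are not modelled.

```python
from fnmatch import fnmatchcase

# Abridged role definitions: Owner excludes nothing; Contributor excludes
# writes and deletes under Microsoft.Authorization (role assignments).
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        "not_actions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID
TARGET_RG = SUB + "/resourceGroups/Whizlabs-RG"
OTHER_RG = SUB + "/resourceGroups/Other-RG"  # hypothetical second group

CREATE_VM = "Microsoft.Compute/virtualMachines/write"
ASSIGN_ROLE = "Microsoft.Authorization/roleAssignments/write"

# The four answer options as (role, scope the role is assigned at).
OPTIONS = {"A": ("Owner", SUB), "B": ("Owner", TARGET_RG),
           "C": ("Contributor", SUB), "D": ("Contributor", TARGET_RG)}

def _match(patterns, action):
    # Wildcard match, compared case-insensitively.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def is_allowed(role, assigned_scope, action, target_scope):
    """True if `role` assigned at `assigned_scope` permits `action` at `target_scope`."""
    t, s = target_scope.lower(), assigned_scope.lower()
    inherited = t == s or t.startswith(s + "/")  # child scopes inherit assignments
    r = ROLES[role]
    return inherited and _match(r["actions"], action) and not _match(r["not_actions"], action)

def meets_requirement(role, scope):
    # Manage the target group, no role assignment there, no reach into other groups.
    return (is_allowed(role, scope, CREATE_VM, TARGET_RG)
            and not is_allowed(role, scope, ASSIGN_ROLE, TARGET_RG)
            and not is_allowed(role, scope, CREATE_VM, OTHER_RG))

def passing_options():
    return [k for k, (role, scope) in OPTIONS.items() if meets_requirement(role, scope)]

if __name__ == "__main__":
    print(passing_options())
```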