Create a new Azure Active Directory role | Microsoft Azure Infrastructure and Deployment | Exam AZ-100

Create a new Azure Active Directory role

Prev Question Next Question

Question

HOTSPOT -

You plan to create a new Azure Active Directory (Azure AD) role.

You need to ensure that the new role can view all the resources in the Azure subscription and issue support requests to Microsoft. The solution must use the principle of least privilege.

How should you complete the JSON definition? To answer, select the appropriate options in the answer area.

Hot Area:

Show Answer

Explanations

Explanation

Box 1: "*/read",

*/read lets you view everything, but not make any changes.

Box 2: " Microsoft.Support/*"

The action Microsoft.Support/* enables creating and management of support tickets.

https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

To create a new Azure AD role that can view all the resources in the Azure subscription and issue support requests to Microsoft while following the principle of least privilege, you should complete the JSON definition as follows:

json
{   "Name": "Support Request Contributor",   "Description": "Can view all resources and create support requests.",   "Actions": [     "Microsoft.Support/*",     "Microsoft.Resources/subscriptions/resourceGroups/read",     "Microsoft.Resources/subscriptions/resourceGroups/resources/read"   ],   "AssignableScopes": [     "/subscriptions/<subscriptionId>"   ] }

In the Actions section, we are assigning the following actions to the role:

Microsoft.Support/*: This action grants the role permissions to create and manage support requests with Microsoft.
Microsoft.Resources/subscriptions/resourceGroups/read: This action grants the role permissions to view the names and properties of resource groups in the subscription.
Microsoft.Resources/subscriptions/resourceGroups/resources/read: This action grants the role permissions to view the resources within the resource groups in the subscription.

In the AssignableScopes section, we are limiting the scope of the role to the specified subscription. This ensures that the role has access only to the resources in that subscription and not others. Replace <subscriptionId> with the actual ID of the subscription.

The resulting JSON definition creates a new Azure AD role called Support Request Contributor that can view all resources in the subscription and issue support requests to Microsoft while following the principle of least privilege.

Prev Question Next Question