Assigning Role Assignments for Application2 in Azure
Question
Note: This question is part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription named Project1. Only a group named Project1admins is assigned roles in the Project1 subscription. The Project1 subscription contains all the resources for an application named Application1.
Your company is developing a new application named Application2. The members of the Application2 development team belong to an Azure Active Directory
(Azure AD) group named App2Dev.
You identify the following requirements for Application2:
-> The members of App2Dev must be prevented from changing the role assignments in Azure.
-> The members of App2Dev must be able to create new Azure resources required by Application2.
-> All the required role assignments for Application2 will be performed by the members of Project1admins.
You need to recommend a solution for the role assignments of Application2.
Solution: In Project1, create a resource group named Application2RG. Assign Project1admins the Owner role for Application2RG. Assign App2Dev the Contributor role for Application2RG.
Does this meet the goal?
Answers
Explanations
Click on the arrows to vote for the correct answer
A. B.B
You should use a separate subscription for Project2.
Yes, the recommended solution meets all the stated requirements for Application2.
Explanation:
The recommended solution involves creating a new resource group named Application2RG within the Project1 subscription. This resource group will contain all the resources required for Application2.
The first requirement is to prevent the members of App2Dev from changing the role assignments in Azure. By assigning them the Contributor role for the Application2RG resource group, they will be able to create and manage resources within that resource group, but they will not have the permissions to modify role assignments at the subscription level. The Owner role assigned to Project1admins at the resource group level does not affect the ability of App2Dev members to modify role assignments at the subscription level.
The second requirement is to allow the members of App2Dev to create new Azure resources required by Application2. By assigning them the Contributor role for the Application2RG resource group, they will have the permissions to create and manage resources within that resource group.
The third requirement is that all the required role assignments for Application2 will be performed by the members of Project1admins. By assigning them the Owner role for the Application2RG resource group, they will have full permissions to manage resources within that resource group, including assigning roles to App2Dev members or other users who need access to the resources in Application2RG.
Therefore, the recommended solution meets all the stated requirements for Application2.
