Azure Role Assignments for Application2

Preventing Role Changes and Allowing Resource Creation

Question

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription named Project1. Only a group named Project1admins is assigned roles in the Project1 subscription. The Project1 subscription contains all the resources for an application named Application1.

Your company is developing a new application named Application2. The members of the Application2 development team belong to an Azure Active Directory (Azure AD) group named App2Dev.

You identify the following requirements for Application2:

-> The members of App2Dev must be prevented from changing the role assignments in Azure.

-> The members of App2Dev must be able to create new Azure resources required by Application2.

-> All the required role assignments for Application2 will be performed by the members of Project1admins.

You need to recommend a solution for the role assignments of Application2.

Solution: In Project1, create a network security group (NSG) named NSG1. Assign Project1admins the Owner role for NSG1. Assign App2Dev the Contributor role for NSG1.

Does this meet the goal?

Answers

Explanations


A. B.

B

You should use a separate subscription for Project2.

The proposed solution, creating an NSG named NSG1 in Project1 and assigning Project1admins the Owner role and the App2Dev group the Contributor role for NSG1, does not meet the stated goals for the following reasons:

  1. The solution does not prevent the App2Dev group from changing the role assignments in Azure. By granting the Contributor role to the App2Dev group for the NSG, they will have the ability to modify the NSG resource and potentially modify or delete role assignments for other resources in the Project1 subscription.

  2. The solution does not provide the App2Dev group with the ability to create new resources required by Application2. By only assigning the Contributor role to the NSG, the App2Dev group can only modify the existing NSG resource, but cannot create new resources required by Application2.

A better solution to meet the stated requirements would be to create a custom role that includes the permissions required for the App2Dev group to create new resources for Application2, but does not include the ability to modify role assignments in Azure. The Project1admins group would then be responsible for performing all required role assignments for Application2. This solution would meet both of the stated requirements while also ensuring that role assignments in Azure are managed by a single trusted group.

To implement this solution, follow these steps:

  1. Create a custom Azure role using Azure PowerShell, Azure CLI, or the Azure portal. Include the permissions required for the App2Dev group to create new resources required by Application2. For example, the role might include permissions to create and manage virtual machines, storage accounts, and network resources. However, do not include permissions to modify role assignments.

  2. Assign the custom role to the App2Dev group at the appropriate scope (such as a resource group or subscription). This will allow them to create and manage the required resources for Application2, but will not allow them to modify role assignments.

  3. Ensure that the Project1admins group is assigned the Owner or Contributor role at the subscription or management group scope. This will allow them to perform all required role assignments for Application2.

With this solution, the App2Dev group can create and manage the resources required for Application2, while the Project1admins group is responsible for managing role assignments in Azure. This separation of duties ensures that role assignments are managed by a trusted group and helps to prevent accidental or malicious changes to role assignments.
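The three steps above can be checked offline before anything is deployed. The block below is an added example, not code from the original page or from Microsoft: it writes the step 1 custom role in the JSON shape that `az role definition create` accepts, models the step 2 and step 3 assignments, and evaluates them with a small implementation of Azure RBAC's rules (an action is granted when it matches an Actions entry and no NotActions entry, wildcards span `/` separators, comparison is case-insensitive, and an assignment applies at its scope and every child scope). The role name, subscription id and resource group names are placeholders, and the built-in Owner and Contributor roles are abbreviated to the entries relevant here.

```python
"""Offline model of the role design in steps 1 to 3.

Added example, not part of the original page: an evaluator of Azure RBAC's
Actions/NotActions wildcard matching and scope inheritance, run against a
constructed custom role definition and constructed assignments. The role name,
subscription id and resource group names are placeholders.
"""
from fnmatch import fnmatchcase

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id
APP2_RG = SUB + "/resourceGroups/app2-rg"  # placeholder RG for Application2
APP1_RG = SUB + "/resourceGroups/app1-rg"  # placeholder RG for Application1

# Step 1: custom role in the JSON shape accepted by `az role definition create`.
# Create/manage rights for the providers Application2 needs; every write or
# delete under Microsoft.Authorization is excluded so role assignments stay
# read-only for App2Dev. Constructed for this example.
APP2_DEV_ROLE = {
    "Name": "App2Dev Resource Creator",  # placeholder name
    "IsCustom": True,
    "Description": "Create and manage Application2 resources without changing role assignments.",
    "Actions": [
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Compute/*",
        "Microsoft.Storage/*",
        "Microsoft.Network/*",
        "Microsoft.Authorization/*/read",
    ],
    "NotActions": [
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
    "AssignableScopes": [SUB],
}

# Built-in roles, abbreviated to the entries relevant to role assignments.
OWNER = {"Name": "Owner", "Actions": ["*"], "NotActions": []}
CONTRIBUTOR = {
    "Name": "Contributor",
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
}

# Steps 2 and 3: constructed assignments (group -> role at a scope).
ASSIGNMENTS = [
    {"principal": "App2Dev", "role": APP2_DEV_ROLE, "scope": APP2_RG},
    {"principal": "Project1admins", "role": OWNER, "scope": SUB},
]


def _matches(pattern: str, action: str) -> bool:
    # Azure compares action strings case-insensitively; '*' spans '/' separators.
    return fnmatchcase(action.lower(), pattern.lower())


def role_allows(role: dict, action: str) -> bool:
    """A role grants an action if it matches Actions and no NotActions entry."""
    granted = any(_matches(p, action) for p in role["Actions"])
    excluded = any(_matches(p, action) for p in role.get("NotActions", []))
    return granted and not excluded


def in_scope(assignment_scope: str, resource_id: str) -> bool:
    """An assignment applies at its own scope and every child scope beneath it."""
    scope = assignment_scope.lower().rstrip("/")
    target = resource_id.lower().rstrip("/")
    return target == scope or target.startswith(scope + "/")


def is_permitted(assignments, groups, action: str, resource_id: str) -> bool:
    """True if an assignment held by one of the principal's groups permits the action there."""
    return any(
        a["principal"] in groups
        and in_scope(a["scope"], resource_id)
        and role_allows(a["role"], action)
        for a in assignments
    )


def check_design() -> dict:
    """Evaluate the question's requirements against the modelled design."""
    vm_in_app2 = APP2_RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
    vm_in_app1 = APP1_RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
    vm_write = "Microsoft.Compute/virtualMachines/write"
    role_write = "Microsoft.Authorization/roleAssignments/write"
    return {
        "app2dev_creates_app2_vm": is_permitted(ASSIGNMENTS, {"App2Dev"}, vm_write, vm_in_app2),
        "app2dev_creates_app1_vm": is_permitted(ASSIGNMENTS, {"App2Dev"}, vm_write, vm_in_app1),
        "app2dev_changes_role_assignment": is_permitted(ASSIGNMENTS, {"App2Dev"}, role_write, APP2_RG),
        "admins_change_role_assignment": is_permitted(ASSIGNMENTS, {"Project1admins"}, role_write, APP2_RG),
        "contributor_changes_role_assignment": role_allows(CONTRIBUTOR, role_write),
    }


if __name__ == "__main__":
    for name, value in check_design().items():
        print(f"{name}: {value}")
```

Running the checks shows App2Dev creating a VM inside its own resource group but not in Application1's, and failing `Microsoft.Authorization/roleAssignments/write` everywhere, while Project1admins as Owner at the subscription can assign roles. The last check is the caveat for step 3: the built-in Contributor role lists `Microsoft.Authorization/*/Write` in its NotActions, so it cannot create role assignments; Project1admins need Owner (or User Access Administrator) for that part of the design. The model omits DataActions and Azure deny assignments, which real authorization also evaluates.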