Skills Learned
- Describe the functionality and usage of Role-Based Access Control (RBAC)
Study Guide

Practice Test

Question 1

Role definition represents a …

Question 2

Colloquially Speaking role definition answers to a question …

Question 3

Scope is a … that the access is applied to.

Question 4

Security Principal objects (identities) can represent. Choose 4.

Question 5

Role assignment represents a …

Question 6

Colloquially Speaking scope assignment answers to a question …

Question 7

Colloquially Speaking service principal assignment answers to a question …

Question 8

RBAC is an authorization system built on Azure Resource Manager. True or false?

Question 9

Scope can be a …

❌ ✔ ⚪ 🔵 ⬜ 🟦 A. Management Group

❌ ✔ ⚪ 🔵 ⬜ 🟦 B. Subscription

❌ ✔ ⚪ 🔵 ⬜ 🟦 C. Resource Group

❌ ✔ ⚪ 🔵 ⬜ 🟦 D. Resource

❌ ✔ ⚪ 🔵 ⬜ 🟦 A, B and C

❌ ✔ ⚪ 🔵 ⬜ 🟦 A, B and D

❌ ✔ ⚪ 🔵 ⬜ 🟦 C and D

❌ ✔ ⚪ 🔵 ⬜ 🟦 A, B, C and D

✔ That's correct

❌ That's not correct

👨‍🦱 💬 A Scope can be applied to any Azure Resource Manager (ARM) governed object. So it includes management groups, subscriptions, resource groups, and individual resources.

Question 10

What is the proper order of actions that must be taken to grant a role in Azure Portal
A. Click Add Role Assignment button
B. Open Access Management (IAM) blade
C. Navigate to Azure resource, resource group, subscription, or management group
D. Click Save button
E. Select Role and Sercurity Principal

❌ ✔ ⚪ 🔵 ⬜ 🟦 A > B > D > C > E

❌ ✔ ⚪ 🔵 ⬜ 🟦 E > D > C > B > A

❌ ✔ ⚪ 🔵 ⬜ 🟦 A > B > C > E > D

❌ ✔ ⚪ 🔵 ⬜ 🟦 C > B > A > E > D

❌ ✔ ⚪ 🔵 ⬜ 🟦 C > A > B > E > D

✔ That's correct

❌ That's not correct

👨‍🦱 💬 C > B > A > E > D is the proper order. You need to navigate to a resource for which you want to assign permissions and open access control blade (this will be your scope). Then you need to select add role assignment button and select user/group and/or application and a role definition. And finish by clicking on the save button.

Question 11

Jessica works for Contoso company as an Azure administrator. As part of her role, she needs to be able to view all Azure resources in the Azure subscription called AZ-SUB-01. But additionally, she needs to be able to perform any actions on a resource group named AZ-ADMIN-RG within that subscription. What is the best strategy to grant her appropriate privileges to perform her tasks?

❌ ✔ ⚪ 🔵 ⬜ 🟦 Grant a owner role on Azure subscription AZ-SUB-01

❌ ✔ ⚪ 🔵 ⬜ 🟦 Grant a owner role on Azure subscription AZ-SUB-01 and owner role on AZ-ADMIN-RG resource group

❌ ✔ ⚪ 🔵 ⬜ 🟦 Grant a reader role on Azure subscription AZ-SUB-01

❌ ✔ ⚪ 🔵 ⬜ 🟦 Grant a owner role on Azure subscription AZ-SUB-01 and reader role on AZ-ADMIN-RG resource group

❌ ✔ ⚪ 🔵 ⬜ 🟦 Grant a reader role on Azure subscription AZ-SUB-01 and owner role on AZ-ADMIN-RG resource group

❌ ✔ ⚪ 🔵 ⬜ 🟦 Grant a reader role on AZ-ADMIN-RG resource group

❌ ✔ ⚪ 🔵 ⬜ 🟦 Grant a owner role on AZ-ADMIN-RG resource group

❌ ✔ ⚪ 🔵 ⬜ 🟦 Create a custom role and grant it on Azure subscription AZ-SUB-01

❌ ✔ ⚪ 🔵 ⬜ 🟦 Create a custom role and grant it on Azure resource group AZ-ADMIN-RG

✔ That's correct

❌ That's not correct

👨‍🦱 💬 In order to view all resources on Azure subscription, Jessica will need a reader role applied to the scope of the entire subscription AZ-SUB-01. In order to allow full access to Jessica on a specific resource group, she needs to be granted another role, in this case, owner role to allow her full access on the AZ-ADMIN-RG resource group

Question 12

Contoso company wants to allow their development team to deploy web application to Azure App Service. What is the best strategy to do this following least-privilege required principle and that requires the least amount of effort?
Hint: All specified roles allow for web app deployments.

❌ ✔ ⚪ 🔵 ⬜ 🟦
1.Assign an Owner role to all individual members of the development team on the resource group where Azure App Service is located

❌ ✔ ⚪ 🔵 ⬜ 🟦
1.Assign a Owner role to all individual members of the development team on the Azure App Service resource

❌ ✔ ⚪ 🔵 ⬜ 🟦
1.Create Azure AD group for the development team
2.Assign a Website Contributor role to that group to the resource group where Azure App Service is located

❌ ✔ ⚪ 🔵 ⬜ 🟦
1.Create Azure AD group for the development team
2.Assign a Website Contributor role to the Azure App Service resource

❌ ✔ ⚪ 🔵 ⬜ 🟦
1.Create Azure AD group for the development team
2.Assign an Owner role to that group to the resource group where Azure App Service is located

✔ That's correct

❌ That's not correct

👨‍🦱 💬 A Website Contributor role is much less privileged than an Owner as it’s only targeting Azure Websites. So this role should be our priority. The Creation of Azure AD group will reduce maintenance and role assignment effort by having to do it only once for entire group. Applying the role to a specific Azure App Service ensures that the developers have access only to the target app service. If applied on resource group level developers would have access to other app services in that group too.

◀ Previous Episode Next Episode ▶

Adam Marczak

Programmer, architect, trainer, blogger, evangelist are just a few of my titles. What I really am, is a passionate technology enthusiast. I take great pleasure in learning new technologies and finding ways in which this can aid people every day. My latest passion is running an Azure 4 Everyone YouTube channel, where I show that Azure really is for everyone!

AZ-900 Episode 28 - Practice Test

Best time to start was yesterday. The next best is NOW!

Navigation

Practice Test

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10

Question 11

Question 12

Adam Marczak

Did you enjoy the article?

Share it!

More tagged posts