AZ-104 Question #216: Real Exam Question with Answer & Explanation

Submitted by certguy · Mar 4, 2026 · Manage Azure identities and governance

Question

Hotspot Question

You have the role assignment file shown in the following exhibit. Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

Answer:

Explanation

Azure RBAC permissions flow downward through the hierarchy, meaning roles assigned at a higher scope (like a subscription) are inherited by child resources (like resource groups and individual resources).

Approach. To solve this, you must apply the principles of Azure RBAC inheritance.

  1. For the first statement ('assigned the Owner role for VM1'): User3 has an explicit Owner assignment at the VM1 scope. User1 has an Owner assignment at the Subscription scope. Because permissions inherit downward, User1 is also effectively an Owner of VM1. Therefore, 'User1 and User3 are' is correct.

  2. For the second statement ('can create a virtual machine in RG1'): To create a VM in a resource group, a user needs at least Contributor access at that Resource Group scope or higher. User4 is explicitly a Contributor on RG1. User1 is an Owner at the Subscription level, inheriting Owner rights (which include Contributor capabilities) on RG1. User3 only has access to a specific VM, not the RG level required to create new resources. User2 is assigned to a completely different resource group (RG2). Thus, 'User1 and User4' is correct.
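The inheritance reasoning in the two steps above, written as a small model. This is an added example, not part of the original question or any Microsoft tooling. The subscription ID is a placeholder, VM1 is assumed to live in RG1, and User2's role is assumed because the explanation gives only its scope (RG2); deny assignments, conditions and group membership are not modelled.

```python
# Simplified model of Azure RBAC scope inheritance (added example).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID
RG1 = f"{SUB}/resourceGroups/RG1"
RG2 = f"{SUB}/resourceGroups/RG2"
# Assumption: VM1 is deployed in RG1.
VM1 = f"{RG1}/providers/Microsoft.Compute/virtualMachines/VM1"

# (principal, role, scope) reconstructed from the explanation text.
ASSIGNMENTS = [
    ("User1", "Owner", SUB),
    ("User2", "Contributor", RG2),  # role assumed; only the scope is stated
    ("User3", "Owner", VM1),
    ("User4", "Contributor", RG1),
]

# Built-in roles considered here that allow creating resources.
CAN_CREATE = {"Owner", "Contributor"}


def covers(assigned_scope, target_scope):
    """True if an assignment at assigned_scope applies to target_scope.

    Resource IDs compare case-insensitively, and the match must end on a
    path-segment boundary so that .../RG1 does not cover .../RG10.
    """
    a = assigned_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def effective_roles(target_scope, assignments=ASSIGNMENTS):
    """Map each principal to the roles it holds at target_scope,
    counting both direct and inherited assignments."""
    result = {}
    for principal, role, scope in assignments:
        if covers(scope, target_scope):
            result.setdefault(principal, set()).add(role)
    return result


def owners_of(target_scope):
    roles = effective_roles(target_scope)
    return sorted(p for p, r in roles.items() if "Owner" in r)


def can_create_in(target_scope):
    roles = effective_roles(target_scope)
    return sorted(p for p, r in roles.items() if r & CAN_CREATE)
```
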

Common mistakes.

  • A common error is ignoring inheritance and only looking for explicit assignments. For example, a candidate might select 'User3 is' for the first statement, forgetting that User1's subscription-level role cascades down. Another mistake is misunderstanding role capabilities, such as assuming only Owners can create VMs, which would incorrectly exclude User4 from the second statement.

Concept tested. Azure Role-Based Access Control (RBAC) scope inheritance and the specific privileges granted by the Owner and Contributor built-in roles.

Reference. https://learn.microsoft.com/en-us/azure/role-based-access-control/overview#multiple-role-assignments

Topics

#Azure RBAC #Role assignments #Azure permissions
