
AZ-104 Question #605: Real Exam Question with Answer & Explanation

The correct answer is B: Statement 1: The Group1 members can view the configurations of the Azure functions. (Yes), Statement 2: User1 can assign the Owner role for RG1. (Yes), Statement 3: User1 can create a new resource group and deploy a virtual machine to the new group. (No).

Submitted by olafpl · Mar 4, 2026 · Manage Azure identities and governance

Question

Hotspot Question

You have three Azure subscriptions named Sub1, Sub2, and Sub3 that are linked to an Azure AD tenant. The tenant contains a user named User1, a security group named Group1, and a management group named MG1. User1 is a member of Group1. Sub1 and Sub2 are members of MG1. Sub1 contains a resource group named RG1. RG1 contains five Azure functions.

You create the following role assignments for MG1:

  • Group1: Reader
  • User1: User Access Administrator

You assign User1 the Virtual Machine Contributor role for Sub1 and Sub2.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Options

  • A. Statement 1: The Group1 members can view the configurations of the Azure functions. (Yes), Statement 2: User1 can assign the Owner role for RG1. (Yes), Statement 3: User1 can create a new resource group and deploy a virtual machine to the new group. (Yes)
  • B. Statement 1: The Group1 members can view the configurations of the Azure functions. (Yes), Statement 2: User1 can assign the Owner role for RG1. (Yes), Statement 3: User1 can create a new resource group and deploy a virtual machine to the new group. (No)
  • C. Statement 1: The Group1 members can view the configurations of the Azure functions. (Yes), Statement 2: User1 can assign the Owner role for RG1. (No), Statement 3: User1 can create a new resource group and deploy a virtual machine to the new group. (Yes)
  • D. Statement 1: The Group1 members can view the configurations of the Azure functions. (Yes), Statement 2: User1 can assign the Owner role for RG1. (No), Statement 3: User1 can create a new resource group and deploy a virtual machine to the new group. (No)
  • E. Statement 1: The Group1 members can view the configurations of the Azure functions. (No), Statement 2: User1 can assign the Owner role for RG1. (Yes), Statement 3: User1 can create a new resource group and deploy a virtual machine to the new group. (Yes)
  • F. Statement 1: The Group1 members can view the configurations of the Azure functions. (No), Statement 2: User1 can assign the Owner role for RG1. (Yes), Statement 3: User1 can create a new resource group and deploy a virtual machine to the new group. (No)
  • G. Statement 1: The Group1 members can view the configurations of the Azure functions. (No), Statement 2: User1 can assign the Owner role for RG1. (No), Statement 3: User1 can create a new resource group and deploy a virtual machine to the new group. (Yes)
  • H. Statement 1: The Group1 members can view the configurations of the Azure functions. (No), Statement 2: User1 can assign the Owner role for RG1. (No), Statement 3: User1 can create a new resource group and deploy a virtual machine to the new group. (No)

Explanation

B is correct because Azure RBAC inheritance flows downward: Group1's Reader role on MG1 propagates to Sub1 → RG1 → Azure functions (Statement 1: Yes); User1's User Access Administrator role on MG1 also inherits to RG1, and UAA explicitly grants the ability to assign any role—including Owner—at the inherited scope (Statement 2: Yes); however, Virtual Machine Contributor does not include Microsoft.Resources/subscriptions/resourceGroups/write, so User1 cannot create a new resource group, even though they could deploy a VM into an existing one (Statement 3: No).

The most common trap is Statement 3—candidates conflate "can manage VMs in a subscription" with "can create resource groups," but resource group creation requires at least Contributor at the subscription scope. The other trap is Statement 2—some candidates assume UAA can only assign roles up to UAA's own level, but UAA is specifically designed to grant full role-assignment authority regardless of role level.

Memory tip: Think of UAA as a "delegation key"—it unlocks the door to assign any role at that scope, but it doesn't give you the content permissions (like creating resources) that come with those roles. Separately, always ask "does this role include resource group write?" for VM-related questions—the answer for VM Contributor is no.
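
The inheritance reasoning above can be checked with a small model of scope inheritance and action matching. This is an added example, not part of the original page: the role action lists are trimmed subsets of the built-in definitions, `member2` is a hypothetical second member of Group1, and the model ignores NotActions, DataActions and deny assignments.

```python
from fnmatch import fnmatchcase

# Trimmed "Actions" lists of the built-in roles (assumption: subset only).
ROLE_ACTIONS = {
    "Reader": ["*/read"],
    "User Access Administrator": [
        "*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
    "Virtual Machine Contributor": [
        "Microsoft.Compute/virtualMachines/*",
        "Microsoft.Network/networkInterfaces/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"],
}

# Child scope -> parent scope, as described in the question.
# Sub3 is not under MG1; its real parent (the root group) is left out.
PARENT = {"MG1": None, "Sub1": "MG1", "Sub2": "MG1", "Sub3": None, "RG1": "Sub1"}

# member2 is hypothetical, used to isolate the group-based assignment.
GROUPS = {"Group1": {"User1", "member2"}}

# (principal, role, scope) exactly as assigned in the question.
ASSIGNMENTS = [
    ("Group1", "Reader", "MG1"),
    ("User1", "User Access Administrator", "MG1"),
    ("User1", "Virtual Machine Contributor", "Sub1"),
    ("User1", "Virtual Machine Contributor", "Sub2"),
]

def scope_chain(scope):
    """Return the scope followed by all of its ancestors."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = PARENT[scope]
    return chain

def granting_roles(user, action, scope):
    """List 'role@scope' assignments that allow `action` for `user` at `scope`."""
    principals = {user} | {g for g, m in GROUPS.items() if user in m}
    chain = scope_chain(scope)
    hits = set()
    for principal, role, assigned_at in ASSIGNMENTS:
        if principal not in principals or assigned_at not in chain:
            continue  # wrong principal, or assigned outside the ancestor chain
        # Azure action strings are case-insensitive; '*' spans '/' segments.
        if any(fnmatchcase(action.lower(), p.lower()) for p in ROLE_ACTIONS[role]):
            hits.add(f"{role}@{assigned_at}")
    return sorted(hits)

def is_allowed(user, action, scope):
    return bool(granting_roles(user, action, scope))
```

An empty list from `granting_roles` means no assignment in the ancestor chain covers the action, which is the Statement 3 case for `Microsoft.Resources/subscriptions/resourceGroups/write` at Sub1.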

Topics

#Azure RBAC #Management Groups #Role Assignments #Built-in Roles
