nerdexam
ExamsAZ-104Questions#735
MicrosoftMicrosoft

AZ-104 · Question #735

AZ-104 Question #735: Real Exam Question with Answer & Explanation

Azure RBAC permissions determine user capabilities based on their assigned roles and the scopes of those assignments.

Submitted by omar99· Mar 4, 2026Manage identities and governance

Question

Hotspot Question You have a Microsoft Entra tenant that is linked to the subscriptions shown in the following table. You have the resource groups shown in the following table. You assign roles to users as shown in the following table. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Answer:

Options

  • __typehotspot
  • variantyes_no

Explanation

Azure RBAC permissions determine user capabilities based on their assigned roles and the scopes of those assignments.

Approach. Although the explicit configuration tables are not provided in the exhibit, the answers logically rely on standard Azure RBAC role definitions: 1) User1 resizing VM1 is 'Yes', meaning User1 has been assigned at least the Virtual Machine Contributor or Contributor role at the scope of VM1, its parent Resource Group, or Subscription. 2) User2 creating a storage account in RG1 is 'No', indicating User2 holds a restricted role (such as Reader or Virtual Machine Contributor) at the applicable scope, which lacks the 'Microsoft.Storage/storageAccounts/write' permission needed to deploy storage resources. 3) User3 assigning User1 the Owner role for RG3 is 'Yes', meaning User3 holds either the Owner or User Access Administrator role at the RG3 or parent Subscription scope, granting them the 'Microsoft.Authorization/roleAssignments/write' permission to manage access.

Common mistakes.

  • common_mistake. A frequent error is misunderstanding the boundaries of built-in roles. For example, assuming the Contributor role allows a user to manage role assignments (only Owner and User Access Administrator can do this), or assuming that resource-specific contributor roles (like Virtual Machine Contributor) grant permissions to create unrelated resources (like Storage Accounts) within the same scope.

Concept tested. Azure Role-Based Access Control (RBAC) roles, permissions, and assignment scopes

Reference. https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

Topics

#Azure RBAC#Azure Subscriptions#Resource Groups#Microsoft Entra ID

Community Discussion

No community discussion yet for this question.

Sign up to join the discussion
Full AZ-104 PracticeBrowse All AZ-104 Questions