AZ-500 Question #274: Real Exam Question with Answer & Explanation
This question tests knowledge of custom Azure RBAC role definitions, specifically how to configure Actions and AssignableScopes to manage tags across all resources within a Management Group.
Question
Hotspot question. You have a management group named Group1 that contains an Azure subscription named sub1. Sub1 has a subscription ID of 11111111-1234-1234-1234-1111111111.

You need to create a custom Azure role-based access control (RBAC) role that will delegate permissions to manage the tags on all the objects in Group1.

What should you include in the role definition of Role1? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.
Explanation
Approach. For Actions, include 'Microsoft.Resources/tags/*' (or 'Microsoft.Resources/subscriptions/resourcegroups/write' together with the tag-specific actions) to grant permission to read, write, and delete tags on all resources. The wildcard '*' after 'Microsoft.Resources/tags/' covers every tag operation under that resource type. For AssignableScopes, specify the management group scope in the format '/providers/Microsoft.Management/managementGroups/Group1', not a subscription-level scope such as '/subscriptions/11111111-1234-1234-1234-1111111111', because the requirement is to manage tags on ALL objects in Group1, which covers the entire management group and every subscription beneath it. Using the management group scope allows the role to be assigned at the Group1 level and inherited downward.
Concept tested. Custom Azure RBAC role definitions, specifically the correct Actions for tag management (Microsoft.Resources/tags/*) and the correct AssignableScopes syntax for Management Groups (/providers/Microsoft.Management/managementGroups/{groupName}) versus subscription scopes. A common mistake is using the subscription ID scope instead of the management group scope when the requirement explicitly covers all objects in the management group.
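A complete custom role definition that matches this answer, added here as an illustration and not taken from the exam or from Microsoft's documentation; the role name Role1 and management group name Group1 come from the question, while the description text and the empty NotActions, DataActions and NotDataActions arrays are assumptions:

```json
{
  "Name": "Role1",
  "IsCustom": true,
  "Description": "Manage tags on all resources within management group Group1 (added example)",
  "Actions": [
    "Microsoft.Resources/tags/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/providers/Microsoft.Management/managementGroups/Group1"
  ]
}
```

Saved as role1.json, the definition can be created with `az role definition create --role-definition role1.json`; because AssignableScopes names the management group rather than sub1, a single assignment at Group1 is inherited by sub1 and any other subscriptions placed under it.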
Reference. https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles and https://docs.microsoft.com/en-us/azure/governance/management-groups/overview