
AZ-500 Question #427: Real Exam Question with Answer & Explanation

This question tests knowledge of Azure RBAC custom role permissions required to manage Application Security Groups (ASGs). You must identify the two specific Microsoft.Network permissions needed to both read/list and create/manage ASGs.

Submitted by alyssa_d · Mar 6, 2026

Question

Hotspot Question

You have an Azure subscription that contains a user named User1. User1 is assigned the Reader role for the subscription.

You plan to create a custom role named Role1 and assign Role1 to User1.

You need to ensure that User1 can create and manage application security groups by using the Azure portal.

Which two permissions should you add to Role1? To answer, select the appropriate permissions in the answer area.

NOTE: Each correct selection is worth one point.

Explanation

Approach. To create and manage Application Security Groups in Azure, User1 needs two permissions added to Role1:

(1) Microsoft.Network/applicationSecurityGroups/write: this permission allows the user to create and update (manage) Application Security Groups. Without write permission, the user cannot create new ASGs or modify existing ones.

(2) Microsoft.Network/applicationSecurityGroups/read: this permission (which may alternatively be covered by broader read access) allows the user to view and list Application Security Groups in the Azure portal. Without read permission, the user cannot see existing ASGs in the portal UI.

Since User1 already has the Reader role at the subscription level (which grants read access broadly), the most critical missing permission is the write permission. However, for the custom role to explicitly grant management capability, both read and write on the applicationSecurityGroups resource type should be included. Some exam versions also list Microsoft.Network/applicationSecurityGroups/delete as needed for full management, but the two core permissions are read and write.
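The following Python sketch is an added example, not part of the original question or of Microsoft's tooling: it models how the built-in Reader role (`*/read`) and Role1 combine, showing that write is the operation Reader lacks and that delete stays ungranted. The subscription ID is a placeholder, the function names are hypothetical, and the model is simplified (deny assignments and data actions are ignored).

```python
import json
from fnmatch import fnmatchcase

# Placeholder scope (assumption): substitute a real subscription ID.
SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000"

# Built-in Reader role, reduced to its permission block.
READER = {"Name": "Reader", "Actions": ["*/read"], "NotActions": []}

# Custom role carrying the two permissions named in the explanation.
ROLE1 = {
    "Name": "Role1",
    "IsCustom": True,
    "Description": "Create and manage application security groups",
    "Actions": [
        "Microsoft.Network/applicationSecurityGroups/read",
        "Microsoft.Network/applicationSecurityGroups/write",
    ],
    "NotActions": [],
    "AssignableScopes": [SCOPE],
}

def role_allows(role, operation):
    """True if this role grants the operation: it matches Actions and no NotActions."""
    op = operation.lower()  # operation names are compared case-insensitively here

    def hit(patterns):
        return any(fnmatchcase(op, p.lower()) for p in patterns)

    return hit(role["Actions"]) and not hit(role["NotActions"])

def allowed(roles, operation):
    """Role assignments are additive: one assigned role granting the operation is enough."""
    return any(role_allows(r, operation) for r in roles)

if __name__ == "__main__":
    asg = "Microsoft.Network/applicationSecurityGroups/"
    for label, roles in (("Reader only", [READER]), ("Reader + Role1", [READER, ROLE1])):
        for verb in ("read", "write", "delete"):
            print(f"{label:15} {asg + verb:55} {allowed(roles, asg + verb)}")
    # Role definition as JSON, for review before it is created in the tenant.
    print(json.dumps(ROLE1, indent=2))
```
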

Concept tested. Azure RBAC custom role creation and the specific Microsoft.Network resource provider permissions required to create and manage Application Security Groups (ASGs). It also tests understanding of the difference between read (view) and write (create/update) permissions at the resource type level within Azure's RBAC model.

Reference. https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork - specifically the applicationSecurityGroups operations: Microsoft.Network/applicationSecurityGroups/read and Microsoft.Network/applicationSecurityGroups/write
