SC-300 · Question #193
SC-300 Question #193: Real Exam Question with Answer & Explanation
Question
Hotspot Question

You have an Azure subscription. You need to create two custom roles named Role1 and Role2. The solution must meet the following requirements:

- Users that are assigned Role1 can manage application security groups.
- Users that are assigned Role2 can manage Azure Firewall.

Which resource provider permissions are required for each role? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer:
Explanation
Azure Custom Roles — Resource Provider Permissions
Note: The "Correct: None" in the dropdown metadata appears to be a formatting artifact. Based on Azure's resource provider structure, both Role1 and Role2 require Microsoft.Network. The explanation below covers that.
Dropdown 1 — Role1 (Manage Application Security Groups)
Correct: Microsoft.Network
Application Security Groups (ASGs) are a networking construct in Azure that lets you group virtual machine NICs and define network security policies based on those groups. They live under the Microsoft.Network namespace:
Microsoft.Network/applicationSecurityGroups
The required RBAC actions include:
Microsoft.Network/applicationSecurityGroups/read
Microsoft.Network/applicationSecurityGroups/write
Microsoft.Network/applicationSecurityGroups/delete
Why the others are wrong:
| Option | Why Wrong |
|---|---|
| Microsoft.App | Container Apps platform — unrelated to networking security groups |
| Microsoft.Compute | VMs, disks, scale sets — not security group management |
| Microsoft.Security | Microsoft Defender for Cloud / security posture — not ASGs |
Dropdown 2 — Role2 (Manage Azure Firewall)
Correct: Microsoft.Network
Azure Firewall is also a networking resource, residing under:
Microsoft.Network/azureFirewalls
Microsoft.Network/firewallPolicies (associated policies)
Why the others are wrong:
| Option | Why Wrong |
|---|---|
| Microsoft.App | Container Apps — unrelated to firewalls |
| Microsoft.Management | Management groups / governance — not firewall resources |
| Microsoft.Security | Defender for Cloud — not the Azure Firewall service itself |
Key Concept
Azure resource providers follow a Namespace/ResourceType pattern. Both Application Security Groups and Azure Firewall are networking primitives managed through the Microsoft.Network resource provider. When creating custom roles via ARM/JSON, the actions array must reference the correct provider namespace — using the wrong namespace means the permissions simply won't apply to those resources.
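To see the effect of the namespace choice, the following added example (not part of the original explanation) evaluates constructed role definitions against the ASG actions listed earlier and the matching azureFirewalls actions, using wildcard matching and Actions minus NotActions. The role contents, placeholder subscription ID, helper names and case-insensitive comparison are assumptions of the example.

```python
import re

# Constructed role definitions in the Azure custom-role JSON shape; the
# subscription ID is a placeholder and the "wrong" role is deliberately broken.
SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000"
ROLE1 = {"Name": "Role1", "IsCustom": True, "AssignableScopes": [SCOPE],
         "Actions": ["Microsoft.Network/applicationSecurityGroups/*"],
         "NotActions": []}
ROLE2 = {"Name": "Role2", "IsCustom": True, "AssignableScopes": [SCOPE],
         "Actions": ["Microsoft.Network/azureFirewalls/*",
                     "Microsoft.Network/firewallPolicies/*"],
         "NotActions": []}
ROLE1_WRONG = {"Name": "Role1-wrong-namespace", "IsCustom": True,
               "AssignableScopes": [SCOPE],
               "Actions": ["Microsoft.Compute/*", "Microsoft.Security/*"],
               "NotActions": []}

ASG_ACTIONS = [f"Microsoft.Network/applicationSecurityGroups/{op}"
               for op in ("read", "write", "delete")]
FIREWALL_ACTIONS = [f"Microsoft.Network/azureFirewalls/{op}"
                    for op in ("read", "write", "delete")]


def _matches(pattern, action):
    # '*' is the only wildcard in an action string; comparison is treated as
    # case-insensitive here (assumption of this example).
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def allows(role, action):
    """Effective permission: matched by Actions and not matched by NotActions."""
    granted = any(_matches(p, action) for p in role["Actions"])
    excluded = any(_matches(p, action) for p in role.get("NotActions", []))
    return granted and not excluded


def missing(role, required):
    """Required actions the role does not grant (empty list means covered)."""
    return [a for a in required if not allows(role, a)]


def providers(role):
    """Resource provider namespaces referenced by the role's Actions."""
    return sorted({a.split("/", 1)[0] for a in role["Actions"]})


if __name__ == "__main__":
    for role in (ROLE1, ROLE2, ROLE1_WRONG):
        print(role["Name"], providers(role),
              "ASG gaps:", missing(role, ASG_ACTIONS),
              "firewall gaps:", missing(role, FIREWALL_ACTIONS))
```

Running a check like this over exported role definitions before assignment catches roles whose Actions name the wrong provider and therefore grant nothing on the intended resources.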