Lab 02: Practice Questions


Scenario-Based Questions

Question 1

Scenario: A developer has the Contributor role assigned at the subscription level. They try to grant another developer Reader access to a resource group but receive an "Authorization failed" error.

Why did this happen?

A) Contributor role doesn't include subscription-level permissions
B) Contributor role cannot manage role assignments
C) The developer needs Owner role on the specific resource group
D) Reader role can only be assigned by Global Administrators

Answer

B) Contributor role cannot manage role assignments

Explanation: The Contributor role definition has NotActions entries that exclude:

  • Microsoft.Authorization/*/Write
  • Microsoft.Authorization/*/Delete

This prevents Contributors from creating, modifying, or deleting role assignments. Only Owner or User Access Administrator can assign roles.


Question 2

Scenario: You assign a user the Storage Account Contributor role on a storage account. The user reports they can manage the storage account settings but cannot download files from blob containers.

What additional role should you assign?

A) Storage Account Key Operator
B) Storage Blob Data Contributor
C) Reader
D) Owner

Answer

B) Storage Blob Data Contributor

Explanation:

  • Storage Account Contributor = Control plane (manage the resource)
  • Storage Blob Data Contributor = Data plane (access the data)

These are separate permission sets. Control plane lets you configure the storage account. Data plane lets you read/write the actual blobs.


Question 3

Scenario: You have the following role assignments:

  • User A: Owner on Subscription
  • User A: Reader on Resource Group "Production"

What effective permissions does User A have on the Production resource group?

A) Reader only (more specific scope wins)
B) Owner (inherited from subscription)
C) Both Owner and Reader combined
D) No access (conflicting roles cancel out)

Answer

B) Owner (inherited from subscription)

Explanation: Azure RBAC is additive (cumulative). User A has:

  • Owner inherited from subscription (includes all permissions)
  • Reader at resource group level (subset of Owner)

The effective permission is the UNION of all assignments = Owner. The Reader assignment is redundant but doesn't reduce permissions.


Question 4

Scenario: Your organization requires that NO ONE should be able to delete resources in the production resource group, even users with Owner role.

How can you implement this?

A) Create a custom role that excludes delete permissions
B) Use Azure Policy to deny delete operations
C) Remove Owner role from all users
D) Use Azure Blueprints to create a deny assignment

Answer

D) Use Azure Blueprints to create a deny assignment

Explanation:

  • Deny assignments block actions even if a role would allow them
  • You CANNOT create deny assignments directly - only Azure Blueprints can create them
  • Azure Policy can audit or deny NEW deployments but doesn't block delete operations on existing resources the same way
  • Custom roles and removing Owner don't guarantee protection from other Owners

Blueprint with deny assignment is the only way to absolutely block an action.


Question 5

Scenario: You create a custom role with these permissions:

```json
{
  "Actions": ["Microsoft.Compute/virtualMachines/*"],
  "NotActions": ["Microsoft.Compute/virtualMachines/delete"]
}
```

A user with this role tries to delete a VM. What happens?

A) Delete succeeds because * includes delete
B) Delete fails because NotActions takes precedence
C) Error occurs due to conflicting permissions
D) Delete succeeds but is logged as violation

Answer

B) Delete fails because NotActions takes precedence

Explanation:

  • Actions: ["Microsoft.Compute/virtualMachines/*"] grants every VM operation
  • NotActions: ["Microsoft.Compute/virtualMachines/delete"] removes delete from that set
  • Final permissions = all VM operations EXCEPT delete

NotActions subtracts from Actions. It doesn't deny (that would be a deny assignment), it just excludes from the allowed set.


Question 6

Scenario: You need to grant access to a Key Vault for different purposes:

| User | Need |
|---|---|
| User A | View Key Vault properties in portal |
| User B | Retrieve secret values from application |
| User C | Create and update secrets |
| User D | Manage Key Vault settings (firewall, access policies) |

Match each user to the correct role:

Answer

| User | Role |
|---|---|
| User A | Key Vault Reader (view properties, NOT secret values) |
| User B | Key Vault Secrets User (read secret values) |
| User C | Key Vault Secrets Officer (full secret lifecycle) |
| User D | Key Vault Contributor (manage KV settings, NOT secrets) |

Key insight: Key Vault Contributor is CONTROL PLANE - they can configure the Key Vault but cannot read any secrets!


Question 7

Scenario: A user has Reader role assigned at the management group level. The management group contains 5 subscriptions, each with multiple resource groups.

What access does the user have?

A) Read access to the management group only
B) Read access to all 5 subscriptions and their resources
C) No access until explicitly granted at subscription level
D) Read access only to resources, not subscription settings

Answer

B) Read access to all 5 subscriptions and their resources

Explanation: Role assignments at management group level inherit down to:

  • All subscriptions in the management group
  • All resource groups in those subscriptions
  • All resources in those resource groups

This is powerful for granting org-wide access but dangerous if not used carefully.


Question 8

Scenario: You need to create a custom role that can ONLY be assigned within a specific resource group, not at subscription level.

How do you achieve this?

A) Set NotActions to block subscription-level operations
B) Configure AssignableScopes to only include the resource group
C) This is not possible - custom roles work at all scopes
D) Use Azure Policy to restrict where the role can be assigned

Answer

B) Configure AssignableScopes to only include the resource group

Explanation: Custom roles have an AssignableScopes property that limits where they can be assigned:

```json
"AssignableScopes": [
    "/subscriptions/xxx/resourceGroups/rg-production"
]
```

The role will only appear as an option when assigning at that scope or below.
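The rules used in the explanations above (additive union across scopes in Questions 3 and 7, NotActions subtracting from Actions in Questions 1 and 5, deny assignments overriding in Question 4, AssignableScopes in Question 8) can be checked with a small evaluator. This is an added example, not Microsoft's implementation or code from this lab; the role definitions, principal names and scope strings are constructed, and the subscription id `xxx` is a placeholder.

```python
from fnmatch import fnmatchcase
# Constructed role definitions: only the fields the rules below need.
ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Contributor": {"Actions": ["*"], "NotActions": [
        "Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]},
    "VM Operator (custom)": {"Actions": ["Microsoft.Compute/virtualMachines/*"],
                             "NotActions": ["Microsoft.Compute/virtualMachines/delete"],
                             "AssignableScopes": ["/subscriptions/xxx/resourceGroups/rg-production"]},
}

def in_scope(assignment_scope, resource_scope):
    """An assignment covers its own scope and every child scope (inheritance)."""
    a, r = assignment_scope.lower().rstrip("/"), resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")

def matches(pattern, operation):
    """Operation names are compared case-insensitively; '*' spans path segments."""
    return fnmatchcase(operation.lower(), pattern.lower())

def role_allows(role, operation):
    """NotActions subtracts from Actions; it is not a deny (Question 5)."""
    return (any(matches(p, operation) for p in role["Actions"])
            and not any(matches(p, operation) for p in role["NotActions"]))

def is_allowed(assignments, denies, principal, scope, operation):
    """Union of all covering role assignments, unless a covering deny assignment blocks it."""
    for d in denies:
        if (d["principal"] in ("*", principal) and in_scope(d["scope"], scope)
                and any(matches(p, operation) for p in d["Actions"])):
            return False
    return any(role_allows(ROLES[a["role"]], operation)
               for a in assignments
               if a["principal"] == principal and in_scope(a["scope"], scope))

def is_assignable(role_name, scope):
    """AssignableScopes limits where a custom role may be assigned (Question 8)."""
    return any(in_scope(s, scope)
               for s in ROLES[role_name].get("AssignableScopes", ["/"]))
# Constructed scopes and assignments mirroring the scenarios above.
SUB = "/subscriptions/xxx"
RG_PROD = SUB + "/resourceGroups/rg-production"
ASSIGNMENTS = [
    {"principal": "userA", "role": "Owner", "scope": SUB},        # Question 3
    {"principal": "userA", "role": "Reader", "scope": RG_PROD},   # Question 3
    {"principal": "dev", "role": "Contributor", "scope": SUB},    # Question 1
    {"principal": "vmop", "role": "VM Operator (custom)", "scope": RG_PROD},
]
DENY_DELETE = [{"principal": "*", "scope": RG_PROD, "Actions": ["*/delete"]}]
```

Call `is_allowed(ASSIGNMENTS, DENY_DELETE, "userA", RG_PROD, "Microsoft.Compute/virtualMachines/delete")` to see the Question 4 case: Owner is blocked in rg-production by the deny assignment but still allowed in any other resource group.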


Quick Knowledge Check

  1. What is the maximum number of custom roles per tenant?

     Answer: 5,000 custom roles per Azure AD tenant
  2. What role is needed to assign roles to others?

     Answer: Owner OR User Access Administrator
  3. Can you assign roles to service principals?

     Answer: Yes - service principals are valid security principals
  4. What happens if a user has NO role assignments?

     Answer: Implicit deny - they cannot see or access any resources
  5. Can a Contributor create Azure Blueprints?

     Answer: No - Blueprints require Owner or Blueprint Contributor role
  6. What's the difference between Actions and DataActions in a role definition?

     Answer: Actions = control plane (manage resources), DataActions = data plane (access data within resources)

Advanced Scenario

Scenario: You're designing RBAC for a company with:

  • 3 environments: Dev, Test, Prod
  • 4 teams: Platform, AppTeam1, AppTeam2, Security
  • Requirements:
    • Platform team manages networking across ALL environments
    • App teams manage their own resources in all environments
    • Security team needs read access everywhere + security-specific permissions
    • No app team should be able to access another team's resources
    • No one except Platform team should touch networking

Design the RBAC structure:

Suggested Solution

Scope Structure:

Management Group: "Production"
├── Subscription: "Shared-Networking"  
│   └── RG: networking-hub
├── Subscription: "AppTeam1"
│   ├── RG: appteam1-dev
│   ├── RG: appteam1-test
│   └── RG: appteam1-prod
├── Subscription: "AppTeam2"
│   ├── RG: appteam2-dev
│   ├── RG: appteam2-test
│   └── RG: appteam2-prod

Role Assignments:

| Team | Scope | Role |
|---|---|---|
| Platform | Shared-Networking subscription | Owner |
| Platform | Management Group | Network Contributor |
| AppTeam1 | AppTeam1 subscription | Contributor |
| AppTeam2 | AppTeam2 subscription | Contributor |
| Security | Management Group | Reader |
| Security | Management Group | Security Reader |
| Security | Management Group | Security Admin (custom with audit permissions) |

Key decisions:

  • Separate subscriptions = hard boundary between teams
  • Platform owns networking subscription, has network role everywhere else
  • Security has read + security-specific at highest level for visibility
  • Each app team is Contributor in their subscription only

Released under the MIT License.