Technical Lab: Interpret Access Assignments
Questions
Question 1 - Multiple Choice
An administrator needs to ensure that a security group called Finance-Team has read access to all resources within a subscription, but without permission to modify access policies for other users. Which combination of scope and built-in role meets this requirement with the least possible privilege?
A) Owner role at subscription scope
B) Reader role at subscription scope
C) Contributor role at subscription scope
D) Reader role at parent management group scope
Question 2 - Technical Scenario
A developer named Ana has the Contributor role assigned at the scope of a resource group called rg-producao. The administrator, checking access rights, notices that Ana also appears with read permissions on an individual resource within that resource group, despite no direct assignment having been made to her on that specific resource.
What is the most accurate explanation for this behavior?
A) The Contributor role includes read permissions only on virtual machine type resources by default
B) Azure RBAC uses scope inheritance, so assignments at a parent scope automatically propagate to child scopes
C) The individual resource has a default access policy that grants read access to all resource group members
D) Ana has a hidden Reader assignment automatically applied by Microsoft Entra ID when detecting the Contributor role
Question 3 - Multiple Choice
When executing the command below, what information is the administrator querying?
```shell
az role assignment list --assignee ana@contoso.com --all
```
A) All role definitions available in Microsoft Entra ID that Ana can assume
B) All Azure RBAC role assignments associated with Ana's principal across all accessible scopes
C) Only role assignments at the active subscription scope in the CLI context
D) Ana's effective permissions calculated after applying deny assignments
Question 4 - Technical Scenario
An administrator analyzes the Access Control (IAM) screen of a Storage Account resource and observes the following assignment:
| Principal | Type | Role | Assigned Scope |
|---|---|---|---|
| Ops-Team | Group | Storage Blob Data Reader | Subscription |
| Carlos | User | Storage Blob Data Owner | Storage Account |
| Ops-Team | Group | Reader | Resource Group |
Carlos is a member of the Ops-Team group. When attempting to delete a blob, what effective permission level does Carlos have over the blobs in this Storage Account?
A) Read only, as the group's Reader role prevails over individual assignments
B) Read only, as group assignments always override individual assignments
C) Storage Blob Data Owner, as Azure RBAC is additive and the most permissive individual assignment at the most specific scope applies
D) No permissions, as there is a conflict between group assignments and individual assignment
Question 5 - True or False
In Azure RBAC, a deny assignment applied to a user at a specific scope blocks the denied permissions even if the user has an Owner role assignment at that same scope.
True or False?
Answer Key and Explanations
Answer Key - Question 1
Answer: B
The Reader role grants read permission to all resources within the scope where it's assigned, without allowing modifications or access management. Applying it at the subscription level ensures coverage of all child resources through scope inheritance, meeting the least privilege requirement.
Alternative A (Owner) grants full control, including access management, which violates the requirement. Alternative C (Contributor) allows creating and modifying resources, which is also more than necessary. Alternative D assigns the role at the parent management group scope, which extends beyond the subscription boundary and violates the principle of least privilege by also covering every other child subscription.
Answer Key - Question 2
Answer: B
Azure RBAC works with a hierarchical scope inheritance model: management group > subscription > resource group > resource. An assignment made at a parent scope is automatically inherited by all child scopes. Since Ana has Contributor at the resource group level, this permission propagates to all individual resources contained within it, without needing explicit assignment at the resource level.
The other alternatives describe non-existent behaviors: there's no type-based resource restriction in inheritance, no implicit default read policy exists, and Microsoft Entra ID doesn't automatically create hidden assignments based on other roles.
Answer Key - Question 3
Answer: B
The --assignee parameter filters assignments by the specified principal, and the --all flag expands the query beyond the active subscription scope, including resource groups and individual resources. The result lists role assignment objects, not role definitions.
Alternative A confuses assignments with role definitions. Alternative C describes the behavior without the --all flag, which limits the query to the default subscription scope. Alternative D confuses calculated effective permissions with what the command actually returns; to determine effective permissions, the appropriate approach is to combine the output of az role assignment list with manual analysis, or to use the Effective permissions panel in the portal.
Answer Key - Question 4
Answer: C
Azure RBAC is additive: all role assignments applicable to a principal are combined. Since Carlos is a member of the Ops-Team group, he receives Storage Blob Data Reader (scope: subscription) and Reader (scope: resource group) through that membership. Additionally, he has a direct assignment of Storage Blob Data Owner on the Storage Account. The resulting set includes all of these permissions. The Storage Blob Data Owner role allows reading, writing, and deleting blobs, so it is the permission that decides the requested operation.
The conceptual error in distractors A and B is assuming there is precedence or override between group and individual assignments, which does not exist in the standard RBAC model. Distractor D describes non-existent behavior: overlapping additive assignments never result in a denial; only deny assignments cause explicit blocking.
Answer Key - Question 5
Answer: True
Deny assignments take precedence over any role assignment, including Owner. This is intentional, fundamental behavior of the Azure RBAC authorization model: while role assignments grant access additively, deny assignments explicitly block specific permissions and cannot be overridden by roles, regardless of the privilege level of the assigned role.
This is especially relevant in contexts where Azure Blueprints or governance policies create deny assignments to protect critical configurations. An administrator with Owner who encounters unexpectedly blocked operations should check deny assignments as the first hypothesis, since they are not listed among the ordinary role assignments in the IAM tab.
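The three behaviors the answer key relies on (scope inheritance in Question 2, additive combination of group and direct assignments in Question 4, and deny-assignment precedence in Question 5) can be exercised in a small model. The following is an added example written for this lab, not Microsoft's code or the lab's own material. The role definitions are a constructed subset of the real built-in roles, the group membership and the user "Dana" are constructed, and the assignment records are constructed to mirror the Question 4 table using the field names that `az role assignment list -o json` emits (principalName, principalType, roleDefinitionName, scope), the same output Question 3 asks about.

```python
"""Toy model of how Azure RBAC evaluates access.

Added example for this lab, not Microsoft's code. It models scope
inheritance, additive combination of direct and group assignments, and
deny-assignment precedence. Role definitions are a constructed subset of
the real built-in roles; assignment records are constructed to mirror the
Question 4 table and use the field names of `az role assignment list -o json`.
"""
import fnmatch

# Constructed scope hierarchy: subscription > resource group > resource.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-ops"
SA = RG + "/providers/Microsoft.Storage/storageAccounts/stexample"
BLOBS = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs"

# Constructed subset of built-in role definitions. Control-plane "actions"
# and data-plane "dataActions" are evaluated separately in Azure, so the
# control-plane Reader role grants nothing on blob data.
ROLE_DEFINITIONS = {
    "Reader": {"actions": {"*/read"}, "dataActions": set()},
    "Owner": {"actions": {"*"}, "dataActions": set()},
    "Storage Blob Data Reader": {"actions": set(), "dataActions": {BLOBS + "/read"}},
    "Storage Blob Data Owner": {"actions": set(), "dataActions": {BLOBS + "/*"}},
}

GROUPS = {"Ops-Team": {"Carlos"}}  # constructed group membership

# Constructed records mirroring the Question 4 table.
ASSIGNMENTS = [
    {"principalName": "Ops-Team", "principalType": "Group",
     "roleDefinitionName": "Storage Blob Data Reader", "scope": SUB},
    {"principalName": "Carlos", "principalType": "User",
     "roleDefinitionName": "Storage Blob Data Owner", "scope": SA},
    {"principalName": "Ops-Team", "principalType": "Group",
     "roleDefinitionName": "Reader", "scope": RG},
]


def scope_covers(assigned_scope, target_scope):
    """Inheritance: an assignment reaches its own scope and every child scope, never a parent."""
    return target_scope == assigned_scope or target_scope.startswith(assigned_scope + "/")


def action_matches(pattern, action):
    """Azure action strings use '*' as a wildcard that spans '/' segments."""
    return fnmatch.fnmatchcase(action, pattern)


def principals_for(user):
    """The user plus every group they belong to; group assignments apply to members."""
    return {user} | {g for g, members in GROUPS.items() if user in members}


def effective_roles(user, target_scope, assignments=ASSIGNMENTS):
    """All roles reaching target_scope, whether assigned there or at a parent scope."""
    names = principals_for(user)
    return sorted({a["roleDefinitionName"] for a in assignments
                   if a["principalName"] in names and scope_covers(a["scope"], target_scope)})


def is_allowed(user, action, target_scope, data_action=False,
               assignments=ASSIGNMENTS, denies=()):
    """Additive grant check first; a matching deny assignment then wins regardless of role."""
    key = "dataActions" if data_action else "actions"
    granted = any(action_matches(p, action)
                  for role in effective_roles(user, target_scope, assignments)
                  for p in ROLE_DEFINITIONS[role][key])
    if not granted:
        return False
    names = principals_for(user)
    denied = any(d["principalName"] in names and scope_covers(d["scope"], target_scope)
                 and any(action_matches(p, action) for p in d[key])
                 for d in denies)
    return not denied


if __name__ == "__main__":
    # Question 4: group roles and the direct assignment combine additively.
    print(effective_roles("Carlos", SA))
    print(is_allowed("Carlos", BLOBS + "/delete", SA, data_action=True))
    # Question 5: a deny assignment blocks even Owner (constructed user "Dana").
    owner_at_sub = [{"principalName": "Dana", "principalType": "User",
                     "roleDefinitionName": "Owner", "scope": SUB}]
    deny_delete = [{"principalName": "Dana", "scope": RG,
                    "actions": {"Microsoft.Storage/storageAccounts/delete"},
                    "dataActions": set()}]
    print(is_allowed("Dana", "Microsoft.Storage/storageAccounts/delete", SA,
                     assignments=owner_at_sub, denies=deny_delete))
```

Running the script shows Carlos holding all three roles at the Storage Account but only the two group-derived roles at the resource group, because the direct Storage Blob Data Owner assignment does not propagate upward; the blob delete is allowed only at the Storage Account scope. The final call shows the deny assignment overriding Owner, which is why a blocked Owner should look at deny assignments first.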