Technical Lab: Manage Built-in Azure Roles
Questions
Question 1 – Multiple Choice
A development team needs to read and list resources in an Azure subscription, but cannot modify any resources or manage access. The administrator is considering assigning one of the following roles.
Which built-in role meets exactly this requirement without granting permissions beyond what's necessary?
A) Contributor
B) Reader
C) Owner
D) User Access Administrator
Question 2 – Technical Scenario
An administrator runs the following command to verify a user's permissions:
```bash
az role assignment list --assignee user@contoso.com --all
```
The output shows that the user has the Contributor role assigned at the subscription scope. However, when trying to delete a resource in a specific resource group, the user receives an authorization error.
What is the most likely cause of this behavior?
A) The Contributor role does not include resource deletion permissions by default
B) There is a deny assignment applied at the resource group scope that blocks the action
C) The Contributor role assigned at the subscription does not propagate to child resource groups
D) The user's authentication token has expired and needs to be renewed
Question 3 – True or False
The Owner role grants all permissions over resources in the assigned scope, including the ability to assign roles to other users, and this combination of permissions cannot be restricted by any native Azure RBAC mechanism.
True or False?
Question 4 – Technical Scenario
An organization needs an external service to manage access assignments within a specific resource group, but without having permission to create, modify, or delete resources in that group.
The administrator is considering the following built-in roles:
| Role | Manages role assignments? | Modifies resources? |
|---|---|---|
| Owner | Yes | Yes |
| Contributor | No | Yes |
| User Access Administrator | Yes | No |
| Reader | No | No |
Which role should be assigned to meet the requirement with the least privilege possible?
A) Owner, with scope restricted to the resource group
B) Contributor, as it allows managing group members
C) User Access Administrator, with scope restricted to the resource group
D) Reader combined with Contributor in the same scope
Question 5 – Multiple Choice
When assigning a built-in role in Azure, the broadest available scope in the default resource hierarchy is:
A) Resource Group
B) Subscription
C) Management Group
D) Tenant Root Group
Answer Key and Explanations
Answer Key – Question 1
Answer: B
The Reader role grants exclusively read permissions (`*/read`) over all resources in the assigned scope, with no write, delete, or access management capabilities. It is the choice that applies the principle of least privilege to this scenario.
The distractors all trade on the same confusion: every other role includes read access only as a subset of broader permissions. Contributor allows read and write, but not access management. Owner includes everything, including access management. User Access Administrator focuses on managing role assignments, not on reading resources in general. Choosing Contributor, for example, exposes resources to accidental or intentional modification, violating the read-only requirement.
Answer Key – Question 2
Answer: B
Azure RBAC supports deny assignments, which explicitly block specific actions regardless of the roles assigned. A deny assignment applied at the resource group takes precedence over the Contributor role inherited from the subscription, because Azure RBAC evaluates deny assignments before role assignments and a matching deny always wins over a grant.
Alternative C represents a frequent misconception: roles assigned at parent scopes are inherited by child scopes, so Contributor at the subscription does apply to the resource group. Alternative A is incorrect because Contributor includes `*/write` and `*/delete` (except for roles and policies). Alternative D is technically possible in any scenario, but it is not the most likely cause of the behavior described and does not explain a persistent authorization error.
Answer Key – Question 3
Answer: False
The statement is false. While Owner grants complete permissions, including access management, this set of permissions can be restricted by native Azure mechanisms such as deny assignments and Azure Policy. Deny assignments can block specific actions even for an Owner in the affected scope. Additionally, under Microsoft Entra PIM, activation of the Owner role can be conditioned on approvals and time windows, limiting when it can be exercised in practice.
The conceptual error that the statement induces is treating Owner as an absolute and unrestricted privilege, when in reality Azure's authorization model has layers that can override role assignments.
Answer Key – Question 4
Answer: C
The User Access Administrator role grants exclusively the `Microsoft.Authorization/*/write` permission, which allows creating and managing role assignments, without including permissions to create, modify, or delete data plane or control plane resources outside the authorization scope. Assigned at the resource group scope, its effect is limited to that specific context.
Owner would meet the functional requirement, but violates the principle of least privilege by including permissions over resources. Contributor does not manage role assignments, so it doesn't meet the functional requirement. Combining Reader with Contributor doesn't make sense because Contributor already includes Reader permissions, and neither manages assignments.
Answer Key – Question 5
Answer: C
The broadest scope in the Azure resource hierarchy available for role assignment is the Management Group. The hierarchy, from broadest to most restrictive, is: Management Group > Subscription > Resource Group > Resource.
Alternative D, Tenant Root Group, is technically the tenant's root Management Group and represents the absolute top of the hierarchy, but is not a distinct scope type in role assignment options: it's a Management Group like any other. The confusion between Subscription and Management Group is the most common misconception in this question, as many small environments don't use Management Groups, leading to the incorrect perception that subscription is the maximum scope.
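The evaluation rules behind the answers to Questions 2, 3 and 5 (scope inheritance down the Management Group > Subscription > Resource Group > Resource chain, NotActions carving role management out of Contributor, and deny assignments overriding any grant) as a small Python model. This is an added example, not code from the lab or from Microsoft; the scope IDs, principals and role action lists are constructed and simplified.

```python
"""Toy model of Azure RBAC evaluation (constructed; not Azure's own code).
Roles assigned at a parent scope are inherited by child scopes; a deny
assignment anywhere in the chain wins over every grant. Role action lists
are simplified, not the full built-in Actions/NotActions definitions."""
from fnmatch import fnmatchcase

ROLES = {  # role: (Actions, NotActions)
    "Owner": (["*"], []),
    "Contributor": (["*"], ["Microsoft.Authorization/*/Delete",
                            "Microsoft.Authorization/*/Write",
                            "Microsoft.Authorization/elevateAccess/Action"]),
    "Reader": (["*/read"], []),
    "User Access Administrator": (["Microsoft.Authorization/*/write"], []),
}
# Constructed scope IDs, broadest to narrowest (the Question 5 hierarchy).
MG = "/providers/Microsoft.Management/managementGroups/mg-contoso"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-app"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
MG_OF_SUB = {SUB: MG}  # management groups are not a prefix of subscription IDs

def matches(pattern, action):
    """Action strings compare case-insensitively; '*' spans any characters."""
    return fnmatchcase(action.lower(), pattern.lower())

def in_scope(assignment_scope, target):
    """True if target is the assignment scope itself or one of its descendants."""
    a, t = assignment_scope.lower(), target.lower()
    if t == a or t.startswith(a + "/"):
        return True
    sub = "/".join(t.split("/")[:3])  # the '/subscriptions/<id>' part of target
    return MG_OF_SUB.get(sub, "").lower() == a

def role_allows(role, action):
    actions, not_actions = ROLES[role]
    return (any(matches(p, action) for p in actions)
            and not any(matches(p, action) for p in not_actions))

def is_authorized(principal, action, scope, role_assignments, deny_assignments=()):
    """role_assignments: (principal, role, scope); deny_assignments: (principal,
    action_pattern, scope). Deny assignments are checked first and always win."""
    for p, pattern, s in deny_assignments:
        if p == principal and in_scope(s, scope) and matches(pattern, action):
            return False
    return any(p == principal and in_scope(s, scope) and role_allows(r, action)
               for p, r, s in role_assignments)

# Question 2 scenario: Contributor at the subscription, deny assignment on the RG.
ASSIGNMENTS = [("user@contoso.com", "Contributor", SUB)]
DENIES = [("user@contoso.com", "*/delete", RG)]
```

Real deny assignments are created by Azure on behalf of services such as deployment stacks rather than by users directly; the model only shows how they are evaluated.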