Assign built-in Azure AD roles

Practice Test

True or False: “Azure AD roles can be used to help manage Azure resources.”

• True
• False

Answer: True

Explanation: Azure AD roles can indeed be used for managing Azure resources. They provide fine-grained access management for Azure resources.

Can you assign multiple roles to a single user in Azure AD?

• Yes
• No

Answer: Yes

Explanation: A single user in Azure AD can have multiple roles assigned to them. By assigning multiple roles, you can ensure that a user has all the permissions they need to perform their job.

Which of the following is not a built-in Azure AD role?

• a) User Administrator
• b) Security Admin
• c) Owner
• d) Global Administrator

Answer: c) Owner

Explanation: Owner is not a built-in Azure AD role. The built-in Azure AD roles include User Administrator, Security Admin, and Global Administrator among others.

True or False: “Azure AD roles cannot be assigned at the management group level.”

• True
• False

Answer: False

Explanation: Azure AD roles can be assigned at the management group level as well as other levels such as subscriptions, resource groups, and individual resources.

The Global Administrator role in Azure AD has what level of access?

• a) Access to all administrative features
• b) Access limited to user-level tasks
• c) No administrative access, only access to user-level tasks
• d) Limited administrative access and user-level tasks

Answer: a) Access to all administrative features

Explanation: A Global Administrator has access to all administrative features in Azure AD. This is the highest level of access.

True or False: “You can delegate the task of assigning Azure AD roles.”

• True
• False

Answer: True

Explanation: Azure AD allows you to delegate the task of assigning roles to others, providing flexibility and shared responsibility in role management.

Which of the following tasks could a User Administrator in Azure AD perform?

• a) Adding or deleting users
• b) Managing licenses
• c) Setting up groups
• d) All of the above

Answer: d) All of the above

Explanation: A User Administrator can perform all of these actions: adding or deleting users, managing licenses, and setting up groups.

True or False: “In Azure AD, you cannot create custom roles.”

• True
• False

Answer: False

Explanation: It is possible to create custom roles in Azure AD. This is especially useful when the built-in roles do not suit your specific requirements.

Multiple roles assigned to a single user always result in additive permissions:

• True
• False

Answer: True

Explanation: Azure AD follows an additive model for roles and permissions. This means that if a user is assigned multiple roles, the permissions granted are the sum of the permissions of all assigned roles.

What does RBAC stand for in Azure AD?

• a) Role-Based Access Control
• b) Resource-Based Access Control
• c) Role-Based Audit Control
• d) Resource-Based Audit Control

Answer: a) Role-Based Access Control

Explanation: RBAC in Azure AD stands for Role-Based Access Control. It is a method for managing access and permissions in Azure.

Interview Questions

What is the purpose of built-in Azure AD roles?

Built-in Azure AD roles are designed to help manage Azure resources and provide access to various functionalities. These roles allow organizational teams to easily manage Azure resources that belong to a business department, project, or application.

What are some common examples of built-in Azure AD roles?

Some common examples of built-in Azure AD roles include the Global Administrator, User Administrator, Directory Reader, Application Administrator, and Security Administrator roles.

What is the function of the Global Administrator Azure AD role?

The Global Administrator role in Azure AD is the most powerful role, and it allows individuals to manage virtually every aspect of Azure AD. This includes managing user accounts, setting security measures, and configuring all integral aspects of Azure AD.

How many Global Administrators should you have in an organization’s Azure AD setting?

As a best security practice, you should limit the number of Global Administrators in your Azure AD to two or three.

What is the purpose of the User Administrator role in Azure AD?

The User Administrator role in Azure AD allows individuals to manage user groups, passwords, and support tickets, but has limited access to high-level settings within the AD.

What permissions does the Directory Reader role provide?

The Directory Reader role in Azure AD permits users to view nearly all information stored in the directory, including users, group, and application details, but cannot make modifications.

How do Azure AD roles differ from Azure roles?

Azure AD roles are used for identity-related functions like managing users, groups, billing, licensing, and domain name settings. Azure roles, on the other hand, are used for managing resources in Azure like virtual machines, databases, and storage accounts.

How can an administrator assign built-in Azure AD roles?

An administrator can assign roles through the Azure portal, Azure AD PowerShell, and Graph Explorer.

Can you create custom Azure AD roles?

Yes, Azure AD supports the creation and assignment of custom roles if the built-in roles do not meet specific organization’s needs.

What are the benefits of assigning built-in Azure AD roles?

Assigning built-in Azure AD roles helps enforce the principle of least privilege, reduce security risks, provide granular access controls. It also helps an organization align with regulatory, auditing, and compliance requirements.

What is the scope of Azure AD roles?

The scope of Azure AD roles can vary from global to directory to administrative units depending on the requirement, providing flexibility in assigning access rights to users.

Who should have the ability to assign Azure AD roles?

As a best practice, only trusted administrators with the right expertise should have the ability to assign Azure AD roles.

Is it possible to assign multiple Azure AD roles to a single user?

Yes, it is possible to assign multiple Azure AD roles to a single user if the user’s responsibilities require them to perform tasks associated with multiple roles.

Can you remove an Azure AD role assignment?

Yes, you can remove Azure AD role assignments when the role is no longer needed for a user.

What is the function of the Security Administrator role in Azure AD?

The Security Administrator role in Azure AD allows users to manage security-related features such as managing alerts, conducting investigations, and managing security settings.