Microsoft Azure Architect Design (legacy) — Question 24

Note: This question is part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription named Project1. Only a group named Project1admins is assigned roles in the Project1 subscription. The Project1 subscription contains all the resources for an application named Application1.
Your company is developing a new application named Application2. The members of the Application2 development team belong to an Azure Active Directory
(Azure AD) group named App2Dev.
You identify the following requirements for Application2:
✑ The members of App2Dev must be prevented from changing the role assignments in Azure.
✑ The members of App2Dev must be able to create new Azure resources required by Application2.
✑ All the required role assignments for Application2 will be performed by the members of Project1admins.
You need to recommend a solution for the role assignments of Application2.
Solution: In Project1, create a network security group (NSG) named NSG1. Assign Project1admins the Owner role for NSG1. Assign the App2Dev the Contributor role for NSG1.
Does this meet the goal?

Answer options

• A. Yes
• B. No

Correct answer: B

Explanation

The proposed solution does not meet the requirements because assigning the Contributor role to App2Dev allows them to create resources, but it also grants them the ability to change role assignments, which is against the requirement. Since the goal is to prevent App2Dev from changing role assignments while still allowing resource creation, this solution fails to address that critical aspect.