Microsoft Azure Security Technologies — Question 20

You have an Azure subscription named Subcription1 that contains an Azure Active Directory (Azure AD) tenant named contoso.com and a resource group named
RG1.
You create a custom role named Role1 for contoso.com.
Where you can use Role1 for permission delegation?

Answer options

• A. contoso.com only
• B. contoso.com and RG1 only
• C. contoso.com and Subscription1 only
• D. contoso.com, RG1, and Subscription1

Correct answer: A

Explanation

The correct answer is A because custom roles created in Azure AD are scoped specifically to the tenant in which they are created, which is contoso.com in this case. The other options incorrectly imply that Role1 can be used at the resource group or subscription level, which is not permitted since it only applies to the Azure AD tenant.