Microsoft Identity and Access Administrator — Question 80
You have a management group named Group1 that contains two Azure subscriptions named Sub1 and Sub2. The subscriptions are linked to a Microsoft Entra tenant that contains a user named User1.
You need to ensure that User1 can onboard Sub1 to Permissions Management. The solution must follow the principle of least privilege.
Which permission should you grant to User1?
Answer options
- A. Microsoft.Authorization/roleAssignments/read for Sub1
- B. Microsoft.Authorization/roleAssignments/write for Group1
- C. Microsoft.Authorization/roleAssignments/write for Sub1
- D. Microsoft.Authorization/roleAssignments/read for Group1
Correct answer: C
Explanation
The correct answer is C: granting Microsoft.Authorization/roleAssignments/write for Sub1 allows User1 to onboard the subscription to Permissions Management. Options A and D provide only read access, which is insufficient for onboarding. Option B grants write access at the management group level, which would also cover Sub2 and is broader than necessary for the task at hand.