Home › Azure AZ-500 › cloudcomputing › az500identityaccess › Which Azure RBAC concept lets an engineer assign…
Which Azure RBAC concept lets an engineer assign a narrowly-scoped permission set (e.g. 'Reader' on one resource group) to a Microsoft Entra principal — instead of a broad subscription Owner role?
ADisabling RBAC entirely
BSharing the subscription Owner credentials with the engineer
CGranting Owner on the management group
DAn Azure role assignment scoped to the resource group (using a built-in or custom Azure role)
Answer & Solution
Correct answer: D. An Azure role assignment scoped to the resource group (using a built-in or custom Azure role)
Scoped role assignments are Azure's least-privilege primitive (per AZ-500 §1 identity). The others are textbook insecurity.
Related questions
Which Microsoft Entra ID feature lets a security engineer detect risky user behaviour (impWhich Microsoft Entra capability lets an admin enforce per-user MFA via a Conditional AcceWhich Microsoft Entra ID feature lets a developer register an app and obtain a CLIENT ID aWhich Azure / Microsoft Entra feature lets an admin enforce 'block sign-in from countries Which Microsoft Entra ID feature lets an admin enforce 'every privileged role activation mWhich Microsoft Entra ID feature lets an admin define a custom role with EXACTLY the actioWhich Microsoft Entra ID feature should an admin use to require user CONSENT to specific OWhich Azure resource feature lets an Azure VM / App Service / Function App authenticate to