In Azure RBAC, what does a role assignment link together?
Think about what three things must be connected to grant permissions.
In Azure RBAC, a role assignment connects a security principal (like a user), a role definition (which defines permissions), and a scope (where the permissions apply).
You want to follow the least privilege principle in Azure RBAC. Which approach best supports this principle?
Least privilege means giving only the permissions needed, no more.
Custom roles with only necessary permissions at the smallest scope help enforce least privilege by limiting access strictly to what is needed.
If a user has two role assignments on the same resource: Reader and Contributor, what effective permissions does the user have?
Think about how Azure combines permissions from multiple roles.
Azure RBAC combines permissions from all assigned roles, so the user effectively has the combined permissions, which in this case are those of Contributor.
You assign a user the Reader role at the resource group level. Which resources can the user read?
Consider what 'scope' means in Azure RBAC.
Assigning a role at the resource group level grants permissions on the resource group and all resources contained within it.
You manage an Azure environment hosting multiple tenants. Each tenant has its own subscription and resource groups. You want to allow tenant admins to manage only their subscription resources without affecting others. Which RBAC design best achieves this?
Think about isolating permissions per tenant subscription.
Assigning the Owner role at the subscription level for each tenant admin limits their control to only their subscription, preventing cross-tenant access.