https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/groups-concept#how-are-role-assignable-groups-protected
The membership type for role-assignable groups must be Assigned and can't be a Microsoft Entra dynamic group. Automated population of dynamic groups could lead to an unwanted account being added to the group and thus assigned to the role.
Group1 is dynamic, and to those groups you can't assign a role. So the answer is:
User1, VM1, App1
You can assign the Contributor role for RG1 to User1, VM1, and App1 because they are all security principals (User account, system-assigned managed identity, and service principal) that Azure Role-Based Access Control (RBAC) can assign roles to. Group1 is a dynamic group, which is not supported for role assignments in RBAC, making it ineligible.
To determine which identities can be assigned the Contributor role for Resource Group RG1, we need to understand which types of identities are eligible for Azure role-based access control (RBAC) assignments.
✅ Eligible identities for RBAC role assignments:
- Users – e.g., User1
- Groups – e.g., Group1
- Managed identities for Azure resources – e.g., VM1 (if it has a system-assigned or user-assigned managed identity)
- Service principals / Enterprise applications – e.g., App1
🔍 Contributor Role:
The Contributor role allows full management of Azure resources, excluding access management.
✅ Correct Answer: E. User1, Group1, VM1, and App1
All four types of identities can be assigned the Contributor role at the resource group level.
Would you like help assigning the Contributor role to one of these identities using the Azure portal or PowerShell?
"🔐 You cannot directly assign an Azure RBAC role (like Contributor) to a security group with dynamic membership if that group is not marked as role-assignable—and here's the catch: dynamic groups cannot be made role-assignable.
🧩 Why This Limitation Exists
To assign Azure roles to a group, the group must be:
Security-enabled
Role-assignable (a special setting at creation time)"
Now these notes are via Copilot, btw.
"Microsoft Entra Role Can Be Assigned to Group, applies to Entra Specific Roles and not Azure RBAC roles, therefore a Dynamic Group can have Contributor Roles Assigned even if Entra Role Assigned is set to No
D is the only answer that fits here. You CANNOT assign an Azure resource role to a group that has dynamic group membership. What does qualify for role assignments are users, groups, service principals, and managed identities.
Dynamic groups cannot be assigned roles in Azure RBAC. Only static groups, individual users, service principals, and managed identities are supported for role assignments.
Answer) E
In Azure, you can assign the Contributor role to users, groups, service principals, or managed identities. This means you can give a user, a group of users, an application (service principal), or a system-assigned identity the ability to create and manage most Azure resources within a specified scope.
Tested in my tenant. Dynamically assigned groups allow CONTRIBUTOR assignment for Azure resources. It is only AzureAD roles that are not allowed for dynamically assigned security groups
Answer: D. User1, VM1, and App1 only
Explanation:
In Azure, the Contributor role for a resource group like RG1 can be assigned to the following types of identities:
User accounts (such as User1).
System-assigned managed identities for Azure resources (such as VM1).
Service principals associated with enterprise applications (such as App1).
Here’s why each option qualifies or does not qualify:
User1: A user account can be assigned the Contributor role, so User1 is eligible.
VM1: Since VM1 has a system-assigned managed identity, it can be assigned roles like Contributor for RG1.
App1: As an enterprise application (service principal), App1 can also be assigned the Contributor role.
However:
Group1 cannot be assigned the Contributor role because dynamic groups (such as those with the Dynamic user membership type) are not supported for Azure role-based access control (RBAC) assignments. Only static groups or individual users, service principals, and managed identities can be assigned roles.
A security principal is an object that represents a user, group, service principal, or managed identity that is requesting access to Azure resources.
You can assign a role to any of these security principals.
So, you can assign a role to
- User
- Group (Assigned)
- Service Principal
- Managed Identity
https://learn.microsoft.com/en-us/azure/role-based-access-control/overview
However, it says in another doc:
The membership type for role-assignable groups must be Assigned and CAN'T be a Microsoft Entra dynamic group.
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/groups-concept#how-are-role-assignable-groups-protected
User, group and application (Service principal) with no doubt: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps#step-1-determine-who-needs-access
VM (system assigned): https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/tutorial-windows-vm-access?pivots=windows-vm-access-wvm
So E is correct.
Copilot
In Azure, you can assign the Contributor role for a resource group (RG1 in this case) to the following identities:
User Accounts: You can assign the role to individual user accounts, such as user1 in your table.
Security Groups: You can also assign the role to security groups, such as group1. All members of the group, including those dynamically added due to the group’s dynamic membership rules, will inherit the role.
Managed Identities: Managed identities for Azure resources, such as the system-assigned managed identity for VM1, can also be assigned the role. This allows the VM to manage resources in the resource group.
Enterprise Applications: Enterprise applications, such as app1, can be assigned the role if they have an associated service principal. This allows the application to manage resources in the resource group.
Remember, the Contributor role allows the assigned identity to create and manage all types of Azure resources, but it does not allow them to grant access to other users. For that, you would need the Owner role or User Access Administrator role.
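An added example, not part of the original thread and not Microsoft's code: the doc sentence quoted at the top warns that dynamic membership can put an unwanted account into a role, so this check lists Azure role assignments held by dynamic groups together with the rule that populates them. It assumes, as one commenter reports from testing, that such an assignment can exist; field names follow `az role assignment list` output and Microsoft Graph group objects, and every sample value is constructed.

```python
# Constructed sample data: ids, the scope and the membership rule are made up.
RG1 = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/RG1"
GROUPS = [  # shaped like Microsoft Graph group objects
    {"id": "g-1", "displayName": "Group1", "groupTypes": ["DynamicMembership"],
     "membershipRule": 'user.department -eq "Sales"', "isAssignableToRole": False},
    {"id": "g-2", "displayName": "Group2", "groupTypes": [],
     "membershipRule": None, "isAssignableToRole": True},
]
ASSIGNMENTS = [  # shaped like `az role assignment list` output
    {"principalId": "u-1", "principalType": "User", "roleDefinitionName": "Contributor", "scope": RG1},
    {"principalId": "g-1", "principalType": "Group", "roleDefinitionName": "Contributor", "scope": RG1},
    {"principalId": "g-2", "principalType": "Group", "roleDefinitionName": "Reader", "scope": RG1},
    {"principalId": "sp-1", "principalType": "ServicePrincipal", "roleDefinitionName": "Contributor", "scope": RG1},
    {"principalId": "g-9", "principalType": "Group", "roleDefinitionName": "Contributor", "scope": RG1},
]


def is_dynamic(group):
    """Dynamic groups carry "DynamicMembership" in groupTypes."""
    return "DynamicMembership" in (group.get("groupTypes") or [])


def entra_role_assignable(group):
    """Entra roles need a role-assignable group, which must be Assigned."""
    return bool(group.get("isAssignableToRole")) and not is_dynamic(group)


def review_group_assignments(assignments, groups):
    """Return Azure role assignments whose group membership is not hand-picked."""
    by_id = {g["id"]: g for g in groups}
    findings = []
    for a in assignments:
        if a.get("principalType") != "Group":
            continue  # users, service principals and managed identities
        group = by_id.get(a["principalId"])
        if group is None:
            reason, rule = "group not found in directory export", None
        elif is_dynamic(group):
            reason, rule = "dynamic membership", group.get("membershipRule")
        else:
            continue  # Assigned membership: members are added explicitly
        findings.append({"principalId": a["principalId"], "role": a["roleDefinitionName"],
                         "scope": a["scope"], "reason": reason, "membershipRule": rule})
    return findings


if __name__ == "__main__":
    for finding in review_group_assignments(ASSIGNMENTS, GROUPS):
        print(finding)
```

Each finding carries the membership rule, so a reviewer can see which user attributes effectively grant the role.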