Exam
Answer needs confirmation
Question
You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant. The domain contains two servers named Server1 and Server2.
A user named Admin1 is a member of the local Administrators group on Server1 and Server2.
You plan to manage Server1 and Server2 by using Azure Arc. Azure Arc objects will be added to a resource group named RG1.
You need to ensure that Admin1 can configure Server1 and Server2 to be managed by using Azure Arc.
What should you do first?
Proposed answer
- A. From the Azure portal, generate a new onboarding script.
- B. Assign Admin1 the Azure Connected Machine Onboarding role for RG1.
- C. Hybrid Azure AD join Server1 and Server2.
- D. Create an Azure cloud-only account for Admin1.
Suggested answer
- B (51%)
- A (45%)
MiMojo
Highly Voted 1 year, 7 months ago
Selected Answer: A
The Answer is "A". Hear me out. The question asks that "Admin1", a user account, has the appropriate permissions. The role of Azure Connected Machine Onboarding can only be assigned to a service principal, as confirmed by the link given to justify the wrong answer. Admin1 cannot be assigned this role, it's impossible, check it for yourself. Admin1, as a local server admin, has all the rights he/she needs. The correct answer is "A", generate a new onboarding script. One can onboard more than one server with the same script. Onboarding two certainly doesn't impose an administrative burden to use this method.
upvoted 20 times
JPO2021
1 month, 4 weeks ago
OBS: -"Admin1" is a user in ADDS, and a member of the local Administrators group on Server1 and Server2. -ADDS is a domain that syncs with an Azure Active Directory (Azure AD) tenant. Answer is B "Assign Admin1 the Azure Connected Machine Onboarding role for RG1"
upvoted 1 times
phi3nix
1 year, 6 months ago
This is the correct answer. 1. I tested this in LAB. 2.
Documentation: https://learn.microsoft.com/en-us/azure/azure-arc/servers/onboard-portal
---snap--- You can enable Azure Arc-enabled servers for one or a small number of Windows or Linux machines in your environment by performing a set of steps manually. Or you can use an automated method by running a template script that we provide. This script automates the download and installation of both agents. This method requires that you have administrator permissions on the machine to install and configure the agent. On Linux, by using the root account, and on Windows, you are member of the Local Administrators group. --snap--
upvoted 8 times
phi3nix
1 year, 6 months ago
A is the answer!
upvoted 2 times
SantaClaws
11 months, 3 weeks ago
It's not exclusive to service principals. But more importantly, Option A simply doesn't satisfy the requirement of the question. The question is not how to add resources to RG1. The question is explicitly about ensuring that Admin1 has the correct permissions. So option A can be completely disregarded as a possibility, because it's answering a completely different question.
upvoted 4 times
Bojana
Highly Voted 2 years, 6 months ago
Selected Answer: B
correct
upvoted 13 times
Ksk08
Most Recent 3 weeks, 1 day ago
Correct answer b
upvoted 1 times
JPO2021
1 month, 4 weeks ago
Selected Answer: B
-"Admin1" is a user in ADDS, and a member of the local Administrators group on Server1 and Server2. -ADDS is a domain that syncs with an Azure Active Directory (Azure AD) tenant. Answer is B "Assign Admin1 the Azure Connected Machine Onboarding role for RG1"
upvoted 1 times
004b54b
2 months ago
Selected Answer: A
https://learn.microsoft.com/en-us/azure/azure-arc/servers/onboard-portal#install-with-the-scripted-method
Install with the scripted method
1. Log in to the server.
2. Open an elevated PowerShell command prompt. > local admin rights are required but sufficient
3. Change to the folder or share that you copied the script to, and execute it on the server by running the ./OnboardingScript.ps1 script.
upvoted 1 times
starseed
2 months ago
answer is B
upvoted 2 times
sardonique
3 months, 1 week ago
Admin1 is an on-premises account; it does not exist in Azure AD, therefore it cannot be assigned any role within the Azure Portal. Admin1 has enough power to configure Server1 and Server2 though. So A is the answer IMO
upvoted 1 times
JPO2021
1 month, 4 weeks ago
(AD DS) domain that "syncs" with an Azure Active Directory tenant... (Admin1 exists in Azure AD) Answer is B
upvoted 1 times
Krayzr
4 months, 2 weeks ago
Selected Answer: B
B. Reason: Azure Arc allows you to manage your servers as if they are running in Azure. To onboard a machine to Azure Arc, the user needs the Azure Connected Machine Onboarding role. This role gives the user the necessary permissions to register the machine with Azure Arc. In this case, Admin1 needs to be assigned this role for the resource group RG1, so they can configure Server1 and Server2 to be managed by Azure Arc. The other options do not directly address the requirement of enabling Admin1 to configure the servers with Azure Arc. Therefore, option B is the most appropriate first step.
upvoted 1 times
RemmyT
5 months ago
Selected Answer: B
Tested in lab: Admin1 without the Azure Connected Machine onboarding role assigned on RG1 is unable to onboard any server to Azure. It is also unable to see any machine in Azure Arc | Machines and as a result it cannot manage any server. After assigning it the Azure Connected Machine onboarding role on RG1, Admin1 can see all the machines in Azure Arc, can manage the servers and can onboard the servers with the generated script. Note: Follow best security practices and avoid using an Azure account with Owner access to onboard servers. Instead, use an account that only has the Azure Connected Machine onboarding or Azure Connected Machine resource administrator role assignment. See Azure Identity Management and access control security best practices for more information. https://learn.microsoft.com/en-us/azure/azure-arc/servers/onboard-portal
upvoted 2 times
RemmyT
5 months ago
You have an on premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant. That means Admin1 is synced in Azure Entra ID and we can assign him the role Azure Connected Machine Onboarding on RG1 (where all Azure ARC servers will reside).
upvoted 1 times
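The role assignment debated in this thread, as an added example in Az PowerShell (not part of any comment above and not Microsoft's onboarding script): it confirms the synced account exists in the tenant, flags roles broader than onboarding needs, and assigns the onboarding role scoped to RG1 only if it is missing. The UPN is a hypothetical placeholder, and treating Contributor as "broad" alongside Owner is an assumption of this example; it expects the Az.Accounts and Az.Resources modules and a session already signed in with `Connect-AzAccount`.

```powershell
# Added example: assumes Az.Accounts / Az.Resources and a signed-in session that
# can read and create role assignments on the resource group.
$upn   = 'admin1@contoso.example'              # hypothetical UPN of the synced Admin1 account
$rg    = 'RG1'                                 # resource group named in the question
$role  = 'Azure Connected Machine Onboarding'  # built-in role discussed in the thread
$broad = 'Owner', 'Contributor'                # assumption: roles wider than onboarding needs

# A role can only be assigned to an identity that exists in the tenant,
# so confirm the on-premises account was actually synced.
$user = Get-AzADUser -UserPrincipalName $upn
if (-not $user) {
    throw "$upn not found in the tenant; check directory sync before assigning roles."
}

# Role assignments for this user as seen from the RG1 scope.
$assignments = Get-AzRoleAssignment -ObjectId $user.Id -ResourceGroupName $rg

# Report anything broader than the onboarding role so it can be reviewed.
$assignments |
    Where-Object { $_.RoleDefinitionName -in $broad } |
    ForEach-Object {
        Write-Warning "$upn holds '$($_.RoleDefinitionName)' at $($_.Scope)."
    }

# Assign the narrowly scoped role only when it is not already present.
if ($assignments.RoleDefinitionName -contains $role) {
    Write-Output "$upn already has '$role' on $rg."
} else {
    New-AzRoleAssignment -ObjectId $user.Id `
                         -RoleDefinitionName $role `
                         -ResourceGroupName $rg
}
```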
nawtitoo
5 months, 3 weeks ago
Selected Answer: B
with the appropriate role to Admin1 in the RG1 resource group, Admin1 will have the necessary permissions to configure Server1 and Server2 to be managed by Azure Arc.
upvoted 1 times
SIAMIANJI
6 months ago
Selected Answer: B
To ensure that Admin1 can configure Server1 and Server2 to be managed by using Azure Arc, the first step should be to assign Admin1 the appropriate role that grants the necessary permissions to onboard machines to Azure Arc. Specifically, Admin1 needs the Azure Connected Machine Onboarding role for the resource group RG1. Here’s the correct step to take: B. Assign Admin1 the Azure Connected Machine Onboarding role for RG1. This role grants the necessary permissions to onboard servers to Azure Arc, allowing Admin1 to generate the required onboarding script and complete the onboarding process.
upvoted 1 times
SIAMIANJI
6 months, 3 weeks ago
Selected Answer: B
To ensure that Admin1 can configure Server1 and Server2 to be managed by using Azure Arc, you should first assign Admin1 the necessary permissions in Azure, specifically the Azure Connected Machine Onboarding role for the resource group RG1. Therefore, the correct answer is: B. Assign Admin1 the Azure Connected Machine Onboarding role for RG1.
upvoted 1 times
RickySmith
10 months, 4 weeks ago
Selected Answer: B
B Assign Admin1 the Azure Connected Machine Onboarding role for RG1.
https://learn.microsoft.com/en-us/azure/azure-arc/servers/prerequisites#required-permissions
https://learn.microsoft.com/en-us/azure/azure-arc/servers/onboard-service-principal
refer point 2
upvoted 2 times
boapaulo
11 months, 1 week ago
Selected Answer: B
Generating a new integration script in the Azure portal is an important step in adding servers to Azure Arc, but it's not the first step when it comes to ensuring that a specific user, such as Admin1, has permission to configure the servers to be managed by Azure Arc. The first step is to ensure that Admin1 has the necessary permissions within the Azure environment. This is done by assigning the correct role to the user. In the case of Admin1, assigning the Azure Connected Machine Integration role to resource group RG1 is essential for them to be able to perform the required actions in Azure Arc. Once Admin1 has the proper permissions, they can then proceed with generating and running the integration script to add Server1 and Server2 to Azure Arc.
upvoted 1 times
Payday123
1 year ago
Is Admin1 a local user or domain user added to local admins?
upvoted 1 times
fabilo
1 year, 1 month ago
Selected Answer: A
A is the right one
upvoted 1 times
NazerRazer
1 year, 1 month ago
Selected Answer: B
So the correct answer is: B. Assign Admin1 the Azure Connected Machine Onboarding role for RG1. Having a local admin account on the server is helpful for running scripts and performing server-level tasks, but it's the Azure role and the onboarding process that grant the necessary permissions to configure the server for Azure Arc management. So, a local admin account is a component of the process but not sufficient on its own to perform the Azure Arc onboarding action. You need the proper Azure role assigned to enable the integration between the local server and Azure Arc. Here's why the option is not the first step. A. From the Azure portal, generate a new onboarding script: This is typically done after you've assigned the necessary role permissions to the user. You generate the script to onboard the machines once the user has the required permissions.
upvoted 2 times
MR_Eliot
1 year, 2 months ago
Selected Answer: B
B is the answer.
upvoted 1 times
MR_Eliot
1 year, 2 months ago
Answer is B. "UserA" is a domain user, who is added to the local administrator group. Prerequisites: Consider the following basic requirements when planning your deployment: - Your machines must run a supported operating system for the Connected Machine agent. - Your machines must have connectivity from your on-premises network or other cloud environment to resources in Azure, either directly or through a proxy server. - To install and configure the Azure Connected Machine agent, you must have an account with elevated privileges (that is, an administrator or as root) on the machines. - To onboard machines, you must have the >>Azure Connected Machine Onboarding Azure built-in role<<. - To read, modify, and delete a machine, you must have the Azure Connected Machine Resource Administrator Azure built-in role. Link: https://learn.microsoft.com/en-us/azure/azure-arc/servers/plan-at-scale-deployment#prerequisites
upvoted 1 times
afridi43
1 year, 2 months ago
Selected Answer: C
To ensure that Admin1 can configure Server1 and Server2 to be managed by using Azure Arc, you should perform the following steps: C. Hybrid Azure AD join Server1 and Server2.
upvoted 2 times
afridi43
1 year, 2 months ago
1. Hybrid Azure AD Join: When you hybrid Azure AD join Server1 and Server2, it means that these on-premises servers become part of both your on-premises Active Directory Domain Services (AD DS) domain and your Azure Active Directory (Azure AD) tenant. This is a fundamental requirement for Azure Arc because it establishes the necessary identity integration between your on-premises environment and Azure. 2. Azure Arc Connectivity: Once the servers are hybrid Azure AD joined, you can then proceed to configure Azure Arc for these servers. Azure Arc allows you to manage on-premises servers as if they were Azure resources. Azure Arc-enabled servers can be managed, configured, and monitored from the Azure portal. The other options mentioned (A, B, and D) are not the first steps you should take in this scenario:
upvoted 1 times
tomasek88
1 year, 3 months ago
Selected Answer: A
A is correct --> because Admin1 is local account
upvoted 2 times
Shnash
1 year, 3 months ago
1st point On-Prem AD is synced with Azure AD. 2nd point Admin1 looks like an AD User Account which is already available in Azure AD. Which is also a member of Local Admin group on both servers. 4th point we need to onboard multiple servers and in order to avoid interaction with the script we need to have service principal which is Admin1 and it should have Onboarding Role before we create, download and run the script. So Option "B" makes sense.
upvoted 2 times
syu31svc
1 year, 8 months ago
Selected Answer: B
From the link provided: "You will need to have the Azure Connected Machine Onboarding role or the Contributor role for the resource group of the machine." B is the answer.
upvoted 2 times
PrasadMP
1 year, 10 months ago
B: correct
upvoted 3 times
Burnie
2 years ago
B: To limit the privilege of a user and only allow them to onboard servers to Azure, the Azure Connected Machine Onboarding role is suitable. This role can only be used to onboard servers and cannot reonboard or delete the server resource. Make sure to review the Azure Arc-enabled servers security overview for more information about access controls. https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/hybrid/arc-enabled-servers/eslz-identity-and-access-management
upvoted 3 times
airfrog
2 years, 4 months ago
I think B is incorrect. You can only assign the "Azure Connected Machine Onboarding" role to Service Principals, not users; so you can't assign it to Admin1. I think A is correct. You just need to generate an onboarding script for a local admin to run. You also need to know the ID and Secret of the Service Principal which is assigned the "Azure Connected Machine Onboarding" role in order to run the script, but that isn't mentioned in the question.
upvoted 5 times
bastien95
2 years, 4 months ago
https://docs.microsoft.com/en-us/azure/azure-arc/servers/prerequisites To onboard machines, you must have the Azure Connected Machine Onboarding or Contributor role for the resource group in which the machines will be managed.
upvoted 3 times
DonChevoDeLaPaca
1 year, 4 months ago
The "Azure Connected Machine Onboarding" can be assigned to users: https://learn.microsoft.com/en-us/azure/azure-arc/servers/security-overview Users as a member of the Azure Connected Machine Resource Administrator role can read, modify, reonboard, and delete a machine. This role is designed to support management of Azure Arc-enabled servers, but not other resources in the resource group or subscription.
upvoted 2 times
miminya
2 years, 5 months ago
correct
upvoted 4 times