Free sampleManage Azure Identities and Governancehard
A resource has both a role assignment granting a user access and a deny assignment that applies to the same user and action. When Azure Resource Manager evaluates the request, the role assignment is checked first and grants access, so the deny assignment is ignored. Is this statement correct?
- AYes
- BNo Correct
Deny assignments are evaluated first and override role assignments. The grounding states deny assignments are evaluated before role assignments and that if a deny assignment applies, access is blocked regardless of role assignments. Deny assignments take precedence, so the request is blocked, not allowed.
Why A is wrong: Answering Yes assumes role assignments are checked first and win, but the grounding gives deny assignments precedence and evaluates them before role assignments.
Why B is correct: Correct. The grounding states deny assignments are evaluated before role assignments and that if a deny assignment applies, access is blocked regardless of role assignments.