You are using Azure AD B2B to collaborate with external partners. An external user cannot access a resource. Where should you check permissions?

  A. Storage account access keys
  B. Azure AD group membership
  C. Azure AD roles for the external user
  D. RBAC role assignments at the resource scope ✓

Correct answer: RBAC role assignments at the resource scope

Option D is correct because in Azure, access to resources such as storage accounts, key vaults, or subscriptions is governed by Role-Based Access Control (RBAC) role assignments scoped to the resource, resource group, or subscription, and an external B2B guest user must have an appropriate RBAC assignment at the correct scope to access the resource.

Option A is wrong because storage account access keys grant full data-plane access to storage and are not the mechanism used to grant or deny Azure B2B guest access to general resources.

Option B is wrong because Azure AD group membership alone does not grant resource access unless that group has been assigned an RBAC role at the relevant scope.

Option C is wrong because Azure AD directory roles (such as Global Administrator or User Administrator) govern tenant-level administrative actions, not access to individual Azure resources, which is controlled by RBAC.

Topic: azure ad b2b, rbac, role assignment, external users

Practice Microsoft Azure Administrator (AZ-104) Questions Free