Managed Identities (1 / 31): What is the effect of assigning the Reader role at the subscription scope to a user who already has the Contributor role at a resource group scope within that subscription?
Answer:
Azure RBAC is an additive model, so a user's effective permissions are the sum of their role assignments. However, a more specific scope (like a resource group) takes precedence over a broader scope (like a subscription). So in this case, the user would have Contributor access to the resource group and Reader access to the rest of the subscription.