You are an administrator of an Azure subscription for your company.
Management asks you to configure Azure permissions for a user in your Azure Active Directory (Azure AD).
The user must be able to perform all actions on the virtual machines (VMs). The user must not be allowed to
create and manage availability sets for the VMs.
You need to implement the required permissions with the least administrative effort.
How should you assign permissions?
A. Use Windows PowerShell to assign the Classic Virtual Machine Contributor role to the user.
B. Use Windows PowerShell to create a custom role from the Virtual Machine Contributor role and then use NotActions to customize the role permissions.
C. Implement a custom role through the Azure Portal and customize the role by adding the appropriate permissions.
D. Assign the Virtual Machine Contributor role to the user.
Explanation:
https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles#classic-virtualmachine-contributor
I would prefer B
least administrative effort so A
Why Classic? Why not D?
It doesn't mention anything about classic virtual machines.
B
B
https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles#classic-virtualmachine-contributor
Under Classic, the user cannot manage availability sets. This is the least administrative effort.
Creating custom roles is very tedious!
https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles
It asks, "The user must not be allowed to create and manage availability sets for the VMs."
Virtual Machine Contributor role can do that
Microsoft.Compute/availabilitySets/* Create and manage compute availability sets
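For reference, the procedure option B describes looks like this in PowerShell. This is an added example, not part of the original question or any comment; it assumes the Az PowerShell module, and the subscription ID, role name, description and user sign-in name are placeholders.

```powershell
# Added example. Assumes the Az module and an authenticated session (Connect-AzAccount).
# Placeholder values: replace with your own subscription and user.
$subscriptionId = "00000000-0000-0000-0000-000000000000"
$scope          = "/subscriptions/$subscriptionId"
$userSignIn     = "user@example.com"

# 1. Start from the built-in role so every VM permission is inherited.
$role = Get-AzRoleDefinition -Name "Virtual Machine Contributor"

# 2. Turn the copy into a new custom role definition.
$role.Id          = $null
$role.IsCustom    = $true
$role.Name        = "VM Contributor (no availability sets)"   # hypothetical name
$role.Description = "Virtual Machine Contributor without availability set management."

# 3. Subtract the availability set operations that the built-in role grants.
$role.NotActions.Add("Microsoft.Compute/availabilitySets/*")

# 4. Limit where the custom role can be assigned.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($scope)

# 5. Create the role, then assign it to the user at subscription scope.
New-AzRoleDefinition -Role $role
New-AzRoleAssignment -SignInName $userSignIn -RoleDefinitionName $role.Name -Scope $scope

# 6. Review the result: the availability set entry should appear under NotActions.
Get-AzRoleDefinition -Name $role.Name | Select-Object Name, Actions, NotActions
```

NotActions subtracts from the role's own Actions and is not a deny rule: if the user holds another role assignment that grants `Microsoft.Compute/availabilitySets/*`, that permission still applies.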