HOTSPOT
A company uses Azure for several virtual machine (VM) and website workloads. The company plans
to assign administrative roles to a specific group of users. You have a resource group named
GROUP1 and a virtual machine named VM2.
The users have the following responsibilities:
You need to assign the appropriate level of privileges to each of the administrators by using the
principle of least privilege.
What should you do? To answer, select the appropriate target objects and permission levels in the
answer area.
Explanation:
* Owner can manage everything, including access.
* Contributors can manage everything except access.
Note: Azure role-based access control allows you to grant appropriate access to Azure AD users,
groups, and services, by assigning roles to them on a subscription or resource group or individual
resource level.
Role-based access control in the Microsoft Azure portal
http://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure/
I don’t agree with this. It seems like Admin2 could get away with contributor access and not owner.
No, he must be an owner; here is the key word: “control access” – only owner can do that.
Admin2 should be either contributor or reader even. Subscription Contributor can create resource groups too… as per a comment by Dushyant Gill in https://azure.microsoft.com/en-in/documentation/articles/role-based-access-control-configure/. It’s a comment in the blog, so not sure if it’s true.
However, going by the principle of least privilege, subscription reader should be able to “read” the billing and usage information and prepare the report, right?
I’d go with Reader for Admin2.
Admin 2 is reader.