You are an administrator of an Azure subscription for your company.
Management asks you to configure Azure permissions for a user in your Azure Active Directory (Azure AD).
The user must be able to perform all actions on the virtual machines (VMs). The user must not be allowed to
create and manage availability sets for the VMs.
You need to implement the required permissions with the least administrative effort.
How should you assign permissions?
A. Use Windows PowerShell to assign the Classic Virtual Machine Contributor role to the user.
B. Use Windows PowerShell to create a custom role from the Virtual Machine Contributor role and then use NotActions to customize the role permissions.
C. Implement a custom role through the Azure Portal and customize the role by adding the appropriate permissions.
D. Assign the Virtual Machine Contributor role to the user.
Explanation:
https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles#classic-virtualmachine-contributor
I think answer is wrong.
Classic Virtual Machine Contributor can manage Classic virtual machines, but not the virtual network or storage account to which they are connected
Virtual Machine Contributor can manage virtual machines, but not the virtual network or storage account to which they are connected.
The question does not mention classic VMs so my answer is D.
Answer is correct, as the “Classic” Virtual Machine Contributor cannot manage availability sets. The Virtual Machine Contributor can manage
Microsoft.Compute/availabilitySets/* Create and manage compute availability sets
https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles#virtual-machine-contributor
Custom role by ARM templates should work too, but is more “work”.
I would go with B.
A is for Classic VMs; the exam is based on ARM VMs and it does not state in the question that the VMs are classic.
C. Custom role is more work.
D. Will give permissions to Microsoft.Compute/availabilitySets/* (Create and manage compute availability sets), which is not what the question asks for: “The user must not be allowed to create and manage availability sets for the VMs.”
Perhaps the question is updated, and now contains a matching answer from ARM? (Although I can’t find one.)
B is definitely more correct than A!
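
Option B from the question, sketched as an added example (not part of the original page or its comments). It assumes the Az PowerShell module with a session already signed in through Connect-AzAccount; the role name, subscription ID and user sign-in name are placeholders.

```powershell
# Added example. The three values below are constructed placeholders, not values from the page.
$subscriptionScope = '/subscriptions/00000000-0000-0000-0000-000000000000'
$userSignInName    = 'vmoperator@contoso.example'
$customRoleName    = 'VM Contributor (no availability sets)'   # hypothetical role name

# Start from the built-in role so every other VM permission is carried over unchanged.
$role = Get-AzRoleDefinition -Name 'Virtual Machine Contributor'

# Clearing the Id makes New-AzRoleDefinition create a new definition
# instead of addressing the built-in one.
$role.Id          = $null
$role.Name        = $customRoleName
$role.Description = 'Virtual Machine Contributor without availability set management.'
$role.IsCustom    = $true

# NotActions entries are subtracted from Actions when this role's
# effective permissions are computed.
$role.NotActions.Add('Microsoft.Compute/availabilitySets/*')

# A custom role must list the scopes where it can be assigned.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($subscriptionScope)

# Create the role and check the exclusion on the object Azure returns.
$created = New-AzRoleDefinition -Role $role
if ($created.NotActions -notcontains 'Microsoft.Compute/availabilitySets/*') {
    throw "Custom role '$customRoleName' is missing the availability set exclusion."
}

# A new definition can take a short while to propagate; retry if this fails right away.
New-AzRoleAssignment -SignInName $userSignInName `
    -RoleDefinitionName $customRoleName -Scope $subscriptionScope

# NotActions is a subtraction inside this one role, not a deny rule. Any other
# assignment that grants availabilitySets/* (Contributor, the built-in
# Virtual Machine Contributor) still allows it, so review what else the user holds.
Get-AzRoleAssignment -SignInName $userSignInName -Scope $subscriptionScope |
    Select-Object RoleDefinitionName, Scope
```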