You are an administrator of an Azure subscription for your company.
Management asks you to configure Azure permissions for a user in your Azure Active Directory (Azure AD).
The user must be able to perform all actions on the virtual machines (VMs). The user must not be allowed to
create and manage availability sets for the Vms.
You need to implement the required permissions with the least administrative effort.
How should you assign permissions?
A.
Use Windows PowerShell to assign the Classic Virtual Machine Contributor role to the user.
B.
Use Windows PowerShell to create a custom role from the Virtual Machine Contributor role and then use
NotActions to customize the role permissions.
C.
Implement a custom role through the Azure Portal and customize the role by adding the appropriate
permissions.
D.
Assign the Virtual Machine Contributor role to the user.
Explanation:
https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles#classic-virtualmachine-contributor
I think answer is wrong.
Classic Virtual Machine Contributor can manage Classic virtual machines, but not the virtual network or storage account to which they are connected
Virtual Machine Contributor can manage virtual machines, but not the virtual network or storage account to which they are connected.
The question does not mention classic VMs so my answer is D.
1
0
answer is correct as the “Classic” Virtual Machine Contributor cannot manage availability Set. The Virtual Machine Contributor can manage
Microsoft.Compute/availabilitySets/* Create and manage compute availability sets
https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles#virtual-machine-contributor
custom role by ARM templates should work 2 but is more “work”
0
0
I would go with B.
A is for Classic VMs, the exam is based on ARM VMs and it does not state on the question that the VMs are classic.
C. Custom role is more work.
D. Will give permissions to Microsoft.Compute/availabilitySets/* Create and manage compute availability sets which is not what the question ask for. The “The user must not be allowed to
create and manage availability sets for the Vms.”
1
0
Perhaps the question is updated, and now contains a matching answer from ARM? (Although I can’t find one.)
B is definately more correct than A!
0
0
Yes B is correct answer
1
0
What about this:https://docs.microsoft.com/en-gb/azure/role-based-access-control/built-in-roles#virtual-machine-contributor
Virtual Machine Contributor
Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they’re connected to.
Actions
Microsoft.Authorization/*/read Read authorization
Microsoft.Compute/availabilitySets/* Create and manage compute availability sets
0
0
https://docs.microsoft.com/en-gb/azure/role-based-access-control/built-in-roles#virtual-machine-contributor
Virtual Machine Contributor
Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they’re connected to.
Actions
Microsoft.Authorization/*/read Read authorization
Microsoft.Compute/availabilitySets/* Create and manage compute availability sets
0
1
Unless there’s an error in the question it seems to be correct
according to this link, virtual contributor role can access availability sets.
https ocs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor
0
0
Correction* answer is B.
0
0