You are an administrator of an Azure subscription for your company.
Management asks you to configure Azure permissions for a user in your Azure Active Directory (Azure AD).
The user must be able to perform all actions on the virtual machines (VMs). The user must not be allowed to
create and manage availability sets for the VMs.
You need to implement the required permissions with the least administrative effort.
How should you assign permissions?

A. Use Windows PowerShell to assign the Classic Virtual Machine Contributor role to the user.
B. Use Windows PowerShell to create a custom role from the Virtual Machine Contributor role and then use NotActions to customize the role permissions.
C. Implement a custom role through the Azure Portal and customize the role by adding the appropriate permissions.
D. Assign the Virtual Machine Contributor role to the user.
Explanation:
https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles#classic-virtualmachine-contributor
I would prefer B
1
1
least administrative effort so A
2
0
Why Classic? Why not D?
It doesn’t mention anything about classic virtual machines.
0
0
B
1
1
B
0
0
https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles#classic-virtualmachine-contributor
Under Classic, the user cannot manage availability sets. This is the least administrative effort.
Creating custom roles is very tedious!
https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles
2
0
It asks, “The user must not be allowed to create and manage availability sets for the VMs.”
Virtual Machine Contributor role can do that
Microsoft.Compute/availabilitySets/* Create and manage compute availability sets
0
0
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Read only. so A is correct.
0
0
Yes, A is correct. And does Azure allow customisation of inbuilt roles?
0
0
It specifies that the user should not be able to create and manage availability sets. Virtual Machine Contributor can manage availability sets whereas Classic Virtual Machine Contributor cannot. Hence, the answer A is correct.
0
0
Classic VM Contributor can manage Microsoft.ClassicCompute. Does the question ask about CLASSIC VM? – no!
VM Contributor can manage Microsoft.Compute/virtualMachines and virtualMachineScaleSets. This fits except for virtualMachineScaleSets. So, either B or C. The question states ‘all actions … except virtualMachineScaleSets’. There are a bunch of actions related to VM, not only Microsoft.Compute/virtualMachines, so it’s easier to remove virtualMachines rather than adding all of them. B it is.
0
0
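
The comments above turn on what each role's permission list actually evaluates to. As an added example (not part of the original thread and not Microsoft's code), this small Python model applies the Azure RBAC rule "effective permissions = Actions minus NotActions" to the three roles the options mention. The role dictionaries are constructed subsets built from action strings of the kind quoted in the comments, and the function names are hypothetical.

```python
import re

# Constructed subsets of the role definitions: only action strings of the kind
# quoted in the thread, not the complete built-in roles.
VM_CONTRIBUTOR = {
    "Actions": [
        "Microsoft.Compute/availabilitySets/*",
        "Microsoft.Compute/virtualMachines/*",
        "Microsoft.Compute/virtualMachineScaleSets/*",
    ],
    "NotActions": [],
}
CLASSIC_VM_CONTRIBUTOR = {
    "Actions": ["Microsoft.ClassicCompute/virtualMachines/*"],
    "NotActions": [],
}
# Option B: clone of Virtual Machine Contributor with one NotActions entry.
CUSTOM_VM_ROLE = {
    "Actions": list(VM_CONTRIBUTOR["Actions"]),
    "NotActions": ["Microsoft.Compute/availabilitySets/*"],
}


def _matches(pattern, operation):
    """'*' is the only wildcard; operation names compare case-insensitively."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def role_allows(role, operation):
    """Effective permission of one role: Actions minus NotActions."""
    granted = any(_matches(p, operation) for p in role["Actions"])
    excluded = any(_matches(p, operation) for p in role["NotActions"])
    return granted and not excluded


def user_allows(assigned_roles, operation):
    """Assignments are additive, so NotActions in one role is not a deny."""
    return any(role_allows(role, operation) for role in assigned_roles)


if __name__ == "__main__":
    ops = ["Microsoft.Compute/virtualMachines/start/action",
           "Microsoft.Compute/availabilitySets/write"]
    for name, role in [("Virtual Machine Contributor", VM_CONTRIBUTOR),
                       ("Classic Virtual Machine Contributor", CLASSIC_VM_CONTRIBUTOR),
                       ("Custom role (option B)", CUSTOM_VM_ROLE)]:
        print(name, {op: role_allows(role, op) for op in ops})
```

Because role assignments are additive, the custom role keeps the user away from availability sets only if no other assignment at the same or a parent scope grants those operations.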