ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-301 All Questions

View all questions & answers for the AZ-301 exam
Go to Exam

Exam AZ-301 topic 2 question 6 discussion

Actual exam question from Microsoft's AZ-301
Question #: 6
Topic #: 2
[All AZ-301 Questions]

Note: This question is part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains a resource group named RG1.
You create an Azure Active Directory (Azure AD) group named ResearchUsers that contains the user accounts of all researchers.
You need to recommend a solution that meets the following requirements:
✑ The researchers must be allowed to create Azure virtual machines.
✑ The researchers must only be able to create Azure virtual machines by using specific Azure Resource Manager templates.
Solution: On RG1, assign the Contributor role to the ResearchUsers group. Create a custom Azure Policy definition and assign the policy to RG1.
Does this meet the goal?

  • A. Yes
  • B. No
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by mykolaantoniv at Feb. 16, 2020, 12:28 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Avanade2023
Highly Voted 5 years, 1 month ago
Can anyone tell me how to realize "The researchers must only be able to create Azure virtual machines by using specific Azure Resource Manager templates." by a custom Azure Policy? I think that Azure Policy can be used to restrict VM's status like SKU sizes, location or adding a tag. But Azure Policy cannot be used to restrict any actions like above. Wouldn't we use RBAC?
upvoted 8 times
milind8451
5 years, 1 month ago
Ans for your ques - https://docs.microsoft.com/en-us/azure/governance/policy/tutorials/create-custom-policy-definition
upvoted 1 times
Test_Taker
4 years, 10 months ago
I dont think that link answers the question. That link uses ARM templates as a means to find the name of the property on a resource that you want to control via Azure Policy. It doesn't say that you can or how you can restrict to a specific ARM template. At least as far as i can find.
upvoted 2 times
...
...
...
mykolaantoniv
Highly Voted 5 years, 4 months ago
"Yes" is the correct answer
upvoted 7 times
tartar
4 years, 9 months ago
A is ok
upvoted 3 times
...
...
Aghora
Most Recent 4 years, 4 months ago
No - read my comments on previous questions
upvoted 1 times
Aghora
4 years, 4 months ago
after further research . this will work too . but the better option is to have a dev test lab . but by using a policy , you can allow them to deploy templates .
upvoted 1 times
levo017
4 years, 4 months ago
thanks. the correct answer should be YES for "ContributorRole + Policy" AND "DevLab Test" options.
upvoted 1 times
...
...
...
glam
4 years, 5 months ago
A. Yes
upvoted 1 times
...
arseyam
4 years, 5 months ago
As akamal mentioned, an Azure Policy will restrict deployments based on specific business logic like deny specific regions, SKUs, resources, etc. but it won't restrict the deployments to specific ARM templates! The best option is to create a DevTest lab and assign the Azure AD group the User role. For those who don't understand how the DevTest lab allows Users to deploy specific ARM templates then better watch this video https://www.youtube.com/watch?v=i473iSlltjI
upvoted 1 times
...
sanketshah
4 years, 5 months ago
A is correct answer
upvoted 2 times
...
On09
4 years, 9 months ago
It is still no, the best thing is assigning "Virtual machine contributor role" since it says The researchers must only be able to create Azure virtual machines by using specific Azure Resource Manager templates.
upvoted 1 times
...
akamal
5 years ago
it should be: NO As contributor can use all types of templates instead you need to create a lab and assign dev/test lab user role https://docs.microsoft.com/en-us/azure/lab-services/devtest-lab-use-resource-manager-template As per this article it says that there are two types of templates: 1- Resource Manager templates that use a Microsoft.DevTestLab/labs/virtualmachines resource type.....and this can't be used by DevTest Labs user role 2- Resource Manager templates that use a Microsoft.Compute/virtualmachines resource type .... Users who are assigned with a DevTest Labs user role can create environments using those templates as long as the administrator has configured the lab that way. so this should achieve the target of using only specific templates
upvoted 5 times
mtb123
5 years ago
"Create a custom Azure Policy definition and assign the policy to RG1." " This should be where the restrictions on templates are set
upvoted 3 times
...
...
yefeimail
5 years, 1 month ago
yes for sure it is yes. no doubt
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel