Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.

Unlimited Access

Get Unlimited Contributor Access to the all ExamTopics Exams!
Take advantage of PDF Files for 1000+ Exams along with community discussions and pass IT Certification Exams Easily.

Exam AZ-103 topic 4 question 2 discussion

Actual exam question from Microsoft's AZ-103
Question #: 2
Topic #: 4
[All AZ-103 Questions]

HOTSPOT -
You have an Azure subscription named Subscription1 that contains a resource group named RG1.
In RG1, you create an internal load balancer named LB1 and a public load balancer named LB2.
You need to ensure that an administrator named Admin1 can manage LB1 and LB2. The solution must follow the principle of least privilege.
Which role should you assign to Admin1 for each task? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Show Suggested Answer Hide Answer
Suggested Answer:

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
riffark
Highly Voted 3 years, 10 months ago
Answer is Network Contributor on RG for both
upvoted 27 times
bobbywilly
3 years, 6 months ago
Net Contr. on RG for both IS CORRECT. Tested. 1 - If you use net cont role on LB1, you receive an error "You do not have sufficient permissions for Resource ID /blahblah. Correct Answer is Net Cont Role on RG1. 2 - If you use net conr role on LB2, you receive an error that says "Failed to create Probe. The client with object ID 'blahblahblah' has permission to perform write action on scope lb; however, it does not have permission to perform join/action... correct answer is net contr. on RG1
upvoted 10 times
...
...
DeadHead
Highly Voted 4 years ago
Here is the catch. The solution must follow the principle of least privilege. That's why network contributor.
upvoted 23 times
...
Amir1909
Most Recent 1 month, 2 weeks ago
Correct
upvoted 1 times
...
kamalpur
8 months, 1 week ago
This question is explained in below video https://youtu.be/GP9DRSOgssM
upvoted 1 times
...
selaiba1986
9 months, 4 weeks ago
For Health Probe also, without having access to RG1, no health probe can be added. If only Network Contributor role is assigned to LB then the user would not be able to access the IP addresses of the member pools. Owner/Contributor can give the user access for everything. So it will not fit into the the principle of least privilege. Hence Owner and contributor role is incorrect choices for the question.
upvoted 1 times
...
maria_saprykina
1 year, 3 months ago
Got a nice explanation from Az-104 udemy practise tests Answer: Network Contributor on RG for both 1. To add to the backend pool, write permission is required on the Resource Group because it writes deployment information. To add a backend pool, you need network contributor role on the LB and on the VMs that will be part of the backend pool. For this reason the network contributor role must be assigned to the RG where the LB and the VM resides. So the correct answer is Network Contributor on RG1. 2. For Health Probe also, without having access to RG1, no health probe can be added. If only Network Contributor role is assigned to LB then the user would not be able to access the IP addresses of the member pools. Owner/Contributor can give the user access for everything. So it will not fit into the the principle of least privilege. Hence Owner and contributor role is incorrect choices for the question. Reference: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
upvoted 2 times
...
aKalyan911
1 year, 4 months ago
As per the question, an administrator named Admin1 can manage LB1 and LB2. network contributor on LB1 and LB2 is correct. kindly suggest.
upvoted 1 times
...
rupayan87
1 year, 4 months ago
should contributor for LB1 as it is internal LB. Why give RG NW contributor? NW contributor for RG1 as LB2 is external and has a public IP that will belong to the RG.
upvoted 1 times
...
melatocaroca
2 years, 6 months ago
Network Contributor Lets you manage networks, but not access to them. Permission include Microsoft.Network/* Create and manage networks, so Network contributor in both Actions Description Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/alertRules/* Create and manage a classic metric alert Microsoft.Network/* Create and manage networks Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage a deployment Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and update a support ticket NotActions none DataActions none NotDataActions none
upvoted 1 times
...
creator
2 years, 11 months ago
I tested it. Both are NW Contributor on RG1. If the user have the only for LB, failed to create error.
upvoted 2 times
...
Thi
3 years, 5 months ago
first Network contributor for RG1 2nd :Network contributor for RG1
upvoted 4 times
KenZx
3 years, 4 months ago
Yes Agree
upvoted 4 times
...
...
Gbala
3 years, 7 months ago
Tested with my environment: First I assigned the user as a N/W contributor for both LB1 and LB2 which failed to create a backend pool or health probe... Next I assigned the N/W contributor role for both RG and I was able to create backend pools and health probe without any issues.. Answer is : Network Contributor on RG for both
upvoted 12 times
KsToff
3 years, 4 months ago
I did exactly the same test I have the same result ! ! ! answer are false the good answer is "Network Contributor on RG"
upvoted 2 times
...
daerlnaxe
1 year, 4 months ago
I just made the same thing, and exactly the same behavior, answer is wrong.
upvoted 1 times
...
...
Amit0808
3 years, 7 months ago
should be network contributors on RG1 for both. I checked this on whizlab practise set as well, they have given the same answer . to add LB on Backend pool , user need to have access to VM Ips and Vnet. So NC on RG1 To setup probe , user need to have access to VM Public IP , so NC on RG1 is correct
upvoted 2 times
yicim24216
3 years, 7 months ago
i think it's not on the RG1 bc RG1 could have other network resources the person shouldn't be able to modify
upvoted 1 times
...
...
dreamweaver
3 years, 8 months ago
in what role would you be where the only access you need is to add a backend pool or a health probe. Do companies really have so many people that they have people dedicated to just this? Answer is, I would google it to be sure at the time I need it.
upvoted 1 times
...
[Removed]
3 years, 8 months ago
I tested this out and N.C. was required on RG1 for the 1st one, N.C. on LB2 was required for the 2nd one.
upvoted 1 times
...
Shades
3 years, 8 months ago
Given answer is wrong. with Network admin on Load balancer , I was not able to create the Backend Pool. It just would not show the available Vnet. I tried giving it contributor/owner at LB level.It wont help. Needed to have Network contributor role at RG Level to be able to create BE Pool
upvoted 2 times
Shades
3 years, 8 months ago
We cant even add probe without Network Contributor role In RG: This is error I get even though I had owner access at LB level: User has permission to perform action 'Microsoft.Network/loadBalancers/write' on scope 'LB'; however, it does not have permission to perform action 'Microsoft.Network/publicIPAddresses/join/action' on the linked scope(s) '/subscriptions/594358eb-2e75-4ac8-b165-45d3853feaf6/resourceGroups/rg/providers/Microsoft.Network/publicIPAddresses/LBIP' or the linked scope(s) are invalid.
upvoted 2 times
...
...
yicim24216
3 years, 8 months ago
100% Network Contributor on the RG for both.
upvoted 13 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...