Exam AZ-104 topic 2 question 36 discussion

Should the answer be C. Contributor? Answer B, only allows the managing of the VM's and not the Virtual Networks as stated in the question.

Correct Answer: C Only Owner and Contributor can perform the actions, but we need to follow the least privilege principal, so Contributor. A: Owner- Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. B: Virtual Machine Contributor - Create and manage virtual machines, manage disks and disk snapshots, install and run software, reset password of the root user of the virtual machine using VM extensions, and manage local user accounts using VM extensions. This role does not grant you management access to the virtual network or storage account the virtual machines are connected to. This role does not allow you to assign roles in Azure RBAC. C: Contributor - Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. D: Virtual Machine Administrator Login - View Virtual Machines in the portal and login as administrator. Reference: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

You want User1 to: Deploy virtual machines Manage virtual networks But only give the minimum required permissions (least privilege) ✅ Contributor Role Allows creating and managing all types of Azure resources, including virtual machines and virtual networks Does NOT allow managing access (i.e., assigning roles) Fits the principle of least privilege for the tasks mentioned ❌ Why the other options are incorrect: A. Owner Too much access – includes full permissions plus the ability to manage RBAC (assign roles), which violates least privilege B. Virtual Machine Contributor Only allows management of virtual machines Does not grant permissions for virtual networks, so this doesn’t meet the requirement D. Virtual Machine Administrator Login Only allows login to virtual machines with administrative privileges Does not allow deploying or managing VMs or networks

Virtual Machine Contributor (Option B): Permissions: Create and manage virtual machines. Manage virtual networks (e.g., create, update, delete virtual networks and subnets). Manage network interfaces and disks. Limitations: Does not allow User1 to manage other Azure resources (e.g., storage accounts, databases).

Virtual Machine Contributor: This role only allows the user to manage VMs but not virtual networks, so it would not provide the ability to manage virtual networks.

C is corerct

Question is tricky, but it states "Least privilege" So answer C is correct

C is correct

The correct answer is B. Virtual Machine Contributor1. The Virtual Machine Contributor role allows a user to create and manage virtual machines, manage disks, install and run software, reset the password of the root user of the virtual machine using VM extensions, and manage local user accounts using VM extensions1. However, this role does not grant management access to the virtual network or storage account the virtual machines are connected to1. For managing virtual networks, User1 would also need the Network Contributor role1. This role lets you manage all networking resources, but not access to them1.

Contributor

Virtual Machine Contributor > B: Wrong Answer. Create and manage virtual machines, manage disks, install and run software, reset password of the root user of the virtual machine using VM extensions, and manage local user accounts using VM extensions. This role does not grant you management access to the virtual network or storage account the virtual machines are connected to. This role does not allow you to assign roles in Azure RBAC. Correct answer > C. Contributor

'Contributor': because both vm and vnet need to be managed. https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#contributor

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries

C. Contributor To ensure that User1 can deploy virtual machines and manage virtual networks with the principle of least privilege, you should assign the Contributor role to User1. The Contributor role provides permissions to create and manage Azure resources but does not grant excessive privileges like the Owner role. By assigning the Contributor role, User1 will have the necessary permissions to deploy virtual machines and manage virtual networks without having unrestricted access to other resources or the subscription management. The Virtual Machine Contributor role is more limited and focuses specifically on managing virtual machines. It does not include permissions to manage virtual networks, so it is not the most appropriate choice for this scenario. The Virtual Machine Administrator Login role is specific to Windows Virtual Desktop and grants permissions to manage the administrative accounts for virtual machines in a virtual desktop infrastructure. Therefore, the best option in this scenario is to assign the Contributor role to User1.

Keyword here is & Networks. Only the contributor role can manage the VM's and the Networks.

B. Virtual Machine Contributor. To meet the requirement of allowing User1 to deploy virtual machines and manage virtual networks with the principle of least privilege, the Virtual Machine Contributor role should be assigned to User1. This role allows User1 to manage virtual machines, but only those virtual machines for which they have been granted access. Additionally, this role provides permissions to manage the virtual network resources required to support the virtual machines. Assigning the Owner or Contributor role to User1 would provide more permissions than necessary, and therefore, does not follow the principle of least privilege. The Virtual Machine Administrator Login role does not provide the necessary permissions to deploy virtual machines or manage virtual networks.

Answer is C. Because having user1 has role of "VirtualMachineContributor", User1 can Create and manage virtual machines, manage disks, install and run software, reset password of the root user of the virtual machine using VM extensions, and manage local user accounts using VM extensions. But we cannot create VM as this role as dosen't having write access to Microsoft.Network/virtualNetworks Microsoft.Network/publicIPAddresses Microsoft.Network/networkSecurityGroups which stops VM creation.