Exam AZ-500 topic 3 question 60 discussion

Actual exam question from Microsoft's AZ-500

Question #: 60
Topic #: 3

DRAG DROP -
You have an Azure subscription named Sub1.
You have an Azure Active Directory (Azure AD) group named Group1 that contains all the members of your IT team.
You need to ensure that the members of Group1 can stop, start, and restart the Azure virtual machines in Sub1. The solution must use the principle of least privilege.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:

Show Suggested Answer

Suggested Answer:

References:
https://www.petri.com/cloud-security-create-custom-rbac-role-microsoft-azure

by LJack at March 15, 2021, 1:02 a.m.

Comments

Submit Cancel

teehex

Highly Voted 2 years, 8 months ago

Three steps you need: - Create a json file that contains role definition (https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added#what-are-service-principals-and-where-do-they-come-from). - Create a new role definitoon by running New-AzRoleDefinition -InputFile "C:\CustomRoles\customrole1.json" (https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-powershell#create-a-custom-role-with-json-template) - Assigning a new role definition to the Group1 in subscription scope by running New-AzRoleAssignment https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-powershell#step-4-assign-role

upvoted 47 times

LHU

1 month, 2 weeks ago

Why is the answer correct? 1) We need a new role because of the ''least privileged'' requirement. And to create a role, you need a JSON file outlining what it is about. This is why the JSON file comes first. 2) New-AzRoleDefinition uses the -InputFile (the JSON we just made) to get the role created. 3) And then we assign it.

upvoted 1 times

...