Exam AZ-500 topic 2 question 67 discussion

NO NO NO

It's correct. NO NO NO */Read ==> User1 can read anything Micrososft.Compute/* ==> doesn't provide anything. It will will reference all resourceTypes but without action Reminder on action format: {Company}.{ProviderName}/{resourceType}/{action} https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions

No, No, No.

User1 can add VM1 to VNET1. No: Adding a virtual machine to a virtual network requires permissions beyond read access, such as Microsoft.Network/virtualNetworks/*. The custom role only includes Microsoft.Compute/*, which does not cover virtual network modifications. User1 can start and stop App1. No: App1 is an App Service app, which is not a Microsoft.Compute resource. Starting and stopping App Services requires permissions on Microsoft.Web resources, which are not included in the role. User1 can start and stop cont1. No: cont1 is a Container instance, which falls under Microsoft.ContainerInstance. The custom role does not include permissions for container instances, only Microsoft.Compute/*.

No - user does not have any network permissions (= he cannot do anything with VNET1) No - "Microsoft.Compute" provider is not including app service No - "Microsoft.Compute" provider is not including containers

YES, NO, NO */read -> Grants access to read actions for all resource types of all Azure resource providers. Microsoft.Compute/* -> Grants access to all actions for all resource types in the Microsoft.Compute resource provider. User can create virtual machines because they can perform any action for VMs, and read VNet to attach it to the VM. https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions#actions

Ok, it is all NO's because that custom role has a bad format. Action format is {Company}.{ProviderName}/{resourceType}/{action} where action is *, read, write, action or delete. We miss ResorceType or ProviderName. Tested and it does not allowed to save it

I do not get the respond. Adding Microsoft.Compute/*, it is including Microsoft.Compute/virtualMachines/read Get the properties of a virtual machine Microsoft.Compute/virtualMachines/write Creates a new virtual machine or updates an existing virtual machine Microsoft.Compute/virtualMachines/delete Deletes the virtual machine Microsoft.Compute/virtualMachines/start/action So, we may start and create a new VM

Tested in the Lab NO NO NO

Why the second option is NO? Microsoft.Compute/virtualMachines/* Perform all virtual machine actions including create, update, delete, start, restart, and power off virtual machines. Execute scripts on virtual machines.

*/read allows read access to all resource types across all resource providers in Azure. Microsoft.Compute/* allows all actions for all resource types specifically within the Microsoft.Compute resource provider. If a user is assigned this custom role, they will have read access to all resource types across all resource providers (due to */read) and full access (read, write, delete, etc.) to all resource types within the Microsoft.Compute resource provider. For example, if this user tries to interact with a virtual machine (which is part of the Microsoft.Compute resource provider), they will have full control (create, update, delete, etc.) over that virtual machine because of the second action. For resources in other resource providers, they would only have read access.

It's correct. NO NO NO

No - VNET - You need Microsoft.Network/networkInterfaces/* Yes - Start Machine - That is included in Microsoft.Compute/virtualMachines/* No - Container - Would be under the Microsoft.ContainerService/* https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#containers

For the first question, I think this is missing and that;s why it is a NO. Microsoft.Network/networkInterfaces/write Creates a network interface or updates an existing network interface.

No No No, read is only read..

In Exam - 28/7/2023

Not sure why everyone is saying user only has read access to VNET1 User 1 is assigned Role 1 on Rg1 which contains VNET1 User 1 has read permission to everything in RG1 User 1 has all access to Microsoft.Compute in RG1 which includes Microsoft.Compute/virtualMachines/write Creates a new virtual machine or updates an existing virtual machine Hence 1.Yes 2. No - - > no such permissions are granted. 3. No - - > as others have mentioned. Container is a different resource provider, its not a part of Microsoft.Compute.