ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-500 All Questions

View all questions & answers for the AZ-500 exam
Go to Exam

Exam AZ-500 topic 2 question 67 discussion

Actual exam question from Microsoft's AZ-500
Question #: 67
Topic #: 2
[All AZ-500 Questions]

HOTSPOT -
You have an Azure subscription named Subscription1 that contains the resources shown in the following table.

You create a custom RBAC role in Subscription1 by using the following JSON file.

You assign Role1 to User1 on RG1.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Show Suggested Answer Hide Answer
Suggested Answer:
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
by o2091 at Dec. 15, 2021, 9:42 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Eltooth
Highly Voted 3 years, 4 months ago
NO NO NO
upvoted 21 times
slimjago
2 years, 8 months ago
what about this? https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions#actions
upvoted 2 times
...
stepman
2 years, 3 months ago
I chose this NNN and this was On exam 4/27 with the new exam experience. No Sim or lab.
upvoted 14 times
...
...
wsrudmen
Highly Voted 2 years, 10 months ago
It's correct. NO NO NO */Read ==> User1 can read anything Micrososft.Compute/* ==> doesn't provide anything. It will will reference all resourceTypes but without action Reminder on action format: {Company}.{ProviderName}/{resourceType}/{action} https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions
upvoted 12 times
koreshio
2 years, 10 months ago
no. see this: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions#actions Microsoft.Compute/* --> "Grants access to all actions for all resource types in the Microsoft.Compute resource provider."
upvoted 5 times
koreshio
2 years, 10 months ago
but overall, its seems: No, No, No. as you've stated: Permissions on Microsoft.Compute are here: https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
upvoted 3 times
...
...
...
SofiaLorean
Most Recent 5 months ago
No, No, No.
upvoted 1 times
...
codeunit
10 months ago
User1 can add VM1 to VNET1. No: Adding a virtual machine to a virtual network requires permissions beyond read access, such as Microsoft.Network/virtualNetworks/*. The custom role only includes Microsoft.Compute/*, which does not cover virtual network modifications. User1 can start and stop App1. No: App1 is an App Service app, which is not a Microsoft.Compute resource. Starting and stopping App Services requires permissions on Microsoft.Web resources, which are not included in the role. User1 can start and stop cont1. No: cont1 is a Container instance, which falls under Microsoft.ContainerInstance. The custom role does not include permissions for container instances, only Microsoft.Compute/*.
upvoted 7 times
shadad
9 months, 2 weeks ago
well done! what i like on this site is the discussion part only. make understand why right answers is right answers and why wrong is wrong is wrong. we are here not to answer blindly like other sites dumps but to know why. Thank you.
upvoted 3 times
...
...
pentium75
1 year ago
No - user does not have any network permissions (= he cannot do anything with VNET1) No - "Microsoft.Compute" provider is not including app service No - "Microsoft.Compute" provider is not including containers
upvoted 1 times
...
danielgil
1 year, 8 months ago
YES, NO, NO */read -> Grants access to read actions for all resource types of all Azure resource providers. Microsoft.Compute/* -> Grants access to all actions for all resource types in the Microsoft.Compute resource provider. User can create virtual machines because they can perform any action for VMs, and read VNet to attach it to the VM. https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions#actions
upvoted 2 times
bob_sez
1 year, 8 months ago
You need additional permission for creating VM cause you have to assign the VM to a subnet and that is not possible without a network specific permission.
upvoted 2 times
...
...
xxavimr
1 year, 8 months ago
Ok, it is all NO's because that custom role has a bad format. Action format is {Company}.{ProviderName}/{resourceType}/{action} where action is *, read, write, action or delete. We miss ResorceType or ProviderName. Tested and it does not allowed to save it
upvoted 4 times
...
xxavimr
1 year, 8 months ago
I do not get the respond. Adding Microsoft.Compute/*, it is including Microsoft.Compute/virtualMachines/read Get the properties of a virtual machine Microsoft.Compute/virtualMachines/write Creates a new virtual machine or updates an existing virtual machine Microsoft.Compute/virtualMachines/delete Deletes the virtual machine Microsoft.Compute/virtualMachines/start/action So, we may start and create a new VM
upvoted 3 times
Obama_boy
1 year, 8 months ago
I agree with you, the answer to whether user1 can add VM1 to VNET1 should be YES
upvoted 1 times
...
...
TheProfessor
1 year, 9 months ago
Why the second option is NO? Microsoft.Compute/virtualMachines/* Perform all virtual machine actions including create, update, delete, start, restart, and power off virtual machines. Execute scripts on virtual machines.
upvoted 1 times
...
sadsad
1 year, 9 months ago
*/read allows read access to all resource types across all resource providers in Azure. Microsoft.Compute/* allows all actions for all resource types specifically within the Microsoft.Compute resource provider. If a user is assigned this custom role, they will have read access to all resource types across all resource providers (due to */read) and full access (read, write, delete, etc.) to all resource types within the Microsoft.Compute resource provider. For example, if this user tries to interact with a virtual machine (which is part of the Microsoft.Compute resource provider), they will have full control (create, update, delete, etc.) over that virtual machine because of the second action. For resources in other resource providers, they would only have read access.
upvoted 2 times
sadsad
1 year, 9 months ago
So Yes / Yes /Yes due to Microsoft.Compute/*
upvoted 3 times
...
ubiquituz
1 year, 9 months ago
the options are not for vms, you can not configure vnet1, start app1 and container1 with ms.compute/*...
upvoted 1 times
...
...
ESAJRR
1 year, 10 months ago
It's correct. NO NO NO
upvoted 1 times
...
BigShot0
1 year, 10 months ago
No - VNET - You need Microsoft.Network/networkInterfaces/* Yes - Start Machine - That is included in Microsoft.Compute/virtualMachines/* No - Container - Would be under the Microsoft.ContainerService/* https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#containers
upvoted 7 times
...
adminpack
1 year, 11 months ago
For the first question, I think this is missing and that;s why it is a NO. Microsoft.Network/networkInterfaces/write Creates a network interface or updates an existing network interface.
upvoted 1 times
...
ServerBrain
2 years ago
No No No, read is only read..
upvoted 1 times
...
Troublemaker
2 years ago
In Exam - 28/7/2023
upvoted 1 times
...
Malikusmanrasheed
2 years, 2 months ago
Not sure why everyone is saying user only has read access to VNET1 User 1 is assigned Role 1 on Rg1 which contains VNET1 User 1 has read permission to everything in RG1 User 1 has all access to Microsoft.Compute in RG1 which includes Microsoft.Compute/virtualMachines/write Creates a new virtual machine or updates an existing virtual machine Hence 1.Yes 2. No - - > no such permissions are granted. 3. No - - > as others have mentioned. Container is a different resource provider, its not a part of Microsoft.Compute.
upvoted 2 times
...
Shashprasad
2 years, 4 months ago
YES --> VM access and Read to Network NO --> No access YES --> Container instance is VM
upvoted 1 times
zellck
2 years, 3 months ago
Container Instances is a separate resource provider. https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcontainerinstance
upvoted 2 times
...
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel