Exam AZ-104 topic 2 question 54 discussion

the answer is wrong. you are not defining a policy but a custom role. You need to provide either of the following in DataActions: Microsoft.Compute/virtualMachines/login/action Microsoft.Compute/virtualMachines/loginAsAdmin/action correct answer is dataActions and assignableScopes

The key to understanding the first option is to understand the Control plane VS Data plane Action/notAction is the control plane, and DataAction/notDataAction is the data plane. Logging into a VM is data plane - So it should be defined at the DataAction https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/control-plane-and-data-plane

Option1: actions, options2: assignableScopes

Should be Action and AssignableScope. " The Microsoft.Compute/virtualMachines/login/action permission is a control plane operation, so it should be included in the Actions array, not the DataActions array. This permission allows users to log in to virtual machines, which is part of managing the VM itself rather than accessing or modifying data within the VM" by Copilot

Ensuring Users Can Sign In to Virtual Machines: Adding Microsoft.Compute/virtualMachines/login/action in the actions section Assigning role1 Only to RG1: Editing /subscriptions/{subscriptionId}/resourceGroups/RG1 in the assignableScopes section The DataActions section in a role definition specifies permissions to perform actions on data within your resources (like Azure Storage or Cosmos DB...)

To log in to a virtual machine (VM), you typically need to configure actions in a custom role. Specifically, for logging into a VM using Azure, you need to ensure the role includes the necessary actions for accessing the VM, such as: Microsoft.Compute/virtualMachines/login/action: This action allows users to log in to the VM. Microsoft.Compute/virtualMachines/read: This action allows users to read the VM properties. Data actions are generally used for accessing data within Azure resources, such as reading or writing data in a storage account, and are not typically required for logging into a VM.

all the AIs (ChatGPT, Google's whatever it's called) say actions

{ "Name": "Custom VM Login Role", "IsCustom": true, "Description": "Allows users to log in to assigned virtual machines", "Actions": [ "Microsoft.Compute/virtualMachines/login/action", "Microsoft.Compute/virtualMachines/read" ], "NotActions": [], "AssignableScopes": [ "/subscriptions/<subscription-id>" ] }

Data Actions and assignableScopes

To ensure that users can sign in to virtual machines (VMs) when assigned a custom role in Azure, the RBAC JSON template needs to include the appropriate actions that grant access to the VM's management and sign-in capabilities. Key properties to modify in the custom role definition JSON: Actions: To allow users to sign in to the VM, you need to add the following permissions in the Actions property: "Microsoft.Compute/virtualMachines/login/action": Grants permission to log in to virtual machines. "Microsoft.Compute/virtualMachines/read": Allows read access to the virtual machine's configuration. "Microsoft.Network/networkInterfaces/read": Provides read access to network interface configurations (necessary for understanding network settings related to the VM).

WRONG dataActions assignableScopes

first one is dataActions. proof is in here: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/compute

ANSWER IS dataactions and Assignable Scope

For the first requirement: actions For the second requirement: assignableScopes

tested: Actions and Assignable Scope "Microsoft.Compute/virtualMachines/login/action"

It is very time consuming and causing confusion to decide which is correct answer as the examtopic has not assured their answer is 100% correct. Also for some questions mostly voted % is missing so not able to judge the correct answer. I have exam scheduled by end of June, please teach me how to arrive at the correct answer

Correct answer: Actions and Assignable Scope. "Microsoft.Compute/virtualMachines/login/action"