A support desk needs to reset the local administrator password on specific virtual machines by using the VMAccess extension and restart those VMs. They must not be able to resize the machines, change networking, or manage disks. What should the administrator create?

Assign the Virtual Machine Contributor built-in role at the subscription scope

This built-in role is broader than needed and would allow many VM management actions the team should not have.

Assign the Contributor role at the resource group scope

This grants far too much access, including management of unrelated resources in the same resource group.

Use an Azure Policy assignment to allow the VMAccess extension

Policy can enforce or deny configurations, but it does not grant operational permissions to users or groups.

What does this AZ-104 question test?

Authentication checks who the user is.

What is the correct answer to this question?

The correct answer is: Create a custom role with only the required VM actions and assign it at the virtual machine scope — A custom RBAC role assigned at the virtual machine scope is the best fit when the built-in roles expose too many permissions. The support desk can get only the exact management actions required for password reset and restart, while all other VM, disk, and network operations remain blocked. Scoping it to the individual VM also prevents the role from being reused on unrelated servers in the same resource group or subscription. Why others are wrong: Virtual Machine Contributor and Contributor both include many additional actions that violate least privilege. A Policy assignment cannot provide user permissions; it only evaluates or modifies resource compliance. The question is about access control, so RBAC and custom scope are the correct tools.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.