You need to assign the same RBAC role to 15 administrators so they can manage backups for several virtual machines. You want to minimize ongoing administrative effort when membership changes. What should you use?
This is the most scalable and maintainable approach.
Why this answer
Option A is correct because assigning a single RBAC role to a Microsoft Entra group allows you to manage permissions centrally. When membership changes, you only need to add or remove users from the group, and the role assignment automatically applies to the new members. This minimizes ongoing administrative effort compared to managing individual role assignments.
Exam trap
The trap here is confusing resource locks (which prevent changes) with RBAC role assignments (which grant permissions), leading candidates to incorrectly select option C as a way to control access.
How to eliminate wrong answers
Option B is wrong because creating a separate custom role assignment for each administrator increases administrative overhead; any membership change requires modifying each individual assignment, which is inefficient and error-prone. Option C is wrong because a resource lock prevents accidental deletion or modification of resources but does not grant permissions to manage backups; it is a protection mechanism, not an authorization mechanism. Option D is wrong because a policy exemption allows certain resources to be excluded from Azure Policy compliance evaluation; it does not assign RBAC roles or grant permissions to manage backups.