A contractor needs Contributor on only VM1 and VM2 in rg-prod. Other resources in rg-prod must remain untouched, and the contractor must not gain access to any other resource groups or subscriptions. Which two role-assignment scopes meet the requirement? Select two.
A resource-level assignment limits permissions to VM1 and does not extend to unrelated resources.
Why this answer
Option A is correct because assigning the Contributor role at the VM1 resource scope grants the contractor permissions exclusively to that virtual machine, leaving all other resources in rg-prod and other scopes untouched. This meets the requirement of limiting access to only VM1 and VM2 within rg-prod.
Exam trap
The trap here is that candidates often default to assigning roles at the resource group scope for simplicity, forgetting that this grants access to all resources in that group, not just the specified VMs.