An administrator wants to let a help desk group start, stop, and restart virtual machines in one resource group, but the group must not be able to delete the VMs or any other resource in the group. Which two actions should the administrator take? Select two.

Assign Virtual Machine Contributor to the help desk group.

Virtual Machine Contributor includes far more capabilities than start, stop, and restart. It would violate the requirement to prevent deletion and other management actions.

Apply a CanNotDelete lock to the resource group.

A CanNotDelete lock blocks deletions, but it does not grant the operational permissions needed to start or stop VMs. RBAC is still required.

Use Azure Policy to block VM deletion and leave RBAC unchanged.

Policy is not a substitute for the required operational permissions. The group still needs a role assignment that allows the start, stop, and restart actions.

What does this AZ-104 question test?

Authentication checks who the user is.

What is the correct answer to this question?

The correct answer is: Create a custom RBAC role with only VM start, stop, restart, and read actions. — The help desk needs a custom RBAC role that includes only the VM read, start, stop, and restart actions, assigned at the resource group scope. This is the cleanest least-privilege design because it grants just the operational tasks the team performs and nothing more. Scope to the resource group keeps the access limited to the intended application boundary. Why others are wrong: Virtual Machine Contributor is too broad for this scenario. A CanNotDelete lock can prevent deletion, but it does not provide the permissions to perform power operations. Azure Policy can help govern configuration, but it does not replace the required RBAC role assignment.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.