Your company has an Azure subscription named Prod-Sub. You create a custom role that allows users to restart virtual machines but not create, delete, or resize them. You need to ensure that members of the VMOperators group can use this custom role only for virtual machines in the RG-Prod resource group. What should you do?
Trap 1: Assign the custom role to VMOperators at the subscription scope.
  This grants the permissions across the entire subscription, which is broader than required.
Trap 2: Assign the Virtual Machine Contributor role to VMOperators at the…
  This built-in role is too broad because it allows more actions than restarting VMs.
Trap 3: Assign the custom role to VMOperators at the management group scope.
  This would make the permissions available to a wider set of subscriptions and resources than needed.
- A: Assign the custom role to VMOperators at the subscription scope.
  Why wrong: This grants the permissions across the entire subscription, which is broader than required.
- B: Assign the custom role to VMOperators at the RG-Prod scope. (Correct)
  Why correct: This applies the permissions only to resources in the RG-Prod resource group and follows least privilege.
- C: Assign the Virtual Machine Contributor role to VMOperators at the RG-Prod scope.
  Why wrong: This built-in role is too broad because it allows more actions than restarting VMs.
- D: Assign the custom role to VMOperators at the management group scope.
  Why wrong: This would make the permissions available to a wider set of subscriptions and resources than needed.