A support engineer must start and restart one specific virtual machine from the Azure portal, but must not be able to delete the VM, change networking, or grant access to others. Which two actions should be included in a custom role? Select two.
- A
Microsoft.Compute/virtualMachines/start/action grants the ability to start the VM without broader management permissions.
Why correct: This action is the precise permission needed to power on a virtual machine. It is narrower than Contributor and does not expose unrelated capabilities such as deleting the VM or changing attached resources. Using this action supports least privilege for operational support tasks.
- B
Microsoft.Compute/virtualMachines/restart/action permits a controlled restart operation on the target VM.
Why correct: This action authorizes the restart operation specifically, which is separate from generic write or delete permissions. It allows the support engineer to perform the required maintenance task while keeping the role tightly scoped and avoiding access to networking or access-control operations.
- C
Microsoft.Compute/virtualMachines/delete gives the ability to remove the VM from the subscription.
Why wrong: Delete is far too permissive for a support-only role. It would allow destruction of the virtual machine, which is explicitly not required and would create unnecessary risk. This option is the opposite of least privilege for routine operations.
- D
Microsoft.Network/networkInterfaces/write is needed because a VM start or restart always requires NIC modification rights.
Why wrong: Starting or restarting a VM does not require permission to change the network interface. Granting NIC write access would broaden the role into network administration, which the requirement explicitly excludes. That would be excessive and unrelated to the task.
- E
Microsoft.Authorization/roleAssignments/write would let the engineer grant access to other users and manage permissions.
Why wrong: Role assignment write permissions are administrative access-control rights, not VM operations. Including them would let the engineer modify authorization for many resources, which is not needed and would violate the requirement to avoid granting access-management capabilities.