A company has a resource group named 'RG-Prod' that contains critical virtual machines (VMs), virtual networks, and a SQL database. The infrastructure team needs to grant a group of developers the ability to start, stop, and restart only the VMs in RG-Prod. The developers must not be able to create new VMs, delete existing VMs, modify the virtual networks, or access the database. The company wants to follow the principle of least privilege. Which Azure role-based access control (RBAC) approach should the company use?

Assign the Virtual Machine Contributor built-in role to the developers.

Virtual Machine Contributor provides full management of VMs, including creating, deleting, and modifying VMs, as well as managing networking resources (like virtual networks and network interfaces) attached to VMs. This is too permissive and violates the principle of least privilege because it allows actions beyond starting, stopping, and restarting, and it could also allow modification of virtual networks.

Assign the Contributor built-in role and then create an Azure Policy to deny any VM creation or deletion and VNet modifications in RG-Prod.

The Contributor role grants write permissions to all resources, including the ability to create and delete VMs and modify VNets. While Azure Policy can deny the actual creation of resources, it cannot revoke permissions already granted by an RBAC role. Users with Contributor would still have the permission to create resources, and even though the policy denies the action, the user could potentially bypass or the policy might not cover all scenarios. Moreover, the principle of least privilege should be enforced at the RBAC level, not through additional policies. This approach is not a clean RBAC solution.

Assign the Reader role to the developers and use Azure Policy to automatically start, stop, and restart VMs on their behalf.

The Reader role only allows read access to resources; it does not grant any permissions to perform actions like starting, stopping, or restarting VMs. Azure Policy does not grant permissions to execute actions; it enforces rules on resource configuration. To perform actions, users need the appropriate RBAC role assignments. This approach would not give developers the ability to start/stop VMs.

What does this AZ-900 question test?

Authentication checks who the user is.

What is the correct answer to this question?

The correct answer is: Create a custom RBAC role that includes only the specific actions required (e.g., Microsoft.Compute/virtualMachines/start/action, Microsoft.Compute/virtualMachines/deallocate/action) and assign it to the developers. — The principle of least privilege requires granting only the exact permissions needed for a task. Built-in roles like Virtual Machine Contributor are too broad because they include write and delete permissions for VMs, and they do not restrict access to other resource types like virtual networks. Azure RBAC does not support deny permissions within roles; instead, you define a custom role that explicitly lists only the actions you want to allow (e.g., start, stop, restart) and omits any actions for creating, deleting, or modifying VMs or networking resources. Azure Policy cannot grant RBAC permissions; it only enforces rules on resources. Therefore, creating a custom RBAC role with the specific VM actions (Microsoft.Compute/virtualMachines/start/action, Microsoft.Compute/virtualMachines/deallocate/action, Microsoft.Compute/virtualMachines/restart/action) is the correct approach.

What should I do if I get this AZ-900 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.