A company has a resource group named 'RG-Prod' that contains critical virtual machines (VMs), virtual networks, and a SQL database. The infrastructure team needs to grant a group of developers the ability to start, stop, and restart only the VMs in RG-Prod. The developers must not be able to create new VMs, delete existing VMs, modify the virtual networks, or access the database. The company wants to follow the principle of least privilege. Which Azure role-based access control (RBAC) approach should the company use?
A custom RBAC role allows you to define a precise set of allowed actions. By including only the start, deallocate, and restart actions, you grant exactly the permissions needed. The role does not include write or delete actions, so developers cannot create or delete VMs. Since VNet and database actions are not included, those resources are also protected. This meets the least privilege requirement.
Why this answer
Option B is correct because the principle of least privilege requires granting only the exact permissions needed. The built-in Virtual Machine Contributor role includes permissions beyond start/stop/restart (e.g., it allows creating and deleting VMs), which violates the requirement. A custom RBAC role scoped to RG-Prod with only the specific actions (Microsoft.Compute/virtualMachines/start/action, Microsoft.Compute/virtualMachines/deallocate/action, and Microsoft.Compute/virtualMachines/restart/action) meets the need precisely.
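The following is an added worked example, not part of the original explanation. It builds the custom role definition described above as JSON and then evaluates, with Azure RBAC's wildcard action matching (effective permission = Actions minus NotActions, `*` matching any characters), which operations that role permits compared with the built-in Virtual Machine Contributor role. The subscription id, the role name, and the Virtual Machine Contributor action list (an illustrative subset, chosen because its `Microsoft.Compute/virtualMachines/*` entry is what grants write and delete) are assumptions, not values from the page.

```python
"""Build the RG-Prod VM-operator custom role and check what it permits.

Added example; not from the original page. Subscription id and role name are
placeholders, and the Virtual Machine Contributor action list is an
illustrative subset of the real built-in role.
"""
import fnmatch
import json

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder
RG_SCOPE = f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/RG-Prod"

# Custom role: only the three operations the developers need, assignable at RG-Prod only.
CUSTOM_VM_OPERATOR_ROLE = {
    "Name": "VM Operator (RG-Prod)",  # placeholder name
    "IsCustom": True,
    "Description": "Start, deallocate and restart VMs in RG-Prod only.",
    "Actions": [
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/deallocate/action",
        "Microsoft.Compute/virtualMachines/restart/action",
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": [RG_SCOPE],
}

# Assumed, illustrative subset of the built-in Virtual Machine Contributor role.
VM_CONTRIBUTOR_ACTIONS_SUBSET = [
    "Microsoft.Compute/virtualMachines/*",
    "Microsoft.Compute/disks/write",
    "Microsoft.Network/virtualNetworks/read",
]

# Operations the question cares about: the three required ones plus the ones
# that must stay denied (create/modify, delete, VNet changes, database access).
REQUIRED_OPERATIONS = list(CUSTOM_VM_OPERATOR_ROLE["Actions"])
FORBIDDEN_OPERATIONS = [
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Network/virtualNetworks/write",
    "Microsoft.Sql/servers/databases/read",
]


def action_matches(pattern: str, operation: str) -> bool:
    """Azure action strings are case-insensitive and use '*' as a wildcard that
    also spans '/' segments; fnmatch on lower-cased strings reproduces that."""
    return fnmatch.fnmatchcase(operation.lower(), pattern.lower())


def permits(actions, not_actions, operation: str) -> bool:
    """Effective permission: some Actions entry matches and no NotActions entry does."""
    allowed = any(action_matches(a, operation) for a in actions)
    denied = any(action_matches(n, operation) for n in not_actions)
    return allowed and not denied


def meets_least_privilege(actions, not_actions) -> bool:
    """True when every required operation is permitted and no forbidden one is."""
    return all(permits(actions, not_actions, op) for op in REQUIRED_OPERATIONS) and not any(
        permits(actions, not_actions, op) for op in FORBIDDEN_OPERATIONS
    )


def compare_roles() -> dict:
    """Per operation, whether the custom role and the built-in subset permit it."""
    rows = {}
    for op in REQUIRED_OPERATIONS + FORBIDDEN_OPERATIONS:
        rows[op] = {
            "custom": permits(CUSTOM_VM_OPERATOR_ROLE["Actions"],
                              CUSTOM_VM_OPERATOR_ROLE["NotActions"], op),
            "vm_contributor": permits(VM_CONTRIBUTOR_ACTIONS_SUBSET, [], op),
        }
    return rows


def role_definition_json() -> str:
    """Serialise the custom role in the shape Azure's role-definition JSON uses."""
    return json.dumps(CUSTOM_VM_OPERATOR_ROLE, indent=2)


if __name__ == "__main__":
    print(role_definition_json())
    for op, r in compare_roles().items():
        print(f"{op:50} custom={r['custom']!s:5} vm_contributor={r['vm_contributor']}")
    print("custom role least-privilege:",
          meets_least_privilege(CUSTOM_VM_OPERATOR_ROLE["Actions"], []))
    print("vm contributor least-privilege:",
          meets_least_privilege(VM_CONTRIBUTOR_ACTIONS_SUBSET, []))
```

Running it shows the custom role permitting only the three required actions, while the built-in subset also permits `virtualMachines/write` and `virtualMachines/delete` through its wildcard entry, which is exactly why the built-in role fails the least-privilege test. The printed JSON is in the format accepted by `az role definition create --role-definition <file>`; the assignment to the developer group at the RG-Prod scope is a separate step.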
Exam trap
The trap here is that candidates often assume built-in roles like Virtual Machine Contributor are sufficiently restrictive, but they actually include broader permissions (e.g., create, delete, modify) that violate the principle of least privilege when only start/stop/restart is needed.
How to eliminate wrong answers
Option A is wrong because the Virtual Machine Contributor built-in role includes permissions to create, delete, and modify VMs (e.g., Microsoft.Compute/virtualMachines/write and Microsoft.Compute/virtualMachines/delete), which exceeds the required scope and violates least privilege. Option C is wrong because the Contributor built-in role grants full management access to all resources in the resource group, including the ability to modify virtual networks and access the SQL database; Azure Policy can deny specific operations but does not remove the underlying RBAC permissions, so the developers would still hold Contributor-level access that could be used through other paths, making this approach insecure and not compliant with least privilege.