Exam AZ-500
Question 84

HOTSPOT -

You have an Azure subscription named Subscription1 that contains the resources shown in the following table.

You create an Azure role by using the following JSON file.

You assign Role1 to User1 for RG1.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Reference:

https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#compute

Discussion
Outbreak

I think answer is correct, YES NO NO.

Azure custom roles: https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles

Available permissions (e.g. “Microsoft.Compute/*”): https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

- User1 can create new virtual machine in RG1: YES (Permission needed is: Microsoft.Compute/virtualMachines/write, Creates a new virtual machine or updates an existing virtual machine)
- User1 can modify the properties of storage1: NO (Microsoft.Storage/storageAccounts/write, Creates a storage account with the specified parameters or update the properties or tags or adds custom domain for the specified storage account.)
- User1 can attach the network interface of VM1 to VNET1: NO (I’m not sure of the exact resource provider operation here, but from the docs it looks like it’s not possible from Microsoft.Compute/*, so I’m pretty sure answer is NO. The relevant operation should be in Microsoft.Network/virtualNetworks/*, I guess.)

[Removed]

Microsoft.Network/virtualNetworks/read

rsamant

VM Creation Requires Network access also

geuser

adding NIC to VNET is a different story tho

stuart563214

NO NO NO. Just tested and VM creation fails because you need further permissions to join a subnet. My JSON:

```json
{
  "id": "/subscriptions/16ea6f64-d8b2-4fb4-a7c4-4e6aaad4d751/providers/Microsoft.Authorization/roleDefinitions/f40893f6-07cc-476d-9b74-75fbf3499s47",
  "properties": {
    "roleName": "rbac1",
    "description": "",
    "assignableScopes": [
      "/subscriptions/16ea6f64-d8b2-4fb4-a7c4-4e6aaad4d751",
      "/subscriptions/16ea6f64-d8b2-4fb4-a7c4-4e6aaad4d751/resourceGroups/rbac1"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Compute/*"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```

BP_lobster

Very helpful, thank you Stuart (changed my mind/now agree with this).

lahl

Tested in lab.... all answers should be NO, NO, NO

xRiot007

You are not required to do anything with the VM, just create it. Box 1 is YES.

Training

NO NO NO. Virtual Machine contributor does require basic network permissions to launch the VMs. https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor

BP_lobster

First question asks if we can create VMs. We have `Microsoft.Compute/virtualMachines/*` which allows VM creation (also allows us to update, delete, start, restart, and power off VM. And to execute scripts on virtual machines.) Source: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor

BP_lobster

Correction: See stuart563214's answer below, my initial assumption was incorrect. It appears we do need basic network permissions even to create a virtual machine.

xRiot007

Box 1 is YES. You are required to create the VM and nothing else, which Compute/* will suffice.

naylinu

No, No, No. Minimum requirements: "Microsoft.Compute/*/read", "Microsoft.Compute/virtualMachines/write", "Microsoft.Network/*/read", "Microsoft.Storage/*/read", "Microsoft.Authorization/*/read", "Microsoft.Resources/*/read", "Microsoft.Compute/virtualMachines/extensions/write"

naylinu

Above comment is just minimum requirements for creating vm.

Muaamar_Alsayyad

Just tested on LAB: NO NO NO

BigShot0

No, No, No - Adding the compute/* role to the resource group will grant that permission to new resources but will not modify permissions on existing resources. You will not be able to attach the virtual machine to the existing virtual network so the VM creation will fail.

Eltooth

NO NO NO

majstor86

YES NO NO

azcourse

Answer: for sure. N,N,N

wardy1983

Microsoft.Compute/* Grants access to all actions for all resource types in the Microsoft.Compute resource provider

ErikPJordan

| Action string | Description |
| --- | --- |
| `*/read` | Grants access to read actions for all resource types of all Azure resource providers. |
| `Microsoft.Compute/*` | Grants access to all actions for all resource types in the Microsoft.Compute resource provider. |
| `Microsoft.Network/*/read` | Grants access to read actions for all resource types in the Microsoft.Network resource provider. |
| `Microsoft.Compute/virtualMachines/*` | Grants access to all actions of virtual machines and its child resource types. |
| `microsoft.web/sites/restart/Action` | Grants access to restart a web app. |

zellck

NNN is the answer. https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor

edurakhan

Microsoft.Compute/* includes everything under it, including Microsoft.Compute/virtualMachines/write, which says “Creates a new virtual machine or updates an existing virtual machine”. So the first one is YES. YES NO NO

kabooze

Even if users here claim they can't create a VM, obviously Microsoft's documentation says you can: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor Virtual machine contributor falls under compute and you have compute/* permissions

tblazeen

YES-NO-NO is correct. Microsoft.Compute/virtualMachines/write Creates a new virtual machine or updates an existing virtual machine https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftresources:~:text=Microsoft.Compute/virtualMachines/write

udmraj

Correct Answer -- Yes, No, No

Pravindes

Answer is correct: YNN. If existing VNets, we can create virtual machine. https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor

rohitmedi

correct answer
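
The disagreement in this thread comes down to which control-plane operations a task needs and whether the role's wildcard `Microsoft.Compute/*` covers each of them. The following is an added example, not code from the exam or from any commenter: a small evaluator for a role's `actions`/`notActions` patterns. The task-to-operation lists in `TASKS` and the case-insensitive comparison are assumptions made for illustration.

```python
import re

# Constructed role definition: the permissions block of the custom role posted
# in the thread (actions = Microsoft.Compute/*); ids and scopes omitted.
ROLE = {"properties": {"roleName": "rbac1", "permissions": [
    {"actions": ["Microsoft.Compute/*"], "notActions": [],
     "dataActions": [], "notDataActions": []}]}}

# Assumed control-plane operations per task (illustrative lists, not an
# authoritative statement of what a given deployment path requires).
TASKS = {
    "write the VM resource only": ["Microsoft.Compute/virtualMachines/write"],
    "deploy a VM with a new NIC on an existing subnet": [
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/virtualNetworks/subnets/join/action"],
    "modify storage account properties": ["Microsoft.Storage/storageAccounts/write"],
}

def matches(pattern, operation):
    """'*' is the only wildcard; names are compared case-insensitively (assumption)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def is_allowed(role, operation):
    """Allowed if a permission block matches in actions and not in notActions."""
    for block in role["properties"]["permissions"]:
        granted = any(matches(a, operation) for a in block.get("actions", []))
        excluded = any(matches(n, operation) for n in block.get("notActions", []))
        if granted and not excluded:
            return True
    return False

def missing_operations(role, operations):
    """Operations from the list that the role does not grant."""
    return [op for op in operations if not is_allowed(role, op)]

def evaluate(role, tasks=TASKS):
    """Map each task to the operations the role is missing for it."""
    return {task: missing_operations(role, ops) for task, ops in tasks.items()}

if __name__ == "__main__":
    for task, missing in evaluate(ROLE).items():
        print(f"{task}: {'allowed' if not missing else 'missing ' + ', '.join(missing)}")
```

An empty list for a task means every operation assumed for it is covered by the role; a non-empty list names the operations that would have to be granted by another role or assignment.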