
AZ-500 Exam - Question 103


You have an Azure subscription that contains the resources shown in the following table.

You need to ensure that ServerAdmins can perform the following tasks:

✑ Create virtual machines in RG1 only.

✑ Connect the virtual machines to the existing virtual networks in RG2 only.

The solution must use the principle of least privilege.

Which two role-based access control (RBAC) roles should you assign to ServerAdmins? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

Correct Answer: ABF

To allow ServerAdmins to create virtual machines in RG1, the Virtual Machine Contributor role is appropriate because it grants permissions to manage virtual machines without allowing broader administrative access. For connecting the virtual machines to the existing virtual networks in RG2, the Network Contributor role for RG2 should be assigned. This role provides the necessary permissions to manage network interfaces and virtual networks without granting excessive permissions beyond what is required.

Discussion

Eltooth (Options: AF)
Mar 23, 2022

A. a custom RBAC role for RG2 - would provide least priv over RG2
B. the Network Contributor role for RG2 - provides too much priv over RG2
C. the Contributor role for the subscription - Cannot be C
D. a custom RBAC role for the subscription - too much permission
E. the Network Contributor role for RG1 - Cannot be E
F. the Virtual Machine Contributor role for RG1 - required to create VMs
Therefore A and F would provide least priv to perform tasks.

machado
Apr 11, 2023

How can D. be too much permission if it's custom and you can select scopes?

in_da_cloud
May 29, 2023

Because the scope is bigger than required - it would apply the permission on subscription instead of only RG.

thienvupt (Options: BF)
Oct 4, 2021

BF is my choice.

xavi1
Oct 8, 2021

Not B; it seems it does not include virtual machine connection: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#network-contributor

BillBaits
Oct 13, 2021

For me this is part of Microsoft.Network/*
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#network-contributor
So I think BF is correct

AS179 (Options: AF)
Dec 23, 2021

correct

Payday123 (Options: AD)
Feb 17, 2022

We can create custom RBAC role for the subscription and give it assignable scope to the resource group. Then assign it to this resource group. This will give users "least privileges".

machado
Apr 11, 2023

I thought the same and selected A. and D.

zellck (Options: AF)
May 7, 2023

AF is the answer. https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor Create and manage virtual machines, manage disks, install and run software, reset password of the root user of the virtual machine using VM extensions, and manage local user accounts using VM extensions. This role does not grant you management access to the virtual network or storage account the virtual machines are connected to. This role does not allow you to assign roles in Azure RBAC.

zellck
May 11, 2023

Gotten this in May 2023 exam.

Innovite
Mar 27, 2022

Least priv.. so provided answer is right..

somenick (Options: AF)
Oct 2, 2022

B is not ok because it allows to create networks, support tickets, manage monitoring - so too much.

stepman
Apr 27, 2023

I forgot what I chose, but this was on the exam 4/27 with the new exam experience. No sim or lab.

Ivan80
Jan 30, 2024

In exam 1/28/24

rasmart (Options: BF)
Mar 6, 2022

RBAC has too much privilege

starnb (Options: BF)
Mar 11, 2022

The correct answer is B and F

BigShot0 (Options: AF)
Sep 20, 2023

Not B - Network Contributor does not have Microsoft.Network/networkInterfaces/*

rameezali
Mar 3, 2024

Although Network Contributor is not the right answer because it gives you way more permissions than to attach a NIC, the Network Contributor role does have Microsoft.Network/*
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface?tabs=azure-portal#permissions

mrt007 (Options: BF)
Mar 30, 2024

The correct answers are F. the Virtual Machine Contributor role for RG1 and B. the Network Contributor role for RG2. Assigning the Virtual Machine Contributor role for RG1 will allow ServerAdmins to create virtual machines in RG1. Assigning the Network Contributor role for RG2 will allow ServerAdmins to connect the virtual machines to the existing virtual networks in RG2

tath
Dec 20, 2022

need guidance for clearing az-500 exam

Ajdlfasudfo0
Dec 23, 2022

step one: learn step two: pass exam step three: profit

chikorita
Feb 16, 2023

step four: renew certification (REPEATTT)

_fvt (Options: DF)
Aug 8, 2023

You cannot create a VM without being able to attach its network interfaces to a VNet. The only working option in definitive is: D - A Custom role for attaching the network cards on the Subscription level, F - VM contributor on RG1.

CHIEF101H (Options: AF)
Feb 27, 2024

A. a custom RBAC role for RG2 - would provide least priv over RG2 & F. the Virtual Machine Contributor role for RG1 - required to create VMs

xRiot007 (Options: AF)
Jul 17, 2024

Correct answers are: A - a custom RBAC role for RG2, providing least privilege - any other answer/explanations are incorrect. F - the Virtual Machine Contributor on RG1 - this is the best option from the listed ones, any other answer is incorrect. An even better option than this would be a custom RBAC role on RG1.
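
The wildcard and scope arguments made in this thread can be checked mechanically. The sketch below is an added example, not part of any comment or of the original page: it models how Azure RBAC matches `Actions`/`NotActions` patterns and how an assignment scope inherits downward, then compares a narrow custom role with the `Microsoft.Network/*` wildcard. The role name, the placeholder subscription ID, RG3 and the VNet names are assumptions, and the Network Contributor entry lists only the actions the commenters mention, not the full built-in definition.

```python
import re

# Placeholder subscription ID and a hypothetical RG3; RG2 is from the question.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG2 = SUB + "/resourceGroups/RG2"
VNET_RG2 = RG2 + "/providers/Microsoft.Network/virtualNetworks/vnet-a"
VNET_RG3 = SUB + "/resourceGroups/RG3/providers/Microsoft.Network/virtualNetworks/vnet-b"
JOIN = "Microsoft.Network/virtualNetworks/subnets/join/action"

# Hypothetical custom role: read existing VNets/subnets and join a subnet.
CUSTOM_ROLE = {
    "Name": "Subnet Joiner (example)",
    "Actions": ["Microsoft.Network/virtualNetworks/read",
                "Microsoft.Network/virtualNetworks/subnets/read", JOIN],
    "NotActions": [],
    "AssignableScopes": [RG2],
}
# Only the Network Contributor actions the commenters mention, not the full role.
NETWORK_CONTRIBUTOR = {
    "Actions": ["Microsoft.Network/*", "Microsoft.Support/*",
                "Microsoft.Insights/alertRules/*"],
    "NotActions": [],
}
# Operations that go beyond "connect to an existing virtual network".
PROBES = [
    "Microsoft.Network/virtualNetworks/write",
    "Microsoft.Network/virtualNetworks/delete",
    "Microsoft.Network/networkSecurityGroups/write",
    "Microsoft.Support/supportTickets/write",
]

def matches(pattern, operation):
    """Azure action patterns: '*' is a wildcard, comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def allows(role, operation):
    """Granted if any Actions pattern matches and no NotActions pattern does."""
    hit = any(matches(p, operation) for p in role["Actions"])
    return hit and not any(matches(p, operation) for p in role["NotActions"])

def reaches(assignment_scope, resource_id):
    """An assignment applies to its scope and to everything beneath it."""
    scope, rid = assignment_scope.rstrip("/").lower(), resource_id.lower()
    return rid == scope or rid.startswith(scope + "/")

def excess(role):
    """Probe operations the role grants beyond the subnet join."""
    return [op for op in PROBES if allows(role, op)]
```

Both roles allow the subnet join, but `excess(NETWORK_CONTRIBUTOR)` returns every probe while `excess(CUSTOM_ROLE)` is empty; `reaches(SUB, VNET_RG3)` is true where `reaches(RG2, VNET_RG3)` is false, which is the scope point in_da_cloud makes about assigning at the subscription.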