Exam SC-300 topic 1 question 72 discussion

You need two role assignments, one for RG1 and other for RG2. If you make just one assignment for both of the Resource groups, User1 will have Virtual machine & Storage account creating rights in both resource groups. If you put the scope on Subscription or Management group that has these Resource groups, the resource groups will inherit the role assignment from higher level (parent) resource. You can make a custom role for RG1 with permissions shown below: */read - View all resources Microsoft.Compute/virtualMachines/restart/action - Restart virtual machines. Microsoft.Compute/virtualMachines/write - Creates a new virtual machine or updates an existing virtual machine. Microsoft.Storage/storageAccounts/write - Creates a storage account with the specified parameters or update the properties or tags or adds custom domain for the specified storage account. For RG2 you should make custom role with these permissions: */read - View all resources Microsoft.Compute/virtualMachines/restart/action - Restart virtual machines.

Answer has to be C View all resources: READER role Restart virtual machines (it means RG1 and RG2 machines): VM contributor role Create VM/Storage accounts in RG1: Contributor role for RG1

C. 3 yues

Create two custom roles: - Role 1 can view any resource type and restart virtual machines; - Role 2 can create virtual machines and storage accounts. Assign Role 1 to User1 at the subscription. Assign Role 2 to User1 at RG1. Keep in mind that they ask for the MINIMUM number of assignments, and they don't say that you can only use standard role definitions.

Reader View all resources Virtual Machine Contributor Restart VMs across all resource groups Contributor Create VMs and storage accounts in RG1

what a dumb question that I hope I don't see on the exam. The question does not state if they had to be built in or custom roles but the one common thing I think we can all agree on is least privileged. One custom role at the subscription level to read all resources and restart virtual machines A second custom role for RG1 for storage and compute

Reader Role at the subscription level: Allows User1 to view all resources. Virtual Machine Contributor Role at the subscription level: Allows User1 to restart virtual machines in any resource group. Custom Role at the RG1 level: Includes permissions to create virtual machines and storage accounts in RG1.

Reader at the subscription level Lets User1 see all resources (every RG, every resource type). Virtual Machine Operator at the subscription level Lets User1 start, stop, and restart VMs anywhere in the subscription—but not create or delete them. Contributor on RG1 Lets User1 create (and manage) any resource in RG1 (including VMs, storage accounts, etc.) Does not give them creation rights in RG2 or other resource groups.

To meet the requirements for User1, you will need to assign three RBAC roles: Reader role at the subscription level to allow User1 to view all resources. Virtual Machine Contributor role at the subscription level to allow User1 to restart virtual machines. Contributor role at the RG1 level to allow User1 to create virtual machines and storage accounts in RG1 only. Therefore, the minimum number of RBAC role assignments required is C. 3

Answer B) 2 You can create just one custom role to create VM, restart them and the create storage account....and apply it to only RG1. Assign READER role at top level to view all resources outside of RG1.

Can be done with 2 custom role assignments. The question doesn't explicitly state that only in-built roles can be used.

This is a retarded question. It can be either 3 or 4

Minimum Number of Role Assignments: To meet these requirements, User1 needs a combination of Reader, Virtual Machine Contributor, and Storage Account Contributor roles. Since there is overlap in the roles that allow User1 to restart VMs and create VMs, we can optimize the number of role assignments. Reader role at the subscription level. Virtual Machine Contributor role at RG1 (to allow both VM creation and VM restart in RG1). Storage Account Contributor role at RG1. Conclusion: The minimum number of role assignments required is 3. Thus, the correct answer is: C. 3

2 RBAC roles are sufficient to perform what in case.

2 roles are sufficient: - Reader on the subscription level. It fulfills the 1st requirement. - Contributor or Owner on RG1, which fulfills the 2nd requirement - There is nothing to do with RG2 because it's empty (I assume). So, no role should be assigned.

To enable User1 to perform the specified tasks in Azure, you would need at least three role-based access control (RBAC) role assignments: Reader Role: This role allows User1 to view all resources in both resource groups, RG1 and RG2. Virtual Machine Contributor Role: This role permits User1 to restart virtual machines. It should be assigned at the scope of both RG1 and RG2 to cover all virtual machines. Contributor Role for RG1: This role allows User1 to create virtual machines and storage accounts, but it should be assigned specifically to RG1 only. Therefore, the minimum number of RBAC role assignments required is 3, making option C the correct answer.

It's 2 (B), by adding custom role/s.