ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-500 All Questions

View all questions & answers for the AZ-500 exam
Go to Exam

Exam AZ-500 topic 2 question 61 discussion

Actual exam question from Microsoft's AZ-500
Question #: 61
Topic #: 2
[All AZ-500 Questions]

You have an Azure subscription that contains the resources shown in the following table.

You need to ensure that ServerAdmins can perform the following tasks:
✑ Create virtual machines in RG1 only.
✑ Connect the virtual machines to the existing virtual networks in RG2 only.
The solution must use the principle of least privilege.
Which two role-based access control (RBAC) roles should you assign to ServerAdmins? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A. a custom RBAC role for RG2
  • B. the Network Contributor role for RG2
  • C. the Contributor role for the subscription
  • D. a custom RBAC role for the subscription
  • E. the Network Contributor role for RG1
  • F. the Virtual Machine Contributor role for RG1
Show Suggested Answer Hide Answer
Suggested Answer: AF 🗳️
by Nuxx at Sept. 29, 2021, 8:56 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Eltooth
Highly Voted 3 years ago
Selected Answer: AF
A. a custom RBAC role for RG2 - would provide least priv over RG2 B. the Network Contributor role for RG2 - provides too much priv over RG2 C. the Contributor role for the subscription - Cannot be C D. a custom RBAC role for the subscription - to much permission E. the Network Contributor role for RG1 - Cannot be E F. the Virtual Machine Contributor role for RG1 - required to create VM's Therefore A and F would provide least priv to perform tasks.
upvoted 17 times
machado
1 year, 12 months ago
How can D. be too much permission if it's custom and you can select scopes?
upvoted 1 times
in_da_cloud
1 year, 10 months ago
Because the scope is bigger than required - it would apply the permission on subscription instead of only RG.
upvoted 8 times
...
...
...
thienvupt
Highly Voted 3 years, 6 months ago
BF for my choose
upvoted 8 times
xavi1
3 years, 6 months ago
not B, seems does not include virtual machine connection: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#network-contributor
upvoted 2 times
BillBaits
3 years, 5 months ago
For me this is part of Microsoft.Network/* https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#network-contributor So I think BF is correct
upvoted 2 times
pentium75
8 months, 1 week ago
But Network Contributor can do all kinds of stuff, they are not supposed to do anything except connect VMs to existing networks
upvoted 1 times
...
...
...
...
Sabr_
Most Recent 20 hours, 17 minutes ago
Selected Answer: AF
Exam question 6th April 2025
upvoted 1 times
...
Nhadipour
2 months ago
Selected Answer: BF
Network Contributor is the most appropriate built-in role for this! grants enough necessary permissions to manage virtual networks within RG2. While you could create custom roles, it's not necessary to violate the principle of least privilege. Built-in roles provide the required permissions.
upvoted 1 times
...
Tom_tank
2 months ago
Selected Answer: BF
Virtual Machine Contributor role for RG1: This role will allow ServerAdmins to create and manage virtual machines in RG1. Network Contributor role for RG2: This role will enable ServerAdmins to connect the virtual machines to the existing virtual networks in RG2.
upvoted 1 times
...
xRiot007
8 months, 3 weeks ago
Correct answers are : A - a custom RBAC role for RG2, providing least privilege - any other answer/explanations are incorrect. F - the virtual Machine Contributor on RG1 - this is the best option from the listed ones, any other answer is incorrect. An even better option than this would be a custom RBAC role on RG1.
upvoted 1 times
...
mrt007
1 year ago
The correct answers are F. the Virtual Machine Contributor role for RG1 and B. the Network Contributor role for RG2. Assigning the Virtual Machine Contributor role for RG1 will allow ServerAdmins to create virtual machines in RG1. Assigning the Network Contributor role for RG2 will allow ServerAdmins to connect the virtual machines to the existing virtual networks in RG2
upvoted 3 times
...
CHIEF101H
1 year, 1 month ago
Selected Answer: AF
A. a custom RBAC role for RG2 - would provide least priv over RG2 & F.the Virtual Machine Contributor role for RG1 - required to create VM's
upvoted 1 times
...
Ivan80
1 year, 2 months ago
In exam 1/28/24
upvoted 3 times
...
BigShot0
1 year, 6 months ago
Selected Answer: AF
Not B - Network Contributor does not have Microsoft.Network/networkInterfaces/*
upvoted 2 times
rameezali
1 year, 1 month ago
Although network contributor is not the right answer because it gives you way more permissions than to attach a NIC, but the role network contributor does have Microsoft.Network/* https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface?tabs=azure-portal#permissions
upvoted 1 times
...
...
_fvt
1 year, 8 months ago
Selected Answer: DF
You cannot create a VM without being able to attach it's network Interfaces to a VNet. The only working option in definitive is: D - A Custom role for attaching the network cards on the Subscription level, F - VM contributor on RG1.
upvoted 1 times
pentium75
8 months, 1 week ago
Wouldn't a custom role in RG2 allow you to attach your VM's network to a VNet?
upvoted 1 times
...
...
zellck
1 year, 11 months ago
Selected Answer: AF
AF is the answer. https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor Create and manage virtual machines, manage disks, install and run software, reset password of the root user of the virtual machine using VM extensions, and manage local user accounts using VM extensions. This role does not grant you management access to the virtual network or storage account the virtual machines are connected to. This role does not allow you to assign roles in Azure RBAC.
upvoted 4 times
zellck
1 year, 11 months ago
Gotten this in May 2023 exam.
upvoted 5 times
...
...
stepman
1 year, 11 months ago
I forgot what I chose, but this was On exam 4/27 with the new exam experience. No Sim or lab.
upvoted 3 times
...
tath
2 years, 3 months ago
need guidance for clearing az-500 exam
upvoted 1 times
Ajdlfasudfo0
2 years, 3 months ago
step one: learn step two: pass exam step three: profit
upvoted 18 times
chikorita
2 years, 1 month ago
step four: renew certification (REPEATTT)
upvoted 9 times
...
...
...
somenick
2 years, 6 months ago
Selected Answer: AF
B is not ok because it allows to create networks, support tickets, manage monitoring - so too much.
upvoted 3 times
...
Innovite
3 years ago
Least priv.. so provided answer is right..
upvoted 3 times
...
starnb
3 years ago
Selected Answer: BF
The correct answer is B and F
upvoted 2 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago