Exam AZ-700 topic 4 question 20 discussion

It seems the provided answer to be correct: "To create or delete management locks, you need access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions. Only the Owner and the User Access Administrator built-in roles can create and delete management locks." https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json#who-can-create-or-delete-locks * The question is about placing a lock, not about using Network Watcher

Well, after reviewing more, I think I was premature in saying the answer was 100% C. I was 100% wrong!! The correct answer is absolutely, 100% A. User Access Administrator The key to the questions is that we're being asked what permissions are required to place a __lock__ (resource lock) on the Network Watcher resource. To create or delete management locks, you need access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions. Only the Owner and the User Access Administrator built-in roles can create and delete management locks. You can create a custom role with the required permissions. Source: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json#who-can-create-or-delete-locks

User Access Administrator. Its a az-104 question

A. User Access Administrator The User Access Administrator role allows users to manage user access to Azure resources, which includes placing locks on resources to prevent accidental deletion or modification. This role provides the necessary permissions to create and manage locks without granting excessive permissions over the resources themselves.

Who can create or delete locks To create or delete management locks, you need access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions. Only the Owner and the User Access Administrator built-in roles can create and delete management locks. You can create a custom role with the required permissions. Network Contributor Microsoft.Authorization/*/read Read roles and role assignments

This question really has nothing to do with Network Watcher or Azure Networking. What they want you to know is that you need the User Access Administrator role in order to make changes to create/delete management locks to ANY resource, not just Network Watcher. I doubt this question would be on the test

A is the correct answer. Network Contributor cannot add lock

Tested. User Access Administrator is right answer.

The correct answer is 100% C. Network Contributor To use Network Watcher capabilities, the account you log into Azure with, must be assigned to the Owner, Contributor, or Network contributor built-in roles, or assigned to a custom role that is assigned the actions listed for each Network Watcher capability in the sections that follow. Source: https://learn.microsoft.com/en-us/azure/network-watcher/required-rbac-permissions

A is right answer

C. Network Contributor

Assigning the "User Access Administrator" role to Admin1 would allow them to manage access to all resources in the Azure subscription, including managing role assignments for all users, groups, and service principals. This would be excessive and not in line with the principle of least privilege since Admin1 only needs to be able to place a lock on the Azure Network Watcher instance named NW1. Assigning the "User Access Administrator" role to Admin1 would provide them with more permissions than necessary and could potentially lead to accidental or intentional misuse of the additional privileges. Therefore, it is not recommended to assign the "User Access Administrator" role to Admin1 for placing a lock on NW1. The "Network Contributor" role would be more appropriate in this scenario. C. Network Contributor

agree with Answer A

Who can create or delete locks: To create or delete management locks, you need access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions. Only the Owner and the User Access Administrator built-in roles can create and delete management locks. You can create a custom role with the required permissions. Answer: A https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json

"To use Network Watcher capabilities, the account you log into Azure with, must be assigned to the Owner, Contributor, or Network contributor built-in roles" https://learn.microsoft.com/en-us/azure/network-watcher/required-rbac-permissions