Domain 1.3: Design Governance — AZ-305 Practice Question 13

How to approach this question

When built-in roles grant too much permission, the solution is always a custom RBAC role tailored to the exact actions needed.

Full Answer

A.Create a custom RBAC role with Microsoft.Compute/virtualMachines/start/action and Microsoft.Compute/virtualMachines/powerOff/action permissions.✓ Correct

Create a custom RBAC role with Microsoft.Compute/virtualMachines/start/action and Microsoft.Compute/virtualMachines/powerOff/action permissions.

When built-in Azure RBAC roles do not meet your specific requirements, you should create a custom RBAC role. By specifying only the exact actions needed (start and powerOff/deallocate), you adhere to the principle of least privilege. Assigning 'Virtual Machine Contributor' would give them too much power (create/delete).

Common mistakes

Thinking that a ReadOnly lock allows starting/stopping VMs. Starting a VM changes its state and requires write/action permissions.

How to approach this question

Full Answer

Common mistakes

Practice the full Azure Solutions Architect Expert AZ-305 Practice Exam 1

More questions from this exam