Q: 9
You have an Azure subscription that contains a user named Admin1 and a resource group named RG1.
RG1 contains an Azure Network Watcher instance named NW1.
You need to ensure that Admin1 can place a lock on NW1. The solution must use the principle of least privilege.
Which role should you assign to Admin1?
Options
Discussion
A, not B. Network Contributor (B) looks tempting but it doesn't let you manage locks, that's a classic exam trap. From what I've seen in similar questions, User Access Administrator (A) is the least privilege option for locks specifically. If I'm missing something let me know.
Gotta be A here. User Access Administrator includes lock management without broader resource permissions, which fits the least privilege requirement. Network Contributor (B) can't manage locks. Pretty sure that's right but open if someone disagrees.
Gotta agree with A, only User Access Administrator gives permissions for locks without over-provisioning. The others are too limited or unrelated. Unless something's changed in Azure roles lately, A's the safe bet here.
Maybe A, but if Admin1 already has RBAC-specific rights at a higher scope, wouldn't that change things? Pretty sure User Access Administrator is right for locks but only if it's narrow enough.
It's A for this, since User Access Administrator is the only listed role with just enough rights to put a lock on NW1. Network Contributor always sounds close but doesn't have lock permission I think. Agree?
A
Argh, Microsoft and their RBAC roles again. It's A, User Access Administrator, since that's the least privilege role with lock management allowed without giving away full control.
Not B. Network Contributor lets you manage networks but doesn't give the lock permission, that's a common trap. A is the one that gives just enough to place locks from what I've seen in exam reports.
B not A. Network Contributor can manage networking but I think it covers locks too, so why not B?
A tbh
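The check the thread argues about can be made mechanical: placing a lock requires the `Microsoft.Authorization/locks/write` action, so a role qualifies only if its Actions match it and its NotActions do not. The following is an added example, not part of the original question or discussion; the action lists are abridged from Azure's built-in role definitions as an assumption to confirm against your tenant with `az role definition list --name "<role name>"`, and the helper names are hypothetical.

```python
import re

# Action needed to create or update a management lock.
LOCK_WRITE = "Microsoft.Authorization/locks/write"

# Assumption: Actions/NotActions of the two roles named in the discussion,
# reproduced from the built-in role definitions; verify in your own tenant.
ROLES = {
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "not_actions": [],
    },
    "Network Contributor": {
        "actions": [
            "Microsoft.Authorization/*/read",
            "Microsoft.Insights/alertRules/*",
            "Microsoft.Network/*",
            "Microsoft.ResourceHealth/availabilityStatuses/read",
            "Microsoft.Resources/deployments/*",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
            "Microsoft.Support/*",
        ],
        "not_actions": [],
    },
}


def _matches(pattern, action):
    """Azure RBAC wildcard match: '*' stands for any string, case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def role_allows(role, action):
    """Allowed if some Action matches and no NotAction excludes it."""
    allowed = any(_matches(p, action) for p in role["actions"])
    excluded = any(_matches(p, action) for p in role["not_actions"])
    return allowed and not excluded


def roles_allowing(action, roles=ROLES):
    """Names of the roles whose definition permits the given action."""
    return sorted(name for name, role in roles.items() if role_allows(role, action))


if __name__ == "__main__":
    print(roles_allowing(LOCK_WRITE))
```

Network Contributor matches `Microsoft.Authorization/*/read`, so it can read locks but not write them, which is why it looks close without being sufficient.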