Azure Resource Management for Researchers

Azure Virtual Machine Creation by Researchers

Question

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains a resource group named RG1.

You create an Azure Active Directory (Azure AD) group named ResearchUsers that contains the user accounts of all researchers.

You need to recommend a solution that meets the following requirements:

- The researchers must be allowed to create Azure virtual machines.
- The researchers must only be able to create Azure virtual machines by using specific Azure Resource Manager templates.

Solution: On RG1, assign the Contributor role to the ResearchUsers group. Create a custom Azure Policy definition and assign the policy to RG1.

Does this meet the goal?

Answers

Explanations

A. B.

A

The recommended solution appears to meet the stated requirements only partially.

Assigning the Contributor role to the ResearchUsers group in RG1 would allow the researchers to create Azure virtual machines in RG1. However, this would also give them permission to perform other actions in RG1 that might not be desirable.

Creating a custom Azure Policy definition and assigning the policy to RG1 could help restrict the researchers' ability to create Azure virtual machines by using specific Azure Resource Manager templates. Azure Policy allows administrators to enforce rules and regulations over resources in Azure. By creating a custom policy definition, the administrator can specify which Azure Resource Manager templates the researchers are allowed to use.

However, the solution as described does not explicitly prevent the researchers from creating virtual machines in RG1 by methods other than the specific Azure Resource Manager templates allowed by the custom policy. The researchers may therefore still be able to create virtual machines in other ways, potentially causing unexpected costs or security risks.

Therefore, the recommended solution appears to partially meet the requirements but may not fully meet all of them. A better alternative might be to create a custom role in Azure that only allows the creation of virtual machines using specific Azure Resource Manager templates, and then assign that custom role to the ResearchUsers group in RG1. This would more explicitly meet the requirement of allowing researchers to create virtual machines only by using specific Azure Resource Manager templates.
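The following Python sketch is an added example, not part of the original question or of any Azure tooling. It models how a deny policy assigned to RG1 is evaluated against the properties of each requested resource, which is why the creation method itself is invisible to the rule. The SKU list, publisher, and the `client` label are constructed assumptions, and the evaluator is a simplified stand-in that supports only `allOf`, `not`, `equals` and `in`.

```python
# Toy evaluator for an Azure Policy rule (real policyRule JSON shape, simplified engine).
# Assumption: the approved template deploys only these SKUs from this image publisher.
APPROVED_SKUS = ["Standard_D2s_v3", "Standard_D4s_v3"]   # constructed values
APPROVED_PUBLISHER = "Canonical"                         # constructed value
SKU = "Microsoft.Compute/virtualMachines/sku.name"       # policy alias
PUBLISHER = "Microsoft.Compute/imagePublisher"           # policy alias

POLICY_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"not": {"allOf": [
            {"field": SKU, "in": APPROVED_SKUS},
            {"field": PUBLISHER, "equals": APPROVED_PUBLISHER},
        ]}},
    ]},
    "then": {"effect": "deny"},
}

def _norm(value):
    # Policy string comparisons are case-insensitive.
    return value.lower() if isinstance(value, str) else value

def matches(cond, resource):
    """Return True when the resource satisfies the condition tree."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = _norm(resource.get(cond["field"]))
    if "equals" in cond:
        return value == _norm(cond["equals"])
    if "in" in cond:
        return value in [_norm(v) for v in cond["in"]]
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(resource, rule=POLICY_RULE):
    """Return the rule's effect if the 'if' block matches, else 'allow'."""
    return rule["then"]["effect"] if matches(rule["if"], resource) else "allow"

def vm(sku, publisher, client):
    # 'client' is a constructed label; the rule has no field that can read it.
    return {"type": "Microsoft.Compute/virtualMachines", SKU: sku,
            PUBLISHER: publisher, "client": client}

if __name__ == "__main__":
    for req in (vm("Standard_D2s_v3", "Canonical", "approved-template"),
                vm("Standard_D2s_v3", "Canonical", "portal"),
                vm("Standard_M128s", "Canonical", "cli"),
                {"type": "Microsoft.Storage/storageAccounts", "client": "cli"}):
        print(req["client"], req["type"], "->", evaluate(req))
```

A portal request with the same properties as the template is allowed, and the storage account request passes untouched because the rule only scopes virtual machines while Contributor still grants the write.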