Assign Reader Role for Azure Virtual Network (VNet1) to Other Users | Exam AZ-100 | Microsoft Azure

Assigning Reader Role for VNet1 in Azure Subscription1 to Other Users

Question

You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1.

Subscription1 has a user named User1. User1 has the following roles:

- Reader
- Security Admin
- Security Reader

You need to ensure that User1 can assign the Reader role for VNet1 to other users.

What should you do?

Answers


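A. Assign User1 the Owner role for VNet1.

B. Assign User1 the Network Contributor role for VNet1.

C. Assign User1 the Network Contributor role for RG1.

D. Remove User1 from the Security Reader role for Subscription1. Assign User1 the Contributor role for RG1.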

A

https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

To enable User1 to assign the Reader role for VNet1 to other users, you need to grant User1 appropriate permissions for VNet1 or the resource group RG1 containing VNet1. Here are the options available to accomplish this:

Option A: Assign User1 the Owner role for VNet1. If you assign User1 the Owner role for VNet1, User1 will have full access to VNet1 and will be able to perform any operation, including assigning roles to other users. However, this option grants too much privilege to User1 and may not be necessary if you only want User1 to assign the Reader role.

Option B: Assign User1 the Network Contributor role for VNet1. Assigning User1 the Network Contributor role for VNet1 will grant User1 permissions to create and manage network resources in VNet1, including assigning the Reader role to other users. However, this option limits User1's access to only VNet1 and not other resources in RG1. This may be sufficient if User1 only needs to manage network resources in VNet1.

Option C: Assign User1 the Network Contributor role for RG1. Assigning User1 the Network Contributor role for RG1 will grant User1 permissions to create and manage network resources in any virtual network in RG1, including assigning the Reader role to other users. This option grants User1 a higher level of privilege than option B, as User1 can manage all virtual networks in RG1. However, this option is still more restrictive than option A, as User1 does not have full access to all resources in RG1.

Option D: Remove User1 from the Security Reader role for Subscription1. Assign User1 the Contributor role for RG1. Removing User1 from the Security Reader role for Subscription1 and assigning User1 the Contributor role for RG1 will grant User1 permissions to manage all resources in RG1, including VNet1. This option grants User1 a higher level of privilege than option A, as User1 can manage all resources in RG1, but is still more restrictive than option B or C, as User1 cannot manage other virtual networks in RG1 unless explicitly granted permissions to do so.

Therefore, the best option to ensure that User1 can assign the Reader role for VNet1 to other users while limiting User1's privilege is to assign User1 the Network Contributor role for VNet1 (option B).
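
Assigning a role at a scope requires the `Microsoft.Authorization/roleAssignments/write` operation at that scope or a parent of it. The example below is added here and is not part of the original page: it evaluates the four options against abbreviated Actions/NotActions excerpts of the built-in role definitions documented at the link above. The resource IDs, the helper names, and the assumption that User1's existing roles are held at subscription scope are constructed for the example.

```python
from fnmatch import fnmatchcase

ASSIGN = "Microsoft.Authorization/roleAssignments/write"  # needed to assign any role

# role -> (Actions, NotActions). Abbreviated excerpts of the built-in role
# definitions, constructed for this example; not the complete definitions.
ROLES = {
    "Owner": (["*"], []),
    "Contributor": (["*"], ["Microsoft.Authorization/*/Delete",
                            "Microsoft.Authorization/*/Write",
                            "Microsoft.Authorization/elevateAccess/Action"]),
    "Network Contributor": (["Microsoft.Authorization/*/read", "Microsoft.Network/*",
                             "Microsoft.Resources/deployments/*"], []),
    "Reader": (["*/read"], []),
    "Security Admin": (["Microsoft.Authorization/*/read", "Microsoft.Security/*",
                        "Microsoft.Authorization/policyAssignments/*"], []),
    "Security Reader": (["Microsoft.Authorization/*/read",
                         "Microsoft.Security/*/read"], []),
}

SUB = "/subscriptions/sub1"  # constructed placeholder resource IDs
RG1 = SUB + "/resourceGroups/RG1"
VNET1 = RG1 + "/providers/Microsoft.Network/virtualNetworks/VNet1"

def _matches(patterns, operation):
    # Operation names are case-insensitive; "*" matches any run of characters.
    return any(fnmatchcase(operation.lower(), p.lower()) for p in patterns)

def role_allows(role, operation):
    actions, not_actions = ROLES[role]
    return _matches(actions, operation) and not _matches(not_actions, operation)

def in_scope(assigned, target):
    # An assignment applies to its own scope and to every child scope.
    a, t = assigned.lower().rstrip("/"), target.lower()
    return t == a or t.startswith(a + "/")

def can_perform(assignments, operation, target):
    # Effective access is the union over all in-scope assignments; NotActions
    # only subtract inside their own role and do not block other roles.
    return any(in_scope(s, target) and role_allows(r, operation) for r, s in assignments)

USER1 = [("Reader", SUB), ("Security Admin", SUB), ("Security Reader", SUB)]
OPTIONS = {
    "A": USER1 + [("Owner", VNET1)],
    "B": USER1 + [("Network Contributor", VNET1)],
    "C": USER1 + [("Network Contributor", RG1)],
    "D": [a for a in USER1 if a[0] != "Security Reader"] + [("Contributor", RG1)],
}

def evaluate_options():
    return {k: can_perform(v, ASSIGN, VNET1) for k, v in OPTIONS.items()}
```
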