Note: This question is part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains a resource group named RG1.
You create an Azure Active Directory (Azure AD) group named ResearchUsers that contains the user accounts of all researchers.
You need to recommend a solution that meets the following requirements:
-> The researchers must be allowed to create Azure virtual machines.
-> The researchers must only be able to create Azure virtual machines by using specific Azure Resource Manager templates.
Solution: On RG1, assign a custom role-based access control (RBAC) role to the ResearchUsers group.
Does this meet the goal?
Click on the arrows to vote for the correct answer
A. B.B
Instead: On RG1, assign the Contributor role to the ResearchUsers group. Create a custom Azure Policy definition and assign the policy to RG1.
The solution mentioned in the question appears to meet the stated requirements. Assigning a custom role-based access control (RBAC) role to the Azure AD group would provide the necessary permissions to create Azure virtual machines. Furthermore, the custom role can be configured to limit access to specific Azure Resource Manager templates, ensuring that researchers can only create virtual machines using those templates.
RBAC is a built-in feature of Azure that provides a flexible and scalable way to manage access to Azure resources. It allows you to assign permissions to users, groups, or applications at a granular level. RBAC roles are predefined or custom-made and include a set of permissions that determine the actions that can be performed on Azure resources.
Assigning a custom RBAC role to the Azure AD group would involve creating a custom role definition that includes the necessary permissions to create virtual machines and restricting access to specific Resource Manager templates. Once the custom role definition is created, it can be assigned to the ResearchUsers group. This would provide the researchers with the ability to create virtual machines while ensuring that they can only use specific templates.
In summary, the proposed solution of assigning a custom RBAC role to the ResearchUsers group appears to meet the stated requirements. It provides the necessary permissions to create virtual machines and can be configured to limit access to specific Azure Resource Manager templates.