Microsoft Azure Architect Design (AZ-304) Practice Test

What should be assigned to the ResearchUsers group to limit them to creating Azure virtual machines via specific Resource Manager templates?

• A. A standard role-based access control (RBAC) role
• B. A custom role-based access control (RBAC) role
• C. A built-in Azure role
• D. A network security group (NSG)

The correct answer is: A custom role-based access control (RBAC) role

Assigning a custom role-based access control (RBAC) role to the ResearchUsers group is the most effective way to limit them to creating Azure virtual machines using specific Resource Manager templates. Custom RBAC roles are particularly useful when the default built-in roles do not meet the specific requirements of a scenario. By defining a custom role, you can specify the exact permissions needed for the group, such as creating and managing virtual machines while restricting access to other resources or actions that are not relevant to their work. This flexibility allows for a very precise definition of what actions the ResearchUsers group can perform, ensuring that they have all the necessary permissions to utilize the designated Resource Manager templates while maintaining control over the broader Azure environment by preventing access to other functionalities that could lead to unintentional changes or security risks. In contrast, standard RBAC roles and built-in Azure roles might encompass a wider set of permissions than what is required for this particular use case, potentially allowing access to resources or actions that should be restricted. Network security groups (NSGs) are focused on controlling inbound and outbound traffic to Azure resources and do not facilitate the management of virtual machines. Thus, creating and assigning a custom RBAC role is the most suitable approach in this context.