Microsoft Azure Solutions Architect Expert AZ-305 Practice Question
Contoso Ltd. employs 30 first-line support engineers who must be able to restart any virtual machine in the company's three Azure subscriptions during their 8-hour shift. Security policy requires that:
Engineers receive only the minimum permissions necessary.
Access must expire automatically at the end of each shift.
A shift lead must approve the access request before it is granted.
You need to recommend an authorization solution that meets the requirements while minimizing administrative effort. What should you recommend?
Create a custom Azure RBAC role that includes only the Microsoft.Compute/virtualMachines/restart/action permission, onboard each subscription to Azure AD Privileged Identity Management, and assign the role as eligible directly to every engineer at the subscription scope. Configure PIM to require shift-lead approval and set the activation duration to eight hours.
Create an Azure Automation runbook that restarts virtual machines and grant the engineers permission to invoke the runbook through an Azure DevOps pipeline.
Add the engineers to the built-in Contributor role at each subscription scope and configure Azure AD Access Reviews to run once per month.
Use Azure AD PIM to make each engineer eligible for the built-in Virtual Machine Contributor role at the resource-group level with no approval workflow and a permanent assignment.
Azure AD Privileged Identity Management (PIM) for Azure RBAC allows you to create eligible, time-bound assignments that can require approval and automatically expire after a maximum of eight hours. By defining a custom RBAC role that contains only the Microsoft.Compute/virtualMachines/restart/action permission, you enforce least privilege. Assigning that role as eligible directly to each engineer at the subscription scope avoids the limitation that group assignments cannot be made eligible, yet still requires only a one-time setup per engineer. The PIM settings let a shift lead approve each activation request. The Contributor and Virtual Machine Contributor roles grant unnecessary permissions, and monthly access reviews or automation pipelines do not deliver the required per-shift, approval-based, time-bound access.
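The custom role described in the explanation, written as a role definition file. This is an added example, not part of the original question: the role name and description are assumptions, and the subscription IDs are placeholders for Contoso's three subscriptions.

```json
{
  "Name": "Virtual Machine Restart Operator",
  "IsCustom": true,
  "Description": "Constructed example: allows restarting virtual machines and nothing else. Subscription IDs below are placeholders.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/restart/action"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<subscription-id-1>",
    "/subscriptions/<subscription-id-2>",
    "/subscriptions/<subscription-id-3>"
  ]
}
```

A file in this shape can be passed to `az role definition create --role-definition`. The approval requirement and the eight-hour activation duration are not part of the role definition; they are set in the PIM role settings for this role at each subscription.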
Microsoft Azure Solutions Architect Expert AZ-305
Design identity, governance, and monitoring solutions