Microsoft Azure Solutions Architect Expert AZ-305 Practice Question
Your company runs several Azure subscriptions that host production App Service web apps. A group of support engineers must be able to restart any web app during an incident. They must not have permissions to change configuration or deploy code. Access must be requested on demand, limited to two hours per activation, and all activations must be auditable. Which authorization approach should you recommend?
Generate a user-delegation SAS token for each web app's deployment slot and give the tokens to the support engineers.
Create and assign an Azure Policy initiative that allows the Restart action on App Service resources.
Create a custom Azure RBAC role that contains only the restart and stop actions for Microsoft.Web sites and assign it to the support engineers as an eligible assignment by using Azure AD Privileged Identity Management with a two-hour maximum activation.
Permanently assign the built-in Website Contributor role to the support engineers at the subscription scope.
Using a least-privilege model, you should grant only the restart permission and make it time-bound. Creating a custom Azure RBAC role that includes only the management actions Microsoft.Web/sites/restart/action and Microsoft.Web/sites/stop/action meets the permission scope requirement. Assigning that role through Azure AD Privileged Identity Management as an eligible role allows each engineer to activate it only when needed, for a configured maximum of two hours, and records every activation for audit. The built-in Website Contributor role grants many additional write permissions, which violates least privilege, and assigning it permanently would not be time-bound. Azure Policy can enforce or deny resource configurations but does not grant operational permissions. A user-delegation SAS token applies to storage resources and cannot restart App Service instances.
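The custom role from the explanation above, as an added example that is not part of the original question: it builds the role definition and checks any role definition for grants beyond the two permitted actions. The role name, the placeholder subscription ID and the over-broad sample are constructed for illustration; the PIM eligible assignment and its two-hour activation limit are configured separately and are not shown.

```python
import json

# Actions the scenario permits (from the explanation above), lower-cased
# because Azure action strings are compared case-insensitively.
ALLOWED = {
    "microsoft.web/sites/restart/action",
    "microsoft.web/sites/stop/action",
}

def build_restart_role(subscription_ids):
    """Custom role in the JSON shape `az role definition create` accepts."""
    return {
        "Name": "Web App Restart Operator",  # hypothetical role name
        "IsCustom": True,
        "Description": "Restart or stop web apps; no configuration or deployment rights.",
        "Actions": [
            "Microsoft.Web/sites/restart/action",
            "Microsoft.Web/sites/stop/action",
        ],
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [f"/subscriptions/{s}" for s in subscription_ids],
    }

def excess_permissions(role):
    """Return a finding for every grant beyond ALLOWED; an empty list means clean."""
    findings = []
    for key in ("Actions", "DataActions"):
        for action in role.get(key, []):
            if "*" in action:
                # Any wildcard can match more than the two permitted actions.
                findings.append(f"{key}: wildcard '{action}'")
            elif action.lower() not in ALLOWED:
                findings.append(f"{key}: not permitted '{action}'")
    return findings

# Constructed sample of an over-broad role, for comparison.
BROAD_SAMPLE = {
    "Actions": [
        "Microsoft.Web/sites/*",
        "Microsoft.Web/sites/Restart/Action",
        "Microsoft.Web/sites/config/write",
    ],
}

if __name__ == "__main__":
    role = build_restart_role(["00000000-0000-0000-0000-000000000000"])  # placeholder ID
    print(json.dumps(role, indent=2))
    print(excess_permissions(role))
    print(excess_permissions(BROAD_SAMPLE))
```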
Design identity, governance, and monitoring solutions