Microsoft Azure Architect Design (AZ-304) Practice Test

If members of a development team must create resources but cannot change role assignments, what is the most effective Azure solution?

• A. Assign the Contributor role to the development team
• B. Assign the Owner role to the development team
• C. Create a new Azure subscription
• D. Assign a limited custom role to the development team

The correct answer is: Assign a limited custom role to the development team

Assigning a limited custom role to the development team is the most effective Azure solution in this scenario because it allows for fine-grained access control tailored specifically to the team's needs. A custom role can be defined to grant permissions for creating and managing resources without providing the ability to change role assignments or permissions. This approach promotes security and adherence to the principle of least privilege, ensuring the team can perform their development tasks effectively without the risk of inadvertently altering access controls. Custom roles can be tailored to include only necessary permissions, allowing flexibility in governance and compliance. The other options introduce excess permissions that do not align with the requirement. For instance, assigning the Contributor role would enable the team to create and manage resources but also permit them to modify role assignments, thus violating the constraint in the question. Similarly, the Owner role grants full management permissions, including the ability to assign roles, which is not desirable. Creating a new Azure subscription does not directly address the issue of role management and might complicate the development environment unnecessarily.