Microsoft Azure Architect Design (AZ-304) Practice Test

What is the best method to prevent an admin user from modifying resources in a specific resource group while still allowing management of resources in other groups?

• A. Implement an Azure policy
• B. Utilize role-based access control (RBAC)
• C. Create an Azure blueprint
• D. Set up a management group

The correct answer is: Utilize role-based access control (RBAC)

Utilizing role-based access control (RBAC) is the best method to prevent an admin user from modifying resources in a specific resource group while still allowing management of resources in other groups. RBAC allows you to define fine-grained access permissions for users, groups, and applications at different scopes including management groups, subscriptions, resource groups, and individual resources. By assigning specific roles to the admin user at the resource group level, you can restrict their permissions. For example, you could assign a role that grants the user access to manage resources in other resource groups but does not grant permission to modify or delete specific resources in the targeted resource group. This method is highly flexible and directly addresses the need to control resource management privileges. In contrast, implementing an Azure policy is more about enforcing rules for resource compliance across subscriptions and resource groups, rather than specifically controlling access permissions for users. Azure blueprints are used for setting up configurations and compliance mechanisms, involving a collection of resources and policies, but they do not directly manage user permissions. Furthermore, setting up a management group organizes subscriptions and provides a way to apply policies or permissions across multiple subscriptions but does not target permissions at a specific resource group level directly.