AZ-400 Question #492: Real Exam Question with Answer & Explanation

Question

Hotspot Question You have a project in Azure DevOps that includes two users named User1 and User2. You plan to use Azure Monitor to manage logs. You need to ensure that the users can perform the actions shown in following the table. The solution must follow the principle of least privilege. Which role should you assign to each user? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Answer:

Options

• __typehotspot
• variantdropdown

Explanation

This question tests knowledge of Azure Monitor RBAC roles and the principle of least privilege for managing Log Analytics workspaces and monitoring configurations.

Approach. User1, who needs to create and manage Log Analytics workspaces, should be assigned the 'Log Analytics Contributor' role, which grants full access to manage Log Analytics workspaces including creating them. User2, who only needs to view monitoring data and query logs without making changes, should be assigned the 'Log Analytics Reader' role, which provides read-only access to view all monitoring data and settings. This follows the principle of least privilege by giving each user only the permissions required for their specific tasks - Contributor for management tasks and Reader for read-only access. Assigning User2 a Contributor role would violate least privilege since they only need to read data.

Concept tested. Azure Monitor and Log Analytics RBAC roles: understanding the difference between 'Log Analytics Contributor' (create/manage workspaces, run queries, configure data sources) and 'Log Analytics Reader' (view and query log data in read-only mode), and applying the principle of least privilege to assign the minimum necessary permissions.

Reference. https://learn.microsoft.com/en-us/azure/azure-monitor/logs/manage-access?tabs=portal#azure-rbac

No community discussion yet for this question.