Microsoft Azure Administrator Associate AZ-104 Practice Question

Creating a custom role in the Azure portal by cloning the 'Virtual Machine Contributor' role and removing network permissions allows you to grant developers the exact permissions needed. This approach ensures they can manage virtual machines without the ability to modify virtual networks, adhering to the principle of least privilege. Using Azure PowerShell to create a custom role is an alternative, but the portal offers a more user-friendly and direct method in this scenario. Assigning the 'Contributor' role would grant excessive permissions beyond what is necessary, including network modifications. Azure Active Directory custom roles manage permissions within Azure AD and do not control access to Azure resources like virtual machines and networks.