Microsoft Azure Security Technologies (AZ-500)


Study for the Microsoft Azure Security Technologies (AZ-500) exam. Prepare with well-structured questions and detailed explanations. Enhance your understanding and improve your readiness for the certification exam!



What is the least privilege solution to allow User1 to create managed identities in Azure?

  1. Create a management group and assign User1 the Hybrid Identity Administrator role.

  2. Create a management group and assign User1 the Managed Identity Operator role.

  3. Create a resource group and assign User1 to the Managed Identity Contributor role.

  4. Create an organizational unit and assign User1 the User administrator role.

The correct answer is: Create a resource group and assign User1 to the Managed Identity Contributor role.

Assigning User1 the Managed Identity Contributor role at resource group scope is the least privilege solution for allowing the creation of managed identities in Azure. The Managed Identity Contributor role is specifically designed to permit users to create and manage user-assigned managed identities for Azure resources. It grants the permissions needed for that task without granting access to other resources or management capabilities in the Azure environment, in line with the principle of least privilege.

Scope matters as much as the role. Scoping the role assignment to a resource group, rather than to a subscription or management group, means User1 can only create and manage identities within that resource group, which limits exposure of other, potentially critical, resources.

The other options use roles that are either too broad in scope or unrelated to managed identities. Hybrid Identity Administrator and User Administrator are directory roles that cover hybrid identity configuration and user account administration in general; they do not focus on managed identities, which are Azure resources governed by Azure RBAC. Managed Identity Operator only allows reading and assigning existing identities, not creating them, and granting it at management group scope would also be far broader than required. An organizational unit is an on-premises Active Directory construct, not an Azure scope at all. Therefore, the Managed Identity Contributor role at resource group scope is the most appropriate and most restricted option for the requirement stated in the question.