In Microsoft Azure, Role-Based Access Control (RBAC) defines what actions users can perform on resources. The Contributor role is one of the built-in Azure roles that provides extensive permissions but excludes access management rights.
According to the Microsoft Azure Administrator documentation under “Built-in roles for Azure resources”, the Contributor role has the following definition:
“Grants full access to manage all Azure resources, including the ability to create and manage resources, but does not grant permission to assign roles or manage access rights.”
This means that a Contributor can perform any configuration or management task on a resource (such as starting, stopping, resizing, or modifying a virtual machine) but cannot grant or modify permissions for other users.
Let’s analyze each option in this context:
A. Add a data disk — ✅ Correct
A Contributor can attach, detach, or manage data disks for the VM.
These actions involve resource management operations under the Microsoft.Compute/virtualMachines namespace, which are permitted to the Contributor role.
Microsoft Documentation Reference (Compute Resource Provider Operations):
Contributors can “create, update, and delete virtual machines, disks, and configurations.”
B. Configure a daily backup — ❌ Incorrect
Configuring a daily backup requires permissions within the Recovery Services vault or Backup vault resource type (Microsoft.RecoveryServices/vaults/*).
The Contributor role on the VM does not automatically grant access to vault-level resources.
Hence, User1 cannot configure or schedule a daily backup without additional permissions on the vault.
C. Assign User2 the Contributor role for VM1 — ❌ Incorrect
Assigning or modifying RBAC roles requires the Owner or User Access Administrator role because it involves operations under the Microsoft.Authorization/roleAssignments/* permission.
The Contributor role does not include these permissions.
Therefore, User1 cannot assign roles to others.
D. Upload an image of VM1 to an Azure compute gallery — ✅ Correct
The Contributor can capture or generalize a VM and upload its image to an Azure Compute Gallery, as this operation falls under the VM and image management permissions (Microsoft.Compute/galleries/images/*).
This action is considered a resource management operation and does not require ownership or RBAC rights beyond Contributor.
E. Assign User2 the Reader role for VM1 — ❌ Incorrect
Similar to option C, assigning RBAC roles is a management operation restricted to users with Owner or User Access Administrator privileges.
Contributors cannot modify or assign access control permissions.
