This question tests your understanding of Azure RBAC (Role-Based Access Control) and the principle of least privilege when delegating permissions to manage specific load balancers.

???? Scenario Summary

You have:

Resource group: RG1

Two Load Balancers:

LB1 (Internal)

LB2 (Public)

You must allow Admin1 to manage configuration tasks on both load balancers individually:

Add a backend pool to LB1

Add a health probe to LB2

The goal is to assign the minimal required permissions (least privilege) needed for each operation.

???? Understanding the Role Requirements

1️⃣ Adding a Backend Pool to a Load Balancer

To add or modify a backend pool, you need permissions to:

Update the load balancer’s configuration

Modify the associated NIC or VM backend association

The Network Contributor role includes these permissions.

Microsoft Learn – Network Contributor role permissions:

“Grants full access to manage network resources, including virtual networks, load balancers, network interfaces, and public IP addresses. Does not grant access to manage virtual machines or storage accounts.”

This means Network Contributor on LB1 (the load balancer resource itself) is sufficient to:

Add or remove backend pools

Configure load-balancing rules

Update frontend or backend associations

✅ Correct Role: Network Contributor on LB1

No need for Contributor or Owner at the resource group level because that would grant more privileges than necessary (violates least privilege principle).

2️⃣ Adding a Health Probe to a Load Balancer

A health probe is a property of the load balancer resource itself.

To add or modify a health probe, you only need permissions to update the Load Balancer configuration.

Again, the Network Contributor role includes the required permissions to create or modify health probes.

✅ Correct Role: Network Contributor on LB2

No additional access to RG1 or global resources is required.

???? Why Not Other Roles?

Role

Description

Too much / Too little

Contributor on RG1

Full access to all resources in the group

❌ Too broad

Owner on LB1/LB2

Includes delete and permission management rights

❌ Overprivileged

Network Contributor on RG1

Manage all network resources in RG1

❌ Broader than needed

Network Contributor on LB1/LB2

Manage only the specified load balancer

✅ Least privilege, correct

✅ Final Verified Answers

Task

Role Assignment

To add a backend pool to LB1

✅ Network Contributor on LB1

To add a health probe to LB2

✅ Network Contributor on LB2

Microsoft Official Documentation Extracts (Azure RBAC & Load Balancer):

“The Network Contributor role can manage network resources but not grant access to others.”

“To configure backend pools, health probes, and load balancing rules, assign the Network Contributor role on the load balancer resource itself.”

“Follow the principle of least privilege by assigning resource-level roles instead of group- or subscription-level roles.”

✅ Final Verified Answer Summary:

Backend pool (LB1): Network Contributor on LB1

Health probe (LB2): Network Contributor on LB2