
This question tests your understanding of Azure RBAC (Role-Based Access Control) and the principle of least privilege when delegating permissions to manage specific load balancers.
Scenario Summary
You have:
Resource group: RG1
Two Load Balancers:
LB1 (Internal)
LB2 (Public)
You must allow Admin1 to manage configuration tasks on both load balancers individually:
Add a backend pool to LB1
Add a health probe to LB2
The goal is to assign the minimal required permissions (least privilege) needed for each operation.
Understanding the Role Requirements
1️⃣ Adding a Backend Pool to a Load Balancer
To add or modify a backend pool, you need permissions to:
Update the load balancer’s configuration
Modify the associated NIC or VM backend association
The Network Contributor role includes these permissions.
Microsoft Learn – Network Contributor role permissions:
“Grants full access to manage network resources, including virtual networks, load balancers, network interfaces, and public IP addresses. Does not grant access to manage virtual machines or storage accounts.”
This means Network Contributor on LB1 (the load balancer resource itself) is sufficient to:
Add or remove backend pools
Configure load-balancing rules
Update frontend or backend associations
✅ Correct Role: Network Contributor on LB1
Contributor or Owner at the resource group level is not needed: either would grant more privileges than necessary, which violates the principle of least privilege.
2️⃣ Adding a Health Probe to a Load Balancer
A health probe is a property of the load balancer resource itself.
To add or modify a health probe, you only need permissions to update the Load Balancer configuration.
Again, the Network Contributor role includes the required permissions to create or modify health probes.
✅ Correct Role: Network Contributor on LB2
No additional access to RG1 or global resources is required.
Why Not Other Roles?

| Role | Description | Too much / Too little |
| --- | --- | --- |
| Contributor on RG1 | Full access to all resources in the group | ❌ Too broad |
| Owner on LB1/LB2 | Includes delete and permission management rights | ❌ Overprivileged |
| Network Contributor on RG1 | Manage all network resources in RG1 | ❌ Broader than needed |
| Network Contributor on LB1/LB2 | Manage only the specified load balancer | ✅ Least privilege, correct |
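
The options compared above can be checked mechanically. The following is an added example, not part of the original explanation or any Microsoft code: a simplified model of Azure RBAC scope inheritance and wildcard actions that reports, for each option, whether both tasks are possible and which unneeded operations it also grants. The role definitions are reduced to the entries relevant here, and the subscription ID, VNET1 and VM1 are constructed placeholders.

```python
from fnmatch import fnmatchcase

# Simplified role definitions as (actions, not_actions); only relevant entries are modelled.
ROLES = {
    "Network Contributor": (["Microsoft.Network/*"], []),
    "Contributor": (["*"], ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]),
    "Owner": (["*"], []),
}
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed placeholder
RG1 = SUB + "/resourceGroups/RG1"
LB1 = RG1 + "/providers/Microsoft.Network/loadBalancers/LB1"
LB2 = RG1 + "/providers/Microsoft.Network/loadBalancers/LB2"
VNET1 = RG1 + "/providers/Microsoft.Network/virtualNetworks/VNET1"  # hypothetical resource
VM1 = RG1 + "/providers/Microsoft.Compute/virtualMachines/VM1"      # hypothetical resource
# The two tasks from the scenario (assumption: a probe is written via the load balancer itself).
REQUIRED = [("Microsoft.Network/loadBalancers/backendAddressPools/write", LB1),
            ("Microsoft.Network/loadBalancers/write", LB2)]
# Operations Admin1 does not need; any of these that is allowed counts as excess privilege.
UNNEEDED = [("Microsoft.Network/virtualNetworks/write", VNET1),
            ("Microsoft.Compute/virtualMachines/write", VM1),
            ("Microsoft.Authorization/roleAssignments/write", LB1)]

def in_scope(scope, resource_id):
    """An assignment applies to its own scope and to every resource beneath it."""
    scope, resource_id = scope.rstrip("/").lower(), resource_id.lower()
    return resource_id == scope or resource_id.startswith(scope + "/")

def matches(action, patterns):
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def allowed(assignments, action, resource_id):
    """True if any (role, scope) assignment grants the action on the resource."""
    return any(in_scope(scope, resource_id) and matches(action, ROLES[role][0])
               and not matches(action, ROLES[role][1]) for role, scope in assignments)

def evaluate(assignments):
    """Return (both tasks possible?, unneeded operations that are also granted)."""
    ok = all(allowed(assignments, a, r) for a, r in REQUIRED)
    excess = [a for a, r in UNNEEDED if allowed(assignments, a, r)]
    return ok, excess

OPTIONS = {
    "Contributor on RG1": [("Contributor", RG1)],
    "Owner on LB1/LB2": [("Owner", LB1), ("Owner", LB2)],
    "Network Contributor on RG1": [("Network Contributor", RG1)],
    "Network Contributor on LB1/LB2": [("Network Contributor", LB1), ("Network Contributor", LB2)],
}
if __name__ == "__main__":
    print({name: evaluate(a) for name, a in OPTIONS.items()})
```

Only the resource-scoped Network Contributor assignments complete both tasks with an empty excess list; an assignment on LB1 alone does not reach LB2.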
✅ Final Verified Answers
| Task | Role Assignment |
| --- | --- |
| To add a backend pool to LB1 | ✅ Network Contributor on LB1 |
| To add a health probe to LB2 | ✅ Network Contributor on LB2 |
Microsoft Official Documentation Extracts (Azure RBAC & Load Balancer):
“The Network Contributor role can manage network resources but not grant access to others.”
“To configure backend pools, health probes, and load balancing rules, assign the Network Contributor role on the load balancer resource itself.”
“Follow the principle of least privilege by assigning resource-level roles instead of group- or subscription-level roles.”
✅ Final Verified Answer Summary:
Backend pool (LB1): Network Contributor on LB1
Health probe (LB2): Network Contributor on LB2