Manage Azure Identities and Governance tests Azure AD users and groups, RBAC role assignments, management groups, subscriptions, and Azure Policy.
Start practicing
Manage Azure Identities and Governance — choose a session length
Free · No account required
Domain overview
Identity and governance is the foundation of AZ-104. The RBAC scope hierarchy and the difference between Azure AD roles and Azure RBAC roles cause the most confusion — get these right before exam day.
Exam objectives
Azure AD objects: users, groups, service principals, and managed identities.
RBAC: built-in roles (Owner, Contributor, Reader), custom roles, and scope hierarchy.
Management groups, subscriptions, resource groups, and how policy inheritance flows down.
Azure Policy effects: Deny, Audit, Append, DeployIfNotExists, and Modify.
Assuming Owner at the resource group level grants Owner access to the subscription — roles do not inherit upward.
Confusing Azure AD roles (directory-level) with Azure RBAC roles (resource-level).
Forgetting that Azure Policy can only enforce compliance going forward — existing non-compliant resources require a remediation task.
Mixing up Deny (blocks creation) and Audit (logs non-compliance) policy effects.
Click any question to see the full explanation and answer options, or start a focused practice session above.
Your company has an Azure subscription named Prod-Sub. You create a custom role that allows users to restart virtual machines but not create, delete, or resize them. You need to ensure that members of the VMOperators group can use this custom role only for virtual machines in the RG-Prod resource group. What should you do?
2Your organization assigns an Azure Policy at the Corp-MG management group to require the tag Environment on all newly created resources. A deployment to RG-App in the Prod-Sub subscription fails because the tag is missing. You need to allow this single deployment to proceed without weakening enforcement for the rest of the organization. What should you do?
3A help desk team must be able to reset passwords for cloud users in Microsoft Entra ID, but they must not be able to create or delete users. Which built-in role should you assign?
4You need to assign the same RBAC role to 15 administrators so they can manage backups for several virtual machines. You want to minimize ongoing administrative effort when membership changes. What should you use?
5A storage account named stfinance01 contains critical data. Administrators must still be able to read and modify the data, but no one should be able to delete the storage account accidentally. What should you configure?
6Your company has two subscriptions named Dev-Sub and Prod-Sub. A new administrator must be able to create resource groups only in Dev-Sub and must not have any permissions in Prod-Sub. What should you do?
7Your organization requires all storage accounts to allow access only from selected networks. You need a governance solution that automatically corrects noncompliant new storage accounts when possible instead of only reporting them. What policy effect should you choose?
8You need to prevent accidental deletion of a production resource group while still allowing administrators to update resources inside it. What should you apply to the resource group?
9Your company has two Azure subscriptions named Dev-Sub and Prod-Sub. You need to ensure that a user can create resource groups only in Dev-Sub and nowhere else. What should you do?
10You need to ensure that all new resources deployed to a subscription automatically receive a CostCenter tag with a default value if the tag is omitted during deployment. Which Azure governance feature should you use?
11You need to ensure that all users in the HelpdeskAdmins group can reset passwords for cloud-only users in Microsoft Entra ID but cannot modify group memberships or delete users. Which role should you assign?
12You need to ensure that all newly created resource groups in a subscription automatically inherit the CostCenter tag with a fixed value, even if the creator forgets to add it. Which Azure Policy effect should you use?
13Your company uses Microsoft Entra ID. A new engineer must be able to create virtual machines in RG-Dev but must not be able to assign roles to other users. Which built-in role should you assign at the RG-Dev scope?
14An administrator grants the Helpdesk group the User Administrator role at the tenant scope. The team should be able to reset passwords only for users in the Europe-Users administrative unit. What should the administrator do?
15An Azure subscription contains several resource groups. You need to ensure that users can create virtual machines only in regions approved by the security team. Existing noncompliant VMs can remain unchanged. What should you do?
16Your company wants to enforce a standard list of allowed Azure regions for all new resource deployments across several subscriptions. You need a centralized governance solution that can be assigned once and inherited by the child subscriptions. What should you use?
17You need to ensure that a contractor can manage virtual machines only in the RG-Test resource group and cannot access any other resource groups in the subscription. What is the best way to achieve this?
18You need to ensure that junior administrators can view all resources in the Prod-Sub subscription but cannot create, modify, or delete any resources. Which Azure RBAC role should you assign?
19You need to prevent accidental deletion of a resource group while still allowing administrators to create and modify resources inside it. Which lock should you apply?
20You need to ensure that a user can view cost data for Azure resources but cannot create or modify those resources. Which built-in role should you assign at the required scope?
21Your organization wants all subscriptions under the Corp-MG management group to inherit a policy that blocks deployment of resource types not on an approved list. Which Azure feature should you use?
22You need to ensure that administrators cannot accidentally delete a production virtual network, but they must still be able to update subnet settings. Which Azure feature should you apply?
23You need to allow a support engineer to restart virtual machines in the RG-App resource group, but the engineer must not be able to create, delete, or resize the virtual machines. What should you do?
24You need to prevent accidental deletion of a resource group while still allowing administrators to create and modify resources inside it. Which Azure lock should you apply?
25You need to ensure that a finance analyst can view all resources in the Finance-Sub subscription and also view spending details, but cannot create, modify, or delete any resources. Which built-in Azure RBAC role should you assign?
26Your company wants every subscription under the Corp-MG management group to block the creation of resource groups unless the deployment includes the tags CostCenter and Environment. You need a centralized solution that is inherited by child subscriptions. What should you configure?
27You need to let a junior administrator manage virtual machines only in the RG-Dev resource group. The administrator must not be able to change role assignments or manage other resource groups. Which role assignment should you use?
28An Azure application and an Azure Automation account need Azure access without any stored secrets. The same identity should be reusable and should not require manual secret rotation. Which two identity choices meet the requirement? Select two.
29You need to ensure engineers cannot delete a production resource group, but they must still be able to start and stop VMs and change network rules during maintenance. Which resource lock should you apply to the resource group?
30An administrator added a user to an Entra security group that already has Contributor on a resource group. The role assignment is correct, but the user still gets 'You do not have access' in the Azure portal 5 minutes later. What is the most likely next step?
31A support engineer must start and restart one specific virtual machine from the Azure portal, but must not be able to delete the VM, change networking, or grant access to others. Which two actions should be included in a custom role? Select two.
32A storage automation service principal must upload, read, and delete blob data in one container by using Microsoft Entra authentication. It must not manage storage account settings, keys, or other containers. Which approach is best?
33A user had a direct Reader assignment on a virtual machine, but that assignment was removed. The user can still open the VM blade and view its properties. Which two sources could still be granting access? Select two.
34A resource group has a ReadOnly lock applied to it. An operator can view the resources, but several portal changes fail. Which two operations will fail because of the lock? Select two.
35A support engineer must start, stop, and restart only one virtual machine named vm-app01. The engineer should not gain permissions on any other virtual machine in the subscription. What is the best scope for the role assignment?
36An enterprise wants one governance package to be applied automatically to every production subscription that is added in the future. The package contains several policy definitions that should be managed together. Which two actions are required? Select two.
37Your company has separate subscriptions for development, test, and production. Security wants one baseline policy and one RBAC assignment to apply automatically to every production subscription now and in the future. What should you use?
38A developer has the Contributor role on a subscription. Their ARM deployment of a virtual machine with a public IP fails, and the error message says the request is denied by policy. The developer can create other resources successfully. What should you change to allow this deployment while keeping the Contributor role unchanged?
39A developer has the Contributor role on a resource group and tries to deploy a Windows VM with a public IP address. The deployment fails, even though the role assignment is active. Which two checks should you perform first to confirm why the deployment failed? Select two.
40An Azure Automation account runs PowerShell runbooks that must authenticate to Azure resources without embedded secrets. The automation account is recreated periodically during deployment, and the identity must continue to work after recreation without reissuing credentials. Which identity should you use?
41Your company wants one governance baseline to apply automatically to all current and future production subscriptions, and finance wants cost reporting by application across many resource groups. Which two design choices best satisfy the requirements? Select two.
42A contractor is a member of an Entra security group that has a PIM-eligible Contributor assignment on a resource group. The contractor sees the role in the portal, but deployment fails with a role not active message. The activation policy requires justification, MFA, and manager approval. Which two actions are required before the deployment succeeds? Select two.
43Your company has multiple applications deployed across separate production and nonproduction subscriptions. Finance wants cost reporting by application, and each app team should manage only its own resources. Which two design choices best satisfy both requirements? Select two.
44An Azure Automation account is recreated periodically during a migration project. Runbooks must authenticate to Azure resources without embedded secrets, and the identity must continue to work after the account is rebuilt. Which two choices should you make? Select two.
45A contractor is a member of an Entra security group that has the Contributor role on a resource group. When the contractor tries to deploy, the portal says the role is not active. The activation request requires approver approval, and the previous activation window has expired. What should the contractor do?
46A company wants to prevent users from creating storage accounts unless the resources include a costCenter tag. Which Azure feature should be used?
47You want to let a support engineer restart only the virtual machines in the Prod-Apps resource group, and any VM added later to that group should also be covered. Where should you assign the role?
48A developer already has permission to create resource groups. The company wants to allow deployments only in the East US and West US regions. Which service should enforce this rule?
49A user is assigned the Reader role on a resource group named RG1. Later, a new storage account is created in RG1. What access will the user have to that storage account without any new role assignment?
50A bootstrap script must install software on three VMs, then download configuration files from Blob Storage. Security forbids secrets in templates or scripts, and the same authentication method must work after the VMs are rebuilt. Which two choices should you make? Select two.
51A company wants development and production workloads for the same application to have separate budgets, separate subscription administrators, and different access controls. The central IT team still wants to apply the same security policies to both environments. What is the best design?
52An administrator assigns Contributor at the RG-Apps resource group scope and Reader at the subscription scope. A developer opens a VM inside RG-Apps and can change its settings, but a different VM in RG-Shared is read-only. Which statement best explains this behavior?
53Security wants one assignment that enforces all of these controls across several subscriptions: allowed Azure regions, required tags, and disabling public network access on specific resources. Which Azure feature should you use?
54A policy that requires secure transfer for storage accounts has been assigned to a subscription with the DeployIfNotExists effect. Several existing storage accounts are still noncompliant and have not changed. What should you do next to update those existing resources automatically?
55A company has three business units. Each business unit needs its own subscription for billing and admin delegation. Corporate security wants one policy assignment to cover all current and future subscriptions in each business unit. What structure should you implement?
56A production resource group contains VMs, public IP addresses, and a storage account. During a migration window, administrators must still be able to change settings and resize VMs, but nobody should accidentally delete any resource. Which lock should you apply to the resource group?
57A support engineer needs to restart only one virtual machine named VM-App01. The engineer must not gain access to any other VM, storage account, or network resource in the resource group. At which scope should you assign the required RBAC role?
58A developer has the Reader role assigned at the subscription scope. Later, the developer is assigned Contributor at the RG-Web resource group scope. Which permission is inherited by a storage account inside RG-Web?
59A change-freeze requires that no one can modify the settings of a subscription's resource group for six hours. Deletion is not the main concern; the priority is to block changes to existing resources during the freeze. Which lock should you apply?
60A deny policy blocks creation of storage accounts with public network access enabled. A legacy application in RG-Legacy must keep one existing storage account publicly reachable for 45 days while the rest of the subscription remains governed by the policy. What should the administrator configure?
61A policy assigned at the management group denies creation of storage accounts with public network access enabled. One legacy storage account in RG-Pilot must stay publicly reachable for 45 days while an application is migrated. What should the administrator configure?
62A VM-hosted automation tool must call Azure APIs without storing a password or certificate on disk. The identity should disappear automatically when the VM is deleted. Which identity should the administrator assign?
63A web app and a VM scale set both need the same Azure identity to read secrets from Key Vault. The identity must survive redeployment, and the team wants to remove it centrally without changing each resource individually. Which identity type should they use?
64Based on the exhibit, a compliance dashboard shows that several storage accounts are marked noncompliant because they do not have the required tag. The policy itself is correct, but one business unit needs a temporary exception for a single resource group during a merger. What should the administrator configure?
65Based on the exhibit, a contractor must be able to restart only one virtual machine named vm-pay-01 and read its properties. The contractor must not be able to manage any other VM in the resource group. Where should the role assignment be created?
66A cloud operations team in the Corp business unit needs to read all Azure resources in every current and future subscription under the Corp management group to prepare monthly governance reports. They must not gain access to subscriptions that belong to other business units. What scope should the administrator use when assigning the Reader role?
67An organization wants to enforce two governance controls on all subscriptions under a management group: only approved Azure regions can be used, and every resource must have a costCenter tag. Central IT wants one assignment that can grow as more controls are added later. What should they use?
68Based on the exhibit, which Azure construct should the administrator create to group these related policy rules into one assignment?
69A shared resource group contains a critical virtual machine and a storage account. Administrators must still be able to update settings, but nobody should accidentally delete either resource during routine maintenance. Which lock should be applied?
70A shared resource group contains a VM and a storage account used by payroll. Administrators still need to modify configuration and apply patches, but accidental deletion of either resource must be prevented. What should the administrator apply?
71A compliance team wants to bundle three policy definitions—allowed locations, required cost center tags, and approved VM sizes—so they can assign them together to a management group and review compliance in one place. Later they want to exempt one pilot subscription from the entire set for 60 days. What should they use?
72Based on the exhibit, an automation account must restart virtual machines and read network interface settings in RG-App. Built-in roles are too broad because they also allow actions the team does not want. What should the administrator do?
73Central IT wants to apply three related policy definitions—allowed Azure regions, required owner tag, and approved VM sizes—to all subscriptions in the Corp management group and report compliance as one package. What should the administrator create?
74An operations team needs to start and deallocate every virtual machine in RG-App and read VM settings, but they must not be able to delete VMs or manage networking resources. What is the best Azure RBAC solution?
75Based on the exhibit, three Azure virtual machines run the same automation script. The VMs are rebuilt often, and the team wants one identity that can be reused across all three VMs and retained even if a VM is replaced. Which identity type should the administrator use?
76A build server hosted in a company datacenter must deploy ARM templates to a target resource group in Azure without storing a user password. The server is not running in Azure, and the team wants to authorize deployments with Azure RBAC. What should be configured?
77Based on the exhibit, a shared resource group contains a production virtual machine and a storage account. Administrators must be able to update settings, but they must not be able to delete either resource by mistake. Which lock should be applied at the resource group scope?
78An operations team needs to let helpdesk staff restart virtual machines and view their properties only in RG-Dev. The staff must not be able to manage virtual networks, disks, or delete any resources. What is the best built-in role assignment?
79Based on the exhibit, which identity type should be used so the on-premises build server can authenticate to Azure without using a human account password?
80A policy at the management group denies storage accounts that allow public network access. One legacy storage account in RG-Legacy must stay public for 30 days while a migration runs, and the team does not want to change the policy for everyone else. What should the administrator create?
81A scheduled script runs on several Azure VMs. The VMs are rebuilt often, and the script must always use the same Azure identity across every rebuild without storing secrets on disk. Which two steps should the administrator take? Select two.
82An enterprise wants to enforce three governance controls for all subscriptions under a management group: allowed locations, required tags, and permitted VM sizes. The team wants a single place to assign and track compliance for all three controls. What should the administrator use?
83A scheduled script runs on several Azure virtual machines that are created and replaced over time. The script must use the same Azure identity on every VM, and the identity should continue to exist even if one VM is deleted and recreated. What should the administrator use?
84Based on the exhibit, the governance team wants to assign three related policy definitions together: allowed regions, required tags, and approved VM SKUs. What should the administrator create first?
85Based on the exhibit, an auditor needs to view all resources in RG-Finance but must not be able to make any changes. The auditor also should not have access to other resource groups. Which RBAC assignment best meets the requirement?
86Two Azure virtual machines run the same automation script and both need access to Key Vault and Storage. The script must keep working if one VM is redeployed, and the team wants the same identity to be usable by both VMs. What should the administrator use?
87Based on the exhibit, which identity should the administrator enable to remove the secret from app settings and have the identity disappear automatically when the app is deleted?
88An enterprise has 30 Azure subscriptions. Production subscriptions need a common baseline of allowed regions, required tags, and approved SKU rules, and any new production subscription must inherit those rules automatically. Sandbox subscriptions should follow a separate, lighter baseline. Which Azure construct should the team use to organize this governance model?
89A team in RG-Apps must be able to start, stop, and deallocate virtual machines and read their properties. Built-in roles available to the team are broader than necessary. What should the administrator do?
90An organization has one Azure subscription with separate resource groups for Development and Operations. A contractor must start, stop, and read the properties of virtual machines only in RG-Operations. The contractor must not have access to virtual machines in RG-Development. Where should the role assignment be created?
91A build server in an on-premises datacenter must deploy ARM templates to Azure. The automation must not use a human account password, and Microsoft Entra conditional access for device sign-in is not available because the server is outside Azure. The security team allows a non-human credential but wants the strongest practical option for this scenario. What should the administrator configure?
92A system-assigned managed identity is attached to an Azure VM to call Key Vault. The VM is frequently reimaged and sometimes redeployed to a different name during scale events, but the application must keep the same identity and secretless access. What should the administrator use instead?
93An App Service application needs to read secrets from Azure Key Vault. The security team does not want any password, certificate, or client secret stored in application settings, and they want the identity removed automatically if the app is deleted. What should the administrator enable?
94A VM-hosted automation tool must call Azure Resource Manager APIs, but the team will not store a password, certificate, or client secret on the VM. The identity should also disappear automatically when the VM is deleted. Which identity should be assigned?
95Based on the exhibit, a policy assigned at the subscription denies storage accounts that allow public network access. One existing storage account in RG-Legacy must remain publicly reachable for 30 days while a migration is completed. What should the administrator use?
96A company has 18 Azure subscriptions. Production subscriptions must inherit stricter governance than sandbox subscriptions, and central IT wants one place to target future policy assignments to each group. What should the administrator do?
97A policy assignment denies storage accounts unless public network access is disabled. One legacy storage account in a pilot resource group must remain publicly reachable for 60 days while the application team remediates dependencies. Compliance reporting must continue to show the policy as enforced everywhere else. What should the administrator do?
98Based on the exhibit, what should the administrator create to let Alex restart one VM and read its properties without giving broader permissions?
99New Azure subscriptions are created every month. Production subscriptions require stricter governance than sandbox subscriptions, and central IT wants those rules to apply automatically to any future production subscription without reconfiguring each one. What should they set up?
100A platform team runs an internal automation tool that must restart VMs and read network interface settings in one resource group. Built-in roles available to the team are broader than the access they want to grant. What should the administrator create?
101Based on the exhibit, which lock should the administrator apply so resources can still be updated but cannot be deleted by mistake?
102A company creates new Azure subscriptions every month. Central IT wants all production subscriptions to inherit the same governance baseline automatically, while sandbox subscriptions remain separate. What should the administrator implement?
103Based on the exhibit, where should the new subscription be placed so it inherits the production governance baseline automatically?
104Based on the exhibit, where should the administrator assign the role so the contractor can start and stop virtual machines only in RG-App and nothing else?
105Three Azure VMs run the same scheduled script and must access both Storage and Key Vault. The team wants one identity that can be reused if a VM is rebuilt, and they do not want the identity tied to a single machine. What should the administrator create?
106A company wants to enforce three controls across all current and future subscriptions under a management group: allowed Azure regions, a required cost center tag, and approved VM SKUs. Central IT wants a single assignment and consolidated compliance reporting. What should they use?
107A support engineer must restart and view the properties of virtual machines only in RG-Dev. The engineer must not gain access to other resource groups in the subscription. What should the administrator do?
108Several Azure VMs need the same Azure identity so they can access a shared resource without storing passwords. The identity should be reusable across VMs and removable centrally. Which identity type should the administrator use?
109A shared resource group contains a VPN gateway and several virtual machines used by the finance department. Administrators must still be able to resize the VMs and update NSG rules, but no one should be able to delete the resource group or anything in it during the quarter-end freeze. Which lock should be applied?
110Based on the exhibit, what should the administrator use to temporarily allow the legacy storage account to remain noncompliant without changing the policy for everyone?
111A company wants to stop users from creating resources in regions that are not approved and also require a Department tag on new resources. Which two tasks are best handled by Azure Policy? Select two.
112A production storage account must remain available for updates, but administrators want to prevent accidental deletion during maintenance windows. Which lock should be applied to the storage account?
113A single Azure virtual machine must read blobs from a storage account without storing any passwords, keys, or connection strings. The identity should be removed automatically if the VM is deleted. Which option should you use?
114Based on the exhibit, which Azure Policy effect should be used so new resources without an Environment tag are blocked at deployment time?
115An operations team must apply three related policies to all subscriptions in a department: require a cost-center tag, allow only approved locations, and block certain VM SKUs. They want to assign and track these rules as one unit. What should they create?
116Based on the exhibit, which identity approach should be used so all three virtual machines can reuse the same Azure access without sharing secrets?
117An operations team wants to label resources by Department and Environment so they can search and report on ownership across many resource groups. Which two statements are correct? Select two.
118A production resource group contains application VMs and databases. Operators must be able to update resources inside the group, but nobody should be able to delete the whole group by accident. Finance also wants ownership data to remain with the resources if they are moved to another resource group. Which two actions should you take? Select two.
119Three application VMs in different resource groups must use the same Azure identity to read blobs from a storage account. The identity must continue to work if the VMs are redeployed. What should you use?
120Finance, HR, and Engineering each have their own subscriptions, and one production resource group must not be deleted by mistake. Which two Azure features should be used? Select two.
121A service desk must grant and revoke access to an internal application for a changing group of employees. The service desk must not receive any Azure subscription or resource permissions. Which two actions should you take? Select two.
122A web application is made up of several Azure resources that are deployed, updated, and retired together. The team wants one container for applying access control, tags, and deletion protection consistently to the whole application. What should they use?
123An external consultant from another company needs read-only access to a resource group and must sign in with their own work account. What should be created in Microsoft Entra ID?
124Based on the exhibit, which identity should be granted the Contributor role so access can be managed centrally as team members change?
125A company has many subscriptions arranged under a management group named Corp. The audit team needs Reader access to every current and future subscription in Corp, and the administrator wants only one role assignment to maintain. Which two actions should be taken? Select two.
126A project team adds and removes contractors every few weeks. The team needs Azure access to follow membership changes without updating role assignments for each person. What should the administrator use to delegate the access?
127A department has 12 subscriptions under a management group named Corp. New resources must be deployed only in East US or West US and must include a CostCenter tag. A pilot subscription must be exempt from these rules during testing. Which two actions should you take? Select two.
128Based on the exhibit, where should the Network Contributor role be assigned so the engineer can manage only VNet-vm and its subnets, but not other resources in rg-platform?
129A contractor pool changes every month. The operations team wants Azure role access to stay the same when people join or leave, without editing role assignments for each person. Which two actions should the administrator take? Select two.
130Based on the exhibit, which Azure feature should the administrator add so ownership and chargeback information remains visible even if resources are moved between resource groups?
131A company wants to group several subscriptions for Finance, HR, and Engineering so that the same governance settings can be applied above the subscription level. What should the administrator create?
132A contractor must manage only VM1 and VM2 in rg-prod. The contractor must not be able to manage any other resource in the resource group. Which two role assignment scopes should you create? Select two.
133A production resource group must not be deleted accidentally, but administrators still need to update resources inside it. Which lock should you apply to the resource group?
134A finance application is deployed in a single resource group named rg-finance-app. The team must manage only the resources in that group and must not receive permissions for other resource groups in the subscription. Where should the Contributor role be assigned?
135A company wants to stop users from deploying resources in any region except East US and West US. Users still need to be able to create resources if they choose an approved region. Which Azure feature should the administrator use?
136A project team adds and removes contractors every month. The admin wants Azure access to update automatically when membership changes without editing role assignments for each person. Which two actions should the admin take? Select two.
137A team needs to understand Azure RBAC inheritance. Which two statements are correct? Select two.
138An application team needs Contributor access only for the resources in rg-app. They must not manage any other resources in the subscription. At what scope should you assign the role?
139A platform team wants to prevent engineers from creating VM sizes that are not approved, but they also need the engineers to be able to restart their own VMs. Which two statements are correct? Select two.
140You need one assignment that requires a cost-center tag and also allows only approved locations. What should you use?
141Three Azure virtual machines in different resource groups must all use the same Azure identity to access a storage account. The identity should keep working even if one VM is rebuilt. What should you use?
142An external consultant must access a resource group in your tenant using the consultant's existing work account. You want to avoid creating a separate username and password pair. Which two actions should the administrator take? Select two.
143A compliance team wants to identify all resources in a department that are missing an Environment tag, but they do not want to stop users from creating or changing resources. Which two choices should the administrator make? Select two.
144A production resource group contains web and data resources. Administrators must be able to update, scale, and restart resources, but they must not delete the resource group or any resource inside it during maintenance windows. Which two actions should the administrator take? Select two.
145A platform team wants every current and future subscription under the company's Azure hierarchy to inherit Reader access for a central audit group. The team does not want to create separate assignments for each subscription. Where should the role be assigned?
146A VM-hosted application must read blobs from Azure Storage without storing any keys or passwords. Which two identity types can the VM use to authenticate to Azure Storage? Select two.
147Based on the exhibit, what should you configure so the analysts can manage group membership without granting Azure resource permissions?
148Finance, HR, and Engineering each use separate subscriptions. The compliance team wants a simple hierarchy that lets them apply governance to groups of subscriptions and produce resource ownership reports by department and environment. Which two features should the administrator use? Select two.
149A compliance report must show which department and environment owns each Azure resource, even when the resources are spread across many resource groups and subscriptions. Which feature should the administrator use?
150A contractor needs Contributor on only VM1 and VM2 in rg-prod. Other resources in rg-prod must remain untouched, and the contractor must not gain access to any other resource groups or subscriptions. Which two role-assignment scopes meet the requirement? Select two.
151An operations team needs one Azure identity that can be attached to several VMs and kept even if a VM is deleted. Which two statements about a user-assigned managed identity are correct? Select two.
152A web app running on an Azure VM must read files from Azure Blob Storage without storing any passwords, secrets, or access keys on the VM. The identity should be tied to that VM and removed automatically if the VM is deleted. What should you enable?
153A contractor team changes every few weeks. The administrator wants Azure access to stay the same when individual contractors leave or join, without editing role assignments for each person. What should be assigned the Azure role?
154Based on the exhibit, which action should the administrator take so Contractor01 can manage the team membership without receiving Azure resource permissions?
155A web API runs on a single Azure VM and must access Azure Key Vault without storing any credentials on the VM. The identity should be tied to that VM and removed when the VM is deleted. What should you enable?
156A VM-hosted app must read blobs from Azure Storage without storing a shared key, SAS token, or password. Which two configuration steps should the administrator take? Select two.
157A partner company needs a developer to access resources in your tenant by using the developer's existing work account. You do not want to create a new separate username and password for that person. What should you create in Microsoft Entra ID?
158Based on the exhibit, which identity approach should the administrator use so both VMs can share the same access without managing secrets or recreating role assignments when a VM is replaced?
159A company has 18 subscriptions under a management group named Corp. The audit team needs Reader access to all current and future subscriptions in Corp without creating one assignment per subscription. Which two statements are correct? Select two.
160A team needs Reader access to exactly two Azure resources that are in the same resource group, and they must not gain access to other resources in that group. Which two scope choices are appropriate? Select two.
161A subscription must block creation of resources in any region except East US and West US, and the security team also wants a nonblocking report of existing resources that are missing a CostCenter tag. Which two Azure Policy effects should you use? Select two.
162The service desk needs to add and remove users from a support group that grants access to an internal application, but the service desk must not receive Azure subscription permissions. Which two actions should you take? Select two.
163Based on the exhibit, which identity should be enabled on the VM so the application can access Azure Blob Storage and the identity disappears when the VM is deleted?
164A team wants every resource in a subscription to include a Department tag. New resources that do not have the tag should be blocked from being created. Which Azure Policy effect should you use?
165A project team adds and removes contractors every month. The team wants Azure role assignments to stay the same when individual contractors leave or join, and access should be granted to everyone on the team through one control point. What should the administrator assign the Azure role to?
166A central audit group must have Reader access for every current and future subscription in the company hierarchy. You want one assignment that will apply broadly as new subscriptions are added. Where should the role be assigned?
167A department wants three related policies grouped together and assigned as one unit to a set of subscriptions. Which two statements about an Azure Policy initiative are correct? Select two.
168Three VMs run the same batch app and should use the same Azure identity to read blobs. The identity should remain available even if one VM is deleted. Which identity should you use?
169Based on the exhibit, which lock should the administrator apply to protect the resource group from accidental deletion while still allowing normal updates to the resources inside it?
170Three Azure VMs in separate resource groups run the same data-processing agent. The agent must read blobs from a storage account, and the access must continue to work if any VM is rebuilt or replaced. The operations team also wants one identity they can reassign to future VMs without creating another credential. Which identity approach should be used?
171Based on the exhibit, which Azure Policy construct should the administrator use to deploy and manage these guardrails as one unit across the department?
172Based on the exhibit, where should the Reader role be assigned so the audit team automatically has access to every current and future subscription under Corp?
173An operations team must enforce two rules across all subscriptions in a department: new resources must include a CostCenter tag, and deployments are allowed only in East US and West US. The team wants one assignment and automatic blocking of noncompliant deployments. Which three actions should the administrator take? Select three.
174A company wants to stop users from creating resources in any Azure region except East US and West US across all subscriptions. Which Azure feature should be used to enforce this requirement?
175A VM-hosted application must read blobs from an Azure Storage account without storing any secret in code or configuration. Which identity should you enable on the VM?
176A project team expects frequent joiners and leavers. The same Azure permissions are needed for all members of the team, and you want to avoid editing role assignments for each person. Which two actions best meet the requirement? Select two.
177A department has 10 subscriptions and wants the same two governance rules applied to all current and future subscriptions. One rule audits missing tags, and the other denies unapproved locations. Which two actions should the administrator take? Select two.
178A central audit team needs Reader access on every current and future subscription under the company hierarchy. Which scope should you use for the role assignment?
179You want to group subscriptions for Finance, HR, and Engineering so you can apply governance consistently at a higher level. What should you create?
180Finance wants every resource created in one production resource group to receive the tag CostCenter=FINSVC automatically, but deployments should not be blocked if a template omits the tag. Existing resources should be updated when possible. Which two actions should the administrator take? Select two.
181A production resource group contains several VMs and a storage account. The operations manager wants to prevent accidental deletion of the resource group and its resources, but still allow normal configuration changes during maintenance windows. Which lock should be applied to the resource group?
182Based on the exhibit, three VMs in different resource groups must use the same Azure identity, and the identity must continue working if one VM is deleted and recreated. What should you use?
183Based on the exhibit, what is the best way to simplify access management for the project team?
184RG-Prod hosts line-of-business workloads. The business wants to prevent accidental deletion of the resource group during change freezes and also ensure every new resource carries a CostCenter tag for chargeback. Which two governance controls should be used? Select two.
185Based on the exhibit, an Azure Policy with the Modify effect was assigned to add Environment=Prod to resources in RG-Prod. New resources get the tag, but existing virtual machines still do not have it. What should the administrator do next?
186An Azure Policy that appends the Environment tag is assigned to a subscription. New virtual machines get the tag, but existing VMs do not. What should the administrator do next?
187Help desk staff must start, stop, and restart virtual machines in one application resource group. They must not create or delete VMs or modify networking or disks. Which built-in role should you assign?
188A VM-hosted app needs to upload blobs without storing a storage account key or password on the VM. Which two authentication options meet this requirement? Select two.
189Based on the exhibit, an Azure VM must read secrets from Azure Key Vault during startup. No passwords, certificates, or client secrets may be stored on the VM. What should you configure?
190A security team needs to grant and remove RBAC access for a set of operators on resources in one resource group, but those operators must not create, modify, or delete the resources themselves. Which built-in role should be assigned?
191Based on the exhibit, the Prod management group contains three subscriptions that host application workloads. An operations group must be able to read all current and future resources in those Prod subscriptions, but it must not have access to Sandbox. Where should you assign the Reader role?
192A contractor needs read-only access to resources in one application resource group. The access must be removed immediately when the contractor is removed from the contractor team. What is the best access strategy?
193Based on the exhibit, a compliance team must read all current and future resources in every subscription under the Corp management group. Where should you assign the Reader role?
194Based on the exhibit, the team must prevent accidental deletion of a resource group, but administrators still need to update settings on resources inside it. Which lock should you apply?
195An enterprise has a management group named Corp that contains all production and sandbox subscriptions. An Entra ID group named Auditors must be able to read resources in every current subscription under Corp and in any subscription added later. Which two actions should the administrator take? Select two.
196A policy initiative is assigned at the Corp management group to enforce allowed locations and required tags. A new subscription is added under Corp later. Which two statements are true? Select two.
197A management group named Corp contains subscription Sales. RG-App is in Sales and contains several virtual machines. The Auditors group must read every resource in Sales, including resources in future resource groups created under that subscription. The ServerOps group must be able to start, stop, and restart only the virtual machines in RG-App. Which two role assignments should the administrator configure? Select two.
198Three application VMs in separate resource groups must use the same identity to read a configuration endpoint. The identity must keep working if any one VM is deleted and later recreated. Which three actions should the administrator take? Select three.
199Based on the exhibit, the help desk team must be able to restart virtual machines in RG-App, but they must not be able to create, delete, or resize VMs. What is the best action?
200An operations team must be able to restart virtual machines in one resource group. They must not create, delete, resize, or change disks or networking. Which two actions should the administrator take? Select two.
201Based on the exhibit, the production resource group must not be deleted during a change freeze, but administrators still need to update VM sizes and tag values. Which lock should you apply?
202During a change freeze, an administrator applies a lock to a resource group. Users can still read resource details, but attempts to update tags, resize a VM, or change an NSG fail. Which lock was applied?
203A platform team must enforce two governance rules across every current and future subscription under a management group: only East US and West US deployments are allowed, and every resource must include an Environment tag. Which three actions should the administrator take? Select three.
204The finance team wants every resource created in one resource group to carry the same CostCenter tag automatically. They want to reduce manual entry and keep the tag value consistent. What should you configure?
205A contractor should be able to view resources in one resource group for 30 days. When the contract ends, removing the contractor from the group should immediately remove access. What is the best approach?
206Based on the exhibit, every resource created in RG-Finance must automatically receive CostCenter=FIN, but deployments should not fail if the tag is omitted. What should you configure?
207RG-Prod is locked during a change freeze with a CanNotDelete lock. Administrators still need to keep the environment healthy without removing the lock. Which three actions can still be completed? Select three.
208An administrator assigned a modify policy at the subscription scope to add a CostCenter tag to new virtual machines. New VMs now have the tag, but older VMs in the subscription still do not. What must the administrator do to bring the existing VMs into compliance?
209A Modify policy adds CostCenter=042 to resources in RG-Finance. New resources are tagged correctly, but existing virtual machines remain untagged. What three requirements must be met for the assignment to update the existing resources? Select three.
210A support team must be able to start, stop, and restart virtual machines in one application resource group, but they must not create or delete VMs, modify disks, or manage networking. What is the best access approach?
211Based on the exhibit, an administrator wants to prevent new Azure resources from being deployed in any region except East US and West US across the entire Corp hierarchy. What should the administrator configure?
212Based on the exhibit, a support lead must manage role assignments for RG-Apps so the team can grant or revoke access for others. The support lead must not be able to change resource configurations. Which role should you assign?
213Based on the exhibit, which change should the administrator make so the application identity remains stable across VM redeployments without reapplying RBAC assignments?
214A finance analyst needs read-only access to one storage account named stprod01. The analyst must not see other resources in the subscription. Where should you assign the Reader role?
215Based on the exhibit, a script running on an Azure VM must create resources in another subscription without using passwords or client secrets. Which command should the administrator use first?
216A ReadOnly lock is applied to RG-App. Which two requested changes will fail because of the lock? Select two.
217The platform team wants to block deployment of virtual machines that use any size except a small approved list. Operators already have Contributor access and should keep that access for other tasks. Which Azure control should the administrator use to enforce the size restriction?
218A DevOps engineer must run an Azure CLI script from a Windows VM to create resources in a specific resource group in another subscription. The script must not use a client secret or password, and access should be limited to only that resource group. Which three actions should the administrator take? Select three.
219Based on the exhibit, help desk staff must restart virtual machines only in RG-App. What is the narrowest scope where you should assign the role?
220A security team wants operators in one resource group to start, stop, and restart virtual machines, but they must not create VMs, delete VMs, or manage disks and networking. What should the administrator configure?
221A platform team must enforce three governance rules across every subscription in a management group: allowed Azure regions, required Environment tags, and approved VM sizes. They want one assignment that groups the rules together and gives a single compliance view. What should they use?
222A production resource group must be protected from accidental deletion during a change freeze. Administrators still need to update VM sizes, rotate tags, and change NSG rules. Which two actions should the administrator take? Select two.
223Based on the exhibit, a subscription policy must add CostCenter=042 to new resources, and deployments must not fail if the tag is missing. Which policy effect should you use?
224A developer wants to give one Azure VM access to Azure Storage now, and that identity should be removed automatically if the VM is deleted. Which identity type should the administrator assign?
225A modify policy that appends a CostCenter tag was assigned to a management group. The policy shows as assigned, but older virtual machines still lack the tag. What must the administrator do to update those existing resources?
226During a change freeze, administrators must prevent deletion of a production resource group and all resources inside it, but they still need to update VM sizes and tags. Which lock should be applied?
227A platform team must enforce two governance rules across every current and future subscription under a management group: resources must include an Environment tag, and only East US or West US may be used for deployment. They want one compliance view for both rules and a way to correct missing tags on existing resources where supported. What should they assign?
228A subscription already grants Contributor to an application team. The organization wants to prevent deployments in unsupported Azure regions and ensure every new resource has an Environment tag. Which two controls should be implemented with Azure Policy rather than RBAC? Select two.
229A team operates two Azure VMs that both need to call Azure services with the same identity. The VMs are rebuilt frequently, and the identity must continue to work if either VM is deleted and recreated. Which identity should the administrator attach?
230Three Azure VMs in different resource groups need to access the same Azure resources using one identity. The identity must keep working if any VM is deleted and recreated. What should the administrator assign to the VMs?
231An enterprise uses one management group to contain five subscriptions for a business unit. A compliance auditor in an Entra ID group needs read-only access to every current and future resource in all five subscriptions, but must not see resources in other business units. What is the best scope for the Reader role assignment?
232Based on the exhibit, where should the administrator go to see which resources are non-compliant with the assigned policy?
233A PowerShell script runs on an Azure VM every night and uses Azure CLI commands to create tags and VM resources in another subscription. The script cannot store a password or client secret. What should it use to authenticate to Azure?
234A newly created VM must read secrets from Azure Key Vault. The solution must not store credentials on the VM, and the identity should disappear automatically when the VM is deleted. What should the administrator enable?
235An administrator wants to run a one-time Azure CLI command from inside a VM to create a resource in Azure, but the administrator does not want to store credentials on the VM. What should be used for authentication?
236A project team has 12 operators who need to read resource properties and restart only the virtual machines in one application resource group. Access should be removed automatically when an operator leaves the team, and any new VMs added to that resource group should inherit the same access without further changes. What should the administrator configure?
237An enterprise has a management group named Corp. Corp contains two child management groups: Prod and Sandbox. A compliance auditor is a member of an Entra ID group and must have read-only access to every current and future resource in all subscriptions that are under Prod. The auditor must not see resources in Sandbox, and the admin does not want to maintain separate assignments for each new subscription. What should the administrator do?
238An Azure administrator deploys a Linux VM that runs an application needing to read secrets from Azure Key Vault. The security policy forbids storing passwords, certificates, or access tokens on the VM. The application will run only on this single VM. What should be enabled on the VM?
239Based on the exhibit, where should you assign the Reader role so the Auditors group can read every current and future resource in the Sales subscription, including resource groups created later, while not granting access to the Research subscription?
240A company uses one management group for all production subscriptions. A compliance analyst is a member of an Entra ID group and must view every current and future resource in all production subscriptions, but must not make any changes. Where should you assign the Reader role?
241The platform team wants to block deployment of Azure resources in any region except East US and West US. What should they configure?
242An administrator assigned a policy definition with the Modify effect to add tag Environment=Prod to resources in a subscription. Existing VMs still do not show the tag. Which two actions should the administrator take to bring the existing VMs into compliance? Select two.
243Based on the exhibit, which Azure service is preventing deployment because the resource is missing a required tag?
244An Azure CLI script runs on a utility VM every night to create and tag resources in another subscription. The script cannot store a password or client secret, and the VM is regularly redeployed from a standard image. What is the best identity design?
245A contractor from a partner company needs read-only access to one application resource group for 14 days. When the contractor leaves the project, access should be removed immediately by removing a single identity from a group. Which two actions should the administrator take? Select two.
246An administrator wants a script running on an Azure VM to create a resource in Azure without storing any passwords or client secrets on the VM. What should the administrator configure first?
247A company has 12 subscriptions under one management group. An external auditor needs Reader access to resources in every current and future subscription under that management group. Where should you assign the role?
248The platform team wants every resource deployed in a subscription to include an Environment tag. New resources that do not meet the rule must be blocked, and existing noncompliant resources should appear in compliance reports. What should be configured?
249During a change freeze, the operations team wants to prevent accidental deletion of a production resource group and everything in it. They still need to update VM settings, change tags, and modify network rules. Which lock should be applied?
250A team has 20 operators who need the same Reader access to one application resource group. You want to grant access and later revoke it by changing group membership instead of editing each user's permissions. What should you use for the role assignment?
251A finance team wants every resource created in one production resource group to carry CostCenter=PRD automatically. They do not want deployments blocked if a team forgets the tag, but they do want existing resources and future resources in that resource group to converge on the correct tag value. What should the administrator configure?
252An administrator wants to let a help desk group start, stop, and restart virtual machines in one resource group, but the group must not be able to delete the VMs or any other resource in the group. Which two actions should the administrator take? Select two.
253A team can already deploy virtual machines, but they want to prevent users from creating VMs unless the deployment includes an approved tag. They also want to see which existing resources do not meet the rule. What should the administrator use?
254You are designing a governance strategy for an Azure environment that includes multiple subscriptions. You need to ensure that all resources deployed in the production subscription adhere to specific regulatory compliance requirements, such as encryption at rest and denying public network access. Which three of the following should you implement? (Choose three.)
255Your organization has an Azure Active Directory (Azure AD) tenant with 500 users. You need to ensure that users can reset their own passwords without IT support, but only if they have registered for multi-factor authentication (MFA). Additionally, you want to prevent users from reusing their last 10 passwords. Which three of the following should you configure? (Choose three.)
256You are responsible for managing Azure resources in a hybrid environment. Your on-premises Active Directory Domain Services (AD DS) is synced to Azure AD using Azure AD Connect. You need to ensure that administrative units (AUs) are used to delegate administration of specific groups of users to help desk staff. Which three of the following are true regarding administrative units in Azure AD? (Choose three.)
257You are an Azure administrator for a company that is planning to implement a new Azure environment. The company has the following requirements: - Users must be able to sign in using their on-premises Active Directory credentials. - Multi-factor authentication (MFA) must be enforced for all administrative users. - Access to Azure resources must be controlled using role-based access control (RBAC) with custom roles. - Audit logs must be retained for a minimum of three years. Which four of the following solutions should you implement to meet these requirements? Choose all that apply. (There are four correct answers.)
258Arrange the steps to create a virtual network in Azure with a subnet and deploy a VM.
259Order the steps to set up Azure Site Recovery for on-premises to Azure.
Deep-dive questions
The most-searched questions in this domain — detailed explanations, worked examples, full answer breakdowns.
Manage Azure Identities and Governance tests Azure AD users and groups, RBAC role assignments, management groups, subscriptions, and Azure Policy.
The Courseiva AZ-104 question bank contains 259 questions in the Manage Azure Identities and Governance domain, covering the 20% of the exam attributed to this domain in the official Microsoft blueprint. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Manage Azure Identities and Governance domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.
Sign Up FreeFree forever · Every certification included