© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Objective 1.0 · 20% of exam

Manage Azure Identities and Governance

AZ-104 Practice Questions

Identity and governance is the foundation of AZ-104. The RBAC scope hierarchy and the difference between Azure AD roles and Azure RBAC roles cause the most confusion — get these right before exam day.


What this objective tests

AZ-104 Manage Azure Identities and Governance — Key Topics

Manage Azure Identities and Governance tests Azure AD users and groups, RBAC role assignments, management groups, subscriptions, and Azure Policy.

  • Azure AD objects: users, groups, service principals, and managed identities.
  • RBAC: built-in roles (Owner, Contributor, Reader), custom roles, and scope hierarchy.
  • Management groups, subscriptions, resource groups, and how policy inheritance flows down.
  • Azure Policy effects: Deny, Audit, Append, DeployIfNotExists, and Modify.

Common exam traps

Where candidates lose marks on Manage Azure Identities and Governance

  • ⚠ Assuming Owner at the resource group level grants Owner access to the subscription — roles do not inherit upward.
  • ⚠ Confusing Azure AD roles (directory-level) with Azure RBAC roles (resource-level).
  • ⚠ Forgetting that Azure Policy can only enforce compliance going forward — existing non-compliant resources require a remediation task.
  • ⚠ Mixing up Deny (blocks creation) and Audit (logs non-compliance) policy effects.

AZ-104 Manage Azure Identities and Governance — Practice Questions

30 questions from this objective · 20% of your AZ-104 exam

Question 2 · medium · multiple choice

Your company has an Azure subscription named Prod-Sub. You create a custom role that allows users to restart virtual machines but not create, delete, or resize them. You need to ensure that members of the VMOperators group can use this custom role only for virtual machines in the RG-Prod resource group. What should you do?

Question 3 · hard · multiple choice

Your organization assigns an Azure Policy at the Corp-MG management group to require the tag Environment on all newly created resources. A deployment to RG-App in the Prod-Sub subscription fails because the tag is missing. You need to allow this single deployment to proceed without weakening enforcement for the rest of the organization. What should you do?

Question 4 · hard · multiple choice

A help desk team must be able to reset passwords for cloud users in Microsoft Entra ID, but they must not be able to create or delete users. Which built-in role should you assign?

Question 5 · easy · multiple choice

You need to assign the same RBAC role to 15 administrators so they can manage backups for several virtual machines. You want to minimize ongoing administrative effort when membership changes. What should you use?

Question 6 · medium · multiple choice

A storage account named stfinance01 contains critical data. Administrators must still be able to read and modify the data, but no one should be able to delete the storage account accidentally. What should you configure?

Question 7 · medium · multiple choice

Your company has two subscriptions named Dev-Sub and Prod-Sub. A new administrator must be able to create resource groups only in Dev-Sub and must not have any permissions in Prod-Sub. What should you do?

Question 8 · hard · multiple choice

Your organization requires all storage accounts to allow access only from selected networks. You need a governance solution that automatically corrects noncompliant new storage accounts when possible instead of only reporting them. What policy effect should you choose?

Question 9 · medium · multiple choice

You need to prevent accidental deletion of a production resource group while still allowing administrators to update resources inside it. What should you apply to the resource group?

Question 10 · hard · multiple choice

Your company has two Azure subscriptions named Dev-Sub and Prod-Sub. You need to ensure that a user can create resource groups only in Dev-Sub and nowhere else. What should you do?

Question 11 · medium · multiple choice

You need to ensure that all new resources deployed to a subscription automatically receive a CostCenter tag with a default value if the tag is omitted during deployment. Which Azure governance feature should you use?

Question 12 · medium · multiple choice

You need to ensure that all users in the HelpdeskAdmins group can reset passwords for cloud-only users in Microsoft Entra ID but cannot modify group memberships or delete users. Which role should you assign?

Question 13 · medium · multiple choice

You need to ensure that all newly created resource groups in a subscription automatically inherit the CostCenter tag with a fixed value, even if the creator forgets to add it. Which Azure Policy effect should you use?

Question 14 · hard · multiple choice

Your company uses Microsoft Entra ID. A new engineer must be able to create virtual machines in RG-Dev but must not be able to assign roles to other users. Which built-in role should you assign at the RG-Dev scope?

Question 15 · medium · multiple choice

An administrator grants the Helpdesk group the User Administrator role at the tenant scope. The team should be able to reset passwords only for users in the Europe-Users administrative unit. What should the administrator do?

Question 16 · hard · multiple choice

An Azure subscription contains several resource groups. You need to ensure that users can create virtual machines only in regions approved by the security team. Existing noncompliant VMs can remain unchanged. What should you do?

Question 17 · hard · multiple choice

Your company wants to enforce a standard list of allowed Azure regions for all new resource deployments across several subscriptions. You need a centralized governance solution that can be assigned once and inherited by the child subscriptions. What should you use?

Question 18 · medium · multiple choice

You need to ensure that a contractor can manage virtual machines only in the RG-Test resource group and cannot access any other resource groups in the subscription. What is the best way to achieve this?

Question 19 · medium · multiple choice

You need to ensure that junior administrators can view all resources in the Prod-Sub subscription but cannot create, modify, or delete any resources. Which Azure RBAC role should you assign?

Question 20 · medium · multiple choice

You need to prevent accidental deletion of a resource group while still allowing administrators to create and modify resources inside it. Which lock should you apply?

Question 21 · medium · multiple choice

You need to ensure that a user can view cost data for Azure resources but cannot create or modify those resources. Which built-in role should you assign at the required scope?

Question 22 · hard · multiple choice

Your organization wants all subscriptions under the Corp-MG management group to inherit a policy that blocks deployment of resource types not on an approved list. Which Azure feature should you use?

Question 23 · medium · multiple choice

You need to ensure that administrators cannot accidentally delete a production virtual network, but they must still be able to update subnet settings. Which Azure feature should you apply?

Question 24 · medium · multiple choice

You need to allow a support engineer to restart virtual machines in the RG-App resource group, but the engineer must not be able to create, delete, or resize the virtual machines. What should you do?

Question 25 · medium · multiple choice

You need to prevent accidental deletion of a resource group while still allowing administrators to create and modify resources inside it. Which Azure lock should you apply?

Question 26 · medium · multiple choice

You need to ensure that a finance analyst can view all resources in the Finance-Sub subscription and also view spending details, but cannot create, modify, or delete any resources. Which built-in Azure RBAC role should you assign?

Question 27 · hard · multiple choice

Your company wants every subscription under the Corp-MG management group to block the creation of resource groups unless the deployment includes the tags CostCenter and Environment. You need a centralized solution that is inherited by child subscriptions. What should you configure?

Question 28 · medium · multiple choice

You need to let a junior administrator manage virtual machines only in the RG-Dev resource group. The administrator must not be able to change role assignments or manage other resource groups. Which role assignment should you use?

Question 29 · hard · multi select

An Azure application and an Azure Automation account need Azure access without any stored secrets. The same identity should be reusable and should not require manual secret rotation. Which two identity choices meet the requirement? Select two.

Question 30 · medium · multiple choice

You need to ensure engineers cannot delete a production resource group, but they must still be able to start and stop VMs and change network rules during maintenance. Which resource lock should you apply to the resource group?

Question 31 · medium · multiple choice

An administrator added a user to an Entra security group that already has Contributor on a resource group. The role assignment is correct, but the user still gets 'You do not have access' in the Azure portal 5 minutes later. What is the most likely next step?

More Manage Azure Identities and Governance questions available in the full practice test.


All AZ-104 Objectives

  • 1. Manage Azure Identities and Governance: 20%
  • 2. Implement and Manage Storage: 15%
  • 3. Deploy and Manage Azure Compute: 20%
  • 4. Implement and Manage Virtual Networking: 20%
  • 5. Monitor and Maintain Azure Resources: 25%