AZ-104 Manage Azure Identities and Governance • Complete Question Bank
Complete AZ-104 Manage Azure Identities and Governance question bank with answers and detailed explanations.

Compliance report excerpt
Policy assignment: Require-department-tag
Scope: corp-root management group
Effect: Deny
Noncompliant resources:
- rg-merger01/storage accounts
- rg-merger02/storage accounts
Exception request:
- Allow only resource group rg-merger01 to bypass this policy for 45 days
- Keep the policy active for everyone else

Governance request:
- Allow only East US and West US
- Require the tag CostCenter on all resources
- Allow only Standard_D and Standard_E VM sizes
- The team wants one assignment at the management group scope.

Azure portal notes
Automation account: aa-appops
Target resource group: RG-App
Required actions:
- Restart virtual machines
- Read virtual machine properties
- Read network interface properties
Not allowed:
- Delete any resource
- Modify network settings
- Manage resources outside RG-App
Current built-in role testing:
- Virtual Machine Contributor = can restart VMs, but also can manage disks and extensions
- Reader = can read resources, but cannot restart VMs

Automation notes
VMs: vm-a1, vm-a2, vm-a3
Script requirement:
- Authenticate to Azure Resource Manager
- No password or certificate stored on disk
- Same identity must be used by all three VMs
- Identity must survive VM rebuilds and replacements

Resource group: RG-Prod-Shared
Resources:
- prodvm01 (Microsoft.Compute/virtualMachines)
- prodstore01 (Microsoft.Storage/storageAccounts)
Change control note:
- Updates must still be allowed
- Accidental deletion must be prevented
- Lock should apply to both resources in the group

Build server details:
- Host: ONPREM-BUILD01
- Location: On-premises datacenter
- Current command: az login with a user name and password
- Requirement: Noninteractive Azure authentication for deployment jobs
- Constraint: The server is not running in Azure.

Policy definitions to combine
1. Allowed locations
2. Require costCenter tag on resource groups
3. Allowed virtual machine SKUs
Target scope: Management group: corp-root
Desired outcome:
- Assign the three controls as a single package
- Review compliance from one place

Access review notes
Requested access for user: auditor1
Scope needed: RG-Finance only
Permitted actions:
- View resource properties
- View tags and configuration
Prohibited actions:
- Create, update, or delete resources
- Access other resource groups
Current assignment candidates:
- Reader at subscription scope
- Reader at RG-Finance scope
- Contributor at RG-Finance scope

Web app configuration:
- Name: orders-web
- Current authentication method: client secret stored in application settings
- Requirement: Access Azure resources without storing credentials in the app
- Additional requirement: When the app is deleted, the identity should be removed automatically.

Policy compliance details
Assignment name: Deny-Public-Storage
Scope: Subscription / Contoso-Prod
Effect: Deny
Condition: Microsoft.Storage/storageAccounts/publicNetworkAccess = 'Enabled'
Compliance state:
- stapp01: Non-compliant, creation denied
- stlegacy01: Non-compliant, existing exception requested by application team
Request note:
- Keep stlegacy01 publicly reachable until migration is complete
- Do not change the policy for all other resources

Current access review:
- User: Alex
- Existing role: Virtual Machine Contributor
- Scope: RG-Training
- Requirement: Alex must read VM properties and restart only VM-Training01.
- Alex must not delete the VM, manage disks, or change networking settings.

Resource group: RG-Finance
Current lock status: None
Business requirement:
- Administrators must still change settings on the VM and storage account.
- Nobody should be able to delete the resource group or the resources inside it accidentally.

Azure hierarchy:
Tenant root
├── Platform-MG
│   ├── Prod-MG
│   └── Sandbox-MG
Requirement:
- New subscription: Finance-Prod
- It must inherit the production policy baseline and reporting settings automatically.

Tenant: Contoso
Subscription: Prod-Sub
Resource groups:
- RG-App
- RG-Data
- RG-Net
Requirement:
- Helpdesk contractors must start and stop all VMs only in RG-App.
- They must not see or manage resources in the other resource groups.

Policy compliance report:
- Assignment: Deny public network access on storage accounts
- Scope: MG-Platform
- Noncompliant resource: stlegacy01 in RG-Legacy
- Business note: The legacy application must stay publicly reachable for 30 days during migration.

Policy evaluation output
Definition name: Require-Environment
Assignment scope: /subscriptions/1111-2222
Compliance state: Non-compliant
Non-compliant resource: stapp01
Reason: Missing tag 'Environment'
Requirement: Any new resource created without the Environment tag must be prevented from deploying.

Deployment note:
- vm-app1 is in rg-web
- vm-app2 is in rg-api
- vm-app3 is in rg-batch
- All three VMs must read from the same storage account
- The identity must keep working if one VM is reimaged or replaced
- Access should be granted once and then reused by all three VMs

Current access review
Team members:
- Asha Khan
- Ben Miller
- Chen Wu
- Dana Ortiz
All four users need Contributor access to rg-app today.
Requirement: The team changes every month. When people join or leave, the administrator wants to update one membership list instead of editing Azure role assignments for each user.

Shared resource group layout
Resource group: rg-platform
Resources:
- VNet-vm
- VM-web01
- VM-db01
- stlogs
Requirement: A network engineer must create and modify subnets and network settings only for VNet-vm. They must not be able to change either VM or the storage account in the resource group.

Cost reporting extract
Resource name: vm-fin-01 | Resource group: rg-west-prod | Department: blank | Environment: Prod
Resource name: sql-fin-01 | Resource group: rg-west-data | Department: blank | Environment: Prod
Resource name: app-fin-01 | Resource group: rg-east-app | Department: blank | Environment: Test
Requirement: Finance wants each resource to retain ownership metadata for reporting and chargeback, regardless of which resource group the resource is placed in later.

Microsoft Entra ID
Group name: App-Support
Type: Security
Owners: None
Members: 28 users
Requirement: Service desk analysts must add and remove employees from App-Support each week. They must not receive permissions to Azure subscriptions, resource groups, or resources.
Current approach: Analysts sign in with their regular work accounts.

Microsoft Entra group details
Group name: AppOps-Admins
Owners: Mia Lopez
Members: Sam Patel, Contractor01
Notes: Contractor01 is a temporary contractor with no existing Azure role assignments.
Requirement: Contractor01 must be able to add or remove members from AppOps-Admins for 30 days, but must not be able to manage Azure resources or receive broader directory permissions.

Workload note:
- VM01 and VM02 both need to read the same Azure SQL connection metadata from an app registration-protected service.
- The identity must be reusable across multiple VMs.
- The team wants to avoid secrets in scripts and configuration.

Application requirement:
- A web API runs on a single Azure VM
- The API must read blobs from Azure Storage without any stored password, key, or connection string
- The identity must be tied to the VM and removed automatically when the VM is deleted

Resource group details
Name: rg-payroll-prod
Resources:
- 6 virtual machines
- 2 storage accounts
- 1 Key Vault
Maintenance requirement: Administrators must continue starting, stopping, resizing, and updating the resources during the maintenance window. The only thing that must be prevented is accidental deletion of the entire resource group.

Policy set draft
Name: Dept-Guardrails
Included rules:
- Allowed locations: East US, West US
- Require tag: CostCenter
- Deny public IP creation on virtual machines
Requirement: The same three controls must be assigned together to all subscriptions in the department, and the department wants one object to manage instead of three separate assignments.

Azure governance hierarchy
Root management group
└── Corp
    ├── Prod
    │   ├── Sub-001
    │   └── Sub-002
    └── NonProd
        ├── Sub-101
        └── Sub-102
Requirement: The audit team needs read-only access across all subscriptions that are or will be placed under Corp, without creating separate assignments for each subscription.

Identity requirement:
- VM1 in rg-web
- VM2 in rg-api
- VM3 in rg-batch
- All three VMs need the same access to an Azure service
- The identity must not disappear when any one VM is deleted

Current access model:
- User: Alex has Reader on RG-App
- User: Bri has Reader on RG-App
- User: Chen has Reader on RG-App
- User: Dana has Reader on RG-App
Requirement:
- All current project members should keep the same access.
- If someone joins or leaves the team, access should be updated in one place.

Policy assignment details:
- Scope: RG-Prod
- Policy definition: Add tag Environment=Prod
- Effect: Modify
Observed result:
- New resources are tagged
- Existing VMs in RG-Prod remain untagged

Management group layout:
- Corp
  - Prod
    - AppSub1
    - AppSub2
    - AppSub3
  - Sandbox
    - DevSub1
Requirement:
- OpsGroup must read everything in Prod only
- New subscriptions added under Prod should inherit access automatically

Management group hierarchy:
Corp
├─ Sub-Prod-01
│  └─ RG-Finance
└─ Sub-Prod-02
   └─ RG-Shared
Current role assignment:
- Reader assigned to Entra ID group Auditors at scope: /providers/Microsoft.Management/managementGroups/Corp
Requirement:
- Members of Auditors must read resources in any new subscription added under Corp without adding another assignment.

Resource group: RG-Prod
Current lock:
- Type: None
Change request:
- Prevent accidental deletion of RG-Prod and its resources.
- Allow administrators to change VM sizes, tags, and NSG rules when needed.

Current assignments for RG-App:
- HelpDeskGroup -> Reader
- PlatformAdmins -> Contributor
Business requirement:
- HelpDeskGroup can start, stop, and restart VMs only
- HelpDeskGroup must not manage NICs, disks, or other resources

Change-freeze requirement:
- Prevent accidental deletion of RG-Prod
- Allow normal configuration changes inside the resource group
- VM resize operations must still work
Current lock state:
- No locks are configured

Resource group requirement:
- Scope: RG-Finance
- Every new resource must carry CostCenter=FIN
- Missing tag should be added automatically when possible
- Deployments must not be blocked
Current state:
- Teams manually add tags today
- Inconsistent tag values are common

Governance requirement:
- All current and future subscriptions under Corp must be restricted to East US and West US
- Deployments to any other region must be blocked
Current state:
- Contributors already have permission to create resources
- No region restriction is currently in place

Requested permissions:
- Add or remove Azure RBAC role assignments for RG-Apps
- Do not allow resource configuration changes
- Do not allow resource creation or deletion
Existing assignments:
- SupportLead -> Reader
- AppOwners -> Contributor

Bicep snippet:
resource vm 'Microsoft.Compute/virtualMachines@2023-09-01' = {
  name: 'appvm01'
  location: resourceGroup().location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    hardwareProfile: {
      vmSize: 'Standard_D2s_v5'
    }
    osProfile: {
      computerName: 'appvm01'
    }
  }
}
Operational note:
- The VM is rebuilt every month from source control.
- The workload must read secrets from Key Vault and upload logs to Blob Storage.
- Recreating the VM must not require new role assignments for the workload identity.

Script context:
- The script runs on an Azure VM
- Azure CLI is installed
- The VM has been assigned a managed identity
- The script needs to call Azure Resource Manager in another subscription
- No stored credentials are allowed on the VM

Subscription: Sub-IT-01
Resource groups:
- RG-App
  - vm-app01
  - vm-app02
- RG-Shared
  - vm-dns01
Requirement:
- Help desk operators can restart VMs in RG-App only.
- They must not affect VMs in RG-Shared.

Policy design notes:
- Scope: subscription
- Target: all resource groups
- Desired outcome: add tag CostCenter=042 automatically
- Requirement: do not block the deployment if the tag is omitted
Policy effects being considered:
- Deny
- Audit
- Append
- Modify

Policy assignment: Require-Environment-Tag
Compliance summary:
- Compliant resources: 18
- Non-compliant resources: 5
- Evaluation time: 2026-04-26 10:30 UTC
Need:
- Identify the specific non-compliant resources
- Review why they failed the policy evaluation

Tenant hierarchy:
- Corp (management group)
  - Sales (subscription)
    - RG-Web
    - RG-Data
  - Research (subscription)
    - RG-Lab
Requirement from the business owner:
- Auditors must view all resources in Sales.
- Any new resource group created under Sales must also be covered.
- Auditors must not see resources in Research.

Policy assignment summary:
Name: Require-Environment-Tag
Scope: /subscriptions/11111111-2222-3333-4444-555555555555
Effect: deny
Compliance state: Non-compliant
Deployment error: Resource creation blocked by policy. The request did not include tag 'Environment'.