Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

AZ-104 Manage Azure Identities and Governance • Complete Question Bank

AZ-104 Manage Azure Identities and Governance — All Questions With Answers

Complete AZ-104 Manage Azure Identities and Governance question bank — all 0 questions with answers and detailed explanations.

259 questions. Free, no signup.

Question 1 (medium, multiple choice)

Your company has an Azure subscription named Prod-Sub. You create a custom role that allows users to restart virtual machines but not create, delete, or resize them. You need to ensure that members of the VMOperators group can use this custom role only for virtual machines in the RG-Prod resource group. What should you do?

Question 2 (hard, multiple choice)

Your organization assigns an Azure Policy at the Corp-MG management group to require the tag Environment on all newly created resources. A deployment to RG-App in the Prod-Sub subscription fails because the tag is missing. You need to allow this single deployment to proceed without weakening enforcement for the rest of the organization. What should you do?

Question 3 (hard, multiple choice)

A help desk team must be able to reset passwords for cloud users in Microsoft Entra ID, but they must not be able to create or delete users. Which built-in role should you assign?

Question 4 (easy, multiple choice)

You need to assign the same RBAC role to 15 administrators so they can manage backups for several virtual machines. You want to minimize ongoing administrative effort when membership changes. What should you use?

Question 5 (medium, multiple choice)

A storage account named stfinance01 contains critical data. Administrators must still be able to read and modify the data, but no one should be able to delete the storage account accidentally. What should you configure?

Question 6 (medium, multiple choice)

Your company has two subscriptions named Dev-Sub and Prod-Sub. A new administrator must be able to create resource groups only in Dev-Sub and must not have any permissions in Prod-Sub. What should you do?

Question 7 (hard, multiple choice)

Your organization requires all storage accounts to allow access only from selected networks. You need a governance solution that automatically corrects noncompliant new storage accounts when possible instead of only reporting them. What policy effect should you choose?

Question 8 (medium, multiple choice)

You need to prevent accidental deletion of a production resource group while still allowing administrators to update resources inside it. What should you apply to the resource group?

Question 9 (hard, multiple choice)

Your company has two Azure subscriptions named Dev-Sub and Prod-Sub. You need to ensure that a user can create resource groups only in Dev-Sub and nowhere else. What should you do?

Question 10 (medium, multiple choice)

You need to ensure that all new resources deployed to a subscription automatically receive a CostCenter tag with a default value if the tag is omitted during deployment. Which Azure governance feature should you use?

Question 11 (medium, multiple choice)

You need to ensure that all users in the HelpdeskAdmins group can reset passwords for cloud-only users in Microsoft Entra ID but cannot modify group memberships or delete users. Which role should you assign?

Question 12 (medium, multiple choice)

You need to ensure that all newly created resource groups in a subscription automatically inherit the CostCenter tag with a fixed value, even if the creator forgets to add it. Which Azure Policy effect should you use?

Question 13 (hard, multiple choice)

Your company uses Microsoft Entra ID. A new engineer must be able to create virtual machines in RG-Dev but must not be able to assign roles to other users. Which built-in role should you assign at the RG-Dev scope?

Question 14 (medium, multiple choice)

An administrator grants the Helpdesk group the User Administrator role at the tenant scope. The team should be able to reset passwords only for users in the Europe-Users administrative unit. What should the administrator do?

Question 15 (hard, multiple choice)

An Azure subscription contains several resource groups. You need to ensure that users can create virtual machines only in regions approved by the security team. Existing noncompliant VMs can remain unchanged. What should you do?

Question 16 (hard, multiple choice)

Your company wants to enforce a standard list of allowed Azure regions for all new resource deployments across several subscriptions. You need a centralized governance solution that can be assigned once and inherited by the child subscriptions. What should you use?

Question 17 (medium, multiple choice)

You need to ensure that a contractor can manage virtual machines only in the RG-Test resource group and cannot access any other resource groups in the subscription. What is the best way to achieve this?

Question 18 (medium, multiple choice)

You need to ensure that junior administrators can view all resources in the Prod-Sub subscription but cannot create, modify, or delete any resources. Which Azure RBAC role should you assign?

Question 19 (medium, multiple choice)

You need to prevent accidental deletion of a resource group while still allowing administrators to create and modify resources inside it. Which lock should you apply?

Question 20 (medium, multiple choice)

You need to ensure that a user can view cost data for Azure resources but cannot create or modify those resources. Which built-in role should you assign at the required scope?

Question 21 (hard, multiple choice)

Your organization wants all subscriptions under the Corp-MG management group to inherit a policy that blocks deployment of resource types not on an approved list. Which Azure feature should you use?

Question 22 (medium, multiple choice)

You need to ensure that administrators cannot accidentally delete a production virtual network, but they must still be able to update subnet settings. Which Azure feature should you apply?

Question 23 (medium, multiple choice)

You need to allow a support engineer to restart virtual machines in the RG-App resource group, but the engineer must not be able to create, delete, or resize the virtual machines. What should you do?

Question 24 (medium, multiple choice)

You need to prevent accidental deletion of a resource group while still allowing administrators to create and modify resources inside it. Which Azure lock should you apply?

Question 25 (medium, multiple choice)

You need to ensure that a finance analyst can view all resources in the Finance-Sub subscription and also view spending details, but cannot create, modify, or delete any resources. Which built-in Azure RBAC role should you assign?

Question 26 (hard, multiple choice)

Your company wants every subscription under the Corp-MG management group to block the creation of resource groups unless the deployment includes the tags CostCenter and Environment. You need a centralized solution that is inherited by child subscriptions. What should you configure?

Question 27 (medium, multiple choice)

You need to let a junior administrator manage virtual machines only in the RG-Dev resource group. The administrator must not be able to change role assignments or manage other resource groups. Which role assignment should you use?

Question 28 (hard, multi select)

An Azure application and an Azure Automation account need Azure access without any stored secrets. The same identity should be reusable and should not require manual secret rotation. Which two identity choices meet the requirement? Select two.

Question 29 (medium, multiple choice)

You need to ensure engineers cannot delete a production resource group, but they must still be able to start and stop VMs and change network rules during maintenance. Which resource lock should you apply to the resource group?

Question 30 (medium, multiple choice)

An administrator added a user to an Entra security group that already has Contributor on a resource group. The role assignment is correct, but the user still gets 'You do not have access' in the Azure portal 5 minutes later. What is the most likely next step?

Question 31 (hard, multi select)

A support engineer must start and restart one specific virtual machine from the Azure portal, but must not be able to delete the VM, change networking, or grant access to others. Which two actions should be included in a custom role? Select two.

Question 32 (medium, multiple choice)

A storage automation service principal must upload, read, and delete blob data in one container by using Microsoft Entra authentication. It must not manage storage account settings, keys, or other containers. Which approach is best?

Question 33 (hard, multi select)

A user had a direct Reader assignment on a virtual machine, but that assignment was removed. The user can still open the VM blade and view its properties. Which two sources could still be granting access? Select two.

Question 34 (hard, multi select)

A resource group has a ReadOnly lock applied to it. An operator can view the resources, but several portal changes fail. Which two operations will fail because of the lock? Select two.

Question 35 (medium, multiple choice)

A support engineer must start, stop, and restart only one virtual machine named vm-app01. The engineer should not gain permissions on any other virtual machine in the subscription. What is the best scope for the role assignment?

Question 36 (hard, multi select)

An enterprise wants one governance package to be applied automatically to every production subscription that is added in the future. The package contains several policy definitions that should be managed together. Which two actions are required? Select two.

Question 37 (medium, multiple choice)

Your company has separate subscriptions for development, test, and production. Security wants one baseline policy and one RBAC assignment to apply automatically to every production subscription now and in the future. What should you use?

Question 38 (medium, multiple choice)

A developer has the Contributor role on a subscription. Their ARM deployment of a virtual machine with a public IP fails, and the error message says the request is denied by policy. The developer can create other resources successfully. What should you change to allow this deployment while keeping the Contributor role unchanged?

Question 39 (hard, multi select)

A developer has the Contributor role on a resource group and tries to deploy a Windows VM with a public IP address. The deployment fails, even though the role assignment is active. Which two checks should you perform first to confirm why the deployment failed? Select two.

Question 40 (medium, multiple choice)

An Azure Automation account runs PowerShell runbooks that must authenticate to Azure resources without embedded secrets. The automation account is recreated periodically during deployment, and the identity must continue to work after recreation without reissuing credentials. Which identity should you use?

Question 41 (hard, multi select)

Your company wants one governance baseline to apply automatically to all current and future production subscriptions, and finance wants cost reporting by application across many resource groups. Which two design choices best satisfy the requirements? Select two.

Question 42 (hard, multi select)

A contractor is a member of an Entra security group that has a PIM-eligible Contributor assignment on a resource group. The contractor sees the role in the portal, but deployment fails with a role not active message. The activation policy requires justification, MFA, and manager approval. Which two actions are required before the deployment succeeds? Select two.

Question 43 (hard, multi select)

Your company has multiple applications deployed across separate production and nonproduction subscriptions. Finance wants cost reporting by application, and each app team should manage only its own resources. Which two design choices best satisfy both requirements? Select two.

Question 44 (hard, multi select)

An Azure Automation account is recreated periodically during a migration project. Runbooks must authenticate to Azure resources without embedded secrets, and the identity must continue to work after the account is rebuilt. Which two choices should you make? Select two.

Question 45 (medium, multiple choice)

A contractor is a member of an Entra security group that has the Contributor role on a resource group. When the contractor tries to deploy, the portal says the role is not active. The activation request requires approver approval, and the previous activation window has expired. What should the contractor do?

Question 46 (easy, multiple choice)

A company wants to prevent users from creating storage accounts unless the resources include a costCenter tag. Which Azure feature should be used?

Question 47 (easy, multiple choice)

You want to let a support engineer restart only the virtual machines in the Prod-Apps resource group, and any VM added later to that group should also be covered. Where should you assign the role?

Question 48 (easy, multiple choice)

A developer already has permission to create resource groups. The company wants to allow deployments only in the East US and West US regions. Which service should enforce this rule?

Question 49 (easy, multiple choice)

A user is assigned the Reader role on a resource group named RG1. Later, a new storage account is created in RG1. What access will the user have to that storage account without any new role assignment?

Question 50 (hard, multi select)

A bootstrap script must install software on three VMs, then download configuration files from Blob Storage. Security forbids secrets in templates or scripts, and the same authentication method must work after the VMs are rebuilt. Which two choices should you make? Select two.

Question 51 (medium, multiple choice)

A company wants development and production workloads for the same application to have separate budgets, separate subscription administrators, and different access controls. The central IT team still wants to apply the same security policies to both environments. What is the best design?

Question 52 (medium, multiple choice)

An administrator assigns Contributor at the RG-Apps resource group scope and Reader at the subscription scope. A developer opens a VM inside RG-Apps and can change its settings, but a different VM in RG-Shared is read-only. Which statement best explains this behavior?

Question 53 (medium, multiple choice)

Security wants one assignment that enforces all of these controls across several subscriptions: allowed Azure regions, required tags, and disabling public network access on specific resources. Which Azure feature should you use?

Question 54 (medium, multiple choice)

A policy that requires secure transfer for storage accounts has been assigned to a subscription with the DeployIfNotExists effect. Several existing storage accounts are still noncompliant and have not changed. What should you do next to update those existing resources automatically?

Question 55 (medium, multiple choice)

A company has three business units. Each business unit needs its own subscription for billing and admin delegation. Corporate security wants one policy assignment to cover all current and future subscriptions in each business unit. What structure should you implement?

Question 56 (medium, multiple choice)

A production resource group contains VMs, public IP addresses, and a storage account. During a migration window, administrators must still be able to change settings and resize VMs, but nobody should accidentally delete any resource. Which lock should you apply to the resource group?

Question 57 (medium, multiple choice)

A support engineer needs to restart only one virtual machine named VM-App01. The engineer must not gain access to any other VM, storage account, or network resource in the resource group. At which scope should you assign the required RBAC role?

Question 58 (easy, multiple choice)

A developer has the Reader role assigned at the subscription scope. Later, the developer is assigned Contributor at the RG-Web resource group scope. Which permission is inherited by a storage account inside RG-Web?

Question 59 (medium, multiple choice)

A change-freeze requires that no one can modify the settings of a subscription's resource group for six hours. Deletion is not the main concern; the priority is to block changes to existing resources during the freeze. Which lock should you apply?

Question 60 (medium, multiple choice)

A deny policy blocks creation of storage accounts with public network access enabled. A legacy application in RG-Legacy must keep one existing storage account publicly reachable for 45 days while the rest of the subscription remains governed by the policy. What should the administrator configure?

Question 61 (medium, multiple choice)

A policy assigned at the management group denies creation of storage accounts with public network access enabled. One legacy storage account in RG-Pilot must stay publicly reachable for 45 days while an application is migrated. What should the administrator configure?

Question 62 (medium, multiple choice)

A VM-hosted automation tool must call Azure APIs without storing a password or certificate on disk. The identity should disappear automatically when the VM is deleted. Which identity should the administrator assign?

Question 63 (hard, multiple choice)

A web app and a VM scale set both need the same Azure identity to read secrets from Key Vault. The identity must survive redeployment, and the team wants to remove it centrally without changing each resource individually. Which identity type should they use?

Question 64 (easy, multiple choice)

Based on the exhibit, a compliance dashboard shows that several storage accounts are marked noncompliant because they do not have the required tag. The policy itself is correct, but one business unit needs a temporary exception for a single resource group during a merger. What should the administrator configure?

Exhibit

Compliance report excerpt

Policy assignment: Require-department-tag
Scope: corp-root management group
Effect: Deny
Noncompliant resources:
- rg-merger01/storage accounts
- rg-merger02/storage accounts
Exception request:
- Allow only resource group rg-merger01 to bypass this policy for 45 days
- Keep the policy active for everyone else

Question 65 (easy, multiple choice)

Based on the exhibit, a contractor must be able to restart only one virtual machine named vm-pay-01 and read its properties. The contractor must not be able to manage any other VM in the resource group. Where should the role assignment be created?

Network Topology
scope /subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/RG-Payroll
output table

Azure CLI output

PrincipalName       RoleDefinitionName           Scope
contoso-contractor  Virtual Machine Contributor  /subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/RG-Payroll

Resource details

Resource group: RG-Payroll
Virtual machine: vm-pay-01
Virtual machine resource ID: /subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/RG-Payroll/providers/Microsoft.Compute/virtualMachines/vm-pay-01

Question 66 (medium, multiple choice)

A cloud operations team in the Corp business unit needs to read all Azure resources in every current and future subscription under the Corp management group to prepare monthly governance reports. They must not gain access to subscriptions that belong to other business units. What scope should the administrator use when assigning the Reader role?

Question 67 (medium, multiple choice)

An organization wants to enforce two governance controls on all subscriptions under a management group: only approved Azure regions can be used, and every resource must have a costCenter tag. Central IT wants one assignment that can grow as more controls are added later. What should they use?

Question 68 (easy, multiple choice)

Based on the exhibit, which Azure construct should the administrator create to group these related policy rules into one assignment?

Exhibit

Governance request:
- Allow only East US and West US
- Require the tag CostCenter on all resources
- Allow only Standard_D and Standard_E VM sizes
- The team wants one assignment at the management group scope.

Question 69 (medium, multiple choice)

A shared resource group contains a critical virtual machine and a storage account. Administrators must still be able to update settings, but nobody should accidentally delete either resource during routine maintenance. Which lock should be applied?

Question 70 (hard, multiple choice)

A shared resource group contains a VM and a storage account used by payroll. Administrators still need to modify configuration and apply patches, but accidental deletion of either resource must be prevented. What should the administrator apply?

Question 71 (hard, multiple choice)

A compliance team wants to bundle three policy definitions—allowed locations, required cost center tags, and approved VM sizes—so they can assign them together to a management group and review compliance in one place. Later they want to exempt one pilot subscription from the entire set for 60 days. What should they use?

Question 72 (easy, multiple choice)

Based on the exhibit, an automation account must restart virtual machines and read network interface settings in RG-App. Built-in roles are too broad because they also allow actions the team does not want. What should the administrator do?

Exhibit

Azure portal notes

Automation account: aa-appops
Target resource group: RG-App
Required actions:
- Restart virtual machines
- Read virtual machine properties
- Read network interface properties
Not allowed:
- Delete any resource
- Modify network settings
- Manage resources outside RG-App

Current built-in role testing:
Virtual Machine Contributor = can restart VMs, but also can manage disks and extensions
Reader = can read resources, but cannot restart VMs

Question 73 (medium, multiple choice)

Central IT wants to apply three related policy definitions—allowed Azure regions, required owner tag, and approved VM sizes—to all subscriptions in the Corp management group and report compliance as one package. What should the administrator create?

Question 74 (medium, multiple choice)

An operations team needs to start and deallocate every virtual machine in RG-App and read VM settings, but they must not be able to delete VMs or manage networking resources. What is the best Azure RBAC solution?

Question 75 (easy, multiple choice)

Based on the exhibit, three Azure virtual machines run the same automation script. The VMs are rebuilt often, and the team wants one identity that can be reused across all three VMs and retained even if a VM is replaced. Which identity type should the administrator use?

Exhibit

Automation notes

VMs: vm-a1, vm-a2, vm-a3
Script requirement:
- Authenticate to Azure Resource Manager
- No password or certificate stored on disk
- Same identity must be used by all three VMs
- Identity must survive VM rebuilds and replacements

Question 76 (medium, multiple choice)

A build server hosted in a company datacenter must deploy ARM templates to a target resource group in Azure without storing a user password. The server is not running in Azure, and the team wants to authorize deployments with Azure RBAC. What should be configured?

Question 77 (easy, multiple choice)

Based on the exhibit, a shared resource group contains a production virtual machine and a storage account. Administrators must be able to update settings, but they must not be able to delete either resource by mistake. Which lock should be applied at the resource group scope?

Exhibit

Resource group: RG-Prod-Shared
Resources:
- prodvm01 (Microsoft.Compute/virtualMachines)
- prodstore01 (Microsoft.Storage/storageAccounts)

Change control note:
- Updates must still be allowed
- Accidental deletion must be prevented
- Lock should apply to both resources in the group

Question 78 (medium, multiple choice)

An operations team needs to let helpdesk staff restart virtual machines and view their properties only in RG-Dev. The staff must not be able to manage virtual networks, disks, or delete any resources. What is the best built-in role assignment?

Question 79 (easy, multiple choice)

Based on the exhibit, which identity type should be used so the on-premises build server can authenticate to Azure without using a human account password?

Exhibit

Build server details:
- Host: ONPREM-BUILD01
- Location: On-premises datacenter
- Current command: az login with a user name and password
- Requirement: Noninteractive Azure authentication for deployment jobs
- Constraint: The server is not running in Azure.

Question 80 (medium, multiple choice)

A policy at the management group denies storage accounts that allow public network access. One legacy storage account in RG-Legacy must stay public for 30 days while a migration runs, and the team does not want to change the policy for everyone else. What should the administrator create?

Question 81 (hard, multi select)

A scheduled script runs on several Azure VMs. The VMs are rebuilt often, and the script must always use the same Azure identity across every rebuild without storing secrets on disk. Which two steps should the administrator take? Select two.

Question 82 (medium, multiple choice)

An enterprise wants to enforce three governance controls for all subscriptions under a management group: allowed locations, required tags, and permitted VM sizes. The team wants a single place to assign and track compliance for all three controls. What should the administrator use?

Question 83 (medium, multiple choice)

A scheduled script runs on several Azure virtual machines that are created and replaced over time. The script must use the same Azure identity on every VM, and the identity should continue to exist even if one VM is deleted and recreated. What should the administrator use?

Question 84 (easy, multiple choice)

Based on the exhibit, the governance team wants to assign three related policy definitions together: allowed regions, required tags, and approved VM SKUs. What should the administrator create first?

Exhibit

Policy definitions to combine

1. Allowed locations
2. Require costCenter tag on resource groups
3. Allowed virtual machine SKUs

Target scope:
Management group: corp-root
Desired outcome:
- Assign the three controls as a single package
- Review compliance from one place

Question 85 (easy, multiple choice)

Based on the exhibit, an auditor needs to view all resources in RG-Finance but must not be able to make any changes. The auditor also should not have access to other resource groups. Which RBAC assignment best meets the requirement?

Exhibit

Access review notes

Requested access for user: auditor1
Scope needed: RG-Finance only
Permitted actions:
- View resource properties
- View tags and configuration
Prohibited actions:
- Create, update, or delete resources
- Access other resource groups

Current assignment candidates:
- Reader at subscription scope
- Reader at RG-Finance scope
- Contributor at RG-Finance scope

Question 86 (medium, multiple choice)

Two Azure virtual machines run the same automation script and both need access to Key Vault and Storage. The script must keep working if one VM is redeployed, and the team wants the same identity to be usable by both VMs. What should the administrator use?

Question 87 (easy, multiple choice)

Based on the exhibit, which identity should the administrator enable to remove the secret from app settings and have the identity disappear automatically when the app is deleted?

Exhibit

Web app configuration:
- Name: orders-web
- Current authentication method: client secret stored in application settings
- Requirement: Access Azure resources without storing credentials in the app
- Additional requirement: When the app is deleted, the identity should be removed automatically.

Question 88 (hard, multiple choice)

An enterprise has 30 Azure subscriptions. Production subscriptions need a common baseline of allowed regions, required tags, and approved SKU rules, and any new production subscription must inherit those rules automatically. Sandbox subscriptions should follow a separate, lighter baseline. Which Azure construct should the team use to organize this governance model?

Question 89 (medium, multiple choice)

A team in RG-Apps must be able to start, stop, and deallocate virtual machines and read their properties. Built-in roles available to the team are broader than necessary. What should the administrator do?

Question 90 (medium, multiple choice)

An organization has one Azure subscription with separate resource groups for Development and Operations. A contractor must start, stop, and read the properties of virtual machines only in RG-Operations. The contractor must not have access to virtual machines in RG-Development. Where should the role assignment be created?

Question 91 (hard, multiple choice)

A build server in an on-premises datacenter must deploy ARM templates to Azure. The automation must not use a human account password, and Microsoft Entra conditional access for device sign-in is not available because the server is outside Azure. The security team allows a non-human credential but wants the strongest practical option for this scenario. What should the administrator configure?

Question 92 (hard, multiple choice)

A system-assigned managed identity is attached to an Azure VM to call Key Vault. The VM is frequently reimaged and sometimes redeployed to a different name during scale events, but the application must keep the same identity and secretless access. What should the administrator use instead?

Question 93 (medium, multiple choice)

An App Service application needs to read secrets from Azure Key Vault. The security team does not want any password, certificate, or client secret stored in application settings, and they want the identity removed automatically if the app is deleted. What should the administrator enable?

Question 94 (medium, multiple choice)

A VM-hosted automation tool must call Azure Resource Manager APIs, but the team will not store a password, certificate, or client secret on the VM. The identity should also disappear automatically when the VM is deleted. Which identity should be assigned?

Question 95 (easy, multiple choice)

Based on the exhibit, a policy assigned at the subscription denies storage accounts that allow public network access. One existing storage account in RG-Legacy must remain publicly reachable for 30 days while a migration is completed. What should the administrator use?

Exhibit

Policy compliance details

Assignment name: Deny-Public-Storage
Scope: Subscription / Contoso-Prod
Effect: Deny
Condition: Microsoft.Storage/storageAccounts/publicNetworkAccess = 'Enabled'
Compliance state:
- stapp01: Non-compliant, creation denied
- stlegacy01: Non-compliant, existing exception requested by application team
Request note:
- Keep stlegacy01 publicly reachable until migration is complete
- Do not change the policy for all other resources

Question 96 (medium, multiple choice)

A company has 18 Azure subscriptions. Production subscriptions must inherit stricter governance than sandbox subscriptions, and central IT wants one place to target future policy assignments to each group. What should the administrator do?

Question 97 (medium, multiple choice)

A policy assignment denies storage accounts unless public network access is disabled. One legacy storage account in a pilot resource group must remain publicly reachable for 60 days while the application team remediates dependencies. Compliance reporting must continue to show the policy as enforced everywhere else. What should the administrator do?

Question 98 (easy, multiple choice)

Based on the exhibit, what should the administrator create to let Alex restart one VM and read its properties without giving broader permissions?

Exhibit

Current access review:
- User: Alex
- Existing role: Virtual Machine Contributor
- Scope: RG-Training
- Requirement: Alex must read VM properties and restart only VM-Training01.
- Alex must not delete the VM, manage disks, or change networking settings.

Question 99 (medium, multiple choice)

New Azure subscriptions are created every month. Production subscriptions require stricter governance than sandbox subscriptions, and central IT wants those rules to apply automatically to any future production subscription without reconfiguring each one. What should they set up?

Question 100 (medium, multiple choice)

A platform team runs an internal automation tool that must restart VMs and read network interface settings in one resource group. Built-in roles available to the team are broader than the access they want to grant. What should the administrator create?

Question 101 (easy, multiple choice)

Based on the exhibit, which lock should the administrator apply so resources can still be updated but cannot be deleted by mistake?

Exhibit

Resource group: RG-Finance
Current lock status: None
Business requirement:
- Administrators must still change settings on the VM and storage account.
- Nobody should be able to delete the resource group or the resources inside it accidentally.

Question 102 (medium, multiple choice)

A company creates new Azure subscriptions every month. Central IT wants all production subscriptions to inherit the same governance baseline automatically, while sandbox subscriptions remain separate. What should the administrator implement?

Question 103 (easy, multiple choice)

Based on the exhibit, where should the new subscription be placed so it inherits the production governance baseline automatically?

Exhibit

Azure hierarchy:
Tenant root
├── Platform-MG
│   ├── Prod-MG
│   └── Sandbox-MG

Requirement:
- New subscription: Finance-Prod
- It must inherit the production policy baseline and reporting settings automatically.

Question 104 (easy, multiple choice)

Based on the exhibit, where should the administrator assign the role so the contractor can start and stop virtual machines only in RG-App and nothing else?

Exhibit

Tenant: Contoso
Subscription: Prod-Sub
Resource groups:
- RG-App
- RG-Data
- RG-Net
Requirement:
- Helpdesk contractors must start and stop all VMs only in RG-App.
- They must not see or manage resources in the other resource groups.

Question 105 (medium, multiple choice)

Three Azure VMs run the same scheduled script and must access both Storage and Key Vault. The team wants one identity that can be reused if a VM is rebuilt, and they do not want the identity tied to a single machine. What should the administrator create?

Question 106 (medium, multiple choice)

A company wants to enforce three controls across all current and future subscriptions under a management group: allowed Azure regions, a required cost center tag, and approved VM SKUs. Central IT wants a single assignment and consolidated compliance reporting. What should they use?

Question 107 (medium, multiple choice)

A support engineer must restart and view the properties of virtual machines only in RG-Dev. The engineer must not gain access to other resource groups in the subscription. What should the administrator do?

Question 108 (easy, multiple choice)

Several Azure VMs need the same Azure identity so they can access a shared resource without storing passwords. The identity should be reusable across VMs and removable centrally. Which identity type should the administrator use?

Question 109 (medium, multiple choice)

A shared resource group contains a VPN gateway and several virtual machines used by the finance department. Administrators must still be able to resize the VMs and update NSG rules, but no one should be able to delete the resource group or anything in it during the quarter-end freeze. Which lock should be applied?

Question 110 (easy, multiple choice)

Based on the exhibit, what should the administrator use to temporarily allow the legacy storage account to remain noncompliant without changing the policy for everyone?

Exhibit

Policy compliance report:
- Assignment: Deny public network access on storage accounts
- Scope: MG-Platform
- Noncompliant resource: stlegacy01 in RG-Legacy
- Business note: The legacy application must stay publicly reachable for 30 days during migration.

Question 111 (easy, multi select)

A company wants to stop users from creating resources in regions that are not approved and also require a Department tag on new resources. Which two tasks are best handled by Azure Policy? Select two.

Question 112 (medium, multiple choice)

A production storage account must remain available for updates, but administrators want to prevent accidental deletion during maintenance windows. Which lock should be applied to the storage account?

Question 113 (easy, multiple choice)

A single Azure virtual machine must read blobs from a storage account without storing any passwords, keys, or connection strings. The identity should be removed automatically if the VM is deleted. Which option should you use?

Question 114 (medium, multiple choice)

Based on the exhibit, which Azure Policy effect should be used so new resources without an Environment tag are blocked at deployment time?

Exhibit

Policy evaluation output
Definition name: Require-Environment
Assignment scope: /subscriptions/1111-2222
Compliance state: Non-compliant
Non-compliant resource: stapp01
Reason: Missing tag 'Environment'
Requirement: Any new resource created without the Environment tag must be prevented from deploying.

Question 115 (medium, multiple choice)

An operations team must apply three related policies to all subscriptions in a department: require a cost-center tag, allow only approved locations, and block certain VM SKUs. They want to assign and track these rules as one unit. What should they create?

Question 116 (medium, multiple choice)

Based on the exhibit, which identity approach should be used so all three virtual machines can reuse the same Azure access without sharing secrets?

Exhibit

Deployment note:
- vm-app1 is in rg-web
- vm-app2 is in rg-api
- vm-app3 is in rg-batch
- All three VMs must read from the same storage account
- The identity must keep working if one VM is reimaged or replaced
- Access should be granted once and then reused by all three VMs

Question 117 (easy, multi select)

An operations team wants to label resources by Department and Environment so they can search and report on ownership across many resource groups. Which two statements are correct? Select two.

Question 118 (medium, multi select)

A production resource group contains application VMs and databases. Operators must be able to update resources inside the group, but nobody should be able to delete the whole group by accident. Finance also wants ownership data to remain with the resources if they are moved to another resource group. Which two actions should you take? Select two.

Question 119 (medium, multiple choice)

Three application VMs in different resource groups must use the same Azure identity to read blobs from a storage account. The identity must continue to work if the VMs are redeployed. What should you use?

Question 120 (easy, multi select)

Finance, HR, and Engineering each have their own subscriptions, and one production resource group must not be deleted by mistake. Which two Azure features should be used? Select two.

Question 121 (hard, multi select)

A service desk must grant and revoke access to an internal application for a changing group of employees. The service desk must not receive any Azure subscription or resource permissions. Which two actions should you take? Select two.

Question 122 (medium, multiple choice)

A web application is made up of several Azure resources that are deployed, updated, and retired together. The team wants one container for applying access control, tags, and deletion protection consistently to the whole application. What should they use?

Question 123 (medium, multiple choice)

An external consultant from another company needs read-only access to a resource group and must sign in with their own work account. What should be created in Microsoft Entra ID?

Question 124 (medium, multiple choice)

Based on the exhibit, which identity should be granted the Contributor role so access can be managed centrally as team members change?

Exhibit

Current access review
Team members:
- Asha Khan
- Ben Miller
- Chen Wu
- Dana Ortiz
All four users need Contributor access to rg-app today.
Requirement: The team changes every month. When people join or leave, the administrator wants to update one membership list instead of editing Azure role assignments for each user.

Question 125 (medium, multi select)

A company has many subscriptions arranged under a management group named Corp. The audit team needs Reader access to every current and future subscription in Corp, and the administrator wants only one role assignment to maintain. Which two actions should be taken? Select two.

Question 126 (medium, multiple choice)

A project team adds and removes contractors every few weeks. The team needs Azure access to follow membership changes without updating role assignments for each person. What should the administrator use to delegate the access?

Question 127 (hard, multi select)

A department has 12 subscriptions under a management group named Corp. New resources must be deployed only in East US or West US and must include a CostCenter tag. A pilot subscription must be exempt from these rules during testing. Which two actions should you take? Select two.

Question 128 (medium, multiple choice)

Based on the exhibit, where should the Network Contributor role be assigned so the engineer can manage only VNet-vm and its subnets, but not other resources in rg-platform?

Exhibit

Shared resource group layout
Resource group: rg-platform
Resources:
- VNet-vm
- VM-web01
- VM-db01
- stlogs
Requirement: A network engineer must create and modify subnets and network settings only for VNet-vm. They must not be able to change either VM or the storage account in the resource group.

Question 129 (medium, multi select)

A contractor pool changes every month. The operations team wants Azure role access to stay the same when people join or leave, without editing role assignments for each person. Which two actions should the administrator take? Select two.

Question 130 (medium, multiple choice)

Based on the exhibit, which Azure feature should the administrator add so ownership and chargeback information remains visible even if resources are moved between resource groups?

Exhibit

Cost reporting extract
Resource name: vm-fin-01 | Resource group: rg-west-prod | Department: blank | Environment: Prod
Resource name: sql-fin-01 | Resource group: rg-west-data | Department: blank | Environment: Prod
Resource name: app-fin-01 | Resource group: rg-east-app | Department: blank | Environment: Test
Requirement: Finance wants each resource to retain ownership metadata for reporting and chargeback, regardless of which resource group the resource is placed in later.

Question 131 (easy, multiple choice)

A company wants to group several subscriptions for Finance, HR, and Engineering so that the same governance settings can be applied above the subscription level. What should the administrator create?

Question 132 (medium, multi select)

A contractor must manage only VM1 and VM2 in rg-prod. The contractor must not be able to manage any other resource in the resource group. Which two role assignment scopes should you create? Select two.

Question 133 (easy, multiple choice)

A production resource group must not be deleted accidentally, but administrators still need to update resources inside it. Which lock should you apply to the resource group?

Question 134 (medium, multiple choice)

A finance application is deployed in a single resource group named rg-finance-app. The team must manage only the resources in that group and must not receive permissions for other resource groups in the subscription. Where should the Contributor role be assigned?

Question 135 (medium, multiple choice)

A company wants to stop users from deploying resources in any region except East US and West US. Users still need to be able to create resources if they choose an approved region. Which Azure feature should the administrator use?

Question 136 (easy, multi select)

A project team adds and removes contractors every month. The admin wants Azure access to update automatically when membership changes without editing role assignments for each person. Which two actions should the admin take? Select two.

Question 137 (easy, multi select)

A team needs to understand Azure RBAC inheritance. Which two statements are correct? Select two.

Question 138 (easy, multiple choice)

An application team needs Contributor access only for the resources in rg-app. They must not manage any other resources in the subscription. At what scope should you assign the role?

Question 139 (medium, multi select)

A platform team wants to prevent engineers from creating VM sizes that are not approved, but they also need the engineers to be able to restart their own VMs. Which two statements are correct? Select two.

Question 140 (easy, multiple choice)

You need one assignment that requires a cost-center tag and also allows only approved locations. What should you use?

Question 141 (easy, multiple choice)

Three Azure virtual machines in different resource groups must all use the same Azure identity to access a storage account. The identity should keep working even if one VM is rebuilt. What should you use?

Question 142 (medium, multi select)

An external consultant must access a resource group in your tenant using the consultant's existing work account. You want to avoid creating a separate username and password pair. Which two actions should the administrator take? Select two.

Question 143 (medium, multi select)

A compliance team wants to identify all resources in a department that are missing an Environment tag, but they do not want to stop users from creating or changing resources. Which two choices should the administrator make? Select two.

Question 144 (medium, multi select)

A production resource group contains web and data resources. Administrators must be able to update, scale, and restart resources, but they must not delete the resource group or any resource inside it during maintenance windows. Which two actions should the administrator take? Select two.

Question 145 (medium, multiple choice)

A platform team wants every current and future subscription under the company's Azure hierarchy to inherit Reader access for a central audit group. The team does not want to create separate assignments for each subscription. Where should the role be assigned?

Question 146 (easy, multi select)

A VM-hosted application must read blobs from Azure Storage without storing any keys or passwords. Which two identity types can the VM use to authenticate to Azure Storage? Select two.

Question 147 (medium, multiple choice)

Based on the exhibit, what should you configure so the analysts can manage group membership without granting Azure resource permissions?

Exhibit

Microsoft Entra ID
Group name: App-Support
Type: Security
Owners: None
Members: 28 users
Requirement: Service desk analysts must add and remove employees from App-Support each week. They must not receive permissions to Azure subscriptions, resource groups, or resources.
Current approach: Analysts sign in with their regular work accounts.

Question 148 (medium, multi select)

Finance, HR, and Engineering each use separate subscriptions. The compliance team wants a simple hierarchy that lets them apply governance to groups of subscriptions and produce resource ownership reports by department and environment. Which two features should the administrator use? Select two.

Question 149 (medium, multiple choice)

A compliance report must show which department and environment owns each Azure resource, even when the resources are spread across many resource groups and subscriptions. Which feature should the administrator use?

Question 150 (hard, multi select)

A contractor needs Contributor on only VM1 and VM2 in rg-prod. Other resources in rg-prod must remain untouched, and the contractor must not gain access to any other resource groups or subscriptions. Which two role-assignment scopes meet the requirement? Select two.

Question 151 (easy, multi select)

An operations team needs one Azure identity that can be attached to several VMs and kept even if a VM is deleted. Which two statements about a user-assigned managed identity are correct? Select two.

Question 152 (easy, multiple choice)

A web app running on an Azure VM must read files from Azure Blob Storage without storing any passwords, secrets, or access keys on the VM. The identity should be tied to that VM and removed automatically if the VM is deleted. What should you enable?

Question 153 (easy, multiple choice)

A contractor team changes every few weeks. The administrator wants Azure access to stay the same when individual contractors leave or join, without editing role assignments for each person. What should be assigned the Azure role?

Question 154 (medium, multiple choice)

Based on the exhibit, which action should the administrator take so Contractor01 can manage the team membership without receiving Azure resource permissions?

Exhibit

Microsoft Entra group details
Group name: AppOps-Admins
Owners: Mia Lopez
Members: Sam Patel, Contractor01
Notes: Contractor01 is a temporary contractor with no existing Azure role assignments.
Requirement: Contractor01 must be able to add or remove members from AppOps-Admins for 30 days, but must not be able to manage Azure resources or receive broader directory permissions.

Question 155 (medium, multiple choice)

A web API runs on a single Azure VM and must access Azure Key Vault without storing any credentials on the VM. The identity should be tied to that VM and removed when the VM is deleted. What should you enable?

Question 156 (easy, multi select)

A VM-hosted app must read blobs from Azure Storage without storing a shared key, SAS token, or password. Which two configuration steps should the administrator take? Select two.

Question 157 (easy, multiple choice)

A partner company needs a developer to access resources in your tenant by using the developer's existing work account. You do not want to create a new separate username and password for that person. What should you create in Microsoft Entra ID?

Question 158 (easy, multiple choice)

Based on the exhibit, which identity approach should the administrator use so both VMs can share the same access without managing secrets or recreating role assignments when a VM is replaced?

Exhibit

Workload note:
- VM01 and VM02 both need to read the same Azure SQL connection metadata from an app registration-protected service.
- The identity must be reusable across multiple VMs.
- The team wants to avoid secrets in scripts and configuration.

Question 159 (medium, multi select)

A company has 18 subscriptions under a management group named Corp. The audit team needs Reader access to all current and future subscriptions in Corp without creating one assignment per subscription. Which two statements are correct? Select two.

Question 160 (medium, multi select)

A team needs Reader access to exactly two Azure resources that are in the same resource group, and they must not gain access to other resources in that group. Which two scope choices are appropriate? Select two.

Question 161 (medium, multi select)

A subscription must block creation of resources in any region except East US and West US, and the security team also wants a nonblocking report of existing resources that are missing a CostCenter tag. Which two Azure Policy effects should you use? Select two.

Question 162 (medium, multi select)

The service desk needs to add and remove users from a support group that grants access to an internal application, but the service desk must not receive Azure subscription permissions. Which two actions should you take? Select two.

Question 163 (medium, multiple choice)

Based on the exhibit, which identity should be enabled on the VM so the application can access Azure Blob Storage and the identity disappears when the VM is deleted?

Exhibit

Application requirement:
- A web API runs on a single Azure VM
- The API must read blobs from Azure Storage without any stored password, key, or connection string
- The identity must be tied to the VM and removed automatically when the VM is deleted

Question 164 (easy, multiple choice)

A team wants every resource in a subscription to include a Department tag. New resources that do not have the tag should be blocked from being created. Which Azure Policy effect should you use?

Question 165 (medium, multiple choice)

A project team adds and removes contractors every month. The team wants Azure role assignments to stay the same when individual contractors leave or join, and access should be granted to everyone on the team through one control point. What should the administrator assign the Azure role to?

Question 166 (easy, multiple choice)

A central audit group must have Reader access for every current and future subscription in the company hierarchy. You want one assignment that will apply broadly as new subscriptions are added. Where should the role be assigned?

Question 167 (easy, multi select)

A department wants three related policies grouped together and assigned as one unit to a set of subscriptions. Which two statements about an Azure Policy initiative are correct? Select two.

Question 168 (easy, multiple choice)

Three VMs run the same batch app and should use the same Azure identity to read blobs. The identity should remain available even if one VM is deleted. Which identity should you use?

Question 169 (medium, multiple choice)

Based on the exhibit, which lock should the administrator apply to protect the resource group from accidental deletion while still allowing normal updates to the resources inside it?

Exhibit

Resource group details
Name: rg-payroll-prod
Resources:
- 6 virtual machines
- 2 storage accounts
- 1 Key Vault
Maintenance requirement: Administrators must continue starting, stopping, resizing, and updating the resources during the maintenance window. The only thing that must be prevented is accidental deletion of the entire resource group.

Question 170 (hard, multiple choice)

Three Azure VMs in separate resource groups run the same data-processing agent. The agent must read blobs from a storage account, and the access must continue to work if any VM is rebuilt or replaced. The operations team also wants one identity they can reassign to future VMs without creating another credential. Which identity approach should be used?

Question 171 (medium, multiple choice)

Based on the exhibit, which Azure Policy construct should the administrator use to deploy and manage these guardrails as one unit across the department?

Exhibit

Policy set draft
Name: Dept-Guardrails
Included rules:
- Allowed locations: East US, West US
- Require tag: CostCenter
- Deny public IP creation on virtual machines
Requirement: The same three controls must be assigned together to all subscriptions in the department, and the department wants one object to manage instead of three separate assignments.

Question 172 (medium, multiple choice)

Based on the exhibit, where should the Reader role be assigned so the audit team automatically has access to every current and future subscription under Corp?

Exhibit

Azure governance hierarchy
Root management group
└── Corp
    ├── Prod
    │   ├── Sub-001
    │   └── Sub-002
    └── NonProd
        ├── Sub-101
        └── Sub-102
Requirement: The audit team needs read-only access across all subscriptions that are or will be placed under Corp, without creating separate assignments for each subscription.

Question 173 (medium, multi select)

An operations team must enforce two rules across all subscriptions in a department: new resources must include a CostCenter tag, and deployments are allowed only in East US and West US. The team wants one assignment and automatic blocking of noncompliant deployments. Which three actions should the administrator take? Select three.

Question 174 (medium, multiple choice)

A company wants to stop users from creating resources in any Azure region except East US and West US across all subscriptions. Which Azure feature should be used to enforce this requirement?

Question 175 (easy, multiple choice)

A VM-hosted application must read blobs from an Azure Storage account without storing any secret in code or configuration. Which identity should you enable on the VM?

Question 176 (medium, multi select)

A project team expects frequent joiners and leavers. The same Azure permissions are needed for all members of the team, and you want to avoid editing role assignments for each person. Which two actions best meet the requirement? Select two.

Question 177 (medium, multi select)

A department has 10 subscriptions and wants the same two governance rules applied to all current and future subscriptions. One rule audits missing tags, and the other denies unapproved locations. Which two actions should the administrator take? Select two.

Question 178 (easy, multiple choice)

A central audit team needs Reader access on every current and future subscription under the company hierarchy. Which scope should you use for the role assignment?

Question 179 (easy, multiple choice)

You want to group subscriptions for Finance, HR, and Engineering so you can apply governance consistently at a higher level. What should you create?

Question 180 (medium, multi select)

Finance wants every resource created in one production resource group to receive the tag CostCenter=FINSVC automatically, but deployments should not be blocked if a template omits the tag. Existing resources should be updated when possible. Which two actions should the administrator take? Select two.

Question 181 (medium, multiple choice)

A production resource group contains several VMs and a storage account. The operations manager wants to prevent accidental deletion of the resource group and its resources, but still allow normal configuration changes during maintenance windows. Which lock should be applied to the resource group?

Question 182 (easy, multiple choice)

Based on the exhibit, three VMs in different resource groups must use the same Azure identity, and the identity must continue working if one VM is deleted and recreated. What should you use?

Exhibit

Identity requirement:
- VM1 in rg-web
- VM2 in rg-api
- VM3 in rg-batch
- All three VMs need the same access to an Azure service
- The identity must not disappear when any one VM is deleted

Question 183 (easy, multiple choice)

Based on the exhibit, what is the best way to simplify access management for the project team?

Exhibit

Current access model:
- User: Alex has Reader on RG-App
- User: Bri has Reader on RG-App
- User: Chen has Reader on RG-App
- User: Dana has Reader on RG-App

Requirement:
- All current project members should keep the same access.
- If someone joins or leaves the team, access should be updated in one place.

Question 184 (hard, multi select)

RG-Prod hosts line-of-business workloads. The business wants to prevent accidental deletion of the resource group during change freezes and also ensure every new resource carries a CostCenter tag for chargeback. Which two governance controls should be used? Select two.

Question 185 (medium, multiple choice)

Based on the exhibit, an Azure Policy with the Modify effect was assigned to add Environment=Prod to resources in RG-Prod. New resources get the tag, but existing virtual machines still do not have it. What should the administrator do next?

Exhibit

Policy assignment details:
- Scope: RG-Prod
- Policy definition: Add tag Environment=Prod
- Effect: Modify
Observed result:
- New resources are tagged
- Existing VMs in RG-Prod remain untagged

Question 186 (easy, multiple choice)

An Azure Policy that appends the Environment tag is assigned to a subscription. New virtual machines get the tag, but existing VMs do not. What should the administrator do next?

Question 187 (easy, multiple choice)

Help desk staff must start, stop, and restart virtual machines in one application resource group. They must not create or delete VMs or modify networking or disks. Which built-in role should you assign?

Question 188 (easy, multi select)

A VM-hosted app needs to upload blobs without storing a storage account key or password on the VM. Which two authentication options meet this requirement? Select two.

Question 189 (easy, multiple choice)

Based on the exhibit, an Azure VM must read secrets from Azure Key Vault during startup. No passwords, certificates, or client secrets may be stored on the VM. What should you configure?

Network Topology
az vm create --resource-group rg-app --name vm01 --image Ubuntu2204 --admin-username azureadmin
Application note:

Question 190 (medium, multiple choice)

A security team needs to grant and remove RBAC access for a set of operators on resources in one resource group, but those operators must not create, modify, or delete the resources themselves. Which built-in role should be assigned?

Question 191 (medium, multiple choice)

Based on the exhibit, the Prod management group contains three subscriptions that host application workloads. An operations group must be able to read all current and future resources in those Prod subscriptions, but it must not have access to Sandbox. Where should you assign the Reader role?

Exhibit

Management group layout:
- Corp
  - Prod
    - AppSub1
    - AppSub2
    - AppSub3
  - Sandbox
    - DevSub1
Requirement:
- OpsGroup must read everything in Prod only
- New subscriptions added under Prod should inherit access automatically

Question 192 (medium, multiple choice)

A contractor needs read-only access to resources in one application resource group. The access must be removed immediately when the contractor is removed from the contractor team. What is the best access strategy?

Question 193 (easy, multiple choice)

Based on the exhibit, a compliance team must read all current and future resources in every subscription under the Corp management group. Where should you assign the Reader role?

Exhibit

Management group hierarchy:
Corp
├─ Sub-Prod-01
│  └─ RG-Finance
└─ Sub-Prod-02
   └─ RG-Shared

Current role assignment:
- Reader assigned to Entra ID group Auditors at scope: /providers/Microsoft.Management/managementGroups/Corp

Requirement:
- Members of Auditors must read resources in any new subscription added under Corp without adding another assignment.

Question 194 (easy, multiple choice)

Based on the exhibit, the team must prevent accidental deletion of a resource group, but administrators still need to update settings on resources inside it. Which lock should you apply?

Exhibit

Resource group: RG-Prod
Current lock:
- Type: None

Change request:
- Prevent accidental deletion of RG-Prod and its resources.
- Allow administrators to change VM sizes, tags, and NSG rules when needed.

Question 195 (medium, multi select)

An enterprise has a management group named Corp that contains all production and sandbox subscriptions. An Entra ID group named Auditors must be able to read resources in every current subscription under Corp and in any subscription added later. Which two actions should the administrator take? Select two.

Question 196 (hard, multi select)

A policy initiative is assigned at the Corp management group to enforce allowed locations and required tags. A new subscription is added under Corp later. Which two statements are true? Select two.

Question 197 (hard, multi select)

A management group named Corp contains subscription Sales. RG-App is in Sales and contains several virtual machines. The Auditors group must read every resource in Sales, including resources in future resource groups created under that subscription. The ServerOps group must be able to start, stop, and restart only the virtual machines in RG-App. Which two role assignments should the administrator configure? Select two.

Question 198 (medium, multi select)

Three application VMs in separate resource groups must use the same identity to read a configuration endpoint. The identity must keep working if any one VM is deleted and later recreated. Which three actions should the administrator take? Select three.

Question 199 (medium, multiple choice)

Based on the exhibit, the help desk team must be able to restart virtual machines in RG-App, but they must not be able to create, delete, or resize VMs. What is the best action?

Exhibit

Current assignments for RG-App:
- HelpDeskGroup -> Reader
- PlatformAdmins -> Contributor
Business requirement:
- HelpDeskGroup can start, stop, and restart VMs only
- HelpDeskGroup must not manage NICs, disks, or other resources

Question 200 (medium, multi select)

An operations team must be able to restart virtual machines in one resource group. They must not create, delete, resize, or change disks or networking. Which two actions should the administrator take? Select two.

Question 201 (medium, multiple choice)

Based on the exhibit, the production resource group must not be deleted during a change freeze, but administrators still need to update VM sizes and tag values. Which lock should you apply?

Exhibit

Change-freeze requirement:
- Prevent accidental deletion of RG-Prod
- Allow normal configuration changes inside the resource group
- VM resize operations must still work
Current lock state:
- No locks are configured

Question 202 (medium, multiple choice)

During a change freeze, an administrator applies a lock to a resource group. Users can still read resource details, but attempts to update tags, resize a VM, or change an NSG fail. Which lock was applied?

Question 203 (medium, multi select)

A platform team must enforce two governance rules across every current and future subscription under a management group: only East US and West US deployments are allowed, and every resource must include an Environment tag. Which three actions should the administrator take? Select three.

Question 204 (easy, multiple choice)

The finance team wants every resource created in one resource group to carry the same CostCenter tag automatically. They want to reduce manual entry and keep the tag value consistent. What should you configure?

Question 205 (medium, multiple choice)

A contractor should be able to view resources in one resource group for 30 days. When the contract ends, removing the contractor from the group should immediately remove access. What is the best approach?

Question 206 (medium, multiple choice)

Based on the exhibit, every resource created in RG-Finance must automatically receive CostCenter=FIN, but deployments should not fail if the tag is omitted. What should you configure?

Exhibit

Resource group requirement:
- Scope: RG-Finance
- Every new resource must carry CostCenter=FIN
- Missing tag should be added automatically when possible
- Deployments must not be blocked
Current state:
- Teams manually add tags today
- Inconsistent tag values are common

Question 207 (hard, multi select)

RG-Prod is locked during a change freeze with a CanNotDelete lock. Administrators still need to keep the environment healthy without removing the lock. Which three actions can still be completed? Select three.

Question 208 (medium, multiple choice)

An administrator assigned a modify policy at the subscription scope to add a CostCenter tag to new virtual machines. New VMs now have the tag, but older VMs in the subscription still do not. What must the administrator do to bring the existing VMs into compliance?

Question 209 (hard, multi select)

A Modify policy adds CostCenter=042 to resources in RG-Finance. New resources are tagged correctly, but existing virtual machines remain untagged. What three requirements must be met for the assignment to update the existing resources? Select three.

Question 210 (medium, multiple choice)

A support team must be able to start, stop, and restart virtual machines in one application resource group, but they must not create or delete VMs, modify disks, or manage networking. What is the best access approach?

Question 211 (medium, multiple choice)

Based on the exhibit, an administrator wants to prevent new Azure resources from being deployed in any region except East US and West US across the entire Corp hierarchy. What should the administrator configure?

Exhibit

Governance requirement:
- All current and future subscriptions under Corp must be restricted to East US and West US
- Deployments to any other region must be blocked
Current state:
- Contributors already have permission to create resources
- No region restriction is currently in place

Question 212 (medium, multiple choice)

Based on the exhibit, a support lead must manage role assignments for RG-Apps so the team can grant or revoke access for others. The support lead must not be able to change resource configurations. Which role should you assign?

Exhibit

Requested permissions:
- Add or remove Azure RBAC role assignments for RG-Apps
- Do not allow resource configuration changes
- Do not allow resource creation or deletion
Existing assignments:
- SupportLead -> Reader
- AppOwners -> Contributor

Question 213 (hard, multiple choice)

Based on the exhibit, which change should the administrator make so the application identity remains stable across VM redeployments without reapplying RBAC assignments?

Exhibit

Bicep snippet:
resource vm 'Microsoft.Compute/virtualMachines@2023-09-01' = {
  name: 'appvm01'
  location: resourceGroup().location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    hardwareProfile: {
      vmSize: 'Standard_D2s_v5'
    }
    osProfile: {
      computerName: 'appvm01'
    }
  }
}

Operational note:
- The VM is rebuilt every month from source control.
- The workload must read secrets from Key Vault and upload logs to Blob Storage.
- Recreating the VM must not require new role assignments for the workload identity.

Question 214 (easy, multiple choice)

A finance analyst needs read-only access to one storage account named stprod01. The analyst must not see other resources in the subscription. Where should you assign the Reader role?

Question 215 (easy, multiple choice)

Based on the exhibit, a script running on an Azure VM must create resources in another subscription without using passwords or client secrets. Which command should the administrator use first?

Exhibit

Script context:
- The script runs on an Azure VM
- Azure CLI is installed
- The VM has been assigned a managed identity
- The script needs to call Azure Resource Manager in another subscription
- No stored credentials are allowed on the VM

Question 216 (hard, multi select)

A ReadOnly lock is applied to RG-App. Which two requested changes will fail because of the lock? Select two.

Question 217 (hard, multiple choice)

The platform team wants to block deployment of virtual machines that use any size except a small approved list. Operators already have Contributor access and should keep that access for other tasks. Which Azure control should the administrator use to enforce the size restriction?

Question 218 (medium, multi select)

A DevOps engineer must run an Azure CLI script from a Windows VM to create resources in a specific resource group in another subscription. The script must not use a client secret or password, and access should be limited to only that resource group. Which three actions should the administrator take? Select three.

Question 219 (easy, multiple choice)

Based on the exhibit, help desk staff must restart virtual machines only in RG-App. What is the narrowest scope where you should assign the role?

Exhibit

Subscription: Sub-IT-01
Resource groups:
- RG-App
  - vm-app01
  - vm-app02
- RG-Shared
  - vm-dns01

Requirement:
- Help desk operators can restart VMs in RG-App only.
- They must not affect VMs in RG-Shared.

Question 220 (medium, multiple choice)

A security team wants operators in one resource group to start, stop, and restart virtual machines, but they must not create VMs, delete VMs, or manage disks and networking. What should the administrator configure?

Question 221 (medium, multiple choice)

A platform team must enforce three governance rules across every subscription in a management group: allowed Azure regions, required Environment tags, and approved VM sizes. They want one assignment that groups the rules together and gives a single compliance view. What should they use?

Question 222 (medium, multi select)

A production resource group must be protected from accidental deletion during a change freeze. Administrators still need to update VM sizes, rotate tags, and change NSG rules. Which two actions should the administrator take? Select two.

Question 223 (easy, multiple choice)

Based on the exhibit, a subscription policy must add CostCenter=042 to new resources, and deployments must not fail if the tag is missing. Which policy effect should you use?

Exhibit

Policy design notes:
- Scope: subscription
- Target: all resource groups
- Desired outcome: add tag CostCenter=042 automatically
- Requirement: do not block the deployment if the tag is omitted

Policy effects being considered:
- Deny
- Audit
- Append
- Modify

Question 224 (easy, multiple choice)

A developer wants to give one Azure VM access to Azure Storage now, and that identity should be removed automatically if the VM is deleted. Which identity type should the administrator assign?

Question 225 (medium, multiple choice)

A modify policy that appends a CostCenter tag was assigned to a management group. The policy shows as assigned, but older virtual machines still lack the tag. What must the administrator do to update those existing resources?

Question 226 (easy, multiple choice)

During a change freeze, administrators must prevent deletion of a production resource group and all resources inside it, but they still need to update VM sizes and tags. Which lock should be applied?

Question 227 (hard, multiple choice)

A platform team must enforce two governance rules across every current and future subscription under a management group: resources must include an Environment tag, and only East US or West US may be used for deployment. They want one compliance view for both rules and a way to correct missing tags on existing resources where supported. What should they assign?

Question 228 (hard, multi select)

A subscription already grants Contributor to an application team. The organization wants to prevent deployments in unsupported Azure regions and ensure every new resource has an Environment tag. Which two controls should be implemented with Azure Policy rather than RBAC? Select two.

Question 229 (hard, multiple choice)

A team operates two Azure VMs that both need to call Azure services with the same identity. The VMs are rebuilt frequently, and the identity must continue to work if either VM is deleted and recreated. Which identity should the administrator attach?

Question 230 (medium, multiple choice)

Three Azure VMs in different resource groups need to access the same Azure resources using one identity. The identity must keep working if any VM is deleted and recreated. What should the administrator assign to the VMs?

Question 231 (medium, multiple choice)

An enterprise uses one management group to contain five subscriptions for a business unit. A compliance auditor in an Entra ID group needs read-only access to every current and future resource in all five subscriptions, but must not see resources in other business units. What is the best scope for the Reader role assignment?

Question 232 (easy, multiple choice)

Based on the exhibit, where should the administrator go to see which resources are non-compliant with the assigned policy?

Exhibit

Policy assignment: Require-Environment-Tag
Compliance summary:
- Compliant resources: 18
- Non-compliant resources: 5
- Evaluation time: 2026-04-26 10:30 UTC

Need:
- Identify the specific non-compliant resources
- Review why they failed the policy evaluation

Question 233 (medium, multiple choice)

A PowerShell script runs on an Azure VM every night and uses Azure CLI commands to create tags and VM resources in another subscription. The script cannot store a password or client secret. What should it use to authenticate to Azure?

Question 234 (easy, multiple choice)

A newly created VM must read secrets from Azure Key Vault. The solution must not store credentials on the VM, and the identity should disappear automatically when the VM is deleted. What should the administrator enable?

Question 235 (easy, multiple choice)

An administrator wants to run a one-time Azure CLI command from inside a VM to create a resource in Azure, but the administrator does not want to store credentials on the VM. What should be used for authentication?

Question 236 (hard, multiple choice)

A project team has 12 operators who need to read resource properties and restart only the virtual machines in one application resource group. Access should be removed automatically when an operator leaves the team, and any new VMs added to that resource group should inherit the same access without further changes. What should the administrator configure?

Question 237 (hard, multiple choice)

An enterprise has a management group named Corp. Corp contains two child management groups: Prod and Sandbox. A compliance auditor is a member of an Entra ID group and must have read-only access to every current and future resource in all subscriptions that are under Prod. The auditor must not see resources in Sandbox, and the admin does not want to maintain separate assignments for each new subscription. What should the administrator do?

Question 238 (medium, multiple choice)

An Azure administrator deploys a Linux VM that runs an application needing to read secrets from Azure Key Vault. The security policy forbids storing passwords, certificates, or access tokens on the VM. The application will run only on this single VM. What should be enabled on the VM?

Question 239 (hard, multiple choice)

Based on the exhibit, where should you assign the Reader role so the Auditors group can read every current and future resource in the Sales subscription, including resource groups created later, while not granting access to the Research subscription?

Exhibit

Tenant hierarchy:
- Corp (management group)
  - Sales (subscription)
    - RG-Web
    - RG-Data
  - Research (subscription)
    - RG-Lab

Requirement from the business owner:
- Auditors must view all resources in Sales.
- Any new resource group created under Sales must also be covered.
- Auditors must not see resources in Research.

Question 240 (medium, multiple choice)

A company uses one management group for all production subscriptions. A compliance analyst is a member of an Entra ID group and must view every current and future resource in all production subscriptions, but must not make any changes. Where should you assign the Reader role?

Question 241 (easy, multiple choice)

The platform team wants to block deployment of Azure resources in any region except East US and West US. What should they configure?

Question 242 (medium, multi select)

An administrator assigned a policy definition with the Modify effect to add tag Environment=Prod to resources in a subscription. Existing VMs still do not show the tag. Which two actions should the administrator take to bring the existing VMs into compliance? Select two.

Question 243 (easy, multiple choice)

Based on the exhibit, which Azure service is preventing deployment because the resource is missing a required tag?

Exhibit

Policy assignment summary:
Name: Require-Environment-Tag
Scope: /subscriptions/11111111-2222-3333-4444-555555555555
Effect: deny
Compliance state: Non-compliant

Deployment error:
Resource creation blocked by policy. The request did not include tag 'Environment'.

Question 244 (hard, multiple choice)

An Azure CLI script runs on a utility VM every night to create and tag resources in another subscription. The script cannot store a password or client secret, and the VM is regularly redeployed from a standard image. What is the best identity design?

Question 245 (medium, multi select)

A contractor from a partner company needs read-only access to one application resource group for 14 days. When the contractor leaves the project, access should be removed immediately by removing a single identity from a group. Which two actions should the administrator take? Select two.

Question 246 (easy, multiple choice)

An administrator wants a script running on an Azure VM to create a resource in Azure without storing any passwords or client secrets on the VM. What should the administrator configure first?

Question 247 (easy, multiple choice)

A company has 12 subscriptions under one management group. An external auditor needs Reader access to resources in every current and future subscription under that management group. Where should you assign the role?

Question 248 (medium, multiple choice)

The platform team wants every resource deployed in a subscription to include an Environment tag. New resources that do not meet the rule must be blocked, and existing noncompliant resources should appear in compliance reports. What should be configured?

Question 249 (medium, multiple choice)

During a change freeze, the operations team wants to prevent accidental deletion of a production resource group and everything in it. They still need to update VM settings, change tags, and modify network rules. Which lock should be applied?

Question 250 (easy, multiple choice)

A team has 20 operators who need the same Reader access to one application resource group. You want to grant access and later revoke it by changing group membership instead of editing each user's permissions. What should you use for the role assignment?

Question 251 (hard, multiple choice)

A finance team wants every resource created in one production resource group to carry CostCenter=PRD automatically. They do not want deployments blocked if a team forgets the tag, but they do want existing resources and future resources in that resource group to converge on the correct tag value. What should the administrator configure?

Question 252 (medium, multi select)

An administrator wants to let a help desk group start, stop, and restart virtual machines in one resource group, but the group must not be able to delete the VMs or any other resource in the group. Which two actions should the administrator take? Select two.

Question 253 (medium, multiple choice)

A team can already deploy virtual machines, but they want to prevent users from creating VMs unless the deployment includes an approved tag. They also want to see which existing resources do not meet the rule. What should the administrator use?

Question 254 (medium, multi select)

You are designing a governance strategy for an Azure environment that includes multiple subscriptions. You need to ensure that all resources deployed in the production subscription adhere to specific regulatory compliance requirements, such as encryption at rest and denying public network access. Which three of the following should you implement? (Choose three.)

Question 255 (medium, multi select)

Your organization has an Azure Active Directory (Azure AD) tenant with 500 users. You need to ensure that users can reset their own passwords without IT support, but only if they have registered for multi-factor authentication (MFA). Additionally, you want to prevent users from reusing their last 10 passwords. Which three of the following should you configure? (Choose three.)

Question 256 (medium, multi select)

You are responsible for managing Azure resources in a hybrid environment. Your on-premises Active Directory Domain Services (AD DS) is synced to Azure AD using Azure AD Connect. You need to ensure that administrative units (AUs) are used to delegate administration of specific groups of users to help desk staff. Which three of the following are true regarding administrative units in Azure AD? (Choose three.)

Question 257 (medium, multi select)

You are an Azure administrator for a company that is planning to implement a new Azure environment. The company has the following requirements:
- Users must be able to sign in using their on-premises Active Directory credentials.
- Multi-factor authentication (MFA) must be enforced for all administrative users.
- Access to Azure resources must be controlled using role-based access control (RBAC) with custom roles.
- Audit logs must be retained for a minimum of three years.
Which four of the following solutions should you implement to meet these requirements? Choose all that apply. (There are four correct answers.)

Question 258 (medium, drag order)

Arrange the steps to create a virtual network in Azure with a subnet and deploy a VM.

Question 259 (medium, drag order)

Order the steps to set up Azure Site Recovery for on-premises to Azure.

