A compliance team wants to identify all resources in a department that are missing an Environment tag, but they do not want to stop users from creating or changing resources. Which two choices should the administrator make? Select two.

Use the Deny effect.

Deny would block the deployment or update if the tag is missing. That conflicts with the requirement to let users continue creating and changing resources.

Grant Reader on the subscription to the compliance team.

Reader helps people view resources, but it does not evaluate compliance or generate policy results. Policy is the control that identifies missing tags, not RBAC.

Apply a ReadOnly lock to all resource groups.

ReadOnly locks interfere with normal management operations and still do not provide compliance reporting for missing tags. This is the wrong tool for the task.

What does this AZ-104 question test?

Static NAT maps one inside address to one outside address.

What is the correct answer to this question?

The correct answer is: Use an Azure Policy assignment with the Audit effect. — If the goal is to report noncompliance without stopping work, Audit is the correct policy effect. It surfaces missing tags while leaving deployments and updates uninterrupted. Assigning the policy at the management group scope makes the check apply across all department subscriptions through one governance point. This combination supports compliance visibility without introducing operational friction. Why others are wrong: Deny would block activity, which the scenario explicitly rejects. Reader and locks do not perform policy evaluation or compliance reporting. The distinction being tested is simple: Azure Policy audits or enforces, while RBAC and locks do something else entirely.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.