A subscription already grants Contributor to an application team. The organization wants to prevent deployments in unsupported Azure regions and ensure every new resource has an Environment tag. Which two controls should be implemented with Azure Policy rather than RBAC? Select two.

Create a custom RBAC role that blocks resources deployed outside approved regions.

RBAC authorizes actions, but it cannot conditionally deny based on a resource property such as region.

Add a CanNotDelete lock to every resource group.

Locks prevent deletion or writes, but they do not validate required tags or allowed locations.

Grant User Access Administrator to the deployment team.

This only changes authorization capabilities and does not enforce deployment compliance rules.

What does this AZ-104 question test?

Authentication checks who the user is.

What is the correct answer to this question?

The correct answer is: Assign an allowed-locations policy at the management group or subscription scope. — Azure Policy is the correct control for deployment governance such as allowed locations and required tags. RBAC determines who can perform actions, but it does not evaluate whether the resource matches a rule. In this scenario, policy should be used to prevent unsupported regions and to enforce the Environment tag on newly deployed resources. The team can keep Contributor access for normal operations while policy handles compliance enforcement. Why others are wrong: A custom RBAC role cannot deny deployments based on region, and User Access Administrator only controls role assignments. CanNotDelete locks do not validate tags or locations; they only protect against deletion and, in some cases, write operations. These are authorization or protection tools, not compliance rules.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.