An operations team must enforce two rules across all subscriptions in a department: new resources must include a CostCenter tag, and deployments are allowed only in East US and West US. The team wants one assignment and automatic blocking of noncompliant deployments. Which three actions should the administrator take? Select three.

Grant Contributor at the subscription scope.

Contributor is an RBAC permission, not a policy control. It allows resource management but does not enforce tag or location compliance and does not block noncompliant deployments.

Apply a CanNotDelete lock to each resource group.

Locks protect resources from deletion or modification, but they do not enforce deployment standards like required tags or approved locations. They solve a different governance problem.

What does this AZ-104 question test?

Standard ACLs match source addresses.

What is the correct answer to this question?

The correct answer is: Create an Azure Policy initiative that contains both policy definitions. — A single initiative is the best way to package the two related policy definitions, and assigning it at the management group scope applies it across all department subscriptions. The Deny effect is what enforces the rules at deployment time, preventing resources that lack the required tag or use disallowed regions. Together, these three actions create centralized, enforceable governance. Why others are wrong: RBAC permissions do not enforce compliance rules, and locks are for protecting existing resources rather than controlling policy-based deployment conditions. The scenario calls for centralized governance and blocking behavior, which is the job of Azure Policy, not RBAC or resource locks.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.