AZ-104 Manage Azure Identities and Governance Practice Question
This AZ-104 practice question tests your understanding of manage azure identities and governance. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
Resource group: RG-Prod-Shared
Resources:
- prodvm01 (Microsoft.Compute/virtualMachines)
- prodstore01 (Microsoft.Storage/storageAccounts)
Change control note:
- Updates must still be allowed
- Accidental deletion must be prevented
- Lock should apply to both resources in the group
Based on the exhibit, a shared resource group contains a production virtual machine and a storage account. Administrators must be able to update settings, but they must not be able to delete either resource by mistake. Which lock should be applied at the resource group scope?
Exhibit
Resource group: RG-Prod-Shared
Resources:
- prodvm01 (Microsoft.Compute/virtualMachines)
- prodstore01 (Microsoft.Storage/storageAccounts)
Change control note:
- Updates must still be allowed
- Accidental deletion must be prevented
- Lock should apply to both resources in the group
A
ReadOnly lock, because it prevents all changes and keeps resources fully protected.
Why wrong: ReadOnly is too restrictive because it blocks write operations as well as deletions. The scenario says administrators must still be able to update settings, so a ReadOnly lock would prevent legitimate management tasks and break the requirement.
B
CanNotDelete lock, because it allows updates but blocks deletion.
CanNotDelete is the correct choice when administrators still need to modify resource settings but must be prevented from deleting the resources. Applied at the resource group scope, it protects both the VM and the storage account from accidental deletion while preserving normal update operations.
C
No lock is needed because Azure RBAC already prevents deletion by default.
Why wrong: Azure RBAC does not block deletion by default if a user has sufficient permissions. Since the requirement is specifically to prevent accidental deletion, a resource lock is needed in addition to any role assignments.
D
Management group lock, because all changes in the tenant must be blocked centrally.
Why wrong: Management groups are for organizing subscriptions and applying governance at a high level, but the question is about protecting one resource group. A management group lock is not the right concept here and would be far broader than required.
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓
CanNotDelete lock, because it allows updates but blocks deletion.
The CanNotDelete lock (option B) is correct because it allows administrators to update settings on the production VM and storage account while preventing accidental deletion of either resource. This lock operates at the resource group scope, applying to all resources within it, and is the appropriate choice for the stated requirement of allowing updates but blocking deletions.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✗
ReadOnly lock, because it prevents all changes and keeps resources fully protected.
Why it's wrong here
ReadOnly is too restrictive because it blocks write operations as well as deletions. The scenario says administrators must still be able to update settings, so a ReadOnly lock would prevent legitimate management tasks and break the requirement.
When this WOULD be correct
A ReadOnly lock would be correct in a scenario where the requirement is to prevent any changes to resources, such as protecting a critical production database from accidental modifications while still allowing read access.
✓
CanNotDelete lock, because it allows updates but blocks deletion.
Why this is correct
CanNotDelete is the correct choice when administrators still need to modify resource settings but must be prevented from deleting the resources. Applied at the resource group scope, it protects both the VM and the storage account from accidental deletion while preserving normal update operations.
Related concept
Read the scenario before looking for a memorised answer.
✗
No lock is needed because Azure RBAC already prevents deletion by default.
Why it's wrong here
Azure RBAC does not block deletion by default if a user has sufficient permissions. Since the requirement is specifically to prevent accidental deletion, a resource lock is needed in addition to any role assignments.
When this WOULD be correct
If the question stated that administrators already have a custom RBAC role that denies delete actions, and the requirement is to prevent any further changes, then no additional lock is needed.
✗
Management group lock, because all changes in the tenant must be blocked centrally.
Why it's wrong here
Management groups are for organizing subscriptions and applying governance at a high level, but the question is about protecting one resource group. A management group lock is not the right concept here and would be far broader than required.
When this WOULD be correct
A management group lock would be correct if the question asked for a lock that prevents deletion of all resources across multiple subscriptions under a management group, such as when enforcing a policy that no resources in the entire organization can be deleted.
Option-by-option analysis
Why each answer is right or wrong
Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The AZ-104 exam frequently reuses these exact scenarios with slightly different constraints.
✓CanNotDelete lock, because it allows updates but blocks deletion.Correct answer▾
Why this is correct
CanNotDelete is the correct choice when administrators still need to modify resource settings but must be prevented from deleting the resources. Applied at the resource group scope, it protects both the VM and the storage account from accidental deletion while preserving normal update operations.
✗ReadOnly lock, because it prevents all changes and keeps resources fully protected.Wrong answer — click to see why▾
Why this is wrong here
The question requires that administrators can update settings, but a ReadOnly lock prevents all updates, which is too restrictive for the stated requirement.
★ When this WOULD be the correct answer
A ReadOnly lock would be correct in a scenario where the requirement is to prevent any changes to resources, such as protecting a critical production database from accidental modifications while still allowing read access.
Why candidates choose this
Candidates may think ReadOnly lock is the safest choice to prevent accidental deletion, overlooking that it also blocks necessary updates.
✗No lock is needed because Azure RBAC already prevents deletion by default.Wrong answer — click to see why▾
Why this is wrong here
Azure RBAC does not prevent deletion by default; the Contributor role, for example, allows deletion. A lock is required to explicitly block deletion while allowing updates.
★ When this WOULD be the correct answer
If the question stated that administrators already have a custom RBAC role that denies delete actions, and the requirement is to prevent any further changes, then no additional lock is needed.
Why candidates choose this
Candidates may confuse RBAC permissions with resource locks, assuming that default roles like Contributor already block deletion, which is incorrect.
✗Management group lock, because all changes in the tenant must be blocked centrally.Wrong answer — click to see why▾
Why this is wrong here
Management group locks apply to all subscriptions within a management group hierarchy, not to a single resource group. The question specifies a resource group scope, so a management group lock is too broad and would affect other resources unnecessarily.
★ When this WOULD be the correct answer
A management group lock would be correct if the question asked for a lock that prevents deletion of all resources across multiple subscriptions under a management group, such as when enforcing a policy that no resources in the entire organization can be deleted.
Why candidates choose this
Candidates may confuse management group locks with resource group locks, thinking that applying a lock at a higher scope is more effective or simpler, without considering the scope requirements of the question.
Analysis generated from the official AZ-104blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates often confuse ReadOnly locks with CanNotDelete locks, mistakenly thinking that preventing all changes is safer, but the question explicitly requires allowing updates, making ReadOnly locks too restrictive.
Trap categories for this question
Scenario analysis trap
ReadOnly is too restrictive because it blocks write operations as well as deletions. The scenario says administrators must still be able to update settings, so a ReadOnly lock would prevent legitimate management tasks and break the requirement.
Detailed technical explanation
How to think about this question
Azure resource locks are applied at the scope level (e.g., subscription, resource group, or resource) and override any RBAC permissions, meaning even an Owner cannot delete a resource with a CanNotDelete lock. The lock is enforced via Azure Resource Manager, which checks the lock before allowing any DELETE or POST (for updates) operations; a ReadOnly lock would block both PUT and DELETE operations, while CanNotDelete only blocks DELETE. In a real-world scenario, this lock is critical for production environments where accidental deletion could cause significant downtime, but updates (e.g., scaling a VM or changing storage account tier) must remain possible.
KKey Concepts to Remember
Read the scenario before looking for a memorised answer.
Find the constraint that changes the correct option.
Eliminate answers that are true in general but not in this case.
TExam Day Tips
→Watch for words such as best, first, most likely and least administrative effort.
→Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.
Related glossary terms
Concepts from this question explained
These glossary pages explain the core terms tested in this AZ-104 question in full detail.
Manage Azure Identities and Governance — This question tests Manage Azure Identities and Governance — Read the scenario before looking for a memorised answer..
What is the correct answer to this question?
The correct answer is: CanNotDelete lock, because it allows updates but blocks deletion. — The CanNotDelete lock (option B) is correct because it allows administrators to update settings on the production VM and storage account while preventing accidental deletion of either resource. This lock operates at the resource group scope, applying to all resources within it, and is the appropriate choice for the stated requirement of allowing updates but blocking deletions.
What should I do if I get this AZ-104 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
This AZ-104 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the AZ-104 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.