The correct choice is to apply a CanNotDelete lock to the resource group, as this lock prevents the resource group itself from being deleted while still allowing normal create, modify, and delete operations on the resources inside it. This works because the CanNotDelete lock (often called a Delete lock) operates at the resource group scope, blocking any deletion of that container without restricting updates to its child resources. On the AZ-104 exam, this scenario tests your understanding of Azure lock inheritance and scope—a common trap is confusing the ReadOnly lock, which blocks all updates, or assuming a lock on individual resources is needed. Remember, the CanNotDelete lock protects the parent resource group from accidental deletion while leaving the children fully mutable. For a quick memory tip: think of the CanNotDelete lock as a “gatekeeper” that only stops the gate from being removed, not the items inside the yard.
AZ-104 Manage Azure Identities and Governance Practice Question
This AZ-104 practice question tests your understanding of manage azure identities and governance. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: azure resource locks prevent accidental deletion or modification.. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
Resource group details
Name: rg-payroll-prod
Resources:
- 6 virtual machines
- 2 storage accounts
- 1 Key Vault
Maintenance requirement: Administrators must continue starting, stopping, resizing, and updating the resources during the maintenance window. The only thing that must be prevented is accidental deletion of the entire resource group.
Based on the exhibit, which lock should the administrator apply to protect the resource group from accidental deletion while still allowing normal updates to the resources inside it?
Resource group details
Name: rg-payroll-prod
Resources:
- 6 virtual machines
- 2 storage accounts
- 1 Key Vault
Maintenance requirement: Administrators must continue starting, stopping, resizing, and updating the resources during the maintenance window. The only thing that must be prevented is accidental deletion of the entire resource group.
A
Apply a CanNotDelete lock to rg-payroll-prod.
CanNotDelete blocks deletion of the locked scope while still allowing normal management operations such as updates, restarts, and configuration changes.
B
Apply a ReadOnly lock to rg-payroll-prod.
Why wrong: ReadOnly would block writes and many administrative changes, which conflicts with the need to keep updating and operating the resources.
C
Apply a tag named Protected=True to rg-payroll-prod.
Why wrong: Tags help with organization and reporting, but they do not enforce deletion protection or any access restriction.
D
Create an Azure Policy assignment that denies all delete operations.
Why wrong: Policy can enforce rules, but the requirement specifically calls for protecting a resource group from deletion, which is the lock use case.
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓
Apply a CanNotDelete lock to rg-payroll-prod.
The CanNotDelete lock (also known as Delete lock) prevents the resource group itself from being deleted while still allowing all updates (including create, modify, and delete operations) on the resources within it. This is the correct choice because the requirement is to protect only the resource group from accidental deletion, not to restrict changes to the resources inside.
Key principle: Azure resource locks prevent accidental deletion or modification.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✓
Apply a CanNotDelete lock to rg-payroll-prod.
Why this is correct
CanNotDelete blocks deletion of the locked scope while still allowing normal management operations such as updates, restarts, and configuration changes.
Related concept
Azure resource locks prevent accidental deletion or modification.
✗
Apply a ReadOnly lock to rg-payroll-prod.
Why it's wrong here
ReadOnly would block writes and many administrative changes, which conflicts with the need to keep updating and operating the resources.
✗
Apply a tag named Protected=True to rg-payroll-prod.
Why it's wrong here
Tags help with organization and reporting, but they do not enforce deletion protection or any access restriction.
✗
Create an Azure Policy assignment that denies all delete operations.
Why it's wrong here
Policy can enforce rules, but the requirement specifically calls for protecting a resource group from deletion, which is the lock use case.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates often confuse the CanNotDelete lock with a ReadOnly lock, mistakenly thinking that preventing deletion also requires blocking updates, or they assume a tag or policy can substitute for a resource lock.
Detailed technical explanation
How to think about this question
Azure resource locks operate at the management plane level, using Azure Resource Manager (ARM) to enforce the lock on the scope (resource group or resource). The CanNotDelete lock is inherited by all child resources but only prevents delete operations; update and create operations are still permitted. This is distinct from Role-Based Access Control (RBAC), which controls who can perform actions, whereas locks apply to all users regardless of their RBAC permissions.
KKey Concepts to Remember
Azure resource locks prevent accidental deletion or modification.
CanNotDelete lock prevents deletion but allows all other operations.
Locks can be applied at subscription, resource group, or resource scope.
Locks are inherited by child resources from their parent scope.
TExam Day Tips
→Watch for words such as best, first, most likely and least administrative effort.
→Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Azure resource locks prevent accidental deletion or modification.
Real-world example
How this comes up in practice
A cloud solutions architect for a retail company is evaluating services for a new workload. The correct answer here reflects best practice for the specific scenario described — not a general cloud recommendation. Azure resource locks prevent accidental deletion or modification. Cloud exam questions reward reading the constraint carefully: the same technology can be right or wrong depending on the use case.
Related glossary terms
Concepts from this question explained
These glossary pages explain the core terms tested in this AZ-104 question in full detail.
Review azure resource locks prevent accidental deletion or modification., then practise related AZ-104 questions on the same topic to reinforce the concept.
Manage Azure Identities and Governance — This question tests Manage Azure Identities and Governance — Azure resource locks prevent accidental deletion or modification..
What is the correct answer to this question?
The correct answer is: Apply a CanNotDelete lock to rg-payroll-prod. — The CanNotDelete lock (also known as Delete lock) prevents the resource group itself from being deleted while still allowing all updates (including create, modify, and delete operations) on the resources within it. This is the correct choice because the requirement is to protect only the resource group from accidental deletion, not to restrict changes to the resources inside.
What should I do if I get this AZ-104 question wrong?
Review azure resource locks prevent accidental deletion or modification., then practise related AZ-104 questions on the same topic to reinforce the concept.
What is the key concept behind this question?
Azure resource locks prevent accidental deletion or modification.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
This AZ-104 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the AZ-104 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.