Question 946 of 1,170
Manage Azure Identities and GovernancemediumMultiple ChoiceObjective-mapped

Quick Answer

The correct choice is to apply a CanNotDelete lock to the resource group, as this lock prevents the resource group itself from being deleted while still allowing normal create, modify, and delete operations on the resources inside it. This works because the CanNotDelete lock (often called a Delete lock) operates at the resource group scope, blocking any deletion of that container without restricting updates to its child resources. On the AZ-104 exam, this scenario tests your understanding of Azure lock inheritance and scope—a common trap is confusing the ReadOnly lock, which blocks all updates, or assuming a lock on individual resources is needed. Remember, the CanNotDelete lock protects the parent resource group from accidental deletion while leaving the children fully mutable. For a quick memory tip: think of the CanNotDelete lock as a “gatekeeper” that only stops the gate from being removed, not the items inside the yard.

AZ-104 Manage Azure Identities and Governance Practice Question

This AZ-104 practice question tests your understanding of manage azure identities and governance. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: azure resource locks prevent accidental deletion or modification.. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Exhibit

Resource group details
Name: rg-payroll-prod
Resources:
- 6 virtual machines
- 2 storage accounts
- 1 Key Vault
Maintenance requirement: Administrators must continue starting, stopping, resizing, and updating the resources during the maintenance window. The only thing that must be prevented is accidental deletion of the entire resource group.

Based on the exhibit, which lock should the administrator apply to protect the resource group from accidental deletion while still allowing normal updates to the resources inside it?

Question 1mediummultiple choice
Full question →

Exhibit

Resource group details
Name: rg-payroll-prod
Resources:
- 6 virtual machines
- 2 storage accounts
- 1 Key Vault
Maintenance requirement: Administrators must continue starting, stopping, resizing, and updating the resources during the maintenance window. The only thing that must be prevented is accidental deletion of the entire resource group.

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Apply a CanNotDelete lock to rg-payroll-prod.

The CanNotDelete lock (also known as Delete lock) prevents the resource group itself from being deleted while still allowing all updates (including create, modify, and delete operations) on the resources within it. This is the correct choice because the requirement is to protect only the resource group from accidental deletion, not to restrict changes to the resources inside.

Key principle: Azure resource locks prevent accidental deletion or modification.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Apply a CanNotDelete lock to rg-payroll-prod.

    Why this is correct

    CanNotDelete blocks deletion of the locked scope while still allowing normal management operations such as updates, restarts, and configuration changes.

    Related concept

    Azure resource locks prevent accidental deletion or modification.

  • Apply a ReadOnly lock to rg-payroll-prod.

    Why it's wrong here

    ReadOnly would block writes and many administrative changes, which conflicts with the need to keep updating and operating the resources.

  • Apply a tag named Protected=True to rg-payroll-prod.

    Why it's wrong here

    Tags help with organization and reporting, but they do not enforce deletion protection or any access restriction.

  • Create an Azure Policy assignment that denies all delete operations.

    Why it's wrong here

    Policy can enforce rules, but the requirement specifically calls for protecting a resource group from deletion, which is the lock use case.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often confuse the CanNotDelete lock with a ReadOnly lock, mistakenly thinking that preventing deletion also requires blocking updates, or they assume a tag or policy can substitute for a resource lock.

Detailed technical explanation

How to think about this question

Azure resource locks operate at the management plane level, using Azure Resource Manager (ARM) to enforce the lock on the scope (resource group or resource). The CanNotDelete lock is inherited by all child resources but only prevents delete operations; update and create operations are still permitted. This is distinct from Role-Based Access Control (RBAC), which controls who can perform actions, whereas locks apply to all users regardless of their RBAC permissions.

KKey Concepts to Remember

  • Azure resource locks prevent accidental deletion or modification.
  • CanNotDelete lock prevents deletion but allows all other operations.
  • Locks can be applied at subscription, resource group, or resource scope.
  • Locks are inherited by child resources from their parent scope.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Azure resource locks prevent accidental deletion or modification.

Real-world example

How this comes up in practice

A cloud solutions architect for a retail company is evaluating services for a new workload. The correct answer here reflects best practice for the specific scenario described — not a general cloud recommendation. Azure resource locks prevent accidental deletion or modification. Cloud exam questions reward reading the constraint carefully: the same technology can be right or wrong depending on the use case.

What to study next

Got this wrong? Here's your next step.

Review azure resource locks prevent accidental deletion or modification., then practise related AZ-104 questions on the same topic to reinforce the concept.

Related practice questions

Related AZ-104 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free AZ-104 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this AZ-104 question test?

Manage Azure Identities and Governance — This question tests Manage Azure Identities and Governance — Azure resource locks prevent accidental deletion or modification..

What is the correct answer to this question?

The correct answer is: Apply a CanNotDelete lock to rg-payroll-prod. — The CanNotDelete lock (also known as Delete lock) prevents the resource group itself from being deleted while still allowing all updates (including create, modify, and delete operations) on the resources within it. This is the correct choice because the requirement is to protect only the resource group from accidental deletion, not to restrict changes to the resources inside.

What should I do if I get this AZ-104 question wrong?

Review azure resource locks prevent accidental deletion or modification., then practise related AZ-104 questions on the same topic to reinforce the concept.

What is the key concept behind this question?

Azure resource locks prevent accidental deletion or modification.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This AZ-104 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the AZ-104 exam.