AZ-104 domain

Manage Azure Identities and Governance

Use this page to work through AZ-104 Manage Azure Identities and Governance practice questions. The goal is not to memorise dumps but to understand the concept, review the explanation and improve your exam readiness.

27 questions

Focused practice

Start a Manage Azure Identities and Governance session

All sessions draw only from this domain. Pick a length or try interactive practice with inline explanations.

What the exam tests

What to know about Manage Azure Identities and Governance

Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.

  • IaaS, PaaS and SaaS responsibilities and examples.
  • Public, private, hybrid and community cloud deployment models.
  • On-premises vs cloud trade-offs: cost, control, scalability.
  • How cloud connectivity options (VPN, Direct Connect, ExpressRoute) work.

Question index

All Manage Azure Identities and Governance questions (27)

1

Your company has an Azure subscription named Prod-Sub. You create a custom role that allows users to restart virtual machines but not create, delete, or resize them. You need to ensure that members of the VMOperators group can use this custom role only for virtual machines in the RG-Prod resource group. What should you do?

2

Your organization assigns an Azure Policy at the Corp-MG management group to require the tag Environment on all newly created resources. A deployment to RG-App in the Prod-Sub subscription fails because the tag is missing. You need to allow this single deployment to proceed without weakening enforcement for the rest of the organization. What should you do?

3

A help desk team must be able to reset passwords for cloud users in Microsoft Entra ID, but they must not be able to create or delete users. Which built-in role should you assign?

4

You need to assign the same RBAC role to 15 administrators so they can manage backups for several virtual machines. You want to minimize ongoing administrative effort when membership changes. What should you use?

5

A storage account named stfinance01 contains critical data. Administrators must still be able to read and modify the data, but no one should be able to delete the storage account accidentally. What should you configure?

6

Your company has two subscriptions named Dev-Sub and Prod-Sub. A new administrator must be able to create resource groups only in Dev-Sub and must not have any permissions in Prod-Sub. What should you do?

7

Your organization requires all storage accounts to allow access only from selected networks. You need a governance solution that automatically corrects noncompliant new storage accounts when possible instead of only reporting them. What policy effect should you choose?

8

You need to prevent accidental deletion of a production resource group while still allowing administrators to update resources inside it. What should you apply to the resource group?

9

Your company has two Azure subscriptions named Dev-Sub and Prod-Sub. You need to ensure that a user can create resource groups only in Dev-Sub and nowhere else. What should you do?

10

You need to ensure that all new resources deployed to a subscription automatically receive a CostCenter tag with a default value if the tag is omitted during deployment. Which Azure governance feature should you use?

11

You need to ensure that all users in the HelpdeskAdmins group can reset passwords for cloud-only users in Microsoft Entra ID but cannot modify group memberships or delete users. Which role should you assign?

12

You need to ensure that all newly created resource groups in a subscription automatically inherit the CostCenter tag with a fixed value, even if the creator forgets to add it. Which Azure Policy effect should you use?

13

Your company uses Microsoft Entra ID. A new engineer must be able to create virtual machines in RG-Dev but must not be able to assign roles to other users. Which built-in role should you assign at the RG-Dev scope?

14

An administrator grants the Helpdesk group the User Administrator role at the tenant scope. The team should be able to reset passwords only for users in the Europe-Users administrative unit. What should the administrator do?

15

An Azure subscription contains several resource groups. You need to ensure that users can create virtual machines only in regions approved by the security team. Existing noncompliant VMs can remain unchanged. What should you do?

16

Your company wants to enforce a standard list of allowed Azure regions for all new resource deployments across several subscriptions. You need a centralized governance solution that can be assigned once and inherited by the child subscriptions. What should you use?

17

You need to ensure that a contractor can manage virtual machines only in the RG-Test resource group and cannot access any other resource groups in the subscription. What is the best way to achieve this?

18

You need to ensure that junior administrators can view all resources in the Prod-Sub subscription but cannot create, modify, or delete any resources. Which Azure RBAC role should you assign?

19

You need to prevent accidental deletion of a resource group while still allowing administrators to create and modify resources inside it. Which lock should you apply?

20

You need to ensure that a user can view cost data for Azure resources but cannot create or modify those resources. Which built-in role should you assign at the required scope?

21

Your organization wants all subscriptions under the Corp-MG management group to inherit a policy that blocks deployment of resource types not on an approved list. Which Azure feature should you use?

22

You need to ensure that administrators cannot accidentally delete a production virtual network, but they must still be able to update subnet settings. Which Azure feature should you apply?

23

You need to allow a support engineer to restart virtual machines in the RG-App resource group, but the engineer must not be able to create, delete, or resize the virtual machines. What should you do?

24

You need to prevent accidental deletion of a resource group while still allowing administrators to create and modify resources inside it. Which Azure lock should you apply?

25

You need to ensure that a finance analyst can view all resources in the Finance-Sub subscription and also view spending details, but cannot create, modify, or delete any resources. Which built-in Azure RBAC role should you assign?

26

Your company wants every subscription under the Corp-MG management group to block the creation of resource groups unless the deployment includes the tags CostCenter and Environment. You need a centralized solution that is inherited by child subscriptions. What should you configure?

27

You need to let a junior administrator manage virtual machines only in the RG-Dev resource group. The administrator must not be able to change role assignments or manage other resource groups. Which role assignment should you use?

Watch out for

Common Manage Azure Identities and Governance exam traps

  • IaaS gives you infrastructure control; SaaS gives you only the application.
  • Hybrid cloud combines on-premises and public cloud — not two public clouds.
  • Cloud does not automatically mean cheaper or more secure.
  • Management responsibility shifts with each service model (IaaS → PaaS → SaaS).

Frequently asked questions

What does the Manage Azure Identities and Governance domain cover on the AZ-104 exam?
Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.

How many questions are in this domain?
This page lists all 27 Manage Azure Identities and Governance questions in the AZ-104 question bank. The actual exam draws from this domain proportionally to its weighting in the official exam blueprint.

What is the best way to practise this domain?
Start with a short focused session (10 questions) to identify gaps, then use the interactive practice page to work through explanations. Repeat with a longer session once the weak areas feel solid.

Can I practise only Manage Azure Identities and Governance questions?
Yes, the session launcher on this page filters questions to this domain only. Choose any session length or try the interactive practice page for inline explanations.