CCNA Manage Azure Identities and Governance Questions

34 of 259 questions · Page 4/4 · Manage Azure Identities and Governance

226 · MCQ · easy

The platform team wants to block deployment of Azure resources in any region except East US and West US. What should they configure?

A. An Azure Policy assignment that uses an allowed locations policy
B. A Reader role assignment at the management group
C. A CanNotDelete lock on the subscription
D. A tag requirement enforced only by resource group naming

Answer: A

Azure Policy is designed to enforce configuration rules such as approved regions. An allowed locations policy can deny deployments outside East US and West US, which directly matches the requirement. This is governance, not authorization, so RBAC is not the right tool for controlling where resources can be created.

Why this answer

Azure Policy's 'allowed locations' built-in policy definition enables you to restrict the regions where resources can be deployed. By assigning this policy at a management group or subscription scope with a parameter list containing only 'East US' and 'West US', any attempt to deploy resources in other regions will be denied at the Azure Resource Manager level, effectively blocking non-compliant deployments.

Exam trap

The trap here is that candidates often confuse Azure Policy with Azure RBAC roles or resource locks, mistakenly thinking that a Reader role or a CanNotDelete lock can restrict where resources can be deployed, when in fact only Azure Policy can enforce such location-based governance rules.

How to eliminate wrong answers

Option B is wrong because a Reader role assignment grants read-only access to resources but does not enforce any deployment restrictions or location controls. Option C is wrong because a CanNotDelete lock prevents deletion of resources but does not block creation or modification of resources in disallowed regions. Option D is wrong because a tag requirement enforced only by resource group naming is not a native Azure governance feature; tags are metadata and do not prevent deployment in unauthorized regions.

227 · MCQ · medium

A company creates new Azure subscriptions every month. Central IT wants all production subscriptions to inherit the same governance baseline automatically, while sandbox subscriptions remain separate. What should the administrator implement?

A. Apply all governance controls individually to each new subscription after it is created.
B. Organize subscriptions under management groups and assign the baseline at the appropriate management group.
C. Use a resource lock on the subscription root.
D. Place all resources into one shared resource group per business unit.

Answer: B

Management groups provide inheritance so new subscriptions automatically receive the assigned governance controls.

Why this answer

Management groups allow hierarchical organization of Azure subscriptions, enabling the assignment of Azure Policy and RBAC at the management group level. By placing all production subscriptions under a dedicated management group and assigning the governance baseline (e.g., Azure Policy initiatives) to that group, new subscriptions automatically inherit the baseline without manual intervention. Sandbox subscriptions remain separate by being placed in a different management group or at the root level without the baseline.

Exam trap

The trap here is confusing resource locks (which protect against accidental deletion/modification) with governance baselines (which enforce compliance via Azure Policy), leading candidates to incorrectly select resource locks as a solution for automatic policy inheritance.

How to eliminate wrong answers

Option A is wrong because manually applying governance controls to each new subscription is inefficient, error-prone, and does not scale, contradicting the requirement for automatic inheritance. Option C is wrong because resource locks prevent accidental deletion or modification of resources but do not enforce governance baselines like policies or RBAC; they are not inherited by new subscriptions automatically. Option D is wrong because placing all resources into one shared resource group per business unit does not enforce governance at the subscription level, does not scale across multiple subscriptions, and fails to provide automatic inheritance for new subscriptions.

228 · Multi-Select · medium

An administrator assigned a policy definition with the Modify effect to add tag Environment=Prod to resources in a subscription. Existing VMs still do not show the tag. Which two actions should the administrator take to bring the existing VMs into compliance? Select two.

Select 2 answers

A. Create a remediation task for the policy assignment.
B. Verify that the policy assignment identity has permission to modify tags at the assigned scope.
C. Reassign the policy at the resource group scope only.
D. Switch the policy effect to AuditIfNotExists.
E. Manually tag only the newest virtual machines.

Answers: A, B

A remediation task tells Azure Policy to apply the modify operation to resources that already exist. Without remediation, existing noncompliant resources may remain unchanged.

Why this answer

A is correct because a policy with the Modify effect does not automatically apply to existing non-compliant resources; a remediation task must be triggered to evaluate and update those resources. Remediation uses the managed identity assigned to the policy to perform the modification, which is why verifying that identity has the necessary permissions (option B) is also required. Without remediation, only new resources created after the policy assignment will have the tag applied.

Exam trap

The trap here is that candidates assume the Modify effect automatically applies to existing resources, but in reality, it only affects new resources unless a remediation task is explicitly created.

229 · MCQ · medium

A company wants to stop users from creating resources in any Azure region except East US and West US across all subscriptions. Which Azure feature should be used to enforce this requirement?

A. An Azure RBAC role assignment
B. An Azure Policy assignment with a Deny effect at the management group scope
C. A CanNotDelete resource lock on the subscriptions
D. A tag inheritance rule on the management group

Answer: B

Azure Policy with a Deny effect can block noncompliant deployments, and management group scope applies the rule across subscriptions in the hierarchy.

Why this answer

Azure Policy with a Deny effect at the management group scope is the correct choice because it can enforce a location constraint across all subscriptions under that management group. The Deny effect prevents the creation of resources in non-compliant regions at the time of deployment, ensuring that only East US and West US are allowed. This is a governance control that applies to all subscriptions within the scope, making it the ideal solution for this requirement.

Exam trap

The trap here is that candidates often confuse Azure RBAC (who can do what) with Azure Policy (what can be done), leading them to select RBAC role assignments instead of the correct policy-based governance control.

How to eliminate wrong answers

Option A is wrong because Azure RBAC role assignments control who can perform actions (authorization), not what resources can be created or where they can be created; they cannot restrict resource locations. Option C is wrong because a CanNotDelete resource lock prevents deletion of a subscription or resource but does not restrict the creation of resources in specific regions. Option D is wrong because tag inheritance rules propagate tags from a management group to subscriptions or resources but do not enforce any location restrictions.

230 · MCQ · easy

Based on the exhibit, which Azure service is preventing deployment because the resource is missing a required tag?

A. Azure Policy
B. Azure RBAC
C. Resource locks
D. Azure Monitor

Answer: A

Azure Policy evaluates the request against compliance rules and can deny deployment when required conditions are not met.

Why this answer

Azure Policy is the correct answer because it enforces organizational standards and compliance rules, such as requiring specific tags on resources. When a policy is defined to require a tag (e.g., 'CostCenter') and a deployment attempts to create a resource without that tag, Azure Policy evaluates the request against the policy assignment and denies the deployment. This is a built-in capability of Azure Policy, not a permission or lock mechanism.

Exam trap

The trap here is that candidates often confuse Azure Policy (which enforces rules on resource properties like tags) with Azure RBAC (which controls user permissions), leading them to incorrectly select RBAC when the issue is about missing configuration, not insufficient access rights.

How to eliminate wrong answers

Option B (Azure RBAC) is wrong because RBAC controls who can perform actions on resources (authorization via role assignments), not what tags or configurations those resources must have. Option C (Resource locks) is wrong because resource locks prevent accidental deletion or modification of resources at the resource, resource group, or subscription level, but they do not enforce tagging requirements. Option D (Azure Monitor) is wrong because Azure Monitor collects and analyzes telemetry data (metrics, logs) for performance and health; it does not enforce compliance rules or block deployments based on missing tags.

231 · Multi-Select · medium

Your organization has an Azure Active Directory (Azure AD) tenant with 500 users. You need to ensure that users can reset their own passwords without IT support, but only if they have registered for multi-factor authentication (MFA). Additionally, you want to prevent users from reusing their last 10 passwords. Which three of the following should you configure? (Choose three.)

Select 3 answers

A. Enable the 'Self-service password reset' feature in Azure AD.
B. Configure 'Password protection' with a custom banned password list.
C. Set the 'Number of passwords remembered' policy to 10 in the 'Password reset' blade.
D. Configure the 'Number of methods required to reset' to 2 and require MFA registration.
E. Enable 'Combined registration' for security info to simplify MFA and SSPR registration.
F. Assign the 'Global Administrator' role to all users to allow password reset.

Why this answer

To allow users to reset their own passwords without IT support, you must enable the 'Self-service password reset' (SSPR) feature in Azure AD. To prevent password reuse, you set the 'Number of passwords remembered' policy to 10 in the Password reset blade, which enforces a password history of 10 unique passwords. Finally, to ensure that only users registered for MFA can reset their passwords, you configure the 'Number of methods required to reset' to 2 and require MFA registration, which forces users to provide two authentication methods (including MFA) before resetting.

Exam trap

The trap here is that candidates often confuse 'Combined registration' with enforcing MFA registration for SSPR, but combined registration only simplifies the user interface, not the policy requirement; the actual enforcement comes from setting the number of methods required to reset and ensuring MFA is one of those methods.

232 · Multi-Select · hard

Your company has multiple applications deployed across separate production and nonproduction subscriptions. Finance wants cost reporting by application, and each app team should manage only its own resources. Which two design choices best satisfy both requirements? Select two.

Select 2 answers

A. Place each application's Azure resources in a dedicated resource group.
B. Tag each resource with an application or cost-center identifier.
C. Create one subscription per virtual machine to simplify chargeback reporting.
D. Use resource names only for cost reporting because names are always unique and queryable.
E. Place all applications in one management group and use it as the access boundary for each app team.

Answers: A, B

Resource groups are the correct administrative boundary for delegating access to a specific application’s resources.

Why this answer

Option A is correct because resource groups are the logical container for grouping Azure resources by application, enabling each app team to manage its own resources via Azure RBAC at the resource group scope. Option B is correct because tagging resources with an application or cost-center identifier allows Azure Cost Management to filter and report costs by application, satisfying the finance requirement for cost reporting by application.

Exam trap

The trap here is that candidates often confuse management groups with resource groups for access control, assuming a single management group can isolate app teams, but management groups do not provide RBAC boundaries for individual applications—they are for hierarchical policy management, not resource isolation.

233 · MCQ · hard

An Azure CLI script runs on a utility VM every night to create and tag resources in another subscription. The script cannot store a password or client secret, and the VM is regularly redeployed from a standard image. What is the best identity design?

A. Assign a system-assigned managed identity to the utility VM
B. Create a user-assigned managed identity and attach it to the utility VM
C. Create a service principal and store its secret in the VM configuration
D. Use a shared access signature to sign the Azure CLI session

Answer: B

A user-assigned identity persists independently of the VM and can be reused after redeployment.

Why this answer

Option B is correct because a user-assigned managed identity can be created once, assigned to the utility VM, and used across redeployments without storing any credentials. The script can authenticate via Azure CLI using the managed identity's client ID, and the identity persists independently of the VM's lifecycle, satisfying the requirement of no password or client secret storage.

Exam trap

The trap here is that candidates often choose system-assigned managed identity (Option A) without realizing that redeploying the VM from a standard image destroys the identity, breaking any cross-subscription role assignments that were configured for the original identity.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to the VM's lifecycle; when the VM is redeployed from a standard image, the identity is deleted and a new one is created, breaking any role assignments or resource tags that depend on the previous identity. Option C is wrong because storing a service principal secret in the VM configuration violates the requirement that the script cannot store a password or client secret, and it introduces a security risk. Option D is wrong because a shared access signature (SAS) is used for delegated access to Azure Storage resources, not for authenticating an Azure CLI session to manage resources across subscriptions.

234 · Multi-Select · medium

A contractor from a partner company needs read-only access to one application resource group for 14 days. When the contractor leaves the project, access should be removed immediately by removing a single identity from a group. Which two actions should the administrator take? Select two.

Select 2 answers

A. Create an Entra ID security group for the contractor team.
B. Assign the Reader role to that group at the application resource group scope.
C. Assign Reader directly to the contractor's user object at the subscription scope.
D. Assign Contributor at the resource group scope and rely on discipline.
E. Use a resource lock to limit the contractor to read-only access.

Answers: A, B

Using a group gives the administrator one identity to manage instead of many individual user assignments. Removing a person from the group immediately removes their inherited access.

Why this answer

Creating an Entra ID security group for the contractor team (Option A) allows the administrator to manage access centrally. By assigning the Reader role to that group at the application resource group scope (Option B), all members inherit read-only permissions. When the contractor leaves, removing their user object from the group immediately revokes access without needing to modify role assignments, satisfying the requirement for a single identity removal.

Exam trap

The trap here is that candidates often confuse resource locks with RBAC roles, thinking a lock can enforce read-only access, but locks only prevent accidental deletion or modification and do not affect permissions granted by role assignments.

235 · MCQ · easy

An administrator wants a script running on an Azure VM to create a resource in Azure without storing any passwords or client secrets on the VM. What should the administrator configure first?

A. A shared local account on the VM
B. A system-assigned managed identity on the VM
C. An Azure Policy exemption
D. A public IP address on the VM

Answer: B

A managed identity lets the VM authenticate to Azure directly, so the script can use Azure CLI or PowerShell without secrets.

Why this answer

A system-assigned managed identity enables an Azure VM to authenticate to Azure services (e.g., Azure Resource Manager) without storing any credentials in the VM. The identity is automatically created and managed by Azure, and the VM can obtain an access token from Azure AD via the Instance Metadata Service (IMDS) endpoint (169.254.169.254) using a simple HTTP call. This allows the script to securely create resources without hardcoding passwords or client secrets.

Exam trap

The trap here is that candidates may confuse managed identities with service principals or think a public IP is needed for outbound authentication, but the IMDS endpoint works entirely within the Azure network without requiring a public IP.

How to eliminate wrong answers

Option A is wrong because a shared local account on the VM is a local user account that cannot authenticate to Azure AD or Azure Resource Manager; it provides no mechanism to create Azure resources without credentials. Option C is wrong because an Azure Policy exemption only excludes a resource from policy evaluation; it does not provide any authentication or authorization to create resources. Option D is wrong because a public IP address on the VM only enables inbound/outbound network connectivity; it does not grant any identity or permissions to interact with Azure services.

236 · Multi-Select · medium

You are responsible for managing Azure resources in a hybrid environment. Your on-premises Active Directory Domain Services (AD DS) is synced to Azure AD using Azure AD Connect. You need to ensure that administrative units (AUs) are used to delegate administration of specific groups of users to help desk staff. Which three of the following are true regarding administrative units in Azure AD? (Choose three.)

Select 3 answers

A. Administrative units can contain users, groups, and devices.
B. An administrative unit can span multiple Azure AD tenants.
C. You can assign Azure AD roles scoped to an administrative unit.
D. Administrative units are available in all editions of Azure AD, including Free.
E. Users synced from on-premises AD DS can be added to administrative units.
F. Administrative units can be created only via the Azure portal and not via PowerShell.

Why this answer

Administrative units (AUs) in Azure AD are containers that can hold users, groups, and devices, allowing you to delegate administrative permissions over a subset of resources. You can assign Azure AD roles scoped to an AU, which limits the role's permissions to only the members of that AU. Users synced from on-premises AD DS via Azure AD Connect can be added to AUs because they become Azure AD user objects after synchronization, making them eligible for AU membership.

Exam trap

The trap here is that candidates often assume administrative units are available in all Azure AD editions (including Free) because they are a basic delegation feature, but in reality they require Azure AD Premium P1 or higher.

237 · MCQ · easy

Based on the exhibit, where should the new subscription be placed so it inherits the production governance baseline automatically?

A. Place the subscription under Prod-MG.
B. Place the subscription under Sandbox-MG.
C. Create a resource group named Finance-Prod instead of assigning a management group.
D. Move the subscription to the tenant root and assign policies later.

Answer: A

Putting the subscription under Prod-MG ensures it inherits the production governance controls assigned there. Management group inheritance is the right tool when central IT wants future subscriptions to receive the same baseline automatically.

Why this answer

Option A is correct because placing the new subscription under the Prod-MG management group ensures it automatically inherits the Azure Policy and RBAC assignments applied at that level. Management groups in Azure allow hierarchical governance, and any subscription within a management group inherits policies and role assignments from that group and all parent groups. This enables consistent enforcement of the production governance baseline without manual configuration.

Exam trap

The trap here is that candidates may think creating a resource group with a descriptive name (like Finance-Prod) is sufficient to apply governance, but Azure governance inheritance only flows through management group hierarchy, not through resource group naming conventions.

How to eliminate wrong answers

Option B is wrong because placing the subscription under Sandbox-MG would inherit the sandbox governance baseline, which typically has relaxed policies and is not intended for production workloads. Option C is wrong because creating a resource group named Finance-Prod does not cause inheritance of management group-level policies; resource groups are containers within a subscription and do not inherit policies from management groups unless the subscription itself is placed under the correct management group. Option D is wrong because moving the subscription to the tenant root would place it directly under the root management group, which may not have the production governance baseline applied, and assigning policies later would require manual effort and would not provide automatic inheritance.

238 · MCQ · easy

Based on the exhibit, where should the administrator assign the role so the contractor can start and stop virtual machines only in RG-App and nothing else?

A. Assign the role at the subscription scope so it covers the contractor's work area.
B. Assign the role at the resource group scope for RG-App.
C. Assign the role at the management group scope above the subscription.
D. Assign the role directly to one virtual machine only, because that is always the best scope.

Answer: B

This is the narrowest scope that still reaches all virtual machines inside RG-App. RBAC permissions assigned at the resource group level apply only to resources in that group, which fits the requirement to manage VMs there without affecting RG-Data or RG-Net.

Why this answer

The contractor needs to manage virtual machines only within RG-App. Azure RBAC allows you to assign the Virtual Machine Contributor role at the resource group scope, which grants permissions to start and stop VMs within that specific resource group while preventing access to resources in other resource groups or at higher scopes. Assigning at the subscription or management group level would grant permissions across all resource groups, violating the principle of least privilege.

Exam trap

The trap here is that candidates often assume assigning at the subscription scope is simpler and still 'covers the work area,' failing to recognize that it violates least privilege by granting access to all resource groups, not just RG-App.

How to eliminate wrong answers

Option A is wrong because assigning the role at the subscription scope would grant the contractor permissions to start and stop VMs in all resource groups within the subscription, not just RG-App. Option C is wrong because assigning at the management group scope would apply the role to all subscriptions under that management group, granting far broader access than intended. Option D is wrong because assigning the role directly to a single VM is overly restrictive and impractical for managing multiple VMs, and it is not 'always the best scope'—resource group scope is the appropriate level for this requirement.

239 · MCQ · easy

A company has 12 subscriptions under one management group. An external auditor needs Reader access to resources in every current and future subscription under that management group. Where should you assign the role?

A. At each resource group in each subscription
B. At the management group scope
C. At one subscription scope only
D. At one resource scope in the first subscription

Answer: B

A role assignment at the management group scope inherits to all subscriptions and resources below it. Because the requirement includes both current and future subscriptions, the management group is the right place to assign Reader. This centralizes access management and avoids creating separate assignments for each subscription or resource group.

Why this answer

Assigning the Reader role at the management group scope ensures that the external auditor inherits read-only access to all current and future subscriptions under that management group. Role assignments at the management group scope are inherited by all child subscriptions and resource groups, making it the single, scalable solution for the requirement.

Exam trap

The trap here is that candidates may think assigning the role at the subscription scope is sufficient, overlooking the requirement for future subscriptions, or they may incorrectly believe that management group scope assignments do not propagate to child subscriptions.

How to eliminate wrong answers

Option A is wrong because assigning the role at each resource group would require manual updates for every new resource group and does not cover future subscriptions, violating the requirement for automatic inheritance. Option C is wrong because assigning the role at one subscription scope only grants access to that single subscription, not to all current and future subscriptions under the management group. Option D is wrong because assigning the role at one resource scope in the first subscription provides access only to that specific resource, failing to cover any other resources, subscriptions, or future subscriptions.

240 · Multi-Select · medium

You are an Azure administrator for a company that is planning to implement a new Azure environment. The company has the following requirements:

- Users must be able to sign in using their on-premises Active Directory credentials.
- Multi-factor authentication (MFA) must be enforced for all administrative users.
- Access to Azure resources must be controlled using role-based access control (RBAC) with custom roles.
- Audit logs must be retained for a minimum of three years.

Which four of the following solutions should you implement to meet these requirements? Choose all that apply. (There are four correct answers.)

Select 4 answers

A. Deploy Azure AD Connect to synchronize identities from on-premises Active Directory to Azure AD.
B. Configure Azure AD Conditional Access policy to require MFA for all users in the Global Administrator role.
C. Create a custom RBAC role in Azure AD to control access to Azure resources.
D. Create a custom RBAC role in Azure Resource Manager to control access to Azure resources.
E. Configure diagnostic settings for the Azure AD audit logs to send them to a Log Analytics workspace with a retention policy of 1095 days.
F. Configure Azure AD Privileged Identity Management (PIM) to require approval for role activation.

Why this answer

Azure AD Connect synchronizes on-premises Active Directory identities to Azure AD, enabling users to sign in with their on-premises credentials. This meets the requirement for single sign-on using existing directory credentials.

Exam trap

The trap here is confusing Azure AD roles (which manage Azure AD itself) with Azure RBAC roles (which manage Azure resources), leading candidates to incorrectly select 'Create a custom RBAC role in Azure AD' instead of the Azure Resource Manager option.

241 · MCQ · medium

The platform team wants every resource deployed in a subscription to include an Environment tag. New resources that do not meet the rule must be blocked, and existing noncompliant resources should appear in compliance reports. What should be configured?

A. An Azure Policy assignment at the subscription scope with a deny effect.
B. A Contributor role assignment at the subscription scope.
C. A resource lock on the subscription.
D. A custom RBAC role that includes tag write permissions.

Answer: A

Azure Policy is the governance feature that evaluates resources against rules, reports compliance, and can block noncompliant deployments when the deny effect is used. Assigning it at the subscription scope applies the rule to all resources in that subscription. This matches the requirement to enforce tagging and to show existing noncompliant resources in compliance views.

Why this answer

Azure Policy with a deny effect at the subscription scope is the correct choice because it enforces a rule that blocks the creation or update of any resource that does not include the required 'Environment' tag. The deny effect actively prevents noncompliant deployments, while the policy itself evaluates existing resources and marks them as noncompliant in compliance reports, meeting both requirements.

Exam trap

The trap here is that candidates often confuse Azure Policy (which enforces rules and blocks noncompliant resources) with RBAC roles (which control permissions) or resource locks (which prevent accidental deletion), failing to recognize that only Azure Policy can both block new noncompliant resources and report on existing ones.

How to eliminate wrong answers

Option B is wrong because a Contributor role assignment grants permissions to create and manage resources but does not enforce any tagging rule or block noncompliant resources; it only provides access control. Option C is wrong because a resource lock on the subscription prevents deletion or modification of the subscription itself, not individual resources, and does not enforce tagging requirements or generate compliance reports. Option D is wrong because a custom RBAC role with tag write permissions allows users to add or modify tags but does not block the creation of resources without the required tag or provide compliance reporting; it only grants the ability to write tags.

242 · MCQ · easy

A VM-hosted application must read blobs from an Azure Storage account without storing any secret in code or configuration. Which identity should you enable on the VM?

A. A storage account access key
B. A system-assigned managed identity
C. A shared access signature (SAS) token
D. A local administrator account on the VM

Answer: B

A system-assigned managed identity is tied to the VM and lets the application authenticate to Azure services without storing credentials. Azure can issue tokens for the identity automatically, and the identity is removed when the VM is deleted. This is the simplest credential-free option for a single VM that needs access to Storage or other Azure resources.

Why this answer

A system-assigned managed identity (B) is the correct choice because it allows the VM to authenticate to Azure Storage without storing any credentials in code or configuration. Azure automatically manages the identity's lifecycle and provides a token that the VM can use to access the storage account via Azure AD authentication, eliminating the need for secrets.

Exam trap

The trap here is that candidates may confuse managed identities with SAS tokens or access keys, thinking they need a shared secret for authentication, but Azure AD authentication with managed identities eliminates the need for any stored credentials.

How to eliminate wrong answers

Option A is wrong because a storage account access key is a static secret that must be stored in code or configuration, violating the requirement to avoid storing secrets. Option C is wrong because a shared access signature (SAS) token is a URI-based credential that must be generated and stored, again requiring secret management in code or configuration. Option D is wrong because a local administrator account on the VM is a local credential unrelated to Azure Storage access and cannot authenticate to Azure Storage without storing a password or key.

243
MCQ · medium

Three Azure VMs run the same scheduled script and must access both Storage and Key Vault. The team wants one identity that can be reused if a VM is rebuilt, and they do not want the identity tied to a single machine. What should the administrator create?

A. A system-assigned managed identity on each virtual machine.
B. A service principal with a certificate file copied to each VM.
C. A user-assigned managed identity attached to all three virtual machines.
D. A shared access signature for each storage account and Key Vault access policy.
Answer: C

A user-assigned managed identity can be shared across multiple VMs and reused independently of any one VM.

Why this answer

A user-assigned managed identity is the correct choice because it is an independent Azure resource that can be assigned to multiple VMs, persists independently of any single VM's lifecycle, and can be reused when a VM is rebuilt. This identity provides seamless authentication to both Storage and Key Vault without managing credentials, meeting the requirement for a reusable, non-machine-tied identity.

Exam trap

The trap here is that candidates often confuse system-assigned and user-assigned managed identities, incorrectly assuming that system-assigned identities can be shared across VMs or persist after VM deletion, when in fact only user-assigned identities are independent, reusable resources.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to the lifecycle of a single VM: if the VM is deleted, the identity is also deleted, and it cannot be reused across multiple VMs. Option B is wrong because a service principal with a certificate file requires manual certificate management, rotation, and secure distribution to each VM, violating the 'no identity tied to a single machine' requirement and adding operational overhead. Option D is wrong because a shared access signature (SAS) provides delegated access to a specific storage account but cannot be used for Key Vault authentication, and it exposes a token that must be securely stored and rotated, not a reusable identity.
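To make the mechanism behind questions 242 and 243 concrete, here is an added example (it is not part of the question bank and not Microsoft SDK code) of how an application on an Azure VM asks the Instance Metadata Service (IMDS) for a Storage token with a managed identity. The IMDS endpoint and api-version are the documented ones; the client_id value and the sample token response are constructed placeholders. The only difference between a system-assigned and a user-assigned identity at this level is the optional client_id parameter, which is what lets one user-assigned identity serve several VMs.

```python
"""Added example (not from the question bank): obtaining an Azure Storage access
token from the Instance Metadata Service (IMDS) with a managed identity, so no
key, SAS or password is stored in code or configuration.

Assumptions: the IMDS endpoint and api-version are the documented ones
(169.254.169.254, 2018-02-01); SAMPLE_CLIENT_ID and SAMPLE_RESPONSE are
constructed placeholders, not real values."""
import json
import time
import urllib.parse
import urllib.request
from typing import Optional

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
STORAGE_RESOURCE = "https://storage.azure.com/"
SAMPLE_CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # constructed placeholder


def build_token_request(resource: str, client_id: Optional[str] = None) -> tuple:
    """Return (url, headers) for an IMDS token request.

    client_id=None   -> the VM's system-assigned identity (there is only one).
    client_id=<guid> -> selects a user-assigned identity; needed when several
                        user-assigned identities are attached to the same VM.
    """
    params = {"api-version": "2018-02-01", "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    # IMDS refuses requests without 'Metadata: true'; a plain redirect cannot
    # add the header, which blocks token theft through forwarded requests.
    return url, {"Metadata": "true"}


def parse_token_response(body: str, now: Optional[int] = None) -> dict:
    """Extract the bearer token and its remaining lifetime from the IMDS JSON reply.

    Cache the token until shortly before 'expires_on' instead of calling IMDS
    on every storage request.
    """
    data = json.loads(body)
    now = int(time.time()) if now is None else now
    expires_on = int(data["expires_on"])  # IMDS returns epoch seconds as a string
    return {
        "access_token": data["access_token"],
        "token_type": data["token_type"],
        "seconds_left": max(0, expires_on - now),
        "usable": expires_on - now > 60,  # renew inside the last minute
    }


def get_token(resource: str = STORAGE_RESOURCE, client_id: Optional[str] = None,
              timeout: float = 2.0) -> dict:
    """Live call; succeeds only on an Azure VM that has a managed identity."""
    url, headers = build_token_request(resource, client_id)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_token_response(resp.read().decode())


def storage_headers(access_token: str) -> dict:
    """Headers for a Blob REST call authenticated with the identity's token."""
    return {"Authorization": f"Bearer {access_token}", "x-ms-version": "2020-10-02"}


# Constructed sample of the IMDS reply shape (the token value is not a real JWT).
SAMPLE_RESPONSE = json.dumps({
    "access_token": "eyJ.sample.token",
    "expires_on": "1700003600",
    "resource": STORAGE_RESOURCE,
    "token_type": "Bearer",
})

if __name__ == "__main__":
    print(build_token_request(STORAGE_RESOURCE, SAMPLE_CLIENT_ID))
    print(parse_token_response(SAMPLE_RESPONSE, now=1700000000))
```

Nothing in the block is a secret: the token is short-lived, issued by Azure for the VM's identity, and the identity itself is granted a Storage data role (for example Storage Blob Data Reader) through RBAC rather than through a key.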

244
Multi-Select · hard

An Azure Automation account is recreated periodically during a migration project. Runbooks must authenticate to Azure resources without embedded secrets, and the identity must continue to work after the account is rebuilt. Which two choices should you make? Select two.

Select 2 answers
A. Use a user-assigned managed identity so the identity is independent of the Automation account lifecycle.
B. Grant the managed identity the required Azure RBAC roles on the target resources or resource groups.
C. Use a service principal with a client secret stored in an encrypted Automation variable.
D. Use a system-assigned managed identity attached to the Automation account because it is always reusable after recreation.
E. Store a storage account key in a runbook asset and retrieve it at runtime.
Answers: A, B

A user-assigned managed identity is not tied to one specific Automation account instance. That makes it resilient when the account is recreated during migration or recovery activities. It also avoids storing passwords or secrets in the runbook, which satisfies the secure automation requirement.

Why this answer

Option A is correct because a user-assigned managed identity exists as a standalone Azure resource independent of the Automation account's lifecycle. When the Automation account is recreated, you can reassign the same user-assigned managed identity to the new account, preserving the identity's object ID and its RBAC role assignments. This ensures that runbooks can authenticate without embedded secrets and continue to work seamlessly after the account is rebuilt.

Exam trap

The trap here is that candidates often assume a system-assigned managed identity is reusable after account recreation, but they fail to recognize that its object ID changes upon deletion and recreation, breaking existing RBAC assignments.

245
Multi-Select · medium

A project team expects frequent joiners and leavers. The same Azure permissions are needed for all members of the team, and you want to avoid editing role assignments for each person. Which two actions best meet the requirement? Select two.

Select 2 answers
A. Create a security group for the project team.
B. Assign the Azure roles to the group instead of individual users.
C. Assign the same roles directly to every user account.
D. Use guest accounts for all team members.
E. Assign the roles to a service principal shared by the team.
Answers: A, B

A security group gives you one identity container for the whole team, so membership changes do not require role assignment changes each time.

Why this answer

Option A is correct because creating a security group allows you to manage permissions collectively rather than individually. By adding or removing users from the group as joiners and leavers occur, you avoid editing role assignments for each person. This aligns with Azure AD group-based licensing and RBAC best practices for dynamic teams.

Exam trap

The trap here is that candidates may think assigning roles directly to users (Option C) is simpler, but they overlook the administrative overhead of managing individual assignments for frequent joiners and leavers.

246
MCQ · medium

During a change freeze, the operations team wants to prevent accidental deletion of a production resource group and everything in it. They still need to update VM settings, change tags, and modify network rules. Which lock should be applied?

A. Apply a ReadOnly lock to the resource group.
B. Apply a CanNotDelete lock to the resource group.
C. Assign the Reader role to all operators.
D. Assign an Azure Policy deny assignment at the subscription.
Answer: B

CanNotDelete is the correct lock because it blocks deletion while still allowing normal update operations. That means the team can continue to change VM settings, update tags, and manage networking during the freeze, but they cannot accidentally delete the protected resource group or its child resources. It is the standard choice when preservation is required without freezing all management activity.

Why this answer

The CanNotDelete lock (Option B) prevents deletion of the resource group and all resources within it, while still allowing read and update operations such as modifying VM settings, changing tags, and updating network rules. This lock type is specifically designed to protect against accidental deletion during a change freeze without blocking management operations.

Exam trap

The trap here is that candidates often confuse ReadOnly locks with CanNotDelete locks, assuming that any lock will block all changes, but the key distinction is that ReadOnly locks block all write operations (including updates), whereas CanNotDelete locks only block deletion, allowing the required modifications.

How to eliminate wrong answers

Option A is wrong because a ReadOnly lock prevents all write operations, including the needed updates to VM settings, tags, and network rules, which would block the operations team's required changes. Option C is wrong because assigning the Reader role to all operators prevents any modifications (write operations) entirely, as Reader only allows read access, not updates. Option D is wrong because an Azure Policy deny assignment at the subscription level is a broader governance tool that can block specific resource types or configurations, but it does not provide a simple, targeted lock against deletion of a single resource group and its contents; it also requires custom policy definitions and can inadvertently block other operations.

247
MCQ · medium

A company wants to enforce three controls across all current and future subscriptions under a management group: allowed Azure regions, a required cost center tag, and approved VM SKUs. Central IT wants a single assignment and consolidated compliance reporting. What should they use?

A. Three separate policy assignments at each subscription scope.
B. One initiative assignment at the management group scope.
C. A resource lock on the management group to prevent noncompliant deployments.
D. A custom RBAC role assigned to the management group.
Answer: B

An initiative groups multiple related policies into one assignable unit. Assigning it at the management group scope ensures the controls apply to all current and future subscriptions beneath it, while keeping compliance reporting centralized and easier to manage.

Why this answer

An initiative (policy set) at the management group scope allows you to bundle multiple policy definitions (allowed regions, required tag, approved VM SKUs) into a single assignment. This ensures the controls apply to all current and future subscriptions under that management group, and Azure Policy provides consolidated compliance reporting at the management group level, meeting the requirement for a single assignment and unified view.

Exam trap

The trap here is that candidates often confuse resource locks or RBAC with policy-based governance, thinking they can enforce allowed configurations through access control or locks, but only Azure Policy (via initiatives) can evaluate and enforce resource properties like regions, tags, and SKUs.

How to eliminate wrong answers

Option A is wrong because three separate policy assignments at each subscription scope would require manual management for every subscription, fail to automatically cover future subscriptions, and would not provide consolidated compliance reporting across all subscriptions from a single view. Option C is wrong because a resource lock prevents deletion or modification of resources but does not enforce compliance controls like allowed regions, tags, or VM SKUs; it is an operational safeguard, not a governance policy. Option D is wrong because a custom RBAC role controls who can perform actions, not what resources are compliant; it cannot enforce allowed regions, required tags, or approved VM SKUs, and it does not provide compliance reporting.

248
MCQ · easy

A team has 20 operators who need the same Reader access to one application resource group. You want to grant access and later revoke it by changing group membership instead of editing each user's permissions. What should you use for the role assignment?

A. Individual user accounts
B. An Entra ID security group
C. A management group
D. A resource lock
Answer: B

Assigning the role to an Entra ID security group is the best practice for shared access. You manage access by adding or removing users from the group, which is easier to maintain and less error-prone than changing many separate role assignments. This also supports least privilege and makes future access reviews simpler.

Why this answer

Using an Entra ID security group allows you to assign the Reader role to the group, then add or remove the 20 operators as members. This centralizes permission management: granting or revoking access is done by changing group membership rather than editing individual role assignments, which is more efficient and less error-prone.

Exam trap

The trap here is that candidates often confuse management groups (which control policy and cost across subscriptions) with security groups (which control RBAC access at a specific scope), leading them to pick Option C incorrectly.

How to eliminate wrong answers

Option A is wrong because assigning the Reader role to each individual user account would require editing each user's permissions to revoke access, which is exactly what the question wants to avoid. Option C is wrong because a management group is a container for managing multiple subscriptions and their policies/costs, not a mechanism for assigning roles to users within a single resource group. Option D is wrong because a resource lock prevents accidental deletion or modification of resources, not granting or revoking user access permissions.

249
MCQ · medium

A contractor is a member of an Entra security group that has the Contributor role on a resource group. When the contractor tries to deploy, the portal says the role is not active. The activation request requires approver approval, and the previous activation window has expired. What should the contractor do?

A. Wait for the role assignment to propagate to Azure.
B. Create a new security group and assign Contributor directly.
C. Sign out of the portal and sign back in only.
D. Activate the eligible role through Privileged Identity Management and obtain approval if required.
Answer: D

This matches the eligible assignment and the approval-based workflow described in the problem.

Why this answer

The contractor has an eligible role assignment that requires activation through Privileged Identity Management (PIM). Since the previous activation window has expired, the role is no longer active, and the contractor must initiate a new activation request, which may require approver approval. Option D correctly describes this process, as PIM is the Azure service designed for just-in-time access to privileged roles.

Exam trap

The trap here is that candidates confuse 'eligible' role assignments with 'active' assignments, assuming the role is permanently available when it actually requires manual activation through PIM.

How to eliminate wrong answers

Option A is wrong because role assignment propagation (which typically takes a few minutes) is not the issue; the role is eligible, not active, so propagation does not apply. Option B is wrong because creating a new security group and assigning Contributor directly bypasses the PIM activation requirement and would require administrative privileges the contractor likely does not have, and it does not address the need for approval. Option C is wrong because signing out and back in does not activate an eligible role; the role must be explicitly activated through PIM, and the portal session refresh does not change the role assignment status.

250
MCQ · medium

A support engineer must restart and view the properties of virtual machines only in RG-Dev. The engineer must not gain access to other resource groups in the subscription. What should the administrator do?

A. Assign the Reader role at the subscription scope and the Virtual Machine Contributor role at RG-Dev scope.
B. Assign the Virtual Machine Contributor role at the RG-Dev scope.
C. Assign the Contributor role at the RG-Dev scope.
D. Create a custom role at the subscription scope and assign it to the engineer.
Answer: B

This limits VM management permissions to the specific resource group and avoids broader subscription access.

Why this answer

Option B is correct because the Virtual Machine Contributor role at the RG-Dev scope grants the engineer the necessary permissions to restart and view properties of virtual machines within that resource group, while restricting access to other resource groups. This role includes actions like Microsoft.Compute/virtualMachines/start/action and Microsoft.Compute/virtualMachines/read, which cover the required tasks without granting broader management rights.

Exam trap

The trap here is that candidates often choose Option A, mistakenly thinking the Reader role at subscription scope is harmless, but it actually grants read access to all resources in the subscription, violating the explicit restriction to RG-Dev only.

How to eliminate wrong answers

Option A is wrong because assigning the Reader role at the subscription scope grants read access to all resources in the subscription, including other resource groups, violating the requirement to restrict access to RG-Dev only. Option C is wrong because the Contributor role at the RG-Dev scope includes write and delete permissions beyond what is needed (e.g., ability to delete resources), which is excessive and violates the principle of least privilege. Option D is wrong because creating a custom role at the subscription scope would apply permissions across the entire subscription, potentially granting access to other resource groups, and is unnecessary when a built-in role at the resource group scope suffices.

251
MCQ · easy

Several Azure VMs need the same Azure identity so they can access a shared resource without storing passwords. The identity should be reusable across VMs and removable centrally. Which identity type should the administrator use?

A. System-assigned managed identity
B. User-assigned managed identity
C. Service principal with a client secret
D. Local administrator account
Answer: B

User-assigned identities can be attached to multiple resources and managed independently of the VMs.

Why this answer

A user-assigned managed identity is the correct choice because it is created as a standalone Azure resource, can be assigned to multiple VMs simultaneously, and can be centrally removed or updated without affecting the VMs themselves. This identity is reusable across VMs and eliminates the need to store passwords or secrets in code or configuration.

Exam trap

The trap here is that candidates often choose system-assigned managed identity because it is simpler to configure, but they overlook the requirement for the identity to be reusable across multiple VMs, which only user-assigned managed identities support.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to a single VM and cannot be shared across multiple VMs; it is created and deleted with the VM. Option C is wrong because a service principal with a client secret requires storing and rotating the secret, which contradicts the requirement to avoid storing passwords. Option D is wrong because a local administrator account is VM-specific, not reusable across VMs, and requires password management, violating the no-password-storage requirement.

252
MCQ · hard

A finance team wants every resource created in one production resource group to carry CostCenter=PRD automatically. They do not want deployments blocked if a team forgets the tag, but they do want existing resources and future resources in that resource group to converge on the correct tag value. What should the administrator configure?

A. Apply a CanNotDelete lock to the production resource group.
B. Assign a modify policy for CostCenter=PRD at the production resource group scope and create a remediation task.
C. Assign Contributor on the subscription and require teams to enter the tag manually.
D. Set the tag on the management group and expect all resources to inherit it automatically.
Answer: B

A modify policy can add or correct the tag without blocking deployment, which matches the business requirement. Assigning it at the resource-group scope limits the effect to only that production workload, and remediation updates existing resources so both old and new items converge on the same tag value.

Why this answer

Option B is correct because Azure Policy with a 'modify' effect can automatically add or correct the CostCenter tag on resources within the specified scope. By assigning the policy at the production resource group scope and creating a remediation task, the policy will audit existing resources and, via a managed identity, apply the tag value to non-compliant resources without blocking deployment. This satisfies the requirement for automatic convergence without preventing creation if the tag is missing.

Exam trap

The trap here is confusing Azure Policy's 'modify' effect (which allows non-blocking correction) with 'deny' or 'append' effects (which block or add without remediation), or assuming that tags on management groups automatically propagate to resources, which they do not.

How to eliminate wrong answers

Option A is wrong because a CanNotDelete lock prevents resource deletion but does not enforce or add tags; it does not address the requirement for automatic tag convergence. Option C is wrong because assigning Contributor at the subscription level grants broad permissions but does not automatically apply tags; it relies on manual entry, which contradicts the 'automatically' requirement and does not ensure convergence. Option D is wrong because tags set on a management group are not inherited by resources; Azure Policy or Azure Resource Manager templates are required for inheritance, and tags on management groups only apply to the management group itself, not to child subscriptions or resource groups.

253
MCQ · medium

A shared resource group contains a VPN gateway and several virtual machines used by the finance department. Administrators must still be able to resize the VMs and update NSG rules, but no one should be able to delete the resource group or anything in it during the quarter-end freeze. Which lock should be applied?

A. ReadOnly lock on the resource group
B. CanNotDelete lock on the resource group
C. Management group lock on the subscription
D. Azure Policy deny effect on the resource group
Answer: B

This prevents deletion while still permitting the changes that remain allowed, such as resizing VMs and updating configuration.

Why this answer

The CanNotDelete lock (option B) prevents deletion of the resource group and all resources within it, while still allowing read and update operations such as resizing VMs and modifying NSG rules. This meets the requirement to block deletions during the quarter-end freeze without hindering administrative changes. ReadOnly locks would block all write operations, including resizing and NSG rule updates, which is not desired.

Exam trap

The trap here is that candidates often confuse ReadOnly locks with CanNotDelete locks, assuming that blocking all writes is necessary to prevent deletions, but ReadOnly locks also block updates like VM resizing and NSG rule changes, which are explicitly allowed in the requirement.

How to eliminate wrong answers

Option A is wrong because a ReadOnly lock blocks all write operations, including resizing VMs and updating NSG rules, which violates the requirement that administrators must still be able to perform these actions. Option C is wrong because a management group lock on the subscription would apply to all resource groups under that management group, which is overly broad and not scoped to just the shared resource group; it could also inadvertently affect other teams. Option D is wrong because an Azure Policy deny effect can block specific actions based on conditions, but it requires policy definition and assignment, and it does not provide a simple, blanket deletion prevention like a lock; it is also more complex to configure and maintain for a temporary freeze.

254
Multi-Select · medium

A department has 10 subscriptions and wants the same two governance rules applied to all current and future subscriptions. One rule audits missing tags, and the other denies unapproved locations. Which two actions should the administrator take? Select two.

Select 2 answers
A. Create an Azure Policy initiative that contains both policy definitions.
B. Assign the initiative at the management group scope.
C. Assign each policy only to one resource group.
D. Use Azure RBAC instead of Policy for both requirements.
E. Create a read-only lock on each subscription.
Answers: A, B

An initiative groups multiple related policies into a single package, which makes it easier to manage the department's governance rules together.

Why this answer

An Azure Policy initiative allows grouping multiple policy definitions (such as audit for missing tags and deny for unapproved locations) into a single set for coordinated enforcement. Assigning the initiative at the management group scope ensures it applies to all current and future subscriptions under that management group, meeting the requirement for consistent governance across all 10 subscriptions and any new ones added later.

Exam trap

The trap here is that candidates often confuse Azure Policy with Azure RBAC or resource locks, thinking they can enforce governance rules through permissions or protection mechanisms, when Policy is the only service that audits and denies resource configurations based on rules.

255
MCQ · easy

A central audit team needs Reader access on every current and future subscription under the company hierarchy. Which scope should you use for the role assignment?

A. Management group scope
B. Subscription scope
C. Resource group scope
D. Resource scope
Answer: A

A management group lets the role inherit to all child subscriptions now and later.

Why this answer

A management group scope allows role assignments to be inherited by all subscriptions and resource groups within that management group hierarchy. By assigning the Reader role at the management group level, the central audit team automatically gains read access to every current subscription and any future subscription added under that management group, ensuring consistent governance without manual updates.

Exam trap

The trap here is that candidates often default to subscription scope because they think of subscriptions as the primary boundary for access control, overlooking that management groups provide a broader, hierarchical inheritance that automatically covers future subscriptions.

How to eliminate wrong answers

Option B is wrong because assigning the Reader role at the subscription scope would only grant access to that specific subscription; any new subscriptions created under the hierarchy would not inherit the assignment, requiring manual reconfiguration. Option C is wrong because a resource group scope limits the role assignment to a single resource group, failing to cover multiple subscriptions or future resources. Option D is wrong because a resource scope applies only to a specific Azure resource (e.g., a VM or storage account), providing no access to other resources, subscriptions, or future deployments.

256
Multi-Select · medium

An administrator wants to let a help desk group start, stop, and restart virtual machines in one resource group, but the group must not be able to delete the VMs or any other resource in the group. Which two actions should the administrator take? Select two.

Select 2 answers
A. Create a custom RBAC role with only VM start, stop, restart, and read actions.
B. Assign the custom role to the help desk group at the resource group scope.
C. Assign Virtual Machine Contributor to the help desk group.
D. Apply a CanNotDelete lock to the resource group.
E. Use Azure Policy to block VM deletion and leave RBAC unchanged.
Answers: A, B

A custom role is required because the built-in roles are broader than the help desk's task. Limiting the actions keeps the permission set aligned with the actual operational need.

Why this answer

Option A is correct because creating a custom RBAC role with only VM start, stop, restart, and read actions ensures the help desk group can perform only those specific operations without any delete permissions. This role must be assigned at the resource group scope (Option B) to limit its effect to that resource group, preventing the group from modifying or deleting resources in other scopes. Together, these two actions fulfill the requirement precisely.

Exam trap

The trap here is that candidates often choose Virtual Machine Contributor (Option C) thinking it provides only VM management, but it actually includes delete permissions and broader resource control, or they incorrectly combine a CanNotDelete lock (Option D) with an existing role, not realizing the lock does not grant the required start/stop/restart actions.
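The RBAC reasoning in questions 245, 248, 250 and 256 (least-privilege custom role, assignment at resource-group scope, access granted through group membership) can be checked mechanically. The following is an added example, not part of the question bank and not Azure's own authorization engine: a custom role definition with only VM power and read actions, a group-based assignment, and a small evaluator that applies the rule Azure documents for role definitions (Actions minus NotActions, with wildcards, effective at the assignment scope and below). The subscription id, resource-group, user and group names are constructed placeholders; management-group inheritance, DataActions and deny assignments are deliberately left out.

```python
"""Added example (not from the question bank): a custom RBAC role limited to VM
power operations and reads, assigned to a help-desk security group at resource
group scope, plus an evaluator of Azure's authorization rule (Actions minus
NotActions with '*' wildcards, at the assignment scope and below) that resolves
a user's access through group membership.

Assumptions: the subscription id, resource-group, user and group names are
constructed placeholders; only subscription, resource-group and resource scopes
are modelled (no management-group inheritance, DataActions or deny assignments)."""
import fnmatch

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed placeholder
RG_APP = SUB + "/resourceGroups/rg-app"
RG_OTHER = SUB + "/resourceGroups/rg-other"

# Custom role: only what the help desk needs; no write, no delete.
VM_OPERATOR = {
    "Name": "VM Operator (custom)", "IsCustom": True,
    "Actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Compute/virtualMachines/powerOff/action",
        "Microsoft.Compute/virtualMachines/deallocate/action",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
    ],
    "NotActions": [],
    "AssignableScopes": [RG_APP],
}
# Built-in roles reduced to what matters here (Reader is complete; Virtual
# Machine Contributor is an excerpt of its much longer action list).
READER = {"Name": "Reader", "Actions": ["*/read"], "NotActions": []}
VM_CONTRIBUTOR = {"Name": "Virtual Machine Contributor",
                  "Actions": ["Microsoft.Compute/virtualMachines/*"], "NotActions": []}

# Group-based assignment: joiners and leavers change GROUP_MEMBERS, never ASSIGNMENTS.
GROUP_MEMBERS = {"sg-helpdesk": {"alice", "bob"}}
ASSIGNMENTS = [{"principal": "sg-helpdesk", "role": VM_OPERATOR, "scope": RG_APP}]


def action_matches(pattern, action):
    """Action strings compare case-insensitively; '*' matches any number of segments."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def role_permits(role, action):
    """A role permits an action when an Actions entry matches and no NotActions entry does."""
    allowed = any(action_matches(p, action) for p in role["Actions"])
    excluded = any(action_matches(p, action) for p in role["NotActions"])
    return allowed and not excluded


def scope_covers(assignment_scope, resource_id):
    """An assignment applies at its scope and every child scope (ARM IDs nest as path prefixes)."""
    a = assignment_scope.lower().rstrip("/")
    r = resource_id.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def principals_for(user, group_members):
    """The user plus every group the user belongs to (direct membership only)."""
    return {user} | {g for g, members in group_members.items() if user in members}


def is_authorized(user, action, resource_id, assignments=ASSIGNMENTS, group_members=GROUP_MEMBERS):
    """Azure RBAC is additive: access is granted when any in-scope assignment permits the action."""
    principals = principals_for(user, group_members)
    return any(a["principal"] in principals
               and scope_covers(a["scope"], resource_id)
               and role_permits(a["role"], action)
               for a in assignments)


DESTRUCTIVE_PROBES = ("Microsoft.Compute/virtualMachines/delete",
                      "Microsoft.Compute/virtualMachines/write",
                      "Microsoft.Network/networkSecurityGroups/delete")


def can_modify_or_delete(role):
    """Review check for a candidate role: does it permit any destructive action?"""
    return any(role_permits(role, probe) for probe in DESTRUCTIVE_PROBES)


# Constructed resource IDs for the checks.
VM01 = RG_APP + "/providers/Microsoft.Compute/virtualMachines/vm01"
VM02 = RG_OTHER + "/providers/Microsoft.Compute/virtualMachines/vm02"

if __name__ == "__main__":
    print("restart vm01:", is_authorized("alice", "Microsoft.Compute/virtualMachines/restart/action", VM01))
    print("delete vm01: ", is_authorized("alice", "Microsoft.Compute/virtualMachines/delete", VM01))
    print("VM Contributor can delete:", can_modify_or_delete(VM_CONTRIBUTOR))
```

The `can_modify_or_delete` probe is the check to run before assigning any built-in role for a narrow task: Virtual Machine Contributor fails it because its `Microsoft.Compute/virtualMachines/*` wildcard covers delete, while the custom role passes. Removing a user from `sg-helpdesk` revokes access without any change to the role assignment, which is the point of assigning to the group.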

257
MCQ · easy

You want to group subscriptions for Finance, HR, and Engineering so you can apply governance consistently at a higher level. What should you create?

A. Resource groups
B. Management groups
C. Tags
D. Resource locks
Answer: B

Management groups organize subscriptions and support consistent governance across multiple subscriptions.

Why this answer

Management groups are the correct choice because they allow you to organize Azure subscriptions into a hierarchy for applying governance policies, role-based access control (RBAC), and cost management consistently across multiple subscriptions. By creating a management group hierarchy (e.g., Finance, HR, Engineering), you can assign Azure Policy initiatives or RBAC roles at the management group level, which are inherited by all subscriptions within that group. This provides a scalable and centralized governance model without needing to configure each subscription individually.

Exam trap

The trap here is that candidates often confuse resource groups (which group resources within a subscription) with management groups (which group subscriptions themselves), leading them to select resource groups as the answer for cross-subscription governance.

How to eliminate wrong answers

Option A is wrong because resource groups are logical containers for resources within a single subscription, not for grouping multiple subscriptions; they cannot apply governance across subscriptions. Option C is wrong because tags are metadata key-value pairs used for organizing and filtering resources, but they do not enforce governance policies or RBAC inheritance across subscriptions. Option D is wrong because resource locks prevent accidental deletion or modification of resources but operate at the resource, resource group, or subscription level, not across multiple subscriptions for consistent governance.

258
MCQ · easy

Based on the exhibit, what should the administrator use to temporarily allow the legacy storage account to remain noncompliant without changing the policy for everyone?

A. Modify the policy definition so all storage accounts can use public network access.
B. Create a policy exemption for the legacy storage account or its resource group.
C. Apply a ReadOnly lock to the storage account.
D. Move the storage account to another subscription so the policy no longer applies.
Answer: B

A policy exemption is designed for approved exceptions to an existing assignment. It lets the legacy storage account remain temporarily outside the deny effect while preserving the policy for everything else. This keeps governance intact and documents the exception clearly.

Why this answer

A policy exemption allows the administrator to exclude a specific resource (the legacy storage account) or its resource group from the Azure Policy evaluation without modifying the underlying policy definition. This is the correct approach because it temporarily grants noncompliance for that resource while the policy remains enforced for all other resources, aligning with the requirement to avoid changing the policy for everyone.

Exam trap

The trap here is that candidates often confuse policy exemptions with resource locks or policy definition modifications, mistakenly thinking a ReadOnly lock or moving the resource will bypass policy evaluation, when in fact only an exemption explicitly excludes a resource from policy compliance checks.

How to eliminate wrong answers

Option A is wrong because modifying the policy definition to allow public network access for all storage accounts would permanently change the policy for everyone, which contradicts the requirement to not change the policy for everyone. Option C is wrong because a ReadOnly lock prevents modifications to the storage account but does not exempt it from Azure Policy evaluation; the policy would still flag the account as noncompliant and could trigger remediation tasks. Option D is wrong because moving the storage account to another subscription would remove it from the current policy scope, but this is a permanent structural change that does not temporarily allow noncompliance and may introduce additional management overhead.

259
MCQ · medium

A team can already deploy virtual machines, but they want to prevent users from creating VMs unless the deployment includes an approved tag. They also want to see which existing resources do not meet the rule. What should the administrator use?

A. A custom RBAC role that removes the create action for virtual machines.
B. An Azure Policy assignment with a deny or audit effect for the tag requirement.
C. A resource lock on the resource group.
D. An Entra ID dynamic group for the VM creators.
Answer: B

Azure Policy is the correct control because the requirement is about resource compliance, not user authorization. A policy can deny deployments that do not include the approved tag and can also audit existing resources to show which ones are noncompliant. That separates governance enforcement from RBAC, which only decides who is allowed to perform actions in Azure.

Why this answer

Azure Policy with a 'deny' effect prevents creation of VMs that lack the required tag, while the 'audit' effect identifies non-compliant existing resources without blocking them. This directly addresses both requirements: enforcing the tag on new deployments and discovering which existing resources violate the rule.

Exam trap

The trap here is confusing Azure Policy (which enforces rules on resource properties like tags) with RBAC (which controls who can perform actions), leading candidates to mistakenly choose a custom role instead of the policy-based solution.

How to eliminate wrong answers

Option A is wrong because a custom RBAC role removing the create action would block all VM creation regardless of tags, not enforce a tag requirement, and it cannot audit existing resources. Option C is wrong because a resource lock prevents deletion or modification of the entire resource group, not the creation of VMs, and it cannot enforce tag policies. Option D is wrong because an Entra ID dynamic group manages user membership based on attributes, not resource compliance; it has no effect on VM creation or tag enforcement.
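To make the deny-versus-audit distinction from this question, and the exemption from the previous one, concrete, here is an added Python model (not code from the page or from Microsoft) that evaluates a tag-requirement rule written in real Azure Policy JSON syntax against constructed sample resources. The evaluator, the `costCenter` tag name, the resource ids and the exemption handling are illustrative assumptions, and only the operators the rule uses (`allOf`, `equals`, `exists`) are supported.

```python
"""Local model of an Azure Policy tag rule with an Audit/Deny effect plus a
policy exemption. Added example: the rule JSON uses real Azure Policy syntax,
but the evaluator, tag name and resource ids are constructed for illustration."""
import json
POLICY_RULE = json.loads("""{
  "if": {"allOf": [
    {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
    {"field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false"}
  ]},
  "then": {"effect": "[parameters('effect')]"}
}""")
PARAMS = {"tagName": "costCenter", "effect": "Deny"}  # assignment parameters (assumed)
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups"  # constructed
RESOURCES = [  # constructed sample inventory: tagged VM, untagged VM, legacy VM, non-VM
    {"id": f"{RG}/app-rg/providers/Microsoft.Compute/virtualMachines/vm1",
     "type": "Microsoft.Compute/virtualMachines", "tags": {"costCenter": "1234"}},
    {"id": f"{RG}/app-rg/providers/Microsoft.Compute/virtualMachines/vm2",
     "type": "Microsoft.Compute/virtualMachines", "tags": {}},
    {"id": f"{RG}/legacy-rg/providers/Microsoft.Compute/virtualMachines/vm3",
     "type": "Microsoft.Compute/virtualMachines"},
    {"id": f"{RG}/app-rg/providers/Microsoft.Storage/storageAccounts/sa1",
     "type": "Microsoft.Storage/storageAccounts", "tags": {}},
]

def matches(resource, cond, params):
    """True when the 'if' block selects the resource (allOf / equals / exists)."""
    if "allOf" in cond:
        return all(matches(resource, c, params) for c in cond["allOf"])
    if cond["field"] == "type":
        value = resource.get("type")
    elif cond["field"].startswith("[concat('tags['"):  # tags[<tagName>] alias
        value = resource.get("tags", {}).get(params["tagName"])
    else:
        raise ValueError(f"unsupported field: {cond['field']}")
    if "equals" in cond:
        return value == cond["equals"]
    return (value is not None) == (cond["exists"] == "true")

def evaluate(resource, params, exemptions=()):
    """Return 'exempt', 'compliant', 'denied' (Deny) or 'noncompliant' (Audit)."""
    rid = resource["id"].lower()
    if any(rid == s.lower() or rid.startswith(s.lower() + "/") for s in exemptions):
        return "exempt"  # exemption scope is the resource itself or its resource group
    if not matches(resource, POLICY_RULE["if"], params):
        return "compliant"
    return "denied" if params["effect"] == "Deny" else "noncompliant"

def compliance_report(effect="Audit", exemptions=()):
    """Audit-style pass over existing resources, keyed by resource name."""
    params = {**PARAMS, "effect": effect}
    return {r["id"].rsplit("/", 1)[-1]: evaluate(r, params, exemptions) for r in RESOURCES}
```

With `effect` set to `Deny`, an incoming untagged VM request is rejected, while the same rule run as `Audit` over the inventory lists vm2 and vm3 as noncompliant; exempting `legacy-rg` removes vm3 from that list without touching the rule.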

