Question 799 of 1,170
Manage Azure Identities and GovernanceeasyMultiple ChoiceObjective-mapped

Quick Answer

The answer is a system-assigned managed identity because its lifecycle is directly tied to the Azure resource it’s enabled on, such as a VM. When the VM is deleted, Azure automatically removes the system-assigned identity from Azure AD and cleans up all associated role assignments, meeting the developer’s requirement for zero-touch cleanup. On the AZ-104 exam, this distinction between system-assigned and user-assigned managed identity lifecycle is a frequent trap: many candidates mistakenly choose user-assigned, which persists independently even after the VM is deleted, requiring manual deletion. The exam tests your understanding that system-assigned identities are resource-scoped and ephemeral, while user-assigned identities are standalone Azure resources with their own lifecycle. A simple memory tip: think “system = same lifecycle as the resource,” so if the resource goes, the identity goes with it.

AZ-104 Manage Azure Identities and Governance Practice Question

This AZ-104 practice question tests your understanding of manage azure identities and governance. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A developer wants to give one Azure VM access to Azure Storage now, and that identity should be removed automatically if the VM is deleted. Which identity type should the administrator assign?

Question 1easymultiple choice
Full question →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

A system-assigned managed identity

A system-assigned managed identity is tied directly to the lifecycle of the Azure VM. When the VM is deleted, Azure automatically removes the identity from Azure AD and revokes any associated role assignments, fulfilling the developer's requirement for automatic cleanup. This identity is created and managed by Azure without any additional administrative overhead.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • A user-assigned managed identity

    Why it's wrong here

    A user-assigned managed identity can be shared across multiple resources and remains independent of any single VM. That makes it useful for reuse, but it does not automatically disappear when one VM is deleted. This does not match the requirement for VM-tied lifecycle behavior.

  • A system-assigned managed identity

    Why this is correct

    A system-assigned managed identity is attached directly to one Azure resource, such as a VM, and Azure manages its lifecycle with that resource. If the VM is deleted, the identity is also removed automatically. This makes it the right choice when the identity should exist only for that VM.

    Related concept

    Read the scenario before looking for a memorised answer.

  • A storage account SAS token

    Why it's wrong here

    A SAS token is a signed access string for storage, not an Azure identity. It can expire, but it does not provide a managed identity lifecycle tied to the VM. It would also have to be stored or distributed somewhere, which is not the desired model here.

  • An NSG service tag

    Why it's wrong here

    A service tag is used in network security rules to represent groups of IP addresses. It does not grant the VM access to Azure Storage through identity-based authentication and does not have a lifecycle tied to the VM. It is the wrong feature for this requirement.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates confuse user-assigned managed identities with system-assigned ones, assuming both are automatically deleted, but only system-assigned identities are lifecycle-coupled to the resource.

Detailed technical explanation

How to think about this question

System-assigned managed identities leverage Azure Instance Metadata Service (IMDS) at the non-routable IP 169.254.169.254 to obtain OAuth 2.0 tokens for authenticating to Azure AD. The identity is automatically deleted from Azure AD when the parent resource is removed, ensuring no orphaned identities remain. In real-world scenarios, this is ideal for ephemeral workloads like auto-scaling VMs or batch processing jobs where identity cleanup must be guaranteed.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related AZ-104 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free AZ-104 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this AZ-104 question test?

Manage Azure Identities and Governance — This question tests Manage Azure Identities and Governance — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: A system-assigned managed identity — A system-assigned managed identity is tied directly to the lifecycle of the Azure VM. When the VM is deleted, Azure automatically removes the identity from Azure AD and revokes any associated role assignments, fulfilling the developer's requirement for automatic cleanup. This identity is created and managed by Azure without any additional administrative overhead.

What should I do if I get this AZ-104 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Same concept, more angles

4 more ways this is tested on AZ-104

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. Several Azure VMs need the same Azure identity so they can access a shared resource without storing passwords. The identity should be reusable across VMs and removable centrally. Which identity type should the administrator use?

easy
  • A.System-assigned managed identity
  • B.User-assigned managed identity
  • C.Service principal with a client secret
  • D.Local administrator account

Why B: A user-assigned managed identity is the correct choice because it is created as a standalone Azure resource, can be assigned to multiple VMs simultaneously, and can be centrally removed or updated without affecting the VMs themselves. This identity is reusable across VMs and eliminates the need to store passwords or secrets in code or configuration.

Variation 2. A web API runs on a single Azure VM and must access Azure Key Vault without storing any credentials on the VM. The identity should be tied to that VM and removed when the VM is deleted. What should you enable?

medium
  • A.A user-assigned managed identity
  • B.A system-assigned managed identity
  • C.A storage account shared access signature
  • D.A local administrator account with a strong password

Why B: A system-assigned managed identity is tied directly to the lifecycle of the Azure VM — it is created when the VM is provisioned and automatically deleted when the VM is deleted. This identity can be used to authenticate to Azure Key Vault without storing any credentials on the VM, using the Azure Instance Metadata Service (IMDS) endpoint to obtain tokens. This matches the requirement that the identity be removed when the VM is deleted.

Variation 3. Three Azure VMs run the same scheduled script and must access both Storage and Key Vault. The team wants one identity that can be reused if a VM is rebuilt, and they do not want the identity tied to a single machine. What should the administrator create?

medium
  • A.A system-assigned managed identity on each virtual machine.
  • B.A service principal with a certificate file copied to each VM.
  • C.A user-assigned managed identity attached to all three virtual machines.
  • D.A shared access signature for each storage account and Key Vault access policy.

Why C: A user-assigned managed identity is the correct choice because it is an independent Azure resource that can be assigned to multiple VMs, persists independently of any single VM's lifecycle, and can be reused when a VM is rebuilt. This identity provides seamless authentication to both Storage and Key Vault without managing credentials, meeting the requirement for a reusable, non-machine-tied identity.

Variation 4. Three Azure VMs in different resource groups need to access the same Azure resources using one identity. The identity must keep working if any VM is deleted and recreated. What should the administrator assign to the VMs?

medium
  • A.A system-assigned managed identity on each VM.
  • B.A user-assigned managed identity.
  • C.A local administrator account.
  • D.An Azure Blueprint assignment.

Why B: A user-assigned managed identity is the correct choice because it is created as a standalone Azure resource and can be assigned to multiple VMs, even across different resource groups. If a VM is deleted and recreated, the user-assigned identity persists independently and can be reassigned to the new VM, ensuring continuous access to Azure resources without reconfiguration.

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This AZ-104 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the AZ-104 exam.