A company wants to prevent users from creating storage accounts unless the resources include a costCenter tag. Which Azure feature should be used?

Azure RBAC, because it controls whether users can create resources.

This is incorrect because RBAC controls who can perform actions, not whether a resource configuration meets a compliance rule.

A resource lock, because it can force resources to use tags.

This is incorrect because locks prevent deletion or modification, but they do not evaluate deployment rules like required tags.

A service endpoint, because it can filter which resources are allowed in a subscription.

This is incorrect because service endpoints are for network access to Azure services, not compliance enforcement.

What does this AZ-104 question test?

Standard ACLs match source addresses.

What is the correct answer to this question?

The correct answer is: Azure Policy, because it can evaluate and enforce required resource properties. — Azure Policy is the right tool when the requirement is about resource compliance, such as requiring a tag, restricting allowed locations, or enforcing a configuration standard. RBAC only answers whether a user is allowed to perform an action. In this case, the company wants to block or audit deployments that do not include the costCenter tag, which is a policy concern rather than an access-control concern. Why others are wrong: RBAC can allow or deny actions, but it cannot validate resource properties like tags. Resource locks protect existing resources from deletion or changes, but they do not enforce deployment standards. Service endpoints are unrelated to compliance and only affect how certain network traffic reaches Azure services.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.