A company wants to stop users from creating resources in regions that are not approved and also require a Department tag on new resources. Which two tasks are best handled by Azure Policy? Select two.

Give users Contributor access to the subscription.

Contributor is an RBAC permission that controls what a user can do, not whether a resource matches a compliance rule. Access control and policy are separate functions.

Create Microsoft Entra ID users for contractors.

User creation is an identity task in Microsoft Entra ID, not an Azure Policy task. Policy cannot create accounts or manage identities.

Place a CanNotDelete lock on every resource group.

A lock protects resources from deletion, but it does not enforce allowed locations or required tags. Locks and policy solve different governance problems.

What does this AZ-104 question test?

Read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Restrict allowed deployment locations. — Azure Policy is the correct tool for compliance rules that control how resources are deployed or configured. In this case, restricting allowed locations and requiring a Department tag are both policy scenarios because they shape what can be created and what metadata must be present. RBAC decides who can do something, while policy decides whether the requested configuration is allowed. Why others are wrong: Contributor access is an RBAC role and does not enforce deployment rules. Creating Entra ID users is an identity operation, not a compliance control. CanNotDelete locks help protect resources from deletion, but they do not enforce tags or region selection. The question is about policy enforcement, not permissions or resource protection.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.