A company wants to stop users from deploying resources in any region except East US and West US. Users still need to be able to create resources if they choose an approved region. Which Azure feature should the administrator use?

Azure RBAC with a Contributor role at the subscription scope.

RBAC controls who can act, but it does not enforce deployment rules such as allowed regions. Users could still deploy in any region if they have permission.

A resource lock at the subscription level.

A lock protects existing resources from modification or deletion, but it does not evaluate whether a new resource is created in an approved region.

A tag requirement in Azure RBAC.

Tags can help organize and report on resources, but RBAC does not enforce tag-based or region-based deployment restrictions.

What does this AZ-104 question test?

Standard ACLs match source addresses.

What is the correct answer to this question?

The correct answer is: Azure Policy with a deny effect assigned at the appropriate scope. — Azure Policy is the correct service because the requirement is about compliance enforcement, not permission management. A deny effect can block resource creation in disallowed regions while still permitting users to deploy resources in approved regions. This is exactly the kind of preventive control Azure Policy provides. RBAC alone cannot enforce location restrictions because it only determines whether a principal is allowed to perform an action. Why others are wrong: RBAC decides whether someone has permission, but it cannot enforce that the region is acceptable. A resource lock protects existing assets, not future compliance. Tags are useful for organization and reporting, but they do not restrict where resources can be deployed. The scenario specifically requires enforcement of a deployment rule.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.