CCNA AZ Identity Questions

75 of 259 questions · Page 1/4 · AZ Identity topic · Answers revealed

1. Multi-Select (medium)

Finance wants every resource created in one production resource group to receive the tag CostCenter=FINSVC automatically, but deployments should not be blocked if a template omits the tag. Existing resources should be updated when possible. Which two actions should the administrator take? Select two.

Select 2 answers

A. Assign a Modify policy that adds or updates the CostCenter tag.
B. Run a remediation task for noncompliant existing resources.
C. Apply a ReadOnly lock to the resource group to keep tags consistent.
D. Assign Reader to the resource group to ensure tag visibility.
E. Use only an Audit policy so teams can see missing tags.

Answers: A, B

The Modify effect can automatically add or update tags without blocking the deployment. That matches the requirement to keep deployments flowing while enforcing the tag.

Why this answer

Option A is correct because a policy definition with the Modify effect can automatically add or update the CostCenter tag on resources during creation or update, without blocking the deployment when the tag is missing. This satisfies the requirement that deployments must not be blocked: Modify applies the tag instead of denying the noncompliant request. Option B is correct because Modify on its own only acts on new or updated resources; a remediation task is what applies the tag to the resources that already exist in the resource group.

Exam trap

The trap here is confusing the Audit and Modify effects. Audit only reports missing tags; it cannot fix them. Candidates may also assume a ReadOnly lock is needed to enforce consistency, but a lock controls management operations, not tag values. Modify with a remediation task is the correct approach for automatic tag application without blocking deployments.

2. MCQ (medium)

A production resource group contains several VMs and a storage account. The operations manager wants to prevent accidental deletion of the resource group and its resources, but still allow normal configuration changes during maintenance windows. Which lock should be applied to the resource group?

A. ReadOnly lock at the resource group scope.
B. CanNotDelete lock at the resource group scope.
C. Azure Policy assignment that denies all delete requests.
D. Apply the lock only to individual virtual machines.

Answer: B

CanNotDelete is the correct lock when the goal is to prevent accidental removal while still allowing updates. It blocks delete operations for the resource group and its resources, but it does not stop normal configuration changes such as resizing, tagging, or network updates. That makes it suitable for production protection without freezing administration.

Why this answer

A CanNotDelete lock at the resource group scope prevents the deletion of the resource group and all its resources, while still allowing configuration changes (e.g., modifying VM settings or updating storage account properties). This meets the operations manager's requirement to block accidental deletion but permit normal maintenance operations. ReadOnly locks would block all write operations, which is too restrictive for maintenance windows.

Exam trap

The trap here is that candidates often confuse ReadOnly locks with CanNotDelete locks, mistakenly thinking ReadOnly is safer, but ReadOnly blocks all write operations (including configuration changes), which is too restrictive for maintenance scenarios where updates are required.

How to eliminate wrong answers

Option A is wrong because a ReadOnly lock at the resource group scope prevents any write operations, including configuration changes during maintenance windows, which violates the requirement to allow normal changes. Option C is wrong because an Azure Policy assignment that denies all delete requests would block deletions but also requires additional policy management and does not inherently protect against accidental deletion at the resource group level as effectively as a lock; moreover, policies can be bypassed if not properly scoped or if the user has sufficient permissions, whereas locks are a definitive authorization boundary. Option D is wrong because applying the lock only to individual virtual machines leaves the resource group and other resources (like the storage account) unprotected from deletion, failing the requirement to prevent accidental deletion of the entire resource group and its resources.

3. MCQ (medium)

A deny policy blocks creation of storage accounts with public network access enabled. A legacy application in RG-Legacy must keep one existing storage account publicly reachable for 45 days while the rest of the subscription remains governed by the policy. What should the administrator configure?

A. A policy exemption at the RG-Legacy scope with an expiration date.
B. A new role assignment that grants Owner on RG-Legacy.
C. A management lock on the storage account.
D. A separate initiative assigned only to RG-Legacy with the deny setting disabled.

Answer: A

An exemption allows the specific scope to bypass the policy temporarily while keeping the policy active elsewhere.

Why this answer

A policy exemption at the RG-Legacy scope with an expiration date is the correct solution because it allows the specific storage account to bypass the deny policy while keeping the policy enforced for all other resources. The exemption can be scoped to the resource group and set to expire in 45 days, ensuring the legacy application retains public access temporarily without permanently weakening the governance posture. This approach directly addresses the requirement to maintain compliance for the rest of the subscription.

Exam trap

The trap here is that candidates often confuse policy exemptions with role assignments or management locks, mistakenly thinking that granting Owner permissions or locking a resource can override a deny policy, when in fact only a policy exemption (or a policy exclusion at assignment scope) can bypass the deny effect.

How to eliminate wrong answers

Option B is wrong because assigning the Owner role on RG-Legacy does not override a deny policy; Azure Policy deny effects are enforced at the Azure Resource Manager layer and cannot be bypassed by role assignments, even for Owners. Option C is wrong because a management lock (e.g., CanNotDelete or ReadOnly) prevents accidental deletion or modification of the storage account but does not affect policy evaluation; the deny policy would still block any attempt to create or update the account with public network access enabled. Option D is wrong because a separate initiative with the deny setting disabled would still be subject to the original deny policy assigned at a higher scope (e.g., subscription or management group); initiatives do not override existing policies unless explicitly excluded via an exemption.

4. MCQ (medium)

A policy assigned at the management group denies creation of storage accounts with public network access enabled. One legacy storage account in RG-Pilot must stay publicly reachable for 45 days while an application is migrated. What should the administrator configure?

A. Remove the policy assignment from the management group until the migration is finished.
B. Create a policy exemption for the specific storage account with an expiration date.
C. Apply a CanNotDelete lock to the storage account.
D. Assign a Contributor role to the migration team on the storage account.

Answer: B

A policy exemption allows one approved resource to temporarily bypass the deny effect while preserving the policy for everything else. Adding an expiration date ensures the exception is temporary and supports compliance tracking during the migration period.

Why this answer

A policy exemption is the correct tool when a specific resource must temporarily diverge from an enforced policy. The deny policy stays in place for the management group, but the exempted storage account is allowed to remain publicly reachable during the migration window. This keeps governance intact while documenting the exception and its expiration, which is much safer than removing the policy or trying to solve a compliance issue with RBAC.

How to eliminate wrong answers

Removing the policy assignment would disable governance for all resources under the management group, not just the one legacy storage account. A CanNotDelete lock protects against deletion only; it does not affect policy evaluation or network access settings. Granting Contributor does not help because Azure Policy is evaluated separately from RBAC, so more permission does not override a deny policy.

5. MCQ (easy)

Based on the exhibit, three VMs in different resource groups must use the same Azure identity, and the identity must continue working if one VM is deleted and recreated. What should you use?

A. A system-assigned managed identity on each VM.
B. A user-assigned managed identity attached to all three VMs.
C. A service principal stored in the VM image.
D. A shared access signature assigned to the resource group.

Answer: B

A user-assigned managed identity is correct because it is created independently from any single VM and can be attached to multiple resources. That makes it ideal when several VMs need the same identity and the identity must remain available even if one VM is deleted and recreated.

Why this answer

A user-assigned managed identity is an Azure resource that can be created independently and then assigned to multiple VMs. Because it persists as a separate resource in Azure, deleting and recreating a VM does not affect the identity; you simply reattach the same user-assigned identity to the new VM. This ensures the identity continues working across VM lifecycle changes, meeting the requirement for a shared, resilient identity.

Exam trap

The trap here is that candidates confuse system-assigned managed identities (which are tied to VM lifecycle) with user-assigned managed identities (which are independent resources), leading them to choose Option A despite the requirement for identity persistence across VM deletion and recreation.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to the lifecycle of the VM: if the VM is deleted, the identity is also deleted, and recreating the VM creates a new identity with a different principal ID, breaking continuity. Option C is wrong because a service principal stored in the VM image is a static credential embedded in the image; it cannot be shared across VMs in different resource groups without manual key management, and it does not leverage Azure's managed identity infrastructure for automatic rotation and lifecycle management. Option D is wrong because a shared access signature (SAS) is a delegation token for specific Azure storage resources, not an Azure AD identity; it cannot be used for VM authentication to Azure services like Azure AD or Key Vault.

6. MCQ (easy)

Based on the exhibit, what is the best way to simplify access management for the project team?

A. Keep assigning RBAC roles directly to each user account.
B. Assign the RBAC role to an Entra ID group and manage membership there.
C. Create a resource lock on RG-App.
D. Create an Azure Policy assignment for RG-App.

Answer: B

Using a group centralizes access control so membership changes automatically update who has the role.

Why this answer

The best practice is to assign the RBAC role to an Entra ID group instead of individual users. That way, access management is handled by adding or removing members from the group, which is much easier and less error-prone. The role assignment remains stable while team membership changes over time, which is exactly what the requirement describes.

How to eliminate wrong answers

Option A works initially but becomes difficult to maintain as team membership changes. Option C does not control access at all; a lock only restricts delete or write operations on the resource group. Option D is a governance mechanism, not an authorization mechanism, so it cannot replace group-based RBAC.

7. Multi-Select (hard)

RG-Prod hosts line-of-business workloads. The business wants to prevent accidental deletion of the resource group during change freezes and also ensure every new resource carries a CostCenter tag for chargeback. Which two governance controls should be used? Select two.

Select 2 answers

A. Apply a CanNotDelete lock to RG-Prod.
B. Apply a ReadOnly lock to RG-Prod.
C. Use Azure Policy with a Modify effect to add the CostCenter tag to new resources.
D. Grant Reader to the finance team on the resource group.
E. Create a private endpoint for RG-Prod.

Answers: A, C

CanNotDelete protects the resource group and its resources from accidental deletion while still allowing normal updates.

Why this answer

Option A is correct because applying a CanNotDelete lock to RG-Prod prevents the resource group from being deleted during change freezes, which directly meets the requirement to prevent accidental deletion. This lock type allows read and update operations but blocks delete operations, making it ideal for protecting critical resources without impacting ongoing workloads. Option C is correct because an Azure Policy assignment with the Modify effect adds the CostCenter tag to new resources as they are created, which meets the chargeback requirement without blocking deployments.

Exam trap

The trap here is that candidates often confuse a ReadOnly lock with a CanNotDelete lock, assuming any lock prevents deletion, but ReadOnly locks also block updates, which would break production workloads, while the correct choice is the less restrictive CanNotDelete lock for deletion prevention only.

8. MCQ (medium)

Your company has an Azure subscription named Prod-Sub. You create a custom role that allows users to restart virtual machines but not create, delete, or resize them. You need to ensure that members of the VMOperators group can use this custom role only for virtual machines in the RG-Prod resource group. What should you do?

A. Assign the custom role to VMOperators at the subscription scope.
B. Assign the custom role to VMOperators at the RG-Prod scope.
C. Assign the Virtual Machine Contributor role to VMOperators at the RG-Prod scope.
D. Assign the custom role to VMOperators at the management group scope.

Answer: B

This applies the permissions only to resources in the RG-Prod resource group and follows least privilege.

Why this answer

Option B is correct because assigning the custom role at the RG-Prod scope restricts the role's permissions to only the virtual machines within that specific resource group. This meets the requirement that VMOperators can restart VMs but not create, delete, or resize them, and only within RG-Prod.

Exam trap

The trap here is that candidates often confuse the scope of role assignments, thinking a subscription-level assignment can be restricted by a condition, but Azure RBAC does not support conditions for built-in or custom roles without Azure Policy or attribute-based access control (ABAC), which is not mentioned in the question.

How to eliminate wrong answers

Option A is wrong because assigning the custom role at the subscription scope would grant the restart permission to all virtual machines in the entire subscription, not just those in RG-Prod. Option C is wrong because the Virtual Machine Contributor role includes permissions to create, delete, and resize VMs, which exceeds the requirement to only allow restart. Option D is wrong because assigning the role at the management group scope would apply the permissions to all subscriptions under that management group, far broader than the RG-Prod resource group.

9. MCQ (easy)

A company wants to prevent users from creating storage accounts unless the resources include a costCenter tag. Which Azure feature should be used?

A. Azure RBAC, because it controls whether users can create resources.
B. Azure Policy, because it can evaluate and enforce required resource properties.
C. A resource lock, because it can force resources to use tags.
D. A service endpoint, because it can filter which resources are allowed in a subscription.

Answer: B

This is correct because Azure Policy is designed to enforce standards and assess compliance. A policy can require a tag such as costCenter and deny or audit noncompliant resource creation. RBAC could still allow the user to create storage accounts, but Policy adds the configuration rule that controls whether the deployment is compliant.

Why this answer

Azure Policy is correct because it can enforce organizational standards by evaluating resource properties during creation and modification. By defining a policy that requires a 'costCenter' tag on all storage accounts, Azure Policy will deny creation of any storage account that does not include that tag, ensuring compliance without manual intervention.

Exam trap

The trap here is confusing Azure Policy (which enforces resource properties) with Azure RBAC (which controls permissions), as both are governance tools but serve fundamentally different purposes.

How to eliminate wrong answers

Option A is wrong because Azure RBAC controls permissions (who can create resources) but cannot enforce specific resource properties like tags; it only grants or denies the ability to perform actions. Option C is wrong because a resource lock prevents deletion or modification of a resource but cannot enforce tag requirements during creation. Option D is wrong because a service endpoint restricts network access to Azure services from specific subnets, not resource properties or tag enforcement.

10. Multi-Select (easy)

A company wants to stop users from creating resources in regions that are not approved and also require a Department tag on new resources. Which two tasks are best handled by Azure Policy? Select two.

Select 2 answers

A. Restrict allowed deployment locations.
B. Require a Department tag on resources.
C. Give users Contributor access to the subscription.
D. Create Microsoft Entra ID users for contractors.
E. Place a CanNotDelete lock on every resource group.

Answers: A, B

Azure Policy is designed to enforce configuration standards such as allowed locations. It can block or audit deployments that do not match the approved region list, which is a compliance requirement rather than an access-control requirement.

Why this answer

Azure Policy can enforce organizational standards by evaluating resource properties against business rules. Option A is correct because the 'Allowed Locations' policy definition restricts users from deploying resources to any region not explicitly permitted, directly addressing the requirement to block unapproved regions. Option B is correct because the 'Require a tag and its value on resources' policy definition can enforce that a Department tag must exist on all new resources, ensuring compliance with tagging requirements.

Exam trap

The trap here is that candidates often confuse Azure Policy with Azure RBAC or resource locks, thinking that policy can manage user permissions or prevent deletion, when in fact policy is solely for enforcing rules on resource properties like location and tags.

11. MCQ (medium)

A VM-hosted automation tool must call Azure APIs without storing a password or certificate on disk. The identity should disappear automatically when the VM is deleted. Which identity should the administrator assign?

A. A user-assigned managed identity
B. A service principal with a client secret
C. A system-assigned managed identity
D. A storage account access key

Answer: C

A system-assigned managed identity is tied directly to the VM lifecycle, so it is created with the VM and removed when the VM is deleted. It allows the automation tool to authenticate to Azure services without storing passwords, secrets, or certificates on disk, which is the secure pattern requested.

Why this answer

A system-assigned managed identity is tied directly to the lifecycle of the Azure VM: when the VM is deleted, the identity is automatically removed. It allows the VM to authenticate to Azure APIs without storing any credentials (password or certificate) on disk, using Azure AD tokens obtained via the Azure Instance Metadata Service (IMDS) endpoint at 169.254.169.254.

Exam trap

The trap here is that candidates confuse user-assigned and system-assigned managed identities, failing to recognize that only system-assigned identities are automatically deleted with the VM, while user-assigned identities persist independently.

How to eliminate wrong answers

Option A is wrong because a user-assigned managed identity is a standalone Azure resource that persists independently of the VM; deleting the VM does not automatically delete the identity, and it must be explicitly removed. Option B is wrong because a service principal with a client secret requires storing the secret on disk or in environment variables, violating the requirement to avoid storing a password or certificate on disk. Option D is wrong because a storage account access key is a shared key for accessing Azure Storage, not an identity for authenticating to Azure APIs, and it must be stored on disk or in configuration.

12. MCQ (medium)

Based on the exhibit, an Azure Policy with the Modify effect was assigned to add Environment=Prod to resources in RG-Prod. New resources get the tag, but existing virtual machines still do not have it. What should the administrator do next?

A. Create a remediation task for the policy assignment.
B. Move the policy assignment to the subscription scope.
C. Change the policy effect from Modify to Deny.
D. Add a CanNotDelete lock to RG-Prod.

Answer: A

Modify can add or update the tag for future deployments, but existing resources usually need remediation so the policy engine can apply the change to what is already deployed. A remediation task is the correct next step.

Why this answer

The Modify effect in Azure Policy automatically applies to new resources during creation or update, but it does not retroactively fix existing non-compliant resources. To apply the tag to existing virtual machines, the administrator must create a remediation task for the policy assignment, which triggers a deployment to modify those resources.

Exam trap

The trap here is that candidates often assume Azure Policy automatically remediates all resources at assignment time, but in reality, only new or updated resources are affected unless a remediation task is explicitly created.

How to eliminate wrong answers

Option B is wrong because moving the policy assignment to the subscription scope would not retroactively fix existing resources; it would only expand the policy's evaluation scope, and remediation tasks are still required for existing non-compliant resources. Option C is wrong because changing the effect from Modify to Deny would block creation of resources without the tag but would not add the tag to existing resources, and it could break future deployments. Option D is wrong because adding a CanNotDelete lock prevents deletion of resources but does not modify existing tags or enforce tagging compliance.

13. MCQ (medium)

A production storage account must remain available for updates, but administrators want to prevent accidental deletion during maintenance windows. Which lock should be applied to the storage account?

A. ReadOnly lock at the storage account scope.
B. CanNotDelete lock at the storage account scope.
C. CanNotDelete lock at the subscription scope.
D. Azure Policy deny assignment on all storage account operations.

Answer: B

CanNotDelete is the correct lock because it prevents deletion while still allowing typical configuration updates. That matches the requirement to protect the storage account from accidental removal without freezing all management operations. Applying it directly at the resource scope keeps the protection targeted to the specific storage account.

Why this answer

The CanNotDelete lock at the storage account scope prevents the storage account from being deleted while still allowing all read and update operations. This meets the requirement of keeping the storage account available for updates while preventing accidental deletion during maintenance windows.

Exam trap

The trap here is that candidates often confuse the ReadOnly lock with preventing deletion, but ReadOnly also blocks updates, which fails the requirement; they may also incorrectly assume a subscription-scoped lock is necessary for a single resource, ignoring the principle of least privilege.

How to eliminate wrong answers

Option A is wrong because a ReadOnly lock prevents all write operations, including updates, which contradicts the requirement that the storage account must remain available for updates. Option C is wrong because a CanNotDelete lock at the subscription scope would prevent deletion of all resources in the subscription, which is overly broad and not scoped to just the storage account; it could also interfere with other resources that need to be deleted. Option D is wrong because an Azure Policy deny assignment on all storage account operations would block all operations, including updates, and is not a lock mechanism; it is a policy-based control that can be more complex to manage and does not specifically target accidental deletion.

14. MCQ (easy)

An Azure Policy that appends the Environment tag is assigned to a subscription. New virtual machines get the tag, but existing VMs do not. What should the administrator do next?

A. Remove the policy and reassign it at the resource group scope
B. Create a remediation task for the policy assignment
C. Grant the policy assignment Reader access
D. Apply a CanNotDelete lock to the subscription

Answer: B

A remediation task is used to bring existing resources into compliance after a policy assignment is in place. In this case, the append effect works for new deployments, but older virtual machines need remediation so the Environment tag is added to resources that were created before the policy took effect. That is the expected operational follow-up.

Why this answer

Azure Policy assignments with 'deployIfNotExists' or 'append' effects only apply to new resources by default. To bring existing non-compliant resources into compliance, a remediation task must be triggered, which uses a managed identity to modify the resource. Option B is correct because creating a remediation task for the policy assignment will evaluate and append the missing Environment tag to existing VMs.

Exam trap

The trap here is that candidates assume policy effects like 'append' or 'deny' automatically apply to all resources in scope, forgetting that only 'audit' and 'modify' effects have built-in support for existing resources, while others require a remediation task.

How to eliminate wrong answers

Option A is wrong because removing and reassigning the policy at a different scope does not retroactively apply the effect to existing resources; the append effect still only applies to new resources unless a remediation task is run. Option C is wrong because granting the policy assignment Reader access does not enable remediation; remediation requires a managed identity with contributor-level permissions to modify resources, not read-only access. Option D is wrong because applying a CanNotDelete lock prevents deletion of the subscription or its resources but does not modify existing resources to add the missing tag; it is unrelated to policy compliance remediation.

15. MCQ (hard)

A web app and a VM scale set both need the same Azure identity to read secrets from Key Vault. The identity must survive redeployment, and the team wants to remove it centrally without changing each resource individually. Which identity type should they use?

A. A system-assigned managed identity on each resource.
B. A user-assigned managed identity attached to both resources.
C. A service principal with a client secret stored in application settings.
D. A resource lock on the Key Vault to preserve the secret access path.

Answer: B

A user-assigned identity is reusable across resources and can be managed independently of any single workload.

Why this answer

A user-assigned managed identity (B) is the correct choice because it is created as a standalone Azure resource, can be attached to multiple Azure resources (e.g., a web app and a VM scale set), and persists independently of those resources. This allows the identity to survive redeployment of either resource and enables centralized removal (by deleting the user-assigned identity) without needing to modify each resource individually.

Exam trap

The trap here is that candidates often confuse system-assigned managed identities (which are simpler but resource-bound) with user-assigned managed identities, failing to recognize that only user-assigned identities can be shared across multiple resources and survive independent redeployment.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to the lifecycle of a single resource; it is automatically deleted when the resource is deleted, so it cannot survive redeployment, and it cannot be shared across multiple resources. Option C is wrong because a service principal with a client secret stored in application settings introduces secret management overhead, does not survive redeployment seamlessly (the secret must be re-stored), and requires individual configuration changes on each resource to remove the identity. Option D is wrong because a resource lock on Key Vault only prevents accidental deletion or modification of the vault itself; it does not provide an identity for authentication and does not address the requirement for a shared, centrally removable identity.

16. Multi-Select (hard)

An Azure application and an Azure Automation account need Azure access without any stored secrets. The same identity should be reusable and should not require manual secret rotation. Which two identity choices meet the requirement? Select two.

Select 2 answers

A. System-assigned managed identity attached to the resource that needs access.
B. User-assigned managed identity that can be attached to multiple Azure resources.
C. Service principal with a client secret stored in an app setting.
D. Shared administrator username and password stored in a Key Vault secret.
E. SAS token generated once and reused indefinitely by both resources.

Answers: A, B

System-assigned managed identities eliminate secrets and are automatically managed for the lifetime of the resource.

Why this answer

System-assigned managed identity (Option A) is correct because it is automatically created and tied to a specific Azure resource, such as a virtual machine or App Service, and provides an Azure AD identity that can authenticate to any service supporting Azure AD authentication without storing any secrets. The identity is managed by Azure, eliminating the need for manual secret rotation, and it is automatically deleted when the resource is deleted, ensuring no orphaned secrets. User-assigned managed identity (Option B) is correct for the same reason: no secret is stored or rotated by the team, and because it is a standalone resource it can be attached to both the application and the Automation account, which satisfies the reusability requirement.

Exam trap

The trap here is that candidates often confuse service principals with managed identities, thinking that storing a client secret in an app setting or Key Vault is acceptable, but the question explicitly requires 'no stored secrets' and 'no manual secret rotation,' which only managed identities satisfy.

17. MCQ (easy)

Help desk staff must start, stop, and restart virtual machines in one application resource group. They must not create or delete VMs or modify networking or disks. Which built-in role should you assign?

A. Reader
B. Virtual Machine Contributor
C. Virtual Machine Operator
D. Contributor

Answer: C

Virtual Machine Operator is the appropriate least-privilege choice for operational control of VMs. It allows actions such as starting, stopping, and restarting virtual machines without giving full management rights over creation, deletion, or related networking and disk resources. That makes it a better fit than broader contributor roles when the team only needs day-to-day operations.

Why this answer

The Virtual Machine Operator role allows starting, stopping, and restarting virtual machines, but explicitly denies creating, deleting, or modifying VMs, networking, or disks. This matches the help desk staff's required permissions exactly, making it the correct built-in role for this scenario.

Exam trap

The trap here is that candidates often choose Virtual Machine Contributor (Option B) because it sounds like it covers VM operations, but they overlook that it also includes create and delete permissions, which are explicitly prohibited in the question.

How to eliminate wrong answers

Option A is wrong because the Reader role provides read-only access to all resources, including VMs, but does not allow any start, stop, or restart actions. Option B is wrong because the Virtual Machine Contributor role allows full management of VMs, including creating and deleting them, which exceeds the required permissions. Option D is wrong because the Contributor role grants full access to manage all resources in the resource group, including networking and disks, which is too permissive for the help desk staff's needs.

18
MCQ · easy

Based on the exhibit, a compliance dashboard shows that several storage accounts are marked noncompliant because they do not have the required tag. The policy itself is correct, but one business unit needs a temporary exception for a single resource group during a merger. What should the administrator configure?

A. A policy exemption at the rg-merger01 resource group scope.
B. Delete the policy assignment from corp-root and recreate it later.
C. Move rg-merger01 to a separate subscription so the policy no longer applies.
D. Change the policy effect to Audit so the resources can remain noncompliant.
Answer: A

A policy exemption lets the administrator document and scope a temporary exception without disabling the policy for the rest of the environment. Because the request applies to one resource group for a limited time, an exemption at that scope is the cleanest governance solution.

Why this answer

A policy exemption at the rg-merger01 resource group scope is the correct solution because it allows the administrator to temporarily exclude a specific resource group from the policy's enforcement or compliance evaluation without modifying or deleting the original policy assignment. This is designed for scenarios like mergers where a short-term exception is needed, and it maintains the policy's integrity for all other scopes.

Exam trap

The trap here is that candidates often confuse a policy exemption with modifying the policy effect or scope, not realizing that exemptions are the only built-in mechanism to grant a temporary, scoped exception without affecting the rest of the environment.

How to eliminate wrong answers

Option B is wrong because deleting the policy assignment from corp-root would remove the policy from all resources under that root scope, not just rg-merger01, causing a broader compliance gap that would require manual re-creation later. Option C is wrong because moving rg-merger01 to a separate subscription is an overly complex and disruptive workaround that may break dependencies, incur additional management overhead, and does not address the temporary nature of the exception. Option D is wrong because changing the policy effect to Audit would make the policy non-enforcing for all resources under the assignment scope, not just rg-merger01, and would still mark resources as noncompliant without providing a true exception mechanism.

19
MCQ · easy

Based on the exhibit, a contractor must be able to restart only one virtual machine named vm-pay-01 and read its properties. The contractor must not be able to manage any other VM in the resource group. Where should the role assignment be created?

A. At the subscription scope so the contractor inherits access everywhere in the subscription.
B. At the resource scope for vm-pay-01 so the contractor receives permissions only on that VM.
C. At the resource group scope because resource assignments cannot be applied to virtual machines.
D. At the management group scope so the same role can be reused for all payroll subscriptions.
Answer: B

Assigning the role at the specific virtual machine resource scope limits the contractor to that VM only. Because Azure RBAC permissions inherit downward, this is the narrowest scope that still allows restart and read operations on vm-pay-01 without exposing other resources in the resource group.

Why this answer

Option B is correct because Azure RBAC allows role assignments at the resource scope, which in this case is the virtual machine vm-pay-01. By assigning a role (e.g., Virtual Machine Contributor or a custom role with restart and read permissions) directly to the VM resource, the contractor receives permissions only on that specific VM, fulfilling the requirement to restrict access to other VMs in the resource group.

Exam trap

The trap here is that candidates often assume role assignments must be at the resource group or subscription scope, forgetting that Azure RBAC supports direct assignments at the individual resource scope, which is the most precise way to grant permissions to a single VM.

How to eliminate wrong answers

Option A is wrong because assigning the role at the subscription scope would grant the contractor permissions on all resources in the subscription, including all VMs in the resource group, violating the requirement to restrict access to only vm-pay-01. Option C is wrong because Azure RBAC supports role assignments at the resource scope (e.g., a specific virtual machine), so the statement that 'resource assignments cannot be applied to virtual machines' is factually incorrect. Option D is wrong because assigning the role at the management group scope would propagate permissions to all subscriptions under that management group, granting broader access than intended and making it impossible to isolate permissions to just vm-pay-01.

20
MCQ · medium

A cloud operations team in the Corp business unit needs to read all Azure resources in every current and future subscription under the Corp management group to prepare monthly governance reports. They must not gain access to subscriptions that belong to other business units. What scope should the administrator use when assigning the Reader role?

A. Subscription scope
B. Resource group scope
C. Management group scope
D. Resource scope
Answer: C

This scope lets the Reader role inherit to all subscriptions currently under the Corp management group and to new subscriptions moved there later.

Why this answer

The Reader role assigned at the management group scope grants read-only access to all subscriptions within that management group, including future subscriptions, because Azure RBAC permissions are inherited by child resources. This meets the requirement to cover all current and future subscriptions under the Corp management group while excluding subscriptions in other business units.

Exam trap

The trap here is that candidates often choose subscription scope because they think each subscription needs a separate role assignment, failing to realize that management group scope provides inheritance to all current and future subscriptions under that management group.

How to eliminate wrong answers

Option A is wrong because assigning the Reader role at the subscription scope would only grant access to a single subscription, not all current and future subscriptions under the Corp management group. Option B is wrong because resource group scope limits access to a single resource group, failing to cover all resources across multiple subscriptions. Option D is wrong because resource scope restricts access to a single resource, which is far too granular for the team's need to read all resources across multiple subscriptions.

21
MCQ · easy

A single Azure virtual machine must read blobs from a storage account without storing any passwords, keys, or connection strings. The identity should be removed automatically if the VM is deleted. Which option should you use?

A. Storage account access key, because it is the simplest authentication method.
B. System-assigned managed identity, because it is tied to that VM.
C. Shared access signature, because it always removes the need for identity management.
D. User-assigned managed identity, because it is deleted automatically with the VM.
Answer: B

A system-assigned managed identity is attached directly to one Azure resource, such as a VM, and is automatically removed when that resource is deleted.

Why this answer

System-assigned managed identity is tied directly to the lifecycle of the Azure VM. When the VM is deleted, the identity is automatically removed. It allows the VM to authenticate to Azure Storage without storing any credentials, using Azure AD tokens obtained via the Azure Instance Metadata Service (IMDS).

Exam trap

The trap here is that candidates often confuse user-assigned managed identities with system-assigned ones, assuming user-assigned identities are also automatically deleted with the VM, when in fact they are independent resources that must be manually cleaned up.

How to eliminate wrong answers

Option A is wrong because storage account access keys are static secrets that must be stored in code or configuration, violating the requirement to avoid storing passwords, keys, or connection strings. Option C is wrong because a shared access signature (SAS) is a token that can be generated without identity management but still requires the SAS token to be stored or passed securely, and it does not automatically remove access when the VM is deleted. Option D is wrong because user-assigned managed identity is not automatically deleted with the VM; it is a standalone Azure resource that persists independently until explicitly removed.

22
MCQ · medium

Based on the exhibit, which Azure Policy effect should be used so new resources without an Environment tag are blocked at deployment time?

A. Audit
B. Append
C. Deny
D. Disabled
Answer: C

Deny stops the deployment when the condition is not met, which is exactly what is needed to block resources missing the required tag.

Why this answer

The Deny effect (Option C) is the correct choice because it actively blocks any deployment that does not meet the policy rule—in this case, resources lacking an Environment tag. When a policy with Deny is assigned, Azure Resource Manager evaluates the request during deployment and rejects it with a 403 (Forbidden) status if the condition is not satisfied, preventing the resource from being created entirely.

Exam trap

The trap here is that candidates often confuse 'Audit' with 'Deny' because both can report non-compliance, but only Deny actively prevents the deployment, whereas Audit merely logs the violation without blocking it.

How to eliminate wrong answers

Option A (Audit) is wrong because it only generates a warning log entry for non-compliant resources without blocking the deployment; the resource would still be created. Option B (Append) is wrong because it adds missing tags or values after deployment but does not prevent the resource from being created; it modifies the resource post-creation. Option D (Disabled) is wrong because it renders the policy ineffective, allowing all resources to be deployed regardless of tags.

23
Multi-Select · easy

A VM-hosted app needs to upload blobs without storing a storage account key or password on the VM. Which two authentication options meet this requirement? Select two.

Select 2 answers
A. System-assigned managed identity
B. User-assigned managed identity
C. Storage account access key in an application setting
D. Shared access signature token saved on the VM
E. Anonymous public access to the container
Answers: A, B

A system-assigned managed identity lets the VM authenticate to Azure services without a stored secret.

Why this answer

System-assigned managed identity (Option A) is correct because it allows the VM to authenticate to Azure Blob Storage without storing any credentials on the VM. When enabled, Azure automatically creates a service principal in Azure AD for the VM, and the VM can obtain an access token from the Azure Instance Metadata Service (IMDS) endpoint (169.254.169.254) to authenticate to storage. This eliminates the need for any storage account key or password on the VM.

Exam trap

The trap here is that candidates may confuse 'not storing a key or password on the VM' with 'using a credential that is stored elsewhere on the VM' — for example, a SAS token saved in a file or an access key in an app setting still counts as a stored credential, while managed identities provide credential-less authentication via Azure AD tokens.

24
MCQ · medium

An operations team must apply three related policies to all subscriptions in a department: require a cost-center tag, allow only approved locations, and block certain VM SKUs. They want to assign and track these rules as one unit. What should they create?

A. A single Azure Policy definition containing all three rules.
B. An Azure Policy initiative.
C. A management group with no policy assignments.
D. An RBAC custom role with deny permissions.
Answer: B

An initiative groups multiple policy definitions so they can be assigned, monitored, and managed together. This is ideal when several compliance rules must be applied consistently across multiple subscriptions. It also simplifies reporting because the team can evaluate one assignment instead of several separate ones.

Why this answer

An Azure Policy initiative is a collection of policy definitions designed to group related policies together for assignment and tracking as a single unit. By creating an initiative, the operations team can assign all three rules (cost-center tag, allowed locations, blocked VM SKUs) to all subscriptions in a department and track compliance at the initiative level, simplifying management and reporting.

Exam trap

The trap here is that candidates may think a single policy definition can contain multiple rules (Option A), but Azure Policy requires each definition to enforce one specific condition or effect, and grouping multiple rules requires an initiative.

How to eliminate wrong answers

Option A is wrong because a single Azure Policy definition can only contain one policy rule; it cannot combine multiple distinct rules like tag enforcement, location restrictions, and VM SKU blocking into one definition. Option C is wrong because a management group with no policy assignments does not enforce any rules; it is merely a container for organizing subscriptions and cannot apply or track the required policies. Option D is wrong because an RBAC custom role with deny permissions controls access to Azure resources (who can perform actions) but does not enforce resource-level compliance rules like required tags, allowed locations, or blocked VM SKUs; policy-based governance is separate from role-based access control.

25
Multi-Select · hard

A bootstrap script must install software on three VMs, then download configuration files from Blob Storage. Security forbids secrets in templates or scripts, and the same authentication method must work after the VMs are rebuilt. Which two choices should you make? Select two.

Select 2 answers
A. Assign a user-assigned managed identity and attach it to each VM.
B. Store the storage account access key in a script variable.
C. Use a Custom Script Extension to run the bootstrap commands at provisioning.
D. Create a separate local administrator account for the script to use.
E. Embed a SAS token directly in the Bicep parameters file.
Answers: A, C

A user-assigned managed identity can be reused across multiple VMs and survives VM rebuilds because it is a separate Azure resource. That makes it ideal when the same identity must work for several machines over time.

Why this answer

Option A is correct because a user-assigned managed identity provides a secure, credential-free authentication method that persists across VM rebuilds. Unlike system-assigned managed identities, which are tied to a specific VM lifecycle and are lost when the VM is deleted, a user-assigned identity is a standalone Azure resource that can be reassigned to new VMs. This allows the bootstrap script to authenticate to Azure Blob Storage via Azure AD without storing any secrets, satisfying the security constraint.

Exam trap

The trap here is that candidates often confuse system-assigned managed identities (which are tied to the VM lifecycle and lost on deletion) with user-assigned managed identities (which persist independently), leading them to incorrectly assume that managed identities cannot survive a VM rebuild.

26
MCQ · easy

Based on the exhibit, an Azure VM must read secrets from Azure Key Vault during startup. No passwords, certificates, or client secrets may be stored on the VM. What should you configure?

A. Assign a user-assigned managed identity to the VM so it can be shared later.
B. Enable a system-assigned managed identity on the VM.
C. Create a service principal and store its client secret in the VM configuration.
D. Use a shared access signature in the startup script to authenticate to Key Vault.
Answer: B

A system-assigned managed identity is the best fit because it gives the VM an Azure identity without storing secrets on the machine. It is tied directly to that VM, so it is easy to create, use, and automatically remove when the VM is deleted. This matches the requirement for startup access to Key Vault and avoids any embedded credentials.

Why this answer

A system-assigned managed identity is the correct choice because it is tied directly to the VM's lifecycle, requires no credential storage, and can authenticate to Azure Key Vault without any secrets stored on the VM. When enabled, Azure automatically creates a service principal in Azure AD for the VM, and the VM can request an access token from the Azure Instance Metadata Service (IMDS) endpoint (169.254.169.254) to access Key Vault secrets. This satisfies the requirement of no passwords, certificates, or client secrets on the VM.

Exam trap

The trap here is that candidates often confuse managed identities with service principals or shared access signatures, mistakenly thinking that a client secret or SAS token is needed for authentication, when in fact managed identities eliminate the need for any stored credentials.

How to eliminate wrong answers

Option A is wrong because a user-assigned managed identity is not required for a single VM and adds unnecessary complexity; it is designed for scenarios where the identity must be shared across multiple resources, not for a single VM's startup secret retrieval. Option C is wrong because storing a client secret in the VM configuration violates the explicit requirement that no passwords, certificates, or client secrets may be stored on the VM, and it introduces a security risk. Option D is wrong because a shared access signature (SAS) is used for granting delegated access to Azure Storage resources, not for authenticating to Azure Key Vault; Key Vault uses Azure AD authentication (OAuth 2.0) and does not support SAS tokens.

27
MCQ · medium

A security team needs to grant and remove RBAC access for a set of operators on resources in one resource group, but those operators must not create, modify, or delete the resources themselves. Which built-in role should be assigned?

A. Reader, because it is the most restrictive role available.
B. Contributor, because it can manage resources and role assignments together.
C. User Access Administrator at the resource group scope.
D. Tag Contributor, because role management and tagging are both governance tasks.
Answer: C

User Access Administrator is the built-in role designed for managing access permissions without granting broad resource management rights. At the resource group scope, it lets the security team add and remove RBAC assignments for that group while avoiding direct control over the workload resources themselves. This matches least privilege much better than Owner or Contributor.

Why this answer

Option C is correct because the User Access Administrator role at the resource group scope grants the ability to manage RBAC role assignments for other users on resources within that resource group, but it does not grant permissions to create, modify, or delete the resources themselves. This meets the security team's requirement to grant and remove access without allowing resource management.

Exam trap

The trap here is that candidates often confuse the Contributor role (which can manage resources but not role assignments) with the User Access Administrator role, or mistakenly think the Reader role is sufficient for managing access, when in fact only roles with Microsoft.Authorization/roleAssignments/write can grant or remove RBAC assignments.

How to eliminate wrong answers

Option A is wrong because the Reader role only allows read-only access to resources and cannot grant or remove RBAC assignments for other users. Option B is wrong because the Contributor role allows full management of resources (create, modify, delete) but does not include the permission to manage role assignments (Microsoft.Authorization/roleAssignments/write). Option D is wrong because the Tag Contributor role only allows management of resource tags and does not include any permissions to manage RBAC role assignments.

28
MCQ · medium

Based on the exhibit, the Prod management group contains three subscriptions that host application workloads. An operations group must be able to read all current and future resources in those Prod subscriptions, but it must not have access to Sandbox. Where should you assign the Reader role?

A. Assign Reader to OpsGroup at the Corp management group.
B. Assign Reader to OpsGroup at the Prod management group.
C. Assign Reader to OpsGroup at one application resource group in AppSub1.
D. Assign Reader to OpsGroup at each subscription individually.
Answer: B

Assigning at the Prod management group gives inherited read access to every subscription, resource group, and resource under Prod. It also automatically applies to future subscriptions added under Prod, while keeping Sandbox out of scope.

Why this answer

Assigning the Reader role at the Prod management group scope ensures that OpsGroup inherits read permissions to all current and future subscriptions and resources within that management group, while excluding the Sandbox subscription which is outside the Prod hierarchy. This leverages Azure RBAC inheritance, where roles assigned at a management group propagate to all child subscriptions and resource groups, meeting the requirement for a single assignment that covers all Prod workloads without granting access to Sandbox.

Exam trap

The trap here is that candidates often choose subscription-level assignments (Option D) because they think it's more precise, but they miss the requirement for future resources and the efficiency of a single management group assignment that automatically covers new subscriptions.

How to eliminate wrong answers

Option A is wrong because assigning Reader at the Corp management group would grant OpsGroup read access to all subscriptions under Corp, including Sandbox, violating the requirement to exclude Sandbox. Option C is wrong because assigning Reader at a single resource group in AppSub1 would only grant access to that specific resource group, not to all current and future resources across all three Prod subscriptions. Option D is wrong because assigning Reader at each subscription individually would work but is inefficient and does not automatically cover future subscriptions added to the Prod management group, requiring manual updates.

29
MCQ · medium

A company wants development and production workloads for the same application to have separate budgets, separate subscription administrators, and different access controls. The central IT team still wants to apply the same security policies to both environments. What is the best design?

A. Use one subscription and separate the environments with tags only.
B. Use one management group and two resource groups, one for dev and one for prod.
C. Create a separate subscription for dev and prod, then place both subscriptions under the same management group.
D. Put production in a management group and development in a resource group.
Answer: C

Separate subscriptions provide billing and admin boundaries, while the management group allows central policy and governance to be applied consistently to both environments.

Why this answer

Option C is correct because it uses separate subscriptions for development and production, which provides independent budget tracking, subscription-level role assignments, and separate administrators. Placing both subscriptions under the same management group allows the central IT team to apply consistent Azure Policy and RBAC security policies across both environments via the management group hierarchy, ensuring governance without compromising isolation.

Exam trap

The trap here is that candidates often confuse resource groups with management groups, thinking that resource groups can provide the same policy inheritance and administrative isolation as subscriptions, but resource groups lack subscription-level billing separation and independent RBAC administration.

How to eliminate wrong answers

Option A is wrong because tags alone cannot enforce separate budgets, subscription administrators, or access controls; tags are metadata for resource organization and cost reporting, not a security boundary. Option B is wrong because resource groups within a single subscription share the same subscription-level administrators and budget, and cannot provide the required separation of administrative control. Option D is wrong because a management group is a container for subscriptions, not for individual workloads, and placing production in a management group with development in a resource group is architecturally invalid and provides no isolation or policy enforcement.

30
MCQ · medium

An organization wants to enforce two governance controls on all subscriptions under a management group: only approved Azure regions can be used, and every resource must have a costCenter tag. Central IT wants one assignment that can grow as more controls are added later. What should they use?

A. A single Azure Policy assignment that contains both requirements as separate policy rules.
B. An initiative assigned at the management group scope.
C. A role assignment at the management group scope.
D. A resource lock applied to each subscription.
Answer: B

An initiative groups related policies under one assignment and is ideal for reusable governance baselines.

Why this answer

An initiative (policy set) allows grouping multiple policy definitions into a single assignment, which can be assigned at the management group scope to enforce both the allowed regions and costCenter tag requirements. This approach supports future growth by simply adding new policy definitions to the initiative without creating separate assignments. Assigning at the management group scope ensures the controls cascade to all child subscriptions.

Exam trap

The trap here is confusing a single policy assignment with an initiative assignment, as candidates often think multiple rules can be added to one policy definition, but Azure Policy requires an initiative to combine separate policy definitions.

How to eliminate wrong answers

Option A is wrong because a single Azure Policy assignment can contain only one policy definition; you cannot combine two separate policy rules into one assignment without using an initiative. Option C is wrong because role assignments control permissions (who can do what), not governance controls like allowed regions or tagging requirements. Option D is wrong because resource locks prevent deletion or modification of resources but cannot enforce allowed regions or require specific tags.

31
MCQ · medium

A contractor needs read-only access to resources in one application resource group. The access must be removed immediately when the contractor is removed from the contractor team. What is the best access strategy?

A. Assign Reader directly to the contractor's user account at the subscription scope.
B. Assign Reader to the Entra ID contractor group at the resource group scope.
C. Assign Contributor to the contractor group at the resource group scope.
D. Assign Reader to the contractor group at the management group scope.
Answer: B

This is the best practice because Azure RBAC supports group-based assignments, and scope should be as narrow as possible. Assigning Reader to the contractor group at the resource group gives the team exactly the access needed and ensures removal from the group immediately revokes access through group membership changes. It is easier to audit and manage than assigning permissions to individual contractor accounts.

Why this answer

Option B is correct because assigning the Reader role to the Entra ID contractor group at the resource group scope ensures that all members of the group inherit read-only access to resources within that specific resource group. When a contractor is removed from the Entra ID group, their access is immediately revoked because Azure RBAC evaluates group membership dynamically at authentication time. This approach follows the principle of least privilege and enables centralized access management via group-based assignments.

Exam trap

The trap here is that candidates often choose a broader scope (subscription or management group) thinking it simplifies management, but they overlook the requirement to restrict access to only one resource group, which is a classic Azure RBAC scope misunderstanding.

How to eliminate wrong answers

Option A is wrong because assigning Reader directly to the contractor's user account at the subscription scope grants read-only access to all resource groups in the subscription, which violates the requirement of scoping access to only one application resource group. Option C is wrong because assigning Contributor to the contractor group at the resource group scope provides write-level permissions, which exceeds the required read-only access and violates the principle of least privilege. Option D is wrong because assigning Reader to the contractor group at the management group scope grants read-only access to all subscriptions and resource groups under that management group, which is too broad and does not limit access to the single application resource group.

32
MCQ · easy

Based on the exhibit, a compliance team must read all current and future resources in every subscription under the Corp management group. Where should you assign the Reader role?

A. Assign Reader at the RG-Finance resource group scope.
B. Assign Reader at the Corp management group scope.
C. Assign Reader separately at each subscription scope.
D. Assign Reader only at the individual resource scope.
Answer: B

This scope covers all subscriptions currently under Corp and any subscriptions added later beneath that management group.

Why this answer

Assigning the Reader role at the Corp management group scope applies the role to all current and future subscriptions and resource groups within that management group hierarchy. This is because Azure RBAC roles assigned at a management group scope are inherited by all child management groups, subscriptions, and resources, ensuring the compliance team can read all resources across the entire Corp hierarchy without needing separate assignments.

Exam trap

The trap here is that candidates often think they must assign roles at the subscription or resource group level for granularity, overlooking that management group scope provides automatic inheritance to all child scopes, which is the most efficient way to grant permissions across an entire hierarchy.

How to eliminate wrong answers

Option A is wrong because assigning Reader at the RG-Finance resource group scope only grants read access to resources within that single resource group, not to all subscriptions under Corp. Option C is wrong because assigning Reader separately at each subscription scope would require manual updates for every new subscription added under Corp, failing the requirement to cover future resources automatically. Option D is wrong because assigning Reader only at the individual resource scope would require assigning the role to every single resource, which is impractical and does not scale to cover all current and future resources.

33
MCQ · easy

Based on the exhibit, the team must prevent accidental deletion of a resource group, but administrators still need to update settings on resources inside it. Which lock should you apply?

A. Apply no lock and rely on RBAC alone.
B. Apply a ReadOnly lock to RG-Prod.
C. Apply a CanNotDelete lock to RG-Prod.
D. Apply a Contributor role assignment to RG-Prod.
Answer: C

CanNotDelete prevents accidental deletion while still allowing normal update operations on existing resources in the scope.

Why this answer

Option C is correct because applying a CanNotDelete lock to RG-Prod prevents the resource group from being deleted while still allowing administrators to update settings on resources inside it. This lock type blocks delete operations but permits read and update operations, which aligns with the requirement to prevent accidental deletion without restricting management changes.

Exam trap

The trap here is that candidates often confuse CanNotDelete with ReadOnly, mistakenly thinking that preventing deletion requires blocking all write operations, but CanNotDelete specifically targets delete operations while allowing updates.

How to eliminate wrong answers

Option A is wrong because relying solely on RBAC does not prevent accidental deletion; RBAC controls access based on roles, but a user with Contributor or Owner permissions could still delete the resource group. Option B is wrong because a ReadOnly lock prevents all write operations, including updates to resource settings, which contradicts the requirement that administrators need to update settings. Option D is wrong because assigning a Contributor role grants permissions to manage resources, including the ability to delete the resource group, so it does not prevent deletion.

34
MCQ · easy

Based on the exhibit, which Azure construct should the administrator create to group these related policy rules into one assignment?

A. Azure Policy initiative
B. Resource lock
C. Azure RBAC custom role
D. Policy exemption
Answer: A

An initiative groups multiple policy definitions into one assignment, which is ideal when the organization wants a single governance package at management group scope. This makes deployment and compliance tracking simpler than assigning each policy separately.

Why this answer

An Azure Policy initiative is a collection of policy definitions designed to group related policies into a single assignable unit. This allows the administrator to apply multiple policy rules together for consistent governance across resources, which is exactly what the question describes.

Exam trap

The trap here is confusing a policy initiative with a policy exemption: both are Azure Policy constructs, but only an initiative groups definitions for a single assignment, while an exemption removes resources from evaluation.

How to eliminate wrong answers

Option B is wrong because a resource lock prevents accidental deletion or modification of resources, not grouping policy rules. Option C is wrong because an Azure RBAC custom role defines permissions for access control, not policy rules. Option D is wrong because a policy exemption is used to exclude specific resources from policy evaluation, not to group policies together.

35
MCQ · medium

A shared resource group contains a critical virtual machine and a storage account. Administrators must still be able to update settings, but nobody should accidentally delete either resource during routine maintenance. Which lock should be applied?

A. ReadOnly lock on the resource group.
B. CanNotDelete lock on the resource group.
C. A policy assignment that denies delete operations.
D. A management group assignment with Contributor removed.
Answer: B

CanNotDelete blocks deletion while still allowing normal update operations on the resources.

Why this answer

The CanNotDelete lock on the resource group prevents deletion of the resource group and all resources within it, while still allowing administrators to update settings. This meets the requirement of protecting both the critical VM and storage account from accidental deletion during routine maintenance, without blocking configuration changes.

Exam trap

The trap here is that candidates often confuse Azure Policy with resource locks, thinking a deny policy can prevent deletion, but locks are the only mechanism that directly blocks delete operations at the resource level regardless of RBAC permissions.

How to eliminate wrong answers

Option A is wrong because a ReadOnly lock prevents all write operations, including updates to settings, which contradicts the requirement that administrators must still be able to update settings. Option C is wrong because a policy assignment that denies delete operations is not a lock; Azure Policy evaluates compliance and can block creation or modification, but it does not provide the same resource-level protection as locks and can be bypassed if the policy is removed or excluded. Option D is wrong because a management group assignment with Contributor removed would affect all subscriptions under that management group, is overly broad, and does not directly protect the specific resource group from accidental deletion; it also does not prevent deletion by users with Owner or other high-privilege roles.

36
Multi-Select · medium

An enterprise has a management group named Corp that contains all production and sandbox subscriptions. An Entra ID group named Auditors must be able to read resources in every current subscription under Corp and in any subscription added later. Which two actions should the administrator take? Select two.

Select 2 answers
A. Assign the Reader role to the Auditors group at the Corp management group scope.
B. Assign the Reader role directly to every subscription under Corp.
C. Assign the Reader role to the Auditors group at one resource group scope.
D. Add the intended users to the Auditors Entra ID group.
E. Create an Azure Policy assignment to grant read access to all subscriptions.
Answers: A, D

A Reader assignment at the management group scope inherits to every child subscription and resource below it. That is the narrowest scope that still covers all current and future subscriptions under Corp.

Why this answer

Assigning the Reader role at the Corp management group scope ensures that the Auditors group inherits read permissions to all current and future subscriptions under Corp, because Azure RBAC permissions assigned at a management group are inherited by all child subscriptions and resource groups. This meets the requirement for both existing and future subscriptions without manual updates.

Exam trap

The trap here is confusing Azure Policy (which enforces compliance rules) with Azure RBAC (which grants permissions), leading candidates to incorrectly select Option E instead of recognizing that RBAC assignments at the management group scope are the correct method for inheritance across all subscriptions.

37
Multi-Select · hard

A policy initiative is assigned at the Corp management group to enforce allowed locations and required tags. A new subscription is added under Corp later. Which two statements are true? Select two.

Select 2 answers
A. The new subscription is automatically in scope because the assignment is at the management group.
B. The initiative must be copied to every resource group in the new subscription before it takes effect.
C. Existing noncompliant resources appear in Azure Policy compliance, but they are not changed until remediation runs.
D. The initiative changes RBAC so users lose read access to the subscription.
E. Compliance results are only visible in Activity Log, not in Azure Policy.
Answers: A, C

Management group assignments inherit to child subscriptions, including subscriptions added later.

Why this answer

Option A is correct because Azure Policy assignments at a management group scope are inherited by all child subscriptions, including new ones added later. When the Corp management group has the initiative assigned, any subscription under Corp automatically falls within the policy's evaluation scope without requiring manual re-assignment.

Exam trap

The trap here is that candidates often assume new subscriptions or resources are not automatically covered by a management group policy assignment, or they confuse policy enforcement with RBAC changes, leading them to select options B or D.

38
MCQ · medium

Based on the exhibit, which identity approach should be used so all three virtual machines can reuse the same Azure access without sharing secrets?

A. Assign a system-assigned managed identity to each VM.
B. Use a user-assigned managed identity and attach it to all three VMs.
C. Create a storage account access key and place it in each VM's application settings.
D. Create a separate SAS token for each VM and rotate it manually.
Answer: B

A user-assigned managed identity is the right fit when multiple resources need the same Azure identity. It is created as a standalone resource and can be attached to all three VMs, so the access model remains consistent even if a VM is reimaged or replaced. This also avoids storing storage keys, passwords, or connection strings in the application or operating system.

Why this answer

A user-assigned managed identity is a standalone Azure resource that can be assigned to multiple Azure VMs, allowing all three VMs to authenticate to Azure services (e.g., Azure Storage, Key Vault) using the same identity without sharing any secrets. This approach eliminates the need to manage or rotate credentials, as the identity is managed entirely by Azure AD and tokens are obtained via the Azure Instance Metadata Service (IMDS) endpoint.

Exam trap

The trap here is that candidates often confuse system-assigned and user-assigned managed identities, incorrectly assuming that system-assigned identities can be shared across multiple VMs, when in fact only user-assigned identities support multi-VM assignment.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to a single VM and cannot be shared across multiple VMs; each VM would get a unique identity principal, not the same identity. Option C is wrong because storing a storage account access key in each VM's application settings requires sharing a static secret, which violates the requirement of not sharing secrets and introduces security risks if the key is compromised. Option D is wrong because creating separate SAS tokens for each VM still requires sharing tokens (which are secrets) and manually rotating them, which is not a 'no secrets' approach and adds operational overhead.

39
Multi-Select · easy

An operations team wants to label resources by Department and Environment so they can search and report on ownership across many resource groups. Which two statements are correct? Select two.

Select 2 answers
A. Tags are key-value pairs that can be applied to resources and resource groups.
B. Tags help organize and filter resources, but they do not grant access.
C. A ReadOnly lock is the best way to record department ownership.
D. Tags automatically encrypt the data in a resource.
E. Tags replace Azure Policy when compliance must be enforced.
Answers: A, B

Tags are simple metadata labels, usually in key-value form, that can be attached to resources and resource groups. They are commonly used for cost allocation, ownership, and environment tracking.

Why this answer

Option A is correct because Azure tags are indeed key-value pairs that can be applied to resources and resource groups. This allows the operations team to label resources with metadata like Department and Environment, enabling efficient searching, filtering, and reporting across multiple resource groups without affecting resource functionality.

Exam trap

The trap here is that candidates often confuse Azure tags with access control or compliance enforcement, mistakenly thinking tags can replace Azure Policy or locks, when in fact tags are purely for organization and metadata.

40
Multi-Select · medium

A production resource group contains application VMs and databases. Operators must be able to update resources inside the group, but nobody should be able to delete the whole group by accident. Finance also wants ownership data to remain with the resources if they are moved to another resource group. Which two actions should you take? Select two.

Select 2 answers
A. Apply a CanNotDelete lock to the resource group.
B. Use tags such as Department and Owner on the resources.
C. Apply a ReadOnly lock to the resource group.
D. Move the resource group to a management group.
E. Grant Resource Policy Contributor to the operators.
Answers: A, B

A CanNotDelete lock prevents accidental deletion while still allowing normal updates and configuration changes inside the resource group.

Why this answer

Option A is correct because applying a CanNotDelete lock to the resource group prevents anyone from deleting the entire resource group, while still allowing operators to update resources inside it. This lock does not prevent resource-level deletions or modifications, so operators can continue to manage the VMs and databases as needed.

Exam trap

The trap here is that candidates often confuse resource group locks with resource-level locks or assume that moving a resource group to a management group provides deletion protection, when in fact only explicit locks (CanNotDelete or ReadOnly) prevent deletion at the resource group scope.

41
MCQ · medium

An administrator assigns Contributor at the RG-Apps resource group scope and Reader at the subscription scope. A developer opens a VM inside RG-Apps and can change its settings, but a different VM in RG-Shared is read-only. Which statement best explains this behavior?

A. The VM in RG-Apps has a direct Contributor assignment that does not apply elsewhere.
B. The VM in RG-Apps inherited Contributor from the resource group, while RG-Shared only inherits Reader.
C. Reader always overrides Contributor when both roles exist in the same subscription.
D. Azure Policy is granting write access only inside RG-Apps because the subscription has no policy.
Answer: B

Permissions flow from the resource group to its resources. Contributor at RG-Apps applies to all resources there, while the subscription-level Reader remains inherited everywhere.

Why this answer

Role assignments in Azure are inherited from higher scopes (subscription, management group) down to lower scopes (resource group, resource). The developer has Reader at the subscription scope, which is inherited by all resource groups, including RG-Shared. However, the Contributor assignment at the RG-Apps resource group scope overrides the inherited Reader for that specific resource group, granting write access to VMs within RG-Apps.

RG-Shared has no direct role assignment, so it only inherits the subscription-level Reader, making its VMs read-only.

Exam trap

The trap here is that candidates often confuse inheritance with direct assignments, thinking that a role at a higher scope (subscription) always overrides a role at a lower scope (resource group), when in fact Azure RBAC is additive: a role assigned at a lower scope adds to the roles inherited from above, so the effective permission at any scope is the union of all applicable assignments.

How to eliminate wrong answers

Option A is wrong because Contributor was assigned at the resource group scope (RG-Apps), not directly on the VM; the VM inherits the role from its resource group. Option C is wrong because Azure RBAC does not have a fixed override order between Reader and Contributor; the effective permissions are determined by the most permissive role at the lowest applicable scope, and here Contributor at the resource group scope is more permissive than Reader at the subscription scope. Option D is wrong because Azure Policy is not involved in this scenario; the behavior is purely due to RBAC role assignments, and the subscription having no policy does not grant write access.

42
MCQ · hard

A help desk team must be able to reset passwords for cloud users in Microsoft Entra ID, but they must not be able to create or delete users. Which built-in role should you assign?

A. Global Administrator
B. User Administrator
C. Reader
D. Billing Administrator
Answer: B

This aligns with the least-privilege requirement for user management tasks like password resets.

Why this answer

The User Administrator role in Microsoft Entra ID (formerly Azure AD) grants permissions to reset passwords for cloud users, but explicitly excludes the ability to create or delete users. This makes it the correct choice for a help desk team that needs password reset capabilities without broader user management rights.

Exam trap

The trap here is that candidates often confuse the User Administrator role with the Global Administrator role, assuming password reset requires the highest privilege, but Microsoft deliberately scopes the User Administrator role to include password reset while excluding user creation and deletion.

How to eliminate wrong answers

Option A is wrong because Global Administrator has full access to all administrative features, including creating and deleting users, which violates the requirement. Option C is wrong because the Reader role only provides read-only access to Azure resources and cannot reset passwords. Option D is wrong because Billing Administrator is limited to billing-related tasks and cannot reset user passwords.

43
MCQ · medium

Three application VMs in different resource groups must use the same Azure identity to read blobs from a storage account. The identity must continue to work if the VMs are redeployed. What should you use?

A. A system-assigned managed identity on each VM
B. A user-assigned managed identity
C. A shared access signature stored in a configuration file
D. The local Administrator account on each VM
Answer: B

A user-assigned managed identity can be attached to multiple VMs and survives VM redeployment.

Why this answer

A user-assigned managed identity is the correct choice because it is a standalone Azure resource that can be assigned to multiple VMs across different resource groups. It persists independently of the VM lifecycle, so it continues to work even if the VMs are redeployed, and it can be used to authenticate to Azure Storage for blob read operations via Azure AD.

Exam trap

The trap here is that candidates often choose a system-assigned managed identity (Option A) because they assume it can be shared, but it is per-resource and cannot be assigned to multiple VMs across resource groups.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to a single VM and cannot be shared across multiple VMs in different resource groups; it is also deleted when the VM is deleted. Option C is wrong because a shared access signature (SAS) stored in a configuration file is a static token that can expire, requires manual rotation, and does not provide a managed identity that persists across VM redeployments. Option D is wrong because the local Administrator account is a local user account that cannot be used to authenticate to Azure Storage blobs; it has no Azure RBAC permissions and is not designed for cloud resource access.

44
MCQ · medium

You need to ensure that all newly created resource groups in a subscription automatically inherit the CostCenter tag with a fixed value, even if the creator forgets to add it. Which Azure Policy effect should you use?

A. Audit
B. Deny
C. Modify
D. Disabled
Answer: C

Modify can add the required tag value during deployment and is the best fit here.

Why this answer

The Modify effect is correct because it allows Azure Policy to automatically add or alter tags on resources or resource groups during creation or update, ensuring the CostCenter tag with a fixed value is applied even if the creator omits it. Unlike Audit or Deny, Modify actively remediates non-compliant resources by appending the required tag, making it ideal for enforcing mandatory inheritance without blocking deployment.

Exam trap

The trap here is that candidates often choose Deny thinking it enforces compliance by blocking non-tagged resources, but they overlook that the question requires automatic inheritance, not rejection, making Modify the only effect that actively adds the missing tag.

How to eliminate wrong answers

Option A is wrong because Audit only logs non-compliance without taking any action, so the CostCenter tag would not be automatically added. Option B is wrong because Deny blocks the creation of resource groups that lack the tag, which would prevent deployment entirely rather than ensuring the tag is inherited. Option D is wrong because Disabled turns off the policy effect, providing no enforcement or remediation at all.

45
Multi-Select · hard

A management group named Corp contains subscription Sales. RG-App is in Sales and contains several virtual machines. The Auditors group must read every resource in Sales, including resources in future resource groups created under that subscription. The ServerOps group must be able to start, stop, and restart only the virtual machines in RG-App. Which two role assignments should the administrator configure? Select two.

Select 2 answers
A. Assign Reader to Auditors at the Sales subscription scope.
B. Assign Reader to Auditors at the RG-App resource group scope.
C. Assign Virtual Machine Contributor to ServerOps at the RG-App resource group scope.
D. Assign Virtual Machine Contributor to ServerOps at the Sales subscription scope.
E. Assign Owner to ServerOps at the RG-App resource group scope.
Answers: A, C

Subscription scope covers all existing and future resource groups and resources inside Sales, which matches the auditor requirement.

Why this answer

Option A is correct because assigning the Reader role to the Auditors group at the Sales subscription scope grants read access to all resources within that subscription, including any future resource groups and resources created under it. This meets the requirement that Auditors must read every resource in Sales, including those in future resource groups.

Exam trap

The trap here is that candidates often assign roles at too broad a scope (e.g., subscription) for ServerOps, thinking it simplifies management, or assign too permissive a role like Owner, not realizing that Virtual Machine Contributor is the precise built-in role for VM start/stop/restart operations.

46
Multi-Select · easy

Finance, HR, and Engineering each have their own subscriptions, and one production resource group must not be deleted by mistake. Which two Azure features should be used? Select two.

Select 2 answers
A. Create a management group for the subscriptions.
B. Apply a CanNotDelete lock to the production resource group.
C. Assign Reader to everyone in the company.
D. Use a distribution list for the subscriptions.
E. Move the resource group into a different region.
Answers: A, B

Management groups are designed to organize subscriptions above the subscription level. They help apply consistent governance to groups of subscriptions such as Finance, HR, and Engineering.

Why this answer

Option A is correct because a management group allows you to centrally manage governance, policy, and compliance across multiple Azure subscriptions. By placing the Finance, HR, and Engineering subscriptions under a single management group, you can apply Azure Policy or RBAC assignments that affect all subscriptions, ensuring consistent governance without needing to configure each subscription individually.

Exam trap

The trap here is that candidates often confuse RBAC roles (like Reader) with resource locks, thinking that restricting permissions alone prevents deletion, but locks are required to explicitly block delete operations regardless of permissions.

47
Multi-Select · medium

Three application VMs in separate resource groups must use the same identity to read a configuration endpoint. The identity must keep working if any one VM is deleted and later recreated. Which three actions should the administrator take? Select three.

Select 3 answers
A. Create a user-assigned managed identity that can exist independently of any single VM.
B. Attach the same user-assigned managed identity to each of the three VMs.
C. Grant the user-assigned identity the minimum required RBAC role on the target configuration endpoint.
D. Use a system-assigned managed identity on only one VM and copy its access token to the other two VMs.
E. Store one application password locally on each VM and use it instead of Azure-managed identities.
Answers: A, B, C

A user-assigned managed identity has its own lifecycle and is not deleted when a VM is removed. That makes it the correct choice when multiple VMs need the same identity and the identity must survive VM recreation.

Why this answer

A user-assigned managed identity is an Azure resource that exists independently of any VM, unlike a system-assigned identity which is tied to the VM lifecycle. This independence ensures the identity persists even when a VM is deleted and recreated, maintaining continuous access to the configuration endpoint. By creating a user-assigned managed identity, the administrator decouples the identity from any single VM, satisfying the requirement that the identity must keep working after VM deletion and recreation.

Exam trap

The trap here is that candidates often confuse user-assigned and system-assigned managed identities, incorrectly assuming that a system-assigned identity can be shared across VMs or that its access token can be copied, when in fact system-assigned identities are per-resource and cannot survive resource deletion.

48
MCQ · medium

Based on the exhibit, the help desk team must be able to restart virtual machines in RG-App, but they must not be able to create, delete, or resize VMs. What is the best action?

A. Assign Virtual Machine Contributor to HelpDeskGroup at the subscription scope.
B. Assign Contributor to HelpDeskGroup at RG-App.
C. Create a custom RBAC role that allows VM start, restart, and deallocate actions, then assign it at RG-App.
D. Assign Owner to HelpDeskGroup at RG-App and use Azure Policy to block unwanted changes.
Answer: C

A custom role is the best fit when no built-in role is narrow enough. Assigning it at the resource group scope limits the permission to RG-App, while the role itself can be restricted to only the VM operational actions that the help desk needs.

Why this answer

Option C is correct because the help desk team needs only specific actions (start, restart, deallocate) without the ability to create, delete, or resize VMs. The built-in Virtual Machine Contributor role includes write permissions that allow creating and deleting VMs, so a custom RBAC role that explicitly grants only the required actions (Microsoft.Compute/virtualMachines/start/action, Microsoft.Compute/virtualMachines/restart/action, and Microsoft.Compute/virtualMachines/deallocate/action) and is assigned at the RG-App scope meets the requirement precisely.

Exam trap

The trap here is that candidates often assume the built-in Virtual Machine Contributor role is the correct choice because it sounds restrictive, but it actually includes write permissions that allow VM creation and deletion, making a custom role necessary for the exact set of actions required.

How to eliminate wrong answers

Option A is wrong because assigning Virtual Machine Contributor at the subscription scope grants permissions to create, delete, and resize VMs across all resource groups, which violates the requirement to prevent those actions. Option B is wrong because the Contributor role at RG-App includes full write access to all resources in the resource group, allowing VM creation, deletion, and resizing. Option D is wrong because assigning Owner at RG-App grants full control, including the ability to modify or remove Azure Policy assignments, and using Azure Policy to block changes is an indirect, less reliable approach that can be bypassed by users with Owner permissions.

49
Multi-Select · medium

An operations team must be able to restart virtual machines in one resource group. They must not create, delete, resize, or change disks or networking. Which two actions should the administrator take? Select two.

Select 2 answers
A. Create a custom RBAC role that includes only read and restart actions for virtual machines.
B. Assign the Virtual Machine Contributor role to the operations group.
C. Assign the custom role to the operations group at the resource group scope.
D. Create an Azure Policy assignment that denies VM creation in the resource group.
E. Apply a ReadOnly lock to the resource group.
Answers: A, C

A custom role lets the administrator grant only the exact VM actions needed. Including read and restart permissions satisfies the task without giving broader management capabilities.

Why this answer

Option A is correct because a custom RBAC role can be defined to include only the 'Microsoft.Compute/virtualMachines/read' and 'Microsoft.Compute/virtualMachines/restart/action' permissions, which precisely limits the operations team to reading and restarting VMs without allowing create, delete, resize, or disk/network changes. This aligns with the principle of least privilege.

Exam trap

The trap here is that candidates often confuse Azure Policy (which enforces compliance rules) with RBAC (which controls permissions), or mistakenly think a ReadOnly lock still allows restart actions, not realizing that restart is a write operation in Azure Resource Manager.

50
MCQ · medium

You need to prevent accidental deletion of a production resource group while still allowing administrators to update resources inside it. What should you apply to the resource group?

A. A ReadOnly lock
B. A CanNotDelete lock
C. A deny assignment
D. A budget alert
Answer: B

A CanNotDelete lock prevents accidental deletion while still allowing updates.

Why this answer

A CanNotDelete lock (B) prevents the resource group from being deleted while still allowing all operations (including updates) on resources within it. This is the correct choice because the requirement is to block accidental deletion of the entire resource group, not to restrict modifications to its resources.

Exam trap

The trap here is that candidates often confuse a ReadOnly lock with a CanNotDelete lock, assuming that preventing deletion requires a more restrictive lock, but the correct lock is the one that specifically targets deletion only.

How to eliminate wrong answers

Option A is wrong because a ReadOnly lock prevents both deletion and modification of resources, which would block administrators from updating resources inside the group. Option C is wrong because a deny assignment is used with Azure Blueprints or managed applications to explicitly deny specific actions via RBAC, not to prevent deletion of a resource group while allowing updates. Option D is wrong because a budget alert only sends notifications when spending exceeds a threshold; it does not enforce any deletion prevention.

51
MCQ · hard

A shared resource group contains a VM and a storage account used by payroll. Administrators still need to modify configuration and apply patches, but accidental deletion of either resource must be prevented. What should the administrator apply?

A. A ReadOnly lock on the entire resource group.
B. A CanNotDelete lock on each resource.
C. A policy assignment that denies delete operations on the resource group.
D. A management group with a deny assignment.
Answer: B

CanNotDelete prevents deletion while still allowing updates, and applying it per resource limits collateral impact.

Why this answer

Option B is correct because a CanNotDelete lock prevents the deletion of a resource while still allowing all other operations, including configuration modifications and patching. This meets the requirement of protecting the VM and storage account from accidental deletion while preserving administrative access for updates.

Exam trap

The trap here is that candidates often confuse resource locks with Azure Policy or RBAC, mistakenly thinking a policy or role assignment at the resource group scope will protect individual resources, when in fact locks must be applied directly to each resource to prevent its deletion.

How to eliminate wrong answers

Option A is wrong because a ReadOnly lock prevents all write operations, including configuration changes and patching, which violates the requirement that administrators must still be able to modify configuration and apply patches. Option C is wrong because a policy assignment that denies delete operations on the resource group would block deletion of the resource group itself, but it does not prevent deletion of individual resources within the group; Azure Policy evaluates at the resource level only if the policy definition explicitly targets resource types, and a simple deny on the resource group does not cascade to resources. Option D is wrong because a management group with a deny assignment applies at a higher scope (multiple subscriptions) and is overly broad; it would affect all resources under that management group, not just the specific shared resource group, and it does not provide the granular per-resource protection needed here.

52
MCQ · easy

You need to assign the same RBAC role to 15 administrators so they can manage backups for several virtual machines. You want to minimize ongoing administrative effort when membership changes. What should you use?

A. A Microsoft Entra group and a single role assignment to the group.
B. A separate custom role assignment for each administrator.
C. A resource lock on every virtual machine.
D. A policy exemption for the administrators.
Answer: A

This is the most scalable and maintainable approach.

Why this answer

Option A is correct because assigning a single RBAC role to a Microsoft Entra group allows you to manage permissions centrally. When membership changes, you only need to add or remove users from the group, and the role assignment automatically applies to the new members. This minimizes ongoing administrative effort compared to managing individual role assignments.

Exam trap

The trap here is confusing resource locks (which prevent changes) with RBAC role assignments (which grant permissions), leading candidates to incorrectly select option C as a way to control access.

How to eliminate wrong answers

Option B is wrong because creating a separate custom role assignment for each administrator increases administrative overhead; any membership change requires modifying each individual assignment, which is inefficient and error-prone. Option C is wrong because a resource lock prevents accidental deletion or modification of resources but does not grant permissions to manage backups; it is a protection mechanism, not an authorization mechanism. Option D is wrong because a policy exemption allows certain resources to be excluded from Azure Policy compliance evaluation; it does not assign RBAC roles or grant permissions to manage backups.

53
MCQ · medium

Based on the exhibit, the production resource group must not be deleted during a change freeze, but administrators still need to update VM sizes and tag values. Which lock should you apply?

A. Apply a ReadOnly lock to RG-Prod.
B. Apply a CanNotDelete lock to RG-Prod.
C. Apply a lock to the subscription instead of the resource group.
D. Use Azure Policy with a deny effect to block deletes.
Answer: B

CanNotDelete is designed to stop deletion while still allowing normal read and write operations. That fits a freeze where the team wants to prevent accidental removal but continue making approved changes.

Why this answer

A CanNotDelete lock (B) prevents deletion of the resource group while allowing all other operations, including updating VM sizes and modifying tag values. This meets the requirement of blocking deletion during a change freeze without restricting administrative updates.

Exam trap

The trap here is that candidates often confuse ReadOnly locks with CanNotDelete locks, assuming that any lock will prevent updates, when in fact ReadOnly locks block all write operations while CanNotDelete locks only block deletion.

How to eliminate wrong answers

Option A is wrong because a ReadOnly lock prevents all write operations, including updating VM sizes and tags, which violates the requirement that administrators need to perform these updates. Option C is wrong because applying a lock to the subscription would affect all resource groups within it, unnecessarily restricting other resource groups that may need to be deleted or modified. Option D is wrong because Azure Policy with a deny effect can block deletes but is more complex to configure and manage than a simple resource lock, and it does not provide the same straightforward, scope-specific protection against deletion as a CanNotDelete lock.

54
MCQ · hard

A compliance team wants to bundle three policy definitions—allowed locations, required cost center tags, and approved VM sizes—so they can assign them together to a management group and review compliance in one place. Later they want to exempt one pilot subscription from the entire set for 60 days. What should they use?

A. A policy initiative at the management group scope.
B. A custom RBAC role with resource permissions for policy management.
C. A resource lock on the pilot subscription.
D. A separate management group for each of the three policy definitions.
Answer: A

An initiative groups multiple policy definitions into one assignable unit and supports compliance tracking across them.

Why this answer

A policy initiative (also called a policy set) allows you to group multiple policy definitions into a single, reusable bundle. By assigning the initiative at the management group scope, all three policies apply together to every subscription under that group. When the pilot subscription needs an exemption, you can create an exemption resource on that subscription for the entire initiative, specifying a 60-day expiration, which temporarily excludes it from all bundled policies while keeping compliance reporting unified.

Exam trap

The trap here is that candidates often confuse policy exemptions with resource locks or RBAC roles, thinking that locking a subscription or assigning permissions can bypass policy evaluation, when in fact only a policy exemption (or an explicit deny assignment override) can exclude a scope from compliance enforcement for a defined period.

How to eliminate wrong answers

Option B is wrong because a custom RBAC role with resource permissions for policy management controls who can create or assign policies, but it does not bundle policy definitions or provide a mechanism to exempt a subscription from a set of policies. Option C is wrong because a resource lock prevents accidental deletion or modification of a subscription, but it does not exempt the subscription from policy compliance evaluation or allow a time-bound exclusion. Option D is wrong because creating a separate management group for each policy definition would fragment governance, require three separate assignments, and make it impossible to exempt all three policies from the pilot subscription with a single action.

55
MCQ · medium

During a change freeze, an administrator applies a lock to a resource group. Users can still read resource details, but attempts to update tags, resize a VM, or change an NSG fail. Which lock was applied?

A. CanNotDelete lock, because it blocks all updates but allows reading.
B. ReadOnly lock, because it blocks write operations while allowing read access.
C. Reader role assignment, because it removes edit permissions from the group.
D. Azure Policy audit assignment, because it reports changes without blocking them.
Answer: B

ReadOnly is the lock that allows users to view resources but prevents writes, including changes to tags, VM sizes, network rules, and many other configuration actions. This exactly matches the symptom described during a change freeze. It is a strong protection and should be used only when the organization truly wants to halt modifications.

Why this answer

The ReadOnly lock (option B) is correct because it explicitly blocks all write operations (including updates to tags, resizing a VM, or modifying an NSG) while allowing read operations. This matches the scenario where users can still read resource details but cannot perform any modifications.

Exam trap

The trap here is that candidates often confuse the CanNotDelete lock with blocking updates, when in fact it only prevents deletion, while the ReadOnly lock is the one that blocks all write operations including updates and modifications.

How to eliminate wrong answers

Option A is wrong because a CanNotDelete lock only prevents deletion of resources; it does not block updates to tags, resizing a VM, or changing an NSG. Option C is wrong because a Reader role assignment would remove all write permissions, but the scenario describes a lock applied to the resource group, not a role assignment; locks and role-based access control (RBAC) are separate governance mechanisms. Option D is wrong because an Azure Policy audit assignment only evaluates and reports compliance without actively blocking changes; it does not enforce a deny effect.

56
Multi-Select · hard

A service desk must grant and revoke access to an internal application for a changing group of employees. The service desk must not receive any Azure subscription or resource permissions. Which two actions should you take? Select two.

Select 2 answers
A. Use a Microsoft Entra security group to represent application access.
B. Add the service desk as an owner of that security group.
C. Assign the service desk the Contributor role on the application resource group.
D. Assign the service desk the User Administrator directory role to manage the application users.
E. Create individual user assignments for every employee instead of using group-based access.
Answers: A, B

A security group is the right identity container for access delegation and membership-based authorization.

Why this answer

Using a Microsoft Entra security group creates a stable access boundary for the application, and making the service desk an owner lets them add or remove members without touching Azure RBAC. That is the least-privilege way to delegate access administration. It keeps resource permissions out of the model, avoids tenant-wide admin roles, and supports frequent employee changes cleanly through group membership updates.

Why others are wrong: Contributor on a resource group gives Azure resource control, not just membership administration. User Administrator is a directory-wide role and is too broad for one application group. Individual user assignments defeat the goal of delegated membership management and create ongoing maintenance. The correct pattern is group-based access with delegated ownership.

57
MCQ · medium

A web application is made up of several Azure resources that are deployed, updated, and retired together. The team wants one container for applying access control, tags, and deletion protection consistently to the whole application. What should they use?

A. A subscription dedicated to the application.
B. A resource group.
C. A management group.
D. A tag value that names the application.
Answer: B

A resource group is the standard lifecycle container for related Azure resources that are managed together. It lets administrators apply RBAC, tags, and locks to the application as a unit while keeping the workload separate from other applications. This is the most practical way to organize resources that are deployed and retired together.

Why this answer

A resource group is the correct container because it is a logical grouping of Azure resources that share the same lifecycle, allowing you to apply access control (RBAC), tags, and deletion protection (resource locks) consistently to all resources within the group. This aligns with the requirement to deploy, update, and retire resources together as a single unit.

Exam trap

The trap here is that candidates often confuse tags as a grouping mechanism for access control or deletion protection, but tags are purely metadata and cannot enforce RBAC or resource locks, whereas a resource group provides a true security and lifecycle boundary.

How to eliminate wrong answers

Option A is wrong because a dedicated subscription would provide a billing and policy boundary but is an overly broad and costly approach for a single application, and it does not inherently group resources for lifecycle management. Option C is wrong because a management group is used for organizing subscriptions and applying governance at scale (e.g., Azure Policy across multiple subscriptions), not for grouping resources within a single application. Option D is wrong because a tag value is metadata that can be used for filtering and cost tracking, but it does not provide a container for applying access control or deletion protection consistently; tags are not a security boundary and cannot enforce resource locks or RBAC.

58
MCQ · medium

An external consultant from another company needs read-only access to a resource group and must sign in with their own work account. What should be created in Microsoft Entra ID?

A. A member user account in the company tenant
B. A guest user account
C. A Microsoft 365 group
D. A service principal
Answer: B

A guest user lets the consultant authenticate with their own organization credentials while being represented in your tenant as an external identity.

Why this answer

B is correct because a guest user account in Microsoft Entra ID (formerly Azure AD) allows an external user from another organization to sign in using their own work account (via B2B collaboration) and be granted read-only access to a specific resource group. This leverages the existing identity provider of the external consultant, eliminating the need to create a separate identity in the company tenant.

Exam trap

The trap here is that candidates often confuse a guest user with a member user, thinking a new identity must be created in the tenant, but the key requirement is that the external consultant signs in with their own work account, which only a guest user (B2B collaboration) supports.

How to eliminate wrong answers

Option A is wrong because creating a member user account in the company tenant would require the external consultant to manage a separate identity and password within your tenant, which violates the requirement that they sign in with their own work account. Option C is wrong because a Microsoft 365 group is a security or distribution group used for managing permissions and collaboration within the tenant, not an identity object that allows external users to authenticate. Option D is wrong because a service principal is an identity used by applications or automated tools to access Azure resources, not for individual human users to sign in with their own work account.

59
MCQ · easy

Based on the exhibit, an automation account must restart virtual machines and read network interface settings in RG-App. Built-in roles are too broad because they also allow actions the team does not want. What should the administrator do?

A. Assign the Reader role at RG-App, because reading permissions automatically include restart actions.
B. Create a custom role with only the required read and restart actions, then assign it at RG-App.
C. Assign Virtual Machine Contributor at the subscription scope so the automation account can reach all resources.
D. Create a management group and move RG-App into it so only the needed actions are exposed.
Answer: B

A custom role is the correct solution when built-in roles are broader than needed. By defining only the required VM restart action and read permissions for the VM and network interface, the administrator can keep permissions tightly limited to RG-App and avoid unnecessary capabilities such as deletion or network changes.

Why this answer

Option B is correct because built-in roles like Virtual Machine Contributor include actions beyond the required scope (e.g., write/delete operations), which the team wants to avoid. A custom role allows precise definition of only the needed actions: 'Microsoft.Compute/virtualMachines/restart/action' and 'Microsoft.Network/networkInterfaces/read'. Assigning this custom role at the RG-App scope ensures least privilege without exposing broader permissions.

Exam trap

The trap here is that candidates assume built-in roles like Reader or Virtual Machine Contributor are 'close enough' and overlook the need for custom roles to exclude unwanted write/delete actions, or they confuse management groups with a mechanism for fine-grained action filtering.

How to eliminate wrong answers

Option A is wrong because the Reader role does not include the 'Microsoft.Compute/virtualMachines/restart/action' permission; reading permissions do not automatically grant restart actions, as restart is a separate control-plane action. Option C is wrong because assigning Virtual Machine Contributor at the subscription scope grants write/delete permissions on all VMs in the subscription, which is broader than needed and violates the principle of least privilege. Option D is wrong because management groups do not expose or restrict specific actions; they are hierarchical containers for policy and RBAC inheritance, not a mechanism to filter actions at a resource group level.

60
MCQ · medium

Based on the exhibit, which identity should be granted the Contributor role so access can be managed centrally as team members change?

A. Assign Contributor to each user account individually.
B. Assign Contributor to a Microsoft Entra security group that contains the team members.
C. Assign Contributor to a managed identity.
D. Assign Contributor to the management group that contains rg-app.
Answer: B

A security group provides a single identity for access management. Updating group membership automatically changes access for all assigned members without rewriting RBAC assignments.

Why this answer

Assigning the Contributor role to a Microsoft Entra security group that contains the team members allows access to be managed centrally. As team members join or leave, you simply add or remove them from the group, and their permissions update automatically without needing to modify role assignments for each individual user. This aligns with Azure RBAC best practices for centralized identity governance.

Exam trap

The trap here is that candidates often think assigning roles to individual users (Option A) is simpler or more direct, overlooking the centralized management and scalability benefits of using a security group, or they confuse managed identities (Option C) with user identities, not realizing managed identities are for Azure resources, not human users.

How to eliminate wrong answers

Option A is wrong because assigning Contributor to each user account individually creates administrative overhead and does not scale; any team change requires manually updating each user's role assignment, which is not centrally managed. Option C is wrong because a managed identity is designed for Azure resources (e.g., VMs, App Services) to authenticate to Azure services, not for granting permissions to human team members; it cannot be used to centrally manage user access as team members change. Option D is wrong because assigning Contributor to the management group that contains rg-app would grant the role to all subscriptions and resources under that management group, which is overly broad and not a targeted way to manage access for a specific resource group; it also does not directly address managing team membership changes.

61
MCQ · medium

Central IT wants to apply three related policy definitions—allowed Azure regions, required owner tag, and approved VM sizes—to all subscriptions in the Corp management group and report compliance as one package. What should the administrator create?

A. An initiative
B. A resource lock
C. A role assignment
D. A managed identity
Answer: A

An initiative groups multiple policy definitions into a single assignment and provides one compliance view for the set. That matches the requirement to apply several related governance controls together across the management group without managing each policy separately.

Why this answer

An initiative (also known as a policy set) in Azure Policy allows you to group multiple related policy definitions into a single package. By assigning the initiative to the Corp management group, all subscriptions under that management group inherit the three policies (allowed regions, required owner tag, approved VM sizes) as a bundle, and compliance is reported collectively for the entire initiative.

Exam trap

The trap here is that candidates may confuse a single policy definition with a policy initiative, or think that a resource lock or role assignment can enforce governance rules, when only an initiative can group multiple policies and report compliance as one package.

How to eliminate wrong answers

Option B is wrong because a resource lock prevents accidental deletion or modification of resources, but it does not enforce or report compliance on policy definitions. Option C is wrong because a role assignment grants permissions to users or services via Azure RBAC; it does not enforce governance rules like allowed regions or tags. Option D is wrong because a managed identity provides an Azure AD identity for applications to authenticate to Azure resources; it does not define or enforce policy definitions.

62
Multi-Select · medium

A platform team must enforce two governance rules across every current and future subscription under a management group: only East US and West US deployments are allowed, and every resource must include an Environment tag. Which three actions should the administrator take? Select three.

Select 3 answers
A. Create a policy initiative that groups the governance requirements.
B. Assign the initiative at the management group scope.
C. Include both the allowed locations policy and the required Environment tag policy in the initiative.
D. Assign the policies separately to each existing subscription only.
E. Use an RBAC Contributor role to enforce region and tag compliance.
Answers: A, B, C

An initiative is the right container when multiple related policy definitions must be managed together. It simplifies assignment and reporting for a shared governance objective.

Why this answer

Option A is correct because a policy initiative (also known as a policy set) allows you to group multiple individual Azure Policy definitions into a single, reusable governance package. This simplifies assignment and ensures both the allowed locations and required tag policies are enforced together consistently across all subscriptions under the management group.

Exam trap

The trap here is that candidates often confuse RBAC with Azure Policy, mistakenly thinking a Contributor role can enforce compliance rules, when in fact RBAC controls who can act, while Azure Policy controls what is allowed.

63
MCQ · easy

The finance team wants every resource created in one resource group to carry the same CostCenter tag automatically. They want to reduce manual entry and keep the tag value consistent. What should you configure?

A. Ask users to add the tag manually to every resource
B. Assign a Reader role to the finance team
C. Apply a CanNotDelete lock to the resource group
D. Use Azure Policy to inherit the CostCenter tag from the resource group
Answer: D

Azure Policy can enforce consistent tagging by inheriting a tag value from the resource group to child resources. This reduces manual work and helps ensure that new resources receive the same CostCenter value automatically. It is a governance control, so it is the right feature when the goal is standardization rather than access control.

Why this answer

Option D is correct because Azure Policy can enforce tag inheritance from a resource group to all resources within it using the 'Inherit a tag from the resource group' built-in policy definition. This ensures the CostCenter tag is automatically applied to every new or existing resource without manual entry, maintaining consistency and reducing administrative overhead.

Exam trap

The trap here is confusing Azure Policy's tag inheritance with Azure RBAC roles or resource locks, as candidates often mistakenly think a Reader role or a lock can enforce tag consistency, when only Policy can automatically apply tags at scale.

How to eliminate wrong answers

Option A is wrong because asking users to manually add the tag does not reduce manual entry and risks inconsistency or omission, defeating the goal of automation. Option B is wrong because assigning a Reader role to the finance team only grants read-only access to resources, not the ability to enforce or automate tag inheritance. Option C is wrong because applying a CanNotDelete lock prevents deletion of the resource group but does not affect tag assignment or inheritance.

64
Multi-Select · medium

A company has many subscriptions arranged under a management group named Corp. The audit team needs Reader access to every current and future subscription in Corp, and the administrator wants only one role assignment to maintain. Which two actions should be taken? Select two.

Select 2 answers
A. Assign Reader at the Corp management group scope.
B. Ensure all existing and new subscriptions remain under the Corp management group.
C. Assign Reader separately on each subscription.
D. Assign Reader at the tenant root and remove the management group.
E. Create a resource group for each subscription and assign Reader there.
Answers: A, B

A management group assignment is inherited by subscriptions beneath that group. This gives the audit team a single place to manage access while automatically covering current and future child subscriptions.

Why this answer

Assigning the Reader role at the Corp management group scope grants read-only access to all current and future subscriptions within that management group. This is because Azure RBAC roles assigned at a management group are inherited by all child subscriptions, eliminating the need for individual assignments. This approach satisfies the requirement of a single role assignment that covers all subscriptions.

Exam trap

The trap here is that candidates may think Reader must be assigned at each subscription individually (Option C) or at the tenant root (Option D), overlooking the inheritance behavior of management groups that allows a single assignment to cover all current and future subscriptions under a management group.

65
Drag & Drop · medium

Order the steps to set up Azure Site Recovery for on-premises to Azure.


Why this order

Create vault, configure, install agent, enable replication, then test failover.

66
MCQ · hard

Your company wants to enforce a standard list of allowed Azure regions for all new resource deployments across several subscriptions. You need a centralized governance solution that can be assigned once and inherited by the child subscriptions. What should you use?

A. An Azure Policy assigned at the management group scope
B. A custom RBAC role assigned at each subscription
C. A CanNotDelete lock on each subscription
D. A budget alert on each subscription
Answer: A

A management group policy assignment is inherited by child subscriptions and can restrict allowed locations centrally.

Why this answer

Azure Policy assigned at the management group scope is the correct centralized governance solution because it enforces a standard list of allowed Azure regions across all subscriptions under that management group. Policies at the management group level are inherited by all child subscriptions, ensuring consistent compliance without requiring individual assignment per subscription.

Exam trap

The trap here is confusing Azure Policy (which enforces rules on resource properties) with RBAC (which controls access permissions), leading candidates to incorrectly choose a custom RBAC role thinking it can restrict regions.

How to eliminate wrong answers

Option B is wrong because a custom RBAC role controls permissions (who can do what) but does not enforce resource configuration rules like allowed regions. Option C is wrong because a CanNotDelete lock prevents deletion of resources but does not restrict which regions can be used for new deployments. Option D is wrong because a budget alert monitors spending and triggers notifications, but it does not enforce regional restrictions or prevent deployments in non-allowed regions.

67
MCQ · medium

An operations team needs to start and deallocate every virtual machine in RG-App and read VM settings, but they must not be able to delete VMs or manage networking resources. What is the best Azure RBAC solution?

A. Assign the Virtual Machine Contributor role at the subscription scope
B. Create a custom role and assign it at the RG-App resource group scope
C. Assign the Reader role at the resource group scope
D. Assign the Owner role at the resource group scope
Answer: B

A custom role can include only the start, deallocate, and read actions needed for that resource group.

Why this answer

Option B is correct because the required permissions—starting, deallocating, and reading VM settings—are not fully covered by any built-in role, and the custom role must be scoped to RG-App to avoid granting broader access. A custom role allows combining Microsoft.Compute/virtualMachines/start/action, Microsoft.Compute/virtualMachines/deallocate/action, and Microsoft.Compute/virtualMachines/read, while explicitly excluding delete and networking management actions. Assigning at the resource group scope ensures the permissions apply only to resources within RG-App.

Exam trap

The trap here is that candidates often choose Virtual Machine Contributor (Option A) because it seems to cover VM operations, but they overlook that it includes delete and networking management permissions, and that scoping at subscription level grants excessive access beyond the RG-App resource group.

How to eliminate wrong answers

Option A is wrong because Virtual Machine Contributor at subscription scope grants the ability to delete VMs and manage networking resources (e.g., virtual networks), which violates the requirement to prevent deletion and networking management. Option C is wrong because the Reader role provides read-only access (Microsoft.Compute/virtualMachines/read) but does not include the start or deallocate actions, so the team cannot perform the required operations. Option D is wrong because the Owner role at resource group scope grants full control, including deletion of VMs and management of all networking resources, which exceeds the required permissions and violates the restrictions.

68
MCQ · medium

A storage account named stfinance01 contains critical data. Administrators must still be able to read and modify the data, but no one should be able to delete the storage account accidentally. What should you configure?

A. A CanNotDelete lock on stfinance01.
B. A ReadOnly lock on stfinance01.
C. A policy assignment that audits storage accounts.
D. An NSG rule denying outbound traffic from the subnet.
Answer: A

This prevents accidental deletion while allowing permitted write operations.

Why this answer

A CanNotDelete lock on stfinance01 prevents the storage account from being deleted while still allowing administrators to read and modify data. This lock type blocks delete operations at the resource level, but does not restrict read or write access, which is exactly what the requirement specifies.

Exam trap

The trap here is that candidates often confuse resource locks with role-based access control (RBAC) or network security groups, thinking a ReadOnly lock or NSG rule can prevent accidental deletion, but only a CanNotDelete lock directly blocks delete operations at the resource level.

How to eliminate wrong answers

Option B is wrong because a ReadOnly lock would prevent administrators from modifying data, which violates the requirement that they must still be able to read and modify the data. Option C is wrong because a policy assignment that audits storage accounts only evaluates compliance and generates logs; it does not prevent deletion of the storage account. Option D is wrong because an NSG rule denying outbound traffic from the subnet controls network traffic at the subnet level, not resource-level deletion permissions, and has no effect on Azure Resource Manager delete operations.

69
MCQ · easy

Based on the exhibit, three Azure virtual machines run the same automation script. The VMs are rebuilt often, and the team wants one identity that can be reused across all three VMs and retained even if a VM is replaced. Which identity type should the administrator use?

A. System-assigned managed identity on each VM, because each VM gets the same identity automatically.
B. A user-assigned managed identity attached to all three VMs.
C. An Azure AD guest user account, because the same account can sign in from every VM.
D. A shared storage account key, because it can be used by multiple VMs without extra configuration.
Answer: B

A user-assigned managed identity is independent of any single VM and can be attached to multiple resources. That makes it ideal when several VMs need the same identity and the identity must survive if a VM is deleted, rebuilt, or replaced during maintenance or scaling.

Why this answer

A user-assigned managed identity is the correct choice because it is created as a standalone Azure resource and can be assigned to multiple VMs. Unlike system-assigned identities, which are tied to the lifecycle of a single VM, a user-assigned identity persists independently and remains available even when VMs are rebuilt or replaced. This allows the automation script to use the same identity across all three VMs without needing to reconfigure permissions after each rebuild.

Exam trap

The trap here is that candidates confuse system-assigned and user-assigned managed identities, assuming that 'system-assigned' means the same identity is automatically shared across all VMs, when in fact each system-assigned identity is unique and tied to a single VM's lifecycle.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to the lifecycle of a single VM; when a VM is deleted, the identity is also deleted, so it cannot be reused across multiple VMs or retained after VM replacement. Option C is wrong because an Azure AD guest user account is designed for external collaboration and cannot be used as a VM identity for Azure resource access; it would require interactive sign-in and does not support the automated, non-interactive authentication needed by a script. Option D is wrong because a shared storage account key is a static secret that must be securely stored and rotated, and it does not provide a managed identity for Azure AD authentication; using keys also violates the principle of least privilege and introduces security risks.

70
MCQ · medium

A contractor should be able to view resources in one resource group for 30 days. When the contract ends, removing the contractor from the group should immediately remove access. What is the best approach?

A. Assign Reader directly to the contractor's user account at the resource group scope.
B. Assign Reader to an Entra ID group and add the contractor to that group.
C. Assign Reader at the subscription scope to the contractor so access is simple.
D. Create a CanNotDelete lock on the resource group until the contract ends.
Answer: B

Group-based role assignment is the best operational choice because access follows group membership rather than individual user objects. When the contractor is removed from the group, the RBAC assignment no longer applies to that person. It also makes temporary access easier to manage and reduces the risk of forgotten direct permissions.

Why this answer

Assigning the Reader role to an Entra ID group and adding the contractor as a member allows centralized access management. When the contractor is removed from the group, the role assignment is immediately revoked because Azure RBAC evaluates group membership at the time of authorization. This meets the 30-day requirement and ensures instant access removal upon contract termination.

Exam trap

The trap here is that candidates often confuse access control mechanisms, mistakenly thinking a resource lock (CanNotDelete) can restrict read access, or that assigning a role at a broader scope is simpler without considering the security implications of over-permissioning.

How to eliminate wrong answers

Option A is wrong because assigning Reader directly to the contractor's user account requires manual deletion of the role assignment to remove access, which is less efficient and prone to delay or oversight. Option C is wrong because assigning Reader at the subscription scope grants access to all resource groups in the subscription, violating the principle of least privilege and potentially exposing resources beyond the intended group. Option D is wrong because a CanNotDelete lock prevents deletion of the resource group but does not control read access; the contractor would still be able to view resources even after the contract ends.

71
MCQ · medium

Based on the exhibit, every resource created in RG-Finance must automatically receive CostCenter=FIN, but deployments should not fail if the tag is omitted. What should you configure?

A. Assign an Azure Policy with the Modify effect at RG-Finance.
B. Assign an RBAC role that forces all users to enter the tag.
C. Apply a ReadOnly lock to the resource group.
D. Use Azure Policy with a Deny effect at the management group.
Answer: A

Modify is the right policy effect when you want Azure to add or update a tag without failing the deployment. Assigning it at the resource group ensures the requirement applies only to RG-Finance and keeps the CostCenter value consistent.

Why this answer

Option A is correct because the Azure Policy 'Modify' effect can automatically add the CostCenter=FIN tag to resources in RG-Finance without causing deployment failures if the tag is omitted. Unlike 'Deny', which blocks non-compliant deployments, 'Modify' uses a remediation task to append the missing tag after creation, ensuring compliance without disruption.

Exam trap

The trap here is confusing the 'Modify' effect with the 'Deny' effect; candidates often choose 'Deny' because it enforces compliance, but fail to notice the requirement that deployments should not fail if the tag is omitted.

How to eliminate wrong answers

Option B is wrong because RBAC roles control permissions (who can do what), not resource tagging; they cannot force tag entry or automatically apply tags. Option C is wrong because a ReadOnly lock prevents any modifications to resources in the resource group, including tag updates, which would block the automatic addition of the CostCenter tag. Option D is wrong because the Deny effect would reject any deployment that omits the CostCenter tag, causing failures, which contradicts the requirement that deployments should not fail.

72
Multi-Select · hard

RG-Prod is locked during a change freeze with a CanNotDelete lock. Administrators still need to keep the environment healthy without removing the lock. Which three actions can still be completed? Select three.

Select 3 answers
A. Change the size of an existing virtual machine in the resource group.
B. Delete an unused storage account from the resource group.
C. Add or update a tag on an existing resource.
D. Delete the entire resource group to rebuild it from scratch.
E. Create a new storage account in the locked resource group.
Answers: A, C, E

CanNotDelete blocks deletion, but it does not block normal write operations such as resizing an existing VM.

Why this answer

A CanNotDelete lock prevents deletion of resources but allows all management operations that do not involve deletion. Changing the size of an existing virtual machine is a modification operation, not a deletion, so it is permitted under this lock type.

Exam trap

The trap here is that candidates often confuse CanNotDelete with ReadOnly locks, thinking all modifications are blocked, or they assume creating new resources is prevented by a lock, but CanNotDelete only blocks deletion, not creation or modification.

73
MCQ · medium

You need to prevent accidental deletion of a resource group while still allowing administrators to create and modify resources inside it. Which Azure lock should you apply?

A. ReadOnly
B. CanNotDelete
C. Delete lock
D. No lock and a budget alert
Answer: B

A CanNotDelete lock prevents deletion while still permitting updates.

Why this answer

The CanNotDelete lock prevents deletion of the resource group while still allowing all operations (read, write, modify) on resources within it. This lock type is designed specifically to protect against accidental deletion without restricting administrative actions like creating or updating resources.

Exam trap

The trap here is that candidates confuse the CanNotDelete lock with the ReadOnly lock, mistakenly thinking ReadOnly still allows modifications, or they invent a non-existent 'Delete lock' option because it sounds plausible.

How to eliminate wrong answers

Option A is wrong because a ReadOnly lock prevents all write operations, including creating and modifying resources, which contradicts the requirement to allow administrators to create and modify resources. Option C is wrong because 'Delete lock' is not a valid Azure lock type; Azure only supports CanNotDelete and ReadOnly locks. Option D is wrong because a budget alert only sends notifications when spending exceeds a threshold and does not prevent deletion of the resource group.

74
MCQ · medium

A build server hosted in a company datacenter must deploy ARM templates to a target resource group in Azure without storing a user password. The server is not running in Azure, and the team wants to authorize deployments with Azure RBAC. What should be configured?

A. A service principal authenticated with a certificate and assigned RBAC on the target scope
B. A system-assigned managed identity on the build server
C. A personal user account with multifactor authentication
D. A shared access signature for the resource group
Answer: A

This works from outside Azure and supports noninteractive authentication with Azure RBAC authorization.

Why this answer

A service principal authenticated with a certificate is the correct approach because it allows non-Azure resources (like an on-premises build server) to authenticate to Azure without storing a user password. The certificate-based authentication satisfies the requirement to avoid storing a password, and assigning RBAC on the target resource group grants the service principal the necessary permissions to deploy ARM templates. This method is secure, supports automation, and aligns with Azure AD application registration best practices.

Exam trap

The trap here is that candidates may confuse managed identities (which are Azure-only) with service principals, or mistakenly think a SAS token can be used for RBAC-based ARM deployments, when SAS is strictly for Storage access.

How to eliminate wrong answers

Option B is wrong because a system-assigned managed identity can only be assigned to Azure resources (e.g., Azure VMs, App Services), not to an on-premises build server; it cannot be used outside Azure. Option C is wrong because a personal user account with multifactor authentication would require interactive login or storing user credentials, which violates the requirement to avoid storing a password and is not suitable for automated deployments. Option D is wrong because a shared access signature (SAS) is used to delegate access to Azure Storage resources (e.g., blobs, containers), not to authorize ARM template deployments to a resource group; SAS tokens do not support Azure RBAC.

75
MCQ · medium

A project team adds and removes contractors every few weeks. The team needs Azure access to follow membership changes without updating role assignments for each person. What should the administrator use to delegate the access?

A. Assign the Azure role directly to each contractor user account.
B. Create a Microsoft Entra security group, add the contractors, and assign the Azure role to the group.
C. Use a Microsoft 365 group and assign the Azure role to it.
D. Create a management group for the contractors and assign the role there.
Answer: B

A security group is the best delegation target because membership can change without editing the RBAC assignment. The role remains stable, while adding or removing users from the group immediately changes who receives the permissions. This is the standard least-administration approach for a team whose membership changes often.

Why this answer

Option B is correct because assigning an Azure role to a Microsoft Entra security group allows the administrator to manage access by simply adding or removing contractors from the group, without needing to update role assignments for each individual. This leverages Azure RBAC's support for group-based assignments, which automatically propagate role permissions to new members and revoke them from removed members.

Exam trap

The trap here is that candidates might confuse Microsoft 365 groups (which are primarily for collaboration and may not support all Azure RBAC roles) with security groups, or incorrectly think that management groups are appropriate for individual user access delegation.

How to eliminate wrong answers

Option A is wrong because directly assigning the Azure role to each contractor user account would require manual updates every time a contractor is added or removed, which is inefficient and error-prone for frequent membership changes. Option C is wrong because Microsoft 365 groups, while they can be used for some Azure role assignments, are primarily designed for collaboration and may not support all Azure RBAC roles or scenarios; security groups are the recommended and more flexible choice for this purpose. Option D is wrong because a management group is a container for organizing subscriptions and applying governance policies, not for managing individual user access; assigning a role at the management group level would apply to all subscriptions within it, which is overly broad and not suitable for delegating access to specific contractors.
