AZ-104 · topic practice

Manage Azure Identities and Governance practice questions

Identity and governance is the foundation of AZ-104. The RBAC scope hierarchy and the difference between Azure AD roles and Azure RBAC roles cause the most confusion — get these right before exam day.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Manage Azure Identities and Governance

What the exam tests

What to know about Manage Azure Identities and Governance

Manage Azure Identities and Governance tests Azure AD users and groups, RBAC role assignments, management groups, subscriptions, and Azure Policy.

  • Azure AD objects: users, groups, service principals, and managed identities.
  • RBAC: built-in roles (Owner, Contributor, Reader), custom roles, and scope hierarchy.
  • Management groups, subscriptions, resource groups, and how policy inheritance flows down.
  • Azure Policy effects: Deny, Audit, Append, DeployIfNotExists, and Modify.

Watch out for

Common Manage Azure Identities and Governance exam traps

  • Assuming Owner at the resource group level grants Owner access to the subscription — roles do not inherit upward.
  • Confusing Azure AD roles (directory-level) with Azure RBAC roles (resource-level).
  • Forgetting that Azure Policy can only enforce compliance going forward — existing non-compliant resources require a remediation task.
  • Mixing up Deny (blocks creation) and Audit (logs non-compliance) policy effects.

Practice set

Manage Azure Identities and Governance questions

20 questions · select your answer, then reveal the explanation

Your company has an Azure subscription named Prod-Sub. You create a custom role that allows users to restart virtual machines but not create, delete, or resize them. You need to ensure that members of the VMOperators group can use this custom role only for virtual machines in the RG-Prod resource group. What should you do?

Your organization assigns an Azure Policy at the Corp-MG management group to require the tag Environment on all newly created resources. A deployment to RG-App in the Prod-Sub subscription fails because the tag is missing. You need to allow this single deployment to proceed without weakening enforcement for the rest of the organization. What should you do?

A help desk team must be able to reset passwords for cloud users in Microsoft Entra ID, but they must not be able to create or delete users. Which built-in role should you assign?

You need to assign the same RBAC role to 15 administrators so they can manage backups for several virtual machines. You want to minimize ongoing administrative effort when membership changes. What should you use?

A storage account named stfinance01 contains critical data. Administrators must still be able to read and modify the data, but no one should be able to delete the storage account accidentally. What should you configure?

Your company has two subscriptions named Dev-Sub and Prod-Sub. A new administrator must be able to create resource groups only in Dev-Sub and must not have any permissions in Prod-Sub. What should you do?

Your organization requires all storage accounts to allow access only from selected networks. You need a governance solution that automatically corrects noncompliant new storage accounts when possible instead of only reporting them. What policy effect should you choose?

You need to prevent accidental deletion of a production resource group while still allowing administrators to update resources inside it. What should you apply to the resource group?

Your company has two Azure subscriptions named Dev-Sub and Prod-Sub. You need to ensure that a user can create resource groups only in Dev-Sub and nowhere else. What should you do?

You need to ensure that all new resources deployed to a subscription automatically receive a CostCenter tag with a default value if the tag is omitted during deployment. Which Azure governance feature should you use?

You need to ensure that all users in the HelpdeskAdmins group can reset passwords for cloud-only users in Microsoft Entra ID but cannot modify group memberships or delete users. Which role should you assign?

You need to ensure that all newly created resource groups in a subscription automatically inherit the CostCenter tag with a fixed value, even if the creator forgets to add it. Which Azure Policy effect should you use?

Your company uses Microsoft Entra ID. A new engineer must be able to create virtual machines in RG-Dev but must not be able to assign roles to other users. Which built-in role should you assign at the RG-Dev scope?

An administrator grants the Helpdesk group the User Administrator role at the tenant scope. The team should be able to reset passwords only for users in the Europe-Users administrative unit. What should the administrator do?

An Azure subscription contains several resource groups. You need to ensure that users can create virtual machines only in regions approved by the security team. Existing noncompliant VMs can remain unchanged. What should you do?

Your company wants to enforce a standard list of allowed Azure regions for all new resource deployments across several subscriptions. You need a centralized governance solution that can be assigned once and inherited by the child subscriptions. What should you use?

You need to ensure that a contractor can manage virtual machines only in the RG-Test resource group and cannot access any other resource groups in the subscription. What is the best way to achieve this?

You need to ensure that junior administrators can view all resources in the Prod-Sub subscription but cannot create, modify, or delete any resources. Which Azure RBAC role should you assign?

You need to prevent accidental deletion of a resource group while still allowing administrators to create and modify resources inside it. Which lock should you apply?

You need to ensure that a user can view cost data for Azure resources but cannot create or modify those resources. Which built-in role should you assign at the required scope?

Focused Manage Azure Identities and Governance sessions

Start a Manage Azure Identities and Governance only practice session

Every question in these sessions is drawn from the Manage Azure Identities and Governance domain — nothing else.

Related practice questions

Related AZ-104 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the AZ-104 exam test about Manage Azure Identities and Governance?
Manage Azure Identities and Governance tests Azure AD users and groups, RBAC role assignments, management groups, subscriptions, and Azure Policy.

How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.

Can I practise just Manage Azure Identities and Governance questions in a focused session?
Yes — the session launcher on this page draws every question from the Manage Azure Identities and Governance domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other AZ-104 topics?
Use the topic links above to move to related areas, or go back to the AZ-104 question bank to see all topics.

Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the AZ-104 exam covers. They are not copied from any real exam or dump site.