CCNA AZ Identity Questions

75 of 259 questions · Page 2/4 · AZ Identity topic · Answers revealed

76
Multi-Select · hard

A department has 12 subscriptions under a management group named Corp. New resources must be deployed only in East US or West US and must include a CostCenter tag. A pilot subscription must be exempt from these rules during testing. Which two actions should you take? Select two.

Select 2 answers
A. Assign an initiative containing both policy definitions at the Corp management-group scope.
B. Create a policy exemption for the pilot subscription.
C. Assign the policies individually at each resource group.
D. Use the Owner role at the management-group scope.
E. Use a resource lock instead of Azure Policy.
Answers: A, B

A management-group assignment applies the same governance to current and future subscriptions underneath it.

Why this answer

Option A is correct because assigning an initiative (a collection of policy definitions) at the Corp management-group scope ensures that all 12 subscriptions inherit both the location restriction and the CostCenter tag requirement. This is the most efficient and scalable way to enforce governance across multiple subscriptions without repeating assignments.

Exam trap

The trap here is that candidates may think individual policy assignments at each resource group (Option C) are acceptable, but Azure Policy is designed to be assigned at higher scopes (management group or subscription) for inheritance, and they may also confuse RBAC roles (Option D) with policy enforcement.

77
MCQ · medium

Based on the exhibit, where should the Network Contributor role be assigned so the engineer can manage only VNet-vm and its subnets, but not other resources in rg-platform?

A. Assign Network Contributor at the management group scope.
B. Assign Network Contributor at the subscription scope.
C. Assign Network Contributor at the resource group scope for rg-platform.
D. Assign Network Contributor at the VNet-vm resource scope.
Answer: D

Assigning the role directly to the virtual network limits access to that specific network object and its child subnets while excluding unrelated resources in the same resource group.

Why this answer

Option D is correct because assigning the Network Contributor role at the VNet-vm resource scope grants the engineer permissions to manage only that specific virtual network and its subnets, while preventing any access to other resources within the rg-platform resource group. This follows the principle of least privilege by scoping the role assignment to the exact resource that needs to be managed.

Exam trap

The trap here is that candidates often assume assigning a role at the resource group scope is sufficient to limit access to a specific resource, but they overlook that resource group scope grants permissions to all resources of that type within the group, not just the intended one.

How to eliminate wrong answers

Option A is wrong because assigning Network Contributor at the management group scope would grant permissions to manage all virtual networks and networking resources across all subscriptions and resource groups under that management group, far exceeding the requirement to manage only VNet-vm. Option B is wrong because assigning Network Contributor at the subscription scope would allow the engineer to manage all virtual networks and networking resources within the entire subscription, including resources outside rg-platform. Option C is wrong because assigning Network Contributor at the resource group scope for rg-platform would grant permissions to manage all virtual networks and networking resources within that resource group, not just VNet-vm and its subnets.

78
MCQ · medium

You need to ensure engineers cannot delete a production resource group, but they must still be able to start and stop VMs and change network rules during maintenance. Which resource lock should you apply to the resource group?

A. No lock
B. ReadOnly
C. CanNotDelete
D. Azure Policy deny assignment
Answer: C

This prevents deletion while still allowing normal write operations on the resources.

Why this answer

The CanNotDelete lock prevents deletion of the resource group while allowing all other operations, including starting/stopping VMs and modifying network rules. This meets the requirement because engineers retain full management capabilities except for deletion, which is explicitly blocked at the resource group scope.

Exam trap

The trap here is that candidates confuse ReadOnly with CanNotDelete, assuming any lock will block all operations, when in fact ReadOnly blocks all write operations (including start/stop and network changes) while CanNotDelete only blocks deletion.

How to eliminate wrong answers

Option A is wrong because no lock would allow engineers to delete the resource group, violating the requirement to prevent deletion. Option B is wrong because a ReadOnly lock prevents all write operations, including starting/stopping VMs and changing network rules, which are explicitly required during maintenance. Option D is wrong because an Azure Policy deny assignment can block specific actions but is not the intended mechanism for resource-level deletion protection; resource locks are the correct Azure governance tool for this purpose.

79
Multi-Select · medium

A contractor pool changes every month. The operations team wants Azure role access to stay the same when people join or leave, without editing role assignments for each person. Which two actions should the administrator take? Select two.

Select 2 answers
A. Create a security group in Microsoft Entra ID for the contractor pool.
B. Assign the Azure role directly to each contractor account.
C. Create a Microsoft 365 group and use it for VM sign-in.
D. Assign the Azure role to the security group rather than to individual users.
E. Use a user-assigned managed identity for each contractor.
Answers: A, D

A security group is the right identity container for changing membership. Contractors can be added or removed from the group without touching the Azure RBAC assignment itself, which keeps access administration simple and consistent over time.

Why this answer

Option A is correct because creating a security group in Microsoft Entra ID (formerly Azure AD) allows the administrator to manage membership dynamically or manually as contractors join or leave. By assigning the Azure role to this security group (Option D), role assignments remain constant; only group membership changes, eliminating the need to edit individual role assignments. This approach leverages Azure RBAC's support for security groups as assignable principals, ensuring consistent access control.

Exam trap

The trap here is that candidates often confuse Microsoft 365 groups (used for collaboration and Entra ID join) with security groups (used for RBAC assignments), leading them to select Option C instead of A.

80
MCQ · medium

Based on the exhibit, which Azure feature should the administrator add so ownership and chargeback information remains visible even if resources are moved between resource groups?

A. Management groups
B. Tags
C. Resource locks
D. Role assignments
Answer: B

Tags are designed to attach flexible metadata directly to resources, and the values remain useful for filtering and chargeback reporting.

Why this answer

Tags are metadata key-value pairs that can be assigned to Azure resources and resource groups. They persist even when resources are moved between resource groups, making them ideal for tracking ownership and chargeback information across organizational boundaries. Unlike other options, tags are specifically designed for cost tracking, ownership attribution, and resource categorization.

Exam trap

The trap here is that candidates confuse Resource locks (which prevent deletion) with metadata persistence, or assume Role assignments follow resources across moves, when in fact RBAC assignments are scoped to the original resource group and are lost upon relocation.

How to eliminate wrong answers

Option A is wrong because Management groups provide hierarchical governance for subscriptions (e.g., policy and RBAC inheritance), but they do not attach metadata to individual resources that survives resource group moves. Option C is wrong because Resource locks prevent accidental deletion or modification of resources but do not carry ownership or chargeback data. Option D is wrong because Role assignments control access permissions via Azure RBAC and are tied to the resource's scope; they do not persist as metadata when a resource is moved to a different resource group (the role assignment is lost unless re-applied).

81
MCQ · easy

A company wants to group several subscriptions for Finance, HR, and Engineering so that the same governance settings can be applied above the subscription level. What should the administrator create?

A. A management group
B. A resource group
C. A tag
D. A resource lock
Answer: A

Management groups are designed to contain subscriptions and provide a hierarchy above the subscription level. Policies, access controls, and other governance settings can be assigned at the management group level and inherited by the subscriptions underneath it, which makes them the correct choice for organizing Finance, HR, and Engineering subscriptions together.

Why this answer

A management group is the correct choice because it allows you to organize multiple Azure subscriptions into a hierarchy and apply governance policies, role-based access control (RBAC), and compliance settings at a scope above the subscription level. By creating a management group for Finance, HR, and Engineering, the administrator can enforce consistent Azure Policy initiatives and RBAC assignments across all three subscriptions, ensuring uniform governance without needing to configure each subscription individually.

Exam trap

The trap here is that candidates often confuse management groups with resource groups, thinking resource groups can span subscriptions, but resource groups are strictly scoped to a single subscription and cannot aggregate governance across multiple subscriptions.

How to eliminate wrong answers

Option B is wrong because a resource group is a logical container for resources within a single subscription, not a mechanism to group multiple subscriptions or apply governance above the subscription level. Option C is wrong because a tag is a metadata key-value pair used for organizing resources and cost tracking, but it cannot enforce governance settings like policies or RBAC across subscriptions. Option D is wrong because a resource lock prevents accidental deletion or modification of a resource or resource group, but it operates at the resource or resource group level and cannot group subscriptions or apply governance above the subscription scope.

82
MCQ · easy

You want to let a support engineer restart only the virtual machines in the Prod-Apps resource group, and any VM added later to that group should also be covered. Where should you assign the role?

A. At the subscription scope, because it will cover the resource group and future VMs.
B. At the Prod-Apps resource group scope, because the assignment will inherit to all VMs in that group.
C. At each VM resource scope, because role assignments never inherit.
D. At the management group scope, because it is the only scope that applies to VMs.
Answer: B

This is correct because the resource group is the narrowest scope that still covers all VMs in Prod-Apps, including any future VMs created there. Assigning the role at the group scope keeps access limited to the intended set of resources while still taking advantage of Azure RBAC inheritance for child resources.

Why this answer

Assigning the 'Virtual Machine Contributor' role at the Prod-Apps resource group scope ensures that the support engineer can restart all current and future VMs within that group. Role assignments in Azure RBAC are inherited by all child resources, so any VM added later to the resource group automatically receives the same permissions. This is the most efficient and maintainable approach for managing access to a dynamic set of resources.

Exam trap

The trap here is that candidates often confuse scope inheritance with the need to assign roles at the subscription level to cover future resources, not realizing that resource group scope inheritance already covers all current and future child resources within that group.

How to eliminate wrong answers

Option A is wrong because assigning at the subscription scope would grant the support engineer restart permissions on all VMs across every resource group in the subscription, which is overly broad and violates the principle of least privilege. Option C is wrong because role assignments in Azure RBAC do inherit from parent scopes to child resources; assigning at each VM individually would be administratively burdensome and would not automatically cover VMs added later. Option D is wrong because the management group scope is used to organize subscriptions and apply governance policies across multiple subscriptions, not to directly manage access to VMs within a single resource group; assigning at that scope would be too broad and would not specifically target the Prod-Apps resource group.

83
MCQ · easy

Based on the exhibit, a shared resource group contains a production virtual machine and a storage account. Administrators must be able to update settings, but they must not be able to delete either resource by mistake. Which lock should be applied at the resource group scope?

A. ReadOnly lock, because it prevents all changes and keeps resources fully protected.
B. CanNotDelete lock, because it allows updates but blocks deletion.
C. No lock is needed because Azure RBAC already prevents deletion by default.
D. Management group lock, because all changes in the tenant must be blocked centrally.
Answer: B

CanNotDelete is the correct choice when administrators still need to modify resource settings but must be prevented from deleting the resources. Applied at the resource group scope, it protects both the VM and the storage account from accidental deletion while preserving normal update operations.

Why this answer

The CanNotDelete lock (option B) is correct because it allows administrators to update settings on the production VM and storage account while preventing accidental deletion of either resource. This lock operates at the resource group scope, applying to all resources within it, and is the appropriate choice for the stated requirement of allowing updates but blocking deletions.

Exam trap

The trap here is that candidates often confuse ReadOnly locks with CanNotDelete locks, mistakenly thinking that preventing all changes is safer, but the question explicitly requires allowing updates, making ReadOnly locks too restrictive.

How to eliminate wrong answers

Option A is wrong because a ReadOnly lock prevents all changes, including updates to settings, which contradicts the requirement that administrators must be able to update settings. Option C is wrong because Azure RBAC does not prevent deletion by default; RBAC controls who can perform actions, but without a lock, users with Contributor or Owner roles can delete resources. Option D is wrong because a management group lock applies to all subscriptions within the management group hierarchy, not just a single resource group, and would be overly broad for this specific requirement.

84
Multi-Select · medium

A contractor must manage only VM1 and VM2 in rg-prod. The contractor must not be able to manage any other resource in the resource group. Which two role assignment scopes should you create? Select two.

Select 2 answers
A. Assign the role at the VM1 resource scope.
B. Assign the role at the VM2 resource scope.
C. Assign the role at the rg-prod resource group scope.
D. Assign the role at the subscription scope.
E. Assign the role at the management group scope.
Answers: A, B

A resource-scope assignment on VM1 grants access only to that single virtual machine, which supports least privilege and prevents the contractor from touching unrelated resources.

Why this answer

Assigning the role at the VM1 resource scope (Option A) is correct because Azure RBAC allows you to scope a role assignment to an individual resource, such as a virtual machine. This grants the contractor permissions to manage only VM1, without affecting any other resources in the resource group. The same logic applies to VM2, making the resource-level scope the precise way to restrict management to just those two VMs.

Exam trap

The trap here is that candidates often default to assigning roles at the resource group scope for simplicity, overlooking that resource-level scoping is available and required when the goal is to restrict access to individual resources within a group.

85
MCQ · medium

Your company has two subscriptions named Dev-Sub and Prod-Sub. A new administrator must be able to create resource groups only in Dev-Sub and must not have any permissions in Prod-Sub. What should you do?

A. Assign Contributor to the administrator at the management group scope.
B. Assign Contributor to the administrator at the Dev-Sub scope.
C. Assign Owner to the administrator at the resource group scope in Dev-Sub.
D. Assign Reader to the administrator at the Prod-Sub scope and Contributor at the tenant root group.
Answer: B

This limits the contributor permissions to Dev-Sub, which matches the requirement.

Why this answer

Option B is correct because assigning the Contributor role at the Dev-Sub scope grants the administrator full permissions to create and manage resource groups within that subscription, while the role assignment is scoped exclusively to Dev-Sub, ensuring no permissions in Prod-Sub. Azure RBAC is hierarchical, so a role assigned at a subscription scope applies to all resource groups within it, but does not cross subscription boundaries. This meets the requirement of allowing resource group creation only in Dev-Sub with no access to Prod-Sub.

Exam trap

The trap here is that candidates often confuse the scope required to create resource groups (subscription-level write permission) with the ability to manage existing resource groups (resource group-level permission), leading them to incorrectly choose Option C (Owner at resource group scope), which only allows management of that specific resource group, not creation of new ones.

How to eliminate wrong answers

Option A is wrong because assigning Contributor at the management group scope would grant permissions to all subscriptions under that management group, including Prod-Sub, violating the requirement that the administrator must have no permissions in Prod-Sub. Option C is wrong because assigning Owner at the resource group scope in Dev-Sub would only allow management of that specific resource group, not the ability to create new resource groups in Dev-Sub (creating a resource group requires write permission at the subscription scope). Option D is wrong because assigning Reader at the Prod-Sub scope grants read permissions in Prod-Sub, which violates the requirement of no permissions in Prod-Sub; additionally, Contributor at the tenant root group is overly broad and would grant permissions across all subscriptions.

86
MCQ · easy

A production resource group must not be deleted accidentally, but administrators still need to update resources inside it. Which lock should you apply to the resource group?

A. ReadOnly lock
B. CanNotDelete lock
C. Contributor role
D. Azure Policy deny assignment
Answer: B

CanNotDelete blocks deletion while still allowing administrators to update resources normally.

Why this answer

The CanNotDelete lock (option B) is correct because it prevents deletion of the resource group while still allowing all other operations, including updates to resources within it. This lock type is specifically designed to protect against accidental deletion without blocking read, write, or modify actions, which aligns perfectly with the requirement that administrators need to update resources inside the group.

Exam trap

The trap here is that candidates often confuse RBAC roles (like Contributor) with resource locks, mistakenly thinking that assigning a role can prevent deletion, whereas locks are a separate governance mechanism that override role-based permissions for specific operations.

How to eliminate wrong answers

Option A is wrong because a ReadOnly lock prevents all write operations, including updates to resources, which would block administrators from modifying resources inside the group. Option C is wrong because the Contributor role is an Azure RBAC role that grants permissions to manage resources but does not provide a lock mechanism to prevent deletion; it can be overridden by other permissions or bypassed by users with higher roles. Option D is wrong because an Azure Policy deny assignment is used to enforce compliance rules (e.g., restricting resource types or locations) and is not designed to block deletion of a resource group; it can be complex to configure and may inadvertently block updates if not scoped correctly.

87
MCQ · medium

An operations team needs to let helpdesk staff restart virtual machines and view their properties only in RG-Dev. The staff must not be able to manage virtual networks, disks, or delete any resources. What is the best built-in role assignment?

A. Assign Reader at the subscription scope so the staff can view the VMs.
B. Assign Virtual Machine Contributor at the RG-Dev scope.
C. Assign Contributor at the RG-Dev scope.
D. Assign Virtual Machine Administrator Login at the RG-Dev scope.
Answer: B

Virtual Machine Contributor allows managing virtual machines, including restart operations, while avoiding broader control over networking resources. Assigning it at the resource group scope limits access to only RG-Dev, which matches the least-privilege requirement.

Why this answer

The Virtual Machine Contributor role at the RG-Dev scope grants the exact permissions needed: it allows restarting VMs and viewing their properties while explicitly preventing management of virtual networks, disks, or deletion of resources. This built-in role includes the 'Microsoft.Compute/virtualMachines/restart/action' and read permissions, but excludes write/delete on networking and storage resources, meeting all requirements.

Exam trap

The trap here is that candidates often choose Contributor (Option C) thinking it's a safe middle ground, but it actually grants full management rights including deletion, which violates the explicit restriction in the question.

How to eliminate wrong answers

Option A is wrong because the Reader role at subscription scope provides read-only access to all resources, but does not include the 'restart' action required for helpdesk staff. Option C is wrong because the Contributor role at RG-Dev scope grants full management rights, including the ability to delete resources and manage virtual networks and disks, which violates the restriction. Option D is wrong because Virtual Machine Administrator Login only provides login access via RDP/SSH and does not include the 'restart' action or view VM properties in the Azure portal.

88
MCQ · medium

A finance application is deployed in a single resource group named rg-finance-app. The team must manage only the resources in that group and must not receive permissions for other resource groups in the subscription. Where should the Contributor role be assigned?

A. At the management group that contains the subscription.
B. At the subscription scope.
C. At the rg-finance-app resource group scope.
D. At each individual resource in the resource group.
Answer: C

Resource group scope is the narrowest scope that still covers all resources for the finance application. Any resource inside that group inherits the assignment, while resources in other groups remain unaffected. This gives the team exactly the access needed without expanding permissions to unrelated workloads.

Why this answer

The Contributor role must be assigned at the rg-finance-app resource group scope to restrict permissions exclusively to that group. This ensures the team can manage only the resources within that resource group, without inheriting permissions to other resource groups in the subscription. Role assignments in Azure are inherited from higher scopes (management group, subscription) down to lower scopes, so assigning at the resource group scope is the most specific and restrictive level that meets the requirement.

Exam trap

The trap here is that candidates often choose the subscription scope (Option B) thinking it is the simplest way to grant access, but they overlook that it would grant permissions to all resource groups in the subscription, violating the requirement to restrict access to only rg-finance-app.

How to eliminate wrong answers

Option A is wrong because assigning the Contributor role at the management group scope would grant the team Contributor permissions to all subscriptions and resource groups within that management group, including other resource groups outside rg-finance-app. Option B is wrong because assigning at the subscription scope would grant Contributor permissions to every resource group in the subscription, violating the requirement to restrict access only to rg-finance-app. Option D is wrong because assigning the role at each individual resource is unnecessary and inefficient; Azure RBAC supports inheritance from the resource group scope, so a single assignment at the resource group level covers all resources within it, and assigning per resource would also be overly granular and harder to manage.

89
MCQ · easy

Based on the exhibit, which identity type should be used so the on-premises build server can authenticate to Azure without using a human account password?

A. System-assigned managed identity
B. User-assigned managed identity
C. Service principal
D. Azure Storage access key
Answer: C

A service principal is the correct choice for non-Azure automation that needs to authenticate to Azure without using a person’s credentials. It can be paired with a certificate or secret and used by build and deployment tools running outside Azure.

Why this answer

A service principal is the correct identity type for an on-premises build server to authenticate to Azure without a human account password because it represents a non-human identity that can be assigned to applications, services, and automation tools. Service principals authenticate using client secrets or certificates, enabling secure, password-less authentication via OAuth 2.0 client credentials grant flow, which is ideal for automated build pipelines.

Exam trap

The trap here is that candidates often confuse managed identities (which are Azure-resource-bound) with service principals (which are application identities), leading them to choose a managed identity option even though the on-premises server cannot host an Azure-managed identity.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to a specific Azure resource (e.g., an Azure VM or App Service) and cannot be used for on-premises servers; it is not exportable or usable outside of Azure. Option B is wrong because a user-assigned managed identity, while independent of a specific resource, is still an Azure-only identity that cannot be assigned to an on-premises machine; it requires an Azure resource to host it. Option D is wrong because an Azure Storage access key is a shared secret for accessing Azure Storage accounts, not an identity for authentication to Azure AD; it does not support OAuth 2.0 or role-based access control and is not suitable for authenticating a build server to Azure services beyond storage.

90
MCQ · medium

An administrator added a user to an Entra security group that already has Contributor on a resource group. The role assignment is correct, but the user still gets 'You do not have access' in the Azure portal 5 minutes later. What is the most likely next step?

A. Change the role assignment from the group to the subscription.
B. Have the user sign out and sign back in to refresh the access token.
C. Delete and recreate the resource group.
D. Assign Owner directly to the user.
Answer: B

This refreshes token claims so the portal can recognize the new group membership.

Why this answer

When a user is added to a security group that already has a role assignment, the new permissions take effect immediately in Azure RBAC, but the user's existing access token (which is cached by the Azure portal) does not include the new group membership claims. The token must be refreshed by signing out and signing back in, or by closing and reopening the browser, to force a new token acquisition that includes the updated role assignments.

Exam trap

The trap here is that candidates assume Azure RBAC changes are instantaneous and overlook the client-side token caching mechanism, leading them to incorrectly modify the role assignment or scope instead of simply refreshing the user's session.

How to eliminate wrong answers

Option A is wrong because changing the role assignment scope from the resource group to the subscription does not address the token caching issue; it would only broaden the scope of permissions, but the user still holds a stale token. Option C is wrong because deleting and recreating the resource group is an unnecessary destructive action that does not resolve the token refresh problem; the role assignment on the existing resource group is correct. Option D is wrong because assigning Owner directly to the user bypasses the group-based assignment but still suffers from the same token caching issue; the user would need to refresh their token regardless.

91
MCQ · medium

A company wants to stop users from deploying resources in any region except East US and West US. Users still need to be able to create resources if they choose an approved region. Which Azure feature should the administrator use?

A. Azure RBAC with a Contributor role at the subscription scope.
B. Azure Policy with a deny effect assigned at the appropriate scope.
C. A resource lock at the subscription level.
D. A tag requirement in Azure RBAC.
Answer: B

Azure Policy is designed for compliance and enforcement. A policy that checks the location property and uses a deny effect can block deployments outside the approved regions while still allowing valid deployments in East US or West US. This meets the requirement without changing the users' general ability to create resources.

Why this answer

Azure Policy with a deny effect can enforce that resource deployments are only allowed in specified regions (East US and West US) by evaluating the location property of the resource against a policy definition. When a user attempts to deploy a resource in a non-approved region, the policy engine rejects the request before any resource creation begins, ensuring compliance without blocking approved regions.

Exam trap

The trap here is confusing Azure Policy (which can enforce location restrictions with a deny effect) with Azure RBAC (which controls permissions but not resource properties) or resource locks (which protect against deletion/modification, not creation).

How to eliminate wrong answers

Option A is wrong because Azure RBAC with a Contributor role at the subscription scope grants broad permissions to create and manage resources but does not restrict the region where resources can be deployed; it lacks the ability to enforce location constraints. Option C is wrong because a resource lock at the subscription level (e.g., CanNotDelete or ReadOnly) prevents deletion or modification of all resources but does not restrict the region in which new resources can be created. Option D is wrong because a tag requirement in Azure RBAC is not a valid feature; Azure RBAC does not enforce tag requirements, and tags alone cannot block resource creation in disallowed regions.

92
MCQ · medium

A policy at the management group denies storage accounts that allow public network access. One legacy storage account in RG-Legacy must stay public for 30 days while a migration runs, and the team does not want to change the policy for everyone else. What should the administrator create?

A.A resource lock on the storage account
B.A policy exemption for that storage account
C.A second policy assignment with higher priority
D.A custom RBAC role for the migration team
AnswerB

A policy exemption is designed for temporary or justified exceptions to an assignment without weakening the control for all other resources. It lets the legacy storage account remain out of compliance for the approved period while the deny policy continues to apply everywhere else under the management group.

Why this answer

A policy exemption allows specific resources to be excluded from the effect of a policy initiative without modifying the original policy definition. In this scenario, the management group policy denies storage accounts with public network access, but the legacy account needs to remain public temporarily. By creating a policy exemption (with 'exempt' category) for that specific storage account, the administrator can bypass the deny effect for 30 days while the policy continues to apply to all other resources.

Exam trap

The trap here is that candidates confuse policy exemptions with resource locks or RBAC, thinking that locking the resource or assigning permissions can bypass policy enforcement, but only a policy exemption can create a targeted exception without altering the policy definition.

How to eliminate wrong answers

Option A is wrong because a resource lock prevents accidental deletion or modification of the storage account but does not override Azure Policy deny effects; the policy would still block the account's public access configuration. Option C is wrong because a second policy assignment with higher priority does not exist in Azure Policy; policy assignments are evaluated based on the closest scope (inheritance), not priority, and a second assignment would only add another layer of enforcement, not create an exception. Option D is wrong because a custom RBAC role controls who can manage resources (permissions) but does not alter the enforcement of Azure Policy; the policy's deny effect applies regardless of the user's role.

93
MCQ · hard

Your company has two Azure subscriptions named Dev-Sub and Prod-Sub. You need to ensure that a user can create resource groups only in Dev-Sub and nowhere else. What should you do?

A. Assign the Contributor role at the Dev-Sub subscription scope.
B. Assign the Owner role at the tenant root scope.
C. Assign the Reader role at the Dev-Sub subscription scope.
D. Assign the Contributor role at the management group scope that contains both subscriptions.
Answer: A

Contributor at the Dev-Sub scope allows resource group creation within that subscription only.

Why this answer

The Contributor role allows a user to create and manage resources, including resource groups, within the assigned scope. By assigning this role at the Dev-Sub subscription scope, the user gains the necessary permissions to create resource groups only in that subscription, as Azure RBAC permissions are inherited downward but not across sibling scopes. This ensures the user cannot create resource groups in Prod-Sub or any other subscription.

Exam trap

The trap here is that candidates often confuse the Contributor role with the Reader role, or incorrectly assume that assigning a role at a management group scope can be used to limit permissions to a single subscription, not realizing that management group scope inheritance applies to all child subscriptions.

How to eliminate wrong answers

Option B is wrong because assigning the Owner role at the tenant root scope grants full administrative access over all subscriptions in the tenant, including Prod-Sub, which violates the requirement to restrict resource group creation to Dev-Sub only. Option C is wrong because the Reader role allows read-only access to resources and does not include the permission to create resource groups (Microsoft.Resources/subscriptions/resourceGroups/write). Option D is wrong because assigning the Contributor role at a management group scope that contains both subscriptions grants the user Contributor permissions in both Dev-Sub and Prod-Sub, allowing resource group creation in both, not just Dev-Sub.

94
Multi-Select · hard

A support engineer must start and restart one specific virtual machine from the Azure portal, but must not be able to delete the VM, change networking, or grant access to others. Which two actions should be included in a custom role? Select two.

Select 2 answers
A. Microsoft.Compute/virtualMachines/start/action grants the ability to start the VM without broader management permissions.
B. Microsoft.Compute/virtualMachines/restart/action permits a controlled restart operation on the target VM.
C. Microsoft.Compute/virtualMachines/delete gives the ability to remove the VM from the subscription.
D. Microsoft.Network/networkInterfaces/write is needed because a VM start or restart always requires NIC modification rights.
E. Microsoft.Authorization/roleAssignments/write would let the engineer grant access to other users and manage permissions.
Answers: A, B

The start and restart actions are the precise permissions needed to power on and restart a virtual machine. They are narrower than Contributor and do not expose unrelated capabilities such as deleting the VM or changing attached resources. Using these actions supports least privilege for operational support tasks.

Why this answer

Option A is correct because Microsoft.Compute/virtualMachines/start/action is a specific permission that allows starting a VM without granting broader management capabilities like deletion or network changes. This action is a valid Azure RBAC operation that can be listed in a custom role definition, limiting the support engineer's scope to only starting the VM.

Exam trap

The trap here is that candidates may think network interface write permissions are required for VM operations, but start and restart only need compute-level actions, not network modifications.

95
MCQ · medium

You need to ensure that all new resources deployed to a subscription automatically receive a CostCenter tag with a default value if the tag is omitted during deployment. Which Azure governance feature should you use?

A. A resource lock
B. An Azure Policy with an append or modify effect
C. A management group lock
D. A custom RBAC role
Answer: B

Azure Policy can add the required tag automatically when resources are created.

Why this answer

Azure Policy with an append or modify effect can automatically add a CostCenter tag with a default value to resources that are missing it during deployment. The append effect adds the tag and value at creation time, while the modify effect (using an 'addOrReplace' operation) can also update existing resources. This ensures governance compliance without manual intervention.

Exam trap

The trap here is confusing Azure Policy (which enforces and automatically applies tags) with resource locks or RBAC roles, which manage permissions or prevent changes but do not automatically add missing tags.

How to eliminate wrong answers

Option A is wrong because a resource lock prevents accidental deletion or modification of resources but does not enforce tagging or add default values. Option C is wrong because a management group lock applies only to the management group itself, not to resources within subscriptions, and cannot add tags. Option D is wrong because a custom RBAC role controls permissions for who can perform actions but does not automatically apply tags or enforce governance rules.

96
Multi-Select · easy

A project team adds and removes contractors every month. The admin wants Azure access to update automatically when membership changes without editing role assignments for each person. Which two actions should the admin take? Select two.

Select 2 answers
A. Create a Microsoft Entra ID security group for the contractors.
B. Assign the Azure RBAC role directly to each contractor user account.
C. Assign the Azure RBAC role to the security group.
D. Create a management group for the contractors.
E. Use a resource lock to control access.
Answers: A, C

A security group gives the administrator one place to manage a changing set of users. When contractors join or leave, membership can be updated without rewriting Azure role assignments. This is the standard way to delegate access for a team or project that changes often.

Why this answer

Option A is correct because creating a Microsoft Entra ID security group for contractors allows the admin to manage membership dynamically. When contractors are added or removed from the group, their Azure access updates automatically without needing to edit individual role assignments. This leverages group-based RBAC, where the group is assigned the role, and membership changes propagate to Azure RBAC.

Exam trap

The trap here is that candidates often confuse management groups (Option D) with security groups, thinking they can be used for access control, but management groups are for organizing subscriptions and applying policies, not for assigning RBAC roles to users.

97
MCQ · medium

An administrator assigned a modify policy at the subscription scope to add a CostCenter tag to new virtual machines. New VMs now have the tag, but older VMs in the subscription still do not. What must the administrator do to bring the existing VMs into compliance?

A. Reassign the policy at the resource group scope.
B. Create a remediation task for the noncompliant resources.
C. Add a resource lock to the subscription.
D. Move the VMs to another resource group and back again.
Answer: B

Policy assignments evaluate both existing and new resources, but a modify effect needs remediation to update already deployed resources. The remediation task tells Azure Policy to apply the configured effect to noncompliant resources that were created before the assignment or before the policy changed. That is the step that fills in the missing tag on the older virtual machines.

Why this answer

The modify effect policy assigned at the subscription scope automatically applies the CostCenter tag to new resources during creation, but it does not retroactively update existing noncompliant resources. To bring older VMs into compliance, the administrator must create a remediation task, which triggers Azure Policy's deployment engine to evaluate and apply the defined modify effect (e.g., adding the missing tag) to existing noncompliant resources using a managed identity.

Exam trap

The trap here is that candidates assume a policy assigned with a modify effect automatically applies to existing resources, but Azure Policy's modify effect only applies to new resources unless a remediation task is explicitly created and run.

How to eliminate wrong answers

Option A is wrong because reassigning the same policy at the resource group scope does not change the effect or retroactively apply tags; Azure Policy does not automatically remediate existing resources regardless of scope. Option C is wrong because a resource lock prevents accidental deletion or modification but has no effect on policy compliance or tag assignment. Option D is wrong because moving VMs to another resource group and back does not trigger policy evaluation or remediation; Azure Policy evaluates resources based on their current state, not their movement history.

98
Multi-Select · easy

A team needs to understand Azure RBAC inheritance. Which two statements are correct? Select two.

Select 2 answers
A. A role assignment at a resource group scope applies to resources inside that group.
B. A role assignment at subscription scope applies to all resource groups and resources in that subscription.
C. A role assignment at a resource scope automatically applies to all other resources in the subscription.
D. A role assignment at management group scope applies only to the subscription where it was created.
E. A role assignment at a resource group scope is broader than a subscription scope.
Answers: A, B

RBAC permissions flow downward within the scope where the assignment is made. A resource group assignment automatically covers the resources inside that resource group, which is why groups are useful for managing several related resources together.

Why this answer

Option A is correct because Azure RBAC inheritance follows a hierarchical scope model: a role assignment at a resource group scope applies to all resources within that resource group, as the resource group is the parent scope for its child resources. This means any user or group assigned a role at the resource group level automatically inherits those permissions for every resource (e.g., VMs, storage accounts) inside that group, without needing separate assignments.

Exam trap

The trap here is that candidates often confuse the direction of RBAC inheritance, mistakenly thinking a narrower scope (like resource group) applies to broader scopes (like subscription), or that assignments at a resource scope propagate to other resources in the same subscription, when in fact inheritance only flows downward from parent to child scopes.

99
Multi-Select · hard

A Modify policy adds CostCenter=042 to resources in RG-Finance. New resources are tagged correctly, but existing virtual machines remain untagged. What three requirements must be met for the assignment to update the existing resources? Select three.

Select 3 answers
A. Create a remediation task for the policy assignment.
B. Ensure the policy assignment has a managed identity.
C. Grant that identity permission to update the target resources or tags at the assigned scope.
D. Recreate the virtual machines before the policy can evaluate them.
E. Change the effect from Modify to Audit to trigger the tag operation.
Answers: A, B, C

Existing resources are not changed automatically by a Modify assignment; remediation is needed to bring them into compliance.

Why this answer

Option A is correct because a remediation task is required to apply a Modify effect policy to existing non-compliant resources. The Modify effect only tags new resources automatically; existing resources remain untagged until a remediation task is triggered, which uses the policy's managed identity to update the resource tags.

Exam trap

The trap here is that candidates assume the Modify effect automatically updates existing resources, but it only applies to new resources; a remediation task is mandatory for existing resources, and the managed identity must have appropriate permissions (e.g., Tag Contributor) at the scope.

100
MCQ · medium

You need to ensure that a user can view cost data for Azure resources but cannot create or modify those resources. Which built-in role should you assign at the required scope?

A. Owner
B. Contributor
C. Reader
D. User Access Administrator
Answer: C

Reader is the least-privileged role for view-only access.

Why this answer

The Reader role provides read-only access to Azure resources, including cost data, while explicitly preventing any create, modify, or delete actions. This is the correct built-in role for a user who needs to view cost information but not manage resources.

Exam trap

The trap here is that candidates often confuse the Contributor role (which allows resource management but not access control) with the Reader role, or incorrectly assume that viewing cost data requires a specialized role like Cost Management Reader, when in fact the standard Reader role at the subscription scope includes cost data access.

How to eliminate wrong answers

Option A is wrong because the Owner role grants full access to all resources, including the ability to create, modify, and delete them, as well as delegate access to others. Option B is wrong because the Contributor role allows creating and managing all types of Azure resources, though it cannot grant access to others. Option D is wrong because the User Access Administrator role is specifically designed to manage user access to Azure resources, not to view cost data, and it includes the ability to assign roles, which is not required.

101
Multi-Select · hard

A scheduled script runs on several Azure VMs. The VMs are rebuilt often, and the script must always use the same Azure identity across every rebuild without storing secrets on disk. Which two steps should the administrator take? Select two.

Select 2 answers
A. Create a user-assigned managed identity.
B. Assign that user-assigned identity to each VM that runs the script.
C. Use a system-assigned managed identity on one VM and clone it.
D. Store a service principal secret in the script configuration.
E. Use a shared access signature to authenticate to Azure Resource Manager.
Answers: A, B

Correct. A user-assigned managed identity is independent of any one VM and can outlive rebuilds.

Why this answer

A user-assigned managed identity is the correct choice because it is an Azure identity that exists independently of any VM and can be assigned to multiple VMs. When a VM is rebuilt, you simply assign the same user-assigned identity to the new VM, and the script can authenticate using the identity's client ID without storing any secrets on disk. This ensures the script always uses the same identity across rebuilds, as the identity's credentials are managed entirely by Azure and rotated automatically.

Exam trap

The trap here is that candidates often confuse system-assigned managed identities with user-assigned ones, mistakenly thinking a system-assigned identity can be reused across VM rebuilds, when in fact it is deleted when the VM is deleted and cannot be transferred.

102
MCQ · easy

An application team needs Contributor access only for the resources in rg-app. They must not manage any other resources in the subscription. At what scope should you assign the role?

A. Management group scope
B. Subscription scope
C. Resource group scope
D. Resource scope
Answer: C

A resource group scope limits Contributor access to only the resources contained in rg-app.

Why this answer

The Contributor role assigned at the resource group scope grants the application team full management access to all resources within rg-app, but no access to resources in other resource groups or at the subscription level. This meets the requirement of restricting permissions to only that specific resource group.

Exam trap

The trap here is that candidates often confuse 'resource group scope' with 'subscription scope' and assume Contributor at the subscription level is required for managing a group of resources, not realizing that resource group scope provides the exact isolation needed.

How to eliminate wrong answers

Option A is wrong because management group scope applies permissions to all subscriptions and resource groups under that management group, which would grant Contributor access to resources far beyond rg-app. Option B is wrong because subscription scope would give the team Contributor access to every resource group and resource within the entire subscription, violating the requirement to restrict access to only rg-app. Option D is wrong because resource scope would limit access to a single resource (e.g., a specific VM or storage account), which is too granular and would not allow the team to manage all resources within rg-app as a group.

103
MCQ · medium

A support team must be able to start, stop, and restart virtual machines in one application resource group, but they must not create or delete VMs, modify disks, or manage networking. What is the best access approach?

A. Assign Contributor at the subscription scope so the team can manage all resources.
B. Create a custom RBAC role with only the required VM power actions and assign it at the resource group scope.
C. Assign Reader at the resource group scope and use Azure Policy to permit VM restarts.
D. Apply a resource lock to the resource group so the team can only make approved changes.
Answer: B

A custom role is appropriate when the built-in roles are broader than the actual task. By granting only the VM start, stop, and restart actions needed for that resource group, the administrator keeps permissions tightly limited. Assigning the role at the resource group scope also ensures the team cannot affect resources outside that application boundary.

Why this answer

Option B is correct because Azure RBAC allows you to create a custom role with specific actions like Microsoft.Compute/virtualMachines/start/action, Microsoft.Compute/virtualMachines/restart/action, and Microsoft.Compute/virtualMachines/deallocate/action, and assign it at the resource group scope. This grants the support team exactly the permissions needed to start, stop, and restart VMs without allowing VM creation, deletion, disk modification, or networking changes, adhering to the principle of least privilege.

Exam trap

The trap here is that candidates often confuse Azure Policy or resource locks with RBAC, thinking they can grant or restrict permissions, when in fact they are separate governance tools—Policy enforces rules, locks prevent changes, and only RBAC roles control who can perform actions.

How to eliminate wrong answers

Option A is wrong because assigning Contributor at the subscription scope grants full management access to all resources in the subscription, including the ability to create, delete, and modify VMs, disks, and networking, which violates the requirement to restrict those actions. Option C is wrong because the Reader role only allows read-only access and cannot perform any write actions like starting or restarting VMs; Azure Policy can audit or enforce compliance but cannot grant permissions to perform actions. Option D is wrong because a resource lock (e.g., CanNotDelete or ReadOnly) prevents deletion or modification of resources but does not grant specific permissions to start, stop, or restart VMs; it is a protection mechanism, not an access control method.

104
MCQ · medium

Security wants one assignment that enforces all of these controls across several subscriptions: allowed Azure regions, required tags, and disabling public network access on specific resources. Which Azure feature should you use?

A. A single Azure Policy definition with one rule for all three controls
B. An Azure Policy initiative that contains multiple related policy definitions
C. A management group lock applied to the subscriptions
D. A custom RBAC role assigned at the management group
Answer: B

An initiative lets you group multiple policies into one assignment, which is ideal for enforcing a broader security baseline.

Why this answer

An Azure Policy initiative (also called a policy set) is the correct choice because it groups multiple independent policy definitions into a single assignable unit. This allows you to enforce all three distinct controls—allowed regions, required tags, and disabling public network access—across several subscriptions in one assignment, while keeping each rule as a separate policy definition for easier management and granular effect.

Exam trap

The trap here is that candidates often think a single policy definition can contain multiple rules (like a JSON array of conditions), but Azure Policy requires each definition to have exactly one policyRule, so an initiative is the only way to bundle separate controls into one assignment.

How to eliminate wrong answers

Option A is wrong because a single Azure Policy definition can contain only one rule (one policy effect per definition); combining three different controls into one definition would violate the policy structure and make it impossible to manage or audit each control independently. Option C is wrong because a management group lock prevents accidental deletion or modification of resources but cannot enforce compliance controls like allowed regions, required tags, or disabling public network access—locks are for operational protection, not governance. Option D is wrong because a custom RBAC role controls who can perform actions (permissions) but does not enforce resource configuration or compliance; RBAC cannot automatically block the creation of resources in disallowed regions or enforce tagging rules.

105
MCQ · medium

Based on the exhibit, an administrator wants to prevent new Azure resources from being deployed in any region except East US and West US across the entire Corp hierarchy. What should the administrator configure?

A. Assign a built-in RBAC role that denies deployments in unsupported regions.
B. Create and assign an Azure Policy at the Corp management group using the allowed locations rule.
C. Apply a CanNotDelete lock to the subscriptions.
D. Use a resource tag named RegionApproved and require teams to set it manually.
Answer: B

Azure Policy is the correct tool for enforcing location compliance. Assigning the policy at the Corp management group ensures the restriction applies to all current and future child subscriptions, and a deny effect blocks noncompliant region deployments at creation time.

Why this answer

Azure Policy is the correct tool to enforce governance rules across management groups. The 'allowed locations' built-in policy definition restricts resource deployment to specified regions. By assigning this policy at the Corp management group, the rule applies to all child subscriptions and resources, preventing deployment in any region except East US and West US.

Exam trap

The trap here is confusing Azure Policy (which enforces rules on resource properties) with RBAC (which controls access) or resource locks (which prevent deletion), leading candidates to choose an option that addresses permissions rather than configuration compliance.

How to eliminate wrong answers

Option A is wrong because RBAC roles control access permissions (who can do what), not resource configuration or deployment restrictions; there is no built-in RBAC role that denies deployments based on region. Option C is wrong because a CanNotDelete lock prevents deletion of resources but does not restrict where new resources can be deployed. Option D is wrong because resource tags are metadata for organization and cost tracking, not a mechanism to enforce regional deployment restrictions; they require manual compliance and do not block deployment.

106
MCQ · medium

Based on the exhibit, a support lead must manage role assignments for RG-Apps so the team can grant or revoke access for others. The support lead must not be able to change resource configurations. Which role should you assign?

A. Owner at RG-Apps
B. Contributor at RG-Apps
C. User Access Administrator at RG-Apps
D. Reader at RG-Apps
Answer: C

User Access Administrator is designed specifically for managing Azure RBAC access without granting full resource configuration rights. Assigning it at the resource group scope lets the support lead create and remove role assignments for RG-Apps while avoiding unnecessary management permissions.

Why this answer

The User Access Administrator role at the RG-Apps scope allows the support lead to manage role assignments (grant or revoke access) for others without having permissions to modify resource configurations. This role is specifically designed for delegating access management while preventing changes to the resources themselves, which aligns with the requirement.

Exam trap

The trap here is that candidates often confuse the Contributor role (which can manage resources but not access) with the User Access Administrator role, or mistakenly think the Owner role is required for managing role assignments, overlooking the specific delegation capability of User Access Administrator.

How to eliminate wrong answers

Option A is wrong because the Owner role at RG-Apps includes full administrative access, allowing the support lead to change resource configurations, which violates the requirement. Option B is wrong because the Contributor role can create and manage resources but cannot grant or revoke access to others, failing the primary requirement. Option D is wrong because the Reader role only allows viewing resources and configurations, with no permissions to manage role assignments or change anything.

107
MCQ · medium

A storage automation service principal must upload, read, and delete blob data in one container by using Microsoft Entra authentication. It must not manage storage account settings, keys, or other containers. Which approach is best?

A. Assign Storage Account Contributor at the resource group scope.
B. Create a custom role with blob dataActions only and assign it at the container scope.
C. Assign Reader and give the service principal a storage account access key.
D. Assign Contributor at the subscription scope and restrict access with naming conventions.
Answer: B

This allows data access while avoiding storage account management permissions and limiting scope.

Why this answer

Option B is correct because it creates a custom Azure RBAC role with only the required blob data actions (e.g., Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read, write, delete) and assigns it at the container scope. This ensures the service principal can upload, read, and delete blobs in that specific container using Microsoft Entra authentication, without any permissions to manage storage account settings, keys, or other containers.

Exam trap

The trap here is that candidates often confuse built-in roles like Storage Blob Data Contributor (which works at the storage account scope) with the need for a custom role at the container scope, or they mistakenly think that assigning a management role like Contributor combined with an access key satisfies the requirement for Microsoft Entra authentication and container-specific access.

How to eliminate wrong answers

Option A is wrong because Storage Account Contributor at the resource group scope grants full management access to the storage account, including the ability to manage account settings, keys, and all containers, which violates the requirement to not manage storage account settings or other containers. Option C is wrong because assigning Reader and giving the service principal a storage account access key bypasses Microsoft Entra authentication and grants full data access to all blobs in the storage account via the key, not just the specified container. Option D is wrong because Contributor at the subscription scope grants extensive management permissions across all resources in the subscription, and naming conventions are not a security control; they cannot restrict access to a specific container.

108
Multi-Select · medium

A platform team wants to prevent engineers from creating VM sizes that are not approved, but they also need the engineers to be able to restart their own VMs. Which two statements are correct? Select two.

Select 2 answers
A. Use Azure Policy to deny creation of nonapproved VM sizes.
B. Use Azure RBAC to grant the restart action on the VMs.
C. Use Azure Policy to grant restart permission when the VM is compliant.
D. Use a resource lock to approve only specific VM sizes.
E. Use tags to enforce the approved VM size list and restart action.
Answers: A, B

Azure Policy can enforce allowed VM size rules at deployment time, which is exactly what you want for blocking unapproved sizes.

Why this answer

Option A is correct because Azure Policy can enforce organizational standards by denying the creation of non-approved VM sizes through built-in policies like 'Allowed virtual machine SKUs'. This prevents engineers from provisioning unapproved VM sizes at the time of creation, ensuring compliance without blocking other actions. Option B is correct because Azure RBAC allows granular permission assignment, such as granting the 'Microsoft.Compute/virtualMachines/restart/action' to engineers, enabling them to restart their own VMs without granting broader management rights.

Exam trap

The trap here is confusing Azure Policy (which enforces compliance on resource creation) with Azure RBAC (which controls permissions on existing resources), leading candidates to incorrectly assign policy to grant permissions or RBAC to deny creation.

109
MCQmedium

A policy that requires secure transfer for storage accounts has been assigned to a subscription with the DeployIfNotExists effect. Several existing storage accounts are still noncompliant and have not changed. What should you do next to update those existing resources automatically?

A. Assign a CanNotDelete lock to the storage accounts
B. Create and run a remediation task for the policy assignment
C. Move the storage accounts into a new resource group
D. Grant the administrators a higher RBAC role on the subscription
Answer: B

A remediation task applies the policy's corrective effect to existing resources so they can be brought into compliance.

Why this answer

The DeployIfNotExists effect on a policy assignment automatically deploys a template to remediate noncompliant resources, but only for new or updated resources. Existing noncompliant resources require a manual remediation task to trigger the deployment of the template. Creating and running a remediation task for the policy assignment applies the required secure transfer configuration to all existing storage accounts, bringing them into compliance.

Exam trap

The trap here is that candidates assume DeployIfNotExists automatically remediates all existing resources, but it only applies to new or updated resources, requiring a separate remediation task for existing noncompliant resources.

How to eliminate wrong answers

Option A is wrong because a CanNotDelete lock prevents deletion of the storage accounts but does not apply any configuration changes, so it cannot enforce the secure transfer requirement. Option C is wrong because moving storage accounts to a new resource group does not change their existing configuration; they remain noncompliant unless the policy is reassigned and a remediation task is run. Option D is wrong because granting a higher RBAC role (e.g., Owner) does not automatically apply policy effects; it only provides permissions, and the policy assignment still requires a remediation task to update existing resources.

110
MCQ · hard

Based on the exhibit, which change should the administrator make so the application identity remains stable across VM redeployments without reapplying RBAC assignments?

A. Keep the system-assigned identity and reapply the same RBAC roles after each rebuild.
B. Create a user-assigned managed identity and attach it to the VM template.
C. Store a local administrator password in Key Vault and use it for Azure resource access.
D. Replace the identity with a shared access signature so the VM can authenticate to Azure services.
Answer: B

A user-assigned managed identity is an independent Azure resource. It survives VM deletion and redeployment, so RBAC assignments remain valid.

Why this answer

A user-assigned managed identity is decoupled from the VM lifecycle, so it persists independently of VM redeployments. By attaching the same user-assigned identity to the new VM instance, the application retains its Azure AD object ID and all existing RBAC role assignments remain valid without requiring reapplication.

Exam trap

The trap here is that candidates often confuse system-assigned and user-assigned managed identities, assuming both persist across VM redeployments, but only user-assigned identities survive VM deletion because they are separate Azure resources.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to the VM's lifecycle; when the VM is deleted or rebuilt, the identity is destroyed and a new one is created, requiring RBAC roles to be reassigned. Option C is wrong because storing a local administrator password in Key Vault does not provide an Azure AD identity for the application to authenticate to Azure services; it only manages a local credential. Option D is wrong because a shared access signature (SAS) is a token for delegated access to specific Azure storage resources, not an identity that can be used for general Azure resource access or RBAC assignments.

111
MCQ · medium

An enterprise wants to enforce three governance controls for all subscriptions under a management group: allowed locations, required tags, and permitted VM sizes. The team wants a single place to assign and track compliance for all three controls. What should the administrator use?

A. Three separate policy assignments at each subscription
B. One policy initiative assigned at the management group
C. A custom RBAC role assigned to each subscription
D. A resource lock on each subscription
Answer: B

An initiative groups related policies and can be assigned once to cover all subscriptions beneath the management group.

Why this answer

A policy initiative (also known as a policy set) allows you to group multiple policy definitions (e.g., allowed locations, required tags, permitted VM sizes) into a single, reusable package. Assigning this initiative at the management group level enforces all three governance controls across every subscription under that management group, providing a single place to assign and track compliance via Azure Policy's compliance dashboard.

Exam trap

The trap here is confusing Azure Policy (which enforces rules on resource properties) with RBAC (which controls access permissions) or resource locks (which prevent deletion), leading candidates to pick a solution that addresses a different concern than governance compliance.

How to eliminate wrong answers

Option A is wrong because creating three separate policy assignments at each subscription would require manual effort for every subscription, lacks centralized tracking, and violates the requirement for a single place to assign and track compliance. Option C is wrong because a custom RBAC role controls permissions (who can do what), not governance rules (what resources are allowed), and cannot enforce allowed locations, required tags, or permitted VM sizes. Option D is wrong because a resource lock only prevents accidental deletion or modification of resources, it does not enforce any governance controls like allowed locations or required tags.

112
MCQ · easy

You need one assignment that requires a cost-center tag and also allows only approved locations. What should you use?

A. A policy initiative
B. A role assignment
C. A resource lock
D. A management group
Answer: A

An initiative groups multiple related policies into a single assignment for easier governance.

Why this answer

A policy initiative is the correct choice because it allows you to group multiple Azure Policy definitions (such as 'Require a cost-center tag' and 'Allowed locations') into a single, reusable assignment. This ensures both conditions are enforced simultaneously at a scope like a subscription or resource group, meeting the requirement for a cost-center tag and location restriction.

Exam trap

The trap here is that candidates often confuse a policy initiative with a management group, thinking the management group itself enforces rules, but a management group is only a hierarchy container—you must assign a policy or initiative to it to enforce compliance.

How to eliminate wrong answers

Option B is wrong because a role assignment grants permissions (e.g., Contributor, Reader) via Azure RBAC, but it cannot enforce resource properties like tags or locations; it controls who can act, not what resources must have. Option C is wrong because a resource lock prevents deletion or modification of resources (e.g., CanNotDelete, ReadOnly), but it does not enforce tagging or location restrictions; it is an operational safeguard, not a compliance rule. Option D is wrong because a management group is a logical container for organizing subscriptions and applying governance at scale, but it is not a policy assignment itself; you still need a policy initiative assigned to the management group to enforce the tag and location requirements.

113
MCQ · easy

A finance analyst needs read-only access to one storage account named stprod01. The analyst must not see other resources in the subscription. Where should you assign the Reader role?

A. At the management group scope that contains the subscription
B. At the subscription scope that contains the storage account
C. At the resource group that contains the storage account
D. At the storage account resource scope
Answer: D

Assigning Reader at the storage account scope is the narrowest option that still provides read-only access to that single resource. Azure RBAC permissions inherit downward, so a resource-level assignment affects only that storage account and nothing else in the subscription. This matches the requirement to limit visibility and access as tightly as possible.

Why this answer

Assigning the Reader role at the storage account resource scope (stprod01) grants read-only access exclusively to that specific storage account. This meets the requirement of restricting the analyst from seeing any other resources in the subscription, as role assignments at a higher scope (e.g., resource group, subscription, management group) would inherit permissions to all resources under that scope.

Exam trap

The trap here is that candidates often assume assigning the Reader role at the resource group scope is sufficient, but this would grant access to all resources in that resource group, not just the single storage account, violating the 'must not see other resources' constraint.

How to eliminate wrong answers

Option A is wrong because assigning the Reader role at the management group scope would grant read-only access to all subscriptions and resources within that management group, far exceeding the requirement. Option B is wrong because assigning the Reader role at the subscription scope would grant read-only access to all resources in the subscription, including other storage accounts, virtual machines, and networks. Option C is wrong because assigning the Reader role at the resource group scope would grant read-only access to all resources within that resource group, not just the single storage account.

114
MCQ · medium

A scheduled script runs on several Azure virtual machines that are created and replaced over time. The script must use the same Azure identity on every VM, and the identity should continue to exist even if one VM is deleted and recreated. What should the administrator use?

A. A system-assigned managed identity on each VM.
B. A user-assigned managed identity attached to the VMs.
C. A service principal with a client secret stored in each VM.
D. A shared access signature stored in the VM registry.
Answer: B

A user-assigned managed identity is created as a separate Azure resource and can be attached to multiple VMs. Because it is not tied to the lifecycle of a single VM, the same identity remains available even if one VM is deleted and rebuilt, which fits the requirement for shared, durable authentication.

Why this answer

A user-assigned managed identity is the correct choice because it is an Azure resource that exists independently of any VM, and it can be attached to multiple VMs. When a VM is deleted and recreated, the same user-assigned managed identity can be reattached, ensuring the script uses the same identity consistently. This decouples the identity lifecycle from the VM lifecycle, meeting the requirement for persistence across VM replacements.

Exam trap

The trap here is that candidates often confuse system-assigned managed identities (which are tied to a single resource's lifecycle) with user-assigned managed identities (which are independent and reusable), leading them to incorrectly choose option A for persistence across VM deletions.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to the lifecycle of a single VM; if the VM is deleted, the identity is also deleted, and a new VM would get a new identity, breaking the requirement for a consistent identity. Option C is wrong because storing a client secret in each VM is a security risk and violates best practices; managed identities eliminate the need for secrets by using Azure AD tokens obtained via the IMDS endpoint. Option D is wrong because a shared access signature (SAS) is a token for delegated access to Azure Storage, not an Azure identity; it cannot be used for authentication to Azure AD or for running scripts with a consistent identity across VMs.

115
MCQ · easy

Three Azure virtual machines in different resource groups must all use the same Azure identity to access a storage account. The identity should keep working even if one VM is rebuilt. What should you use?

A. A system-assigned managed identity on each VM
B. A user-assigned managed identity
C. A shared VM administrator password
D. A storage account SAS token
Answer: B

A user-assigned managed identity is a standalone Azure resource that can be attached to multiple VMs. Because it is not tied to one VM’s lifecycle, it continues to exist even if a VM is rebuilt or replaced. This makes it the best choice when several compute resources need to share the same identity for Azure access. It also simplifies permission management because you grant access once to the shared identity.

Why this answer

A user-assigned managed identity is created as a standalone Azure resource and can be assigned to multiple VMs, even across resource groups. It persists independently of any VM lifecycle, so rebuilding a VM does not affect the identity's availability or its permissions to access the storage account.

Exam trap

The trap here is that candidates confuse system-assigned managed identities (which are tied to a single VM's lifecycle) with user-assigned managed identities (which are independent resources), leading them to choose option A because they think 'each VM needs its own identity' rather than a shared, persistent one.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to the lifecycle of a single VM; if the VM is deleted, the identity is also deleted, and rebuilding the VM would create a new identity, breaking access. Option C is wrong because a shared VM administrator password is used for OS-level authentication, not for Azure resource access, and it violates security best practices by sharing credentials. Option D is wrong because a storage account SAS token is a time-limited, shared access token that does not represent an Azure identity; it would need to be securely stored and rotated, and it cannot be consistently used across multiple VMs without complex management.

116
MCQ · medium

You need to ensure that a contractor can manage virtual machines only in the RG-Test resource group and cannot access any other resource groups in the subscription. What is the best way to achieve this?

A. Assign the Virtual Machine Contributor role at the subscription scope
B. Assign the Virtual Machine Contributor role at the RG-Test scope
C. Assign the Reader role at the RG-Test scope
D. Assign the Owner role at the RG-Test scope
Answer: B

Scoping the role to RG-Test limits access to that resource group only.

Why this answer

Assigning the Virtual Machine Contributor role at the RG-Test scope grants the contractor permissions to manage virtual machines within that specific resource group only, adhering to the principle of least privilege. This role includes actions like creating, starting, stopping, and deleting VMs, but does not allow access to other resource groups in the subscription because the role assignment is scoped to RG-Test.

Exam trap

The trap here is that candidates often confuse the Virtual Machine Contributor role with broader roles like Contributor or Owner, or incorrectly assume that a subscription-scoped assignment can be restricted by resource group, when in fact Azure RBAC permissions are cumulative and inherited from higher scopes.

How to eliminate wrong answers

Option A is wrong because assigning the Virtual Machine Contributor role at the subscription scope would grant the contractor permissions to manage VMs in all resource groups within the subscription, violating the requirement to restrict access to RG-Test only. Option C is wrong because the Reader role at the RG-Test scope only allows read-only access to resources, not the ability to manage virtual machines as required. Option D is wrong because the Owner role at the RG-Test scope grants full control over all resources in that resource group, including the ability to manage access and delete resources, which exceeds the necessary permissions and violates the principle of least privilege.

117
Multi-Select · medium

An external consultant must access a resource group in your tenant using the consultant's existing work account. You want to avoid creating a separate username and password pair. Which two actions should the administrator take? Select two.

Select 2 answers
A. Invite the consultant as a guest user in Microsoft Entra ID.
B. Create a new member user account with an internal password.
C. Assign the required RBAC role on the target resource group to the guest account.
D. Add the consultant to the Global Administrator role.
E. Share the subscription ID and tenant ID only.
Answers: A, C

A guest user allows the consultant to authenticate with their existing organization identity while still being represented in your tenant. That keeps identity administration externalized and avoids creating a separate local password account.

Why this answer

Option A is correct because inviting the consultant as a guest user in Microsoft Entra ID (formerly Azure AD) allows the consultant to use their existing work account (external identity) without creating a new username/password. This leverages B2B collaboration, which uses the consultant's home directory for authentication, and the guest user object is created in your tenant to represent them.

Exam trap

The trap here is that candidates often confuse inviting a guest user (which uses external authentication) with creating a new user account (which requires a separate password), or they incorrectly think that sharing tenant/subscription IDs alone provides access without an identity and role assignment.

118
MCQ · easy

Based on the exhibit, a script running on an Azure VM must create resources in another subscription without using passwords or client secrets. Which command should the administrator use first?

A. az login --identity
B. az login --service-principal
C. az account set --subscription <subscriptionId>
D. Connect-AzAccount -UseDeviceAuthentication
Answer: A

This command signs in the Azure CLI by using the VM's managed identity instead of a stored username or secret. It is the correct first step when a script on an Azure VM needs to access Azure resources securely without embedded credentials.

Why this answer

Option A is correct because the script must authenticate without passwords or client secrets, and Azure VMs can use a managed identity for this purpose. The `az login --identity` command authenticates the Azure CLI using the VM's managed identity, which is a passwordless, secretless authentication method. This allows the script to obtain tokens for accessing resources in another subscription, provided the managed identity has appropriate RBAC permissions.

Exam trap

The trap here is that candidates often confuse setting the subscription context (`az account set`) with authentication, forgetting that authentication must occur first before any subscription-level operations can be performed.

How to eliminate wrong answers

Option B is wrong because `az login --service-principal` requires a client secret or certificate, which violates the requirement of no passwords or client secrets. Option C is wrong because `az account set --subscription <subscriptionId>` only sets the active subscription context after authentication; it does not perform authentication and cannot be used first. Option D is wrong because `Connect-AzAccount -UseDeviceAuthentication` is a PowerShell cmdlet for interactive device code authentication, which requires user interaction and does not work for automated scripts running on a VM without passwords or secrets.

119
MCQ · easy

Based on the exhibit, the governance team wants to assign three related policy definitions together: allowed regions, required tags, and approved VM SKUs. What should the administrator create first?

A. A policy initiative that groups the three policy definitions into one object.
B. A resource lock so the policies cannot be changed after assignment.
C. A custom RBAC role that grants permission to edit policy assignments.
D. A management group exemption so all three rules apply automatically.
Answer: A

An initiative is designed to bundle multiple policy definitions into a single reusable unit. This lets the administrator assign and report on the controls together at the management group scope. It is the correct choice when several related governance rules should be managed as one baseline.

Why this answer

A policy initiative (also known as a policy set) is the correct answer because it allows you to group multiple related policy definitions into a single assignable object. This is the intended Azure governance pattern for bundling policies like allowed regions, required tags, and approved VM SKUs, ensuring they are applied together consistently across management groups or subscriptions.

Exam trap

The trap here is that candidates often confuse a policy initiative with a resource lock or RBAC role, thinking that administrative controls are needed to enforce the grouping, when in fact the initiative itself is the native Azure construct for bundling policy definitions.

How to eliminate wrong answers

Option B is wrong because a resource lock prevents accidental deletion or modification of resources, but it does not group or assign policy definitions together. Option C is wrong because a custom RBAC role controls who can edit policy assignments, but it does not create a grouping of policy definitions. Option D is wrong because a management group exemption excludes resources from policy evaluation, but it does not create a grouping of policy definitions and would not automatically apply the three rules together.

120
MCQ · easy

Based on the exhibit, an auditor needs to view all resources in RG-Finance but must not be able to make any changes. The auditor also should not have access to other resource groups. Which RBAC assignment best meets the requirement?

A. Reader at the subscription scope, because it is read-only and easy to manage.
B. Reader at RG-Finance scope, because it allows viewing without granting write permissions.
C. Contributor at RG-Finance scope, because the auditor needs to read tags and configuration.
D. Reader at the management group scope, because all finance resources are grouped there.
Answer: B

Reader at the resource group scope gives the auditor visibility into the resources in RG-Finance without permitting changes. This is the narrowest built-in role and scope combination that satisfies the requirement to view the group only and avoid access to other resource groups.

Why this answer

The Reader role at the RG-Finance scope grants read-only access to all resources within that specific resource group, preventing any modifications. This meets the auditor's requirement to view resources in RG-Finance without write permissions and without access to other resource groups, as the scope is limited to RG-Finance.

Exam trap

The trap here is that candidates often choose Reader at the subscription scope (Option A) thinking it is simpler and still read-only, but they overlook the requirement to restrict access to only one resource group, which subscription-level access violates due to inheritance.

How to eliminate wrong answers

Option A is wrong because assigning Reader at the subscription scope would grant read-only access to all resource groups in the subscription, violating the requirement that the auditor should not have access to other resource groups. Option C is wrong because Contributor at RG-Finance scope includes write permissions (e.g., create, delete, update resources), which violates the requirement that the auditor must not be able to make any changes. Option D is wrong because Reader at the management group scope would inherit read-only access to all subscriptions and resource groups under that management group, including non-finance resources, which violates the requirement to restrict access to only RG-Finance.

121
Multi-Select · hard

A user had a direct Reader assignment on a virtual machine, but that assignment was removed. The user can still open the VM blade and view its properties. Which two sources could still be granting access? Select two.

Select 2 answers
A. A Reader assignment at the parent resource group, subscription, or management group scope can still be inherited by the VM.
B. Membership in an Entra security group that has Reader at an inherited scope can still provide visibility to the VM.
C. A CanNotDelete lock on the VM is granting the user permission to view it.
D. An Azure Policy assignment that audits the VM is granting read access through compliance evaluation.
E. A private endpoint connected to the VM subnet is providing inherited read permission through networking.
Answers: A, B

RBAC inheritance flows downward from management group to subscription to resource group to resource. A broader-scope Reader assignment would still allow the user to view the VM even after the direct VM-level assignment was removed. This is the most common reason access appears to persist.

Why this answer

Option A is correct because Azure RBAC permissions are inherited from higher scopes. Even if a direct Reader assignment on the VM is removed, a Reader role assigned at the parent resource group, subscription, or management group scope will still grant the user read access to the VM through inheritance. This is a fundamental behavior of Azure RBAC, where permissions flow down the hierarchy.

Exam trap

The trap here is that candidates often confuse resource locks (like CanNotDelete) with RBAC permissions, or think that Azure Policy or networking constructs (like private endpoints) can grant access, when in fact only role assignments (direct or inherited) control access to Azure resources.
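As an added illustration of the inheritance behaviour described above (not part of the original question bank), the following Python model resolves a principal's effective roles on a resource from direct assignments and from group-based assignments at ancestor scopes. The scope paths, principal and group names, and the two scenario functions are constructed for this example.

```python
"""Toy model of Azure RBAC scope inheritance (constructed example, not Azure code).

A role assignment grants its role on every resource whose scope path begins with
the assignment's scope, and assignments are additive: a principal holds the union
of its direct assignments and those of every group it belongs to.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # user or group name (constructed)
    role: str       # built-in role name, e.g. "Reader"
    scope: str      # scope path the role was assigned at


def _parts(scope):
    return tuple(p for p in scope.strip("/").split("/") if p)


def scope_covers(assignment_scope, resource_scope):
    """True when assignment_scope is the resource scope itself or one of its ancestors."""
    a, r = _parts(assignment_scope), _parts(resource_scope)
    return len(a) <= len(r) and r[: len(a)] == a


def effective_roles(principal, resource_scope, assignments, group_members):
    """Return {(role, granting_scope, via)} that 'principal' holds on resource_scope.

    via is "direct" for the principal's own assignments, or "group:<name>" when the
    role is inherited through membership in a security group.
    """
    identities = {principal} | {g for g, members in group_members.items() if principal in members}
    held = set()
    for a in assignments:
        if a.principal in identities and scope_covers(a.scope, resource_scope):
            via = "direct" if a.principal == principal else f"group:{a.principal}"
            held.add((a.role, a.scope, via))
    return held


# Constructed scope hierarchy: management group > subscription > resource group > resource.
MG = "/managementGroups/Corp"
SUB = MG + "/subscriptions/sub-prod"
RG = SUB + "/resourceGroups/rg-platform"
VM = RG + "/virtualMachines/vm-app01"
ST_PROD = RG + "/storageAccounts/stprod01"
ST_OTHER = RG + "/storageAccounts/stlogs02"

GROUPS = {"sg-platform-readers": {"alice"}}  # constructed security group membership


def question_121_scenario():
    """Remove alice's direct Reader on the VM and report her roles before and after.

    The group's Reader assignment at subscription scope still covers the VM, which is
    why access appears to persist after the direct assignment is removed.
    """
    assignments = {
        RoleAssignment("alice", "Reader", VM),
        RoleAssignment("sg-platform-readers", "Reader", SUB),
    }
    before = effective_roles("alice", VM, assignments, GROUPS)
    assignments.discard(RoleAssignment("alice", "Reader", VM))
    after = effective_roles("alice", VM, assignments, GROUPS)
    return before, after


def question_113_scenario():
    """Reader scoped to stprod01 only: held on that account, not on a sibling account."""
    assignments = {RoleAssignment("bob", "Reader", ST_PROD)}
    on_target = effective_roles("bob", ST_PROD, assignments, GROUPS)
    on_sibling = effective_roles("bob", ST_OTHER, assignments, GROUPS)
    return on_target, on_sibling


if __name__ == "__main__":
    before, after = question_121_scenario()
    print("before removal:", sorted(before))
    print("after removal: ", sorted(after))
    print("Reader on sibling storage account:", question_113_scenario()[1])
```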

122
Multi-Select · medium

A compliance team wants to identify all resources in a department that are missing an Environment tag, but they do not want to stop users from creating or changing resources. Which two choices should the administrator make? Select two.

Select 2 answers
A. Use an Azure Policy assignment with the Audit effect.
B. Assign the policy at the management group scope that contains the department subscriptions.
C. Use the Deny effect.
D. Grant Reader on the subscription to the compliance team.
E. Apply a ReadOnly lock to all resource groups.
Answers: A, B

Audit records noncompliance without blocking activity. That makes it ideal for compliance reporting when the organization wants visibility first and enforcement later.

Why this answer

Option A is correct because the Audit effect in Azure Policy allows the compliance team to identify resources missing an Environment tag without blocking resource creation or modification. This effect logs non-compliant resources to the activity log, enabling visibility without enforcement. Option B is correct because assigning the policy at the management group scope ensures it applies to all subscriptions within that department, covering all resources under a single governance boundary.

Exam trap

The trap here is that candidates often confuse the Audit effect with the Deny effect, thinking they need to block non-compliant resources to identify them, or they mistakenly believe granting Reader access is sufficient for automated tag discovery, when in fact Azure Policy is the correct tool for compliance evaluation without enforcement.
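As an added example (not from the original question bank), this Python model evaluates policy definitions written in the real Azure Policy if/then rule shape against constructed resources: an Audit effect lets the request through but records a finding, a Deny effect blocks it, an initiative bundles both under one management-group assignment, and an exemption carves out a pilot subscription. The scope paths, resource values and the `evaluate_request` function are assumptions of this model, not Azure's engine.

```python
"""Simplified model of Azure Policy evaluation (constructed example, not the Azure engine).

Definitions use the real policyRule shape: an "if" condition over resource fields and a
"then" effect. Here 'deny' rejects the request, 'audit' lets it through but records a
compliance finding, an initiative is a dict of definitions assigned at one scope, and an
exemption removes a scope from evaluation.
"""
import re


def _field_value(resource, field):
    """Resolve a policy field alias: location, type, or tags['Name']."""
    m = re.fullmatch(r"tags\['([^']+)'\]", field)
    if m:
        return resource.get("tags", {}).get(m.group(1))
    return resource.get(field)


def condition_matches(cond, resource):
    """Evaluate an 'if' block supporting not/allOf/anyOf and exists/equals/in."""
    if "not" in cond:
        return not condition_matches(cond["not"], resource)
    if "allOf" in cond:
        return all(condition_matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_matches(c, resource) for c in cond["anyOf"])
    value = _field_value(resource, cond["field"])
    if "exists" in cond:  # Azure writes this as the string "true"/"false"
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return value == cond["equals"]
    if "in" in cond:
        return value in cond["in"]
    raise ValueError(f"unsupported condition: {cond}")


def _in_scope(resource_scope, parent_scope):
    r = [p for p in resource_scope.split("/") if p]
    a = [p for p in parent_scope.split("/") if p]
    return r[: len(a)] == a


def evaluate_request(resource, initiative, assignment_scope, exempt_scopes=()):
    """Evaluate a create/update request against an initiative assignment.

    Returns (allowed, audit_findings). A denied request creates nothing, so no
    audit findings are reported for it.
    """
    scope = resource["scope"]
    if not _in_scope(scope, assignment_scope) or any(_in_scope(scope, e) for e in exempt_scopes):
        return True, []  # outside the assignment or exempted: not evaluated at all
    findings = []
    for name, policy in initiative.items():
        if not condition_matches(policy["if"], resource):
            continue
        effect = policy["then"]["effect"].lower()
        if effect == "deny":
            return False, []
        if effect == "audit":
            findings.append(name)
    return True, findings


# Constructed initiative: audit a missing Environment tag, deny locations outside the two allowed.
DEPARTMENT_INITIATIVE = {
    "audit-environment-tag": {
        "if": {"field": "tags['Environment']", "exists": "false"},
        "then": {"effect": "audit"},
    },
    "deny-disallowed-locations": {
        "if": {"not": {"field": "location", "in": ["eastus", "westus"]}},
        "then": {"effect": "deny"},
    },
}
MG_SCOPE = "/managementGroups/Dept"                 # constructed: where the initiative is assigned
PILOT_SUB = MG_SCOPE + "/subscriptions/sub-pilot"  # constructed: exempted during testing


def scenario():
    """Constructed resources exercising each outcome; returns {name: (allowed, findings)}."""
    rg_a = MG_SCOPE + "/subscriptions/sub-a/resourceGroups/rg1"
    storage = "Microsoft.Storage/storageAccounts"
    resources = {
        "tagged-eastus": {"scope": rg_a, "type": storage, "location": "eastus",
                          "tags": {"Environment": "prod"}},
        "untagged-westus": {"scope": rg_a, "type": storage, "location": "westus"},
        "tagged-westeurope": {"scope": rg_a, "type": storage, "location": "westeurope",
                              "tags": {"Environment": "prod"}},
        "pilot-westeurope": {"scope": PILOT_SUB + "/resourceGroups/rg1", "type": storage,
                             "location": "westeurope"},
    }
    return {name: evaluate_request(r, DEPARTMENT_INITIATIVE, MG_SCOPE, exempt_scopes=[PILOT_SUB])
            for name, r in resources.items()}


if __name__ == "__main__":
    for name, (allowed, findings) in scenario().items():
        print(f"{name:20s} allowed={allowed} audit_findings={findings}")
```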

123
MCQ · medium

Two Azure virtual machines run the same automation script and both need access to Key Vault and Storage. The script must keep working if one VM is redeployed, and the team wants the same identity to be usable by both VMs. What should the administrator use?

A. A system-assigned managed identity on each VM
B. A user-assigned managed identity attached to both VMs
C. A service principal stored in a configuration file on the VMs
D. A storage account access key stored in the script
Answer: B

A user-assigned identity is reusable, can be shared, and survives VM replacement or redeployment.

Why this answer

A user-assigned managed identity is the correct choice because it is created as a standalone Azure resource and can be assigned to multiple VMs. This ensures both VMs share the same identity for accessing Key Vault and Storage, and the identity persists independently of any single VM's lifecycle, so redeploying one VM does not break access for the other.

Exam trap

The trap here is that candidates often assume a system-assigned managed identity can be shared across VMs because it is 'managed,' but they overlook that it is inherently tied to a single resource's lifecycle and cannot be assigned to multiple resources.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to the lifecycle of a single VM; if that VM is deleted, the identity is also deleted, and it cannot be shared across multiple VMs. Option C is wrong because storing a service principal in a configuration file on the VMs introduces credential management overhead, security risks (e.g., credential leakage), and the need to rotate secrets, which contradicts the goal of a passwordless, resilient identity. Option D is wrong because a storage account access key stored in the script is a static secret that must be managed securely, cannot be shared across VMs without exposing the key, and does not provide a unified identity for both Key Vault and Storage access.

124
MCQ · hard

Your company uses Microsoft Entra ID. A new engineer must be able to create virtual machines in RG-Dev but must not be able to assign roles to other users. Which built-in role should you assign at the RG-Dev scope?

A. Owner
B. Virtual Machine Contributor
C. User Access Administrator
D. Reader
Answer: B

This allows VM management in the resource group without permission to grant access.

Why this answer

The Virtual Machine Contributor role provides the exact permissions needed: it allows creating and managing virtual machines within the specified scope (RG-Dev), but explicitly does not include the ability to assign roles to other users. This role grants write access to compute resources while preserving the principle of least privilege.

Exam trap

The trap here is that candidates often confuse the Virtual Machine Contributor role with the Owner role, mistakenly thinking that any contributor-level role includes role assignment capabilities, when in fact only Owner and User Access Administrator have that permission.

How to eliminate wrong answers

Option A is wrong because the Owner role includes the 'Microsoft.Authorization/roleAssignments/write' permission, which allows assigning roles to other users, violating the requirement. Option C is wrong because the User Access Administrator role is specifically designed to manage user access and role assignments, directly enabling the prohibited action. Option D is wrong because the Reader role only allows viewing resources, not creating virtual machines.

125
MCQ · medium

You need to ensure that junior administrators can view all resources in the Prod-Sub subscription but cannot create, modify, or delete any resources. Which Azure RBAC role should you assign?

A. Owner
B. Contributor
C. Reader
D. Monitoring Reader
Answer: C

Reader provides view-only access to resources across the assigned scope.

Why this answer

The Reader role is the correct choice because it grants read-only access to all resources in a subscription, including their properties and status, but does not allow any create, modify, or delete operations. This aligns perfectly with the requirement for junior administrators to view resources without making changes.

Exam trap

The trap here is that candidates often confuse the Monitoring Reader role with the Reader role, mistakenly thinking it provides full read access, but it only covers monitoring data, not all resource types.

How to eliminate wrong answers

Option A is wrong because the Owner role grants full access to manage all resources, including the ability to assign roles, which would allow junior administrators to create, modify, or delete resources. Option B is wrong because the Contributor role allows creating, modifying, and deleting resources, which violates the requirement for read-only access. Option D is wrong because the Monitoring Reader role only provides read access to monitoring data (e.g., metrics, logs, alerts) and does not grant visibility into all resource types like virtual machines or storage accounts.

126
MCQ · medium

A company has three business units. Each business unit needs its own subscription for billing and admin delegation. Corporate security wants one policy assignment to cover all current and future subscriptions in each business unit. What structure should you implement?

A. Place all resources in one subscription and separate them only by resource group
B. Create a management group for each business unit and place that unit's subscriptions underneath it
C. Assign the policy at each resource group because policies cannot target subscriptions
D. Create one resource group per business unit inside a shared subscription
Answer: B

Management groups provide a level above subscriptions, making them ideal for consistent policy assignment across multiple subscriptions in a business unit.

Why this answer

Management groups allow you to aggregate multiple subscriptions under a single hierarchy, enabling policy assignment at the management group level that applies to all current and future subscriptions within that group. This meets the requirement for per-business-unit billing isolation (via separate subscriptions) and centralized policy enforcement across all subscriptions in each unit.

Exam trap

The trap here is that candidates may think resource groups are sufficient for isolation and policy enforcement, overlooking that management groups provide subscription-level aggregation and inheritance that resource groups cannot achieve across multiple subscriptions.

How to eliminate wrong answers

Option A is wrong because placing all resources in one subscription with separate resource groups does not provide separate billing or admin delegation per business unit, and a single policy assignment would apply to all resources, not per unit. Option C is wrong because Azure Policy can be assigned at management group, subscription, and resource group scopes; the statement that policies cannot target subscriptions is false. Option D is wrong because creating one resource group per business unit inside a shared subscription does not provide separate billing or subscription-level isolation, and a single policy assignment would apply to all resource groups in that subscription, not per business unit.

127
Multi-Select · hard

A ReadOnly lock is applied to RG-App. Which two requested changes will fail because of the lock? Select two.

Select 2 answers
A. Resize a virtual machine to a larger SKU.
B. List the resources currently in the resource group.
C. Delete an unused public IP address.
D. Read the current tag values on the resource group.
E. View the VM power state in the portal.
Answers: A, C

Resizing requires a write operation, and ReadOnly blocks write operations against locked resources.

Why this answer

A ReadOnly lock on a resource group prevents any operations that modify existing resources or create/delete resources within that group. Resizing a VM to a larger SKU requires a write operation to the VM resource (specifically, updating the hardware profile), which is blocked by the lock. Deleting an unused public IP address is also a write operation (delete), which is blocked.

Read operations, such as listing resources or viewing tags, are allowed.

Exam trap

The trap here is that candidates often confuse a ReadOnly lock with a 'read-only' permission on the resource group itself, forgetting that read operations like listing resources or viewing tags are still allowed, while any write operation (including resize or delete) is blocked.

128
MCQ · easy

Based on the exhibit, which identity should the administrator enable to remove the secret from app settings and have the identity disappear automatically when the app is deleted?

A. User-assigned managed identity
B. Service principal with a client secret
C. System-assigned managed identity
D. Shared access signature
Answer: C

A system-assigned managed identity is tied directly to the Azure resource, so it is created with the app and removed when the app is deleted. It is the best fit when you want to eliminate stored secrets and keep the identity lifecycle aligned to one resource.

Why this answer

The system-assigned managed identity is tied directly to the lifecycle of the Azure resource (e.g., an App Service). When you enable it, Azure automatically creates a service principal in Azure AD for that resource, and you can use the identity to access Azure Key Vault without storing secrets in app settings. When the resource is deleted, the system-assigned managed identity and its corresponding service principal are automatically removed, eliminating the need for manual cleanup.

Exam trap

The trap here is that candidates often confuse user-assigned managed identities with system-assigned ones, assuming both are automatically deleted with the resource, but only the system-assigned identity is tied to the resource's lifecycle.

How to eliminate wrong answers

Option A is wrong because a user-assigned managed identity is created as a standalone Azure resource with its own lifecycle; it does not automatically disappear when the app is deleted—you must delete it separately. Option B is wrong because a service principal with a client secret requires you to manually manage the secret (e.g., store it in app settings) and the service principal persists in Azure AD even after the app is deleted, requiring manual cleanup. Option D is wrong because a shared access signature (SAS) is a token used to delegate access to storage resources, not an identity for Azure AD authentication, and it does not automatically disappear when the app is deleted.

129
Multi-Select · medium

You are designing a governance strategy for an Azure environment that includes multiple subscriptions. You need to ensure that all resources deployed in the production subscription adhere to specific regulatory compliance requirements, such as encryption at rest and denying public network access. Which three of the following should you implement? (Choose three.)

Select 3 answers
A. Create a custom Azure Policy definition that enforces encryption at rest and denies public network access.
B. Assign the built-in Azure Policy initiative 'ISO 27001:2013' to the production subscription.
C. Assign a custom Azure Policy definition at the management group that contains the production subscription.
D. Create an Azure role-based access control (RBAC) role to enforce encryption and network restrictions.
E. Configure Azure Blueprints to include the custom policy assignment and assign the blueprint to the production subscription.
F. Use Azure Resource Graph to audit resources that do not meet compliance requirements.
Answers: A, C, E

Why this answer

Creating a custom Azure Policy definition allows you to enforce specific regulatory requirements like encryption at rest and denying public network access. Assigning this custom policy at the management group that contains the production subscription ensures the policy is inherited by the subscription and all its resources. Configuring Azure Blueprints to include the custom policy assignment and assigning the blueprint to the production subscription provides a repeatable, versioned deployment of the policy along with other artifacts, ensuring consistent governance.

Exam trap

The trap here is confusing Azure Policy (which enforces resource configuration rules) with Azure RBAC (which controls user permissions), leading candidates to incorrectly select RBAC as a method to enforce encryption and network restrictions.

130
MCQ · hard

The platform team wants to block deployment of virtual machines that use any size except a small approved list. Operators already have Contributor access and should keep that access for other tasks. Which Azure control should the administrator use to enforce the size restriction?

A. Assign an Azure Policy with an allowed virtual machine size rule and the Deny effect at the subscription scope.
B. Create a custom RBAC role that excludes unsupported VM sizes from the Contributor role.
C. Apply a CanNotDelete lock to the resource group that contains the virtual machines.
D. Assign Reader permissions to the operators and rely on Azure portal validation.
Answer: A

Azure Policy is designed to enforce configuration rules such as allowed regions or allowed VM sizes. The Deny effect blocks noncompliant deployments even when the user has Contributor permissions, because policy enforcement is separate from RBAC authorization.

Why this answer

Azure Policy with the 'allowed virtual machine sizes' built-in policy and the Deny effect is the correct control because it enforces a deny action at the resource creation or update level, preventing any VM deployment that does not match the approved size list. This works independently of RBAC permissions, so operators retain their Contributor role for other tasks while the policy blocks non-compliant VM sizes. The policy is assigned at the subscription scope to cover all resource groups, ensuring consistent enforcement across the environment.

Exam trap

The trap here is that candidates confuse Azure Policy (which controls resource properties) with RBAC (which controls who can perform actions), leading them to incorrectly choose a custom RBAC role when the requirement is to restrict a specific configuration, not the action itself.

How to eliminate wrong answers

Option B is wrong because a custom RBAC role cannot exclude specific VM sizes; RBAC controls permissions to perform actions (e.g., 'Microsoft.Compute/virtualMachines/write'), not the properties of the resource being created. Option C is wrong because a CanNotDelete lock only prevents deletion of resources, not creation or modification, so it cannot block deployment of unapproved VM sizes. Option D is wrong because Reader permissions prevent operators from creating any VMs at all, which contradicts the requirement that they keep Contributor access for other tasks, and Azure portal validation is client-side only and can be bypassed via PowerShell, CLI, or API calls.

131
MCQ · hard

An enterprise has 30 Azure subscriptions. Production subscriptions need a common baseline of allowed regions, required tags, and approved SKU rules, and any new production subscription must inherit those rules automatically. Sandbox subscriptions should follow a separate, lighter baseline. Which Azure construct should the team use to organize this governance model?

A. A separate resource group for each business unit inside every subscription.
B. A management group hierarchy with separate production and sandbox branches.
C. A set of resource locks applied directly to critical resources in each subscription.
D. A single policy exemption applied at the tenant root.
Answer: B

Management groups are designed for organizing subscriptions and inheriting governance across many subscriptions.

Why this answer

Management groups allow you to build a hierarchy of Azure subscriptions and apply Azure Policy at the management group scope. By creating separate management group branches for production and sandbox, you can assign distinct policy sets (allowed regions, required tags, approved SKUs) to each branch, and any new subscription placed under the production branch will automatically inherit those baseline rules.

Exam trap

The trap here is that candidates confuse resource groups or resource locks with policy-based governance, failing to recognize that only management groups combined with Azure Policy can enforce a common baseline across multiple subscriptions and automatically apply to new subscriptions placed in the hierarchy.

How to eliminate wrong answers

Option A is wrong because resource groups are containers within a single subscription and cannot enforce policies across multiple subscriptions or automatically apply to new subscriptions. Option C is wrong because resource locks prevent accidental deletion or modification but cannot enforce allowed regions, required tags, or approved SKU rules across subscriptions. Option D is wrong because a policy exemption is used to exclude a scope from a policy effect, not to define or enforce baseline rules; applying it at the tenant root would exempt all subscriptions from policies, which is the opposite of what is needed.

132
Multi-Select · medium

A DevOps engineer must run an Azure CLI script from a Windows VM to create resources in a specific resource group in another subscription. The script must not use a client secret or password, and access should be limited to only that resource group. Which three actions should the administrator take? Select three.

Select 3 answers
A. Enable a system-assigned managed identity on the source VM so the script can authenticate without stored credentials.
B. Assign Contributor on the target resource group to the VM identity so the script can create the required resources.
C. Use az login --identity in the script before running the Azure CLI deployment commands.
D. Create a service principal and store its client secret in a file on the VM for the script to read.
E. Grant Reader on the resource group because Reader permissions are sufficient for Azure CLI resource creation.
Answers: A, B, C

A system-assigned managed identity is tied directly to the VM and removes the need to store secrets on disk. It is the simplest credential-free option when a script runs inside a single virtual machine and must access Azure resources programmatically.

Why this answer

Option A is correct because enabling a system-assigned managed identity on the source VM allows the Azure CLI script to authenticate to Azure without storing any client secret or password. The managed identity is automatically managed by Azure AD and tied to the VM lifecycle, eliminating the need for credential management.

Exam trap

The trap here is that candidates may confuse Reader with Contributor, thinking Reader is sufficient for CLI commands, or they may default to creating a service principal with a secret, missing the managed identity approach that avoids stored credentials.

133
Multi-Select · medium

A production resource group contains web and data resources. Administrators must be able to update, scale, and restart resources, but they must not delete the resource group or any resource inside it during maintenance windows. Which two actions should the administrator take? Select two.

Select 2 answers
A. Apply a CanNotDelete lock to the resource group.
B. Apply a ReadOnly lock to the resource group.
C. Apply a CanNotDelete lock only to the individual virtual machines.
D. Apply the lock at the resource group scope so it covers child resources.
E. Use tags to mark the resources as production and prevent deletion.
Answers: A, D

CanNotDelete blocks deletion while still allowing normal write operations such as updates and scaling. That makes it the right lock when the organization wants protection from accidental removal but still needs management access.

Why this answer

Option A is correct because applying a CanNotDelete lock to the resource group prevents the deletion of the resource group and all resources within it, while still allowing administrators to update, scale, and restart resources. This lock type blocks delete operations but permits read and update operations, which aligns with the requirement to perform maintenance actions without risking deletion. The lock is inherited by all child resources in the resource group, ensuring comprehensive protection.

Exam trap

The trap here is that candidates often confuse the CanNotDelete lock with the ReadOnly lock, mistakenly thinking a ReadOnly lock still allows updates and scaling, or they assume tags can enforce deletion prevention, when in reality tags are purely organizational and have no security or governance enforcement capabilities.

134
MCQ · medium

A team in RG-Apps must be able to start, stop, and deallocate virtual machines and read their properties. Built-in roles available to the team are broader than necessary. What should the administrator do?

A. Assign Virtual Machine Contributor at the subscription scope.
B. Create a custom role with only the required VM actions and assign it at RG-Apps scope.
C. Assign Reader and Virtual Machine Contributor together at the resource group scope.
D. Assign Owner at the resource group scope to avoid troubleshooting access issues.
Answer: B

A custom role can include only the required actions, such as VM start, deallocate, and read, without granting unnecessary permissions. Assigning the role at RG-Apps scope keeps the permissions limited to the target resource group and is the cleanest least-privilege design.

Why this answer

Option B is correct because the team needs specific actions (start, stop, deallocate, read properties) that are a subset of the Virtual Machine Contributor role's permissions. Creating a custom role with only the required actions (Microsoft.Compute/virtualMachines/start/action, Microsoft.Compute/virtualMachines/deallocate/action, Microsoft.Compute/virtualMachines/read, etc.) and assigning it at the RG-Apps scope provides least-privilege access without granting broader capabilities like creating or deleting VMs.

Exam trap

The trap here is that candidates often choose Virtual Machine Contributor (Option A or C) thinking it covers start/stop/deallocate, but they overlook that it also includes broader VM management actions like create, delete, and modify, which violates the least-privilege requirement stated in the question.

How to eliminate wrong answers

Option A is wrong because Virtual Machine Contributor at subscription scope grants broader permissions (e.g., create, delete VMs) across all resource groups, violating the least-privilege principle and exceeding the team's needs. Option C is wrong because combining Reader and Virtual Machine Contributor still grants the full Virtual Machine Contributor permissions (including create/delete) plus read-only access, which is broader than necessary and does not restrict to only start, stop, deallocate, and read. Option D is wrong because Owner at resource group scope grants full administrative control, including managing role assignments and all resources, which far exceeds the required actions and violates security best practices.

135
MCQ · medium

A platform team wants every current and future subscription under the company's Azure hierarchy to inherit Reader access for a central audit group. The team does not want to create separate assignments for each subscription. Where should the role be assigned?

A. At the management group that contains the subscriptions.
B. At one subscription and rely on inheritance to reach the others.
C. At a resource group in a single subscription.
D. At an individual resource that the audit team will inspect.
Answer: A

Management group scope is designed for governance that must apply across multiple subscriptions, including subscriptions added later under the same hierarchy. A role assignment at that level is inherited by child subscriptions and their resources, which is ideal for broad read-only audit access.

Why this answer

Assigning the Reader role at the management group level ensures that all current and future subscriptions within that management group inherit the assignment via Azure RBAC inheritance. This meets the requirement without needing separate assignments per subscription, as role assignments flow down the hierarchy from management group to subscription to resource group to resource.

Exam trap

The trap here is that candidates may think assigning the role at one subscription will propagate to others via inheritance, but Azure RBAC inheritance is strictly hierarchical and does not apply across sibling subscriptions—only downward from a management group or parent scope.

How to eliminate wrong answers

Option B is wrong because assigning the role at one subscription does not cause inheritance to other subscriptions; RBAC inheritance flows only downward within the same hierarchy branch, not across sibling subscriptions. Option C is wrong because assigning at a resource group limits the scope to that specific resource group and its resources, not to entire subscriptions or the management group. Option D is wrong because assigning at an individual resource is the narrowest scope and would only grant Reader access to that single resource, not to any subscription or broader scope.

136
MCQ · medium

An administrator grants the Helpdesk group the User Administrator role at the tenant scope. The team should be able to reset passwords only for users in the Europe-Users administrative unit. What should the administrator do?

A. Assign the User Administrator role to Helpdesk for the Europe-Users administrative unit only.
B. Create a Conditional Access policy that targets Helpdesk and Europe-Users.
C. Assign the Password Administrator role at the tenant scope and use Privileged Identity Management.
D. Create a custom RBAC role in the subscription and assign it to Helpdesk.
Answer: A

This scopes the role to the administrative unit and limits administration to users in that unit.

Why this answer

Option A is correct because Azure AD administrative units allow scoping of role assignments to a subset of users, groups, or devices. By assigning the User Administrator role to the Helpdesk group scoped to the Europe-Users administrative unit, the team can reset passwords only for users within that unit, meeting the requirement without granting broader tenant-wide permissions.

Exam trap

The trap here is confusing Azure AD administrative units (which scope directory roles) with Azure RBAC (which scopes resource management) or Conditional Access (which controls authentication policies), leading candidates to select options that address the wrong layer of access control.

How to eliminate wrong answers

Option B is wrong because Conditional Access policies control authentication and access conditions (e.g., MFA, location), not role-based permissions like password reset; they cannot scope administrative roles. Option C is wrong because assigning the Password Administrator role at the tenant scope grants the ability to reset passwords for all users in the tenant, not just those in Europe-Users, and Privileged Identity Management (PIM) provides just-in-time activation but does not change the scope of the role. Option D is wrong because custom RBAC roles in Azure subscriptions apply to Azure resources (e.g., VMs, storage), not to Azure AD user objects or password reset operations, which are managed via Azure AD roles.

137
Multi-Select · hard

A resource group has a ReadOnly lock applied to it. An operator can view the resources, but several portal changes fail. Which two operations will fail because of the lock? Select two.

Select 2 answers
A. Changing the size of an existing virtual machine in the resource group will fail because it is a write operation.
B. Deleting a storage account in the resource group will fail because deletion is also blocked by ReadOnly.
C. Reading the resource group's activity log will fail because lock-protected scopes cannot be queried.
D. Listing the resources in the resource group with Azure CLI will fail because enumeration is a write operation.
E. Fetching the current VM configuration from the ARM API will fail because reads are denied by the lock.
Answers: A, B

Resizing a VM modifies the resource configuration, so it is a write action. A ReadOnly lock blocks all write operations at the locked scope and below, which means even an otherwise valid size change is rejected while the lock remains in place.

Why this answer

A is correct because changing the size of an existing virtual machine is a write operation that modifies the VM's configuration. A ReadOnly lock on the resource group prevents all write and delete operations, so any attempt to resize the VM will fail. The lock does not affect read operations, which remain functional.

Exam trap

The trap here is that candidates often confuse ReadOnly locks with read-only permissions, incorrectly assuming that all read operations (like listing resources or fetching configurations) are also blocked, when in fact only write and delete operations are denied.

138
Multi-Select · easy

A VM-hosted application must read blobs from Azure Storage without storing any keys or passwords. Which two identity types can the VM use to authenticate to Azure Storage? Select two.

Select 2 answers
A. System-assigned managed identity, because it is tied to one VM and can request tokens without stored secrets.
B. User-assigned managed identity, because it can be reused by multiple resources without embedding credentials.
C. Storage account shared key, because it is the preferred credential when you want to avoid passwords.
D. Basic authentication with a storage account name and password, because Azure Storage supports that model directly.
E. Anonymous public access, because it lets the VM read blobs without any authentication at all.
Answers: A, B

A system-assigned managed identity is attached to one resource and avoids storing any secret in the application.

Why this answer

System-assigned managed identity is correct because it is directly tied to a single VM and can request tokens from Azure AD without storing any secrets or keys. The VM uses its managed identity to authenticate to Azure Storage by obtaining an OAuth 2.0 token, which is then passed to the storage service via the Authorization header. This eliminates the need for any stored credentials, meeting the requirement of not storing keys or passwords.

Exam trap

The trap here is that candidates often confuse managed identities with shared access signatures (SAS) or shared keys, thinking that any identity-based method requires storing a secret, or they incorrectly assume that anonymous access is a valid identity type for application authentication.

139
MCQ · hard

Your organization wants all subscriptions under the Corp-MG management group to inherit a policy that blocks deployment of resource types not on an approved list. Which Azure feature should you use?

A. Azure Policy assigned at the management group scope
B. A custom RBAC role assigned at the tenant root
C. A ReadOnly lock on each subscription
D. A budget alert for each subscription
Answer: A

Management group policy assignments are inherited by child subscriptions and can restrict allowed resource types.

Why this answer

Azure Policy assigned at the management group scope is the correct choice because it allows you to enforce governance rules across all subscriptions within a management group hierarchy. By creating a policy definition that blocks deployment of resource types not on an approved list and assigning it to the Corp-MG management group, the policy will be inherited by all child subscriptions, ensuring consistent compliance without manual configuration per subscription.

Exam trap

The trap here is confusing Azure Policy (which enforces rules on resource properties and types) with Azure RBAC (which controls user permissions), leading candidates to incorrectly choose a custom RBAC role when the question explicitly asks about blocking resource types.

How to eliminate wrong answers

Option B is wrong because a custom RBAC role assigned at the tenant root controls permissions (who can do what) but does not enforce resource type restrictions; RBAC is for access control, not for blocking specific resource deployments. Option C is wrong because a ReadOnly lock prevents modifications or deletions of existing resources but does not block the creation of new resource types; it is a lock, not a policy-based restriction. Option D is wrong because a budget alert notifies you about spending thresholds but does not prevent deployment of unapproved resource types; it is a cost management tool, not a governance enforcement mechanism.

140
MCQ · medium

You need to ensure that administrators cannot accidentally delete a production virtual network, but they must still be able to update subnet settings. Which Azure feature should you apply?

A. A CanNotDelete lock
B. A ReadOnly lock
C. An Azure Policy deny assignment
D. A budget alert
Answer: A

This prevents deletion while allowing modifications.

Why this answer

A CanNotDelete lock (Azure resource lock) prevents accidental deletion of the virtual network while allowing all other operations, including updates to subnet settings. This lock type blocks DELETE requests at the Azure Resource Manager level, but permits PUT and PATCH operations, so administrators can still modify subnet configurations.

Exam trap

The trap here is that candidates often confuse Azure Policy (which enforces rules on resource properties) with resource locks (which control deletion or modification permissions), leading them to select a deny assignment instead of the simpler CanNotDelete lock.

How to eliminate wrong answers

Option B is wrong because a ReadOnly lock prevents all write operations, including updates to subnet settings, which violates the requirement that administrators must be able to update subnet settings. Option C is wrong because an Azure Policy deny assignment enforces compliance rules (e.g., requiring specific tags or SKUs) and is not designed to prevent deletion of a specific resource; it can block creation or modification based on policy conditions but does not provide a simple deletion guard. Option D is wrong because a budget alert only sends notifications when spending exceeds thresholds; it does not block any actions, including deletion.

141
MCQ · medium

An organization has one Azure subscription with separate resource groups for Development and Operations. A contractor must start, stop, and read the properties of virtual machines only in RG-Operations. The contractor must not have access to virtual machines in RG-Development. Where should the role assignment be created?

A. At the subscription scope
B. At the RG-Operations resource group scope
C. At the management group scope
D. At an individual virtual machine scope
Answer: B

This limits the assignment to only resources inside RG-Operations, which satisfies least privilege.

Why this answer

Role assignments in Azure are inherited from higher scopes (management group, subscription, resource group) down to lower scopes. To grant the contractor the Virtual Machine Contributor role (or a custom role with start/stop/read permissions) only on VMs in RG-Operations while keeping RG-Development out of reach, the assignment must be scoped to the RG-Operations resource group; the restriction comes from choosing the narrowest scope, since an assignment is never inherited sideways into a sibling resource group. Assigning at a higher scope (subscription or management group) would grant access to all resource groups, including RG-Development, violating the requirement.

Exam trap

The trap here is that candidates often assume assigning a role at the subscription scope is simpler and still allows them to control access via resource group membership, but they forget that role assignments at higher scopes are inherited by all child scopes, granting unintended access to resources in other resource groups like RG-Development.

How to eliminate wrong answers

Option A is wrong because assigning the role at the subscription scope would grant the contractor the specified permissions on all virtual machines in every resource group under that subscription, including RG-Development, which violates the requirement to restrict access to only RG-Operations. Option C is wrong because a management group scope would apply the role assignment to all subscriptions and resource groups within that management group hierarchy, again granting unintended access to RG-Development. Option D is wrong because while an individual VM scope would restrict access to a single VM, it would require creating separate role assignments for each VM in RG-Operations, which is inefficient and does not scale; the requirement is to grant access to all VMs in the resource group, not per-VM.
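A small model of the two mechanisms these questions keep testing, role-assignment scope inheritance (Q135, Q141) and CanNotDelete/ReadOnly lock semantics (Q127, Q137, Q140), as an added example that is not part of the original question set. The management group, subscription ids, resource names and principals are constructed; the action strings are real Azure operation names, and the custom role named "VM Operator" is an assumed role built from the action list in Q134.

```python
"""Toy evaluator for Azure RBAC scope inheritance and resource-lock semantics.
Constructed for this page: hierarchy, principals and names are made up;
the action strings are real Azure operation names."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Every scope records its parent (None at the tenant root). Management groups
# are not string prefixes of subscription ids, so the tree is kept explicitly.
PARENT = {}
ASSIGNMENTS = []  # (principal, role name, scope) -- inherited downward
LOCKS = []        # (scope, "CanNotDelete" | "ReadOnly") -- applies downward


def add_scope(scope, parent):
    PARENT[scope] = parent
    return scope


def ancestors(scope):
    """Yield the scope itself, then each parent up to the tenant root."""
    while scope is not None:
        yield scope
        scope = PARENT[scope]


@dataclass
class Role:
    actions: set
    not_actions: set = field(default_factory=set)

    def permits(self, action):
        a = action.lower()  # Azure matches operation names case-insensitively
        return (any(fnmatchcase(a, p.lower()) for p in self.actions)
                and not any(fnmatchcase(a, p.lower()) for p in self.not_actions))


ROLES = {
    "Reader": Role({"*/read"}),
    # Contributor is '*' minus the authorization writes (cannot assign roles).
    "Contributor": Role({"*"}, {"Microsoft.Authorization/*/Write",
                                "Microsoft.Authorization/*/Delete"}),
    # Assumed custom role built from the Q134 action list (the name is invented).
    "VM Operator": Role({"Microsoft.Compute/virtualMachines/read",
                         "Microsoft.Compute/virtualMachines/start/action",
                         "Microsoft.Compute/virtualMachines/powerOff/action",
                         "Microsoft.Compute/virtualMachines/deallocate/action"}),
}


def operation_kind(action):
    """Locks look at the HTTP verb: GET is a read, DELETE a delete, and
    everything else (PUT/PATCH/POST, including start/action) is a write."""
    a = action.lower()
    return "read" if a.endswith("/read") else "delete" if a.endswith("/delete") else "write"


def evaluate(principal, action, scope):
    """Return (allowed, reason): RBAC first, then any lock on the scope or an ancestor."""
    chain = list(ancestors(scope))
    if not any(p == principal and s in chain and ROLES[r].permits(action)
               for p, r, s in ASSIGNMENTS):
        return False, "rbac: nothing grants %s at or above %s" % (action, scope)
    kind = operation_kind(action)
    for lock_scope, level in LOCKS:
        if lock_scope not in chain:
            continue
        if level == "ReadOnly" and kind != "read":
            return False, "lock: ReadOnly on %s blocks %s" % (lock_scope, kind)
        if level == "CanNotDelete" and kind == "delete":
            return False, "lock: CanNotDelete on %s blocks delete" % lock_scope
    return True, "allowed"


def build_sample_environment():
    """Constructed tree: Corp-MG -> one subscription -> RG-Operations / RG-Development / RG-App."""
    PARENT.clear(); ASSIGNMENTS.clear(); LOCKS.clear()
    mg = add_scope("/providers/Microsoft.Management/managementGroups/Corp-MG", None)
    sub = add_scope("/subscriptions/00000000-0000-0000-0000-000000000000", mg)
    rg_ops = add_scope(sub + "/resourceGroups/RG-Operations", sub)
    rg_dev = add_scope(sub + "/resourceGroups/RG-Development", sub)
    rg_app = add_scope(sub + "/resourceGroups/RG-App", sub)
    vm_ops = add_scope(rg_ops + "/providers/Microsoft.Compute/virtualMachines/vm-ops1", rg_ops)
    vm_dev = add_scope(rg_dev + "/providers/Microsoft.Compute/virtualMachines/vm-dev1", rg_dev)
    vm_app = add_scope(rg_app + "/providers/Microsoft.Compute/virtualMachines/vm-app1", rg_app)
    vnet = add_scope(rg_ops + "/providers/Microsoft.Network/virtualNetworks/vnet-prod", rg_ops)
    subnet = add_scope(vnet + "/subnets/default", vnet)
    ASSIGNMENTS.append(("contractor", "VM Operator", rg_ops))  # Q141: RG scope only
    ASSIGNMENTS.append(("audit-group", "Reader", mg))          # Q135: MG-wide Reader
    ASSIGNMENTS.append(("admin", "Contributor", sub))
    LOCKS.append((rg_app, "ReadOnly"))       # Q127/Q137: resize fails, reads work
    LOCKS.append((vnet, "CanNotDelete"))     # Q140: delete fails, subnet edits work
    return dict(mg=mg, sub=sub, rg_ops=rg_ops, rg_dev=rg_dev, rg_app=rg_app, vm_ops=vm_ops,
                vm_dev=vm_dev, vm_app=vm_app, vnet=vnet, subnet=subnet)


if __name__ == "__main__":
    env = build_sample_environment()
    for who, act, at in [
        ("contractor", "Microsoft.Compute/virtualMachines/start/action", env["vm_ops"]),
        ("contractor", "Microsoft.Compute/virtualMachines/read", env["vm_dev"]),
        ("admin", "Microsoft.Compute/virtualMachines/write", env["vm_app"]),
        ("admin", "Microsoft.Network/virtualNetworks/delete", env["vnet"]),
        ("admin", "Microsoft.Network/virtualNetworks/subnets/write", env["subnet"]),
    ]:
        print(who, act, "->", evaluate(who, act, at))
```

Adding a second subscription under Corp-MG after the assignments exist shows the Q135 point: the audit group's Reader assignment reaches it with no new assignment, while the contractor's RG-scoped role never does.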

142
MCQ · medium

Based on the exhibit, what should you configure so the analysts can manage group membership without granting Azure resource permissions?

A. Assign the service desk analysts the User Administrator role in Microsoft Entra ID.
B. Add the service desk analysts as owners of the App-Support group.
C. Create separate local administrator accounts for each analyst.
D. Assign Contributor on the subscription to the service desk analysts.
Answer: B

Group ownership lets those analysts manage membership for that specific group without giving them Azure resource permissions. This is the least-privilege approach for delegating ongoing membership changes.

Why this answer

Option B is correct because adding the service desk analysts as owners of the App-Support group grants them the ability to manage group membership directly within Microsoft Entra ID (formerly Azure AD) without assigning any Azure RBAC permissions on resources. Group owners can add or remove members from the group, but they do not inherit any permissions to manage Azure resources like VMs or storage accounts.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID administrative roles (like User Administrator) with the more granular group ownership delegation, assuming that managing group membership requires a broader directory role rather than simply being added as an owner of the specific group.

How to eliminate wrong answers

Option A is wrong because the User Administrator role in Microsoft Entra ID grants broad permissions to manage all users and groups across the tenant, which is excessive for simply managing membership of a single group and could lead to unintended security risks. Option C is wrong because creating separate local administrator accounts for each analyst would grant full administrative access to the local machine, not just group membership management, and does not address managing group membership in Microsoft Entra ID. Option D is wrong because assigning the Contributor role on the subscription grants full permissions to manage all Azure resources within that subscription, which is far beyond the requirement to only manage group membership and would violate the principle of least privilege.

143
MCQ · easy

Based on the exhibit, help desk staff must restart virtual machines only in RG-App. What is the narrowest scope where you should assign the role?

A. Assign the role at the subscription scope for Sub-IT-01.
B. Assign the role at the management group scope above the subscription.
C. Assign the role at the RG-App resource group scope.
D. Assign the role at the individual VM scope only.
Answer: C

A resource group scope is the narrowest scope that still covers both VMs in RG-App while excluding RG-Shared.

Why this answer

The narrowest scope that grants the necessary permissions to restart VMs only in RG-App is the resource group scope. Assigning the Virtual Machine Contributor role at the RG-App resource group level ensures that help desk staff can restart VMs within that specific resource group without having permissions to any other resources in the subscription or management group. This follows the principle of least privilege, limiting access to only what is required.

Exam trap

The trap here is that candidates often choose the subscription scope (Option A) thinking it is simpler, but they overlook the requirement to restrict actions to only one resource group, violating the principle of least privilege.

How to eliminate wrong answers

Option A is wrong because assigning the role at the subscription scope (Sub-IT-01) would grant permissions to restart VMs in all resource groups within that subscription, including those outside RG-App, which violates the requirement to restrict actions to RG-App only. Option B is wrong because assigning the role at the management group scope above the subscription would apply permissions to all subscriptions under that management group, far exceeding the needed scope and potentially granting access to VMs in other subscriptions. Option D is wrong because assigning the role at the individual VM scope would require assigning the role to each VM separately, which is not the narrowest scope that still covers all VMs in RG-App; the resource group scope is narrower than subscription/management group but broader than individual VMs, and it is the most efficient and appropriate scope for managing all VMs in a resource group collectively.

144
MCQ · hard

Your organization requires all storage accounts to allow access only from selected networks. You need a governance solution that automatically corrects noncompliant new storage accounts when possible instead of only reporting them. What policy effect should you choose?

A. Audit
B. Disabled
C. DeployIfNotExists
D. Append
Answer: C

This effect supports automatic remediation when conditions are not met.

Why this answer

The DeployIfNotExists policy effect is correct because it can automatically remediate noncompliant storage accounts by deploying a network rules configuration that restricts access to selected networks. Unlike Audit, which only reports compliance status, DeployIfNotExists actively modifies the resource to meet the policy requirement when possible, aligning with the need for automatic correction.

Exam trap

The trap here is that candidates often choose Append thinking it can modify network rules, but Append only adds properties to the resource (like tags) and cannot change existing network access configurations, whereas DeployIfNotExists can deploy a full remediation template.

How to eliminate wrong answers

Option A is wrong because Audit only logs compliance state without making any changes, so it cannot automatically correct noncompliant resources. Option B is wrong because Disabled completely deactivates the policy, providing no governance or remediation. Option D is wrong because Append adds fields to a resource but cannot modify existing network rules or enforce network restrictions on storage accounts; it is typically used for tagging or adding properties, not for configuring network access controls.

145
MCQ · medium

You need to ensure that a finance analyst can view all resources in the Finance-Sub subscription and also view spending details, but cannot create, modify, or delete any resources. Which built-in Azure RBAC role should you assign?

A. Owner
B. Contributor
C. Reader
D. Virtual Machine Contributor
Answer: C

Reader provides view-only access and prevents changes.

Why this answer

The Reader role is the correct choice because it provides read-only access to all resources in a subscription, including the ability to view resource properties and deployment history, but it does not allow any create, modify, or delete operations. Additionally, the Reader role includes the 'Microsoft.CostManagement/views/read' permission, which enables viewing spending details (cost data) in the Azure portal. This aligns exactly with the requirement to view resources and spending without making changes.

Exam trap

The trap here is that candidates often confuse the Reader role with the Contributor role, assuming Contributor is needed for viewing spending details, but Contributor grants write permissions that violate the 'no create/modify/delete' constraint, while Reader alone provides the required read-only access including cost data.

How to eliminate wrong answers

Option A is wrong because the Owner role grants full access to all resources, including the ability to delegate access to others, which violates the requirement to prevent creation, modification, or deletion. Option B is wrong because the Contributor role allows creating and managing all resources, which directly contradicts the 'cannot create, modify, or delete' constraint. Option D is wrong because Virtual Machine Contributor restricts permissions to only virtual machines (e.g., start/stop, modify VM settings) and does not provide read access to other resource types or spending details, failing the requirement to view all resources in the subscription.

146
MCQ · medium

A security team wants operators in one resource group to start, stop, and restart virtual machines, but they must not create VMs, delete VMs, or manage disks and networking. What should the administrator configure?

A. Assign the Contributor role at the resource group scope.
B. Assign the Virtual Machine Contributor role at the resource group scope.
C. Create a custom RBAC role with only the VM power actions and assign it at the resource group scope.
D. Use Azure Policy to deny creation of new VMs in the resource group.
Answer: C

A custom RBAC role is the best fit for least-privilege access because the built-in roles are broader than the requirement. You can include only the actions needed for starting, stopping, restarting, and possibly reading VM state, then scope the role assignment to the specific resource group. That keeps the operators effective without giving them permissions to create, delete, or reconfigure related resources.

Why this answer

The correct answer is C because the built-in roles (Contributor and Virtual Machine Contributor) grant more permissions than needed, including the ability to create or delete VMs and manage networking. A custom RBAC role with only the specific power actions (start, stop, restart) ensures least privilege, meeting the security team's requirement exactly.

Exam trap

The trap here is that candidates often assume the Virtual Machine Contributor role is restrictive enough, but it actually includes broader permissions like creating and deleting VMs, which violates the 'must not create VMs, delete VMs, or manage disks and networking' constraint.

How to eliminate wrong answers

Option A is wrong because the Contributor role at the resource group scope allows full management of all resources, including creating and deleting VMs and managing disks and networking, which violates the restriction. Option B is wrong because the Virtual Machine Contributor role allows creating and deleting VMs, as well as managing disks and networking, exceeding the required permissions. Option D is wrong because Azure Policy can deny creation of new VMs but does not grant the ability to start, stop, or restart existing VMs; it only enforces compliance rules, not RBAC permissions.
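To show how scope inheritance (question 141) and a least-privilege custom role (question 146) combine at decision time, here is an added example that is not part of the question bank: a small model of how Azure RBAC evaluates a request. The role definitions, the principal names, the placeholder subscription id and the resource IDs are constructed, and the Virtual Machine Contributor action list is abbreviated rather than the real built-in definition.

```python
# Added example (not from the question bank): a small model of how Azure RBAC
# decides a request, combining scope inheritance (question 141) with Actions /
# NotActions matching against a role definition (question 146).
# Role definitions, principals and resource IDs are constructed; the
# Virtual Machine Contributor action list is abbreviated, not the real one.
import fnmatch

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription id

ROLES = {
    # Built-in role, abbreviated: the trailing wildcard is what grants write/delete.
    "Virtual Machine Contributor": {
        "Actions": ["Microsoft.Compute/virtualMachines/*",
                    "Microsoft.Network/networkInterfaces/*"],
        "NotActions": [],
    },
    # Custom role with only read plus the power actions (question 146, option C).
    "VM Power Operator": {
        "Actions": ["Microsoft.Compute/virtualMachines/read",
                    "Microsoft.Compute/virtualMachines/start/action",
                    "Microsoft.Compute/virtualMachines/restart/action",
                    "Microsoft.Compute/virtualMachines/powerOff/action",
                    "Microsoft.Compute/virtualMachines/deallocate/action"],
        "NotActions": [],
    },
}

def scope_covers(assignment_scope, resource_id):
    """An assignment applies at its own scope and is inherited by every scope beneath it."""
    scope, rid = assignment_scope.lower().rstrip("/"), resource_id.lower()
    return rid == scope or rid.startswith(scope + "/")

def role_permits(role, action):
    """Operation strings are case-insensitive; '*' matches any remainder of the path."""
    op = action.lower()
    def hit(patterns):
        return any(fnmatch.fnmatchcase(op, p.lower()) for p in patterns)
    return hit(role["Actions"]) and not hit(role["NotActions"])

def is_authorized(assignments, principal, resource_id, action):
    """True if any assignment for the principal covers the resource and its role permits the action."""
    return any(a["principal"] == principal
               and scope_covers(a["scope"], resource_id)
               and role_permits(ROLES[a["role"]], action)
               for a in assignments)

# Constructed assignment: the contractor gets the custom role on RG-Operations only.
ASSIGNMENTS = [{"principal": "contractor", "role": "VM Power Operator",
                "scope": f"{SUB}/resourceGroups/RG-Operations"}]
OPS_VM = f"{SUB}/resourceGroups/RG-Operations/providers/Microsoft.Compute/virtualMachines/vm-ops-01"
DEV_VM = f"{SUB}/resourceGroups/RG-Development/providers/Microsoft.Compute/virtualMachines/vm-dev-01"
START = "Microsoft.Compute/virtualMachines/start/action"

if __name__ == "__main__":
    print(is_authorized(ASSIGNMENTS, "contractor", OPS_VM, START))  # True: in scope, action allowed
    print(is_authorized(ASSIGNMENTS, "contractor", DEV_VM, START))  # False: RG-Development not in scope
    print(is_authorized(ASSIGNMENTS, "contractor", OPS_VM, "Microsoft.Compute/virtualMachines/delete"))  # False
```

Swapping the custom role for the abbreviated Virtual Machine Contributor, or moving the assignment scope up to the subscription, flips the last two results, which is exactly the over-grant the two questions warn about.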

147
Multi-Select · medium

Finance, HR, and Engineering each use separate subscriptions. The compliance team wants a simple hierarchy that lets them apply governance to groups of subscriptions and produce resource ownership reports by department and environment. Which two features should the administrator use? Select two.

Select 2 answers
A. Management groups to organize the subscriptions into a hierarchy.
B. Tags on resources to record department and environment values.
C. Resource locks to group subscriptions by business unit.
D. Availability sets to group applications by department.
E. Private endpoints to separate Finance from HR.
Answers: A, B

Management groups are designed to organize subscriptions above the subscription level. They provide the hierarchy needed to apply governance consistently across sets of subscriptions.

Why this answer

Management groups (A) are correct because they allow you to organize multiple subscriptions into a hierarchical structure for applying governance policies and role-based access control at scale. This directly supports the compliance team's need to apply governance to groups of subscriptions and produce resource ownership reports by department and environment.

Exam trap

The trap here is that candidates often confuse resource locks with management groups for organizational control, or think availability sets or private endpoints can serve as grouping mechanisms for governance, when they are designed for entirely different purposes (high availability and network security, respectively).

148
MCQ · medium

A compliance report must show which department and environment owns each Azure resource, even when the resources are spread across many resource groups and subscriptions. Which feature should the administrator use?

A. Resource group names only.
B. Management groups.
C. Resource tags.
D. Resource locks.
Answer: C

Tags are the correct feature because they attach metadata like department and environment directly to resources. That metadata can then be queried, filtered, and reported across multiple resource groups and subscriptions. Tags are a common Azure governance tool when business ownership must be tracked independently of the resource hierarchy.

Why this answer

Resource tags are metadata key-value pairs that can be attached to Azure resources, resource groups, and subscriptions. They allow administrators to logically organize resources by department, environment, cost center, or any custom category, and this metadata is included in compliance reports. Unlike resource group names or management groups, tags are flexible and can be applied across multiple resource groups and subscriptions, making them the correct choice for this requirement.

Exam trap

The trap here is that candidates confuse management groups (which organize subscriptions for policy and RBAC) with resource tags (which provide per-resource metadata), leading them to select management groups even though they cannot express department or environment ownership at the individual resource level.

How to eliminate wrong answers

Option A is wrong because resource group names are hierarchical containers, not metadata; they cannot be used to tag individual resources with department or environment information, and a resource can only belong to one resource group. Option B is wrong because management groups provide hierarchical governance for subscriptions (e.g., policy and RBAC inheritance), but they do not attach metadata to individual resources and cannot express per-resource department or environment ownership. Option D is wrong because resource locks prevent accidental deletion or modification of resources; they have no metadata or labeling capability and cannot convey ownership or environment details.

149
MCQ · hard

Your company wants every subscription under the Corp-MG management group to block the creation of resource groups unless the deployment includes the tags CostCenter and Environment. You need a centralized solution that is inherited by child subscriptions. What should you configure?

A. An Azure Policy assignment at the management group scope
B. A custom RBAC role at the tenant root
C. A CanNotDelete lock on each subscription
D. A subscription budget alert
Answer: A

Management group policy assignments are inherited and can enforce required tags centrally.

Why this answer

Azure Policy at the management group scope is the correct centralized solution because it enforces a policy (e.g., requiring tags) that is inherited by all child subscriptions and resource groups. This ensures that any deployment without the required tags is denied, meeting the requirement for a governance rule that applies across the entire Corp-MG hierarchy.

Exam trap

The trap here is confusing Azure Policy (which enforces rules on resource properties) with RBAC (which controls access) or locks (which prevent deletion), leading candidates to choose a permission-based or operational control instead of a governance policy.

How to eliminate wrong answers

Option B is wrong because a custom RBAC role at the tenant root controls permissions (who can do what), not enforcement of resource creation rules like tag requirements; RBAC does not block deployments based on tags. Option C is wrong because a CanNotDelete lock prevents deletion of resources but does not block creation of resource groups or enforce tag requirements; locks are operational restrictions, not governance policies. Option D is wrong because a subscription budget alert only sends notifications when spending exceeds a threshold; it does not prevent resource creation or enforce tagging rules.

150
MCQ · medium

A platform team must enforce three governance rules across every subscription in a management group: allowed Azure regions, required Environment tags, and approved VM sizes. They want one assignment that groups the rules together and gives a single compliance view. What should they use?

A. A single RBAC role assignment at the management group.
B. A management lock on each subscription.
C. An Azure Policy initiative assigned at the management group.
D. A private endpoint for Azure Resource Manager.
Answer: C

An initiative is the right tool when several related policies must be managed as one governance package. It lets the team assign the region, tagging, and VM size rules together, inherit them across all subscriptions under the management group, and review compliance in one place. This is simpler to operate than assigning each policy separately to each subscription.

Why this answer

An Azure Policy initiative (also known as a policy set) allows you to group multiple individual policy definitions—such as allowed regions, required tags, and approved VM sizes—into a single assignment. When assigned at the management group scope, the initiative enforces all three rules across every subscription within that group and provides a unified compliance view in the Azure Policy dashboard, meeting the team's requirement for consolidated governance.

Exam trap

The trap here is confusing Azure Policy (which enforces rules on resource configurations) with RBAC (which controls user permissions) or management locks (which prevent deletion/modification), leading candidates to select a control that addresses a different aspect of governance.

How to eliminate wrong answers

Option A is wrong because RBAC role assignments control who can perform actions (authorization), not what resources are allowed or required (governance rules like allowed regions or tags). Option B is wrong because management locks prevent accidental deletion or modification of resources but cannot enforce specific resource configurations such as allowed regions, required tags, or approved VM sizes. Option D is wrong because a private endpoint for Azure Resource Manager restricts network access to the ARM API, but it does not enforce governance rules on resource properties or configurations.
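To make concrete what a tag-requiring deny rule (question 149) and an initiative with a single compliance view (question 150) actually look like, here is an added example that is not part of the question bank: a minimal evaluator for the Azure Policy policyRule shape (if/then with allOf, anyOf and field conditions). The four definitions and the sample resources are constructed, and field aliases are resolved as flat dictionary keys, a simplification of how the real service resolves them.

```python
# Added example (not from the question bank): a minimal evaluator for the
# Azure Policy "policyRule" shape (if/then with allOf/anyOf/field conditions),
# run over an initiative whose definitions mirror questions 149 and 150.
# Definitions and sample resources are constructed; aliases are flat dict keys here.

def _field(resource, name):  # resolve 'type', 'location', an alias, or tags['Key']
    if name.startswith("tags['") and name.endswith("']"):
        return resource.get("tags", {}).get(name[6:-2])
    return resource.get(name)

def _match(cond, resource):
    """Evaluate one condition node with Azure Policy's logical operators."""
    if "allOf" in cond:
        return all(_match(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_match(c, resource) for c in cond["anyOf"])
    value = _field(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "exists" in cond:  # Azure accepts "true"/"false" strings or booleans
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "notIn" in cond:
        return value not in cond["notIn"]
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy, resource):  # effect the definition would apply, or None if compliant
    rule = policy["policyRule"]
    return rule["then"]["effect"] if _match(rule["if"], resource) else None

def compliance_view(initiative, resources):
    """Per-definition roll-up, as one initiative assignment's compliance dashboard shows it."""
    view = {}
    for name, policy in initiative.items():
        bad = [r["name"] for r in resources if evaluate(policy, r) is not None]
        view[name] = {"compliant": len(resources) - len(bad), "nonCompliant": bad}
    return view

RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"
VM_TYPE = "Microsoft.Compute/virtualMachines"
SKU = "Microsoft.Compute/virtualMachines/sku.name"
INITIATIVE = {  # constructed policy set: regions, Environment tag, RG tags, VM sizes
    "allowed-locations": {"policyRule": {
        "if": {"field": "location", "notIn": ["eastus", "westus"]}, "then": {"effect": "deny"}}},
    "require-environment-tag": {"policyRule": {
        "if": {"field": "tags['Environment']", "exists": "false"}, "then": {"effect": "deny"}}},
    "require-rg-tags": {"policyRule": {  # question 149: deny resource groups missing either tag
        "if": {"allOf": [{"field": "type", "equals": RG_TYPE},
                         {"anyOf": [{"field": "tags['CostCenter']", "exists": "false"},
                                    {"field": "tags['Environment']", "exists": "false"}]}]},
        "then": {"effect": "deny"}}},
    "allowed-vm-sizes": {"policyRule": {
        "if": {"allOf": [{"field": "type", "equals": VM_TYPE},
                         {"field": SKU, "notIn": ["Standard_D2s_v5", "Standard_B2s"]}]},
        "then": {"effect": "deny"}}},
}
RESOURCES = [  # constructed sample inventory
    {"name": "vm-web-01", "type": VM_TYPE, "location": "eastus",
     "tags": {"Environment": "prod"}, SKU: "Standard_D2s_v5"},
    {"name": "vm-lab-09", "type": VM_TYPE, "location": "northeurope", "tags": {}, SKU: "Standard_E64s_v5"},
    {"name": "rg-pilot", "type": RG_TYPE, "location": "centralus", "tags": {"CostCenter": "ENG"}},
]
```

Calling compliance_view(INITIATIVE, RESOURCES) lists vm-lab-09 and rg-pilot under the location and tag rules and only vm-lab-09 under the VM size rule, which is the single roll-up an initiative assignment gives that separate per-subscription assignments would not.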
