CCNA AZ Identity Questions

75 of 259 questions · Page 3/4 · AZ Identity topic · Answers revealed

151
Multi-Select · hard

A contractor needs Contributor on only VM1 and VM2 in rg-prod. Other resources in rg-prod must remain untouched, and the contractor must not gain access to any other resource groups or subscriptions. Which two role-assignment scopes meet the requirement? Select two.

Select 2 answers
A. Assign the role at the VM1 resource scope.
B. Assign the role at the VM2 resource scope.
C. Assign the role at the rg-prod resource group scope.
D. Assign the role at the subscription scope.
E. Assign the role at the management group scope.
Answers: A, B

A resource-level assignment limits permissions to the named VM (VM1 or VM2) and does not extend to unrelated resources.

Why this answer

Options A and B are correct because assigning the Contributor role at the VM1 resource scope and again at the VM2 resource scope grants the contractor permissions exclusively to those two virtual machines, leaving all other resources in rg-prod and every other scope untouched. Two resource-level assignments are the narrowest way to satisfy the requirement of limiting access to only VM1 and VM2 within rg-prod.

Exam trap

The trap here is that candidates often default to assigning roles at the resource group scope for simplicity, forgetting that this grants access to all resources in that group, not just the specified VMs.

152
MCQ · hard

An Azure subscription contains several resource groups. You need to ensure that users can create virtual machines only in regions approved by the security team. Existing noncompliant VMs can remain unchanged. What should you do?

A. Apply a ReadOnly lock to each resource group.
B. Assign a policy that denies resources in disallowed locations.
C. Create an action group in Azure Monitor.
D. Move all existing VMs to approved regions.
Answer: B

This blocks creation of new VMs in unapproved regions while leaving existing deployments intact.

Why this answer

Azure Policy can enforce organizational standards by evaluating resources for compliance. The built-in 'Not allowed locations' policy denies the creation of resources in specified regions, ensuring users can only deploy VMs in approved regions. Since the requirement is to allow existing noncompliant VMs to remain unchanged, a deny effect policy (without a 'DeployIfNotExists' or 'Modify' effect) will only affect new deployments, leaving existing resources untouched.

Exam trap

The trap here is that candidates may confuse Azure Policy with Azure RBAC or locks, thinking that restricting permissions or locking resources will control where resources can be created, but only Azure Policy can enforce location-based restrictions at deployment time.

How to eliminate wrong answers

Option A is wrong because a ReadOnly lock prevents all modifications and deletions to resources, but it does not restrict the region where new VMs can be created; users could still create VMs in unapproved regions in other resource groups. Option C is wrong because an action group in Azure Monitor defines notifications and actions for alerts, but it does not enforce any regional restrictions on resource creation. Option D is wrong because moving existing VMs to approved regions is not required by the question (existing noncompliant VMs can remain unchanged) and would be an unnecessary operational overhead; the goal is to prevent future noncompliant deployments, not to remediate existing ones.

153
MCQ · medium

A support engineer must start, stop, and restart only one virtual machine named vm-app01. The engineer should not gain permissions on any other virtual machine in the subscription. What is the best scope for the role assignment?

A. The entire subscription that contains vm-app01.
B. The resource group that contains vm-app01.
C. The vm-app01 virtual machine resource itself.
D. The management group that contains the subscription.
Answer: C

This is the narrowest scope that grants access only to the targeted VM.

Why this answer

Option C is correct because Azure RBAC allows role assignments to be scoped to individual resources, such as a specific virtual machine. By assigning a role like 'Virtual Machine Contributor' at the vm-app01 resource scope, the support engineer will have permissions to start, stop, and restart only that VM, and no other resources in the subscription or resource group.

Exam trap

The trap here is that candidates often default to the resource group scope because it is the most common level for role assignments, but they overlook that the requirement explicitly restricts access to a single VM, which demands the resource-level scope.

How to eliminate wrong answers

Option A is wrong because assigning a role at the subscription scope grants permissions to all resources within that subscription, including all virtual machines, which violates the requirement of restricting access to only vm-app01. Option B is wrong because assigning a role at the resource group scope grants permissions to all resources within that resource group, including any other VMs or resources, which again exceeds the required scope. Option D is wrong because a management group scope encompasses multiple subscriptions and all resources within them, providing far broader permissions than needed and violating the principle of least privilege.

154
Multi-Select · easy

An operations team needs one Azure identity that can be attached to several VMs and kept even if a VM is deleted. Which two statements about a user-assigned managed identity are correct? Select two.

Select 2 answers
A. It is created as a separate Azure resource.
B. It can be assigned to more than one VM.
C. It is automatically deleted when the first VM is deleted.
D. It requires a storage account access key to work.
E. It can only be attached to one VM at a time.
Answers: A, B

A user-assigned managed identity exists independently of any VM and is managed like its own Azure resource.

Why this answer

Option A is correct because a user-assigned managed identity is created as a separate Azure resource in its own right, independent of any VM. This means it has its own lifecycle and can be managed (created, deleted, assigned) independently from the VMs it is associated with. Option B is correct because that same standalone identity can be assigned to more than one VM, which is exactly what the operations team needs.

Exam trap

The trap here is that candidates often confuse user-assigned managed identities with system-assigned managed identities, which are tied to the VM lifecycle and are automatically deleted when the VM is deleted, leading them to incorrectly select option C.

155
MCQ · hard

A build server in an on-premises datacenter must deploy ARM templates to Azure. The automation must not use a human account password, and Microsoft Entra conditional access for device sign-in is not available because the server is outside Azure. The security team allows a non-human credential but wants the strongest practical option for this scenario. What should the administrator configure?

A. A system-assigned managed identity on the build server.
B. A service principal authenticated with a certificate.
C. A user-assigned managed identity shared with the build server.
D. A resource lock on the target resource group to permit template deployment.
Answer: B

A certificate-based service principal is suitable for non-interactive automation outside Azure and avoids storing a user password.

Why this answer

Option B is correct because a service principal authenticated with a certificate provides a non-human credential that does not require a human password and is the strongest practical option for an on-premises build server that cannot use managed identities (which are Azure-resource-scoped) or device-based conditional access. Certificate-based authentication for service principals uses asymmetric cryptography (X.509 certificates) with a private key stored securely on the build server, offering higher security than a client secret and meeting the requirement to avoid human account passwords.

Exam trap

The trap here is that candidates often confuse managed identities (which are Azure-only) with service principals, assuming managed identities can be used for on-premises resources, but managed identities require an Azure resource context and cannot be assigned to non-Azure machines.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to an Azure resource (e.g., an Azure VM) and cannot be assigned to an on-premises build server outside Azure; managed identities are only available for Azure-hosted resources. Option C is wrong because a user-assigned managed identity, like system-assigned, is an Azure-only identity that cannot be assigned to an on-premises server; it requires an Azure resource to host it. Option D is wrong because a resource lock prevents accidental deletion or modification of a resource group but does not provide any authentication or authorization mechanism for deploying ARM templates; it is a governance tool, not an identity solution.

156
MCQ · easy

A web app running on an Azure VM must read files from Azure Blob Storage without storing any passwords, secrets, or access keys on the VM. The identity should be tied to that VM and removed automatically if the VM is deleted. What should you enable?

A. A system-assigned managed identity
B. A shared storage account key in the application settings
C. A user account with a local password on the VM
D. A service endpoint on the VM subnet
Answer: A

A system-assigned managed identity is created for one Azure resource, such as a VM, and its lifecycle is tied to that resource. The app can use Azure AD-based authentication to access Blob Storage without storing secrets on the VM. If the VM is deleted, the identity is also removed, which matches the requirement exactly. This is the preferred approach for credential-free access when only one VM needs the identity.

Why this answer

A system-assigned managed identity is the correct choice because it creates an identity in Azure AD that is tied directly to the lifecycle of the VM. When the VM is deleted, the identity is automatically removed. The VM can use this identity to authenticate to Azure Blob Storage via Azure AD without storing any credentials on the VM, using the Azure Instance Metadata Service (IMDS) to obtain tokens.

Exam trap

The trap here is that candidates often confuse service endpoints (which only provide network-level access control) with managed identities (which provide identity-based authentication), leading them to select option D thinking it enables secure access without credentials.

How to eliminate wrong answers

Option B is wrong because storing a shared storage account key in application settings violates the requirement of not storing any passwords, secrets, or access keys on the VM, and the key is not automatically removed if the VM is deleted. Option C is wrong because a user account with a local password on the VM does not integrate with Azure AD for accessing Azure Blob Storage, and it stores credentials locally, which is explicitly prohibited. Option D is wrong because a service endpoint on the VM subnet only secures traffic to the storage account at the network level and does not provide an identity or credential-free authentication mechanism for the VM to access the storage account.

157
MCQ · easy

A contractor team changes every few weeks. The administrator wants Azure access to stay the same when individual contractors leave or join, without editing role assignments for each person. What should be assigned the Azure role?

A. Each contractor user account individually
B. A Microsoft Entra ID security group
C. A device group
D. An Azure subscription
Answer: B

Role assignment to a group keeps permissions stable while membership changes handle joiners and leavers.

Why this answer

Assigning the Azure role to a Microsoft Entra ID security group allows the administrator to manage access by adding or removing contractors from the group, rather than editing individual role assignments. This approach ensures that role assignments remain unchanged when contractors leave or join, as the group itself retains the role. It leverages Azure RBAC's support for group-based access control, which is the recommended method for dynamic teams.

Exam trap

The trap here is that candidates may think assigning roles to individual user accounts is simpler, but the question specifically requires a solution that avoids editing role assignments when contractors change, making group-based assignment the only correct answer.

How to eliminate wrong answers

Option A is wrong because assigning the role to each contractor user account individually would require manual updates every time a contractor leaves or joins, defeating the goal of maintaining consistent access without editing role assignments. Option C is wrong because a device group is used for managing device policies and configurations (e.g., via Intune or Conditional Access), not for assigning Azure RBAC roles to users. Option D is wrong because an Azure subscription is a management boundary, not a security principal; you cannot assign an Azure role to a subscription itself—roles are assigned to users, groups, or service principals within a subscription.

158
MCQ · medium

You need to allow a support engineer to restart virtual machines in the RG-App resource group, but the engineer must not be able to create, delete, or resize the virtual machines. What should you do?

A. Assign the Virtual Machine Contributor role at the RG-App scope
B. Create a custom role that includes restart permissions and assign it at the RG-App scope
C. Assign the Contributor role at the subscription scope
D. Assign the Reader role at the RG-App scope
Answer: B

A custom role can be limited to the exact action required and scoped to the target resource group.

Why this answer

The Virtual Machine Contributor role includes permissions to restart VMs but also allows creating, deleting, and resizing VMs, which violates the requirement. A custom role with only the Microsoft.Compute/virtualMachines/restart/action permission assigned at the RG-App scope grants the exact restart capability without broader management rights.

Exam trap

The trap here is that candidates often assume the Virtual Machine Contributor role is restrictive enough for restart-only tasks, but it actually includes full VM management permissions, making a custom role necessary for precise access control.

How to eliminate wrong answers

Option A is wrong because the Virtual Machine Contributor role includes permissions to create, delete, and resize VMs (e.g., Microsoft.Compute/virtualMachines/write), which exceeds the required restriction. Option C is wrong because the Contributor role at the subscription scope grants full management access to all resources in the subscription, including creating and deleting VMs, and is far too permissive. Option D is wrong because the Reader role only allows read access and does not include any action permissions such as restart, so the engineer would be unable to restart VMs.

159
Multi-Select · medium

A production resource group must be protected from accidental deletion during a change freeze. Administrators still need to update VM sizes, rotate tags, and change NSG rules. Which two actions should the administrator take? Select two.

Select 2 answers
A. Apply a CanNotDelete lock to the resource group.
B. Apply a ReadOnly lock to the resource group.
C. Place the CanNotDelete lock at the resource group scope so it covers current and future resources.
D. Use Azure Policy to deny all delete requests.
E. Add a Protected=true tag and use it to prevent deletion.
Answers: A, C

CanNotDelete prevents deletion while still allowing normal update operations. That makes it the right lock for a freeze where changes are allowed but removal is not.

Why this answer

Option A is correct because applying a CanNotDelete lock to the resource group prevents the entire resource group from being deleted, while still allowing administrators to update VM sizes, rotate tags, and modify NSG rules. This lock type blocks delete operations but permits all read and write operations, aligning with the requirement to protect against accidental deletion during a change freeze while maintaining administrative flexibility. Option C is correct because placing that lock at the resource group scope means it is inherited by every resource currently in the group and by any resource added to it later.

Exam trap

The trap here is that candidates often confuse the CanNotDelete lock with a ReadOnly lock, assuming any lock will block all changes, or they mistakenly think Azure Policy or tags can directly prevent deletion without additional configuration, leading them to select options that either over-restrict or under-protect the resource group.

160
MCQ · medium

Based on the exhibit, which action should the administrator take so Contractor01 can manage the team membership without receiving Azure resource permissions?

A. Add Contractor01 as an owner of the AppOps-Admins group.
B. Add Contractor01 as a member of the AppOps-Admins group.
C. Assign Contractor01 the User Administrator role at the tenant scope.
D. Assign Contractor01 Contributor on the subscription.
Answer: A

Group owners can manage membership and ownership-related settings for that group without being granted Azure RBAC permissions on subscriptions or resource groups.

Why this answer

Adding Contractor01 as an owner of the AppOps-Admins group grants them the ability to manage group membership (add/remove members) without inheriting any Azure resource permissions. Group ownership is an Azure AD role that controls group administration only, not access to Azure resources like VMs or storage. This meets the requirement of managing team membership without resource permissions.

Exam trap

The trap here is that candidates often confuse Azure AD group ownership with Azure RBAC roles, assuming that managing a group requires a high-privilege directory role like User Administrator, or they mistakenly think adding the user as a member of the group will suffice without understanding that membership inherits the group's resource permissions.

How to eliminate wrong answers

Option B is wrong because adding Contractor01 as a member of the AppOps-Admins group would give them the group's Azure resource permissions (if the group is assigned to a role like Contributor), which violates the requirement to avoid resource permissions. Option C is wrong because the User Administrator role at the tenant scope grants broad Azure AD administrative rights, including the ability to create and manage users and groups across the entire tenant, which far exceeds the need to manage only one group's membership and introduces unnecessary security risk. Option D is wrong because assigning Contributor on the subscription grants full management access to all resources in the subscription, directly giving Azure resource permissions, which is explicitly prohibited by the requirement.

161
MCQ · hard

A system-assigned managed identity is attached to an Azure VM to call Key Vault. The VM is frequently reimaged and sometimes redeployed to a different name during scale events, but the application must keep the same identity and secretless access. What should the administrator use instead?

A. A system-assigned managed identity on each newly deployed VM.
B. A user-assigned managed identity associated with the workload.
C. A shared storage account key placed in the VM custom script.
D. A policy exemption for the Key Vault access policy.
Answer: B

A user-assigned identity remains stable across reimages and redeployments and can be attached to new VMs as needed.

Why this answer

A user-assigned managed identity is decoupled from the VM lifecycle, so it persists independently when VMs are reimaged or redeployed with different names. This allows the application to retain the same identity and secretless access to Key Vault without requiring manual reconfiguration or credential rotation.

Exam trap

The trap here is that candidates assume system-assigned identities are reusable across VM redeployments, but they are instance-scoped and destroyed with the VM, whereas user-assigned identities are persistent and can be reassigned to any resource.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to the specific VM instance and is deleted when the VM is deleted, so it cannot survive redeployment to a different VM name. Option C is wrong because using a shared storage account key introduces a static secret that must be stored and rotated, violating the requirement for secretless access and increasing security risk. Option D is wrong because a policy exemption does not provide an identity for the VM to authenticate with Key Vault; it only bypasses Azure Policy effects, not access control.

162
MCQ · easy

Based on the exhibit, a subscription policy must add CostCenter=042 to new resources, and deployments must not fail if the tag is missing. Which policy effect should you use?

A. Deny
B. Audit
C. Append
D. Modify
Answer: D

Modify is used to automatically change resource requests, such as adding or correcting tags, without blocking deployment.

Why this answer

The 'Modify' effect (option D) is correct because it can add the CostCenter=042 tag to new resources without causing deployment failures if the tag is missing. Unlike 'Deny', which blocks non-compliant resources, or 'Append', which is deprecated and only works on non-tag properties, 'Modify' uses a 'merge' operation to add tags during resource creation or update, and its 'conflictEffect' can be set to 'audit' to ensure deployments succeed even when the tag is absent.

Exam trap

The trap here is that candidates often confuse 'Append' with 'Modify' because both can alter resources, but 'Append' is deprecated and cannot handle tags, while 'Modify' is the modern effect designed specifically for tag operations with flexible conflict resolution.

How to eliminate wrong answers

Option A is wrong because 'Deny' blocks resource creation or update if the condition (missing tag) is met, causing deployment failures, which contradicts the requirement that deployments must not fail. Option B is wrong because 'Audit' only logs non-compliance without taking any action to add the missing tag, so it cannot enforce the CostCenter=042 tag on new resources. Option C is wrong because 'Append' is a deprecated policy effect that cannot modify tags; it was used for adding fields to resources (e.g., IP rules) but not for tag operations, and it would not work for this scenario.

163
MCQ · medium

A web API runs on a single Azure VM and must access Azure Key Vault without storing any credentials on the VM. The identity should be tied to that VM and removed when the VM is deleted. What should you enable?

A. A user-assigned managed identity
B. A system-assigned managed identity
C. A storage account shared access signature
D. A local administrator account with a strong password
Answer: B

A system-assigned managed identity is created for one resource, used without secrets, and deleted with that resource.

Why this answer

A system-assigned managed identity is tied directly to the lifecycle of the Azure VM — it is created when the VM is provisioned and automatically deleted when the VM is deleted. This identity can be used to authenticate to Azure Key Vault without storing any credentials on the VM, using the Azure Instance Metadata Service (IMDS) endpoint to obtain tokens. This matches the requirement that the identity be removed when the VM is deleted.

Exam trap

The trap here is that candidates often confuse user-assigned managed identities with system-assigned ones, failing to recognize that only system-assigned identities are automatically deleted with the parent resource, while user-assigned identities persist independently.

How to eliminate wrong answers

Option A is wrong because a user-assigned managed identity is a standalone Azure resource with its own lifecycle — it is not automatically deleted when the VM is deleted, so it does not satisfy the requirement that the identity be removed with the VM. Option C is wrong because a storage account shared access signature (SAS) is a token granting delegated access to a storage account, not an identity for authenticating to Key Vault, and it must be stored somewhere (e.g., in a file or environment variable), violating the no-credentials-on-VM requirement. Option D is wrong because a local administrator account with a strong password stores credentials directly on the VM, which contradicts the requirement to avoid storing any credentials on the VM, and it does not provide a managed identity for Azure AD authentication.

164
MCQ · easy

A developer wants to give one Azure VM access to Azure Storage now, and that identity should be removed automatically if the VM is deleted. Which identity type should the administrator assign?

A. A user-assigned managed identity
B. A system-assigned managed identity
C. A storage account SAS token
D. An NSG service tag
Answer: B

A system-assigned managed identity is attached directly to one Azure resource, such as a VM, and Azure manages its lifecycle with that resource. If the VM is deleted, the identity is also removed automatically. This makes it the right choice when the identity should exist only for that VM.

Why this answer

A system-assigned managed identity is tied directly to the lifecycle of the Azure VM. When the VM is deleted, Azure automatically removes the identity from Azure AD and revokes any associated role assignments, fulfilling the developer's requirement for automatic cleanup. This identity is created and managed by Azure without any additional administrative overhead.

Exam trap

The trap here is that candidates confuse user-assigned managed identities with system-assigned ones, assuming both are automatically deleted, but only system-assigned identities are lifecycle-coupled to the resource.

How to eliminate wrong answers

Option A is wrong because a user-assigned managed identity has an independent lifecycle from the VM; it persists in Azure AD even after the VM is deleted, requiring manual cleanup. Option C is wrong because a storage account SAS token is a shared access signature that provides delegated access to storage resources, but it is not an Azure AD identity and does not automatically revoke upon VM deletion. Option D is wrong because an NSG service tag is a network security group construct used to define IP address ranges for Azure services, not an identity mechanism for granting access to Azure Storage.

165
MCQ · easy

A developer already has permission to create resource groups. The company wants to allow deployments only in the East US and West US regions. Which service should enforce this rule?

A. Azure RBAC, because region selection is part of user permissions.
B. Azure Policy, because it can restrict which regions are allowed for deployments.
C. A network security group, because it can block unsupported regions.
D. A read-only lock, because it limits changes to approved regions.
Answer: B

This is correct because Azure Policy can enforce a list of allowed locations at deployment time. The developer may still have RBAC permission to create resources, but the policy can deny deployments outside East US and West US. That makes Policy the proper control for region compliance, while RBAC handles access rights separately.

Why this answer

Azure Policy is the correct service because it enforces organizational rules by evaluating resource configurations against policy definitions. In this scenario, a built-in or custom policy can restrict allowed regions for all resources, ensuring deployments only occur in East US and West US. Unlike RBAC, which controls who can perform actions, Azure Policy controls what resource configurations are permitted, making it the appropriate tool for region restriction.

Exam trap

The trap here is confusing Azure RBAC (who can act) with Azure Policy (what is allowed), leading candidates to mistakenly choose RBAC for region restrictions when RBAC cannot enforce resource configuration constraints.

How to eliminate wrong answers

Option A is wrong because Azure RBAC manages permissions for actions (e.g., creating resource groups) but does not enforce constraints on resource properties like region; region selection is not a permission but a configuration attribute. Option C is wrong because a network security group (NSG) filters network traffic at the subnet or NIC level based on IP addresses and ports, not geographic regions; it cannot block or allow resource deployments in specific Azure regions. Option D is wrong because a read-only lock prevents any modifications to a resource but does not restrict which regions can be used during deployment; it is a lock, not a governance policy.

166
MCQ · medium

A modify policy that appends a CostCenter tag was assigned to a management group. The policy shows as assigned, but older virtual machines still lack the tag. What must the administrator do to update those existing resources?

A. Reassign the policy at a lower scope so it applies more quickly.
B. Create a remediation task for the policy assignment.
C. Change the policy effect from modify to audit.
D. Add a CanNotDelete lock to the virtual machines.
Answer: B

Policy assignment alone evaluates future requests, but existing resources often need remediation before the policy effect is applied to them. A remediation task triggers the policy logic against already deployed resources and applies the configured correction when the managed identity has enough permissions. That is how missing tags on older VMs are brought into compliance.

Why this answer

The 'modify' policy effect appends the CostCenter tag to new or updated resources automatically, but it does not retroactively apply to existing resources. To update older virtual machines that lack the tag, the administrator must create a remediation task for the policy assignment. This task uses Azure Policy's 'deployIfNotExists' or 'modify' effect to trigger a deployment that evaluates and corrects non-compliant existing resources.

Exam trap

The trap here is that candidates assume a 'modify' policy effect automatically applies to all existing resources, but in reality, it only applies to new or updated resources unless a remediation task is explicitly created.

How to eliminate wrong answers

Option A is wrong because reassigning the policy at a lower scope does not change the fact that the policy effect only applies to new or updated resources; it does not force retroactive evaluation or remediation. Option C is wrong because changing the effect from 'modify' to 'audit' would only report non-compliance without taking any corrective action, leaving the tags missing. Option D is wrong because adding a CanNotDelete lock prevents accidental deletion but does not add or modify tags on existing resources.

167
MCQ · medium

You need to ensure that all users in the HelpdeskAdmins group can reset passwords for cloud-only users in Microsoft Entra ID but cannot modify group memberships or delete users. Which role should you assign?

A. Global Administrator
B. User Administrator
C. Helpdesk Administrator
D. Security Administrator
Answer: C

Helpdesk Administrator is the least-privileged built-in role that supports password resets for appropriate users.

Why this answer

The Helpdesk Administrator role is specifically designed to allow password resets for non-administrator users (including cloud-only users) while explicitly preventing modifications to group memberships or deletion of users. This aligns perfectly with the requirement to restrict the HelpdeskAdmins group to only password reset capabilities.

Exam trap

The trap here is that candidates often confuse User Administrator with Helpdesk Administrator, assuming both can reset passwords, but User Administrator also grants broader user management capabilities like modifying group memberships and deleting users, which the question explicitly forbids.

How to eliminate wrong answers

Option A is wrong because Global Administrator has full access to all Microsoft Entra ID features, including the ability to modify group memberships and delete users, which exceeds the required permissions. Option B is wrong because User Administrator can reset passwords and also manage user accounts, including modifying group memberships and deleting users, which violates the restriction. Option D is wrong because Security Administrator focuses on security-related features like managing security policies and reviewing security reports, not on password resets for users.

168
Multi-Select · hard

An enterprise wants one governance package to be applied automatically to every production subscription that is added in the future. The package contains several policy definitions that should be managed together. Which two actions are required? Select two.

Select 2 answers
A. Create or use a production management group and assign the governance package at that scope.
B. Package the related policy definitions into a policy initiative before assigning them.
C. Assign each policy separately to every resource group so the settings are inherited upward.
D. Use tags on resources to make policy definitions automatically apply to new subscriptions.
E. Apply a resource lock to the management group so all child subscriptions inherit the policies.
Answers: A, B

Management groups are the correct hierarchy for automatic inheritance across multiple subscriptions. Assigning governance at the management-group scope ensures every child production subscription receives the baseline without separate manual work. This satisfies the requirement for future subscriptions as well as existing ones.

Why this answer

Option A is correct because assigning the governance package (policy initiative) at the management group scope ensures that all child subscriptions, including future ones, automatically inherit the policies. Management groups provide hierarchical governance, and any subscription added under that management group will inherit the assigned policies without manual intervention.

Exam trap

The trap here is that candidates confuse resource locks with policy assignments, thinking locks can enforce policy inheritance, when in fact locks only prevent deletion or modification and have no effect on policy application.

169
MCQ · hard

Your organization assigns an Azure Policy at the Corp-MG management group to require the tag Environment on all newly created resources. A deployment to RG-App in the Prod-Sub subscription fails because the tag is missing. You need to allow this single deployment to proceed without weakening enforcement for the rest of the organization. What should you do?

A. Remove the policy assignment from Corp-MG.
B. Create a policy exemption at the Prod-Sub or RG-App scope.
C. Change the policy effect from Deny to Audit for all assignments.
D. Move Prod-Sub out of Corp-MG.
Answer: B

A scoped exemption allows the deployment while preserving the broader governance model.

Why this answer

A policy exemption allows you to exclude a specific scope (like Prod-Sub or RG-App) from the enforcement of a policy assignment without modifying or removing the policy itself. This lets the single deployment proceed while maintaining the Deny effect for all other resources under Corp-MG. Exemptions can be created with an expiration date to ensure temporary relief does not become permanent.

Exam trap

The trap here is that candidates often think they must remove or change the policy assignment itself, but Azure provides the policy exemption feature specifically to handle temporary exceptions without weakening overall enforcement.

How to eliminate wrong answers

Option A is wrong because removing the policy assignment from Corp-MG would disable enforcement for the entire organization, not just the single deployment. Option C is wrong because changing the effect from Deny to Audit for all assignments would weaken enforcement globally, allowing all future violations to be logged but not blocked. Option D is wrong because moving Prod-Sub out of Corp-MG would remove the subscription from the management group hierarchy, breaking inheritance for all policies assigned at Corp-MG and affecting other governance controls.

170
Multi-Select · easy

A VM-hosted app must read blobs from Azure Storage without storing a shared key, SAS token, or password. Which two configuration steps should the administrator take? Select two.

Select 2 answers
A. Enable a system-assigned managed identity on the VM.
B. Assign the Storage Blob Data Reader role to that identity on the storage account.
C. Store the storage account access key in the app configuration.
D. Generate a SAS token and embed it in the application code.
E. Move the VM into a different subnet.
Answers: A, B

A system-assigned managed identity gives the VM an Azure identity without storing any secrets in the application.

Why this answer

A system-assigned managed identity on the VM allows Azure to automatically manage a service principal for the VM, eliminating the need for any stored credentials. By assigning the Storage Blob Data Reader role to that identity on the storage account, the VM can authenticate to Azure Storage using Azure AD tokens obtained via the Azure Instance Metadata Service (IMDS) endpoint, without ever storing a shared key, SAS token, or password.

Exam trap

The trap here is that candidates may think moving the VM to a different subnet (Option E) solves the authentication problem, but subnet changes only affect network access control, not credentialless authentication; the correct approach relies on Azure AD and RBAC via managed identities.

171
MCQ · medium

An App Service application needs to read secrets from Azure Key Vault. The security team does not want any password, certificate, or client secret stored in application settings, and they want the identity removed automatically if the app is deleted. What should the administrator enable?

A. A service principal with a client secret stored in App Service configuration.
B. A system-assigned managed identity on the App Service.
C. A user-assigned managed identity shared by all applications.
D. A shared access signature stored in Key Vault.
Answer: B

A system-assigned managed identity avoids stored credentials and is tied to the app lifecycle.

Why this answer

A system-assigned managed identity (Option B) is the correct choice because it provides an identity for the App Service that is automatically managed by Azure, tied to the lifecycle of the resource (deleted when the app is deleted), and requires no credentials to be stored in application settings. This allows the app to authenticate to Key Vault using Azure AD tokens without any secrets, satisfying the security team's requirements.

Exam trap

The trap here is that candidates may confuse user-assigned managed identities (which are independent resources with separate lifecycles) with system-assigned managed identities (which are tied to the resource's lifecycle), leading them to choose Option C despite the automatic removal requirement.

How to eliminate wrong answers

Option A is wrong because storing a client secret in App Service configuration violates the security team's requirement of no passwords, certificates, or client secrets in application settings, and the secret would not be automatically removed if the app is deleted. Option C is wrong because a user-assigned managed identity is not automatically deleted when the app is deleted; it has its own lifecycle and must be manually removed, failing the 'identity removed automatically' requirement. Option D is wrong because a shared access signature (SAS) is used for granting access to Azure Storage resources, not for authenticating to Key Vault, and it would need to be stored as a secret, which is prohibited.

172
MCQ · medium

A production resource group contains VMs, public IP addresses, and a storage account. During a migration window, administrators must still be able to change settings and resize VMs, but nobody should accidentally delete any resource. Which lock should you apply to the resource group?

A. ReadOnly
B. CanNotDelete
C. Contributor
D. Azure Policy
Answer: B

CanNotDelete prevents accidental deletion while still allowing normal management changes such as updates and resizing.

Why this answer

The CanNotDelete lock prevents any user or process from deleting the resource group or its resources, while still allowing all other operations including read, write, and configuration changes such as resizing VMs. This matches the requirement that administrators must be able to change settings and resize VMs but must not accidentally delete any resource.

Exam trap

The trap here is that candidates often confuse Azure Policy with resource locks, thinking Policy can prevent deletion, when in fact only a CanNotDelete lock (or a custom policy with a deny effect on delete) blocks delete operations, and Policy alone does not provide that protection.

How to eliminate wrong answers

Option A is wrong because ReadOnly lock prevents all write operations, including resizing VMs and changing settings, which directly contradicts the requirement that administrators must still be able to perform these actions. Option C is wrong because Contributor is an Azure RBAC role, not a resource lock; it grants permissions to manage resources but does not prevent deletion, so it does not satisfy the 'nobody should accidentally delete any resource' requirement. Option D is wrong because Azure Policy is a governance tool for enforcing compliance rules (e.g., allowed VM sizes or tagging), not a lock that prevents deletion of resources; it does not block delete operations by default.

173
MCQ · easy

During a change freeze, administrators must prevent deletion of a production resource group and all resources inside it, but they still need to update VM sizes and tags. Which lock should be applied?

A. ReadOnly on the resource group
B. CanNotDelete on the resource group
C. CanNotDelete on the management group
D. An Azure Policy deny assignment
Answer: B

CanNotDelete is the correct lock when you want to stop accidental deletion but still allow configuration changes. Applied at the resource group scope, it protects the group and the resources inside it from being deleted while still permitting updates such as resizing a VM or changing tags. That makes it ideal for a maintenance freeze.

Why this answer

The CanNotDelete lock on the resource group prevents deletion of the resource group and all resources within it, while still allowing read and update operations such as modifying VM sizes and tags. This meets the requirement of blocking deletions during the change freeze without restricting updates. ReadOnly locks would block all write operations, including the needed updates.

Exam trap

The trap here is that candidates often confuse CanNotDelete with ReadOnly, assuming that any lock will block updates, but CanNotDelete specifically allows modifications while only preventing deletion.

How to eliminate wrong answers

Option A is wrong because a ReadOnly lock on the resource group would block all write operations, including updating VM sizes and tags, which violates the requirement to allow those updates. Option C is wrong because a CanNotDelete lock on the management group would apply to all subscriptions and resource groups under that management group, which is overly broad and not scoped to the specific production resource group; it also does not prevent deletion of the resource group itself if the lock is not inherited correctly. Option D is wrong because an Azure Policy deny assignment can be used to prevent specific actions, but it requires custom policy definitions and assignment, which is more complex and not the simplest or most direct solution; the question specifically asks for a lock, not a policy.

174
MCQ · easy

A user is assigned the Reader role on a resource group named RG1. Later, a new storage account is created in RG1. What access will the user have to that storage account without any new role assignment?

A. No access, because RBAC assignments do not apply to resources created later.
B. Reader access, because the resource group assignment is inherited by the storage account.
C. Contributor access, because storage accounts inherit the highest available permissions.
D. Owner access, because resource group permissions always become full control on child resources.
Answer: B

This is correct because Azure RBAC permissions flow downward from the assigned scope. A role assigned at the resource group level applies to all current and future resources in that group unless a more restrictive condition or deny assignment applies. The new storage account automatically inherits the Reader permissions from RG1, so the user can view it without another assignment.

Why this answer

Option B is correct because Azure RBAC permissions assigned at a resource group scope are inherited by all resources within that resource group, including resources created after the assignment. Since the user has the Reader role on RG1, that role is inherited by the new storage account, granting read-only access to it without any additional role assignment.

Exam trap

The trap here is that candidates mistakenly believe RBAC assignments do not apply to resources created after the assignment, confusing Azure RBAC with classic deployment model permissions or assuming inheritance is only for existing resources.

How to eliminate wrong answers

Option A is wrong because RBAC assignments at a parent scope (resource group) are inherited by child resources, even those created after the assignment, due to Azure's hierarchical inheritance model. Option C is wrong because inheritance does not escalate permissions; the user retains only the Reader role, not Contributor, and Azure does not automatically assign the highest available permissions. Option D is wrong because resource group permissions do not become full control on child resources; inheritance strictly follows the assigned role (Reader) and does not grant Owner or any elevated access.

175
MCQ · easy

A partner company needs a developer to access resources in your tenant by using the developer's existing work account. You do not want to create a new separate username and password for that person. What should you create in Microsoft Entra ID?

A. A local user account in each resource group
B. A guest user account
C. A managed identity
D. A new service principal
Answer: B

A guest user lets the person sign in with their own organization account while being invited into your tenant.

Why this answer

B is correct because Microsoft Entra ID B2B collaboration allows you to invite an external user's existing work account as a guest user. This grants access to resources without creating a new username and password, as the developer authenticates using their home tenant credentials. Guest users are managed in Entra ID and can be assigned permissions via Azure RBAC or group membership.

Exam trap

The trap here is that candidates confuse a guest user (B2B collaboration) with a service principal or managed identity, thinking any external access requires a non-user identity, but the question explicitly asks for a user account using an existing work account.

How to eliminate wrong answers

Option A is wrong because local user accounts in resource groups do not exist in Azure; Azure RBAC uses Entra ID identities, not resource-group-level local accounts. Option C is wrong because a managed identity is an Azure resource identity used by Azure services to authenticate to other services, not a user account for external developers. Option D is wrong because a service principal is an application identity used for automated authentication (e.g., scripts or apps), not for a human user's interactive access with their existing work account.

176
MCQ · medium

A VM-hosted automation tool must call Azure Resource Manager APIs, but the team will not store a password, certificate, or client secret on the VM. The identity should also disappear automatically when the VM is deleted. Which identity should be assigned?

A. System-assigned managed identity
B. User-assigned managed identity
C. Service principal with a client secret
D. Shared access signature
Answer: A

A system-assigned managed identity is tied to one VM and is removed automatically when the VM is deleted.

Why this answer

A system-assigned managed identity is the correct choice because it is tied directly to the lifecycle of the Azure VM—when the VM is deleted, the identity is automatically removed. It allows the automation tool to authenticate to Azure Resource Manager APIs without storing any credentials (password, certificate, or client secret) on the VM, using Azure AD tokens obtained via the Azure Instance Metadata Service (IMDS) endpoint.

Exam trap

The trap here is that candidates often confuse user-assigned managed identities with system-assigned ones, failing to recognize that user-assigned identities are independent resources that do not automatically disappear when the VM is deleted.

How to eliminate wrong answers

Option B is wrong because a user-assigned managed identity is a standalone resource that persists independently of the VM; it does not automatically disappear when the VM is deleted, and it must be explicitly removed. Option C is wrong because a service principal with a client secret requires storing the secret on the VM, which violates the requirement to not store a password, certificate, or client secret. Option D is wrong because a shared access signature (SAS) is a token used for delegating access to Azure Storage resources, not for authenticating to Azure Resource Manager APIs, and it also requires storing a token on the VM.

177
MCQ · medium

Your company has separate subscriptions for development, test, and production. Security wants one baseline policy and one RBAC assignment to apply automatically to every production subscription now and in the future. What should you use?

A. A resource group that contains all production resources.
B. A management group above the production subscriptions.
C. A tag applied to each production resource.
D. A single production subscription with multiple resource groups.
Answer: B

This is the correct parent scope for inheritance across multiple subscriptions.

Why this answer

B is correct because management groups allow you to apply Azure Policy and RBAC assignments hierarchically. By placing all production subscriptions under a single management group, any policy or role assignment at that level will be inherited by every current and future production subscription, meeting the requirement for automatic application without manual intervention.

Exam trap

The trap here is that candidates often confuse tags with policy enforcement, thinking tags can automatically apply governance, when in fact tags are only metadata and require Azure Policy to enforce tag inheritance or compliance.

How to eliminate wrong answers

Option A is wrong because a resource group is a container for resources within a single subscription; it cannot span multiple subscriptions, so it cannot apply policies or RBAC to all production subscriptions. Option C is wrong because tags are metadata labels, not a mechanism for enforcing policies or RBAC assignments; they can be used for filtering or cost tracking but do not automatically apply governance. Option D is wrong because using a single production subscription with multiple resource groups would not cover future subscriptions; the requirement is to apply policies across multiple subscriptions now and in the future, which a single subscription cannot achieve.

178
MCQ · hard

A platform team must enforce two governance rules across every current and future subscription under a management group: resources must include an Environment tag, and only East US or West US may be used for deployment. They want one compliance view for both rules and a way to correct missing tags on existing resources where supported. What should they assign?

A. Assign two separate policies manually to each subscription and skip remediation.
B. Assign an initiative at the management group scope that contains the tag and allowed-location policies, then remediate the tag policy.
C. Assign Contributor to the management group so administrators can fix any noncompliant resource manually.
D. Apply a CanNotDelete lock at the management group scope to prevent drift.
Answer: B

An initiative groups multiple policies into one assignment, which gives the team a single compliance view and consistent enforcement across all current and future subscriptions under the management group. The tag policy can then be remediated for existing resources where the effect supports it, while the location rule blocks future noncompliant deployments.

Why this answer

Option B is correct because an initiative (policy set) at the management group scope enforces both the required tag and allowed-location rules across all current and future subscriptions in a single compliance view. The tag policy can be remediated using a remediation task with a managed identity to automatically add missing tags on existing resources where supported (e.g., via modify effect). This approach centralizes governance without manual per-subscription assignment.

Exam trap

The trap here is that candidates often confuse assigning individual policies per subscription (Option A) with using an initiative at the management group scope, missing the requirement for a single compliance view and automatic future subscription coverage.

How to eliminate wrong answers

Option A is wrong because assigning two separate policies manually to each subscription violates the requirement for a single compliance view and does not cover future subscriptions automatically; skipping remediation leaves existing noncompliant resources uncorrected. Option C is wrong because assigning Contributor at the management group scope grants excessive permissions (e.g., ability to delete or modify any resource) and does not enforce rules programmatically or provide a compliance view; it relies on manual fixes, which is not scalable or auditable. Option D is wrong because a CanNotDelete lock at the management group scope prevents deletion of the management group itself or its resources but does not enforce tagging or location restrictions, nor does it provide compliance monitoring or remediation.

179
Multi-Select · hard

A subscription already grants Contributor to an application team. The organization wants to prevent deployments in unsupported Azure regions and ensure every new resource has an Environment tag. Which two controls should be implemented with Azure Policy rather than RBAC? Select two.

Select 2 answers
A. Assign an allowed-locations policy at the management group or subscription scope.
B. Create a custom RBAC role that blocks resources deployed outside approved regions.
C. Assign a policy that enforces the Environment tag on new resources.
D. Add a CanNotDelete lock to every resource group.
E. Grant User Access Administrator to the deployment team.
Answers: A, C

Location is a resource property that policy can evaluate and deny, while RBAC cannot inspect deployment metadata like region.

Why this answer

Option A is correct because Azure Policy can enforce an 'allowed-locations' policy at the management group or subscription scope to restrict resource deployment to only approved Azure regions. This is a governance control that operates declaratively, evaluating resource properties against policy rules before or after creation, unlike RBAC which controls identity-based permissions. Option C is correct because Azure Policy can enforce the 'Environment' tag on new resources using a 'require a tag and its value' policy, ensuring compliance without modifying role assignments.

Exam trap

The trap here is that candidates often confuse RBAC (identity-based permissions) with Azure Policy (resource property enforcement), mistakenly thinking a custom RBAC role can restrict regions or tags, when in fact RBAC only controls actions like 'write' or 'delete' and cannot evaluate resource properties like location or tags.

180
MCQ · easy

Based on the exhibit, which identity approach should the administrator use so both VMs can share the same access without managing secrets or recreating role assignments when a VM is replaced?

A. A separate system-assigned managed identity on each VM.
B. A single user-assigned managed identity attached to both VMs.
C. An administrator username and password stored in the script.
D. A shared access signature assigned to the virtual network.
Answer: B

A user-assigned managed identity is independent of any one VM and can be attached to multiple resources. That makes it ideal when several VMs need the same permissions and the access must continue even if one VM is deleted or rebuilt.

Why this answer

A user-assigned managed identity is an independent Azure resource that can be attached to multiple VMs, allowing them to share the same identity for accessing Azure resources. This approach eliminates the need to manage secrets (like passwords or keys) and avoids recreating role assignments when a VM is replaced, because the identity persists independently of the VM lifecycle.

Exam trap

The trap here is that candidates often confuse system-assigned and user-assigned managed identities, incorrectly assuming that a system-assigned identity can be shared across VMs or that it persists after VM deletion, when in fact it is deleted with the VM.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to the lifecycle of a single VM; if the VM is replaced, a new identity is created, requiring role assignments to be recreated. Option C is wrong because storing an administrator username and password in a script introduces security risks (credential leakage) and violates the principle of managing secrets, plus it does not provide a managed identity for Azure RBAC. Option D is wrong because a shared access signature (SAS) is a token for delegated access to Azure Storage resources, not an identity for VMs, and it cannot be assigned to a virtual network for VM authentication.

181
MCQ · easy

Based on the exhibit, a policy assigned at the subscription denies storage accounts that allow public network access. One existing storage account in RG-Legacy must remain publicly reachable for 30 days while a migration is completed. What should the administrator use?

A. Create a policy exemption for stlegacy01 at the resource scope.
B. Remove the policy assignment from the subscription until the migration finishes.
C. Change the policy effect from Deny to Audit.
D. Move the legacy storage account to a separate subscription and assign the policy there.
Answer: A

A policy exemption is the correct tool when one known resource must temporarily be excluded from a policy assignment. It preserves the policy for everything else while documenting the exception for stlegacy01. This is ideal for a time-bound migration because it avoids weakening the policy across the subscription.

Why this answer

A policy exemption at the resource scope is the correct approach because it allows the administrator to selectively exclude the specific storage account (stlegacy01) from the subscription-level policy that denies public network access. This exemption can be configured with an expiration date of 30 days, ensuring the legacy account remains publicly reachable during the migration while the policy continues to apply to all other resources. Policy exemptions are designed for exactly this scenario—temporary exceptions for compliance or migration needs—without altering the policy definition or assignment.

Exam trap

The trap here is that candidates often confuse policy exemptions with policy exclusions (which are set at assignment scope and apply to entire resource groups or subscriptions), leading them to think they must modify the assignment or move resources instead of using the precise exemption mechanism designed for temporary exceptions.

How to eliminate wrong answers

Option B is wrong because removing the policy assignment from the subscription would disable the deny effect for all storage accounts across the entire subscription, not just the legacy one, which violates the requirement to keep the policy active for other resources. Option C is wrong because changing the policy effect from Deny to Audit would stop blocking public network access for all storage accounts, making the policy non-enforceable and failing to protect other resources during the 30-day period. Option D is wrong because moving the storage account to a separate subscription and assigning the policy there would still deny public network access in the new subscription, defeating the purpose of keeping the account publicly reachable; additionally, this approach introduces unnecessary administrative overhead and does not provide a temporary exception.

182
Multi-Select · medium

A company has 18 subscriptions under a management group named Corp. The audit team needs Reader access to all current and future subscriptions in Corp without creating one assignment per subscription. Which two statements are correct? Select two.

Select 2 answers
A. Assign Reader at the Corp management group scope.
B. Place new subscriptions under the Corp management group so they inherit the assignment.
C. Assign Reader separately at each subscription scope.
D. Assign Reader at one resource group in each subscription.
E. Create a lock on each subscription to provide Reader access.
Answers: A, B

A management group assignment applies to every subscription under that branch, which is the cleanest way to cover current and future subscriptions.

Why this answer

Assigning the Reader role at the Corp management group scope is correct because Azure RBAC allows role assignments to be inherited by all child resources, including all current and future subscriptions under that management group. This eliminates the need to create a separate assignment per subscription, as the single assignment at the management group level applies to all subscriptions within it.

Exam trap

The trap here is that candidates may confuse Azure RBAC role assignments with Azure Policy or locks, thinking that a lock can grant permissions, or they may overlook the inheritance behavior of management groups and attempt to assign roles at a lower scope unnecessarily.

183
MCQ · hard

A team operates two Azure VMs that both need to call Azure services with the same identity. The VMs are rebuilt frequently, and the identity must continue to work if either VM is deleted and recreated. Which identity should the administrator attach?

A. A system-assigned managed identity on one of the VMs
B. A user-assigned managed identity attached to both VMs
C. A service principal with a client secret stored on each VM
D. A certificate uploaded to each VM and used for Azure sign-in
Answer: B

User-assigned identities are independent Azure resources that can be shared across VMs and survive VM recreation.

Why this answer

A user-assigned managed identity is the correct choice because it is a standalone Azure resource that can be attached to multiple VMs. When a VM is deleted and recreated, the identity persists independently and can be reassigned to the new VM, ensuring continuous access to Azure services without credential management.

Exam trap

The trap here is that candidates often confuse system-assigned and user-assigned managed identities, assuming a system-assigned identity can be shared or persist after VM deletion, when in fact only user-assigned identities are decoupled from the VM lifecycle and can be attached to multiple resources.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to the lifecycle of a single VM; if that VM is deleted, the identity is also deleted, and it cannot be shared across multiple VMs. Option C is wrong because storing a client secret on each VM introduces security risks (secret exposure) and requires manual rotation and management, violating the principle of credentialless authentication that managed identities provide. Option D is wrong because uploading a certificate to each VM requires manual certificate lifecycle management (renewal, distribution) and does not integrate with Azure AD automatic token acquisition like managed identities do.

184
Multi-Selectmedium

A team needs Reader access to exactly two Azure resources that are in the same resource group, and they must not gain access to other resources in that group. Which two scope choices are appropriate? Select two.

Select 2 answers
A. Assign the role at the storage account scope.
B. Assign the role at the Key Vault scope.
C. Assign the role at the resource group scope.
D. Assign the role at the subscription scope.
E. Assign the role at the management group scope.
Answers: A, B

A resource-level assignment on the storage account grants access only to that one object. It is the narrowest practical scope for a single resource and avoids exposing unrelated resources in the same group.

Why this answer

Assigning the Reader role at the storage account scope (Option A) grants read-only access to exactly that storage account and to no other resource in the resource group; the matching assignment at the Key Vault scope (Option B) does the same for the second resource. This works because Azure RBAC scopes are hierarchical, and a role assignment at a specific resource scope limits permissions to only that resource. Together, the two assignments meet the requirement of providing access to exactly two resources without granting access to anything else in the same resource group.

Exam trap

The trap here is that candidates often assume assigning a role at the resource group scope is sufficient, but they overlook that it grants access to all resources in the group, not just the selected ones.

185
MCQ · medium

Three Azure VMs in different resource groups need to access the same Azure resources using one identity. The identity must keep working if any VM is deleted and recreated. What should the administrator assign to the VMs?

A. A system-assigned managed identity on each VM.
B. A user-assigned managed identity.
C. A local administrator account.
D. An Azure Blueprint assignment.
Answer: B

A user-assigned managed identity is independent of any single VM, so it can be reused across multiple machines.

Why this answer

A user-assigned managed identity is the correct choice because it is created as a standalone Azure resource and can be assigned to multiple VMs, even across different resource groups. If a VM is deleted and recreated, the user-assigned identity persists independently and can be reassigned to the new VM, ensuring continuous access to Azure resources without reconfiguration.

Exam trap

The trap here is that candidates often choose system-assigned managed identities (Option A) because they are simpler to configure, but they fail to recognize that system-assigned identities are deleted with the VM, making them unsuitable for scenarios requiring identity persistence across VM deletions and recreations.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to the lifecycle of a single VM; if that VM is deleted, the identity is also deleted, and a new VM would require a new identity assignment, breaking the requirement for a persistent identity across VM deletions and recreations. Option C is wrong because a local administrator account is a VM-level credential that does not provide an Azure AD identity for accessing Azure resources, and it would not survive VM deletion or support multiple VMs sharing the same identity. Option D is wrong because an Azure Blueprint assignment is used for deploying and governing environments (e.g., resource groups, policies, RBAC) and does not provide an identity that VMs can use to authenticate to Azure resources.

186
MCQ · medium

An enterprise uses one management group to contain five subscriptions for a business unit. A compliance auditor in an Entra ID group needs read-only access to every current and future resource in all five subscriptions, but must not see resources in other business units. What is the best scope for the Reader role assignment?

A. Assign Reader at the management group that contains the five subscriptions.
B. Assign Reader separately at each subscription in the business unit.
C. Assign Reader at a single resource group within one subscription.
D. Assign Reader directly to each resource that the auditor should see.
Answer: A

This scope lets the role flow downward to all subscriptions, resource groups, and resources under that management group. It is the narrowest place that still covers every current and future subscription in that business unit. The auditor gets consistent read-only visibility without requiring separate assignments for each subscription, and access stays isolated from other management groups.

Why this answer

Assigning the Reader role at the management group scope grants inherited read-only access to all current and future resources within every subscription under that management group, while preventing access to resources in other business units that are in separate management groups. This satisfies the auditor's requirement for a single, scalable assignment that automatically covers new subscriptions added to the management group.

Exam trap

The trap here is that candidates may think subscription-level assignments are necessary for granularity, overlooking that management group scope provides inheritance to all current and future subscriptions and resources within that group, which is the most efficient and correct approach for multi-subscription governance.

How to eliminate wrong answers

Option B is wrong because assigning Reader separately at each subscription requires manual updates whenever a new subscription is added, failing the 'future resources' requirement and increasing administrative overhead. Option C is wrong because scoping to a single resource group within one subscription provides access only to that specific resource group, not to all resources across all five subscriptions. Option D is wrong because assigning Reader directly to each resource is impractical at scale, violates Azure RBAC best practices, and does not automatically cover new resources created in the future.

187
MCQ · medium

A company has 18 Azure subscriptions. Production subscriptions must inherit stricter governance than sandbox subscriptions, and central IT wants one place to target future policy assignments to each group. What should the administrator do?

A. Create management groups for Prod and Sandbox, then move subscriptions into them
B. Create resource groups named Prod and Sandbox in each subscription
C. Use tags on subscriptions to separate production from sandbox
D. Apply a CanNotDelete lock to each subscription
Answer: A

Management groups create administrative boundaries and allow shared governance to flow to child subscriptions.

Why this answer

Management groups allow you to organize Azure subscriptions hierarchically and apply Azure Policy and role-based access control (RBAC) at the management group level, which is inherited by all subscriptions within that group. By creating separate management groups for Prod and Sandbox and moving the respective subscriptions into them, central IT can assign policy assignments once to each management group, ensuring stricter governance for production subscriptions and a lighter touch for sandbox subscriptions.

Exam trap

The trap here is that candidates often confuse resource groups or tags as mechanisms for grouping subscriptions for policy inheritance, but only management groups provide the hierarchical structure needed to apply policies consistently across multiple subscriptions.

How to eliminate wrong answers

Option B is wrong because resource groups are containers within a single subscription and cannot span multiple subscriptions; they do not provide a single place to target policy assignments across all production or sandbox subscriptions. Option C is wrong because tags are metadata labels that do not enforce inheritance of policies or RBAC; they are used for filtering and cost reporting, not for hierarchical governance. Option D is wrong because a CanNotDelete lock prevents deletion of the subscription itself but does not enforce governance policies or allow grouping of subscriptions for policy assignment.

188
MCQ · medium

A developer has the Contributor role on a subscription. Their ARM deployment of a virtual machine with a public IP fails, and the error message says the request is denied by policy. The developer can create other resources successfully. What should you change to allow this deployment while keeping the Contributor role unchanged?

A. Assign the developer the Owner role on the subscription.
B. Modify or exempt the Azure Policy assignment that blocks public IP addresses.
C. Remove any lock from the virtual machine's resource group.
D. Move the virtual machine to another management group.
Answer: B

This directly addresses the policy denial while leaving the RBAC role unchanged.

Why this answer

The error indicates that an Azure Policy is denying the deployment of a virtual machine with a public IP address. Since the developer has the Contributor role, they have sufficient permissions to create resources, but Azure Policy overrides permissions by enforcing rules. Modifying or creating an exemption for the specific policy that blocks public IP addresses will allow the deployment without changing the developer's role.

Exam trap

The trap here is that candidates often confuse Azure Policy with RBAC or resource locks, assuming that a permission issue (like needing Owner) or a lock is the cause, when in fact policy enforcement is a separate governance layer that can deny deployments even with sufficient RBAC permissions.

How to eliminate wrong answers

Option A is wrong because assigning the Owner role would grant full access, but it is unnecessary and violates the requirement to keep the Contributor role unchanged; the issue is policy-based, not permission-based. Option C is wrong because resource locks prevent deletion or modification of resources, not creation; removing a lock would not resolve a policy denial during deployment. Option D is wrong because moving the virtual machine to another management group does not bypass Azure Policy assignments that are inherited from the subscription or management group; the policy would still apply unless explicitly excluded.

189
MCQ · medium

A support engineer needs to restart only one virtual machine named VM-App01. The engineer must not gain access to any other VM, storage account, or network resource in the resource group. At which scope should you assign the required RBAC role?

A. At the management group scope that contains the subscription
B. At the specific virtual machine resource scope
C. At the resource group scope that contains the virtual machine
D. At the subscription scope that contains the resource group
Answer: B

A resource scope limits the permission to only VM-App01, which matches the least-privilege requirement.

Why this answer

Option B is correct because assigning the Virtual Machine Contributor role at the specific VM resource scope (VM-App01) grants the engineer permissions to restart only that VM, with no access to other VMs, storage accounts, or network resources in the same resource group. A role assigned at the resource scope applies to that exact resource only; it does not extend sideways to sibling resources in the group.

Exam trap

The trap here is that candidates often default to assigning roles at the resource group scope for simplicity, overlooking that this grants permissions to all resources in the group, not just the target VM.

How to eliminate wrong answers

Option A is wrong because assigning a role at the management group scope would grant permissions to all subscriptions and resources under that management group, far exceeding the requirement to restrict access to only one VM. Option C is wrong because assigning a role at the resource group scope would grant permissions to all resources within that resource group, including other VMs, storage accounts, and network resources, violating the constraint. Option D is wrong because assigning a role at the subscription scope would grant permissions to all resource groups and resources in the subscription, which is too broad and would include unintended access.

190
MCQ · medium

You need to let a junior administrator manage virtual machines only in the RG-Dev resource group. The administrator must not be able to change role assignments or manage other resource groups. Which role assignment should you use?

A. Owner at the RG-Dev scope
B. Virtual Machine Contributor at the RG-Dev scope
C. Reader at the subscription scope
D. Contributor at the subscription scope
Answer: B

This limits VM management to the target resource group without broader subscription access.

Why this answer

The Virtual Machine Contributor role at the RG-Dev scope grants the junior administrator full permissions to manage virtual machines (including start, stop, restart, delete, and modify VM configurations) but does not include the ability to manage role assignments (RBAC) or grant access to other resource groups. This aligns with the principle of least privilege, ensuring the administrator can perform their required tasks without exceeding their authority.

Exam trap

The trap here is that candidates often confuse the Contributor role (which includes RBAC write permissions) with the Virtual Machine Contributor role, or they incorrectly assume that a subscription-scope role can be restricted by the administrator's intent, but Azure RBAC does not support implicit scoping—permissions are granted exactly at the assigned scope.

How to eliminate wrong answers

Option A is wrong because the Owner role at the RG-Dev scope includes the ability to manage role assignments (Microsoft.Authorization/roleAssignments/write), which would allow the junior administrator to grant themselves or others elevated permissions, violating the requirement to not change role assignments. Option C is wrong because the Reader role at the subscription scope provides read-only access to all resources in the subscription, including RG-Dev, but does not grant any write permissions to manage virtual machines, so the administrator cannot perform management tasks. Option D is wrong because the Contributor role at the subscription scope grants full management permissions over all resources in the entire subscription, including other resource groups, and also includes the ability to manage role assignments (Microsoft.Authorization/roleAssignments/write), which violates both constraints.

191
Multi-Select · medium

A subscription must block creation of resources in any region except East US and West US, and the security team also wants a nonblocking report of existing resources that are missing a CostCenter tag. Which two Azure Policy effects should you use? Select two.

Select 2 answers
A. Deny
B. Audit
C. Modify
D. DeployIfNotExists
E. Disabled
Answers: A, B

Deny is the correct enforcement effect when you want Azure to stop noncompliant deployments, such as resources created outside the approved regions.

Why this answer

Deny is correct because it actively blocks resource creation in regions outside East US and West US by evaluating the location property against an allowed list and rejecting non-compliant requests at deployment time. Audit is correct because it logs a compliance event for existing resources missing the CostCenter tag without blocking any operations, providing a nonblocking report for the security team.

Exam trap

The trap here is that candidates often confuse Audit (which only reports) with DeployIfNotExists or Modify (which actively remediate), leading them to select a remediation effect when the question explicitly asks for a nonblocking report.

192
Multi-Select · medium

The service desk needs to add and remove users from a support group that grants access to an internal application, but the service desk must not receive Azure subscription permissions. Which two actions should you take? Select two.

Select 2 answers
A. Create a security group in Microsoft Entra ID for the application access.
B. Add the service desk staff as owners of that group.
C. Assign the service desk staff Contributor on the subscription.
D. Convert the service desk staff into guest users in the tenant.
E. Add the service desk staff as members only, without ownership.
Answers: A, B

Security groups are the standard Entra ID container for access management. They let you grant permissions once and control membership centrally, which is ideal for a support team that will add and remove users often.

Why this answer

Option A is correct because creating a security group in Microsoft Entra ID (formerly Azure AD) allows you to manage access to the internal application without granting any Azure subscription permissions. The service desk can then add or remove users from this group, and the application's access control can be configured to rely on group membership, ensuring the service desk staff never receive Azure RBAC roles. Option B is correct because making the service desk staff owners of that group lets them change its membership directly, again without any Azure RBAC role involved.

Exam trap

The trap here is that candidates often confuse Azure RBAC roles (like Contributor) with Microsoft Entra ID directory roles or group ownership, mistakenly thinking that managing group membership requires subscription-level permissions.

193
MCQ · medium

Based on the exhibit, which identity should be enabled on the VM so the application can access Azure Blob Storage and the identity disappears when the VM is deleted?

A. System-assigned managed identity
B. User-assigned managed identity
C. Storage account shared key
D. SAS token stored in a startup script
Answer: A

A system-assigned managed identity is tied directly to one Azure resource, such as a VM. It is created and removed with the VM, which matches the requirement that the identity disappear automatically when the VM is deleted. The application can use the identity to request tokens for Blob Storage without storing secrets in code or configuration.

Why this answer

A system-assigned managed identity is tied directly to the lifecycle of the Azure VM — when the VM is deleted, the identity is automatically removed. It can be granted access to Azure Blob Storage via Azure RBAC, allowing the application to authenticate without storing credentials. This matches the requirement for an identity that disappears with the VM.

Exam trap

The trap here is that candidates often confuse user-assigned managed identities (which persist independently) with system-assigned managed identities (which are tied to the VM lifecycle), leading them to select the wrong option when the question explicitly requires the identity to disappear with the VM.

How to eliminate wrong answers

Option B is wrong because a user-assigned managed identity has an independent lifecycle from the VM; it persists even after the VM is deleted unless explicitly removed. Option C is wrong because a storage account shared key is a static credential that does not disappear when the VM is deleted and introduces security risks if leaked. Option D is wrong because a SAS token stored in a startup script is a static credential that remains in the script or disk even after VM deletion, and it does not automatically disappear with the VM.

194
Multi-Select · hard

A developer has the Contributor role on a resource group and tries to deploy a Windows VM with a public IP address. The deployment fails, even though the role assignment is active. Which two checks should you perform first to confirm why the deployment failed? Select two.

Select 2 answers
A. Review Azure Policy assignments at the subscription or management group for deny or modify effects on public IP resources.
B. Verify the Contributor role is assigned at the resource group or a higher scope for the target deployment resources.
C. Check for a CanNotDelete lock on the resource group because that lock blocks all deployments.
D. Confirm that the VM size is available in the region because size availability is the most common authorization issue.
E. Inspect whether tags are inherited from the subscription because tag inheritance can deny a deployment request.
Answers: A, B

Policy can block creation even when RBAC allows the action, so the assignment and effect must be checked first.

Why this answer

Option A is correct because Azure Policy can override role-based permissions. Even though the developer has the Contributor role, a policy with a 'deny' or 'modify' effect on public IP resources at the subscription or management group scope can block the deployment of a VM with a public IP address. Policies are evaluated before RBAC, so this is a primary check. Option B is correct because confirming that the Contributor assignment actually covers the scope of every resource in the deployment rules out a scope mismatch before you look elsewhere.

Exam trap

The trap here is that candidates often assume the Contributor role is sufficient for all deployments, overlooking that Azure Policy can override RBAC permissions, and that CanNotDelete locks are often confused with ReadOnly locks, which do block deployments.

195
MCQ · medium

An Azure Automation account runs PowerShell runbooks that must authenticate to Azure resources without embedded secrets. The automation account is recreated periodically during deployment, and the identity must continue to work after recreation without reissuing credentials. Which identity should you use?

A. A system-assigned managed identity.
B. A user-assigned managed identity.
C. A service principal with a client secret stored in Key Vault.
D. A shared access signature token.
Answer: B

This identity exists independently of the Automation account and survives recreation.

Why this answer

A user-assigned managed identity (B) is the correct choice because it is an independent Azure resource that persists even when the Automation account is recreated. Unlike a system-assigned managed identity, which is tied to the lifecycle of the Automation account and is deleted when the account is deleted, a user-assigned managed identity can be reassigned to the new Automation account after recreation without requiring new credentials. This allows the runbooks to authenticate seamlessly using the same identity, avoiding embedded secrets.

Exam trap

The trap here is that candidates often assume a system-assigned managed identity is simpler and sufficient, but they overlook that it is deleted with the resource, making it unsuitable for scenarios where the resource is recreated and identity continuity is required.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to the lifecycle of the Automation account; when the account is recreated, the old identity is deleted and a new one is created, breaking the authentication continuity. Option C is wrong because a service principal with a client secret stored in Key Vault still requires managing a secret, which violates the requirement of no embedded secrets and introduces credential rotation overhead. Option D is wrong because a shared access signature (SAS) token is a time-limited, resource-specific token used for Azure Storage access, not for authenticating runbooks to Azure resources, and it must be embedded or stored, contradicting the no-secrets requirement.

196
MCQ · easy

A team wants every resource in a subscription to include a Department tag. New resources that do not have the tag should be blocked from being created. Which Azure Policy effect should you use?

A. Audit
B. Deny
C. Append
D. Disabled
Answer: B

Deny stops noncompliant deployments, which matches the requirement to block missing tags.

Why this answer

The Deny effect is correct because it actively blocks any resource creation or update request that does not include the required Department tag, enforcing compliance at the time of the operation. Unlike Audit, which only logs non-compliant resources, Deny prevents the non-compliant resource from being provisioned, directly meeting the requirement to block new resources without the tag.

Exam trap

The trap here is that candidates often confuse Append with Deny, thinking Append will automatically add the tag and thus 'block' the resource, but Append only modifies the request and does not prevent creation if the tag cannot be applied, whereas Deny actively rejects the request.

How to eliminate wrong answers

Option A (Audit) is wrong because Audit only generates a compliance log entry for non-compliant resources but does not block their creation, so it fails to prevent untagged resources from being deployed. Option C (Append) is wrong because Append adds the missing tag to the resource during creation or update, but it does not block the resource if the tag cannot be added (e.g., due to a conflict), and it cannot enforce a mandatory tag value if the user explicitly omits it. Option D (Disabled) is wrong because Disabled removes the policy effect entirely, meaning no enforcement or logging occurs, which does not satisfy the requirement to block untagged resources.

197
MCQ · medium

A policy assignment denies storage accounts unless public network access is disabled. One legacy storage account in a pilot resource group must remain publicly reachable for 60 days while the application team remediates dependencies. Compliance reporting must continue to show the policy as enforced everywhere else. What should the administrator do?

A. Delete the policy assignment and re-create it later
B. Use an Azure Policy exemption for that storage account
C. Apply a read-only lock to the storage account
D. Assign a custom RBAC role to the application team
Answer: B

An exemption documents the exception at the specific scope while preserving the policy assignment for the rest of the environment.

Why this answer

An Azure Policy exemption allows the administrator to exclude a specific scope (the legacy storage account) from the policy's effect while still reporting the policy as enforced on all other resources. The exemption can be set with an expiration date (60 days) to automatically remove the exception after the remediation period. This ensures compliance reporting continues to show the policy as active and enforced everywhere except the exempted resource.

Exam trap

The trap here is that candidates confuse Azure Policy exemptions with RBAC or locks, thinking they can bypass policy enforcement through access control or resource protection, when in fact only a policy exemption (or exclusion) can selectively skip the policy's effect while maintaining compliance reporting.

How to eliminate wrong answers

Option A is wrong because deleting the policy assignment would remove enforcement from all resources, not just the legacy account, breaking compliance reporting for the entire scope. Option C is wrong because a read-only lock prevents modifications to the storage account but does not bypass the deny effect of the policy; the policy would still block creation or update of the account with public network access enabled. Option D is wrong because assigning a custom RBAC role does not override Azure Policy; RBAC controls who can manage resources, not what configurations are allowed or denied by policy.
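The three policy questions above (191, 196 and 197) all turn on the same mechanics: a rule in `if`/`then` form, an effect that either blocks the request (Deny) or only records it (Audit), and an exemption that skips one scope while the assignment stays in force everywhere else. The following is an added example, not code from the page or from Microsoft: a minimal evaluator that keeps the rules in the same `if`/`then` shape as real Azure Policy `policyRule` JSON but supports only a handful of conditions and two effects. The policy names, subscription and resource IDs, tags and the `ALIASES` table are constructed for the example, and the "tags['Name']" field form is a simplification of the built-in definitions.

```python
"""Minimal Azure Policy effect evaluator (added example, not Microsoft code).

Rules use the real policyRule `if` / `then` layout, but only the conditions
allOf / anyOf / not / equals / notEquals / in / notIn / exists and the effects
deny and audit are modelled, plus exemptions by scope. All IDs are constructed.
"""
import re

PARAM_REF = re.compile(r"^\[parameters\('(\w+)'\)\]$")

# Simplified alias table: real aliases resolve through the resource provider schema.
ALIASES = {
    "microsoft.storage/storageaccounts/publicnetworkaccess": ("properties", "publicNetworkAccess"),
}

POLICIES = [
    {   # modelled on the built-in "Allowed locations": deny outside East US / West US (Q191)
        "name": "allowed-locations",
        "parameters": {"listOfAllowedLocations": ["eastus", "westus"]},
        "policyRule": {
            "if": {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
            "then": {"effect": "deny"},
        },
    },
    {   # nonblocking report of resources that lack a CostCenter tag (Q191)
        "name": "audit-costcenter-tag",
        "policyRule": {"if": {"field": "tags['CostCenter']", "exists": "false"},
                       "then": {"effect": "audit"}},
    },
    {   # block creation of anything without a Department tag (Q196)
        "name": "require-department-tag",
        "policyRule": {"if": {"field": "tags['Department']", "exists": "false"},
                       "then": {"effect": "deny"}},
    },
    {   # storage accounts must have public network access disabled (Q197)
        "name": "storage-no-public-access",
        "policyRule": {
            "if": {"allOf": [
                {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                {"field": "Microsoft.Storage/storageAccounts/publicNetworkAccess", "notEquals": "Disabled"},
            ]},
            "then": {"effect": "deny"},
        },
    },
]

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed
# Exemption for the one legacy account (Q197): policy name -> exempted scopes.
EXEMPTIONS = {"storage-no-public-access": [
    SUB + "/resourceGroups/rg-pilot/providers/Microsoft.Storage/storageAccounts/stlegacy01"]}


def scope_covers(scope, resource_id):
    """True if the scope is the resource itself or one of its ancestors (case-insensitive)."""
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")


def resolve(value, params):
    """Substitute "[parameters('name')]" references; anything else is a literal."""
    m = PARAM_REF.match(value) if isinstance(value, str) else None
    return params[m.group(1)] if m else value


def get_field(resource, field):
    key = field.lower()
    if key.startswith("tags["):                      # tags['Name'] -> resource.tags.Name
        return resource.get("tags", {}).get(field[6:-2])
    if key in ALIASES:                               # alias -> nested property path
        node = resource
        for part in ALIASES[key]:
            node = (node or {}).get(part)
        return node
    return resource.get(field)                       # top-level fields: location, type, ...


def norm(v):
    return v.lower() if isinstance(v, str) else v    # Azure string comparisons ignore case


def matches(cond, resource, params):
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    value = get_field(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return norm(value) == norm(resolve(cond["equals"], params))
    if "notEquals" in cond:
        return norm(value) != norm(resolve(cond["notEquals"], params))
    if "in" in cond:
        return norm(value) in [norm(x) for x in resolve(cond["in"], params)]
    if "notIn" in cond:
        return norm(value) not in [norm(x) for x in resolve(cond["notIn"], params)]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(resource, policies=POLICIES, exemptions=EXEMPTIONS):
    """Return (blocked, findings): deny blocks the request, audit only records a finding."""
    findings = []
    for p in policies:
        if any(scope_covers(s, resource["id"]) for s in exemptions.get(p["name"], [])):
            findings.append((p["name"], "exempt"))   # assignment stays in force elsewhere
            continue
        if matches(p["policyRule"]["if"], resource, p.get("parameters", {})):
            findings.append((p["name"], p["policyRule"]["then"]["effect"]))
    return any(e == "deny" for _, e in findings), findings


def sample_requests():
    """Constructed deployment requests covering each scenario from the questions."""
    rg = SUB + "/resourceGroups/rg-pilot"
    vm = {"type": "Microsoft.Compute/virtualMachines", "id": rg + "/providers/Microsoft.Compute/virtualMachines/vm1"}
    st = {"type": "Microsoft.Storage/storageAccounts", "properties": {"publicNetworkAccess": "Enabled"},
          "location": "eastus", "tags": {"Department": "IT", "CostCenter": "1001"}}
    return {
        "vm-wrong-region": {**vm, "location": "centralus", "tags": {"Department": "IT", "CostCenter": "1001"}},
        "vm-missing-costcenter": {**vm, "location": "eastus", "tags": {"Department": "IT"}},
        "vm-no-tags": {**vm, "location": "westus", "tags": {}},
        "legacy-storage": {**st, "id": rg + "/providers/Microsoft.Storage/storageAccounts/stlegacy01"},
        "new-public-storage": {**st, "id": rg + "/providers/Microsoft.Storage/storageAccounts/stnew01"},
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(name, evaluate(req))
```

Running it shows the distinction the questions test: the VM in Central US and the VM with no Department tag are blocked, the VM that merely lacks CostCenter deploys with an audit finding, the exempted legacy account passes while an otherwise identical new account is denied. Real Azure Policy additionally supports parameters on assignments, many more conditions and aliases, and the remediation effects (Modify, DeployIfNotExists) that the questions contrast with Audit.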

198
MCQ · easy

A developer has the Reader role assigned at the subscription scope. Later, the developer is assigned Contributor at the RG-Web resource group scope. Which permission is inherited by a storage account inside RG-Web?

A. Only the Reader role from the subscription scope is inherited by the storage account.
B. The Contributor role from RG-Web is inherited by the storage account.
C. Neither role is inherited because storage accounts require a direct assignment.
D. Both roles are merged into a new custom role automatically.
Answer: B

Permissions assigned at the resource group scope are inherited by resources in that group.

Why this answer

In Azure RBAC, permissions are inherited from higher scopes to lower scopes. The Contributor role assigned at the RG-Web resource group scope is inherited by all resources within that resource group, including the storage account. The Reader role from the subscription scope is also inherited; effective permissions are the union of both, so the broader Contributor permissions apply on the storage account alongside Reader.

Therefore, the storage account effectively has Contributor permissions.

Exam trap

The trap here is that candidates often think only the most specific scope (resource group) applies and forget that roles from higher scopes (subscription) are also inherited, leading them to incorrectly choose Option A.

How to eliminate wrong answers

Option A is wrong because it ignores that the Contributor role assigned at the resource group scope is also inherited by the storage account, not just the Reader role from the subscription. Option C is wrong because Azure RBAC roles are inherited by child resources; storage accounts do not require a direct assignment and automatically inherit roles from their parent resource group. Option D is wrong because Azure RBAC does not automatically merge roles into a custom role; instead, effective permissions are the union of all assigned roles, with the most permissive role granting the highest level of access.
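The scoping questions above (184, 189 and 198) all rest on two rules: an assignment applies to its scope and everything beneath it, and a principal's effective permissions at a resource are the union of every assignment whose scope covers that resource. The following is an added example, not the page's content or Microsoft's code: a toy model of that evaluation in which the scope check is a prefix match on the resource ID and each role is an abbreviated Actions/NotActions list. The subscription ID, principal names and resource names are constructed, and the role definitions are shortened stand-ins for the real built-in roles (data actions and deny assignments are not modelled).

```python
"""Toy model of Azure RBAC scope inheritance (added example, not Microsoft's code).

Models the rules the answers rely on: an assignment covers its scope and every
descendant (scope is a prefix of the resource ID), effective permissions are the
union of all covering assignments, and a role grants an action only if it matches
Actions and not NotActions. Role definitions are abbreviated; IDs are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed sample ID

# Abbreviated built-in roles. Patterns are case-insensitive and '*' spans '/'.
ROLES = {
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Contributor": {"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]},
    "Owner": {"actions": ["*"], "notActions": []},
    "Virtual Machine Contributor": {"actions": ["Microsoft.Compute/virtualMachines/*",
                                                "Microsoft.Compute/*/read"], "notActions": []},
}


@dataclass(frozen=True)
class Assignment:
    principal: str   # user, group or managed identity (constructed names here)
    role: str
    scope: str       # management group, subscription, resource group or resource ID


def scope_covers(scope, resource_id):
    """True if the assignment scope is the resource itself or one of its ancestors."""
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")


def role_allows(role, action):
    """NotActions subtract from Actions inside one role; they never deny other roles."""
    a = action.lower()
    definition = ROLES[role]
    if any(fnmatchcase(a, p.lower()) for p in definition["notActions"]):
        return False
    return any(fnmatchcase(a, p.lower()) for p in definition["actions"])


def effective_roles(assignments, principal, resource_id):
    """Every role the principal holds at the resource, whichever scope it was assigned at."""
    return sorted({a.role for a in assignments
                   if a.principal == principal and scope_covers(a.scope, resource_id)})


def is_allowed(assignments, principal, action, resource_id):
    """Additive model: the action is allowed if ANY inherited role grants it."""
    return any(role_allows(r, action) for r in effective_roles(assignments, principal, resource_id))


def demo():
    """Scenarios from Q189 (engineer scoped to one VM) and Q198 (Reader + Contributor)."""
    rg_web = SUB + "/resourceGroups/RG-Web"
    stweb = rg_web + "/providers/Microsoft.Storage/storageAccounts/stweb01"
    stother = SUB + "/resourceGroups/RG-Other/providers/Microsoft.Storage/storageAccounts/stother01"
    vm1 = SUB + "/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/VM-App01"
    vm2 = SUB + "/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/VM-App02"
    assignments = [
        Assignment("dev", "Reader", SUB),                            # subscription scope
        Assignment("dev", "Contributor", rg_web),                    # resource group scope
        Assignment("engineer", "Virtual Machine Contributor", vm1),  # single resource scope
    ]
    write = "Microsoft.Storage/storageAccounts/write"
    read = "Microsoft.Storage/storageAccounts/read"
    restart = "Microsoft.Compute/virtualMachines/restart/action"
    grant = "Microsoft.Authorization/roleAssignments/write"
    return {
        "dev_roles_on_stweb": effective_roles(assignments, "dev", stweb),
        "dev_write_stweb": is_allowed(assignments, "dev", write, stweb),
        "dev_write_stother": is_allowed(assignments, "dev", write, stother),
        "dev_read_stother": is_allowed(assignments, "dev", read, stother),
        "engineer_restart_vm1": is_allowed(assignments, "engineer", restart, vm1),
        "engineer_restart_vm2": is_allowed(assignments, "engineer", restart, vm2),
        "engineer_grant_vm1": is_allowed(assignments, "engineer", grant, vm1),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The output makes the inheritance visible: the developer holds both Reader and Contributor on the RG-Web storage account and can write to it, but only Reader on a storage account in another group; the engineer can restart VM-App01 and nothing else, and cannot write role assignments at any scope.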

199
MCQ · medium

A project team adds and removes contractors every month. The team wants Azure role assignments to stay the same when individual contractors leave or join, and access should be granted to everyone on the team through one control point. What should the administrator assign the Azure role to?

A. A Microsoft Entra security group
B. A Microsoft 365 group
C. A guest user account
D. A managed identity
Answer: A

Security groups are the right choice for Azure RBAC delegation because membership can change without editing the role assignment itself.

Why this answer

Assigning an Azure role to a Microsoft Entra security group provides a single control point for managing permissions. When contractors join or leave, the administrator only needs to add or remove their user accounts from the group, and the role assignments remain intact. This decouples access from individual user accounts and ensures consistent permissions for the entire team.

Exam trap

The trap here is that candidates may confuse Microsoft 365 groups with security groups, assuming both are equally suitable for Azure RBAC, but Microsoft 365 groups are optimized for collaboration features and are not the default or most efficient choice for managing Azure resource access.

How to eliminate wrong answers

Option B is wrong because a Microsoft 365 group is primarily designed for collaboration (e.g., shared mailboxes, calendars, and Teams) and, while it can be assigned Azure roles, it is not the recommended or most straightforward control point for managing Azure resource access; security groups are the standard for role-based access control. Option C is wrong because a guest user account represents a single external user, not a team, and would require individual role assignments for each contractor, defeating the purpose of a single control point. Option D is wrong because a managed identity is an Azure service principal used for authenticating to Azure resources from code or services, not for granting access to human users or groups.

200
Multi-Select · hard

Your company wants one governance baseline to apply automatically to all current and future production subscriptions, and finance wants cost reporting by application across many resource groups. Which two design choices best satisfy the requirements? Select two.

Select 2 answers
A. Place the production subscriptions under a dedicated management group so inherited policy and RBAC can be applied once.
B. Use tags such as Application or CostCenter on resources or resource groups for chargeback and reporting.
C. Place all production workloads into one shared resource group so governance and reporting are simpler.
D. Use management groups instead of tags because tags are not useful for cost reporting.
E. Assign the baseline only at one subscription and copy the settings manually to every new subscription.
Answers: A, B

Management groups are the right abstraction for organizing subscriptions that share governance requirements. Assigning policy and RBAC at that level lets the enterprise apply a baseline once and have it flow to child subscriptions automatically. This is the strongest fit for enterprise-wide production governance.

Why this answer

Option A is correct because placing production subscriptions under a dedicated management group allows you to apply Azure Policy and Azure RBAC at the management group scope, which automatically inherits to all current and future subscriptions within that hierarchy. This ensures a consistent governance baseline without manual intervention for new subscriptions. Option B is correct because tags such as Application or CostCenter carry the chargeback dimension finance needs across many resource groups, something the management group hierarchy on its own does not provide.

Exam trap

The trap here is that candidates may confuse management groups and tags as mutually exclusive, when in fact they are complementary: management groups enforce governance inheritance, while tags enable granular cost reporting and chargeback.

201
MCQ (easy)

A central audit group must have Reader access for every current and future subscription in the company hierarchy. You want one assignment that will apply broadly as new subscriptions are added. Where should the role be assigned?

A. At the management group that contains the subscriptions
B. At one resource group in each subscription
C. At a single resource
D. At the tenant root only for one application
Answer: A

A management group assignment flows down to current and future subscriptions under it.

Why this answer

Assigning the Reader role at the management group level ensures that the central audit group's role assignment is inherited by all current and future subscriptions within that management group hierarchy. This is the most efficient and scalable approach because Azure RBAC assignments on a management group are inherited by all child subscriptions and resource groups, eliminating the need to manually update permissions as new subscriptions are added.

Exam trap

The trap here is that candidates may think assigning at the tenant root is possible for subscription-level access, but Azure does not support role assignments at the tenant root scope for resource management; the correct hierarchical scope for broad inheritance is the management group.

How to eliminate wrong answers

Option B is wrong because assigning the Reader role at a resource group in each subscription would require manual updates for every new subscription and does not cover the entire subscription scope, leaving other resource groups without the required access. Option C is wrong because assigning at a single resource provides the narrowest scope, granting access only to that specific resource, not to any subscription or resource group. Option D is wrong because the tenant root scope (/) is not a valid assignment target for role-based access control; role assignments must be made at management group, subscription, resource group, or resource scopes, and the tenant root is only used for administrative units or directory-level roles, not for granting Reader access to subscriptions.

202
MCQ (medium)

A change-freeze requires that no one can modify the settings of a subscription's resource group for six hours. Deletion is not the main concern; the priority is to block changes to existing resources during the freeze. Which lock should you apply?

A. CanNotDelete
B. ReadOnly
C. Reader
D. DeployIfNotExists
Answer: B

ReadOnly blocks write operations, which is the appropriate choice when all configuration changes must be prevented during a freeze.

Why this answer

The ReadOnly lock prevents any modification to existing resources, including configuration changes, while still allowing read operations. This directly satisfies the change-freeze requirement to block changes for six hours, as it denies all write operations at the resource group scope.

Exam trap

The trap here is confusing Azure RBAC roles (like Reader) with resource locks, as both can restrict changes but locks are applied at the resource scope and override all permissions, while RBAC roles are identity-based and can be bypassed by privileged users.

How to eliminate wrong answers

Option A is wrong because CanNotDelete only prevents deletion of resources but still allows modifications like updating settings, scaling, or changing configurations, which violates the change-freeze. Option C is wrong because Reader is an Azure RBAC role, not a lock; it controls access via role assignments but does not enforce a resource-level lock that can be applied independently of user permissions. Option D is wrong because DeployIfNotExists is a policy effect used in Azure Policy to deploy resources when a condition is not met, not a lock for blocking modifications.

203
Multi-Select (easy)

A department wants three related policies grouped together and assigned as one unit to a set of subscriptions. Which two statements about an Azure Policy initiative are correct? Select two.

Select 2 answers
A. An initiative groups multiple policy definitions into one assignment.
B. An initiative can be assigned at management group scope to cover child subscriptions.
C. An initiative grants Azure permissions to users.
D. An initiative replaces resource group locks.
E. An initiative is used to create a new resource group.
Answers: A, B

An initiative is used to bundle related policy definitions so they can be managed together. This reduces administrative effort because you assign and review one control set instead of handling each policy separately.

Why this answer

Option A is correct because an Azure Policy initiative is specifically designed to group multiple policy definitions into a single assignment. This allows you to apply a set of related compliance rules as one unit, simplifying management and ensuring consistent enforcement across subscriptions.

Exam trap

The trap here is that candidates often confuse Azure Policy initiatives with RBAC roles or resource locks, mistakenly thinking initiatives manage permissions or protect resources, when in fact they only enforce compliance rules.

204
MCQ (easy)

Three VMs run the same batch app and should use the same Azure identity to read blobs. The identity should remain available even if one VM is deleted. Which identity should you use?

A. Shared access signature (SAS) token
B. System-assigned managed identity
C. User-assigned managed identity
D. Storage account shared key
Answer: C

A user-assigned managed identity can be attached to multiple VMs and continues to exist even if one VM is deleted.

Why this answer

C is correct because a user-assigned managed identity is an independent Azure resource that persists even if a specific VM is deleted. This allows multiple VMs to share the same identity to authenticate to Azure Blob Storage, ensuring continuous access to blobs as long as at least one VM remains.

Exam trap

The trap here is that candidates often choose system-assigned managed identity (Option B) because it is simpler to set up, but they overlook the requirement that the identity must survive VM deletion, which only a user-assigned identity guarantees.

How to eliminate wrong answers

Option A is wrong because a SAS token is a URL-based delegation of access that must be stored and rotated manually; it is not an Azure AD identity and cannot be shared across VMs without exposing the token. Option B is wrong because a system-assigned managed identity is tied to the lifecycle of a single VM—if that VM is deleted, the identity is also deleted, breaking access for other VMs. Option D is wrong because a storage account shared key is a static, high-privilege credential that must be stored in code or configuration, violating the principle of using an Azure AD identity and introducing security risks if leaked.

205
MCQ (medium)

Based on the exhibit, which lock should the administrator apply to protect the resource group from accidental deletion while still allowing normal updates to the resources inside it?

A. Apply a CanNotDelete lock to rg-payroll-prod.
B. Apply a ReadOnly lock to rg-payroll-prod.
C. Apply a tag named Protected=True to rg-payroll-prod.
D. Create an Azure Policy assignment that denies all delete operations.
Answer: A

CanNotDelete blocks deletion of the locked scope while still allowing normal management operations such as updates, restarts, and configuration changes.

Why this answer

The CanNotDelete lock (also known as Delete lock) prevents the resource group itself from being deleted while still allowing all updates (including create, modify, and delete operations) on the resources within it. This is the correct choice because the requirement is to protect only the resource group from accidental deletion, not to restrict changes to the resources inside.

Exam trap

The trap here is that candidates often confuse the CanNotDelete lock with a ReadOnly lock, mistakenly thinking that preventing deletion also requires blocking updates, or they assume a tag or policy can substitute for a resource lock.

How to eliminate wrong answers

Option B is wrong because a ReadOnly lock prevents all write and delete operations on the resource group and its resources, which would block normal updates to the resources inside. Option C is wrong because a tag is a metadata label and does not enforce any access control or deletion protection; it cannot prevent deletion. Option D is wrong because an Azure Policy assignment that denies all delete operations would block deletion of both the resource group and all resources within it, which is overly restrictive and does not allow normal updates.

206
MCQ (easy)

Based on the exhibit, where should the administrator go to see which resources are non-compliant with the assigned policy?

A. Azure Policy compliance view.
B. Entra ID users and groups.
C. Azure Activity log only.
D. Resource locks blade.
Answer: A

The compliance view lists policy results and shows which resources are compliant or non-compliant.

Why this answer

The Azure Policy compliance view is the correct place to see which resources are non-compliant with assigned policies. This view aggregates compliance states across all policies and initiatives, showing a per-resource breakdown of compliant, non-compliant, and exempt statuses. It directly reflects the evaluation results from the Azure Policy engine, which runs periodic scans and on-demand evaluations.

Exam trap

The trap here is that candidates confuse the Azure Activity log (which records who did what) with the Azure Policy compliance view (which shows what is out of compliance), leading them to pick the Activity log instead of the dedicated compliance dashboard.

How to eliminate wrong answers

Option B is wrong because the Entra ID users and groups blade is for identity management (users, groups, and directory roles), not for viewing policy compliance of Azure resources. Option C is wrong because the Azure Activity log only records operational events (e.g., create, delete, update) and does not provide a compliance state summary for policy assignments. Option D is wrong because the Resource locks blade is used to manage delete/read-only locks on resources to prevent accidental changes, not to display policy compliance results.

207
MCQ (hard)

Three Azure VMs in separate resource groups run the same data-processing agent. The agent must read blobs from a storage account, and the access must continue to work if any VM is rebuilt or replaced. The operations team also wants one identity they can reassign to future VMs without creating another credential. Which identity approach should be used?

A. A system-assigned managed identity on each VM.
B. A storage account shared key embedded in the application settings.
C. A service principal credential stored in a Key Vault secret.
D. A user-assigned managed identity attached to the VMs.
Answer: D

A user-assigned managed identity is the right choice when the same Azure identity must be shared across multiple VMs and survive VM replacement. You can grant it access once, attach it to current and future VMs, and avoid storing passwords or access keys in the workload.

Why this answer

A user-assigned managed identity (D) is the correct choice because it is a standalone Azure resource that can be created independently and then attached to multiple VMs. If a VM is rebuilt or replaced, the same user-assigned identity can be reassigned to the new VM without any credential rotation or secret management. This ensures continuous blob access via Azure AD authentication, meeting the requirement for a single, reusable identity.

Exam trap

The trap here is that candidates confuse system-assigned and user-assigned managed identities, assuming both are equally reusable, but system-assigned identities are deleted with the VM, making them unsuitable for scenarios requiring identity persistence across VM rebuilds.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to the lifecycle of a single VM; if that VM is deleted, the identity is also deleted, requiring a new identity and role assignment for any replacement VM. Option B is wrong because a storage account shared key is a static, high-privilege credential that must be securely stored and rotated, and it cannot be reassigned to future VMs without exposing the key in application settings, violating the 'no new credential' requirement. Option C is wrong because a service principal credential stored in Key Vault still requires managing a secret (the client secret or certificate), which must be rotated and securely retrieved by each VM, adding complexity and a potential single point of failure; it does not provide the seamless, credential-less reassignment that a managed identity offers.

208
MCQ (medium)

Based on the exhibit, which Azure Policy construct should the administrator use to deploy and manage these guardrails as one unit across the department?

A. Create an Azure Policy initiative and assign it at the management group scope.
B. Create an Azure RBAC role assignment at the management group scope.
C. Apply a ReadOnly lock to each subscription.
D. Move all resources into one resource group.
Answer: A

An initiative groups multiple related policies into one assignable unit, which is ideal when several guardrails must be managed together across many subscriptions.

Why this answer

An Azure Policy initiative is a collection of policy definitions designed to group related policies together for deployment as a single unit. By assigning the initiative at the management group scope, the administrator can enforce consistent guardrails across all subscriptions within that management group, ensuring centralized governance and compliance for the entire department.

Exam trap

The trap here is confusing Azure Policy initiatives with RBAC roles or resource locks, as candidates often think access control or resource protection alone can enforce governance guardrails, but only policy initiatives provide the unified, rule-based deployment and management of compliance requirements.

How to eliminate wrong answers

Option B is wrong because Azure RBAC role assignments control access permissions (who can do what), not the deployment and management of guardrails (what is allowed or denied). Option C is wrong because a ReadOnly lock prevents resource modification but does not enforce compliance rules or deploy policies as a unit. Option D is wrong because moving all resources into one resource group does not provide governance guardrails; it only consolidates resources without any policy enforcement.

209
MCQ (medium)

A PowerShell script runs on an Azure VM every night and uses Azure CLI commands to create tags and VM resources in another subscription. The script cannot store a password or client secret. What should it use to authenticate to Azure?

A. `az login` with a username and password.
B. `az login --identity`.
C. `Connect-AzAccount` with device code authentication.
D. An app registration secret stored in a PowerShell variable.
Answer: B

The Azure CLI can sign in with the VM's managed identity by using az login --identity. That allows the script to authenticate without storing a password or client secret. After sign-in, the identity can be granted access to the target subscription or resource group, which makes the solution both secure and automation-friendly for nightly jobs.

Why this answer

Option B is correct because the script runs on an Azure VM and can use a managed identity to authenticate without storing any secrets. The `az login --identity` command uses the VM's system-assigned or user-assigned managed identity to obtain an Azure AD access token via the Azure Instance Metadata Service (IMDS) endpoint. This satisfies the requirement of no password or client secret storage.

Exam trap

The trap here is that candidates often confuse managed identity with service principal secrets or device code authentication, assuming any non-interactive method requires a stored secret, but `az login --identity` provides secretless authentication for Azure resources.

How to eliminate wrong answers

Option A is wrong because `az login` with a username and password requires interactive input or storing credentials, and it does not support non-interactive automation without a service principal or device code flow. Option C is wrong because `Connect-AzAccount` with device code authentication requires a user to manually open a browser and enter a code, which is not suitable for an unattended nightly script. Option D is wrong because storing an app registration secret in a PowerShell variable still requires the secret to be present in the script or environment, violating the requirement of no stored password or client secret.

210
MCQ (medium)

Based on the exhibit, where should the Reader role be assigned so the audit team automatically has access to every current and future subscription under Corp?

A. Assign Reader at the Corp management group scope.
B. Assign Reader at the subscription scope for Sub-001.
C. Assign Reader at the resource group scope in each subscription.
D. Assign Reader directly to each resource that the audit team might review.
Answer: A

A management group assignment inherits to all child subscriptions, so new subscriptions placed under Corp also receive the access automatically.

Why this answer

Assigning the Reader role at the Corp management group scope uses Azure RBAC inheritance to grant the audit team read-only access to all current and future subscriptions under that management group. Because management group scope propagates role assignments to all child subscriptions and resource groups, this ensures automatic coverage without manual updates.

Exam trap

The trap here is that candidates often choose subscription-level assignment (Option B) because they think it covers all resources in that subscription, but they overlook that the question requires access to every current and future subscription under Corp, which only management group inheritance can provide.

How to eliminate wrong answers

Option B is wrong because assigning Reader at the subscription scope for Sub-001 would only grant access to that single subscription, not to any future subscriptions added under Corp. Option C is wrong because assigning Reader at the resource group scope in each subscription would require manual assignment for every resource group and would not cover new subscriptions or resource groups automatically. Option D is wrong because assigning Reader directly to each resource is impractical and does not scale; it also fails to grant access to resources created in the future unless the assignment is repeated.

211
MCQ (easy)

A newly created VM must read secrets from Azure Key Vault. The solution must not store credentials on the VM, and the identity should disappear automatically when the VM is deleted. What should the administrator enable?

A. User-assigned managed identity
B. System-assigned managed identity
C. A service principal with a stored client secret
D. A storage account access key
Answer: B

A system-assigned managed identity is tied directly to one VM. Azure creates and manages the identity for that resource, so no passwords or client secrets need to be stored on the server. When the VM is deleted, the identity is removed automatically, which satisfies both security and lifecycle requirements.

Why this answer

A system-assigned managed identity is automatically created and tied to the lifecycle of the Azure VM. When the VM is deleted, the identity is automatically removed, satisfying the requirement that the identity disappears. This identity can be granted access to Key Vault secrets via Azure RBAC or access policies, without storing any credentials on the VM.

Exam trap

The trap here is that candidates often confuse user-assigned and system-assigned managed identities, assuming both are tied to the VM lifecycle, but only the system-assigned identity is automatically deleted with the VM.

How to eliminate wrong answers

Option A is wrong because a user-assigned managed identity is created as a standalone Azure resource and persists independently of the VM; it will not be automatically deleted when the VM is deleted. Option C is wrong because a service principal with a stored client secret requires the secret to be stored on the VM (e.g., in a configuration file or environment variable), violating the requirement that no credentials be stored on the VM. Option D is wrong because a storage account access key is used for authenticating to Azure Storage, not for accessing Key Vault secrets, and it would need to be stored on the VM, again violating the no-credentials-on-VM requirement.

212
MCQ (easy)

Based on the exhibit, what should the administrator create to let Alex restart one VM and read its properties without giving broader permissions?

A. Create a custom role that includes only the required VM read and restart actions.
B. Create an Azure Policy assignment that allows restart operations on the VM.
C. Apply a CanNotDelete lock to the VM resource.
D. Move the VM to a management group so the permissions become more specific.
Answer: A

A custom role lets the administrator define only the actions needed for the task, such as reading VM properties and restarting the VM. That is the cleanest least-privilege solution when built-in roles are broader than necessary.

Why this answer

Option A is correct because Azure custom roles allow you to define granular permissions by specifying only the required actions in the `Actions` field of the role definition. For Alex to restart a VM (`Microsoft.Compute/virtualMachines/restart/action`) and read its properties (`Microsoft.Compute/virtualMachines/read`), a custom role with exactly these two actions provides the least-privilege access without granting broader permissions like VM write or delete.

Exam trap

The trap here is that candidates confuse Azure Policy (which enforces configurations) with RBAC (which controls permissions), or they mistakenly think locks or management groups can grant specific actions like restart.

How to eliminate wrong answers

Option B is wrong because Azure Policy is used to enforce compliance rules (e.g., requiring specific tags or SKUs) and cannot grant or deny permissions; it evaluates resource configurations but does not control RBAC actions like restart. Option C is wrong because a CanNotDelete lock only prevents deletion of the VM resource; it does not grant any permissions to read properties or perform restart actions. Option D is wrong because moving a VM to a management group does not make permissions more specific; management groups are used for hierarchical organization and policy inheritance, not for granting granular RBAC permissions.

213
Drag & Drop (medium)

Arrange the steps to create a virtual network in Azure with a subnet and deploy a VM.

Why this order

First create the VNet with its address space, then add a subnet, associate an NSG, deploy the VM, and then verify.

214
MCQ (medium)

New Azure subscriptions are created every month. Production subscriptions require stricter governance than sandbox subscriptions, and central IT wants those rules to apply automatically to any future production subscription without reconfiguring each one. What should they set up?

A. Separate resource groups for production and sandbox workloads in each subscription.
B. A management group hierarchy with production and sandbox child management groups, then assign governance at the appropriate scope.
C. A CanNotDelete lock on each subscription.
D. A custom role assigned to each subscription owner.
Answer: B

Management groups provide a hierarchy for organizing subscriptions and applying governance that inherits to child scopes. Placing production and sandbox subscriptions under different child management groups lets central IT target different controls once, and the settings flow automatically to future subscriptions placed in those groups.

Why this answer

Management groups allow you to build a hierarchy that reflects your organizational structure and apply governance policies (e.g., Azure Policy, RBAC) at the management group scope. By creating a 'Production' child management group under the root, any new subscription placed in that group automatically inherits the assigned policies and role assignments, eliminating the need to reconfigure each subscription individually.

Exam trap

The trap here is that candidates confuse resource groups or locks with management groups, failing to realize that only management groups provide hierarchical inheritance of governance across multiple subscriptions without per-subscription configuration.

How to eliminate wrong answers

Option A is wrong because resource groups are containers within a single subscription and cannot apply governance across multiple subscriptions or automatically enforce rules on new subscriptions. Option C is wrong because a CanNotDelete lock prevents accidental deletion of a subscription but does not enforce governance policies like allowed regions, SKU restrictions, or tagging requirements. Option D is wrong because a custom role assigned to each subscription owner delegates permissions but does not automatically apply governance rules to new subscriptions; it requires manual assignment per subscription and does not enforce policies.

215
Multi-Select (medium)

An operations team must enforce two rules across all subscriptions in a department: new resources must include a CostCenter tag, and deployments are allowed only in East US and West US. The team wants one assignment and automatic blocking of noncompliant deployments. Which three actions should the administrator take? Select three.

Select 3 answers
A. Create an Azure Policy initiative that contains both policy definitions.
B. Assign the initiative at the management group scope that contains the department subscriptions.
C. Use the Deny effect for both policy definitions.
D. Grant Contributor at the subscription scope.
E. Apply a CanNotDelete lock to each resource group.
Answers: A, B, C

An initiative bundles multiple related policy definitions into a single assignable unit. That allows the team to manage the tag requirement and allowed-location requirement together as one governance package.

Why this answer

Option A is correct because an Azure Policy initiative (a set of policy definitions) allows combining the CostCenter tag requirement and the allowed region restriction into a single assignment, simplifying management. This ensures both rules are enforced together across all subscriptions in the department.

Exam trap

The trap here is that candidates often confuse RBAC roles (like Contributor) with Azure Policy effects, mistakenly thinking granting permissions can enforce compliance, or they confuse resource locks with policy enforcement.

216
MCQ (medium)

You need to prevent accidental deletion of a resource group while still allowing administrators to create and modify resources inside it. Which lock should you apply?

A. ReadOnly
B. CanNotDelete
C. Delete lock
D. No lock and a budget alert
Answer: B

A CanNotDelete lock blocks deletion but still permits updates.

Why this answer

The CanNotDelete lock prevents the resource group from being deleted while still allowing all operations (including create and modify) on resources within it. This is the correct choice because the requirement is specifically to block deletion, not to restrict modifications or read access.

Exam trap

The trap here is that candidates confuse the non-existent 'Delete lock' with the actual CanNotDelete lock, or assume a ReadOnly lock is needed when only deletion prevention is required.

How to eliminate wrong answers

Option A is wrong because a ReadOnly lock prevents all modifications to resources, including create and modify operations, which contradicts the requirement to allow administrators to create and modify resources. Option C is wrong because 'Delete lock' is not a valid Azure lock type; Azure supports only CanNotDelete and ReadOnly locks. Option D is wrong because a budget alert only sends notifications when spending exceeds a threshold and does not prevent deletion of the resource group.

217
MCQ (easy)

An administrator wants to run a one-time Azure CLI command from inside a VM to create a resource in Azure, but the administrator does not want to store credentials on the VM. What should be used for authentication?

A. The VM's managed identity
B. A local administrator password
C. A network security group rule
D. An Azure region paired with the VM
Answer: A

The VM’s managed identity lets scripts or Azure CLI commands authenticate to Azure without storing secrets on the machine. After the identity is enabled and granted the needed role, the command can sign in by using the identity instead of a password or service principal secret. This is the secure and practical approach.

Why this answer

Azure Managed Identity provides an automatically managed identity in Azure AD that allows a VM to authenticate to any service that supports Azure AD authentication, including Azure Resource Manager, without storing any credentials on the VM. When the administrator runs the Azure CLI command from within the VM, the CLI can use the managed identity's token endpoint (169.254.169.254/metadata/identity/oauth2/token) to obtain an access token, enabling secure, credential-free resource creation.

Exam trap

The trap here is that candidates may confuse authentication with authorization or network controls, thinking a local password or NSG rule can somehow grant Azure resource creation permissions, when only an Azure AD-backed identity like a managed identity can provide credential-free authentication to ARM.

How to eliminate wrong answers

Option B is wrong because a local administrator password is stored on the VM and would be exposed if the VM is compromised; it also cannot authenticate to Azure Resource Manager for creating resources. Option C is wrong because a network security group (NSG) rule controls inbound/outbound traffic at the subnet or NIC level and has no role in authentication or authorization to create Azure resources. Option D is wrong because an Azure paired region is a disaster recovery and replication concept that provides no authentication mechanism for running Azure CLI commands from a VM.

218
MCQ (hard)

A project team has 12 operators who need to read resource properties and restart only the virtual machines in one application resource group. Access should be removed automatically when an operator leaves the team, and any new VMs added to that resource group should inherit the same access without further changes. What should the administrator configure?

A. Assign the role directly to each operator at the resource group scope.
B. Create an Entra ID group, add the operators to it, and assign a custom least-privilege role to the group at the resource group scope.
C. Assign Virtual Machine Contributor to the team at the subscription scope.
D. Use a resource lock and add the operators as lock owners.
Answer: B

Using a group makes access management dynamic, because removing someone from the group immediately removes their effective permissions. Assigning the role at the resource group scope also ensures any new VM in that group inherits the access automatically, while a custom role can keep permissions limited to read and restart actions.

Why this answer

Option B is correct because it uses an Entra ID group to manage access, which allows automatic removal of operators from the group when they leave the team, and any new VMs added to the resource group will inherit the role assignment at the resource group scope. A custom least-privilege role ensures operators can only read resource properties and restart VMs, meeting the specific requirements without over-permissioning.

Exam trap

The trap here is that candidates often confuse resource locks with RBAC permissions, thinking locks can control access, or they overlook the need for a group-based approach to meet the automatic access removal requirement, instead choosing direct assignments or overly broad subscription-level roles.

How to eliminate wrong answers

Option A is wrong because assigning the role directly to each operator requires manual updates when an operator leaves or joins, failing the automatic access removal requirement. Option C is wrong because assigning Virtual Machine Contributor at the subscription scope grants excessive permissions to all VMs in the subscription, not just the application resource group, and does not provide a least-privilege custom role. Option D is wrong because a resource lock prevents accidental deletion or modification of resources but does not grant any permissions to read properties or restart VMs; lock owners only manage the lock itself, not access to the VMs.

219
Multi-Select · hard

A contractor is a member of an Entra security group that has a PIM-eligible Contributor assignment on a resource group. The contractor sees the role in the portal, but deployment fails with a 'role not active' message. The activation policy requires justification, MFA, and manager approval. Which two actions are required before the deployment succeeds? Select two.

Select 2 answers
A. Activate the eligible role assignment in Privileged Identity Management.
B. Complete the configured activation requirements, such as justification, MFA, and manager approval.
C. Add the contractor directly to the subscription Owner role to bypass the eligibility workflow.
D. Wait for Azure Policy compliance evaluation to finish before trying again.
E. Remove the user from the security group and add them back so the role becomes active.
Answers: A, B

An eligible assignment does not grant active access until the user activates it. Seeing the role in the portal only means the assignment exists; it does not mean it is currently effective. Activation is the first required step to make the permissions usable.

Why this answer

Option A is correct because the contractor has a PIM-eligible role assignment, which means the role is not active until the user activates it through Privileged Identity Management. Activation is a prerequisite for the role to be effective, and without it, any deployment requiring the Contributor role will fail with a 'role not active' message.

Exam trap

The trap here is that candidates often assume an eligible role assignment is immediately usable, but PIM requires explicit activation with all configured requirements before the role becomes effective for deployments.

220
MCQ · hard

An enterprise has a management group named Corp. Corp contains two child management groups: Prod and Sandbox. A compliance auditor is a member of an Entra ID group and must have read-only access to every current and future resource in all subscriptions that are under Prod. The auditor must not see resources in Sandbox, and the admin does not want to maintain separate assignments for each new subscription. What should the administrator do?

A. Assign the Reader role to the group at each subscription scope under Prod.
B. Assign the Reader role to the group at the Corp management group scope.
C. Assign the Reader role to the group at the Prod management group scope.
D. Assign the Reader role to the group at one resource group in each Prod subscription.
Answer: C

A role assignment at the Prod management group scope inherits to all subscriptions, resource groups, and resources beneath that management group, including future subscriptions placed there later. It also stays limited to Prod, so Sandbox remains outside the auditor's visibility.

Why this answer

Option C is correct because assigning the Reader role at the Prod management group scope applies that permission to all current and future subscriptions and resources within Prod, satisfying the requirement for read-only access without needing separate assignments. Management groups in Azure provide a hierarchical scope that inherits role assignments to all child subscriptions and resource groups, making this the most efficient and future-proof approach.

Exam trap

The trap here is that candidates may choose Option B (assign at Corp scope) thinking it covers all subscriptions, but they overlook that it would also grant access to Sandbox, failing the requirement to restrict the auditor to Prod only.

How to eliminate wrong answers

Option A is wrong because assigning the Reader role at each subscription scope under Prod would require manual maintenance for every new subscription, violating the requirement to avoid separate assignments. Option B is wrong because assigning the Reader role at the Corp management group scope would grant read-only access to all subscriptions under both Prod and Sandbox, which the auditor must not see. Option D is wrong because assigning the Reader role at one resource group in each Prod subscription would only grant access to that specific resource group, not to all resources in the subscription, and would still require separate assignments for each subscription.

221
MCQ · medium

A platform team runs an internal automation tool that must restart VMs and read network interface settings in one resource group. Built-in roles available to the team are broader than the access they want to grant. What should the administrator create?

A. A custom role with only the required compute and read permissions, assigned at the resource group scope.
B. The Contributor role assigned at the subscription scope.
C. The Reader role assigned at the resource group scope.
D. The Network Contributor role assigned at the resource group scope.
Answer: A

A custom role lets the admin grant only the specific actions the tool needs, and only in one resource group.

Why this answer

Option A is correct because the team needs only specific actions (restart VMs and read network interface settings) within a single resource group. Creating a custom role with only the required compute and read permissions, assigned at the resource group scope, follows the principle of least privilege and avoids granting broader access than necessary. Built-in roles like Contributor or Network Contributor include extra permissions (e.g., write, delete) that are not needed.

Exam trap

The trap here is that candidates often choose a built-in role like Contributor or Network Contributor because they see 'restart' or 'network' in the name, without realizing these roles include excessive permissions that violate the principle of least privilege.

How to eliminate wrong answers

Option B is wrong because the Contributor role at subscription scope grants write and delete permissions on all resources in the subscription, far exceeding the required actions and violating least privilege. Option C is wrong because the Reader role at resource group scope provides read-only access to all resources but does not include the 'Microsoft.Compute/virtualMachines/restart/action' permission needed to restart VMs. Option D is wrong because the Network Contributor role at resource group scope includes write permissions for network resources (e.g., create/delete network interfaces) but lacks the compute restart action, and it also grants broader network permissions than needed.

222
MCQ · easy

Based on the exhibit, which lock should the administrator apply so resources can still be updated but cannot be deleted by mistake?

A. ReadOnly lock
B. CanNotDelete lock
C. Subscription lock
D. Management group lock
Answer: B

CanNotDelete is the correct lock when the organization wants to allow configuration changes but prevent accidental deletion. It protects the resource group and its resources from delete operations while still letting administrators update settings and perform normal management tasks.

Why this answer

The CanNotDelete lock (option B) is correct because it allows all operations including updates and reads, but explicitly prevents deletion of the resource. This meets the requirement that resources can still be updated but cannot be deleted by mistake. Azure resource locks operate at the scope level and override any role-based permissions, ensuring that even users with Contributor or Owner roles cannot delete the resource while the lock is active.

Exam trap

The trap here is that candidates often confuse the ReadOnly lock with the CanNotDelete lock, mistakenly thinking that a ReadOnly lock still allows updates, when in fact it blocks all write operations including updates, making it unsuitable for the stated requirement.

How to eliminate wrong answers

Option A is wrong because the ReadOnly lock prevents all write operations, including updates, which directly contradicts the requirement that resources must still be updatable. Option C is wrong because a Subscription lock applies to the entire subscription scope, which is overly broad and would affect all resources in the subscription, not just the specific resources the administrator intends to protect. Option D is wrong because a Management group lock applies to all subscriptions within that management group hierarchy, which is also too broad and does not target the specific resources that need to be protected from deletion while allowing updates.

223
MCQ · medium

An Azure administrator deploys a Linux VM that runs an application needing to read secrets from Azure Key Vault. The security policy forbids storing passwords, certificates, or access tokens on the VM. The application will run only on this single VM. What should be enabled on the VM?

A. Store a service principal secret in a protected file and use it at startup.
B. Enable a system-assigned managed identity on the VM.
C. Create a user-assigned managed identity and avoid assigning it to the VM.
D. Use an SSH certificate to authenticate the app to Key Vault.
Answer: B

A system-assigned managed identity lets the VM authenticate to Azure resources without storing secrets.

Why this answer

A system-assigned managed identity enables the VM to authenticate to Azure Key Vault without storing any credentials on the VM. Azure automatically creates a service principal in Azure AD for the VM, and the application can obtain an access token from the Azure Instance Metadata Service (IMDS) endpoint (169.254.169.254) using that identity. This satisfies the security policy forbidding stored secrets because the identity is managed entirely by Azure and no passwords, certificates, or tokens are stored locally.

Exam trap

The trap here is that candidates may confuse SSH certificates (used for VM access) with Azure AD authentication tokens, or incorrectly assume that a user-assigned managed identity can be used without assignment to the VM.

How to eliminate wrong answers

Option A is wrong because storing a service principal secret in a protected file on the VM violates the explicit security policy forbidding storing passwords, certificates, or access tokens on the VM. Option C is wrong because a user-assigned managed identity must be assigned to the VM to be used by the application; creating it without assignment provides no authentication capability. Option D is wrong because SSH certificates are used for SSH authentication to the VM itself, not for authenticating an application to Azure Key Vault, and they do not integrate with Azure AD token-based access.

224
MCQ · hard

Based on the exhibit, where should you assign the Reader role so the Auditors group can read every current and future resource in the Sales subscription, including resource groups created later, while not granting access to the Research subscription?

A. Assign Reader to RG-Web, because the group can then inherit access to resources in that resource group only.
B. Assign Reader to the Sales subscription, because subscription-level scope includes all current and future resource groups and resources in that subscription.
C. Assign Reader to the Corp management group, because that is the only scope that can cover multiple subscriptions.
D. Assign Reader to each resource individually, because that avoids inheritance and limits visibility to selected items.
Answer: B

Subscription scope is the narrowest scope that satisfies the requirement. RBAC inheritance flows downward, so a Reader assignment at the Sales subscription applies to all current and future resource groups and resources inside Sales, but it does not grant access to the Research subscription.

Why this answer

Assigning the Reader role at the Sales subscription scope grants the Auditors group read access to all current and future resource groups and resources within that subscription. This is because Azure RBAC roles assigned at a subscription level are inherited by all child resource groups and resources, including those created later. The requirement explicitly excludes the Research subscription, so a subscription-level assignment is the correct and most efficient approach.

Exam trap

The trap here is that candidates often choose the management group scope (Option C) thinking it is necessary to cover multiple subscriptions, but they overlook the requirement to exclude the Research subscription, making the subscription-level scope the only correct choice.

How to eliminate wrong answers

Option A is wrong because assigning Reader to RG-Web only grants access to that specific resource group and its resources, not to all current and future resource groups in the Sales subscription. Option C is wrong because assigning Reader at the Corp management group would grant access to both the Sales and Research subscriptions, violating the requirement to not grant access to Research. Option D is wrong because assigning Reader to each resource individually is impractical and does not cover future resources, and it violates the principle of using inheritance for scalable access management.

225
MCQ · medium

A company uses one management group for all production subscriptions. A compliance analyst is a member of an Entra ID group and must view every current and future resource in all production subscriptions, but must not make any changes. Where should you assign the Reader role?

A. Assign Reader to the compliance analyst's user account at each resource group.
B. Assign Reader to the Entra ID group at the management group scope.
C. Assign Reader to one production subscription and rely on inheritance to cover the others.
D. Assign Reader directly to each resource because resource-level assignments always override broader scopes.
Answer: B

This is the best choice because role assignments inherit from management groups down to subscriptions, resource groups, and resources. By assigning Reader to the Entra ID group at the management group level, every current and future production subscription under that hierarchy will inherit read-only access. Using the group also makes access easier to manage when analysts join or leave the team.

Why this answer

Assigning the Reader role to the Entra ID group at the management group scope ensures that all current and future resources in all production subscriptions inherit the role via Azure RBAC inheritance. This meets the requirement to view every resource without making changes, as the management group encompasses all production subscriptions and the group membership automatically grants permissions to the compliance analyst.

Exam trap

The trap here is that candidates often assume they must assign roles at the subscription or resource group level, overlooking the management group scope which provides inheritance across multiple subscriptions and future resources without manual intervention.

How to eliminate wrong answers

Option A is wrong because assigning Reader at each resource group is inefficient, does not cover future resources automatically, and requires manual updates as resources are added. Option C is wrong because assigning Reader to only one subscription does not cover other production subscriptions; RBAC assignments do not inherit across subscriptions, only down within a scope. Option D is wrong because assigning Reader directly to each resource is impractical and unnecessary; resource-level assignments do not override broader scopes but rather add permissions, and the requirement is for a broad, inheritable assignment.
