AZ-104 · topic practice

Azure Policy practice questions

Practise AZ-104 Azure Policy practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Azure Policy

What the exam tests

What to know about Azure Policy

Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.

IaaS, PaaS and SaaS responsibilities and examples.

Public, private, hybrid and community cloud deployment models.

On-premises vs cloud trade-offs: cost, control, scalability.

How cloud connectivity options (VPN, Direct Connect, ExpressRoute) work.

Watch out for

Common Azure Policy exam traps

  • IaaS gives you infrastructure control; SaaS gives you only the application.
  • Hybrid cloud combines on-premises and public cloud — not two public clouds.
  • Cloud does not automatically mean cheaper or more secure.
  • Management responsibility shifts with each service model (IaaSPaaSSaaS).

Practice set

Azure Policy questions

20 questions · select your answer, then reveal the explanation

Question 1hardmulti select
Read the full Policy explanation →

A subscription already grants Contributor to an application team. The organization wants to prevent deployments in unsupported Azure regions and ensure every new resource has an Environment tag. Which two controls should be implemented with Azure Policy rather than RBAC? Select two.

Question 2hardmultiple choice
Read the full Policy explanation →

Your organization wants all subscriptions under the Corp-MG management group to inherit a policy that blocks deployment of resource types not on an approved list. Which Azure feature should you use?

Question 3easymultiple choice
Read the full Policy explanation →

A team wants every resource in a subscription to include a Department tag. New resources that do not have the tag should be blocked from being created. Which Azure Policy effect should you use?

Question 4easymultiple choice
Read the full Policy explanation →

The platform team wants to block deployment of Azure resources in any region except East US and West US. What should they configure?

Question 5hardmultiple choice
Read the full Policy explanation →

An Azure subscription contains several resource groups. You need to ensure that users can create virtual machines only in regions approved by the security team. Existing noncompliant VMs can remain unchanged. What should you do?

Question 6mediummultiple choice
Read the full Policy explanation →

Based on the exhibit, which Azure Policy effect should be used so new resources without an Environment tag are blocked at deployment time?

Exhibit

Policy evaluation output
Definition name: Require-Environment
Assignment scope: /subscriptions/1111-2222
Compliance state: Non-compliant
Non-compliant resource: stapp01
Reason: Missing tag 'Environment'
Requirement: Any new resource created without the Environment tag must be prevented from deploying.
Question 7easymultiple choice
Read the full Policy explanation →

A company wants to prevent users from creating storage accounts unless the resources include a costCenter tag. Which Azure feature should be used?

Question 8easymultiple choice
Read the full Policy explanation →

A container group runs a one-time import job in Azure Container Instances. After the job finishes successfully, it should not restart. Which restart policy should you choose?

Question 9mediummultiple choice
Read the full Policy explanation →

A policy assigned at the management group denies creation of storage accounts with public network access enabled. One legacy storage account in RG-Pilot must stay publicly reachable for 45 days while an application is migrated. What should the administrator configure?

Question 10hardmultiple choice
Read the full Policy explanation →

A Windows VM and a Linux VM in the same on-premises Active Directory Domain Services domain must mount the same Azure Files share over SMB. Security policy forbids storage account keys and long-lived SAS tokens. What should the administrator configure?

Question 11mediummultiple choice
Read the full Policy explanation →

An enterprise wants to enforce three governance controls for all subscriptions under a management group: allowed locations, required tags, and permitted VM sizes. The team wants a single place to assign and track compliance for all three controls. What should the administrator use?

Question 12hardmulti select
Read the full Policy explanation →

A policy initiative is assigned at the Corp management group to enforce allowed locations and required tags. A new subscription is added under Corp later. Which two statements are true? Select two.

Question 13hardmultiple choice
Read the full Policy explanation →

Your application stores compliance records in Azure Blob Storage. The records must remain in a write-once-read-many state for three years and must not be altered or deleted during that period. What should you configure?

Question 14hardmultiple choice
Read the full Policy explanation →

A virtual machine is already protected by Azure Backup. The current policy runs daily at 23:00 and keeps daily recovery points for 30 days. The business now wants the same schedule but wants new daily recovery points retained for 90 days. No new vault or re-registration should occur. What should the administrator do?

Question 15mediummulti select
Read the full Policy explanation →

A compliance team wants to identify all resources in a department that are missing an Environment tag, but they do not want to stop users from creating or changing resources. Which two choices should the administrator make? Select two.

Question 16hardmultiple choice
Read the full Policy explanation →

Your company wants every subscription under the Corp-MG management group to block the creation of resource groups unless the deployment includes the tags CostCenter and Environment. You need a centralized solution that is inherited by child subscriptions. What should you configure?

Match each network design requirement or limitation on the left with the best Azure behavior or corrective action on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

The address spaces overlap, so one range must be changed before peering can be created.

Create VNet peering; it provides private connectivity without a VPN gateway.

Enable gateway transit on the hub peering and use remote gateways on the spoke peering.

VNet peering is not transitive, so A must be connected to C directly or routed through an appliance.

Create a new non-overlapping address space and migrate workloads before removing the old range.

Question 18hardmultiple choice
Read the full Policy explanation →

Your application stores regulatory records in Azure Blob Storage. The records must remain in a write-once-read-many state for four years and must not be altered or deleted during that time. What should you configure?

Question 19hardmultiple choice
Read the full Policy explanation →

Your organization assigns an Azure Policy at the Corp-MG management group to require the tag Environment on all newly created resources. A deployment to RG-App in the Prod-Sub subscription fails because the tag is missing. You need to allow this single deployment to proceed without weakening enforcement for the rest of the organization. What should you do?

Question 20mediummultiple choice
Read the full Policy explanation →

You need to ensure that all newly created resource groups in a subscription automatically inherit the CostCenter tag with a fixed value, even if the creator forgets to add it. Which Azure Policy effect should you use?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Azure Policy sessions

Start a Azure Policy only practice session

Every question in these sessions is drawn from the Azure Policy domain — nothing else.

Related practice questions

Related AZ-104 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the AZ-104 exam test about Azure Policy?
Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Azure Policy questions in a focused session?
Yes — the session launcher on this page draws every question from the Azure Policy domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other AZ-104 topics?
Use the topic links above to move to related areas, or go back to the AZ-104 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the AZ-104 exam covers. They are not copied from any real exam or dump site.