AZ-104 · topic practice

Azure RBAC practice questions

Practise AZ-104 Azure RBAC practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Azure RBAC

What the exam tests

What to know about Azure RBAC

Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.

IaaS, PaaS and SaaS responsibilities and examples.

Public, private, hybrid and community cloud deployment models.

On-premises vs cloud trade-offs: cost, control, scalability.

How cloud connectivity options (VPN, Direct Connect, ExpressRoute) work.

Watch out for

Common Azure RBAC exam traps

  • IaaS gives you infrastructure control; SaaS gives you only the application.
  • Hybrid cloud combines on-premises and public cloud — not two public clouds.
  • Cloud does not automatically mean cheaper or more secure.
  • Management responsibility shifts with each service model (IaaSPaaSSaaS).

Practice set

Azure RBAC questions

20 questions · select your answer, then reveal the explanation

Question 1mediummultiple choice
Read the full RBAC explanation →

A storage automation service principal must upload, read, and delete blob data in one container by using Microsoft Entra authentication. It must not manage storage account settings, keys, or other containers. Which approach is best?

Question 2hardmulti select
Read the full RBAC explanation →

A support engineer must start and restart one specific virtual machine from the Azure portal, but must not be able to delete the VM, change networking, or grant access to others. Which two actions should be included in a custom role? Select two.

Question 3mediummultiple choice
Read the full RBAC explanation →

A support engineer must start, stop, and restart only one virtual machine named vm-app01. The engineer should not gain permissions on any other virtual machine in the subscription. What is the best scope for the role assignment?

Question 4hardmulti select
Read the full RBAC explanation →

A subscription already grants Contributor to an application team. The organization wants to prevent deployments in unsupported Azure regions and ensure every new resource has an Environment tag. Which two controls should be implemented with Azure Policy rather than RBAC? Select two.

Question 5mediummultiple choice
Read the full RBAC explanation →

An administrator added a user to an Entra security group that already has Contributor on a resource group. The role assignment is correct, but the user still gets 'You do not have access' in the Azure portal 5 minutes later. What is the most likely next step?

Question 6mediummulti select
Read the full RBAC explanation →

An enterprise has a management group named Corp that contains all production and sandbox subscriptions. An Entra ID group named Auditors must be able to read resources in every current subscription under Corp and in any subscription added later. Which two actions should the administrator take? Select two.

Question 7mediummultiple choice
Read the full RBAC explanation →

You need to ensure that a finance analyst can view all resources in the Finance-Sub subscription and also view spending details, but cannot create, modify, or delete any resources. Which built-in Azure RBAC role should you assign?

Question 8easymultiple choice
Read the full RBAC explanation →

A contractor team changes every few weeks. The administrator wants Azure access to stay the same when individual contractors leave or join, without editing role assignments for each person. What should be assigned the Azure role?

Question 9mediummultiple choice
Read the full RBAC explanation →

A policy assigned at the management group denies creation of storage accounts with public network access enabled. One legacy storage account in RG-Pilot must stay publicly reachable for 45 days while an application is migrated. What should the administrator configure?

Question 10mediummultiple choice
Read the full RBAC explanation →

A project team adds and removes contractors every few weeks. The team needs Azure access to follow membership changes without updating role assignments for each person. What should the administrator use to delegate the access?

Question 11mediummultiple choice
Read the full RBAC explanation →

A web application is made up of several Azure resources that are deployed, updated, and retired together. The team wants one container for applying access control, tags, and deletion protection consistently to the whole application. What should they use?

Question 12hardmulti select
Read the full RBAC explanation →

A service desk must grant and revoke access to an internal application for a changing group of employees. The service desk must not receive any Azure subscription or resource permissions. Which two actions should you take? Select two.

Question 13mediumdrag order
Read the full RBAC explanation →

Arrange the steps to assign a custom RBAC role to a user in Azure.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
Question 14easymultiple choice
Read the full RBAC explanation →

A developer has the Reader role assigned at the subscription scope. Later, the developer is assigned Contributor at the RG-Web resource group scope. Which permission is inherited by a storage account inside RG-Web?

Question 15mediummulti select
Read the full RBAC explanation →

A company has 18 subscriptions under a management group named Corp. The audit team needs Reader access to all current and future subscriptions in Corp without creating one assignment per subscription. Which two statements are correct? Select two.

Question 16mediummultiple choice
Read the full RBAC explanation →

A company creates new Azure subscriptions every month. Central IT wants all production subscriptions to inherit the same governance baseline automatically, while sandbox subscriptions remain separate. What should the administrator implement?

Question 17easymultiple choice
Read the full RBAC explanation →

Based on the exhibit, a compliance team must read all current and future resources in every subscription under the Corp management group. Where should you assign the Reader role?

Exhibit

Management group hierarchy:
Corp
├─ Sub-Prod-01
│  └─ RG-Finance
└─ Sub-Prod-02
   └─ RG-Shared

Current role assignment:
- Reader assigned to Entra ID group Auditors at scope: /providers/Microsoft.Management/managementGroups/Corp

Requirement:
- Members of Auditors must read resources in any new subscription added under Corp without adding another assignment.
Question 18mediummultiple choice
Read the full RBAC explanation →

A web app running in Azure App Service must upload files to a blob container. The team wants to avoid storing any secrets in application settings and wants the app to authenticate without a password or access key. What should the administrator configure?

Question 19hardmultiple choice
Read the full RBAC explanation →

A Windows VM runs an application that uploads files to a blob container every hour. Security forbids storing storage account keys or long-lived SAS tokens on the VM. The application must be able to write only to that container and nothing else. What should the administrator configure?

Question 20hardmulti select
Read the full RBAC explanation →

A web app uses a managed identity to read blobs from a storage account. Security now wants to ensure no future requests can authenticate with shared keys and the app should continue to use secretless access. Which two changes should the administrator make? Select two.

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Azure RBAC sessions

Start a Azure RBAC only practice session

Every question in these sessions is drawn from the Azure RBAC domain — nothing else.

Related practice questions

Related AZ-104 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the AZ-104 exam test about Azure RBAC?
Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Azure RBAC questions in a focused session?
Yes — the session launcher on this page draws every question from the Azure RBAC domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other AZ-104 topics?
Use the topic links above to move to related areas, or go back to the AZ-104 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the AZ-104 exam covers. They are not copied from any real exam or dump site.