Question 1easymultiple choice
Full question →AZ-104 · topic practice
Azure RBAC practice questions
Use this page to practise AZ-104 Azure RBAC practice questions. The goal is not to memorise dumps, but to understand the concept, review the explanation and improve your exam readiness.
What the exam tests
What to know about Azure RBAC
Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.
IaaS, PaaS and SaaS responsibilities and examples.
Public, private, hybrid and community cloud deployment models.
On-premises vs cloud trade-offs: cost, control, scalability.
How cloud connectivity options (VPN, Direct Connect, ExpressRoute) work.
Practice set
Azure RBAC questions
20 questions · select your answer, then reveal the explanation
Question 2mediummultiple choice
Full question →A company has 18 Azure subscriptions. Production subscriptions must inherit stricter governance than sandbox subscriptions, and central IT wants one place to target future policy assignments to each group. What should the administrator do?
Question 3mediummulti select
Full question →A compliance team wants to identify all resources in a department that are missing an Environment tag, but they do not want to stop users from creating or changing resources. Which two choices should the administrator make? Select two.
Question 4hardmultiple choice
Full question →A compliance team wants to bundle three policy definitions—allowed locations, required cost center tags, and approved VM sizes—so they can assign them together to a management group and review compliance in one place. Later they want to exempt one pilot subscription from the entire set for 60 days. What should they use?
Question 5easymultiple choice
Full question →A contractor team changes every few weeks. The administrator wants Azure access to stay the same when individual contractors leave or join, without editing role assignments for each person. What should be assigned the Azure role?
Question 6hardmulti select
Full question →A developer has the Contributor role on a resource group. A Bicep deployment that creates a VM with a public IP fails with a policy denial, but the same template succeeds after the public IP resource is removed. Which two statements are true? Select two.
Question 7hardmulti select
Full question →A contractor needs Contributor on only VM1 and VM2 in rg-prod. Other resources in rg-prod must remain untouched, and the contractor must not gain access to any other resource groups or subscriptions. Which two role-assignment scopes meet the requirement? Select two.
Question 8easymultiple choice
Full question →A developer has the Reader role assigned at the subscription scope. Later, the developer is assigned Contributor at the RG-Web resource group scope. Which permission is inherited by a storage account inside RG-Web?
Question 9easymultiple choice
Full question →A company wants to prevent users from creating storage accounts unless the resources include a costCenter tag. Which Azure feature should be used?
Question 10mediummultiple choice
Full question →A company wants to stop users from deploying resources in any region except East US and West US. Users still need to be able to create resources if they choose an approved region. Which Azure feature should the administrator use?
Question 11mediummultiple choice
Full question →A company wants to enforce three controls across all current and future subscriptions under a management group: allowed Azure regions, a required cost center tag, and approved VM SKUs. Central IT wants a single assignment and consolidated compliance reporting. What should they use?
Question 12mediummulti select
Full question →A DevOps engineer must run an Azure CLI script from a Windows VM to create resources in a specific resource group in another subscription. The script must not use a client secret or password, and access should be limited to only that resource group. Which three actions should the administrator take? Select three.
Question 13mediummultiple choice
Full question →A developer can access an Azure Blob container from the portal using Microsoft Entra sign-in, but their custom app gets a 403 error when reading the same blob. The storage account is configured to use Azure AD authorization. What is the most likely fix?
Question 14easymultiple choice
Full question →A production resource group must not be deleted accidentally, but administrators still need to update resources inside it. Which lock should you apply to the resource group?
Question 15mediummultiple choice
Full question →A partner company needs write access to a single blob container for 24 hours. The partner does not have an Azure subscription in your tenant, and the team does not want to share the storage account key. Which access method is the best choice?
Question 16mediummultiple choice
Full question →A PowerShell script runs on an Azure VM every night and uses Azure CLI commands to create tags and VM resources in another subscription. The script cannot store a password or client secret. What should it use to authenticate to Azure?
Question 17easymultiple choice
Full question →A finance analyst needs read-only access to one storage account named stprod01. The analyst must not see other resources in the subscription. Where should you assign the Reader role?
Question 18mediummultiple choice
Full question →A policy assigned at the management group denies creation of storage accounts with public network access enabled. One legacy storage account in RG-Pilot must stay publicly reachable for 45 days while an application is migrated. What should the administrator configure?
Question 19hardmulti select
Full question →A policy initiative is assigned at the Corp management group to enforce allowed locations and required tags. A new subscription is added under Corp later. Which two statements are true? Select two.
Question 20easymulti select
Full question →A storage account should use a private IP address inside a virtual network, and workloads in that VNet must resolve the storage name to the private address. Which two items are required? Select two.
Watch out for
Common Azure RBAC exam traps
- ▸IaaS gives you infrastructure control; SaaS gives you only the application.
- ▸Hybrid cloud combines on-premises and public cloud — not two public clouds.
- ▸Cloud does not automatically mean cheaper or more secure.
- ▸Management responsibility shifts with each service model (IaaS → PaaS → SaaS).
Free account
Track your progress over time
Create a free account to save your results and see which topics improve across sessions.
Focused Azure RBAC sessions
Start a Azure RBAC only practice session
Every question in these sessions is drawn from the Azure RBAC domain — nothing else.
Related practice questions
Related AZ-104 topic practice pages
Move into related areas when this topic feels solid.
AZ-104 Azure RBAC practice questions
Practise AZ-104 questions linked to AZ-104 Azure RBAC.
AZ-104 storage account practice questions
Practise AZ-104 questions linked to AZ-104 storage account.
AZ-104 virtual network practice questions
Practise AZ-104 questions linked to AZ-104 virtual network.
AZ-104 NSG practice questions
Practise AZ-104 questions linked to AZ-104 NSG.
AZ-104 Azure Monitor practice questions
Practise AZ-104 questions linked to AZ-104 Azure Monitor.
AZ-104 backup practice questions
Practise AZ-104 questions linked to AZ-104 backup.
AZ-104 managed identity practice questions
Practise AZ-104 questions linked to AZ-104 managed identity.
AZ-104 load balancer practice questions
Practise AZ-104 questions linked to AZ-104 load balancer.
AZ-104 Azure Policy practice questions
Practise AZ-104 questions linked to AZ-104 Azure Policy.
AZ-104 virtual machine practice questions
Practise AZ-104 questions linked to AZ-104 virtual machine.
Frequently asked questions
- What does the AZ-104 exam test about Azure RBAC?
- Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.
- How should I use these practice questions?
- Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
- Can I practise just Azure RBAC questions in a focused session?
- Yes — the session launcher on this page draws every question from the Azure RBAC domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
- Where can I practise other AZ-104 topics?
- Use the topic links above to move to related areas, or go back to the AZ-104 question bank to see all topics.
- Are these real exam questions or dumps?
- These are original practice questions written to test the same concepts the AZ-104 exam covers. They are not copied from any real exam or dump site.
Track your progress
A free account saves results across sessions and highlights which topics need work.
Sign up freeExam traps to avoid
- ▸IaaS gives you infrastructure control; SaaS gives you only the application.
- ▸Hybrid cloud combines on-premises and public cloud — not two public clouds.
- ▸Cloud does not automatically mean cheaper or more secure.
- ▸Management responsibility shifts with each service model (IaaS → PaaS → SaaS).