Question 856 of 1,170
Deploy and Manage Azure ComputehardMultiple ChoiceObjective-mapped

AZ-104 Deploy and Manage Azure Compute Practice Question

This AZ-104 practice question tests your understanding of deploy and manage azure compute. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A scale set of application VMs uploads JSON files to one blob container. The identity must not use secrets, must keep working if an instance is reimaged or replaced, and the same identity should be reusable across all instances. What should the administrator configure?

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

A user-assigned managed identity, attached to the scale set, with Storage Blob Data Contributor scoped to the container.

A user-assigned managed identity is the correct choice because it is created as a standalone Azure resource, can be assigned to multiple VMs in a scale set, and persists independently of any VM instance lifecycle. This ensures the identity remains available even if an instance is reimaged or replaced, and it avoids the need for secrets. The Storage Blob Data Contributor role scoped to the specific container grants the necessary permissions for uploading JSON files without exposing account-level access.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • A system-assigned managed identity on each VM instance, with account-wide storage permissions.

    Why it's wrong here

    System-assigned identities are tied to each resource lifecycle and do not provide one reusable identity that survives instance replacement.

    When this WOULD be correct

    A system-assigned managed identity would be correct if the question required each VM to have its own unique identity for individual auditing or access control, and reusability across instances was not a concern.

  • A user-assigned managed identity, attached to the scale set, with Storage Blob Data Contributor scoped to the container.

    Why this is correct

    A user-assigned managed identity persists independently of any single VM instance, so it remains usable after reimaging or replacement. Scoping Storage Blob Data Contributor to the container follows least privilege while still allowing the workload to upload the JSON files.

    Related concept

    Read the scenario before looking for a memorised answer.

  • A shared access signature stored in the VM image and renewed annually.

    Why it's wrong here

    A SAS token is still a secret, and storing it in the image violates the requirement to avoid secrets and to keep access resilient through replacements.

    When this WOULD be correct

    An administrator needs to grant temporary, time-limited access to a specific blob container for a single VM that will be decommissioned after a short period, and the VM image is never reused or reimaged. In this case, storing a SAS token in the VM image is acceptable because the VM's lifetime is short and the SAS can be set to expire after the task completes.

  • The storage account access key, because it allows the most reliable upload path.

    Why it's wrong here

    Access keys are long-lived secrets, provide broader access than needed, and are not appropriate when the requirement explicitly forbids secrets.

    When this WOULD be correct

    If the question required the most permissive access for administrative tasks, such as migrating data between containers or managing storage account settings, and secret management was not a concern, the access key would be appropriate.

Option-by-option analysis

Why each answer is right or wrong

Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The AZ-104 exam frequently reuses these exact scenarios with slightly different constraints.

A user-assigned managed identity, attached to the scale set, with Storage Blob Data Contributor scoped to the container.Correct answer

Why this is correct

A user-assigned managed identity persists independently of any single VM instance, so it remains usable after reimaging or replacement. Scoping Storage Blob Data Contributor to the container follows least privilege while still allowing the workload to upload the JSON files.

A system-assigned managed identity on each VM instance, with account-wide storage permissions.Wrong answer — click to see why

Why this is wrong here

A system-assigned managed identity on each VM instance would not be reusable across all instances; each instance gets a unique identity, and reimaging or replacing an instance creates a new identity, breaking the requirement for a single reusable identity.

★ When this WOULD be the correct answer

A system-assigned managed identity would be correct if the question required each VM to have its own unique identity for individual auditing or access control, and reusability across instances was not a concern.

Why candidates choose this

Candidates may confuse system-assigned with user-assigned managed identities, or assume that 'managed identity' alone satisfies the requirement without considering reusability across instances.

A shared access signature stored in the VM image and renewed annually.Wrong answer — click to see why

Why this is wrong here

A shared access signature (SAS) stored in the VM image is a secret, which violates the requirement that the identity must not use secrets. Additionally, if the SAS expires or the VM is reimaged, the SAS may need to be renewed or re-deployed, breaking the requirement for continued operation without manual intervention.

★ When this WOULD be the correct answer

An administrator needs to grant temporary, time-limited access to a specific blob container for a single VM that will be decommissioned after a short period, and the VM image is never reused or reimaged. In this case, storing a SAS token in the VM image is acceptable because the VM's lifetime is short and the SAS can be set to expire after the task completes.

Why candidates choose this

Candidates may think a SAS token is a secure, keyless way to grant access without managing credentials, but they overlook that the SAS itself is a secret that must be stored and managed, and it does not meet the 'no secrets' and 'reusable across instances' requirements.

The storage account access key, because it allows the most reliable upload path.Wrong answer — click to see why

Why this is wrong here

The storage account access key provides full control over the storage account, violating the principle of least privilege. It is a secret that must be securely stored and managed, contradicting the requirement that the identity must not use secrets.

★ When this WOULD be the correct answer

If the question required the most permissive access for administrative tasks, such as migrating data between containers or managing storage account settings, and secret management was not a concern, the access key would be appropriate.

Why candidates choose this

Candidates may think the access key is the simplest and most reliable method for authentication, overlooking the security and secret management requirements specified in the question.

Analysis generated from the official AZ-104blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often confuse system-assigned and user-assigned managed identities, assuming system-assigned identities can be shared across instances, when in fact each instance gets a unique identity that is destroyed on reimage, making user-assigned the only option for a reusable, persistent identity across a scale set.

Detailed technical explanation

How to think about this question

User-assigned managed identities use Azure Active Directory (Azure AD) tokens for authentication, eliminating the need for any stored secrets. When assigned to a Virtual Machine Scale Set, the identity is available to all instances via the Azure Instance Metadata Service (IMDS) endpoint (169.254.169.254), which provides OAuth 2.0 tokens for accessing Azure resources like Blob Storage. This design supports zero-trust principles and simplifies credential rotation, as the Azure platform handles token lifecycle automatically.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related AZ-104 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free AZ-104 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this AZ-104 question test?

Deploy and Manage Azure Compute — This question tests Deploy and Manage Azure Compute — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: A user-assigned managed identity, attached to the scale set, with Storage Blob Data Contributor scoped to the container. — A user-assigned managed identity is the correct choice because it is created as a standalone Azure resource, can be assigned to multiple VMs in a scale set, and persists independently of any VM instance lifecycle. This ensures the identity remains available even if an instance is reimaged or replaced, and it avoids the need for secrets. The Storage Blob Data Contributor role scoped to the specific container grants the necessary permissions for uploading JSON files without exposing account-level access.

What should I do if I get this AZ-104 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Keep practising

More AZ-104 practice questions

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This AZ-104 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the AZ-104 exam.