
Your company has several Azure subscriptions, and you need to create a custom role that allows security engineers to start and stop Azure virtual machines but not delete them or modify their network interfaces. The role must be scoped to a specific resource group. How should you define this custom role?


Answer choices

Why each option matters

Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.

A (distractor): Assign the built-in Contributor role to the resource group.

Contributor allows full management access, including deletion of VMs and modification of network interfaces, which exceeds the required permissions.

B (best answer): Create a custom role with allowed actions for start and stop, and explicitly deny delete actions using NotActions.

A custom role can include 'Microsoft.Compute/virtualMachines/start/action' and 'stop/action' in the 'Actions' list, and 'Microsoft.Compute/virtualMachines/delete' in 'NotActions' to deny deletion. This provides exactly the required permissions.

C (distractor): Use Azure Policy to prevent deletion of VMs in that resource group.

Azure Policy enforces compliance rules but does not grant permissions. It can deny deletion actions, but the engineers still need permissions to start/stop VMs, which Policy cannot provide.

D (distractor): Add the engineers to a Microsoft Entra ID administrative unit and assign permissions for VM operations.

Microsoft Entra ID administrative units are used for administrative scope management of Microsoft Entra ID objects (users, groups), not for Azure resource permissions.

Common exam trap

Common exam trap: ACLs stop at the first match

ACLs are processed top to bottom. The first matching entry wins, and an implicit deny usually exists at the end.

Technical deep dive

How to think about this question

ACL questions test precision: source, destination, protocol, port and direction. A generally correct ACL can still fail if it is applied on the wrong interface or in the wrong direction.

Key Concepts to Remember

  • Standard ACLs match source addresses.
  • Extended ACLs can match source, destination, protocol and ports.
  • The first matching ACL entry is used.
  • There is usually an implicit deny at the end.

Exam Day Tips

  • Check inbound versus outbound direction.
  • Read the ACL from top to bottom.
  • Look for a broader permit or deny above the intended line.
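The first-match rule and the "broader line above the intended one" trap described in this section, as an added example that is not part of the original page. The ACL model is a simplified, vendor-neutral one (entries match protocol, source, destination and destination port); the addresses and rules are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Simplified extended-ACL entry (not any vendor's syntax).
@dataclass
class AclEntry:
    action: str               # "permit" or "deny"
    proto: str                # "ip" matches any protocol
    src: str                  # source CIDR
    dst: str                  # destination CIDR
    dport: Optional[int] = None  # None matches any destination port

def evaluate(acl: List[AclEntry], proto: str, src_ip: str,
             dst_ip: str, dport: int) -> Tuple[str, int]:
    """Walk the ACL top to bottom; the first matching entry decides.
    Returns (action, index); index -1 means the implicit deny fired."""
    for i, e in enumerate(acl):
        if e.proto not in ("ip", proto):
            continue
        if ip_address(src_ip) not in ip_network(e.src):
            continue
        if ip_address(dst_ip) not in ip_network(e.dst):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, i
    return "deny", -1  # implicit deny at the end of every ACL

# The trap: a broad permit for 10.1.0.0/16 sits above the intended deny,
# so SSH from 10.1.5.0/24 to 192.0.2.10 is permitted by line 0 and the
# deny on line 1 is never consulted (constructed example).
TRAP_ACL = [
    AclEntry("permit", "ip", "10.1.0.0/16", "0.0.0.0/0"),
    AclEntry("deny", "tcp", "10.1.5.0/24", "192.0.2.10/32", 22),
    AclEntry("permit", "tcp", "10.1.5.0/24", "192.0.2.10/32", 443),
]

# Same intent, ordered specific-before-general so the deny is effective.
FIXED_ACL = [
    AclEntry("deny", "tcp", "10.1.5.0/24", "192.0.2.10/32", 22),
    AclEntry("permit", "ip", "10.1.0.0/16", "0.0.0.0/0"),
]
```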


FAQ

Questions learners often ask

What does this AZ-204 question test?

Standard ACLs match source addresses.

What is the correct answer to this question?

The correct answer is B: Create a custom role with allowed actions for start and stop, and explicitly deny delete actions using NotActions. Azure custom roles are defined with a list of allowed actions in JSON. To allow start and stop but not delete, you grant the actions Microsoft.Compute/virtualMachines/start/action and Microsoft.Compute/virtualMachines/stop/action, and explicitly exclude delete with 'NotActions'. The role must be assigned at the resource group scope. Using the built-in Contributor role (A) grants delete permissions, which is too permissive. Azure Policy (C) can audit or enforce compliance but does not grant permissions. Microsoft Entra ID administrative units (D) are unrelated to VM permissions.
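To make the role definition described in option B and in this FAQ answer concrete, here is an added example (not from the page or from Microsoft's documentation) showing a custom role in Azure's JSON shape and a small evaluator of its Actions/NotActions and AssignableScopes semantics. It uses the real Microsoft.Compute operation names, so the 'stop/action' shorthand used above appears as powerOff/action and deallocate/action; the subscription id and resource group name are placeholders, and the Contributor-like definition is a simplified stand-in for the built-in role.

```python
import json
import re

# Constructed role definition in the JSON shape Azure uses for custom roles.
# Real Microsoft.Compute operation names are used; the page's "stop/action"
# is expressed as the provider's powerOff/action and deallocate/action.
# The subscription id and resource group name are placeholders.
VM_OPERATOR_ROLE = json.loads("""{
  "Name": "VM Start Stop Operator (example)",
  "IsCustom": true,
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/powerOff/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Compute/virtualMachines/restart/action"
  ],
  "NotActions": ["Microsoft.Compute/virtualMachines/delete"],
  "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-vm-ops"
  ]
}""")

# Simplified Contributor-style definition (option A): '*' grants every operation.
# The real built-in role also carries NotActions entries; omitted here.
CONTRIBUTOR_LIKE = {"Actions": ["*"], "NotActions": [], "AssignableScopes": ["/"]}

def _matches(pattern, operation):
    # RBAC wildcard: '*' matches any run of characters, '/' included;
    # operation names compare case-insensitively.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None

def permits(role, operation):
    """True when some Actions entry matches and no NotActions entry does.
    NotActions subtracts from this role's Actions; it is not a deny that
    overrides permissions granted by other role assignments."""
    allowed = any(_matches(a, operation) for a in role["Actions"])
    excluded = any(_matches(n, operation) for n in role["NotActions"])
    return allowed and not excluded

def assignable_at(role, scope):
    """A custom role may only be assigned at or below its AssignableScopes."""
    s = scope.lower()
    return any(s == a.lower() or s.startswith(a.lower().rstrip("/") + "/")
               for a in role["AssignableScopes"])
```

Because NotActions only subtracts from the same role's Actions, the delete entry is redundant when delete was never granted; the scope check is what keeps the role from being assigned outside the intended resource group.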

What should I do if I get this AZ-204 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.
