August 15, 2025

Preparing for the Microsoft Azure Administrator (AZ-104) exam requires more than just memorizing facts. To succeed, you need to understand how Azure services work together and how Microsoft expects you to apply that knowledge in real-world scenarios.

The following Domain 1: Manage Azure identities and governance practice questions are designed to mirror the style, difficulty, and reasoning found on the actual exam. Each question includes a detailed explanation of why the correct answer is right and why the others are not, with references to official Microsoft Learn documentation for further study.

Question: You need to grant an administrator the ability to manage Azure role assignments (grant, revoke or modify role assignments) at the subscription scope.

Which built‑in role should you assign?

  A. Owner
  B. Contributor
  C. Reader
  D. User Access Administrator
Correct Answer

D. User Access Administrator

Explanation:

A. Owner – Full control over all resources, plus the ability to assign roles to others (Owner includes the Microsoft.Authorization/* permissions that User Access Administrator carries). It would meet the requirement, but it grants far more than role-assignment management, violating the principle of least privilege.

B. Contributor – This role allows creating and managing all types of Azure resources but does not permit assigning roles or managing access. It does not meet the requirement.

C. Reader – Provides read-only access to resources without any modification or access management rights. Not suitable for managing role assignments.

D. User Access Administrator – Designed specifically to manage user access to Azure resources: it can create, modify, and remove role assignments at the selected scope (such as a subscription) without granting broader resource management permissions. This is the correct and most appropriate choice. Treat it as highly privileged all the same: a User Access Administrator can assign any role, including Owner, to any principal (themselves included). In practice you would grant it through Privileged Identity Management, narrow it with a role-assignment condition that restricts which roles it may assign, or use the newer Role Based Access Control Administrator built-in role where only role-assignment management is needed.

Microsoft Learn Reference:
https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#user-access-administrator


Question: You are auditing your Azure subscription and need to ensure that all resources comply with organizational tagging standards.


You also want to automatically remediate non-compliant resources.


Which Azure service should you use?

  A. Azure Policy
  B. Azure Monitor
  C. Azure Blueprints
  D. Azure Advisor
Correct Answer

A. Azure Policy

Explanation:

A. Azure Policy – Azure Policy is the correct service for enforcing organizational standards, including tagging rules. It audits resources for compliance and can automatically remediate non-compliant ones through the modify and deployIfNotExists effects. Two practical caveats: those effects act only when a resource is created or updated, so resources that already exist stay flagged as non-compliant until you run a remediation task, and the policy assignment needs a managed identity that holds the roles listed in the definition's roleDefinitionIds.

B. Azure Monitor – Used for collecting, analyzing, and acting on telemetry from Azure resources. It does not enforce compliance or remediate configuration issues.

C. Azure Blueprints – Allows you to define and deploy a set of resources and policies together for consistent environments. While it can include Azure Policy, Blueprints themselves do not perform ongoing compliance checks or remediation.

D. Azure Advisor – Provides best practice recommendations for cost, security, performance, and reliability but does not enforce compliance or remediate resources.

Microsoft Learn Reference:
https://learn.microsoft.com/azure/governance/policy/overview


Question: Your company wants to require multi-factor authentication (MFA) for all users accessing the Azure portal, but only when they sign in from outside the corporate network.


What should you configure?


  A. Conditional Access policy in Microsoft Entra ID (Azure AD)
  B. Azure Policy
  C. Role-Based Access Control (RBAC)
  D. Azure Firewall
Correct Answer

A. Conditional Access policy in Microsoft Entra ID (Azure AD)

Explanation:

A. Conditional Access policy in Microsoft Entra ID (Azure AD) – Correct. Conditional Access lets you enforce MFA based on specific conditions, such as sign-in location. You define a named location covering the corporate network's egress IP ranges and mark it as trusted, then build a policy that targets all users signing in to the Azure portal (the Microsoft Azure Management cloud app) with the location condition set to any location except trusted locations, and grant access only with MFA. Exclude your emergency-access (break-glass) accounts from the policy so a misconfiguration cannot lock every administrator out.

B. Azure Policy – Enforces resource configurations and compliance but cannot control authentication behavior.

C. Role-Based Access Control (RBAC) – Controls what actions users can perform after authentication, not the conditions under which they authenticate.

D. Azure Firewall – Controls network traffic in and out of Azure but does not handle user authentication or MFA requirements.

Microsoft Learn Reference:
https://learn.microsoft.com/entra/identity/conditional-access/overview


Question: You want to give a user permission to manage only virtual machines in one resource group.


At what scope should you assign the role?


  A. Management group
  B. Subscription
  C. Resource group
  D. Resource
Correct Answer

C. Resource group

Explanation:

A. Management group – Applies the role to every subscription under the management group. Far broader than one resource group.

B. Subscription – Grants the role across all resource groups and resources in the subscription. Also broader than required.

C. Resource group – Correct. Assigning the role at the resource group scope limits the user to resources in that one group. Scope controls where the permissions apply; the role controls what they can do, so pair the resource group scope with Virtual Machine Contributor rather than Contributor if the user should manage only virtual machines and not every resource type in the group.

D. Resource – Limits access to a single resource, which would not let the user manage all the VMs in the resource group.

Microsoft Learn Reference:
https://learn.microsoft.com/azure/role-based-access-control/overview


Question: You have 10 Azure subscriptions and want to apply the same policy to all of them at once.


What should you use?


  A. Management groups
  B. Azure Policy assignments at the subscription level
  C. Resource groups
  D. Blueprints
Correct Answer

A. Management groups

Explanation:

A. Management groups – Correct. Management groups organize multiple subscriptions into a hierarchy; a policy assigned at the management group level is inherited by every subscription beneath it, including subscriptions moved into the group later. Each subscription sits under exactly one management group, so the hierarchy doubles as your governance boundary.

B. Azure Policy assignments at the subscription level – Would require assigning the policy individually to each subscription, which is less efficient.

C. Resource groups – Organize resources within a single subscription and cannot be used to group multiple subscriptions.

D. Blueprints – Can package policies, role assignments, and templates together, but to apply a single policy across multiple subscriptions efficiently, management groups are still the better approach.

Microsoft Learn Reference:
https://learn.microsoft.com/azure/governance/management-groups/overview
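The scope rule behind this question and the previous one (a role assignment or a policy assignment applies at the chosen scope and at every scope beneath it) is easy to get wrong at the edges, so here is an added example, not part of the original article, that resolves effective role assignments through a small constructed hierarchy. The management-group tree, subscription names, principals and resource IDs are invented for the illustration, and the code is a teaching model of the inheritance rule rather than Azure's own authorization engine:

```python
"""Resolve effective Azure RBAC role assignments through scope inheritance.

Added illustration of how an assignment at one scope applies to every child
scope; this is not Azure's own authorization code. Azure Policy assignments
at a management group are inherited by the same rule (policy exclusions via
notScopes are not modelled here). The management-group tree, subscriptions,
principals and resource IDs below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed hierarchy: management group -> parent (None = tenant root group).
MG_PARENT = {"corp": None, "prod": "corp", "dev": "corp"}
# Constructed placement: subscription -> the single management group it sits in.
SUB_MG = {"sub-prod-1": "prod", "sub-prod-2": "prod", "sub-dev-1": "dev"}

MG_PREFIX = "/providers/microsoft.management/managementgroups/"


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    scope: str


def _segments(scope: str) -> List[str]:
    # Resource IDs are case-insensitive, so compare lower-cased path segments.
    return [s for s in scope.lower().split("/") if s]


def _mg_and_ancestors(mg: Optional[str]) -> Set[str]:
    """A management group plus every group above it, up to the root."""
    chain: Set[str] = set()
    while mg is not None:
        chain.add(mg)
        mg = MG_PARENT.get(mg)
    return chain


def _groups_above(target: str) -> Set[str]:
    """Management groups whose assignments reach the target scope."""
    t = target.lower()
    if t.startswith(MG_PREFIX):
        return _mg_and_ancestors(t[len(MG_PREFIX):].strip("/"))
    segs = _segments(t)
    if len(segs) >= 2 and segs[0] == "subscriptions":
        return _mg_and_ancestors(SUB_MG.get(segs[1]))
    return set()


def scope_covers(assignment_scope: str, target: str) -> bool:
    """True if an assignment made at assignment_scope applies at target.

    Management-group scopes are resolved through the hierarchy. Every other
    scope must match the target on whole path segments, so an assignment on
    resource group 'rg-web' does not leak onto 'rg-web2'.
    """
    a = assignment_scope.lower()
    if a.startswith(MG_PREFIX):
        return a[len(MG_PREFIX):].strip("/") in _groups_above(target)
    a_segs = _segments(a)
    return _segments(target)[: len(a_segs)] == a_segs


def effective_roles(assignments: Iterable[Assignment], principal: str, target: str) -> Set[str]:
    """Roles the principal holds at target via direct or inherited assignments."""
    return {a.role for a in assignments
            if a.principal == principal and scope_covers(a.scope, target)}


# Constructed assignments mirroring the question: VM management confined to one
# resource group, plus a read-only role inherited from the top of the hierarchy.
SAMPLE = [
    Assignment("alice", "Reader", "/providers/Microsoft.Management/managementGroups/corp"),
    Assignment("alice", "Virtual Machine Contributor",
               "/subscriptions/sub-prod-1/resourceGroups/rg-web"),
    Assignment("bob", "Contributor", "/subscriptions/sub-prod-1"),
]
VM_IN_RG = ("/subscriptions/sub-prod-1/resourceGroups/rg-web"
            "/providers/Microsoft.Compute/virtualMachines/web01")
VM_OTHER_RG = ("/subscriptions/sub-prod-1/resourceGroups/rg-web2"
               "/providers/Microsoft.Compute/virtualMachines/web02")

if __name__ == "__main__":
    for who, where in [("alice", VM_IN_RG), ("alice", VM_OTHER_RG),
                       ("bob", "/subscriptions/sub-prod-2")]:
        print(who, where, sorted(effective_roles(SAMPLE, who, where)))
```

Two details worth noticing: the comparison is on whole path segments, so an assignment on rg-web does not reach rg-web2, and a management-group assignment is resolved through the tree rather than by string prefix, because a subscription's resource IDs carry no trace of the management group they sit under.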


Question: You need to give someone the ability to reset passwords for all users in Azure AD.


Which role should you use?


  A. Owner (RBAC)
  B. Password Administrator (Azure AD role)
  C. Contributor (RBAC)
  D. User Administrator (Azure AD role)
Correct Answer

D. User Administrator (Azure AD role)

Explanation:

A. Owner (RBAC) – An Azure Resource Manager role for managing resources at a subscription or resource group level. It does not grant permissions to manage user accounts or reset passwords in Microsoft Entra ID (Azure AD).

B. Password Administrator (Azure AD role) – Can reset passwords only for non-administrators and for other Password Administrators. It cannot reset the password of a user holding any other admin role, so it does not meet the requirement for "all users."

C. Contributor (RBAC) – Allows full resource management within Azure Resource Manager but does not grant Azure AD user management capabilities.

D. User Administrator (Azure AD role) – Correct, as the broadest of the offered options. It can reset passwords for non-administrators and for users holding a limited set of roles (for example Helpdesk Administrator, Password Administrator, User Administrator, Groups Administrator, Directory Readers, and Reports Reader). It still cannot reset the password of a Global Administrator or of users in other highly privileged roles; resetting passwords for every user, including Global Administrators, requires the Privileged Authentication Administrator role, which is not among the options.

Microsoft Learn Reference:
https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference


Question: You want all resources to have a “CostCenter” tag. If they don’t, Azure should add it automatically.


What should you use?


  A. Azure Policy with modify effect
  B. Azure Advisor
  C. Azure Monitor
  D. Azure Tags in the portal
Correct Answer

A. Azure Policy with modify effect

Explanation:

A. Azure Policy with modify effect – Correct. Azure Policy can check for the existence of a required tag and use the modify effect to add it automatically when it is missing, ensuring compliance without manual intervention. The modify effect runs when a resource is created or updated; resources that already exist are only reported as non-compliant until you run a remediation task against the assignment.

B. Azure Advisor – Gives recommendations on cost, security, performance, and reliability but cannot automatically add tags.

C. Azure Monitor – Collects and analyzes telemetry data but does not enforce tagging or modify resource properties.

D. Azure Tags in the portal – Lets you manually add tags but does not enforce or auto-add them across all resources.

Microsoft Learn Reference:
https://learn.microsoft.com/azure/governance/policy/concepts/effects#modify
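Since both this question and the earlier tagging-compliance question turn on the modify effect, here is one added example (not from the original article) that covers both: it builds the policyRule JSON for adding a CostCenter tag, in the same shape as the built-in "Add a tag to resources" definition, and then simulates the three moments at which Azure Policy touches a resource: the create/update request, the periodic compliance scan, and a remediation task. The evaluator is a small stand-in for the policy engine, not Microsoft's code, and the inventory of resources is constructed:

```python
"""Build an Azure Policy 'modify' rule that adds a missing tag, and simulate
how it is evaluated on write, on compliance scan, and under remediation.

Added illustration; the evaluator is a deliberately small stand-in for the
Azure Policy engine (it supports field/exists/equals/in and allOf/anyOf/not)
and is not Microsoft's code. The rule JSON itself is in the real policyRule
format and mirrors the built-in "Add a tag to resources" definition, so it
can be written to a file and registered with
`New-AzPolicyDefinition -Policy <file> -Mode Indexed` or
`az policy definition create --rules <file> --mode Indexed`.
The resources at the bottom are constructed sample data.
"""
import copy
import json
import re
from typing import Any, Dict, Iterable, List

# Built-in Contributor role; the assignment's managed identity needs a role
# from roleDefinitionIds to carry out remediation.
CONTRIBUTOR_ROLE = ("/providers/microsoft.authorization/roleDefinitions/"
                    "b24988ac-6180-42a0-ab88-20f7382dd24c")
_TAG_FIELD = re.compile(r"^tags\['([^']+)'\]$")


def build_add_tag_rule(tag_name: str, tag_value: str) -> Dict[str, Any]:
    """policyRule: if the tag is absent, add it before the resource is written."""
    tag_field = f"tags['{tag_name}']"
    return {
        "if": {"field": tag_field, "exists": "false"},
        "then": {
            "effect": "modify",
            "details": {
                "roleDefinitionIds": [CONTRIBUTOR_ROLE],
                "operations": [
                    {"operation": "addOrReplace", "field": tag_field, "value": tag_value}
                ],
            },
        },
    }


def read_field(resource: Dict[str, Any], field_name: str) -> Any:
    """Resolve a policy field alias against a resource; None means absent."""
    m = _TAG_FIELD.match(field_name)
    if m:
        return (resource.get("tags") or {}).get(m.group(1))
    return resource.get(field_name)   # e.g. 'type', 'location', 'name'


def condition_matches(cond: Dict[str, Any], resource: Dict[str, Any]) -> bool:
    """Evaluate a policy 'if' block. String comparisons are case-insensitive."""
    if "allOf" in cond:
        return all(condition_matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_matches(cond["not"], resource)
    value = read_field(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return value is not None and str(value).lower() == str(cond["equals"]).lower()
    if "in" in cond:
        return value is not None and str(value).lower() in {str(v).lower() for v in cond["in"]}
    raise ValueError(f"unsupported condition: {cond}")


def apply_modify(rule: Dict[str, Any], resource: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of the resource with the rule's tag operations applied."""
    out = copy.deepcopy(resource)
    tags = out.get("tags") or {}
    out["tags"] = tags
    for op in rule["then"]["details"]["operations"]:
        name = _TAG_FIELD.match(op["field"]).group(1)
        if op["operation"] == "addOrReplace":
            tags[name] = op["value"]
        elif op["operation"] == "remove":
            tags.pop(name, None)
        else:
            raise ValueError(f"unsupported operation: {op['operation']}")
    return out


def on_write(rule: Dict[str, Any], resource: Dict[str, Any]) -> Dict[str, Any]:
    """Create/update path: a modify policy alters the request before it is saved."""
    if rule["then"]["effect"] == "modify" and condition_matches(rule["if"], resource):
        return apply_modify(rule, resource)
    return resource


def compliance_scan(rule: Dict[str, Any], resources: Iterable[Dict[str, Any]]) -> Dict[str, bool]:
    """Periodic evaluation only marks existing resources compliant or not."""
    return {r["name"]: not condition_matches(rule["if"], r) for r in resources}


def remediate(rule: Dict[str, Any], resources: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """What a remediation task does: apply modify to existing non-compliant resources."""
    return [apply_modify(rule, r) if condition_matches(rule["if"], r) else r
            for r in resources]


# Constructed inventory: one tagged correctly, one missing the tag, one with no tags.
RULE = build_add_tag_rule("CostCenter", "CC-1000")
EXISTING = [
    {"name": "vm1", "type": "Microsoft.Compute/virtualMachines",
     "tags": {"CostCenter": "CC-2000"}},
    {"name": "st1", "type": "Microsoft.Storage/storageAccounts", "tags": {"Env": "prod"}},
    {"name": "vnet1", "type": "Microsoft.Network/virtualNetworks"},
]

if __name__ == "__main__":
    print(json.dumps(RULE, indent=2))
    print(compliance_scan(RULE, EXISTING))
    print([r["tags"] for r in remediate(RULE, EXISTING)])
```

The scan never changes anything; that is the behaviour the auditing question hinges on. The remediation task is what applies the modify operations to resources that predate the assignment, and it runs under the assignment's managed identity, which must hold a role listed in roleDefinitionIds (Contributor is what the built-in definition lists; scope that identity's role as narrowly as your remediation needs allow).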


Question: You want to stop people from deleting a resource group, but still allow updates to the resources inside it.


Which lock should you use?


  A. Read-only
  B. Delete
  C. Contributor lock
  D. Owner lock
Correct Answer

B. Delete

Explanation:

A. Read-only – Prevents both updates and deletions, allowing only read operations. This would block updates, which is not desired in this case.

B. Delete – Correct. A Delete lock (CanNotDelete in the API) blocks deletion of the resource group and, because locks are inherited, of every resource inside it, while still allowing modifications and updates. Only principals with Microsoft.Authorization/locks/* permissions (among the built-in roles, Owner and User Access Administrator) can create or remove locks, so a Contributor cannot simply remove the lock and delete the group anyway.

C. Contributor lock – Not an actual lock type in Azure. “Contributor” is an RBAC role, not a lock.

D. Owner lock – Not an actual lock type in Azure. “Owner” is an RBAC role, not a lock.

Microsoft Learn Reference:
https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources



Question: You need to deploy a consistent set of role assignments, Azure Policies, and ARM templates to multiple subscriptions as part of a governance baseline.

Which service should you use?

  A. Azure Blueprints
  B. Management groups
  C. Azure Policy
  D. Azure Resource Manager templates
Correct Answer

A. Azure Blueprints

Explanation:

A. Azure Blueprints – Correct. Azure Blueprints let you package and deploy a repeatable set of governance artifacts, such as role assignments, Azure Policy assignments, and ARM templates, across multiple subscriptions in a controlled and consistent way. Be aware that Microsoft has announced Azure Blueprints (Preview) will be deprecated on July 11, 2026 and recommends Template Specs and Deployment Stacks instead; Blueprints is still the answer this question expects, but do not build new governance baselines on it.

B. Management groups – Organize subscriptions into a hierarchy for governance. While you can apply policies at the management group level, they do not package and deploy all governance components together like Blueprints do.

C. Azure Policy – Enforces compliance rules but cannot bundle role assignments or ARM templates into a single deployment package.

D. Azure Resource Manager templates – Deploy infrastructure resources but do not inherently include policy assignments or RBAC role assignments as part of a governance baseline.

Microsoft Learn Reference:
https://learn.microsoft.com/azure/governance/blueprints/overview


Question: Your company wants MFA for all admin role sign-ins, but only if the sign-in is from an untrusted network. Which service and condition should you configure?


  A. Azure Policy with network location condition
  B. Conditional Access with sign-in risk condition
  C. Conditional Access with named location condition
  D. RBAC with MFA requirement
Correct Answer

C. Conditional Access with named location condition

Explanation:

A. Azure Policy with network location condition – Azure Policy cannot enforce MFA or authentication rules; it is used for resource compliance, not sign-in security.

B. Conditional Access with sign-in risk condition – Triggers MFA based on the risk level that Microsoft Entra ID Protection computes (from signals such as unfamiliar locations or anomalous sign-in patterns), not on an explicit list of trusted networks. It also requires Microsoft Entra ID P2 licensing.

C. Conditional Access with named location condition – Correct. Conditional Access in Microsoft Entra ID lets you define "named locations" for the corporate network's IP ranges, mark them as trusted, and require MFA only when the sign-in originates outside those ranges. Target the policy at the directory roles themselves (Global Administrator, User Administrator, and so on) rather than at individual admin accounts, so that newly assigned administrators are covered automatically, and exclude your break-glass accounts.

D. RBAC with MFA requirement – Role-Based Access Control manages permissions after sign-in; it does not enforce MFA or sign-in conditions.

Microsoft Learn Reference:
https://learn.microsoft.com/entra/identity/conditional-access/location-condition
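The location logic in this question and in the earlier all-users MFA question is the same policy pattern with different assignments, so here is one added example (not part of the original article) that models both policies and evaluates sample sign-ins against them. It is a simulation of the decision logic, not Microsoft's Conditional Access engine, and the named locations, users, role memberships and the break-glass account are constructed:

```python
"""Simulate how a Conditional Access policy decides whether to require MFA
based on named locations.

Added illustration of the decision logic only; this is not Microsoft's
Conditional Access engine. Tenant data (named locations, users, role
memberships, the break-glass account) is constructed. The policy shape
follows the real model: assignments (users or roles included, users
excluded), a location condition ("Any location" included, trusted
locations excluded), and a grant control. Conditional Access runs after
the first factor succeeds, so every sign-in below already holds a valid
password.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class NamedLocation:
    name: str
    ranges: List[str]            # CIDR strings, IPv4 and/or IPv6
    trusted: bool = False        # the "Mark as trusted location" checkbox

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        for cidr in self.ranges:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == addr.version and addr in net:
                return True
        return False


@dataclass
class SignIn:
    user: str
    ip: str                      # egress address as seen by Entra ID
    roles: Set[str] = field(default_factory=set)


@dataclass
class Policy:
    name: str
    include_users: str = "All"   # "All", or "Roles" to target include_roles
    include_roles: Set[str] = field(default_factory=set)
    exclude_users: Set[str] = field(default_factory=set)   # break-glass accounts
    exclude_trusted_locations: bool = True   # locations: include Any, exclude trusted
    grant: str = "mfa"
    state: str = "enabled"       # enabled | reportOnly | disabled


def in_trusted_location(ip: str, locations: List[NamedLocation]) -> bool:
    return any(loc.trusted and loc.contains(ip) for loc in locations)


def policy_applies(policy: Policy, signin: SignIn, locations: List[NamedLocation]) -> bool:
    """Assignment and condition logic; an exclusion always beats an inclusion."""
    if signin.user in policy.exclude_users:
        return False
    if policy.include_users == "Roles" and not (signin.roles & policy.include_roles):
        return False
    if policy.exclude_trusted_locations and in_trusted_location(signin.ip, locations):
        return False
    return True


def evaluate(policies: List[Policy], signin: SignIn,
             locations: List[NamedLocation]) -> Dict[str, Set[str]]:
    """Grant controls enforced for this sign-in, and those only logged (report-only)."""
    result: Dict[str, Set[str]] = {"enforced": set(), "report_only": set()}
    for p in policies:
        if p.state == "disabled" or not policy_applies(p, signin, locations):
            continue
        result["enforced" if p.state == "enabled" else "report_only"].add(p.grant)
    return result


# Constructed tenant: a trusted corporate range (v4 and v6) and a partner range
# that is named but deliberately not marked trusted.
LOCATIONS = [
    NamedLocation("Corp HQ", ["203.0.113.0/24", "2001:db8:10::/48"], trusted=True),
    NamedLocation("Partner", ["198.51.100.0/24"], trusted=False),
]
BREAK_GLASS = {"breakglass@contoso.example"}
POLICIES = [
    # The earlier question: every user, Azure portal, MFA off the corporate network.
    Policy("MFA for all users outside corp network", exclude_users=BREAK_GLASS),
    # This question: only admin roles, same location condition.
    Policy("MFA for admin roles outside corp network", include_users="Roles",
           include_roles={"Global Administrator", "User Administrator"},
           exclude_users=BREAK_GLASS),
]

if __name__ == "__main__":
    for s in [SignIn("ga@contoso.example", "192.0.2.7", {"Global Administrator"}),
              SignIn("ga@contoso.example", "203.0.113.25", {"Global Administrator"})]:
        print(s.user, s.ip, evaluate(POLICIES, s, LOCATIONS))
```

The partner range shows the distinction the exam likes to test: a named location is only a label until you mark it trusted, so sign-ins from it still require MFA. Both policies exclude the break-glass account, which is the standard safeguard against a location or MFA misconfiguration locking out every administrator.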


Question: You set a budget for $5,000 in Azure Cost Management with an alert at 90%. What will Azure do at 90% spend?


  A. Stop all resources automatically
  B. Send an alert and continue running resources
  C. Restrict deployments until next month
  D. Lock the subscription
Correct Answer

B. Send an alert and continue running resources

Explanation:

A. Stop all resources automatically – Budgets in Azure Cost Management do not have built-in stop functionality unless you configure automation (for example, with Azure Automation or Logic Apps).

B. Send an alert and continue running resources – Correct. Budgets trigger notifications (email to the configured recipients and, optionally, an action group) when a threshold is met; on their own they take no enforcement action and never stop spend.

C. Restrict deployments until next month – Budgets do not impose deployment restrictions.

D. Lock the subscription – Budgets do not lock subscriptions; you would need separate governance tools for that.

Microsoft Learn Reference:
https://learn.microsoft.com/azure/cost-management-billing/costs/tutorial-acm-create-budgets



The NileCertify Editorial Team is a group of IT professionals, educators, and researchers committed to creating accurate, practical, and engaging learning resources. We specialize in IT certifications like Microsoft Azure, CompTIA, and more, bringing you up-to-date practice tests, study guides, and learning tools based on real-world knowledge and cognitive science. Every piece of content we publish is carefully reviewed to ensure it reflects the latest exam standards and learning best practices.
