Microsoft Azure Administrator · Domain 1 · 24% of exam

Manage Azure identities and governance

Drill 20 practice questions focused entirely on Manage Azure identities and governance for the Microsoft AZ-104 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

Your organization has a single Microsoft Entra tenant with users from several regional offices. The IT team in the Berlin office must be able to reset passwords and manage properties only for users who belong to the Berlin office, without gaining any control over users in other offices. You want to grant this access using the least-privilege approach. What should you do?

Reviewed for accuracy · Report an issue
Question 2 of 20

Your company requires that every resource within the resource group 'RG-Finance' carry a 'CostCenter' tag with the value 'FIN-2024' for chargeback reporting. Developers frequently deploy new resources without specifying tags, and manually tagging each resource is not sustainable. You want resources to automatically receive the correct tag value at deployment time without blocking deployments. What should you do?

Reviewed for accuracy · Report an issue
Question 3 of 20

Your organization has 3,500 users in Microsoft Entra ID. The HR department frequently adds and removes users from a dynamic group named 'Sales-Team'. You need to ensure that every current and future member of the Sales-Team group automatically receives a Microsoft 365 E3 license without manual intervention, while minimizing administrative effort. What should you do?

Reviewed for accuracy · Report an issue
Question 4 of 20

Your company uses a Microsoft Entra ID security group named Sales-Team to control access to several SharePoint sites. The IT manager wants two members of the sales department to be able to add and remove members from the group without granting them any directory-wide administrative permissions. What should you configure to meet this requirement with the least privilege?

Reviewed for accuracy · Report an issue
Question 5 of 20

Your company has a resource group named RG-Finance that contains several virtual machines. A new team member, Dana, needs to be able to start, stop, and restart all virtual machines in RG-Finance, but must NOT be able to create or delete VMs, modify VM configurations, or manage any other resource types in the resource group. You want to follow the principle of least privilege using built-in roles only. What should you do?

Reviewed for accuracy · Report an issue
Question 6 of 20

You manage an Azure environment for Contoso. A new colleague, Amit, needs to view all resources across every resource group in the Production subscription, but he must not be able to make any changes. You want to grant this access with the fewest role assignments possible while following least-privilege principles. What should you do?

Reviewed for accuracy · Report an issue
Question 7 of 20

Your company runs 40 production virtual machines across three subscriptions. Finance reports that spending is higher than expected. You are asked to identify specific VMs that are consistently underutilized so they can be resized or shut down, without deploying any additional tooling or agents. Which Azure feature should you use to obtain these recommendations?

Reviewed for accuracy · Report an issue
Question 8 of 20

Your company has a compliance requirement that all Azure resources must be deployed only in the West Europe and North Europe regions. You need to prevent users from creating resources in any other region across an entire subscription, with the least administrative effort. What should you do?

Reviewed for accuracy · Report an issue
Question 9 of 20

Your company applies an Azure Policy assignment at the subscription scope that denies the creation of any storage account that does not use geo-redundant storage (GRS). The development team needs to create locally redundant storage (LRS) accounts in a single resource group named rg-dev-sandbox for testing, without disabling the policy for the rest of the subscription. What should you configure?

Reviewed for accuracy · Report an issue
Question 10 of 20

You assign a new Azure Policy with a 'deny' effect that prohibits creating storage accounts that allow public blob access. Several storage accounts with public blob access already existed in the scope before the assignment. After the assignment, you check the policy's compliance report but notice the existing storage accounts are not yet listed. What is the MOST likely reason the existing resources are not reflected as non-compliant?

Reviewed for accuracy · Report an issue
Question 11 of 20

Your company requires that no storage accounts be created without secure transfer (HTTPS) enabled. You author an Azure Policy definition and assign it at the subscription scope. However, the compliance team notes that several developers are still successfully creating non-compliant storage accounts, and the policy is only flagging them afterward in the compliance report. You need to prevent these non-compliant resources from being created in the first place, without affecting resources that already exist. What should you do?

Reviewed for accuracy · Report an issue
Question 12 of 20

Your company must enforce a set of related compliance controls across all subscriptions, including allowed VM SKUs, required tags, and permitted regions. Auditors want to assess overall compliance against this single control set with one compliance score rather than tracking each rule separately. You need to deploy and assign these rules together and report on them as a unit. What should you create and assign?

Reviewed for accuracy · Report an issue
Question 13 of 20

Your company requires that every resource in the production subscription automatically receives a CostCenter tag set to 'Finance' when it is created, even if the deployment template does not include the tag. You want Azure Policy to add the tag without blocking any deployments. Which policy effect should the policy definition use?

Reviewed for accuracy · Report an issue
Question 14 of 20

You create an Azure Policy assignment with a 'deployIfNotExists' effect that ensures diagnostic settings are configured on all storage accounts in a subscription. After the assignment is created, you notice that 50 storage accounts that existed before the assignment remain non-compliant and do not have diagnostic settings applied. New storage accounts created after the assignment are compliant. You must bring the 50 existing storage accounts into compliance with the least administrative effort. What should you do?

Reviewed for accuracy · Report an issue
Question 15 of 20

Your company's finance team wants to be automatically notified when spending against the Production subscription reaches 80% of the monthly forecast, and they also want an automated webhook to trigger a Logic App that posts a message to Microsoft Teams. You need to configure this in Cost Management using the least administrative effort. Which approach should you take?

Reviewed for accuracy · Report an issue
Question 16 of 20

Your organization uses group-based licensing in Microsoft Entra ID. A user named Jordan is a member of two groups: the 'Sales' group, which is assigned an Office 365 E3 license with the 'Exchange Online' service plan enabled, and the 'Contractors' group, which is assigned an Office 365 E3 license with 'Exchange Online' disabled. Jordan is also directly assigned an Office 365 E3 license with all service plans enabled. Which statement correctly describes the resulting license state for Jordan?

Reviewed for accuracy · Report an issue
Question 17 of 20

You are an Azure administrator for Contoso. Your organization has an existing Microsoft Entra security group named SG-Finance that contains 45 assigned members. The collaboration team asks you to enable a shared mailbox and a shared calendar for these members through group-based collaboration in Microsoft 365. You want to reuse the existing membership rather than recreate it. What should you do?

Reviewed for accuracy · Report an issue
Question 18 of 20

You are the Azure administrator for Contoso. Finance asks you to identify which resource groups are driving the highest spend this month and to see a projected total for the current billing period before the invoice arrives. You must use a native Azure tool without deploying any additional resources. Which tool should you use?

Reviewed for accuracy · Report an issue
Question 19 of 20

Your company owns the public DNS domain contoso.com and wants users in Microsoft Entra ID to sign in with user principal names such as user@contoso.com instead of the default onmicrosoft.com domain. You add contoso.com as a custom domain name in the Microsoft Entra admin center, but it shows a status of Unverified. What must you do to complete verification?

Reviewed for accuracy · Report an issue
Question 20 of 20

Your company needs a custom Azure role for a team of support engineers. They must be able to view and restart virtual machines in a resource group, but they must NOT be able to delete virtual machines or change any role assignments. You are defining the JSON for the custom role. Which combination of properties correctly enforces these requirements?

Reviewed for accuracy · Report an issue

More AZ-104 practice

Keep going with the other Microsoft Azure Administrator domains, or take a full timed mock exam.

← Back to AZ-104 overview