Try 10 focused AZ-104 questions on Manage Azure Identities and Governance, with explanations, then continue with IT Mastery.
Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.
| Field | Detail |
|---|---|
| Exam route | AZ-104 |
| Topic area | Manage Azure Identities and Governance |
| Blueprint weight | 15% |
| Page purpose | Focused sample questions before returning to mixed practice |
Use this page to isolate Manage Azure Identities and Governance for AZ-104. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 15% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
These questions are original IT Mastery practice items aligned to this topic area. They are designed for self-assessment and are not official exam questions.
Topic: Manage Azure Identities and Governance
An administrator enables self-service password reset (SSPR) in Microsoft Entra ID, allows mobile phone, email, and Microsoft Authenticator app as authentication methods, and requires two methods to reset a password. Which statement correctly describes what end users must do before they can use SSPR?
Options:
A. Register a single method now; Azure will prompt for a second method only if the first one fails during a password reset.
B. Register at least two of the allowed methods (such as mobile phone, email, or the app) during security info registration before using SSPR.
C. Do nothing; Azure automatically uses any phone numbers and email addresses already stored in their profile for SSPR without user registration.
D. Register only the Microsoft Authenticator app, because mobile phone and email cannot be used as SSPR authentication methods.
Best answer: B
Explanation: Microsoft Entra self-service password reset (SSPR) lets users reset their own passwords using one or more verification methods that an administrator has allowed, such as mobile phone (SMS or voice), email, and the Microsoft Authenticator app.
When an admin configures SSPR, they choose both which methods are allowed and how many methods are required to reset a password. During the security information (authentication methods) registration experience, users are prompted to set up enough methods to meet that requirement. For example, if two methods are required, users must register at least two of the allowed options before they can successfully use SSPR.
General profile attributes, such as the Mobile or Mail fields on the user object, are not used for SSPR. The reset relies on the dedicated authentication methods the user registers as security info. An administrator can pre-populate a user's authentication phone and email, but that is a deliberate admin action, not automatic reuse of profile data. This keeps the contact details used for password reset verified and under the user's control.
Topic: Manage Azure Identities and Governance
Your company uses Microsoft Entra self-service password reset (SSPR) for a subset of users.
A user named Alice reports that she cannot reset her password. You open the Microsoft Entra admin center, go to Monitoring & health > Sign-in logs, and filter the logs by:
- Client app: Self-service password reset
- Status: Failure
The following result is displayed.
Exhibit:
| Date (UTC) | User | Client app | Status | Failure reason |
|---|---|---|---|---|
| 2025-02-03 09:14:22 | alice@contoso.onmicrosoft.com | Self-service password reset | Failure | User not in any password reset policy |
Based on the information in the exhibit, what should you do to resolve Alice’s issue?
Options:
A. Assign the Authentication Administrator role to Alice so she can reset her own password.
B. Enable combined security information registration for all users so Alice can register authentication methods.
C. Add Alice to a user group that is included in the SSPR password reset policy scope.
D. Change the SSPR policy mode to “Selected” and leave the user scope empty so SSPR uses the default settings.
Best answer: C
Explanation: Self-service password reset (SSPR) attempts are recorded in the Microsoft Entra sign-in logs (the audit logs also record SSPR activity, filtered by the self-service password reset service). When troubleshooting a failed reset attempt, filter the sign-in logs by Client app = Self-service password reset and Status = Failure. The resulting entries include a Failure reason that points to the root cause.
In the exhibit, the failure reason is "User not in any password reset policy". This means SSPR is configured in the tenant, but the user is not in scope for the SSPR policy. Microsoft Entra SSPR can be enabled for all users (All) or for a selected group (Selected). If it is set to Selected, only members of the chosen group, including nested group membership, can perform SSPR.
To resolve the issue, you must bring Alice into the SSPR scope, either by:
- adding Alice, directly or through a nested group, to the group selected in the SSPR policy, or
- changing the SSPR scope from Selected to All, which enables it for every user rather than only the intended subset.
Other actions, such as assigning admin roles or enabling combined registration, do not change whether the user is included in the SSPR policy and therefore would not fix this specific failure reason.
Topic: Manage Azure Identities and Governance
You are an administrator for a company that uses Microsoft Entra ID. You must pilot self-service password reset (SSPR) for a subset of cloud-only users.
Requirements:
- Only members of a security group named SSPR-Pilot can use SSPR.
- Users must be prompted to register their SSPR authentication methods when they sign in.
- Users must be able to use both a mobile phone and the Microsoft Authenticator app, and two methods must be required to complete a reset.
You will configure SSPR in the Microsoft Entra admin center.
Which of the following actions will meet these requirements? (Select THREE.)
Options:
A. In the SSPR Properties settings, enable SSPR for All so that any user in the tenant can reset their own password.
B. Ask users in the SSPR-Pilot group to manually browse to the SSPR registration URL, and leave Require users to register when signing in disabled.
C. In SSPR Authentication methods, enable Mobile app notification or code and Mobile phone, and set Number of methods required to reset to 2.
D. In SSPR Authentication methods, allow only Mobile phone and set Number of methods required to reset to 1.
E. In SSPR Registration settings, turn on Require users to register when signing in and configure a registration reconfirmation period.
F. In the SSPR Properties settings, set Self service password reset enabled to Selected and assign the SSPR-Pilot security group.
Correct answers: C, E and F
Explanation: Self-service password reset (SSPR) in Microsoft Entra ID is controlled through three main areas: scope (who can use SSPR), registration settings (how users register their methods), and authentication methods (which methods are allowed and how many are required during reset).
To run a pilot, administrators typically scope SSPR to a dedicated security group so only members of that group can use SSPR. This prevents unplanned impact on all users.
The registration settings allow you to force users to register when they sign in. When the “Require users to register when signing in” option is enabled, users are prompted to register SSPR data and will continue to see the prompt until they complete registration.
The authentication methods configuration controls which methods users can register (for example, mobile phone, office phone, email, Microsoft Authenticator app) and how many different methods they must use when performing a reset. If the requirement is to use both a mobile phone and the Microsoft Authenticator app and to require two methods during the reset, you must enable those methods and set the required number of methods to 2.
Putting this together, scoping SSPR to the SSPR-Pilot group, forcing registration at sign-in, and allowing both mobile phone and mobile app methods with two required methods fully meets the scenario’s requirements.
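As an added example for the three SSPR questions above (this is not part of the original practice items), the following Microsoft Graph PowerShell script checks, for every user in the pilot group, the three conditions those questions turn on: whether the user is in SSPR scope (the condition behind "User not in any password reset policy"), whether the user has completed security info registration, and whether the registered methods are enough for a reset to succeed. It assumes the Microsoft.Graph module is installed, that a security group named SSPR-Pilot exists, that the policy requires two methods, and that the caller holds a role able to read the user registration details report (for example Reports Reader). The report it reads is the same data behind the Authentication methods > User registration details page.

```powershell
# Added example, not from the original page. Assumes: Microsoft.Graph module installed,
# a security group named SSPR-Pilot (from the scenario), and a caller with a role that can
# read the user registration details report (Reports Reader or higher).
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All', 'GroupMember.Read.All' -NoWelcome

$requiredMethods = 2    # "Number of methods required to reset" from the scenario
$pilotGroup = Get-MgGroup -Filter "displayName eq 'SSPR-Pilot'"
if (-not $pilotGroup) { throw 'Group SSPR-Pilot not found' }

# Only user objects have registration details; skip nested groups, devices and so on.
$members = Get-MgGroupMember -GroupId $pilotGroup.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

$report = foreach ($member in $members) {
    # userRegistrationDetails is keyed by the user's object id
    $d = Get-MgReportAuthenticationMethodUserRegistrationDetail -UserRegistrationDetailsId $member.Id
    [pscustomobject]@{
        User        = $d.UserPrincipalName
        InSsprScope = $d.IsSsprEnabled      # false => "User not in any password reset policy"
        Registered  = $d.IsSsprRegistered   # false => never completed security info registration
        CanReset    = $d.IsSsprCapable      # true only when in scope AND enough methods are registered
        Methods     = ($d.MethodsRegistered -join ', ')
    }
}

# Everyone who would fail a reset today, with the reason visible in the columns
$report | Where-Object { -not ($_.InSsprScope -and $_.Registered -and $_.CanReset) } | Format-Table -AutoSize

# Rollout progress for the pilot
$total = @($report).Count
$ready = @($report | Where-Object CanReset).Count
"SSPR-Pilot: $ready of $total members can reset today (policy requires $requiredMethods methods)."
```

MethodsRegistered lists every method on the account, including MFA-only ones such as Windows Hello for Business, so use the IsSsprCapable flag rather than counting methods when deciding whether a user meets the two-method requirement.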
Topic: Manage Azure Identities and Governance
You manage a subscription with hundreds of existing resources. Only some resource groups have the required CostCenter and Environment tags. Resources do not automatically inherit updated tags from their resource groups. You must ensure all current and future resources have these two tags, using the resource group’s values, with minimal ongoing manual effort and without custom scripts. Which approach should you implement?
Options:
A. Assign the built-in Azure Policy definitions that inherit tags from the resource group with a Modify effect at the subscription scope for CostCenter and Environment, ensure all resource groups are correctly tagged, and run remediation tasks for existing resources.
B. Tag all resource groups with CostCenter and Environment and rely on automatic tag inheritance so that all existing and new resources receive the same tags.
C. Create an Azure Policy initiative with Audit-only policies that check for missing CostCenter and Environment tags, then periodically export non-compliant resources and update tags manually in the portal.
D. Develop an Azure Automation runbook that runs daily to copy CostCenter and Environment tags from each resource group to all resources in that group, and schedule it from an Automation account.
Best answer: A
Explanation: Tags in Azure are applied directly to each subscription, resource group, or resource. By default, tags on a resource group do not flow down to the resources in it, and resources are not updated when the group's tags change later.
Azure Policy can be used to enforce consistent tagging. The built-in definitions that inherit a tag from the resource group use the Modify effect: when a resource in scope is created or updated without the tag, the policy adds it with the value from the resource group. Assigned at a higher scope such as the subscription, one assignment per tag covers every resource in scope. Because Modify writes to resources, the assignment needs a managed identity that holds the role named in the definition (Contributor for the built-in tag policies) at the assignment scope.
For existing resources, a remediation task runs the Modify operation retroactively against resources that are currently non-compliant. Together this tags both current and future resources with minimal manual effort and no custom automation.
The other options fall short: resource group tags are not inherited automatically (B), audit-only policies report gaps but do not fix them (C), and a scheduled runbook is exactly the custom script the requirement rules out (D).
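As an added example (not from the original page), the following Az PowerShell script performs the three steps the explanation describes: it assigns the built-in "Inherit a tag from the resource group" definition once per tag at subscription scope with a system-assigned managed identity, grants that identity the Contributor role the Modify effect needs, and starts a remediation task for existing resources. It assumes Az.Resources and Az.PolicyInsights are installed, that the caller can create role assignments at the subscription (Owner), and that the identity region eastus is acceptable; the assignment names are placeholders.

```powershell
# Added example, not from the original page. Assumes Az.Resources and Az.PolicyInsights,
# an Owner-level caller, and the current Az context set to the target subscription.
$subId = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$subId"

# Built-in definition that copies a tag from the resource group (Modify effect).
# Az.Resources 6 exposes .Properties.DisplayName, Az.Resources 7 flattens it to .DisplayName;
# checking both keeps the lookup working on either.
$definition = Get-AzPolicyDefinition -Builtin |
    Where-Object { ($_.Properties.DisplayName, $_.DisplayName) -contains 'Inherit a tag from the resource group' }

foreach ($tag in 'CostCenter', 'Environment') {
    # -IdentityType/-Location: Modify needs a managed identity; the region only anchors the identity.
    $assignment = New-AzPolicyAssignment -Name "inherit-$tag" -DisplayName "Inherit $tag from resource group" `
        -Scope $scope -PolicyDefinition $definition `
        -PolicyParameterObject @{ tagName = $tag } `
        -IdentityType SystemAssigned -Location 'eastus'

    # Same version split for the output object (assumption: property names per Az.Resources 6 vs 7).
    $principalId  = if ($assignment.IdentityPrincipalId) { $assignment.IdentityPrincipalId } else { $assignment.Identity.PrincipalId }
    $assignmentId = if ($assignment.Id) { $assignment.Id } else { $assignment.PolicyAssignmentId }

    # The built-in definition lists Contributor in roleDefinitionIds; grant it at the assignment scope.
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName 'Contributor' -Scope $scope | Out-Null
    Start-Sleep -Seconds 60   # role assignments take a moment to propagate before remediation can write

    # New resources are tagged at creation; existing ones change only when remediated.
    Start-AzPolicyRemediation -Name "remediate-$tag" -Scope $scope `
        -PolicyAssignmentId $assignmentId -ResourceDiscoveryMode ReEvaluateCompliance | Out-Null
}
```

Resource groups that are themselves missing the tag still need to be tagged first; the policy only copies what the parent group already has, and a remediation task for such resources does nothing until the group is fixed.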
Topic: Manage Azure Identities and Governance
Which of the following statements about using the Access control (IAM) blade in the Azure portal to understand who has access to a resource are true? (Select THREE.)
Options:
A. Effective access shown in Check access is based on role assignments at the current scope plus any role assignments at higher scopes that inherit down to the current resource.
B. The Access control (IAM) blade for a resource shows permissions granted through shared keys or SAS tokens alongside RBAC role assignments.
C. On a resource’s Access control (IAM) blade, the Role assignments tab shows both direct and inherited role assignments that apply to that resource.
D. The Check access feature lets you select a user, group, or service principal and view which role assignments grant that principal access to the current resource.
E. Using Check access at the subscription level lists every individual resource inside that subscription that the selected user can access.
Correct answers: A, C and D
Explanation: Access control (IAM) in the Azure portal is the primary place for an administrator to understand who has access to a resource and why. At any scope (management group, subscription, resource group, or resource), the Role assignments tab lists all RBAC role assignments that affect that scope, including those that are inherited from higher levels.
When you open the Access control (IAM) blade on a specific resource, the Role assignments view shows assignments that apply to that resource. Assignments made directly on the resource are marked as direct, while those coming from parent scopes are marked as inherited. This helps you see both where the access was granted and which role is in effect.
The Check access feature focuses on a particular security principal (user, group, service principal, or managed identity). At a given scope, it evaluates RBAC role assignments at that scope and all parent scopes that flow down to the current resource. It then presents the effective access and the role assignments that grant it. This is useful for troubleshooting unexpected access or verifying least privilege.
Access control (IAM) only shows RBAC-based control. Other access mechanisms such as storage account keys or shared access signatures (SAS) are not visible in RBAC views, because they are data-plane mechanisms managed by the resource type itself, not Azure RBAC on the control plane. Likewise, Check access does not attempt to enumerate every single resource a principal can access; instead, it summarizes the role assignments and scopes that grant access.
Topic: Manage Azure Identities and Governance
You are an Azure administrator for a production subscription. Several deployments are failing with errors similar to the following:
Code: ScopeLocked
Message: The scope '/subscriptions/xxxx/resourceGroups/Prod-RG' is locked and cannot be deleted or modified.
Code: RequestDisallowedByPolicy
Message: Resource 'vm-app01' was disallowed by policy. Policy assignment 'Deny-Public-IP'
You must ensure teams can deploy compliant resources while maintaining strong governance.
Which of the following configurations should you AVOID? (Select TWO.)
Options:
A. Create a policy exemption or narrower policy scope that allows only compliant exceptions for specific resource groups or workloads.
B. Instruct deployment teams to check for error codes such as ‘ScopeLocked’ or ‘RequestDisallowedByPolicy’ before opening incidents, so they can identify when locks or policies are causing failures.
C. Remove all resource locks from the subscription so that deployments are never blocked by locks.
D. Temporarily remove the read-only lock from the affected resource group, perform the required change, and then reapply the lock.
E. Temporarily exclude the entire subscription from all Azure Policy assignments so that no deployment is blocked by a policy denial.
Correct answers: C and E
Explanation: The error code ScopeLocked indicates that a management lock (for example, read-only) is preventing modification or deletion at the specified scope. The error code RequestDisallowedByPolicy indicates that an Azure Policy assignment is denying the deployment because it does not meet the defined rules.
In these situations, the correct approach is to adjust the specific lock or policy scope, or use targeted exemptions, while preserving overall governance controls. Completely removing locks or disabling all policies at the subscription level just to avoid deployment errors is an anti-pattern that weakens security and compliance.
Administrators should also be able to recognize these error codes quickly, so they can distinguish between permission issues, policy denials, and lock-related blocks, and then apply the appropriate fix at the right scope.
Topic: Manage Azure Identities and Governance
You manage a storage account named stfiles.
Users in the SG-AppDevs security group report that they can upload and delete blobs in stfiles from a local tool, even though you believe they should have read-only or no data access.
You capture the following information.
Exhibit:
Role assignments on stfiles:
| Principal | Role | Scope |
|---|---|---|
| SG-AppDevs | Reader | stfiles |
Application configuration:
```json
{
  "StorageConnectionString": "DefaultEndpointsProtocol=https;AccountName=stfiles;AccountKey=<redacted>;EndpointSuffix=core.windows.net"
}
```
Based only on the information in the exhibit, what is the most likely explanation for why SG-AppDevs members can modify blob data in stfiles?
Options:
A. The role assignment is at the storage account scope, which always overrides any restrictions on data access defined inside the storage account.
B. The Azure RBAC Reader role automatically includes read and write permissions to all blob data when applications use connection strings.
C. The connection string uses the storage account key, which grants data access inside the storage service independently of the Azure RBAC Reader assignment.
D. Because the tool is running outside Azure, Azure RBAC does not apply, and any authenticated user can modify blobs in the storage account.
Best answer: C
Explanation: The exhibit shows that SG-AppDevs has the Azure RBAC Reader role on the storage account stfiles. Reader is a management-plane role: it allows viewing resource configuration (for example, viewing properties in the portal) but does not grant rights to modify data in blob containers.
However, the application configuration clearly uses a storage connection string that contains AccountKey=<redacted>. A storage account key is an account-level secret that grants full control over data in every service of that account, subject only to account-level restrictions such as network rules or the setting that disallows Shared Key authorization entirely. When a client signs a request with the account key, the Storage service authorizes it on that signature alone; Azure RBAC is not consulted, so the caller's identity and role assignments play no part.
Therefore, members of SG-AppDevs can upload and delete blobs because the local tool authenticates with the storage account key, not because of their Reader role. The Azure RBAC role shown in the exhibit is essentially irrelevant for these data operations.
This illustrates the distinction between Azure RBAC, which governs identity-based access (management plane and, with the appropriate data roles, data plane), and resource-specific access models such as storage account keys, which bypass RBAC and provide their own authorization mechanism inside the resource. Because a key also does not record who used it, the practical fix is to move the tool to Entra ID authentication with a data-plane role such as Storage Blob Data Reader, rotate the exposed key, and disallow Shared Key access on the account.
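As an added example for this question and the Access control (IAM) question above (it is not part of the original page), the following Az PowerShell script first reproduces what the Role assignments tab and Check access show for stfiles, then checks the one thing neither view shows, Shared Key authorization, and finally applies the remediation the explanation describes. It assumes Az.Resources and Az.Storage are installed, that the caller can manage role assignments and the storage account, and that stfiles lives in a resource group named rg-storage (a placeholder); the principal names come from the questions.

```powershell
# Added example, not from the original page. Assumes Az.Resources and Az.Storage; 'rg-storage'
# is a placeholder resource group, the other names come from the questions on this page.
$sa = Get-AzStorageAccount -ResourceGroupName 'rg-storage' -Name 'stfiles'

# 1. What the Role assignments tab shows: direct plus inherited RBAC effective at this resource.
#    The Scope property of each assignment reveals where it was actually made.
Get-AzRoleAssignment -Scope $sa.Id |
    Select-Object DisplayName, ObjectType, RoleDefinitionName,
        @{ n = 'Source'; e = { if ($_.Scope -eq $sa.Id) { 'Direct' } else { "Inherited from $($_.Scope)" } } } |
    Format-Table -AutoSize

# 2. What Check access shows for one principal, including roles held through group membership.
$alice = Get-AzADUser -UserPrincipalName 'alice@contoso.onmicrosoft.com'
Get-AzRoleAssignment -ObjectId $alice.Id -Scope $sa.Id -ExpandPrincipalGroups |
    Select-Object RoleDefinitionName, Scope, ObjectType, DisplayName

# 3. What neither view shows: whether Shared Key authorization is still accepted. A value of
#    $null means the setting was never changed, which is the same as allowed.
"Shared Key access allowed: $($sa.AllowSharedKeyAccess -ne $false)"

# 4. Remediation. First give the group a data-plane role so the tool can work with Entra ID auth
#    (Reader alone grants no blob data access).
$devs = Get-AzADGroup -DisplayName 'SG-AppDevs'
New-AzRoleAssignment -ObjectId $devs.Id -RoleDefinitionName 'Storage Blob Data Reader' -Scope $sa.Id | Out-Null

# Once the tool has been switched to Entra ID sign-in, rotate both keys so the copy in the
# app config stops working ...
New-AzStorageAccountKey -ResourceGroupName $sa.ResourceGroupName -Name $sa.StorageAccountName -KeyName key1 | Out-Null
New-AzStorageAccountKey -ResourceGroupName $sa.ResourceGroupName -Name $sa.StorageAccountName -KeyName key2 | Out-Null

# ... and disallow Shared Key authorization entirely. From here on only Entra-authorized requests
# (and SAS tokens signed with a user delegation key) are accepted on the data plane.
Set-AzStorageAccount -ResourceGroupName $sa.ResourceGroupName -Name $sa.StorageAccountName -AllowSharedKeyAccess $false | Out-Null
```

Disallowing Shared Key access also invalidates any account SAS or service SAS, because those are signed with the account key; check for such tokens in other applications before flipping the setting in production.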
Topic: Manage Azure Identities and Governance
Which of the following statements about Azure management groups is NOT correct?
Options:
A. A subscription can be a member of only one management group at a time in the hierarchy.
B. Assigning an Azure Policy at a management group scope causes the policy to apply to all child management groups and subscriptions unless they are explicitly excluded.
C. You can apply resource locks directly at a management group to prevent deletion of any resource in its child subscriptions.
D. Role assignments created at a management group scope are inherited by all child management groups and subscriptions within that hierarchy.
Best answer: C
Explanation: Azure management groups provide a way to organize and govern multiple subscriptions at scale. They form a hierarchy above subscriptions, enabling centralized assignment of Azure Policy and Azure RBAC. These assignments inherit down the hierarchy, allowing consistent governance without configuring each subscription individually.
However, not all governance features support management group scope. Resource locks, which protect resources from accidental deletion or modification, are limited to subscription, resource group, and resource scopes. They cannot be applied at the management group level. Understanding which controls are available at each scope is key to designing a consistent governance model.
Topic: Manage Azure Identities and Governance
An administrator enables Microsoft Entra self-service password reset (SSPR) for a specific security group of users, configures strong registration (two verification methods), and relies on users to reset their own passwords instead of calling the help desk. This change is primarily an example of which cloud operations principle?
Options:
A. Implementing disaster recovery for user credentials
B. Improving operational efficiency through controlled self-service
C. Designing for high availability of identity services
D. Enforcing strict network isolation around identity endpoints
Best answer: B
Explanation: In this scenario, the administrator enables Microsoft Entra self-service password reset (SSPR) and scopes it to a specific security group. Users in that group can reset their own passwords using pre-registered verification methods, instead of opening help desk tickets.
This configuration primarily targets operational efficiency. Common password reset requests are one of the largest sources of support tickets. By giving users a secure, policy-controlled way to reset their own passwords, you reduce help desk workload, shorten resolution time, and improve user productivity. Scoping SSPR to a security group lets you control rollout and apply the feature only where it is needed.
Although SSPR is part of a secure identity strategy, in this context the main principle is controlled self-service to improve operations, not high availability, disaster recovery, or network isolation.
Topic: Manage Azure Identities and Governance
You manage the ContosoRoot management group that contains the Prod-Sub and Dev-Sub subscriptions. You recently created the Azure Policy assignment shown in the exhibit. You must allow Dev-Sub to use any Azure region, while Prod-Sub must be restricted to East US and West Europe.
Based only on the exhibit, what should you do next?
Exhibit:
| Setting | Value |
|---|---|
| Assignment name | Allowed locations |
| Definition type | Built-in |
| Scope | Management group: ContosoRoot |
| Exclusions | (none) |
| Effect | Deny |
| allowedLocations | East US; West Europe |
Options:
A. Create a second Allowed locations assignment at the Prod-Sub subscription scope using the same parameters.
B. Change the Effect from Deny to Audit on the existing policy assignment.
C. Change the scope of the policy assignment from the ContosoRoot management group to the Dev-Sub subscription.
D. Edit the existing policy assignment and add the Dev-Sub subscription under Exclusions.
Best answer: D
Explanation: The exhibit shows an Azure Policy assignment for the built-in Allowed locations policy. The scope is the ContosoRoot management group, with no exclusions and an effect of Deny. When a policy is assigned at a management group scope, it applies to all child subscriptions and their resources unless a child scope (such as a specific subscription or resource group) is explicitly excluded.
Because there are no exclusions, both Prod-Sub and Dev-Sub inherit the location restriction, so both are limited to East US and West Europe. The requirement, however, is to restrict only Prod-Sub and leave Dev-Sub free to use any Azure region. The most direct and appropriate way to achieve this with the current assignment is to edit it and add Dev-Sub as an excluded scope. After that change, the Allowed locations policy no longer applies to Dev-Sub, but still applies to Prod-Sub and any other non-excluded child scopes. Exclusions are stored on the assignment itself (its notScopes); they are distinct from policy exemptions, which are separate resources attached to a scope and can carry an expiry date.
Other options either reverse the restriction, disable enforcement entirely, or add redundant assignments without addressing the inherited scope from the management group, so they do not satisfy the stated requirement.
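As an added example for this question and the locks-and-policy question above (not part of the original page), the following Az PowerShell script keeps the single management-group assignment from the exhibit and carves Dev-Sub out of it with an exclusion, then shows the targeted alternative to removing a Deny policy: a time-limited exemption for one resource group from the Deny-Public-IP assignment. It assumes Az.Resources is installed, that the caller can edit policy assignments at ContosoRoot and create exemptions in Prod-Sub, that Deny-Public-IP is the assignment's name (not only its display name) at Prod-Sub scope, and that rg-app-pilot is a placeholder resource group.

```powershell
# Added example, not from the original page. Assumes Az.Resources; management group and
# subscription names come from the exhibits, 'rg-app-pilot' is a placeholder, and
# 'Deny-Public-IP' is assumed to be the assignment name at Prod-Sub scope.
$mgScope   = '/providers/Microsoft.Management/managementGroups/ContosoRoot'
$devSubId  = (Get-AzSubscription -SubscriptionName 'Dev-Sub').Id
$prodSubId = (Get-AzSubscription -SubscriptionName 'Prod-Sub').Id

# 1. Exclusion: keep the one management-group assignment, take Dev-Sub out of its scope.
#    Checking both property forms covers Az.Resources 6 (.Properties.DisplayName) and 7 (.DisplayName).
$locations = Get-AzPolicyAssignment -Scope $mgScope |
    Where-Object { ($_.Properties.DisplayName, $_.DisplayName) -contains 'Allowed locations' }
$locationsId = if ($locations.Id) { $locations.Id } else { $locations.ResourceId }

# notScopes live on the assignment itself; Prod-Sub keeps inheriting the Deny effect.
# (Set-AzPolicyAssignment is an alias of Update-AzPolicyAssignment on Az.Resources 7.)
Set-AzPolicyAssignment -Id $locationsId -NotScope @("/subscriptions/$devSubId") | Out-Null

# Confirm the exclusion landed (property name assumed: .Properties.NotScopes on v6, .NotScope on v7).
$updated   = Get-AzPolicyAssignment -Id $locationsId
$notScopes = if ($updated.Properties) { $updated.Properties.NotScopes } else { $updated.NotScope }
"Allowed locations now excludes: $($notScopes -join ', ')"

# 2. Exemption: for a RequestDisallowedByPolicy failure, exempt one resource group from one
#    assignment for a bounded time instead of removing the policy from the whole subscription.
$denyPip = Get-AzPolicyAssignment -Name 'Deny-Public-IP' -Scope "/subscriptions/$prodSubId"
New-AzPolicyExemption -Name 'waiver-rg-app-pilot-pip' `
    -PolicyAssignment $denyPip `
    -Scope "/subscriptions/$prodSubId/resourceGroups/rg-app-pilot" `
    -ExemptionCategory Waiver `
    -ExpiresOn (Get-Date).AddDays(14).ToUniversalTime() `
    -Description 'Approved public IP for load test; exemption expires automatically' | Out-Null
```

The exemption leaves the Deny-Public-IP assignment and its scope untouched, so every other resource group stays protected, and the expiry date means the carve-out closes itself rather than relying on someone remembering to remove it.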
Use the AZ-104 Practice Test page for the full IT Mastery route, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.
Read the AZ-104 Cheat Sheet on Tech Exam Lexicon, then return to IT Mastery for timed practice.