Identity & governance
35 free practice questions with explanations
PassNova has 35 free Microsoft Azure Administrator (AZ-104) practice questions on Identity & governance, each with a clear explanation. Practise them in the browser with instant feedback — 100% free, no sign-up, on any device. Updated for 2026.
Identity & governance: example questions & answers
Here are 6 example questions from this topic. Practise the full set of 35 free in the browser.
- Which Microsoft Entra ID role assignment scope grants permissions across all subscriptions linked to a single tenant?
  - A Resource group scope
  - B Subscription scope
  - C Management group scope ✓
  - D Resource scope

  Answer: Assigning an Azure RBAC role at a management group scope cascades down to all subscriptions, resource groups, and resources beneath it, making it the broadest practical scope for governance.
- You need to grant a user the ability to manage all resources in a resource group but NOT assign roles to others. Which built-in role should you use?
  - A Owner
  - B Contributor ✓
  - C Reader
  - D User Access Administrator

  Answer: The Contributor role allows full management of resources but cannot grant access to others; only Owner and User Access Administrator can manage role assignments.
- What is the purpose of an Azure Policy 'deny' effect?
  - A It logs non-compliant resources without blocking them
  - B It prevents a resource request that does not meet the policy condition ✓
  - C It automatically remediates existing non-compliant resources
  - D It assigns a tag to compliant resources

  Answer: The deny effect blocks resource creation or update requests during deployment when they violate the policy rule, enforcing standards before resources exist.
- Which feature of Microsoft Entra ID requires users to provide two or more verification methods to sign in?
  - A Conditional Access
  - B Multi-factor authentication (MFA) ✓
  - C Self-service password reset
  - D Privileged Identity Management

  Answer: Multi-factor authentication requires two or more verification factors (such as a password plus a phone prompt), significantly improving sign-in security.
- What does an Azure resource lock with the 'CanNotDelete' level allow?
  - A No reading, writing, or deleting
  - B Reading and modifying, but not deleting ✓
  - C Only reading the resource
  - D Deleting but not modifying

  Answer: A CanNotDelete (Delete) lock lets authorized users read and modify a resource but blocks deletion, protecting critical resources from accidental removal.
- In Microsoft Entra ID, what is a dynamic group?
  - A A group whose membership is manually assigned by an administrator
  - B A group whose membership is automatically updated based on user or device attributes ✓
  - C A group that exists only for the duration of a session
  - D A group synchronized only from on-premises Active Directory

  Answer: Dynamic groups use membership rules based on attributes (like department or country) so users or devices are automatically added or removed as their attributes change.