
AZ-104 Practice Questions

10 June 2026 · 4 min read · By Jacob

These questions cover identity and access management — the highest-weighted domain on AZ-104 and the one most candidates underestimate.


Question 1

A contractor from an external company needs temporary read access to your Azure resources for a three-month engagement. What is the correct approach in Microsoft Entra ID?

  • A) Create a guest user account and assign the Reader role on the relevant resources
  • B) Create a member user account and set an account expiry date
  • C) Share your service principal credentials with the contractor
  • D) Create a separate Azure subscription for the contractor
<details> <summary>Show Answer & Explanation</summary>

Answer: A — Create a guest user and assign the Reader role

Microsoft Entra guest users (formerly Azure AD B2B) are the correct mechanism for external access. The contractor authenticates with their own organisation's identity provider; you control what they can access in your tenant via RBAC assignments.

| User type | Managed by | Use case |
| --- | --- | --- |
| Member | Your organisation | Internal employees |
| Guest | External organisation / personal | Contractors, partners, auditors |
| Service principal | Azure (managed identity) | Applications and automation |

Sharing service principal credentials is a security anti-pattern. Member accounts grant broader directory permissions than guests. A separate subscription is unnecessary and costly for read-only access.

</details>

Question 2

Users are calling the helpdesk to reset forgotten passwords. Which feature reduces helpdesk tickets while keeping IT in control of the password policy?

  • A) Conditional Access with a password change requirement on risky sign-ins
  • B) Self-Service Password Reset (SSPR) in Microsoft Entra ID
  • C) Allow users to update passwords directly in the Azure portal
  • D) Deploy an on-premises Active Directory password filter
<details> <summary>Show Answer & Explanation</summary>

Answer: B — Self-Service Password Reset (SSPR)

SSPR lets users reset their own passwords after verifying their identity through methods you configure: authenticator app, email, phone, or security questions. IT retains control of which verification methods are required, the number of methods needed, and whether writeback to on-premises AD is enabled.

SSPR authentication methods the exam tests:

  • Mobile app notification (Microsoft Authenticator)
  • Mobile app code (TOTP)
  • Email to an alternate address
  • Mobile phone (call or SMS)
  • Office phone
  • Security questions (only for unlock, not for reset in some configurations)

Conditional Access addresses risky sign-ins but doesn't let users self-serve a forgotten password.

</details>

Question 3

Your organisation needs to enforce that all Azure VMs must be deployed with a specific tag containing the cost centre code. Which Azure feature enforces this at deployment time?

  • A) Azure RBAC — deny permission to create VMs without tags
  • B) Azure Policy with a deny effect on the tag requirement
  • C) Azure Blueprints to package tag requirements into a subscription template
  • D) Azure Resource Manager locks on the subscription
<details> <summary>Show Answer & Explanation</summary>

Answer: B — Azure Policy with a deny effect

Azure Policy evaluates resource configurations against defined rules. A policy with the deny effect blocks the deployment if the resource doesn't meet the condition — in this case, if the tag is absent or has an unexpected value. This enforcement happens before the resource is created.

RBAC vs Policy — a distinction the exam tests constantly:

| | Azure RBAC | Azure Policy |
| --- | --- | --- |
| Controls | Who can perform actions | What configurations are allowed |
| Scope | Subscription, RG, resource | Management group, subscription, RG |
| Enforcement | Deny access to the action | Deny or audit non-compliant resources |

RBAC can deny a user permission to create any VM at all, but it can't conditionally block a deployment based on a missing tag while still allowing the VM to be created with the correct tag. That's Policy's job.

ARM locks prevent deletion or modification of existing resources — they don't govern what properties resources must have at creation.
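
A custom policy definition that implements this kind of tag requirement could look like the following. It is an added example, not part of the original article; the tag name `CostCentre` and the display name are assumptions, and the rule covers only the missing-tag case.

```json
{
  "properties": {
    "displayName": "Require a cost centre tag on virtual machines (example)",
    "description": "Added example. Denies creation of a VM when the tag named by the tagName parameter is absent. The default tag name is an assumption.",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag name",
          "description": "Name of the tag that must be present, for example the cost centre tag."
        },
        "defaultValue": "CostCentre"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

Assigned at a subscription or resource group scope, a definition like this rejects a VM deployment request that lacks the tag, while the same request with the tag present goes through.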

</details>

Key Takeaways

  • External users = guest accounts (Entra B2B); internal employees = member accounts
  • SSPR reduces helpdesk load while keeping IT in control of verification methods and policies
  • RBAC controls who can act; Azure Policy controls what configurations are permitted — both together form defence in depth
