Azure Admin Challenge: 5 Tricky Questions Explained from Identity & Governance

So, you think you know Azure Administration?

Whether you are studying for the AZ-900 or the AZ-104, knowing how to manage users, policies, and resource groups is essential. But the exams love to trick you with small details.

Here are 5 quick-fire questions to test your knowledge. Cover the answers, make your guess, and see if you got it right!

These questions are filtered from real dumps, and you can expect them in the real AZ-104 certification exam.

Q1: The New Tenant Dilemma

1.1 You need to create new user accounts in a newly created Azure AD (Entra ID) tenant. Who has the permission to create these users?

  • ⚪ Any global admin from the original tenant
  • ⚪ Only the user who created the tenant
  • ⚪ Any billing administrator
  • ⚪ Any user in the tenant

✅ Correct Answer: Only the user who created the tenant

Explanation: When a new tenant is created, it is a completely separate environment. The person who created it becomes the very first Global Administrator. Until they invite others or create new admins, they are the only person with access to add new users.

Q2: Group Expiration Policies

1.2 Which groups support expiration policies in Azure AD? (Select Two)

  • ⚪ Security groups (Assigned)
  • ⚪ Microsoft 365 groups (Assigned)
  • ⚪ Microsoft 365 groups (Dynamic)
  • ⚪ Security groups (Dynamic)

✅ Correct Answers: Microsoft 365 groups (Assigned & Dynamic)

Explanation: Expiration policies are a feature designed to clean up old collaboration spaces (like Teams or SharePoint sites). Therefore, they are supported ONLY for Microsoft 365 groups. Regular Security groups do not support expiration.

Q3: Azure Policy Effects

1.3 What is the effect of assigning an Azure Policy that allows SQL Servers ONLY in a specific resource group?

  • ⚪ SQL Servers can be created anywhere
  • ⚪ SQL Servers can be created only in the specified resource group
  • ⚪ SQL Servers are blocked everywhere
  • ⚪ Policy has no effect

✅ Correct Answer: SQL Servers can be created only in the specified resource group

Explanation: Azure Policy enforces rules. If a policy states that a resource (SQL Server) is allowed only in a specific scope (Resource Group), any attempt to create it outside that group will be Denied.

Q4: RBAC & Least Privilege

1.4 Which built-in role should be assigned to manage Azure Load Balancers following the principle of Least Privilege?

  • ⚪ Contributor
  • ⚪ Owner
  • ⚪ Network Contributor
  • ⚪ Reader

✅ Correct Answer: Network Contributor

Explanation:

  • Owner/Contributor: Gives too much power (can manage everything).
  • Reader: Gives too little power (cannot make changes).
  • Network Contributor: Is the perfect fit. It allows managing network resources (like Load Balancers) without giving access to storage or billing.
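
The Q4 reasoning can be checked mechanically. The sketch below is an added example, not part of the original post: it evaluates the `Actions`/`NotActions` wildcards of the four roles against the operations a load balancer admin needs and against a few operations they should not have. The role lists are abridged copies of the built-in definitions (run `az role definition list --name "Network Contributor"` for the current ones); the function names and probe lists are hypothetical, and data actions and deny assignments are not modelled.

```python
from fnmatch import fnmatchcase

# Abridged Actions/NotActions of the built-in roles (control plane only).
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {  # everything except access management
        "actions": ["*"],
        "not_actions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Network Contributor": {
        "actions": [
            "Microsoft.Authorization/*/read",
            "Microsoft.Network/*",
            "Microsoft.Resources/deployments/*",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
        ],
        "not_actions": [],
    },
    "Reader": {"actions": ["*/read"], "not_actions": []},
}

# Constructed probe lists: what the job needs, and what it should not get.
REQUIRED = [f"Microsoft.Network/loadBalancers/{v}" for v in ("read", "write", "delete")]
EXCESS = [
    "Microsoft.Storage/storageAccounts/write",
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Authorization/roleAssignments/write",
]

def allows(role, operation):
    """True if operation matches an Actions pattern and no NotActions pattern."""
    op = operation.lower()  # RBAC operation names are case-insensitive
    def hit(patterns):
        return any(fnmatchcase(op, p.lower()) for p in patterns)
    return hit(ROLES[role]["actions"]) and not hit(ROLES[role]["not_actions"])

def excess(role, probes=EXCESS):
    """Operations outside the job's scope that the role would still permit."""
    return [op for op in probes if allows(role, op)]

def least_privileged(required=REQUIRED, probes=EXCESS):
    """Of the roles that cover every required operation, pick the least over-granting."""
    candidates = [r for r in ROLES if all(allows(r, op) for op in required)]
    return min(candidates, key=lambda r: len(excess(r, probes)))

if __name__ == "__main__":
    for name in ROLES:
        covers = all(allows(name, op) for op in REQUIRED)
        print(f"{name:20} covers job: {covers!s:5} excess: {excess(name)}")
    print("Least privilege choice:", least_privileged())
```

The same check works for any custom role: add its `Actions` and `NotActions` to `ROLES` and compare its excess list before assigning it.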

Q5: Tag Inheritance

1.5 Are Tags inherited from Resource Groups to the Resources inside them?

  • ⚪ Yes, always
  • ⚪ Yes, only via policy
  • ⚪ No
  • ⚪ Only at subscription level

✅ Correct Answer: No

Explanation: This is a very common exam trap! By default, tags applied to a Resource Group are NOT inherited by the resources inside. If you want inheritance, you must use an Azure Policy to force it.

How did you score?

If you got 5/5, you are ready for the next level! If you missed a few, don't worry—that is why we practice.