Azure Administrator Associate · 23% of the exam

Manage Azure identities and governance: free practice questions

5 sample questions from our 58-question bank for this domain — answers and explanations included. These are the same scenario-based style as the real Azure exam.

1. A company has a management group hierarchy: Tenant Root Group → Corp-MG → Dev-MG. A policy with the 'DeployIfNotExists' effect is assigned at the Corp-MG level to automatically deploy a diagnostic settings resource whenever a new Key Vault is created. A developer creates a new Key Vault in a subscription under Dev-MG. The Key Vault is created successfully, but the diagnostic settings are NOT automatically deployed. What is the MOST likely cause?

  • A. The 'DeployIfNotExists' effect is not supported at the management group scope; it can only be assigned at the subscription level.
  • B. The managed identity associated with the policy assignment does not have sufficient permissions on the subscription where the Key Vault was created.✓ Correct
  • C. The policy definition uses 'DeployIfNotExists', which only applies to resources that existed before the policy was assigned.
  • D. The developer's RBAC role prevented the policy from evaluating the Key Vault resource.
Explanation

DeployIfNotExists policies require a managed identity to perform the remediation deployment on behalf of Azure Policy. If that managed identity does not have a role (such as Contributor) on the target subscription or resource group, the remediation task will fail silently — the resource is created successfully, but the automatic deployment does not occur. DeployIfNotExists is fully supported at management group scope. DeployIfNotExists applies to new and existing resources (existing resources are handled via manual or automatic remediation tasks). The deploying user's RBAC role has no bearing on whether the policy's managed identity can perform its remediation action.

2. An administrator needs to invite an external user (guest) from partner.com to a Microsoft Entra ID tenant. After the invitation is sent, the guest user reports they never received the invitation email. Which TWO actions should the administrator take to resolve this issue? (Choose TWO)

  • A. Check whether the organization's external collaboration settings in Microsoft Entra ID block invitations to the partner.com domain.✓ Correct
  • B. Verify that the guest user's email server is not filtering or blocking invitation emails from Microsoft.
  • C. Assign the guest user the Global Administrator role so they can complete the sign-up process without an invitation link.
  • D. Re-send the invitation from the Microsoft Entra admin center or generate a direct invitation link to share with the guest.✓ Correct
  • E. Create a new Entra Connect sync rule to synchronize the external user from the on-premises directory.
Explanation

Option A is correct because Microsoft Entra External Collaboration settings allow administrators to restrict or allow invitations by domain. If partner.com is on a blocklist (or not on an allowlist), the invitation may be silently suppressed or blocked. Option D is correct because re-sending the invitation or sharing a direct redemption URL from the Entra admin center is the standard remediation when a guest hasn't received or can't find the invitation email. Option B, while a practical real-world consideration, is not an Azure-side administrative action and is outside the administrator's control in Entra. Option C is incorrect and dangerous — assigning Global Administrator to an unverified guest to bypass invitation flow is a severe security violation and does not address the root cause. Option E is incorrect because external guest users are not synchronized via Entra Connect; they are cloud-only B2B collaboration accounts.

3. Contoso has a Microsoft Entra ID tenant. The IT team wants to enable group-based licensing for Microsoft 365 E5 licenses. They assign the license to a security group named 'LicenseGroup-E5'. After the assignment, they notice that 3 users in the group have a license error. What are the TWO most common reasons that would cause a license assignment error for users in a group-based licensing scenario? (Select TWO)

  • A. The users are guest (external) users and guest users cannot receive group-based licenses.
  • B. The tenant does not have enough available Microsoft 365 E5 license seats to cover all group members.✓ Correct
  • C. The users already have a conflicting service plan enabled through a directly assigned license for an overlapping product.
  • D. The security group is a dynamic membership group; only assigned membership groups support group-based licensing.
  • E. The users have multi-factor authentication enabled, which blocks license assignment.
  • F. The users' usage location property is not set in their Microsoft Entra ID profile.✓ Correct
Explanation

The two most common causes of group-based licensing errors are: (1) insufficient license seats — if the tenant has fewer available licenses than group members, some users will receive an error; and (2) missing usage location — Microsoft requires that a user's 'Usage location' attribute be set before a license with location-restricted services (like Microsoft 365 E5) can be assigned. Guest users CAN receive group-based licenses if usage location is set and licenses are available. Both dynamic and assigned membership groups support group-based licensing. Conflicting service plans can cause errors in some scenarios but are less common than the two selected; the question asks for the MOST common. MFA has no bearing on license assignment.

4. Contoso's Azure environment has the following management hierarchy: Root Management Group → Contoso-Root MG → Production MG → Sub-A. A 'Deny' policy for tag 'CostCenter' is assigned at the Production MG level. A separate 'Append' policy for tag 'Environment' is assigned at the Sub-A subscription level. A user attempts to create a virtual machine in Sub-A without any tags. What is the outcome?

  • A. The deployment is denied because the required 'CostCenter' tag is missing, and the 'Append' policy would add the 'Environment' tag if the deployment were allowed.✓ Correct
  • B. The deployment succeeds, and both the 'CostCenter' and 'Environment' tags are automatically appended.
  • C. The deployment succeeds with only the 'Environment' tag appended, because subscription-level policies override management group-level policies.
  • D. The deployment is denied because both the 'Deny' and 'Append' policies conflict with each other when no tags are provided.
Explanation

Azure Policy effects are evaluated at deployment time. The 'Deny' effect (inherited from the Production MG) is evaluated and takes precedence by blocking the deployment outright because the 'CostCenter' tag is absent. The 'Append' effect would add the 'Environment' tag if the deployment were not denied, but since the Deny effect stops the request, it never gets to execute. — Option B is incorrect because the Deny policy prevents the deployment; tags cannot be appended to a resource that is never created. — Option C is incorrect because child scopes do NOT override parent scope policies; policies are cumulative and inherited downward, not overridden. — Option D is incorrect because 'Deny' and 'Append' effects do not conflict; they serve different purposes and Deny simply prevents the resource creation first.

5. A new developer joins Fabrikam and needs to deploy and manage Azure Kubernetes Service (AKS) clusters in a specific resource group, but should not be able to manage any other resource types. Which approach BEST follows the principle of least privilege?

  • A. Assign the Contributor role to the developer at the resource group scope.
  • B. Assign the Owner role to the developer at the subscription scope, then use a deny assignment to block other resource types.
  • C. Create a custom RBAC role with only AKS-related actions and assign it at the resource group scope.✓ Correct
  • D. Assign the built-in 'Azure Kubernetes Service Contributor Role' at the subscription scope.
Explanation

Creating a custom RBAC role that includes only the required AKS actions (e.g., Microsoft.ContainerService/*) and assigning it at the resource group scope adheres precisely to least privilege — the user can only perform the specific operations needed and only within the targeted resource group. Option A is incorrect because Contributor grants broad permissions over ALL resource types in the resource group, violating least privilege. Option B is incorrect because Owner at subscription scope is far too broad, and deny assignments cannot be created by regular administrators — they are only set by Azure Blueprints/managed applications. Option D is incorrect because assigning even a scoped built-in AKS role at the subscription level grants access across all resource groups in the subscription, unnecessarily broadening scope.

53 more questions in this domain

Practice the full bank with instant grading, flashcards, and a timed mock exam.

Start practicing free