AZ-104 Skill 1: Manage Azure Identities and Governance
Deep-dive guide | Identity, Access, and Governance for the Azure Administrator
This article goes far beyond the Microsoft exam objectives. It maps every tested skill to the Azure domains it draws from, the architecture it implements, and the real-world enterprise controls it enables. You’ll leave here understanding not only what to configure, but why it matters in a production Azure environment—and how Microsoft turns that into exam scenarios.
1. Overview #
Identity and governance are the twin pillars that hold up every Azure workload. Identity answers “Who are you, and what can you do?” Governance answers “What can exist, where can it exist, and how much can it cost?” Together they form the security and operational foundation of the cloud.
Microsoft assigns 20–25% of the AZ‑104 exam to this area because, in day‑to‑day administration, nearly every task starts with an identity check and is constrained by a governance control. Deploy a VM? The account needs RBAC permissions; the subscription may have a policy that restricts VM sizes; the resource group might be locked; and the cost must be tracked. You can’t do anything else in Azure until identity and governance are right.
This skill area covers three intertwined capabilities:
- Identity management – users, groups, external identities, licenses, self‑service password reset.
- Access control – role‑based access control (RBAC), scope, role assignments, least privilege.
- Governance – Azure Policy, resource locks, tags, resource groups, subscriptions, management groups, and cost controls.
Understanding how these pieces interact is the mark of an administrator who can operate Azure safely at scale.
2. Skill Area Breakdown #
Microsoft’s official “Skills at a glance” breaks this area into three measured skill clusters. Here’s what each means in practice.
Identity Management #
Administrators manage the lifecycle of identities that will authenticate to Azure and Microsoft 365.
- Users – create, update, delete, bulk operations, directory roles (not RBAC).
- Groups – security groups, Microsoft 365 groups, dynamic membership rules, assigned vs. dynamic.
- External users – B2B collaboration, guest user invitations, external identity settings.
- Licensing – assign and remove Microsoft Entra ID P1/P2, Microsoft 365 licenses, group‑based licensing.
- Self‑service password reset (SSPR) – enable for selected users/groups, configure authentication methods, on‑premises writeback.
In production, identity management ensures that only the right people have accounts, that their accounts are properly licensed, and that they can securely recover access without helpdesk calls.
Access Control #
RBAC translates identity into permissions on Azure resources.
- Built‑in Azure roles – Owner, Contributor, Reader, plus specific roles like Virtual Machine Contributor, Storage Blob Data Contributor.
- Assign roles at different scopes – management group, subscription, resource group, resource.
- Interpret access assignments – determine effective permissions, understand inheritance and additive role assignments.
- Least privilege principle – start with minimal permissions, use custom roles only when necessary.
Every resource operation (read, write, delete) is gated through RBAC. The exam expects you to reason about what a user can do given a set of role assignments at different scopes.
Governance #
Governance ensures the environment stays compliant, organised, and cost‑controlled.
- Azure Policy – create and assign policies (built‑in or custom), understand effects (Deny, Audit, Append/Modify, AuditIfNotExists, DeployIfNotExists), policy initiatives, remediation.
- Resource locks – ReadOnly and Delete (CanNotDelete) locks, scope inheritance, protecting production resources.
- Tags – apply tags on resources, resource groups, subscriptions; use tags for billing, cost allocation, and management.
- Resource groups – logical containers for lifecycle management, RBAC scope, policy scope.
- Subscriptions – account boundaries, billing boundaries, trust relationship with Entra ID.
- Management groups – hierarchical containers above subscriptions for unified policy and RBAC at scale.
- Cost management – budgets, spending alerts, Azure Advisor cost recommendations.
Governance is what makes a multi‑subscription enterprise manageable. Without it, Azure quickly becomes a disordered and expensive sandbox.
3. Azure Domains Mapping #
Each exam skill sits on top of a domain‑level knowledge structure. Mapping reveals which Azure domains you must truly understand to master this skill area.
| Azure Domain | What it encompasses | Key services in this skill area |
|---|---|---|
| Identity | Authentication, authorization, directory services, identity lifecycle | Microsoft Entra ID, Managed Identities |
| Governance | Resource standardization, compliance enforcement, organizational hierarchy, cost control | Azure Policy, Management Groups, Azure Advisor, Cost Management |
| Security | Access boundaries, least privilege, identity‑driven security | RBAC, Conditional Access, Azure Key Vault (access policies) |
How to read this mapping: An exam question about resource locks is a governance domain question that uses the resource locks service. A question about guest user access is an identity domain question that uses Entra ID B2B. Recognizing the underlying domain helps you recall the correct constraints and service behaviors.
4. Azure Architecture Mapping #
This is the decision‑making layer. The architecture patterns that keep an enterprise Azure estate secure and manageable are designed long before the first resource is created. Your administrative actions either implement or undermine those patterns.
Identity Governance Architecture #
- Centralized identity model: A single Entra ID tenant serves as the authoritative identity provider for all Azure subscriptions and potentially thousands of applications. All administration flows through that tenant.
- Tenant structure: Enterprise‑scale designs usually keep one production tenant with strict separation of administrative accounts and emergency access (“break‑glass”) accounts.
- Identity boundaries: B2B guest users live outside the organizational boundary but receive scoped access. B2C is for customer‑facing apps (not AZ‑104 core).
Your exam skills on creating users, managing groups, and configuring SSPR directly support this architecture by building the identity fabric that everything else depends on.
RBAC Architecture #
- Role assignment hierarchy: Permissions are inherited from management group → subscription → resource group → resource. A role assigned at a higher scope cascades down.
- Scope design: Production subscriptions use narrow role assignments. For example, a developer gets Contributor on a specific resource group, not the entire subscription.
- Separation of duties: Use built‑in roles to split responsibilities: one team manages networking (Network Contributor), another manages VMs (Virtual Machine Contributor). Owner is reserved for trusted personnel only.
- Least privilege implementation: Custom roles should be used sparingly; evaluate built‑in roles first. When used, custom roles must be scoped tightly.
The scope hierarchy, top to bottom, is Management Group → Subscription → Resource Group → Resource.
Role assignments at the Management Group level apply to all subscriptions underneath. An assignment at the Resource Group level only affects resources inside that group. The exam will test whether you understand this inheritance and the additive nature of multiple assignments.
→ For a full architecture discussion, see /azure/architecture/rbac-architecture.
Governance Architecture #
- Subscription hierarchy: An enterprise‑scale landing zone design typically segments subscriptions by environment (prod, dev, shared) and by workload or business unit. Management groups enforce policies and RBAC consistently.
- Policy‑driven governance: Azure Policies are applied at management group or subscription level to enforce guardrails—for example, “Allow only certain VM SKUs” or “Require encryption on storage accounts.”
- Resource standardization: Tags are used as metadata to map resources to cost centers, projects, and environments. They are not inherited by default; tagging strategies are enforced via policy.
A typical management group hierarchy nests a "Corp" management group under the Tenant Root Group, with three subscriptions beneath it (for example production, development, and shared services).
Policies applied at “Corp” flow down to all three subscriptions. RBAC can also be assigned at any group. This is the operational model you implement when you configure management groups and assign policies in the exam.
→ See /azure/architecture/governance-architecture.
Cost Governance Architecture #
- Budget controls: Budgets are set at management group, subscription, or resource group scope (or at billing scopes) and trigger alerts when actual or forecasted spending crosses a threshold. They do not stop resources; enforcement needs a policy or automation wired to the alert.
- Chargeback models: Tags feed into cost analysis to attribute spending to departments or projects. Showback/chargeback relies on consistent tagging.
- Enterprise spending governance: Azure Advisor provides cost optimization recommendations; Cost Management gives historical analysis and budgets. Together they form a feedback loop for cost‑aware architecture.
5. Azure Services Deep Dive #
This section provides a functional, architecture‑oriented explanation of the services you will use the most in this skill area.
Microsoft Entra ID #
- Authentication and directory: Every Azure subscription trusts exactly one Entra ID tenant. User sign‑ins are authenticated here, not in the subscription.
- Users and groups: Users can be cloud‑only or synchronized from on‑premises Active Directory via Entra Connect. Groups can be security groups (used for RBAC) or Microsoft 365 groups (collaboration). Dynamic groups automate membership based on user attributes.
- Licenses: Conditional Access, group‑based licensing, and password writeback for synchronized users require Entra ID P1 or P2 (P2 adds PIM, access reviews, and Identity Protection). SSPR password reset is likewise a paid feature (Entra ID P1 or P2 is the exam answer); the free tier only lets cloud users change a password they already know. Without the right license, those options are greyed out in the portal.
- External identities: Entra ID B2B (formerly Azure AD B2B) lets guest users from other tenants or with social identities collaborate. A guest's UPN carries the `#EXT#` marker (for example `jane_fabrikam.com#EXT#@contoso.onmicrosoft.com`), and guests have limited directory read permissions by default.
RBAC #
- Built‑in roles: Hundreds exist, from general (Owner, Contributor, Reader) to resource‑specific (Key Vault Secrets Officer, Storage Blob Data Contributor). The exam favors built‑in roles: pick the narrowest built‑in role that covers the task before reaching for a custom role.
- Custom roles: JSON definitions with `Actions`, `NotActions`, `DataActions`, `NotDataActions`, and `AssignableScopes`. `NotActions` only subtracts from that role's own `Actions`; it does not deny what another assignment grants. Only create custom roles when no built‑in role fits.
- Scope inheritance: Role assignments are additive. If a user is Reader at subscription and Contributor on a resource group, they can read everything but only modify resources in that group. Deny assignments (created by Azure Blueprints or managed applications, not by administrators directly) take precedence over every role assignment, but AZ‑104 rarely tests them.
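The additive evaluation described above, and the Reader‑plus‑Contributor reasoning the exam expects, can be made concrete in code. The following is an added example, not code from the original page or from Microsoft: it evaluates effective permissions over the scope hierarchy using abridged copies of the built‑in Reader, Contributor and Virtual Machine Contributor role shapes plus one hypothetical custom role; the subscription ID, management group, resource group names, principals and deny assignment are all constructed for the example.

```python
"""Additive Azure RBAC evaluation across scopes (added example, not from the page).

Role definitions are abridged copies of the built-in Reader, Contributor and
Virtual Machine Contributor shapes plus one hypothetical custom role; the
subscription ID, management group, resource group names and principals are
constructed for this example.
"""
from fnmatch import fnmatchcase

# Abridged role definitions in the custom-role JSON shape. The real built-in
# lists are far longer; only what the example needs is kept.
ROLES = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Virtual Machine Contributor": {
        "Actions": [
            "Microsoft.Compute/virtualMachines/*",
            "Microsoft.Network/networkInterfaces/*",
            "Microsoft.Network/virtualNetworks/read",
            "Microsoft.Network/virtualNetworks/subnets/join/action",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
        ],
        "NotActions": [],
    },
    # Hypothetical custom role: start/stop VMs, nothing else.
    "VM Operator (custom)": {
        "Actions": [
            "Microsoft.Compute/virtualMachines/read",
            "Microsoft.Compute/virtualMachines/start/action",
            "Microsoft.Compute/virtualMachines/deallocate/action",
        ],
        "NotActions": [],
    },
}

MG = "/providers/Microsoft.Management/managementGroups/Corp"   # constructed
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"    # constructed
MG_OF_SUBSCRIPTION = {SUB: MG}  # constructed hierarchy: which MG holds the subscription

# Constructed assignments: (principal, role, scope). admin1 mirrors the exam scenario.
ASSIGNMENTS = [
    ("admin1", "Reader", SUB),
    ("admin1", "Virtual Machine Contributor", f"{SUB}/resourceGroups/RG-A"),
    ("dev1", "Contributor", f"{SUB}/resourceGroups/RG-A"),
    ("ops", "VM Operator (custom)", MG),
]


def action_matches(pattern: str, action: str) -> bool:
    """Operation strings compare case-insensitively; '*' spans '/' segments."""
    return fnmatchcase(action.lower(), pattern.lower())


def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """An assignment applies at its own scope and everything beneath it. A
    management-group assignment reaches a resource through its subscription."""
    scope, rid = assignment_scope.lower(), resource_id.lower()
    if scope.startswith("/providers/microsoft.management/managementgroups/"):
        return any(mg.lower() == scope and rid.startswith(sub.lower())
                   for sub, mg in MG_OF_SUBSCRIPTION.items())
    return rid == scope or rid.startswith(scope + "/")


def role_allows(role: dict, action: str) -> bool:
    """NotActions subtracts from this role's Actions only; it is not a deny."""
    allowed = any(action_matches(p, action) for p in role["Actions"])
    excluded = any(action_matches(p, action) for p in role["NotActions"])
    return allowed and not excluded


def is_allowed(principal: str, action: str, resource_id: str, deny_assignments=()) -> bool:
    """Effective permission is the union of every applicable role assignment,
    minus deny assignments, which take precedence over all roles."""
    for scope, denied_actions in deny_assignments:
        if scope_covers(scope, resource_id) and any(action_matches(p, action) for p in denied_actions):
            return False
    return any(
        scope_covers(scope, resource_id) and role_allows(ROLES[role], action)
        for who, role, scope in ASSIGNMENTS
        if who == principal
    )


if __name__ == "__main__":
    vnet_a = f"{SUB}/resourceGroups/RG-A/providers/Microsoft.Network/virtualNetworks/vnet-a"
    sa_b = f"{SUB}/resourceGroups/RG-B/providers/Microsoft.Storage/storageAccounts/stcontosob"
    for action, rid in [("Microsoft.Network/virtualNetworks/read", vnet_a),
                        ("Microsoft.Network/virtualNetworks/subnets/write", vnet_a),
                        ("Microsoft.Storage/storageAccounts/write", sa_b)]:
        print(f"admin1 {action} on {rid.rsplit('/', 1)[-1]}: {is_allowed('admin1', action, rid)}")
```

Two things the code makes visible that the bullets only state: `NotActions` on Contributor removes `Microsoft.Authorization/*/Write` from that role, yet a second assignment could still grant it, because nothing here is a deny; and the only path to a real "no" is the deny‑assignment check, which runs before any role is consulted.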
Azure Policy #
- Policy definition: A JSON rule that evaluates resource properties against allowed values or required properties. Example: restrict allowed locations, enforce tags.
- Effects: `Deny` blocks a non‑compliant create or update. `Audit` records non‑compliance in the activity log and compliance reports but does not block. `Append` and `Modify` add or change properties such as tags (`Modify` is the current effect for tag work and supports remediation tasks). `AuditIfNotExists` and `DeployIfNotExists` check for, and optionally deploy, a related resource (for example a diagnostic setting) after the main resource exists.
- Initiatives: A bundle of policy definitions (a policy set) assigned as one unit with shared parameters. Built‑in initiatives such as "ISO 27001" or the Microsoft cloud security benchmark (formerly Azure Security Benchmark) simplify compliance.
- Assignment scope: Policies are assigned to management groups, subscriptions, or resource groups and flow down to every child scope. Each applicable assignment is evaluated independently and a request must satisfy all of them, so a single violated `Deny` rejects the request even when the same resource passes an `Audit` assignment elsewhere in the hierarchy.
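The evaluation semantics above (assignments inherited down the hierarchy, every applicable assignment evaluated, any violated Deny rejecting the request while Audit only reports) are shown here as an added example that is not code from the original page or from Azure Policy itself. The policy rules use the real `policyRule` shape (`if`/`then`, `field`, `allOf`, `equals`/`notIn`/`exists`, `[parameters('…')]`) but are trimmed; the Root → Finance → Prod hierarchy, the assignment names, the subscription ID, the alias table subset and the resource requests are constructed.

```python
"""Azure Policy evaluation down a management-group hierarchy (added example, not
from the page). The policy rules use the real policyRule shape but are trimmed;
the hierarchy, assignment names, subscription ID, alias subset and resource
requests are constructed.
"""

ROOT = "/providers/Microsoft.Management/managementGroups/Root"
FINANCE = "/providers/Microsoft.Management/managementGroups/Finance"
PROD = "/providers/Microsoft.Management/managementGroups/Prod"
SUB = "/subscriptions/00000000-0000-0000-0000-0000000000aa"   # constructed

PARENT = {FINANCE: ROOT, PROD: FINANCE, SUB: PROD}              # constructed hierarchy

# Policy definitions in the policyRule shape Azure Policy uses.
DEFINITIONS = {
    "allowed-locations": {
        "if": {"allOf": [
            {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
            {"field": "location", "notEquals": "global"},
        ]},
        "then": {"effect": "Deny"},
    },
    "storage-min-tls": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "notEquals": "TLS1_2"},
        ]},
        "then": {"effect": "[parameters('effect')]"},
    },
    "require-department-tag": {
        "if": {"field": "tags['Department']", "exists": "false"},
        "then": {"effect": "Audit"},
    },
}

# Constructed assignments: TLS at Finance, regions at Prod, tag audit at the subscription.
ASSIGNMENTS = [
    {"name": "finance-tls12", "definition": "storage-min-tls", "scope": FINANCE,
     "parameters": {"effect": "Deny"}},
    {"name": "prod-regions", "definition": "allowed-locations", "scope": PROD,
     "parameters": {"listOfAllowedLocations": ["eastus"]}},
    {"name": "sub-dept-tag", "definition": "require-department-tag", "scope": SUB,
     "parameters": {}},
]

# Constructed subset of the alias table mapping policy field aliases to property paths.
ALIASES = {"Microsoft.Storage/storageAccounts/minimumTlsVersion": ("properties", "minimumTlsVersion")}


def resolve(value, params):
    """Resolve the [parameters('name')] template syntax against assignment parameters."""
    if isinstance(value, str) and value.startswith("[parameters('") and value.endswith("')]"):
        return params[value[len("[parameters('"):-len("')]")]]
    return value


def field_value(resource, field):
    """Look up a policy field: top-level (type, location), tags['X'], or an alias."""
    if field.startswith("tags['"):
        return resource.get("tags", {}).get(field[len("tags['"):-len("']")])
    node = resource
    for key in ALIASES.get(field, (field,)):
        node = node.get(key) if isinstance(node, dict) else None
    return node


def norm(value):
    """String comparisons in Azure Policy are case-insensitive."""
    return value.lower() if isinstance(value, str) else value


def condition_true(cond, resource, params):
    if "allOf" in cond:
        return all(condition_true(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_true(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_true(cond["not"], resource, params)
    actual = norm(field_value(resource, cond["field"]))
    if "equals" in cond:
        return actual == norm(resolve(cond["equals"], params))
    if "notEquals" in cond:
        return actual != norm(resolve(cond["notEquals"], params))
    if "in" in cond:
        return actual in [norm(v) for v in resolve(cond["in"], params)]
    if "notIn" in cond:
        return actual not in [norm(v) for v in resolve(cond["notIn"], params)]
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def applicable_scopes(scope):
    """The request scope plus every ancestor; assignments at any of these apply."""
    chain = [scope]
    if "/resourceGroups/" in scope:                   # resource group -> its subscription
        chain.append(scope.split("/resourceGroups/")[0])
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain


def evaluate(request_scope, resource):
    """Evaluate all applicable assignments. One violated Deny rejects the request;
    Audit findings are reported without blocking."""
    denied, audited = [], []
    for a in ASSIGNMENTS:
        if a["scope"] not in applicable_scopes(request_scope):
            continue
        rule = DEFINITIONS[a["definition"]]
        if condition_true(rule["if"], resource, a["parameters"]):
            effect = resolve(rule["then"]["effect"], a["parameters"]).lower()
            if effect == "deny":
                denied.append(a["name"])
            elif effect == "audit":
                audited.append(a["name"])
    return {"allowed": not denied, "denied_by": denied, "audited_by": audited}
```

Running `evaluate` on a storage account in a Prod resource group with `minimumTlsVersion` `TLS1_1` in East US returns `allowed: False` with `finance-tls12` as the only denying assignment, which is the Scenario 4 outcome; a West Europe request picks up `prod-regions` as well, and the missing‑tag audit is reported alongside either without changing the verdict. Note the `notEquals: global` clause in the location rule: without it, global resources such as DNS zones would be rejected by an allowed‑locations policy.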
Management Groups #
- Hierarchy: A container that can hold multiple subscriptions. Management groups can be nested up to six levels deep (excluding root).
- Use case: Apply one Azure Policy to dozens of subscriptions with a single assignment. Assign RBAC to a team that needs access across all subscriptions.
- Limits: A directory can hold up to 10,000 management groups, with a maximum depth of six levels below the root. Assignment caps come from Azure Policy rather than from management groups themselves (200 policy or initiative assignments per scope at the time of writing; check the Azure Policy limits page before designing around the number).
Cost Management #
- Budgets: Define a spending amount for a period and trigger alerts at thresholds expressed as a percentage of that amount, on actual or forecasted spend (e.g., 50%, 80%, 100%). Alerts go to email recipients or to an action group (email, SMS, webhook, automation).
- Alerts: Different from budgets—billing alerts on invoice amounts, credit alerts on monetary commitments, departmental spending quotas.
- Azure Advisor: Provides recommendations for cost savings (underutilized VMs, unassociated IPs, reserved instance purchases).
6. Real‑World Enterprise Scenario #
Company context:
Contoso operates three Azure subscriptions:
- Production – runs customer‑facing workloads.
- Development – where developers build and test.
- Shared Services – central networking, identity, and monitoring components.
Requirements:
- Developers must not create or modify any resource in the Production subscription.
- The security team centrally defines and enforces compliance rules across all subscriptions.
- The finance department needs monthly cost reports broken down by environment and project.
- External consultants need temporary access to a specific resource group in the Development subscription.
Solution mapping:
| Requirement | Identity / Governance control |
|---|---|
| Developers blocked from Production | RBAC: Assign them Reader role on Production subscription at most. No Contributor or Owner assignments. |
| Central compliance rules | Management Groups: Place all three subscriptions under a “Contoso” management group. Assign Azure Policy initiatives (e.g., require TLS 1.2, restrict allowed regions) at that level. |
| Cost visibility by project | Tags: Enforce a "Project" tag via Azure Policy (Modify effect to add a default value, or Deny if every deployment must supply one). Azure Cost Management then groups costs by tag. |
| External consultant access | Entra ID B2B: Invite the consultant as a guest user. Assign Contributor scoped to the specific resource group in Development. Use an access review (Entra ID P2 or Entra ID Governance) to remove the assignment after 30 days unless it is re‑approved. |
This scenario demonstrates how identity and governance controls are woven together to meet real business requirements. Every piece is directly testable in the AZ‑104 exam.
7. AZ‑104 Exam Thinking #
Microsoft designs exam questions as scenario‑driven decisions under constraint. Recognizing the pattern helps you answer faster and more accurately.
Identity Questions #
- Typical scenario: “You need to allow a group of users to reset their own passwords without contacting the helpdesk.”
You must know: SSPR requires an Entra ID P1 or P2 license, can be scoped to selected groups, and supports multiple authentication methods (you set how many a user must complete to reset).
- What they test: Do you know the difference between cloud‑only and synchronized identities? What license enables SSPR? How to manage external guest users?
Reasoning approach: Identify the identity boundary (internal vs. external), check license requirements for premium features, and select the least administrative effort solution.
RBAC Questions #
- Typical scenario: “A user is Reader at the subscription level and Contributor on Resource Group A. What can they do on a storage account in Resource Group B?”
You must know: Scope inheritance. Reader at subscription gives read access everywhere in the subscription. Contributor on RG A gives write access only inside that RG. Therefore, they can only read the storage account in RG B.
- What they test: Additive role assignments, effective permissions, and the ability to select the correct built‑in role for a task (e.g., "Which role should you assign to deploy VMs but not manage network?").
Reasoning approach: Draw the scope boundaries in your head. Remember that RBAC is permissive: `NotActions` in a custom role only narrows that role, and the only hard deny is a deny assignment (created by Azure Blueprints or managed applications), which is rare on the exam.
Governance Questions #
- Typical scenario: “You need to prevent accidental deletion of a production resource group.”
You must know: A Delete (CanNotDelete) lock on the resource group prevents deletion of the group and of every resource within it while still allowing changes. A ReadOnly lock is wrong because it blocks every modification, not just deletion.
- What they test: Policy effects (Deny vs. Audit), tag inheritance (tags don't inherit by default), management group hierarchy, resource lock propagation, cost management alerting.
Reasoning approach: Determine whether the requirement is about prevention (Policy Deny, resource locks), detection (Audit, alerts), or organization (tags, management groups). Choose the tool that matches the requirement’s nature.
8. Practice Scenarios #
Answer these as if you are sitting for AZ‑104. After each, review the explanation and architectural reasoning.
Scenario 1 #
Your company has a management group named Corp that contains a production subscription and a development subscription. You apply an Azure Policy at the Corp management group that denies creation of resources outside the “East US” region. In the development subscription, a developer tries to create a storage account in “West Europe”.
What is the result?
- A. The storage account is created because development subscriptions are exempt.
- B. The storage account is created, but an audit log entry is generated.
- C. The creation request is denied.
- D. The storage account is created, and a compliance report is sent.
Correct answer: C
Explanation: The policy Deny effect is enforced at the management group and inherited by all child subscriptions. The creation request is blocked at evaluation time, regardless of the subscription’s intended use.
Architecture reasoning: Policy‑driven governance applies uniformly from the management group down. This design ensures that even development environments respect location restrictions, preventing data sovereignty violations.
Related services: Management Groups, Azure Policy, Azure Resource Manager.
Scenario 2 #
A user named Admin1 is assigned the Reader role at the subscription level and the Virtual Machine Contributor role on Resource Group A. Resource Group A contains a virtual network and a VM.
What actions can Admin1 perform on the virtual network in Resource Group A?
- A. Read the virtual network settings only.
- B. Create subnets within the virtual network.
- C. Delete the virtual network.
- D. Read and modify virtual network peerings.
Correct answer: A
Explanation: Virtual Machine Contributor covers `Microsoft.Compute/virtualMachines/*` plus the networking actions a VM needs (network interfaces, public IPs, `virtualNetworks/read`, `subnets/join/action`), but no `virtualNetworks/write` or `delete`. Creating a subnet, deleting the network, or writing peerings all need write actions that neither this role nor the inherited Reader provides, so Admin1's effective access to the virtual network is read (plus joining an existing subnet when building a VM).
Architecture reasoning: Built‑in roles are lists of resource‑provider operations, and effective permissions are the union of every assignment that covers the resource. To manage the network itself, Admin1 would need Network Contributor on the resource group or on the virtual network.
Related services: RBAC, Virtual Network, Virtual Machine Contributor role.
Scenario 3 #
You need to ensure that all resources in a subscription have a “Department” tag with a value from a predefined list. Non‑compliant resources should be flagged but not blocked during creation. You must also be able to remediate existing non‑compliant resources later.
Which two features should you implement?
- A. A Deny policy that requires the tag.
- B. An Audit policy that checks for the tag.
- C. A Modify policy that adds the tag with a default value.
- D. A resource lock on the subscription.
Correct answer: B and C (in combination)
Explanation: An Audit policy flags a missing or out‑of‑list tag without blocking deployment. A Modify policy adds the tag with a default value on create or update and, through a remediation task, stamps it onto existing resources. Deny would block creation, which the requirement rules out, and a resource lock has nothing to do with tags. (DeployIfNotExists is the analogous effect for deploying a missing related resource, not for editing tags.)
Architecture reasoning: A tagging strategy that is too strict can slow development. Audit plus automated remediation is a common enterprise pattern that maintains compliance without impacting agility.
Related services: Azure Policy (Audit and Modify effects), policy remediation tasks.
Scenario 4 #
Your company’s Azure environment has a management group hierarchy: Root > Finance > Prod. A policy is assigned at Finance requiring all storage accounts to use TLS 1.2. Another policy is assigned at Prod denying storage accounts in the “West US” region.
You attempt to create a storage account in the Prod subscription, in “East US”, with TLS 1.1.
What happens?
- A. The storage account is created because the TLS policy is only at Finance and Prod’s region policy does not restrict East US.
- B. The creation fails because the TLS policy denies it.
- C. The creation is denied due to the region policy.
- D. The creation succeeds because the policies conflict and default to Allow.
Correct answer: B
Explanation: The TLS policy at Finance is inherited by Prod and by the Prod subscription; the scenario says it requires TLS 1.2, so it is assigned with the Deny effect. The request satisfies the region policy (East US is not West US) but violates the TLS policy, and one violated Deny is enough to reject it.
Architecture reasoning: Azure Policy evaluates every applicable assignment and a request must satisfy all of them; the `RequestDisallowedByPolicy` error lists each Deny that was violated. Layering Deny policies at higher management groups ensures foundational security requirements cannot be bypassed at lower scopes.
Related services: Management Groups, Azure Policy, Policy evaluation order.
Scenario 5 #
You need to provide an external auditor read‑only access to all resources in a specific subscription for 14 days. The auditor already has a Microsoft account.
What sequence of actions should you perform?
- A. Create a new user in your Entra ID tenant, assign Reader role to the subscription, and share credentials.
- B. Invite the auditor as a guest user, assign Reader role at the subscription scope, and configure an access review to remove access after 14 days.
- C. Generate a shared access signature for the subscription and give it to the auditor.
- D. Assign the Auditor built‑in role to the subscription for the external user.
Correct answer: B
Explanation: B2B guest invitation is the correct way to grant external identities access to Azure resources. Reader role at subscription provides read‑only access. An access review can automate removal after the defined period. Option A is insecure; C is for storage/data, not subscription‑wide access; D—there is no built‑in “Auditor” role.
Architecture reasoning: External collaboration should always use Entra ID B2B, preserving identity boundaries and allowing revocation from within your directory.
Related services: Microsoft Entra ID B2B, RBAC, Access Reviews.
9. Common Exam Mistakes #
- Confusing RBAC with Azure Policy: RBAC controls who can do what. Azure Policy controls what properties resources must have. A user can have permission to create a VM (RBAC), but be blocked by a policy that says “no VMs in this region.”
- Confusing authentication and authorization: Authentication is proving identity (Entra ID sign‑in). Authorization is what that identity can do (RBAC). Many scenarios require both to be correctly configured.
- Assigning overly broad permissions: Choosing Owner when Contributor would suffice. The exam rewards least privilege. If Contributor can do the task, do not select Owner.
- Ignoring scope inheritance: Assuming a role assigned at resource group level gives permissions to other resource groups. Know the exact boundaries.
- Misunderstanding management groups: Thinking management groups contain resources directly (they contain only subscriptions and other management groups). Or not realizing policies and RBAC flow down.
- Resource locks misconceptions: A Delete lock does not make resources read‑only. A ReadOnly lock blocks modifications but also prevents some management operations (e.g., starting a stopped VM). Locks are inherited by child resources.
- Tag inheritance: Tags applied to a resource group are NOT automatically inherited by resources inside it. You must enforce tag inheritance via Azure Policy if needed.
- SSPR without proper licensing: Configuring SSPR is not enough; users need an Entra ID P1 or P2 license. This is a classic exam trap.
- Cost budget thinking: Budgets alert; they do not stop spending. To stop spending, you need a policy or an automation runbook triggered by the alert.
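The resource lock misconception above is easy to reason about once locks are seen as a check on the HTTP verb of the request, applied after RBAC has already authorized it. The following is an added example, not code from the original page or from Azure: lock placements, the subscription ID and the resource IDs are constructed, and the verb mapping is the same read/write/delete/action split Azure Resource Manager uses.

```python
"""Resource lock evaluation (added example, not from the page). Lock placements,
the subscription ID and resource IDs are constructed. ARM enforces locks on the
HTTP verb of the request after RBAC has authorized it: CanNotDelete (shown as
"Delete" in the portal) blocks DELETE only, while ReadOnly permits GET alone,
so it also blocks POST operations such as starting a VM.
"""
SUB = "/subscriptions/00000000-0000-0000-0000-0000000000cc"   # constructed
RG_PROD = f"{SUB}/resourceGroups/rg-prod"

# Constructed locks: (scope, level). A lock applies to its scope and everything beneath it.
LOCKS = [
    (RG_PROD, "CanNotDelete"),
    (f"{RG_PROD}/providers/Microsoft.Compute/virtualMachines/vm-frozen", "ReadOnly"),
]

# Verb ARM uses for each operation kind (the same split as RBAC's read/write/delete/action).
VERB = {"read": "GET", "write": "PUT", "delete": "DELETE", "action": "POST"}


def applicable_locks(resource_id: str) -> set:
    """Levels of every lock at the resource's own scope or at an ancestor scope."""
    rid = resource_id.lower()
    return {level for scope, level in LOCKS
            if rid == scope.lower() or rid.startswith(scope.lower() + "/")}


def lock_blocks(resource_id: str, operation: str) -> bool:
    """True when the most restrictive inherited lock forbids the operation."""
    verb = VERB[operation]
    levels = applicable_locks(resource_id)
    if "ReadOnly" in levels:          # ReadOnly is stricter and wins over CanNotDelete
        return verb != "GET"
    if "CanNotDelete" in levels:
        return verb == "DELETE"
    return False


if __name__ == "__main__":
    vm_web = f"{RG_PROD}/providers/Microsoft.Compute/virtualMachines/vm-web"
    vm_frozen = f"{RG_PROD}/providers/Microsoft.Compute/virtualMachines/vm-frozen"
    for rid, op in [(vm_web, "delete"), (vm_web, "action"), (vm_frozen, "action"), (RG_PROD, "delete")]:
        print(f"{op:6} on {rid.rsplit('/', 1)[-1]}: {'blocked' if lock_blocks(rid, op) else 'allowed'}")
```

The same verb rule explains two other surprises: a ReadOnly lock on a storage account blocks listing its keys (a POST), and an Owner or User Access Administrator can still remove the lock, because `Microsoft.Authorization/locks/*` is an RBAC action that the lock itself does not govern.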
10. Skill 1 Learning Checklist #
Must Know (exam‑critical) #
- Create and manage users and groups (including bulk operations, dynamic groups)
- Assign built‑in RBAC roles at management group, subscription, resource group, and resource scopes
- Interpret effective access permissions given multiple role assignments
- Configure Azure Policy with Deny, Audit, Append, and Modify effects
- Assign policies to management groups and subscriptions
- Apply and manage resource locks (ReadOnly, Delete)
- Apply and manage tags on resources and resource groups
- Organize subscriptions into management groups
- Configure cost budgets and cost alerts
- Configure self‑service password reset (SSPR) for a group of users
- Manage external guest users (B2B invitations)
Should Know (strong working knowledge) #
- Understand policy initiative structure and assignment
- Interpret policy compliance data and remediate resources
- Manage licenses (assign, remove, group‑based licensing)
- Differentiate between Microsoft Entra roles (directory roles) and Azure RBAC roles
- Know the limits of management groups (depth, policy assignments)
Nice to Know (architecture context) #
- Design a custom RBAC role JSON (minimal `Actions` and `AssignableScopes`)
- Understand how Entra Connect synchronizes on‑premises identities
- Familiarity with Privileged Identity Management (PIM) for just‑in‑time access (exceeds AZ‑104 but valuable for real‑world)
- Know the role of Azure Blueprints in subscription governance (deprecated in favor of template specs and deployment stacks, but still referenced in older exam material)
11. What’s Next #
You’ve built the identity and governance foundation. Next, you’ll learn how to apply that foundation to data: AZ‑104 Skill 2: Implement and Manage Azure Storage.
Governance connects directly: the storage accounts you create will be locked, tagged, and constrained by the policies you designed here. RBAC roles like Storage Account Contributor and Storage Blob Data Contributor will control who can manage and access data. Cost management practices will track storage spending.
Move on when you can:
- Confidently assign the least‑privileged RBAC role for any given task.
- Predict the outcome of a policy + role combination at any scope.
- Build a simple management group hierarchy and defend your design decisions.
AZ‑104 Skill 2: Implement and Manage Azure Storage →
Related Architecture and Domain Content #
- Identity domain deep‑dive: /azure/domains/identity
- Governance domain deep‑dive: /azure/domains/governance
- Security domain overview: /azure/domains/security
- Identity governance architecture: /azure/architecture/identity-governance-architecture
- RBAC architecture design: /azure/architecture/rbac-architecture
- Governance architecture patterns: /azure/architecture/governance-architecture
- Microsoft Entra ID service reference: /services/microsoft-entra-id
- Azure RBAC service reference: /services/rbac
- Azure Policy service reference: /services/azure-policy
- Management groups guide: /services/management-groups
- Cost Management guide: /services/cost-management