Azure governance is the set of native controls that decides what gets deployed, where it can live, who can change it, and what it costs. On AZ-104 the domain carries 20–25% of the exam score, the heaviest of the five functional areas, against a passing mark of 700 [1]. The 15 scenarios below map directly to that domain and to the work a junior Azure admin does on day one.
Prerequisites
- A Microsoft Entra tenant with Global Administrator access
- An Azure subscription with Owner or User Access Administrator rights
- Microsoft Entra ID P2 or Entra ID Governance licensing for the PIM scenarios [10]
- Azure CLI 2.x or the Azure PowerShell Az module installed
- Working familiarity with the portal IAM, Policy, and Cost Management blades
- The AZ-104 study guide section on Manage Azure identities and governance [1]
1. Build the Container Tree
Scenario 1: Design a four-tier tree. A common pattern stacks Root at the top, then Platform and Landing Zones below it, then Environment containers, then the subscriptions themselves. Conditions set at any tier flow down by inheritance to every subscription underneath [2]. Every subscription inside the tree has to trust the same Microsoft Entra tenant [2]. The root container's ID matches the tenant ID, and it cannot be moved or deleted [2]. Global Administrators are the only identity with default access there, and they have to grant themselves tenant-level access first [2]. A tenant accommodates 10,000 containers and six levels of depth, not counting root or subscriptions [2]. Plan the shape on paper before clicking anything.
Scenario 2: Move a subscription between containers. Azure Resource Manager caches the tree for as long as 30 minutes, so a move does not show up in the portal right away [2]. Wait it out before opening a ticket.
2. Configure RBAC at the Right Scope
Scenario 3: Right-scope a role assignment. RBAC has four scope levels, from broadest to narrowest: container, subscription, resource group, and resource [4]. A developer who only needs to restart VMs should get Virtual Machine Contributor on the resource group, not Contributor on the subscription. To create that assignment the caller needs Microsoft.Authorization/roleAssignments/write, which ships with the Role Based Access Control Administrator and User Access Administrator built-ins [5]. For a custom role you intend to reuse across child subscriptions, declare its assignableScopes at a parent tier so the definition lives in one place. Least privilege is the default posture here, not a stretch goal.
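A custom role in the shape the scenario describes, added here as an example rather than anything taken from the page or from Microsoft's built-in definitions: the action list covers read, start, stop and restart only, and assignableScopes points at a management-group (parent tier) placeholder so the single definition can be assigned in any child subscription. The role name and `MG-LANDINGZONES-PLACEHOLDER` are constructed; the action strings are real Microsoft.Compute operations.

```json
{
  "Name": "Virtual Machine Operator (custom)",
  "IsCustom": true,
  "Description": "Read, start, stop and restart VMs. No create, delete, disk or network changes.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/powerOff/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/providers/Microsoft.Management/managementGroups/MG-LANDINGZONES-PLACEHOLDER"
  ]
}
```

Create it with `az role definition create --role-definition @vm-operator.json`, then assign it at the developer's resource group rather than the subscription.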
Scenario 4: Replace standing Owner with PIM. Privileged Identity Management gives you just-in-time, time-bound, approval-gated, and MFA-protected activation for Microsoft Entra roles, Azure resource roles, and PIM for Groups [10]. Eligible assignments require the user to activate before privileges apply; active assignments do not [10]. P2 or Entra ID Governance is required for eligible assignments through PIM [5]. Only a subscription administrator, resource Owner, or resource User Access Administrator can manage Azure resource role assignments inside PIM [10]. The service will not let you remove the last active Global Administrator or Privileged Role Administrator, so a lockout from this side is impossible [10].
3. Configure Azure Policy and Initiatives
Azure Policy evaluates resources against JSON business rules and groups related rules into an initiative, also called a policySet, that targets one goal [6].
Scenario 5: Allowed Locations. Use the built-in Allowed Locations definition with a Deny effect to keep data residency inside approved Azure regions [6]. Apply it at the top of the tree so every subscription inherits it.
Scenario 6: Allowed Virtual Machine SKUs. The Allowed Virtual Machine SKUs definition uses Deny to constrain VM sizes [6]. Other useful built-ins include Allowed Resource Types, Allowed Storage Account SKUs, and Not allowed resource types [6].
Scenario 7: Bundle regulatory controls. ISO 27001 and PCI-DSS map cleanly to initiatives, so compliance for an entire regulation shows up on a single dashboard. An initiative can carry 1,000 definitions and 400 parameters, and a single definition can take 20 parameters [6]. Each scope accommodates 500 definitions, 200 assignments, and 1,000 exemptions [6].
Scenario 8: Backfill missing tags. A Modify-effect policy with a remediation task can rewrite existing resources to add a required tag. Both Modify and DeployIfNotExists need a managed identity created at assignment time [11]. The portal flow is Policy > Assignments > Assign Policy, then Scope, optional Exclusions, the definition, parameters, the remediation toggle and managed identity, a non-compliance message, and Review + create [11]. A remediation task can touch 50,000 resources in one run [6].
A few rules worth keeping in mind. Assignments evaluate at create or update, when an assignment itself is created or modified, and during the standard compliance cycle, which runs every 24 hours [6]. Audit and AuditIfNotExists should land before Deny, Modify, or DeployIfNotExists so the compliance dashboard surfaces what is about to break [6]. Use notScopes to carve a child resource group out of a parent assignment, with 400 exclusions allowed per assignment [6]. You can assign at the top of the tree, but only subscription and resource group resources are evaluated for compliance [6]. Audit first. Enforce second.
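Scenario 8 together with the audit-first rule, as an added subscription-scope ARM template that is not from the page or from Microsoft's built-in definitions. The definition adds a CostCenter tag where one is missing; the assignment carries the system-assigned identity Modify needs, carves `rg-sandbox` out through notScopes, and starts in DoNotEnforce so the compliance dashboard fills before anything is rewritten. The definition and assignment names, `rg-sandbox`, `eastus` and the `unassigned` default are constructed; the Contributor role GUID is the one Microsoft's built-in tag policies list in roleDefinitionIds.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Authorization/policyDefinitions",
      "apiVersion": "2021-06-01",
      "name": "add-costcenter-tag",
      "properties": {
        "displayName": "Add CostCenter tag when missing",
        "policyType": "Custom",
        "mode": "Indexed",
        "parameters": {
          "tagValue": { "type": "String", "defaultValue": "unassigned" }
        },
        "policyRule": {
          "if": { "field": "tags['CostCenter']", "exists": "false" },
          "then": {
            "effect": "modify",
            "details": {
              "roleDefinitionIds": [
                "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
              ],
              "operations": [
                { "operation": "add", "field": "tags['CostCenter']", "value": "[[parameters('tagValue')]" }
              ]
            }
          }
        }
      }
    },
    {
      "type": "Microsoft.Authorization/policyAssignments",
      "apiVersion": "2022-06-01",
      "name": "add-costcenter-tag-audit",
      "location": "eastus",
      "identity": { "type": "SystemAssigned" },
      "dependsOn": [ "[subscriptionResourceId('Microsoft.Authorization/policyDefinitions', 'add-costcenter-tag')]" ],
      "properties": {
        "policyDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/policyDefinitions', 'add-costcenter-tag')]",
        "enforcementMode": "DoNotEnforce",
        "notScopes": [ "[subscriptionResourceId('Microsoft.Resources/resourceGroups', 'rg-sandbox')]" ],
        "nonComplianceMessages": [ { "message": "Every resource needs a CostCenter tag." } ],
        "parameters": { "tagValue": { "value": "unassigned" } }
      }
    }
  ]
}
```

Deploy with `az deployment sub create --location eastus --template-file policy.json`; the assignment's identity still needs the Contributor role granted at the assignment scope before a remediation task can run, which the portal flow does for you and a template does not. Switch enforcementMode to Default once the dashboard shows what the Modify would touch.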
4. Apply Resource Locks
Locks come in two levels. CanNotDelete (Delete) blocks deletion. ReadOnly blocks deletion and modification and behaves like restricting every caller to Reader [3]. Locks override RBAC and apply to every user and role [3]. They cover control-plane calls against Azure Resource Manager only, so a lock on a storage account does not stop blobs, queues, tables, or files from being changed or removed [3]. Locks cannot be applied at the container tier above subscription [3]. Creating or deleting one needs Microsoft.Authorization/locks/*, which sits inside Owner and User Access Administrator [3].
Scenario 9: Protect production with CanNotDelete. Put CanNotDelete on every production resource group. It holds against Owner-level callers and stops accidental deletion from a PowerShell script run against the wrong context. Cheap insurance.
Scenario 10: Avoid ReadOnly lock pitfalls. A ReadOnly lock on a storage account blocks the List Keys POST, so callers without keys are pushed to Microsoft Entra credentials for blob and queue access [3]. The same lock breaks container creation. A ReadOnly lock on a resource group holding a VM prevents start and restart, because those calls are POST operations [3]. A CanNotDelete lock on a resource group stops Resource Manager from cleaning deployment history; deployments fail after the resource group hits 800 entries [3]. The same lock will fail Azure Backup at 18 restore points [3]. Know the side effects before you apply.
5. Implement Tagging and Cost Management
Scenario 11: Define a tagging taxonomy. Settle on three required tags first: Environment, CostCenter, and Owner. Tags attach to resources, resource groups, and subscriptions, never to management groups [7]. Resources do not inherit tags from a parent; if you want inheritance, enforce it with a Modify-effect tag policy [7]. The hard limits: 50 name-value pairs per object, 512 characters for a name, 256 for a value, with 128-character names on storage accounts [7]. A small set of services, including Azure Automation, Azure Content Delivery Network, Azure Public DNS, Azure Private DNS, and Azure Log Analytics saved searches, only support 15 tags [7]. Names are case-insensitive for operations, values are case-sensitive, and the contents are stored as plain text, so nothing sensitive belongs in there [7]. The Tag Contributor role writes Microsoft.Resources/tags, which covers subscription tagging in the portal but not resource or resource group tagging [7].
Scenario 12: Chargeback views. Add cm-resource-parent as a tag pointing at the owning application so Cost Management groups child resources under one parent for chargeback reports. One tag, one rolled-up bill.
Scenario 13: Sandbox budget with a forecast alert. A Cost Management budget can be scoped to a container, subscription, or resource group, and to Enterprise Agreement or Microsoft Customer Agreement billing scopes [8]. Five thresholds and five email recipients are allowed per budget; thresholds range from 0.01% to 1000% of the budget amount [8]. Configure one threshold at 80% on forecasted cost and wire it to an Azure Monitor action group that triggers a webhook or Function [8]. Cost data lands within 8 to 24 hours and budgets evaluate every 24 hours; alert emails go out within an hour after a threshold is hit [8]. Budgets reset at the end of each monthly, quarterly, or annual period [8]. A forecast alert at 80% beats an actual alert at 100%.
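The budget from this scenario as an added subscription-scope ARM template, not code from the page: one forecast threshold at 80% wired to an action group, with the actual 100% threshold kept beside it for comparison. The budget name, amount, start date and `cloud-ops@example.com` are constructed, and the action group resource ID is passed in as a parameter because it lives in a resource group of your choosing.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "actionGroupId": { "type": "string" }
  },
  "resources": [
    {
      "type": "Microsoft.Consumption/budgets",
      "apiVersion": "2021-10-01",
      "name": "budget-sandbox-monthly",
      "properties": {
        "category": "Cost",
        "amount": 500,
        "timeGrain": "Monthly",
        "timePeriod": { "startDate": "2025-01-01T00:00:00Z" },
        "notifications": {
          "forecast80": {
            "enabled": true,
            "operator": "GreaterThanOrEqualTo",
            "threshold": 80,
            "thresholdType": "Forecasted",
            "contactEmails": [ "cloud-ops@example.com" ],
            "contactGroups": [ "[parameters('actionGroupId')]" ]
          },
          "actual100": {
            "enabled": true,
            "operator": "GreaterThanOrEqualTo",
            "threshold": 100,
            "thresholdType": "Actual",
            "contactEmails": [ "cloud-ops@example.com" ]
          }
        }
      }
    }
  ]
}
```

The startDate must be the first day of a month; the forecast notification fires when projected month-end spend crosses 80% of the amount, well before the actual threshold does.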
6. Harden Identity Governance
Scenario 14: Turn on security defaults for a free-tier tenant. Security defaults enforce MFA registration for every user, MFA for administrators, a block on legacy authentication and on device code flow, and MFA on access to the Azure portal, Microsoft Entra admin center, Azure PowerShell, and Azure CLI [9]. Microsoft attributes more than 99.9% of blocked identity attacks to MFA combined with blocking legacy auth [9]. The 14-day MFA registration grace period was removed on July 29, 2024 [9]. New tenants get security defaults on by default with a 24-hour MFA grace period [9]. Do not run this on tenants with Microsoft Entra ID P1 or P2; move the controls into Conditional Access instead [9]. Configure it at Entra admin center > Entra ID > Overview > Properties > Manage security defaults; the operator needs at least Conditional Access Administrator [9].
Scenario 15: Build two break-glass accounts. Maintain two cloud-only emergency access accounts permanently assigned Global Administrator [9]. Exclude both from every Conditional Access policy so a misconfigured MFA rule or a federation outage does not lock the tenant out. Store the credentials offline, split between two trusted custodians, and test sign-in on a calendar.
Troubleshooting and Common Issues
- A container move is not showing up in the portal. That is the 30-minute Resource Manager cache. Wait for it [2].
- A subscription moved between tenants and roles disappeared. RBAC assignments and Key Vault tenant IDs do not follow the subscription. Rebuild both.
- A policy assigned at the top of the tree shows nothing in compliance. Only subscription and resource group resources are evaluated; tier-level resources are skipped [6].
- Two assignments conflict and one is denying everything. Drop the competing assignment and use notScopes to exclude the carve-out, with 400 entries allowed per assignment [6].
- A DeployIfNotExists or Modify assignment will not remediate. The managed identity was not created at assignment time. Re-assign with the identity option enabled [11].
- Users cannot read storage account keys. A ReadOnly lock blocks List Keys; redirect callers to Microsoft Entra credentials [3].
- A VM will not start under a ReadOnly lock. Start and restart are POST operations and a ReadOnly lock blocks POST [3].
- ARM deployments suddenly fail. A CanNotDelete lock has blocked deployment history cleanup at the 800-entry limit [3].
- Azure Backup stops working. A CanNotDelete lock on the service-managed resource group is holding the 18th restore point [3].
- Child resources are missing tags. No automatic inheritance; apply a Modify-effect tag policy [7].
- A budget alert email never arrived. Cost data is 8 to 24 hours behind and evaluation runs every 24 hours [8].
- PIM will not let you remove the last Global Administrator. That is the lockout safeguard. Add another active assignment first [10].
- Security defaults appear greyed out. The tenant has P1 or P2 licensing; move the controls into Conditional Access [9].
- A role assignment fails with a permission error. The caller is missing Microsoft.Authorization/roleAssignments/write [5].
Summary
These 15 scenarios cover the full 20-25% governance domain on AZ-104 and the order of operations behind a passing score of 700 [1]. Work from the top of the tree downward: containers, then RBAC, then Policy, then locks, then tags, then cost, then identity. Audit before you enforce on every Policy effect. Right-scope every role assignment and put privileged access under PIM. Treat locks as the last line of defence, with the storage, VM, deployment, and Backup pitfalls clearly in mind. Practice each scenario end to end inside a free-tier subscription before exam day.
Sources
- [1] Study guide for Exam AZ-104: Microsoft Azure Administrator | Microsoft Learn
- [2] Organize your resources with management groups - Azure Governance | Microsoft Learn
- [3] Lock your Azure resources to protect your infrastructure - Azure Resource Manager | Microsoft Learn
- [4] Understand scope for Azure RBAC | Microsoft Learn
- [5] Assign Azure roles using the Azure portal - Azure RBAC | Microsoft Learn
- [6] Overview of Azure Policy - Azure Policy | Microsoft Learn
- [7] Use tags to organize your Azure resources and management hierarchy - Azure Resource Manager | Microsoft Learn
- [8] Tutorial - Create and manage budgets - Microsoft Cost Management | Microsoft Learn
- [9] Configure Security Defaults for Microsoft Entra ID | Microsoft Learn
- [10] What is Privileged Identity Management? - Microsoft Entra ID Governance | Microsoft Learn
- [11] Quickstart: Create policy assignment using Azure portal - Azure Policy | Microsoft Learn