
AZ-104 Governance Questions Are Confusing? A Simple Framework to Master Subscriptions, RBAC & Policies

Why are AZ-104 governance and RBAC questions so confusing?

AZ-104 governance questions confuse candidates because Azure’s RBAC, policies, and management groups have overlapping scopes. Most failures aren’t from lacking knowledge — they’re from not having a clear ‘Who, What, Where’ mental framework. Once you map RBAC to ‘Who can do What at Which scope,’ governance questions become predictable patterns.

If AZ-104 governance questions leave you second-guessing every answer, you’re not alone. Most candidates don’t fail these questions because they lack knowledge—they fail because Azure’s governance model has layers that feel arbitrary without a clear mental structure. The good news: once you understand the “Who, What, Where” framework, governance questions become predictable patterns instead of confusing puzzles.

Why Azure Governance Feels Overwhelming at First

Azure governance isn’t one topic—it’s an interlocking system of hierarchy, identity, permissions, and compliance. The AZ-104 exam tests all of these together, often in the same question.

Before diving into specifics, you need to internalize the AZ-104 subscription hierarchy:

  • Tenant: The top-level Azure AD (now Entra ID) boundary. One tenant = one organization identity.
  • Management Groups: Containers for organizing multiple subscriptions. Policies and RBAC can be applied here.
  • Subscriptions: Billing and access boundaries. Most enterprises have multiple subscriptions.
  • Resource Groups: Logical containers for resources that share lifecycle and permissions.
  • Resources: Individual Azure services (VMs, storage accounts, databases, etc.).

Everything in Azure governance flows through this hierarchy. Settings applied at higher levels inherit downward. This is why AZ-104 questions often test “at which scope should you apply X?”—because the answer changes everything.

The 3 Core Governance Concepts AZ-104 Tests

While Azure governance includes many features, the AZ-104 exam focuses heavily on three areas:

1. Role-Based Access Control (RBAC)

RBAC answers: “Who can do what, and where?”

AZ-104 RBAC questions typically test:

  • Built-in roles (Owner, Contributor, Reader, User Access Administrator)
  • Custom role creation and JSON structure
  • Role assignment scope (management group, subscription, resource group, resource)
  • The difference between control plane (Azure Resource Manager) and data plane permissions

Key insight: RBAC is additive. If a user has multiple role assignments, their effective permissions are the union of all assigned permissions. There is no “deny” in standard RBAC—only the absence of permission.

2. Azure Policy

Policy answers: “What configurations are allowed or required?”

Azure Policy exam questions typically test:

  • Policy effects: Deny, Audit, Append, DeployIfNotExists, Modify
  • Policy assignment scope and exclusions
  • Initiative definitions (grouping multiple policies)
  • Compliance evaluation and remediation tasks

Key insight: Policy is evaluated AFTER RBAC. A user might have permission to create a resource (RBAC allows), but Policy can still block it if the resource doesn’t comply.
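The two key insights above (additive RBAC, Policy evaluated after RBAC) can be traced in a small model. This is an added example, not code from the original article or from Azure: the role definitions are simplified, the principals, subscription ID, resource groups and the `costCenter` tag rule are constructed, and management group scopes are left out.

```python
from fnmatch import fnmatchcase

# Simplified role definitions (constructed; real built-in roles list more NotActions).
ROLES = {
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Contributor": {"actions": ["*"], "not_actions": [
        "Microsoft.Authorization/*/write", "Microsoft.Authorization/*/delete"]},
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*"], "not_actions": []},
}

def in_scope(target, scope):
    """True if scope is the target or one of its ancestors (inheritance flows down)."""
    t, s = target.lower().rstrip("/"), scope.lower().rstrip("/")
    return t == s or t.startswith(s + "/")

def role_allows(role, action):
    """Actions minus NotActions for ONE role; NotActions is not a deny on other roles."""
    hit = lambda pats: any(fnmatchcase(action.lower(), p.lower()) for p in pats)
    return hit(role["actions"]) and not hit(role["not_actions"])

def rbac_allows(assignments, who, action, target):
    """Additive: one inherited assignment that permits the action is enough."""
    return any(p == who and in_scope(target, scope) and role_allows(ROLES[r], action)
               for p, r, scope in assignments)

def evaluate(assignments, policies, who, action, target, tags=()):
    if not rbac_allows(assignments, who, action, target):
        return "Forbidden by RBAC"
    hits = set()
    if action.lower().endswith("/write"):      # Policy judges the resource being written
        for pol in policies:
            excluded = any(in_scope(target, ns) for ns in pol["not_scopes"])
            if in_scope(target, pol["scope"]) and not excluded and pol["required_tag"] not in tags:
                hits.add(pol["effect"])
    if "Deny" in hits:
        return "Denied by Policy"
    return "Allowed (audited)" if hits else "Allowed"

# Constructed sample data: one subscription, two resource groups.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_APP, RG_LAB = SUB + "/resourceGroups/rg-app", SUB + "/resourceGroups/rg-lab"
ASSIGNMENTS = [("alice", "Reader", SUB), ("alice", "Contributor", RG_APP),
               ("bob", "Contributor", SUB), ("bob", "User Access Administrator", RG_LAB)]
POLICIES = [{"scope": SUB, "not_scopes": [RG_LAB], "effect": "Deny",
             "required_tag": "costCenter"}]
VM_WRITE = "Microsoft.Compute/virtualMachines/write"
ROLE_WRITE = "Microsoft.Authorization/roleAssignments/write"
```

In this model alice's untagged VM write in rg-app passes RBAC and is then stopped by the Deny policy, while bob can write role assignments only in rg-lab, where a second role grants what Contributor's NotActions leave out.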

3. Blueprints & Landing Zones (Conceptual)

Blueprints answer: “How do we deploy standardized environments repeatedly?”

AZ-104 tests blueprints at a conceptual level:

  • Blueprints combine ARM templates, policies, RBAC, and resource groups into deployable packages
  • They’re used for enterprise-scale landing zones
  • Versioning and locking concepts

Don’t over-study blueprints for AZ-104—understand the concept, not deep implementation details.

The “Who, What, Where” Framework

Every AZ-104 governance question can be broken down using this simple framework:

WHO = Identity & Role

Identify the security principal in the question:

  • Is it a user, group, service principal, or managed identity?
  • What role are they assigned (or need to be assigned)?
  • Are they using built-in or custom roles?

WHAT = Permissions or Compliance Rule

Determine what action is being controlled:

  • For RBAC: What operations (read, write, delete, action) are needed?
  • For Policy: What configuration is being enforced or audited?
  • Is this about granting access or restricting configurations?

WHERE = Scope Level

Identify the scope boundary:

  • Management group, subscription, resource group, or individual resource?
  • Does inheritance matter? (Higher scope = broader effect)
  • Are there exclusions mentioned?

When you read an AZ-104 governance question, mentally label each element with “Who, What, Where” before looking at the answers. This prevents the common trap of jumping to conclusions based on keywords.

Common AZ-104 Governance Traps in Exam Questions

Knowing these traps helps you avoid them:

Trap 1: Mixing RBAC with Policy

The question describes a compliance requirement (like “all VMs must have a specific tag”), and answer options include both RBAC roles and Policy assignments. Remember: RBAC controls who can act; Policy controls what configurations are valid. Compliance requirements = Policy.

Trap 2: Wrong Scope Assignment

A question asks for the “minimum scope” to achieve something. Candidates often choose too broad (subscription when resource group is enough) or too narrow (resource when inheritance from resource group would work). Always think: “What’s the smallest scope that covers all affected resources?”

Trap 3: Confusing Deny vs Allow Logic

RBAC doesn’t have explicit deny—lack of permission = implicit deny. But Azure Policy has an explicit Deny effect. When a question mentions blocking or denying, clarify whether it’s about access (RBAC) or configuration compliance (Policy).

Trap 4: Forgetting Inheritance Direction

Permissions and policies flow downward (parent → child), not upward. A policy on a management group affects all subscriptions beneath it. Candidates sometimes assume scope works in the opposite direction.

How to Study Governance the Smart Way

Governance can’t be learned through memorization alone. Here’s the smart approach:

Step 1: Build a Mini Governance Lab

In a free Azure subscription:

  • Create a management group and nest a subscription
  • Create multiple resource groups
  • Assign different RBAC roles at different scopes
  • Apply a simple policy (like requiring tags) and observe compliance

This 30-minute exercise builds more understanding than hours of video watching.

Step 2: Practice Scenario Mapping

For every practice question you encounter:

  1. Draw the hierarchy (management group → subscription → resource group → resource)
  2. Mark where RBAC or Policy is being applied
  3. Trace the inheritance path
  4. Identify the minimum effective scope

This visual approach makes abstract concepts concrete.
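The four mapping steps above reduce to finding the deepest scope that is an ancestor of every affected resource. The following is an added example, not part of the original article: the subscription IDs, management group names and the `PARENTS` map are constructed, and a resource's own ID is treated as a single scope level.

```python
def scope_chain(resource_id, parents):
    """Scopes that contain a resource, broadest first, ending at the resource itself."""
    parts = resource_id.strip("/").split("/")
    sub = "/" + "/".join(parts[:2])
    chain = [sub]
    if len(parts) >= 4:                       # .../resourceGroups/<name>
        chain.append("/" + "/".join(parts[:4]))
    if len(parts) > 4:                        # .../providers/<namespace>/<type>/<name>
        chain.append("/" + "/".join(parts))
    mg = parents.get(sub.lower())
    while mg:                                 # walk up through management groups
        chain.insert(0, mg)
        mg = parents.get(mg.lower())
    return chain

def minimum_scope(resource_ids, parents):
    """Deepest scope shared by every resource, or None if they share no ancestor."""
    chains = [scope_chain(r, parents) for r in resource_ids]
    common = None
    for level in zip(*chains):                # compare the chains level by level from the top
        if len({s.lower() for s in level}) != 1:
            break
        common = level[0]
    return common

# Constructed hierarchy: mg-root -> mg-prod -> two subscriptions.
MG = "/providers/Microsoft.Management/managementGroups/"
SUB_A = "/subscriptions/11111111-1111-1111-1111-111111111111"
SUB_B = "/subscriptions/22222222-2222-2222-2222-222222222222"
PARENTS = {SUB_A: MG + "mg-prod", SUB_B: MG + "mg-prod",
           (MG + "mg-prod").lower(): MG + "mg-root"}

if __name__ == "__main__":
    vm1 = SUB_A + "/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm1"
    st1 = SUB_A + "/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/st1"
    print(minimum_scope([vm1, st1], PARENTS))   # two resource groups, one subscription
```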

Step 3: Focus on Decision Logic, Not Definitions

Don’t just memorize “Contributor role can create resources.” Instead, practice questions like: “A user needs to deploy VMs but not manage access. What role at what scope?” The exam tests application, not recall.

Turn Governance Confusion Into Exam Confidence

AZ-104 governance questions aren’t designed to trick you—they’re designed to test whether you understand Azure’s access and compliance model as a system. Once you internalize the hierarchy and the “Who, What, Where” framework, these questions become predictable.

The candidates who struggle are those who memorize definitions without understanding relationships. The candidates who pass are those who can trace a permission or policy through the hierarchy and predict its effect.

At Certsqill, our AZ-104 simulations focus on governance decision logic, not memorization. Every question teaches you to think through scenarios the way the exam expects—identifying scope, matching tools to requirements, and avoiding common traps.

Start practicing governance scenarios today and transform confusion into your competitive advantage.

Frequently Asked Questions

What is the difference between RBAC and Azure Policy in AZ-104?

RBAC controls WHO can do WHAT (permissions for users/groups), while Azure Policy controls WHAT can be done regardless of who (compliance rules for resources). RBAC answers “Can this person create a VM?” Policy answers “Can ANY VM be created without encryption?”

What is the Azure hierarchy for governance?

The Azure governance hierarchy from top to bottom is: Tenant → Management Groups → Subscriptions → Resource Groups → Resources. Settings applied at higher levels inherit downward unless explicitly overridden.

How does scope inheritance work in Azure RBAC?

RBAC roles assigned at a higher scope automatically apply to all child resources. A Contributor role at the subscription level grants Contributor permissions to all resource groups and resources within that subscription.

What Azure Policy effects should I know for AZ-104?

Key policy effects for AZ-104 are: Deny (blocks non-compliant resources), Audit (logs but allows), DeployIfNotExists (auto-remediate), and Modify (add/change tags or properties). Know when each applies based on scenario requirements.