AZ-104 Governance Questions: RBAC, Policies, and Framework
You’re staring at your practice test results and seeing 62% on the governance section. Or worse — you passed overall at 720, but barely, and you know governance tripped you up. The questions felt nothing like the study guide. They were asking about the why behind policy decisions, not just how to click buttons in the portal.
That’s the governance problem on AZ-104.
This isn’t about memorizing what RBAC stands for. You already know that. The issue is that exam questions test scenario judgment — situations where you have to pick the right governance tool from five plausible options, and three of them are actually valid, but only one solves the business problem stated in the question.
What Most Candidates Get Wrong About This
Most candidates study RBAC, Azure Policy, and management groups as separate topics. They learn the mechanics: “Here’s how to assign a role. Here’s how to create a policy. Here’s how to structure subscriptions.” Then they hit the exam and freeze because the question isn’t asking how — it’s asking when.
Example of the kind of scenario the exam uses: You have 40 subscriptions across 8 departments. Finance needs to audit all resource spending. Developers keep deploying non-compliant resources. C-suite wants governance enforced consistently across all departments without manual approval workflows.
Three common wrong answers:
- “Use RBAC with Reader role on all subscriptions” — This gives audit access, but doesn’t prevent non-compliant deployments.
- “Assign Owner role to a compliance team in each subscription” — This creates 40 manual approval bottlenecks.
- “Use management groups with Azure Policy” — This is correct, but candidates pick it by luck, not understanding why the other two fail.
The real answer requires understanding that RBAC handles access (Finance gets a read-only role such as Reader or Cost Management Reader) while Azure Policy handles compliance enforcement (a Deny effect stops the non-compliant deployments at the request). You need a management group as the scope layer so that one role assignment and one policy assignment inherit down into all 40 subscriptions. Without that conceptual framework, you’re guessing on every governance question.
Second mistake: Candidates don’t know the actual limitations of each tool. Azure Policy never deletes a resource: Deny only blocks create and update requests, and a resource that already exists when the policy arrives is reported as non-compliant, not removed. Policy changes existing resources only through the Modify and DeployIfNotExists effects, and only when a remediation task runs under a managed identity. RBAC can’t enforce tagging standards or any other property of a resource; it only decides which identity may perform which action. Management groups contain other management groups and subscriptions, nothing below subscription level. These aren’t edge cases; they come up repeatedly on the real exam.
Third mistake: Getting the scope model wrong. Both role assignments and policy assignments can be made at management group, subscription, resource group, or individual resource scope, and both inherit downward to everything below the scope. The distractor is rarely “where can this be assigned” and almost always “which tool does the job”; the one real scope difference to know is that a policy assignment can exclude child scopes (exclusions, also called notScopes, and exemptions), whereas RBAC has no such carve-out and you simply assign at a lower scope instead.
The Specific Problem You’re Facing
You’re probably scoring one of these ways on governance questions:
Scenario 1: You’re getting 50-60% right, but mostly on basic recall (“Which role allows VM creation?”). On scenario-heavy questions, you’re 30% accurate. This means you understand RBAC mechanics but can’t apply the framework to real problems.
Scenario 2: You’re confusing when to use Policy vs. RBAC vs. management groups. You know all three exist, but you don’t have a decision tree. So when a question asks about enforcing mandatory tagging, you’re torn between “use RBAC to prevent non-owners from creating resources” and “use Azure Policy with DeployIfNotExists.”
Scenario 3: You’re passing governance questions, but it’s taking 2-3 minutes per question because you’re re-reading the scenario multiple times. This means you don’t have a consistent framework for parsing what the question is really asking.
The root cause: Governance questions test judgment, not memory. They require a decision matrix in your head before you even read the answer choices.
A Step-By-Step Approach That Works
Step 1: Build your governance decision tree (Day 1 — 45 minutes)
Before doing anything else, create a simple flowchart:
- Question asks about “preventing non-compliant deployments”? → Use Azure Policy
- Question asks about “who can do what”? → Use RBAC
- Question asks about “applying governance consistently across 10+ subscriptions”? → Use management groups as the scope layer
- Question mentions “audit trail, who made what change”? → This is Activity Log, separate from governance frameworks
Write this on a physical piece of paper. Repeat it out loud three times. This becomes your mental filter.
Step 2: Learn the specific scope limitations (Day 1-2 — 1 hour)
Memorize this table:
| Tool | Management group | Subscription | Resource group | Individual resource |
|---|---|---|---|---|
| RBAC role assignment | Yes (inherits to everything below) | Yes | Yes | Yes |
| Azure Policy assignment | Yes (inherits; child scopes can be excluded via notScopes or exemptions) | Yes | Yes | Yes |
| Management group | Can be nested inside another management group (up to six levels below the root) | Contains subscriptions | Cannot contain | Cannot contain |
The point to lock in: RBAC and Policy share the same scope ladder and the same downward inheritance, so a question that hinges on “this has to be applied to 40 subscriptions at once” is really asking you to put the assignment on the management group, whichever tool it is. A management group is a container, never a thing you assign below a subscription.
Step 3: Study the actual limitations (Day 2 — 30 minutes)
Read the official docs on:
- What Azure Policy can’t do: It cannot delete resources. Deny and Append act only on create and update requests as they come in; resources that already exist are flagged by Audit and AuditIfNotExists but are not blocked. The only effects that change an existing resource are Modify and DeployIfNotExists, and only through a remediation task run by a managed identity that has been granted the needed role.
- What RBAC can’t do: It cannot enforce standards or deny based on resource properties. It only controls identity-based access.
When you see “enforce all VMs must have tags,” immediately know: Not RBAC, has to be Policy. Then pick the effect from the wording: “prevent deployment without the tag” is Deny; “add or inherit the tag automatically, including on existing VMs” is Modify with a remediation task.
Step 4: Practice with scenario deconstruction (Day 3-4 — 2 hours)
Take 10 governance practice questions. For each one, before reading answers:
- Write down what the business problem is (e.g., “Finance needs to see spending”)
- Write down what constraint exists (e.g., “40 subscriptions, can’t manage manually”)
- Predict which tool solves this
- Then read the answers
This forces your brain to think like the exam question writer, not like someone looking for keywords.
Step 5: Know the exceptions (Day 4 — 10 minutes)
Azure Policy has two effects that do more than deny or report: DeployIfNotExists, which deploys a missing related resource (a diagnostic setting, a monitoring agent extension), and Modify, which adds or replaces properties such as tags. Both need a managed identity on the assignment with a role from the definition’s roleDefinitionIds, and both touch existing resources only when a remediation task runs. Expect a question that asks whether Policy can “enforce” something on resources that are already deployed, where the answer is “yes, using DeployIfNotExists or Modify plus remediation,” not “no, Policy can only audit.”
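The 40-subscription scenario from earlier, carried out end to end with each tool in its proper role. This is an added example, not code from the original article: the management group name, the Entra ID group object ID, the sandbox subscription ID and the region are placeholders, and it assumes Az.Resources 7.x plus Az.PolicyInsights with Connect-AzAccount already run by an account that has rights at the management group. DeployIfNotExists is assigned the same way as the Modify policy shown here, with a deployment template in `details` instead of `operations`.

```powershell
# Added example (not from the article). One management group as the scope layer,
# RBAC for Finance's read-only cost view, a Deny policy for new deployments, and a
# Modify policy plus remediation task for resources that already exist.
# Assumes Az.Resources 7.x, Az.PolicyInsights, Connect-AzAccount already run.

$mgName         = 'corp-root'                                   # assumed management group
$mgScope        = "/providers/Microsoft.Management/managementGroups/$mgName"
$financeGroupId = '00000000-0000-0000-0000-000000000000'        # placeholder Entra ID group object ID
$sandboxSubId   = '11111111-1111-1111-1111-111111111111'        # placeholder subscription to exclude
$contributorId  = 'b24988ac-6180-42a0-ab88-20f7382dd24c'        # built-in Contributor role definition ID

# --- RBAC: who can do what. Finance needs visibility, not control, so one
#     read-only assignment at management group scope inherits into all 40 subscriptions.
New-AzRoleAssignment -ObjectId $financeGroupId `
    -RoleDefinitionName 'Cost Management Reader' `
    -Scope $mgScope | Out-Null

# --- Azure Policy (Deny): what a resource must look like. RBAC cannot express
#     "must carry a costCenter tag"; Deny rejects the create/update request itself.
#     Resources that already exist are untouched; they only show as non-compliant.
$tagParam = @'
{ "tagName": { "type": "String", "metadata": { "displayName": "Tag name" } } }
'@
$denyRule = @'
{
  "if":   { "field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false" },
  "then": { "effect": "deny" }
}
'@
$denyDef = New-AzPolicyDefinition -Name 'require-tag-on-resources' `
    -DisplayName 'Require a tag on resources' `
    -Mode Indexed -Policy $denyRule -Parameter $tagParam `
    -ManagementGroupName $mgName

# Assigned once at the management group; -NotScope carves out the sandbox
# subscription instead of creating 39 separate assignments.
New-AzPolicyAssignment -Name 'deny-untagged' -Scope $mgScope `
    -PolicyDefinition $denyDef `
    -PolicyParameterObject @{ tagName = 'costCenter' } `
    -NotScope "/subscriptions/$sandboxSubId" | Out-Null

# --- Azure Policy (Modify): the exception that changes resources. Needs a managed
#     identity, a roleDefinitionIds entry in the rule, and a remediation task for
#     the existing estate. Here it stamps a default value so Finance can report on it.
$modifyParam = @'
{ "tagName": { "type": "String" }, "tagValue": { "type": "String" } }
'@
$modifyRule = @"
{
  "if": { "field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false" },
  "then": {
    "effect": "modify",
    "details": {
      "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/$contributorId" ],
      "operations": [
        { "operation": "add",
          "field": "[concat('tags[', parameters('tagName'), ']')]",
          "value": "[parameters('tagValue')]" }
      ]
    }
  }
}
"@
$modifyDef = New-AzPolicyDefinition -Name 'add-default-tag' `
    -DisplayName 'Add a default tag value if missing' `
    -Mode Indexed -Policy $modifyRule -Parameter $modifyParam `
    -ManagementGroupName $mgName

$modifyAsg = New-AzPolicyAssignment -Name 'backfill-costcenter' -Scope $mgScope `
    -PolicyDefinition $modifyDef `
    -PolicyParameterObject @{ tagName = 'costCenter'; tagValue = 'unassigned' } `
    -IdentityType SystemAssigned -Location 'eastus'           # Location is required with an identity

# PowerShell does not grant the identity its role the way the portal does; without
# this the remediation fails. (IdentityPrincipalId is the Az.Resources 7.x property name.)
New-AzRoleAssignment -ObjectId $modifyAsg.IdentityPrincipalId `
    -RoleDefinitionId $contributorId `
    -Scope $mgScope | Out-Null

# Existing untagged resources are only changed when a remediation task runs.
Start-AzPolicyRemediation -Name 'costcenter-backfill' `
    -ManagementGroupName $mgName `
    -PolicyAssignmentId $modifyAsg.Id | Out-Null

# One compliance view across all 40 subscriptions, from the management group.
Get-AzPolicyState -ManagementGroupName $mgName `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyAssignmentName, PolicyDefinitionAction
```

Read it against the decision tree: the role assignment answers “who can see spending,” the Deny assignment answers “stop developers deploying non-compliant resources,” the Modify assignment with its remediation task is the only part that touches what already exists, and every one of them is made exactly once because the management group is the scope. Swap the Deny for an Audit effect and the developers’ deployments succeed while the compliance view still lists them, which is the distinction the exam keeps probing.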
What To Focus On (And What To Skip)
Focus on these:
- Management groups and subscription hierarchy (appears in 2-3 direct questions)
- Azure Policy effects: Deny, Audit, AuditIfNotExists, Append, Modify, DeployIfNotExists (expect scenario questions that turn on whether the effect blocks a request, only reports, or changes a resource)
- RBAC custom roles basics (1-2 questions)
- Role-based access scenarios (3-4 scenario questions)
- Policy scope and exclusions (2-3 questions)
Skip these:
- Deep Azure Blueprints details (1 question, maybe)
- Writing custom Policy definitions from scratch (you won’t be asked to code)
- Advanced management group filtering (not on AZ-104)
- Historical versions of RBAC (not testable)
Time allocation on real exam: Spend 1.5-2 minutes per governance scenario question. If you hit 3 minutes, skip and return.
Your Next Move
Right now, close this article and do one thing: Write out the decision tree from Step 1 by hand. Just the flowchart. Five minutes of your time.
Then, take one practice test focused only on governance questions (10-15 questions). Score it. Note which category you missed most: scope questions, policy effects, RBAC assignment, or scenario judgment.
Work on that specific gap tomorrow. Don’t study everything. Your next practice test should show 75%+ on governance questions. If it doesn’t, the decision tree isn’t locked in yet.
AZ-104 governance isn’t hard. It’s just testing whether you understand the why, not the how. Lock in that framework first. Everything else follows.