1. You see a user object in Azure AD that has the 'Source' property set to 'Windows Server AD'. What does this indicate about the account's origin and how it should be managed?
- A. It indicates the account is synchronized from an on-premises Active Directory and must be managed on-premises for core attributes to avoid overwrite by sync. ✓ Correct
- B. It indicates the account is a cloud-only user created in Azure AD and can be fully managed through the Azure portal without on-premises dependencies.
- C. It indicates the account is a guest B2B user invited from another tenant and should be managed via guest user lifecycle controls in the inviting tenant.
- D. It indicates the account is a service principal representing an application identity, and credential rotation should be done through app registrations.
Explanation
A 'Windows Server AD' source means the user is synced from on-premises AD, so canonical attribute management occurs on-premises; cloud edits may be overwritten by sync. Other options describe cloud-only, guest, or app accounts and are incorrect.
2. An IT admin must choose between creating many new user accounts directly in Azure AD vs synchronizing from on-premises AD. Which primary operational difference should influence the decision?
- A. Creating accounts in Azure AD makes them cloud-only and allows immediate cloud-only password and attribute management without relying on on-premises identity infrastructure. ✓ Correct
- B. Creating accounts in Azure AD automatically provisions corresponding on-premises AD user objects and replicates them into the local domain controllers for hybrid management.
- C. Synchronizing from on-premises AD requires converting users to guest accounts, which limits access to internal resources and disables normal user sign-in.
- D. Synchronizing from on-premises AD prevents those users from ever using self-service password reset because writeback is unsupported for synced accounts.
Explanation
Cloud-only accounts are managed in Azure AD directly; synchronizing from on-premises AD makes on-premises AD the source of authority. The other options make false claims about automatic on-premises provisioning, guest conversion, and SSPR writeback.
3. You need to create 250 new cloud-only users in Azure AD with consistent properties. Which method and consideration is most appropriate to accomplish this efficiently?
- A. Use the Azure AD bulk import CSV template to define required attributes and ensure the CSV columns exactly match the template headers before uploading for creation. ✓ Correct
- B. Run an on-premises PowerShell AD command to create users and rely on Azure AD to automatically detect and import newly created cloud-only users without further action.
- C. Manually create a single user in the portal and then clone that user 250 times using the Azure AD 'duplicate user' bulk operation in the portal.
- D. Invite each user as a guest B2B user using the bulk invite CSV template, because guest invites are the only supported bulk operation in Azure AD.
Explanation
Azure AD supports a bulk import CSV for creating cloud users; the CSV must match the template headers. The other choices describe unsupported or incorrect procedures.
4. A directory admin must update jobTitle and department for 1,200 existing users. Which approach is best and what must the admin be careful about when using the CSV update?
- A. Use the Azure AD bulk update CSV where each row includes the user's immutableId or userPrincipalName and updated attributes, ensuring identifiers match exactly to avoid creating duplicates. ✓ Correct
- B. Export users from Azure AD to CSV, edit the file arbitrarily, then re-upload it and Azure AD will automatically reconcile duplicates by matching display names.
- C. Delete all 1,200 users and re-import them with the new attributes to guarantee no stale data remains, because updates are unreliable in bulk operations.
- D. Use group-based licensing to change jobTitle and department attributes automatically through assigned licenses during bulk operations.
Explanation
Bulk updates require exact identifiers like userPrincipalName or immutableId to match existing accounts; wrong identifiers risk duplicates. The other options are unsafe or incorrect methods for attribute updates.
5. An administrator wants a group to automatically include all users with department set to 'Engineering' and exclude contractors. Which group membership type and configuration is appropriate?
- A. Create a dynamic membership group with a rule that includes users whose department equals 'Engineering' and excludes users where employeeType equals 'Contractor' to maintain automatic membership. ✓ Correct
- B. Create an assigned membership group and manually add all current Engineering users, then rely on periodic Azure AD heuristics to keep membership updated automatically.
- C. Create a security group with nested assigned groups for each engineering team, because dynamic rules cannot filter on user attributes like department or employeeType.
- D. Use a distribution list with dynamic membership set to 'Engineering' and configure mail-enabled attributes to ensure contractors are excluded by default.
Explanation
Dynamic membership with attribute-based rules automates membership; assigned groups are manual, and distribution lists or nested assigned groups are incorrect for attribute-based automation.