Domain 1: Practice Q&A — Identities & Governance
Answer each question before expanding the solution. Aim for under 2 minutes per question.
Q1
Your organization requires that all Azure resources have a CostCenter tag. You want to automatically add the tag (value: Unassigned) to any resource deployed without it — without blocking the deployment.
Which Azure Policy effect should you use?
- A. Deny
- B. Audit
- C. Append
- D. DeployIfNotExists
Answer + Explanation
Correct: C — Append
Why C: Append adds properties (including tags) to a resource request during creation or update, without blocking it. The deployment goes through; the tag is automatically included.
Why not A: Deny would block any deployment missing the tag — that contradicts the "without blocking" requirement.
Why not B: Audit only logs non-compliance. It doesn't add the tag.
Why not D: DeployIfNotExists deploys a separate related resource if it doesn't exist — it's for things like deploying a diagnostic settings resource alongside a VM, not for adding properties to the resource being created.
Exam tip: "Add a tag automatically without blocking" = Append (among the effects offered here). Note that Modify is the effect Microsoft now recommends for tag work, because it can add, replace or remove tags and can remediate resources that already exist through a remediation task; Append only touches the incoming request. If the requirement is to block deployments without the tag, use Deny, optionally paired with Modify to fix up existing resources.
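The following Az PowerShell script is an added example, not part of the original question set. It defines the Append policy the answer describes, assigns it at subscription scope, and then shows the Modify equivalent, which needs a managed identity on the assignment and a remediation task before it can tag resources that already exist. The subscription ID, policy names and location are placeholders, and the property that holds the assignment identity's principal ID differs between Az.Resources versions (see the comment).

```powershell
# Added example (not from the original page): Append vs. Modify for a CostCenter tag.
# Subscription ID, names and location are placeholders; replace before running.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # assumption: your subscription
$scope = "/subscriptions/$subscriptionId"

# --- Append: acts on the create/update request only. No identity, no remediation. ---
$appendRule = @'
{
  "if": {
    "field": "tags['CostCenter']",
    "exists": "false"
  },
  "then": {
    "effect": "append",
    "details": [
      { "field": "tags['CostCenter']", "value": "Unassigned" }
    ]
  }
}
'@

$appendDef = New-AzPolicyDefinition -Name 'append-costcenter-tag' `
    -DisplayName 'Append CostCenter tag when missing' `
    -Mode 'Indexed' -Policy $appendRule

New-AzPolicyAssignment -Name 'append-costcenter' -Scope $scope -PolicyDefinition $appendDef

# --- Modify: same trigger, but can also fix existing resources. The assignment needs a
#     managed identity that holds the role listed in roleDefinitionIds (Contributor GUID). ---
$modifyRule = @'
{
  "if": {
    "field": "tags['CostCenter']",
    "exists": "false"
  },
  "then": {
    "effect": "modify",
    "details": {
      "roleDefinitionIds": [
        "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
      ],
      "operations": [
        { "operation": "add", "field": "tags['CostCenter']", "value": "Unassigned" }
      ]
    }
  }
}
'@

$modifyDef = New-AzPolicyDefinition -Name 'modify-costcenter-tag' `
    -DisplayName 'Add CostCenter tag when missing (Modify)' `
    -Mode 'Indexed' -Policy $modifyRule

$assignment = New-AzPolicyAssignment -Name 'modify-costcenter' -Scope $scope `
    -PolicyDefinition $modifyDef -IdentityType 'SystemAssigned' -Location 'eastus'

# Principal ID of the assignment's identity. Assumption: Az.Resources 7.0+ exposes it as
# IdentityPrincipalId; older versions expose it as $assignment.Identity.PrincipalId.
$principalId = $assignment.IdentityPrincipalId

# The identity must actually hold the role named in roleDefinitionIds, or remediation fails.
New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName 'Contributor' -Scope $scope

# Remediation task (Az.PolicyInsights): tags resources that already exist without the tag.
$assignmentId = "$scope/providers/Microsoft.Authorization/policyAssignments/modify-costcenter"
Start-AzPolicyRemediation -Name 'tag-existing-resources' -PolicyAssignmentId $assignmentId
```

The Append assignment is the one-liner answer to the question; the Modify half is what you would actually deploy if the requirement later grows to "and tag what is already there", and it is why Modify assignments carry an identity while Append assignments do not.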
Q2
A user has the Contributor role assigned at the subscription level. They attempt to delete a resource lock on a resource group. The operation fails with a 403 error. What is the reason?
- A. The lock was created by a Policy, which cannot be deleted via RBAC
- B. The Contributor role does not include Microsoft.Authorization/locks/*
- C. Subscription-level RBAC does not inherit to resource groups
- D. The user must have the Global Administrator role in Entra ID to delete locks
Answer + Explanation
Correct: B — Contributor lacks Microsoft.Authorization/locks/*
Why B: Contributor's NotActions carve out Microsoft.Authorization/*/Write and Microsoft.Authorization/*/Delete (plus elevateAccess), so it can read locks but cannot create or remove them. Deleting a lock requires Microsoft.Authorization/locks/delete; among the built-in roles only Owner and User Access Administrator carry it, although a custom role can grant just that operation at a narrow scope.
Why not A: Locks are not created or managed by Policy — they are a separate feature (Microsoft.Authorization/locks). Policy manages Microsoft.Authorization/policyAssignments.
Why not C: Subscription-level RBAC absolutely inherits downward to RGs and resources. That's how RBAC scope hierarchy works.
Why not D: Global Administrator is an Entra ID role, not an Azure RBAC role. It grants no Azure resource permissions unless the admin uses the "Access management for Azure resources" elevation, which grants User Access Administrator at the root scope (/), not Owner.
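An added Az PowerShell example (not from the original page) that makes the 403 visible and then fixes it with the least privilege possible: it lists the Microsoft.Authorization entries in Contributor's NotActions, looks up the lock operations, and builds a custom role holding only the lock actions, assignable in one resource group. Subscription ID, resource group name and the user's object ID are placeholders.

```powershell
# Added example (not from the original page): why Contributor gets 403 on lock deletion,
# and the smallest custom role that fixes it. IDs and names below are placeholders.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # assumption
$rgName         = 'rg-app-prod'                             # assumption
$rgScope        = "/subscriptions/$subscriptionId/resourceGroups/$rgName"

# 1. Contributor's NotActions exclude Microsoft.Authorization writes and deletes, which is
#    where locks live. Reads are not excluded, so a Contributor can see a lock it cannot remove.
$contributor = Get-AzRoleDefinition -Name 'Contributor'
$contributor.NotActions | Where-Object { $_ -like 'Microsoft.Authorization/*' }
# expected to include Microsoft.Authorization/*/Delete and Microsoft.Authorization/*/Write

# 2. The operations the failing call needs, straight from the provider.
Get-AzProviderOperation -OperationSearchString 'Microsoft.Authorization/locks/*' |
    Select-Object Operation, Description

# 3. Least-privilege fix: a custom role with only the lock operations, assignable only in this RG.
#    Cloning Reader is the usual way to get a correctly shaped PSRoleDefinition object.
$role = Get-AzRoleDefinition -Name 'Reader'
$role.Id = $null
$role.Name = "Lock Operator ($rgName)"
$role.Description = 'Create and delete resource locks in one resource group'
$role.Actions.Clear()
$role.Actions.Add('Microsoft.Authorization/locks/read')
$role.Actions.Add('Microsoft.Authorization/locks/write')
$role.Actions.Add('Microsoft.Authorization/locks/delete')
$role.NotActions.Clear()
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($rgScope)
$lockRole = New-AzRoleDefinition -Role $role

# 4. Assign it next to the existing Contributor assignment.
$userObjectId = '11111111-1111-1111-1111-111111111111'      # assumption: the user's Entra object ID
New-AzRoleAssignment -ObjectId $userObjectId -RoleDefinitionId $lockRole.Id -Scope $rgScope

# 5. The call that previously returned 403 now succeeds for that user.
Get-AzResourceLock -ResourceGroupName $rgName | ForEach-Object {
    Remove-AzResourceLock -LockId $_.LockId -Force
}
```

Granting the custom role instead of Owner or User Access Administrator keeps the user from also being able to hand out role assignments, which is the real risk behind the broader built-in roles.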
Q3
A VM is regularly deleted and recreated as part of a blue-green deployment pipeline. The VM needs to access Azure Key Vault using a managed identity, and its Key Vault access policy must remain intact across recreations.
Which identity type should you configure?
- A. System-assigned managed identity
- B. User-assigned managed identity
- C. Service principal with a client certificate
- D. Service principal with a client secret
Answer + Explanation
Correct: B — User-assigned managed identity
Why B: A user-assigned managed identity has its own lifecycle, independent of any VM. When the VM is deleted and recreated, you attach the same user-assigned identity — its Object ID never changes, so Key Vault access policies referencing it remain valid.
Why not A: A system-assigned identity is tied to the VM's lifecycle. When the VM is deleted the identity is deleted with it, and recreation produces a new Object ID. Every Key Vault access policy (or RBAC role assignment) that referenced the old ID has to be re-added by hand, and the old role assignments linger as orphaned entries with an unknown principal until someone cleans them up.
Why not C/D: Service principals require credential management (certificate expiry, secret rotation). Managed identities are Azure-managed — no credentials to handle.
Exam tip: "Survives resource recreation" or "shared across multiple VMs/services" = user-assigned managed identity.
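An added Az PowerShell example (not from the original page) of the pattern the answer describes: the user-assigned identity and its Key Vault access are created once, each pipeline run attaches the same identity to the new VM, and the orphaned assignments a system-assigned identity would leave behind are cleaned up. Resource group, vault, VM and identity names, the location and the subscription ID are placeholders; the Key Vault access policy call matches the question, with the RBAC equivalent shown in a comment.

```powershell
# Added example (not from the original page): user-assigned identity that survives VM recreation.
# Names, location and subscription ID are placeholders.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # assumption
$rgName    = 'rg-app-prod'       # assumption
$location  = 'eastus'            # assumption
$vaultName = 'kv-app-prod'       # assumption
$vmName    = 'vm-app-green'      # assumption: the VM being (re)created in this run

# 1. One-time: the identity is its own resource, outside any VM's lifecycle.
$identity = New-AzUserAssignedIdentity -ResourceGroupName $rgName -Name 'id-app-keyvault' -Location $location

# 2. One-time: grant access by principal ID. This ID never changes, which is the whole point.
#    Access-policy model, as in the question:
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $identity.PrincipalId -PermissionsToSecrets get,list
#    RBAC model (recommended for new vaults), same principal, scoped to the vault:
#    New-AzRoleAssignment -ObjectId $identity.PrincipalId -RoleDefinitionName 'Key Vault Secrets User' `
#        -Scope (Get-AzKeyVault -VaultName $vaultName).ResourceId

# 3. Every deployment: attach the same identity to the freshly built VM.
$vm = Get-AzVM -ResourceGroupName $rgName -Name $vmName
Update-AzVM -ResourceGroupName $rgName -VM $vm -IdentityType UserAssigned -IdentityId $identity.Id

# 4. From inside the VM (run there, not here): IMDS issues a token for this identity with no
#    credential on disk. client_id is required when more than one user-assigned identity is attached.
#    $uri = 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01' +
#           '&resource=https://vault.azure.net&client_id=' + $identity.ClientId
#    $token = (Invoke-RestMethod -Headers @{ Metadata = 'true' } -Uri $uri).access_token

# 5. The failure mode this design avoids: role assignments whose principal was deleted with a VM
#    show up with ObjectType 'Unknown'. Remove them so the RG does not accumulate dead grants.
Get-AzRoleAssignment -Scope "/subscriptions/$subscriptionId/resourceGroups/$rgName" |
    Where-Object { $_.ObjectType -eq 'Unknown' } |
    Remove-AzRoleAssignment
```

Deleting the VM with Remove-AzVM does not delete the user-assigned identity or its grants, so step 3 is the only part that repeats per deployment.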
Q4
Your company has three Azure subscriptions: Dev, Staging, and Production. You must enforce a policy preventing creation of any VM with more than 4 vCPUs in all three subscriptions with minimum administrative effort.
What is the most efficient approach?
- A. Create a policy assignment in each of the three subscriptions
- B. Move all subscriptions into a management group and assign the policy once to the management group
- C. Create a custom RBAC role that prevents VM creation and assign it to all subscriptions
- D. Use Azure Blueprints to create one blueprint per subscription
Answer + Explanation
Correct: B — Management group with a single policy assignment
Why B: Policy assignments at a management group scope inherit to all subscriptions underneath. One assignment covers all three — and any future subscriptions added to the group automatically inherit it.
Why not A: Technically correct but inefficient — three separate assignments to maintain. Adding a fourth subscription requires another manual assignment.
Why not C: RBAC is not the tool for enforcing resource properties like VM size. Custom RBAC roles cannot filter on management-plane resource properties (size, SKU, region); RBAC decides who may call an operation, Policy decides whether the resource's configuration is acceptable.
Why not D: Blueprints can assign policies but are designed for full environment setup (RBAC + Policy + ARM templates together). Using Blueprints just to assign one policy to three subscriptions is over-engineering, and Blueprints is deprecated, with retirement announced for July 2026 in favor of Template Specs and Deployment Stacks.
Exam tip: "Enforce across multiple subscriptions with minimum effort" = management group + policy assignment. Practical caveat: Azure Policy cannot count vCPUs; it matches the VM SKU name (alias Microsoft.Compute/virtualMachines/sku.name), so the "4 vCPUs" rule is implemented as an allow-list or deny-list of SKUs, for example with the built-in "Allowed virtual machine size SKUs" definition.
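An added Az PowerShell example (not from the original page): it creates the management group, moves the three subscriptions under it, stores a Deny policy at the management group and assigns it once. Because Policy matches SKU names rather than vCPU counts, the rule takes an allowed-SKU list as a parameter; the SKU list, management group name and subscription IDs are placeholders.

```powershell
# Added example (not from the original page): one Deny policy assigned once at a management group.
# Management group name, subscription IDs and the SKU list are placeholders.
$mgName  = 'mg-workloads'                                            # assumption
$mgScope = "/providers/Microsoft.Management/managementGroups/$mgName"
$subIds  = @('<dev-sub-id>', '<staging-sub-id>', '<prod-sub-id>')    # assumption: real subscription IDs

# 1. One-time: create the management group and move the subscriptions under it.
New-AzManagementGroup -GroupName $mgName -DisplayName 'Workload subscriptions'
foreach ($subId in $subIds) {
    New-AzManagementGroupSubscription -GroupName $mgName -SubscriptionId $subId
}

# 2. Policy definition stored at the management group, so it can be assigned there.
#    Policy has no vCPU attribute; the size limit is expressed as an allowed-SKU list.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
      { "field": "Microsoft.Compute/virtualMachines/sku.name", "notIn": "[parameters('allowedSkus')]" }
    ]
  },
  "then": { "effect": "deny" }
}
'@
$params = @'
{
  "allowedSkus": {
    "type": "Array",
    "metadata": { "displayName": "Allowed VM SKUs", "description": "SKUs with 4 vCPUs or fewer" }
  }
}
'@
$def = New-AzPolicyDefinition -Name 'deny-vm-over-4-vcpu' `
    -DisplayName 'Deny VM SKUs larger than 4 vCPUs' -Mode 'Indexed' `
    -Policy $rule -Parameter $params -ManagementGroupName $mgName

# 3. Single assignment. Every current and future child subscription inherits it.
#    The SKU list is an example; curate it from your own size catalogue.
New-AzPolicyAssignment -Name 'deny-vm-over-4-vcpu' -Scope $mgScope -PolicyDefinition $def `
    -PolicyParameterObject @{ allowedSkus = @('Standard_B1s', 'Standard_B2s', 'Standard_D2s_v5', 'Standard_D4s_v5') }

# 4. Verify inheritance from a child subscription: the assignment is listed there even though
#    it was never created at subscription scope.
Get-AzPolicyAssignment -Scope "/subscriptions/$($subIds[0])" |
    Where-Object { $_.Name -eq 'deny-vm-over-4-vcpu' } |
    Select-Object Name, Scope
```

A fourth subscription only needs New-AzManagementGroupSubscription to be covered; nothing about the policy changes.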
Q5
A developer has the Contributor role on a resource group. They need to grant a new contractor the Reader role on the same resource group. What is the minimum additional permission required?
- A. Owner at the subscription level
- B. User Access Administrator at the resource group level
- C. Security Administrator in Entra ID
- D. The Contributor role is sufficient — they can assign any role within their scope
Answer + Explanation
Correct: B — User Access Administrator at the resource group level
Why B: Assigning roles requires Microsoft.Authorization/roleAssignments/write. The built-in role that carries this with the least baggage is User Access Administrator, and since the assignment only needs to happen at the RG level, RG scope is sufficient (least privilege). Be aware that UAA at the RG also lets the developer assign Owner there; if that is a concern, a role assignment condition can restrict which roles they may hand out.
Why not A: Owner at the subscription level would work, but it grants far more than necessary (Owner access to the entire subscription, not just the RG). The question asks for minimum permission.
Why not C: Security Administrator is an Entra ID role — it has no Azure RBAC assignment rights.
Why not D: Contributor explicitly excludes Microsoft.Authorization/* actions — it cannot assign roles. This is the most common wrong answer chosen by candidates.
Q6
A ReadOnly lock is applied to a storage account. A user with the Owner RBAC role attempts to list the storage account's access keys. The operation fails. Why?
- A. Owners cannot list access keys — they need the Storage Account Key Operator Service Role
- B. Listing access keys is classified as a write operation, which ReadOnly locks block
- C. Access keys are managed by Entra ID, not by Azure RBAC
- D. The ReadOnly lock was applied at a higher scope and cascades down
Answer + Explanation
Correct: B — listKeys is classified as a write operation on the management plane
Why B: The listKeys action (Microsoft.Storage/storageAccounts/listKeys/action) is a POST operation that returns credentials granting full data-plane access, and Azure treats it as a write-class action. A ReadOnly lock permits only read (GET) operations on the management plane, so listKeys is refused, even for Owners.
Why not A: Owners can list access keys under normal circumstances (no lock). The Storage Account Key Operator Service Role is a real role but is not relevant here.
Why not C: Access keys are Azure resource management objects, not Entra ID objects.
Why not D: The question says the lock is applied directly on the storage account — no cascade needed. But even if inherited, the result is the same.
Exam tip: ReadOnly lock on storage = cannot list keys (which also breaks the portal's key-based data browsing and anything that wants a SAS minted from a key). ReadOnly lock on VM = cannot start/stop the VM. ReadOnly is more restrictive than it sounds. Data-plane access authorized with Entra ID (for example Storage Blob Data Reader) never calls listKeys and keeps working under the lock.
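An added Az PowerShell example (not from the original page) that reproduces the failure and shows the two ways around it: an Entra-authorized data-plane call that needs no key, or lifting the lock (which needs Microsoft.Authorization/locks/delete, see Q2) and re-applying it afterwards. Resource group and storage account names are placeholders, and the caller is assumed to hold Owner on the account plus a storage data role for the Entra path.

```powershell
# Added example (not from the original page): ReadOnly lock vs. listKeys on a storage account.
# Names are placeholders; the caller is assumed to be an Owner with a storage data role.
$rgName = 'rg-data-prod'          # assumption
$saName = 'stdataprod001'         # assumption

New-AzResourceLock -LockName 'ro-lock' -LockLevel ReadOnly -ResourceGroupName $rgName `
    -ResourceName $saName -ResourceType 'Microsoft.Storage/storageAccounts' -Force

# listKeys is a POST (write-class) management-plane action, so the lock rejects it for everyone.
try {
    Get-AzStorageAccountKey -ResourceGroupName $rgName -Name $saName
} catch {
    Write-Warning "listKeys blocked by ReadOnly lock: $($_.Exception.Message)"
}

# Entra-authorized data-plane access never touches the keys, so it still works under the lock
# as long as the caller holds a data role such as Storage Blob Data Reader on the account.
$ctx = New-AzStorageContext -StorageAccountName $saName -UseConnectedAccount
Get-AzStorageContainer -Context $ctx | Select-Object Name

# If a key is genuinely required (legacy SDK, SAS generation), lift the lock, fetch, re-lock.
# Removing the lock needs Microsoft.Authorization/locks/delete: Owner or User Access
# Administrator can do it, Contributor cannot (Q2).
$lock = Get-AzResourceLock -LockName 'ro-lock' -ResourceGroupName $rgName `
    -ResourceName $saName -ResourceType 'Microsoft.Storage/storageAccounts'
Remove-AzResourceLock -LockId $lock.LockId -Force
$keys = Get-AzStorageAccountKey -ResourceGroupName $rgName -Name $saName
New-AzResourceLock -LockName 'ro-lock' -LockLevel ReadOnly -ResourceGroupName $rgName `
    -ResourceName $saName -ResourceType 'Microsoft.Storage/storageAccounts' -Force
```

The unlock window in the last step is exactly the kind of change that should be logged and reviewed; a CanNotDelete lock would have let listKeys through while still protecting the account from deletion, which is usually the better default for storage.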
Q7
Which of the following statements about the relationship between Azure Policy and Azure RBAC is TRUE?
- A. A Deny Policy is overridden by an Owner RBAC role assignment
- B. RBAC controls what a principal can attempt; Policy controls whether the attempt succeeds
- C. Azure Policy and Azure RBAC are the same underlying system with different UIs
- D. You must be a Global Administrator in Entra ID to create Policy assignments
Answer + Explanation
Correct: B — RBAC and Policy are complementary, sequential systems
Why B: The request flow is:
- RBAC check — does the principal have permission to attempt this action? If not → denied.
- Policy check — does the resource configuration comply with policies? If a Deny policy matches → denied.
Both must pass. Policy can block even an Owner.
Why not A: Policy Deny effect is not overridden by any RBAC role — not even Owner. They are separate systems; RBAC cannot bypass Policy.
Why not C: They are completely different systems with different APIs, resources, and scope models.
Why not D: Creating Policy assignments requires the Resource Policy Contributor Azure RBAC role (or Owner) — not Entra Global Admin.
Q8
You have an Entra ID user with the User Administrator role. This user has no Azure RBAC assignments. They attempt to create a new virtual machine in a subscription. What happens?
- A. They succeed — User Administrator is a high-privilege Entra role
- B. They fail — Entra ID roles do not grant any Azure resource permissions
- C. They succeed — Entra roles automatically grant Contributor to all subscriptions
- D. They fail — they need to be a Subscription Owner, which requires Global Admin approval
Answer + Explanation
Correct: B — Entra ID roles have no Azure resource permissions
Why B: User Administrator is an Entra ID role — it grants permission to manage directory objects (users, groups, passwords). It has zero Azure resource permissions. Creating a VM requires at minimum the Contributor Azure RBAC role on the target subscription or resource group.
Why not A/C: Entra roles and Azure RBAC roles are completely separate. No Entra role automatically grants any Azure RBAC permission. The one bridge is the Global Administrator elevation toggle ("Access management for Azure resources"), which grants User Access Administrator at the root scope (/), and even that only lets the admin assign roles, not create resources directly.
Why not D: There is no "Global Admin approval" process for subscription ownership — it's just an Azure RBAC assignment.
This is the #1 exam trap in Domain 1. Whenever a question presents an Entra ID role and asks about Azure resource access, the Entra role provides nothing unless an Azure RBAC role is also assigned.
Q9 — Scenario
Your organization is acquiring a company. You need to give their IT team read-only access to all resources in your three production subscriptions with minimum effort. You also want any new production subscriptions created in the future to automatically have this access.
Which combination of steps achieves this?
- A. Assign Reader role to the IT team group in each of the three subscriptions; manually repeat for future subscriptions
- B. Create a management group containing all production subscriptions; assign the Reader role to the IT team group at the management group scope
- C. Add the IT team users as Guest users and assign them Subscription Reader in Entra ID
- D. Create an Azure Blueprint that assigns the Reader role and assign it to each subscription
Answer + Explanation
Correct: B — Management group + Reader at management group scope
Why B: Management group RBAC inherits to all current and future subscriptions placed under it. One assignment covers all three subscriptions today and any new production subscriptions added tomorrow.
Why not A: Works but requires manual re-assignment for every new subscription. Doesn't satisfy "automatically included future subscriptions."
Why not C: "Subscription Reader in Entra ID" doesn't exist — Entra roles don't map to Azure subscription access. Guest users still need Azure RBAC assignments.
Why not D: Blueprints work but are heavier than needed for a single RBAC assignment. Blueprint assignments are also per-subscription and do not flow to subscriptions added later, and Blueprints is deprecated (retirement announced for July 2026) in favor of Template Specs and Deployment Stacks.
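An added Az PowerShell example (not from the original page) covering both Q5 and Q9: User Access Administrator at resource group scope with a role assignment condition that limits the developer to assigning and removing Reader only (the GUID in the condition is the built-in Reader role definition), then a single Reader assignment for the acquired IT team at a production management group. The condition is the documented delegation pattern; the subscription ID, group and user object IDs, resource group and management group names are placeholders.

```powershell
# Added example (not from the original page), covering Q5 and Q9.
# Subscription ID, object IDs and scope names are placeholders.
$subscriptionId  = '00000000-0000-0000-0000-000000000000'     # assumption
$rgName          = 'rg-app-dev'                                # assumption
$rgScope         = "/subscriptions/$subscriptionId/resourceGroups/$rgName"
$developerId     = '11111111-1111-1111-1111-111111111111'     # assumption: developer's object ID
$contractorId    = '22222222-2222-2222-2222-222222222222'     # assumption: contractor's object ID
$acquiredItGroup = '33333333-3333-3333-3333-333333333333'     # assumption: acquired IT team group

# --- Q5: UAA at RG scope, constrained so the developer can only assign or remove Reader. ---
# acdd72a7-3385-48ef-bd42-f606fba81ae7 is the built-in Reader role definition ID.
$condition = @'
(
 (
  !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
 )
 OR
 (
  @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {acdd72a7-3385-48ef-bd42-f606fba81ae7}
 )
)
AND
(
 (
  !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
 )
 OR
 (
  @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {acdd72a7-3385-48ef-bd42-f606fba81ae7}
 )
)
'@
New-AzRoleAssignment -ObjectId $developerId -RoleDefinitionName 'User Access Administrator' `
    -Scope $rgScope -Condition $condition -ConditionVersion '2.0'

# What the developer can now do in the RG (and, because of the condition, nothing broader):
New-AzRoleAssignment -ObjectId $contractorId -RoleDefinitionName 'Reader' -Scope $rgScope

# --- Q9: one Reader assignment at the production management group. ---
# Every subscription under it today, or moved under it later, inherits the assignment.
$mgScope = '/providers/Microsoft.Management/managementGroups/mg-production'   # assumption
New-AzRoleAssignment -ObjectId $acquiredItGroup -RoleDefinitionName 'Reader' -Scope $mgScope

# Check from one production subscription: the inherited entry shows the MG as its Scope.
Get-AzRoleAssignment -ObjectId $acquiredItGroup -Scope "/subscriptions/$subscriptionId" |
    Select-Object RoleDefinitionName, Scope
```

Without the condition, the Q5 answer is still "User Access Administrator at the RG", but the developer could then also grant Owner at that scope; the condition turns the minimum role into a genuinely minimal grant.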
Q10 — Tricky
You assign a Deny policy at the subscription level that blocks creation of public IP addresses. A user with Owner role on a resource group tries to create a VM with a public IP. What is the result?
- A. The VM and public IP are both created — Owner overrides Policy
- B. Both the VM and public IP creation fail
- C. The public IP creation is blocked, but the VM is created without a public IP
- D. The VM creation fails; the public IP creation succeeds
Answer + Explanation
Correct: C — Public IP is blocked; VM creation succeeds without it
Why C: The Deny policy targets Microsoft.Network/publicIPAddresses, so only that resource type is blocked. The VM itself is Microsoft.Compute/virtualMachines, which the policy does not cover. Azure Resource Manager evaluates each resource request separately against Deny policies: the VM request succeeds, the public IP request fails. Practical caveat: if the VM, NIC and public IP are submitted in one ARM or Bicep deployment, the NIC references the public IP, so the public IP's failure also fails the NIC and the VM that depend on it; the exam answer assumes the resource-by-resource view.
Why not A: Owner does not override Policy. Policy and RBAC are independent systems; RBAC allows the attempt, Policy evaluates the resource.
Why not B: The VM itself is not a public IP — it's a separate resource type. The policy only blocks publicIPAddresses.
Why not D: The VM deployment succeeds (it's not covered by the policy). The IP fails because it is directly targeted.
Exam tip: Azure Policy targets specific "type" values. A policy targeting publicIPAddresses doesn't block the VM; it only blocks the public IP resource itself. The VM just won't have a public IP attached.