Manage Azure Identities and Governance for AZ-104

Scope the Entra, RBAC, policy, tagging, subscription, and cost-control decisions that AZ-104 expects Azure administrators to make.

This chapter covers the control-plane decisions that shape whether an Azure environment stays operable as it grows. AZ-104 does not just test whether you can click through Microsoft Entra admin screens. It tests whether you know which scope to use, which control actually enforces the rule, and which governance choice avoids breaking everyday administration.

What this domain is really testing

Expect questions that force you to separate identity management from Azure authorization, and governance from access control. Candidates lose points here when they know the product names but do not know which layer each product controls.

Current weight in the study guide

Microsoft currently weights this domain at 20–25% of AZ-104. It is one of the two heaviest domains, so weak performance here is hard to offset later.

Work this domain in order

Start with Users, Groups, and SSPR, then move to Azure RBAC and Scope, and finish with Policy, Tags, Locks, and Cost Control.

Common AZ-104 traps

  • mixing up Microsoft Entra roles and Azure RBAC roles
  • assigning permissions higher than necessary because it feels faster
  • using locks to solve a policy problem
  • tagging inconsistently and then trying to fix cost visibility later

If this chapter still feels fuzzy, review the glossary before you move on. The identity and governance terms are close enough that label confusion alone can cause missed questions.
