2.7 Identity and Governance Case Lab
Key Takeaways
- Mixed identity and governance scenarios require separating authentication, authorization, compliance, protection, and cost signals.
- The safest scope is the lowest scope that includes all required targets and excludes unrelated resources.
- Portal workflows are efficient for investigation, while CLI commands are stronger for repeatable rollout and audit evidence.
- Exam case studies may combine users, groups, RBAC, policy, locks, tags, budgets, and Advisor recommendations in one story.
Case Background
Contoso has one Microsoft Entra tenant and four Azure subscriptions: sub-platform, sub-prod-apps, sub-dev-apps, and sub-sandbox. The subscriptions are organized under management groups. sub-platform sits under mg-platform. sub-prod-apps sits under mg-production. sub-dev-apps and sub-sandbox sit under mg-nonprod.
The company has these teams:
| Team | Requirement |
|---|---|
| CloudOps | Manage all production application resources but not tenant-wide identity settings. |
| NetworkOps | Manage hub networks in sub-platform and read spoke network settings in production. |
| Helpdesk | Reset passwords for cloud users and read Azure resources for support. |
| Developers | Manage resources only in their dev application resource groups. |
| Vendors | Read monitoring data for one production resource group for 30 days. |
| Finance | Report costs by application, environment, and cost center. |
Your job is to design the first governance pass without overgranting permissions.
Step 1: Separate Identity From Azure Authorization
Helpdesk password reset is a Microsoft Entra task. Reading Azure resources is an Azure RBAC task. Do not solve both with subscription Owner. Give Helpdesk the appropriate directory role or SSPR administrative capability for password support according to organizational policy, and separately assign Reader at the needed Azure scope. If the support team only supports production resources, Reader at mg-production may be better than tenant root or all subscriptions.
For users, check account state, user type, source, and group membership. For guests, invite the external user, verify redemption and directory context, then grant resource access through a time-bound process. AZ-104 may not test full privileged identity management configuration in depth, but it does expect you to avoid permanent broad access when a narrow temporary assignment meets the requirement.
Step 2: Choose Groups Before Assigning Roles
Create security groups that represent job functions and scopes. Examples:
| Group | Assignment |
|---|---|
| az-prod-cloudops-contributors | Contributor at mg-production. |
| az-prod-access-admins | User Access Administrator at mg-production if delegated access management is required. |
| az-platform-network-contributors | Network Contributor or appropriate network role at platform network resource groups. |
| az-prod-network-readers | Reader or Network-related reader access for production network resources. |
| az-dev-rg-payroll-contributors | Contributor at rg-payroll-dev. |
| az-prod-monitor-vendors | Monitoring Reader at rg-prod-orders, reviewed after 30 days. |
This group-first pattern makes onboarding and offboarding cleaner. If a user leaves CloudOps, remove the user from the group. Do not hunt for ten direct role assignments scattered across resources.
Step 3: Scope The Role Assignment
Apply the lowest common parent rule. CloudOps needs all production application resources, so mg-production may be correct if that management group contains only production application subscriptions. Developers need only dev resource groups, so assign at each dev workload resource group, not at sub-dev-apps if the subscription contains shared services.
NetworkOps is more nuanced. If hub VNets are in dedicated platform resource groups, assign network administration at those resource groups. If production spoke networks live in app resource groups and NetworkOps only needs read access, assign a reader role at the production network resource groups or management group according to the resource layout.
Exam trap: the presence of a management group does not mean it is always the right scope. Use it only when every child needs the same access or policy.
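The lowest common parent rule can be checked mechanically. The following is an added example, not part of the lab or of any Microsoft tooling: it models the Contoso hierarchy as a child-to-parent map, finds the lowest scope that contains every required target, and lists any descendants that the assignment would reach but the team does not need. The resource groups (rg-prod-orders, rg-prod-billing, rg-payroll-dev, rg-orders-dev, rg-shared-dev, rg-hub-network) are constructed assumptions; the lab names only rg-payroll-dev and rg-prod-orders.

```python
# Added example: the "lowest common parent" scope rule from Step 3 applied to
# the Contoso hierarchy. Scopes below subscription level are assumed for the
# illustration and are not taken from the lab.

# Child -> parent map. Management groups, subscriptions and resource groups are
# all treated as scopes; "/" stands for the tenant root group.
PARENT = {
    "mg-platform": "/", "mg-production": "/", "mg-nonprod": "/",
    "sub-platform": "mg-platform",
    "sub-prod-apps": "mg-production",
    "sub-dev-apps": "mg-nonprod", "sub-sandbox": "mg-nonprod",
    "rg-prod-orders": "sub-prod-apps", "rg-prod-billing": "sub-prod-apps",
    "rg-payroll-dev": "sub-dev-apps", "rg-orders-dev": "sub-dev-apps",
    "rg-shared-dev": "sub-dev-apps",          # shared services, not a dev workload
    "rg-hub-network": "sub-platform",
}
ALL_SCOPES = list(PARENT) + ["/"]


def ancestry(scope):
    """Return [scope, parent, ..., '/'], ordered from the scope up to the root."""
    chain = [scope]
    while chain[-1] != "/":
        chain.append(PARENT[chain[-1]])
    return chain


def descendants(scope):
    """Every scope at or below `scope` (an assignment there is inherited by all of them)."""
    return {s for s in ALL_SCOPES if scope in ancestry(s)}


def lowest_common_scope(targets):
    """Lowest scope whose subtree contains every target."""
    common = None
    for target in targets:
        chain = ancestry(target)
        common = chain if common is None else [s for s in common if s in chain]
    return common[0]  # chains are ordered bottom-up, so index 0 is the lowest


def plan_assignment(targets):
    """Return (scope, overgranted).

    `scope` is the lowest common parent of the targets. `overgranted` lists the
    scopes beneath it that the team does not need; a non-empty list means one
    assignment at `scope` overgrants and the role should be assigned per target.
    """
    scope = lowest_common_scope(targets)
    needed = set()
    for target in targets:
        needed |= descendants(target)
    overgranted = sorted(descendants(scope) - needed - {scope})
    return scope, overgranted


if __name__ == "__main__":
    # Developers: two dev workload groups share a subscription with shared services,
    # so the common parent would also grant access to rg-shared-dev.
    print("Developers", plan_assignment(["rg-payroll-dev", "rg-orders-dev"]))
    # NetworkOps read access over production spokes: the subscription is the
    # lowest scope that reaches both groups without touching anything else.
    print("NetworkOps", plan_assignment(["rg-prod-orders", "rg-prod-billing"]))
    # Vendors: a single resource group, so assign there.
    print("Vendors", plan_assignment(["rg-prod-orders"]))
```

With one production subscription, sub-prod-apps and mg-production cover the same resources; mg-production only becomes the better answer once further production application subscriptions are added beneath it, which is exactly the condition the step states.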
Step 4: Add Policy For Compliance
Contoso requires production resources to use only eastus and centralus, include CostCenter, Application, and Environment tags, and prevent public IP creation except in approved network resource groups.
Policy design:
| Requirement | Control |
|---|---|
| Allowed production regions | Deny policy at mg-production. |
| Required tags | Policy requiring tags at production and nonproduction scopes. |
| Tag inheritance from resource group | Modify or append policy where appropriate. |
| Public IP restriction | Deny policy with exemptions or narrower scope for approved networking groups. |
| Existing noncompliant resources | Compliance review and remediation plan. |
Use initiatives when several policies form one baseline. Assign the initiative at mg-production for production controls and at mg-nonprod for less restrictive controls. Do not assign strict production policy at tenant root if sandbox subscriptions should allow experimentation.
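To make the scope-of-assignment point concrete, here is an added example that is not part of the lab and is not Azure Policy itself: a small evaluator that applies the Step 4 controls to constructed resource records. The three production controls are assigned at mg-production with a deny effect, and a less restrictive audit-only tag policy is assigned at mg-nonprod, so a misplaced dev VM is reported but not blocked. The approved networking group rg-prod-network, the resource names and the choice of deny for required tags in production are assumptions for the illustration.

```python
# Added example: modelling the Step 4 policy assignments over constructed
# resources. Scope chains are listed root-first; a resource inherits every
# assignment whose scope appears in its chain.

ALLOWED_PROD_REGIONS = {"eastus", "centralus"}
REQUIRED_TAGS = {"CostCenter", "Application", "Environment"}
APPROVED_PIP_RGS = {"rg-prod-network"}   # assumed approved networking group


# Each rule returns a reason string when the resource violates it, else None.
def allowed_regions(res):
    if res["location"] not in ALLOWED_PROD_REGIONS:
        return f"location {res['location']} not in {sorted(ALLOWED_PROD_REGIONS)}"
    return None


def required_tags(res):
    missing = REQUIRED_TAGS - set(res.get("tags", {}))
    if missing:
        return f"missing tags {sorted(missing)}"
    return None


def no_public_ip(res):
    # Exemption modelled as a narrower condition: approved groups may create public IPs.
    if res["type"] == "publicIPAddresses" and res["rg"] not in APPROVED_PIP_RGS:
        return "public IP outside approved networking resource groups"
    return None


# (assignment scope, effect, rule). Strict controls stop at mg-production;
# nothing strict is assigned at the tenant root, so sandbox stays free.
POLICY_ASSIGNMENTS = [
    ("mg-production", "deny", allowed_regions),
    ("mg-production", "deny", required_tags),
    ("mg-production", "deny", no_public_ip),
    ("mg-nonprod", "audit", required_tags),
]


def evaluate(res):
    """Return [(effect, reason)] for each inherited policy the resource violates."""
    findings = []
    for scope, effect, rule in POLICY_ASSIGNMENTS:
        if scope in res["scope_chain"]:
            reason = rule(res)
            if reason:
                findings.append((effect, reason))
    return findings


def is_denied(res):
    return any(effect == "deny" for effect, _ in evaluate(res))


def compliance_report(resources):
    """Map resource name -> 'compliant', 'denied' or 'noncompliant (audit)'."""
    report = {}
    for res in resources:
        findings = evaluate(res)
        if not findings:
            report[res["name"]] = "compliant"
        elif any(effect == "deny" for effect, _ in findings):
            report[res["name"]] = "denied"
        else:
            report[res["name"]] = "noncompliant (audit)"
    return report


PROD_CHAIN = ["/", "mg-production", "sub-prod-apps"]
DEV_CHAIN = ["/", "mg-nonprod", "sub-dev-apps"]
FULL_TAGS = {"CostCenter": "CC100", "Application": "orders", "Environment": "prod"}

# Constructed sample resources (not real Contoso data).
RESOURCES = [
    {"name": "sqldb-orders", "type": "sqlDatabases", "rg": "rg-prod-orders",
     "location": "eastus", "scope_chain": PROD_CHAIN + ["rg-prod-orders"], "tags": FULL_TAGS},
    {"name": "vm-west", "type": "virtualMachines", "rg": "rg-prod-orders",
     "location": "westus", "scope_chain": PROD_CHAIN + ["rg-prod-orders"], "tags": FULL_TAGS},
    {"name": "pip-orders", "type": "publicIPAddresses", "rg": "rg-prod-orders",
     "location": "eastus", "scope_chain": PROD_CHAIN + ["rg-prod-orders"], "tags": FULL_TAGS},
    {"name": "pip-hub", "type": "publicIPAddresses", "rg": "rg-prod-network",
     "location": "eastus", "scope_chain": PROD_CHAIN + ["rg-prod-network"], "tags": FULL_TAGS},
    {"name": "vm-payroll", "type": "virtualMachines", "rg": "rg-payroll-dev",
     "location": "westus", "scope_chain": DEV_CHAIN + ["rg-payroll-dev"],
     "tags": {"Environment": "dev"}},
]

if __name__ == "__main__":
    for name, state in compliance_report(RESOURCES).items():
        print(f"{name:12} {state}")
```

Note that vm-payroll is in westus but is not denied: the region policy is assigned only at mg-production, so it never reaches mg-nonprod. Its missing tags surface as an audit finding, which is the "compliance review and remediation plan" row of the table rather than a blocked deployment.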
Step 5: Protect Critical Resources With Locks
Production databases, key shared network resources, and recovery vaults may need CanNotDelete locks. A CanNotDelete lock allows authorized updates but blocks deletion. Use ReadOnly locks carefully because they can break normal service operations that require writes.
Example: Apply CanNotDelete to rg-prod-orders or directly to the production database resource if accidental deletion is the main risk. If deployments update resources in that group, a ReadOnly lock would cause deployment failures. The exam may describe a failed deployment after a ReadOnly lock; the lock is the cause even when Contributor access exists.
Step 6: Add Cost Signals
Finance needs reporting by application, environment, and cost center. Tags support this. Cost Management budgets provide alerts for each subscription or resource group. Advisor recommendations identify possible savings, such as idle or underutilized resources.
Do not confuse alerts with enforcement. A budget can notify CloudOps at 80 percent and 100 percent of forecast or actual spend, but it does not automatically prevent a developer from creating another VM. If hard prevention is required, use policy, quota strategy, automation, or approval workflows depending on the exact requirement.
Step 7: Investigation Workflow
When a user reports access failure, use this order:
- Confirm the user is in the correct tenant and subscription context.
- Confirm the user or guest object exists and is enabled.
- Check group membership and direct assignments.
- Check inherited role assignments at parent scopes.
- Check locks, deny assignments, and policy compliance messages.
- Check service-specific data-plane roles and network restrictions.
- Wait for propagation or refresh credentials when recent changes were made.
Portal workflow: use Microsoft Entra ID > Users, then the target scope's Access control (IAM) > Check access, then Locks, then Policy > Compliance. CLI workflow: use az account show, az ad user show, az role assignment list --include-inherited, az lock list, and az policy state summarize.
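The investigation order above can be expressed as a single decision function. The following is an added example, not the lab's own code and not the Azure authorization engine: it walks the Step 7 checks in order over constructed directory, RBAC and lock data, and returns the first reason a request fails. Role definitions are reduced to four illustrative actions (read, write, delete, metrics/read) rather than real Azure action strings, the user objects are invented, and policy evaluation is left out. The data deliberately reproduces two of the exam scenarios below: the vendor group assigned at rg-prod-billing instead of rg-prod-orders, and Owner blocked by a CanNotDelete lock.

```python
# Added example: Step 7 access investigation over constructed data. Scope chains
# are root-first so an assignment or lock at any ancestor is inherited.

# Constructed directory objects; "groups" is the user's security group membership.
USERS = {
    "vendor1#EXT#": {"enabled": True, "type": "Guest", "groups": {"az-prod-monitor-vendors"}},
    "ops1": {"enabled": True, "type": "Member", "groups": {"az-prod-cloudops-contributors"}},
    "dev1": {"enabled": False, "type": "Member", "groups": {"az-dev-rg-payroll-contributors"}},
}

# Built-in role names are real; the action sets are simplified for the example.
ROLES = {
    "Owner": {"read", "write", "delete", "metrics/read"},
    "Contributor": {"read", "write", "delete", "metrics/read"},
    "Monitoring Reader": {"read", "metrics/read"},
}

# (principal, role, scope). The vendor group is assigned at the wrong resource group.
ASSIGNMENTS = [
    ("az-prod-monitor-vendors", "Monitoring Reader", "rg-prod-billing"),
    ("az-prod-cloudops-contributors", "Owner", "rg-prod-orders"),
    ("az-dev-rg-payroll-contributors", "Contributor", "rg-payroll-dev"),
]

LOCKS = {"rg-prod-orders": "CanNotDelete"}   # scope -> lock level

SCOPE_CHAIN = {
    "rg-prod-orders": ["/", "mg-production", "sub-prod-apps", "rg-prod-orders"],
    "rg-prod-billing": ["/", "mg-production", "sub-prod-apps", "rg-prod-billing"],
    "rg-payroll-dev": ["/", "mg-nonprod", "sub-dev-apps", "rg-payroll-dev"],
}


def principals_for(user):
    """The user object plus every group it belongs to."""
    return {user} | USERS[user]["groups"]


def effective_assignments(user, target):
    """Direct and inherited assignments that reach `target` for the user or its groups."""
    chain = SCOPE_CHAIN[target]
    principals = principals_for(user)
    return [(p, role, scope) for p, role, scope in ASSIGNMENTS
            if p in principals and scope in chain]


def check_access(user, action, target):
    """Apply the Step 7 order and return (allowed, reason)."""
    user_obj = USERS.get(user)
    if user_obj is None:
        return False, "object not found in tenant"
    if not user_obj["enabled"]:
        return False, "account disabled"
    granted = effective_assignments(user, target)
    if not granted:
        # Most common finding: an assignment exists, but at a scope that does not reach the target.
        elsewhere = [(r, s) for p, r, s in ASSIGNMENTS if p in principals_for(user)]
        if elsewhere:
            role, scope = elsewhere[0]
            return False, f"no assignment reaches {target}; found {role} at {scope}"
        return False, "no role assignment for user or groups"
    if not any(action in ROLES[role] for _, role, _ in granted):
        roles = sorted({role for _, role, _ in granted})
        return False, f"roles {roles} do not include {action}"
    # Locks are checked after RBAC succeeds: they stop Owner and Contributor alike.
    for scope in SCOPE_CHAIN[target]:
        level = LOCKS.get(scope)
        if level == "CanNotDelete" and action == "delete":
            return False, f"CanNotDelete lock at {scope}"
        if level == "ReadOnly" and action in {"write", "delete"}:
            return False, f"ReadOnly lock at {scope}"
    return True, "allowed"


if __name__ == "__main__":
    for case in [("vendor1#EXT#", "metrics/read", "rg-prod-orders"),
                 ("vendor1#EXT#", "metrics/read", "rg-prod-billing"),
                 ("ops1", "delete", "rg-prod-orders"),
                 ("ops1", "write", "rg-prod-orders"),
                 ("dev1", "write", "rg-payroll-dev")]:
        print(case, "->", check_access(*case))
```

The order matters: an "account disabled" or "wrong scope" finding is reported before any lock is considered, which mirrors the list above and keeps the investigator from removing a lock when the real cause is an assignment at the wrong resource group.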
Exam Simulation
Question: A vendor can sign in but cannot view metrics for rg-prod-orders. The vendor is a guest in the tenant and a member of az-prod-monitor-vendors. The group has Monitoring Reader at rg-prod-billing, not rg-prod-orders. The answer is to assign the group at the correct resource group scope or add a separate assignment for rg-prod-orders. Do not recreate the guest account.
Question: Developers cannot deploy in westus in production even though they have Contributor. The production policy allows only eastus and centralus. The answer is to deploy to an allowed region or request a policy change. Do not assign Owner as a reflex.
Question: CloudOps cannot delete a production database before a migration. They have Owner on the resource group. A CanNotDelete lock exists. The answer is to remove or modify the lock through approved change control, then delete. RBAC is already sufficient.
Question: Finance reports unallocated costs. Resources are missing CostCenter. The answer is to enforce required tags with Azure Policy and remediate existing resources. A budget alerts on spending but does not label costs.
This decomposition is the habit AZ-104 rewards. Authentication, authorization, compliance, protection, and cost management are related, but they are distinct controls.
In the Contoso lab, vendors need to view monitoring data for one production resource group for 30 days. Which assignment best fits least privilege?
Finance needs cost reporting by application and cost center. Which governance feature directly supports that requirement?
A developer with Contributor on a dev resource group cannot deploy a resource because an Azure Policy denies the selected SKU. What is the correct interpretation?