Scope Overreach — Azure Administrator (AZ-104)
You solved a broader problem than what was asked. The scenario had specific constraints — you addressed requirements that weren't there.
When the simplest solution hides in plain sight
The exam uses phrases like "minimal administrative effort," "without additional infrastructure," and "using existing tooling." Candidates read these and still reach for AKS or Azure DevOps pipelines because those services feel complete. The wording is signaling that a lighter service — a Logic App, a single Azure Function, a basic alert rule — satisfies the stated requirement. Advanced services answer questions the scenario never asked.
The Scenario
A team needs to restrict access to a Storage Account so only resources in their virtual network can reach it. You design Azure Private Link for private IP connectivity, Azure Firewall for traffic inspection, and Network Security Groups for subnet-level filtering. The correct answer is enabling a Service Endpoint on the VNet subnet and adding a network rule on the Storage Account to allow only that VNet. The scenario said "restrict to VNet" — not "implement zero-trust network architecture." Service Endpoints are free, require no DNS changes, and take 30 seconds to configure.
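The minimal design from the scenario, written out as an added Bicep example (not code from the original page or from Microsoft): a subnet with the Microsoft.Storage service endpoint enabled, and a Storage Account whose network ACL defaults to Deny and allows only that subnet. The resource names, address ranges and API versions are assumptions chosen for the example; the only security-relevant settings are the serviceEndpoints entry on the subnet and the defaultAction/virtualNetworkRules pair on the account.

```bicep
// Added example (not from the page): restrict a Storage Account to one VNet subnet
// using a Service Endpoint plus a storage network rule. Names and CIDRs are assumed.
param location string = resourceGroup().location
param vnetName string = 'vnet-app'            // assumed name
param subnetName string = 'snet-app'          // assumed name
param storageAccountName string = 'stappdata001' // assumed name, must be globally unique

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: ['10.10.0.0/16']
    }
    subnets: [
      {
        name: subnetName
        properties: {
          addressPrefix: '10.10.1.0/24'
          // The Service Endpoint: traffic from this subnet to Azure Storage stays on
          // the Azure backbone and carries the subnet identity, so the storage
          // firewall can match on it. No DNS change, no private IP, no extra cost.
          serviceEndpoints: [
            {
              service: 'Microsoft.Storage'
            }
          ]
        }
      }
    ]
  }
}

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_LRS'
  }
  properties: {
    supportsHttpsTrafficOnly: true
    networkAcls: {
      // Deny by default; without this line the virtualNetworkRules are meaningless,
      // because the account would still accept traffic from any public address.
      defaultAction: 'Deny'
      // Allow trusted Azure platform services (e.g. backup, monitoring) to bypass
      // the rule; drop to 'None' if the compliance boundary forbids even that.
      bypass: 'AzureServices'
      virtualNetworkRules: [
        {
          // Referencing vnet.id makes Bicep deploy the VNet (and its endpoint) first.
          id: '${vnet.id}/subnets/${subnetName}'
          action: 'Allow'
        }
      ]
      ipRules: []
    }
  }
}

output storageId string = storage.id
```

The check a practitioner runs after deployment is simple: a request from a VM in the allowed subnet succeeds, while the same request from a developer laptop on the public internet returns HTTP 403 with an AuthorizationFailure body. A Private Endpoint would replace the service endpoint and network rule with a private IP in the VNet and a privatelink DNS zone, which is exactly the extra infrastructure the scenario's wording is telling you not to build.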
How to Spot It
- Azure Service Endpoints vs. Private Endpoints is the most common scope overreach test. Service Endpoints (free, VNet-scoped access restriction) are correct when you just need to limit network access. Private Endpoints ($0.01/hour, private IP in your VNet) are correct when you need private IP addressing, on-premises access via VPN/ExpressRoute, or cross-region private connectivity.
- Azure Firewall costs ~$912/month base. If the scenario does not mention traffic inspection, threat intelligence, or centralized network security policy, adding Azure Firewall is scope overreach.
- The exam tests whether you solve exactly the stated problem. If your answer addresses security threats, compliance requirements, or scaling concerns the scenario never mentioned, you have expanded scope beyond what was asked.
Decision Rules
- Assign the Azure Policy definition at the Management Group that contains only the production subscriptions, not at the Tenant Root Group and not individually at each subscription, so that policy inheritance eliminates redundant assignments while respecting the production-only blast-radius constraint.
- Assign a deny-effect Azure Policy definition at the Production management group scope — not at each subscription individually and not at the tenant root management group — so the single assignment inherits down to all 15 child subscriptions without over-scoping to non-production hierarchy siblings.
- At which management hierarchy level to assign the Azure Policy definition: the Finance management group (correct — inherits to exactly 8 Finance subscriptions) versus the Tenant Root Group (scope overreach — cascades to all 14 subscriptions including Corporate) or individual subscription assignments (under-scoping — 8 separate assignments defeats the least-effort constraint).
- At which management hierarchy level should the Azure Policy assignment be scoped so that it covers all production subscriptions — including future ones — without cascading into development subscriptions, and without requiring per-subscription reassignment?
- Select the Azure Policy assignment scope that precisely matches the stated compliance boundary — Production management group — rather than the Tenant Root Group (scope overreach that also captures dev and sandbox subscriptions) or per-subscription assignment (administrative burden that requires manual updates as subscriptions are added).
- Choose the credential type that is simultaneously time-bounded and scoped to a single container with write-only permission, rejecting options that grant broader account-level access or require persistent identity enrollment.
- Choose Encryption at Host (platform-layer server-side encryption covering OS disk, data disks, and temp disk with no guest-OS agent required) over Azure Disk Encryption (guest-layer BitLocker/dm-crypt covering OS and data disks only, requiring in-guest extension installation) to satisfy a compliance mandate that explicitly includes temporary storage and prohibits guest-OS changes.
- Which inbound network isolation control satisfies the private-VNet restriction for an App Service without overengineering the hosting tier or breaking slot-swap governance?
- Choose Encryption at Host (platform-layer, covers OS disk, data disks, and temp disk, no guest agent required) over Azure Disk Encryption (guest-layer, excludes temp disk, requires a per-instance OS agent) to satisfy a compliance mandate that is both temp-disk-inclusive and zero-guest-OS-change.
- Whether to use Private Endpoints (resource-instance-level private IP, public endpoint disabled) or Service Endpoints (service-category-level backbone routing) when the constraint requires isolating a single PaaS instance and preventing data exfiltration to sibling resources.
- Whether to apply a subnet-scoped NSG inbound rule alone or introduce Application Security Groups — use the NSG alone when all subnet members share uniform security requirements; use ASGs only when VM-level role differentiation is needed inside a mixed-workload subnet.
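Several of the rules above turn on the same move: one deny-effect policy assigned at the management group that exactly matches the compliance boundary, so every current and future child subscription inherits it and nothing outside the boundary does. The following is an added Bicep example (not code from the page or from Microsoft) that defines a custom deny policy and assigns it at management-group scope. The management group name, the policy and assignment names, and the API versions are assumptions; the policy alias `Microsoft.Storage/storageAccounts/networkAcls.defaultAction` is a real Azure Policy alias and ties the rule back to the Storage Account scenario on this page.

```bicep
// Added example (not from the page): deny-effect policy assigned once at the
// Production management group so all child subscriptions inherit it.
// Deploy with: az deployment mg create --management-group-id <Production MG id>
//              --location <region> --template-file this-file.bicep
targetScope = 'managementGroup'

// Custom definition: refuse any Storage Account whose network ACL is not Deny-by-default.
resource denyOpenStorage 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'deny-storage-open-network-acl' // assumed name
  properties: {
    policyType: 'Custom'
    mode: 'Indexed' // evaluate only resources that support tags and location
    displayName: 'Deny storage accounts whose network ACL default action is not Deny'
    policyRule: {
      if: {
        allOf: [
          {
            field: 'type'
            equals: 'Microsoft.Storage/storageAccounts'
          }
          {
            field: 'Microsoft.Storage/storageAccounts/networkAcls.defaultAction'
            notEquals: 'Deny'
          }
        ]
      }
      then: {
        effect: 'deny'
      }
    }
  }
}

// One assignment at the management group that contains only production subscriptions.
// Assigning here (not at the Tenant Root Group, not per subscription) is the whole point:
// inheritance covers subscriptions added later, and dev/sandbox siblings are untouched.
resource prodAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'deny-storage-open-network-acl-prod' // assumed name
  properties: {
    displayName: 'Production: storage accounts must default to Deny network access'
    policyDefinitionId: denyOpenStorage.id
    // 'Default' enforces the deny; 'DoNotEnforce' would only log compliance,
    // which is the right first step when you need to see the blast radius before blocking.
    enforcementMode: 'Default'
    // notScopes is intentionally empty: carve-outs should be explicit and reviewed,
    // not a reason to move the assignment up to the tenant root.
    notScopes: []
  }
}

output assignmentId string = prodAssignment.id
```

Because the assignment's scope is the deployment's own management group, moving the policy to a different boundary means changing the `--management-group-id` on the deployment, not editing the template. A deployment of a Storage Account with `defaultAction: 'Allow'` into any production subscription is then rejected at request time with a RequestDisallowedByPolicy error, which is the observable check that the scope was set correctly.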