Microsoft Azure Administrator (AZ-104): Practice Questions
Original practice questions for Microsoft Azure Administrator (AZ-104). Each answer is explained, including why the others are wrong. Filter by domain or difficulty. These are concept checks - not real exam questions.
Microsoft Entra ID (formerly Azure AD) provides:
Correct answer: C. Entra ID manages identities, sign-in and access. Storage, compute and CDN are separate Azure services.
Azure role-based access control (RBAC) grants permissions by:
Correct answer: B. RBAC assigns roles (sets of permissions) to identities (users, groups or service principals) at a defined scope such as a subscription, resource group or resource. Opening all ports is a networking change, encrypting disks is a security feature, and creating storage accounts is provisioning - none grant access by role.
Azure Policy is used to:
Correct answer: C. Azure Policy evaluates and enforces rules (e.g., allowed regions, required tags). Addressing, containers and backup are handled by other services.
Azure Blob Storage is designed for:
Correct answer: B. Blob storage holds unstructured objects. Relational data uses Azure SQL, networking uses VNets, and apps run on App Service or VMs.
Which redundancy option replicates storage to a secondary region?
Correct answer: C. GRS replicates data to a paired secondary region for regional durability. LRS keeps copies within one datacenter; the other options are not redundancy types.
To grant time-limited, scoped access to a blob without sharing account keys, you use:
Correct answer: B. A SAS grants limited, expiring access to specific resources. Sharing the account key is over-permissive; VMs and NSGs are unrelated.
Virtual Machine Scale Sets let you:
Correct answer: D. Virtual Machine Scale Sets deploy and auto-scale a set of identical VMs. Resolving DNS is done by Azure DNS, managing identities is Microsoft Entra ID, and storing objects is Blob storage - none of which manage a scalable VM group.
Which is a declarative infrastructure-as-code option for Azure?
Correct answer: D. ARM templates and Bicep define resources declaratively. Manual portal clicks are not IaC, and the other options are not provisioning tools.
To run a container without managing servers in Azure, a quick option is:
Correct answer: B. Azure Container Instances runs containers serverlessly. Availability Zones, storage accounts and NSGs do not run containers.
A Network Security Group (NSG) is used to:
Correct answer: D. An NSG allows or denies traffic by rules, like a basic firewall. Secrets (Key Vault), roles (RBAC) and VM creation are separate.
VNet peering is used to:
Correct answer: C. VNet peering connects two virtual networks so their resources communicate privately. Assigning RBAC roles is access control, encrypting blobs is a storage feature, and scaling VMs is a compute task - none of which link networks.
Which distributes HTTP traffic with Layer-7 features such as URL-based routing?
Correct answer: A. Application Gateway is a Layer-7 load balancer with URL routing and WAF. (A standard Load Balancer works at Layer 4.) NSGs, blob storage and Policy do not load-balance HTTP.
Azure Monitor primarily provides:
Correct answer: A. Azure Monitor collects metrics and logs and raises alerts. Storage, identity and orchestration are other services.
Log Analytics lets you:
Correct answer: D. Log Analytics stores log data and lets you query it using Kusto Query Language (KQL). Assigning IPs is a networking task, running serverless functions is Azure Functions, and encrypting disks is a security feature - none of which query logs.
Azure Backup is used to:
Correct answer: D. Azure Backup creates recovery points to restore data and VMs. Traffic filtering (NSG), roles (RBAC) and global delivery (CDN) are separate.
An Azure 'resource group' is:
Correct answer: A. A resource group is a logical container that groups related Azure resources for management. A network interface card and a virtual machine are individual resources placed inside it, and a billing account handles payment - none are the container itself.
Azure Management Groups are used to:
Correct answer: A. Management groups sit above subscriptions to organize many of them and apply governance at scale. Storing blobs is Blob storage, routing network traffic is a networking task, and running virtual machines is compute - none organize subscriptions.
Multi-factor authentication in Microsoft Entra ID improves security by:
Correct answer: D. MFA adds a second verification factor (such as a code or device) beyond the password, so a stolen password alone is not enough. It does not remove passwords entirely, does not encrypt local disks, and does not disable accounts - those are different actions.
An Azure RBAC role assignment is made up of a security principal, a role definition and a:
Correct answer: D. RBAC = who (principal) + what (role definition) + where (scope). Passwords, regions and tags are not parts of the assignment.
Locally redundant storage (LRS) keeps:
Correct answer: A. LRS keeps multiple copies within a single region (one datacenter). It is not a single copy, does not store anything on the user's PC, and does not copy to another country - cross-region copies require geo-redundant storage (GRS).
Which storage access tier is most cost-effective for rarely accessed data?
Correct answer: B. Cool/Archive tiers cost less for infrequently accessed data. Hot suits frequent access; the SSD options are disk types, not blob tiers.
Azure Files provides:
Correct answer: A. Azure Files offers managed file shares. Blobs, databases and CDNs are different services.
An Availability Set protects virtual machines against:
Correct answer: D. Availability Sets guard against rack/host failures inside a datacenter. Region-wide protection needs Availability Zones or regions.
Azure App Service is:
Correct answer: C. Azure App Service is a managed platform (PaaS) for hosting web apps and APIs. A firewall filters network traffic, a storage access tier (hot/cool/archive) controls blob cost, and a virtual network connects resources - none host web apps.
Azure Kubernetes Service (AKS) is used to:
Correct answer: A. Azure Kubernetes Service (AKS) runs and orchestrates containers at scale. Storing blobs is Blob storage, managing user identities is Microsoft Entra ID, and collecting logs is Azure Monitor/Log Analytics - none orchestrate containers.
A subnet is:
Correct answer: A. A subnet is a segment of a virtual network's IP address range. A storage tier controls blob cost, a VM size defines CPU/memory, and an Azure region is a geographic location - none divide a network's address space.
An Azure Load Balancer operates primarily at:
Correct answer: B. The Load Balancer works at Layer 4; Application Gateway handles Layer 7 features like URL routing.
To connect an on-premises network to Azure over a private, dedicated link (not the public internet), you use:
Correct answer: A. ExpressRoute provides a private, dedicated connection between on-premises and Azure that bypasses the public internet. Azure Policy enforces rules, a storage account holds data, and a public IP exposes a resource on the internet - none give a private dedicated link.
An Azure Monitor alert rule:
Correct answer: B. Alert rules fire on defined conditions. Storing data, creating VMs and assigning roles are other functions.
Azure Site Recovery is primarily used for:
Correct answer: B. Azure Site Recovery provides disaster recovery by replicating workloads to another region for failover. Container orchestration is AKS, cost analysis is Cost Management, and user management is Microsoft Entra ID - none handle DR replication.
Your company acquires a startup with its own Microsoft Entra tenant. To let the startup's users sign in to apps in your tenant without recreating their accounts, you should use:
Correct answer: C. B2B (guest) collaboration invites external users into your tenant as guest objects so they can use their existing credentials. Conditional Access controls how users sign in but does not import external identities. A resource lock prevents accidental deletion or changes, not sign-in. A second subscription is a billing/governance boundary and does not federate users.
A junior admin needs to manage virtual machines in one resource group but must not be able to change role assignments there. Which built-in role fits best?
Correct answer: C. Contributor can create and manage all resource types but cannot grant access to others, which matches the requirement. Owner can also manage access, so it gives too much. User Access Administrator manages access but cannot manage the VMs themselves. Reader can only view resources, so it is too restrictive.
You want to prevent anyone from accidentally deleting a critical production storage account, while still allowing configuration changes. Apply:
Correct answer: C. A CanNotDelete lock blocks deletion but still allows reads and modifications. A ReadOnly lock would also block configuration changes, which the requirement allows. A Policy that denies all writes would block legitimate configuration changes too. A data-plane deny assignment affects data access, not deletion of the account resource.
Which statement about Azure RBAC inheritance is correct?
Correct answer: B. RBAC is additive and flows downward: a role granted at the subscription is inherited by its resource groups and resources. A narrower assignment adds to rather than removes a broader one. Inheritance applies to both built-in and custom roles. Resource groups do inherit subscription-level assignments.
To require multi-factor authentication only when users sign in from outside the corporate network, you configure:
Correct answer: C. Conditional Access evaluates signals such as named/IP locations and can enforce MFA only for risky or external sign-ins. A resource lock protects resources from deletion, not sign-in. A management group organizes subscriptions. A custom RBAC role defines permissions, not sign-in conditions.
A user reports they cannot create resources even though they have Contributor on the subscription. The resource group has a ReadOnly lock. What is happening?
Correct answer: D. Resource locks apply on top of RBAC: a ReadOnly lock prevents create and modify actions even for users with sufficient permissions. Locks do affect Contributors, so claiming the lock has no effect is wrong. There is no automatic Reader override described. A disabled subscription would block far more than just this resource group.
Azure Policy reports a non-compliant VM that was created before the policy existed. Which effect can bring it into compliance by changing the resource?
Correct answer: A. deployIfNotExists and modify can remediate existing resources through a remediation task. The audit effect only flags non-compliance without changing anything. deny blocks new non-compliant resources but cannot fix existing ones. disabled turns the policy off entirely.
You need many subscriptions to automatically inherit the same 'allowed regions' policy. Assign the policy at the level of:
Correct answer: B. Assigning a policy at a management group lets all child subscriptions inherit it, so governance scales without repeating work. Assigning per resource or per resource group would require many separate assignments. A storage account is a resource, not a governance scope for many subscriptions.
What is the main advantage of using a Microsoft Entra security group for RBAC assignments instead of assigning roles to individual users?
Correct answer: C. Group-based assignment means access is managed by group membership, so onboarding/offboarding just changes membership. It does not encrypt credentials. It does not bypass Conditional Access, which still applies. It has no effect on subscription quotas.
A service running on an Azure VM needs to read secrets from Key Vault without storing any credentials. The recommended approach is:
Correct answer: D. A managed identity gives the VM an Entra identity that can be granted Key Vault access, with no secrets to store or rotate. Hardcoding a key defeats the purpose and is insecure. Sharing an admin password is a serious security risk. A SAS token is for storage resources and still has to be managed and rotated.
Which Microsoft Entra feature lets an eligible admin activate a privileged role only for a limited time, with approval and justification?
Correct answer: A. PIM provides just-in-time, time-bound activation of privileged roles with approval and audit. Conditional Access governs sign-in conditions, not role activation. Azure Policy enforces resource rules. Self-service password reset lets users reset their own passwords and is unrelated to privileged role activation.
You want resources in a subscription to always carry a 'CostCenter' tag, and to block creation if it is missing. Use an Azure Policy with the effect:
Correct answer: B. The deny effect prevents creation of resources that do not satisfy the rule, enforcing the required tag. audit would only report missing tags, not block them. append can add a value but is typically used to add defaults, not to hard-block. disabled turns the policy off.
A custom RBAC role is needed because no built-in role matches your exact permissions. Custom roles in Azure are defined using:
Correct answer: C. A custom role is a JSON definition specifying allowed Actions, excluded NotActions and assignable scopes. An NSG filters network traffic. A storage lifecycle policy moves/deletes blobs by age. An ARM lock prevents deletion or changes, not permission definition.
Which of these is true about Microsoft Entra ID compared with an on-premises Active Directory domain?
Correct answer: D. Entra ID is a cloud identity provider built around modern web protocols (OAuth, OpenID Connect, SAML). It does not use GPOs or OUs, which are AD Domain Services concepts. It is a managed service and does not require you to run a domain controller VM.
Self-service password reset (SSPR) in Microsoft Entra ID primarily reduces:
Correct answer: A. SSPR lets users securely reset their own passwords after verifying identity, cutting helpdesk workload. It has nothing to do with storage costs, subscription count or network latency.
Two RBAC assignments apply to a user at the same scope: a role that allows VM start and a deny assignment that blocks VM start. The result is:
Correct answer: B. Deny assignments take precedence over role assignments, so the blocked action is denied even when a role would allow it. The allow does not win over an explicit deny. Access is deterministic, not intermittent. The assignments do not simply cancel; deny prevails.
You need to delegate the ability to assign roles to others on a resource group, but nothing else. Assign:
Correct answer: C. User Access Administrator can manage access (assign roles) without rights to manage the resources themselves. Contributor manages resources but cannot assign roles. Reader can only view. Owner grants both resource management and access management, which is broader than required.
Where do you move a subscription to change which directory (tenant) it is associated with, or to reorganize governance?
Correct answer: D. Subscriptions can be moved between management groups for governance and transferred to a different Entra tenant. Resource groups live inside subscriptions, not the other way around. Storage containers hold blobs, and virtual networks hold resources; neither contains subscriptions.
Which best describes the relationship between a Microsoft Entra tenant and an Azure subscription?
Correct answer: A. A subscription relies on a single Entra tenant for authentication, but one tenant can be linked to many subscriptions. A subscription does not contain tenants. A tenant is not limited to one subscription. They are distinct concepts: identity boundary versus billing/management boundary.
To apply governance rules that should affect every current and future subscription in your organization, place them at:
Correct answer: B. The root management group sits above all subscriptions, so assignments there cover existing and new subscriptions. A single resource group only affects its own contents. Per-VM rules do not scale organization-wide. A storage account is a resource, not a governance scope.
A guest (B2B) user keeps appearing in your tenant after a project ends. Which feature can automatically review and remove stale guest access?
Correct answer: C. Access reviews let owners periodically recertify access and automatically remove users who are no longer needed. Azure Backup protects data, not identities. Network Watcher diagnoses networking. Azure Advisor gives best-practice recommendations but does not run access recertification.
Which scope is the broadest at which an Azure RBAC role can be assigned?
Correct answer: D. Management group is the broadest RBAC scope; assignments flow down to subscriptions, resource groups and resources. A resource is the narrowest scope. A resource group is broader than a resource but narrower than a subscription. A subscription is broad but still below management group.
You want new VMs to automatically receive a backup configuration when created. Which Azure Policy effect deploys the related resource if it is missing?
Correct answer: A. deployIfNotExists deploys an associated resource (such as a backup configuration) when it is absent. audit only reports. deny blocks creation. modify changes properties or tags on the resource itself but does not deploy a separate resource.
An application registered in Microsoft Entra ID needs an identity to call another API as itself (no signed-in user). This non-human identity is a:
Correct answer: B. A service principal is the identity an app uses to authenticate and be authorized in a tenant. A guest user is a human external identity. A resource lock prevents deletion/changes. A subscription is a billing/management container, not an identity.
Dynamic membership groups in Microsoft Entra ID add or remove members based on:
Correct answer: C. Dynamic groups use rules over attributes (e.g., department, country) to populate membership automatically. Manual selection describes assigned (static) groups. A subscription's region and a storage tier are unrelated to identity group membership.
Which is the correct order of Azure governance scopes from broadest to narrowest?
Correct answer: D. The hierarchy is management group, then subscription, then resource group, then resource. The other orderings invert or shuffle these levels, which would break inheritance, since governance flows from broad to narrow in exactly this sequence.
You assigned the Reader role to a team, but they also need to restart a specific web app. The least-privilege approach is to additionally assign:
Correct answer: A. A specific role scoped to the single app grants just the needed action with least privilege. Owner on the subscription is far too broad. Contributor on the resource group is broader than necessary. User Access Administrator manages access, not app restarts.
What does a deny assignment do that a normal role assignment cannot?
Correct answer: B. Deny assignments explicitly block actions and take precedence over allow (role) assignments. Role assignments grant, not block. Neither deny nor allow assignments create resources by themselves. Encryption at rest is a separate platform feature.
You need read access from a paired secondary region even when the primary is available. Choose the redundancy option:
Correct answer: C. RA-GRS adds read access to the secondary region's replica at any time. LRS keeps copies in one datacenter only. ZRS spreads copies across zones in one region but not to a second region. Plain GRS replicates to a secondary region but does not allow reads there unless a failover occurs.
Which redundancy option keeps three synchronous copies across separate availability zones within a single region?
Correct answer: D. ZRS stores copies across multiple availability zones in one region for zone-level resilience. LRS keeps all copies in a single datacenter. GRS and RA-GRS replicate to a second region rather than across zones in the same region.
A blob must move to a cheaper tier automatically after 30 days without access and be deleted after a year. Configure:
Correct answer: A. Lifecycle management rules move blobs between tiers and delete them based on age/conditions. A SAS token only grants temporary access. An NSG filters network traffic. A resource lock prevents deletion or changes and cannot automate tiering.
To let an application authenticate to Blob storage using Microsoft Entra identities and RBAC instead of keys, you assign roles such as:
Correct answer: B. Storage Blob Data Contributor grants data-plane read/write to blobs via Entra/RBAC. Network Contributor manages networking, not blob data. Subscription Owner is over-broad and is a management-plane role. DNS Zone Contributor manages DNS records, not blob access.
A lift-and-shift application expects a traditional file share it can mount over SMB from multiple VMs. Use:
Correct answer: C. Azure Files provides managed SMB/NFS file shares that multiple VMs can mount, ideal for lift-and-shift. Block blobs are object storage, not a mountable file share. Table storage is a NoSQL key-value store. Queue storage is for messaging, not file access.
Which storage service is best suited for decoupling components by passing small messages between them?
Correct answer: D. Queue storage holds messages so producers and consumers can work asynchronously and independently. Azure Files is for shared file access. Disk storage backs VM disks. The blob archive tier is for rarely accessed objects, not messaging.
AzCopy is most appropriate for:
Correct answer: A. AzCopy is a command-line tool optimized for bulk data transfer to/from Azure Storage. Filtering traffic is an NSG function. Assigning roles is RBAC. Creating virtual networks is a networking task. None of those involve data transfer.
You want only resources inside a specific virtual network to reach a storage account, with no public access. Configure:
Correct answer: B. Storage firewalls and private endpoints restrict access to selected networks and remove public exposure. A long-lived SAS still allows public network access and is risky. A ReadOnly lock prevents changes but does not restrict network access. GRS is about durability, not network isolation.
The Archive access tier for blobs is characterized by:
Correct answer: C. Archive offers the lowest storage cost but blobs are offline and must be rehydrated (which takes time) before access. It does not provide the fastest reads, which is the Hot tier. Geo-replication is a separate redundancy setting. It is for rarely accessed data, not frequent access.
Which feature lets you recover a blob that was overwritten or deleted by keeping previous versions automatically?
Correct answer: D. Soft delete and blob versioning retain prior states so you can restore overwritten or deleted blobs. An NSG filters network traffic. A management group organizes subscriptions. ExpressRoute is a private connectivity option. None of those recover blob data.
A premium-performance, low-latency disk is required for a database VM. Which disk type fits best?
Correct answer: A. Premium SSD delivers high IOPS and low latency for demanding workloads like databases. Standard HDD is slowest and cheapest. Standard SSD is mid-tier and may not meet strict latency needs. An archive blob is offline object storage, not a VM disk at all.
To upload data from on-premises to Azure when the volume is too large to send over the network in a reasonable time, you can use:
Correct answer: B. Azure Data Box ships a physical appliance so massive datasets can be transferred offline. A SAS token grants access but does not solve bandwidth limits. VNet peering connects networks. An availability set is a VM resiliency construct. None move bulk data offline.
In what way does a user delegation SAS differ from a service-level (account) SAS?
Correct answer: C. A user delegation SAS is secured with Entra ID credentials instead of the storage account key, which is more secure and auditable. SAS tokens do not modify firewall ports. They are time-limited and do expire. They do not encrypt VM disks.
By default, data in an Azure Storage account is:
Correct answer: D. Azure Storage encrypts all data at rest by default with Storage Service Encryption using Microsoft-managed keys. It is never stored in plain text. SAS tokens are about access, not encryption. Encryption applies to all tiers, not just Archive.
You need to mount an Azure Files share on a Linux VM using the NFS protocol. This requires:
Correct answer: A. NFS file shares require a premium FileStorage account with NFS enabled. A general-purpose v1 Hot account does not provide NFS file shares. A blob container is object storage, not a mountable share. A queue is for messaging.
Object replication for Blob storage is used to:
Correct answer: B. Object replication asynchronously copies block blobs between source and destination containers (commonly cross-region) to reduce latency or distribute data. It does not filter traffic, rotate keys or resize disks; those are unrelated functions.
Which storage service provides a schemaless NoSQL key-value store for large amounts of structured, non-relational data?
Correct answer: C. Table storage is a NoSQL key-value/attribute store for large volumes of structured, non-relational data. Azure Files serves file shares. Block blobs hold unstructured objects. Disk storage backs VM disks. None are a key-value NoSQL table store.
After a regional outage, you want to fail your GRS storage account over to the secondary region. This is done via:
Correct answer: D. GRS supports a customer-initiated failover that promotes the secondary region to primary. Creating an NSG is networking. Assigning Owner is access management. Enabling a SAS grants temporary access. None of those perform a regional failover.
To prevent a storage account from being reached over the public internet at all, you should:
Correct answer: A. Disabling public network access and using private endpoints keeps traffic on the private network only. Raising redundancy to GRS affects durability, not exposure. A CanNotDelete lock blocks deletion, not network access. Moving resource groups does not change network reachability. -
Which is true about the immutable (WORM) storage policy for blobs?
Correct answer: B. Immutable storage (WORM) makes blobs write-once/read-many for a set retention period to meet compliance. It does not auto-delete after a day. It does not filter traffic. It applies to blobs, not queues. -
A general-purpose v2 storage account is generally preferred over v1 because it:
Correct answer: C. General-purpose v2 supports access tiers and current features, making it the default recommendation. Both v1 and v2 are encrypted at rest. VM disks are managed disks, not tied to account version this way. v2 supports the full range of redundancy options, contrary to the last choice. -
You want a VM that, when the host hardware is updated or fails, has a partner VM that stays online. To get an SLA for two VMs in one datacenter, place them in:
Correct answer: D. An availability set spreads VMs across fault and update domains so host maintenance or failure does not take both down. The same subnet is networking and gives no compute SLA. A storage account is unrelated to VM availability. Merely sharing a resource group provides no resiliency guarantee. -
To protect a workload against an entire datacenter failure within a region, deploy VM instances across:
Correct answer: A. Availability zones are physically separate datacenters in a region, so spreading instances across them survives a single datacenter failure. Multiple subnets in one zone do not add datacenter-level resilience. Resource groups and storage tiers are organizational/storage constructs, not zone redundancy. -
A Virtual Machine Scale Set should add instances when average CPU exceeds 70 percent. You configure this with:
Correct answer: B. Autoscale rules add or remove instances automatically based on metrics like CPU. Deploying manually each time defeats the purpose of a scale set. An NSG filters traffic. A resource lock prevents deletion/changes, not scaling. -
Which deployment mode of an ARM/Bicep template deletes resources in the resource group that are not defined in the template?
Correct answer: C. Complete mode makes the resource group match the template exactly, removing resources not in it. Incremental mode adds/updates without deleting others. Validate only checks the template. What-if previews changes without applying them. -
To make a captured, reusable image of a configured VM available to many subscriptions and regions, use:
Correct answer: D. Azure Compute Gallery stores and replicates VM images across regions and shares them across subscriptions. A lone snapshot is not designed for broad sharing/replication. An NSG filters traffic. A blob lifecycle policy manages blob tiers, not images. -
A web app on Azure App Service needs to run staging and production with the ability to swap them with no downtime. Use:
Correct answer: A. Deployment slots let you stage a version and swap it into production with minimal downtime and easy rollback. Creating a new plan each change is wasteful and disruptive. A storage lifecycle rule manages blobs. An NSG filters network traffic. Neither enables zero-downtime swaps. -
An App Service plan determines:
Correct answer: B. The App Service plan defines the underlying compute: pricing tier, VM size and number of instances. DNS is handled separately. Blob redundancy is a storage setting. RBAC roles govern access, not the app's compute. -
You need to run a short-lived batch job in a container without provisioning or managing any VMs or clusters. Use:
Correct answer: C. Azure Container Instances runs single containers quickly and serverlessly, ideal for short tasks. AKS is a full orchestrator with cluster management overhead. A scale set manages VMs. An availability set is a VM resiliency construct, not a container runtime. -
To customize a Linux VM at first boot (install packages, run scripts) without logging in, you can use:
Correct answer: D. cloud-init and the custom script extension run setup commands during provisioning. An NSG filters traffic. A blob SAS grants storage access. A management group organizes subscriptions. None of those configure the OS at boot. -
A Windows VM lost its administrator password. Which Azure feature can reset it without rebuilding the VM?
Correct answer: A. The VMAccess extension (Reset password in the portal) resets local credentials on a running VM. Azure Policy enforces rules. Rotating a storage key affects storage, not the VM login. VNet peering connects networks. None of those reset a VM password. -
Spot VMs are appropriate when your workload:
Correct answer: B. Spot VMs offer deep discounts but can be evicted with little notice, so they suit interruptible workloads. They are unsuitable when interruption is unacceptable. They are about cost/capacity, not static IPs. They do not provide the highest SLA, since they can be reclaimed. -
Generalizing a Windows VM image before capturing it for reuse typically requires running:
Correct answer: C. Sysprep generalizes a Windows installation (removing machine-specific data) so the image can be reused. AzCopy moves data. Bicep is an IaC language. Network Watcher diagnoses networking. None of those generalize a Windows image. -
Which statement about resizing an Azure VM is correct?
Correct answer: D. You can resize a VM to another available SKU; some changes require deallocation/restart. The claim that size can never change is false. Resizing does not delete attached disks. Resizing does not move the VM to another region. -
To deploy the same set of resources repeatedly and predictably, the Azure-native infrastructure-as-code language that is a cleaner abstraction over ARM JSON is:
Correct answer: A. Bicep is a domain-specific IaC language that compiles to ARM templates with simpler syntax. PowerShell DSC configures OS state, not full resource deployment in this sense. An NSG filters traffic. A SAS token grants storage access. None of those is an IaC deployment language. -
A containerized microservice app needs automatic scaling, rolling updates and self-healing across many nodes. The best fit is:
Correct answer: B. AKS orchestrates containers with scaling, rolling updates and self-healing across a cluster. ACI runs individual containers without orchestration. A single VM lacks orchestration entirely. Azure Files is storage, not a container platform. -
You want to ensure a VM's OS disk can be restored to a known good point. The simplest built-in option is to:
Correct answer: C. A disk snapshot or Azure Backup captures a restorable point for the OS disk. VNet peering connects networks. An NSG filters traffic. The Reader role grants view access. None of those create a restore point. -
In a Virtual Machine Scale Set, the 'Flexible' orchestration mode (versus 'Uniform') is preferred when you want:
Correct answer: D. Flexible orchestration gives per-VM control and zone spreading while keeping scale-set benefits. Uniform mode treats instances as identical and managed together. Flexible does not disable autoscaling. It supports availability zones rather than avoiding them. -
To reduce VM cost for a workload that will run continuously for one or three years, you should consider:
Correct answer: A. Reservations commit to 1- or 3-year terms for steady workloads at a large discount. Pay-as-you-go is more expensive for always-on VMs. Spot does not guarantee uptime. Choosing Premium SSD is a disk decision, not a way to discount compute. -
When you stop a VM from inside the guest OS (rather than 'Stop' in Azure), the VM:
Correct answer: B. Shutting down from the guest OS leaves the VM allocated, so compute charges can continue; only deallocating (Stop in Azure) releases the compute. It is not deleted. It does not move regions. The key distinction is allocation state versus a guest shutdown. -
Which extension or service helps keep many Azure (and on-prem) VMs patched on a schedule?
Correct answer: C. Azure Update Manager assesses and deploys OS updates across VMs on a schedule. Azure Front Door is a global HTTP load balancer/CDN. Table storage is a NoSQL store. A SAS token grants storage access. None handle patch management. -
To deploy a container image directly to a managed, serverless container platform with built-in scaling to zero, you can use:
Correct answer: D. Azure Container Apps runs containers serverlessly with autoscaling, including scale-to-zero. An availability set is a VM resiliency feature. A storage lifecycle policy manages blobs. An NSG filters traffic. None run containers serverlessly. -
Which is required before you can attach an existing data disk to a VM?
Correct answer: A. A managed data disk must reside in the same region as the VM to be attached. The Archive tier is for blobs, not disks. A public IP is unrelated to disk attachment. There is no such thing as a 'blob queue' disk. -
App Service scaling 'up' versus 'out' differs in that scaling out:
Correct answer: B. Scaling out adds more instances to handle load; scaling up increases the size/tier of each instance. Scaling out does not delete the app. It does not change the region. The distinction is more instances (out) versus bigger instances (up). -
You need to run code on a schedule or in response to events without managing servers. The serverless compute option is:
Correct answer: C. Azure Functions runs event-driven or scheduled code serverlessly. A scale set manages VMs you must size and patch. Azure Files is storage. An availability set is a VM resiliency construct. None are serverless code runtimes. -
To safely test what a Bicep or ARM deployment will change before applying it, run:
Correct answer: D. The what-if operation previews the changes a deployment would make without applying them. Running complete mode immediately would actually apply changes (and could delete resources). A storage failover is unrelated. An RBAC review recertifies access, not deployments. -
Which of these is the correct way to ensure VMs in a scale set are distributed across availability zones?
Correct answer: A. You specify the availability zones at scale-set creation so instances spread across them. A SAS token grants storage access. A CanNotDelete lock prevents deletion. The Archive tier is for blobs. None of those control zone distribution. -
An organization wants to run Windows VMs without paying separately for Windows licenses by reusing existing on-prem licenses. They should use:
Correct answer: B. Azure Hybrid Benefit lets you apply eligible on-prem Windows/SQL licenses to Azure VMs to cut cost. Spot VMs reduce cost via eviction risk, not licensing. A storage reservation discounts storage, not Windows licensing. A blob lifecycle policy manages blob tiers. -
A VM in Subnet A cannot reach a VM in Subnet B in the same VNet, even though no NSG denies it. What is the most likely cause to check first?
Correct answer: C. Within a VNet, subnets route to each other by default, so a UDR redirecting traffic (or an NSG rule you have not yet found) is the usual culprit. The claim that VNets cannot route between subnets is false. Subnets in the same VNet do not need peering. VMs are not automatically in different regions. -
Two VNets in different regions must communicate privately over Microsoft's backbone. The simplest option is:
Correct answer: D. Global VNet peering connects VNets across regions privately over Microsoft's backbone. Public IPs would route over the internet, not privately. An NSG only filters traffic; it does not connect networks. A storage account is unrelated to network connectivity. -
An NSG rule is evaluated based on priority. Which statement is correct?
Correct answer: A. NSG rules are processed from the lowest priority number upward, and the first matching rule decides the outcome. The highest number does not automatically win. Rules are not applied simultaneously. A deny is not ignored simply because an allow exists; order and match determine the result. -
To connect an on-premises site to an Azure VNet over an encrypted tunnel across the public internet, deploy:
Correct answer: B. A VPN gateway establishes an encrypted site-to-site tunnel over the internet between on-prem and Azure. An availability set is for VM resiliency. A storage account holds data. A management group organizes subscriptions. None create a VPN tunnel. -
Individual remote workers need encrypted access to an Azure VNet from their laptops. Configure:
Correct answer: C. A point-to-site VPN lets individual client devices connect securely to the VNet. VNet peering links whole networks, not individual clients. An NSG deny-all rule would block traffic, not provide access. A blob container is storage. -
Which Azure service provides name resolution for custom domains within a virtual network, mapping hostnames to private IPs?
Correct answer: D. Private DNS zones resolve custom domain names to private IPs inside VNets. Azure Policy enforces rules. Azure Backup protects data. Azure Monitor handles metrics/logs. None provide private DNS name resolution. -
A standard public Load Balancer distributes traffic to backend VMs at Layer 4. To also get URL path-based routing and TLS termination, you instead need:
Correct answer: A. Application Gateway is a Layer-7 load balancer offering path-based routing and TLS termination. An NSG filters traffic but does not load-balance HTTP. A route table directs traffic but offers no L7 features. Azure Files is storage. -
To globally distribute and accelerate a web application with failover across regions at the HTTP layer, use:
Correct answer: B. Azure Front Door provides global HTTP load balancing, acceleration and regional failover. A basic internal Load Balancer is regional and Layer 4. An NSG filters traffic only. A VPN gateway connects networks privately, not global web acceleration. -
By default, can a VM in Azure with no public IP and no NAT configuration initiate outbound connections to the internet?
Correct answer: C. Azure historically provided default outbound access, but that is being retired, so an explicit method such as a NAT gateway is recommended. Saying outbound is always blocked is inaccurate for legacy behavior. A ReadOnly lock is unrelated to networking. VNet peering connects VNets, not internet egress. -
A NAT gateway is used to:
Correct answer: D. A NAT gateway gives reliable outbound connectivity for a subnet with predictable public IPs and no inbound exposure. Filtering inbound traffic is an NSG function. Assigning roles is RBAC. Storing blobs is Blob storage. None provide managed outbound NAT. -
Which is true about Azure service tags in NSG rules?
Correct answer: A. Service tags abstract the changing IP ranges of an Azure service so rules stay valid without manual updates. They are not random strings. They do not open all ports. They have nothing to do with disk encryption. -
A subnet that will host a VPN gateway must be named:
Correct answer: B. The VPN/ExpressRoute gateway requires a subnet specifically named GatewaySubnet. Names like DefaultSubnet or PublicSubnet will not be recognized for the gateway. The claim that any name works is incorrect for the gateway subnet. -
You need to centrally inspect and filter all outbound and inbound traffic for many subnets with a stateful, managed firewall and threat intelligence. Deploy:
Correct answer: C. Azure Firewall is a managed, stateful network firewall for centralized filtering with features like threat intelligence. NSGs are basic, distributed filters without centralized application rules. A storage firewall protects only the storage account. A management group organizes subscriptions. -
A user-defined route (UDR) is used to:
Correct answer: D. A UDR overrides system routes to direct traffic to a chosen next hop, such as a network virtual appliance or firewall. It does not assign IPs to users. Filtering by port is an NSG function. Backing up VMs is Azure Backup. -
To allow resources in a VNet to reach an Azure PaaS service (like a storage account) over the Azure backbone rather than the public internet, you can use a:
Correct answer: A. A private endpoint gives the PaaS service a private IP in your VNet so traffic stays on the backbone. A public IP routes over the internet. A ReadOnly lock prevents changes. A spot VM is a compute option. None provide private PaaS connectivity. -
Which statement about NSGs and application security groups (ASGs) is correct?
Correct answer: B. ASGs let you group network interfaces and reference the group by name in NSG rules, simplifying management. ASGs work with NSGs rather than replacing them. They are not storage. They do not encrypt traffic; they organize sources/destinations. -
When you peer two VNets, by default traffic between them:
Correct answer: C. Peered VNet traffic stays on Microsoft's private backbone. It does not traverse the public internet. Peering itself does not add VPN encryption (though the backbone is private). It does not require public IPs on the VMs. -
A standard SKU public IP address differs from a basic SKU public IP in that the standard SKU:
Correct answer: D. Standard public IPs support zone redundancy and are closed to inbound traffic unless an NSG allows it. They are static, not always dynamic/free. They are used with standard load balancers. They are not limited to storage. -
To diagnose why traffic between two VMs is blocked, which Azure tool shows whether an NSG rule is allowing or denying a flow?
Correct answer: A. Network Watcher's IP flow verify and related tools show which NSG rule allows or denies a given flow. Azure Policy enforces governance, not flow diagnostics. Azure Backup protects data. Azure Compute Gallery stores images. None diagnose NSG flows. -
Which is the correct relationship between a VNet's address space and its subnets?
Correct answer: B. Subnets carve non-overlapping ranges out of the VNet's address space. Subnets cannot overlap one another. A subnet cannot be larger than its parent VNet. Subnets live in the same region as their VNet. -
To connect many branch offices and VNets together with simplified, centralized management of routing and connectivity, you can use:
Correct answer: C. Azure Virtual WAN provides a hub-and-spoke service to connect many sites and VNets with centralized routing. A single NSG only filters traffic. A storage lifecycle policy manages blobs. An availability set is VM resiliency. None provide WAN-scale connectivity. -
A standard internal Load Balancer is used when you need to:
Correct answer: D. An internal Load Balancer distributes traffic to backend VMs using private IPs, keeping it inside the VNet. Exposing to the internet uses a public Load Balancer. Encrypting blobs is a storage feature. Assigning roles is RBAC. -
To collect detailed guest-OS metrics and logs (like memory usage and event logs) from a VM into Azure Monitor, you should:
Correct answer: A. Guest-level telemetry requires the Azure Monitor Agent plus a data collection rule that defines what to collect and where to send it. Host platform metrics alone do not include in-guest data like memory or event logs. An NSG filters traffic. A SAS token grants storage access. -
A query against your logs to find failed sign-ins over the last 24 hours is written in:
Correct answer: B. Log queries in Azure Monitor/Log Analytics use KQL. T-SQL is for SQL databases, not Log Analytics queries. Bicep is an IaC language. An NSG rule filters network traffic. Only KQL queries the logs. -
An alert should notify an on-call team by SMS and email and also trigger a webhook. The reusable object that defines these notifications is:
Correct answer: C. An action group bundles notification and action settings (SMS, email, webhook, etc.) that alert rules invoke. A resource lock prevents deletion/changes. A subnet is networking. A storage tier controls blob cost. None define alert actions. -
Which Azure Monitor capability provides deep, code-level application performance monitoring (requests, dependencies, exceptions)?
Correct answer: D. Application Insights is the APM feature for tracking requests, dependencies and exceptions in apps. Network Watcher diagnoses networking. Azure Policy enforces governance. Azure Backup protects data. None provide application performance monitoring. -
Platform metrics in Azure Monitor are retained for a limited time. To keep metric or log data long term for compliance, you can:
Correct answer: A. Diagnostic settings route metrics/logs to a Log Analytics workspace, storage account or event hub for longer retention. Default platform metric retention is limited, so doing nothing loses data. A NAT gateway is networking. A spot VM is compute. Neither retains telemetry. -
A metric alert that fires whenever CPU is over 80 percent for 5 minutes is best described as monitoring based on:
Correct answer: B. This is a static-threshold metric alert evaluated over an aggregation window (5 minutes). It is not random sampling. A storage lifecycle rule manages blobs. An RBAC role grants permissions. Neither defines a metric alert. -
Azure Service Health is used to:
Correct answer: C. Service Health reports Azure service issues, outages and planned maintenance relevant to you. Filtering traffic is an NSG function. Storing NoSQL tables is Table storage. Assigning roles is RBAC. None report platform health. -
To centralize logs from many subscriptions and resources so you can query them together, you send them to:
Correct answer: D. A shared Log Analytics workspace consolidates telemetry from many sources for unified KQL queries. Separate text files on each VM are not centrally queryable. The archive tier stores cold blobs, not queryable logs. NSGs filter traffic and do not store logs. -
Azure Advisor primarily helps you by:
Correct answer: A. Azure Advisor analyzes your resources and recommends improvements across cost, security, reliability and performance. It does not filter traffic, encrypt disks or run containers; those are other services. -
You configured Azure Backup for a VM with a daily policy and 30-day retention. To restore a single deleted file (not the whole VM), you use:
Correct answer: B. Azure Backup supports item-level (file) recovery from a recovery point, so you can restore just the file. A full VM redeploy is unnecessary and would not recover the file from backup. An NSG filters traffic. VNet peering connects networks. -
The Recovery Services vault in Azure is used to:
Correct answer: C. A Recovery Services vault is the container that holds backup data and replication settings for Azure Backup and Site Recovery. It does not filter traffic, host web apps or define RBAC roles; those are unrelated functions. -
Which is the correct difference between metrics and logs in Azure Monitor?
Correct answer: D. Metrics are lightweight numeric time-series, while logs are richer records queried with KQL. They are not identical. The roles are not reversed (logs are not always numeric). Both metrics and logs can trigger alerts, so the claim that neither can is wrong. -
To get a daily email summary of estimated spend and to alert when a budget threshold is reached, use:
Correct answer: A. Cost Management budgets track spend and send alerts at thresholds. An NSG filters traffic. A SAS token grants storage access. A subnet is networking. None track or alert on cost. -
A log alert rule differs from a metric alert in that it:
Correct answer: B. A log alert periodically runs a KQL query and fires when results meet a condition. It can send notifications via action groups, so claiming it cannot send notifications is wrong. It is not limited to storage accounts. It is unrelated to resource locks. -
You need to verify that a maintenance change did not increase error rates on a web app. The fastest place to see request failure trends is:
Correct answer: C. Application Insights surfaces request and failure trends for the app, so you can spot regressions quickly. An NSG filters traffic. A storage lifecycle policy manages blobs. A management group organizes subscriptions. None show app error trends. -
Connection Monitor in Network Watcher is used to:
Correct answer: D. Connection Monitor continuously checks reachability and latency between endpoints for proactive network monitoring. Assigning roles is RBAC. Encrypting storage is a storage feature. Scaling VMs is compute. None monitor connectivity. -
A workbook in Azure Monitor is best described as:
Correct answer: A. Workbooks provide interactive, customizable reports that combine queries, metrics and visuals. A recovery point is a backup snapshot. A network route directs traffic. A storage container holds blobs. None are reporting canvases. -
To be alerted when a critical resource is deleted or a role assignment changes, create an alert based on:
Correct answer: B. Activity log alerts fire on management-plane events such as deletions or role changes. A blob lifecycle rule manages storage tiers. A NAT gateway metric is about outbound networking. A subnet range is addressing. None capture management events as alerts. -
VM insights (part of Azure Monitor) provides:
Correct answer: C. VM insights gives performance charts and a dependency map for VMs and their connections. A site-to-site VPN is networking. Object storage is Blob storage. A custom RBAC role defines permissions. None provide VM performance/dependency views.
Practice questions FAQ
- Are these real AZ-104 exam questions?
- No. These are original study questions written to test understanding. They are not real exam questions, exam dumps, or copied from any provider.
- How should I use these practice questions?
- Answer each one, read the explanation (including why the wrong options are wrong), and use the per-domain score below to focus your revision on weak areas. Revisit before exam day.
- How many questions should I do before the exam?
- Enough to score consistently across every domain, alongside full-length practice from official or reputable providers. Understanding why each answer is right matters more than raw volume.
- What score means I am ready?
- A good signal is consistently scoring around 80% or higher across all domains on questions you have not seen before, and being able to explain why the wrong options are wrong.
- Should I use exam dumps?
- No. Dumps (real or leaked questions) breach provider policy, can void your certification, and do not build the understanding the exam actually tests.