CertGrid
Microsoft Certification

AZ-104: Microsoft Azure Administrator Practice Exam

Measures your ability to manage Azure identities and governance, implement and manage storage, deploy and manage Azure compute resources, implement and manage virtual networking, and monitor and maintain Azure resources.

Practice 921 exam-style AZ-104 questions with full answer explanations, then take timed mock exams that score like the real thing.

Practice questions: 921
On the real exam: 50
Passing score: 700
Exam length: 120 min

What the AZ-104 exam covers

Free AZ-104 sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 921.

  1. Question 1: Manage Azure Identities and Governance

    You need to ensure that users in the Sales department are automatically added to a security group named SalesTeam. What type of group membership should you configure?

    • A. Assigned membership
    • B. Microsoft 365 group with assigned membership
    • C. Dynamic device membership
    • D. Dynamic user membership (Correct)
    ✓ Correct answer: D

    Dynamic user membership groups in Microsoft Entra ID use attribute-based rules to automatically add and remove users based on their properties. For example, a rule such as user.department -eq "Sales" would automatically include all users whose department attribute is set to Sales. This feature requires Microsoft Entra ID P1 or P2 licensing and eliminates the need for manual group management.

    Why the other options are wrong
    • A. Assigned membership requires an administrator to manually add and remove users, which does not meet the automation requirement.
    • B. Microsoft 365 group with assigned membership is a collaboration group type and still requires manual member management rather than automatic population.
    • C. Dynamic device membership evaluates device attributes, not user attributes like department, so it cannot filter users by their Sales department membership.
  2. Question 2: Manage Azure Identities and Governance (Select all that apply)

    You need to implement a policy that prevents users from creating virtual machines with more than 4 vCPUs in any resource group within a subscription. Which two steps are required? (Choose two.)

    • A. Create a custom Azure Policy definition with a deny effect that checks the VM SKU against allowed sizes (Correct)
    • B. Configure a budget alert in Azure Cost Management
    • C. Create a Microsoft Entra ID Conditional Access policy to block VM creation
    • D. Assign the policy to the subscription scope (Correct)
    ✓ Correct answer: A, D

    To prevent users from creating virtual machines with more than 4 vCPUs, you need two steps. First, create a custom Azure Policy definition that uses a deny effect and includes a rule that evaluates the VM SKU (size) against a list of allowed sizes that have 4 or fewer vCPUs. The deny effect ensures that any deployment request for a non-compliant VM size is blocked before the resource is created. Second, assign this policy at the subscription scope so that it applies to all resource groups within the subscription, providing comprehensive coverage without needing to assign the policy individually to each resource group.

    Why the other options are wrong
    • B. Configuring a budget alert in Azure Cost Management monitors spending and sends notifications but cannot prevent the deployment of specific VM sizes.
    • C. Creating a Microsoft Entra ID Conditional Access policy controls user sign-in conditions and authentication requirements but has no capability to restrict which Azure resources can be deployed.
  3. Question 3: Implement and Manage Storage (Select all that apply)

    Contoso Ltd is configuring network security for an Azure storage account. Which three methods can be used to restrict network access to the storage account? (Choose three.)

    • A. Use virtual network service endpoints (Correct)
    • B. Enable storage account encryption
    • C. Change the minimum TLS version
    • D. Configure storage account firewall rules with allowed IP addresses (Correct)
    • E. Configure private endpoints (Correct)
    ✓ Correct answer: A, D, E

    Network access to a storage account is restricted using three mechanisms: virtual network service endpoints with VNet rules, firewall rules that allow specific public IP addresses or ranges, and private endpoints that bring the storage account into a VNet with a private IP. Each of these limits which networks or clients can reach the account. Together they form the network-security toolkit for Azure Storage. Encryption and TLS settings, by contrast, protect data confidentiality rather than restricting network reachability.

    Why the other options are wrong
    • B. Enabling storage account encryption protects data at rest but does not restrict which networks can reach the account; encryption is always on regardless.
    • C. Changing the minimum TLS version enforces a stronger transport protocol for connections but does not block access from any particular network.
  4. Question 4: Deploy and Manage Azure Compute Resources

    Your App Service plan is on the Basic (B1) tier. You need to configure auto-scaling based on CPU utilization metrics. What should you do first?

    • A. Create a new App Service in a different plan
    • B. Scale up the App Service plan to Standard (S1) or higher (Correct)
    • C. Configure auto-scale rules directly on the Basic plan
    • D. Enable Application Insights on the App Service
    ✓ Correct answer: B

    Metric-based auto-scaling in Azure App Service is only available on the Standard tier and above. The Basic (B1) tier supports manual scaling up to 3 instances but does not support automatic scaling rules based on performance metrics such as CPU utilization. Before you can configure auto-scale rules, you must first upgrade the App Service plan to at least the Standard (S1) tier, which unlocks auto-scale capabilities along with other features like deployment slots and daily backups.

    Why the other options are wrong
    • A. Creating a new App Service in a different plan does not address the requirement; the issue is the pricing tier, not the plan itself.
    • C. Configuring auto-scale rules directly on the Basic plan is not possible because the Basic tier does not support metric-based auto-scaling.
    • D. Enabling Application Insights provides monitoring and diagnostics but does not enable auto-scaling functionality on a Basic tier plan.
  5. Question 5: Deploy and Manage Azure Compute Resources (Select all that apply)

    You are configuring Azure Monitor data collection for a set of Linux VMs. You need to collect Syslog events and performance counters. Which two components must you configure? (Choose two.)

    • A. Install the Log Analytics gateway on the VMs
    • B. Create a Data Collection Rule (DCR) specifying Syslog and performance counter data sources (Correct)
    • C. Install the Azure Monitor Agent (AMA) on each Linux VM (Correct)
    • D. Configure Microsoft Entra ID Conditional Access
    ✓ Correct answer: B, C

    Two components are required: the Azure Monitor Agent (AMA) installed on each Linux VM, and a Data Collection Rule (DCR). The Azure Monitor Agent runs on the VM and collects data according to the instructions defined in the DCR. The DCR specifies which data sources to collect, such as Syslog events and performance counters, along with the destination workspace. Both components work together to enable comprehensive monitoring of Linux VMs.

    Why the other options are wrong
    • A. Installing the Log Analytics gateway is used for proxying agent traffic through a single point and is not required for direct data collection from VMs.
    • D. Configuring Microsoft Entra ID Conditional Access is an identity and access management feature that has no role in VM monitoring or data collection.
  6. Question 6: Implement and Manage Virtual Networking

    You need to deploy an Azure Load Balancer that supports the following requirements: route traffic based on source IP to ensure a client always connects to the same backend VM, and support traffic on port 443. What session persistence setting should you configure?

    • A. Source IP affinity (two-tuple hash) (Correct)
    • B. Source IP and protocol affinity (three-tuple hash)
    • C. Cookie-based affinity
    • D. None (five-tuple hash)
    ✓ Correct answer: A

    Azure Load Balancer session persistence determines how traffic from a client is distributed to backend VMs. Source IP affinity, also known as two-tuple hash, uses the source IP address and destination IP address to create a hash that maps a client to a specific backend VM. This ensures that all requests from the same client IP address are always directed to the same backend server for the duration of the session. This is ideal when you need session persistence based on the client's IP address without considering the protocol.

    Why the other options are wrong
    • B. Source IP and protocol affinity (three-tuple hash) is incorrect because while it also provides session persistence, it uses source IP, destination IP, and protocol to create the hash; this is more restrictive than needed since the requirement only specifies routing based on source IP.
    • C. Cookie-based affinity is incorrect because cookie-based session affinity is a feature of Azure Application Gateway (Layer 7), not Azure Load Balancer (Layer 4); Load Balancer does not inspect HTTP cookies.
    • D. None (five-tuple hash) is incorrect because the default five-tuple hash uses source IP, source port, destination IP, destination port, and protocol to distribute traffic, which does not provide session persistence and would cause requests from the same client to be distributed across different backend VMs.
  7. Question 7: Monitor and Maintain Azure Resources (Select all that apply)

    You are configuring Azure Monitor for your environment. Which of the following data sources can Azure Monitor collect? (Choose three.)

    • A. Microsoft Entra ID sign-in logs sent to a Log Analytics workspace (Correct)
    • B. On-premises server hardware BIOS settings
    • C. Azure resource metrics (platform metrics) (Correct)
    • D. Guest OS performance counters from VMs with the Azure Monitor Agent installed (Correct)
    ✓ Correct answer: A, C, D

    Azure Monitor can collect data from a wide range of sources. Microsoft Entra ID sign-in logs can be configured to stream to a Log Analytics workspace through diagnostic settings, enabling analysis alongside other monitoring data. Platform metrics are automatically collected from Azure resources without any agent configuration. Guest OS performance counters such as CPU, memory, and disk metrics from within the VM operating system are collected through the Azure Monitor Agent, which must be installed on the VM and configured with data collection rules.

    Why the other options are wrong
    • B. On-premises server hardware BIOS settings is incorrect because BIOS settings are firmware-level configurations that are not exposed through any monitoring agent or Azure Monitor data collection mechanism, as they exist at the hardware level below the operating system.
  8. Question 8: Monitor and Maintain Azure Resources

    You review the backup status shown in the table. Which backup item has a potential problem?

    • A. VM-Prod-SQL
    • B. VM-Prod-Web (Correct)
    • C. FileShare-Prod
    • D. VM-Dev
    ✓ Correct answer: B

    VM-Prod-Web is configured for daily backups, yet the last successful backup was 3 days ago. This indicates that backup jobs have been failing for at least 2 consecutive days. In Azure Backup, when a backup item misses its scheduled backup for more than the expected interval, it should be flagged as having a potential problem. Consistent backup failures can lead to data loss in the event of a disaster, making this a critical issue that requires immediate investigation. Common causes include VM agent communication issues, insufficient storage account permissions, or locked resources preventing snapshots.

    Why the other options are wrong
    • A. VM-Prod-SQL is incorrect because its backup status shows it is completing backups on schedule according to its configured policy.
    • C. FileShare-Prod is incorrect because its backup status indicates successful backups within the expected timeframe for its configured backup frequency.
    • D. VM-Dev is incorrect because its backup status shows it is completing backups within the expected schedule, and as a development resource, it may have a less frequent backup policy that is still being met.
  9. Question 9: Implement and Manage Storage (Select all that apply)

    Woodgrove Bank is migrating its on-premises file server infrastructure to Azure. The IT team has identified the following requirements for the migration:

    - Branch offices need to cache frequently accessed files locally while keeping the authoritative copy in Azure Files.
    - The solution must support SMB protocol access from Windows Server 2022 machines at each branch.
    - Files that have not been accessed for 60 days should automatically be tiered to reduce local storage consumption.
    - A central Azure file share must act as the single source of truth, and all branch office servers must sync with it.

    Which two components are required to implement this solution? (Choose two.)

    • A. Azure File Sync agent installed on each branch office Windows Server (Correct)
    • B. Azure Data Lake Storage Gen2 with hierarchical namespace enabled
    • C. A Storage Sync Service resource deployed in the same region as the storage account (Correct)
    • D. Azure Blob Storage with lifecycle management policies configured for cool tiering
    ✓ Correct answer: A, C

    Azure File Sync requires two essential components to function: the Azure File Sync agent installed on each on-premises Windows Server creates the server endpoint that enables local caching and synchronization with the Azure file share, and the Storage Sync Service resource in Azure serves as the top-level management resource that orchestrates the sync relationship between the cloud endpoint (Azure file share) and registered server endpoints. The Azure File Sync agent supports SMB protocol access from Windows Server, enables cloud tiering to automatically tier files not accessed within a configurable period (such as 60 days), and maintains the branch office servers in sync with the central Azure file share as the single source of truth.

    Why the other options are wrong
    • B. Azure Data Lake Storage Gen2 with hierarchical namespace enabled is incorrect because ADLS Gen2 is designed for big data analytics workloads and does not support SMB protocol or file synchronization with on-premises Windows Servers.
    • D. Azure Blob Storage with lifecycle management policies configured for cool tiering is incorrect because lifecycle management policies manage blob access tiers (Hot, Cool, Cold, Archive) for cost optimization in blob storage, which is a different mechanism from Azure File Sync cloud tiering that manages local disk space on server endpoints.
  10. Question 10: Deploy and Manage Azure Compute Resources

    You perform a swap between the Production and Staging slots. What happens to the DB_CONN setting after the swap?

    • A. Production slot gets staging-db connection string and Staging gets prod-db
    • B. Both slots retain their original DB_CONN values
    • C. Production slot keeps prod-db and Staging keeps staging-db (Correct)
    • D. Both slots get the production DB_CONN value
    ✓ Correct answer: C

    DB_CONN is configured as a slot setting, which makes it sticky to the slot it lives in rather than part of the application content that moves during a swap. When Production and Staging swap, the deployed code and all non-sticky configuration trade places, but each slot's sticky values stay put. As a result Production still resolves DB_CONN to Server=prod-db and Staging still resolves it to Server=staging-db. This is precisely the intended use of slot settings: keeping environment-specific values like connection strings pinned to their environment across deployments.

    Why the other options are wrong
    • A. Production receiving the staging-db value while Staging receives prod-db would require DB_CONN to travel with the code, but a sticky slot setting is explicitly excluded from the swap and never crosses over.
    • B. Claiming both slots merely retain their original values describes the result without the mechanism and is framed as though a swap of the setting was even possible; the actual cause is that slot settings are pinned per slot and are not part of the swap at all.
    • D. Having every slot end up with the production value cannot occur because each slot maintains its sticky DB_CONN independently, and swapping never copies one slot's value onto the other.
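
The custom policy definition described in the Question 2 explanation, written out as an added example (not CertGrid's or Microsoft's own material). The display name, parameter name and the sample allow-list of sizes are assumptions chosen for illustration.

```json
{
  "properties": {
    "displayName": "EXAMPLE: deny VM sizes outside an allow-list (4 vCPUs or fewer)",
    "description": "Added example. The allow-list is a sample; build yours from the sizes offered in your regions.",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {
      "listOfAllowedSKUs": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed VM sizes",
          "description": "Sizes with 4 or fewer vCPUs (sample values)"
        },
        "defaultValue": [
          "Standard_B1s",
          "Standard_B2s",
          "Standard_B4ms",
          "Standard_D2s_v5",
          "Standard_D4s_v5"
        ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
          {
            "not": {
              "field": "Microsoft.Compute/virtualMachines/sku.name",
              "in": "[parameters('listOfAllowedSKUs')]"
            }
          }
        ]
      },
      "then": { "effect": "deny" }
    }
  }
}
```

Assigning the definition at `/subscriptions/<subscription-id>` makes every resource group in the subscription inherit it. The rule matches only `Microsoft.Compute/virtualMachines`, so virtual machine scale sets, which are a separate resource type, need their own condition.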
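
The three network restrictions from the Question 3 explanation (firewall IP rule, VNet rule backed by a service endpoint, and private endpoint), shown together as an added ARM template fragment that is not part of the original page. All resource names, the subnet names and the `203.0.113.0/24` range are constructed placeholders.

```json
{
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2023-01-01",
      "name": "examplestorageacct",
      "location": "[resourceGroup().location]",
      "sku": { "name": "Standard_LRS" },
      "kind": "StorageV2",
      "properties": {
        "networkAcls": {
          "defaultAction": "Deny",
          "bypass": "AzureServices",
          "ipRules": [
            { "value": "203.0.113.0/24", "action": "Allow" }
          ],
          "virtualNetworkRules": [
            {
              "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'example-vnet', 'app-subnet')]",
              "action": "Allow"
            }
          ]
        }
      }
    },
    {
      "type": "Microsoft.Network/privateEndpoints",
      "apiVersion": "2023-04-01",
      "name": "example-storage-pe",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts', 'examplestorageacct')]"
      ],
      "properties": {
        "subnet": {
          "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'example-vnet', 'pe-subnet')]"
        },
        "privateLinkServiceConnections": [
          {
            "name": "blob",
            "properties": {
              "privateLinkServiceId": "[resourceId('Microsoft.Storage/storageAccounts', 'examplestorageacct')]",
              "groupIds": [ "blob" ]
            }
          }
        ]
      }
    }
  ]
}
```

With `defaultAction` left at `Allow`, the `ipRules` and `virtualNetworkRules` entries restrict nothing, so `Deny` is the setting to verify first. The VNet rule only takes effect when `app-subnet` has the `Microsoft.Storage` service endpoint enabled.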

AZ-104 practice exam FAQ

How many questions are in the AZ-104 practice exam on CertGrid?

CertGrid has 921 practice questions for AZ-104: Microsoft Azure Administrator, covering 5 exam domains. The real AZ-104 exam has about 50 questions.

What is the passing score for AZ-104?

The AZ-104 exam passing score is 700, and you have about 120 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.

Are these official AZ-104 exam questions?

No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of AZ-104: Microsoft Azure Administrator, with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.

Can I practice AZ-104 for free?

Yes. You can start practicing AZ-104: Microsoft Azure Administrator for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.