Microsoft Azure Administrator Associate Practice Test (AZ-104)
Use the form below to configure your Microsoft Azure Administrator Associate Practice Test (AZ-104). The practice test can be configured to only include certain exam objectives and domains. You can choose between 5-100 questions and set a time limit.

Microsoft Azure Administrator Associate AZ-104 Information
As a candidate for this certification, you should have subject matter expertise in implementing, managing, and monitoring an organization’s Azure environment, including:
- Virtual networks
- Storage
- Compute
- Identity
- Security
- Governance
As an Azure administrator, you often serve as part of a larger team dedicated to implementing an organization's cloud infrastructure. You also coordinate with other roles to deliver Azure networking, security, database, application development, and DevOps solutions.
You should be familiar with:
- Operating systems
- Networking
- Servers
- Virtualization
In addition, you should have experience with:
- PowerShell
- Azure CLI
- The Azure portal
- Azure Resource Manager templates
- Microsoft Entra ID
Skills measured
- Manage Azure identities and governance
- Implement and manage storage
- Deploy and manage Azure compute resources
- Implement and manage virtual networking
- Monitor and maintain Azure resources
Free Microsoft Azure Administrator Associate AZ-104 Practice Test
Press start when you are ready, or press Change to modify any settings for the practice test.
- Questions: 15
- Time: Unlimited
- Included Topics:Manage Azure identities and governanceImplement and manage storageDeploy and manage Azure compute resourcesConfigure and manage virtual networkingMonitor and maintain Azure resources
An administrator has deployed a public load balancer to distribute incoming HTTP traffic across three Azure virtual machines (VMs). However, users report that they cannot access the web application hosted on these VMs, and diagnostics show that the load balancer is not distributing traffic to the backend pool. What should the administrator check first to resolve the issue?
Check if the Azure Firewall is blocking incoming traffic to the load balancer
Verify that the health probes are configured properly and that the backend VMs are responding to them
Ensure that the load balancer's SKU matches that of the backend VMs
Increase the instance count of the load balancer to handle more traffic
Answer Description
The administrator should verify that the health probes are configured properly and that the backend VMs are responding to them. Azure Load Balancer uses health probes to determine which backend instances are healthy and able to receive traffic. If the health probes are misconfigured or the VMs are not responding correctly (e.g., because the web server service is not running), the load balancer will not send traffic to them. Checking the health probe configuration and VM responsiveness is the first step in troubleshooting this issue.
Checking if Azure Firewall is blocking traffic may not be relevant if there is no firewall configured, or if the issue is with the health probes rather than network policies. Ensuring that the load balancer's SKU matches that of the backend VMs is not relevant, as load balancer SKU does not need to match VM SKU. Increasing the instance count of the load balancer is unnecessary and will not resolve a connectivity issue; it is used for scaling purposes.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are health probes in Azure Load Balancer?
How can I check if my VMs are responding to health probes?
What happens if health probes are misconfigured?
You are an Azure administrator at Contoso Ltd. Your organization needs to collaborate with external consultants who require access to certain internal applications secured by Azure Entra ID. You want to grant them access while maintaining security and manageability. What should you do to provide access to these external users?
Enable anonymous access to the applications to allow external users to access them.
Create new user accounts in Azure Entra ID for the consultants with standard user licenses.
Share the credentials of existing internal users with the consultants.
Add the external consultants as guest users through Azure AD B2B collaboration.
Answer Description
Inviting external consultants as guest users through Azure Entra ID B2B collaboration allows you to manage external access securely. This method lets you invite external users using their own credentials from their organization, while applying your organization's policies and monitoring their access. Creating new internal accounts for them is less secure and harder to manage. Sharing internal user credentials is a security risk and against best practices. Enabling anonymous access compromises security and is not suitable for sensitive applications.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Azure Entra ID B2B collaboration?
What are the advantages of using guest access instead of creating new user accounts?
Why is sharing internal user credentials a security risk?
You are tasked with automating the bulk transfer of files from an on-premises server to Azure Blob Storage. Which tool would be most appropriate to use?
AzCopy
Azure Portal
Azure Data Box
Azure Storage Explorer
Answer Description
AzCopy is a command-line utility optimized for high-performance data transfer to and from Azure Storage. It allows for scripting and automation of bulk data transfers, making it ideal for the task. Azure Storage Explorer provides a graphical interface, which is less suitable for automation and handling large-scale transfers. The Azure Portal is not designed for automating bulk uploads, and Azure Data Box is a physical appliance for large offline data migrations, not suitable for this scenario.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is AzCopy and how does it work?
Why is Azure Storage Explorer not ideal for bulk transfers?
What scenarios is Azure Data Box best suited for?
You need to configure replication of an Azure virtual machine to a secondary region for disaster recovery purposes. Which resource must you create first?
A Traffic Manager profile
A Recovery Services vault
A Network Security Group
An Azure Container Registry
Answer Description
To enable replication of Azure virtual machines to a secondary region using Azure Site Recovery, you must first create a Recovery Services vault. This vault holds the configuration and management settings for site recovery and orchestrates the replication process. The other options—Azure Container Registry, Traffic Manager profile, and Network Security Group—do not facilitate VM replication for disaster recovery.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a Recovery Services vault?
How does Azure Site Recovery work?
What are the benefits of using a Recovery Services vault for disaster recovery?
You are administering an Azure web application running on an App Service in the Standard pricing tier. You need to ensure the application data is backed up regularly to allow for restoration if needed. What should you do?
Use Azure Backup to back up the App Service to a Recovery Services vault
Enable the built-in backup feature in the App Service and configure a storage account
Downgrade the App Service plan to the Basic tier
Configure Azure Site Recovery to protect the App Service
Answer Description
To set up regular backups for an App Service, you should enable the built-in backup feature available in the App Service settings. This feature is accessible when using the Standard tier or higher. By enabling backups, you can configure a storage account where the backups will be stored. Downgrading to the Basic tier is not appropriate because the Basic tier does not support the backup feature. Configuring Azure Site Recovery is intended for virtual machines and physical servers, not for App Services. Similarly, using Azure Backup with a Recovery Services vault is designed for virtual machines and does not apply to App Services.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the built-in backup feature in Azure App Services?
Why is the Basic tier not suitable for backups in Azure App Services?
How does Azure Site Recovery differ from backing up App Services?
You have an existing AKS cluster running an older version of Kubernetes. You need to change it to a newer supported version. Which method should you use?
Create a new cluster with the desired version and migrate applications.
Manually update the Kubernetes components on each node.
Use the Azure CLI command to perform an in-place upgrade of the cluster.
Modify the cluster configuration file to set the new version.
Answer Description
To update the Kubernetes version of an existing AKS cluster, you should use the Azure CLI command to perform an in-place upgrade of the cluster. This command handles the upgrade process, ensuring that all cluster components are properly updated. Manually updating Kubernetes components is not supported in Azure Kubernetes Service (AKS). Creating a new cluster and migrating applications is unnecessary when an in-place upgrade is available. Modifying cluster configuration files does not initiate an upgrade process in AKS.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Azure CLI and how is it used for AKS upgrades?
What are the risks of manually updating Kubernetes components in AKS?
What are the benefits of performing an in-place upgrade of an AKS cluster?
A company wants to manage network security by assigning policies to multiple virtual machines that serve the same function, without specifying IP addresses. Which Azure feature allows this?
Azure Firewall
Network Interfaces
Application Security Groups
Network Security Groups
Answer Description
Application Security Groups allow you to group virtual machines based on their function and apply network security rules to the group. This eliminates the need to specify IP addresses when assigning policies. Network Security Groups control traffic but are applied to individual resources or subnets, not groups of virtual machines serving the same role. Azure Firewall provides centralized network protection but doesn't group virtual machines based on function. Network Interfaces connect virtual machines to a network but don't facilitate grouping for security policies.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are Application Security Groups and how do they work?
How do Application Security Groups differ from Network Security Groups?
What role do network security policies play in Azure and how are they implemented?
An organization wants to allow their users to regain access to their accounts if they forget their passwords, without involving administrators. Which Azure Entra ID feature should be enabled to accomplish this?
Password writeback
Conditional Access
Self-Service Password Reset
Multi-Factor Authentication
Answer Description
Enabling Self-Service Password Reset allows users to reset their own passwords without administrator intervention, fulfilling the organization's requirement. Password writeback enables password changes in Azure Entra ID to be written back to on-premises AD but does not provide self-service capabilities. Multi-Factor Authentication enhances security by requiring additional verification methods but does not directly enable users to reset forgotten passwords. Conditional Access policies control user access to resources based on conditions but do not address password reset needs.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Self-Service Password Reset (SSPR)?
What are the prerequisites for enabling SSPR in Azure Entra ID?
How does SSPR improve security for organizations?
You are deploying an Azure Kubernetes Service (AKS) cluster that requires advanced networking features, including assigning static IP addresses to pods and implementing network policies. Which networking model should you use for the AKS cluster deployment?
Use the default network configuration
Use the Azure Container Networking Interface (CNI) networking model
Configure network security groups (NSGs) for advanced networking
Use the kubenet networking model
Answer Description
To enable advanced networking features like assigning static IP addresses to pods and implementing network policies, you should use the Azure Container Networking Interface (CNI) networking model. Azure CNI integrates with Azure Virtual Networks, allowing pods to receive IP addresses directly from the virtual network subnet, facilitating advanced networking scenarios.
The kubenet networking model provides basic networking where pods receive NAT-ed IP addresses and doesn't support assigning static IPs to pods or advanced network policies. Using the default network configuration or configuring network security groups (NSGs) alone won't fulfill the requirements for pod-level IP assignments and advanced networking features in AKS.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are the advantages of using the Azure CNI networking model in AKS?
What are network policies in the context of Azure Kubernetes Service?
What is the difference between the kubenet and Azure CNI models?
An organization wants to back up their Azure virtual machines with a specific retention policy: daily backups retained for 30 days, weekly backups retained for 12 weeks, monthly backups retained for 12 months, and yearly backups retained for 7 years. They want to automate this process with minimal administrative overhead. Which backup policy configuration option should they use?
Create a custom backup policy with multiple retention ranges for daily, weekly, monthly, and yearly backups
Set up a backup policy using Azure Site Recovery with custom retention settings
Configure separate backup policies for daily, weekly, monthly, and yearly backups
Use the default backup policy and adjust the retention to meet the requirements
Answer Description
Creating a custom backup policy with multiple retention ranges for daily, weekly, monthly, and yearly backups allows the organization to meet their complex retention requirements within a single policy. This approach minimizes administrative overhead by automating backups and retention without the need to manage multiple policies. Using the default backup policy would not meet the specific retention needs. Configuring separate backup policies increases administrative effort, contrary to the requirement of minimal overhead. Azure Site Recovery is designed for disaster recovery, not for meeting specific backup retention policies.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are Azure backup policies?
What is the importance of retention periods in backup policies?
Why is it better to create a custom backup policy instead of using defaults?
You are an Azure administrator for Contoso Ltd. The company wants to allow its users to access blobs in an Azure Storage account using their existing corporate credentials. Which authentication method should you configure?
Use shared access signatures (SAS) for each user
Configure Azure Entra ID authentication for the storage account
Distribute the storage account access keys to the users
Enable anonymous access to the blobs
Answer Description
Configuring Azure Entra ID authentication allows users to access the storage account using their corporate credentials, leveraging their existing identities without sharing access keys or tokens. This method enhances security and simplifies user management. Sharing account keys or SAS tokens involves managing and securing secrets, which can be less secure and harder to manage. Enabling anonymous access would not require credentials and is not secure.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Azure Entra ID authentication?
What are shared access signatures (SAS)?
Why is enabling anonymous access considered insecure?
You are managing a critical Azure virtual machine that should not be accidentally deleted or modified. Which Azure feature should you use to prevent such accidental changes?
Azure Resource Locks
Azure Tags
Azure Role-Based Access Control (RBAC)
Azure Policy
Answer Description
Azure Resource Locks allow you to set lock levels, such as ReadOnly or CanNotDelete, on resources to prevent accidental modification or deletion. By applying a lock, even users with the necessary permissions are prevented from performing restricted actions unless the lock is removed.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are the different types of Azure Resource Locks available?
How do I apply an Azure Resource Lock to a virtual machine?
What happens if I need to make changes to a resource that has a lock applied?
An organization needs to delegate administrative permissions so that certain administrators can manage users and groups within their own department without affecting other departments. Which Azure feature should you implement to achieve this?
Azure Entra ID Administrative Units
Azure Management Groups
Azure Entra ID Privileged Identity Management
Azure Role-Based Access Control (RBAC)
Answer Description
Administrative Units in Azure Entra ID allow you to delegate administrative permissions to specific subsets of users or groups within your organization, such as by department or region. By using Administrative Units, you can assign administrators to manage only the users and groups within a particular Administrative Unit, without giving them broader access to other resources in Azure Entra ID. Other features like Azure Entra ID Privileged Identity Management, Management Groups, and Role-Based Access Control (RBAC) do not provide the necessary scope limitation at the department level within Azure AD user and group management.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are Azure Entra ID Administrative Units?
How do Administrative Units differ from Role-Based Access Control (RBAC)?
What are some best practices for using Administrative Units in Azure AD?
You are an Azure administrator responsible for managing a virtual machine named VM1 that runs Windows Server 2019. You need to automate the installation of software and apply configuration settings on VM1, but you cannot connect directly to the VM. What is the best method to accomplish this?
Use Azure Automation to run a runbook against VM1
Use the Custom Script Extension to run a PowerShell script on VM1
Create a snapshot of VM1, install the software on the snapshot, and replace VM1 with the snapshot
Connect to VM1 via Remote Desktop Protocol (RDP) and install the software manually
Answer Description
Using the Custom Script Extension is the best method to automate software installation and configuration on an Azure virtual machine without direct connection. This extension runs scripts on the VM remotely, allowing administrators to perform tasks efficiently. Connecting via Remote Desktop Protocol (RDP) is not feasible when direct connection is not possible. While Azure Automation runbooks can automate tasks, they are typically used for orchestrating processes across multiple resources and may be more complex for this specific need. Creating a snapshot and replacing the VM is impractical and time-consuming for simply installing software.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the Custom Script Extension?
How does the Custom Script Extension execute PowerShell scripts?
What are some use cases for the Custom Script Extension?
Your company runs a web application on Azure virtual machines. The application load varies throughout the day, and you need to ensure efficient resource utilization by dynamically adjusting the number of virtual machines based on resource demand. You decide to use a Virtual Machine Scale Set (VMSS) to achieve this. Which feature should you configure on the VM scale set to meet these requirements?
Enable autoscaling with custom scaling rules
Set up scheduled scaling with predefined times
Use Azure Traffic Manager to distribute load
Configure manual scaling with a fixed instance count
Answer Description
By enabling autoscaling with custom scaling rules on the VM scale set, you can dynamically adjust the number of virtual machines based on metrics like CPU utilization, ensuring resources match the demand. Manual scaling with a fixed instance count would not adjust the number of instances automatically. Scheduled scaling changes the number of instances at predefined times, not based on current demand. Azure Traffic Manager distributes network traffic across regions but does not adjust the scale of virtual machines.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a Virtual Machine Scale Set (VMSS)?
How does autoscaling work in Azure VM Scale Sets?
What are custom scaling rules in Azure autoscaling?
Wow!
Looks like that's it! You can go back and review your answers or click the button below to grade your test.