Microsoft Azure Administrator Associate Practice Test (AZ-104)
Use the form below to configure your Microsoft Azure Administrator Associate Practice Test (AZ-104). The practice test can be configured to only include certain exam objectives and domains. You can choose between 5-100 questions and set a time limit.

Microsoft Azure Administrator Associate AZ-104 Information
As a candidate for this certification, you should have subject matter expertise in implementing, managing, and monitoring an organization’s Azure environment, including:
- Virtual networks
- Storage
- Compute
- Identity
- Security
- Governance
As an Azure administrator, you often serve as part of a larger team dedicated to implementing an organization's cloud infrastructure. You also coordinate with other roles to deliver Azure networking, security, database, application development, and DevOps solutions.
You should be familiar with:
- Operating systems
- Networking
- Servers
- Virtualization
In addition, you should have experience with:
- PowerShell
- Azure CLI
- The Azure portal
- Azure Resource Manager templates
- Microsoft Entra ID
Skills measured
- Manage Azure identities and governance
- Implement and manage storage
- Deploy and manage Azure compute resources
- Implement and manage virtual networking
- Monitor and maintain Azure resources
Free Microsoft Azure Administrator Associate AZ-104 Practice Test
Press start when you are ready, or press Change to modify any settings for the practice test.
- Questions: 20
- Time: Unlimited
- Included Topics:Manage Azure identities and governanceImplement and manage storageDeploy and manage Azure compute resourcesConfigure and manage virtual networkingMonitor and maintain Azure resources
You are an Azure administrator for a company that stores sensitive data in Azure Blob Storage. You want to ensure that users can access the blobs using their existing corporate credentials without managing storage account keys or shared access signatures. What should you configure to achieve this?
Configure Azure Entra ID authentication for the storage account.
Enable anonymous access on the storage account.
Provide users with the storage account access keys.
Use shared access signatures to grant access to users.
Answer Description
Configuring Azure Entra ID authentication for the storage account enables users to access blobs using their corporate credentials. This approach integrates with your organization's existing identity management, enhancing security and simplifying access control. Using shared access signatures or distributing access keys would require managing and securing keys or tokens, which you aim to avoid. Enabling anonymous access would significantly reduce security and is not appropriate for sensitive data.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Azure Entra ID authentication for Azure Blob Storage?
What is the difference between shared access signatures and Azure Entra ID authentication?
Why is enabling anonymous access inappropriate for sensitive data?
You are an Azure administrator for your company. You have configured Azure Backup for several virtual machines. Management wants a comprehensive report on the backup status and trends over time. You need to implement a solution that provides detailed information and insights into backup jobs, alerts, and usage patterns.
Which solution should you implement to meet this requirement?
Implement Azure Advisor recommendations to monitor backup health.
Use Azure Backup reports with a Log Analytics workspace.
Configure Azure Monitor metrics to track backup status.
Create custom Power BI reports by querying Azure Backup data.
Answer Description
Using Azure Backup reports with a Log Analytics workspace is the appropriate solution. Azure Backup reports offer built-in monitoring and reporting capabilities by collecting data into a Log Analytics workspace. This allows you to analyze backup data across multiple subscriptions, vaults, and regions, providing detailed insights into backup jobs, alerts, and usage patterns.
Configuring Azure Monitor metrics (Option A) can track some aspects of backup status but lacks the depth and historical analysis required for comprehensive reporting. Creating custom Power BI reports (Option C) would involve extensive manual setup and may not capture all necessary backup details effectively. Implementing Azure Advisor recommendations (Option D) focuses on best practices and optimizations, not on generating detailed backup reports.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is an Azure Log Analytics workspace?
How do Azure Backup reports collect and display data?
What is the role of Kusto Query Language (KQL) in Azure Backup reporting?
You are an Azure administrator for your organization. A group of 100 new employees is starting next week, and you need to create user accounts for them in Azure Entra ID. What is the most efficient way to accomplish this task?
Request Microsoft Support to create the user accounts for you.
Use PowerShell to write a script that creates the user accounts one by one.
Use the bulk create users feature in the Azure portal to import a CSV file with the user details.
Use the Azure portal to create each user account individually.
Answer Description
Using the bulk create users feature in the Azure portal allows you to import multiple user accounts at once by uploading a CSV file containing the user details. This method is efficient for creating a large number of users. Creating each user individually through the portal or scripting each account separately with PowerShell would be time-consuming. Microsoft Support does not offer a service to create user accounts on behalf of administrators.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Azure Entra ID?
How does the bulk create users feature work in the Azure portal?
What is CSV and why is it used for bulk operations?
An administrator needs to enable backups for an Azure App Service web app. Which prerequisite must be met before the Backups blade in the Azure portal becomes available for the app?
The web app must be integrated with Azure Active Directory
The web app must have an SSL certificate installed
The web app must be running on an App Service plan in the Basic tier or higher
The web app must have Application Insights configured
Answer Description
The backup feature is available only on App Service plans in the dedicated compute tiers-Basic, Standard, Premium, or Isolated. If the app is running in the Free or Shared tier, the Backups blade is hidden until the plan is scaled up. Application Insights, Azure AD integration, and SSL certificates are optional features and are not required to turn on backups.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is an App Service Plan in Azure?
What are the differences between Azure App Service Plan tiers?
How do you configure backups for an Azure App Service?
You are administering an Azure storage account used by several applications in your organization. For security compliance, you are required to regularly regenerate the access keys for the storage account. How can you ensure that the applications experience minimal downtime during the key regeneration process?
Pause the applications, regenerate the access keys, and then restart the applications.
Regenerate one of the access keys, and update the applications to use the regenerated key before regenerating the second key.
Delete and recreate the storage account to get new access keys.
Regenerate both access keys simultaneously to ensure security compliance.
Answer Description
To minimize downtime, you should regenerate one of the access keys, update the applications to use the regenerated key, and then regenerate the second key. This method ensures that at any given time, one valid key is available for the applications to use, preventing service interruption. Regenerating both keys simultaneously would invalidate both keys, causing the applications to lose access immediately. Deleting and recreating the storage account is unnecessary and could result in data loss. Pausing the applications leads to downtime, which the goal is to avoid.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are Azure storage account access keys?
Why does Azure provide two access keys for storage accounts?
How do you update an application to use a regenerated access key?
Your company's Azure environment includes several virtual machines that support different application workloads within the same virtual network. You need to manage network security by grouping virtual machines based on their application roles to simplify the management of inbound and outbound traffic rules. What is the best way to achieve this goal?
Implement Azure Firewall to control traffic to the virtual machines.
Assign the same network security group to all virtual machines.
Use application security groups to group the virtual machines and apply network security group rules to these groups.
Place each application workload in a separate subnet and associate a network security group with each subnet.
Answer Description
Application Security Groups (ASGs) allow you to group virtual machines based on their application roles, enabling you to apply network security group (NSG) rules to these groups rather than individual IP addresses or subnets. This approach simplifies the management of network security by providing a scalable method to control traffic flow for different workloads. Assigning the same NSG to all VMs does not provide the necessary granularity for different applications. Placing workloads in separate subnets with individual NSGs increases complexity and reduces flexibility. Implementing Azure Firewall is unnecessary for controlling traffic within a virtual network and adds unnecessary cost and complexity.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are Application Security Groups (ASGs) in Azure?
How do NSGs and ASGs work together in Azure?
Why is using ASGs more efficient than managing NSGs by IP or subnet?
You are an Azure administrator for Contoso Ltd. You have a Windows Server virtual machine named VM1 running in Azure. VM1 is backed up daily using Azure Backup with the default backup policy. VM1 experiences data corruption, and you need to restore a single file from the backup taken two days ago. What should you do first?
Use the Azure portal to create a snapshot of VM1 and extract the file.
Use Azure Storage Explorer to access the backup and retrieve the file.
Use Azure Backup to initiate a file recovery, which mounts the recovery point as a disk on VM1.
Restore the entire VM1 to a new virtual machine.
Answer Description
To restore individual files from a VM backup, you should use Azure Backup to initiate a file recovery. This process allows you to browse and restore files and folders from a recovery point without restoring the entire VM. Azure Backup mounts the recovery point as a disk on VM1, enabling you to access and copy the required files.
Restoring the entire VM to a new virtual machine is unnecessary when only a single file needs to be restored, and it is more time-consuming.
Creating a snapshot of VM1 does not help in this situation because the current VM is already corrupted, and snapshots only capture the current state.
Azure Storage Explorer cannot access Azure Backup recovery points directly; it is used to manage Azure Storage resources, not to retrieve files from VM backups.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a recovery point in Azure Backup?
How does Azure Backup mount a recovery point as a disk?
Why can't Azure Storage Explorer access Azure Backup recovery points?
An administrator needs to grant temporary read access to blobs in a container to clients who cannot authenticate using the storage account's keys or existing authentication mechanisms. What should they configure to achieve this?
Role-Based Access Control
Stored access policies
Account keys
Shared Access Signatures
Answer Description
Using Shared Access Signatures (SAS) allows the administrator to grant temporary, limited access to resources in the storage account without sharing the account keys or requiring standard authentication. SAS tokens can specify permissions, such as read access, and set an expiration time, providing secure and granular access control. Stored access policies are used with SAS to manage constraints for one or more shared access signatures but don't grant access on their own. Distributing account keys is insecure and provides full access to the storage account. Role-Based Access Control (RBAC) requires clients to authenticate, which these clients cannot do.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a Shared Access Signature (SAS) in Azure?
How are Stored Access Policies related to SAS?
Why is using Account Keys considered insecure in granting access?
You need to configure replication of an Azure virtual machine to a secondary region for disaster recovery purposes. Which resource must you create first?
A Recovery Services vault
An Azure Container Registry
A Traffic Manager profile
A Network Security Group
Answer Description
To enable replication of Azure virtual machines to a secondary region using Azure Site Recovery, you must first create a Recovery Services vault. This vault holds the configuration and management settings for site recovery and orchestrates the replication process. The other options—Azure Container Registry, Traffic Manager profile, and Network Security Group—do not facilitate VM replication for disaster recovery.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a Recovery Services vault?
How does Azure Site Recovery work with a Recovery Services vault?
Why are Azure Container Registry, Traffic Manager, and Network Security Group incorrect for this purpose?
You are an Azure administrator for your company. The company has a critical resource group named ProdRG that contains production workloads. You need to protect resources within ProdRG from accidental deletion without restricting authorized users from modifying them as needed. What should you do?
Apply a Read-only lock to ProdRG.
Assign the Owner role to yourself on ProdRG.
Apply a CanNotDelete lock to ProdRG.
Enable soft delete on resources in ProdRG.
Answer Description
Applying a CanNotDelete lock to the resource group ProdRG is the appropriate action. A CanNotDelete lock prevents users from deleting the resource group or any resources within it but allows modifications. This ensures that critical resources are protected from accidental deletion while remaining editable. Applying a Read-only lock would be too restrictive, as it prevents any modifications to the resources, which might hinder normal operations. Assigning the Owner role to yourself does not prevent others with sufficient permissions from deleting resources. Enabling soft delete is not a feature that applies universally to all resources within a resource group.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a CanNotDelete lock in Azure?
How is a CanNotDelete lock different from a Read-only lock?
At which levels can resource locks be applied in Azure?
You are an Azure administrator for a company developing web applications. You need to create an App Service plan for a new web application that must:
- Automatically scale out to multiple instances based on demand
- Support custom domains and SSL certificates
- Provide deployment slots for testing
You want to minimize costs while meeting these requirements.
Which App Service plan tier should you select?
Premium (P1)
Shared (D1)
Basic (B1)
Standard (S1)
Answer Description
Standard (S1) is the appropriate App Service plan tier because it provides all the required features at the lowest cost tier that supports them. The Standard tier supports automatic scaling to multiple instances, custom domains and SSL certificates, and deployment slots for testing. The Basic tier does not support auto-scaling or deployment slots. The Shared tier lacks support for custom domains, SSL, and auto-scaling. The Premium tier also meets the requirements but is more expensive and includes additional features not necessary in this scenario.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is an App Service plan in Azure?
What are deployment slots in Azure App Service?
Why doesn’t the Basic App Service plan support auto-scaling?
You need to ensure that only certain internet-based clients can access your Azure Storage account. Which feature should you configure to achieve this?
Use a Network Security Group to allow incoming traffic from those clients
Set up a Virtual Network Service Endpoint for the storage account
Configure the storage account's firewall to permit access from those clients
Enable Azure DDoS Protection for the storage account
Answer Description
To allow access only from specific internet-based clients, you should configure the storage account's firewall settings to permit those clients. The firewall allows you to specify which public network locations (such as IP addresses) are allowed to access the storage account. Network Security Groups (NSGs) are used to control traffic at the subnet or network interface level within Azure Virtual Networks and cannot be applied directly to storage accounts. Azure DDoS Protection helps mitigate distributed denial-of-service attacks but does not restrict access to specific clients. Virtual Network Service Endpoints secure access to storage accounts from within Azure Virtual Networks, not from external clients on the internet.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the Azure Storage Account Firewall?
How do IP rules in the Azure Storage Account Firewall work?
How does a Network Security Group (NSG) differ from a Storage Account Firewall?
You need to provide a group of users with read access to data in an Azure Storage account by using their Microsoft Entra ID credentials. Which action should you take?
Generate a storage account access key and share it with the users.
Enable the 'Allow Blob public access' setting on the storage account.
Create a Shared Access Signature (SAS) token and distribute it to the users.
Assign the 'Storage Blob Data Reader' role to the users at the storage account level.
Answer Description
Assigning the 'Storage Blob Data Reader' role to the users at the storage account level enables them to authenticate by using their Microsoft Entra ID credentials and grants them read access to the data. Distributing a Shared Access Signature (SAS) token or access keys involves sharing sensitive secrets and does not leverage Microsoft Entra ID authentication. Enabling public access would expose the data to anonymous users, compromising security.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the 'Storage Blob Data Reader' role in Azure?
What is the role of Microsoft Entra ID in Azure storage access?
What are the risks of using Shared Access Signatures (SAS) or access keys?
Your company needs to collect specific Windows event logs and performance counters from Azure virtual machines for centralized analysis. You have installed the Azure Monitor Agent on the virtual machines. What should you configure next to collect the required data?
Create data collection rules in Azure Monitor to specify the data to collect.
Configure diagnostic settings on the virtual machines to send logs.
Enable Boot Diagnostics on the virtual machines.
Install the Azure Diagnostics Agent on the virtual machines.
Answer Description
After installing the Azure Monitor Agent, you need to create data collection rules in Azure Monitor to specify which data to collect from the virtual machines. Data collection rules define the events and performance counters to be gathered and sent to a Log Analytics workspace for analysis. Configuring diagnostic settings on the virtual machines is used for collecting platform metrics and logs to destinations like storage accounts or event hubs, but it does not involve the Azure Monitor Agent. Enabling Boot Diagnostics collects boot logs for troubleshooting startup issues and does not help in collecting Windows event logs or performance counters. Installing the Azure Diagnostics Agent is deprecated; the Azure Monitor Agent is the recommended solution for data collection.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are Data Collection Rules in Azure Monitor?
What is the difference between Azure Monitor Agent and Azure Diagnostics Agent?
Why is configuring diagnostic settings not the correct solution here?
An administrator at Contoso Ltd needs to allow external users to collaborate on a project with internal staff using Azure Entra ID. The external users should be able to sign in using their existing email accounts without creating new credentials. How should the administrator accomplish this?
Implement a custom authentication solution for guest access
Use Azure Entra ID B2B collaboration to invite guest users
Enable Azure Entra ID B2C and configure user flows for external users
Create new user accounts in Azure Entra ID for the external users
Answer Description
The administrator should use Azure Entra ID B2B collaboration to invite guest users. This feature allows external users to access resources using their existing identities without the need to create new credentials. Azure Entra ID B2B provides secure collaboration capabilities for external users in a business-to-business scenario.
Creating new user accounts for external users is inefficient and does not leverage guest account features. Azure Entra ID B2C (Business-to-Consumer) is intended for consumer-facing applications and is not suitable for internal collaboration. Implementing a custom authentication solution is unnecessary when Azure Entra ID provides built-in features for guest access.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Azure Entra ID B2B collaboration?
How does Azure Entra ID B2B differ from Azure Entra ID B2C?
What are some security features of Azure Entra ID B2B collaboration?
You need to implement a daily backup solution for an Azure virtual machine named VM1. The solution must allow you to restore individual files from the backup as needed. What should you do?
Use Azure Site Recovery to replicate VM1 to another region.
Enable disk snapshots on VM1 and schedule daily snapshots.
Configure a custom script to copy VM1’s VHD files to Azure Blob storage daily.
Use Azure Backup to back up VM1 with a daily backup policy.
Answer Description
Using Azure Backup to back up VM1 with a daily backup policy is the best solution because Azure Backup provides VM-level backups with the ability to restore individual files or folders (file-level recovery). It supports scheduling daily backups and allows you to recover data at the file level without restoring the entire virtual machine.
Using Azure Site Recovery is intended for disaster recovery and replicates entire virtual machines to another region. It does not provide a straightforward way to restore individual files.
Enabling disk snapshots captures the state of VM disks at a point in time but does not support restoring individual files easily. Restoring from snapshots typically involves replacing entire disks.
Configuring a custom script to copy VM1’s VHD files to Azure Blob storage is not efficient and does not provide capabilities for file-level recovery. It also lacks the management and automation features provided by Azure Backup.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
How does Azure Backup enable file-level recovery?
What scenarios is Azure Site Recovery best suited for?
What is the difference between Azure Backup and disk snapshots?
You are an Azure administrator responsible for a hybrid cloud environment. Users in the on-premises network are experiencing intermittent connectivity issues when accessing resources in Azure. You need to monitor and diagnose these connectivity issues by analyzing communication between the on-premises network and Azure resources. Which tool should you use to achieve this?
Azure Log Analytics
Azure Monitor Metrics
Azure Advisor
Azure Network Watcher Connection Monitor
Answer Description
Azure Network Watcher Connection Monitor provides end-to-end monitoring of connectivity between Azure and on-premises resources. It enables you to analyze communication, measure latency, and diagnose issues, making it the appropriate tool for troubleshooting connectivity problems in a hybrid environment.
Azure Monitor Metrics collects and visualizes numerical data from Azure resources but does not specifically monitor communication between on-premises and Azure.
Azure Advisor offers recommendations to optimize Azure deployments but does not assist in monitoring network connectivity.
Azure Log Analytics collects and analyzes log data but does not actively monitor real-time communication between on-premises networks and Azure resources.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
How does Azure Network Watcher Connection Monitor work?
What is the difference between Azure Network Watcher Connection Monitor and Azure Monitor Metrics?
Can Azure Log Analytics be integrated with Azure Network Watcher?
You have an Azure Storage Account that must be accessible only from a specific subnet in your virtual network. You need to prevent internet access to the storage account and deny access from other subnets. What should you configure to meet these requirements?
Configure a network security group to allow traffic from the subnet to the storage account
Implement virtual network peering between the subnet and the storage account
Create a service endpoint for Azure Storage on the subnet
Create a private endpoint for the storage account
Answer Description
Creating a private endpoint for the storage account is the correct solution. A private endpoint assigns the storage account a private IP address within the specified subnet, which brings the service into the virtual network. By disabling public network access on the storage account, you ensure it is only accessible via its private IP, which meets the requirement to prevent internet access. A service endpoint secures the connection from a subnet to an Azure service's public endpoint over the Azure backbone network. While you can use firewall rules to restrict access to only the subnet with the service endpoint, the public endpoint itself is not disabled. Configuring a network security group (NSG) controls traffic flow within a virtual network but cannot prevent access to the storage account's public endpoint from the internet. Virtual network peering connects virtual networks to each other and does not directly control access to a storage account.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a private endpoint in Azure?
How does a service endpoint differ from a private endpoint?
What are the limitations of using only a Network Security Group (NSG) to restrict storage access?
Your company owns the domain 'contoso.com', which is managed as a public zone in Azure DNS. You have a web application running on an Azure Virtual Machine that is accessible via a public network address. You need to configure settings so that users on the internet can access the web application using 'app.contoso.com'. What should you do to accomplish this?
Create an A record in the 'contoso.com' zone mapping 'app' to the address of the virtual machine
Create a CNAME record in the 'contoso.com' zone pointing 'app' to the address of the virtual machine
Create an MX record in the 'contoso.com' zone pointing 'app' to the address of the virtual machine
Create an NS record in the 'contoso.com' zone for 'app' pointing to the name servers of the virtual machine
Answer Description
To allow users on the internet to access 'app.contoso.com', you need to create an A record in the 'contoso.com' zone that maps 'app' to the public IP address of the virtual machine. An A record associates a domain name with an IPv4 address, enabling clients to resolve the domain name to the address of the web application. A CNAME record cannot point directly to an IP address; it aliases one domain name to another domain name. NS records are used to delegate a subdomain to different name servers, and MX records are used for email routing. Therefore, creating an A record is the appropriate action.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is an A record in DNS?
Why can't you use a CNAME record to map to an IP address?
When should you use an NS record in DNS?
Your company has an on-premises network connected to Azure via an ExpressRoute connection. You need to configure access from your on-premises servers to an Azure Storage Account, ensuring that the traffic uses private IP addresses and does not traverse the internet. Which Azure feature should you implement?
Configure a Private Endpoint for the Storage Account.
Enable Service Endpoint for the Storage Account.
Use Azure Traffic Manager to route traffic.
Enable Azure DDoS Protection on the Storage Account.
Answer Description
By configuring a Private Endpoint for the Storage Account, you assign it a private IP address within your virtual network. This allows on-premises servers to access the Storage Account over the ExpressRoute connection without the traffic traversing the internet. Service Endpoints do not extend to on-premises networks and still rely on public IP addresses for the service. Azure Traffic Manager provides DNS-based traffic routing and does not facilitate private connectivity. Enabling Azure DDoS Protection enhances security but does not address the requirement for private network access.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a Private Endpoint in Azure?
How does ExpressRoute work with Private Endpoints?
Why can’t Service Endpoints be used for on-premises connectivity?
Gnarly!
Looks like that's it! You can go back and review your answers or click the button below to grade your test.