Microsoft AZ-104 Online Practice
Questions and Exam Preparation
AZ-104 Exam Details
Exam Code
:AZ-104
Exam Name
:Microsoft Azure Administrator
Certification
:Microsoft Certifications
Vendor
:Microsoft
Total Questions
:852 Q&As
Last Updated
:May 28, 2026
Microsoft AZ-104 Online Questions &
Answers
Question 171:
HOTSPOT
You have an Azure subscription that contains a virtual network named VNET in the East Us 2 region. A network interface named VM1-NI is connected to VNET1.
You successfully deploy the following Azure Resource Manager template.'
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
VM1 and VM2 can connect to VNET1. - Yes
If an Azure datacenter becomes unavailable, VM1 or VM2 will be available. - Yes
If the East US 2 region becomes unavailable, VM1 or VM2 will be available. - No
- Both VMs are deployed with NICs in the same virtual network, so network connectivity to VNET1 is expected.
- Deploying across Availability Zones in a region provides resiliency against a single datacenter/zone failure.
- Availability Zones do *not* provide protection from a *regional* outage. To survive a full region outage, you need cross-region disaster recovery (paired regions, geo-redundant design, etc.
AZ-104 Exam Objective Hierarchy (map for this question) 3.0 Deploy and manage Azure compute resources |__3.1 Configure virtual machines |__|__3.1.3 Configure high availability 4.0 Configure and manage virtual networking |__4.1 Configure virtual networks
Question 172:
You have an Azure subscription that contains the resources shown in the following table.
You configure Azure Site Recovery to replicate VM1 between the US East and West US regions.
You perform a test failover of VM1 and specify VNET2 as the target virtual network.
When the test version of VM1 is created, to which subnet will the virtual machine be connected?
A. TestSubnet1 B. DemoSubnet1 C. RecoverySubnetA D. RecoverySubnetB
B. DemoSubnet1
DemoSubnet1
In many ASR test failover flows, if a specific subnet mapping isn't explicitly selected for the test failover VM NIC, the system uses the default subnet selection behavior for the target VNet (commonly the first/default subnet selection available in the workflow). Given the provided choices and the scenario wording (only the target VNet is explicitly specified), DemoSubnet1 is the expected subnet.
Why the other coptions are not correct:
- The stem does not state that you configured explicit subnet mapping to align address prefixes or subnet names; therefore selecting a "matching prefix" subnet is not guaranteed by the information provided.
Microsoft Exam Tips:
- If the question says only "specify target VNet" (and says nothing about NIC/subnet mapping), expect "default subnet selection" behavior to be tested.
Summary:
- ASR test failover target network behavior and subnet selection assumptions when subnet mapping is not specified.
AZ-104 Exam Objective Hierarchy:
5.0 Monitor and maintain Azure resources |__ 5.2 Implement backup and recovery |__ |__ 5.2.5 Configure Azure Site Recovery for Azure resources.
Question 173:
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company has an Azure Active Directory (Azure AD) tenant that is configured for hybrid coexistence with the on-premises Active Directory domain.
You have implemented Azure Backup to protect on-premises virtual machines (VMs).
A user accidentally deletes a file from an on-premises VM named VM1.
You need to recover the deleted file to an on-premises computer as quickly as possible.
Solution: You use Azure File Sync to recover the file.
Azure File Sync is used to synchronize Azure Files with on-premises Windows Servers via a sync group and server endpoints. It is not an Azure Backup restore mechanism for recovering deleted files from an on-prem VM backup set. The requirement is specifically to recover a deleted file "as quickly as possible" from Azure Backup protection-this is done via Azure Backup restore operations, not by enabling Azure File Sync. (1)
Why the other selection is not correct:
- Yes: File Sync does not replace Azure Backup restore operations for recovering deleted files from backups. (1)
{ 1. Tutorial: Recover files from Azure to a Windows Server (Azure Backup / MARS) https://learn.microsoft.com/en-us/azure/backup/tutorial-backup-restore-files-windows-server Date Modified: Apr 30, 2025 Date Accessed: 01/25/2026
5 Monitor and maintain Azure resources (10?5%) |__ 5.2 Implement backup and recovery |__ 5.2.4 Perform backup and restore operations by using Azure Backup
Question 174:
HOTSPOT
You have an Azure subscription that contains a storage account named storage1. The storage1 account contains a container named container1.
You create a blob lifecycle rule named rule1.
You need to configure rule1 to automatically move blobs that were NOT updated for 45 days from contained to the Cool access tier.
How should you complete the rule? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Property: daysAfterModificationGreaterThan
Blob type: Blockblob
Why these are correct:
- “NOT updated for 45 days” maps to last-modified time, which corresponds to daysAfterModificationGreaterThan.
- The scenario is targeting blob objects in the container; the correct blob type selection shown is Blockblob.
Why the other options are incorrect:
- daysAfterCreationGreaterThan keys off creation time, not last modification time.
- daysAfterLastAccessTimeGreaterThan is last-access time, not “updated/modified.”
- Pageblob is a different blob type and would not match the intended object type selection.
Exam Tips:
- If the stem says “not updated/modified,” think “Modification,” not “Creation.”
- “Last access time” requires separate enablement and is a different signal than modification.
Summary:
Use daysAfterModificationGreaterThan and Blockblob.
AZ-104 Exam Objective Hierarchy:
2.0 Implement and manage storage (15–20%) |__2.2 Configure storage accounts
Question 175:
You have an Azure App Service app named App1 that contains two running instances.
You have an autoscale rule configured as shown in the following exhibit.
For the Instance limits scale condition setting, you set Maximum to 5.
During a 30-minute period, App1 uses 80 percent of the available memory.
What is the maximum number of instances for App1 during the 30-minute period?
A. 2 B. 3 C. 4 D. 5
D. 5
The autoscale rule scales out by 1 when the memory threshold is exceeded for the configured evaluation window, and it can continue scaling out after cooldown until it hits the instance maximum. Since the maximum is set to 5 and the memory condition remains high for the entire 30-minute period, autoscale can increase the instance count up to the configured maximum.
Why the other choices are not correct:
- 2, 3, and 4 do not reflect the configured maximum (5) when the scale-out condition is sustained long enough to trigger multiple scale actions.
Exam Tips:
- If the stem says the metric stays above threshold for a long interval and a Maximum is defined, the "maximum instances" answer is frequently the configured Maximum.
Summary:
- Azure Monitor autoscale behavior: scale-out actions, cooldown, and maximum instance limit.
AZ-104 Exam Objective Hierarchy:
3.0 Deploy and manage Azure compute resources |__ 3.4 Create and configure Azure App Service |__ |__ 3.4.2 Configure scaling for an App Service plan
Question 176:
You have an Azure web app named App1.
App1 runs in an Azure App Service plan named Plan1.
Plan1 is associated to the Free pricing tier.
You discover that App1 stops each day after running continuously for 60 minutes.
You need to ensure that App1 can run continuously for the entire day.
Solution: You change the pricing tier of Plan1 to Shared.
Free tier App Service plans enforce tight quota limits. If the app stops after running continuously for a short period due to quotas, moving from Free to Shared does not guarantee "continuous for the entire day," because Shared also has strict limitations/quota behavior. Typically, to run continuously and avoid Free/Shared limitations, you move to a dedicated tier such as Basic/Standard (as applicable), depending on the exact feature/quota constraint.
Why the other choices are not correct:
- Yes:
Changing from Free to Shared does not inherently remove the class of Free/Shared quota constraints that commonly cause sites to stop.
1. Microsoft. (2025, March 31). Azure App Service quotas and metrics. https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-app-service-limits Date Modified: 03/31/2025 Date Accessed: 01/25/2026
-------------------------------------------------------------------------------- Microsoft Exam Tips:
- AZ-104: If an App Service question mentions "Free" (or "Shared") and the symptom is a workload stopping, immediately think "quota/limitations" and "scale to a dedicated tier."
- "Scale up" (pricing tier) is different from "scale out" (instance count).
3.0 Deploy and manage Azure compute resources (20?5%) |__ 3.4 Create and configure Azure App Service |__ 3.4.1 Provision an App Service plan
Question 177:
HOTSPOT
You have an Azure Active Directory (Azure AD) tenant that contains three global administrators named Admin1, Admin2, and Admin3.
The tenant is associated to an Azure subscription. Access control for the subscription is configured as shown in the Access control exhibit. (Click the Access Control tab.)
You sign in to the Azure portal as Admin1 and configure the tenant as shown in the Tenant exhibit. (Click the Tenant tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Statement 1: Yes Statement 2: Yes Statement 3: No
Explanation (Why this is correct)
- Statement 1 (Yes): A Microsoft Entra Global Administrator can elevate access to manage Azure subscriptions/management groups (when the tenant setting is enabled), which enables making role assignments at subscription scope (including assigning Owner).
- Statement 2 (Yes): Admin3 is already an Owner at the subscription scope (per exhibit). Owners can assign roles such as Owner to other users.
- Statement 3 (No): Admin2 being a Global Administrator does not inherently grant Azure resource-plane permissions (like creating a resource group) unless Azure RBAC permissions are assigned (or they elevate and then assign themselves permissions).
Exam Tip
- “Global Administrator” is a directory role. Resource group creation is an Azure RBAC permission problem.
References (APA)
- Microsoft. (n.d.). Elevate access to manage all Azure subscriptions and management groups. Microsoft Learn. https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin
- Microsoft. (n.d.). Azure RBAC: Built-in roles. Microsoft Learn. https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
AZ-104 Exam Objective Hierarchy 1.0 Manage Azure identities and governance (20–25%) |__1.2 Manage access to Azure resources |__|__1.2.1 Manage built-in Azure roles |__|__1.2.2 Assign roles at different scopes |__|__1.2.3 Interpret access assignments
Question 178:
You have an Azure subscription that contains 10 virtual machines.
You need to ensure that you receive an email message when any virtual machines are powered off, restarted, or deallocated.
What is the minimum number of rules and action groups that you require?
A. three rules and three action groups B. one rule and one action group C. three rules and one action group D. one rule and three action groups
To receive email notifications for different VM state-change operations (powered off, restarted, deallocated), you typically need separate alert rules because the underlying signals/operation names differ per event type (for example, restart vs deallocate). However, you can reuse a single action group for email notification across multiple alert rules. Action groups are designed to be shared and attached to multiple alert rules. (1) (2)
Why the other selections are incorrect:
- three rules and three action groups: Incorrect because one action group can be reused across multiple alert rules; you do not need three separate action groups to send email. (2)
- one rule and one action group: Incorrect because one rule usually targets one signal/operation condition; the three events are distinct operations and typically require separate rules. (1)
- one rule and three action groups: Incorrect because you still need separate rules for distinct events, and multiple action groups are unnecessary when one shared action group can notify email. (2)
1. Create or edit an activity log, service health, or resource health alert rule https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-create-activity-log-alert-rule Date Modified: Unable to locate date modified Date Accessed: 01/25/2026 2. Create and manage action groups in Azure Monitor https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups Date Modified: 12/15/2025 Date Accessed: 01/25/2026
-------------------------------------------------------------------------------- Microsoft Exam Tips:
- "Minimum number" questions often test reuse: action groups are reusable; don't multiply them unnecessarily.
- Separate "event types/operations" generally implies multiple alert rules.
5 Monitor and maintain Azure resources (10?5%) |__ 5.1 Monitor resources in Azure |__ 5.1.4 Set up alert rules, action groups, and alert processing rules in Azure Monitor
Question 179:
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You deploy an Azure Kubernetes Service (AKS) cluster named AKS1.
You need to deploy a YAML file to AKS1.
Solution: From Azure CLI, you run the kubectl client.
Using the kubectl client is the standard way to deploy a YAML manifest to a Kubernetes cluster (including AKS), typically with kubectl apply -f <file>. Therefore, this meets the goal.
Not selected:
- No: incorrect because kubectl is the correct tool for applying manifests.
References:
1. AKS quickstart (kubectl is used to manage the cluster after credentials are configured) https://learn.microsoft.com/en-us/azure/aks/learn/quick-kubernetes-deploy-cli Date Modified: 08/19/2025 Date Accessed: 01/24/2026
Microsoft Exam Tips:
- If the question is "deploy YAML," the safest first thought is kubectl apply.
Summary:
Deploying YAML to AKS using kubectl.
AZ-104 Exam Objective Hierarchy:
3.0 Deploy and manage Azure compute resources (20?5%) | |__ 3.3 Provision and manage containers in the Azure portal
Question 180:
DRAG DROP
You have downloaded an Azure Resource Manager (ARM) template to deploy numerous virtual machines (VMs). The ARM template is based on a current VM, but must be adapted to reference an administrative password.
You need to make sure that the password cannot be stored in plain text.
You are preparing to create the necessary components to achieve your goal.
Which of the following should you create to achieve your goal? Answer by dragging the correct option from the list to the answer area.
Select and Place:
Box 1: An Azure Key Vault
Box 2: An access policy
Explanation:
The ARM template must reference an administrative password securely. Best practice is to store the password as a **secret in Azure Key Vault** and allow the deployment engine (ARM) to retrieve it during deployment.
Why these selections are correct:
- An Azure Key Vault
- Provides secure storage for secrets (like admin passwords) so you don’t hardcode credentials in the ARM template or parameter files.
- An access policy
- The template deployment needs permission to retrieve the secret during deployment (for example, enabling Key Vault access for template deployment / granting the required access). Microsoft’s ARM + Key Vault guidance explicitly calls out enabling access so the template can retrieve the secret. :contentReference[oaicite:0]{index=0}
Why the other options are not correct:
- An Azure Storage account
- Not required for securely storing the admin password for an ARM template.
- Azure Active Directory (AD) Identity Protection
- Identity Protection is about risk-based detection and remediation, not secret storage for templates.
- An Azure policy
- Azure Policy can enforce standards, but it doesn’t store or provide a secret value to a template.
- A backup policy
- Unrelated to passing an admin password into an ARM deployment.
References:
1. Microsoft Learn. Use Azure Key Vault in templates - Azure Resource Manager.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-use-key-vault Last updated: Oct 29, 2025. Date Accessed: 01/26/2026. :contentReference[oaicite:1]{index=1}
2. Microsoft Learn. Key Vault secret with template - Azure Resource Manager (enabledForTemplateDeployment).
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter Last updated: Unable to locate on page. Date Accessed: 01/26/2026. :contentReference[oaicite:2]{index=2}
Microsoft Exam Tips:
- If the scenario says “ARM template needs a password/secret,” think: **Key Vault + allow template deployment access**.
- Exam writers love “don’t hardcode secrets” patterns-Key Vault is the canonical answer.
Summary:
Secure secret handling for ARM template deployments by storing an admin password in Key Vault and granting the template deployment access.
AZ-104 Exam Objective Hierarchy:
3.0 - Deploy and manage Azure compute resources (20–25%) |__ 3.1 - Automate deployment of resources by using Azure Resource Manager (ARM) templates or Bicep files
|__ 3.1.4 - Deploy resources by using an Azure Resource Manager template or a Bicep file
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Microsoft exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your AZ-104 exam preparations
and Microsoft certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.
