Microsoft AZ-104 Online Practice Questions and Exam Preparation

Microsoft AZ-104 Online Questions & Answers

• Question 391:

  You create a private endpoint for an Azure SQL Database in VNetA.

  You also create a private DNS zone named privatelink.database.windows.net and link it to VNetA.

  You peer VNetA with VNetB. Virtual machines in VNetB must resolve the SQL Database FQDN to the private endpoint IP address.

  A. Create a public DNS A record for the SQL Database name that points to the private endpoint IP
  B. Link the private DNS zone to VNetB
  C. Create an NSG rule that allows UDP 53 from VNetB to VNetA
  D. Enable Azure DNS proxy on the virtual network gateway in VNetA
  B. Link the private DNS zone to VNetB

  ---

  Explanation

  --------------------------------------------------------------------------------

  Link the private DNS zone to VNetB

  --------------------------------------------------------------------------------

  Private endpoint name resolution is normally handled through a corresponding **Private DNS zone** (for example, privatelink.database.windows.net). Any virtual network that must resolve the private endpoint FQDN to the **private IP** must have the private DNS zone **linked** to that VNet. Linking the zone to **VNetB** enables VMs in VNetB to resolve the SQL Database FQDN to the private endpoint IP, even when VNets are peered.

  Why the other selections are incorrect:

  Create a public DNS A record for the SQL Database name that points to the private endpoint IP: This exposes a private IP in public DNS and does not follow private endpoint DNS integration patterns.

  Create an NSG rule that allows UDP 53 from VNetB to VNetA: NSGs do not provide DNS name resolution; the core requirement is correct DNS zone linking/records.

  Enable Azure DNS proxy on the virtual network gateway in VNetA: DNS proxy is not the standard requirement for private endpoint DNS; the expected control is the private DNS zone link (and appropriate DNS forwarders if using custom DNS).

  -------------------------------------------------------------------------------- References:

  1. Private endpoint DNS integration https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns Date Modified: Unable to locate exact date in this session Date Access: 01/25/2026 2. Azure Private DNS zones and virtual network links https://learn.microsoft.com/en-us/azure/dns/private-dns-privatednszone Date Modified: Unable to locate exact date in this session Date Access: 01/25/2026

  -------------------------------------------------------------------------------- Microsoft Exam Tips:

  - Private Endpoint DNS questions usually reduce to: **create/associate the Private DNS zone** and **link it to every VNet that needs resolution**.

  - VNet peering alone does not automatically "share" Private DNS zone links.

  Summary:

  Private endpoint DNS resolution across peered VNets using Private DNS zone links.

  AZ-104 Exam Objective Hierarchy:

  4.0 Configure and manage virtual networking |__ 4.3 Configure name resolution and load balancing |__ 4.3.1 Configure Azure DNS (best fit)

• Question 392:

  Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

  You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load Balancer. The effective network security configurations for VM2 are shown in the following exhibit.

  

  You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail. You verify that the Load Balancer rules are configured correctly.

  You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.

  Solution: You modify the priority of the Allow_131.107.100.50 inbound security rule.

  Does this meet the goal?

  A. Yes
  B. No
  B. No

  ---

  No

  Why "No" is correct:

  • The scenario shows effective security rules and states that connections from 131.107.100.50 to TCP 443 fail.
  • The proposed solution is: "You modify the priority of the Allow_131.107.100.50 inbound security rule."
  • In an NSG, rules are processed in priority order (lower number = evaluated first). If an allow rule already has a higher priority than the blocking rule, changing its priority may not resolve the problem (and could even make it worse if you accidentally lower its priority below the deny).
  • Given the exhibit, the failure is more consistent with the presence of a deny rule that still takes effect (for example, because the allow rule's destination/port/scope does not actually match the failing flow, or because another path/NSG is applying). Simply changing the priority of that allow rule is not guaranteed to meet the goal as stated, so "No" is the correct evaluation.

  Why the other choice is incorrect:

  • Yes: "Yes" would only be correct if the problem were clearly caused by the allow rule being evaluated after a conflicting deny rule and modifying the priority would definitively fix the effective rule set. The exhibit/wording does not support that certainty.

  Exam Tips:

  • When judging "Does this meet the goal?" focus on whether the proposed change is both necessary and sufficient.
  • NSG priority questions: lower number wins; be careful not to "fix" the issue by moving an allow rule in the wrong direction.

  Summary:

  • NSG effective rules and priority evaluation; validating whether a proposed remediation is sufficient.

  AZ-104 Exam Objective Hierarchy:
  
  4.0 Implement and Manage Virtual Networking (15–20%)
  |__ 4.2 Configure Secure Access to Virtual Networks
  |__ 4.2.2 Evaluate Effective Security Rules in NSGs

• Question 393:

  DRAG DROP

  You have an on-premises network that you plan to connect to Azure by using a site-so-site VPN.

  In Azure, you have an Azure virtual network named VNet1 that uses an address space of 10.0.0.0/16 VNet1 contains a subnet named Subnet1 that uses an address space of 10.0.0.0/24.

  You need to create a site-to-site VPN to Azure.

  Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

  NOTE: More than one order of answer choice is correct. You will receive credit for any of the correct orders you select.

  Select and Place:

  

  

  ---

  Step 1: Create a gateway subnet.

  Step 2: Create a VPN gateway.

  Step 3: Create a local gateway.

  Step 4: Create a VPN connection.

  Explanation:

  To connect an on-premises network to Azure using a site-to-site (S2S) VPN, you build the VPN Gateway architecture in a specific sequence.

  Why the steps are correct (and why order matters):

  Step 1: Create a gateway subnet.

  - A VPN gateway must be deployed into a dedicated subnet named GatewaySubnet. Azure uses this subnet to host the managed gateway instances and services. :contentReference[oaicite:0]{index=0}

  Step 2: Create a VPN gateway.

  - The VPN gateway (virtual network gateway) is the Azure-side VPN endpoint that terminates the IPsec/IKE tunnel. You can’t create the tunnel without first deploying the gateway. :contentReference[oaicite:1]{index=1}

  Step 3: Create a local gateway.

  - “Local gateway” here corresponds to the Local network gateway object, which represents your on-premises VPN device/public IP and on-prem address prefixes for routing. :contentReference[oaicite:2]{index=2}

  Step 4: Create a VPN connection.

  - The connection binds the Azure VPN gateway to the local network gateway using a shared key and the selected connection settings. :contentReference[oaicite:3]{index=3}

  Why the other actions are not correct:

  - Create a custom DNS server.

  - DNS configuration is unrelated to establishing the S2S VPN tunnel.

  - Create an Azure Content Delivery Network (CDN) profile.

  - CDN is for content caching/edge delivery, not private connectivity.

  References:

  1. Microsoft Learn. Tutorial: Create a site-to-site VPN connection in the Azure portal.

  https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal Last updated: 07/09/2025. Date Accessed: 01/26/2026. :contentReference[oaicite:4]{index=4}

  2. Microsoft Learn. Azure VPN Gateway configuration settings (Gateway subnet; Local network gateways).

  https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings Last updated: 03/31/2025. Date Accessed: 01/26/2026. :contentReference[oaicite:5]{index=5}

  Microsoft Exam Tips:

  - For S2S VPN, remember the object chain: GatewaySubnet --> VPN gateway --> Local network gateway --> Connection.

  - If you see “GatewaySubnet” in options, it’s usually an early step because the VPN gateway can’t exist without it.

  - “Local network gateway” = the on-prem representation (public IP/FQDN + on-prem prefixes).

  Summary:

  This question covered the correct build order for establishing an Azure site-to-site VPN: create the gateway subnet, deploy the VPN gateway, define the on-premises representation (local network gateway), then create the VPN connection.

  AZ-104 Exam Objective Hierarchy:

  4.0 - Implement and manage virtual networking (15–20%) |__ 4.2 - Configure secure access to virtual networks |__ 4.2.1 - Create and configure network security groups (NSGs) and application security groups

  A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it. For more information about VPN gateways, see About VPN gateway.

  

  1. Create a virtual network You can create a VNet with the Resource Manager deployment model and the Azure portal 2. Create the gateway subnet :

  The virtual network gateway uses specific subnet called the gateway subnet. The gateway subnet is part of the virtual network IP address range that you specify when configuring your virtual network. It contains the IP addresses that the virtual network gateway resources and services use.

  3. Create the VPN gateway :

  You create the virtual network gateway for your VNet. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU.

  4. Create the local network gateway:

  The local network gateway typically refers to your on-premises location. You give the site a name by which Azure can refer to it, then specify the IP address of the on-premises VPN device to which you will create a connection. You also specify the IP address prefixes that will be routed through the VPN gateway to the VPN device. The address prefixes you specify are the prefixes located on your on- premises network. If your on-premises network changes or you need to change the public IP address for the VPN device, you can easily update the values later.

  5. Configure your VPN device:

  Site-to-Site connections to an on-premises network require a VPN device. In this step, you configure your VPN device. When configuring your VPN device, you need the following:

  A shared key. This is the same shared key that you specify when creating your Site-to-Site VPN connection. In our examples, we use a basic shared key. We recommend that you generate a more complex key to use.

  The Public IP address of your virtual network gateway. You can view the public IP address by using the Azure portal, PowerShell, or CLI. To find the Public IP address of your VPN gateway using the Azure portal, navigate to Virtual network gateways, then click the name of your gateway.

  6. Create the VPN connection:

  Create the Site-to-Site VPN connection between your virtual network gateway and your on-premises VPN device.

  https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource- manager-portal

• Question 394:

  You have a .NET Core application running in Azure App Services. You are expecting a huge influx of traffic to your application in the coming days.

  When your application experiences this spike in traffic, you want to detect any anomalies such as request errors or failed queries immediately.

  What service can you use to assure that you know about these types of errors related to your .NET application immediately?

  A. Application Insights Search
  B. Log analytics workspace
  C. Client-side monitoring
  D. Live Metrics Stream in Application Insights
  D. Live Metrics Stream in Application Insights

  ---

  Explanation

  --------------------------------------------------------------------------------

  Live Metrics Stream in Application Insights

  --------------------------------------------------------------------------------

  Live Metrics Stream provides near real-time telemetry (including request rate, failures, and dependency calls) so you can detect request errors and failed requests immediately during a traffic spike. That matches the requirement for immediate anomaly detection. (1)

  Why the other selections are not correct:

  - Application Insights Search: Useful for querying/inspecting collected telemetry, but not the most immediate "live stream" view.

  - Log analytics workspace: Strong for analysis and queries, but not the quickest live signal for immediate detection during a spike.

  - Client-side monitoring: Focuses on client/browser telemetry; does not directly provide immediate server request/dependency live stream view like Live Metrics. (1)

  -------------------------------------------------------------------------------- References:

  { 1. Azure Monitor Logs overview (context: telemetry + analysis; Live monitoring is part of observability stack) https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-platform-logs Date Modified: Apr 1, 2025 Date Accessed: 01/25/2026

  }

  --------------------------------------------------------------------------------

  Microsoft Exam Tips:

  - "Immediately / real-time" with Application Insights typically maps to Live Metrics Stream.

  Summary:

  Real-time application observability using Application Insights Live Metrics.

  -------------------------------------------------------------------------------- AZ-104 Exam Objective Hierarchy:

  5 Monitor and maintain Azure resources (10?5%) |__ 5.1 Monitor resources in Azure |__ 5.1.1 Interpret metrics in Azure Monitor

• Question 395:

  You deploy Azure virtual machines to three Azure regions

  Each region contains a virtual network. Each virtual network contains multiple subnets peered in a full mesh topology.

  Each subnet contains a network security group (NSG) that has defined rules.

  A user reports that he cannot use port 33000 to connect from a virtual machine in one region to a virtual machine in another region.

  Which two options can you use to diagnose the issue? Each correct answer presents a complete solution.

  NOTE: Each correct selection is worth one point.

  A. Azure Virtual Network Manager
  B. IP flow verify
  C. Azure Monitor Network Insights
  D. Connection troubleshoot
  E. elective security rules
  B. IP flow verify
  D. Connection troubleshoot

  ---

  Explanation

  {template for answering question}

  --------------------------------------------------------------------------------

  IP flow verify Connection troubleshoot

  --------------------------------------------------------------------------------

  To diagnose why port 33000 traffic is failing across regions (with peered VNets and NSGs), you use Network Watcher tools:

  - **IP flow verify** determines whether the traffic is allowed/denied and identifies the NSG (and other) rule responsible. :contentReference[oaicite:11]{index=11}

  - **Connection troubleshoot** tests end-to-end connectivity between source and destination and provides diagnostic results to pinpoint configuration vs. platform issues. :contentReference[oaicite:12]{index=12}

  Why other selections are not correct (as "complete solutions" for diagnosis):

  - Azure Virtual Network Manager: Primarily governance/management of VNets; not a direct diagnostic tool for a specific blocked port scenario.

  - Azure Monitor Network Insights: Great for dashboards/topology/health, but the question asks for two options that each present a complete diagnostic solution for this specific connectivity failure; the direct diagnostic tools are IP flow verify and Connection troubleshoot. :contentReference[oaicite:13]{index=13}

  - effective security rules: Useful for reviewing resultant NSG rules, but IP flow verify already provides allowed/denied and the rule hit; effective rules alone typically isn't an end-to-end diagnostic "complete solution." :contentReference [oaicite:14]{index=14}

  -------------------------------------------------------------------------------- References:

  1. IP flow verify overview (Network Watcher) https://learn.microsoft.com/en-us/azure/network-watcher/ip-flow-verify-overview Modified: 09/23/2025 Date Access: 01/24/2026

  2. Connection troubleshoot overview (Network Watcher) https://learn.microsoft.com/en-us/azure/network-watcher/connection-troubleshoot-overview Modified: 11/18/2025 Date Access: 01/24/2026

  -------------------------------------------------------------------------------- Microsoft Exam Tips:

  - For "is traffic allowed/denied by NSG?" --> **IP flow verify**.

  - For "end-to-end connectivity test + root cause hints" --> **Connection troubleshoot**.

  - These are commonly tested under Network Watcher/Connection Monitor tooling.

  -------------------------------------------------------------------------------- Summary:

  Using Network Watcher tools to troubleshoot cross-VNet connectivity and NSG-related port blocking.

  -------------------------------------------------------------------------------- AZ-104 Exam Objective Hierarchy:

  5.0 Monitor and maintain Azure resources (10?5%) |__ 5.1 Monitor resources in Azure |__ 5.1.6 Use Azure Network Watcher and Connection Monitor

• Question 396:

  HOTSPOT

  You need to deploy two Azure web apps named WebApp1 and WebApp2. The web apps have the following requirements:

  1. WebApp1 must be able to use staging slots 2. WebApp2 must be able to access the resources located on an Azure virtual network

  What is the least costly plan that you can use to deploy each web app? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  

  

  ---

  WebApp1: S1 WebApp2: S1

  Explanation (Why this is correct)

  - Deployment slots (staging slots) require Standard tier or higher; among the provided options, S1 is the least expensive that supports slots.

  - App Service VNet Integration is supported on Standard tier (and above) for typical exam assumptions; S1 is the least costly option listed that meets the requirement.

  Explanation (Why the other options are incorrect)

  - F1/D1/I1: Do not meet the feature requirements (slots and/or VNet integration).

  - P3: Meets requirements but is not the least costly.

  Exam Tip

  - If a question says “staging slot”, think **Standard or better**.

  References (APA)

  - Microsoft. (n.d.). App Service plan overview. Microsoft Learn. https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans

  - Microsoft. (n.d.). Set up staging environments in Azure App Service. Microsoft Learn. https://learn.microsoft.com/en-us/azure/app-service/deploy-staging-slots

  AZ-104 Exam Objective Hierarchy:

  5.0 Monitor and maintain Azure resources (10–15%) |__5.2 Implement backup and recovery |__|__5.2.5 Configure Azure Site Recovery for Azure resources

• Question 397:

  Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

  After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

  You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2.

  Connections to App1 are managed by using an Azure Load Balancer.

  The effective network security configurations for VM2 are shown in the following exhibit.

  

  You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.

  You verify that the Load Balancer rules are configured correctly.

  You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.

  Solution: You create an inbound security rule that allows any traffic from the Azure Load Balancer source and has a priority of 150.

  A. Yes
  B. No
  A. Yes

  ---

  Yes

  The effective rules include a custom deny rule that blocks all other inbound TCP/443 traffic (priority 200). Azure Load Balancer health probes originate from the AzureLoadBalancer service tag (168.63.129.16). If probes (or required load balancer-originated checks) are blocked by a higher-priority deny rule, the backend can be marked unhealthy and client connections can fail.

  Creating an inbound allow rule for source AzureLoadBalancer with priority 150 places it above the deny rule (200), allowing the health probe traffic to succeed, which supports restoring successful connections through the load balancer.

  Not selected:

  No: Incorrect because the higher-priority allow rule resolves the probe-blocking condition created by the deny rule.

  Microsoft Exam Tips:

  With NSGs, a lower priority number wins. A broad deny rule on TCP/443 can break load balancer probes unless you add a higher-priority allow rule.

  Summary:

  NSG priority and rule order: allowing Azure Load Balancer health probe traffic restores connectivity.

  AZ-104 Exam Objective Hierarchy:

  4.0 Implement and manage virtual networking (15–20%)
  4.2 Configure secure access to virtual networks
  4.2.2 Evaluate effective security rules in NSGs

• Question 398:

  You have an Azure App Service plan named AdatumASP1 that uses the P2v2 pricing tier. AdatumASP1 hosts Ml Azure web app named adatumwebapp1. You need to delegate the management of adatumwebapp1 to a group named Devs.

  Devs must be able to perform the following tasks:

  1. Add deployment slots.

  2. View the configuration of AdatumASP1.

  3. Modify the role assignment for adatumwebapp1.

  Which role should you assign to the Devs group?

  A. Owner
  B. Contributor
  C. Web Plan Contributor
  D. Website Contributor
  A. Owner

  ---

  Explanation

  --------------------------------------------------------------------------------

  Owner

  --------------------------------------------------------------------------------

  The Devs group must be able to add deployment slots and manage the App Service plan configuration, and also modify role assignments for the web app. Modifying role assignments requires the ability to manage access (role assignments), which is included in the Owner role. The Contributor role explicitly does not grant permission to manage access/role assignments.

  Why other options are not correct:

  - Contributor: Can manage resources but cannot grant access (cannot create role assignments).

  - Web Plan Contributor / Website Contributor: More limited scopes; do not grant access-management permissions needed to modify role assignments.

  -------------------------------------------------------------------------------- References:

  1. Azure built-in roles (Owner vs Contributor) https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles Date Modified: 07/18/2025 Date Access: 01/25/2026

  -------------------------------------------------------------------------------- Microsoft Exam Tips:

  - AZ-104: Any requirement that includes "manage role assignments" typically implies Owner or User Access Administrator.

  - Keep least privilege in mind; in real-world you'd often pair Contributor + User Access Administrator rather than Owner.

  -------------------------------------------------------------------------------- Summary:

  Owner is required because the tasks include changing role assignments.

  -------------------------------------------------------------------------------- AZ-104 Exam Objective Hierarchy:

  1.0 Manage Azure identities and governance (20?5%) |__ 1.2 Manage access to Azure resources |__ 1.2.2 Assign roles at different scopes

• Question 399:

  HOTSPOT

  You are evaluating the name resolution for the virtual machines after the planned implementation of the Azure networking infrastructure.

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  

  

• Question 400:

  You set the multi-factor authentication status for a user named [email protected] to Enabled.

  Admin1 accesses the Azure portal by using a web browser.

  Which additional security verifications can Admin1 use when accessing the Azure portal?

  A. a phone call, a text message that contains a verification code, and a notification or a verification code sent from the Microsoft Authenticator app
  B. an app password, a text message that contains a verification code, and a notification sent from the Microsoft Authenticator app
  C. an app password, a text message that contains a verification code, and a verification code sent from the Microsoft Authenticator app
  D. a phone call, an email message that contains a verification code, and a text message that contains an app password
  A. a phone call, a text message that contains a verification code, and a notification or a verification code sent from the Microsoft Authenticator app

  ---

  Explanation

  --------------------------------------------------------------------------------

  a phone call, a text message that contains a verification code, and a notification or a verification code sent from the Microsoft Authenticator app

  --------------------------------------------------------------------------------

  For Microsoft Entra MFA, typical additional verification methods include:

  - Voice call (phone call),

  - SMS (text message with a verification code),

  - Microsoft Authenticator (push notification and/or verification code).

  Why the other choices are not correct:

  - Any option that includes "app password" as an additional verification:

  App passwords are for legacy apps that cannot do modern MFA prompts; they are not an interactive MFA verification method for signing into the portal.

  - Any option that uses "email message that contains a verification code" as the MFA verification method:

  Email verification is not a standard MFA method for Azure portal sign-in in Entra MFA.

  -------------------------------------------------------------------------------- References:

  1. Microsoft. (n.d.). Multifactor authentication (MFA) FAQ. https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mfa-howitworks Date Modified: Unable to locate date modified Date Accessed: 01/25/2026

  -------------------------------------------------------------------------------- Microsoft Exam Tips:

  - AZ-104: Treat "app password" as a legacy workaround, not a primary verification method for portal sign-in.

  - Know the "big three" MFA methods: voice call, SMS, authenticator app.

  -------------------------------------------------------------------------------- Summary:

  MFA verification methods supported for interactive sign-in (phone/SMS/Authenticator).

  -------------------------------------------------------------------------------- AZ-104 Exam Objective Hierarchy:

  1.0 Manage Azure identities and governance (20?5%) |__ 1.1 Manage Microsoft Entra users and groups |__ 1.1.2 Manage user and group properties