Microsoft AZ-104 Online Practice Questions and Exam Preparation

Microsoft AZ-104 Online Questions & Answers

• Question 451:

  HOTSPOT

  You have an Azure Resource Manager template for a virtual machine named Template1. Template1 has the following parameters section.

  

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  

  

  ---

  Statement 1: Yes Statement 2: No Statement 3: Yes

  Explanation (Why this is correct):

  - Statement 1 (Yes): The resource group is selected at deployment time because the deployment scope (resource group) is chosen when you run the template deployment.

  - Statement 2 (No): The template shows a default value for windowsOSVersion. With a defaultValue, the deployment can proceed without requiring you to choose a different OS version.

  - Statement 3 (Yes): The location parameter has allowedValues but no defaultValue, so you must provide a value at deployment.

  Explanation (Why the other option is incorrect):

  - If you chose “Yes” for Statement 2: a defaultValue means the deployment does not require additional user input for that parameter (unless you decide to override it).

  Exam Tips:

  - In ARM templates, a parameter without a defaultValue is commonly treated as “required input.”

  - A parameter with defaultValue can typically be left as-is during deployment.

  Summary:

  You must select a resource group and a location during deployment, but you don’t have to select the Windows OS version because a default is provided.

  References:

  [1] Microsoft. (n.d.). Parameters in ARM templates. https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/parameters (Accessed January 28, 2026).

  [2] Microsoft. (n.d.). Deploy resources with ARM templates. https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-portal (Accessed January 28, 2026).

  AZ-104 Exam Objective Hierarchy:

  3.0 Deploy and manage Azure compute resources (20–25%) |__3.1 Automate deployment of resources by using templates |__|__3.1.1 Interpret an Azure Resource Manager template or a Bicep file

• Question 452:

  Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

  After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

  You have an Azure virtual machine named VM1. VM1 was deployed by using a custom Azure Resource Manager template named ARM1.json.

  You receive a notification that VM1 will be affected by maintenance.

  You need to move VM1 to a different host immediately.

  Solution: From the VM1 Updates blade, select One-time update.

  Does this meet the goal?

  A. Yes
  B. No
  B. No

  ---

  No

  A “one-time update” from the Updates blade relates to patching and updates and does not inherently move the VM to a different host. Therefore, it does not meet the requirement to move the VM to a different host immediately.

  If the intent is to move the VM to a different host, the correct action is typically Redeploy.

  Exam Tips:

  • Do not confuse maintenance or host move operations with updates or patching. The tested operation for moving a VM to a different host is usually Redeploy.

  Summary:

  • Distinguishing VM update operations from host redeploy operations.

  AZ-104 Exam Objective Hierarchy:
  
  3.0 Deploy and manage Azure compute resources (20–25%)
  └── 3.2 Create and configure virtual machines
    └── 3.2.3 Move a virtual machine to another resource group, subscription, or region

• Question 453:

  Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.

  Your company has an azure subscription that includes a storage account, a resource group, a blob container and a file share.

  A colleague named Jon Ross makes use of a solitary Azure Resource Manager (ARM) template to deploy a virtual machine and an additional Azure Storage account.

  You want to review the ARM template that was used by Jon Ross.

  Solution: You access the Virtual Machine blade.

  Does the solution meet the goal?

  A. Yes
  B. No
  B. No

  ---

  Explanation

  --------------------------------------------------------------------------------

  No

  --------------------------------------------------------------------------------

  To review the ARM template used for a deployment in Azure, you typically access the deployment history and export/view the template from the deployment (commonly from the resource group's deployments area, or via the export template workflow). Accessing the Virtual Machine blade is not the correct place to retrieve the ARM template that was used in a resource group deployment. Therefore, this solution does not meet the goal. [1]

  References:

  [1] Microsoft. "Export template in Azure portal." Microsoft Learn. Date modified: 2025-10-29. Date accessed: 2026-01-25. https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/export-template-portal

  --------------------------------------------------------------------------------

  Microsoft Exam Tips:

  - "Review the ARM template that was used" usually means "deployment history/export template," most commonly found at the resource group level.

  Summary:

  Where to export/review an ARM template used for deployment.

  AZ-104 Exam Objective Hierarchy:

  3.0 Deploy and manage Azure compute resources (20?5%) |__ 3.1 Automate deployment of resources by using Azure Resource Manager (ARM) templates or Bicep files |__ 3.1.5 Export a deployment as an Azure Resource Manager template or convert an Azure Resource Manager template to a Bicep file

• Question 454:

  HOTSPOT

  You have an Azure subscription that contains the public load balancers shown in the following table.

  

  You plan to create six virtual machines and to load balancer requests to the virtual machines. Each load balancer will load balance three virtual machines.

  You need to create the virtual machines for the planned solution. How should you create the virtual machines? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  

  

  ---

  The virtual machines that will be load balanced by using LB1 must: be created in the same availability set or virtual machine scale set

  The virtual machines that will be load balanced by using LB2 must: be connected to the same virtual network

  You have two public load balancers with different SKUs:

  LB1 = Basic

  Basic Load Balancer backend pool endpoints are limited (compared to Standard) and are associated with a single availability set or virtual machine scale set design pattern. The SKU guidance lists Basic backend pool endpoints as virtual machines in a single availability set or virtual machine scale set. Therefore, the safest “must” requirement from the choices for LB1 is:

  be created in the same availability set or virtual machine scale set.

  LB2 = Standard

  Standard Load Balancer backend pool endpoints are any virtual machines or virtual machine scale sets in a single virtual network.

  Backend pool management guidance also reinforces that backend IP configurations must be in the same virtual network. Therefore, the “must” requirement from the choices for LB2 is:

  be connected to the same virtual network.

  Why the other options are not the “must” constraints here:

  “Same resource group” is not required by Load Balancer SKUs.

  “Same operating system” is not required for being in a backend pool.

  Microsoft Exam Tips:

  Always key off the SKU: Basic vs. Standard changes backend pool constraints and features.

  For Standard Load Balancer, think single virtual network for backend pool endpoints (then consider zones, scale, and high availability after that).

  Summary:

  Basic Load Balancer backends align to a single availability set or virtual machine scale set pattern; Standard Load Balancer backends must be within the same virtual network.

  AZ-104 Exam Objective Hierarchy:

  4.0 Implement and manage virtual networking (15–20%)
  
  |__ 4.3 Configure name resolution and load balancing
  
  |__ 4.3.2 Configure an internal or public load balancer

• Question 455:

  Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

  After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

  You have an Azure container registry named Registry1 that contains an image named image1.

  You receive an error message when you attempt to deploy a container instance by using image1.

  You need to be able to deploy a container instance by using image1.

  Solution: You assign the AcrPull role to ACR-Tasks-Network for Registry1.

  Does this meet the goal?

  A. Yes
  B. No
  B. No

  ---

  No

  AcrPull must be assigned to the identity that the container runtime uses to pull the image (for example, the managed identity or service principal configured for the container instance).

  Assigning AcrPull to an unrelated principal (as shown) does not necessarily grant the container instance the permission it needs, so it does not meet the goal as stated.

  Why the other option is incorrect:

  Yes: The proposed role assignment is not correctly targeted to the consuming identity.

  Microsoft Exam Tips:

  When you see AcrPull, always ask: “Assigned to which identity is actually pulling the image?”

  Summary:

  RBAC scoping and correct identity targeting for image pulls from ACR.

  AZ-104 Exam Objective Hierarchy:

  1.0 Manage Azure identities and governance (20–25%)
  
  |__ 1.2 Manage access to Azure resources
  
  |__ 1.2.1 Manage built-in Azure roles
  
  |__ 1.2.2 Assign roles at different scopes

  3.0 Deploy and manage Azure compute resources (20–25%)
  
  |__ 3.3 Provision and manage containers in the Azure portal
  
  |__ 3.3.1 Create and manage an Azure container registry

• Question 456:

  You need to add VM1 and VM2 to the backend pool of LB1.

  What should you do first?

  A. Create a new NSG and associate the NSG to VNET1/Subnet1.
  B. Connect VM2 to VNET1/Subnet1.
  C. Redeploy VM1 and VM2 to the same availability zone.
  D. Redeploy VM1 and VM2 to the same availability set.
  D. Redeploy VM1 and VM2 to the same availability set.

  ---

  Explanation

  Redeploy VM1 and VM2 to the same availability set.

  In the case study, LB1 is a **Basic** (internal) load balancer. Basic Load Balancer backend pools are restricted to virtual machines that are deployed in the **same availability set** (or VM scale set, depending on scenario).

  VM1 and VM2 are currently standalone virtual machines (no availability set stated). To satisfy the Basic load balancer backend pool requirement, you must redeploy both VMs into the same availability set before you can add them to the backend pool.

  Case study (Contoso, Ltd. 2 Case Study.pdf), “Existing environment – Load balancers / LB1”.

  Microsoft Learn – Load Balancer SKUs (Basic vs Standard behavior). URL: https://learn.microsoft.com/en-us/azure/load-balancer/skus. Retrieved January 31, 2026. (Last updated 2025-10-17.)

  - Basic vs Standard Load Balancer differences get tested: Basic has legacy constraints (availability set requirement) while Standard is more flexible.

  - Always validate the SKU first; the required remediation often follows from SKU limitations.

  4.0 Implement and manage virtual networking (15–20%) |__4.3 Configure name resolution and load balancing |__|__4.3.2 Configure an internal or public load balancer

• Question 457:

  HOTSPOT

  You deploy an Azure Kubernetes Service (AKS) cluster that has the network profile shown in the following exhibit.

  

  Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

  NOTE: Each correct selection is worth one point.

  

  

  ---

  Containers will be assigned an IP address in the: 10.244.0.0/16 subnet Services in the AKS cluster will be assigned an IP address in the: 10.0.0.0/16 subnet

  Explanation:

  From the AKS network profile:

  - Pod CIDR = 10.244.0.0/16

  - Service CIDR = 10.0.0.0/16

  - DNS service IP = 10.0.0.10 (which fits inside the Service CIDR)

  Containers (pods):

  - Pod IPs come from the Pod CIDR range --> 10.244.0.0/16.

  Services:

  - ClusterIP service addresses come from the Service CIDR range --> 10.0.0.0/16.

  Why other options are incorrect:

  - 172.17.0.1/16 is the Docker bridge CIDR, not the Kubernetes pod/service address allocation range.

  - Swapping Pod CIDR and Service CIDR contradicts the AKS network profile definitions.

  References (APA):

  1. Microsoft Learn. (n.d.). Managed cluster (AKS) network profile (podCidr/serviceCidr). https://learn.microsoft.com/en-us/rest/api/aks/managed-clusters/create-or-update#networkprofile

  - Last updated: Unable to locate on page. Date accessed: 01/27/2026.

  2. Microsoft Learn. (n.d.). Configure Azure CNI networking in AKS (CIDR concepts). https://learn.microsoft.com/en-us/azure/aks/configure-azure-cni

  - Last updated: Unable to locate on page. Date accessed: 01/27/2026.

  Microsoft Exam Tips:

  - Pod CIDR = pod/container IPs.

  - Service CIDR = ClusterIP service IPs (DNS service IP is inside this range).

  Summary:

  - Mapping AKS Pod CIDR and Service CIDR to container and service IP assignment.

  AZ-104 Exam Objective Hierarchy:

  4.0 Implement and manage virtual networking (15–20%) └── 4.1 Configure and manage virtual networks └── 4.1.4 Configure IP addressing and subnetting (CIDR fundamentals) (Borderline: AKS-specific networking details can appear as contextual knowledge.)

• Question 458:

  You have an Azure subscription that contains two peered virtual networks named VNet1 and VNet2.

  You have a Network Virtual Appliance (NVA) named NetVA1.

  You need to ensure that the traffic from VNet1 to VNet2 is inspected by using NetVA1.

  What should you use?

  A. a local network gateway
  B. a route table that has custom routes
  C. a service endpoint
  D. IP address reservations
  B. a route table that has custom routes

  ---

  Explanation

  ----------------------------------------------------------------------------------------------------

  a route table that has custom routes

  ----------------------------------------------------------------------------------------------------

  To force traffic from VNet1 to VNet2 through a Network Virtual Appliance (NVA), you must override the system routes by using a route table (UDR). You create a custom route for the VNet2 address space and set the next hop type to a

  **Virtual appliance** (the NVA's IP). This ensures the packet path is steered through NetVA1 for inspection instead of taking the default peering path.

  Why the other choices are not correct:

  - a local network gateway: Used for VPN/ExpressRoute on-premises connectivity definitions, not for steering east-west traffic between peered VNets through an NVA.

  - a service endpoint: Secures PaaS access over the Azure backbone; it does not change routing between VNets.

  - IP address reservations: Reserving an IP does not control traffic paths.

  ---------------------------------------------------------------------------------------------------- References:

  1. Azure virtual network traffic routing https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-traffic-routing Date Modified: Unable to locate date modified Date Access: 01/26/2026 2. Configure subnet peering - Azure Virtual Network https://learn.microsoft.com/en-us/azure/virtual-network/how-to-configure-subnet-peering Date Modified: 12/15/2025 Date Access: 01/26/2026

  ---------------------------------------------------------------------------------------------------- Microsoft Exam Tips:

  - AZ-104 frequently tests *traffic steering* patterns: UDR + "Virtual appliance" next hop is the canonical method to force inspection through an NVA.

  - Distinguish "securing PaaS access" (service endpoints/private endpoints) from "routing control" (UDR).

  ---------------------------------------------------------------------------------------------------- Summary:

  Routes and traffic steering in Azure virtual networks using route tables (UDRs) to force NVA inspection.

  ---------------------------------------------------------------------------------------------------- AZ-104 Exam Objective Hierarchy:

  4.0 Implement and manage virtual networking (15?0%) |__ 4.1 Configure and manage virtual networks in Azure |__ 4.1.4 Configure user-defined network routes

• Question 459:

  You need to recommend an identify solution that meets the technical requirements.

  What should you recommend?

  A. federated single-on (SSO) and Active Directory Federation Services (AD FS)
  B. password hash synchronization and single sign-on (SSO)
  C. cloud-only user accounts
  D. Pass-through Authentication and single sign-on (SSO)
  A. federated single-on (SSO) and Active Directory Federation Services (AD FS)

  ---

  Explanation

  Active Directory Federation Services is a feature and web service in the Windows Server Operating System that allows sharing of identity information outside a company's network.

  Scenario: Technical Requirements include:

  Prevent user passwords or hashes of passwords from being stored in Azure.

  References: https://www.sherweb.com/blog/active-directory-federation-services/

• Question 460:

  HOTSPOT

  You have an Azure Storage account named contoso2024 that contains the resources shown in the following table.

  

  You have users that have permissions for contoso2024 as shown in the following table.

  

  The contoso2024 account is configured as shown in the following exhibit.

  

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  

  

  ---

  Scenario summary (from exhibit):

  Storage account contoso2024 contains container1 (Blob) with File1 and share1 (Azure Files) with File2.

  User permissions: User1 = Reader role; User2 = Storage Account Contributor role; User3 = has an access key.

  Storage account setting: Allow storage account key access = Disabled.

  User1 can read File1: No User2 can read File2: No User3 can read File1 and File2: No

  Reader and Storage Account Contributor are **management-plane (Azure Resource Manager) roles** and do not grant storage **data-plane** read permissions to blobs or files.

  When 'Allow storage account key access' is disabled, requests authorized with the account access keys (Shared Key) are rejected.

  To read blob data using Microsoft Entra ID, the user needs a data-plane role such as **Storage Blob Data Reader** at the appropriate scope. Azure Files has its own data access roles.

  Shared Key disabled: “Azure Storage rejects all subsequent requests … authorized with the account access keys or shared access signatures (SAS).” Reader role limitation: “It doesn't provide read permissions to data in Azure Storage …” Management-plane vs data-plane: “These roles do not provide access to data in a storage account.”

  2.0 Implement and manage storage (15–20%) 2.1 Configure access to storage |__2.1.4 Manage access keys