Microsoft AZ-104 Online Practice Questions and Exam Preparation
AZ-104 Exam Details
Exam Code: AZ-104
Exam Name: Microsoft Azure Administrator
Certification: Microsoft Certifications
Vendor: Microsoft
Total Questions: 852 Q&As
Last Updated: May 28, 2026
Microsoft AZ-104 Online Questions & Answers
Question 551:
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.
You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.
You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a priority of 150.
- The goal is to ensure client connections from 131.107.100.50 over TCP 443 succeed.
- The proposed solution: "Create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a priority of 150."
- The AzureLoadBalancer tag is primarily relevant for allowing Azure Load Balancer health probes and related load balancer infrastructure traffic. It does not necessarily allow a specific client IP (131.107.100.50) to access the service. Client traffic generally retains the client source IP; therefore, allowing AzureLoadBalancer as a source does not directly fix a block on the client's source IP. (1)
- Because the proposed rule does not address the failing source IP explicitly, it does not meet the goal.
Why the other choice is incorrect:
- "Yes" would only be correct if the failure were specifically caused by blocking Azure Load Balancer probe/infrastructure traffic (which would typically show up as an unhealthy backend), not by "client X can't connect" as stated.
References:
1. Diagnose a VM network traffic filter problem (NSG rules, effective evaluation, and how rule matching works). https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-network/traffic-filter-problem Date Modified: 2025-04-02. Date Accessed: 01/25/2026.
Microsoft Exam Tips:
- Don't confuse "AzureLoadBalancer" source tag (probes/infrastructure) with actual client traffic sources.
- If a question names a specific client IP failing, you usually need a rule that matches that client IP (or a broader allowed range that includes it).
Summary:
- Correctly matching NSG rules to the actual traffic source/destination; understanding AzureLoadBalancer source tag intent.
AZ-104 Exam Objective Hierarchy:
4.0 Implement and manage virtual networking (15–20%) |__ 4.2 Configure secure access to virtual networks |__|__ 4.2.2 Evaluate effective security rules in NSGs
Question 552:
HOTSPOT
You have an Azure subscription.
You need to use an Azure Resource Manager (ARM) template to create a virtual machine that will have multiple data disks.
How should you complete the template? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Box 1: copy
Box 2: copyIndex
Why this is correct:
- The copy element is used to create multiple instances of a property/resource in an ARM template.
- copyIndex() returns the current iteration index, commonly used to generate unique names/LUNs for repeated objects (like multiple data disks).
Exam Tips:
- “copy” defines the loop; copyIndex() gives you the counter.
AZ-104 Exam Objective Hierarchy
3.0 Deploy and manage Azure compute resources (20–25%) |__3.1 Automate deployment of resources by using templates |__|__3.1.2 Modify an Azure Resource Manager template
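To make the copy/copyIndex pairing concrete, here is an added example (not from the original page or from any Microsoft template): the storageProfile fragment of a Microsoft.Compute/virtualMachines resource written as a Python dict with the same shape as the ARM JSON, plus a deliberately small expander that models what the deployment does with a property copy loop. The expression evaluator handles only the few expressions this fragment uses (parameters(), copyIndex('<loop>'), concat() of those and quoted literals); it is an illustration of the semantics, not the ARM expression engine, and the parameter names vmName and numberOfDataDisks are assumptions.

```python
import re

# ARM property iteration: the "copy" array sits where the list property would go,
# "name" is the property being generated, "count" the number of copies, and
# copyIndex('<name>') yields the current iteration inside "input".
STORAGE_PROFILE = {
    "osDisk": {"createOption": "FromImage"},
    "copy": [
        {
            "name": "dataDisks",
            "count": "[parameters('numberOfDataDisks')]",   # assumed parameter name
            "input": {
                "lun": "[copyIndex('dataDisks')]",
                "name": "[concat(parameters('vmName'), '-datadisk', copyIndex('dataDisks'))]",
                "createOption": "Empty",
                "diskSizeGB": 128,
            },
        }
    ],
}


def _eval(term: str, params: dict, loop: str, index: int):
    """Evaluate the small subset of ARM expressions used above.
    Simplified model for illustration; it is not the real ARM engine and it
    assumes no commas inside quoted literals."""
    term = term.strip()
    if term.startswith("[") and term.endswith("]"):
        term = term[1:-1].strip()
    if term.startswith("'") and term.endswith("'"):
        return term[1:-1]                       # quoted literal
    m = re.fullmatch(r"copyIndex\('(\w+)'\)", term)
    if m and m.group(1) == loop:
        return index                            # current loop iteration (0-based)
    m = re.fullmatch(r"parameters\('(\w+)'\)", term)
    if m:
        return params[m.group(1)]
    m = re.fullmatch(r"concat\((.*)\)", term)
    if m:
        return "".join(str(_eval(p, params, loop, index)) for p in m.group(1).split(","))
    raise ValueError(f"unsupported expression: {term}")


def expand_property_copy(obj: dict, params: dict) -> dict:
    """Expand each "copy" loop of a property object into a list property named
    loop["name"] holding "count" evaluated copies of "input"."""
    expanded = {k: v for k, v in obj.items() if k != "copy"}
    for loop in obj.get("copy", []):
        name = loop["name"]
        count = loop["count"]
        if isinstance(count, str):              # count may itself be a template expression
            count = int(_eval(count, params, name, 0))
        expanded[name] = [
            {k: (_eval(v, params, name, i) if isinstance(v, str) and v.startswith("[") else v)
             for k, v in loop["input"].items()}
            for i in range(count)
        ]
    return expanded


def render_data_disks(vm_name: str, disk_count: int) -> list:
    """Return the dataDisks list the template above produces for the given parameters."""
    params = {"vmName": vm_name, "numberOfDataDisks": disk_count}
    return expand_property_copy(STORAGE_PROFILE, params)["dataDisks"]


if __name__ == "__main__":
    for disk in render_data_disks("vm1", 3):
        print(disk)
```

The point to take from the expansion is that copyIndex('dataDisks') starts at 0, so it doubles as the LUN and as the suffix that keeps each disk name unique; using copyIndex() without the loop name would refer to resource iteration, not to this property loop.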
Question 553:
You have a Microsoft 365 tenant and an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to grant three users named User1, User2, and User3 access to a temporary Microsoft SharePoint document library named Library1.
You need to create groups for the users. The solution must ensure that the groups are deleted automatically after 180 days.
Which two groups should you create? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. a Security group that uses the Assigned membership type
B. an Office 365 group that uses the Assigned membership type
C. an Office 365 group that uses the Dynamic User membership type
D. a Security group that uses the Dynamic User membership type
E. a Security group that uses the Dynamic Device membership type
B. an Office 365 group that uses the Assigned membership type
C. an Office 365 group that uses the Dynamic User membership type
1) An Office 365 (Microsoft 365) group that uses the Assigned membership type
2) An Office 365 (Microsoft 365) group that uses the Dynamic User membership type
Why:
The key requirement is that the groups be deleted automatically after 180 days.
In Microsoft Entra ID, the "group expiration policy" (lifecycle/expiration) applies to Microsoft 365 groups. When a Microsoft 365 group reaches its configured lifetime and is not renewed, the group is deleted. Therefore, solutions that use Microsoft 365 groups satisfy the "automatic deletion after 180 days" requirement.
Security groups (assigned or dynamic) do not meet this requirement via the Microsoft 365 group expiration policy, so they are not valid for the "must be deleted automatically after 180 days" constraint.
Both of the following are Microsoft 365 groups, so either membership model is acceptable under the expiration-policy requirement:
- Assigned membership (manually manage the 3 users)
- Dynamic user membership (membership driven by a rule)
MICROSOFT LEARN REFERENCES (Official)
1) Configure the expiration policy for Microsoft 365 groups (Microsoft Entra) https://learn.microsoft.com/en-us/entra/identity/users/groups-lifecycle
- Official excerpt (key proof): "You can set an expiration policy only for Microsoft 365 groups in Microsoft Entra ID."
- Also describes that groups not renewed are deleted and shows setting lifetime in days (e.g., 180).
EXAM TIPS
- If a question requires "automatic deletion/expiration of the group," think "Microsoft 365 group expiration policy."
- Watch for traps: "Security group" options often fail lifecycle/expiration requirements (even if they work for access assignment).
- "Dynamic user membership" is valid only if you can express a rule that results in the intended membership set.
SUMMARY
Use Microsoft 365 groups because Microsoft Entra's group expiration policy applies to Microsoft 365 groups and can delete them after a configured lifetime (e.g., 180 days). Therefore, choose the two Microsoft 365 group options (Assigned and Dynamic User membership).
EXAM OBJECTIVES (AZ-104)
1.0 Manage Azure identities and governance |__ 1.1 Manage Microsoft Entra users and groups |__|__ 1.1.1 Create users and groups |__|__ 1.1.2 Manage user and group properties
Question 554:
You need to implement the planned changes for the storage account content.
Which containers and file shares can you use to organize the content?
A. share1 only
B. cont1 and share1 only
C. share1 and share2 only
D. cont1, share1, and share2 only
E. cont1, cont2, share1, and share2
D. cont1, share1, and share2 only
Explanation
Correct Answer:
cont1, share1, and share2 only
Per the case study:
- storage1 hosts container cont1 and file share share1.
- storage2 hosts container cont2 and file share share2.
The planned changes require organizing content using cont1 and both file shares, and do not require cont2 for the stated organization plan.
Proof / Reasoning:
Case study storage inventory lists cont1/share1 in storage1 and share2 in storage2.
Planned changes specify using those locations for organizing the storage content.
Official Microsoft Learn / Azure references
- Storage account overview. (n.d.). Retrieved 2026-01-31 from https://learn.microsoft.com/en-us/azure/storage/common/storage-account-overview
- Create a container in Azure Storage. (n.d.). Retrieved 2026-01-31 from https://learn.microsoft.com/en-us/azure/storage/blobs/storage-quickstart-blobs-portal#create-a-container
- Create an Azure file share. (n.d.). Retrieved 2026-01-31 from https://learn.microsoft.com/en-us/azure/storage/files/storage-how-to-create-file-share
AZ-104 Exam Objective Hierarchy:
2.0 Implement and manage storage (15–20%) |__2.3 Configure Azure Files and Azure Blob Storage |__|__2.3.1 Create and configure a file share in Azure Storage
Question 555:
HOTSPOT
You plan to deploy an Azure web app named App1 that will use Azure Active Directory (Azure AD) authentication.
App1 will be accessed from the internet by the users at your company. All the users have computers that run Windows 10 and are joined to Azure AD.
You need to recommend a solution to ensure that the users can connect to App1 without being prompted for authentication and can access App1 only from company-owned computers.
What should you recommend for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
The users can connect to App1 without being prompted for authentication: An Azure AD app registration
The users can access App1 only from company-owned computers: A Conditional Access policy
Explanation (Why this is correct):
- App registration is required so App1 can use Microsoft Entra ID (Azure AD) authentication (App1 must be known to Entra ID).
- Conditional Access is how you enforce device-based access restrictions (for example: require compliant device and/or hybrid Azure AD joined) to limit access to company-owned computers.
Explanation (Why the other options are incorrect):
- Azure AD managed identity: Used for app-to-Azure-resource access, not for interactive user sign-in to App1.
- Azure AD Application Proxy: Used to publish on-prem apps externally; not required just to avoid repeated prompts.
- Administrative unit / Application Gateway / Private Link / Azure Policy: None of these are the control plane mechanism for “only company-owned computers.” That’s Conditional Access.
Exam Tips:
- “Only company-owned computers” is a Conditional Access signal/control (device compliance/join state).
- “Use Azure AD authentication” requires an app registration (or an enterprise app created from one).
Summary:
Register the app in Entra ID and enforce device restrictions with Conditional Access.
References:
[1] Microsoft. (n.d.). Register an application with Microsoft identity platform. https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app (Accessed January 28, 2026).
1.0 Manage Azure identities and governance (20–25%) |__1.1 Manage Microsoft Entra users and groups
Question 556:
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:
User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.
You need to create new user accounts in external.contoso.onmicrosoft.com.
Solution: You instruct User1 to create the user accounts.
Does that meet the goal?
A. Yes B. No
A. Yes
Explanation
Answer: Yes. User1 created the new Microsoft Entra (Azure AD) tenant external.contoso.onmicrosoft.com.
In Microsoft Entra ID, the user who creates a tenant becomes the first user in that tenant and is automatically assigned the Global Administrator role. A Global Administrator can manage all aspects of the tenant, including creating user accounts.
Therefore, instructing User1 to create the new user accounts in the new tenant meets the goal.
Why the other solutions in this series are "No" (context)
- Instructing User4 (Azure Subscription Owner) doesn't help for creating users in a different Entra tenant because Owner is an Azure RBAC role, not a tenant directory role.
- Instructing someone who is not a tenant admin in the *new* tenant would not be sufficient.
Proof (Microsoft Learn)
- Tenant creator becomes Global Administrator in the new tenant: "Once tenant is created, you're the first user ... automatically assigned the Global Administrator role."
- Global Administrator capabilities: "Can manage all aspects of Microsoft Entra ID..."
AZ-104 Exam Objective Hierarchy:
1.0 Manage Azure identities and governance (20–25%) |__ 1.1 Manage Microsoft Entra users and groups |__|__ 1.1.1 Create users and groups
Question 557:
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.
You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.
You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You create an inbound security rule that denies all traffic from the 131.107.100.50 source and has a priority of 64999.
The goal is to ensure that connections to App1 from **131.107.100.50 over TCP 443** succeed.
The proposed change is to **create an inbound security rule that denies all traffic from 131.107.100.50** (even at a very low priority like 64999). That directly **blocks** the required source IP, so it cannot meet the goal.
Why "Yes" is incorrect:
- Denying the exact required source address guarantees failure, not success.
References:
1. Network security group (NSG) rule priority and evaluation (lower number = higher priority). https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview Date Modified: not available. Date Accessed: 01/25/2026.
Microsoft Exam Tips:
- In NSG troubleshooting, validate whether the proposed change **permits** or **blocks** the target flow (source/destination/port/protocol).
- "Deny from the source that must work" is almost always an automatic **No**.
AZ-104 Exam Objective Hierarchy:
4.0 Implement and manage virtual networking (15–20%) |__ 4.2 Configure secure access to virtual networks |__|__ 4.2.2 Evaluate effective security rules in NSGs
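Questions 551 and 557 both turn on how an NSG evaluates inbound rules: rules are tried in ascending priority number, the first rule whose source, destination port and protocol match decides the flow, and the AzureLoadBalancer service tag covers only the load balancer's health-probe traffic, not the client's own address. The following added example (not from the original page, and not Microsoft's code) models that evaluation over the three default inbound rules plus each proposed change. The exhibit is not reproduced on the page, so the VNet address space, the client flow and the rule names are constructed; the probe source 168.63.129.16 is the address the AzureLoadBalancer tag resolves to.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology standing in for the exhibit the question refers to.
VNET_SPACE = ipaddress.ip_network("10.0.0.0/16")
HEALTH_PROBE_IP = ipaddress.ip_address("168.63.129.16")   # what AzureLoadBalancer resolves to
CLIENT_IP = "131.107.100.50"                               # the client named in the question


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first (custom rules use 100-4096 in Azure)
    source: str        # CIDR / single IP, "*", or a service tag
    dest_port: str     # "443", "1000-2000" or "*"
    protocol: str      # "TCP", "UDP" or "*"
    access: str        # "Allow" or "Deny"


def source_matches(rule_source: str, src_ip: str) -> bool:
    """Simplified service-tag resolution; enough to show why the tags do not match a client IP."""
    ip = ipaddress.ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return ip in VNET_SPACE
    if rule_source == "AzureLoadBalancer":
        return ip == HEALTH_PROBE_IP          # probes only, never the end client's address
    if rule_source == "Internet":
        return ip not in VNET_SPACE and ip.is_global
    return ip in ipaddress.ip_network(rule_source, strict=False)


def port_matches(rule_port: str, port: int) -> bool:
    if rule_port == "*":
        return True
    lo, _, hi = rule_port.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate_inbound(rules, src_ip: str, dest_port: int, protocol: str):
    """Return (access, rule name) of the first matching rule in ascending priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (source_matches(rule.source, src_ip)
                and port_matches(rule.dest_port, dest_port)
                and rule.protocol in ("*", protocol)):
            return rule.access, rule.name
    return "Deny", "no-match"                  # never reached while DenyAllInBound exists


# The three default inbound rules every NSG carries.
DEFAULT_INBOUND = [
    Rule("AllowVNetInBound", 65000, "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]

# Question 551's proposal: allow the AzureLoadBalancer tag at priority 150.
PROPOSAL_551 = [Rule("AllowLB", 150, "AzureLoadBalancer", "*", "*", "Allow")]
# Question 557's proposal: deny the client at priority 64999.
PROPOSAL_557 = [Rule("DenyClient", 64999, CLIENT_IP, "*", "*", "Deny")]
# A rule that actually addresses the failing flow (constructed for comparison).
FIX = [Rule("AllowClient443", 150, CLIENT_IP, "443", "TCP", "Allow")]


def verdict(extra_rules) -> tuple:
    """Outcome for the client's TCP 443 flow with the given extra rules added to the defaults."""
    return evaluate_inbound(DEFAULT_INBOUND + list(extra_rules), CLIENT_IP, 443, "TCP")


if __name__ == "__main__":
    for label, rules in [("Q551 proposal", PROPOSAL_551), ("Q557 proposal", PROPOSAL_557), ("targeted fix", FIX)]:
        print(label, verdict(rules))
```

Run as a script, the Q551 proposal still ends at DenyAllInBound (the new rule never matches the client's source), the Q557 proposal is denied by its own rule, and only a rule that names the client's address (or a range containing it) on TCP 443 allows the flow. The health-probe path is unaffected in every case because AllowAzureLoadBalancerInBound matches it at 65001.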
Question 558:
HOTSPOT
You have an Azure subscription named Subscription1 that contains the following resource group:
1. Name: RG1
2. Region: West US
3. Tag: "tag1": "value1"
You assign an Azure policy named Policy1 to Subscription1 by using the following configurations:
1. Exclusions: None
2. Policy definition: Append tag and its default value
3. Assignment name: Policy1
4. Parameters:
- Tag name: Tag2
- Tag value: Value2
After Policy1 is assigned, you create a storage account that has the following configurations:
1. Name: storage1
2. Location: West US
3. Resource group: RG1
4. Tags: "tag3": "value3"
You need to identify which tags are assigned to each resource. What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Box 1: Tags assigned to RG1: "tag1": "value1" only
Box 2: Tags assigned to storage1: "tag2": "value2" and "tag3": "value3"
Policy details:
Policy effect: Append tag and its default value
Parameters: Tag name = tag2, Tag value = value2
Existing:
RG1 has tag1=value1
storage1 is created with tag3=value3
Append effect behavior:
“Append” modifies the resource write request to add a tag if it is missing. It applies to resources being created or updated (here: the storage account).
It does not automatically re-tag the resource group simply because the resource group is within scope.
Therefore:
Box 1: RG1 remains with its original tag1=value1 only.
Box 2: storage1 keeps tag3=value3 and gets tag2=value2 appended.
Why the other options are not correct:
Including tag2 on RG1 would require a policy assignment or effect that targets the RG resource itself (and/or a remediation task if using modify or deployIfNotExists where supported).
Including tag1 on storage1 assumes inheritance; Azure tags do not automatically inherit from a resource group to its resources.
Microsoft Exam Tips:
Tags do not inherit automatically (RG → resource).
“Append” adds tags to the target resource at write time; it is not the same as inheritance.
Summary:
This question tested Azure Policy “Append” behavior and common misconceptions about tag inheritance.
AZ-104 Exam Objective Hierarchy:
1.0 - Manage Azure identities and governance (20–25%)
|__ 1.3 - Manage Azure subscriptions and governance
|__ 1.3.1 - Implement and manage Azure Policy
Question 559:
You have an Azure subscription that contains the virtual networks shown in the following table.
The subscription contains the virtual machines shown in the following table.
All the virtual machines have only private IP addresses.
You deploy an Azure Bastion host named Bastion1 to VNet1.
To which virtual machines can you connect through Bastion1?
A. VM1 only B. VM1 and VM2 only C. VM1 and VM3 only D. VM1, VM2, and VM3
B. VM1 and VM2 only
VM1 and VM2 only
- Bastion1 is deployed to VNet1, so you can connect to VM1 (same VNet).
- Azure Bastion can be used to connect to virtual machines in a peered VNet (VNet2 is directly peered with VNet1), so you can connect to VM2 through Bastion1.
- You cannot connect to VM3 because VNet peering is not transitive: VNet1 is not peered directly with VNet3, even though both peer with VNet2.
Why the other options are not correct:
- VM1 only: Would be true if Bastion connectivity to peered VNets were not considered; however, Bastion supports peered-VNet connectivity when configured appropriately.
- VM1 and VM3 only: VNet1 is not peered with VNet3, so Bastion1 cannot reach VM3 directly.
- VM1, VM2, and VM3: Requires transitive connectivity (VNet1 --> VNet2 --> VNet3), which Azure VNet peering does not provide.
Microsoft Exam Tips:
- AZ-104: Expect "peering is not transitive" to eliminate options.
- Bastion questions often combine: private-only VMs + secure access method + VNet topology (direct peer vs transitive).
Summary:
- Azure Bastion connectivity scope: same VNet and directly peered VNets; not transitive across multi-hop peer chains.
AZ-104 Exam Objective Hierarchy:
4.0 Implement and manage virtual networking |__ 4.2 Configure secure access to virtual networks | |__ 4.2.3 Implement Azure Bastion
Question 560:
You plan to migrate an on-premises Hyper-V environment to Azure by using Azure Site Recovery. The Hyper-V environment is managed by using Microsoft System Center Virtual Machine Manager (VMM).
The Hyper-V environment contains the virtual machines in the following table.
Which virtual machine can be migrated by using Azure Site Recovery?
In this scenario, you are migrating from a VMM-managed Hyper-V environment using Azure Site Recovery. The VM CA1 has BitLocker enabled on the OS disk, which is a common blocker for replication/migration scenarios because encryption can prevent the replication mechanism from processing the disk as required. Based on the provided answer key, SQL1 is the VM that satisfies the migration prerequisites in this set.
Why the other selections are incorrect:
- DC1: Not selected by the answer key for this scenario.
- FS1: Not selected by the answer key for this scenario.
- CA1: BitLocker enabled on the OS disk is a disqualifying characteristic for many ASR replication scenarios.
References:
1. Azure Site Recovery support matrix (encryption/BitLocker considerations) (Microsoft Learn). https://learn.microsoft.com/en-us/azure/site-recovery/hyper-v-azure-support-matrix Date Modified: 07/26/2025. Date Accessed: 01/25/2026.
Microsoft Exam Tips:
- Watch for "BitLocker enabled on OS disk" as a migration/replication constraint in DR tooling questions.
- For ASR questions, always validate OS, disk, and platform support matrix constraints.
Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when you apply for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com you will find all the answers. Vcedump.com provides not only Microsoft exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your AZ-104 exam preparation and Microsoft certification application, do not hesitate to visit Vcedump.com to find your solutions.