Microsoft AZ-104 Online Practice Questions and Exam Preparation
AZ-104 Exam Details
Exam Code: AZ-104
Exam Name: Microsoft Azure Administrator
Certification: Microsoft Certifications
Vendor: Microsoft
Total Questions: 852 Q&As
Last Updated: May 28, 2026
Microsoft AZ-104 Online Questions & Answers
Question 601:
HOTSPOT
You have an Azure subscription that contains the virtual networks shown in the following table.
The subscription contains the virtual machines shown in the following table.
The subscription contains the Azure App Service web apps shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
WebApp1 can communicate with VM2: Yes
NSG1 controls inbound traffic to WebApp1: No
WebApp2 can communicate with VM1: Yes
WebApp1 has VNet Integration with VNet1, and VNet1 is peered with VNet2, so outbound connectivity from WebApp1 can reach VM2 (subject to routing and NSG rules).
NSGs do not govern inbound traffic to a multi-tenant App Service public endpoint, so NSG1 does not control inbound traffic to WebApp1.
WebApp2 is in the Isolated tier (ASE) in Subnet2 of VNet2, so it has VNet-based connectivity and (via peering) can reach VM1 in VNet1.
Exam Tips:
App Service VNet Integration is primarily outbound. Inbound control is configured via access restrictions, private endpoints, or ASE, not by subnet NSGs on the integrated VNet.
Question 602:
You have two Azure subscriptions named Sub1 and Sub2 that are linked to separate Microsoft Entra tenants.
You have the virtual networks shown in the following table.
Which virtual networks can you peer with VNet1?
A. VNet2 only
B. VNet2 and VNet3 only
C. VNet2 and VNet4 only
D. VNet2, VNet3, and VNet4 only
E. VNet2, VNet3, VNet4, and VNet5
E. VNet2, VNet3, VNet4, and VNet5
VNet peering can be configured across VNets in different subscriptions and even different Microsoft Entra tenants (cross-tenant peering). Region differences are also supported (global VNet peering). Therefore, VNet1 (Sub1) can peer with:
- VNet2 (same subscription/tenant)
- VNet3 (same subscription, different region)
- VNet4 and VNet5 (different subscription and different tenant)
Not selected:
- Any option that excludes VNet4/VNet5 incorrectly assumes cross-tenant peering is not possible.
Microsoft Exam Tips:
- AZ-104 tests whether you know peering can cross subscriptions/tenants when permissions exist; it's not limited to same tenant.
Summary:
Cross-subscription and cross-tenant VNet peering eligibility.
AZ-104 Exam Objective Hierarchy:
4.0 Implement and manage virtual networking
|__ 4.1 Configure and manage virtual networks in Azure
    |__ 4.1.2 Create and configure virtual network peering
Question 603:
Which blade should you instruct the finance department auditors to use?
A. Partner information
B. Overview
C. Payment methods
D. Invoices
D. Invoices
Question 604:
HOTSPOT
You have an Azure web app named WebApp1.
You need to provide developers with a copy of WebApp1 that they can modify without affecting the production WebApp1.
When the developers finish testing their changes, you must be able to switch the current live version of WebApp1 to the new version.
Which command should you run to prepare the environment? To answer, select the appropriate options in the answer area.
AZ-104 Exam Objective Hierarchy:
3.0 Deploy and manage Azure compute resources (20–25%)
|__ 3.1 Configure and manage virtual machines
    |__ 3.1.4 Configure and troubleshoot Web Apps
Question 605:
You have an Azure subscription that contains 10 virtual machines, a key vault named Vault1, and a network security group (NSG) named NSG1. All the resources are deployed to the East US Azure region.
The virtual machines are protected by using NSG1. NSG1 is configured to block all outbound traffic to the internet.
You need to ensure that the virtual machines can access Vault1. The solution must use the principle of least privilege and minimize administrative effort.
What should you configure as the destination of the outbound security rule for NSG1?
A. an application security group
B. an IP address range
C. a service tag
C. a service tag
To allow outbound access from VMs to an Azure Key Vault while NSG1 blocks all outbound internet traffic, and to do it with least privilege and minimal admin effort, you set the NSG outbound rule Destination to the appropriate service tag (for Key Vault, commonly AzureKeyVault). Service tags are maintained by Microsoft and represent the IP ranges for that Azure service.
Why the other options are not correct:
- an application security group: ASGs group NICs/VMs for NSG rules; they do not represent Key Vault destinations.
- an IP address range: Key Vault IPs can change; maintaining ranges is higher effort and not "least admin."
- a service tag is the correct abstraction for Azure PaaS destinations.
Exam Tips:
- AZ-104: For NSG rules targeting Azure PaaS, prefer service tags over raw IP ranges.
- "Least privilege + minimal admin effort" is a strong hint toward service tags.
Summary:
NSG outbound rule design using service tags for Azure PaaS destinations (Key Vault).
AZ-104 Exam Objective Hierarchy:
4.0 Implement and manage virtual networking
|__ 4.2 Configure secure access to virtual networks
    |__ 4.2.1 Create and configure network security groups (NSGs) and application security groups
Question 606:
You have an Active Directory forest named contoso.com.
You install and configure Azure AD Connect to use password hash synchronization as the single sign-on (SSO) method. Staging mode is enabled.
You review the synchronization results and discover that the Synchronization Service Manager does not display any sync jobs.
You need to ensure that the synchronization completes successfully.
What should you do?
A. From Synchronization Service Manager, run a full import.
B. Run Azure AD Connect and set the SSO method to Pass-through Authentication.
C. From Azure PowerShell, run Start-AdSyncSyncCycle -PolicyType Initial.
D. Run Azure AD Connect and disable staging mode.
When staging mode is enabled, Azure AD Connect is configured not to perform active synchronization (it is commonly used for standby/disaster recovery scenarios). To ensure synchronization completes successfully and sync jobs appear and run, you must disable staging mode on the server intended to be the active synchronizing server. (1)
Why the other options are not correct:
- From Synchronization Service Manager, run a full import: Import alone doesn't change the fact the server is in staging mode (not actively exporting/syncing).
- Run Azure AD Connect and set the SSO method to Pass-through Authentication: Changing sign-in method doesn't address the immediate issue of staging mode preventing active sync jobs.
- From Azure PowerShell, run Start-ADSyncSyncCycle -PolicyType Initial: Triggering a cycle is not the right fix when staging mode prevents the server from operating as active.
References:
1. Microsoft Entra Connect: Staging server and disaster recovery https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sync-staging-server Date Modified: 04/09/2025 Date Accessed: 01/25/2026
Microsoft Exam Tips:
- AZ-104: "Staging mode enabled" is a strong signal; the expected remediation is to disable staging mode on the intended active server.
- Don't confuse "manual sync triggers" with "configuration states" that prevent active sync.
Summary:
This question covered Azure AD Connect staging mode and ensuring the directory synchronization engine runs actively.
AZ-104 Exam Objective Hierarchy:
1.0 Manage Azure identities and governance (20–25%)
|__ 1.1 Manage Microsoft Entra users and groups
    |__ 1.1.2 Manage user and group properties
Question 607:
HOTSPOT
You have a Microsoft Entra tenant that contains the users shown in the following table.
The tenant contains the groups shown in the following table.
Self-service password reset (SSPR) needs to be configured for the tenant.
Which users can configure SSPR, and for which group can SSPR be enabled? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Question 608:
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.
You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail. You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You create an inbound security rule that denies all traffic from the 131.107.100.50 source and has a cost of 64999.
Does this meet the goal?
A. Yes
B. No
B. No
Why "No" is correct:
- The goal is to ensure the client (131.107.100.50) can connect to App1 over TCP 443.
- The proposed solution: "Create an inbound security rule that denies all traffic from 131.107.100.50 ..."
- Denying traffic from the very client that must be able to connect directly contradicts the goal. Therefore, the solution cannot meet the goal. (1)
Why the other choice is incorrect:
- Yes. A deny rule for the required client would never be a valid fix for "connections fail" when the desired outcome is "connections succeed."
Microsoft Exam Tips:
- For "Does this meet the goal?" always sanity-check the direction of change: allow vs deny, source vs destination, and priority.
4.0 Implement and manage virtual networking
|__ 4.2 Configure secure access to virtual networks
    |__ 4.2.2 Evaluate effective security rules in NSGs
Question 609:
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.
You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.
You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You create an inbound security rule that denies all traffic from the 131.107.100.50 source and has a priority of 64999.
The goal is to ensure connections from 131.107.100.50 over TCP 443 succeed. Creating an inbound deny rule for that source IP (even at a different priority) directly contradicts the requirement by explicitly blocking the traffic you want to allow.
Additionally, NSG processing is priority-based (lower number = higher priority). Introducing a deny rule aimed at the source would either:
- override allows (if higher priority), or
- be irrelevant (if lower priority), but in no case does it enable the desired connectivity.
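The priority behaviour described above, as an added example (not part of the original explanation and not Azure's own code): a first-match evaluator run against a constructed rule set. The exhibit is not reproduced on this page, so the baseline rules, the 10.0.0.0/16 stand-in for the virtual network and the Allow443 and DenyClientFirst rules are assumptions made for illustration.

```python
# Added example: first-match NSG evaluation over a constructed rule set.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number is evaluated first
    source: str     # CIDR, or "*" for any source
    port: str       # destination port, or "*" for any port
    protocol: str   # "Tcp", "Udp" or "*"
    access: str     # "Allow" or "Deny"

def matches(rule, src_ip, port, protocol):
    src_ok = rule.source == "*" or (
        ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source))
    return (src_ok and rule.port in ("*", str(port))
            and rule.protocol in ("*", protocol))

def evaluate(rules, src_ip, port, protocol="Tcp"):
    """Return (access, rule name) for the first match in ascending priority."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, src_ip, port, protocol):
            return rule.access, rule.name
    return "Deny", "<no match>"

CLIENT = "131.107.100.50"  # client address from the question

# Constructed baseline: 10.0.0.0/16 stands in for the VirtualNetwork tag.
BASELINE = [
    Rule("AllowVnetInBound", 65000, "10.0.0.0/16", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]
PROPOSED_DENY = Rule("DenyClient", 64999, CLIENT + "/32", "*", "*", "Deny")
ALLOW_443 = Rule("Allow443", 200, "*", "443", "Tcp", "Allow")          # hypothetical
DENY_FIRST = Rule("DenyClientFirst", 150, CLIENT + "/32", "*", "*", "Deny")  # hypothetical

def scenarios():
    """Evaluate the client's TCP 443 flow under each rule combination."""
    return {
        "baseline": evaluate(BASELINE, CLIENT, 443),
        "deny_added": evaluate(BASELINE + [PROPOSED_DENY], CLIENT, 443),
        "deny_below_allow": evaluate(BASELINE + [ALLOW_443, PROPOSED_DENY], CLIENT, 443),
        "deny_above_allow": evaluate(BASELINE + [ALLOW_443, DENY_FIRST], CLIENT, 443),
    }

if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:18} -> {result}")
```

In none of the four cases does adding a deny rule change a denied flow into an allowed one: the deny either replaces the rule that already blocked the client, is never reached, or overrides an allow.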
1. Network security groups and security rules (priority evaluation) https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview Date Accessed: 01/24/2026
Microsoft Exam Tips:
- If the requirement is "make traffic succeed," do not add deny rules for that source/port.
- Remember NSG rule priority: smaller number wins.
4.0 Implement and manage virtual networking (15–20%)
|__ 4.2 Configure secure access to virtual networks
    |__ 4.2.2 Evaluate effective security rules in NSGs
Question 610:
HOTSPOT
You have an Azure subscription named Subscription1.
You plan to deploy an Ubuntu Server virtual machine named VM1 to Subscription1. You need to perform a custom deployment of the virtual machine. A specific trusted root certification authority (CA) must be added during the deployment.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
To create cloud-init.txt, use: cloud-init.txt
To deploy the Azure VM and use cloud-init.txt, use: az vm create
Explanation (Why this is correct)
- The hotspot is asking for the filename that contains the cloud-init configuration and the Azure CLI command used to create the VM while applying that cloud-init configuration.
- `az vm create` supports supplying cloud-init via custom data, which is the standard approach for cloud-init during VM provisioning.
Explanation (Why the other options are incorrect)
- Any filename other than cloud-init.txt would not match the required selection in the hotspot.
- Any command other than `az vm create` would not be the VM provisioning step.
Exam Tip
- Cloud-init is applied at provisioning time via “custom data” when creating the VM.
References (APA)
- Microsoft. (n.d.). Create a Linux VM using Azure CLI. Microsoft Learn. https://learn.microsoft.com/en-us/azure/virtual-machines/linux/quick-create-cli
AZ-104 Exam Objective Hierarchy:
3.0 Deploy and manage Azure compute resources (20–25%)
|__ 3.2 Create and configure virtual machines
    |__ 3.2.4 Provision virtual machines