Microsoft AZ-104 Online Practice Questions and Exam Preparation
AZ-104 Exam Details
Exam Code: AZ-104
Exam Name: Microsoft Azure Administrator
Certification: Microsoft Certifications
Vendor: Microsoft
Total Questions: 852 Q&As
Last Updated: May 28, 2026
Microsoft AZ-104 Online Questions & Answers
Question 661:
Your company has virtual machines (VMs) hosted in Microsoft Azure. The VMs are located in a single Azure virtual network named VNet1.
The company has users that work remotely. The remote workers require access to the VMs on VNet1.
You need to provide access for the remote workers.
What should you do?
A. Configure a Site-to-Site (S2S) VPN.
B. Configure a VNet-to-VNet VPN.
C. Configure a Point-to-Site (P2S) VPN.
D. Configure DirectAccess on a Windows Server 2012 server VM.
E. Configure a Multi-Site VPN
Remote workers (individual clients) needing access into a single Azure virtual network is the classic use case for a point-to-site (P2S) VPN. P2S provides client-to-VNet connectivity without requiring an on-premises VPN device per user.
Why the other choices are not correct:
- Configure a Site-to-Site (S2S) VPN: designed for connecting an on-premises site/network to Azure, not individual remote users.
- Configure a VNet-to-VNet VPN: connects two Azure VNets to each other, not remote-user clients.
- Configure DirectAccess on a Windows Server 2012 VM: not the standard Azure-native approach for remote access into a VNet and is legacy/OS-specific.
- Configure a Multi-Site VPN: an S2S variant for multiple on-prem sites; still not a remote-user solution.
References:
1. Microsoft Learn. "Point-to-site VPN." https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about. Accessed 2026-01-25.
2. Microsoft Learn. "Site-to-site VPN." https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal. Accessed 2026-01-25.
Microsoft Exam Tips:
- If the stem says "remote workers/users," default mental model is P2S. If it says "branch office/on-prem site," default is S2S.
Summary:
Selecting the correct VPN model for remote user access to an Azure VNet.
AZ-104 Exam Objective Hierarchy:
4.0 Implement and manage virtual networking (15–20%) |__ 4.2 Configure secure access to virtual networks |__ 4.2.3 Implement Azure Bastion |__ 4.1 Configure and manage virtual networks in Azure |__ 4.1.5 Troubleshoot network connectivity
Question 662:
HOTSPOT
You have an Azure subscription named Subscription1.
In Subscription1, you create an Azure web app named WebApp1. WebApp1 will access an external service that requires certificate authentication.
You plan to require the use of HTTPS to access WebApp1.
You need to upload certificates to WebApp1.
In which formats should you upload the certificate?
To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Certificate format for HTTPS access: PFX
Certificate format for external service access: PFX
Explanation (Why this is correct):
- HTTPS/TLS bindings in App Service require a certificate that includes the private key, which is provided by a PFX.
- If the web app must authenticate *to an external service* using certificate authentication, the app must present a client certificate that also includes the private key. A CER is public-key only (no private key), so it cannot be used by the app to authenticate outbound as a client certificate.
Explanation (Why the other options are incorrect):
- CER for external service access: a CER lacks the private key and therefore cannot be used by the application to perform client-certificate authentication.
Exam Tips:
- In App Service: outbound client-certificate auth requires access to a private key --> think PFX.
- CER is typically for trust/chain scenarios (public cert), not for presenting client credentials.
Summary:
Use PFX for both inbound HTTPS and outbound client certificate authentication.
References (APA):
Microsoft. (n.d.). App Service certificates (concepts and usage). https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate (Accessed January 28, 2026).
AZ-104 Exam Objective Hierarchy:
3.0 Deploy and manage Azure compute resources (20–25%) |__3.4 Configure and manage web apps |__|__3.4.4 Configure TLS for an app
Question 663:
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named Developers. Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Dev, you assign the Logic App Operator role to the Developers group.
Logic App Operator is intended for operating/running logic apps (view, open, read, run, enable/disable) but not for creating or updating logic apps/workflows. Since the requirement is to create logic apps in the Dev resource group, assigning Logic App Operator does not meet the goal.
Why the "Yes" option is not correct:
- "Yes" would only be true if the assigned role included create/write permissions (for example, Logic App Contributor or Contributor at the correct scope).
References:
1. Secure access and data in Azure Logic Apps (role capabilities: Logic App Operator cannot edit/update) https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app Date Modified: 05/02/2025 Date Accessed: 01/24/2026
Microsoft Exam Tips:
- If the goal is "create" resources, verify the role has write permissions (Contributor-like), not Operator/Reader.
Summary:
- RBAC role capability check: operator vs contributor
AZ-104 Exam Objective Hierarchy:
1.0 Manage Azure identities and governance (20–25%) |__ 1.2 Manage access to Azure resources |__ 1.2.1 Manage built-in Azure roles
Question 664:
You have an Azure subscription that contains an Azure Log Analytics workspace.
You have a resource group that contains 100 virtual machines.
The virtual machines run Linux.
You need to collect events from the virtual machines to the Log Analytics workspace.
Which type of data source should you configure in the workspace?
A. Syslog
B. Linux performance counters
C. custom fields
For Linux virtual machines, OS events and many system services write to syslog. To collect Linux events into a Log Analytics workspace, you configure the Syslog data source.
Why the other choices are not correct:
- Linux performance counters:
These capture performance metrics (CPU, memory, disk), not general event logs.
- Custom fields:
Custom fields enrich/parse logs; they are not the primary "data source type" for Linux event collection.
1. Microsoft. (n.d.). Collect Syslog events with Azure Monitor Agent (AMA). https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-syslog Date Modified: Unable to locate date modified Date Accessed: 01/25/2026
Microsoft Exam Tips:
- AZ-104: Windows --> "Windows Event Logs"; Linux --> "Syslog."
- Separate "logs" (syslog/events) from "metrics" (performance counters).
5 Monitor and maintain Azure resources (10–15%) |__ 5.1 Monitor resources in Azure |__ 5.1.2 Configure log settings in Azure Monitor
Question 665:
HOTSPOT
You need to recommend a solution for App1. The solution must meet the technical requirements.
What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
This reference architecture shows how to deploy VMs and a virtual network configured for an N-tier application, using SQL Server on Windows for the data tier.
Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers:
1. A SQL database
2. A web front end
3. A processing middle tier
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
Technical requirements include:
1. Move all the virtual machines for App1 to Azure.
2. Minimize the number of open ports between the App1 tiers.
A SAS provides time-bound, permission-scoped delegated access to storage resources. To allow ten finance users to access blobs only during April, you issue SAS tokens with an appropriate start time and expiry time covering only that month.
Why the other choices are not correct:
- Conditional Access policies:
Conditional Access governs sign-in/session conditions in Entra ID; it does not natively grant time-scoped access to blobs themselves.
- Certificates:
Certificates can be used for authentication scenarios, but they do not provide a simple "April-only" delegated access mechanism for blob access like a SAS.
- Access keys:
Access keys grant broad account-level access and violate least privilege; they are not a best practice for limited-time delegated access.
1. Microsoft. (n.d.). Shared access signatures (SAS) in Azure Storage (overview). https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview Date Modified: Unable to locate date modified Date Accessed: 01/25/2026
Microsoft Exam Tips:
- AZ-104: "Time-limited access to storage" almost always maps to SAS (user delegation SAS/service SAS as appropriate).
- Avoid access keys unless explicitly required; they are high-privilege secrets.
2.0 Implement and manage storage (15–20%) |__ 2.1 Configure access to storage |__ 2.1.2 Create and use shared access signature (SAS) tokens
Question 667:
You have two Azure virtual machines named VM1 and VM2. You have two Recovery Services vaults named RSV1 and RSV2.
VM2 is backed up to RSV1.
You need to back up VM2 to RSV2.
What should you do first?
A. From the RSV1 blade, click Backup items and stop the VM2 backup
B. From the RSV2 blade, click Backup. From the Backup blade, select the backup for the virtual machine, and then click Backup
C. From the VM2 blade, click Disaster recovery, click Replication settings, and then select RSV2 as the Recovery Services vault
D. From the RSV1 blade, click Backup Jobs and export the VM2 job
A. From the RSV1 blade, click Backup items and stop the VM2 backup
An Azure VM can be protected by **one Recovery Services vault at a time**. To start protecting (backing up) VM2 in RSV2, you must first **stop protection** (stop backup) for VM2 in RSV1. Once protection is stopped, you can enable backup from RSV2.
Why the other options are not correct:
- From RSV2, click Backup and proceed: this will fail or be blocked while VM2 is still protected by RSV1.
- Disaster recovery / replication settings: that is Azure Site Recovery (DR), not Azure VM Backup vault selection.
- Export backup jobs: not a method to move backup protection between vaults.
1. Manage Azure VM backups in a Recovery Services vault (stop backup/protection workflow) https://learn.microsoft.com/en-us/azure/backup/backup-azure-manage-vms Date Modified: 10/02/2024 Date Accessed: 01/25/2026
5.0 Monitor and maintain Azure resources (10–15%) | |__ 5.2 Implement backup and recovery | |__ 5.2.4 Perform backup and restore operations by using Azure Backup
Question 668:
HOTSPOT
You have the role assignment file shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
- [Answer choice] assigned the Owner role for VM1: User1 and User3 are
- [Answer choice] can create a virtual machine in RG1: User1 and User4
Why this is correct
- User1 has Owner at the subscription scope, which applies (is inherited) to RG1 and all resources in RG1, including VM1.
- User3 has Owner scoped directly to the VM1 resource, so they are also an Owner for VM1.
- Creating a new VM in RG1 requires rights at RG1 (or higher). User4 has Contributor at RG1, which includes Microsoft.Compute resource creation in that resource group.
AZ-104 Exam Objective Hierarchy
1.0 Manage Azure identities and governance (20–25%) └── 1.2 Manage access to Azure resources └── 1.2.2 Assign roles at different scopes └── 1.2.3 Interpret access assignments
Question 669:
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You create a resource lock, and then you assign the lock to the subscription.
Does this meet the goal?
A. Yes
B. No
B. No
A resource lock (CanNotDelete/ReadOnly) protects resources from accidental deletion or modification. It does not enforce configuration standards on newly created resources and it cannot automatically insert NSG security rules (such as a deny rule for TCP/8080 between VNets).
To "automatically block" traffic when NSGs are created, you would use governance enforcement (typically Azure Policy with an appropriate effect such as deny/modify/deployIfNotExists), not resource locks.
Microsoft Exam Tips:
- When you see "automatically enforce on creation," think Azure Policy (deny/modify/deployIfNotExists), not resource locks.
- Locks are for protection; Policy is for compliance/enforcement (AZ-104).
You have Azure virtual machines that run Windows Server 2019 and are configured as shown in the following table.
You create a public Azure DNS zone named adatum.com and a private Azure DNS zone named contoso.com.
For contoso.com, you create a virtual network link named link1 as shown in the exhibit. (Click the Exhibit tab.)
You discover that VM1 can resolve names in contoso.com but cannot resolve names in adatum.com. VM1 can resolve other hosts on the Internet.
You need to ensure that VM1 can resolve host names in adatum.com.
What should you do?
A. Update the DNS suffix on VM1 to be adatum.com.
B. Create an SRV record in the contoso.com zone.
C. Configure the name servers for adatum.com at the domain registrar.
D. Modify the Access control (IAM) settings for link1.
C. Configure the name servers for adatum.com at the domain registrar.
VM1 can resolve Internet names (for example, contoso.com) but cannot resolve names in adatum.com, even though a public Azure DNS zone for adatum.com exists.
A public Azure DNS zone will not be used for Internet name resolution until the domain is delegated to Azure DNS. Delegation is performed by updating the domain's authoritative name servers (NS records) at the domain registrar (or current DNS host) to the Azure DNS name servers assigned to the zone. Without this, queries for adatum.com will not be answered by Azure DNS, so VM1 will not resolve host names in adatum.com using your Azure DNS zone.
Why the other options are not correct:
- Update the DNS suffix on VM1 to adatum.com:
This only affects how unqualified names are formed on the client. It does not change which DNS servers are authoritative for adatum.com on the Internet.
- Create an SRV record in the contoso.com zone:
This affects contoso.com records only and does not establish public name resolution for adatum.com.
- Modify the Access control (IAM) settings for link1:
link1 relates to a private DNS virtual network link for the contoso.com private zone. IAM settings and private zone links do not delegate adatum.com on the public Internet.
(1) Microsoft Learn - Tutorial: Host your domain in Azure DNS Link: https://learn.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns Date accessed: 2026-01-22 Last updated on: 2024-06-11
(2) Microsoft Learn - Azure DNS delegation overview Link: https://learn.microsoft.com/en-us/azure/dns/dns-domain-delegation Date accessed: 2026-01-22 Last updated on: 2024-06-11
(3) Microsoft Learn - Virtual network link (Azure DNS Private Resolver / Private DNS zones) Link: https://learn.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links Date accessed: 20