Free AZ-104 Practice Questions with Detailed Explanations

25 free practice questions covering Azure Administrator exam domains. Created by certified Azure professionals.

20 min read. Updated January 2026.

The AZ-104 Azure Administrator certification is one of the most sought-after credentials for cloud professionals. Unlike AZ-900, this is an Associate-level exam that tests your practical ability to manage Azure resources across identity, governance, storage, compute, and virtual networking.

These 25 free practice questions are scenario-based, matching the real exam format. Each question includes detailed explanations to help you understand not just the correct answer, but the reasoning behind Azure administrative best practices.

What You'll Get:

  • 25 practice questions across all AZ-104 exam domains
  • Detailed explanations for correct and incorrect answers
  • Real-world scenarios testing administrative skills
  • Coverage of VMs, networking, storage, Azure AD, and monitoring

How to Use These Practice Questions

AZ-104 is a hands-on exam. These questions simulate the scenario-based format you'll encounter:

  • Identity & Governance (6 questions): Azure AD, RBAC, Azure Policy
  • Storage & Data (6 questions): Storage accounts, blob, files, backup
  • Compute (6 questions): VMs, App Service, containers, scale sets
  • Networking (7 questions): VNets, NSGs, load balancing, VPN

Practice Test Instructions

  • Each question has ONE correct answer
  • Read scenarios carefully—details matter for admin tasks
  • Time yourself: 25 minutes for 25 questions
  • Review all explanations, even correct answers

Manage Azure Identities & Governance

Questions 1-6

Question 1: Azure AD User Management

Your organization has 500 employees joining next month from an acquired company. All users need Azure AD accounts with the same default settings. The HR system can export user data to a CSV file with names, emails, and departments.

What is the MOST efficient way to create these user accounts?

A) Create each user manually in the Azure portal
B) Use Azure AD bulk operations to import users from CSV
C) Use PowerShell to create users individually in a loop
D) Configure Azure AD Connect to sync from on-premises AD

Question 2: RBAC Role Assignment

A developer needs to start, stop, and restart virtual machines in the production resource group, but should not be able to delete VMs, modify network settings, or access any other resource groups. You want to follow the principle of least privilege.

Which role should you assign at the resource group scope?

A) Contributor
B) Virtual Machine Contributor
C) Virtual Machine Operator
D) Reader

Question 3: Azure Policy Implementation

Your company's compliance team requires that all Azure resources must be tagged with a "CostCenter" tag. Resources without this tag should not be deployable. You need to enforce this requirement across all subscriptions.

What should you implement?

A) Azure RBAC custom role that requires tags
B) Azure Policy with "Deny" effect for resources without CostCenter tag
C) Resource lock on all resource groups
D) Azure Advisor recommendation

Question 4: Resource Locks

A critical production resource group contains VMs, storage accounts, and databases. You need to prevent accidental deletion of these resources, but administrators should still be able to modify configurations and settings when needed.

Which type of lock should you apply to the resource group?

A) ReadOnly lock
B) CanNotDelete lock
C) DoNotModify lock
D) No lock is needed; use RBAC instead

Question 5: Cost Management

Your Azure costs have increased unexpectedly. You need to identify which resource group is consuming the most resources this month and set up alerts if spending exceeds $5,000 in any resource group.

Which tool should you use?

A) Azure Advisor
B) Azure Cost Management + Billing
C) Azure Monitor
D) Azure Policy

Question 6: Azure AD Groups

You need to create a group that automatically includes all users from the Marketing department based on their department attribute in Azure AD. When users join or leave the Marketing department, group membership should update automatically.

Which type of Azure AD group should you create?

A) Security group with Assigned membership
B) Microsoft 365 group with Dynamic membership
C) Security group with Dynamic User membership
D) Distribution list

Implement & Manage Storage

Questions 7-12

Question 7: Storage Account Performance Tiers

Your company is deploying a high-performance database that requires low-latency storage with consistent sub-millisecond response times. The database will handle thousands of small random I/O operations per second.

Which storage account performance tier should you use?

A) Standard performance with LRS replication
B) Premium performance with SSD-based storage
C) Standard performance with GRS replication
D) Cool tier with standard performance

Question 8: Blob Access Tiers

You have 10 TB of log files that must be retained for 7 years for compliance. The logs are rarely accessed after 30 days but must be available within hours if needed. You want to minimize storage costs.

Which blob access tier should you configure for these log files after 30 days?

A) Hot tier
B) Cool tier
C) Archive tier
D) Premium tier

Question 9: Azure Files Integration

Your company has multiple on-premises Windows servers that need to access a shared file system in Azure. Users should be able to map a network drive using SMB protocol and access files as if they were on a local file server.

Which Azure storage solution should you implement?

A) Azure Blob Storage with NFS protocol
B) Azure Files with SMB protocol
C) Azure Disk Storage mounted as network drive
D) Azure Table Storage with REST API

Question 10: Storage Replication

You need to configure a storage account that can survive a regional disaster. If the primary region becomes unavailable, your application must be able to fail over to a secondary region with read access to the data.

Which replication option should you configure?

A) Locally-redundant storage (LRS)
B) Zone-redundant storage (ZRS)
C) Geo-redundant storage (GRS)
D) Read-access geo-redundant storage (RA-GRS)

Question 11: Azure Backup Configuration

You need to implement a backup solution for 50 Azure VMs. Backups should be retained for 30 days, with the ability to restore individual files or the entire VM. The solution must be centrally managed and meet compliance requirements.

Which Azure service should you use?

A) Azure Blob Storage with lifecycle management
B) Azure Site Recovery
C) Recovery Services vault with Azure Backup
D) Managed disk snapshots

Question 12: Shared Access Signatures (SAS)

You need to provide a third-party vendor temporary access to upload files to a specific blob container. The access should expire after 48 hours and only allow write operations to that container, with no access to other containers.

What should you create?

A) Account-level SAS with full permissions
B) Container-level SAS with write permission and 48-hour expiry
C) Storage account access key
D) Azure AD service principal with Contributor role

Deploy & Manage Compute Resources

Questions 13-18

Question 13: VM Availability Sets

You're deploying a web application across multiple VMs in the same Azure region. The application must remain available during planned maintenance events, and you need to protect against rack-level failures within the datacenter.

What should you configure?

A) Deploy VMs in an availability set with 2 fault domains and 5 update domains
B) Deploy VMs in different resource groups
C) Deploy VMs with managed disks only
D) Deploy VMs in an availability zone

Question 14: Virtual Machine Scale Sets

Your application experiences predictable traffic spikes every weekday from 9 AM to 5 PM. You need to automatically scale from 2 VM instances during off-hours to 10 instances during peak hours based on CPU utilization above 70%.

What should you implement?

A) Virtual Machine Scale Set with autoscale rules based on CPU metrics
B) Multiple individual VMs with manual scaling
C) Azure Load Balancer with static VMs
D) Azure Kubernetes Service cluster

Question 15: Azure App Service Plans

You're migrating a .NET web application to Azure App Service. The app requires custom SSL certificates, custom domain names, and the ability to scale up to 10 instances. Development and staging slots are also required.

Which App Service plan tier should you choose?

A) Free (F1)
B) Basic (B1)
C) Standard (S1)
D) Premium (P1V2)

Question 16: Azure Container Instances

You need to run a containerized batch job that processes data files uploaded to blob storage. The job runs for 10-15 minutes and should start automatically when files are uploaded. You want to minimize costs and avoid managing infrastructure.

Which solution should you implement?

A) Azure Kubernetes Service with persistent pods
B) Azure Container Instances triggered by Azure Functions
C) Virtual Machine with Docker installed
D) Azure App Service with Docker container support

Question 17: VM Disk Configuration

You're deploying a SQL Server VM that requires high IOPS and low latency for the database files. The VM will host a production database with thousands of transactions per second. Cost is a secondary concern to performance.

Which disk type should you use for the database data files?

A) Standard HDD managed disk
B) Standard SSD managed disk
C) Premium SSD managed disk
D) Ultra Disk

Question 18: VM Extensions

After deploying 20 Windows VMs, you need to install and configure the Microsoft Monitoring Agent on all of them to enable Azure Monitor. You want to automate this process and ensure consistent configuration.

What should you use?

A) Remote Desktop to each VM and install manually
B) Azure VM extension for Microsoft Monitoring Agent
C) Azure Policy to enforce agent installation
D) PowerShell script run on each VM locally

Configure & Manage Virtual Networking

Questions 19-25

Question 19: Virtual Network Peering

You have two virtual networks in the same Azure region: VNet1 (10.1.0.0/16) and VNet2 (10.2.0.0/16). Resources in VNet1 need to communicate with resources in VNet2 using private IP addresses with low latency.

What should you configure?

A) VPN Gateway connection between VNet1 and VNet2
B) Virtual network peering between VNet1 and VNet2
C) ExpressRoute connection
D) Azure Load Balancer

Question 20: Network Security Groups (NSG)

You need to allow inbound HTTPS traffic (port 443) from the internet to web servers in a subnet, but block all other inbound traffic. Outbound internet access should be allowed for Windows updates.

What should you configure?

A) NSG with inbound rule allowing port 443 and default outbound rules
B) Azure Firewall with application rules
C) Application Gateway with WAF
D) Route table with custom routes

Question 21: Azure Load Balancer

You have three web servers in an availability set that need to distribute HTTP traffic evenly. If a server fails health checks, traffic should be routed only to healthy servers. The load balancer must handle internal traffic only.

Which load balancer should you deploy?

A) Public Azure Load Balancer (Basic SKU)
B) Internal Azure Load Balancer (Standard SKU)
C) Azure Application Gateway
D) Azure Traffic Manager

Question 22: VPN Gateway Configuration

Your company needs a secure connection between the on-premises datacenter and Azure VNet. The connection requires IPsec/IKE VPN tunnel with up to 1.25 Gbps throughput and must support multiple site-to-site connections.

Which VPN Gateway SKU should you choose?

A) Basic
B) VpnGw1
C) VpnGw2
D) ExpressRoute Gateway

Question 23: Azure DNS

You've registered the domain contoso.com with a third-party registrar. You want to host the DNS zone in Azure to manage DNS records for web apps and VMs. Users worldwide should resolve the domain to Azure resources.

What should you do?

A) Create an Azure DNS zone for contoso.com and update the domain's nameservers at the registrar
B) Create a private DNS zone in Azure
C) Use Azure Traffic Manager for DNS resolution
D) Configure custom DNS servers on the VNet

Question 24: Service Endpoints

VMs in your Azure VNet need to access an Azure Storage account. You want to ensure traffic stays on the Microsoft backbone network and doesn't traverse the public internet. The storage account should only be accessible from your VNet.

What should you configure?

A) VPN Gateway connection to storage account
B) Service endpoint for Microsoft.Storage on the subnet and storage firewall rules
C) ExpressRoute private peering
D) Network Security Group rule

Question 25: Network Watcher

You're troubleshooting connectivity issues between a VM in Azure and an on-premises server. You need to verify if packets are being dropped and identify which network security rules are blocking traffic.

Which Network Watcher feature should you use?

A) Connection Monitor
B) IP Flow Verify
C) NSG Flow Logs
D) Topology view

Answer Key with Detailed Explanations

Review each explanation carefully, even for questions you answered correctly

Scoring Guide for AZ-104

  • 20-25 correct: Strong foundation. Continue with full practice exams
  • 15-19 correct: Good progress. Review weak domains
  • 10-14 correct: More hands-on practice needed
  • Below 10: Focus on fundamentals and Azure portal experience

Question 1: Azure AD User Management

Correct Answer: B) Use Azure AD bulk operations to import users from CSV

Why this is correct:

Azure AD bulk operations allow you to import hundreds or thousands of users efficiently from a CSV file through the Azure portal. This feature validates the data, shows you any errors before committing, and processes all users in a single operation. It's the most efficient method for this scenario since you already have the CSV export from HR.

Why other answers are incorrect:

A) Create manually: Creating 500 users manually would be time-consuming, error-prone, and inefficient. This approach doesn't scale and increases the risk of inconsistent configurations.
C) PowerShell loop: While PowerShell can create users, looping through individual creation commands is less efficient than bulk operations and requires more scripting knowledge. Bulk operations provide better error handling.
D) Azure AD Connect: Azure AD Connect is for syncing from on-premises Active Directory. This scenario involves new users from an acquisition without mention of an existing on-premises AD infrastructure.

Question 2: RBAC Role Assignment

Correct Answer: C) Virtual Machine Operator

Why this is correct:

The Virtual Machine Operator role is designed specifically for this scenario. It allows users to start, stop, and restart VMs, but doesn't grant permissions to delete VMs, modify networking, or manage other resource types. This follows the principle of least privilege by providing exactly the permissions needed, nothing more.

Why other answers are incorrect:

A) Contributor: The Contributor role grants full management permissions for all resources in the scope, including the ability to delete VMs and modify networking. This violates the principle of least privilege.
B) Virtual Machine Contributor: This role allows managing all aspects of VMs including deletion and configuration changes. It provides more permissions than required for simply starting/stopping VMs.
D) Reader: The Reader role only allows viewing resources, not performing any management operations like starting or stopping VMs.

Question 3: Azure Policy Implementation

Correct Answer: B) Azure Policy with "Deny" effect for resources without CostCenter tag

Why this is correct:

Azure Policy with a "Deny" effect is the correct solution for enforcing compliance requirements. You can create a policy that requires the CostCenter tag and prevents deployment of any resource that doesn't include it. Policies can be assigned at the subscription or management group level to enforce across all subscriptions.

Why other answers are incorrect:

A) Custom RBAC role: RBAC controls who can perform actions, not what conditions must be met for resources. RBAC cannot enforce tagging requirements on resource deployments.
C) Resource lock: Resource locks prevent deletion or modification of existing resources. They don't enforce requirements for new resource deployments or tag presence.
D) Azure Advisor: Azure Advisor provides recommendations for best practices but doesn't enforce compliance. It's reactive (recommendations) rather than proactive (enforcement).
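As an added illustration that is not part of the original answer key, the following policy definition denies deployment of any resource that lacks a CostCenter tag; the display name and description are assumed wording, and the tag name comes from the scenario:

```json
{
  "properties": {
    "displayName": "Require CostCenter tag on resources",
    "description": "Denies creation of any resource that does not carry a CostCenter tag (assumed wording).",
    "mode": "Indexed",
    "policyRule": {
      "if": {
        "field": "tags['CostCenter']",
        "exists": "false"
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

Assign the definition at the management-group scope so it applies to every subscription beneath it; the Indexed mode limits evaluation to resource types that support tags and location, so resources that cannot be tagged are not blocked by the rule.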

Question 4: Resource Locks

Correct Answer: B) CanNotDelete lock

Why this is correct:

CanNotDelete lock prevents deletion of resources but still allows modifications and configuration changes. This meets both requirements: protecting against accidental deletion while allowing administrators to update settings, resize VMs, modify database configurations, etc. The lock applies to all resources within the resource group.

Why other answers are incorrect:

A) ReadOnly lock: ReadOnly locks prevent both deletion AND modification. While it prevents deletion, it would also block administrators from making necessary configuration changes, which doesn't meet the requirement.
C) DoNotModify lock: This is not a valid Azure resource lock type. The two valid types are CanNotDelete and ReadOnly.
D) No lock, use RBAC: While RBAC controls who can delete resources, it doesn't prevent accidental deletion by authorized users. Even administrators with proper permissions can accidentally delete resources without a lock.

Question 5: Cost Management

Correct Answer: B) Azure Cost Management + Billing

Why this is correct:

Azure Cost Management + Billing provides comprehensive cost analysis, allowing you to break down spending by resource group, service, tag, and time period. You can create budgets with alerts that notify you when spending exceeds thresholds (like $5,000). It's the dedicated tool for cost tracking and budget management in Azure.

Why other answers are incorrect:

A) Azure Advisor: Advisor provides cost optimization recommendations but doesn't provide detailed cost analysis by resource group or budget alerting capabilities.
C) Azure Monitor: Monitor tracks performance metrics and logs but isn't designed for cost analysis. While it can alert on metrics like CPU usage, it doesn't track spending or provide cost breakdowns.
D) Azure Policy: Policy enforces compliance and governance rules but doesn't provide cost tracking or analysis. It can prevent deployments but can't alert on spending thresholds.

Question 6: Azure AD Groups

Correct Answer: C) Security group with Dynamic User membership

Why this is correct:

Security groups with Dynamic User membership use rules to automatically add or remove members based on user attributes. You can create a rule like "user.department -eq 'Marketing'" to automatically populate the group. As users' department attributes change, group membership updates automatically without manual intervention.

Why other answers are incorrect:

A) Assigned membership: Assigned membership requires manually adding and removing users from the group. This doesn't meet the requirement for automatic updates based on department changes.
B) Microsoft 365 group with Dynamic membership: While Microsoft 365 groups support dynamic membership, they're designed for collaboration features (Teams, SharePoint, Outlook). For RBAC and access control, Security groups are the appropriate choice.
D) Distribution list: Distribution lists are for email distribution and don't support dynamic membership or access control scenarios. They're legacy Exchange objects, not Azure AD groups.

Question 7: Storage Account Performance Tiers

Correct Answer: B) Premium performance with SSD-based storage

Why this is correct:

Premium performance storage accounts use SSD-based storage and are specifically designed for high-performance scenarios requiring low latency and high IOPS. They provide consistent sub-millisecond response times and are ideal for databases with thousands of small random I/O operations per second. This is the recommended tier for production databases.

Why other answers are incorrect:

A) & C) Standard performance: Standard performance tiers use HDD-based storage (or standard SSD) which cannot provide the consistent sub-millisecond latency required. Replication type (LRS vs GRS) doesn't affect performance tier.
D) Cool tier: Cool tier is an access tier for blob storage, optimized for infrequent access with lower storage costs but higher access costs. It's not designed for high-performance database workloads.

Question 8: Blob Access Tiers

Correct Answer: B) Cool tier

Why this is correct:

Cool tier is optimized for data that is infrequently accessed but must remain readily available (within milliseconds to hours). It offers lower storage costs than Hot tier while maintaining reasonable access speeds. For compliance data retained 7 years but rarely accessed after 30 days, Cool tier provides the best balance of cost and availability.

Why other answers are incorrect:

A) Hot tier: Hot tier is for frequently accessed data. Since these logs are rarely accessed after 30 days, Hot tier would be unnecessarily expensive for this scenario.
C) Archive tier: Archive tier has the lowest storage cost, but retrieval takes hours (up to 15 hours for some rehydration priorities) and incurs higher access costs. The requirement that data be "available within hours" makes Archive borderline acceptable, but Cool is the more appropriate choice given the access needs.
D) Premium tier: Premium tier is for high-performance scenarios requiring low latency. It's the most expensive option and unnecessary for archived log files that are rarely accessed.

Question 9: Azure Files Integration

Correct Answer: B) Azure Files with SMB protocol

Why this is correct:

Azure Files provides fully managed file shares in the cloud accessible via SMB protocol. Windows servers can mount Azure file shares as network drives using standard SMB protocol, just like traditional on-premises file servers. This provides seamless integration with existing Windows applications and workflows.

Why other answers are incorrect:

A) Blob Storage with NFS: While Blob Storage supports NFS protocol, it's designed for object storage scenarios, not traditional file share scenarios. SMB is the native protocol for Windows file sharing.
C) Disk Storage as network drive: Azure Disk Storage is for attaching disks to individual VMs, not for creating shared file systems accessible by multiple servers. Disks can only be attached to one VM at a time.
D) Table Storage with REST API: Table Storage is a NoSQL data store accessed via REST API, not a file sharing solution. It doesn't support SMB protocol or network drive mapping.

Question 10: Storage Replication

Correct Answer: D) Read-access geo-redundant storage (RA-GRS)

Why this is correct:

RA-GRS replicates data to a secondary region hundreds of miles away from the primary region. Crucially, it provides read access to the data in the secondary region at all times, even before a failover. This meets both requirements: regional disaster protection and the ability to read data from the secondary region if the primary becomes unavailable.

Why other answers are incorrect:

A) LRS: Locally-redundant storage replicates data within a single datacenter in one region. It doesn't protect against regional disasters or provide a secondary region for failover.
B) ZRS: Zone-redundant storage replicates across availability zones within a single region. While it protects against zone failures, it doesn't provide regional disaster recovery.
C) GRS: Geo-redundant storage does replicate to a secondary region, but the secondary region data is not readable until Microsoft initiates a failover. RA-GRS provides the additional read access capability needed.

Question 11: Azure Backup Configuration

Correct Answer: C) Recovery Services vault with Azure Backup

Why this is correct:

Recovery Services vault with Azure Backup is the native Azure solution for VM backups. It provides centralized backup management, configurable retention policies (30 days in this case), and supports both item-level recovery (individual files) and full VM recovery. It also meets compliance requirements with built-in policies and reporting.

Why other answers are incorrect:

A) Blob Storage with lifecycle management: While you could manually create VM backups to blob storage, this doesn't provide the automated backup features, item-level recovery, or centralized management that Azure Backup offers.
B) Azure Site Recovery: Site Recovery is for disaster recovery and VM replication, not for backup and retention scenarios. It's designed for keeping VMs running in a secondary location, not creating restore points.
D) Managed disk snapshots: While snapshots can back up VMs, they require manual management, don't provide item-level file recovery, lack centralized management, and don't have the compliance features of Azure Backup.

Question 12: Shared Access Signatures (SAS)

Correct Answer: B) Container-level SAS with write permission and 48-hour expiry

Why this is correct:

A container-level SAS token provides granular access to a specific container only. You can configure it with write permission, 48-hour expiration, and no access to other containers. This follows the principle of least privilege by granting exactly the access needed for the vendor to upload files, nothing more.

Why other answers are incorrect:

A) Account-level SAS: Account-level SAS grants access to multiple services and containers within the storage account. This violates least privilege by providing broader access than necessary.
C) Storage account access key: Access keys provide full administrative access to the entire storage account with no expiration. This is far too permissive and doesn't allow for automatic expiration after 48 hours.
D) Azure AD service principal: While service principals can be used for access control, SAS tokens are the simpler, more appropriate solution for temporary third-party access with built-in expiration.

Question 13: VM Availability Sets

Correct Answer: A) Deploy VMs in an availability set with 2 fault domains and 5 update domains

Why this is correct:

Availability sets with fault domains and update domains are specifically designed for this scenario. Fault domains protect against rack-level failures (power, network) by spreading VMs across different physical racks. Update domains ensure VMs are rebooted in batches during planned maintenance, keeping the application available. This configuration provides 99.95% SLA.

Why other answers are incorrect:

B) Different resource groups: Resource groups are logical containers for management purposes. They don't provide any physical redundancy or availability features.
C) Managed disks only: While managed disks are recommended for VMs in availability sets, they don't by themselves provide high availability or protection against failures.
D) Availability zone: While availability zones provide even higher availability (99.99%), the question specifies protection within the same region against rack-level failures, which is what availability sets address. Availability zones are physically separate datacenters.

Question 14: Virtual Machine Scale Sets

Correct Answer: A) Virtual Machine Scale Set with autoscale rules based on CPU metrics

Why this is correct:

VM Scale Sets are designed specifically for autoscaling scenarios. You can configure rules to automatically scale out when CPU exceeds 70% and scale in when demand decreases. Scale sets support both metric-based (CPU, memory) and schedule-based scaling rules, making them perfect for predictable traffic patterns with variable load.

Why other answers are incorrect:

B) Individual VMs with manual scaling: Manual scaling requires human intervention to add/remove VMs, which is slow, error-prone, and doesn't meet the "automatic" requirement. It also increases operational overhead.
C) Load Balancer with static VMs: Load balancers distribute traffic but don't provide autoscaling capabilities. You'd still need to manually add/remove VMs behind the load balancer.
D) Azure Kubernetes Service: While AKS supports autoscaling, it's designed for containerized applications. For VM-based workloads, VM Scale Sets are the more appropriate and simpler solution.

Question 15: Azure App Service Plans

Correct Answer: C) Standard (S1)

Why this is correct:

Standard tier is the minimum tier that supports deployment slots (needed for dev/staging), custom domains, and SSL certificates. It supports scaling up to 10 instances and provides all the features required in the scenario. Standard offers a good balance of features and cost for production workloads that don't require Premium features.

Why other answers are incorrect:

A) Free (F1): Free tier doesn't support custom domains, SSL certificates, or deployment slots. It's for development/testing only with significant limitations.
B) Basic (B1): Basic tier supports custom domains and SSL but does NOT support deployment slots, which are required for staging environments. Basic tier lacks autoscaling capabilities.
D) Premium (P1V2): While Premium would work, it's more expensive and provides features (better performance, more instances, VNet integration) that aren't required in this scenario. Standard meets all requirements at lower cost.

Question 16: Azure Container Instances

Correct Answer: B) Azure Container Instances triggered by Azure Functions

Why this is correct:

Azure Container Instances (ACI) provides on-demand containers with per-second billing, perfect for short-running batch jobs. Azure Functions can be triggered by blob storage events (file uploads) and then start ACI containers to process the files. You only pay for the compute time used (10-15 minutes), with no infrastructure management required.

Why other answers are incorrect:

A) AKS with persistent pods: AKS is designed for long-running, orchestrated container workloads. For short batch jobs, you'd be paying for cluster nodes even when not processing files. AKS adds unnecessary complexity and cost.
C) VM with Docker: Running a VM requires managing the infrastructure and paying for the VM even when it's idle. This doesn't minimize costs or avoid infrastructure management as required.
D) App Service with containers: App Service is for long-running web applications, not short batch jobs. You'd pay for the App Service plan continuously, not just during the 10-15 minute processing windows.

Question 17: VM Disk Configuration

Correct Answer: D) Ultra Disk

Why this is correct:

Ultra Disk provides the highest performance tier with sub-millisecond latency and up to 160,000 IOPS per disk. It's specifically designed for I/O-intensive workloads like SQL Server production databases handling thousands of transactions per second. While it's the most expensive option, the scenario states "cost is a secondary concern to performance."

Why other answers are incorrect:

A) Standard HDD: Standard HDD provides the lowest performance and highest latency. It's suitable for backups and infrequent access, not production databases with thousands of transactions per second.
B) Standard SSD: Standard SSD offers better performance than HDD but still doesn't meet the requirements for high IOPS and sub-millisecond latency needed for production SQL Server workloads.
C) Premium SSD: Premium SSD is a good general-purpose high-performance option and would work for many database scenarios. However, for the "thousands of transactions per second" requirement with cost as secondary concern, Ultra Disk provides superior performance.

Question 18: VM Extensions

Correct Answer: B) Azure VM extension for Microsoft Monitoring Agent

Why this is correct:

VM extensions are small applications that provide post-deployment configuration and automation on Azure VMs. The Microsoft Monitoring Agent extension can be deployed to multiple VMs simultaneously with consistent configuration, either through the portal, PowerShell, or ARM templates. This ensures automation and consistency across all 20 VMs.

Why other answers are incorrect:

A) Remote Desktop manually: Manually connecting to 20 VMs to install the agent is time-consuming, error-prone, and doesn't ensure consistent configuration. This approach doesn't scale well and increases the risk of misconfiguration.
C) Azure Policy: While Azure Policy can audit or report on VMs that don't have the agent installed, it doesn't actually install the agent. Policy is for compliance enforcement and reporting, not for software deployment.
D) PowerShell script locally: Running scripts locally on each VM still requires connecting to each VM individually. VM extensions can be deployed from the Azure management plane without logging into each VM.

Question 19: Virtual Network Peering

Correct Answer: B) Virtual network peering between VNet1 and VNet2

Why this is correct:

Virtual network peering connects two Azure VNets directly through the Microsoft backbone network, allowing resources to communicate using private IP addresses. Peering provides low latency (same as within a single VNet), high bandwidth, and doesn't require gateways or encryption overhead. It's the simplest and most performant solution for VNet-to-VNet connectivity in the same or different regions.

Why other answers are incorrect:

A) VPN Gateway: VPN Gateways connect VNets through encrypted tunnels, adding latency and complexity. While they work, they're unnecessary overhead when both VNets are in Azure. VPN is typically for on-premises-to-Azure connections.
C) ExpressRoute: ExpressRoute provides private connections from on-premises to Azure, not VNet-to-VNet connectivity within Azure. It's also significantly more expensive and complex than needed.
D) Load Balancer: Load balancers distribute traffic across multiple backends but don't provide network connectivity between VNets. They operate at different network layers and serve different purposes.

Question 20: Network Security Groups

Correct Answer: A) NSG with inbound rule allowing port 443 and default outbound rules

Why this is correct:

NSGs are perfect for this scenario. Create an inbound security rule to allow port 443 (HTTPS) from the internet; the NSG's default outbound rules already allow all outbound traffic (including Windows updates). NSGs deny inbound traffic by default, so you only need to explicitly allow port 443. This is the simplest, most cost-effective solution.

Why other answers are incorrect:

B) Azure Firewall: Azure Firewall is a managed, cloud-based network security service that's more expensive and complex than needed. While it can do this job, NSGs are the appropriate tool for basic port-based filtering at the subnet level.
C) Application Gateway with WAF: Application Gateway is a Layer 7 load balancer with optional Web Application Firewall. It's designed for HTTP/HTTPS routing and load balancing, not basic port filtering. It's more expensive and complex than needed.
D) Route table: Route tables control routing of traffic between subnets and networks, not filtering or allowing/blocking specific ports. They work at Layer 3 (routing), not Layer 4 (ports).

Question 21: Azure Load Balancer

Correct Answer: B) Internal Azure Load Balancer (Standard SKU)

Why this is correct:

An internal load balancer distributes traffic within a VNet (not from the internet), which is exactly what internal-only traffic requires. The Standard SKU provides health probes to monitor server health and automatically routes traffic only to healthy instances. It supports availability sets and provides the 99.99% SLA needed for production workloads.

Why other answers are incorrect:

A) Public Load Balancer: Public Load Balancer is for internet-facing traffic with public IP addresses. The scenario specifically states "internal traffic only," making Public LB inappropriate.
C) Application Gateway: Application Gateway is a Layer 7 load balancer for HTTP/HTTPS traffic with advanced routing capabilities (URL-based routing, SSL termination). For simple Layer 4 load balancing of internal HTTP traffic, Azure Load Balancer is simpler and more cost-effective.
D) Traffic Manager: Traffic Manager is a DNS-based global load balancer for distributing traffic across regions or geographic locations. It doesn't handle traffic within a single availability set.

Question 22: VPN Gateway Configuration

Correct Answer: C) VpnGw2

Why this is correct:

VpnGw2 supports up to 1.25 Gbps throughput and allows up to 30 site-to-site/VNet-to-VNet tunnels. It provides the bandwidth required and supports multiple site-to-site connections. VpnGw2 also includes features like BGP support and active-active configurations for production scenarios.

Why other answers are incorrect:

A) Basic: Basic SKU only supports up to 100 Mbps throughput (far below the 1.25 Gbps requirement) and has limited tunnel support. It also doesn't support BGP or active-active configurations. Basic is for dev/test only.
B) VpnGw1: VpnGw1 supports up to 650 Mbps, which is below the required 1.25 Gbps. While it supports multiple connections, the bandwidth is insufficient for this scenario.
D) ExpressRoute Gateway: ExpressRoute Gateways are for ExpressRoute circuits (private connections from telco providers), not VPN connections over the internet. ExpressRoute is also significantly more expensive.

Question 23: Azure DNS

Correct Answer: A) Create an Azure DNS zone for contoso.com and update the domain's nameservers at the registrar

Why this is correct:

Azure DNS provides reliable, secure DNS hosting with global reach. Create a DNS zone for contoso.com in Azure, then update the nameserver (NS) records at your domain registrar to point to Azure's DNS nameservers. This delegates DNS management to Azure while keeping the domain registration with the original registrar. Azure DNS will then resolve queries globally.

Why other answers are incorrect:

B) Private DNS zone: Private DNS zones are for name resolution within Azure VNets, not for public internet-facing domains. Private zones can't be queried from the public internet.
C) Traffic Manager: Traffic Manager provides DNS-based traffic routing and load balancing but doesn't host DNS zones. It's used in addition to DNS hosting, not instead of it, for geographic routing decisions.
D) Custom DNS servers on VNet: Custom DNS servers on VNets are for resolving names within the VNet, not for hosting public DNS zones accessible worldwide. This doesn't provide global DNS resolution.

Question 24: Service Endpoints

Correct Answer: B) Service endpoint for Microsoft.Storage on the subnet and storage firewall rules

Why this is correct:

Service endpoints extend your VNet's private address space to Azure services over the Microsoft backbone network. Enable the Microsoft.Storage service endpoint on your subnet, then configure the storage account firewall to only allow access from that subnet. Traffic stays on Microsoft's network and the storage account is secured to your VNet only.

Why other answers are incorrect:

A) VPN Gateway: VPN Gateways are for connecting on-premises networks to Azure or VNet-to-VNet connections. You cannot create a VPN connection directly to a storage account, and it's unnecessary when both resources are in Azure.
C) ExpressRoute private peering: ExpressRoute is for connecting on-premises networks to Azure via private circuits. Service endpoints are the simpler, more appropriate solution for Azure VNet to Azure service connectivity.
D) NSG rule: NSGs control traffic flow between subnets and to/from the internet but don't secure storage accounts or ensure traffic stays on Microsoft's backbone network. NSGs work at the network level, not the service level.

Question 25: Network Watcher

Correct Answer: B) IP Flow Verify

Why this is correct:

IP Flow Verify tests whether a packet is allowed or denied to or from a VM based on its 5-tuple (source and destination IP, source and destination port, and protocol). It tells you exactly which security rule is allowing or blocking the traffic and shows whether the packet would be dropped. This is perfect for troubleshooting connectivity issues and identifying blocking NSG rules.

Why other answers are incorrect:

A) Connection Monitor: Connection Monitor provides ongoing monitoring of connectivity between endpoints over time, showing latency and packet loss trends. While useful for monitoring, it doesn't immediately show which specific security rule is blocking traffic.
C) NSG Flow Logs: NSG Flow Logs record all traffic flowing through NSGs over time for analysis. While they show what happened, they're not as immediate or specific as IP Flow Verify for troubleshooting a specific connectivity issue right now.
D) Topology view: Topology view shows the network architecture and relationships between resources but doesn't test connectivity or identify which rules are blocking traffic. It's for visualization, not troubleshooting.
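Added example for the NSG design in question 20 and the IP Flow Verify explanation in question 25 (it is not part of the original page or of Azure's own tooling): it simulates how an NSG evaluates an inbound 5-tuple in ascending priority order, with the platform's default rules sitting behind the custom ones, and returns the matching rule the way IP Flow Verify reports it. The VNet address space, rule names and sample source addresses are constructed for illustration, and the Internet service tag is approximated as "any address outside the VNet".

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET = ip_network("10.0.0.0/16")           # constructed VNet address space
AZURE_LB = ip_network("168.63.129.16/32")  # Azure platform load-balancer/health-probe source

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first; 65000+ are the platform defaults
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, or service tag: Internet, VirtualNetwork, AzureLoadBalancer, "*"
    dest_port: str     # single port, "lo-hi" range, or "*"

def _source_matches(source, src_ip):
    ip = ip_address(src_ip)
    if source == "*":
        return True
    if source == "VirtualNetwork":
        return ip in VNET
    if source == "AzureLoadBalancer":
        return ip in AZURE_LB
    if source == "Internet":          # approximation: any address outside the VNet
        return ip not in VNET
    return ip in ip_network(source)

def _port_matches(dest_port, port):
    if dest_port == "*":
        return True
    lo, _, hi = dest_port.partition("-")
    return int(lo) <= port <= int(hi or lo)

def ip_flow_verify(rules, src_ip, dst_port, protocol="Tcp"):
    """Return (access, rule name) for the first rule that matches an inbound flow."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (rule.protocol in ("*", protocol)
                and _source_matches(rule.source, src_ip)
                and _port_matches(rule.dest_port, dst_port)):
            return rule.access, rule.name
    raise RuntimeError("DenyAllInBound should always terminate evaluation")

# Azure's default inbound rules; custom rules (priority 100-4096) are evaluated before them.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]
# Question 20's design: one custom rule opening HTTPS from the internet, everything else denied.
WEB_NSG = [Rule("Allow-HTTPS-In", 100, "Allow", "Tcp", "Internet", "443")] + DEFAULT_INBOUND
```

With this rule set, HTTPS from the constructed address 203.0.113.10 matches Allow-HTTPS-In, while RDP from the same address falls through to DenyAllInBound, which is the rule IP Flow Verify would name as the one blocking the flow.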

Frequently Asked Questions

How difficult is AZ-104 compared to AZ-900?

AZ-104 is significantly more challenging. It is an Associate-level certification requiring hands-on Azure administration experience. Questions are scenario-based and test your ability to implement and manage resources.

Do I need hands-on Azure experience?

Yes. Microsoft recommends at least 6 months of hands-on Azure administration experience. The exam includes performance-based tasks requiring practical knowledge of the Azure portal, CLI, and PowerShell.

How many practice questions should I complete?

For AZ-104, practicing with 500-600 unique questions is recommended due to the exam's breadth and depth. This ensures coverage of all administrative tasks.

Can I skip AZ-900 and go straight to AZ-104?

Yes, if you have Azure experience. However, AZ-900 provides a solid foundation that is helpful for AZ-104. Many candidates take both sequentially.