Preparing for the AZ-104 Microsoft Azure Administrator Certification Exam in 2026? This comprehensive practice guide covers the most important and recently updated exam topics including Azure Active Directory, Identity and Governance, Storage Accounts, Virtual Machines, Virtual Networking, Monitoring, and Backup & Recovery. Each question mirrors the format and difficulty of the real Microsoft AZ-104 exam, with detailed explanations for every correct answer so you understand the WHY behind each choice. Whether you are a cloud engineer, system administrator, or IT professional transitioning to Azure, these questions will help you identify knowledge gaps, reinforce key concepts, and build the confidence you need to pass on your first attempt. Bookmark this page and revisit regularly as questions are updated to reflect the latest Azure feature releases and exam blueprint changes from Microsoft.
1. A company needs to allow users from a partner organization (Tenant B) to access resources in their Azure subscription (Tenant A) without creating new accounts. What should you configure?
A. Azure AD Connect
B. Azure AD B2C
C. Azure AD B2B collaboration
D. Azure AD Domain Services
Explanation: Azure AD B2B (Business-to-Business) collaboration allows external users from partner organizations to access your resources using their own credentials. No new accounts need to be created in Tenant A.
2. You need to ensure that VMs in a virtual network can communicate with each other but are isolated from the internet. Which Azure feature should you use?
A. Network Security Group (NSG)
B. Azure Firewall
C. Private Endpoint
D. Service Endpoint
Explanation: NSGs control inbound and outbound traffic to Azure resources. By denying all internet traffic while allowing VNet-internal traffic, you achieve isolation from the internet while maintaining inter-VM communication.
3. You have 200 Azure VMs and need to apply a consistent security policy across all of them to ensure they always have the latest OS patches. What should you use?
A. Azure Policy
B. Azure Update Manager
C. Azure Automation + Update Management
D. Azure Security Center
Explanation: Azure Automation with Update Management assesses the update status of all VMs and manages the process of installing required updates, supporting Windows and Linux VMs at scale.
4. A team member accidentally deleted a blob container in Azure Storage. You need to recover the deleted container. Which feature must have been enabled beforehand?
A. Geo-redundant storage (GRS)
B. Blob versioning
C. Container soft delete
D. Azure Backup for blobs
Explanation: Container soft delete retains deleted containers (and their blobs) for a specified retention period. If enabled before deletion, you can restore the container from the Azure portal or via API.
5. You need to deploy a multi-region Azure application that automatically routes users to the closest healthy endpoint. Which Azure service should you use?
A. Azure Load Balancer
B. Azure Traffic Manager
C. Azure Application Gateway
D. Azure Front Door
Explanation: Azure Traffic Manager is a DNS-based traffic load balancer that distributes traffic across regions. The ‘Performance’ routing method sends users to the closest healthy endpoint, minimizing latency.
6. You have an Azure VM that needs to access Azure Key Vault without storing credentials in code or configuration files. What should you configure?
A. Service Principal with client secret
B. Managed Identity for the VM
C. Azure AD Application registration
D. Shared Access Signature (SAS)
Explanation: Managed Identity provides an automatically managed identity in Azure AD for applications to use when connecting to resources that support Azure AD authentication, eliminating the need to store credentials.
7. Your organization requires that all Azure resources in a subscription must be tagged with a ‘CostCenter’ tag. How do you enforce this requirement?
A. Azure Blueprint
B. Resource Lock
C. Azure Policy with ‘Require a tag’ effect
D. Azure RBAC custom role
Explanation: Azure Policy with the ‘Require a tag and its value’ or ‘Require a tag’ built-in policy definition enforces that all resources have the specified tag. Resources without the tag will be denied or flagged for remediation.
8. You need to allow a developer to deploy resources to a resource group but prevent them from changing permissions on those resources. Which built-in RBAC role should you assign?
A. Owner
B. Contributor
C. Reader
D. User Access Administrator
Explanation: The Contributor role grants full access to manage all resources but does NOT allow users to assign roles in Azure RBAC. The Owner role includes role assignment permissions, which you want to prevent.
9. You have a web application running in Azure App Service that needs to connect to an Azure SQL Database. The connection string is stored in Azure Key Vault. What is the most secure way to retrieve the connection string at runtime?
A. Hardcode the Key Vault URL in application code
B. Use App Service Key Vault references with Managed Identity
C. Store the secret in App Service Application Settings
D. Use a SAS token to access Key Vault
Explanation: App Service Key Vault references allow app settings to reference Key Vault secrets directly using the @Microsoft.KeyVault() syntax. Combined with Managed Identity, no credentials are ever stored in the app configuration.
10. You need to monitor Azure resource costs and receive an alert when costs exceed 80% of a monthly budget of $10,000. What should you configure?
A. Azure Monitor alert on billing metrics
B. Azure Cost Management budget with alert threshold
C. Azure Advisor cost recommendation
D. Azure Policy cost enforcement
Explanation: Azure Cost Management budgets allow you to set spending thresholds and configure alerts at defined percentages (e.g., 80%, 100%). Alerts are sent via email or action groups when thresholds are reached.
11. A VM in a subnet must access Azure Storage over a private connection without traversing the internet. What should you configure?
A. VNet Service Endpoint for Storage
B. Public endpoint with firewall rules
C. Azure ExpressRoute
D. VNet Peering
Explanation: VNet Service Endpoints extend your virtual network’s private address space and identity to Azure services over an optimized route. Traffic between your VNet and Azure Storage never leaves the Microsoft backbone network.
12. You need to implement high availability for a web application hosted on two Azure VMs to ensure 99.95% SLA. What should you configure?
A. Place both VMs in the same Availability Zone
B. Place both VMs in an Availability Set
C. Use Azure Scale Sets with single VM
D. Use Azure Site Recovery
Explanation: An Availability Set distributes VMs across multiple Fault Domains (separate physical hardware) and Update Domains, protecting against hardware failures and planned maintenance. This configuration qualifies for the 99.95% SLA.
13. You have a storage account with LRS redundancy. Your company now requires that data be replicated to a secondary region. What should you change?
A. Upgrade to Premium storage tier
B. Change replication to GRS or RA-GRS
C. Enable blob versioning
D. Change access tier to Archive
Explanation: GRS (Geo-Redundant Storage) replicates data asynchronously to a secondary region hundreds of miles away. RA-GRS additionally provides read access to the secondary region. Both support cross-region disaster recovery.
14. You need to assign a static public IP to an Azure VM and ensure the IP address does not change after VM restarts or reallocation. What type of IP allocation should you configure?
A. Dynamic public IP address
B. Static public IP address
C. Private IP with NAT gateway
D. Floating IP (Direct Server Return)
Explanation: A Static public IP address remains the same for the lifetime of the resource. A Dynamic IP may change when the VM is stopped/deallocated. Static IPs are required for DNS name resolution, SSL certificates, and firewall allow-lists.
15. You are configuring Azure AD Conditional Access to require MFA only when users sign in from outside the corporate network. What type of condition should you configure?
A. Device platform condition
B. Client apps condition
C. Named Locations (IP ranges)
D. User risk condition
Explanation: Named Locations in Conditional Access allow you to define trusted IP ranges (corporate network). You then configure the policy to require MFA when the sign-in location does NOT match a named location (outside corporate network).
16. You need to give a third-party auditor read-only access to all Azure resources across your entire organization without granting access resource-by-resource. Where should you assign the Reader role?
A. Each resource group individually
B. Each subscription individually
C. Management Group that contains all subscriptions
D. Azure Active Directory root tenant
Explanation: Assigning roles at the Management Group scope propagates permissions down to all child subscriptions, resource groups, and resources. This is the most efficient way to grant organization-wide access using RBAC inheritance.
17. You need to migrate an on-premises SQL Server database to Azure with minimal downtime. Which Azure Database Migration Service (DMS) migration mode should you use?
A. Offline migration
B. Online migration with continuous sync
C. Schema migration only
D. Backup and restore method
Explanation: Online migration in Azure DMS continuously syncs data changes from the source to the target while the source remains online. This minimizes downtime to just a brief cutover window, making it ideal for production databases.
18. An Azure VM has a network interface with both a private and a public IP. You want to prevent the VM from being accessible from the internet while still allowing outbound internet connectivity. What should you do?
A. Delete the public IP and attach a NAT Gateway to the subnet
B. Apply an NSG rule to block all inbound traffic
C. Remove the VM from the VNet
D. Disable the network interface
Explanation: Removing the public IP and using Azure NAT Gateway allows the VM to make outbound connections to the internet while being completely inaccessible inbound from the internet. NAT Gateway provides SNAT (Source Network Address Translation) for outbound traffic.
19. You need to implement disaster recovery for Azure VMs to a secondary region with an RPO of less than 15 minutes. Which service should you use?
A. Azure Backup with cross-region restore
B. Azure Site Recovery (ASR)
C. Azure Storage GRS replication
D. Manual VM snapshot copy
Explanation: Azure Site Recovery replicates VMs continuously to a secondary region, typically achieving RPO of under 5 minutes. It supports automated failover and failback, and provides orchestrated recovery plans for complex multi-tier applications.
20. You have created a custom RBAC role and need to assign it to a user at the subscription scope. The role definition includes the ‘Microsoft.Compute/virtualMachines/start/action’ permission. What does this allow the user to do?
A. Create new virtual machines
B. Start stopped virtual machines
C. Delete virtual machines
D. Resize virtual machines
Explanation: The ‘Microsoft.Compute/virtualMachines/start/action’ entry grants permission specifically to start (power on) existing VMs; it does not cover create, delete, or resize. Each Azure resource operation maps to a specific action string in the RBAC permission model.
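The explanations for questions 8 and 20 both rest on how Azure RBAC matches an operation against a role definition's Actions and NotActions. The following is an added example, not code from the original page or from Microsoft: a small model of that matching (case-insensitive, with ‘*’ as a wildcard; an operation is permitted when some Actions entry matches and no NotActions entry does). The Contributor definition is abbreviated to its Microsoft.Authorization NotActions, the ‘VM Starter’ custom role is hypothetical, and DataActions are not modelled.

```python
"""
Added example (not from the original page): how Azure RBAC decides whether a
role definition permits a control-plane operation. Role definitions below are
constructed for illustration; Contributor's NotActions list is abbreviated to
the Microsoft.Authorization entries, and DataActions are not modelled.
"""
import fnmatch

CONTRIBUTOR = {
    "Name": "Contributor",
    "Actions": ["*"],                      # everything on the control plane ...
    "NotActions": [                        # ... except managing access itself
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
}

# Hypothetical custom role from question 20: may read and power on VMs, nothing else.
VM_STARTER = {
    "Name": "VM Starter (custom, hypothetical)",
    "Actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/start/action",
    ],
    "NotActions": [],
}

# Operations a reviewer might want to check a role against (constructed list).
OPERATIONS = [
    "Microsoft.Compute/virtualMachines/write",           # create or update a VM
    "Microsoft.Compute/virtualMachines/start/action",    # power on a VM
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleAssignments/write",     # assign a role
]


def action_matches(pattern: str, operation: str) -> bool:
    """Case-insensitive match where '*' spans any characters, including '/'."""
    return fnmatch.fnmatchcase(operation.lower(), pattern.lower())


def is_permitted(role: dict, operation: str) -> bool:
    """Permitted if an Actions entry matches and no NotActions entry matches."""
    allowed = any(action_matches(p, operation) for p in role["Actions"])
    excluded = any(action_matches(p, operation) for p in role["NotActions"])
    return allowed and not excluded


def permitted_operations(role: dict, operations: list[str]) -> list[str]:
    """Subset of `operations` that `role` permits, in the given order."""
    return [op for op in operations if is_permitted(role, op)]


if __name__ == "__main__":
    for role in (CONTRIBUTOR, VM_STARTER):
        print(role["Name"])
        for op in OPERATIONS:
            print(f"  {'allow' if is_permitted(role, op) else 'deny ':5} {op}")
```

Running the block shows Contributor permitted for every VM operation but denied ‘Microsoft.Authorization/roleAssignments/write’ (the NotActions wildcard catches it), while the custom role can start and read VMs but cannot create or delete them.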
21. You need to connect your on-premises network to Azure with a guaranteed bandwidth of 1 Gbps and a private connection that does not traverse the public internet. What should you deploy?
A. Azure VPN Gateway with Site-to-Site connection
B. Azure ExpressRoute circuit
C. Azure Virtual WAN
D. Azure Bastion
Explanation: Azure ExpressRoute provides a private, dedicated connection between on-premises networks and Azure through a connectivity provider. It offers guaranteed bandwidth options (from 50 Mbps to 100 Gbps) and does not traverse the public internet.
22. You need to store diagnostic logs from multiple Azure resources in a central location for long-term retention and analysis. What should you configure?
A. Send logs to Azure Monitor Metrics
B. Configure Diagnostic Settings to send logs to a Log Analytics Workspace
C. Enable Azure Security Center
D. Use Azure Application Insights
Explanation: Log Analytics Workspace in Azure Monitor is the central repository for collecting and storing log data from Azure resources. Diagnostic Settings on each resource route logs to the workspace, enabling cross-resource queries with KQL.
23. A company requires all Azure VMs to use approved VM image sizes. Non-compliant VMs must be flagged but not prevented from running. Which Azure Policy effect should you use?
A. Deny
B. DeployIfNotExists
C. Audit
D. Append
Explanation: The ‘Audit’ effect evaluates resources against the policy rule and flags non-compliant ones in the compliance report without blocking or modifying them. Use ‘Deny’ to prevent non-compliant resources from being created or modified.
24. You need to ensure that users can only create resources in the East US and West Europe Azure regions across your organization. What is the most efficient way to enforce this?
A. Apply NSG rules to all virtual networks
B. Assign an Azure Policy at the Management Group level with ‘Allowed Locations’
C. Train users to deploy in correct regions
D. Apply resource locks to other regions
Explanation: The built-in ‘Allowed locations’ Azure Policy restricts where resources can be deployed. Assigning it at the Management Group level enforces the restriction across all subscriptions and resource groups in the organization.
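Questions 7, 23 and 24 all turn on the shape of an Azure Policy rule (an `if` condition and a `then` effect) and on what Audit does differently from Deny. The following is an added example, not code from the original page or a Microsoft built-in definition: a minimal evaluator over that rule shape, run against a few constructed VM resources. The three policy rules are simplified, hand-written versions of the ‘Allowed locations’, ‘Require a tag’ and approved-VM-size ideas; alias resolution is simplified, and scope inheritance (management group to subscription to resource group) is not modelled, so every rule is assumed to apply to every resource.

```python
"""
Added example (not from the original page): a small evaluator for the
{"if": <condition>, "then": {"effect": ...}} shape of an Azure Policy rule,
showing that Audit only records a finding while Deny blocks the deployment.
Policy rules and resources are constructed for illustration.
"""
import copy
import re

ALLOWED_LOCATIONS = {
    "displayName": "Allowed locations (simplified)",
    "policyRule": {
        "if": {"field": "location", "notIn": ["eastus", "westeurope"]},
        "then": {"effect": "deny"},
    },
}

REQUIRE_COST_CENTER_TAG = {
    "displayName": "Require a tag (simplified)",
    "policyRule": {
        "if": {"field": "tags[CostCenter]", "exists": "false"},
        "then": {"effect": "deny"},
    },
}

APPROVED_VM_SIZES = {
    "displayName": "Audit VM sizes (simplified)",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"field": "Microsoft.Compute/virtualMachines/sku.name",
             "notIn": ["Standard_D2s_v3", "Standard_D4s_v3"]},
        ]},
        "then": {"effect": "audit"},   # flag, but do not block
    },
}

POLICIES = [ALLOWED_LOCATIONS, REQUIRE_COST_CENTER_TAG, APPROVED_VM_SIZES]


def _norm(value):
    """Azure Policy string comparisons are case-insensitive."""
    return value.lower() if isinstance(value, str) else value


def field_value(resource: dict, field: str):
    """Resolve 'tags[Name]', plain fields, or an alias's trailing 'a.b' path."""
    tag = re.fullmatch(r"tags\[(.+)\]", field)
    if tag:
        return resource.get("tags", {}).get(tag.group(1))
    value = resource
    for part in field.rsplit("/", 1)[-1].split("."):
        if not isinstance(value, dict):
            return None
        value = value.get(part)
    return value


def condition_holds(cond: dict, resource: dict) -> bool:
    """True when the 'if' block matches, i.e. the resource is non-compliant."""
    if "allOf" in cond:
        return all(condition_holds(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_holds(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_holds(cond["not"], resource)
    value = _norm(field_value(resource, cond["field"]))
    if "equals" in cond:
        return value == _norm(cond["equals"])
    if "in" in cond:
        return value in [_norm(v) for v in cond["in"]]
    if "notIn" in cond:
        return value not in [_norm(v) for v in cond["notIn"]]
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def deploy(policies: list, resource: dict):
    """Simulate a deployment request under `policies`.
    Returns (created, findings); findings lists (displayName, effect) for
    every rule that matched. Only a 'deny' effect stops creation."""
    findings, created = [], True
    for policy in policies:
        rule = policy["policyRule"]
        if condition_holds(rule["if"], resource):
            effect = rule["then"]["effect"].lower()
            findings.append((policy["displayName"], effect))
            if effect == "deny":
                created = False
    return created, findings


def with_effect(policy: dict, effect: str) -> dict:
    """Copy of `policy` with a different effect (to contrast audit vs deny)."""
    changed = copy.deepcopy(policy)
    changed["policyRule"]["then"]["effect"] = effect
    return changed


def vm(name, location, size, tags=None):
    """Constructed VM resource; 'sku.name' stands in for the VM size alias."""
    return {"name": name, "type": "Microsoft.Compute/virtualMachines",
            "location": location, "sku": {"name": size}, "tags": tags or {}}


if __name__ == "__main__":
    for r in (vm("web01", "eastus", "Standard_D2s_v3", {"CostCenter": "1234"}),
              vm("web02", "westus", "Standard_D2s_v3", {"CostCenter": "1234"}),
              vm("web03", "westeurope", "Standard_E64s_v3", {"CostCenter": "1234"}),
              vm("web04", "eastus", "Standard_D2s_v3")):
        print(r["name"], deploy(POLICIES, r))
```

With the audit effect, the oversized VM `web03` is still created but shows up as a finding; swapping the same rule to `deny` via `with_effect` turns that finding into a blocked deployment, which is the distinction question 23 is testing.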
25. You have a VNet with two subnets: SubnetA (web tier) and SubnetB (database tier). You need to allow web servers in SubnetA to connect to SQL Server port 1433 in SubnetB, but deny all other traffic to SubnetB. How should you configure this?
A. Apply an NSG on SubnetB allowing port 1433 from SubnetA and denying all other inbound traffic
B. Apply a route table on SubnetA directing traffic to SubnetB
C. Enable VNet peering between SubnetA and SubnetB
D. Configure Azure Firewall to allow port 1433
Explanation: The NSG on SubnetB should include an Allow rule for TCP port 1433 from SubnetA’s address range, plus a Deny All rule for all other inbound traffic with a higher priority number (lower precedence) than the Allow rule. NSG rules are processed in priority order (lower number = higher priority), and the first matching rule wins.
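The point of question 25 is the interaction between rule priority numbers and the default inbound rules every NSG carries (AllowVnetInBound at 65000, AllowAzureLoadBalancerInBound at 65001, DenyAllInBound at 65500). The following is an added example, not code from the original page or from Microsoft: a model of inbound NSG evaluation for the SubnetA/SubnetB scenario, walking rules in ascending priority number and stopping at the first match. The VNet and subnet prefixes are constructed; ‘VirtualNetwork’ is resolved to the whole VNet prefix and ‘AzureLoadBalancer’ to the platform probe address 168.63.129.16.

```python
"""
Added example (not from the original page): first-match evaluation of inbound
NSG rules in priority order, with the default rules Azure adds to every NSG.
Address ranges are constructed for the example.
"""
import ipaddress

VNET_PREFIX = "10.0.0.0/16"   # constructed VNet address space
SUBNET_A = "10.0.1.0/24"      # web tier
SUBNET_B = "10.0.2.0/24"      # database tier

# Service tags resolved to prefixes for this example (simplified).
SERVICE_TAGS = {
    "VirtualNetwork": [VNET_PREFIX],
    "AzureLoadBalancer": ["168.63.129.16/32"],   # Azure health-probe source
}

# Default inbound rules present in every NSG; custom rules sit above them.
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

# Custom rules for the NSG attached to SubnetB (the answer to question 25).
ALLOW_SQL_FROM_WEB = {"name": "Allow-SQL-From-SubnetA", "priority": 100, "access": "Allow",
                      "protocol": "Tcp", "sourceAddressPrefix": SUBNET_A, "destinationPortRange": "1433"}
DENY_ALL_OTHER = {"name": "Deny-All-Other-Inbound", "priority": 200, "access": "Deny",
                  "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"}

SUBNET_B_NSG = [ALLOW_SQL_FROM_WEB, DENY_ALL_OTHER, *DEFAULT_INBOUND]


def _prefix_match(prefix: str, ip: str) -> bool:
    """'*', a service tag, a CIDR, or a single address."""
    if prefix == "*":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False)
               for p in SERVICE_TAGS.get(prefix, [prefix]))


def _port_match(port_range: str, port: int) -> bool:
    """'*', a single port ('1433'), or a range ('1000-2000')."""
    if port_range == "*":
        return True
    low, _, high = port_range.partition("-")
    return int(low) <= port <= int(high or low)


def _protocol_match(rule_protocol: str, protocol: str) -> bool:
    return rule_protocol == "*" or rule_protocol.lower() == protocol.lower()


def evaluate_inbound(rules: list, src_ip: str, dst_port: int, protocol: str = "Tcp"):
    """Return (access, rule name) of the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if (_protocol_match(rule["protocol"], protocol)
                and _port_match(rule["destinationPortRange"], dst_port)
                and _prefix_match(rule["sourceAddressPrefix"], src_ip)):
            return rule["access"], rule["name"]
    return "Deny", "(no rule matched)"


if __name__ == "__main__":
    for src, port, proto in (("10.0.1.10", 1433, "Tcp"), ("10.0.1.10", 3389, "Tcp"),
                             ("10.0.3.7", 1433, "Tcp"), ("10.0.1.10", 1433, "Udp")):
        print(src, port, proto, "->", evaluate_inbound(SUBNET_B_NSG, src, port, proto))
    # Without the explicit deny, other VNet subnets fall through to AllowVnetInBound.
    print("no custom deny:", evaluate_inbound([ALLOW_SQL_FROM_WEB, *DEFAULT_INBOUND], "10.0.3.7", 3389))
```

Two failure modes are worth running: leaving out the explicit deny lets traffic from any other subnet in the VNet reach SubnetB through the default AllowVnetInBound rule, and giving the deny rule a lower number than the allow rule (say 50 instead of 200) blocks the SQL traffic as well, because the deny is then evaluated first.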
26. You need to scale a web application automatically based on CPU usage of the underlying VMs. The application is deployed on Azure Virtual Machine Scale Sets (VMSS). What should you configure?
A. Scheduled scaling in Azure Automation
B. Autoscale rules in Azure Monitor for the VMSS
C. Manual scale settings on each VM
D. Azure Load Balancer health probes
Explanation: Azure Monitor Autoscale for VMSS allows you to define scale-out rules (add VMs when CPU > threshold) and scale-in rules (remove VMs when CPU < threshold). It supports metric-based, schedule-based, and predictive scaling.
27. A storage account containing critical data has a ‘CanNotDelete’ resource lock applied. A developer tries to delete the storage account but is blocked. They then try to delete a blob container inside the account. What happens?
A. The blob container can be deleted; the lock only protects the storage account resource
B. The blob container cannot be deleted because the lock cascades to child resources
C. The developer needs Owner role to override the lock
D. The lock only applies to the resource group, not individual resources
Explanation: Resource locks cascade to all child resources. A ‘CanNotDelete’ lock on a storage account prevents deletion of the account AND all its child resources (containers, blobs). The lock applies to the entire resource hierarchy below the locked resource.
28. You need to provide your development team access to create and manage VMs in a specific resource group but prevent them from creating any networking resources. Which approach is most efficient?
A. Assign built-in ‘Virtual Machine Contributor’ role at the resource group scope
B. Assign ‘Contributor’ role and use Azure Policy to deny networking actions
C. Create a custom RBAC role with only VM permissions and assign at resource group scope
D. Assign ‘Owner’ role and train team not to create network resources
Explanation: The built-in ‘Virtual Machine Contributor’ role grants permissions to manage VMs (create, start, stop, delete) but does NOT include permissions to create virtual networks, NICs, or other networking resources. Assigning it at resource group scope limits the blast radius.