Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Microsoft · Free Practice Questions · Last reviewed May 2026

AZ-104 Exam Questions and Answers

30 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

50 exam questions
120 min time limit
Pass: 700/1000
5 exam domains

Domain 1: Manage Azure Identities and Governance

20% of exam · 6 sample questions below

Q1 · medium

Your company has an Azure subscription named Prod-Sub. You create a custom role that allows users to restart virtual machines but not create, delete, or resize them. You need to ensure that members of the VMOperators group can use this custom role only for virtual machines in the RG-Prod resource group. What should you do?

A

Assign the custom role to VMOperators at the subscription scope.

B

Assign the custom role to VMOperators at the RG-Prod scope.

This applies the permissions only to resources in the RG-Prod resource group and follows least privilege.

C

Assign the Virtual Machine Contributor role to VMOperators at the RG-Prod scope.

D

Assign the custom role to VMOperators at the management group scope.

Why: Option B is correct because assigning the custom role at the RG-Prod scope restricts the role's permissions to only the virtual machines within that specific resource group. This meets the requirement that VMOperators can restart VMs but not create, delete, or resize them, and only within RG-Prod.
Q2 · hard

Your organization assigns an Azure Policy at the Corp-MG management group to require the tag Environment on all newly created resources. A deployment to RG-App in the Prod-Sub subscription fails because the tag is missing. You need to allow this single deployment to proceed without weakening enforcement for the rest of the organization. What should you do?

A

Remove the policy assignment from Corp-MG.

B

Create a policy exemption at the Prod-Sub or RG-App scope.

A scoped exemption allows the deployment while preserving the broader governance model.

C

Change the policy effect from Deny to Audit for all assignments.

D

Move Prod-Sub out of Corp-MG.

Why: A policy exemption allows you to exclude a specific scope (like Prod-Sub or RG-App) from the enforcement of a policy assignment without modifying or removing the policy itself. This lets the single deployment proceed while maintaining the Deny effect for all other resources under Corp-MG. Exemptions can be created with an expiration date to ensure temporary relief does not become permanent.
Q3 · hard

A help desk team must be able to reset passwords for cloud users in Microsoft Entra ID, but they must not be able to create or delete users. Which built-in role should you assign?

A

Global Administrator

B

User Administrator

This aligns with the least-privilege requirement for user management tasks like password resets.

C

Reader

D

Billing Administrator

Why: The User Administrator role in Microsoft Entra ID (formerly Azure AD) grants permissions to reset passwords for cloud users, but explicitly excludes the ability to create or delete users. This makes it the correct choice for a help desk team that needs password reset capabilities without broader user management rights.
Q4 · easy

You need to assign the same RBAC role to 15 administrators so they can manage backups for several virtual machines. You want to minimize ongoing administrative effort when membership changes. What should you use?

A

A Microsoft Entra group and a single role assignment to the group.

This is the most scalable and maintainable approach.

B

A separate custom role assignment for each administrator.

C

A resource lock on every virtual machine.

D

A policy exemption for the administrators.

Why: Option A is correct because assigning a single RBAC role to a Microsoft Entra group allows you to manage permissions centrally. When membership changes, you only need to add or remove users from the group, and the role assignment automatically applies to the new members. This minimizes ongoing administrative effort compared to managing individual role assignments.
Q5 · medium

A storage account named stfinance01 contains critical data. Administrators must still be able to read and modify the data, but no one should be able to delete the storage account accidentally. What should you configure?

A

A CanNotDelete lock on stfinance01.

This prevents accidental deletion while allowing permitted write operations.

B

A ReadOnly lock on stfinance01.

C

A policy assignment that audits storage accounts.

D

An NSG rule denying outbound traffic from the subnet.

Why: A CanNotDelete lock on stfinance01 prevents the storage account from being deleted while still allowing administrators to read and modify data. This lock type blocks delete operations at the resource level, but does not restrict read or write access, which is exactly what the requirement specifies.
Q6 · medium

Your company has two subscriptions named Dev-Sub and Prod-Sub. A new administrator must be able to create resource groups only in Dev-Sub and must not have any permissions in Prod-Sub. What should you do?

A

Assign Contributor to the administrator at the management group scope.

B

Assign Contributor to the administrator at the Dev-Sub scope.

This limits the contributor permissions to Dev-Sub, which matches the requirement.

C

Assign Owner to the administrator at the resource group scope in Dev-Sub.

D

Assign Reader to the administrator at the Prod-Sub scope and Contributor at the tenant root group.

Why: Option B is correct because assigning the Contributor role at the Dev-Sub scope grants the administrator full permissions to create and manage resource groups within that subscription, while the role assignment is scoped exclusively to Dev-Sub, ensuring no permissions in Prod-Sub. Azure RBAC is hierarchical, so a role assigned at a subscription scope applies to all resource groups within it, but does not cross subscription boundaries. This meets the requirement of allowing resource group creation only in Dev-Sub with no access to Prod-Sub.


Domain 2: Implement and Manage Storage

15% of exam · 6 sample questions below

Q1 · hard

Your company stores departmental documents in an Azure file share. Users need to be able to recover previous versions of files that were deleted or modified accidentally. You need a solution that supports recovery at the file share level without deploying additional virtual machines. What should you configure?

A

Enable blob versioning.

B

Configure Azure File Sync cloud tiering.

C

Create share snapshots for the Azure file share.

Share snapshots provide point-in-time recovery for Azure Files without adding extra infrastructure.

D

Enable immutable blob storage.

Why: Option C is correct because Azure file share snapshots provide point-in-time, read-only copies of the entire file share, allowing users to recover previous versions of files that were deleted or modified accidentally. This feature operates at the file share level without requiring any additional virtual machines, making it a straightforward and cost-effective solution for version recovery.
Q2 · medium

A business-critical application uses an Azure storage account. The company requires that data remain available even if an entire Azure region becomes unavailable. Which redundancy option should you choose?

A

LRS

B

ZRS

C

GRS

D

GZRS

This best matches the requirement for both zone and region resilience.

Why: D (GZRS) is correct because it combines zone-redundant storage (ZRS) within a primary region with geo-redundant replication to a secondary region, ensuring data remains available even if an entire Azure region becomes unavailable. This meets the business-critical requirement for regional disaster recovery while maintaining high durability and availability.
Q3 · hard

A partner needs temporary read-only access to a single blob in a storage account for the next 24 hours. The partner must not be able to list other blobs or write data. What should you provide?

A

The storage account access key.

B

A service SAS scoped to the blob with read permission and an expiry time.

This is the least-privilege option for temporary, blob-specific access.

C

A private endpoint to the storage account.

D

Contributor access to the storage account.

Why: A service SAS scoped to a specific blob with read permission and an expiry time provides the exact temporary, read-only access required. It restricts access to only that blob, prevents listing other blobs, and automatically expires after 24 hours, meeting all security and functional requirements.
Q4 · medium

You have a storage account named stlogs01. An application running on VM-App01 in Azure must access blobs in the account without storing account keys in code or configuration files. What should you use?

A

A shared access signature stored in a text file on VM-App01.

B

The storage account access key hard-coded in the application.

C

A managed identity for VM-App01 and Azure RBAC on the storage account.

This removes secret storage and uses identity-based access.

D

Anonymous public access for the blob container.

Why: Option C is correct because using a managed identity for VM-App01 allows the application to authenticate to Azure Storage without storing any credentials in code or configuration files. The managed identity is automatically managed by Azure AD, and you grant it access to the blob container using Azure RBAC (e.g., the Storage Blob Data Contributor role). This eliminates the need for account keys or shared access signatures.
Q5 · medium

You need to grant an external partner temporary read access to a single blob in an Azure storage account without giving access to the account key. What should you create?

A

A storage account access key

B

A shared access signature (SAS)

A SAS provides scoped, time-limited access to the specific blob.

C

A resource lock

D

A private endpoint

Why: A shared access signature (SAS) is the correct solution because it provides delegated, time-limited access to a specific Azure storage resource (such as a single blob) without exposing the storage account key. You can configure the SAS with read-only permissions, an expiration time, and apply it to a specific blob URL, meeting the requirement for temporary external read access.
Q6 · medium

You have a storage account that stores infrequently accessed data that must remain available immediately when requested. You need to minimize storage costs. Which access tier should you use?

A

Premium

B

Hot

C

Cool

Cool is appropriate for infrequently accessed data that still needs immediate availability.

D

Archive

Why: The Cool access tier is designed for data that is infrequently accessed but still requires immediate availability when requested, offering lower storage costs than the Hot tier while maintaining low latency access. Since the data must remain available immediately, the Archive tier is unsuitable due to its multi-hour retrieval latency, and the Premium tier is optimized for high-performance scenarios, not cost minimization.


Domain 3: Deploy and Manage Azure Compute

20% of exam · 6 sample questions below

Q1 · medium

You need to deploy 20 identical Azure virtual machines that host the same web application. The solution must support automatic scale-out based on CPU usage and should minimize administrative overhead. What should you deploy?

A

20 individual virtual machines in the same resource group.

B

A Virtual Machine Scale Set.

VM Scale Sets provide a managed group of identical VMs with autoscaling support.

C

An availability set.

D

Azure Container Instances.

Why: A Virtual Machine Scale Set (VMSS) is the correct choice because it automates the deployment and management of identical VMs, supports autoscaling based on CPU usage metrics, and minimizes administrative overhead by handling VM creation, load balancing, and scaling policies as a single resource. This aligns with the requirement for 20 identical VMs with automatic scale-out based on CPU usage.
Q2 · hard

A virtual machine named VM-App01 hosts a critical internal application. You need to protect the VM so that it can be restored if the VM is deleted or corrupted. The solution must provide centralized backup management and retention policies. What should you use?

A

Azure Backup with a Recovery Services vault.

This provides centralized VM protection, retention policies, and restore capabilities.

B

Managed disk snapshots only.

C

Azure Site Recovery only.

D

Boot diagnostics.

Why: Azure Backup with a Recovery Services vault is the correct choice because it provides centralized backup management, configurable retention policies, and the ability to restore a VM even if it is deleted or corrupted. Unlike snapshots, Azure Backup stores backups in a separate vault, supports application-consistent backups via the Volume Shadow Copy Service (VSS), and offers long-term retention with backup policies.
Q3 · medium

You need to restore a deleted file from a backed-up Azure virtual machine without restoring the entire VM. Which Azure Backup capability should you use?

A

Cross-region restore

B

File Recovery

This is the feature designed for restoring specific files and folders.

C

Azure Site Recovery failover

D

Boot diagnostics

Why: Azure Backup's File Recovery capability allows you to mount the VM's recovery point as a drive on your local machine, enabling you to browse and restore individual files without restoring the entire VM. This is achieved by creating an iSCSI target from the recovery point snapshot, which you can connect to from a compatible OS. It is the correct choice for granular file-level recovery from a VM backup.
Q4 · medium

You deploy several Windows virtual machines and need to install Microsoft Antimalware on each VM without logging on manually. What should you use?

A

An NSG application security group.

B

A VM extension.

This is the standard mechanism for automated VM guest configuration tasks.

C

A route table.

D

A blob lifecycle rule.

Why: VM extensions are small applications that provide post-deployment configuration and automation tasks on Azure VMs. The Microsoft Antimalware extension can be deployed to multiple VMs at scale via Azure PowerShell, CLI, ARM templates, or policies, enabling silent installation without manual login.
Q5 · hard

Your company hosts an internal web app in Azure App Service. Access must be limited to users connecting from the corporate virtual network over private IP addresses only. What should you configure?

A

An App Service Environment only.

B

Access restrictions based on public IP ranges only.

C

A private endpoint for the web app.

This provides private access from the VNet using a private IP address.

D

A public load balancer in front of the web app.

Why: Option C is correct because a private endpoint assigns a private IP address from your virtual network to the web app, making it accessible only over the corporate network via private IPs. This ensures traffic never traverses the public internet, meeting the requirement for private IP-only access.
Q6 · medium

You plan to deploy two virtual machines that run the same line-of-business application. The VMs must remain available during planned maintenance of the Azure platform, but autoscaling is not required. What should you use?

A

A Virtual Machine Scale Set.

B

An availability set.

This is the classic fit for a small set of highly available VMs.

C

Azure Container Apps.

D

A private endpoint.

Why: An availability set ensures that VMs are distributed across multiple fault domains and update domains within an Azure datacenter. This protects against both hardware failures (fault domains) and planned Azure platform maintenance (update domains), as only one update domain is rebooted at a time. Since autoscaling is not required, an availability set is the correct choice for high availability during planned maintenance.


Domain 4: Implement and Manage Virtual Networking

20% of exam · 6 sample questions below

Q1 · medium

A network team wants all routers to send log messages to a centralized server at 192.0.2.50. Which command should be added to the router configuration?

A

snmp-server host 192.0.2.50

B

archive 192.0.2.50

C

ntp server 192.0.2.50

D

logging host 192.0.2.50

This is correct because `logging host` identifies the destination Syslog server.

Why: The correct command is 'logging host 192.0.2.50' because it configures the router to send syslog messages to a centralized syslog server at that IP address. Syslog is the standard protocol (UDP port 514) used by network devices for event logging, and the 'logging host' command directs the router to forward all configured logging levels to the specified server.
Q2 · hard

Which statement best explains the value of enabling both centralized logging and strong access controls on network devices?

A

Access controls reduce unauthorized use, and centralized logging improves visibility and investigation.

This is correct because the two controls complement each other by combining prevention and monitoring.

B

Both features do the exact same job, so using both is redundant.

C

Centralized logging removes the need for any authentication.

D

Strong access control makes log timestamps irrelevant.

Why: Enabling centralized logging (e.g., syslog) on network devices provides a single, tamper-evident repository for all device events, which is critical for post-incident forensic analysis and compliance auditing. Strong access controls (e.g., RBAC, ACLs, 802.1X) directly prevent unauthorized configuration changes and network access, reducing the attack surface. Together, they form a defense-in-depth strategy: access controls block threats, while centralized logging captures evidence of any attempts or breaches for investigation.
Q3 · medium

Which statement best explains why centralized logging is valuable in security operations?

A

It improves visibility by collecting events from multiple devices in one place for review and investigation.

This is correct because centralized collection is the main value of centralized logging.

B

It guarantees that no unauthorized action can occur.

C

It replaces the need for NTP and authentication.

D

It automatically assigns IP addresses to monitoring systems.

Why: Centralized logging aggregates security events (e.g., Windows Event Log, syslog, Azure Activity Log) from multiple sources into a single repository like Azure Log Analytics or a SIEM. This consolidation enables security analysts to correlate events across devices, detect patterns indicative of attacks, and perform efficient forensic investigations without needing to access each device individually.
Q4 · medium

Why is centralized logging especially helpful during incident investigation?

A

It helps investigators analyze related events from multiple devices in one place.

This is correct because centralized collection improves visibility and correlation.

B

It guarantees that no attack can ever succeed.

C

It replaces the need for access control.

D

It forces all devices to use the same VLAN.

Why: Centralized logging aggregates logs from multiple sources (servers, firewalls, applications) into a single repository, enabling investigators to correlate events across devices during an incident. This eliminates the need to manually access each device's local logs, speeding up root cause analysis and providing a unified timeline of activities.
Q5 · medium

Why is centralized logging especially useful during security investigations?

A

It makes related events from multiple devices easier to review and correlate.

This is correct because centralized visibility is the main investigative benefit.

B

It guarantees that attacks cannot succeed.

C

It replaces the need for authentication and authorization.

D

It forces all devices to use the same VLAN.

Why: Centralized logging aggregates logs from multiple sources (e.g., firewalls, servers, Azure Network Watcher) into a single repository, such as Azure Log Analytics. During security investigations, this enables security analysts to correlate events across devices (e.g., matching a suspicious IP address in firewall logs with authentication failures in domain controller logs) without manually connecting to each device. This correlation is critical for reconstructing attack timelines and identifying lateral movement, which is impossible with siloed logs.
Q6 · medium

Why is centralized logging valuable during security incident response?

A

It makes related events from many devices easier to collect and correlate.

This is correct because centralized visibility is the main investigative benefit.

B

It guarantees that attacks cannot succeed.

C

It replaces access control mechanisms.

D

It forces all systems to use one VLAN.

Why: Centralized logging aggregates logs from multiple sources (e.g., Azure VMs, network security groups, Azure Firewall) into a single repository like Azure Log Analytics or Azure Sentinel. This correlation enables security analysts to identify patterns across devices, such as a chain of events from an initial breach to lateral movement, which is critical for incident response. Without centralization, manually correlating timestamps and log formats from disparate systems would be impractical during an active attack.


Domain 5: Monitor and Maintain Azure Resources

25% of exam · 6 sample questions below

Q1 · medium

You need to be notified whenever the average CPU usage of VM-App01 exceeds 80 percent for 10 minutes. The solution must send an email to the operations team automatically. What should you configure?

A

Create an Azure Monitor metric alert and link it to an action group.

This is the standard way to send automated notifications based on CPU thresholds.

B

Create an Azure Advisor recommendation alert.

C

Create an activity log alert for the virtual machine.

D

Create a subscription budget alert.

Why: Option A is correct because Azure Monitor metric alerts can evaluate performance counters like CPU usage over a specified time window (e.g., 10 minutes) and trigger an action group when the threshold (80%) is exceeded. The action group can be configured with an email notification to the operations team, meeting the requirement automatically.
Q2 · hard

Your company wants to query performance and event data from multiple Azure virtual machines by using Kusto Query Language. The operations team also wants to centralize retention and analysis of this data. What should you deploy?

A

A Log Analytics workspace.

This provides centralized collection, retention, and KQL-based querying for Azure Monitor Logs.

B

Azure Advisor.

C

Azure Network Watcher only.

D

A network security group.

Why: A Log Analytics workspace is the correct choice because it is the central repository in Azure Monitor for collecting telemetry and log data from Azure virtual machines. It supports Kusto Query Language (KQL) for querying performance and event data, and it provides centralized retention, analysis, and alerting capabilities, meeting both requirements.
Q3 · hard

You need to retain Azure Firewall logs for long-term analysis in a Log Analytics workspace and also archive them in a storage account for compliance. What should you configure on the Azure Firewall resource?

A

Diagnostic settings

This is the Azure-native mechanism for routing logs and metrics to monitoring destinations.

B

A resource lock

C

An availability set

D

A VNet peering connection

Why: Diagnostic settings on the Azure Firewall resource allow you to stream platform logs and metrics to a Log Analytics workspace for long-term analysis and to a storage account for archival and compliance. This is the only configuration that simultaneously supports both destinations for the firewall's log data.
Q4 · medium

You need to notify the security team whenever anyone deletes a resource group in the subscription. Which alert type should you configure?

A

A metric alert on CPU percentage

B

A budget alert

C

An activity log alert

This targets Azure control-plane events such as deletions.

D

A log alert based only on guest OS event logs

Why: Option C is correct because an activity log alert monitors subscription-level events recorded in the Azure Activity Log, including resource group deletion operations. When a user deletes a resource group, the 'Microsoft.Resources/subscriptions/resourceGroups/delete' operation is logged, and an activity log alert can be configured to trigger on that specific operation, sending notifications to the security team.
Q5 · hard

Your operations team needs to run Kusto queries across collected sign-in logs, VM performance counters, and Azure Activity Log data in a central location. What should you deploy?

A

A Log Analytics workspace

This is the service designed for centralized log retention and KQL-based analysis.

B

An availability zone

C

A NAT gateway

D

A standard public IP address

Why: A Log Analytics workspace is the central repository in Azure that ingests and stores diagnostic data from multiple sources, including sign-in logs (Azure AD), VM performance counters (Azure Monitor for VMs), and Azure Activity Logs. It supports Kusto Query Language (KQL) for running complex queries across all collected data, making it the correct choice for this requirement.
Q6 · medium

A Virtual Machine Scale Set must add instances automatically when average CPU usage is above 75 percent and remove instances when CPU drops below 30 percent. Which feature should you configure?

A

Autoscale rules in Azure Monitor

This directly implements metric-based scaling logic for the VM Scale Set.

B

A Recovery Services vault policy

C

Boot diagnostics

D

Azure Advisor only

Why: Autoscale rules in Azure Monitor allow you to define conditions for automatically scaling a Virtual Machine Scale Set (VMSS) based on metrics like average CPU usage. You can set a scale-out rule to add instances when CPU exceeds 75% and a scale-in rule to remove instances when CPU drops below 30%, with a cool-down period to prevent flapping. This is the native Azure feature designed for such metric-based auto-scaling scenarios.


Frequently asked questions

How many questions are on the AZ-104 exam?

The AZ-104 exam has 50 questions and must be completed in 120 minutes. The passing score is 700/1000.

What types of questions appear on the AZ-104 exam?

Scenario questions on Azure administration covering identities, governance, storage, compute, networking, and monitoring using Azure portal and CLI. Some questions are performance-based (PBQs), asking you to complete tasks in a simulated environment.

How are AZ-104 questions organised by domain?

The exam covers 5 domains: Manage Azure Identities and Governance, Implement and Manage Storage, Deploy and Manage Azure Compute, Implement and Manage Virtual Networking, Monitor and Maintain Azure Resources. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual AZ-104 exam questions?

No. These are original exam-style practice questions written against the official Microsoft AZ-104 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
