Microsoft · Free Practice Questions · Last reviewed May 2026

AZ-104 Exam Questions and Answers

30 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

110 exam questions · 120 min time limit · Pass at 700/1000 · 5 exam domains

Domain 1: Manage Azure Identities and Governance

20% of exam · 6 sample questions below

Your company has an Azure subscription named Prod-Sub. You create a custom role that allows users to restart virtual machines but not create, delete, or resize them. You need to ensure that members of the VMOperators group can use this custom role only for virtual machines in the RG-Prod resource group. What should you do?

A. Assign the custom role to VMOperators at the subscription scope.
B. Assign the custom role to VMOperators at the RG-Prod scope. (correct)
   This applies the permissions only to resources in the RG-Prod resource group and follows least privilege.
C. Assign the Virtual Machine Contributor role to VMOperators at the RG-Prod scope.
D. Assign the custom role to VMOperators at the management group scope.

Why: Azure RBAC permissions are assigned at a scope and inherited by child resources. Assigning the custom role at the RG-Prod resource group scope grants the required permissions only within that resource group. Assigning at the subscription or management group scope would grant broader access than required, while Virtual Machine Contributor would provide more permissions than necessary.

Your organization assigns an Azure Policy at the Corp-MG management group to require the tag Environment on all newly created resources. A deployment to RG-App in the Prod-Sub subscription fails because the tag is missing. You need to allow this single deployment to proceed without weakening enforcement for the rest of the organization. What should you do?

A. Remove the policy assignment from Corp-MG.
B. Create a policy exemption at the Prod-Sub or RG-App scope. (correct)
   A scoped exemption allows the deployment while preserving the broader governance model.
C. Change the policy effect from Deny to Audit for all assignments.
D. Move Prod-Sub out of Corp-MG.

Why: A policy exemption is the correct way to allow a scoped exception while preserving the existing policy assignment and enforcement elsewhere. Removing the assignment or changing the effect to Audit would weaken governance more broadly than necessary. Moving the subscription out of the management group is an excessive administrative change for a single exception.

A help desk team must be able to reset passwords for cloud users in Microsoft Entra ID, but they must not be able to create or delete users. Which built-in role should you assign?

A. Global Administrator
B. User Administrator (correct)
   This aligns with the least-privilege requirement for user management tasks like password resets.
C. Reader
D. Billing Administrator

Why: User Administrator can manage users and groups, including password resets, without the broad privileges of Global Administrator. Reader has no write permissions, and Billing Administrator is unrelated.

You need to assign the same RBAC role to 15 administrators so they can manage backups for several virtual machines. You want to minimize ongoing administrative effort when membership changes. What should you use?

A. A Microsoft Entra group and a single role assignment to the group. (correct)
   This is the most scalable and maintainable approach.
B. A separate custom role assignment for each administrator.
C. A resource lock on every virtual machine.
D. A policy exemption for the administrators.

Why: Assigning the role to a Microsoft Entra group centralizes membership management. When users join or leave the group, access changes automatically without editing multiple role assignments.

A storage account named stfinance01 contains critical data. Administrators must still be able to read and modify the data, but no one should be able to delete the storage account accidentally. What should you configure?

A. A CanNotDelete lock on stfinance01. (correct)
   This prevents accidental deletion while allowing permitted write operations.
B. A ReadOnly lock on stfinance01.
C. A policy assignment that audits storage accounts.
D. An NSG rule denying outbound traffic from the subnet.

Why: A CanNotDelete lock prevents deletion of the resource while still allowing authorized changes such as data access and configuration updates. A ReadOnly lock would block management changes, and Azure Policy in Audit mode would not prevent deletion.

Your company has two subscriptions named Dev-Sub and Prod-Sub. A new administrator must be able to create resource groups only in Dev-Sub and must not have any permissions in Prod-Sub. What should you do?

A. Assign Contributor to the administrator at the management group scope.
B. Assign Contributor to the administrator at the Dev-Sub scope. (correct)
   This limits the contributor permissions to Dev-Sub, which matches the requirement.
C. Assign Owner to the administrator at the resource group scope in Dev-Sub.
D. Assign Reader to the administrator at the Prod-Sub scope and Contributor at the tenant root group.

Why: Assigning the Contributor role at the Dev-Sub subscription scope grants the ability to create and manage resource groups and other resources in that subscription only. Assigning roles at a management group or tenant root scope would be broader than required, while Reader in Prod-Sub plus Contributor at tenant root would still grant excessive permissions.

Domain 2: Implement and Manage Storage

15% of exam · 6 sample questions below

Your company stores departmental documents in an Azure file share. Users need to be able to recover previous versions of files that were deleted or modified accidentally. You need a solution that supports recovery at the file share level without deploying additional virtual machines. What should you configure?

A. Enable blob versioning.
B. Configure Azure File Sync cloud tiering.
C. Create share snapshots for the Azure file share. (correct)
   Share snapshots provide point-in-time recovery for Azure Files without adding extra infrastructure.
D. Enable immutable blob storage.

Why: Share snapshots for Azure Files provide point-in-time copies of the file share and support recovery of files and folders. Blob versioning and immutable blob storage apply to blob storage rather than Azure Files. Azure File Sync cloud tiering optimizes storage usage and caching but does not provide the required recovery mechanism by itself.

A business-critical application uses an Azure storage account. The company requires that data remain available even if an entire Azure region becomes unavailable. Which redundancy option should you choose?

A. LRS
B. ZRS
C. GRS
D. GZRS (correct)
   This best matches the requirement for both zone and region resilience.

Why: GZRS replicates data synchronously across availability zones in the primary region and asynchronously to a secondary region, giving both zonal resilience and regional disaster protection. LRS and ZRS do not provide secondary-region copies, while GRS lacks the same zonal protection in the primary region.

A partner needs temporary read-only access to a single blob in a storage account for the next 24 hours. The partner must not be able to list other blobs or write data. What should you provide?

A. The storage account access key.
B. A service SAS scoped to the blob with read permission and an expiry time. (correct)
   This is the least-privilege option for temporary, blob-specific access.
C. A private endpoint to the storage account.
D. Contributor access to the storage account.

Why: A service SAS can be scoped narrowly to a specific blob, permission set, and expiry time. This provides least-privilege temporary access. Account keys and Contributor access are far too broad, while a private endpoint changes network access rather than granting time-bound permissions.

You have a storage account named stlogs01. An application running on VM-App01 in Azure must access blobs in the account without storing account keys in code or configuration files. What should you use?

A. A shared access signature stored in a text file on VM-App01.
B. The storage account access key hard-coded in the application.
C. A managed identity for VM-App01 and Azure RBAC on the storage account. (correct)
   This removes secret storage and uses identity-based access.
D. Anonymous public access for the blob container.

Why: A managed identity allows the VM-hosted application to obtain tokens from Microsoft Entra ID and access Azure Storage through RBAC without storing secrets. Hard-coded keys and local SAS storage increase secret-management risk, while anonymous access is insecure and inappropriate.

You need to grant an external partner temporary read access to a single blob in an Azure storage account without giving access to the account key. What should you create?

A. A storage account access key
B. A shared access signature (SAS) (correct)
   A SAS provides scoped, time-limited access to the specific blob.
C. A resource lock
D. A private endpoint

Why: A shared access signature (SAS) can delegate limited permissions to a specific blob for a defined time period. Sharing account keys would be overly permissive, and RBAC may not be practical for an external partner needing temporary access to one object.

You have an application that writes heavily to Azure-managed disks and requires the highest consistent IOPS and lowest latency. Which disk type should you choose?

A. Standard HDD
B. Standard SSD
C. Premium SSD v2 (correct)
   Premium SSD v2 is optimized for high IOPS and low latency workloads.
D. Archive storage

Why: Premium SSD v2 is designed for high-performance disk workloads with configurable IOPS and throughput. Standard HDD and Standard SSD are lower-cost options with lower performance characteristics.

Domain 3: Deploy and Manage Azure Compute

20% of exam · 6 sample questions below

You need to deploy 20 identical Azure virtual machines that host the same web application. The solution must support automatic scale-out based on CPU usage and should minimize administrative overhead. What should you deploy?

A. 20 individual virtual machines in the same resource group.
B. A Virtual Machine Scale Set. (correct)
   VM Scale Sets provide a managed group of identical VMs with autoscaling support.
C. An availability set.
D. Azure Container Instances.

Why: Virtual Machine Scale Sets are designed to deploy and manage a group of identical VMs and support autoscaling based on metrics such as CPU. Individual VMs do not provide native group autoscaling, availability sets improve fault tolerance but not scaling, and Azure Container Instances are not a drop-in replacement for managing a fleet of identical VMs in this scenario.

A virtual machine named VM-App01 hosts a critical internal application. You need to protect the VM so that it can be restored if the VM is deleted or corrupted. The solution must provide centralized backup management and retention policies. What should you use?

A. Azure Backup with a Recovery Services vault. (correct)
   This provides centralized VM protection, retention policies, and restore capabilities.
B. Managed disk snapshots only.
C. Azure Site Recovery only.
D. Boot diagnostics.

Why: Azure Backup with a Recovery Services vault is the standard Azure-native solution for centrally protecting virtual machines with retention and restore capabilities. Managed disk snapshots are useful for point-in-time copies but are not the best centralized backup and retention solution. Azure Site Recovery is primarily for disaster recovery and replication, while boot diagnostics is used for troubleshooting startup issues.

You need to restore a deleted file from a backed-up Azure virtual machine without restoring the entire VM. Which Azure Backup capability should you use?

A. Cross-region restore
B. File Recovery (correct)
   This is the feature designed for restoring specific files and folders.
C. Azure Site Recovery failover
D. Boot diagnostics

Why: Azure Backup File Recovery allows individual files and folders to be restored from VM backups without performing a full VM restore. Cross-region restore is about region-level recovery, Site Recovery is for disaster recovery replication, and boot diagnostics is for troubleshooting startup issues.

You deploy several Windows virtual machines and need to install Microsoft Antimalware on each VM without logging on manually. What should you use?

A. An NSG application security group.
B. A VM extension. (correct)
   This is the standard mechanism for automated VM guest configuration tasks.
C. A route table.
D. A blob lifecycle rule.

Why: VM extensions are used to automate post-deployment configuration tasks such as installing software, running scripts, or enabling monitoring agents. NSGs and route tables are networking controls, and lifecycle rules apply to storage.

Your company hosts an internal web app in Azure App Service. Access must be limited to users connecting from the corporate virtual network over private IP addresses only. What should you configure?

A. An App Service Environment only.
B. Access restrictions based on public IP ranges only.
C. A private endpoint for the web app. (correct)
   This provides private access from the VNet using a private IP address.
D. A public load balancer in front of the web app.

Why: A private endpoint enables private IP-based access to the App Service from the virtual network. Access restrictions using public IPs can reduce exposure but do not provide private-only access. A public load balancer would not make the app private.

You plan to deploy two virtual machines that run the same line-of-business application. The VMs must remain available during planned maintenance of the Azure platform, but autoscaling is not required. What should you use?

A. A Virtual Machine Scale Set.
B. An availability set. (correct)
   This is the classic fit for a small set of highly available VMs.
C. Azure Container Apps.
D. A private endpoint.

Why: An availability set distributes VMs across update domains and fault domains to improve availability during platform maintenance and localized failures. A scale set is not necessary when you only need a small fixed number of VMs without autoscaling.

Domain 4: Implement and Manage Virtual Networking

20% of exam · 6 sample questions below

A network team wants all routers to send log messages to a centralized server at 192.0.2.50. Which command should be added to the router configuration?

A. `snmp-server host 192.0.2.50`
B. `archive 192.0.2.50`
C. `ntp server 192.0.2.50`
D. `logging host 192.0.2.50` (correct)
   This is correct because `logging host` identifies the destination Syslog server.

Why: The requirement is about centralized log collection, which points directly to Syslog. In plain language, the router needs to know where to send its event messages, warnings, and errors. The `logging host 192.0.2.50` command tells the device the IP address of the remote Syslog server. Once that is in place, the router can forward log messages to that system for centralized review, alerting, and troubleshooting. The other options relate to different services. NTP is for time synchronization, SNMP is for management and monitoring, and archive is associated with configuration archiving rather than standard Syslog event delivery.

Which statement best explains the value of enabling both centralized logging and strong access controls on network devices?

A. Access controls reduce unauthorized use, and centralized logging improves visibility and investigation. (correct)
   This is correct because the two controls complement each other by combining prevention and monitoring.
B. Both features do the exact same job, so using both is redundant.
C. Centralized logging removes the need for any authentication.
D. Strong access control makes log timestamps irrelevant.

Why: The value comes from combining prevention with visibility. In plain language, strong access controls help reduce the chance of unauthorized use, while centralized logging helps administrators see what is happening and investigate events later. One reduces risk directly, and the other improves detection, auditing, and response. Together, they create a stronger operational security posture than either one alone. This is a conceptual but practical question. Good security does not depend only on stopping bad actions; it also depends on being able to observe and analyze what happened. That is why the best answer emphasizes both protection and visibility.

Which statement best explains why centralized logging is valuable in security operations?

A. It improves visibility by collecting events from multiple devices in one place for review and investigation. (correct)
   This is correct because centralized collection is the main value of centralized logging.
B. It guarantees that no unauthorized action can occur.
C. It replaces the need for NTP and authentication.
D. It automatically assigns IP addresses to monitoring systems.

Why: Centralized logging is valuable because it brings messages from many devices into one place for review, correlation, and investigation. In plain language, instead of checking each router, switch, firewall, or controller separately, the team can analyze events centrally and more easily see patterns or timelines across the environment. That improves visibility and response. This does not replace access control or encryption, but it complements them by improving monitoring and investigation. The correct answer is the one centered on centralized visibility.

Why is centralized logging especially helpful during incident investigation?

A. It helps investigators analyze related events from multiple devices in one place. (correct)
   This is correct because centralized collection improves visibility and correlation.
B. It guarantees that no attack can ever succeed.
C. It replaces the need for access control.
D. It forces all devices to use the same VLAN.

Why: Centralized logging is especially helpful because it collects evidence from multiple devices into one place, making timelines and cross-device patterns easier to analyze. In plain language, instead of checking each device one at a time, investigators can review related events together and understand what happened more quickly. This does not mean centralized logs prevent every incident, but they significantly improve visibility and post-event analysis. The correct answer is the one focused on better investigation and correlation.

Why is centralized logging especially useful during security investigations?

A. It makes related events from multiple devices easier to review and correlate. (correct)
   This is correct because centralized visibility is the main investigative benefit.
B. It guarantees that attacks cannot succeed.
C. It replaces the need for authentication and authorization.
D. It forces all devices to use the same VLAN.

Why: Centralized logging is useful because it lets investigators review related events from many devices in one place. In practical terms, that makes it easier to reconstruct timelines, identify patterns, and correlate activity across routers, switches, firewalls, and other systems. Without centralization, analysts have to check many separate devices and manually stitch the story together. This does not guarantee prevention of attacks, but it significantly improves visibility and incident response.

Why is centralized logging valuable during security incident response?

A. It makes related events from many devices easier to collect and correlate. (correct)
   This is correct because centralized visibility is the main investigative benefit.
B. It guarantees that attacks cannot succeed.
C. It replaces access control mechanisms.
D. It forces all systems to use one VLAN.

Why: Centralized logging is valuable because it lets analysts collect and review related evidence from many devices in one place. In practical terms, that makes it easier to correlate timelines, identify patterns, and reconstruct what happened across the environment. Without centralized logs, the responder has to piece the story together manually from many separate devices. This does not stop incidents by itself, but it greatly improves visibility and investigation quality.

Domain 5: Monitor and Maintain Azure Resources

25% of exam · 6 sample questions below

You need to be notified whenever the average CPU usage of VM-App01 exceeds 80 percent for 10 minutes. The solution must send an email to the operations team automatically. What should you configure?

A. Create an Azure Monitor metric alert and link it to an action group. (correct)
   This is the standard way to send automated notifications based on CPU thresholds.
B. Create an Azure Advisor recommendation alert.
C. Create an activity log alert for the virtual machine.
D. Create a subscription budget alert.

Why: An Azure Monitor metric alert can evaluate VM CPU metrics against a threshold and trigger an action group to send notifications such as email. Azure Advisor provides recommendations rather than real-time threshold alerting, activity log alerts focus on control-plane events, and a budget alert is for cost monitoring.

Your company wants to query performance and event data from multiple Azure virtual machines by using Kusto Query Language. The operations team also wants to centralize retention and analysis of this data. What should you deploy?

A. A Log Analytics workspace. (correct)
   This provides centralized collection, retention, and KQL-based querying for Azure Monitor Logs.
B. Azure Advisor.
C. Azure Network Watcher only.
D. A network security group.

Why: A Log Analytics workspace is the central data store used by Azure Monitor Logs and supports Kusto Query Language for querying collected log and performance data. Azure Advisor is not a log repository, Network Watcher focuses on network diagnostics, and an NSG is a traffic-filtering control rather than a logging analytics platform.

You need to retain Azure Firewall logs for long-term analysis in a Log Analytics workspace and also archive them in a storage account for compliance. What should you configure on the Azure Firewall resource?

A. Diagnostic settings (correct)
   This is the Azure-native mechanism for routing logs and metrics to monitoring destinations.
B. A resource lock
C. An availability set
D. A VNet peering connection

Why: Diagnostic settings allow supported Azure resources to send logs and metrics to destinations such as Log Analytics, Event Hubs, and storage accounts. The other choices do not provide telemetry export.

You need to notify the security team whenever anyone deletes a resource group in the subscription. Which alert type should you configure?

A. A metric alert on CPU percentage
B. A budget alert
C. An activity log alert (correct)
   This targets Azure control-plane events such as deletions.
D. A log alert based only on guest OS event logs

Why: Deleting a resource group is a control-plane operation recorded in the Azure Activity Log. An activity log alert is the correct way to notify on that type of administrative event.

Your operations team needs to run Kusto queries across collected sign-in logs, VM performance counters, and Azure Activity Log data in a central location. What should you deploy?

A. A Log Analytics workspace (correct)
   This is the service designed for centralized log retention and KQL-based analysis.
B. An availability zone
C. A NAT gateway
D. A standard public IP address

Why: A Log Analytics workspace is the central repository and query engine for Azure Monitor Logs, including data from multiple Azure sources that can be queried with Kusto Query Language.

A Virtual Machine Scale Set must add instances automatically when average CPU usage is above 75 percent and remove instances when CPU drops below 30 percent. Which feature should you configure?

A. Autoscale rules in Azure Monitor (correct)
   This directly implements metric-based scaling logic for the VM Scale Set.
B. A Recovery Services vault policy
C. Boot diagnostics
D. Azure Advisor only

Why: Autoscale rules in Azure Monitor can increase or decrease the instance count of supported resources such as VM Scale Sets based on metrics like CPU usage. The other options do not control scale behavior.

Frequently asked questions

How many questions are on the AZ-104 exam?

The AZ-104 exam has up to 110 questions and must be completed in 120 minutes. The passing score is 700/1000.

What types of questions appear on the AZ-104 exam?

The AZ-104 exam uses multiple-choice, multiple-select, drag-and-drop, and exhibit-based questions. Exhibit questions show CLI output, network diagrams, or routing tables and ask you to interpret them — exactly the format Courseiva uses.

How are AZ-104 questions organised by domain?

The exam covers 5 domains: Manage Azure Identities and Governance, Implement and Manage Storage, Deploy and Manage Azure Compute, Implement and Manage Virtual Networking, Monitor and Maintain Azure Resources. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual AZ-104 exam questions?

No. These are original exam-style practice questions written against the official Microsoft AZ-104 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.

Ready to practice all 110 AZ-104 questions?

Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.