Reinforce AZ-104 concepts with active-recall study cards covering all 5 blueprint domains. Each card shows the question on the front and the correct answer with a full explanation on the back.
Flashcards work through active recall — the process of retrieving information from memory rather than passively re-reading it. Research consistently shows that active recall produces stronger, longer-lasting memory than re-reading study guides. For AZ-104 preparation, this means flashcards are one of the highest-return study tools available.
Attempt recall first
Read the AZ-104 question on each card, pause, and attempt to formulate the answer in your own words before revealing. This retrieval attempt — even if wrong — dramatically strengthens memory compared to immediately reading the answer.
Review wrong cards again
When you get a card wrong, note it and add it back to your review pile. Spaced repetition — seeing difficult cards more frequently — is the mechanism that makes flashcard study far more efficient than linear reading.
Study by domain
Group your AZ-104 flashcard sessions by domain for the first 3–4 weeks. Master one domain before moving to the next. In the final week, shuffle all cards together to test cross-domain recall — which is what the real AZ-104 exam requires.
Short sessions beat marathon reviews
20–30 flashcard cards per session, done daily, produces better retention than a single 200-card marathon session. Five short daily sessions per week over 4 weeks gives you over 400 total card reviews — enough to reliably pass AZ-104.
Sample cards from the AZ-104 flashcard bank. Read the question, think of the answer, then read the explanation below.
Your company has an Azure subscription named Prod-Sub. You create a custom role that allows users to restart virtual machines but not create, delete, or resize them. You need to ensure that members of the VMOperators group can use this custom role only for virtual machines in the RG-Prod resource group. What should you do?
Assign the custom role to VMOperators at the RG-Prod scope.
Option B is correct because assigning the custom role at the RG-Prod scope restricts the role's permissions to only the virtual machines within that specific resource group. This meets the requirement that VMOperators can restart VMs but not create, delete, or resize them, and only within RG-Prod.
Your organization assigns an Azure Policy at the Corp-MG management group to require the tag Environment on all newly created resources. A deployment to RG-App in the Prod-Sub subscription fails because the tag is missing. You need to allow this single deployment to proceed without weakening enforcement for the rest of the organization. What should you do?
Create a policy exemption at the Prod-Sub or RG-App scope.
A policy exemption allows you to exclude a specific scope (like Prod-Sub or RG-App) from the enforcement of a policy assignment without modifying or removing the policy itself. This lets the single deployment proceed while maintaining the Deny effect for all other resources under Corp-MG. Exemptions can be created with an expiration date to ensure temporary relief does not become permanent.
A help desk team must be able to reset passwords for cloud users in Microsoft Entra ID, but they must not be able to create or delete users. Which built-in role should you assign?
User Administrator
The User Administrator role in Microsoft Entra ID (formerly Azure AD) grants permissions to reset passwords for cloud users, but explicitly excludes the ability to create or delete users. This makes it the correct choice for a help desk team that needs password reset capabilities without broader user management rights.
Your company stores departmental documents in an Azure file share. Users need to be able to recover previous versions of files that were deleted or modified accidentally. You need a solution that supports recovery at the file share level without deploying additional virtual machines. What should you configure?
Create share snapshots for the Azure file share.
Option C is correct because Azure file share snapshots provide point-in-time, read-only copies of the entire file share, allowing users to recover previous versions of files that were deleted or modified accidentally. This feature operates at the file share level without requiring any additional virtual machines, making it a straightforward and cost-effective solution for version recovery.
A business-critical application uses an Azure storage account. The company requires that data remain available even if an entire Azure region becomes unavailable. Which redundancy option should you choose?
GZRS
D (GZRS) is correct because it combines zone-redundant storage (ZRS) within a primary region with geo-redundant replication to a secondary region, ensuring data remains available even if an entire Azure region becomes unavailable. This meets the business-critical requirement for regional disaster recovery while maintaining high durability and availability.
You need to deploy 20 identical Azure virtual machines that host the same web application. The solution must support automatic scale-out based on CPU usage and should minimize administrative overhead. What should you deploy?
A Virtual Machine Scale Set.
A Virtual Machine Scale Set (VMSS) is the correct choice because it automates the deployment and management of identical VMs, supports autoscaling based on CPU usage metrics, and minimizes administrative overhead by handling VM creation, load balancing, and scaling policies as a single resource. This aligns with the requirement for 20 identical VMs with automatic scale-out based on CPU usage.
A virtual machine named VM-App01 hosts a critical internal application. You need to protect the VM so that it can be restored if the VM is deleted or corrupted. The solution must provide centralized backup management and retention policies. What should you use?
Azure Backup with a Recovery Services vault.
Azure Backup with a Recovery Services vault is the correct choice because it provides centralized backup management, configurable retention policies, and the ability to restore a VM even if it is deleted or corrupted. Unlike snapshots, Azure Backup stores backups in a separate vault, supports application-consistent backups via the Volume Shadow Copy Service (VSS), and offers long-term retention with backup policies.
You need to restore a deleted file from a backed-up Azure virtual machine without restoring the entire VM. Which Azure Backup capability should you use?
File Recovery
Azure Backup's File Recovery capability allows you to mount the VM's recovery point as a drive on your local machine, enabling you to browse and restore individual files without restoring the entire VM. This is achieved by creating an iSCSI target from the recovery point snapshot, which you can connect to from a compatible OS. It is the correct choice for granular file-level recovery from a VM backup.
A network team wants to send diagnostic logs from an Azure VPN gateway to a Log Analytics workspace. Which command should be used to configure this?
New-AzDiagnosticSetting -ResourceId $gw.Id -WorkspaceId $ws.Id
The correct command is 'New-AzDiagnosticSetting -ResourceId $gw.Id -WorkspaceId $ws.Id' (option B) because it creates a diagnostic setting for the specified Azure resource (VPN gateway) to stream logs to the specified Log Analytics workspace. This is the Azure-native way to forward logs to a centralized monitoring solution. Option D, 'Add-AzLogAnalyticsSolution', adds a management solution (like VPN Gateway solution) to a workspace, but it does not configure diagnostic logging from a specific resource; it only enables log collection for the solution type if logs are already flowing. Therefore, option B is the correct approach.
Which statement best explains the value of enabling both centralized logging and strong access controls on network devices?
Access controls reduce unauthorized use, and centralized logging improves visibility and investigation.
Enabling centralized logging (e.g., syslog) on network devices provides a single, tamper-evident repository for all device events, which is critical for post-incident forensic analysis and compliance auditing. Strong access controls (e.g., RBAC, ACLs, 802.1X) directly prevent unauthorized configuration changes and network access, reducing the attack surface. Together, they form a defense-in-depth strategy: access controls block threats, while centralized logging captures evidence of any attempts or breaches for investigation.
Which statement best explains why centralized logging is valuable in security operations?
It improves visibility by collecting events from multiple devices in one place for review and investigation.
Centralized logging aggregates security events (e.g., Windows Event Log, syslog, Azure Activity Log) from multiple sources into a single repository like Azure Log Analytics or a SIEM. This consolidation enables security analysts to correlate events across devices, detect patterns indicative of attacks, and perform efficient forensic investigations without needing to access each device individually.
You need to be notified whenever the average CPU usage of VM-App01 exceeds 80 percent for 10 minutes. The solution must send an email to the operations team automatically. What should you configure?
Create an Azure Monitor metric alert and link it to an action group.
Option A is correct because Azure Monitor metric alerts can evaluate performance counters like CPU usage over a specified time window (e.g., 10 minutes) and trigger an action group when the threshold (80%) is exceeded. The action group can be configured with an email notification to the operations team, meeting the requirement automatically.
Your company wants to query performance and event data from multiple Azure virtual machines by using Kusto Query Language. The operations team also wants to centralize retention and analysis of this data. What should you deploy?
A Log Analytics workspace.
A Log Analytics workspace is the correct choice because it is the central repository in Azure Monitor for collecting telemetry and log data from Azure virtual machines. It supports Kusto Query Language (KQL) for querying performance and event data, and it provides centralized retention, analysis, and alerting capabilities, meeting both requirements.
You need to retain Azure Firewall logs for long-term analysis in a Log Analytics workspace and also archive them in a storage account for compliance. What should you configure on the Azure Firewall resource?
Diagnostic settings
Diagnostic settings on the Azure Firewall resource allow you to stream platform logs and metrics to a Log Analytics workspace for long-term analysis and to a storage account for archival and compliance. This is the only configuration that simultaneously supports both destinations for the firewall's log data.
You need to notify the security team whenever anyone deletes a resource group in the subscription. Which alert type should you configure?
An activity log alert
Option C is correct because an activity log alert monitors subscription-level events recorded in the Azure Activity Log, including resource group deletion operations. When a user deletes a resource group, the 'Microsoft.Resources/subscriptions/resourceGroups/delete' operation is logged, and an activity log alert can be configured to trigger on that specific operation, sending notifications to the security team.
The AZ-104 flashcard bank covers all 5 official blueprint domains published by Microsoft. Cards are distributed proportionally, so domains with higher exam weight have more cards.
Domain Coverage
Manage Azure Identities and Governance
Implement and Manage Storage
Deploy and Manage Azure Compute
Implement and Manage Virtual Networking
Monitor and Maintain Azure Resources
Both flashcards and practice questions are evidence-based study tools. The difference is in what they train:
Flashcards — concept retention
Best for memorising definitions, acronyms, protocol behaviours, command syntax, and conceptual distinctions. Use flashcards to build the foundational vocabulary that AZ-104 questions assume you know.
Best in: weeks 1–3
Practice tests — application
Best for applying concepts to realistic scenarios, eliminating distractors, and building exam stamina.AZ-104 questions test scenario reasoning — not just recall — so practice tests are essential.
Best in: weeks 3–6
The most effective AZ-104 study plan combines both: use flashcards for the first 2–3 weeks to build conceptual foundations, then shift to practice tests and mock exams in the final 2–3 weeks to apply and benchmark that knowledge. Most candidates who pass on their first attempt use both tools.
Yes. Courseiva provides free AZ-104 flashcards across all official exam domains. Every card includes the correct answer and a full explanation of why it is right and why the distractors are wrong. The platform also includes topic-based practice, mock exams, and readiness tracking — no account required.
Courseiva has 1170+ original AZ-104 flashcards across all 5 exam blueprint domains. New cards are added regularly as the question bank grows. All cards are written by certified engineers against the official Microsoft exam objectives.
Courseiva flashcards are purpose-built for IT certification exams. Unlike generic flashcard platforms where content quality varies, every Courseiva card is mapped to the official AZ-104 exam blueprint, written by engineers who hold the certification, and includes a full explanation of the correct answer and why the distractors are wrong. This explanation quality is what separates genuine learning from rote memorisation.
Courseiva is a web platform — an internet connection is required. For offline study, we recommend creating free Courseiva account, using the platform in your browser, and using your device's offline capabilities if your browser supports offline web apps.
Save your results, see which domains need more work, and get spaced repetition recommendations — all free.
Sign Up FreeFree forever · Every certification included