Back to AZ-104 questions

Scenario-based practice

Hard Difficulty Questions

Practise AZ-104 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20
scenario questions
AZ-104
exam code
Microsoft
vendor

Scenario guide

How to approach hard difficulty questions

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.

Quick answer

Hard Difficulty Questions questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Related practice questions

Related AZ-104 topic practice pages

Scenario questions usually connect to one or more exam topics. Use these links to review the underlying concepts behind the scenario.

Practice set

Practice scenarios

Question 1hardmultiple choice
Full question →

A storage account becomes unavailable because Azure has a regional platform issue. The operations team wants a notification whenever Azure marks the resource or region unhealthy, and they want to avoid continuous log ingestion just to detect the outage. What should they configure?

Question 2hardmulti select
Full question →

A support engineer must start and restart one specific virtual machine from the Azure portal, but must not be able to delete the VM, change networking, or grant access to others. Which two actions should be included in a custom role? Select two.

Question 3hardmultiple choice
Full question →

A team needs one Azure Files share that can be mounted by both Windows and Linux VMs. The VMs are joined to the same on-premises Active Directory Domain Services domain, and the security team forbids storage account keys. The team also wants to manage access with existing AD group memberships. What should the administrator configure?

Question 4hardmulti select
Full question →

A subscription already grants Contributor to an application team. The organization wants to prevent deployments in unsupported Azure regions and ensure every new resource has an Environment tag. Which two controls should be implemented with Azure Policy rather than RBAC? Select two.

Question 5hardmultiple choice
Full question →

Your organization wants all subscriptions under the Corp-MG management group to inherit a policy that blocks deployment of resource types not on an approved list. Which Azure feature should you use?

Question 6hardmultiple choice
Full question →

A virtual machine scale set must increase instance count when average CPU exceeds 75 percent and decrease when it stays below 30 percent. What Azure feature should you configure?

Question 7hardmultiple choice
Full question →

An Azure subscription contains several resource groups. You need to ensure that users can create virtual machines only in regions approved by the security team. Existing noncompliant VMs can remain unchanged. What should you do?

Question 8hardmultiple choice
Full question →

An application in a VNet must access an Azure Storage account over a private IP address. Public network access is disabled on the storage account, and the app must resolve the normal blob FQDN to that private address only from within the VNet. What should the administrator configure?

Question 9hardmulti select
Full question →

An Azure application and an Azure Automation account need Azure access without any stored secrets. The same identity should be reusable and should not require manual secret rotation. Which two identity choices meet the requirement? Select two.

Question 10hardmultiple choice
Review the full subnetting walkthrough →

A subnet has a user-defined route for 10.0.0.0/8 with next hop Virtual appliance 10.1.1.4. The VNet is peered with VNet-Shared, whose address space is 10.12.0.0/16. A VM in the subnet sends traffic to 10.12.4.25. Which next hop will Azure use?

Question 11hardmultiple choice
Review the full routing breakdown →

Traffic from VM-App01 is unexpectedly reaching the internet through a network virtual appliance. You need to determine which route is currently applied to the virtual machine network interface. Which Azure tool should you use?

Question 12hardmultiple choice
Full question →

A team already has a metric alert on a production VM. The alert should continue evaluating 24/7, but email notifications must be sent only Monday through Friday from 08:00 to 18:00 local time. What should the administrator add or change?

Question 13hardmultiple choice
Full question →

You need to collect Windows event logs and performance counters from multiple Azure virtual machines and query the data by using Kusto Query Language. Which Azure resource should you use?

Question 14hardmultiple choice
Read the full VPN explanation →

Third-party support engineers connect from the public internet and need browser-based RDP and SSH access to Azure VMs that have only private IPs. The security team will not allow public IPs on the VMs, inbound 3389 or 22 from the internet, or a client VPN on each laptop. What should you deploy?

Question 15hardmultiple choice
Review the full subnetting walkthrough →

Traffic from Subnet-App to the internet is being routed through a virtual appliance unexpectedly. You need to identify which route is being applied to the network interface of VM-App01. Which Azure feature should you use?

Question 16hardmultiple choice
Read the full NAT/PAT explanation →

Traffic from VM-App01 is taking an unexpected path to the internet through a network virtual appliance. You need to determine which routes are actually applied to the VM network interface. Which Azure feature should you use?

Question 17hardmultiple choice
Review the full routing breakdown →

Traffic from VM-App01 is unexpectedly reaching the internet through a virtual appliance. You need to see which routes are currently applied to the VM network interface. Which Azure tool should you use?

Question 18hardmultiple choice
Full question →

You need to collect Windows event logs and performance counters from multiple Azure virtual machines and query the data centrally by using Kusto Query Language. Which Azure resource should you deploy?

Question 19hardmultiple choice
Full question →

A 180-GB blob was moved to the Archive tier last week. A legal team now needs the file available later today for repeated review, and they are willing to pay more to shorten the wait. Which action should the administrator take first?

Question 20hardmulti select
Full question →

A contractor needs Contributor on only VM1 and VM2 in rg-prod. Other resources in rg-prod must remain untouched, and the contractor must not gain access to any other resource groups or subscriptions. Which two role-assignment scopes meet the requirement? Select two.

These AZ-104 practice questions are part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style AZ-104 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.