AZ-104 Microsoft Azure Administrator Sample Exam Questions

PLEASE COMPLETE THIS SURVEY (https://aka.ms/samplequestions)

Microsoft is exploring the possibility of providing sample questions as an exam preparation resource, and we would like your feedback. While we prefer that you complete the survey after taking the exam, you may complete it at any time. Thank You!

User Guide

These sample questions are intended to showcase the difficulty of the questions that you are likely to experience on this exam. These questions are not the same as what you will see on the exam nor is this document illustrative of the length of the exam or its complexity (e.g., you may see additional question types, multiple case studies, and possibly labs). These questions are examples only to give you insight into the difficulty of the exam and help you determine if additional preparation is required.

For each question, the answer, a rationale, and a URL that will link you to additional information is provided immediately below it.

Questions

Question # 1 (Multiple Choice)

Your company has a Microsoft 365 tenant and an Azure Active Directory (Azure AD) tenant named contoso.com. The company uses several Azure Files shares. Each share is assigned to a different department at the company. The department attribute in Azure AD is populated for all users.

You need to ensure that the users can access the departmental file shares. The solution must minimize administrative effort.

Which two types of groups should you use? Each correct presents a complete solution.

A. a security group that uses the dynamic membership type
B. a Microsoft 365 group that uses the dynamic membership type
C. a distribution group
D. a security group that uses the assigned membership type
E. a Microsoft 365 group that uses the assigned membership type

Item Description
Answer: A AND B
Objective: 1.1 Manage Azure Active Directory (Azure AD) objects
Rationale: Groups that use dynamic membership rules reduce the overhead of access management by providing attribute-based membership and access to resources. Based on membership rules the membership, and resulting access, can be granted and removed automatically.
URL: Rules for dynamically populated groups membership - Azure AD | Microsoft Docs

Question # 2 (Multiple Choice)

You have an Azure Active Directory (Azure AD) tenant named contoso.com.

You need to ensure that a user named User1 can review all the settings of the tenant. User1 must be prevented from changing any settings.

Which role should you assign to User1?

A. Directory readers
B. Security reader
C. Reports reader
D. Global reader

Item Description
Answer: D
Objective: 1.2 Manage access control
Rationale: A user that is assigned the Global reader role is prevented from making any modifications. The role is a read-only version of Global Administrator that allows the user to read settings and administrative information across all services but can't take management actions.
URL: Azure AD built-in roles - Azure Active Directory | Microsoft Docs

Question # 3 (Multiple Choice)

You have a production Azure Active Directory (Azure AD) tenant named contoso.com.

You deploy a development Azure Active Directory (AD) tenant, and then you create several custom administrative roles in the development tenant.

You need to copy the roles to the production tenant.

What should you do first?

A. From the development tenant, export the custom roles to JSON.
B. From the production tenant, create a new custom role.
C. From the development tenant, perform a backup.
D. From the production tenant, create an administrative unit.

Item Description
Answer: A
Objective: 1.2 Manage access control
Rationale: Creating Custom roles in Azure can be complex due to thousands of permissions so custom roles can be exported as JSON and then imported into a new custom role. The first step is to export the role to a JSON format. A JSON file can then be imported into another tenant; containing all of the details in the custom role.
URL: Azure custom roles - Azure RBAC | Microsoft Docs

Question # 4 (Multiple Choice)

You have an Azure subscription that contains several hundred virtual machines. You plan to create an Azure Monitor action rule that triggers when a virtual machine uses more than 80% of processor resources for five minutes.

You need to specify the recipient of the action rule notification.

What should you create?

A. Action group
B. Security group
C. Distribution group
D. Microsoft 365 group

Item Description
Answer: A
Objective: 5.1 Monitor resources by using Azure Monitor
Rationale: An action group is a collection of notification preferences defined by the owner of an Azure subscription. Azure Monitor, Service Health and Azure Advisor alerts use action groups to notify users that an alert has been triggered.
URL: /azure/azure-monitor/alerts/action-groups

Question # 5 (Multiple Choice)

Your company has 10 different departments.

You have an Azure subscription that contains several hundred virtual machines. The users of each department use only their department’s virtual machines.

You plan to apply resource tags for each department to the virtual machines.

Which two solutions should you use? Each correct presents a complete solution.

A. PowerShell
B. Azure Resource Manager (ARM) templates
C. app registrations
D. Azure Advisor

Item Description
Answer: A AND B
Objective: 1.3 Manage Azure subscriptions and governance.
Rationale: Assigning Tags to Virtual machines will allow you create reports and dashboards for Alerting, budget and performance management. Tags can be applied by using PowerShell, Azure CLI, and ARM templates.
URL: /azure/cloud-adoption-framework/decision-guides/resource-tagging/

Question # 6 (Multiple Choice)

You have an Azure subscription that contains the storage accounts shown in the following table.

Name Kind Performance Replication
storage1 StorageV2 (general purpose v2) Standard Zone-redundant storage (ZRS)
storage2 BlobStorage Standard Locally-redundant storage (LRS)
storage3 FileStorage Premium Zone-redundant storage (ZRS)
storage4 Storage (general purpose v1) Premium Locally-redundant storage (LRS)

You need to identify which storage accounts can be switched to geo-redundant storage (GRS).

Which storage accounts should you identify?

A. storage1 only
B. storage2 only
C. storage3 only
D. storage4 only
E. storage1 and storage4 only
F. storage2 and storage3 only

Item Description
Answer: B
Objective: 2.1 Configure access to storage
Rationale: Geo-redundant storage (GRS) copies your data synchronously three times within a single physical location in the primary region using LRS. It then copies your data asynchronously to a single physical location in a secondary region that is hundreds of miles away from the primary region. Storage accounts configured with the Premium performance setting only support LRS. Any storage account already configured with ZRS cannot be changed or directly switched to another replication setting. In this scenario, the only storage account that is not set to LRS or Premium performance is storage2, which can be switched to use Geo-redundant storage.
URL: /azure/storage/common/storage-redundancy

Question # 7 (Multiple Choice)

You have an Azure subscription.

You plan to deploy multiple Azure virtual machines by using an Azure Resource Manager (ARM) template.

You need to securely store the credentials that will be used for the deployment.

What should you use?

A. Azure Active Directory (Azure AD) Identity Protection
B. Azure Key Vault
C. Azure storage account
D. Azure Encryption scopes

Item Description
Answer: B
Objective: 3.2 Automate deployment of resources by using templates
Rationale: You can retrieve secrets from an Azure key vault and pass the secrets as parameters when you deploy an Azure Resource Manager template (ARM template). The parameter value is never exposed, because you can reference only the key vault ID and not the credentials directly.
URL: /azure/azure-resource-manager/templates/template-tutorial-use-key-vault

Question # 8 (Multiple Choice)

You have a resource group named RG1 that contains several unused resources.

You need to use the Azure CLI to remove RG1 and all its resources, without requiring a confirmation.

Which command should you use?

A. az group delete --name rg1 --no-wait --yes
B. az group deployment delete --name rg1 --no-wait
C. az group update --name rg1 --remove
D. az group wait –deleted –resource-group rg1

Item Description
Answer: A
Objective: 1.3 Manage Azure subscriptions and governance
Rationale: To remove a resource group using Azure CLI you would use the az group delete command. The –no-wait switch specifies to not wait for long-running operations before you can continue using the open command prompt for additional commands, and the –yes switch specifies no prompt for confirmation.
URL: /cli/azure/group?view=azure-cli-latest#az_group_delete&preserve-view=true

Question # 9 (Multiple Choice)

You have an Azure virtual machine named VM1.

You need to create five additional virtual machines that have the same configurations as VM1. The solution must ensure that VM1 remains available.

From the Azure portal, you open the blade for VM1.

What should you do next?

A. Select Capture.
B. Select Availability and scaling.
C. Select Redeploy + reapply.
D. Select Export template.

Item Description
Answer: D
Objective: 3.1 Automate deployment of resources by using templates
Rationale: If you need to create multiple Azure resources based upon an existing resource, you should export and use a JSON template. You can export a template from the resource itself, from a resource group, or from the deployment history. In this scenario, you would export the template from the VM1 blade.
You would only use Capture if you wanted to create an image of the existing VM. However, this will make the source VM unusable. There are also several preparation tasks to complete before capturing the VM image. You would not select Redeploy + reapply as these two options are used to address failed connections or VM states. Availability and scaling is used to set up and manage VM high availability, not for creating additional VMs based upon a set configuration setting.
URL: /azure/azure-resource-manager/templates/export-template-portal

Question # 10 (Multiple Choice)

You have an Azure subscription that contains an Azure App Service web app named webapp1. Webapp1 uses a domain name of webapp1.azurewebsites.net.

You need to add a custom domain named www.contoso.com to webapp1.

You verify the domain ownership.

Which DNS record should you use next?

A. SRV
B. CNAME
C. TXT
D. PTR

Item Description
Answer: B
Objective: 3.4 Create and configure an Azure App Service
Rationale: When you add a custom domain to an App Service, you need to validate the domain to verify domain ownership. To verify domain ownership for contoso.com you will create a txt record that contains the Custom Domain Verification ID. The CNAME record is used to map www.contoso.com to webapp.azurewebsites.net.
URL: /azure/app-service/app-service-web-tutorial-custom-domain?tabs=cname; /azure/app-service/manage-custom-dns-buy-domain

Question # 11 (Multiple Choice)

You have an Azure subscription that contains a virtual machine named VM1.

VM1 requires volume encryption for its operating system and data disks.

You create an Azure key vault named vault1.

You need to configure vault1 to support Azure Disk Encryption for volume encryption.

Which setting should you modify for vault1?

A. Keys
B. Secrets
C. Access policies
D. Security

Item Description
Answer: C
Objective: 3.2 Create and configure VMs
Rationale: To enable support for Azure Disk Encryption, you need to modify the Access policies for the key vault. This provides an option to enable access to Azure Disk Encryption for volume encryption.
URL: /azure/virtual-machines/windows/disk-encryption-key-vault

Question # 12 (Multiple Choice)

You have an Azure subscription that contains the resources shown in the following table.

Name Description
VM1 Azure virtual machine
blob1 Azure Blob Storage
Disk1 Azure Disk
share1 Azure Files storage
Database1 Azure Database for PostgreSQL servers

Which two resources can you back up to a Recovery Services vault? Each correct presents part of the solution.

A. VM1
B. blob1
C. Disk1
D. share1
E. Database1

Item Description
Answer: A AND D
Objective: 5.2 Implement backup and recovery
Rationale: Recovery Services vault supports Azure Virtual Machines, SQL in Azure VM, Azure Files, SAP HANA in Azure VM, Azure Backup Server, Azure Backup Agent, and DPM. Backup vault supports Azure Database for PostgreSQL servers, Azure Blobs, and Azure disks.
URL: /azure/backup/backup-support-matrix#vault-support; /azure/backup/backup-azure-recovery-services-vault-overview; /azure/backup/backup-vault-overview

Case Study

Overview

Contoso, Ltd. is a consulting company. The company has a main office in Vancouver and branch offices in Seattle and New York.

Existing Environment

Azure Environment

Contoso has two Azure subscriptions named ContosoSub1 and ContosoSub2.

ContosoSub1 has the resource group shown in the following table.

Name Lock name Lock type Location
ResourceGroup1 Lock1 Read Only West US

ResourceGroup1 contains the resources shown in the following table.

Name Type Tag IP address space Location
Disk1 Managed disk RG:1 Not applicable West US
Vnet1 Virtual network RG:1 10.40.0.0/20 West US

ContosoSub2 has the resource group shown in the following table.

Name Lock name Lock type Region
ResourceGroup2 Lock 2 Delete East US

ResourceGroup2 contains the resources shown in the following table.

Name Type Tag IP address space Location
Disk2 Managed disk RG:2 Not applicable East US
Vnet2 Virtual network RG:2 10.40.0.0/22 East US

Contoso has an Azure Active Directory (Azure AD) tenant named contoso.com that contains the user accounts shown in the following table.

Name Role Office
Admin1 Domain name administrator Vancouver
Admin2 User administrator Vancouver
Admin3 Helpdesk administrator Vancouver
User1 Not applicable New York
User2 Not applicable Seattle

Azure Storage Environment

ContosoSub1 contains the storage accounts shown in the following table.

Name Kind
contosostorage1 StorageV2 (general purpose v2)
contosostorage2 FileStorage
contosostorage3 BlockBlobStorage
contosostorage4 Storage (general purpose v1)

Contoso has the Recovery Service vaults shown in the following table.

Name Backup contains Storage replication type
Rsv1 Azure File shares Geo-redundant storage (GRS)
Rsv2 Virtual machines Geo-redundant storage (GRS)
Rsv3 No items Geo-redundant storage (GRS)

Problem Statement

  • Administrators share the contosostorage2 access key with external users.
  • Replication costs for backups are over budget.

Requirements

Planned Changes

Contoso plans to implement the following changes:

  • Configure backups to use locally-redundant storage (LRS) replication whenever possible.
  • Hire 125 new employees, each of whom will require an account created in the tenant.
  • Delegate User1 to manage all the user and group accounts in the New York office.
  • Delegate User2 to manage all the user and group accounts in the Seattle office.
  • Deploy a new Azure virtual machine named DevVM1 that will run Windows 10.
  • Create peering between Vnet1 and Vnet2.
  • Move Disk1 to ResourceGroup2.

Technical Requirements

Contoso must meet the following technical requirements:

  • For supported storage accounts, data not accessed for 60 days must be moved automatically to cool storage. Data not accessed for 120 days must be moved automatically to archive storage.
  • DevVM1 must be accessible from the Azure portal over TLS and provide seamless RDP/SSH connectivity.
  • Delegated administrative permissions must be scoped to specific locations.
  • Administrative effort and costs must be minimized whenever possible.
  • The principle of least privilege must be used.

Security Requirements

Contoso must meet the following security requirements:

  • User access to storage account data must be granted for a specified start and expiration date and time.
  • DevVM1 must be protected from port scanning from outside the virtual network.
  • Storage account access keys must not be shared directly with users.

Question # 13 (Multiple Choice)

Answer the following question based on the information presented in the case study.

Which administrator can implement the planned changes for the new employees?

A. Admin1 only
B. Admin2 only
C. Admin3 only
D. Admin1 and Admin2 only
E. Admin1 and Admin3 only

Item Description
Answer: B
Objective: Objective 1.1: Manage Azure Active Directory (Azure AD) objects
Rationale: To bulk create users in the Azure AD administration portal, you must be signed in as a Global administrator or User administrator. Only Admin2 has the User administrator role to perform the task.
=====================
From the Case Study:
Azure Environment:
NameAdministrative RoleLocation
Admin1Domain name administratorVancouver
Admin2User administratorVancouver
Admin3Helpdesk administratorVancouver
User1N/ANew York
User2N/ASeattle

Planned Changes:
Hire 125 new employees with each needing an account created in the tenant.

Technical requirements:
Minimize administrative effort and cost whenever possible.
====================
URL: /azure/active-directory/enterprise-users/users-bulk-add

Question # 14 (Multiple Choice)

Answer the following question based on the information presented in the case study.

You need to implement the planned changes for User1 and User2.

What should you do first?

A. Create two new resource groups.
B. Create two new management groups.
C. Create two new named locations.
D. Create two new administrative units.

Item Description
Answer: D
Objective: Objective 1.1: Manage Azure Active Directory (Azure AD) objects
Rationale: You use Administrative units to logically group Azure AD resources. You first create the Administrative units for each location. You can then assign User1 and User2 the User administrator role for each of their associated Administrative units and then add the users and groups that should be managed members.
=====================
From the Case Study:
Azure Environment:
NameAdministrative RoleLocation
Admin1Domain name administratorVancouver
Admin2User administratorVancouver
Admin3Helpdesk administratorVancouver
User1N/ANew York
User2N/ASeattle

Planned Changes:
Delegate User1 to manage all user and group accounts in New York.
Delegate User2 to manage all user and group accounts in Seattle.

Technical requirements:
Delegated administrative permissions must be scoped to specific locations.
Minimize administrative effort and cost whenever possible.
====================
URL: /azure/active-directory/roles/administrative-units

Question # 15 (Multiple Choice)

Answer the following question based on the information presented in the case study.

You need to implement the planned changes for Disk1.

What should you do first?

A. Add ContosoSub1 and ContosoSub2 to a new management group.
B. Remove Lock1 from ResourceGroup1.
C. Modify the RG:1 tag.
D. Remove Lock2 from ResourceGroup2.

Item Description
Answer: B
Objective: 1.3 Manage Azure subscriptions and governance
Rationale: To move a resource between resource groups, you need to first remove any locks associated with the resource. Disk1 has an inherited lock from ResourceGroup1. To move Disk1 you must first remove the lock.
ResourceGroup2 has a Delete lock. However, this will not affect the ability to move or create resources in this resource group.
Adding ContosoSub1 or ContosoSub2 to a new Management group has no relevance to the planned changes for Disk1.
Modifying the RG:1 tag will have no effect on the ability to move Disk1.
=====================
From the Case Study:
Azure Environment:
Contoso has two Azure subscriptions named ContosoSub1 and ContosoSub2.
ContosoSub1 has the following resource group:
NameLock nameLock typeRegion
ResourceGroup1Lock1Read OnlyWest US
ResourceGroup1 contains the following resources:
NameTypeTagsAddress spaceRegion
Disk1Managed diskRG:1N/AWest US
Vnet1Virtual networkRG:110.40.0.0/20West US
ContosoSub2 has the following resource group:
NameLock nameLock typeRegion
ResourceGroup2Lock 2DeleteEast US
ResourceGroup2 contains the following resources:
NameTypeTagsAddress spaceRegion
Disk2Managed diskRG:2N/AEast US
Vnet2Virtual networkRG:210.40.0.0/22East US

Planned Changes:
Move Disk1 to ResourceGroup2.
====================
URL: /azure/azure-resource-manager/management/lock-resources?tabs=json

Question # 16 (Multiple Choice)

Answer the following question based on the information presented in the case study.

Which storage accounts meet the technical requirements?

A. contosostorage1 and contosostorage4 only
B. contosostorage2 and contosostorage3 only
C. contosostorage1 and contosostorage3 only
D. contosostorage2 and contosostorage4 only

Item Description
Answer: C
Objective: 2.3 Configure Azure files and Azure Blob Storage
Rationale: Lifecycle management policies apply rules to supported storage accounts to control the transition of data to cooler storage tiers. Lifecycle management policies are supported for block blobs and append blobs in general-purpose v2, premium block blob, and Blob Storage accounts. FileStorage and general purpose v1 storage accounts do not support lifecycle management.
=====================
From the Case Study:
Azure Storage Environment:
ContosoSub1 contains the following storage accounts:
NameKind
ContosoStorage1StorageV2 (general purpose v2)
ContosoStorage2FileStorage
ContosoStorage3BlockBlobStorage
ContosoStorage4Storage (general purpose v1)

Technical requirements:
For supported storage accounts, data not accessed for 60 days must be automatically moved to cool storage. Data not accessed for 120 days must be automatically moved to archive storage.
=====================
URL: /azure/storage/blobs/lifecycle-management-overview

Question # 17 (Multiple Choice)

Answer the following question based on the information presented in the case study.

You need to address the issue that relates to contosostorage2. The solution must meet the security requirements.

What should you do?

A. Set a rotation reminder for the access keys.
B. Configure a lifecycle management rule.
C. Create a new access review.
D. Generate a shared access signature (SAS).

Item Description
Answer: D
Objective: 2.1 Configure access to storage
Rationale: A shared access signature (SAS) provides secure delegated access to resources in your storage account. You can use a SAS to provide granular control such as how long access is valid, what permissions they have to the resources, and what resources the client may access.
=====================
From the Case Study:
Azure Storage Environment:
ContosoSub1 contains the following storage accounts:
NameKind
ContosoStorage1StorageV2 (general purpose v2)
ContosoStorage2FileStorage
ContosoStorage3BlockBlobStorage
ContosoStorage4Storage (general purpose v1)

Problem Statement:
Administrators have been sharing the ContosoStorage2 access key with external users.
Security Requirements:
User access to storage account data must be granted for a specified start and expiration date and time.
Storage account access keys must not be directly shared with users.
=====================
URL: /azure/storage/common/storage-sas-overview?toc=/azure/storage/blobs/toc.json

Question # 18 (Multiple Choice)

Answer the following question based on the information presented in the case study.

You need to implement the planned changes for Vnet1 and Vnet2.

What should you do first?

A. Move Vnet1 to the East US Azure region.
B. Move Vnet2 to the ContosoSub1 subscription.
C. Modify the tag for Vnet2.
D. Modify the address space for Vnet1.

Item Description
Answer: D
Objective: 4.1 Configure virtual networks
Rationale: The virtual networks you peer must have non-overlapping IP address spaces. As shown in the case study Vnet1 and Vnet2 have overlapping IP address spaces. Because of this, you will need to modify the address space for one of the virtual networks. You can peer virtual networks from different regions and from different subscriptions, and so A and B do not address the issue.
Modifying the tag for Vnet2 does not address the issue.
From the Case Study:
Azure Environment
Contoso has two Azure subscriptions named ContosoSub1 and ContosoSub2.
ContosoSub1 has the following resource group:
NameLock nameLock typeRegion
ResourceGroup1Lock1Read OnlyWest US
ResourceGroup1 contains the following resources:
NameTypeTagsAddress spaceRegion
Disk1Managed diskRG:1N/AWest US
Vnet1Virtual networkRG:110.40.0.0/20West US
ContosoSub2 has the following resource group:
NameLock nameLock typeRegion
ResourceGroup2Lock 2DeleteEast US
ResourceGroup2 contains the following resources:
NameTypeTagsAddress spaceRegion
Disk2Managed diskRG:2N/AEast US
Vnet2Virtual networkRG:210.40.0.0/22East US

Planned Changes:
Peering between Vnet1 and Vnet2.
=====================
URL: /azure/virtual-network/virtual-network-manage-peering

Question # 19 (Multiple Choice)

Answer the following question based on the information presented in the case study.

Before you deploy DevVM1, you need to consider the technical and security requirements.

What should you do to ensure that access to DevVM1 is secure?

A. Install the Remote Desktop client on all the devices that will connect to DevVM1.
B. Deploy the Azure Bastion service.
C. Configure Remote Desktop Gateway on all the devices that will connect to DevVM1.
D. Configure the Azure Network Watcher service.

Item Description
Answer: B
Objective: 4.2 Configure secure access to virtual networks
Rationale: Azure Bastion is a service that provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS. When you connect via Azure Bastion, your virtual machines do not need a public IP address, agent, or special client software. Not requiring a public IP address protects the virtual machine from outside port scanning.
=====================
From the Case Study:
Planned Changes:
Deploy a new Windows 10 Azure VM named DevVM1.
Technical requirements:
DevVM1 must be accessible from the Azure portal over TLS and provide seamless RDP/SSH connectivity.
Security Requirements:
DevVM1 must be protected from port scanning from outside the virtual network.
=====================
URL: /azure/bastion/bastion-overview

Question # 20 (Multiple Choice)

Answer the following question based on the information presented in the case study.

You need to resolve the issue that relates to the replication costs for backups.

Which Recovery Services vault can be configured to use locally-redundant storage (LRS) replication?

A. Rsv1 only
B. Rsv2 only
C. Rsv3 only
D. Rsv1 and Rsv2 only
E. Rsv1, Rsv2, and Rsv3

Item Description
Answer: C
Objective: 5.2 Implement backup and recovery
Rationale: The storage replication type cannot be changed after protecting items. Since Rsv3 is the only Recovery services vault that does not contain items, it is the only one that can be modified to use the Locally-redundant storage replication type.
=====================
From the Case Study:
Azure Storage Environment:
Recovery service vaults have been configured as follows:
NameBackup contains:Storage replication type:
Rsv1Azure file sharesGeo-redundant
Rsv2Virtual machinesGeo-redundant
Rsv3No itemsGeo-redundant

Problem Statement:
Replication costs for backups are over budget.
Planned Changes:
Configure backups to use Locally-redundant replication when possible.
=====================
URL: /azure/backup/backup-create-rs-vault