AZ-104 Microsoft Azure Administrator Sample

Exam Questions
Article09/22/202220 minutes to read

PLEASE COMPLETE THIS SURVEY (https://aka.ms/samplequestions)

Microsoft is exploring the possibility of providing sample questions as an exam preparation resource,
and we would like your feedback. While we prefer that you complete the survey after taking the exam,
you may complete it at any time. Thank You!

User Guide
These sample questions are intended to showcase the difficulty of the questions that you are likely to
experience on this exam. These questions are not the same as what you will see on the exam nor is
this document illustrative of the length of the exam or its complexity (e.g., you may see additional
question types, multiple case studies, and possibly labs). These questions are examples only to give
you insight into the difficulty of the exam and help you determine if additional preparation is required.

For each question, the answer, a rationale, and a URL that will link you to additional information is
provided immediately below it.

Questions

Question # 1 (Multiple Choice)

Your company has a Microsoft 365 tenant and an Azure Active Directory (Azure AD) tenant named
contoso.com. The company uses several Azure Files shares. Each share is assigned to a different
department at the company. The department attribute in Azure AD is populated for all users.

You need to ensure that the users can access the departmental file shares. The solution must minimize
administrative effort.

Which two types of groups should you use? Each correct presents a complete solution.

A. a security group that uses the dynamic membership type

B. a Microsoft 365 group that uses the dynamic membership
type
C. a distribution group

D. a security group that

uses the assigned membership type
E. a Microsoft 365 group that uses the assigned membership
type

Item Description
 Item Description

Answer: A AND B

Objective: 1.1 Manage Azure Active Directory (Azure AD) objects

Rationale: Groups that use dynamic membership rules reduce the overhead of access management
by providing attribute-based membership and access to resources. Based on
membership rules the membership, and resulting access, can be granted and removed
automatically.

URL: Rules for dynamically populated groups membership - Azure AD | Microsoft Docs

Question # 2 (Multiple Choice)

You have an Azure Active Directory (Azure AD) tenant named contoso.com.

You need to ensure that a user named User1 can review all the settings of the tenant. User1 must be
prevented from changing any settings.

Which role should you assign to User1?

A. Directory readers
B. Security reader

C. Reports reader

D. Global reader

Item Description

Answer: D

Objective: 1.2 Manage access control

Rationale: A user that is assigned the Global reader role is prevented from making any
modifications. The role is a read-only version of Global Administrator that allows the
user to read settings and administrative information across all services but can't take
management actions.

URL: Azure AD built-in roles - Azure Active Directory | Microsoft Docs

Question # 3 (Multiple Choice)

You have a production Azure Active Directory (Azure AD) tenant named contoso.com.

You deploy a development Azure Active Directory (AD) tenant, and then you create several custom
administrative roles in the development tenant.
You need to copy the roles to the production tenant.

What should you do first?

A. From the development tenant, export the custom roles to JSON.

B. From the production tenant, create a new custom role.
C. From the development tenant, perform a backup.
D. From the production tenant, create an administrative unit.

Item Description

Answer: A

Objective: 1.2 Manage access control

Rationale: Creating Custom roles in Azure can be complex due to thousands of permissions so
custom roles can be exported as JSON and then imported into a new custom role. The
first step is to export the role to a JSON format. A JSON file can then be imported into
another tenant; containing all of the details in the custom role.

URL: Azure custom roles - Azure RBAC | Microsoft Docs

Question # 4 (Multiple Choice)

You have an Azure subscription that contains several hundred virtual machines. You plan to create an
Azure Monitor action rule that triggers when a virtual machine uses more than 80% of processor
resources for five minutes.

You need to specify the recipient of the action rule notification.

What should you create?

A. Action group
B. Security group

C. Distribution group

D. Microsoft 365 group

Item Description

Answer: A

Objective: 5.1 Monitor resources by using Azure Monitor

Rationale: An action group is a collection of notification preferences defined by the owner of an

Azure subscription. Azure Monitor, Service Health and Azure Advisor alerts use action
groups to notify users that an alert has been triggered.
 Item Description

URL: /azure/azure-monitor/alerts/action-groups

Question # 5 (Multiple Choice)

Your company has 10 different departments.

You have an Azure subscription that contains several hundred virtual machines. The users of each
department use only their department’s virtual machines.

You plan to apply resource tags for each department to the virtual machines.

Which two solutions should you use? Each correct presents a complete solution.

A. PowerShell

B. Azure Resource Manager (ARM) templates

C. app registrations

D. Azure Advisor

Item Description

Answer: A AND B

Objective: 1.3 Manage Azure subscriptions and governance.

Rationale: Assigning Tags to Virtual machines will allow you create reports and dashboards for
Alerting, budget and performance management. Tags can be applied by using
PowerShell, Azure CLI, and ARM templates.

URL: /azure/cloud-adoption-framework/decision-guides/resource-tagging/

Question # 6 (Multiple Choice)

You have an Azure subscription that contains the storage accounts shown in the following table.

Name Kind Performance Replication

storage1 StorageV2 (general purpose v2) Standard Zone-redundant storage (ZRS)

storage2 BlobStorage Standard Locally-redundant storage (LRS)

storage3 FileStorage Premium Zone-redundant storage (ZRS)

storage4 Storage (general purpose v1) Premium Locally-redundant storage (LRS)

You need to identify which storage accounts can be switched to geo-redundant storage (GRS).

Which storage accounts should you identify?

A. storage1 only
B. storage2 only
C. storage3 only
D. storage4 only
E. storage1 and storage4 only
F. storage2 and storage3 only

Item Description

Answer: B

Objective: 2.1 Configure access to storage

Rationale: Geo-redundant storage (GRS) copies your data synchronously three times within a single
physical location in the primary region using LRS. It then copies your data
asynchronously to a single physical location in a secondary region that is hundreds of
miles away from the primary region. Storage accounts configured with the Premium
performance setting only support LRS. Any storage account already configured with ZRS
cannot be changed or directly switched to another replication setting. In this scenario,
the only storage account that is not set to LRS or Premium performance is storage2,
which can be switched to use Geo-redundant storage.

URL: /azure/storage/common/storage-redundancy

Question # 7 (Multiple Choice)

You have an Azure subscription.

You plan to deploy multiple Azure virtual machines by using an Azure Resource Manager (ARM)
template.

You need to securely store the credentials that will be used for the deployment.

What should you use?

A. Azure Active Directory (Azure AD) Identity Protection

B. Azure Key Vault

C. Azure storage account

D. Azure Encryption scopes

Item Description

Answer: B
 Item Description

Objective: 3.2 Automate deployment of resources by using templates

Rationale: You can retrieve secrets from an Azure key vault and pass the secrets as parameters
when you deploy an Azure Resource Manager template (ARM template). The parameter
value is never exposed, because you can reference only the key vault ID and not the
credentials directly.

URL: /azure/azure-resource-manager/templates/template-tutorial-use-key-vault

Question # 8 (Multiple Choice)

You have a resource group named RG1 that contains several unused resources.

You need to use the Azure CLI to remove RG1 and all its resources, without requiring a confirmation.

Which command should you use?

A. az group delete --name rg1 --no-wait --yes

B. az group deployment delete --name rg1 --no-wait

C. az group update --name rg1 --remove

rg1
D. az group wait –deleted –resource-group

Item Description

Answer: A

Objective: 1.3 Manage Azure subscriptions and governance

Rationale: To remove a resource group using Azure CLI you would use the az group delete
command. The –no-wait switch specifies to not wait for long-running operations before
you can continue using the open command prompt for additional commands, and the –
yes switch specifies no prompt for confirmation.

URL: /cli/azure/group?view=azure-cli-latest#az_group_delete&preserve-view=true

Question # 9 (Multiple Choice)

You have an Azure virtual machine named VM1.

You need to create five additional virtual machines that have the same configurations as VM1. The
solution must ensure that VM1 remains available.

From the Azure portal, you open the blade for VM1.
What should you do next?

A. Select Capture.
B. Select Availability and scaling.
C. Select Redeploy + reapply.
D. Select Export template.

Item Description

Answer: D

Objective: 3.1 Automate deployment of resources by using templates

Rationale: If you need to create multiple Azure resources based upon an existing resource, you
should export and use a JSON template. You can export a template from the resource
itself, from a resource group, or from the deployment history. In this scenario, you would
export the template from the VM1 blade.
You would only use Capture if you wanted to create an image of the existing VM.
However, this will make the source VM unusable. There are also several preparation
tasks to complete before capturing the VM image. You would not select Redeploy +
reapply as these two options are used to address failed connections or VM states.
Availability and scaling is used to set up and manage VM high availability, not for
creating additional VMs based upon a set configuration setting.

URL: /azure/azure-resource-manager/templates/export-template-portal

Question # 10 (Multiple Choice)

You have an Azure subscription that contains an Azure App Service web app named webapp1.
Webapp1 uses a domain name of webapp1.azurewebsites.net.

You need to add a custom domain named www.contoso.com to webapp1.

You verify the domain ownership.

Which DNS record should you use next?

A. SRV

B. CNAME
C. TXT

D. PTR

Item Description

Answer: B

Objective: 3.4 Create and configure an Azure App Service

 Item Description

Rationale: When you add a custom domain to an App Service, you need to validate the domain to
verify domain ownership. To verify domain ownership for contoso.com you will create a
txt record that contains the Custom Domain Verification ID. The CNAME record is used
to map www.contoso.com to webapp.azurewebsites.net.

URL: /azure/app-service/app-service-web-tutorial-custom-domain?tabs=cname; /azure/app-
service/manage-custom-dns-buy-domain

Question # 11 (Multiple Choice)

You have an Azure subscription that contains a virtual machine named VM1.

VM1 requires volume encryption for its operating system and data disks.

You create an Azure key vault named vault1.

You need to configure vault1 to support Azure Disk Encryption for volume encryption.

Which setting should you modify for vault1?

A. Keys

B. Secrets
C. Access
policies
D. Security

Item Description

Answer: C

Objective: 3.2 Create and configure VMs

Rationale: To enable support for Azure Disk Encryption, you need to modify the Access policies for
the key vault. This provides an option to enable access to Azure Disk Encryption for
volume encryption.

URL: /azure/virtual-machines/windows/disk-encryption-key-vault

Question # 12 (Multiple Choice)

You have an Azure subscription that contains the resources shown in the following table.

Name Description

VM1 Azure virtual machine

 Name Description

blob1 Azure Blob Storage

Disk1 Azure Disk

share1 Azure Files storage

Database1 Azure Database for PostgreSQL servers

Which two resources can you back up to a Recovery Services vault? Each correct presents part of the
solution.

A. VM1
B. blob1

C. Disk1

D. share1

E. Database1

Item Description

Answer: A AND D

Objective: 5.2 Implement backup and recovery

Rationale: Recovery Services vault supports Azure Virtual Machines, SQL in Azure VM, Azure Files,
SAP HANA in Azure VM, Azure Backup Server, Azure Backup Agent, and DPM. Backup
vault supports Azure Database for PostgreSQL servers, Azure Blobs, and Azure disks.

URL: /azure/backup/backup-support-matrix#vault-support; /azure/backup/backup-azure-
recovery-services-vault-overview; /azure/backup/backup-vault-overview

Case Study

Overview
Contoso, Ltd. is a consulting company. The company has a main office in Vancouver and branch offices
in Seattle and New York.

Existing Environment

Azure Environment
Contoso has two Azure subscriptions named ContosoSub1 and ContosoSub2.

ContosoSub1 has the resource group shown in the following table.

Name Lock name Lock type Location

ResourceGroup1 Lock1 Read Only West US

ResourceGroup1 contains the resources shown in the following table.

Name Type Tag IP address space Location

Disk1 Managed disk RG:1 Not applicable West US

Vnet1 Virtual network RG:1 10.40.0.0/20 West US

ContosoSub2 has the resource group shown in the following table.

Name Lock name Lock type Region

ResourceGroup2 Lock 2 Delete East US

ResourceGroup2 contains the resources shown in the following table.

Name Type Tag IP address space Location

Disk2 Managed disk RG:2 Not applicable East US

Vnet2 Virtual network RG:2 10.40.0.0/22 East US

Contoso has an Azure Active Directory (Azure AD) tenant named contoso.com that contains the user
accounts shown in the following table.

Name Role Office

Admin1 Domain name administrator Vancouver

Admin2 User administrator Vancouver

Admin3 Helpdesk administrator Vancouver

User1 Not applicable New York

User2 Not applicable Seattle

Azure Storage Environment

ContosoSub1 contains the storage accounts shown in the following table.

Name Kind

contosostorage1 StorageV2 (general purpose v2)

contosostorage2 FileStorage

contosostorage3 BlockBlobStorage

contosostorage4 Storage (general purpose v1)

Contoso has the Recovery Service vaults shown in the following table.

Name Backup contains Storage replication type

Rsv1 Azure File shares Geo-redundant storage (GRS)

Rsv2 Virtual machines Geo-redundant storage (GRS)

Rsv3 No items Geo-redundant storage (GRS)

Problem Statement
Administrators share the contosostorage2 access key with external users.
Replication costs for backups are over budget.

Requirements

Planned Changes
Contoso plans to implement the following changes:

Configure backups to use locally-redundant storage (LRS) replication whenever possible.

Hire 125 new employees, each of whom will require an account created in the tenant.
Delegate User1 to manage all the user and group accounts in the New York office.
Delegate User2 to manage all the user and group accounts in the Seattle office.
Deploy a new Azure virtual machine named DevVM1 that will run Windows 10.
Create peering between Vnet1 and Vnet2.
Move Disk1 to ResourceGroup2.

Technical Requirements
Contoso must meet the following technical requirements:
 For supported storage accounts, data not accessed for 60 days must be moved automatically to
cool storage. Data not accessed for 120 days must be moved automatically to archive storage.
DevVM1 must be accessible from the Azure portal over TLS and provide seamless RDP/SSH
connectivity.
Delegated administrative permissions must be scoped to specific locations.
Administrative effort and costs must be minimized whenever possible.
The principle of least privilege must be used.

Security Requirements
Contoso must meet the following security requirements:

User access to storage account data must be granted for a specified start and expiration date
and time.
DevVM1 must be protected from port scanning from outside the virtual network.
Storage account access keys must not be shared directly with users.

Question # 13 (Multiple Choice)

Answer the following question based on the information presented in the case study.

Which administrator can implement the planned changes for the new employees?

A. Admin1 only
B. Admin2 only

C. Admin3 only

D. Admin1 and
Admin2 only
E. Admin1 and Admin3 only

Item Description

Answer: B

Objective: Objective 1.1: Manage Azure Active Directory (Azure AD) objects
 Item Description

Rationale: To bulk create users in the Azure AD administration portal, you must be signed in as a
Global administrator or User administrator. Only Admin2 has the User administrator role
to perform the task.
=====================

From the Case Study:

Azure Environment:

Name Administrative Role Location

Admin1 Domain name administrator Vancouver

Admin2 User administrator Vancouver

Admin3 Helpdesk administrator Vancouver

User1 N/A New York

User2 N/A Seattle

Planned Changes:

Hire 125 new employees with each needing an account created in the tenant.

Technical requirements:
Minimize administrative
effort and cost whenever possible.
====================

URL: /azure/active-directory/enterprise-users/users-bulk-add

Question # 14 (Multiple Choice)

Answer the following question based on the information presented in the case study.

You need to implement the planned changes for User1 and User2.

What should you do first?

A. Create two new resource groups.

B. Create two new management groups.

C. Create two new named locations.

D. Create two new administrative units.

Item Description

Answer: D
 Item Description

Objective: Objective 1.1: Manage Azure Active Directory (Azure AD) objects

Rationale: You use Administrative units to logically group Azure AD resources. You first create the
Administrative units for each location. You can then assign User1 and User2 the User
administrator role for each of their associated Administrative units and then add the
users and groups that should be managed members.
=====================

From the Case Study:

Azure Environment:

Name Administrative Role Location

Admin1 Domain name administrator Vancouver

Admin2 User administrator Vancouver

Admin3 Helpdesk administrator Vancouver

User1 N/A New York

User2 N/A Seattle

Planned Changes:
Delegate User1 to
manage all user and group accounts in New York.
Delegate User2 to manage all user and group accounts in Seattle.

Technical requirements:
Delegated administrative
permissions must be scoped to specific locations.
Minimize administrative effort and cost whenever possible.

====================

URL: /azure/active-directory/roles/administrative-units

Question # 15 (Multiple Choice)

Answer the following question based on the information presented in the case study.

You need to implement the planned changes for Disk1.

What should you do first?

A. Add ContosoSub1 and ContosoSub2 to a new management group.

B. Remove Lock1 from ResourceGroup1.

C. Modify the RG:1 tag.

D. Remove Lock2 from

ResourceGroup2.
Item Description

Answer: B

Objective: 1.3 Manage Azure subscriptions and governance

Item Description

Rationale: To move a resource between resource groups, you need to first remove any locks
associated with the resource. Disk1 has an inherited lock from ResourceGroup1. To move
Disk1 you must first remove the lock.
ResourceGroup2 has a Delete lock. However, this will not affect the ability to move or
create resources in this resource group.
Adding ContosoSub1 or ContosoSub2 to a new Management group has no relevance to
the planned changes for Disk1.
Modifying the RG:1 tag will have no effect on the ability to move Disk1.
=====================
From the Case Study:
Azure Environment:
Contoso has two Azure subscriptions named ContosoSub1 and ContosoSub2.
ContosoSub1 has the following resource group:

Name Lock name Lock type Region

ResourceGroup1 Lock1 Read Only West US

ResourceGroup1 contains the following resources:

Name Type Tags Address space Region

Disk1 Managed disk RG:1 N/A West US

Vnet1 Virtual network RG:1 10.40.0.0/20 West US

ContosoSub2 has the following resource group:

Name Lock name Lock type Region

ResourceGroup2 Lock 2 Delete East US

ResourceGroup2 contains the following resources:

Name Type Tags Address space Region

Disk2 Managed disk RG:2 N/A East US

Vnet2 Virtual network RG:2 10.40.0.0/22 East US

Planned Changes:
Move Disk1 to ResourceGroup2.
====================

URL: /azure/azure-resource-manager/management/lock-resources?tabs=json
Question # 16 (Multiple Choice)
Answer the following question based on the information presented in the case study.

Which storage accounts meet the technical requirements?

A. contosostorage1 and contosostorage4 only

B. contosostorage2 and contosostorage3 only

C. contosostorage1 and contosostorage3 only

D. contosostorage2 and contosostorage4 only

Item Description

Answer: C

Objective: 2.3 Configure Azure files and Azure Blob Storage

Rationale: Lifecycle management policies apply rules to supported storage accounts to control the
transition of data to cooler storage tiers. Lifecycle management policies are supported
for block blobs and append blobs in general-purpose v2, premium block blob, and Blob
Storage accounts. FileStorage and general purpose v1 storage accounts do not support
lifecycle management.
=====================

From the Case Study:

Azure Storage Environment:

ContosoSub1 contains the following storage accounts:

Name Kind

ContosoStorage1 StorageV2 (general purpose v2)

ContosoStorage2 FileStorage

ContosoStorage3 BlockBlobStorage

ContosoStorage4 Storage (general purpose v1)

Technical requirements:

For supported storage accounts, data not accessed for 60 days must be automatically
moved to cool storage. Data not accessed for 120 days must be automatically moved to
archive storage.

=====================

URL: /azure/storage/blobs/lifecycle-management-overview

Question # 17 (Multiple Choice)

Answer the following question based on the information presented in the case study.

You need to address the issue that relates to contosostorage2. The solution must meet the security
requirements.

What should you do?

A. Set a rotation reminder for the access keys.

B. Configure a lifecycle management rule.
C. Create a new access review.
D. Generate a shared access signature (SAS).

Item Description

Answer: D

Objective: 2.1 Configure access to storage

Rationale: A shared access signature (SAS) provides secure delegated access to resources in your
storage account. You can use a SAS to provide granular control such as how long access
is valid, what permissions they have to the resources, and what resources the client may
access.
=====================
From the Case Study:
Azure Storage Environment:
ContosoSub1 contains the following storage accounts:

Name Kind

ContosoStorage1 StorageV2 (general purpose v2)

ContosoStorage2 FileStorage

ContosoStorage3 BlockBlobStorage

ContosoStorage4 Storage (general purpose v1)

Problem Statement:
Administrators have been sharing the ContosoStorage2 access key with external users.
Security Requirements:
User access to storage account data must be granted for a specified start and expiration
date and time.
Storage account access keys must not be directly shared with users.
=====================

URL: /azure/storage/common/storage-sas-overview?toc=/azure/storage/blobs/toc.json
Question # 18 (Multiple Choice)
Answer the following question based on the information presented in the case study.

You need to implement the planned changes for Vnet1 and Vnet2.

What should you do first?

A. Move Vnet1 to the East US Azure region.

B. Move Vnet2 to the ContosoSub1 subscription.

C. Modify the tag for Vnet2.

D. Modify the address space

for Vnet1.

Item Description

Answer: D

Objective: 4.1 Configure virtual networks

Item Description

Rationale: The virtual networks you peer must have non-overlapping IP address spaces. As shown
in the case study Vnet1 and Vnet2 have overlapping IP address spaces. Because of this,
you will need to modify the address space for one of the virtual networks. You can peer
virtual networks from different regions and from different subscriptions, and so A and B
do not address the issue.

does not address the issue.
Modifying the tag for Vnet2
From the Case Study:

Azure Environment

Contoso has two Azure subscriptions named ContosoSub1 and ContosoSub2.

ContosoSub1 has the following resource group:

Name Lock name Lock type Region

ResourceGroup1 Lock1 Read Only West US

ResourceGroup1 contains the following resources:

Name Type Tags Address space Region

Disk1 Managed disk RG:1 N/A West US

Vnet1 Virtual network RG:1 10.40.0.0/20 West US

ContosoSub2 has the following resource group:

Name Lock name Lock type Region

ResourceGroup2 Lock 2 Delete East US

ResourceGroup2 contains the following resources:

Name Type Tags Address space Region

Disk2 Managed disk RG:2 N/A East US

Vnet2 Virtual network RG:2 10.40.0.0/22 East US

Planned Changes:

Peering between Vnet1 and Vnet2.

=====================

URL: /azure/virtual-network/virtual-network-manage-peering

Question # 19 (Multiple Choice)

Answer the following question based on the information presented in the case study.

Before you deploy DevVM1, you need to consider the technical and security requirements.

What should you do to ensure that access to DevVM1 is secure?

A. Install the Remote Desktop client on all the devices that will connect to DevVM1.
B. Deploy the Azure Bastion service.
C. Configure Remote Desktop Gateway on all the devices that will connect to DevVM1.
D. Configure the Azure Network Watcher service.

Item Description

Answer: B

Objective: 4.2 Configure secure access to virtual networks

Rationale: Azure Bastion is a service that provides secure and seamless RDP/SSH connectivity to
your virtual machines directly from the Azure portal over TLS. When you connect via
Azure Bastion, your virtual machines do not need a public IP address, agent, or special
client software. Not requiring a public IP address protects the virtual machine from
outside port scanning.
=====================
From the Case Study:
Planned Changes:
Deploy a new Windows 10 Azure VM named DevVM1.
Technical requirements:
DevVM1 must be accessible from the Azure portal over TLS and provide seamless
RDP/SSH connectivity.
Security Requirements:
DevVM1 must be protected from port scanning from outside the virtual network.
=====================

URL: /azure/bastion/bastion-overview

Question # 20 (Multiple Choice)

Answer the following question based on the information presented in the case study.

You need to resolve the issue that relates to the replication costs for backups.

Which Recovery Services vault can be configured to use locally-redundant storage (LRS) replication?

A. Rsv1 only
B. Rsv2 only

C. Rsv3 only

D. Rsv1 and Rsv2 only

E. Rsv1, Rsv2, and Rsv3

Item Description

Answer: C

Objective: 5.2 Implement backup and recovery

Rationale: The storage replication type cannot be changed after protecting items. Since Rsv3 is the
only Recovery services vault that does not contain items, it is the only one that can be
modified to use the Locally-redundant storage replication type.
=====================
From the Case Study:
Azure Storage Environment:
Recovery service vaults have been configured as follows:

Name Backup contains: Storage replication type:

Rsv1 Azure file shares Geo-redundant

Rsv2 Virtual machines Geo-redundant

Rsv3 No items Geo-redundant

Problem Statement:
Replication costs for backups are over budget.
Planned Changes:
Configure backups to use Locally-redundant replication when possible.
=====================

URL: /azure/backup/backup-create-rs-vault