top of page

Azure Administrator Associate Sample Questions for AZ-104 Exam

  • CertiMaan
  • Oct 10, 2025
  • 15 min read

Updated: Dec 15, 2025

Prepare for the AZ-104 certification with these carefully crafted Azure Administrator Associate sample questions. These questions are designed to match the AZ-104 exam format and include key domains like Azure services, identity, governance, storage, compute, and virtual networking. Strengthen your preparation with high-quality az 104 practice exams, azure 104 practice tests, and real-world use cases. Whether you’re revising with az 104 dumps or tackling fresh az 104 exam questions, this collection ensures you're exam-ready. Master the Microsoft Azure environment and confidently clear the AZ-104 with structured, scenario-based practice and guidance.



Azure Administrator Associate Sample Questions List :


1. Your company has a hybrid environment with an on-premises Active Directory and Azure Active Directory (Azure AD). You need to ensure that all users authenticated in the on-premises Active Directory can seamlessly access Azure resources. What is the MOST efficient way to achieve this?

  1. Create duplicate user accounts in Azure AD manually.

  2. Implement Azure AD Connect to synchronize user identities.

  3. Use PowerShell scripts to periodically export and import user data.

  4. Require users to create separate Azure AD accounts.

2. A user is reporting they can't access a storage account, but you have verified they are assigned the 'Storage Blob Data Contributor' role at the storage account level. You also confirmed there are no deny assignments involved. What is the MOST likely cause of this issue?

  1. The role assignment has not propagated yet. It can take up to 24 hours.

  2. The user's account is locked.

  3. The user is trying to access a resource within the storage account they don't have permissions for.

  4. The storage account firewall is blocking the user's access.

3. You are the Azure administrator for your company. A user reports they are unable to access a specific Azure resource, despite being part of a group that has been assigned the 'Contributor' role at the resource group level. Upon investigation, you discover the user is also a member of another group that has an explicit 'Deny Assignment' for all actions on the same resource group. What is the MOST likely cause of the access issue?

  1. Role assignments are not applied correctly.

  2. The 'Contributor' role overrides the 'Deny Assignment'.

  3. The 'Deny Assignment' takes precedence over the 'Contributor' role.

  4. The user's account is corrupted.

4. You need to implement a solution that provides detailed insights into who is doing what in your Azure environment. Which Azure service provides comprehensive auditing capabilities to track user activities and resource changes?

  1. Azure Advisor

  2. Azure Policy

  3. Azure Activity Log

  4. Azure Security Center

5. You are implementing Azure Policy to enforce naming conventions for all virtual machines created in your subscription. You want to ensure that all VM names start with 'VM-' and are no longer than 15 characters. Which Azure Policy component would you use to define the desired naming pattern and length?

  1. Initiative

  2. Remediation Task

  3. Policy Definition

  4. Policy Assignment

6. Your company is implementing Azure landing zones. You are planning to delegate access management to different teams, allowing them to manage resources within their respective landing zones. Which Azure role is BEST suited for granting a team the ability to assign roles to other users within a specific scope, without granting them excessive permissions?

  1. Owner

  2. Contributor

  3. User Access Administrator

  4. Reader

7. Your organization uses Azure Active Directory (Azure AD) Privileged Identity Management (PIM). A user needs to perform a privileged task that requires the 'Global Administrator' role for a limited time. How would you grant this user the required access?

  1. Permanently assign the 'Global Administrator' role to the user.

  2. Create a new custom role with 'Global Administrator' permissions and assign it permanently.

  3. Have the user activate the 'Global Administrator' role in PIM for the required duration.

  4. Share the 'Global Administrator' account credentials with the user.

8. You are reviewing your Azure subscription's security posture and notice several recommendations from Azure Security Center regarding multi-factor authentication (MFA). You want to quickly enable MFA for all users who are not currently enrolled. What is the MOST efficient way to achieve this?

  1. Manually enable MFA for each user in Azure AD.

  2. Configure Conditional Access policies in Azure AD to require MFA for all users.

  3. Implement a custom PowerShell script to enable MFA for all users.

  4. Require all users to reset their passwords.

9. You need to create a custom image of an Azure Virtual Machine that contains pre-installed software and specific configurations. What is the recommended way to create this image?

  1. Copy the VHD file from the VM's storage account.

  2. Create a snapshot of the VM's OS disk, then create an image from the snapshot.

  3. Export the VM configuration as a JSON file.

  4. Use Azure Resource Manager (ARM) Templates to define the VM configuration.

10. Your organization is using Azure AD Identity Protection. You notice a high number of users being flagged with 'risky sign-ins' due to unusual travel patterns. You want to minimize false positives. Which of the following actions would be the MOST appropriate first step to investigate and address this issue?

  1. Disable Azure AD Identity Protection.

  2. Immediately block all users flagged as risky.

  3. Review the sign-in details of the flagged users and investigate the reasons for the unusual travel patterns.

  4. Force all flagged users to reset their passwords.

11. Your company is migrating resources to Azure. You need to implement a centralized logging solution to collect logs from all Azure resources in your subscription, including virtual machines, storage accounts, and databases. Which Azure service is BEST suited for this purpose?

  1. Azure Monitor Log Analytics

  2. Azure Key Vault

  3. Azure Security Center

  4. Azure Resource Manager

12. Your company needs to store unstructured data like images and videos in Azure. The data will be accessed frequently and must be highly available. Which Azure storage service is MOST suitable?

  1. Azure Queue Storage

  2. Azure Blob Storage

  3. Azure Table Storage

  4. Azure File Storage

13. You are managing Azure AD users. A user has left the company, and you need to revoke their access to all Azure resources. What is the MOST secure and appropriate action to take?

  1. Delete the user account from Azure AD.

  2. Disable the user account in Azure AD.

  3. Reset the user's password.

  4. Remove the user from all Azure AD groups.

14. You need to create a storage account that will be used for storing virtual machine disk images. You want to ensure the lowest possible latency for disk I/O operations. Which performance tier should you select?

  1. Standard

  2. Premium

  3. Archive

  4. Cool

15. Your company requires that all resources deployed to Azure must be tagged with specific metadata, such as 'Department', 'Environment', and 'CostCenter'. You want to enforce this requirement using Azure Policy. What type of effect should you use in your Azure Policy definition to automatically add these tags if they are missing during resource deployment?

  1. Audit

  2. Deny

  3. Append

  4. DeployIfNotExists

16. Your company has a requirement to store data for compliance reasons for 7 years. The data will rarely be accessed after the first year. Which storage tier is the MOST cost-effective option for storing the data after the first year?

  1. Hot

  2. Cool

  3. Archive

  4. Premium

17. You are implementing Azure Blueprints to standardize the deployment of resources across multiple subscriptions in your organization. You need to ensure that specific resource groups are created with pre-defined network configurations and RBAC settings in each subscription. What is the appropriate component of an Azure Blueprint to define these resource group configurations?

  1. Artifact

  2. Definition

  3. Assignment

  4. Parameter

18. You are tasked with configuring lifecycle management for an Azure Blob Storage account. You need to move all blobs older than 90 days to the Cool tier and delete blobs older than 365 days. How would you achieve this?

  1. Use Azure Automation runbooks to periodically move and delete blobs.

  2. Configure a lifecycle management policy in the Azure portal.

  3. Write a custom application using the Azure Storage SDK to move and delete blobs.

  4. Use Azure Data Factory to copy and delete blobs based on their age.

19. You need to grant a vendor temporary access to manage a specific Azure SQL Database server for maintenance purposes. The vendor should only have the necessary permissions for a limited duration. Which approach is MOST secure and efficient?

  1. Create a new Azure AD user account for the vendor and assign the 'SQL Server Contributor' role permanently.

  2. Use an existing Azure AD user account for the vendor and assign the 'SQL Server Contributor' role permanently.

  3. Invite the vendor as a guest user to your Azure AD and grant them temporary access using Azure AD Privileged Identity Management (PIM).

  4. Share the credentials of an existing Azure AD user account with the necessary permissions with the vendor.

20. You are planning to use Azure File Sync to synchronize on-premises file shares with Azure File Shares. What is the minimum supported Windows Server version for the on-premises servers?

  1. Windows Server 2008 R2

  2. Windows Server 2012

  3. Windows Server 2016

  4. Windows Server 2019

21. You are implementing Azure Policy to enforce that all new storage accounts created in your subscription are configured with a specific minimum TLS version. However, some existing storage accounts may not meet this requirement. How can you identify and remediate the non-compliant storage accounts?

  1. Use Azure Resource Graph to query for storage accounts and manually update the TLS version.

  2. Use Azure Security Center recommendations to identify and remediate the non-compliant storage accounts.

  3. Use Azure Policy Compliance Scan and Remediation Task to identify and automatically remediate the non-compliant storage accounts.

  4. Use PowerShell scripts to iterate through all storage accounts and update the TLS version.

22. Your company wants to implement geo-redundancy for their Azure Storage account to ensure business continuity in case of a regional outage. Which replication option provides read access to the secondary region?

  1. Locally Redundant Storage (LRS)

  2. Zone-Redundant Storage (ZRS)

  3. Geo-Redundant Storage (GRS)

  4. Read-Access Geo-Redundant Storage (RA-GRS)

23. Your company has multiple Azure subscriptions. You need to manage policies across all subscriptions from a central location. What Azure service should you use?

  1. Azure Resource Manager templates

  2. Azure Management Groups

  3. Azure Cost Management

  4. Azure Active Directory

24. You need to grant a user temporary access to read data from a specific container within your Azure Blob Storage account. You want to avoid sharing your storage account key. Which method should you use?

  1. Assign the user the 'Storage Blob Data Reader' role at the storage account level.

  2. Create a Shared Access Signature (SAS) for the container with read permissions.

  3. Create a new storage account and move the data to it.

  4. Share the storage account key directly with the user.

25. You have an Azure storage account configured with the 'Hot' access tier. A significant portion of the data has not been accessed for over six months. To optimize costs, you want to move this data to a more cost-effective tier. What is the MOST appropriate action?

  1. Manually download the data and re-upload it to the 'Archive' tier.

  2. Change the storage account access tier to 'Archive'.

  3. Implement a lifecycle management policy to move the data to the 'Cool' tier and then to the 'Archive' tier after a specified period.

  4. Delete the data and recreate it in the 'Archive' tier.

26. Your company needs to store sensitive data in Azure Blob Storage and requires strong encryption. You want to manage the encryption keys yourself. Which encryption option should you use?

  1. Server-side encryption with Microsoft-managed keys (SSE-MS)

  2. Server-side encryption with customer-managed keys (SSE-C)

  3. Client-side encryption

  4. Storage account level encryption.

27. You are configuring a Virtual Machine Scale Set and need to ensure that new VM instances are updated with the latest application code immediately after they are created. Which approach should you use?

  1. Manually update each VM instance after creation.

  2. Use a custom script extension to download and install the application code during VM creation.

  3. Create a new image with the latest application code and update the scale set model.

  4. Use Azure Update Management to schedule updates.

28. You are using Azure File Sync. You want to ensure that only frequently accessed files are stored locally on your server, while less frequently accessed files are tiered to Azure. Which feature of Azure File Sync enables this?

  1. Cloud Tiering

  2. Replication

  3. Disaster Recovery

  4. Backup

29. You need to deploy a containerized application to Azure and want to minimize the management overhead of the underlying infrastructure. Which Azure service is the MOST suitable?

  1. Azure Virtual Machines

  2. Azure Container Instances

  3. Azure Kubernetes Service (AKS)

  4. Azure App Service Web App for Containers

30. You need to create an Azure File Share that can be accessed over SMB from your on-premises Windows Server. Which action is required on the on-premises server to allow access?

  1. Install the Azure CLI.

  2. Map a network drive using the storage account key.

  3. Enable SMB 1.0/CIFS File Sharing Support in Windows Features.

  4. Install the Azure File Sync agent.

31. You have deployed an Azure Virtual Machine with a public IP address. You need to restrict inbound traffic to the VM to only allow SSH (port 22) from your office network. Which Azure service or feature should you use?

  1. Azure DNS

  2. Network Security Group (NSG)

  3. Azure Load Balancer

  4. Azure Traffic Manager

32. A user reports that they are unable to upload a 300GB file to an Azure Blob Storage account. What is the MOST likely cause?

  1. The storage account type is configured as 'FileStorage'.

  2. The user does not have the necessary permissions.

  3. The blob type is set to 'Block Blob' and is using the default block size.

  4. The storage account is configured with a firewall that is blocking the user's IP address.

33. Your company needs to deploy a highly available web application using Azure Virtual Machine Scale Sets. To achieve zero downtime deployments during application updates, what deployment strategy should you implement?

  1. Rolling upgrade

  2. Manual upgrade

  3. Automatic OS Image upgrade

  4. Spot Instance Deployment

34. Your company uses Azure Blob Storage to store application logs. You need to implement a solution to analyze these logs and generate alerts when specific error messages occur. Which Azure service integrates BEST with Azure Blob Storage for this purpose?

  1. Azure SQL Database

  2. Azure Monitor Logs

  3. Azure Key Vault

  4. Azure Cosmos DB

35. Your team is using Azure Virtual Machines to host a critical application. You need to implement a cost-effective solution to ensure that the VMs are automatically shut down during off-peak hours (e.g., weekends) and restarted during business hours. Which Azure service would be MOST suitable for achieving this requirement?

  1. Azure Monitor Autoscale

  2. Azure Automation Runbooks and Schedules

  3. Azure Advisor recommendations

  4. Azure Resource Manager (ARM) Templates

36. Your company has a hybrid environment with on-premises servers and Azure VMs. You need to implement a solution to easily deploy and manage applications across both environments using declarative configuration. Which Azure service is MOST suitable?

  1. Azure Automation DSC

  2. Azure Resource Manager (ARM) Templates

  3. Azure Virtual Machine Scale Sets

  4. Azure Monitor

37. Your company has a hybrid cloud environment with an Azure virtual network (VNet) connected to your on-premises network via a VPN gateway. You need to ensure that all outbound traffic from a specific subnet in the VNet is forced to route through your on-premises network for security inspection. What should you configure?

  1. A Network Security Group (NSG) with rules to deny outbound internet traffic.

  2. A User Defined Route (UDR) on the subnet's route table that specifies the VPN gateway as the next hop for the 0.0.0.0/0 address prefix.

  3. An Azure Firewall with a rule to route traffic back to the on-premises network.

  4. Enable BGP (Border Gateway Protocol) on the Azure VPN gateway.

38. You have an Azure Virtual Machine running a critical application that requires high availability. You want to ensure that if the VM becomes unavailable, the application remains accessible with minimal downtime. What should you configure?

  1. Create a daily backup using Azure Backup

  2. Configure a Load Balancer with a single VM in the backend pool

  3. Deploy the VM within an Availability Set

  4. Enable Azure Site Recovery to a different region

39. You have an Azure virtual network named 'VNet1' with several subnets. You need to create a new subnet within VNet1 that can only communicate with a specific virtual machine named 'VM1' residing in a different subnet within VNet1. How can you achieve this?

  1. Create a Network Security Group (NSG) on the new subnet, allowing inbound traffic only from the IP address of VM1 and blocking all other inbound and outbound traffic.

  2. Create an Azure Firewall and configure network rules to allow traffic only between the new subnet and VM1's subnet.

  3. Create a User Defined Route (UDR) on the new subnet that routes all traffic to VM1's IP address.

  4. Create a private endpoint and link it to VM1's network interface.

40. You need to deploy a large number of identical Azure VMs to support a web application. The VMs should automatically scale based on CPU utilization. Which Azure service should you use?

  1. Azure Container Instances

  2. Azure Virtual Machine Scale Sets

  3. Azure App Service

  4. Azure Functions

41. You have deployed two virtual machines, VM1 and VM2, in the same Azure virtual network but different subnets. VM1 needs to access a specific service on VM2 using a non-standard port (e.g., port 8080). You are unable to connect. What is the MOST likely cause?

  1. The virtual machines are in different availability zones.

  2. A Network Security Group (NSG) is blocking the traffic on port 8080.

  3. The virtual machines are in different resource groups.

  4. The service on VM2 is not running.

42. You have a Virtual Machine Scale Set configured to automatically scale between 2 and 10 instances based on CPU usage. You need to ensure that at least 3 instances are always running, even during periods of low traffic. How can you achieve this?

  1. Set the minimum number of instances to 3 in the scale set configuration.

  2. Use Azure Automation to regularly start new VMs.

  3. Configure a scheduled task on each VM to keep CPU usage high.

  4. Implement Azure Logic Apps to monitor and maintain the instance count.

43. Your organization is migrating to Azure and wants to extend its existing on-premises network to Azure using ExpressRoute. Which of the following is a prerequisite for establishing an ExpressRoute connection?

  1. An Azure virtual network gateway configured as a VPN gateway.

  2. A public IP address assigned to the ExpressRoute circuit.

  3. A connectivity provider with the necessary peering locations and bandwidth capabilities.

  4. An Azure Firewall deployed in a virtual network.

44. You are responsible for managing several Azure VMs. You want to apply specific security configurations to these VMs consistently and ensure that any deviations from the desired state are automatically corrected. Which Azure service is BEST suited for this purpose?

  1. Azure Security Center

  2. Azure Policy

  3. Azure Automation DSC

  4. Azure Monitor

45. You have two Azure virtual networks, VNetA and VNetB, in different Azure regions. You need to enable communication between VMs in VNetA and VMs in VNetB using the Azure backbone network and private IP addresses. What is the MOST efficient way to achieve this?

  1. Create a VPN gateway in each virtual network and configure a site-to-site VPN connection.

  2. Configure virtual network peering between VNetA and VNetB using global virtual network peering.

  3. Create a User Defined Route (UDR) in each virtual network to route traffic to the other network's address space through the internet.

  4. Configure a service endpoint on each subnet within the VNets.

46. You have an Azure Virtual Machine that needs to access Azure Key Vault to retrieve secrets. What is the MOST secure and recommended way to authenticate the VM to Key Vault?

  1. Use a shared access signature (SAS) token.

  2. Use the VM's system-assigned managed identity.

  3. Store the Key Vault access key on the VM's local disk.

  4. Create a service principal and store its credentials on the VM.

47. You are designing an Azure virtual network for a new application. The application consists of three tiers: web, application, and database. Each tier should be isolated from the others for security purposes. What is the BEST approach to segment the network?

  1. Create a single subnet and use Network Security Groups (NSGs) to restrict traffic between the tiers.

  2. Create three separate virtual networks and use virtual network peering to allow communication between the tiers.

  3. Create three separate subnets within a single virtual network, and use Network Security Groups (NSGs) to restrict traffic between the subnets.

  4. Create three resource groups, each containing a tier, and apply NSGs to the resource groups.

48. You have an existing Azure Virtual Machine. You need to change the size of the VM to increase its processing power and memory. Which of the following actions is required to ensure minimal impact to the running application?

  1. Resize the VM without deallocating it.

  2. Deallocate the VM first, then resize it.

  3. Create a new VM with the desired size and migrate the application.

  4. It is not possible to resize the VM. You must always create a new one.

49. You are configuring an Azure Load Balancer to distribute traffic to a set of virtual machines. You need to ensure that traffic from a specific client IP address is always directed to the same virtual machine. Which Load Balancer distribution mode should you use?

  1. Hash-based distribution.

  2. Round Robin distribution.

  3. Source IP affinity.

  4. Destination IP affinity.

50. Your company has a virtual machine (VM1) running in Azure that needs to access an Azure Storage account. You want to secure the connection and prevent the traffic from traversing the public internet. What is the MOST secure and efficient way to achieve this?

  1. Create a Network Security Group (NSG) rule to allow outbound traffic to the Storage account's public IP address.

  2. Configure a Service Endpoint for Azure Storage on the VM1's subnet.

  3. Create a Private Endpoint for the Storage account and connect it to the VM1's virtual network.

  4. Deploy an Azure Firewall and configure a network rule to allow traffic to the Storage account.


FAQs


What is the Microsoft Azure Administrator Associate certification?

It’s a Microsoft certification that validates your ability to manage Azure cloud infrastructure, including compute, network, storage, and security.

Who should take the AZ-104 certification exam?

IT professionals involved in managing cloud services, especially Azure environments, should take this exam.

Is AZ-104 worth it in 2025?

Yes, it’s in high demand as organizations increasingly rely on Azure. It enhances career opportunities in cloud administration.

What are the prerequisites for the Azure Administrator Associate exam?

There are no strict prerequisites, but basic knowledge of Azure services and networking is recommended.

How hard is the AZ-104 certification exam?

The difficulty is moderate. With structured preparation and hands-on practice, it’s manageable for most candidates.

What skills are measured in the AZ-104 exam?

It covers Azure identity, governance, compute, storage, networking, and monitoring.

How many questions are there in the AZ-104 exam?

The exam includes around 40–60 multiple-choice and performance-based questions.

What is the format and time duration of the AZ-104 exam?

It’s a 120-minute online or test-center exam with scenario-based and multiple-choice questions.

What is the passing score for the AZ-104 certification?

You need a score of 700 out of 1000 to pass.

How do I register for the AZ-104 exam?

Visit the official Microsoft exam page to schedule your test via Pearson VUE.

Can I take the AZ-104 exam online from home?

Yes, Microsoft offers online proctoring for AZ-104 through Pearson VUE.

What is the cost of the Microsoft AZ-104 exam?

The exam fee is $165 USD, but may vary by region.

Is there a renewal requirement for the Azure Administrator certification?

Yes, it must be renewed annually via a free online assessment provided by Microsoft.

What jobs can I get with an Azure Administrator Associate certification?

Roles include Azure Administrator, Cloud Operations Engineer, and Infrastructure Specialist.

What is the average salary after passing AZ-104?

Certified professionals can expect an average salary between $85,000 and $110,000 annually.

What is the difference between AZ-104 and AZ-900?

AZ-900 is foundational and non-technical, while AZ-104 is role-based and hands-on for admins.

How long does it take to prepare for the AZ-104 exam?

Typically, 6–8 weeks with consistent study and practice is sufficient.

Where can I find updated AZ-104 dumps or mock exams?

You can access updated dumps and mock tests at CertiMaan.com.

Does CertiMaan offer AZ-104 practice tests and preparation resources?

Yes, CertiMaan provides verified dumps, topic-wise tests, and full-length practice exams.

Are there any free learning paths available for AZ-104 preparation?

Yes, Microsoft Learn offers free, structured modules for AZ-104 preparation.


Recent Posts

See All

Comments

Rated 0 out of 5 stars.
No ratings yet
Add a rating
CertiMaan Logo

​​

Terms Of Use     |      Privacy Policy     |      Refund Policy    

   

 Copyright © 2011 - 2026  Ira Solutions -   All Rights Reserved

Disclaimer:: 

The content provided on this website is for educational and informational purposes only. We do not claim any affiliation with official certification bodies, including but not limited to Pega, Microsoft, AWS, IBM, SAP , Oracle , PMI, or others.

All practice questions, study materials, and dumps are intended to help learners understand exam patterns and enhance their preparation. We do not guarantee certification results and discourage the misuse of these resources for unethical purposes.

PayU logo
Razorpay logo
bottom of page