Test Online Free Microsoft AZ-104 Exam Questions and Answers

Updated Nov 19, 2025 212 Questions 15 Pages
Page 10 of 15
Question 136 Written Answer
You have an Azure subscription named Sub1.
You plan to deploy a multi-tiered application that will contain the tiers shown in the following table.



You need to recommend a networking solution to meet the following requirements:
- Ensure that communication between the web servers and the business logic tier spreads equally across the virtual machines.
- Protect the web servers from SQL injection attacks.
Which Azure resource should you recommend for each requirement? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.


Answer:


Explanation:
Box 1: an internal load balancer
Azure Internal Load Balancer (ILB) provides network load balancing between virtual machines that reside inside a cloud service or a virtual network with a regional scope.
Box 2: an application gateway that uses the WAF tier
Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities.
Reference: https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview
Question 137 Selectable Answer
You have an Azure subscription.
You have an on-premises virtual machine named VM1.
The settings for VM1 are shown in the exhibit.



You need to ensure that you can use the disks attached to VM1 as a template for Azure virtual machines.
What should you modify on VM1?

Answer:
Explanation:
From the exhibit we see that the disk is in the VHDX format.
Before you upload a Windows virtual machine (VM) from on-premises to Microsoft Azure, you must prepare the virtual hard disk (VHD or VHDX). Azure supports only generation 1 VMs that are in the VHD file format and have a fixed sized disk. The maximum size allowed for the VHD is 1,023 GB. You can convert a generation 1 VM from the VHDX file system to VHD and from a dynamically expanding disk to fixed-sized.
Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/prepare-for-upload-vhd-image

31. You have an Azure subscription named Subscription1 that is used by several departments at your company.
Subscription1 contains the resources in the following table:



Another administrator deploys a virtual machine named VM1 and an Azure Storage account named storage2 by using a single Azure Resource Manager template.
You need to view the template used for the deployment.
From which blade can you view the template that was used for the deployment?
A. VM1
B. RG1
C. storage2
D. container1
Answer: B
Explanation:
View template from deployment history
Question 138 Selectable Answer
Note: The question is included in a number of questions that depict the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company has a Microsoft SQL Server Always On availability group configured on their Azure virtual machines (VMs).
You need to configure an Azure internal load balancer as a listener for the availability group.
Solution: You enable Floating IP.
Does the solution meet the goal?

Answer:
Question 139 Selectable Answer
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription named Subscription1. Subscription1 contains a resource group named RG1. RG1 contains resources that were deployed by using templates.
You need to view the date and time when the resources were created in RG1.
Solution: From the Subscriptions blade, you select the subscription, and then click Programmatic deployment.
Does this meet the goal?

Answer:
Explanation:
From the RG1 blade, click Deployments. You see a history of deployment for the resource group.
Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell

321. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the resources shown in the following table.



VM1 connects to VNET1.
You need to connect VM1 to VNET2.
Solution: You create a new network interface, and then you add the network interface to VM1.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
You should delete VM1. You recreate VM1, and then you add the network interface for VM1.
Note: When you create an Azure virtual machine (VM), you must create a virtual network (VNet) or use an existing VNet. You can change the subnet a VM is connected to after it's created, but you cannot change the VNet.
Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network-overview
Question 140 Written Answer
You need to create an Azure Storage account that meets the following requirements:
- Minimizes costs
- Supports hot, cool, and archive blob tiers
- Provides fault tolerance if a disaster affects the Azure region where the account resides
How should you complete the command? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.


Answer:


Explanation:
Box 1: StorageV2
You may only tier your object storage data to hot, cool, or archive in Blob storage and General Purpose v2 (GPv2) accounts. General Purpose v1 (GPv1) accounts do not support tiering.
General-purpose v2 accounts deliver the lowest per-gigabyte capacity prices for Azure Storage, as well as industry-competitive transaction prices.
Box 2: Standard_GRS
Geo-redundant storage (GRS): Cross-regional replication to protect against region-wide unavailability.
Incorrect Answers:
Locally-redundant storage (LRS): A simple, low-cost replication strategy. Data is replicated within a single storage scale unit.
Read-access geo-redundant storage (RA-GRS): Cross-regional replication with read access to the replica. RA-GRS provides read-only access to the data in the secondary location, in addition to geo-replication across two regions, but is more expensive compared to GRS.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-grs
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers
Question 141 Written Answer
You have an Azure Active Directory (Azure AD) tenant that contains three global administrators named Admin1, Admin2, and Admin3.
The tenant is associated to an Azure subscription.
Access control for the subscription is configured as shown in the Access control exhibit. (Click the Exhibit tab.)



You sign in to the Azure portal as Admin1 and configure the tenant as shown in the Tenant exhibit. (Click the Exhibit tab.)



For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.


Answer:

Question 142 Selectable Answer
You have two Azure virtual machines named VM1 and VM2. You have two Recovery Services vaults named RSV1 and RSV2.
VM2 is backed up to RSV1.
You need to back up VM2 to RSV2.
What should you do first?

Answer:
Explanation:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-vms-first-look-arm
Question 143 Selectable Answer
You have five Windows Server 2008 R2 physical servers. The servers satisfy all requirements for failover protection using Azure Site Recovery (ASR). ASR is correctly configured and active.
You need to ensure that only 10 minutes of data is lost in the event of an incident by using the minimum amount of effort.
Which PowerShell cmdlet should you run?

Answer:
Question 144 Selectable Answer
You have an Azure subscription that contains a resource group named RG26.
RG26 is set to the West Europe location and is used to create temporary resources for a project.
RG26 contains the resources shown in the following table.



SQLDB01 is backed up to RGV1.
When the project is complete, you attempt to delete RG26 from the Azure portal. The deletion fails.
You need to delete RG26.
What should you do first?

Answer:
Question 145 Selectable Answer
You have an Azure Storage account named storage1.
You plan to use AzCopy to copy data to storage1.
You need to identify the storage services in storage1 to which you can copy the data.
What should you identify?

Answer:
Explanation:
AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage account.
Incorrect Answers:
A, C, E: AzCopy does not support table and queue storage services.
D: AzCopy supports file storage services, as well as blob storage services.
Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10
Question 146 Selectable Answer
You have an Azure subscription named Subscription1 and two Azure Active Directory (Azure AD) tenants named Tenant1 and Tenant2.
Subscription1 is associated to Tenant1. Multi-factor authentication (MFA) is enabled for all the users in Tenant1.
You need to enable MFA for the users in Tenant2. The solution must maintain MFA for Tenant1.
What should you do first?

Answer:
Question 147 Selectable Answer
You are configuring Azure Active Directory (AD) Privileged Identity Management.
You need to provide a user named Admin1 with read access to a resource group named RG1 for only one month. The user role must be assigned immediately.
What should you do?

Answer:
Explanation:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

361. You have an Azure Active Directory (Azure AD) tenant named Tenant1 and an Azure subscription named Subscription1.
You enable Azure AD Privileged Identity Management.
You need to secure the members of the Lab Creator role. The solution must ensure that the lab creators request access when they create labs.
What should you do first?
A. From Azure AD Privileged Identity Management, edit the role settings for Lab Creator.
B. From Subscription1, edit the members of the Lab Creator role.
C. From Azure AD Identity Protection, create a user risk policy.
D. From Azure AD Privileged Identity Management, discover the Azure resources of Subscription1.
Answer: A
Explanation:
As a Privileged Role Administrator you can:
- Enable approval for specific roles
- Specify approver users and/or groups to approve requests
- View request and approval history for all privileged roles
References: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
Question 148 Written Answer
You have an Azure subscription named Sub1 that contains the Azure resources shown in the following table.



You assign an Azure policy that has the following settings:
- Scope: Sub1
- Exclusions: Sub1/RG1/VNET1
- Policy definition: Append a tag and its value to resources
- Policy enforcement: Enabled
- Tag name: Tag4
- Tag value: value4
You assign tags to the resources as shown in the following table.



For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.


Answer:


Explanation:
Box 1: No
The Azure Policy will add Tag4 to RG1.
Box 2: No
Tags applied to the resource group or subscription aren't inherited by the resources although you can enable inheritance with Azure Policy. Storage1 has Tag3: Value1 and the Azure Policy will add Tag4.
Box 3: No
Tags applied to the resource group or subscription aren't inherited by the resources so VNET1 does not have Tag2.
VNET1 has Tag3:value2. VNET1 is excluded from the Azure Policy so Tag4 will not be added to VNET1.
Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json
Question 149 Selectable Answer
Case Study 5 - Contoso, Ltd
Overview
General Overview
Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.

Environment
Existing Environment
Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD) tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD tenant.

The Azure AD tenant contains the users shown in the following table.




Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.




User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table.




No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.




Requirements
Planned Changes
Contoso plans to implement the following changes:
- Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.
- Create a storage account named storage5 and configure storage replication for the Blob service.
- Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.



- Associate NSG1 to the network interface of VM1.
- Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.



- Associate NSG2 to VNET1/Subnet2.

Technical Requirements
Contoso must meet the following technical requirements:
- Create container1 and share1.
- Use the principle of least privilege.
- Create an Azure AD security group named Group4.
- Back up the Azure file shares and virtual machines by using Azure Backup.
- Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.
- Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.
- Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1.
- Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.
- Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only permissions to the Azure file shares.

You need to ensure that VM1 can communicate with VM4. The solution must minimize the administrative effort.
What should you do?

Answer:
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
Question 150 Selectable Answer
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.



You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.
You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You modify the priority of the Allow_131.107.100.50 inbound security rule.
Does this meet the goal?

Answer:
Explanation:
The rule currently has the highest priority.
Reference: https://fastreroute.com/azure-network-security-groups-explained/