1. Home
  2. AZ-104 Free Questions
Free Demo Questions

Test Online Free Microsoft AZ-104 Exam Questions and Answers

Practice a live sample before buying full access. This page keeps the free AZ-104 question set organized by page so visitors and search engines can reach the canonical -questions.html URL directly.

Updated Nov 19, 2025 212 Questions 15 Pages
Get AZ-104 Full Access
Page 7 of 15
Previous Page
Next Page
Question 91 Selectable Answer
You are the global administrator for an Azure Directory (Azure AD) tenant named adatum.com.
You need to enable two-step verification for Azure users.
What should you do?

Answer:
Explanation:
With Azure Active Directory Identity Protection, you can:
require users to register for multi-factor authentication
handle risky sign-ins and compromised users
References: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/flows
Question 92 Written Answer
You have an Azure Storage accounts as shown in the following exhibit.



Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.


Answer:


Explanation:
Box 1: storageaccount1 and storageaccount2 only
Box 2: All the storage accounts
Note: The three different storage account options are: General-purpose v2 (GPv2) accounts, General-purpose v1 (GPv1) accounts, and Blob storage accounts. General-purpose v2 (GPv2) accounts are storage accounts that support all of the latest features for blobs, files, queues, and tables.
Blob storage accounts support all the same block blob features as GPv2, but are limited to supporting only block blobs.
General-purpose v1 (GPv1) accounts provide access to all Azure Storage services, but may not have the latest features or the lowest per gigabyte pricing.
References: https://docs.microsoft.com/en-us/azure/storage/common/storage-account-options
Question 93 Selectable Answer
You manage an on-premises infrastructure based on VMware vSphere 6.0 with 250 virtual machines (VMs). You are evaluating the possibility of moving those VMs to Azure.
You decide to use the Azure Migrate service to help you with the assessment of your on-premises infrastructure.
You configure the default data collection level for your VMware vCenter server.
After performing the initial assessment, you find that there is some missing information in the assessment.
You need to make needed configurations so Azure Migrate service can collect all of the available information.
What should you do?

Answer:
Question 94 Selectable Answer
Your company has a main office in London that contains 100 client computers.
Three years ago, you migrated to Azure Active Directory (Azure AD).
The company's security policy states that all personal devices and corporate-owned devices must be registered or joined to Azure AD.
A remote user named User1 is unable to join a personal device to Azure AD from a home network. You verify that other users can join their devices to Azure AD.
You need to ensure that User1 can join the device to Azure AD.
What should you do?

Answer:
Explanation:
The Maximum number of devices setting enables you to select the maximum number of devices that a user can have in Azure AD. If a user reaches this quota, they will not be able to add additional devices until one or more of the existing devices are removed. Incorrect Answers:
A: The Users may join devices to Azure AD setting enables you to select the users who can join devices to Azure AD. Options are All, Selected and None. The default is All.
C: Azure AD Join enables users to join their devices to Active Directory from anywhere as long as they have connectivity with the Internet.
References:
https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal
http://techgenix.com/pros-and-cons-azure-ad-join/
Question 95 Selectable Answer
Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company has an Azure Active Directory (Azure AD) subscription.
You want to implement an Azure AD conditional access policy.
The policy must be configured to require members of the Global Administrators group to use Multi-Factor
Authentication and an Azure AD-joined device when they connect to Azure AD from untrusted locations.
Solution: You access the Azure portal to alter the session control of the Azure AD conditional access policy.
Does the solution meet the goal?

Answer:
Question 96 Selectable Answer
You have an Azure subscription named Subscription1 that has the following providers registered:
✑ Authorization
✑ Automation
✑ Resources
✑ Compute
✑ KeyVault
✑ Network
✑ Storage
✑ Billing
✑ Web
Subscription1 contains an Azure virtual machine named VM1 that has the following configurations:
✑ Private IP address: 10.0.0.4 (dynamic)
✑ Network security group (NSG): NSG1
✑ Public IP address: None
✑ Availability set: AVSet
✑ Subnet: 10.0.0.0/24
✑ Managed disks: No
✑ Location: East US
You need to record all the successful and failed connection attempts to VM1.
Which three actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

Answer:
Explanation:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal
Question 97 Selectable Answer
You have an Azure subscription named Subscription1 that is used by several departments at your company.
Subscription1 contains the resources in the following table:



Another administrator deploys a virtual machine named VM1 and an Azure Storage account named storage2 by using a single Azure Resource Manager template.
You need to view the template used for the deployment.
From which blade can you view the template that was used for the deployment?

Answer:
Explanation:
View template from deployment history
Question 98 Written Answer
Case Study 4 - ADatum

Overview
ADatum Corporation is a financial company that has two main offices in New York and Los Angeles. ADatum has a subsidiary named Fabrikam, Inc. that shares the Los Angeles office.
ADatum is conducting an initial deployment of Azure services to host new line-of-business applications and is preparing to migrate its existing on-premises workloads to Azure.
ADatum uses Microsoft Exchange Online for email.

Existing Environment
On-Premises Environment
The on-premises workloads run on virtual machines hosted in a VMware vSphere 6 infrastructure. All the virtual machines are members of an Active Directory forest named adatum.com and run Windows Server 2016.
The New York office uses an IP address space of 10.0.0.0/16. The Los Angeles office uses an IP address space of 10.10.0.0/16.
The offices connect by using a VPN provided by an ISP. Each office has one Azure ExpressRoute circuit that provides access to Azure services and Microsoft Online Services. Routing is implemented by using Microsoft peering.
The New York office has a virtual machine named VM1 that has the vSphere console installed.

Azure Environment
You provision the Azure infrastructure by using the Azure portal.
The infrastructure contains the resources shown in the following table.



AG1 has two backend pools named Pool11 and Pool12. AG2 has two backend pools named Pool21 and Pool22.

Requirements
Planned Changes
ADatum plans to migrate the virtual machines from the New York office to the East US Azure region by using Azure Site Recovery.

Infrastructure Requirements
ADatum identifies the following infrastructure requirements:
✑ A new web app named App1 that will access third-parties for credit card processing must be deployed.
✑ A newly developed API must be implemented as an Azure function named App2. App2 will use a blob storage trigger. App2 must process new blobs immediately.
✑ The Azure infrastructure and the on-premises infrastructure must be prepared for the migration of the VMware virtual machines to Azure.
✑ The sizes of the Azure virtual machines that will be used to migrate the on-premises workloads must be identified.
✑ All migrated and newly deployed Azure virtual machines must be joined to the adatum.com domain.
✑ AG1 must load balance incoming traffic in the following manner:
- http://corporate.adatum.com/video/* will be load balanced across Pool11.
- http://corporate.adatum.com/images/* will be load balanced across Pool12.
✑ AG2 must load balance incoming traffic in the following manner:
- http://www.adatum.com will be load balanced across Pool21.
- http://fabrikam.com will be load balanced across Pool22.
✑ ER1 must route traffic between the New York office and platform as a service (PaaS) services in the East US Azure region, as long as ER1 is available.
✑ ER1 must route traffic between the Los Angeles office and the PaaS services in the West US region, as long as ER2 is available.
✑ ER1 and ER2 must be configured to fail over automatically.

Application Requirements
App2 must be available to connect directly to the private IP addresses of the Azure virtual machines. App2 will be deployed directly to an Azure virtual network.
Inbound and outbound communications to App1 must be controlled by using NSGs.

Pricing Requirements
ADatum identifies the following pricing requirements:
✑ The cost of App1 and App2 must be minimized
✑ The transactional charges of Azure Storage accounts must be minimized

You need to implement App2 to meet the application requirements.
What should you include in the implementation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.


Answer:


Explanation:
A newly developed API must be implemented as an Azure function named App2.
App2 will use a blob storage trigger. App2 must process new blobs immediately.
This requires "Always On".
The cost of App1 and App2 must be minimized
The Standard pricing tier is the cheapest tier that supports Always On.
Question 99 Selectable Answer
SIMULATION

Overview
The following section of the exam is a lab. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design.

Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn't matter how you accomplish the task, if you successfully perform it, you will earn credit for that task.

Labs are not timed separately, and this exam may have more than one lab that you must complete. You can use as much time as you would like to complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided.

Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab.

To start the lab
You may start the lab by clicking the Next button.
You recently created a virtual machine named Web01.
You need to attach a new 80-GB standard data disk named Web01-Disk1 to Web01.

What should you do from the Azure portal?

Answer:
Explanation:
Add a data disk
Step 1. In the Azure portal, from the menu on the left, select Virtual machines.
Step 2. Select the Web01 virtual machine from the list.
Step 3. On the Virtual machine page, , in Essentials, select Disks.



Step 4. On the Disks page, select the Web01-Disk1 from the list of existing disks.
Step 5. In the Disks pane, click + Add data disk.
Step 6. Click the drop-down menu for Name to view a list of existing managed disks accessible to your Azure subscription. Select the managed disk Web01-Disk1 to attach:



References: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/attach-disk-portal
Question 100 Selectable Answer
Case Study 3 - Contoso, Ltd

Overview
Litware, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York office has 200 employees.
All the resources used by Litware are hosted on-premises.
Litware creates a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain named Litware.onmicrosoft.com. The tenant uses the P1 pricing tier.

Existing Environment
The network contains an Active Directory forest named Litware.com. All domain controllers are configured as DNS servers and host the Litware.com DNS zone.
Litware has finance, human resources, sales, research, and information technology departments. Each department has an organizational unit (OU) that contains all the accounts of that respective department. All the user accounts have the department attribute set to their respective department. New users are added frequently.
Litware.com contains a user named User1.
All the offices connect by using private links.
Litware has data centers in the Montreal and Seattle offices. Each data center has a firewall that can be configured as a VPN device.
All infrastructure servers are virtualized.

The virtualization environment contains the servers in the following table.



Litware uses two web applications named App1 and App2. Each instance on each web application requires 1GB of memory.
The Azure subscription contains the resources in the following table.



The network security team implements several network security groups (NSGs).

Planned Changes
Litware plans to implement the following changes:
• Deploy Azure ExpressRoute to the Montreal office.
• Migrate the virtual machines hosted on Server1 and Server2 to Azure.
• Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
• Migrate App1 and App2 to two Azure web apps named webApp1 and WebApp2.

Technical requirements
Litware must meet the following technical requirements:
• Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instance*.
• Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.
• Ensure that routing information is exchanged automatically between Azure and the routers in the Montreal office.
• Enable Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
• Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.Litware.com.
• Connect the New Your office to VNet1 over the Internet by using an encrypted connection.
• Create a workflow to send an email message when the settings of VM4 are modified.
• Create a custom Azure role named Role1 that is based on the Reader role.
• Minimize costs whenever possible.

You need to recommend a solution to automate the configuration for the finance department users. The solution must meet the technical requirements.
What should you include in the recommendation?

Answer:
Explanation:
Scenario: Ensure Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
The recommendation is to use conditional access policies that can then be targeted to groups ofusers, specific applications, or other conditions.
References: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
Question 101 Written Answer
You have an Azure subscription named Subscription1.
Subscription1 contains the resources in the following table.



VNet1 is in RG1. VNet2 is in RG2. There is no connectivity between VNet1 and Vnet2.
An administrator named Admin1 creates an Azure virtual machine named VM1 in RG1.
M1 uses a disk named Disk1 and connects to VNet1. Admin1 then installs a custom application in VM1.
You need to move the custom application to Vnet2.
The solution must minimize administrative effort.
Which two actions should you perform? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.


Answer:


Explanation:
We cannot just move a virtual machine between networks.
What we need to do is identify the disk
used by the VM, delete the VM itself while retaining the disk, and recreate the VM in the targetvirtual network and then attach the original disk to it.
https://blogs.technet.microsoft.com/canitpro/2014/06/16/step-by-step-move-a-vm-to-a-different-vnet-on-azure/
https://4sysops.com/archives/move-an-azure-vm-to-another-virtual-network-vnet/#migrate-an-azure-vm-between-vnets
Question 102 Selectable Answer
Case Study 5 - Contoso, Ltd

Overview
General Overview
Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.

Environment
Existing Environment
Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD) tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD tenant.

The Azure AD tenant contains the users shown in the following table.




Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.




User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table




No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.




Requirements
Planned Changes
Contoso plans to implement the following changes:
✑ Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.
✑ Create a storage account named storage5 and configure storage replication for the Blob service.
✑ Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.



✑ Associate NSG1 to the network interface of VM1.
✑ Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.



✑ Associate NSG2 to VNET1/Subnet2.

Technical Requirements
Contoso must meet the following technical requirements:
✑ Create container1 and share1.
✑ Use the principle of least privilege.
✑ Create an Azure AD security group named Group4.
✑ Back up the Azure file shares and virtual machines by using Azure Backup.
✑ Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.
✑ Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.
✑ Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1
✑ Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.
✑ Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only permissions to the Azure file shares.

You need to add VM1 and VM2 to the backend pool of LB1.
What should you do first?

Answer:
Question 103 Selectable Answer
You have an Azure subscription.
In the Azure portal, you plan to create a storage account named storage1 that will have the following settings:
- Performance: Standard
- Replication: Zone-redundant storage (ZRS)
- Access tier (default): Cool
- Hierarchical namespace: Disabled
You need to ensure that you can set Account kind for storage1 to BlockBlobStorage.
Which setting should you modify first?

Answer:
Explanation:
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-performance-tiers
Question 104 Written Answer
You have an Azure subscription named Subscription1. Subscription1 contains two Azure virtual machines named VM1 and VM2.
VM1 and VM2 run Windows Server 2016. VM1 is backed up daily by Azure Backup without using the Azure Backup agent.
VM1 is affected by ransomware that encrypts data.
You need to restore the latest backup of VM1.
To which location can you restore the backup? To answer, select the appropriate options in the
answer area. NOTE: Each correct selection is worth one point.


Answer:


Explanation:
Box 1: VM1 only
To restore files or folders from the recovery point, go to the virtual machine and choose the desired recovery point.
Box 2: A new Azure virtual machine only
On the Restore configuration blade, you have two choices:
Create virtual machine
Restore disks
References:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm
https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms
Question 105 Selectable Answer
You have an Azure subscription that contains three virtual networks named VNet1, VNet2, VNet3.
VNet2 contains a virtual appliance named VM2 that operates as a router. You are configuring the virtual networks in a hub and spoke topology that uses VNet2 as the hub network.
You plan to configure peering between VNet1 and VNet2 and between VNet2 and VNet3.
You need to provide connectivity between VNet1 and VNet3 through VNet2.
Which two configurations should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

Answer:
Explanation:
You need to provide connectivity between VNet1 and VNet3 through VNet2." It's not about remote gateways or connectivity outside the Vnets. So A (to forward traffic from a spoke vnet to another spoke) and C (without UDR and NVA as next hop IP traffic won't flow between the spokes).
Showing page 7 of 15
Previous Page
Next Page

All copyrights reserved 2026 PassQuestion NETWORK CO.,LIMITED. All Rights Reserved.

Passquestion doesn't offer Real Microsoft, Amazon, Cisco Exam Questions. All Passquestion content is sourced from the Internet.