Test Online Free Microsoft AZ-104 Exam Questions and Answers

Updated Nov 19, 2025 212 Questions 15 Pages
Page 9 of 15
Question 121 Selectable Answer
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: From the Resource providers blade, you unregister the Microsoft.ClassicNetwork provider.
Does this meet the goal?

Answer:
Explanation:
You should use a policy definition.
Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing when the policy is enforced and what effect to take.
By defining conventions, you can control costs and more easily manage your resources.
Reference: https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition
Question 122 Selectable Answer
Note: The question is included in a number of questions that depict the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company has an Azure subscription that includes a storage account, a resource group, a blob container and a file share.
A colleague named Jon Ross makes use of a single Azure Resource Manager (ARM) template to deploy a virtual machine and an additional Azure Storage account.
You want to review the ARM template that was used by Jon Ross.
Solution: You access the Virtual Machine blade.
Does the solution meet the goal?

Answer:
Explanation:
You should use the Resource Group blade.
Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-export-template

Note: The question is included in a number of questions that depict the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company has an Azure subscription that includes a storage account, a resource group, a blob container and a file share.
A colleague named Jon Ross makes use of a single Azure Resource Manager (ARM) template to deploy a virtual machine and an additional Azure Storage account.
You want to review the ARM template that was used by Jon Ross.
Solution: You access the Resource Group blade.
Does the solution meet the goal?
A. Yes
B. No
Answer: A
Explanation:
To view a template from deployment history:
Go to the resource group for your new resource group. Notice that the portal shows the result of the last deployment. Select this link.



You see a history of deployments for the group. In your case, the portal probably lists only one deployment.
Select this deployment.



The portal displays a summary of the deployment. The summary includes the status of the deployment and its operations and the values that you provided for parameters. To see the template that you used for the deployment, select View template.



Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-export-template
Question 123 Written Answer
Case Study 5 - Contoso, Ltd
Overview
General Overview
Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.

Environment
Existing Environment
Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD) tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD tenant.

The Azure AD tenant contains the users shown in the following table.




Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.




User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table.




No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.




Requirements
Planned Changes
Contoso plans to implement the following changes:
✑ Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.
✑ Create a storage account named storage5 and configure storage replication for the Blob service.
✑ Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.



✑ Associate NSG1 to the network interface of VM1.
✑ Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.



✑ Associate NSG2 to VNET1/Subnet2.

Technical Requirements
Contoso must meet the following technical requirements:
✑ Create container1 and share1.
✑ Use the principle of least privilege.
✑ Create an Azure AD security group named Group4.
✑ Back up the Azure file shares and virtual machines by using Azure Backup.
✑ Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.
✑ Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.
✑ Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1.
✑ Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.
✑ Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only permissions to the Azure file shares.

You need to create container1 and share1.
Which storage accounts should you use for each resource? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.


Answer:


Explanation:
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview
Question 124 Selectable Answer
You configure Azure AD Connect for Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) for an on-premises network. Users report that when they attempt to access myapps.microsoft.com, they are prompted multiple times to sign in and are forced to use an account name that ends with onmicrosoft.com.
You discover that there is a UPN mismatch between Azure AD and the on-premises Active Directory. You need to ensure that the users can use single-sign on (SSO) to access Azure resources.
What should you do first?

Answer:
Explanation:
Azure AD Connect lists the UPN suffixes that are defined for the domains and tries to match them with a custom domain in Azure AD. Then it helps you with the appropriate action that needs to be taken. The Azure AD sign-in page lists the UPN suffixes that are defined for on-premises Active Directory and displays the corresponding status against each suffix.
The status values can be one of the following:
State: Verified. Azure AD Connect found a matching verified domain in Azure AD. All users for this domain can sign in by using their on-premises credentials.
State: Not verified. Azure AD Connect found a matching custom domain in Azure AD, but it isn't verified. The UPN suffix of the users of this domain will be changed to the default .onmicrosoft.com suffix after synchronization if the domain isn't verified. Action required: Verify the custom domain in Azure AD.
References: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-user-signin

You have two Azure Active Directory (Azure AD) tenants named contoso.com and fabrikam.com.
You have a Microsoft account that you use to sign in to both tenants.
You need to configure the default sign-in tenant for the Azure portal.
What should you do?
A. From the Azure portal, configure the portal settings.
B. From the Azure portal, change the directory.
C. From Azure Cloud Shell, run Set-AzureRmContext.
D. From Azure Cloud Shell, run Set-AzureRmSubscription.
Answer: B
Explanation:
Change the subscription directory in the Azure portal. The classic portal feature Edit Directory, that allows you to associate an existing subscription to your Azure Active Directory (AAD), is now available in Azure portal. It used to be available only to Service Admins with Microsoft accounts, but now it's available to users with AAD accounts as well.
To get started:
Go to Subscriptions.
Select a subscription.
Select Change directory.
Incorrect Answers:
C: The Set-AzureRmContext cmdlet sets authentication information for cmdlets that you run in the current session. The context includes tenant, subscription, and environment information.
References: https://azure.microsoft.com/en-us/updates/edit-directory-now-in-new-portal/
Question 125 Selectable Answer
You plan to deploy route-based Site-to-Site VPN connections between several on-premises locations and an Azure virtual network.
Which tunneling protocol should you use?

Answer:
Question 126 Selectable Answer
Case Study 4 - ADatum

Overview
ADatum Corporation is a financial company that has two main offices in New York and Los Angeles. ADatum has a subsidiary named Fabrikam, Inc. that shares the Los Angeles office.
ADatum is conducting an initial deployment of Azure services to host new line-of-business applications and is preparing to migrate its existing on-premises workloads to Azure.
ADatum uses Microsoft Exchange Online for email.

Existing Environment
On-Premises Environment
The on-premises workloads run on virtual machines hosted in a VMware vSphere 6 infrastructure. All the virtual machines are members of an Active Directory forest named adatum.com and run Windows Server 2016.
The New York office uses an IP address space of 10.0.0.0/16. The Los Angeles office uses an IP address space of 10.10.0.0/16.
The offices connect by using a VPN provided by an ISP. Each office has one Azure ExpressRoute circuit that provides access to Azure services and Microsoft Online Services. Routing is implemented by using Microsoft peering.
The New York office has a virtual machine named VM1 that has the vSphere console installed.

Azure Environment
You provision the Azure infrastructure by using the Azure portal.
The infrastructure contains the resources shown in the following table.



AG1 has two backend pools named Pool11 and Pool12. AG2 has two backend pools named Pool21 and Pool22.

Requirements
Planned Changes
ADatum plans to migrate the virtual machines from the New York office to the East US Azure region by using Azure Site Recovery.

Infrastructure Requirements
ADatum identifies the following infrastructure requirements:
✑ A new web app named App1 that will access third-parties for credit card processing must be deployed.
✑ A newly developed API must be implemented as an Azure function named App2. App2 will use a blob storage trigger. App2 must process new blobs immediately.
✑ The Azure infrastructure and the on-premises infrastructure must be prepared for the migration of the VMware virtual machines to Azure.
✑ The sizes of the Azure virtual machines that will be used to migrate the on-premises workloads must be identified.
✑ All migrated and newly deployed Azure virtual machines must be joined to the adatum.com domain.
✑ AG1 must load balance incoming traffic in the following manner:
- http://corporate.adatum.com/video/* will be load balanced across Pool11.
- http://corporate.adatum.com/images/* will be load balanced across Pool12.
✑ AG2 must load balance incoming traffic in the following manner:
- http://www.adatum.com will be load balanced across Pool21.
- http://fabrikam.com will be load balanced across Pool22.
✑ ER1 must route traffic between the New York office and platform as a service (PaaS) services in the East US Azure region, as long as ER1 is available.
✑ ER1 must route traffic between the Los Angeles office and the PaaS services in the West US region, as long as ER2 is available.
✑ ER1 and ER2 must be configured to fail over automatically.

Application Requirements
App2 must be available to connect directly to the private IP addresses of the Azure virtual machines. App2 will be deployed directly to an Azure virtual network.
Inbound and outbound communications to App1 must be controlled by using NSGs.

Pricing Requirements
ADatum identifies the following pricing requirements:
✑ The cost of App1 and App2 must be minimized.
✑ The transactional charges of Azure Storage accounts must be minimized.

You need to recommend an environment for the deployment of App1.
What should you recommend?

Answer:
Explanation:
https://docs.microsoft.com/en-us/azure/app-service/environment/app-service-app-service-environment-control-inbound-traffic
Question 127 Selectable Answer
Your company has a main office in London that contains 100 client computers.
Three years ago, you migrated to Azure Active Directory (Azure AD).
The company's security policy states that all personal devices and corporate-owned devices must be registered or joined to Azure AD.
A remote user named User1 is unable to join a personal device to Azure AD from a home network.
You verify that User1 was able to join devices to Azure AD in the past.
You need to ensure that User1 can join the device to Azure AD.
What should you do?

Answer:
Explanation:
The Maximum number of devices setting enables you to select the maximum number of devices that a user can have in Azure AD. If a user reaches this quota, they will not be able to add additional devices until one or more of the existing devices are removed.
Incorrect Answers:
C: Azure AD Join enables users to join their devices to Active Directory from anywhere as long as they have connectivity with the Internet.
D: The Users may join devices to Azure AD setting enables you to select the users who can join devices to Azure AD. Options are All, Selected and None. The default is All.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal
http://techgenix.com/pros-and-cons-azure-ad-join/
Question 128 Selectable Answer
You manage an Azure Windows Server virtual machine (VM) that hosts several SQL Server databases.
You need to configure backup and retention policies for the VM. The backup policy must include transaction log backups.
What should you do?

Answer:
Explanation:
You should configure a SQL Server in Azure VM backup policy from the Recovery Services Azure portal blade.
The Azure Recovery Services vault has three default policy templates:
Azure Virtual Machine
Azure File Share
SQL Server in Azure VM
Because you need to back up both the SQL Server databases as well as transaction logs, you should create a SQL Server in Azure VM backup policy. These policies also enable you to specify backup retention durations at the daily, weekly, monthly, and yearly scopes.
You should not configure point-in-time and long-term retention policies from the SQL Servers Azure portal blade. These backup and retention policies are available for the Azure SQL Database platform-as-a-service (PaaS) offering, and not for Azure virtual machines hosting SQL Server databases.
You should not configure a continuous delivery deployment group from the Virtual Machine Azure portal blade. This feature is unrelated to VM backup and recovery, and allows you to integrate a VM in a Visual Studio Team Services (VSTS) continuous integration/continuous deployment (CI/CD) workflow.
You should not configure a point-in-time snapshot from the Disks Azure portal blade. The snapshot functionality in Azure does not have formal policy associated with it, nor does it back up VM configuration.
Question 129 Selectable Answer
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site connection uses a self-signed certificate.
From Azure, you download and install the VPN client configuration package on a computer named Computer2.
You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2.
Solution: You modify the Azure Active Directory (Azure AD) authentication policies.
Does this meet the goal?

Answer:
Explanation:
Instead export the client certificate from Computer1 and install the certificate on Computer2.
Note:
Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed.
You generate a client certificate from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails.
Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
Question 130 Selectable Answer
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the resources shown in the following table.



VM1 connects to VNET1.
You need to connect VM1 to VNET2.
Solution: You delete VM1. You recreate VM1, and then you create a new network interface for VM1 and connect it to VNET2.
Does this meet the goal?

Answer:
Explanation:
You should delete VM1. You recreate VM1, and then you add the network interface for VM1.
Note: When you create an Azure virtual machine (VM), you must create a virtual network (VNet) or use an existing VNet. You can change the subnet a VM is connected to after it's created, but you cannot change the VNet.
Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network-overview

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the resources shown in the following table.



VM1 connects to VNET1.
You need to connect VM1 to VNET2.
Solution: You turn off VM1, and then you add a new network interface to VM1.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
Instead, you should delete VM1. You recreate VM1, and then you add the network interface for VM1.
Note: When you create an Azure virtual machine (VM), you must create a virtual network (VNet) or use an existing VNet. You can change the subnet a VM is connected to after it's created, but you cannot change the VNet.
Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network-overview
Question 131 Selectable Answer
You have an Azure subscription.
You have 100 Azure virtual machines.
You need to quickly identify underutilized virtual machines that can have their service tier changed to a less expensive offering.
Which blade should you use?

Answer:
Explanation:
Advisor helps you optimize and reduce your overall Azure spend by identifying idle and underutilized resources. You can get cost recommendations from the Cost tab on the Advisor dashboard.
Reference: https://docs.microsoft.com/en-us/azure/advisor/advisor-cost-recommendations
Question 132 Selectable Answer
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Reader role at the subscription level to Admin1.
Does this meet the goal?

Answer:
Explanation:
Your account must meet one of the following to enable traffic analytics:
Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or network contributor.
Reference: https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq
Question 133 Selectable Answer
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription named Subscription1. Subscription1 contains a resource group named RG1. RG1 contains resources that were deployed by using templates.
You need to view the date and time when the resources were created in RG1.
Solution: From the Subscriptions blade, you select the subscription, and then click Resource providers.
Does this meet the goal?

Answer:
Question 134 Selectable Answer
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named Adatum and an Azure subscription named Subscription1. Adatum contains a group named Developers. Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Subscription1, you assign the Logic App Operator role to the Developers group.
Does this meet the goal?

Answer:
Explanation:
The Logic App Operator role only lets you read, enable and disable logic apps. With it you can view the logic app and its run history, and enable or disable it. You cannot edit or update the definition. You would need the Logic App Contributor role.
References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app
Question 135 Selectable Answer
You have an Azure subscription that contains the resources shown in the following table.



LB1 is configured as shown in the following table.



You plan to create new inbound NAT rules that meet the following requirements:
- Provide Remote Desktop access to VM1 from the internet by using port 3389.
- Provide Remote Desktop access to VM2 from the internet by using port 3389.
What should you create on LB1 before you can create the new inbound NAT rules?

Answer: