Detailed Exam Domain Coverage

To earn your Microsoft Certified: Azure Administrator Associate credential, you must demonstrate a deep technical understanding of how to manage cloud services that span storage, security, networking, and compute. This practice test bank is meticulously aligned with the official exam objectives:

• Manage Azure Identities and Governance (15–20%): Mastering Azure AD (Entra ID), RBAC, and governance tools like Azure Policy and Cost Management.

• Implement and Manage Storage (15–20%): Configuring Azure Files, Blob Storage, and data security.

• Deploy and Manage Azure Compute Resources (20–25%): Managing Virtual Machines, Containers, and App Services.

• Configure and Manage Virtual Networking (20–25%): Implementing VNets, DNS, Network Security Groups, and Load Balancers.

• Monitor and Maintain Azure Resources (10–15%): Using Azure Monitor, Log Analytics, and Backup/Recovery strategies.

Manage Azure Identities and Governance (15–20%): Mastering Azure AD (Entra ID), RBAC, and governance tools like Azure Policy and Cost Management.

Implement and Manage Storage (15–20%): Configuring Azure Files, Blob Storage, and data security.

Deploy and Manage Azure Compute Resources (20–25%): Managing Virtual Machines, Containers, and App Services.

Configure and Manage Virtual Networking (20–25%): Implementing VNets, DNS, Network Security Groups, and Load Balancers.

Monitor and Maintain Azure Resources (10–15%): Using Azure Monitor, Log Analytics, and Backup/Recovery strategies.

Course Description

I have designed this comprehensive resource for IT professionals who are serious about clearing the AZ-104 exam. With a massive bank of original practice questions, I provide the high-pressure environment you need to build the stamina and technical knowledge required for the actual 85-minute exam.

Every single question in this course comes with a detailed breakdown. I don’t just tell you which answer is right; I explain the architectural "why" behind every option. This ensures you aren't just memorizing answers but actually learning how to administer Azure environments effectively.

Sample Practice Questions

• Question 1: Your company has an Azure subscription named Sub1. You need to ensure that all virtual machines created in Sub1 are restricted to a specific set of allowed SKUs. What should you implement?

  • A. A Resource Lock on the subscription.

  • B. An Azure Policy with an "Allowed virtual machine size SKUs" definition.

  • C. An Azure Role-Based Access Control (RBAC) role assignment.

  • D. A Management Group with cost alerts.

  • E. A tags-only requirement on the Resource Group.

  • F. An Azure Blueprint with a specific ARM template.

  • Correct Answer: B

  • Explanation:

    • B (Correct): Azure Policy is the primary tool for governing resources and enforcing specific configurations, such as restricting VM sizes, across a subscription.

    • A (Incorrect): Resource Locks prevent accidental deletion or modification but do not control the type or size of resources being created.

    • C (Incorrect): RBAC controls who can do something, but Policy controls what can be done to the resources themselves.

    • D (Incorrect): Management Groups help organize subscriptions but don't inherently restrict VM SKUs without an attached Policy.

    • E (Incorrect): Tags are for metadata and organization, they cannot stop a user from deploying an unapproved VM size.

    • F (Incorrect): Blueprints can deploy policies, but the policy itself is what enforces the SKU restriction.

• Question 2: You are configuring Azure File Sync. You have an on-premises server named Server1 that contains a share named Data. You need to sync the Data share to an Azure file share. Which component must you install on Server1 first?

  • A. Azure PowerShell module.

  • B. The Azure File Sync agent.

  • C. The Azure Storage Explorer.

  • D. The AzCopy utility.

  • E. A VPN Gateway client.

  • F. Microsoft Entra Connect.

  • Correct Answer: B

  • Explanation:

    • B (Correct): The Azure File Sync agent is the mandatory software required on an on-premises Windows Server to enable synchronization with a Storage Sync Service.

    • A (Incorrect): PowerShell is used for management, but it is not the background service that performs the synchronization.

    • C (Incorrect): Storage Explorer is a GUI for viewing files, not a synchronization engine.

    • D (Incorrect): AzCopy is for one-time or scheduled data transfers, not continuous file synchronization.

    • E (Incorrect): While a VPN may be used for security, it is not a prerequisite for the File Sync service itself.

    • F (Incorrect): Entra Connect is for identity synchronization, not file system data.

• Question 3: You have a virtual network named VNET1 that contains two subnets: SubnetA and SubnetB. You need to block all traffic from SubnetA to SubnetB while allowing SubnetB to access the internet. What is the most efficient way to achieve this?

  • A. Create a User Defined Route (UDR).

  • B. Modify the default Azure Firewall rules.

  • C. Create a Network Security Group (NSG) and associate it with SubnetB.

  • D. Disable VNET peering between the subnets.

  • E. Enable Service Endpoints on SubnetA.

  • F. Use a Virtual Network Gateway.

  • Correct Answer: C

  • Explanation:

    • C (Correct): An NSG associated with SubnetB with an "Inbound" rule to deny traffic from the IP range of SubnetA is the most efficient and standard way to control internal traffic.

    • A (Incorrect): Routes determine where traffic goes, but NSGs are better suited for "Allow/Deny" security logic.

    • B (Incorrect): Azure Firewall is powerful but "less efficient" for simple internal subnet filtering compared to a free NSG.

    • D (Incorrect): Subnets in the same VNET are not peered; they have default connectivity that cannot be "deleted" like a peering link.

    • E (Incorrect): Service Endpoints are used to secure Azure Services (like SQL or Storage) to a VNET, not for subnet-to-subnet filtering.

    • F (Incorrect): Gateways are for cross-premises or VNET-to-VNET connectivity, not internal subnet security.

Question 1: Your company has an Azure subscription named Sub1. You need to ensure that all virtual machines created in Sub1 are restricted to a specific set of allowed SKUs. What should you implement?

• A. A Resource Lock on the subscription.

• B. An Azure Policy with an "Allowed virtual machine size SKUs" definition.

• C. An Azure Role-Based Access Control (RBAC) role assignment.

• D. A Management Group with cost alerts.

• E. A tags-only requirement on the Resource Group.

• F. An Azure Blueprint with a specific ARM template.

• Correct Answer: B

• Explanation:

  • B (Correct): Azure Policy is the primary tool for governing resources and enforcing specific configurations, such as restricting VM sizes, across a subscription.

  • A (Incorrect): Resource Locks prevent accidental deletion or modification but do not control the type or size of resources being created.

  • C (Incorrect): RBAC controls who can do something, but Policy controls what can be done to the resources themselves.

  • D (Incorrect): Management Groups help organize subscriptions but don't inherently restrict VM SKUs without an attached Policy.

  • E (Incorrect): Tags are for metadata and organization, they cannot stop a user from deploying an unapproved VM size.

  • F (Incorrect): Blueprints can deploy policies, but the policy itself is what enforces the SKU restriction.

A. A Resource Lock on the subscription.

B. An Azure Policy with an "Allowed virtual machine size SKUs" definition.

C. An Azure Role-Based Access Control (RBAC) role assignment.

D. A Management Group with cost alerts.

E. A tags-only requirement on the Resource Group.

F. An Azure Blueprint with a specific ARM template.

Correct Answer: B

Explanation:

• B (Correct): Azure Policy is the primary tool for governing resources and enforcing specific configurations, such as restricting VM sizes, across a subscription.

• A (Incorrect): Resource Locks prevent accidental deletion or modification but do not control the type or size of resources being created.

• C (Incorrect): RBAC controls who can do something, but Policy controls what can be done to the resources themselves.

• D (Incorrect): Management Groups help organize subscriptions but don't inherently restrict VM SKUs without an attached Policy.

• E (Incorrect): Tags are for metadata and organization, they cannot stop a user from deploying an unapproved VM size.

• F (Incorrect): Blueprints can deploy policies, but the policy itself is what enforces the SKU restriction.

B (Correct): Azure Policy is the primary tool for governing resources and enforcing specific configurations, such as restricting VM sizes, across a subscription.

A (Incorrect): Resource Locks prevent accidental deletion or modification but do not control the type or size of resources being created.

C (Incorrect): RBAC controls who can do something, but Policy controls what can be done to the resources themselves.

D (Incorrect): Management Groups help organize subscriptions but don't inherently restrict VM SKUs without an attached Policy.

E (Incorrect): Tags are for metadata and organization, they cannot stop a user from deploying an unapproved VM size.

F (Incorrect): Blueprints can deploy policies, but the policy itself is what enforces the SKU restriction.

Question 2: You are configuring Azure File Sync. You have an on-premises server named Server1 that contains a share named Data. You need to sync the Data share to an Azure file share. Which component must you install on Server1 first?

• A. Azure PowerShell module.

• B. The Azure File Sync agent.

• C. The Azure Storage Explorer.

• D. The AzCopy utility.

• E. A VPN Gateway client.

• F. Microsoft Entra Connect.

• Correct Answer: B

• Explanation:

  • B (Correct): The Azure File Sync agent is the mandatory software required on an on-premises Windows Server to enable synchronization with a Storage Sync Service.

  • A (Incorrect): PowerShell is used for management, but it is not the background service that performs the synchronization.

  • C (Incorrect): Storage Explorer is a GUI for viewing files, not a synchronization engine.

  • D (Incorrect): AzCopy is for one-time or scheduled data transfers, not continuous file synchronization.

  • E (Incorrect): While a VPN may be used for security, it is not a prerequisite for the File Sync service itself.

  • F (Incorrect): Entra Connect is for identity synchronization, not file system data.

A. Azure PowerShell module.

B. The Azure File Sync agent.

C. The Azure Storage Explorer.

D. The AzCopy utility.

E. A VPN Gateway client.

F. Microsoft Entra Connect.

Correct Answer: B

Explanation:

• B (Correct): The Azure File Sync agent is the mandatory software required on an on-premises Windows Server to enable synchronization with a Storage Sync Service.

• A (Incorrect): PowerShell is used for management, but it is not the background service that performs the synchronization.

• C (Incorrect): Storage Explorer is a GUI for viewing files, not a synchronization engine.

• D (Incorrect): AzCopy is for one-time or scheduled data transfers, not continuous file synchronization.

• E (Incorrect): While a VPN may be used for security, it is not a prerequisite for the File Sync service itself.

• F (Incorrect): Entra Connect is for identity synchronization, not file system data.

B (Correct): The Azure File Sync agent is the mandatory software required on an on-premises Windows Server to enable synchronization with a Storage Sync Service.

A (Incorrect): PowerShell is used for management, but it is not the background service that performs the synchronization.

C (Incorrect): Storage Explorer is a GUI for viewing files, not a synchronization engine.

D (Incorrect): AzCopy is for one-time or scheduled data transfers, not continuous file synchronization.

E (Incorrect): While a VPN may be used for security, it is not a prerequisite for the File Sync service itself.

F (Incorrect): Entra Connect is for identity synchronization, not file system data.

Question 3: You have a virtual network named VNET1 that contains two subnets: SubnetA and SubnetB. You need to block all traffic from SubnetA to SubnetB while allowing SubnetB to access the internet. What is the most efficient way to achieve this?

• A. Create a User Defined Route (UDR).

• B. Modify the default Azure Firewall rules.

• C. Create a Network Security Group (NSG) and associate it with SubnetB.

• D. Disable VNET peering between the subnets.

• E. Enable Service Endpoints on SubnetA.

• F. Use a Virtual Network Gateway.

• Correct Answer: C

• Explanation:

  • C (Correct): An NSG associated with SubnetB with an "Inbound" rule to deny traffic from the IP range of SubnetA is the most efficient and standard way to control internal traffic.

  • A (Incorrect): Routes determine where traffic goes, but NSGs are better suited for "Allow/Deny" security logic.

  • B (Incorrect): Azure Firewall is powerful but "less efficient" for simple internal subnet filtering compared to a free NSG.

  • D (Incorrect): Subnets in the same VNET are not peered; they have default connectivity that cannot be "deleted" like a peering link.

  • E (Incorrect): Service Endpoints are used to secure Azure Services (like SQL or Storage) to a VNET, not for subnet-to-subnet filtering.

  • F (Incorrect): Gateways are for cross-premises or VNET-to-VNET connectivity, not internal subnet security.

A. Create a User Defined Route (UDR).

B. Modify the default Azure Firewall rules.

C. Create a Network Security Group (NSG) and associate it with SubnetB.

D. Disable VNET peering between the subnets.

E. Enable Service Endpoints on SubnetA.

F. Use a Virtual Network Gateway.

Correct Answer: C

Explanation:

• C (Correct): An NSG associated with SubnetB with an "Inbound" rule to deny traffic from the IP range of SubnetA is the most efficient and standard way to control internal traffic.

• A (Incorrect): Routes determine where traffic goes, but NSGs are better suited for "Allow/Deny" security logic.

• B (Incorrect): Azure Firewall is powerful but "less efficient" for simple internal subnet filtering compared to a free NSG.

• D (Incorrect): Subnets in the same VNET are not peered; they have default connectivity that cannot be "deleted" like a peering link.

• E (Incorrect): Service Endpoints are used to secure Azure Services (like SQL or Storage) to a VNET, not for subnet-to-subnet filtering.

• F (Incorrect): Gateways are for cross-premises or VNET-to-VNET connectivity, not internal subnet security.

C (Correct): An NSG associated with SubnetB with an "Inbound" rule to deny traffic from the IP range of SubnetA is the most efficient and standard way to control internal traffic.

A (Incorrect): Routes determine where traffic goes, but NSGs are better suited for "Allow/Deny" security logic.

B (Incorrect): Azure Firewall is powerful but "less efficient" for simple internal subnet filtering compared to a free NSG.

D (Incorrect): Subnets in the same VNET are not peered; they have default connectivity that cannot be "deleted" like a peering link.

E (Incorrect): Service Endpoints are used to secure Azure Services (like SQL or Storage) to a VNET, not for subnet-to-subnet filtering.

F (Incorrect): Gateways are for cross-premises or VNET-to-VNET connectivity, not internal subnet security.

Welcome to the Exams Practice Tests Academy to help you prepare for your Microsoft Certified: Azure Administrator Associate (AZ-104).

• You can retake the exams as many times as you want

• This is a huge original question bank

• You get support from instructors if you have questions

• Each question has a detailed explanation

• Mobile-compatible with the Udemy app

• 30-days money-back guarantee if you're not satisfied

You can retake the exams as many times as you want

This is a huge original question bank

You get support from instructors if you have questions

Each question has a detailed explanation

Mobile-compatible with the Udemy app

30-days money-back guarantee if you're not satisfied

We hope that by now you're convinced! And there are a lot more questions inside the course.