Free AZ-104 Practice Questions
(Microsoft Certified Azure Administrator Associate)

The AZ-104 exam tests your skills in managing Azure resources. Practice real-world administrative scenarios to prepare.

Azure AZ-104 Practice Questions

10 Free Questions • Updated for 2026 • No dumps

Designed by experts and updated regularly based on exam changes.

1

Your organization requires that all new virtual machines deployed across multiple subscriptions use a size from a specific list of SKUs. You need to implement this with the least administrative effort, ensuring compliance centrally. Which solution should you use?

A Resource Locks applied to all existing virtual machine resources.
B A custom Azure RBAC role that restricts VM sizes for each subscription.
C An Azure Policy definition assigned at the Management Group level.
D Multiple Azure Policy definitions, one assigned to each individual subscription.

✅ Correct Answer: C

Explanation: Assigning an Azure Policy at the Management Group level allows for a single policy definition to be inherited by all child subscriptions, providing centralized control and the least administrative effort. Creating individual policy assignments per subscription increases management overhead and can lead to inconsistencies.

2

A critical application runs on two Azure VMs requiring 99.95% uptime within a single region. The application needs protection from planned maintenance and unplanned hardware failures. What configuration provides the highest availability with cost efficiency?

A Place both VMs into the same Availability Set within the same region.
B Use Azure Site Recovery to replicate VMs to a secondary region.
C Deploy VMs into separate Availability Zones within the same region.
D Deploy VMs into a single Availability Zone without an Availability Set.

✅ Correct Answer: C

Explanation: Deploying VMs into separate Availability Zones provides protection against datacenter-level failures, offering higher availability than an Availability Set, which primarily protects against rack-level failures. Azure Site Recovery is for disaster recovery across regions, which is beyond the scope of single-region high availability requirements and adds cost. A single Availability Zone without an Availability Set offers the least resilience.

3

You manage a storage account containing infrequently accessed archive data that must be retained for seven years. The data requires protection against regional outages but cost must be minimized. Which storage redundancy and tier combination should you choose?

A Geo-redundant Storage (GRS) with Archive storage tier.
B Geo-redundant Storage (GRS) with Cool storage tier.
C Locally-redundant Storage (LRS) with Archive storage tier.
D Read-access Geo-redundant Storage (RA-GRS) with Hot storage tier.

✅ Correct Answer: A

Explanation: GRS provides protection against regional outages by replicating data to a secondary region, meeting the redundancy requirement. The Archive tier is the most cost-effective for infrequently accessed, long-term data retention. LRS does not protect against regional outages. The Cool and Hot tiers are more expensive for archive data.

4

Two virtual networks (VNet1 and VNet2) in the same region need to communicate securely. VNet1 hosts production applications and VNet2 hosts development. You must ensure direct, private communication with the lowest latency and administrative overhead. What networking solution should you implement?

A A VPN Gateway connecting VNet1 and VNet2.
B VNet peering between VNet1 and VNet2.
C Network Security Groups (NSGs) configured on both VNets.
D Azure DNS Private Zones for each VNet.

✅ Correct Answer: B

Explanation: VNet peering provides a low-latency, high-bandwidth connection between virtual networks in the same region, acting as a direct private connection with minimal administrative setup. A VPN Gateway is typically used for cross-premises or cross-region connectivity and adds more complexity and latency. NSGs provide traffic filtering, not direct network connectivity. Azure DNS Private Zones resolve DNS names; they do not establish network communication.

5

You need to collect performance counters and event logs from multiple Azure Windows VMs into a centralized location for real-time analysis and custom alerting. The solution must minimize agent management effort. Which Azure Monitor component should you use?

A Log Analytics workspace with Azure Monitor Agent (AMA).
B Storage Account for VM diagnostics with custom scripts.
C Azure Security Center for log collection.
D Azure Diagnostics extension for each VM individually.

✅ Correct Answer: A

Explanation: A Log Analytics workspace with the Azure Monitor Agent (AMA) provides centralized collection of performance counters and event logs, enabling rich query and alerting capabilities. AMA offers a more unified and simplified management experience compared to the older Azure Diagnostics extension. Storing diagnostics in a Storage Account requires additional effort for analysis and alerting, and Security Center focuses on security posture, not general performance logging.

6

A new team requires access to manage specific resource groups, but only to deploy Azure App Services and Azure SQL Databases. They must not be able to delete any resources. How can you grant the least privileged access with minimal configuration?

A Create a custom RBAC role with specific 'deploy' actions, assigned at resource group scope.
B Grant 'Owner' permissions to the team for the specific resource groups.
C Assign the 'Reader' built-in role and individual resource locks to prevent deletion.
D Assign the 'Contributor' built-in role to the team at the subscription level.

✅ Correct Answer: A

Explanation: A custom RBAC role allows granular control, granting only the necessary deploy actions for App Services and SQL Databases without delete permissions, adhering to the principle of least privilege. Assigning 'Contributor' at subscription level gives too many permissions. 'Reader' is insufficient for deployment. 'Owner' provides full control, including deletion, which violates the requirement.

7

You need to deploy a single containerized application quickly for a short-lived batch process. The application has variable CPU and memory requirements but does not need complex orchestration or load balancing. Which Azure container service should you choose for the lowest cost and fastest deployment?

A Deploy the container on a Virtual Machine.
B Azure Container Instances (ACI).
C Azure Kubernetes Service (AKS).
D Azure Container Apps (ACA).

✅ Correct Answer: B

Explanation: Azure Container Instances (ACI) is ideal for single, ephemeral containers that don't require orchestration, offering the fastest deployment and lowest cost for this scenario as you only pay for compute seconds. Azure Container Apps is suitable for microservices and serverless containers with more advanced features like scaling and revisions, but is overkill for a single batch process. AKS is for complex container orchestration. Deploying on a VM requires managing the underlying OS, increasing administrative overhead and cost.

8

An Azure virtual network hosts several web servers accessible via HTTPS (port 443). You need to restrict inbound access to these web servers only from the company's on-premises public IP address, while allowing all outbound traffic. What is the most efficient configuration?

A Azure Firewall configured to filter inbound traffic to the web server subnet.
B A custom UDR to route all inbound 443 traffic through a Network Virtual Appliance.
C An NSG associated with the web server subnet, allowing inbound 443 from the on-premises IP.
D An NSG associated with each individual web server NIC, allowing inbound 443 from the on-premises IP.

✅ Correct Answer: C

Explanation: Associating an NSG with the subnet hosting the web servers allows a single set of rules to apply to all VMs in that subnet, minimizing administrative effort. Configuring NSGs on individual NICs is less efficient for multiple servers in the same subnet. Azure Firewall provides more advanced capabilities but is overkill and more expensive for this specific requirement. Custom UDRs with NVAs add significant complexity for simple port filtering.

9

You are responsible for backing up Azure VMs daily. Recovery Point Objective (RPO) is 24 hours, and Recovery Time Objective (RTO) is 12 hours. The backup solution must minimize operational overhead. Which Azure Backup configuration should you implement?

A Implement a custom script to take VM snapshots and copy to a storage account.
B Utilize Azure Site Recovery to replicate VMs to a secondary region.
C Manually create full VM backups every day.
D Configure Azure Backup for VMs using the default policy for daily backups.

✅ Correct Answer: D

Explanation: Azure Backup for VMs with its default daily backup policy easily meets the RPO and RTO requirements while minimizing operational overhead due to its automated nature. Custom scripts for snapshots add significant administrative burden and require custom recovery procedures. Azure Site Recovery is primarily for disaster recovery and might be an over-engineered solution if only backup is required. Manual backups are highly inefficient and prone to errors.

10

A company hosts a public-facing web application on Azure App Service. During peak hours, the application experiences performance degradation. You need to ensure the application scales automatically to handle increased load with the lowest operational management. What is the best solution?

A Deploy multiple App Service instances behind an Azure Application Gateway.
B Manually scale up the App Service Plan during peak times.
C Migrate the application to an Azure Virtual Machine Scale Set.
D Configure App Service Autoscale based on CPU percentage.

✅ Correct Answer: D

Explanation: App Service Autoscale allows the application to automatically adjust its instance count based on defined metrics like CPU percentage, ensuring optimal performance during varying loads with minimal manual intervention. Manually scaling requires constant monitoring. Deploying multiple instances behind Application Gateway is possible but autoscale is a more integrated and simpler solution for App Service. Migrating to VMSS adds significant operational complexity for this scenario.

Frequently Asked Questions

Are these questions real exam dumps?

No, ExamOS does not use or promote exam dumps. All questions are concept-focused, scenario-based, and designed to help you understand architectural decisions and real-world trade-offs.

How does ExamOS help me prepare better?

ExamOS provides short, timed quizzes aligned with official exam domains. Each question includes detailed explanations so you can learn the reasoning behind the correct answer, not just memorize it.

Is ExamOS free to use?

Yes. You get free credits when you register, which you can use to take practice quizzes. You can earn additional credits through referrals or upgrade later for unlimited practice.
