Azure Administrator AZ-104
  • AZ-104 Assessment

  • Azure Administrator Assessment

  • AZ-104 Exam Renewal Test

You are in charge of MSCloudApp2025, an Azure App Service that is currently using the Standard App Service Plan and has five deployment slots available. The Contributor role for MSCloudApp2025 is held by a user, User1. You must give User1 permission to add more deployment slots.

What ought one to do?

  • Assign User1 the Owner role for MSCloudApp2025.

  • Assign User1 the Website Contributor role for MSCloudApp2025.

  • Scale out the MSCloudApp2025 App Service plan.

  • Scale up the MSCloudApp2025 App Service plan.

Correct Answer: Assign User1 the Owner role for MSCloudApp2025.
Explanation: The Contributor role does not grant permission to add deployment slots. Only the Owner role provides full control, including creating deployment slots. Scaling options do not impact user permissions.

The following Azure web apps are being deployed by you:

  • Web-App1: Windows Server 2016

  • Web-App2: Windows Server 2022

  • Web-App3: Ubuntu Server

  • Web-App4: Red Hat Enterprise Linux

How many App Service Plans is the bare minimum needed?

  • 1

  • 2

  • 3

  • 4

Correct Answer: 2
Explanation: Windows-based apps (Web-App1 and Web-App2) can share one App Service Plan. Similarly, Linux-based apps (Web-App3 and Web-App4) can share another. So, only two plans are needed—one for each OS type.

You are preparing to deploy a web application named WebApp1 with the following specifications:

  • Publish Method: Docker Container

  • Operating System: Windows

  • Deployment Region: West US

  • App Service Plan: ASP-RG1-8bcf

Your goal is to have WebApp1 run using the ASP.NET V4.8 runtime.

Which configuration setting needs to be modified to meet this requirement?

  • Operating System

  • Publish

  • Region

  • Windows Plan

Correct Answer: Publish
Explanation: ASP.NET V4.8 is available only for apps published as “Code,” not containers. To use this runtime, switch the Publish setting from Docker Container to Code.

You are managing a web application named SalesPortalApp, which is currently hosted on a Standard App Service Plan. You intend to configure deployment slots for this application.

What is the maximum number of deployment slots you can add in this App Service Plan?

  • 1

  • 4

  • 6

  • 9

Correct Answer: 4
Explanation: The Standard App Service Plan allows up to five slots, including the production slot. Therefore, you can add four additional slots.

Your Azure virtual network includes the following subnets:

  • AppSubnet – contains virtual machines

  • WebSubnet – used by a web application

  • ContainerSubnet – currently hosting container instances

You are planning to deploy a new container instance named InventoryContainer.

Which subnet(s) are suitable for deploying InventoryContainer?

  • AppSubnet and ContainerSubnet only

  • AppSubnet, WebSubnet, and ContainerSubnet

  • WebSubnet and ContainerSubnet only

  • ContainerSubnet only

Correct Answer: ContainerSubnet only
Explanation: Azure Container Instances must be deployed in subnets configured to support them. ContainerSubnet only is explicitly prepared for containers.

You have a Windows Server 2022 virtual machine named AppServer01, and an Azure Container Registry that stores a container image called Image1.

What must be installed on AppServer01 to run Image1?

  • Azure Portal

  • Docker

  • Hyper-V role

  • .NET Framework 4.7

Correct Answer: Docker
Explanation: Docker provides the necessary container runtime to run images pulled from the Azure Container Registry.

Your Azure subscription for MSCloudExplorers includes the following resources:

  • Storage Account: msceprodstorage

  • Container Instance: msce-app-container

  • Virtual Network: MSCE-VNet with the following subnets:

    • Subnet-Storage – configured with a service endpoint for Microsoft.Storage

    • Subnet-Containers – currently hosting the msce-app-container

    • Subnet-Backup – currently not in use

You are planning to deploy a new container instance named msce-container5.

Which subnet(s) are eligible for deploying msce-container5?

  • Subnet-Storage, Subnet-Containers, and Subnet-Backup

  • Subnet-Containers and Subnet-Backup only

  • Subnet-Containers only

  • Subnet-Backup only

Correct Answer: Subnet-Containers and Subnet-Backup only
Explanation:

Subnet-Storage is configured with a service endpoint specifically for Microsoft.Storage, which limits its use to storage-related resources and is not suitable for container instances.
On the other hand, Subnet-Containers is already hosting container workloads, and Subnet-Backup is currently unused and can be configured for container deployments—making both subnets valid options for deploying msce-container5.

Your organization, MSCloudExplorers, has an Azure Storage Account with a blob container named container1. You need to control and manage access to this container.

Which of the following authorization methods can be used to grant access to container1?

  • Microsoft Entra ID only

  • Microsoft Entra ID, Shared Access Signature, or Certificate only

  • Microsoft Entra ID, Storage Account Key, or Shared Access Signature only

  • Microsoft Entra ID, Storage Account Key, Shared Access Signature, or Certificate

  • Storage Account Key or Shared Access Signature only

Correct Answer: Microsoft Entra ID, Storage Key, or Shared Access Signature only
Explanation: Certificates are not valid for direct blob access. Valid methods include Entra ID, storage account keys, and SAS.

Your organization, MSCloudExplorers, has the following Azure storage accounts:

  • msceprodstorage – configured as StorageV2

  • mscearchivestorage – configured as BlobStorage

  • mscefilestorage – configured as FileStorage

You want to implement lifecycle management policies to automatically transition or delete data based on rules.

Which of these storage accounts support lifecycle management?

  • msceprodstorage and mscearchivestorage only

  • msceprodstorage and mscefilestorage only

  • msceprodstorage only

  • All three: msceprodstorage, mscearchivestorage, and mscefilestorage

  • mscearchivestorage and mscefilestorage only

Correct Answer: A. msceprodstorage and mscearchivestorage only
Explanation: Lifecycle management is supported for StorageV2 and BlobStorage accounts because they both support blob-level tiering and automatic rule-based management.
FileStorage accounts do not support lifecycle management policies, as these policies are specific to blob data.

In your MSCloudExplorers environment, you have an Azure Storage account named msceprodstorage. You configure two encryption scopes:

  • Scope1 – uses Microsoft-managed keys

  • Scope2 – uses Customer-managed keys (CMK)

You plan to use Scope2 for data encryption.

Which Azure Storage services can use Scope2 for encryption with customer-managed keys?

  • Blob and File only

  • Blob, File, Table, and Queue

  • Blob only

  • File only

  • Table and Queue only

Correct Answer: C. Blob only
Explanation: Currently, encryption scopes with Customer-managed keys (CMK) are supported only for blob data within an Azure Storage account. Services like File, Table, and Queue storage do not support CMK-based encryption scopes.

In your MSCloudExplorers environment, you have an Azure Storage account named msceprodstorage. You configure two encryption scopes:

  • Scope1 – uses Microsoft-managed keys

  • Scope2 – uses Customer-managed keys (CMK)

You plan to use Scope2 for data encryption.

Which Azure Storage services can use Scope2 for encryption with customer-managed keys?

  • Blob and File only

  • Blob, File, Table, and Queue

  • Blob only

  • File only

  • Table and Queue only

Correct Answer: C. Blob only
Explanation: Currently, encryption scopes with Customer-managed keys (CMK) are supported only for blob data within an Azure Storage account. Services like File, Table, and Queue storage do not support CMK-based encryption scopes.

You have an Azure subscription that includes the following App Services web apps:

  • WebApp1, which runs code in a Windows operating system.
  • WebApp2, which runs code in a Linux operating system.
  • WebApp3, which runs in a Docker container on Windows.
  • WebApp4, which runs in a Docker container on Linux.

From which web apps can you use WebJobs?

  • WebApp1 and WebApp2 only
  • WebApp1 and Web3 only
  • WebApp1 only
  • WebApp1, WebApp2, WebApp3 and WebApp4

Correct Answer: WebApp1 only

Explanation

WebJobs is a feature of Azure App Service that allows you to run background tasks, scripts, or programs alongside your web app.

However, WebJobs are supported only on App Service running on Windows and are not supported for Linux App Service or containerized App Services.

Let’s evaluate each app:

Web App

Configuration

WebJobs Supported?

WebApp1

Windows App Service

✅ Yes

WebApp2

Linux App Service

❌ No

WebApp3

Windows Container

❌ No

WebApp4

Linux Container

❌ No

Why?

Microsoft Learn states that:

  • WebJobs are available for Windows-based App Service apps.
  • WebJobs are not supported for:
    • Linux App Service

Custom Containers (Windows or Linux)

You plan to deploy an Azure App Service web app that will have the following settings:

  • Name: WebApp1
  • Publish: Docker Container
  • Operating system: Windows
  • Region: West US
  • Windows Plan (West US): ASP-RG1-8bcf

You need to ensure that WebApp1 can use the ASP.NET V4.8 runtime stack.

Which setting should you modify?

  • Operating system
  • Publish
  • Region
  • Windows Plan

Correct Answer: Publish

Explanation

The key detail is:

  • Publish = Docker Container
  • User wants to use ASP.NET V4.8 runtime stack

When you deploy an App Service as a Docker Container, Azure does not provide a built-in runtime stack such as ASP.NET 4.8, .NET, Node.js, PHP, etc. The runtime must be included inside the container image.

To use the built-in ASP.NET V4.8 runtime stack, the App Service must be deployed as Code, not Docker Container.

Review the options

Setting

Modify?

Reason

Operating system

❌ No

ASP.NET 4.8 runs on Windows, which is already selected.

Publish

✅ Yes

Change from Docker Container to Code to access the built-in ASP.NET V4.8 runtime stack.

Region

❌ No

Runtime stack availability is not determined by region.

Windows Plan

❌ No

The App Service Plan doesn’t control the runtime stack selection.

You have Azure App Service web app named WebApp1.

You need to integrate GitHub as a source code repository for WebApp1.

What should you use?

  • Deployment Center
  • Deployment slots
  • Extensions
  • Service Connector

Correct Answer: Deployment Center

Explanation

Deployment Center is the App Service feature used to configure continuous deployment (CI/CD) from source code repositories such as:

  • GitHub
  • Azure DevOps
  • Bitbucket
  • Local Git

Using Deployment Center, you can connect WebApp1 to a GitHub repository and automatically deploy code whenever changes are pushed.

Why the other options are incorrect

Option

Why it’s incorrect

Deployment slots

Used for staging and swapping deployments, not for connecting source repositories.

Extensions

Used to add functionality to App Service, not to configure source control integration.

Service Connector

Used to connect App Service to services such as databases, storage accounts, and other Azure services.

You plan to deploy the following Azure web apps:

  • WebApp1, that uses the .NET 9 runtime stack
  • WebApp2, that uses the ASP.NET V4.8 runtime stack
  • WebApp3, that uses the Java 21 runtime stack
  • WebApp4, that uses the PHP 8.4 runtime stack

You need to create the app service plans for the web apps.

What is the minimum number of app service plans that should be created?

  • 1
  • 2
  • 3
  • 4

Correct Answer: 2

Explanation

The key concept is that an App Service Plan’s operating system (Windows or Linux) determines which runtime stacks it can host.

Let’s look at the runtimes:

Web App

Runtime

Requires

WebApp1

.NET 9

Windows or Linux

WebApp2

ASP.NET V4.8

Windows only

WebApp3

Java 21

Windows or Linux

WebApp4

PHP 8.4

Windows or Linux

Critical Fact

ASP.NET V4.8 requires Windows App Service.

Since an App Service Plan cannot contain both Windows and Linux apps, you need:

  1. One Windows App Service Plan for WebApp2 (ASP.NET V4.8)
  2. One Linux App Service Plan for the remaining apps (WebApp1, WebApp3, WebApp4)

Therefore, the minimum number of App Service Plans is:

2

Why not 1?

A single App Service Plan cannot host both Windows and Linux web apps.

Why not 3 or 4?

Multiple apps that use supported runtimes can share the same App Service Plan as long as:

  • They are in the same region.
  • They use the same OS (Windows or Linux).

You have Azure subscription that includes virtual network with following subnets:

  • Subnet1, which has connected virtual machine
  • Subnet2, which has connected app service web app
  • Subnet3, which has deployed container instance

You plan to deploy container instance named container1.

To which subnets can you deploy container1?

  • Subnet1 and Subnet3 only
  • Subnet1, Subnet2 and Subnet3
  • Subnet2 and Subnet3 only
  • Subnet3 only

Correct Answer: Subnet3 only

Explanation

When deploying an Azure Container Instance (ACI) into a virtual network:

  • The subnet must be delegated to Azure Container Instances (Microsoft.ContainerInstance/containerGroups).
  • A delegated subnet used for ACI can’t contain other resource types, such as virtual machines.
  • Multiple container instances/container groups can be deployed to the same delegated subnet.

Let’s evaluate each subnet:

Subnet

Existing Resource

Can deploy Container1?

Subnet1

Virtual Machine

❌ No

Subnet2

App Service Web App (VNet integration)

❌ No

Subnet3

Container Instance

✅ Yes

Since Subnet3 already contains a container instance, it indicates that it is configured appropriately for ACI deployment, and additional container instances can be deployed there.

You plan to create an Azure container instance named container1 that will use a Docker image named Image1.

You need to ensure that container1 has persistent storage.

Which Azure resources should you deploy for the persistent storage?

  • an Azure container registry
  • an Azure SQL database
  • an Azure Storage account and a blob container
  • an Azure Storage account and a file share

Correct Answer: an Azure Storage account and a file share

Explanation

Azure Container Instances (ACI) are stateless by default. If the container is restarted, any data stored inside the container is lost.

To provide persistent storage, ACI supports mounting an Azure Files share into the container.

Therefore, you need:

  1. An Azure Storage account
  2. An Azure Files file share

The file share is mounted into the container and remains available even if the container is stopped, restarted, or recreated.

Why the other options are wrong

Option

Reason

Azure Container Registry

❌ Stores container images, not persistent data.

Azure SQL Database

❌ Can store application data, but is not used as mounted persistent storage for the container filesystem.

Azure Storage account and a blob container

❌ ACI does not support mounting Azure Blob Storage as a volume.

Azure Storage account and a file share

✅ Supported persistent volume for ACI.

You have an Azure subscription that contains the following resources:

  • a storage account named storage123
  • a container instance named container1

The subscription contains a virtual network named VirtualNet4 that has the following subnets:

  • SubnetA- has a Microsoft.Storage service endpoint.
  • SubnetB- container1 is deployed to SubnetB.
  • SubnetC- No resources are connected to SubnetC.
  • You plan to deploy an Azure container instance named container5 to VirtualNet4.

To which subnets can you deploy container5?

  • SubnetA, SubnetB, and SubnetC
  • SubnetB and SubnetC only
  • SubnetB only
  • SubnetC only

Correct Answer: SubnetB and SubnetC only

Explanation

Azure Container Instances deployed into a virtual network require a delegated subnet that is used only for container groups.

Let’s evaluate each subnet:

Subnet

Current Configuration

Can deploy container5?

SubnetA

Has a Microsoft.Storage service endpoint

❌ No

SubnetB

Already contains container1

✅ Yes

SubnetC

Empty subnet

✅ Yes

Why not SubnetA?

A subnet used for Azure Container Instances can’t have service endpoint configurations such as Microsoft.Storage. Therefore, SubnetA isn’t a valid target for deploying container5.

Why SubnetB?

Since container1 is already deployed there, the subnet is already configured for Azure Container Instances. Multiple container groups can be deployed to the same delegated subnet.

Why SubnetC?

SubnetC is empty and can be delegated to Azure Container Instances before deployment, making it a valid target.

You have an Azure storage account named storage1.

You need to ensure that a user named User1 can access storage1 only from January 1st to January 31st 2026.

What should you do?

  • Create a conditional access policy for User1
  • Provide User1 with a shared access signature (SAS)
  • Provide User1 with a storage1 access key
  • Use a condition when assigning User1 an RBAC role on storage1

Correct Answer: Provide User1 with a shared access signature (SAS)

Explanation

A Shared Access Signature (SAS) provides delegated access to storage resources and can include:

  • Start time
  • Expiry time
  • Permissions (Read, Write, Delete, List, etc.)
  • Allowed IP addresses (optional)

You can create a SAS that:

  • Starts on January 1, 2026
  • Expires on January 31, 2026

After the expiration date, User1 automatically loses access.

Why the other options are wrong

Option

Reason

Conditional Access Policy

❌ Controls sign-in conditions (location, device, MFA, etc.), not access within a specific date range to a storage account.

Storage Account Access Key

❌ Provides full access to the storage account and has no built-in expiration date.

RBAC Role with Condition

❌ Azure RBAC conditions can restrict certain actions, but they don’t provide a simple time-based access window like a SAS.

You have an Azure Storage account named storage1 that is configured to use the Hot access tier.

Storage1 has a container named container1 and the lifecycle management rule with following settings:

  • Move blob to cool storage: Selected
    • Days after last modification: 3
  • Move blob to archive storage: Selected
    • Days after last modification: 5

On December 1, you create a file named File1 in container1.

On December 10, you rehydrate File1 and move the file to the Hot access tier.

When will File1 be moved to archive storage?

  • on December 15
  • on December 18
  • on January 1
  • within 24 hours

Correct Answer: within 24 hours

Explanation

The lifecycle management rule is based on:

Days after last modification

File1 was:

  • Created on December 1
  • Last modified on December 1

Lifecycle actions:

  • Move to Cool after 3 days → approximately December 4
  • Move to Archive after 5 days → approximately December 6

On December 10, you rehydrate File1 and move it back to the Hot tier.

Important: Rehydrating a blob or changing its access tier does not update the blob’s Last Modified timestamp. The last modification date remains December 1.

Therefore, after rehydration, the lifecycle policy still sees the blob as having been last modified more than 5 days ago, making it immediately eligible for archiving again.

Lifecycle management runs periodically (not instantly), so the blob will be moved back to the Archive tier within the next lifecycle processing cycle, typically within 24 hours.

You have an Azure storage account that contains a blob container named container1.

You need to configure access to container1.

Which authorization types can you use?

  • Microsoft Entra ID only
  • Microsoft Entra ID, shared access signature or certificate only
  • Microsoft Entra ID, storage key or shared access signature only
  • Microsoft Entra ID, storage key, shared access signature or certificate
  • Storage key or shared access signature only

Correct Answer: Microsoft Entra ID, storage key or shared access signature only

Explanation

Azure Blob Storage supports three primary authorization methods:

  1. Microsoft Entra ID (Azure AD)
    • Recommended method
    • Uses RBAC roles such as Storage Blob Data Reader/Contributor
  2. Storage Account Access Keys
    • Provides access using the account key
  3. Shared Access Signatures (SAS)
    • Delegated, time-limited access

Why not Certificates?

Certificates are not a supported authorization method for accessing Azure Blob containers directly.

Certificates may be used for authentication scenarios involving applications or service principals, but they are not an authorization type for blob container access.

Review the options

Option

Correct?

Microsoft Entra ID only

❌ Storage keys and SAS are also supported

Microsoft Entra ID, SAS, or certificate only

❌ Certificates are not a blob authorization method

Microsoft Entra ID, storage key, or SAS only

✅ Correct

Microsoft Entra ID, storage key, SAS, or certificate

❌ Certificate makes it incorrect

Storage key or SAS only

❌ Entra ID is also supported

You have an Azure subscription that contains the following storage accounts:

  • storage1, configured as StorageV2 kind
  • storage2, configured as BlobStorage kind
  • storage3, configured as FileStorage kind

Which storage account or storage accounts can you use Lifecycle management?

  • storage1 and storage2 only
  • storage1 and storage3 only
  • storage1 only
  • storage1, storage2 and storage3
  • storage2 and storage3 only

Correct Answer: storage1 only

Explanation

Azure Lifecycle Management is supported only for:

  • General-purpose v2 (StorageV2) accounts
  • Blob data (Blob Storage features within StorageV2)

Let’s examine each storage account:

Storage Account

Kind

Lifecycle Management Supported?

storage1

StorageV2

✅ Yes

storage2

BlobStorage

❌ No

storage3

FileStorage

❌ No

Key AZ-104 Fact

Lifecycle management policies are supported only on:

  • Standard General-purpose v2 (StorageV2) accounts

They are not supported on:

  • BlobStorage accounts
  • FileStorage accounts
  • Premium storage accounts



You have an Azure subscription that contains a virtual network named VNET1. VNET1 uses the following address spaces:

  • 10.10.1.0/24
  • 10.10.2.0/28

VNET1 contains the following subnets:

  • Subnet1- has an address space of 10.10.1.0/24
  • Subnet2- has an address space of 10.10.2.0/28

To Subnet1, you deploy a virtual machine named VM1 that runs Windows Server. VM1 has Remote Desktop enabled.

VM1 does NOT have a public IP address.

You need to be able to deploy Azure Bastion to protect VM1.

What should you do first?

  • Add a new subnet to VNET1.
  • Add a public IP address to VM1.
  • Add an extension to VM1.
  • Modify the address space of VNET1.

Correct Answer: Modify the address space of VNET1

Explanation

To deploy Azure Bastion, the virtual network must contain a dedicated subnet named:

AzureBastionSubnet

And that subnet must be at least /26 (current requirement).

Let’s examine VNET1:

Current Address Spaces

  • 10.10.1.0/24 → fully used by Subnet1
  • 10.10.2.0/28 → fully used by Subnet2

There is no unused IP address space available in VNET1 to create the required AzureBastionSubnet (/26 or larger).

Therefore, before you can add the AzureBastionSubnet, you must:

Expand/modify the address space of VNET1

Why the other answers are wrong

Option

Reason

Add a new subnet to VNET1

❌ No free address space exists to create another subnet.

Add a public IP address to VM1

❌ Bastion is specifically used to avoid exposing VMs with public IPs.

Add an extension to VM1

❌ Bastion does not require a VM extension.

Modify the address space of VNET1

✅ Required first so that an AzureBastionSubnet can be created.

You have an Azure subscription that includes the following resources:

  • VNet1, a virtual network
  • Subnet1, a subnet in VNet1
  • WebApp1, an App Service web app
  • NSG1, a network security group

You create an application security group named ASG1.

Which resource can use ASG1?

  • NSG1
  • Subnet1
  • VNet1
  • WebApp1

Correct Answer: NSG1

Explanation

An Application Security Group (ASG) is used to simplify Network Security Group (NSG) rules.

Instead of specifying IP addresses in NSG rules, you can reference ASGs and group VMs logically (e.g., Web Servers, Database Servers).

How ASGs are used

ASGs can be referenced in:

  • Source of an NSG rule
  • Destination of an NSG rule

Therefore, the resource that can use ASG1 is:

NSG1

Why the other options are wrong

Resource

Can use ASG1?

Reason

NSG1

✅ Yes

NSG rules can reference ASGs.

Subnet1

❌ No

Subnets are associated with NSGs, not ASGs.

VNet1

❌ No

VNets do not use ASGs directly.

WebApp1

❌ No

App Service web apps cannot be members of ASGs. ASGs are for VM network interfaces.



You have an Azure subscription that includes following resources:

  • VNet1, a virtual network
  • Subnet1, a subnet in VNet1
  • VM1, a virtual machine
  • NIC1, a network interface of VM1
  • LB1, a load balancer

You create a network security group named NSG1.

To which two Azure resources can you associate NSG1?

  • LB1
  • NIC1
  • Subnet1
  • VM1
  • VNet1

Correct Answers: NIC1 and Subnet1

Explanation

A Network Security Group (NSG) can be associated with:

  1. Subnet
  2. Network Interface (NIC)

NSGs cannot be associated directly with:

  • Virtual Machines ❌
  • Virtual Networks ❌
  • Load Balancers ❌

Evaluate each option

Resource

Can associate NSG1?

LB1 (Load Balancer)

❌ No

NIC1

✅ Yes

Subnet1

✅ Yes

VM1

❌ No (associate to the VM’s NIC instead)

VNet1

❌ No

You have an Azure subscription that includes a network security group named NSG1.

You plan to add an inbound security rule named Rule1 to NSG1.

You need to configure a priority for Rule1. Rule1 must have the highest priority for inbound security rules in NSG1.

Which priority should you configure for Rule1?

  • 0
  • 1
  • 10
  • 100
  • 1000

Correct Answer: 100

Explanation

For Network Security Group (NSG) rules:

  • Priority values range from 100 to 4096
  • Lower numbers = higher priority
  • Rules are processed in ascending priority order

Therefore:

Priority

Valid?

Higher Priority?

0

❌ Invalid

 

1

❌ Invalid

 

10

❌ Invalid

 

100

✅ Valid and highest possible priority

 

1000

✅ Valid but lower priority than 100

 

Since Rule1 must have the highest priority, assign the lowest valid priority number, which is:

100

You have an Azure subscription that contains an Azure disk named Disk1.

You plan to use an Azure Backup to backup Disk1.

What should you deploy first?

  • a Backup vault
  • a Storage account
  • a Recovery Services vault
  • an Azure Backup Server

Correct Answer: a Backup vault

Explanation

This question is testing the newer Azure Backup architecture.

For Azure Disk Backup (backup of managed disks directly), you must use a:

Backup vault

Azure Disk Backup stores backup data and policies in a Backup vault, not a Recovery Services vault.

Why the other options are wrong

Option

Reason

Backup vault

✅ Required for Azure Disk Backup

Storage account

❌ Not required to initiate Azure Disk Backup

Recovery Services vault

❌ Used for VM backups, Azure Files backup, etc., but not Azure Disk Backup

Azure Backup Server

❌ Used for on-premises workloads, not Azure managed disk backup

You have a Recovery Services vault named Recovery1 that includes a backup policy named Policy1.

You back up several Azure virtual machines to Recovery1 by using Policy1.

You need to view the Azure Backup reports.

What should you do first?

  • Configure the Diagnostics settings of Recovery1.
  • Create an Azure Log Analytics workspace.
  • Modify the Backup Configuration settings of Recovery1.

Correct Answer: Create an Azure Log Analytics workspace

Explanation

Azure Backup Reports are built on Azure Monitor Logs and require a Log Analytics workspace as the data source.

To view Azure Backup reports, the first prerequisite is to:

Create a Log Analytics workspace

After the workspace exists, you can configure the Recovery Services vault to send backup data to that workspace.

Why the other answers are wrong

Option

Reason

Configure Diagnostic Settings of Recovery1

❌ This is done after a Log Analytics workspace exists.

Create an Azure Log Analytics workspace

✅ First prerequisite for Azure Backup Reports.

Modify Backup Configuration settings of Recovery1

❌ Not required to enable Backup Reports.



Your company’s Azure subscription contains an Azure virtual machine.

You need to back up the virtual machine every 12 hours.

What should you create first?

  • a backup policy in a backup vault
  • a standard backup policy in a recovery services vault
  • an enhanced backup policy in a recovery services vault

Correct Answer: an enhanced backup policy in a recovery services vault

Explanation

The key detail is:

Back up the virtual machine every 12 hours

For Azure VM Backup:

  • Standard backup policy supports one backup per day only.
  • Enhanced backup policy supports multiple backups per day (up to every 4 hours).

Therefore, to achieve backups every 12 hours (twice per day), you must use:

Enhanced backup policy in a Recovery Services vault

Why the other options are wrong

Option

Reason

Backup policy in a Backup vault

❌ Backup vaults are used for workloads such as Azure Disk Backup, not Azure VM Backup.

Standard backup policy in a Recovery Services vault

❌ Supports only one backup per day.

Enhanced backup policy in a Recovery Services vault

✅ Supports multiple backups per day, including every 12 hours.

 

You have an Azure subscription and an availability set named AS1 that has 5 update domains.

You deploy 27 virtual machines to AS1.

During a planned update, what is the minimum number of virtual machines that are available?

  • 14
  • 20
  • 21
  • 22
  • 26

Correct Answer: 21

Explanation

An Availability Set distributes VMs across Update Domains (UDs).

During a planned maintenance update, Azure updates one Update Domain at a time.

Step 1: Distribute the VMs

  • Total VMs = 27
  • Update Domains = 5

Azure distributes them as evenly as possible:

Update Domain

VMs

UD1

6

UD2

6

UD3

5

UD4

5

UD5

5

Step 2: Determine the worst case

During a planned update, one Update Domain is unavailable.

The largest Update Domain contains 6 VMs.

Therefore:

Available VMs = 27 − 6 = 21

Why the other answers are wrong

Answer

Reason

14

❌ Too many VMs assumed unavailable

20

❌ Would require 7 VMs in one UD

21

✅ Correct

22

❌ Assumes only 5 VMs are updated

26

❌ Only one VM would be unavailable, which isn’t how Update Domains work

 

You have an Azure subscription.

You need to deploy a virtual machine that runs Windows Server 2025 Datacenter: Azure Edition.

Which security type can you select when deploying virtual machine?

  • Standard only
  • Standard or trusted launch only
  • Standard, trusted launch or confidential
  • Trusted launch or confidential only

Correct Answer: Standard, trusted launch or confidential

Explanation

When deploying a VM running Windows Server 2025 Datacenter: Azure Edition, Azure supports all three VM security types:

  1. Standard
  2. Trusted Launch
  3. Confidential VM

Therefore, you can choose any of the three security types during deployment.

Security Types Overview

Security Type

Features

Standard

Traditional VM deployment

Trusted Launch

Secure Boot + vTPM + integrity monitoring

Confidential

Hardware-based memory encryption and protection of data in use

Why the other options are wrong

Option

Reason

Standard only

❌ Trusted Launch and Confidential are also supported

Standard or Trusted Launch only

❌ Confidential is also supported

Trusted Launch or Confidential only

❌ Standard is also available

Standard, Trusted Launch or Confidential

✅ Correct

 

You have an Azure virtual machine named VM1.

VM1 contains the following:

  • a File named File1 that is stored on volume C:\
  • a File named File2 that is stored on volume D:\
  • an App named App1 that is in a running state
  • a user named User1 that is connected to VM1

You plan to resize VM1.

What is preserved after the resize?

  • File1 and File2 only
  • File1 and the state of App1 only
  • File1, File2 and the state of App1 only
  • File1, File2, the state of App1 and the connection of User1
  • File1 only

Correct Answer: File1 only

Explanation

When you resize an Azure VM, Azure may move the VM to different host hardware. The VM is restarted during the resize operation.

Let’s examine what is preserved:

Item

Preserved?

Reason

File1 on C:\

✅ Yes

Stored on the OS disk, which is persistent.

File2 on D:\

❌ No

D:\ is typically the temporary disk, and its contents can be lost during resize, redeployment, or host maintenance.

State of App1

❌ No

The VM is restarted, so running applications are stopped.

Connection of User1

❌ No

Active user sessions are disconnected during the restart.

Key AZ-104 Fact

The temporary disk (D:):

  • Is not backed by Azure managed storage.
  • Can lose data during:
    • VM resize
    • Redeploy
    • Host maintenance
    • VM migration

 

You have an Azure subscription.

You plan to use fault domains.

From which Azure resource can you configure the fault domains?

  • Availability set
  • Virtual machine
  • Virtual machine scale set
  • Virtual network

Correct Answer: Availability set

Explanation

Fault Domains (FDs) define groups of hardware that share a common power source and network switch.

You configure the number of fault domains when creating an Availability Set.

Why the other options are wrong

Resource

Can configure Fault Domains?

Availability Set

✅ Yes

Virtual Machine

❌ No, a VM can be placed in an Availability Set but doesn’t define fault domains itself.

Virtual Machine Scale Set

❌ No, VMSS uses Availability Zones and placement groups rather than user-configured fault domains.

Virtual Network

❌ No relationship to fault domains.

You have a Microsoft Entra tenant that contains two users named User1 and User2. The tenant has security defaults disabled.

You need to enable self-service password reset (SSPR) for User1. SSPR must NOT be enabled for User2.

What should you do first?

  • Enable security defaults.
  • Create a security group.
  • Create a lifecycle workflow.
  • Configure an authentication method policy.

Correct Answer: Create a security group

Explanation

To enable Self-Service Password Reset (SSPR) for only specific users, you configure SSPR for:

  • All users, or
  • Selected users (via a group)

Since:

  • User1 should have SSPR enabled ✅
  • User2 should NOT have SSPR enabled ❌

You must first create a security group, add User1 to that group, and then configure SSPR for the selected group.

Why the other options are wrong

Option

Reason

Enable security defaults

❌ Security defaults are unrelated to enabling SSPR for specific users.

Create a security group

✅ Required to scope SSPR to selected users.

Create a lifecycle workflow

❌ Used for user lifecycle automation, not SSPR.

Configure an authentication method policy

❌ Controls allowed authentication methods, but doesn’t scope SSPR to specific users.



You have a Microsoft Entra tenant that contains a user named User1.

You delete User1.

You plan to restore the User1 object.

What is the maximum number of days you have to restore User1?

  • 7 days
  • 30 days
  • 90 days
  • 48 hours

Correct Answer: 30 days

Explanation

When a user is deleted from Microsoft Entra ID (Azure AD), the user is moved to Deleted users (soft-deleted state).

The user can be restored for up to:

30 days

After 30 days, the user is permanently deleted and can no longer be restored.

Why the other answers are wrong

Option

Reason

48 hours

❌ Too short; no such restoration limit exists.

7 days

❌ Not the Entra ID user retention period.

30 days

✅ Correct.

90 days

❌ Users are not retained for 90 days after deletion.

 

Your company has multiple departments and one Azure subscription. The user accounts for all employees are in the same Microsoft Entra tenant.

You need to delegate permissions for managing users in a single department only.

What should you use to organize the user accounts?

  • administrative unit
  • security group
  • resource group
  • workspace

Correct Answer: Administrative unit

Explanation

An Administrative Unit (AU) in Microsoft Entra ID allows you to delegate administrative permissions over a subset of users, groups, or devices.

In this scenario:

  • All users are in the same Entra tenant.
  • You want admins to manage only one department’s users.
  • You need scoped administration.

Administrative Units are specifically designed for this purpose.

Why the other options are wrong

Option

Reason

Administrative unit

✅ Allows delegation of user management to a subset of users/groups/devices.

Security group

❌ Used for permissions and access control, not delegated administration.

Resource group

❌ Organizes Azure resources, not Entra users.

Workspace

❌ Used by services such as Log Analytics, not for user administration.

 

We’d love your feedback!
Share your thoughts on the Renewal Test and help us improve by reporting any inaccurate answers.

🔗 Explore more Renewal Tests at mscloudexplorers.com/learn
📘 Discover more Microsoft 365 & Intune-related blogs at mscloudexplorers.com/blog
📰 Join our newsletter to get the latest Microsoft Cloud updates directly in your inbox.
🔔 Follow us on LinkedIn for regular updates, tips, and community insights.

Tags:

2 comments on “Azure Administrator Exam Renewal Assessment Solved (AZ-104)

  1. Thanks for providing all the assessment questions and answers. However, it seems a couple of the answers might not be correct.

  2. Thank you for pointing that out—we really appreciate the feedback! 🙏
    While we strive to ensure all answers are accurate and up to date, occasional changes in Microsoft’s assessment content can lead to discrepancies. If you could let us know which questions seemed off, we’ll double-check and update the post accordingly. Thanks again for helping us keep the content reliable for everyone!

Leave a Reply