
- November 6, 2024
- Deepak
- 2

AZ-104 Assessment
Azure Administrator Assessment
AZ-104 Exam Renewal Test
You are in charge of MSCloudApp2025, an Azure App Service that is currently using the Standard App Service Plan and has five deployment slots available. The Contributor role for MSCloudApp2025 is held by a user, User1. You must give User1 permission to add more deployment slots.
What ought one to do?
Assign User1 the Owner role for MSCloudApp2025.
Assign User1 the Website Contributor role for MSCloudApp2025.
Scale out the MSCloudApp2025 App Service plan.
Scale up the MSCloudApp2025 App Service plan.
Reveal Solution
Correct Answer: Assign User1 the Owner role for MSCloudApp2025.
Explanation: The Contributor role does not grant permission to add deployment slots. Only the Owner role provides full control, including creating deployment slots. Scaling options do not impact user permissions.
The following Azure web apps are being deployed by you:
Web-App1: Windows Server 2016
Web-App2: Windows Server 2022
Web-App3: Ubuntu Server
Web-App4: Red Hat Enterprise Linux
How many App Service Plans is the bare minimum needed?
1
2
3
4
Reveal Solution
Correct Answer: 2
Explanation: Windows-based apps (Web-App1 and Web-App2) can share one App Service Plan. Similarly, Linux-based apps (Web-App3 and Web-App4) can share another. So, only two plans are needed—one for each OS type.
You are preparing to deploy a web application named WebApp1 with the following specifications:
Publish Method: Docker Container
Operating System: Windows
Deployment Region: West US
App Service Plan: ASP-RG1-8bcf
Your goal is to have WebApp1 run using the ASP.NET V4.8 runtime.
Which configuration setting needs to be modified to meet this requirement?
Operating System
Publish
Region
Windows Plan
Reveal Solution
Correct Answer: Publish
Explanation: ASP.NET V4.8 is available only for apps published as “Code,” not containers. To use this runtime, switch the Publish setting from Docker Container to Code.
You are managing a web application named SalesPortalApp, which is currently hosted on a Standard App Service Plan. You intend to configure deployment slots for this application.
What is the maximum number of deployment slots you can add in this App Service Plan?
1
4
6
9
Reveal Solution
Correct Answer: 4
Explanation: The Standard App Service Plan allows up to five slots, including the production slot. Therefore, you can add four additional slots.
Your Azure virtual network includes the following subnets:
AppSubnet – contains virtual machines
WebSubnet – used by a web application
ContainerSubnet – currently hosting container instances
You are planning to deploy a new container instance named InventoryContainer.
Which subnet(s) are suitable for deploying InventoryContainer?
AppSubnet and ContainerSubnet only
AppSubnet, WebSubnet, and ContainerSubnet
WebSubnet and ContainerSubnet only
ContainerSubnet only
Reveal Solution
Correct Answer: ContainerSubnet only
Explanation: Azure Container Instances must be deployed in subnets configured to support them. ContainerSubnet only is explicitly prepared for containers.
You have a Windows Server 2022 virtual machine named AppServer01, and an Azure Container Registry that stores a container image called Image1.
What must be installed on AppServer01 to run Image1?
Azure Portal
Docker
Hyper-V role
.NET Framework 4.7
Reveal Solution
Correct Answer: Docker
Explanation: Docker provides the necessary container runtime to run images pulled from the Azure Container Registry.
Your Azure subscription for MSCloudExplorers includes the following resources:
Storage Account:
msceprodstorageContainer Instance:
msce-app-containerVirtual Network:
MSCE-VNetwith the following subnets:Subnet-Storage – configured with a service endpoint for
Microsoft.StorageSubnet-Containers – currently hosting the
msce-app-containerSubnet-Backup – currently not in use
You are planning to deploy a new container instance named msce-container5.
Which subnet(s) are eligible for deploying msce-container5?
Subnet-Storage, Subnet-Containers, and Subnet-Backup
Subnet-Containers and Subnet-Backup only
Subnet-Containers only
Subnet-Backup only
Reveal Solution
Correct Answer: Subnet-Containers and Subnet-Backup only
Explanation:
Subnet-Storage is configured with a service endpoint specifically for Microsoft.Storage, which limits its use to storage-related resources and is not suitable for container instances.
On the other hand, Subnet-Containers is already hosting container workloads, and Subnet-Backup is currently unused and can be configured for container deployments—making both subnets valid options for deploying msce-container5.
Your organization, MSCloudExplorers, has an Azure Storage Account with a blob container named container1. You need to control and manage access to this container.
Which of the following authorization methods can be used to grant access to container1?
Microsoft Entra ID only
Microsoft Entra ID, Shared Access Signature, or Certificate only
Microsoft Entra ID, Storage Account Key, or Shared Access Signature only
Microsoft Entra ID, Storage Account Key, Shared Access Signature, or Certificate
Storage Account Key or Shared Access Signature only
Reveal Solution
Correct Answer: Microsoft Entra ID, Storage Key, or Shared Access Signature only
Explanation: Certificates are not valid for direct blob access. Valid methods include Entra ID, storage account keys, and SAS.
Your organization, MSCloudExplorers, has the following Azure storage accounts:
msceprodstorage – configured as StorageV2
mscearchivestorage – configured as BlobStorage
mscefilestorage – configured as FileStorage
You want to implement lifecycle management policies to automatically transition or delete data based on rules.
Which of these storage accounts support lifecycle management?
msceprodstorage and mscearchivestorage only
msceprodstorage and mscefilestorage only
msceprodstorage only
All three: msceprodstorage, mscearchivestorage, and mscefilestorage
mscearchivestorage and mscefilestorage only
Reveal Solution
Correct Answer: A. msceprodstorage and mscearchivestorage only
Explanation: Lifecycle management is supported for StorageV2 and BlobStorage accounts because they both support blob-level tiering and automatic rule-based management.
FileStorage accounts do not support lifecycle management policies, as these policies are specific to blob data.
In your MSCloudExplorers environment, you have an Azure Storage account named msceprodstorage. You configure two encryption scopes:
Scope1 – uses Microsoft-managed keys
Scope2 – uses Customer-managed keys (CMK)
You plan to use Scope2 for data encryption.
Which Azure Storage services can use Scope2 for encryption with customer-managed keys?
Blob and File only
Blob, File, Table, and Queue
Blob only
File only
Table and Queue only
Reveal Solution
Correct Answer: C. Blob only
Explanation: Currently, encryption scopes with Customer-managed keys (CMK) are supported only for blob data within an Azure Storage account. Services like File, Table, and Queue storage do not support CMK-based encryption scopes.
In your MSCloudExplorers environment, you have an Azure Storage account named msceprodstorage. You configure two encryption scopes:
Scope1 – uses Microsoft-managed keys
Scope2 – uses Customer-managed keys (CMK)
You plan to use Scope2 for data encryption.
Which Azure Storage services can use Scope2 for encryption with customer-managed keys?
Blob and File only
Blob, File, Table, and Queue
Blob only
File only
Table and Queue only
Reveal Solution
Correct Answer: C. Blob only
Explanation: Currently, encryption scopes with Customer-managed keys (CMK) are supported only for blob data within an Azure Storage account. Services like File, Table, and Queue storage do not support CMK-based encryption scopes.
You have an Azure subscription that includes the following App Services web apps:
- WebApp1, which runs code in a Windows operating system.
- WebApp2, which runs code in a Linux operating system.
- WebApp3, which runs in a Docker container on Windows.
- WebApp4, which runs in a Docker container on Linux.
From which web apps can you use WebJobs?
- WebApp1 and WebApp2 only
- WebApp1 and Web3 only
- WebApp1 only
- WebApp1, WebApp2, WebApp3 and WebApp4
Reveal Solution
✅ Correct Answer: WebApp1 only
Explanation
WebJobs is a feature of Azure App Service that allows you to run background tasks, scripts, or programs alongside your web app.
However, WebJobs are supported only on App Service running on Windows and are not supported for Linux App Service or containerized App Services.
Let’s evaluate each app:
Web App | Configuration | WebJobs Supported? |
WebApp1 | Windows App Service | ✅ Yes |
WebApp2 | Linux App Service | ❌ No |
WebApp3 | Windows Container | ❌ No |
WebApp4 | Linux Container | ❌ No |
Why?
Microsoft Learn states that:
- WebJobs are available for Windows-based App Service apps.
- WebJobs are not supported for:
- Linux App Service
Custom Containers (Windows or Linux)
You plan to deploy an Azure App Service web app that will have the following settings:
- Name: WebApp1
- Publish: Docker Container
- Operating system: Windows
- Region: West US
- Windows Plan (West US): ASP-RG1-8bcf
You need to ensure that WebApp1 can use the ASP.NET V4.8 runtime stack.
Which setting should you modify?
- Operating system
- Publish
- Region
- Windows Plan
Reveal Solution
✅ Correct Answer: Publish
Explanation
The key detail is:
- Publish = Docker Container
- User wants to use ASP.NET V4.8 runtime stack
When you deploy an App Service as a Docker Container, Azure does not provide a built-in runtime stack such as ASP.NET 4.8, .NET, Node.js, PHP, etc. The runtime must be included inside the container image.
To use the built-in ASP.NET V4.8 runtime stack, the App Service must be deployed as Code, not Docker Container.
Review the options
Setting | Modify? | Reason |
Operating system | ❌ No | ASP.NET 4.8 runs on Windows, which is already selected. |
Publish | ✅ Yes | Change from Docker Container to Code to access the built-in ASP.NET V4.8 runtime stack. |
Region | ❌ No | Runtime stack availability is not determined by region. |
Windows Plan | ❌ No | The App Service Plan doesn’t control the runtime stack selection. |
You have Azure App Service web app named WebApp1.
You need to integrate GitHub as a source code repository for WebApp1.
What should you use?
- Deployment Center
- Deployment slots
- Extensions
- Service Connector
Reveal Solution
✅ Correct Answer: Deployment Center
Explanation
Deployment Center is the App Service feature used to configure continuous deployment (CI/CD) from source code repositories such as:
- GitHub
- Azure DevOps
- Bitbucket
- Local Git
Using Deployment Center, you can connect WebApp1 to a GitHub repository and automatically deploy code whenever changes are pushed.
Why the other options are incorrect
Option | Why it’s incorrect |
Deployment slots | Used for staging and swapping deployments, not for connecting source repositories. |
Extensions | Used to add functionality to App Service, not to configure source control integration. |
Service Connector | Used to connect App Service to services such as databases, storage accounts, and other Azure services. |
You plan to deploy the following Azure web apps:
- WebApp1, that uses the .NET 9 runtime stack
- WebApp2, that uses the ASP.NET V4.8 runtime stack
- WebApp3, that uses the Java 21 runtime stack
- WebApp4, that uses the PHP 8.4 runtime stack
You need to create the app service plans for the web apps.
What is the minimum number of app service plans that should be created?
- 1
- 2
- 3
- 4
Reveal Solution
✅ Correct Answer: 2
Explanation
The key concept is that an App Service Plan’s operating system (Windows or Linux) determines which runtime stacks it can host.
Let’s look at the runtimes:
Web App | Runtime | Requires |
WebApp1 | .NET 9 | Windows or Linux |
WebApp2 | ASP.NET V4.8 | Windows only |
WebApp3 | Java 21 | Windows or Linux |
WebApp4 | PHP 8.4 | Windows or Linux |
Critical Fact
ASP.NET V4.8 requires Windows App Service.
Since an App Service Plan cannot contain both Windows and Linux apps, you need:
- One Windows App Service Plan for WebApp2 (ASP.NET V4.8)
- One Linux App Service Plan for the remaining apps (WebApp1, WebApp3, WebApp4)
Therefore, the minimum number of App Service Plans is:
2
Why not 1?
A single App Service Plan cannot host both Windows and Linux web apps.
Why not 3 or 4?
Multiple apps that use supported runtimes can share the same App Service Plan as long as:
- They are in the same region.
- They use the same OS (Windows or Linux).
You have Azure subscription that includes virtual network with following subnets:
- Subnet1, which has connected virtual machine
- Subnet2, which has connected app service web app
- Subnet3, which has deployed container instance
You plan to deploy container instance named container1.
To which subnets can you deploy container1?
- Subnet1 and Subnet3 only
- Subnet1, Subnet2 and Subnet3
- Subnet2 and Subnet3 only
- Subnet3 only
Reveal Solution
✅ Correct Answer: Subnet3 only
Explanation
When deploying an Azure Container Instance (ACI) into a virtual network:
- The subnet must be delegated to Azure Container Instances (Microsoft.ContainerInstance/containerGroups).
- A delegated subnet used for ACI can’t contain other resource types, such as virtual machines.
- Multiple container instances/container groups can be deployed to the same delegated subnet.
Let’s evaluate each subnet:
Subnet | Existing Resource | Can deploy Container1? |
Subnet1 | Virtual Machine | ❌ No |
Subnet2 | App Service Web App (VNet integration) | ❌ No |
Subnet3 | Container Instance | ✅ Yes |
Since Subnet3 already contains a container instance, it indicates that it is configured appropriately for ACI deployment, and additional container instances can be deployed there.
You plan to create an Azure container instance named container1 that will use a Docker image named Image1.
You need to ensure that container1 has persistent storage.
Which Azure resources should you deploy for the persistent storage?
- an Azure container registry
- an Azure SQL database
- an Azure Storage account and a blob container
- an Azure Storage account and a file share
Reveal Solution
✅ Correct Answer: an Azure Storage account and a file share
Explanation
Azure Container Instances (ACI) are stateless by default. If the container is restarted, any data stored inside the container is lost.
To provide persistent storage, ACI supports mounting an Azure Files share into the container.
Therefore, you need:
- An Azure Storage account
- An Azure Files file share
The file share is mounted into the container and remains available even if the container is stopped, restarted, or recreated.
Why the other options are wrong
Option | Reason |
Azure Container Registry | ❌ Stores container images, not persistent data. |
Azure SQL Database | ❌ Can store application data, but is not used as mounted persistent storage for the container filesystem. |
Azure Storage account and a blob container | ❌ ACI does not support mounting Azure Blob Storage as a volume. |
Azure Storage account and a file share | ✅ Supported persistent volume for ACI. |
You have an Azure subscription that contains the following resources:
- a storage account named storage123
- a container instance named container1
The subscription contains a virtual network named VirtualNet4 that has the following subnets:
- SubnetA- has a Microsoft.Storage service endpoint.
- SubnetB- container1 is deployed to SubnetB.
- SubnetC- No resources are connected to SubnetC.
- You plan to deploy an Azure container instance named container5 to VirtualNet4.
To which subnets can you deploy container5?
- SubnetA, SubnetB, and SubnetC
- SubnetB and SubnetC only
- SubnetB only
- SubnetC only
Reveal Solution
✅ Correct Answer: SubnetB and SubnetC only
Explanation
Azure Container Instances deployed into a virtual network require a delegated subnet that is used only for container groups.
Let’s evaluate each subnet:
Subnet | Current Configuration | Can deploy container5? |
SubnetA | Has a Microsoft.Storage service endpoint | ❌ No |
SubnetB | Already contains container1 | ✅ Yes |
SubnetC | Empty subnet | ✅ Yes |
Why not SubnetA?
A subnet used for Azure Container Instances can’t have service endpoint configurations such as Microsoft.Storage. Therefore, SubnetA isn’t a valid target for deploying container5.
Why SubnetB?
Since container1 is already deployed there, the subnet is already configured for Azure Container Instances. Multiple container groups can be deployed to the same delegated subnet.
Why SubnetC?
SubnetC is empty and can be delegated to Azure Container Instances before deployment, making it a valid target.
You have an Azure storage account named storage1.
You need to ensure that a user named User1 can access storage1 only from January 1st to January 31st 2026.
What should you do?
- Create a conditional access policy for User1
- Provide User1 with a shared access signature (SAS)
- Provide User1 with a storage1 access key
- Use a condition when assigning User1 an RBAC role on storage1
Reveal Solution
✅ Correct Answer: Provide User1 with a shared access signature (SAS)
Explanation
A Shared Access Signature (SAS) provides delegated access to storage resources and can include:
- Start time
- Expiry time
- Permissions (Read, Write, Delete, List, etc.)
- Allowed IP addresses (optional)
You can create a SAS that:
- Starts on January 1, 2026
- Expires on January 31, 2026
After the expiration date, User1 automatically loses access.
Why the other options are wrong
Option | Reason |
Conditional Access Policy | ❌ Controls sign-in conditions (location, device, MFA, etc.), not access within a specific date range to a storage account. |
Storage Account Access Key | ❌ Provides full access to the storage account and has no built-in expiration date. |
RBAC Role with Condition | ❌ Azure RBAC conditions can restrict certain actions, but they don’t provide a simple time-based access window like a SAS. |
You have an Azure Storage account named storage1 that is configured to use the Hot access tier.
Storage1 has a container named container1 and the lifecycle management rule with following settings:
- Move blob to cool storage: Selected
- Days after last modification: 3
- Move blob to archive storage: Selected
- Days after last modification: 5
On December 1, you create a file named File1 in container1.
On December 10, you rehydrate File1 and move the file to the Hot access tier.
When will File1 be moved to archive storage?
- on December 15
- on December 18
- on January 1
- within 24 hours
Reveal Solution
✅ Correct Answer: within 24 hours
Explanation
The lifecycle management rule is based on:
Days after last modification
File1 was:
- Created on December 1
- Last modified on December 1
Lifecycle actions:
- Move to Cool after 3 days → approximately December 4
- Move to Archive after 5 days → approximately December 6
On December 10, you rehydrate File1 and move it back to the Hot tier.
Important: Rehydrating a blob or changing its access tier does not update the blob’s Last Modified timestamp. The last modification date remains December 1.
Therefore, after rehydration, the lifecycle policy still sees the blob as having been last modified more than 5 days ago, making it immediately eligible for archiving again.
Lifecycle management runs periodically (not instantly), so the blob will be moved back to the Archive tier within the next lifecycle processing cycle, typically within 24 hours.
You have an Azure storage account that contains a blob container named container1.
You need to configure access to container1.
Which authorization types can you use?
- Microsoft Entra ID only
- Microsoft Entra ID, shared access signature or certificate only
- Microsoft Entra ID, storage key or shared access signature only
- Microsoft Entra ID, storage key, shared access signature or certificate
- Storage key or shared access signature only
Reveal Solution
✅ Correct Answer: Microsoft Entra ID, storage key or shared access signature only
Explanation
Azure Blob Storage supports three primary authorization methods:
- Microsoft Entra ID (Azure AD) ✅
- Recommended method
- Uses RBAC roles such as Storage Blob Data Reader/Contributor
- Storage Account Access Keys ✅
- Provides access using the account key
- Shared Access Signatures (SAS) ✅
- Delegated, time-limited access
Why not Certificates?
❌ Certificates are not a supported authorization method for accessing Azure Blob containers directly.
Certificates may be used for authentication scenarios involving applications or service principals, but they are not an authorization type for blob container access.
Review the options
Option | Correct? |
Microsoft Entra ID only | ❌ Storage keys and SAS are also supported |
Microsoft Entra ID, SAS, or certificate only | ❌ Certificates are not a blob authorization method |
Microsoft Entra ID, storage key, or SAS only | ✅ Correct |
Microsoft Entra ID, storage key, SAS, or certificate | ❌ Certificate makes it incorrect |
Storage key or SAS only | ❌ Entra ID is also supported |
You have an Azure subscription that contains the following storage accounts:
- storage1, configured as StorageV2 kind
- storage2, configured as BlobStorage kind
- storage3, configured as FileStorage kind
Which storage account or storage accounts can you use Lifecycle management?
- storage1 and storage2 only
- storage1 and storage3 only
- storage1 only
- storage1, storage2 and storage3
- storage2 and storage3 only
Reveal Solution
✅ Correct Answer: storage1 only
Explanation
Azure Lifecycle Management is supported only for:
- General-purpose v2 (StorageV2) accounts
- Blob data (Blob Storage features within StorageV2)
Let’s examine each storage account:
Storage Account | Kind | Lifecycle Management Supported? |
storage1 | StorageV2 | ✅ Yes |
storage2 | BlobStorage | ❌ No |
storage3 | FileStorage | ❌ No |
Key AZ-104 Fact
Lifecycle management policies are supported only on:
- Standard General-purpose v2 (StorageV2) accounts
They are not supported on:
- BlobStorage accounts
- FileStorage accounts
- Premium storage accounts
You have an Azure subscription that contains a virtual network named VNET1. VNET1 uses the following address spaces:
- 10.10.1.0/24
- 10.10.2.0/28
VNET1 contains the following subnets:
- Subnet1- has an address space of 10.10.1.0/24
- Subnet2- has an address space of 10.10.2.0/28
To Subnet1, you deploy a virtual machine named VM1 that runs Windows Server. VM1 has Remote Desktop enabled.
VM1 does NOT have a public IP address.
You need to be able to deploy Azure Bastion to protect VM1.
What should you do first?
- Add a new subnet to VNET1.
- Add a public IP address to VM1.
- Add an extension to VM1.
- Modify the address space of VNET1.
Reveal Solution
✅ Correct Answer: Modify the address space of VNET1
Explanation
To deploy Azure Bastion, the virtual network must contain a dedicated subnet named:
AzureBastionSubnet
And that subnet must be at least /26 (current requirement).
Let’s examine VNET1:
Current Address Spaces
- 10.10.1.0/24 → fully used by Subnet1
- 10.10.2.0/28 → fully used by Subnet2
There is no unused IP address space available in VNET1 to create the required AzureBastionSubnet (/26 or larger).
Therefore, before you can add the AzureBastionSubnet, you must:
✅ Expand/modify the address space of VNET1
Why the other answers are wrong
Option | Reason |
Add a new subnet to VNET1 | ❌ No free address space exists to create another subnet. |
Add a public IP address to VM1 | ❌ Bastion is specifically used to avoid exposing VMs with public IPs. |
Add an extension to VM1 | ❌ Bastion does not require a VM extension. |
Modify the address space of VNET1 | ✅ Required first so that an AzureBastionSubnet can be created. |
You have an Azure subscription that includes the following resources:
- VNet1, a virtual network
- Subnet1, a subnet in VNet1
- WebApp1, an App Service web app
- NSG1, a network security group
You create an application security group named ASG1.
Which resource can use ASG1?
- NSG1
- Subnet1
- VNet1
- WebApp1
Reveal Solution
✅ Correct Answer: NSG1
Explanation
An Application Security Group (ASG) is used to simplify Network Security Group (NSG) rules.
Instead of specifying IP addresses in NSG rules, you can reference ASGs and group VMs logically (e.g., Web Servers, Database Servers).
How ASGs are used
ASGs can be referenced in:
- Source of an NSG rule
- Destination of an NSG rule
Therefore, the resource that can use ASG1 is:
✅ NSG1
Why the other options are wrong
Resource | Can use ASG1? | Reason |
NSG1 | ✅ Yes | NSG rules can reference ASGs. |
Subnet1 | ❌ No | Subnets are associated with NSGs, not ASGs. |
VNet1 | ❌ No | VNets do not use ASGs directly. |
WebApp1 | ❌ No | App Service web apps cannot be members of ASGs. ASGs are for VM network interfaces. |
You have an Azure subscription that includes following resources:
- VNet1, a virtual network
- Subnet1, a subnet in VNet1
- VM1, a virtual machine
- NIC1, a network interface of VM1
- LB1, a load balancer
You create a network security group named NSG1.
To which two Azure resources can you associate NSG1?
- LB1
- NIC1
- Subnet1
- VM1
- VNet1
Reveal Solution
✅ Correct Answers: NIC1 and Subnet1
Explanation
A Network Security Group (NSG) can be associated with:
- Subnet ✅
- Network Interface (NIC) ✅
NSGs cannot be associated directly with:
- Virtual Machines ❌
- Virtual Networks ❌
- Load Balancers ❌
Evaluate each option
Resource | Can associate NSG1? |
LB1 (Load Balancer) | ❌ No |
NIC1 | ✅ Yes |
Subnet1 | ✅ Yes |
VM1 | ❌ No (associate to the VM’s NIC instead) |
VNet1 | ❌ No |
You have an Azure subscription that includes a network security group named NSG1.
You plan to add an inbound security rule named Rule1 to NSG1.
You need to configure a priority for Rule1. Rule1 must have the highest priority for inbound security rules in NSG1.
Which priority should you configure for Rule1?
- 0
- 1
- 10
- 100
- 1000
Reveal Solution
✅ Correct Answer: 100
Explanation
For Network Security Group (NSG) rules:
- Priority values range from 100 to 4096
- Lower numbers = higher priority
- Rules are processed in ascending priority order
Therefore:
Priority | Valid? | Higher Priority? |
0 | ❌ Invalid | |
1 | ❌ Invalid | |
10 | ❌ Invalid | |
100 | ✅ Valid and highest possible priority | |
1000 | ✅ Valid but lower priority than 100 |
Since Rule1 must have the highest priority, assign the lowest valid priority number, which is:
✅ 100
You have an Azure subscription that contains an Azure disk named Disk1.
You plan to use an Azure Backup to backup Disk1.
What should you deploy first?
- a Backup vault
- a Storage account
- a Recovery Services vault
- an Azure Backup Server
Reveal Solution
✅ Correct Answer: a Backup vault
Explanation
This question is testing the newer Azure Backup architecture.
For Azure Disk Backup (backup of managed disks directly), you must use a:
✅ Backup vault
Azure Disk Backup stores backup data and policies in a Backup vault, not a Recovery Services vault.
Why the other options are wrong
Option | Reason |
Backup vault | ✅ Required for Azure Disk Backup |
Storage account | ❌ Not required to initiate Azure Disk Backup |
Recovery Services vault | ❌ Used for VM backups, Azure Files backup, etc., but not Azure Disk Backup |
Azure Backup Server | ❌ Used for on-premises workloads, not Azure managed disk backup |
You have a Recovery Services vault named Recovery1 that includes a backup policy named Policy1.
You back up several Azure virtual machines to Recovery1 by using Policy1.
You need to view the Azure Backup reports.
What should you do first?
- Configure the Diagnostics settings of Recovery1.
- Create an Azure Log Analytics workspace.
- Modify the Backup Configuration settings of Recovery1.
Reveal Solution
✅ Correct Answer: Create an Azure Log Analytics workspace
Explanation
Azure Backup Reports are built on Azure Monitor Logs and require a Log Analytics workspace as the data source.
To view Azure Backup reports, the first prerequisite is to:
✅ Create a Log Analytics workspace
After the workspace exists, you can configure the Recovery Services vault to send backup data to that workspace.
Why the other answers are wrong
Option | Reason |
Configure Diagnostic Settings of Recovery1 | ❌ This is done after a Log Analytics workspace exists. |
Create an Azure Log Analytics workspace | ✅ First prerequisite for Azure Backup Reports. |
Modify Backup Configuration settings of Recovery1 | ❌ Not required to enable Backup Reports. |
Your company’s Azure subscription contains an Azure virtual machine.
You need to back up the virtual machine every 12 hours.
What should you create first?
- a backup policy in a backup vault
- a standard backup policy in a recovery services vault
- an enhanced backup policy in a recovery services vault
Reveal Solution
✅ Correct Answer: an enhanced backup policy in a recovery services vault
Explanation
The key detail is:
Back up the virtual machine every 12 hours
For Azure VM Backup:
- Standard backup policy supports one backup per day only.
- Enhanced backup policy supports multiple backups per day (up to every 4 hours).
Therefore, to achieve backups every 12 hours (twice per day), you must use:
✅ Enhanced backup policy in a Recovery Services vault
Why the other options are wrong
Option | Reason |
Backup policy in a Backup vault | ❌ Backup vaults are used for workloads such as Azure Disk Backup, not Azure VM Backup. |
Standard backup policy in a Recovery Services vault | ❌ Supports only one backup per day. |
Enhanced backup policy in a Recovery Services vault | ✅ Supports multiple backups per day, including every 12 hours. |
You have an Azure subscription and an availability set named AS1 that has 5 update domains.
You deploy 27 virtual machines to AS1.
During a planned update, what is the minimum number of virtual machines that are available?
- 14
- 20
- 21
- 22
- 26
Reveal Solution
✅ Correct Answer: 21
Explanation
An Availability Set distributes VMs across Update Domains (UDs).
During a planned maintenance update, Azure updates one Update Domain at a time.
Step 1: Distribute the VMs
- Total VMs = 27
- Update Domains = 5
Azure distributes them as evenly as possible:
Update Domain | VMs |
UD1 | 6 |
UD2 | 6 |
UD3 | 5 |
UD4 | 5 |
UD5 | 5 |
Step 2: Determine the worst case
During a planned update, one Update Domain is unavailable.
The largest Update Domain contains 6 VMs.
Therefore:
Available VMs = 27 − 6 = 21
Why the other answers are wrong
Answer | Reason |
14 | ❌ Too many VMs assumed unavailable |
20 | ❌ Would require 7 VMs in one UD |
21 | ✅ Correct |
22 | ❌ Assumes only 5 VMs are updated |
26 | ❌ Only one VM would be unavailable, which isn’t how Update Domains work |
You have an Azure subscription.
You need to deploy a virtual machine that runs Windows Server 2025 Datacenter: Azure Edition.
Which security type can you select when deploying virtual machine?
- Standard only
- Standard or trusted launch only
- Standard, trusted launch or confidential
- Trusted launch or confidential only
Reveal Solution
✅ Correct Answer: Standard, trusted launch or confidential
Explanation
When deploying a VM running Windows Server 2025 Datacenter: Azure Edition, Azure supports all three VM security types:
- Standard ✅
- Trusted Launch ✅
- Confidential VM ✅
Therefore, you can choose any of the three security types during deployment.
Security Types Overview
Security Type | Features |
Standard | Traditional VM deployment |
Trusted Launch | Secure Boot + vTPM + integrity monitoring |
Confidential | Hardware-based memory encryption and protection of data in use |
Why the other options are wrong
Option | Reason |
Standard only | ❌ Trusted Launch and Confidential are also supported |
Standard or Trusted Launch only | ❌ Confidential is also supported |
Trusted Launch or Confidential only | ❌ Standard is also available |
Standard, Trusted Launch or Confidential | ✅ Correct |
You have an Azure virtual machine named VM1.
VM1 contains the following:
- a File named File1 that is stored on volume C:\
- a File named File2 that is stored on volume D:\
- an App named App1 that is in a running state
- a user named User1 that is connected to VM1
You plan to resize VM1.
What is preserved after the resize?
- File1 and File2 only
- File1 and the state of App1 only
- File1, File2 and the state of App1 only
- File1, File2, the state of App1 and the connection of User1
- File1 only
Reveal Solution
✅ Correct Answer: File1 only
Explanation
When you resize an Azure VM, Azure may move the VM to different host hardware. The VM is restarted during the resize operation.
Let’s examine what is preserved:
Item | Preserved? | Reason |
File1 on C:\ | ✅ Yes | Stored on the OS disk, which is persistent. |
File2 on D:\ | ❌ No | D:\ is typically the temporary disk, and its contents can be lost during resize, redeployment, or host maintenance. |
State of App1 | ❌ No | The VM is restarted, so running applications are stopped. |
Connection of User1 | ❌ No | Active user sessions are disconnected during the restart. |
Key AZ-104 Fact
The temporary disk (D:):
- Is not backed by Azure managed storage.
- Can lose data during:
- VM resize
- Redeploy
- Host maintenance
- VM migration
You have an Azure subscription.
You plan to use fault domains.
From which Azure resource can you configure the fault domains?
- Availability set
- Virtual machine
- Virtual machine scale set
- Virtual network
Reveal Solution
✅ Correct Answer: Availability set
Explanation
Fault Domains (FDs) define groups of hardware that share a common power source and network switch.
You configure the number of fault domains when creating an Availability Set.
Why the other options are wrong
Resource | Can configure Fault Domains? |
Availability Set | ✅ Yes |
Virtual Machine | ❌ No, a VM can be placed in an Availability Set but doesn’t define fault domains itself. |
Virtual Machine Scale Set | ❌ No, VMSS uses Availability Zones and placement groups rather than user-configured fault domains. |
Virtual Network | ❌ No relationship to fault domains. |
You have a Microsoft Entra tenant that contains two users named User1 and User2. The tenant has security defaults disabled.
You need to enable self-service password reset (SSPR) for User1. SSPR must NOT be enabled for User2.
What should you do first?
- Enable security defaults.
- Create a security group.
- Create a lifecycle workflow.
- Configure an authentication method policy.
Reveal Solution
✅ Correct Answer: Create a security group
Explanation
To enable Self-Service Password Reset (SSPR) for only specific users, you configure SSPR for:
- All users, or
- Selected users (via a group)
Since:
- User1 should have SSPR enabled ✅
- User2 should NOT have SSPR enabled ❌
You must first create a security group, add User1 to that group, and then configure SSPR for the selected group.
Why the other options are wrong
Option | Reason |
Enable security defaults | ❌ Security defaults are unrelated to enabling SSPR for specific users. |
Create a security group | ✅ Required to scope SSPR to selected users. |
Create a lifecycle workflow | ❌ Used for user lifecycle automation, not SSPR. |
Configure an authentication method policy | ❌ Controls allowed authentication methods, but doesn’t scope SSPR to specific users. |
You have a Microsoft Entra tenant that contains a user named User1.
You delete User1.
You plan to restore the User1 object.
What is the maximum number of days you have to restore User1?
- 7 days
- 30 days
- 90 days
- 48 hours
Reveal Solution
✅ Correct Answer: 30 days
Explanation
When a user is deleted from Microsoft Entra ID (Azure AD), the user is moved to Deleted users (soft-deleted state).
The user can be restored for up to:
30 days
After 30 days, the user is permanently deleted and can no longer be restored.
Why the other answers are wrong
Option | Reason |
48 hours | ❌ Too short; no such restoration limit exists. |
7 days | ❌ Not the Entra ID user retention period. |
30 days | ✅ Correct. |
90 days | ❌ Users are not retained for 90 days after deletion. |
Your company has multiple departments and one Azure subscription. The user accounts for all employees are in the same Microsoft Entra tenant.
You need to delegate permissions for managing users in a single department only.
What should you use to organize the user accounts?
- administrative unit
- security group
- resource group
- workspace
Reveal Solution
✅ Correct Answer: Administrative unit
Explanation
An Administrative Unit (AU) in Microsoft Entra ID allows you to delegate administrative permissions over a subset of users, groups, or devices.
In this scenario:
- All users are in the same Entra tenant.
- You want admins to manage only one department’s users.
- You need scoped administration.
✅ Administrative Units are specifically designed for this purpose.
Why the other options are wrong
Option | Reason |
Administrative unit | ✅ Allows delegation of user management to a subset of users/groups/devices. |
Security group | ❌ Used for permissions and access control, not delegated administration. |
Resource group | ❌ Organizes Azure resources, not Entra users. |
Workspace | ❌ Used by services such as Log Analytics, not for user administration. |
We’d love your feedback!
Share your thoughts on the Renewal Test and help us improve by reporting any inaccurate answers.
🔗 Explore more Renewal Tests at mscloudexplorers.com/learn
📘 Discover more Microsoft 365 & Intune-related blogs at mscloudexplorers.com/blog
📰 Join our newsletter to get the latest Microsoft Cloud updates directly in your inbox.
🔔 Follow us on LinkedIn for regular updates, tips, and community insights.








Thanks for providing all the assessment questions and answers. However, it seems a couple of the answers might not be correct.
Thank you for pointing that out—we really appreciate the feedback! 🙏
While we strive to ensure all answers are accurate and up to date, occasional changes in Microsoft’s assessment content can lead to discrepancies. If you could let us know which questions seemed off, we’ll double-check and update the post accordingly. Thanks again for helping us keep the content reliable for everyone!