
Learn to replicate the Azure environment for each question using ARM templates, lab setup files, and PowerShell deployment steps, including resource groups and deployment verification.
Learn how hybrid Microsoft Entra ID handles user properties for on-premises synced users vs cloud users, and where to edit department and age group.
Understand how Microsoft Entra ID and Azure subscription roles interact, showing that only users with user access administrator permissions can assign a subscription owner to new users.
Assess how Azure Policy denies resource creation by restricting allowed resource types and locations to ensure storage accounts are created only in East Asia within the Sales Tech subscription.
Apply Azure Policy to restrict resource creation at the tenant root group scope and sales group scope, but the South East Asia limit prevents a storage account in East Asia.
Learn how Azure Policy restricts resource creation by scope and location, allowing only storage accounts in East Asia within the Sales Tech subscription.
Learn to assign the billing administrator role to a user in a Microsoft Entra ID tenant using the assigned roles and the Azure role assignments blade.
Download the CSV template and use bulk create in a Microsoft Entra ID tenant to add nearly 100 users, noting that first name and usage location are optional.
Learn how Microsoft Entra ID handles registration of personal iOS devices, including the difference between registered and joined devices and per-user device limits for BYOD.
Learn how to invite external users to an Azure AD directory using bulk invite, understanding when to use external guest invitations versus internal user creation and PowerShell command verbs.
Learn to assign Microsoft Entra ID P2 licenses to users via the licenses blade or a user's profile, selecting users or groups and assignment options.
Explore how to manage access and policy assignments across management groups and subscriptions in Azure. Understand role scopes, tenant root group implications, and common constraints when assigning permissions.
Configure additional local administrators for all Microsoft Entra joined devices by using the manage additional local administrators option in device settings.
Explore how self-service password reset works for admin and non-admin users under the defined policy, including required authentication methods and the registration steps via the SSPR portal.
Navigate moving resources between Dev and Test subscriptions and their resource groups under read-only and delete locks, evaluating precedence and permissions in Azure administrator practice labs.
Explore how Microsoft Entra ID and Azure subscription roles operate independently to control access. See global admin, user access administrator, contributor, and subscription owner grant or revoke access for users.
Execute the correct deletion order: remove the read-only lock on the virtual network, delete the linked virtual network, then delete the resource group so the private dns zone is removed.
Explain log inheritance in the Azure resource hierarchy, where logs can be created at subscription, resource group, or resource level; tenant root and management group scopes do not host logs.
Configure Microsoft Entra ID's external collaboration settings to deny B2B invitations to gmail.com, yahoo.com, and hotmail.com under collaboration restrictions, while permitting invitations to partner domains.
Learn how a password administrator scoped to an Azure administrative unit can reset passwords only for IT department members, not HR department users, and how group membership affects access.
Assess a custom Azure RBAC role that exports VM snapshots and disks, scoped to rg dev zero one and rg dev zero two, with reassignment allowed but policy management denied.
Explore how Azure RBAC permissions appear in custom or built-in roles, emphasizing the correct verb action for disk operations and exporting snapshots in VM scenarios.
Learn how to craft a custom Azure RBAC role that allows exporting snapshots and disks, using data actions and not actions to control policy assignments.
Explains extending a custom role to grant read access for storage accounts and virtual machines in the Azure portal by adding Microsoft.Storage/*/read and Microsoft.Compute/*/read, and discusses related error messages.
Analyze how resource tags and policy updates apply across resource groups and a key vault, adding environment dev and team compliance tags, while noting tags don’t inherit.
Configure self-service password reset policy in Azure; manage authentication methods and modify permissions (global administrator or authentication policy administrator) while handling security questions and five-of-six versus four-question reset rules.
Modify the Azure RBAC storage role to restrict not actions and set assignable scopes, distinguishing control plane from data plane operations and ensuring access keys cannot be read.
Explore how Azure cost management budgets use actual and forecasted alerts configured as a percentage of the budget to notify managers and developers via action groups when costs exceed budget.
Configure a conditional access policy to require compliant Windows devices for marketing users accessing office apps in a browser, applying to the marketing group and enforcing Intune compliance.
Discover how to connect to an Azure file share from a Windows device, mount via SMB on port 445 using the storage account key, and use net use for access.
Generate a SAS URI for an Azure file share, evaluate IP range and list permissions, and assess access scenarios using Azure Storage Explorer.
Evaluate using SAS URLs with Storage Explorer and a web browser to access an Azure file share and backup file, and identify which URLs allow direct download.
Configure blob data access with Microsoft Entra ID authentication, disable key-based authorization for user one, and assign the storage blob data reader role for read-only access.
Analyze how custom roles stddev zero one and stddev zero two grant or block blob data access in a storage account via the Azure portal and Microsoft Entra ID authentication.
Learn to upload blob data to a storage account using Microsoft Entra ID authentication by granting the storage blob data contributor role, and contrast with reader and account-level roles.
Demonstrates granting access to a SQL backup file in Azure blob storage via Microsoft Entra ID authentication, using storage account contributor and blob data owner roles, with access keys disabled.
Explain why a storage file data privileged contributor role, not blob data owner, enables file share access when storage account key access is disabled.
Explain uploading a backup file to a file share in SDR dev 012 storage account, sharing an access signature token, and why disabled key access breaks SAS URLs; option no.
Learn how to use AzCopy to upload only the backup file from the on-premises backups directory to the SQL backups blob container, using wildcard and recursive options.
Learn how to copy blob data with AzCopy across subscriptions and tenants, using SAS URLs and perimeter scope settings to move containers between storage accounts.
Use AzCopy across Windows, Linux, and macOS to copy data between storage accounts. The current tool supports file shares and blobs, not tables, including macOS uploads to blob storage.
Use AzCopy to copy a backup file between Azure blob containers using SAS, considering container, blob, and private access levels.
Learn how to use AzCopy with Microsoft Entra ID to copy blobs across containers at varying access levels, verifying permissions for source and target containers.
Plan and revoke SAS token access for vendors using stored access policies with a one-month duration, expiring or deleting policies as projects end, with IAM-based storage access as an alternative.
Explain storage account redundancy in Azure, comparing GZRS and GRS, including primary and secondary region copies and the option for read access in the secondary region to support high availability.
Create a standard general purpose v2 Azure storage account with Azure CLI that supports files and blobs, uses the cool access tier, and geo-redundant storage to protect from regional outages.
Export data from Azure using the import export tool and create an export job. Data rests in Azure blobs with product images, supporting on-premises server download for enterprise needs.
Use the azure import export tool to create an import job, uploading product images to the blob container and customer data to the file share.
Azure import export service supports general purpose storage accounts, both V1 and V2, and blob storage accounts, excluding premium file storage such as dev 013.
Prepare the drive with the WAImportExport tool, configure dataset.csv for files and drives.csv for disks, and obtain a journal file for Azure Import Export Service.
Learn to copy on-premises data to Azure Blob storage using the Azure Import/Export service by preparing encrypted drives, creating an import job, shipping drives, updating tracking, and verifying upload.
Learn how encryption scopes create secure data boundaries in multi-tenant Azure storage by using per-customer keys stored in Azure Key Vault and applying scopes to containers.
Identify which Azure storage accounts support blob lifecycle management policies, enabling automatic transitions between hot, cool, and archive tiers and deletion for block blobs to optimize performance and cost.
Azure storage object replication copies block blobs asynchronously between source and target, requiring blob versioning and change feed on source; replication works between str dev 011 and str dev 012.
Enable cross tenant replication in Azure Storage, then define replication rules with JSON files between source and target accounts across tenants.
Explore storage redundancy options across Azure storage accounts, including LRS, GRS, ZRS, and GZRS, with secondary-region replication and read-only access, plus premium accounts and geo replication limits.
Create an Azure storage account with zone redundant storage to achieve high availability in the primary region and resilience against regional outages, optimizing cost.
Assess how geo redundant storage, or GRS, asynchronously replicates data to a secondary region. LRS does not satisfy the requirement; primary region availability zones may be more suitable.
Evaluate Azure blob storage redundancy options and pricing for more than 500 TB per month in Central US, concluding that GZRS offers the most cost-efficient solution.
Learn how changing the account kind from storage v2 to block blob storage affects performance, premium versus standard, and replication in Azure storage accounts.
Learn which Azure storage accounts can move a blob to the archive tier; zone redundancy and replication types like ZRS, GZRS, and RA-GZRS block archive tier moves.
Discover how to migrate a storage account to a different replication type in Azure, including converting to CRS or zone redundant storage and when a support request is required.
Enable identity-based authentication for Azure File Share over SMB with Microsoft Entra ID credentials, then apply default share level permissions and the storage file data SMB share reader role.
Enable Microsoft Entra Domain Services for the Azure file share and assign default share permissions; add users to the AAD DC administrator group to access the VM.
Upgrade the storage account to general purpose v2 to enable blob lifecycle management and access tiering, then create and manage lifecycle policies to optimize storage costs.
Define an Azure storage account using an arm template, enforce disabled blob public access, and apply a 14-day delete retention policy for soft-deleted blobs.
Copy file share contents from one storage account to a blob container in another using AzCopy and Azure AD login. User1's blob data contributor role enables this operation.
Explore how Azure region quotas cap vCPUs by region and by VM family. See how allocated and deallocated vCPUs count toward limits, with East US as the example.
Learn how to transfer a data disk between Azure virtual machines with minimal downtime by detaching from the source VM, preparing the target VM, and attaching the disk.
Learn how reapply preserves data on the C, E, and F disks when fixing a failed Azure VM, while redeploying can lose data on the temporary D disk.
Identify which Azure VM updates require stopping the VM, such as adding a network interface card, while resizing may restart and BitLocker requires the VM running.
Move a virtual machine and its related resources—os disk, network interface, vnet, public ip, and nsg—between resource groups in the same subscription; verify running status does not block the move.
Learn to move an Azure virtual machine and its resources to another subscription by disassociating the public IP, then reattaching it in the target subscription.
Identify which Azure VM features require managed disks, noting that deploying a VM in availability zones necessitates managed disks, while availability sets can be either managed or unmanaged.
Configure the availability set to place three VMs across at least two update domains and multiple fault domains to remain available during hypervisor patching.
Assess how availability sets distribute virtual machines across fault and update domains using a round-robin placement strategy, ensuring that a power outage can affect at most three VMs.
Learn to architect a three-tier Azure solution with availability sets by placing similar components in the same fault domain to minimize rack-wide failures and maximize availability.
Deploy a single instance VM for a legacy SQL Server app. Use zone redundant storage to replicate data across three availability zones, ensuring availability during data center or zone outages.
Explore how stopping or removing VMs across an availability set, an availability zone, or a scale set works, and why updating their availability settings requires deleting and recreating the VM.
Explain uniform vs flexible orchestration modes for virtual machine scale sets, showing how uniform hides VM resources and limits individual resizes, while flexible exposes resources and enables resizing at scale.
Learn how to autoscale Azure virtual machine scale sets by queue message counts, configuring scale out policies to add or remove instances as queue length grows or shrinks.
Learn how autoscaling in a virtual machine scale set uses a default template with a one-minute time grain and five-minute aggregation to add or remove VMs based on CPU thresholds.
Understand how resource groups and scale set orchestration modes affect adding vms; only the flexible mode lets you add a vm to a scale set within the same resource group.
Explore autoscaling in virtual machine scale sets, including scale out and scale in actions driven by CPU utilization, thresholds, cooldowns, and min and max VM limits.
Install IIS on a Windows Azure VM after deployment using VM extensions like a custom script extension or DSC extension; verify access via the VM's public IP.
Explore upgrading a virtual machine scale set by applying latest model to its VMs with a rolling upgrade of 20% batch size, updating at most one VM at a time.
Identify which actions are not possible when an Azure VM is deallocated, such as configuring Site Recovery to move between availability zones and adding extensions that require the VM agent.
Export the on-prem VM's VHD with Hyper-V; upload it to Azure storage as a page blob; then create a VM image with the az image command.
Define allowed values for ARM template parameters to ensure valid deployments with the Azure Resource Group Deployment Command, and learn how resource section values override parameters for reusable deployments.
Replicate a virtual network in a test environment using an ARM template, preserving initial vnet settings and address prefixes via deployment history.
Export the ARM template from the Vnet resource to capture the latest state, then fix circular dependency issues with subnets for reusable deployment in a new environment.
Learn to replicate an Azure environment by exporting an ARM template from a VNet resource, clean circular dependencies, and deploy an exact replica of the final VNet state.
Explore using an ARM template to replicate an environment; downloading a template for automation before deployment cannot capture final vnet state due to post-creation settings, so option B is correct.
Deploying from an exported template in library explains configuring subscription, resource group, and storage account name when deploying a storage account from an Azure ARM template, while region remains fixed.
Redeploy an ARM template to provision a virtual network and storage account in a resource group using incremental or complete deployment modes, and compare how they treat undefined resources.
Updating a resource property with an ARM template applies to the target resource, and removing subnets from a virtual network deletes those subnets while preserving the vnet.
Redeploying a virtual network in complete mode preserves child resources; removing subnets from the template does not delete them, maintaining the parent-child relationship between vnet and subnets.
Learn how to deploy ARM templates at subscription and resource group scopes with PowerShell, using deployment resources to traverse scopes and deploy nested templates.
Learn to deploy an Azure virtual network with two subnets by using a copy loop in the vnet's properties of an ARM template, avoiding child-resource loops.
Use copyIndex in an ARM template to create three vnets—private, internal, and public—with two subnets each. The internal vnet uses 10.1.0.0/16 and subnets 10.1.3.0/24 and 10.1.4.0/24.
Store the VM password as an Azure Key Vault secret and update the ARM template to reference it, then enable the Azure Resource Manager access policy for deployments.
Learn to use an ARM template to install a VM extension that domain-joins a Windows VM to a managed domain, with double backslash or UPN usernames and extension naming.
Learn to deploy a Linux-based multi-container group in Azure Container Instances, running a web app container and a sidecar container on the same host with shared lifecycle.
Learn to persist data in Azure container instances by mounting an Azure file share as a volume, ensuring data survives restarts and can be verified via created files.
Explore how restart policies in Azure Container Instances control container uptime, comparing always, on failure, and never, and identify never as running at most once when exit code is 1.
Learn how an ARM template deploys a resource group and a virtual network across subscription and resource group scopes, using nested templates and deployment resources.
Choose two app service plans to host ASP.Net 4.8 on Windows and Python 3.12 on Linux, enabling auto scale, daily backups, and four staging slots; standard S1 is cost-efficient.
Scale the app service plan to at least basic to enable a custom domain. Enable application insights with the recommended collection level to capture traces and identify performance issues.
Demonstrates autoscale for an app service app by simulating 100% CPU with a web job, detailing a 10-minute scale-out condition and a 5-minute cooldown, yielding two instances after 20 minutes.
Explains how to use Azure App Service deployment slots to swap staging with production to restore a last known good site, minimizing downtime and avoiding redeploying.
Explore Azure app service backups, with automatic and custom backups that can include the database, and restore to the same or a different app, and to other deployment slots.
Configure partial backups in Azure App Service to exclude the log files folder using a custom backup and a backup filter file in the Kudu app, performed hourly.
Learn to deploy a resource group and a VNet with Azure Bicep, using modules and a scope property to target the resource group, not the subscription.
Interact with an Azure Kubernetes cluster using kubectl, verify kubectl is installed in Azure Cloud Shell, and learn that kubectl is the Kubernetes command-line interface.
Scale the user node pool in an AKS cluster with the node pool scale command, specifying the pool name for the virtual machine scale set instances.
Acquire cluster credentials with az aks get-credentials to merge into the kube config, then deploy your local yaml manifest to the AKS cluster using kubectl apply.
Upgrade an AKS cluster and its node pool quickly by setting the maximum surge to the node count and running az aks upgrade with updated node pool properties.
Select the correct network configuration for an Azure Kubernetes Service cluster. Choose Azure CNI to support both Linux and Windows containers, and distinguish it from network policy.
Choose Kubenet as the AKS network configuration and apply the Calico network policy to govern pod communication in this Kubernetes networking scenario.
Analyze Azure Kubernetes Service address spaces within a virtual network, explain Kubenet and Azure CNI profiles, and identify node, pod CIDR, and DNS service IPs in the 10.24.0.0/12 space.
Deploy an AKS cluster into an Azure virtual network across regions, noting region and subscription constraints. Compare Azure CNI and Kubernetes network models using Azure CLI for an existing VNet.
Compare Azure CNI and Kubenet networking for AKS deployments in a two-subnet vnet. Size subnets to fit node and pod IP allocations under these network models.
Deploy an Azure Bastion service in a virtual network, requiring a dedicated subnet named AzureBastionSubnet with a size larger than /27 to enable RDP via the Azure portal.
Azure Bastion supports basic and standard SKUs; with eight VMs, the standard SKU enables up to 200 concurrent RDP sessions for basic data-entry workloads.
Open port 3389 on the Bastion subnet to allow RDP to Windows VMs via Azure Bastion; note that portal sessions carry RDP/SSH over port 443.
Evaluate Azure virtual network peering between vnet zero one and vnet zero three to ensure non overlapping address spaces and enough usable IPs for scaling across subscriptions and regions.
Check the address spaces to confirm no overlap; VNet 01 spans 0–15, while VNet 02 is 10.16.30.0/22. Azure supports global virtual network peering, enabling pairing of these networks.
Assess Azure virtual network peering by checking address space overlap between VNet 01 and VNet 04; non-overlapping ranges enable cross-subscription and cross-tenant peering.
Resize vnet address space by editing existing space in Azure portal to /12, ensure no overlaps, then perform remote sync on the peering connection to propagate the update without downtime.
Enable VNet peering between two VNets to allow VM-to-VM communication with high bandwidth and no bandwidth limits, verified by ICMP ping after enabling Windows firewall.
Host two static websites on a standalone VM by using two IP configurations on a single NIC, each with a public IP, avoiding extra NICs and subnet complexity.
Learn how NSGs attach to multiple NICs and subnets across VNets in the same region and subscription, while cross-region associations are not allowed.
Configure inbound NSG rule on port 80 (or 443) to allow external traffic to two Azure VMs behind a load balancer, and associate NSG at subnet level to minimize overhead.
Explore how a subnet-level NSG with outbound ICMP deny affects ping between two Azure VMs, and how stateful rules and effective security rules govern traffic.
Analyze how attaching NSGs to NICs governs ICMP traffic between two VMs in a vnet, highlighting default vnet rules, stateful behavior, and how inbound/outbound ICMP denies affect ping tests.
Create a higher-priority inbound NSG rule to allow ICMP from VM zero three to VMs zero one and zero two, overriding the default deny and enabling selective ping.
Learn to block Power BI access from Azure VMs by creating an outbound NSG rule using the Power BI service tag, while still allowing internet access.
Group the three web server VMs into an application security group via their network interface cards, enabling network policies based on the group names rather than IPs.
For an NSG inbound rule to access an Azure VM, use the private IP as the destination; NSG rules execute before NAT, and private IPs can be static or dynamic.
Learn why three NICs are required for three VMs, each with a dedicated NIC, and how a single NSG using private IP targets traffic across subnets.
Explore how to associate only standard static IPv4 public IP addresses with Azure Firewall, noting basic IP addresses are unsupported and IPv6 is not shown.
Choose a standard sku public IP configured for zone redundancy to deploy a zone-redundant VPN gateway for a site-to-site connection between an Azure virtual network and on-premises network.
Delegate your domain from GoDaddy to an Azure DNS zone by updating the domain's nameservers to Azure, verifying delegation with PowerShell, and validating DNS resolution.
Learn how a custom DNS server in an Azure VNet uses a forward zone. See how an Azure private DNS zone like Bigstep.com interacts with nslookup and forwarding.
Delegate the courses subdomain to a separate Azure DNS zone by adding an NS record in the parent zone and verify with an A record and nslookup.
Explore how Azure DNS resolves domain names using private and public zones, VNet linking, and auto registration to enable cross-network name resolution across peered virtual networks.
Demonstrates linking Azure private DNS zones with virtual networks across locations, explains that zones are global, and contrasts single registration zones with multiple resolution zones.
Configure the storage account routing preference to internet routing to optimize cost for users in North Europe, routing traffic via your ISP network instead of the Microsoft Global Network.
Learn how to configure an Azure SQL firewall to allow only a VM private IP, test the result, and why outbound IP and allow Azure services undermine that restriction.
Enable a virtual network service endpoint for Azure SQL on the subnet, then configure the SQL server firewall to restrict access to that subnet, ensuring VM private IP connections.
Configure a private endpoint for Azure SQL server in a vnet, assign a private IP, and leverage private DNS to keep traffic private, illustrating access implications for VMs.
Explore how auto registration links a private Azure DNS zone to VNets and creates A records for deployed VMs, guiding cross-VNet resolution behavior.
Select the correct public IP for an Azure load balancer front-end by applying SKU rules: basic supports IPv4 only, standard supports IPv4 and IPv6, no mixing.
Enable the Azure service endpoints on a subnet, then apply the service endpoint policy; the subnet must be in the same region as the policy and for Azure Storage accounts.
Explore how service endpoint policies act as whitelists to control access to specific storage accounts from a subnet in a virtual network, with default access implications and multiple policies.
Identify misconfigurations in the load balancer setup and adjust the NSG rule or health probe port to restore access to the web server VM.
Use a virtual network in the front-end IP configuration for internal load balancers, not a public IP, while you can define other resources after creation.
Ensure all backend pool VMs reside in the same virtual network when using a standard Azure load balancer, allowing only VM zero one with VM zero three.
Learn to configure an Azure load balancer to distribute HTTP traffic with a load balancing rule and health probe across a backend pool, and use inbound NAT rules for RDP.
Learn to attach multiple NICs to an Azure VM, up to four on d8as v4 sizes, ensuring all NICs reside in the same VNet and knowing how to add them.
Analyze why enabling IP forwarding on VM zero two's guest OS does not let VM zero one ping VM zero two's secondary NIC, despite multiple NICs and primary NIC behavior.
Enable communication between VMs by adding a default route for the secondary network interface, using the route add command to supply the default gateway and allow pinging across subnets.
Move VM zero one to subnet zero two. Ping VM zero two's secondary NIC to confirm traffic stays in the subnet; no default gateway is required.
Analyze how route tables and a network virtual appliance with IP forwarding enable traffic between virtual machines in Azure, highlighting NIC configurations and next-hop routing.
Configure Azure network security groups to regulate traffic across subnets, enabling RDP to VM zero one, web traffic to VM zero two, and blocking internet to VM zero three.
Back up VMs to a Recovery Services Vault only if the VM is in the same location and not protected by another vault; VMs yield application-consistent and crash-consistent snapshots.
Disable soft delete for backups, delete items in the soft delete state, delete restore points, and remove backup data to delete the recovery services vault. Delete the resource group.
Explore how a backup policy in a Recovery Services Vault manages Azure VM backups, detailing daily, weekly, monthly, and yearly retention and conflict resolution.
Explore how backup vaults in Azure back up different data sources, from disks and blob containers to VMs and file shares, with dedicated backup policies per data source type.
Configure diagnostic settings for a recovery services vault to stream logs and metrics to a log analytics workspace, storage account, or an event hub, with storage regional to the vault.
Learn how to recover a deleted project folder from a recovery point by mounting the disk on multiple VMs across regions using a three-step file recovery process.
Master Azure disaster recovery by performing a test failover to West Europe, showing how the target subnet is chosen—mapped VNet or the first alphabetically, ensuring the same subnet.
Explore how traffic analytics analyzes NSG flow logs in Azure Network Watcher to reveal virtual network traffic, using NSG logs, a storage account, and a Log Analytics workspace.
Use Network Watcher to verify NSG effects on subnet and NIC traffic. Use IP flow verify and NSG diagnostics to see if inbound RDP on port 3389 is allowed.
Use the connection monitor to verify VM-to-VM connectivity, since NSG diagnostics and IP flow verify reflect NSG rules. Enable ICMP on VM02 and monitor round trip time to confirm reachability.
<<The course is updated as per the skills measured on April 18, 2025>>
WHY SHOULD YOU BUY MY AZ-104 AZURE ADMINISTRATOR MOCK TEST?
a. 160+ deeply researched exam questions for AZ 104. I create no more than one question/day to maintain high quality.
b. No simple one-liner questions. Each question is based on your understanding of a scenario. The questions challenge you to understand, apply, and analyze your knowledge.
c. This course comes with both clear and lucid video and text explanations. The text explanations come with product illustrations for easy understanding. You can also go through the video explanations for a more seamless demo.
d. For each question I provide an ARM template/PS Commands to simulate the environment used in the question.
e. For each question I provide a summarized version of the answer (suitable for revisions) and a detailed answer (for in-depth learning).
f. I simulate the actual AZ104 Azure Administrator exam experience for you in the form of drag-and-drop questions, dropdown questions, multiple yes/no questions with a radio button, repeated scenario questions, etc.
g. No dumping of text in a ppt. PPTs are used only to demo architecture to enhance your understanding.
h. Explanations run parallel to the product. Every detailed explanation has corroborating evidence with the Microsoft product (like Microsoft Azure) shown in screenshots and clear callouts.
i. Explanations are NOT directly copied from Microsoft documentation. I have rephrased all the reasoning in a simple and easy-to-understand language.
j. No step-motherly treatment of incorrect answer choices. I took enough effort to explain the rationale for each answer choice (whether correct/wrong), including the reference links.
k. Don't worry about inaccurate sentence framing/wrong grammar/incorrect punctuation. I use Grammarly to review every question.
l. Almost non-existent repetition of questions only to increase the question count.
m. I love to help you succeed. If you need to discuss, we have an Active Q&A dashboard and expect fast responses (save for my sleeping hours, which are generally less).
n. As soon as there is an update from Microsoft, I try to update my course, keeping it always fresh.
o. The question bank is peer-reviewed every three months to ensure exam relevance.
Feel free to connect with me through my website for any issues/questions.
The questions are collected from a variety of domains and sub-domains, with extra care taken to give equal attention to each exam area. Also, the questions are on different levels.
For example:
Remember-level questions test whether you can recall memorized facts and basic concepts.
Understand-level questions validate whether you can explain the meanings of terms and concepts.
Application-level questions test whether you can perform tasks using facts, concepts, and techniques.
Analysis-level questions validate whether you can diagnose situations and solve problems with concepts and techniques.
A mixture of questions at different levels reinforces your knowledge and prepares you to ace the exam.
These are the exam domains covered in the AZ-104 practice exam:
Manage Azure identities and governance (20–25%)
Manage Microsoft Entra users and groups
Create users and groups
Manage user and group properties
Manage licenses in Microsoft Entra ID
Manage external users
Configure self-service password reset (SSPR)
Manage access to Azure resources
Manage built-in Azure roles
Assign roles at different scopes
Interpret access assignments
Manage Azure subscriptions and governance
Implement and manage Azure Policy
Configure resource locks
Apply and manage tags on resources
Manage resource groups
Manage subscriptions
Manage costs by using alerts, budgets, and Azure Advisor recommendations
Configure management groups
Implement and manage storage (15–20%)
Configure access to storage
Configure Azure Storage firewalls and virtual networks
Create and use shared access signature (SAS) tokens
Configure stored access policies
Manage access keys
Configure identity-based access for Azure Files
Configure and manage storage accounts
Create and configure storage accounts
Configure Azure Storage redundancy
Configure object replication
Configure storage account encryption
Manage data by using Azure Storage Explorer and AzCopy
Configure Azure Files and Azure Blob Storage
Create and configure a file share in Azure Storage
Create and configure a container in Blob Storage
Configure storage tiers
Configure soft delete for blobs and containers
Configure snapshots and soft delete for Azure Files
Configure blob lifecycle management
Configure blob versioning
Deploy and manage Azure compute resources (20–25%)
Automate deployment of resources by using Azure Resource Manager (ARM) templates or Bicep files
Interpret an Azure Resource Manager template or a Bicep file
Modify an existing Azure Resource Manager template
Modify an existing Bicep file
Deploy resources by using an Azure Resource Manager template or a Bicep file
Export a deployment as an Azure Resource Manager template or convert an Azure Resource Manager template to a Bicep file
Create and configure virtual machines
Create a virtual machine
Configure Azure Disk Encryption
Move a virtual machine to another resource group, subscription, or region
Manage virtual machine sizes
Manage virtual machine disks
Deploy virtual machines to availability zones and availability sets
Deploy and configure an Azure Virtual Machine Scale Sets
Provision and manage containers in the Azure portal
Create and manage an Azure container registry
Provision a container by using Azure Container Instances
Provision a container by using Azure Container Apps
Manage sizing and scaling for containers, including Azure Container Instances and Azure Container Apps
Create and configure Azure App Service
Provision an App Service plan
Configure scaling for an App Service plan
Create an App Service
Configure certificates and Transport Layer Security (TLS) for an App Service
Map an existing custom DNS name to an App Service
Configure backup for an App Service
Configure networking settings for an App Service
Configure deployment slots for an App Service
Implement and manage virtual networking (15–20%)
Configure and manage virtual networks in Azure
Create and configure virtual networks and subnets
Create and configure virtual network peering
Configure public IP addresses
Configure user-defined network routes
Troubleshoot network connectivity
Configure secure access to virtual networks
Create and configure network security groups (NSGs) and application security groups
Evaluate effective security rules in NSGs
Implement Azure Bastion
Configure service endpoints for Azure platform as a service (PaaS)
Configure private endpoints for Azure PaaS
Configure name resolution and load balancing
Configure Azure DNS
Configure an internal or public load balancer
Troubleshoot load balancing
Monitor and maintain Azure resources (10–15%)
Monitor resources in Azure
Interpret metrics in Azure Monitor
Configure log settings in Azure Monitor
Query and analyze logs in Azure Monitor
Set up alert rules, action groups, and alert processing rules in Azure Monitor
Configure and interpret monitoring of virtual machines, storage accounts, and networks by using Azure Monitor Insights
Use Azure Network Watcher and Connection Monitor
Implement backup and recovery
Create a Recovery Services vault
Create an Azure Backup vault
Create and configure a backup policy
Perform backup and restore operations by using Azure Backup
Configure Azure Site Recovery for Azure resources
Perform a failover to a secondary region by using Site Recovery
Configure and interpret reports and alerts for backups
Course Updates:
v2 - April 2025:
Updated 13 questions.
v1.6 - July 2024:
Updated nearly 46 questions.
v1.5 - June 2024:
Added Short answers for revision section for 32 questions.
v1.4 - June 2024:
Added lab files to simulate environment for 15 questions.
v1.3 - May 2024:
Retired questions related to Azure Kubernetes Service with the [Retired] tag.
v1.2 - April 2023:
1. Changed all references to Azure AD --> Microsoft Entra ID
v1.1 - May 2023:
1. Removed all questions related to AKS, Conditional access.