AZ-104 Practice Exam Free

Table of Contents

AZ-104 Practice Exam Free – 50 Questions to Simulate the Real Exam

Are you getting ready for the AZ-104 certification? Take your preparation to the next level with our AZ-104 Practice Exam Free – a carefully designed set of 50 realistic exam-style questions to help you evaluate your knowledge and boost your confidence.

Using a AZ-104 practice exam free is one of the best ways to:

Experience the format and difficulty of the real exam
Identify your strengths and focus on weak areas
Improve your test-taking speed and accuracy

Below, you will find 50 realistic AZ-104 practice exam free questions covering key exam topics. Each question reflects the structure and challenge of the actual exam.

Question 1

You have an Azure subscription that contains the virtual networks shown in the following table.

All the virtual networks are peered. Each virtual network contains nine virtual machines.
You need to configure secure RDP connections to the virtual machines by using Azure Bastion.
What is the minimum number of Bastion hosts required?

A. 1

B. 3

C. 9

D. 10

Question 2

HOTSPOT -
You have an Azure subscription that contains the resources shown in the following table.

You plan to create a data collection rule named DCR1 in Azure Monitor.
Which resources can you set as data sources in DCR1, and which resources can you set as destinations in DCR1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:

Box 1: VM1 only -
A virtual machine may have an association to multiple DCRs, and a DCR may have multiple virtual machines associated to it.
In the Resources tab, add the resources (virtual machines, virtual machine scale sets, Arc for servers) that should have the Data Collection Rule applied.
Box 2: Workspace1 only -
On the Destination tab, add one or more destinations for the data source. You can select multiple destinations of same of different types, for instance multiple Log
Analytics workspaces (i.e. "multi-homing").
Note: The Data Collection Rules (or DCR) improve on a few key areas of data collection from VMs including like better control and scoping of data collection (e.g. collect from a subset of VMs for a single workspace), collect once and send to both Log Analytics and Azure Monitor Metrics, send to multiple workspaces (multi- homing for Linux), improved Windows event filtering, and improved extension management.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent

Question 3

You have an Azure subscription that contains the resources in the following table.

VM1 and VM2 are deployed from the same template and host line-of-business applications.
You configure the network security group (NSG) shown in the exhibit. (Click the Exhibit tab.)

You need to prevent users of VM1 and VM2 from accessing websites on the Internet over TCP port 80.
What should you do?

A. Disassociate the NSG from a network interface

B. Change the Port_80 inbound security rule.

C. Associate the NSG to Subnet1.

D. Change the DenyWebSites outbound security rule.

Suggested Answer: C

You can associate or dissociate a network security group from a network interface or subnet.
The NSG has the appropriate rule to block users from accessing the Internet. We just need to associate it with Subnet1.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group

Question 4

You have an Azure subscription that contains the Microsoft Entra identities shown in the following table.

You need to enable self-service password reset (SSPR).
For which identities can you enable SSPR in the Azure portal?

A. User1 only

B. Group1 only

C. User1 and Group1 only

D. Group1 and Group2 only

E. User1, Group1, and Group2

Suggested Answer: C

Question 5

Overview -
Litware, Inc. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York office has 200 employees.
All the resources used by Litware are hosted on-premises.
Litware creates a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain named litware.onmicrosoft.com. The tenant uses the
Premium P1 pricing tier.
Existing Environment -
The network contains an Active Directory forest named litware.com. All domain controllers are configured as DNS servers and host the litware.com DNS zone.
Litware has finance, human resources, sales, research, and information technology departments. Each department has an organizational unit (OU) that contains all the accounts of that respective department. All the user accounts have the department attribute set to their respective department. New users are added frequently.
Litware.com contains a user named User1.
All the offices connect by using private connections.
Litware has data centers in the Montreal and Seattle offices. Each office has a firewall that can be configured as a VPN device.
All infrastructure servers are virtualized. The virtualization environment contains the servers in the following table.

Litware uses two web applications named App1 and App2. Each instance on each web application requires 1 GB of memory.
The Azure subscription contains the resources in the following table.

The network security team implements several network security groups (NSGs)
Requirements -
Planned Changes -
Litware plans to implement the following changes:
Deploy Azure ExpressRoute to the Montreal office.
Migrate the virtual machines hosted on Server1 and Server2 to Azure.
Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
Migrate App1 and App2 to two Azure web apps named WebApp1 and WebApp2.
Technical Requirements -
Litware must meet the following technical requirements:
Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instances.

Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.
Ensure that routing information is exchanged automatically between Azure and the routers in the Montreal office.
Enable Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.litware.com.
Connect the New York office to VNet1 over the Internet by using an encrypted connection.
Create a workflow to send an email message when the settings of VM4 are modified.
Create a custom Azure role named Role1 that is based on the Reader role.
Minimize costs whenever possible.
HOTSPOT -
You need to meet the connection requirements for the New York office.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:

Box 1: Create a virtual network gateway and a local network gateway.
Azure VPN gateway. The VPN gateway service enables you to connect the VNet to the on-premises network through a VPN appliance. For more information, see
Connect an on-premises network to a Microsoft Azure virtual network. The VPN gateway includes the following elements:
✑ Virtual network gateway. A resource that provides a virtual VPN appliance for the VNet. It is responsible for routing traffic from the on-premises network to the
VNet.
✑ Local network gateway. An abstraction of the on-premises VPN appliance. Network traffic from the cloud application to the on-premises network is routed through this gateway.
✑ Connection. The connection has properties that specify the connection type (IPSec) and the key shared with the on-premises VPN appliance to encrypt traffic.
✑ Gateway subnet. The virtual network gateway is held in its own subnet, which is subject to various requirements, described in the Recommendations section below.
Box 2: Configure a site-to-site VPN connection
On premises create a site-to-site connection for the virtual network gateway and the local network gateway.

Scenario: Connect the New York office to VNet1 over the Internet by using an encrypted connection.
Incorrect Answers:
Azure ExpressRoute: Established between your network and Azure, through an ExpressRoute partner. This connection is private. Traffic does not go over the internet.
Reference:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/vpn

Question 6

HOTSPOT -
You have an Azure subscription named Subscription1 that contains the quotas shown in the following table.

You deploy virtual machines to Subscription1 as shown in the following table.

You plan to deploy the virtual machines shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:

The total regional vCPUs is 20 so that means a maximum total of 20 vCPUs across all the different VM sizes. The deallocated VM with 16 vCPUs counts towards the total. VM20 and VM1 are using 18 of the maximum 20 vCPUs leaving only two vCPUs available.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/quotas

Question 7

DRAG DROP -
You have an Azure Linux virtual machine that is protected by Azure Backup.
One week ago, two files were deleted from the virtual machine.
You need to restore the deleted files to an on-premises Windows Server 2016 computer as quickly as possible.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:

Suggested Answer:

Step 1: From the Azure portal, click File Recovery from the vault
Step 2. Select a restore point that contains the deleted files
Step 3: Download and run the script to mount a drive on the local computer
Generate and download script to browse and recover files:
Step 4: Copy the files using File Explorer!
After the disks are attached, use Windows File Explorer to browse the new volumes and files. The restore files functionality provides access to all files in a recovery point. Manage the files via File Explorer as you would for normal files.
Step 1-3 below:
To restore files or folders from the recovery point, go to the virtual machine and perform the following steps:
1. Sign in to the Azure portal and in the left pane, select Virtual machines. From the list of virtual machines, select the virtual machine to open that virtual machine's dashboard.
2. In the virtual machine's menu, select Backup to open the Backup dashboard.
3. In the Backup dashboard menu, select File Recovery.

The File Recovery menu opens.

4. From the Select recovery point drop-down menu, select the recovery point that holds the files you want. By default, the latest recovery point is already selected.
5. Select Download Executable (for Windows Azure VMs) or Download Script (for Linux Azure VMs, a python script is generated) to download the software used to copy files from the recovery point.
Running the script and identifying volumes:
For Linux machines, a python script is generated. Download the script and copy it to the relevant/compatible Linux server.
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm
https://docs.microsoft.com/en-us/azure/backup/backup-azure-vms-automation#restore-files-from-an-azure-vm-backup

Question 8

DRAG DROP -
Your company has an Azure subscription that includes a number of Azure virtual machines (VMs), which are all part of the same virtual network.
Your company also has an on-premises Hyper-V server that hosts a VM, named VM1, which must be replicated to Azure.
Which of the following objects that must be created to achieve this goal? Answer by dragging the correct option from the list to the answer area.
Select and Place:

Suggested Answer:

Question 9

HOTSPOT -
You have an Azure subscription that contains the virtual networks shown in the following table.

The subscription contains the private DNS zones shown in the following table.

You add virtual network links to the private DNS zones as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:

Reference:
https://docs.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links
https://docs.microsoft.com/en-us/azure/dns/private-dns-autoregistration

Question 10

You have an Azure subscription named Subscription1.
You have 5 TB of data that you need to transfer to Subscription1.
You plan to use an Azure Import/Export job.
What can you use as the destination of the imported data?

A. Azure File Storage

B. an Azure Cosmos DB database

C. Azure Data Factory

D. Azure SQL Database

Suggested Answer: A

Reference:
https://docs.microsoft.com/en-us/azure/import-export/storage-import-export-service

Question 11

HOTSPOT -
You plan to deploy five virtual machines to a virtual network subnet.
Each virtual machine will have a public IP address and a private IP address.
Each virtual machine requires the same inbound and outbound security rules.
What is the minimum number of network interfaces and network security groups that you require? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:

Box 1: 5 -
A public and a private IP address can be assigned to a single network interface.
Box 2: 1 -
You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. The same network security group can be associated to as many subnets and network interfaces as you choose.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface-addresses

Question 12

DRAG DROP -
You have an Azure subscription that contains two virtual networks named VNet1 and VNet2. Virtual machines connect to the virtual networks.
The virtual networks have the address spaces and the subnets configured as shown in the following table.

You need to add the address space of 10.33.0.0/16 to VNet1. The solution must ensure that the hosts on VNet1 and VNet2 can communicate.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:

Suggested Answer:

Step 1: Remove peering between Vnet1 and VNet2.
You can't add address ranges to, or delete address ranges from a virtual network's address space once a virtual network is peered with another virtual network.
To add or remove address ranges, delete the peering, add or remove the address ranges, then re-create the peering.
Step 2: Add the 10.44.0.0/16 address space to VNet1.
Step 3: Recreate peering between VNet1 and VNet2
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering

Question 13

HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant that contains three global administrators named Admin1, Admin2, and Admin3.
The tenant is associated to an Azure subscription. Access control for the subscription is configured as shown in the Access control exhibit. (Click the Access
Control tab.)

You sign in to the Azure portal as Admin1 and configure the tenant as shown in the Tenant exhibit. (Click the Tenant tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:

Box 1: No -
Only Admin3, the owner, can assign ownership.
Box 2: Yes -
Box 3: No -
Reference:
https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/add-change-subscription-administrator

Question 14

HOTSPOT -
You need to create an Azure Storage account that meets the following requirements:
✑ Minimizes costs
✑ Supports hot, cool, and archive blob tiers
✑ Provides fault tolerance if a disaster affects the Azure region where the account resides
How should you complete the command? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:

Box 1: StorageV2 -
You may only tier your object storage data to hot, cool, or archive in Blob storage and General Purpose v2 (GPv2) accounts. General Purpose v1 (GPv1) accounts do not support tiering.
General-purpose v2 accounts deliver the lowest per-gigabyte capacity prices for Azure Storage, as well as industry-competitive transaction prices.
Box 2: Standard_GRS -
Geo-redundant storage (GRS): Cross-regional replication to protect against region-wide unavailability.
Incorrect Answers:
Locally-redundant storage (LRS): A simple, low-cost replication strategy. Data is replicated within a single storage scale unit.
Read-access geo-redundant storage (RA-GRS): Cross-regional replication with read access to the replica. RA-GRS provides read-only access to the data in the secondary location, in addition to geo-replication across two regions, but is more expensive compared to GRS.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-grs
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers

Question 15

You have an Azure subscription that contains a storage account named storage1 in the North Europe Azure region.
You need to ensure that when blob data is added to storage1, a secondary copy is created in the East US region. The solution must minimize administrative effort.
What should you configure?

A. operational backup

B. object replication

C. geo-redundant storage (GRS)

D. a lifecycle management rule

Suggested Answer: C

Question 16

You have an Azure subscription that contains a storage account named storage1.
You have the devices shown in the following table.

From which devices can you use AzCopy to copy data to storage1?

A. Device 1 only

B. Device1, Device2 and Device3

C. Device1 and Device2 only

D. Device1 and Device3 only

Suggested Answer: B

Question 17

You have an Azure subscription that contains a container group named Group1. Group1 contains two Azure container instances as shown in the following table.

You need to ensure that container2 can use CPU resources without negatively affecting container1.
What should you do?

A. Increase the resource limit of container1 to three CPUs.

B. Increase the resource limit of container2 to six CPUs.

C. Remove the resource limit for both containers.

D. Decrease the resource limit of container2 to two CPUs.

Suggested Answer: D

Question 18

You have an Azure subscription named Subscription1 that contains virtual network named VNet1. VNet1 is in a resource group named RG1.
User named User1 has the following roles for Subscription1:
• Reader
• Security Admin
• Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users.
What should you do?

A. Remove User1 from the Security Reader and Reader roles for Subscription1. Assign User1 the Contributor role for Subscription1.

B. Remove User1 from the Security Reader role for Subscription1. Assign User1 the Contributor role for RG1.

C. Assign User1 the Network Contributor role for VNet1.

D. Assign User1 the User Access Administrator role for VNet1.

Suggested Answer: D

Question 19

You have a Recovery Services vault named RSV1. RSV1 has a backup policy that retains instant snapshots for five days and daily backup for 14 days.
RSV1 performs daily backups of VM1. VM1 hosts a static website that was updated eight days ago.
You need to recover VM1 to a point eight days ago. The solution must minimize downtime.
What should you do first?

A. Deallocate VM1.

B. Restore VM1 by using the Replace existing restore configuration option.

C. Delete VM1.

D. Restore VM1 by using the Create new restore configuration option.

Suggested Answer: B

Replace existing:
You can restore a disk, and use it to replace a disk on the existing VM.
The current VM must exist. If it's been deleted, this option can't be used.
Azure Backup takes a snapshot of the existing VM before replacing the disk, and stores it in the staging location you specify. Existing disks connected to the VM are replaced with the selected restore point.
The snapshot is copied to the vault, and retained in accordance with the retention policy.
After the replace disk operation, the original disk is retained in the resource group. You can choose to manually delete the original disks if they aren't needed.
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms

Question 20

You have an Azure AD tenant named contoso.com.
You have an Azure subscription that contains an Azure App Service web app named App1 and an Azure key vault named KV1. KV1 contains a wildcard certificate for contoso.com.
You have a user named
user1@contoso.com
that is assigned the Owner role for App1 and KV1.
You need to configure App1 to use the wildcard certificate of KV1.
What should you do first?

A. Create an access policy for KV1 and assign the Microsoft Azure App Service principal to the policy.

B. Assign a managed user identity to App1.

C. Configure KV1 to use the role-based access control (RBAC) authorization system.

D. Create an access policy for KV1 and assign the policy to User1.

Suggested Answer: A

Question 21

Your company has three virtual machines (VMs) that are included in an availability set.
You try to resize one of the VMs, which returns an allocation failure message.
It is imperative that the VM is resized.
Which of the following actions should you take?

A. You should only stop one of the VMs.

B. You should stop two of the VMs.

C. You should stop all three VMs.

D. You should remove the necessary VM from the availability set.

Suggested Answer: C

If the VM you wish to resize is part of an availability set, then you must stop all VMs in the availability set before changing the size of any VM in the availability set.
The reason all VMs in the availability set must be stopped before performing the resize operation to a size that requires different hardware is that all running VMs in the availability set must be using the same physical hardware cluster. Therefore, if a change of physical hardware cluster is required to change the VM size then all VMs must be first stopped and then restarted one-by-one to a different physical hardware clusters.
Reference:
https://azure.microsoft.com/es-es/blog/resize-virtual-machines/

Question 22

HOTSPOT -
You have an Azure subscription that contains the resources shown in the following table.

NSG1 is configured as shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:

Question 23

DRAG DROP -
You have an on-premises file server named Server1 that runs Windows Server 2016.
You have an Azure subscription that contains an Azure file share.
You deploy an Azure File Sync Storage Sync Service, and you create a sync group.
You need to synchronize files from Server1 to Azure.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:

Suggested Answer:

Step 1: Install the Azure File Sync agent on Server1
The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share
Step 2: Register Server1.
Register Windows Server with Storage Sync Service
Registering your Windows Server with a Storage Sync Service establishes a trust relationship between your server (or cluster) and the Storage Sync Service.
Step 3: Add a server endpoint -
Create a sync group and a cloud endpoint.
A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept in sync with each other. A sync group must contain one cloud endpoint, which represents an Azure file share and one or more server endpoints. A server endpoint represents a path on registered server.
Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide

Question 24

You have an Azure subscription. The subscription contains virtual machines that run Windows Server.
You have a data collection rule (DCR) named Rule1.
You plan to use the Azure Monitor Agent to collect events from Windows System event logs.
You only need to collect system events that have an ID of 1001.
Which type of query should you use for the data source in Rule1?

A. SQL

B. XPath

C. KQL

Suggested Answer: B

Question 25

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the virtual machines shown in the following table.

You deploy a load balancer that has the following configurations:
✑ Name: LB1
✑ Type: Internal
✑ SKU: Standard
✑ Virtual network: VNET1
You need to ensure that you can add VM1 and VM2 to the backend pool of LB1.
Solution: You create two Standard SKU public IP addresses and associate a Standard SKU public IP address to the network interface of each virtual machine.
Does this meet the goal?

A. Yes

B. No

Suggested Answer: A

A Backend Pool configured by IP address has the following limitations:
✑ Standard load balancer only
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/backend-pool-management

Question 26

Your on-premises network contains an SMB share named Share1.
You have an Azure subscription that contains the following resources:
✑ A web app named webapp1
✑ A virtual network named VNET1
You need to ensure that webapp1 can connect to Share1.
What should you deploy?

A. an Azure Application Gateway

B. an Azure Active Directory (Azure AD) Application Proxy

C. an Azure Virtual Network Gateway

Suggested Answer: C

A Site-to-Site VPN gateway connection can be used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel.
This type of connection requires a VPN device, a VPN gateway, located on-premises that has an externally facing public IP address assigned to it.
Incorrect Answers:
B: Application Proxy is a feature of Azure AD that enables users to access on-premises web applications from a remote client.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

Question 27

You have an Azure subscription that contains the resources shown in the following table.

You create a route table named RT1 in the East US Azure region.
To which resources can you associate RT1?

A. VNet1 only

B. Subnet1 only

C. VNet1 and NIC1 only

D. Subnet1 and NIC1 only

E. VNet1, Subnet1, and NIC1

Suggested Answer: B

Question 28

You have an Azure virtual machine named VM1 that runs Windows Server 2019.
You save VM1 as a template named Template1 to the Azure Resource Manager library.
You plan to deploy a virtual machine named VM2 from Template1.
What can you configure during the deployment of VM2?

A. operating system

B. administrator username

C. virtual machine size

D. resource group

Suggested Answer: B

When deploying a virtual machine from a template, you must specify:
✑ the Resource Group name and location for the VM
✑ the administrator username and password
✑ an unique DNS name for the public IP
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/ps-template

Question 29

Your company has a Microsoft Azure subscription.
The company has datacenters in Los Angeles and New York.
You are configuring the two datacenters as geo-clustered sites for site resiliency.
You need to recommend an Azure storage redundancy option.
You have the following data storage requirements:
✑ Data must be stored on multiple nodes.
✑ Data must be stored on nodes in separate geographic locations.
✑ Data can be read from the secondary location as well as from the primary location.
Which of the following Azure stored redundancy options should you recommend?

A. Geo-redundant storage

B. Read-only geo-redundant storage

C. Zone-redundant storage

D. Locally redundant storage

Suggested Answer: B

RA-GRS allows you to have higher read availability for your storage account by providing ג€read onlyג€ access to the data replicated to the secondary location. Once you enable this feature, the secondary location may be used to achieve higher availability in the event the data is not available in the primary region. This is an
ג€opt-inג€ feature which requires the storage account be geo-replicated.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy

Question 30

You have an Azure DNS zone named adatum.com.
You need to delegate a subdomain named research.adatum.com to a different DNS server in Azure.
What should you do?

A. Create an NS record named research in the adatum.com zone.

B. Create a PTR record named research in the adatum.com zone.

C. Modify the SOA record of adatum.com.

D. Create an A record named *.research in the adatum.com zone.

Suggested Answer: A

You need to create a name server (NS) record for the zone.
Reference:
https://docs.microsoft.com/en-us/azure/dns/delegate-subdomain

Question 31

HOTSPOT
-
Your network contains an on-premises Active Directory Domain Services (AD DS) domain.
The domain contains the identities shown in the following table.

You have an Azure subscription that contains a storage account named storage1. The file shares in storage1 have an identity source of AD DS and Default share-level permissions set to Enable permissions for all authenticated users and groups.
You create an Azure Files share named share1 that has the roles shown in the following table.

You have a Microsoft Entra tenant that contains a cloud-only user named User3.
You use Microsoft Entra Connect to sync OU1 from the AD DS domain to the Microsoft Entra tenant.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Suggested Answer:

Question 32

Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company has an Azure Active Directory (Azure AD) tenant named weyland.com that is configured for hybrid coexistence with the on-premises Active
Directory domain.
You have a server named DirSync1 that is configured as a DirSync server.
You create a new user account in the on-premise Active Directory. You now need to replicate the user information to Azure AD immediately.
Solution: You restart the NetLogon service on a domain controller.
Does the solution meet the goal?

A. Yes

B. No

Suggested Answer: B

Question 33

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site connection uses a self-signed certificate.
From Azure, you download and install the VPN client configuration package on a computer named Computer2.
You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2.
Solution: You modify the Azure Active Directory (Azure AD) authentication policies.
Does this meet the goal?

A. Yes

B. No

Suggested Answer: B

Instead export the client certificate from Computer1 and install the certificate on Computer2.
Note:
Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site

Question 34

You have an Azure subscription named Subscription1 that contains virtual network named VNet1. VNet1 is in a resource group named RG1.
A user named User1 has the following roles for Subscription1:
• Reader
• Security Admin
• Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users.
What should you do?

A. Assign User1 the Contributor role for VNet1.

B. Assign User1 the Network Contributor role for VNet1.

C. Assign User1 the User Access Administrator role for VNet1.

D. Remove User1 from the Security Reader and Reader roles for Subscription1. Assign User1 the Contributor role for Subscription1.

Suggested Answer: C

Question 35

You have an Azure subscription that uses the public IP addresses shown in the following table.

You need to create a public Azure Standard Load Balancer.
Which public IP addresses can you use?

A. IP1, IP2, and IP3

B. IP2 only

C. IP3 only

D. IP1 and IP3 only

Suggested Answer: C

Matching SKUs are required for load balancer and public IP resources. You can't have a mixture of Basic SKU resources and standard SKU resources.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses

Question 36

HOTSPOT
-
You have an Azure AD tenant named contoso.com.
You have two external partner organizations named fabrikam.com and litwareinc.com. Fabrikam.com is configured as a connected organization.
You create an access package as shown in the Access package exhibit. (Click the Access package tab.)

You configure the external user lifecycle settings as shown in the Lifecycle exhibit. (Click the Lifecycle tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Suggested Answer:

Question 37

HOTSPOT -
You have an Azure virtual network named VNet1 that connects to your on-premises network by using a site-to-site VPN. VNet1 contains one subnet named
Sunet1.
Subnet1 is associated to a network security group (NSG) named NSG1. Subnet1 contains a basic internal load balancer named ILB1. ILB1 has three Azure virtual machines in the backend pool.
You need to collect data about the IP addresses that connects to ILB1. You must be able to run interactive queries from the Azure portal against the collected data.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:

Box 1: An Azure Log Analytics workspace
In the Azure portal you can set up a Log Analytics workspace, which is a unique Log Analytics environment with its own data repository, data sources, and solutions
Box 2: ILB1 -
Reference:
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-quick-create-workspace
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-diagnostics

Question 38

HOTSPOT -
You plan to create an Azure Storage account in the Azure region of East US 2.
You need to create a storage account that meets the following requirements:
✑ Replicates synchronously.
✑ Remains available if a single data center in the region fails.
How should you configure the storage account? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:

Box 1: Zone-redundant storage (ZRS)
Zone-redundant storage (ZRS) replicates your data synchronously across three storage clusters in a single region.
LRS would not remain available if a data center in the region fails
GRS and RA GRS use asynchronous replication.
Box 2: StorageV2 (general purpose V2)
ZRS only support GPv2.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-zrs

Question 39

You have an Azure subscription. The subscription contains virtual machines that connect to a virtual network named VNet1.
You plan to configure Azure Monitor for VM Insights.
You need to ensure that all the virtual machines only communicate with Azure Monitor through VNet1.
What should you create first?

A. a data collection rule (DCR)

B. a Log Analytics workspace

C. an Azure Monitor Private Link Scope (AMPLS)

D. a private endpoint

Suggested Answer: C

Question 40

Your company has three offices. The offices are located in Miami, Los Angeles, and New York. Each office contains datacenter.
You have an Azure subscription that contains resources in the East US and West US Azure regions. Each region contains a virtual network. The virtual networks are peered.
You need to connect the datacenters to the subscription. The solution must minimize network latency between the datacenters.
What should you create?

A. three Azure Application Gateways and one On-premises data gateway

B. three virtual hubs and one virtual WAN

C. three virtual WANs and one virtual hub

D. three On-premises data gateways and one Azure Application Gateway

Suggested Answer: C

Reference:
https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about

Question 41

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
You have a CSV file that contains the names and email addresses of 500 external users.
You need to create a guest user account in contoso.com for each of the 500 external users.
Solution: From Azure AD in the Azure portal, you use the Bulk create user operation.
Does this meet the goal?

A. Yes

B. No

Suggested Answer: B

Instead use the New-AzureADMSInvitation cmdlet which is used to invite a new external user to your directory.
Reference:
https://docs.microsoft.com/en-us/powershell/module/azuread/new-azureadmsinvitation

Question 42

HOTSPOT
-
You have the Azure virtual machines shown in the following table.

VNET1, VNET2, and VNET3 are peered.
VM4 has a DNS server that is authoritative for a zone named contoso.com and contains the records shown in the following table.

The virtual networks are configured to use the DNS servers shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Suggested Answer:

Question 43

HOTSPOT
-
Your company purchases a new Azure subscription.
You create a file named Deploy.json as shown in the following exhibit.

You connect to the subscription and run the following cmdlet.
New-AzDeployment -Location westus -TemplateFile “deploy.json”
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Suggested Answer:

Question 44

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.
You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.
You need to ensure that visitors are serviced by the same web server for each request.
What should you configure?

A. Session persistence to None

B. a health probe

C. Session persistence to Client IP

D. Idle Time-out (minutes) to 20

Suggested Answer: C

Question 45

Overview -
ADatum Corporation is consulting firm that has a main office in Montreal and branch offices in Seattle and New York.
Existing Environment -
Azure Environment -
ADatum has an Azure subscription that contains three resource groups named RG1, RG2, and RG3.
The subscription contains the storage accounts shown in the following table.

The subscription contains the virtual machines shown in the following table.

The subscription has an Azure container registry that contains the images shown in the following table.

The subscription contains the resources shown in the following table.

Azure Key Vault -
The subscription contains an Azure key vault named Vault1.
Vault1 contains the certificates shown in the following table.

Vault1 contains the keys shown in the following table.

Microsoft Entra Environment -
ADatum has a Microsoft Entra tenant named adatum.com that is linked to the Azure subscription and contains the users shown in the following table.

The tenant contains the groups shown in the following table.

The adatum.com tenant has a custom security attribute named Attribute1.
Planned Changes -
ADatum plans to implement the following changes:
• Configure a data collection rule (DCR) named DCR1 to collect only system events that have an event ID of 4648 from VM2 and VM4.
• In storage1, create a new container named cont2 that has the following access policies: o Three stored access policies named Stored1, Stored2, and Stored3 o A legal hold for immutable blob storage
• Whenever possible, use directories to organize storage account content.
• Grant User1 the permissions required to link Zone1 to VNet1.
• Assign Attribute1 to supported adatum.com resources.
• In storage2, create an encryption scope named Scope1.
• Deploy new containers by using Image1 or Image2.
Technical Requirements -
ADatum must meet the following technical requirements:
• Use TLS for WebApp1.
• Follow the principle of least privilege.
• Grant permissions at the required scope only.
• Ensure that Scope1 is used to encrypt storage services.
• Use Azure Backup to back up cont1 and share1 as frequently as possible.
• Whenever possible, use Azure Disk Encryption and a key encryption key (KEK) to encrypt the virtual machines.
You need to implement the planned changes for the storage account content.
Which containers and file shares can you use to organize the content?

A. share1 only

B. cont1 and share1 only

C. share1 and share2 only

D. cont1, share1, and share2 only

E. cont1, cont2, share1, and share2

Suggested Answer: B

Question 46

Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company has an azure subscription that includes a storage account, a resource group, a blob container and a file share.
A colleague named Jon Ross makes use of a solitary Azure Resource Manager (ARM) template to deploy a virtual machine and an additional Azure Storage account.
You want to review the ARM template that was used by Jon Ross.
Solution: You access the Virtual Machine blade.
Does the solution meet the goal?

A. Yes

B. No

Suggested Answer: B

You should use the Resource Group blade
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-export-template

Question 47

HOTSPOT
-
You have an Azure subscription that contains the alerts shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.

Suggested Answer:

Question 48

HOTSPOT -
You have a virtual network named VNET1 that contains the subnets shown in the following table:

You have Azure virtual machines that have the network configurations shown in the following table:

For NSG1, you create the inbound security rule shown in the following table:

For NSG2, you create the inbound security rule shown in the following table:

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:

Box 1: Yes -
The inbound security rule for NSG1 allows TCP port 1433 from 10.10.2.0/24 (or Subnet2 where VM2 and VM3 are located) to 10.10.1.0/24 (or Subnet1 where
VM1 is located) while the inbound security rule for NSG2 blocks TCP port 1433 from 10.10.2.5 (or VM2) to 10.10.1.5 (or VM1). However, the NSG1 rule has a higher priority (or lower value) than the NSG2 rule.
Box 2: Yes -
No rule explicitly blocks communication from VM1. The default rules, which allow communication, are thus applied.
Box 3: Yes -
No rule explicitly blocks communication between VM2 and VM3 which are both on Subnet2. The default rules, which allow communication, are thus applied.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

Question 49

HOTSPOT
-
You have an Azure subscription that uses Azure Container Instances.
You have a computer that has Azure Command-Line Interface (CLI) and Docker installed.
You create a container image named image1.
You need to provision a new Azure container registry and add image1 to the registry.
Which command should you run for each requirement? To answer, select the options in the answer area.
NOTE: Each correct answer is worth one point.

Suggested Answer:

Question 50

HOTSPOT
-
You have an Azure AD tenant named adatum.com that contains the groups shown in the following table.

Adatum.com contains the users shown in the following table.

You assign an Azure Active Directory Premium P2 license to Group1 as shown in the following exhibit.

Group2 is NOT directly assigned a license.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Suggested Answer:

Free Access Full AZ-104 Practice Exam Free

Looking for additional practice? Click here to access a full set of AZ-104 practice exam free questions and continue building your skills across all exam domains.

Our question sets are updated regularly to ensure they stay aligned with the latest exam objectives—so be sure to visit often!

Good luck with your AZ-104 certification journey!