AZ-104 Renewal Exam 2026/2027 |
Verified Questions and Answers
with Detailed Explanations for
Microsoft Azure Administrators
Question 1
You need to configure Azure AD for conditional access so that users can
only sign in from trusted IP addresses. Which Azure service should you
use to implement this policy?
Answer: Conditional Access policies in Azure Active Directory.
Explanation: Conditional Access allows administrators to enforce
access controls based on user, location, device compliance, and risk.
Configuring trusted IPs restricts sign-in to allowed networks, enhancing
security.
Question 2
You are tasked with implementing a role-based access control (RBAC)
model for Azure resources. Which built-in role allows users to create
and manage all resources but not grant access to others?
Answer: Contributor.
Explanation: The Contributor role can manage resources fully but
cannot assign roles to other users. The Owner role includes permission to
assign access, so Contributor is the correct choice for resource
management without access delegation.
Question 3
You need to deploy an Azure Storage account that supports hot and
cool access tiers for blob storage. Which storage account type should
you select?
Answer: General-purpose v2 (GPv2).
Explanation: GPv2 supports all storage services and tiering, including
hot, cool, and archive for blobs, while GPv1 and Blob Storage accounts
have limitations in access tiering.
Question 4
You are configuring Azure Virtual Network peering between two VNets
in the same region. Which statement is correct regarding transitive
peering?
Answer: Peered VNets do not allow transitive connectivity through a
third VNet by default.
Explanation: VNet peering provides direct connectivity between two
VNets. Traffic cannot transit through a third VNet unless you configure
additional routing or use a hub-and-spoke topology.
Question 5
You want to encrypt Azure Storage data at rest using customer-
managed keys. Which feature should you use?
Answer: Azure Key Vault with Storage Service Encryption (SSE) using
CMK.
Explanation: SSE with customer-managed keys allows you to control
encryption keys stored in Key Vault, providing full key lifecycle
management and compliance with organizational policies.
Question 6
You need to monitor an Azure virtual machine for performance metrics
and configure alerts for CPU utilization above 80%. Which service
should you use?
Answer: Azure Monitor.
Explanation: Azure Monitor collects metrics and logs, and allows
configuration of alerts based on thresholds. Metrics like CPU, memory,
and disk utilization can trigger notifications automatically.
Question 7
You are planning to deploy an Azure SQL Database and require
automatic scaling and high availability. Which deployment option
meets this requirement?
Answer: Azure SQL Database managed instance or elastic pool with
auto-scaling.
Explanation: Managed instances support high availability with built-in
redundancy, and elastic pools allow performance scaling across multiple
databases dynamically.
Question 8
You need to ensure multi-factor authentication (MFA) for all
administrative users in Azure AD. Which approach provides the most
secure enforcement?
Answer: Enable Conditional Access policy requiring MFA for
administrative roles.
Explanation: Conditional Access allows you to enforce MFA
selectively for sensitive roles, improving security without forcing MFA
for all users unnecessarily.
Question 9
You plan to deploy multiple VMs and need to ensure automatic
distribution across physical servers for high availability. Which
Azure feature should you use?
Answer: Availability Set.
Explanation: Availability Sets ensure VMs are distributed across fault
and update domains, reducing downtime risk from hardware failures or
planned maintenance.
Question 10
You want to connect an on-premises network to Azure over a secure
VPN. Which Azure service should you use for site-to-site connectivity?
Answer: Azure VPN Gateway (site-to-site VPN).
Explanation: VPN Gateway supports secure IPsec/IKE VPN tunnels
between on-premises and Azure networks, enabling hybrid connectivity.
Question 11
You are implementing Azure Backup for VMs and want to retain daily
backups for 30 days and monthly backups for one year. Which
backup feature allows this?
Answer: Backup policies in Azure Recovery Services vault.
Explanation: Backup policies define retention schedules and
frequencies. You can configure short-term and long-term retention
within the same policy to meet compliance requirements.
Question 12
You need to restrict an Azure Storage account so that only selected
virtual networks and subnets can access it. Which feature should you
enable?
Answer: Storage account firewall and virtual network rules.
Explanation: Storage firewalls allow whitelisting of VNets and IP
ranges to control access at the network level, providing enhanced
security.
Question 13
You are planning a hybrid identity solution and need password hash
synchronization with single sign-on. Which Azure AD feature should
you implement?
Answer: Azure AD Connect with password hash synchronization.
Explanation: Azure AD Connect synchronizes on-premises AD
credentials to Azure AD, enabling users to authenticate to cloud services
with the same password and SSO capabilities.
Question 14
You need to configure Azure Monitor to collect and analyze logs from
multiple resources in a centralized workspace. Which service should
you use?
Answer: Log Analytics workspace.
Explanation: Log Analytics allows collection, aggregation, and
querying of telemetry from multiple Azure resources, enabling
comprehensive monitoring and diagnostics.
Question 15
You are deploying an Azure App Service and need automatic scaling
based on CPU utilization. Which feature provides this functionality?
Answer: Azure App Service autoscale rules.
Explanation: Autoscale allows dynamic adjustment of instance count