Microsoft Azure AZ-104 Administrator 2025 — 55 Q&A Practice Exam Verified Answers
Series: CrashCourses Professional Study Series
Author: Dr Z. Moomba, MBChB, MRCPsych | BethelWellness Ltd
Exam Target: Microsoft Azure AZ-104
Year: 2025/2026
Format: 55 Questions with Verified Answers and Rationales
Author's Note:
This document is an original work produced for the CrashCourses Professional Study Series.
Clinical questions and professional scenarios were composed by Dr Z. Moomba based on current
exam objectives, published guidelines, and evidence-based sources (2024–2025). All patient
names, ages, and case details are fictional. Any resemblance to existing published Q&A banks is
coincidental. For personal study use only — not for reproduction or redistribution.
SECTION A — FOUNDATIONS
1. A healthcare trust is deploying a new patient portal. You need to invite external clinical researchers
to access a specific Azure web app using their existing university credentials. Which Microsoft Entra
ID feature should you configure?
A) Entra ID Domain Services
B) Entra ID B2B Collaboration
C) Entra ID B2C
D) Entra ID Application Proxy
Answer: B
Rationale:
Entra ID B2B Collaboration allows you to invite external guest users to your directory, letting them
sign in using their own identity providers while you maintain control over access to your
resources. The key discriminating factor is the need for external researchers to use their existing
credentials (BYOI) to access an internal resource. Option C (B2C) is tempting but is designed for
customer-facing apps where users sign up with social accounts, not for targeted guest invitations.
Examiner Pearl: Use `az ad user create --user-principal-name` for internal users, but B2B relies on
invitations. Guests receive the `UserType` of Guest. [Microsoft Entra Docs 2025]
2. You are configuring self-service password reset (SSPR) for the oncology department. Security
policy dictates that users must use two methods to reset their password. Which of the following is a
valid combination of authentication methods for SSPR?
A) Email and Security Questions
B) Mobile app notification and Office phone
C) SMS and an alternate email address
D) Microsoft Authenticator app and a hardware OATH token
Answer: A
Rationale:
Email and Security Questions are valid, standard methods that can be combined for SSPR in
Microsoft Entra ID. The key discriminating factor is understanding which methods are officially
supported in the SSPR policy portal. Option B fails because "Office phone" and "Mobile app
notification" cannot always be combined dynamically if the user lacks the app setup. Examiner
Pearl: SSPR requires at least one Azure AD Premium P1 license in the tenant. [NCSC Security
Guidelines 2024]
3. The trust's Chief Medical Information Officer (CMIO) requires that all administrative access to
Azure resources must trigger a multi-factor authentication (MFA) prompt, but only when accessed
from outside the hospital's corporate network. What should you create?
A) An Azure Policy definition
B) A Conditional Access policy
C) A Network Security Group (NSG) rule
D) A Privileged Identity Management (PIM) access review
Answer: B
Rationale:
Conditional Access policies evaluate signals like IP address (named locations), user role, and risk
to enforce decisions like requiring MFA. The key discriminating feature is the requirement to
enforce identity security based on a network location condition. Option A (Azure Policy) is for
resource compliance, not identity-based access control. Examiner Pearl: You can configure
named locations via CLI: `az rest --method post --uri
https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations`. [Microsoft Entra
Docs 2025]
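The two Graph request bodies behind this answer, as an added example (not part of the original study guide): a trusted IP named location, and a Conditional Access policy that targets an admin role on every location except trusted ones and grants access only with MFA. The display names, the 203.0.113.0/24 documentation range and the `APPLY` switch are assumptions made for illustration; the policy is created in report-only state, and the signed-in identity is assumed to be permitted to manage Conditional Access.

```shell
#!/usr/bin/env bash
# Added example: bodies are built locally; nothing is sent unless APPLY=1.
GRAPH="https://graph.microsoft.com/v1.0/identity/conditionalAccess"

# Trusted named location for the corporate egress range.
# $1 = display name, $2 = IPv4 CIDR (constructed sample values are used below).
named_location_body() {
  cat <<EOF
{
  "@odata.type": "#microsoft.graph.ipNamedLocation",
  "displayName": "$1",
  "isTrusted": true,
  "ipRanges": [
    { "@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": "$2" }
  ]
}
EOF
}

# Policy: listed admin roles, Azure management endpoint, all locations except
# trusted ones, grant control = MFA.
# $1 = policy state, remaining args = directory role template IDs.
ca_policy_body() {
  state="$1"; shift
  roles=$(printf '"%s",' "$@"); roles="${roles%,}"
  cat <<EOF
{
  "displayName": "Require MFA for admins outside corporate network",
  "state": "$state",
  "conditions": {
    "users": { "includeRoles": [ $roles ] },
    "applications": { "includeApplications": [ "797f4846-ba00-4fd7-ba43-dac1f8f63013" ] },
    "locations": { "includeLocations": [ "All" ], "excludeLocations": [ "AllTrusted" ] }
  },
  "grantControls": { "operator": "OR", "builtInControls": [ "mfa" ] }
}
EOF
}

GLOBAL_ADMIN="62e90394-69f5-4237-9190-012177145e10"  # Global Administrator role template ID

if [ "${APPLY:-0}" = "1" ]; then
  az rest --method post --uri "$GRAPH/namedLocations" \
    --body "$(named_location_body "Hospital-Corp" "203.0.113.0/24")"
  az rest --method post --uri "$GRAPH/policies" \
    --body "$(ca_policy_body enabledForReportingButNotEnforced "$GLOBAL_ADMIN")"
fi
```

Review the report-only results in the sign-in logs before changing `state` to `enabled`, and keep an emergency-access account excluded so a misconfigured location cannot lock out every administrator.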
4. You need to assign an IT engineer permissions to restart virtual machines in the "Cardiology-RG"
resource group. The engineer must not be able to modify the network interfaces or create new VMs.
Which built-in RBAC role is most appropriate?
A) Contributor
B) Virtual Machine Contributor
C) Reader
D) DevTest Labs User
Answer: B
Rationale:
The Virtual Machine Contributor role lets users manage virtual machines, including starting and
stopping them, but it does not allow them to manage the virtual network or storage account to
which the VM is connected. The key discriminating feature is limiting access strictly to VM
management without network modification. Option A (Contributor) fails because it grants
permission to create and delete any resource in the resource group. Examiner Pearl: You can
assign this via CLI: `az role assignment create --assignee <assignee> --role "Virtual
Machine Contributor" --scope /subscriptions/.../resourceGroups/Cardiology-RG`. [Azure RBAC
Guidelines 2025]
5. A new clinical application requires a custom RBAC role. You are authoring the JSON definition.
Which property must you configure to ensure the role can only be assigned within a specific
management group?
A) Actions
B) NotActions
C) AssignableScopes
D) DataActions
Answer: C
Rationale: