AZ-104 RENEWAL EXAM (COMPREHENSIVE VERSION) ACTUAL
EXAM QUESTIONS AND CORRECT DETAILED ANSWERS WITH
RATIONALES ALREADY GRADED A+
Question 1
You have an Azure subscription containing a Microsoft Entra ID (formerly Azure AD)
tenant. You need to create a dynamic user group that automatically includes all users whose
"Department" attribute is set to "IT". Which of the following membership rules is
syntactically correct?
A) user.department -eq "IT"
B) user.department -match "IT"
C) (user.department -eq "IT") -and (user.enabled -eq true)
D) department == "IT"
E) user.department = "IT"
Correct Answer: A) user.department -eq "IT"
Rationale: In Microsoft Entra ID dynamic group syntax, the property name is
strictly user.property (lowercase), and the operator for "equals" is -eq. The value must be
in quotes. Option B (-match) is for regular expressions (substrings). Option C adds a
condition not requested (enabled status). Options D and E use incorrect operator syntax
(== and =) for the Azure dynamic query language.
Question 2
You are configuring Azure policies to ensure compliance. You assign a policy with the
"Deny" effect to a Resource Group. If a user attempts to create a resource that violates this
policy, what is the outcome?
A) The resource is created, but it is marked as "Non-Compliant" in the dashboard.
B) The resource is created, but an alert is sent to the administrator.
C) The deployment request is blocked, and the resource is not created.
D) The resource is created in a "Deallocated" state.
E) The resource is created, but a "DeployIfNotExists" remediation task is triggered.
Correct Answer: C) The deployment request is blocked, and the resource is not created.
Rationale: The "Deny" effect prevents a resource request that doesn't match the policy
definition from succeeding. It blocks the request before the resource is instantiated. Only
"Audit" allows creation while flagging it. "DeployIfNotExists" allows creation but
modifies/deploys related resources later.
Question 3
You manage an Azure Storage account named store1 with a Blob container named data.
You want to automatically move blobs that have not been modified for 30 days to the Cool
,[Type here]
access tier. What should you configure?
A) An Azure Logic App with a recurrence trigger.
B) A Lifecycle Management rule on the storage account.
C) A Content Delivery Network (CDN) endpoint.
D) An Azure Automation Runbook.
E) The Access Tier property on the storage account directly.
Correct Answer: B) A Lifecycle Management rule on the storage account.
Rationale: Azure Blob Storage Lifecycle Management offers a rule-based policy that you
can use to transition data to the appropriate access tiers (Hot to Cool, Cool to Archive) or
expire data at the end of its lifecycle based on age (days since modification or creation).
This is the native, no-code solution.
Question 4
You have a virtual machine (VM1) in VNet1 and a virtual machine (VM2) in VNet2. You
configure VNet Peering between VNet1 and VNet2. You verify that VM1 can ping VM2.
However, VM1 cannot resolve the hostname of VM2. What is the most likely reason?
A) VNet Peering does not support ICMP traffic.
B) Azure DNS does not automatically resolve hostnames across peered VNets.
C) The Network Security Group (NSG) is blocking port 53.
D) You did not enable "Gateway Transit" on the peering link.
E) The VMs are in different Availability Zones.
Correct Answer: B) Azure DNS does not automatically resolve hostnames across peered
VNets.
Rationale: Azure-provided DNS resolves hostnames for VMs within the same virtual
network. It does not resolve hostnames across peered virtual networks by default. To
resolve hostnames across peered networks, you must use Azure Private DNS Zones or a
custom DNS server.
Question 5
You are deploying an Azure Virtual Machine using an ARM template. Which section of the
ARM template is mandatory and defines the actual Azure services to be deployed (e.g., the
VM, NIC, Public IP)?
A) parameters
B) variables
C) functions
D) resources
E) outputs
,[Type here]
Correct Answer: D) resources
Rationale: The resources section is the core of the ARM template. It contains the resource
types, API versions, and properties of the specific Azure services
(like Microsoft.Compute/virtualMachines) that you want to deploy. All other sections
(parameters, variables, outputs) are optional helper sections.
Question 6
You need to ensure that a critical application running on Azure Virtual Machines has an
SLA of 99.99%. Which availability configuration must you use?
A) Deploy a single VM with Premium SSD.
B) Deploy two VMs in an Availability Set.
C) Deploy two VMs in different Availability Zones within the same region.
D) Deploy two VMs in different Regions paired via Traffic Manager.
E) Deploy the VMs in a Scale Set with "FD=1".
Correct Answer: C) Deploy two VMs in different Availability Zones within the same region.
Rationale: Azure guarantees an SLA of 99.99% for virtual machine connectivity only when
two or more instances are deployed across two or more Availability Zones in the same
region. An Availability Set (Option B) provides 99.95%. A single VM (Option A) provides
99.9%.
Question 7
You have a resource group named RG1 containing a critical key vault. You want to prevent
the accidental deletion of the key vault, but you still need to allow administrators to read
and modify its secrets. Which type of Resource Lock should you apply?
A) ReadOnly
B) CanNotDelete
C) NotActions
D) DoNotModify
E) ImmutableBlob
Correct Answer: B) CanNotDelete
Rationale: The CanNotDelete lock (also known as "Delete") prevents authorized users
from deleting a resource, but allows them to read and modify it. The ReadOnly lock would
prevent both deletion and modification (making the key vault secrets immutable), which
contradicts the requirement.
, [Type here]
Question 8
You create a Network Security Group (NSG) and attach it to a subnet. You notice that the
"AllowVnetInBound" default rule has a priority of 65000. You want to block all traffic
from a specific internal IP address (10.0.0.5) within the VNet. You create a "Deny" rule for
this IP. What priority should you assign to this new rule?
A) 65500
B) 65001
C) 100
D) 0
E) 70000
Correct Answer: C) 100
Rationale: NSG rules are processed in priority order, from lowest number to highest
number (100 to 4096). Processing stops once a match is found. To override the default
"AllowVnetInBound" rule (Priority 65000), your custom Deny rule must have
a lower number (higher priority). Priority 100 ensures it is processed before 65000.
Question 9
You have an Azure Storage account configured with Geo-Redundant Storage (GRS). A
regional outage occurs in the primary region. Who is responsible for initiating the failover
to the secondary region?
A) It happens automatically by default; no user intervention is required.
B) Microsoft initiates it, unless you have configured customer-managed failover.
C) You (the customer) must manually initiate the failover if you want immediate access, unless
you wait for Microsoft.
D) The Azure Support team must be contacted via ticket to enable it.
E) Failover is managed by the Traffic Manager profile.
Correct Answer: C) You (the customer) must manually initiate the failover if you want
immediate access, unless you wait for Microsoft.
Rationale: With GRS, customers can initiate a failover (Customer-Managed Failover) to
the secondary region if the primary region becomes unavailable. If the customer does not
initiate it, Microsoft will only perform a failover in catastrophic scenarios where the data
cannot be recovered in the primary region. For control, the admin triggers it via the portal
or CLI.
Question 10
You are configuring a "Point-to-Site" VPN connection to allow remote workers to connect
to an Azure VNet. Which authentication method allows you to use Microsoft Entra ID
EXAM QUESTIONS AND CORRECT DETAILED ANSWERS WITH
RATIONALES ALREADY GRADED A+
Question 1
You have an Azure subscription containing a Microsoft Entra ID (formerly Azure AD)
tenant. You need to create a dynamic user group that automatically includes all users whose
"Department" attribute is set to "IT". Which of the following membership rules is
syntactically correct?
A) user.department -eq "IT"
B) user.department -match "IT"
C) (user.department -eq "IT") -and (user.enabled -eq true)
D) department == "IT"
E) user.department = "IT"
Correct Answer: A) user.department -eq "IT"
Rationale: In Microsoft Entra ID dynamic group syntax, the property name is
strictly user.property (lowercase), and the operator for "equals" is -eq. The value must be
in quotes. Option B (-match) is for regular expressions (substrings). Option C adds a
condition not requested (enabled status). Options D and E use incorrect operator syntax
(== and =) for the Azure dynamic query language.
Question 2
You are configuring Azure policies to ensure compliance. You assign a policy with the
"Deny" effect to a Resource Group. If a user attempts to create a resource that violates this
policy, what is the outcome?
A) The resource is created, but it is marked as "Non-Compliant" in the dashboard.
B) The resource is created, but an alert is sent to the administrator.
C) The deployment request is blocked, and the resource is not created.
D) The resource is created in a "Deallocated" state.
E) The resource is created, but a "DeployIfNotExists" remediation task is triggered.
Correct Answer: C) The deployment request is blocked, and the resource is not created.
Rationale: The "Deny" effect prevents a resource request that doesn't match the policy
definition from succeeding. It blocks the request before the resource is instantiated. Only
"Audit" allows creation while flagging it. "DeployIfNotExists" allows creation but
modifies/deploys related resources later.
Question 3
You manage an Azure Storage account named store1 with a Blob container named data.
You want to automatically move blobs that have not been modified for 30 days to the Cool
,[Type here]
access tier. What should you configure?
A) An Azure Logic App with a recurrence trigger.
B) A Lifecycle Management rule on the storage account.
C) A Content Delivery Network (CDN) endpoint.
D) An Azure Automation Runbook.
E) The Access Tier property on the storage account directly.
Correct Answer: B) A Lifecycle Management rule on the storage account.
Rationale: Azure Blob Storage Lifecycle Management offers a rule-based policy that you
can use to transition data to the appropriate access tiers (Hot to Cool, Cool to Archive) or
expire data at the end of its lifecycle based on age (days since modification or creation).
This is the native, no-code solution.
Question 4
You have a virtual machine (VM1) in VNet1 and a virtual machine (VM2) in VNet2. You
configure VNet Peering between VNet1 and VNet2. You verify that VM1 can ping VM2.
However, VM1 cannot resolve the hostname of VM2. What is the most likely reason?
A) VNet Peering does not support ICMP traffic.
B) Azure DNS does not automatically resolve hostnames across peered VNets.
C) The Network Security Group (NSG) is blocking port 53.
D) You did not enable "Gateway Transit" on the peering link.
E) The VMs are in different Availability Zones.
Correct Answer: B) Azure DNS does not automatically resolve hostnames across peered
VNets.
Rationale: Azure-provided DNS resolves hostnames for VMs within the same virtual
network. It does not resolve hostnames across peered virtual networks by default. To
resolve hostnames across peered networks, you must use Azure Private DNS Zones or a
custom DNS server.
Question 5
You are deploying an Azure Virtual Machine using an ARM template. Which section of the
ARM template is mandatory and defines the actual Azure services to be deployed (e.g., the
VM, NIC, Public IP)?
A) parameters
B) variables
C) functions
D) resources
E) outputs
,[Type here]
Correct Answer: D) resources
Rationale: The resources section is the core of the ARM template. It contains the resource
types, API versions, and properties of the specific Azure services
(like Microsoft.Compute/virtualMachines) that you want to deploy. All other sections
(parameters, variables, outputs) are optional helper sections.
Question 6
You need to ensure that a critical application running on Azure Virtual Machines has an
SLA of 99.99%. Which availability configuration must you use?
A) Deploy a single VM with Premium SSD.
B) Deploy two VMs in an Availability Set.
C) Deploy two VMs in different Availability Zones within the same region.
D) Deploy two VMs in different Regions paired via Traffic Manager.
E) Deploy the VMs in a Scale Set with "FD=1".
Correct Answer: C) Deploy two VMs in different Availability Zones within the same region.
Rationale: Azure guarantees an SLA of 99.99% for virtual machine connectivity only when
two or more instances are deployed across two or more Availability Zones in the same
region. An Availability Set (Option B) provides 99.95%. A single VM (Option A) provides
99.9%.
Question 7
You have a resource group named RG1 containing a critical key vault. You want to prevent
the accidental deletion of the key vault, but you still need to allow administrators to read
and modify its secrets. Which type of Resource Lock should you apply?
A) ReadOnly
B) CanNotDelete
C) NotActions
D) DoNotModify
E) ImmutableBlob
Correct Answer: B) CanNotDelete
Rationale: The CanNotDelete lock (also known as "Delete") prevents authorized users
from deleting a resource, but allows them to read and modify it. The ReadOnly lock would
prevent both deletion and modification (making the key vault secrets immutable), which
contradicts the requirement.
, [Type here]
Question 8
You create a Network Security Group (NSG) and attach it to a subnet. You notice that the
"AllowVnetInBound" default rule has a priority of 65000. You want to block all traffic
from a specific internal IP address (10.0.0.5) within the VNet. You create a "Deny" rule for
this IP. What priority should you assign to this new rule?
A) 65500
B) 65001
C) 100
D) 0
E) 70000
Correct Answer: C) 100
Rationale: NSG rules are processed in priority order, from lowest number to highest
number (100 to 4096). Processing stops once a match is found. To override the default
"AllowVnetInBound" rule (Priority 65000), your custom Deny rule must have
a lower number (higher priority). Priority 100 ensures it is processed before 65000.
Question 9
You have an Azure Storage account configured with Geo-Redundant Storage (GRS). A
regional outage occurs in the primary region. Who is responsible for initiating the failover
to the secondary region?
A) It happens automatically by default; no user intervention is required.
B) Microsoft initiates it, unless you have configured customer-managed failover.
C) You (the customer) must manually initiate the failover if you want immediate access, unless
you wait for Microsoft.
D) The Azure Support team must be contacted via ticket to enable it.
E) Failover is managed by the Traffic Manager profile.
Correct Answer: C) You (the customer) must manually initiate the failover if you want
immediate access, unless you wait for Microsoft.
Rationale: With GRS, customers can initiate a failover (Customer-Managed Failover) to
the secondary region if the primary region becomes unavailable. If the customer does not
initiate it, Microsoft will only perform a failover in catastrophic scenarios where the data
cannot be recovered in the primary region. For control, the admin triggers it via the portal
or CLI.
Question 10
You are configuring a "Point-to-Site" VPN connection to allow remote workers to connect
to an Azure VNet. Which authentication method allows you to use Microsoft Entra ID
