AZ-104 Microsoft Azure Administrator – 2025 Mock Exam & Practice Test (Free)

If you are preparing for the AZ-104 Microsoft Azure Administrator certification exam, this free AZ-104 mock exam is designed to help you practice and assess your knowledge before taking the real test. The AZ-104 exam is one of the most in-demand Microsoft certifications in cloud computing and validates your ability to manage, secure, and monitor Azure resources in real enterprise environments.

This AZ-104 practice test covers the key skills measured in the official exam, including:

Managing Azure identities and access (Azure AD, RBAC, groups, roles)
Configuring and managing Azure storage (blob, files, replication, access controls)
Deploying and managing Azure compute resources (VMs, containers, App Services)
Configuring virtual networking (VNets, routing, NSGs, VPNs, private endpoints)
Monitoring resources (Azure Monitor, Log Analytics, alerts, diagnostics)
Implementing backup, disaster recovery, and governance controls

Each question in this Microsoft Azure Administrator practice exam is built to reflect real AZ-104 exam scenarios, giving you a clear understanding of the concepts, difficulty level, and question patterns you’ll encounter during the actual certification.

Why Take This AZ-104 Practice Test?

Get realistic AZ-104 exam questions aligned with the latest 2025 exam outline
Identify your strengths and the areas that require additional study
Improve your confidence before attempting the real Microsoft certification
Reinforce your understanding of core Azure administration concepts
Practice in an environment that simulates the actual AZ-104 testing format

Whether you are new to Azure or already working as a cloud administrator, this practice test will help you evaluate your readiness and close any knowledge gaps before scheduling the real exam.

Who Should Take the AZ-104 Certification?

This certification is ideal for:

Cloud administrators
IT professionals managing Azure environments
System engineers transitioning to cloud roles
Professionals preparing for Azure role-based certifications

If you’re aiming to build a career in cloud administration or prepare for higher-level Azure certifications, AZ-104 is an essential milestone.

/65

AZ-104: Microsoft Azure Administrator — Mock Exam (2025 Update)

Think about how to keep group membership current without manual intervention.

1 / 65

What is the primary advantage of using a dynamic membership rule for a Microsoft Entra group?

It allows guest users to be added to the group automatically.

It is the only way to assign licenses to a group of users.

It provides a higher level of security than assigned membership groups.

It automatically adds or removes members based on user attributes, reducing administrative overhead.

Think about the two points where you can apply traffic filtering rules as data flows towards a virtual machine.

2 / 65

To which two layers can a Network Security Group (NSG) be associated to filter traffic?

Subscription and Management Group

Virtual Network and Resource Group

Public IP Address and Virtual Network Gateway

Network Interface (NIC) and Subnet

Consider the term used to describe connectivity that spans across different geographical locations in Azure.

3 / 65

You are creating a VNet-to-VNet connection to link two virtual networks in different Azure regions. What type of VNet peering should you configure?

Hybrid Peering

Regional Peering

Transitive Peering

Global VNet Peering

Look for a service that operates at a global scale and is designed for web application delivery.

4 / 65

A global company has web applications hosted in multiple Azure regions (US, Europe, Asia). They need a solution to direct users to the closest, best-performing regional endpoint and provide instant global failover. Which service is best suited for this?

Azure Load Balancer

Azure VPN Gateway

Azure Front Door

Azure Application Gateway

Look for a feature specifically designed to protect resources from accidental modification or deletion, even by administrators.

5 / 65

An organization is migrating its on-premises servers to Azure. The finance team wants to implement a solution that prevents accidental deletion of critical resources like production virtual machines. Which Azure feature should be used?

Resource Tags

Resource Locks

Azure Policy

Role-Based Access Control (RBAC)

Look for a feature within the Entra ID user management blade designed for managing many users at once.

6 / 65

An administrator needs to create multiple user accounts in Microsoft Entra ID. The user information is available in a CSV file. What is the most efficient method to create these accounts in the Azure portal?

Use the 'Bulk create' user operation and upload the prepared CSV file.

Create each user account manually, one by one, using the 'New user' wizard.

Write a PowerShell script using the `New-AzADUser` cmdlet.

Add the users to an on-premises Active Directory and wait for Microsoft Entra Connect to synchronize them.

Think about the common technology used to create a secure, encrypted connection across the internet.

7 / 65

A custom application running on an Azure VM needs to connect to an on-premises SQL Server database. The connection must be secure and travel over the public internet. Which Azure networking service is designed to create an encrypted tunnel between an Azure VNet and an on-premises network?

Azure Private Link

Azure VPN Gateway

VNet Peering

Azure Load Balancer

Think about the lifecycle of a backup after it has been created.

8 / 65

You are configuring a backup policy for an Azure VM. What does the 'retention' setting define?

The Azure region where the backup data will be stored.

How long each recovery point (backup) is kept before it is deleted.

The time of day the backup job will start.

The number of concurrent backup jobs that can run.

Think about what information you might need to retrieve *after* a template deployment has finished.

9 / 65

What is the function of the `outputs` section in an ARM template?

To return values from the deployed resources, such as a VM's public IP address or a storage account's connection string.

To list the Azure resources, such as virtual machines and storage accounts, that will be created or updated.

To declare variables that can be reused throughout the template to simplify expressions.

To define the input values, like resource names or sizes, that are required when the template is deployed.

Look for the feature that creates a network interface card (NIC) for a PaaS service within your own virtual network.

10 / 65

You need to implement a solution that allows Azure resources in a VNet to securely access Azure PaaS services like Azure SQL Database over a private IP address, effectively bringing the service into your VNet. Which feature should you use?

Service Endpoints

VNet Peering

User-Defined Routes (UDRs)

Azure Private Link

Think about the developer and authoring experience when writing Infrastructure as Code.

11 / 65

What is the primary benefit of using Azure Bicep compared to using ARM templates in JSON?

Bicep provides a simpler and more concise syntax, making templates easier to write and read.

Bicep templates deploy resources significantly faster than ARM templates.

Bicep supports a wider range of Azure resources than ARM templates.

Bicep is the only way to manage dependencies between resources.

Consider the object that connects a VNet to a private DNS zone.

12 / 65

You need to create a private DNS zone for name resolution within a VNet. What is required to enable automatic registration of VM DNS records in this private zone?

Deploy an Azure DNS Private Resolver into the VNet.

Create a virtual network link between the VNet and the private DNS zone, and enable auto-registration.

Manually create an A record for each VM after it is deployed.

Configure the VM's network interface to point to the private DNS zone's IP address.

Review the list of standard reservations for protocol, gateway, and broadcast functions.

13 / 65

You are configuring a Network Security Group (NSG) and notice that Azure reserves five IP addresses within each subnet. Which of the following is NOT one of the reasons for these reserved addresses?

The first address is reserved as the network address.

An address is reserved for the Azure DNS resolver.

The last address is reserved as the broadcast address.

The second address is reserved by Azure for the default gateway.

Think about which layer of the OSI model this service operates at.

14 / 65

You are creating a new Standard tier Azure Load Balancer. What type of traffic can it distribute?

Only traffic between different Azure regions.

Only DNS resolution requests.

Only HTTP and HTTPS traffic.

TCP and UDP traffic.

Consider the highest-level object used to organize multiple Azure subscriptions.

15 / 65

Which of the following describes a 'management group' in the Azure governance hierarchy?

A logical container that allows you to manage access, policy, and compliance for multiple subscriptions.

The physical Azure region where resources are deployed.

A collection of users in Microsoft Entra ID who are granted the same permissions.

A container for Azure resources like VMs and storage accounts that share the same lifecycle.

Think of the hierarchy of resources used in Azure File Sync. What is the top-level object you create first?

16 / 65

When configuring Azure File Sync, what is the role of the Storage Sync Service?

It is the specific file share in the cloud that stores the synchronized data.

It is the agent software installed on the on-premises Windows Server.

It is a top-level Azure resource that represents the sync relationship and contains sync groups.

It is a network endpoint used to accelerate data transfer between on-premises and Azure.

Consider what determines the performance, features, and cost of the environment where your web app is hosted.

17 / 65

What is the primary function of the Azure App Service Plan?

It defines the DNS name and URL for a specific web application.

It defines the set of compute resources (region, SKU, and instance count) on which your web apps run.

It manages the SSL/TLS certificates for the web applications.

It is a container for organizing multiple web applications for billing purposes.

Think about the state of the resources while the Azure Resource Manager is re-associating them with a new group.

18 / 65

An Azure Administrator needs to move several existing resources, including a VM, a storage account, and a VNet, from 'ResourceGroupA' to 'ResourceGroupB' within the same subscription. What is a key consideration for this operation?

The move operation will also change the Azure region of the resources to match the region of the destination resource group.

Only resources of the same type can be moved in a single operation.

During the move, both the source and destination resource groups are locked, and resources cannot be modified.

The virtual machine must be deallocated before it can be moved.

Consider the mechanism designed specifically for time-bound, permission-scoped delegated access to storage resources.

19 / 65

An administrator needs to grant a third-party application temporary, specific permissions to upload files to a single blob container. Which method provides the most secure, least-privileged access for this task?

Configure a firewall rule on the storage account to allow the application's IP address.

Assign the Storage Blob Data Contributor role to the application's service principal.

Provide one of the storage account access keys.

Create a Shared Access Signature (SAS) token.

Think about how Azure can verify you control a domain name that is managed by an external registrar.

20 / 65

When configuring a custom domain for an Azure App Service, what is the purpose of creating a TXT record in your DNS zone?

To prove that you have ownership of the custom domain before Azure will map it to your app.

To route application traffic from the custom domain to the App Service's IP address.

To configure the Web Application Firewall (WAF) for the custom domain.

To enable the automatic renewal of the App Service Managed Certificate.

Consider the geographical scope of protection offered by each redundancy option.

21 / 65

An administrator is setting up a Recovery Services vault for Azure VM backups. What is the difference between Locally-redundant storage (LRS) and Geo-redundant storage (GRS) for the vault's storage redundancy?

LRS stores three copies of data in a single datacenter, while GRS stores three copies across multiple datacenters in the same region.

LRS stores three copies of the data in a single physical location, while GRS copies the data to a secondary region hundreds of miles away.

LRS is for VM backups, while GRS is for SQL database backups.

LRS stores one copy of data locally, while GRS stores six copies in a paired region.

Consider where container images need to be stored before they can be deployed.

22 / 65

What is the primary role of the Azure container registry (ACR)?

To monitor the performance and health of running containers.

To define the network policies for container-to-container communication.

To provide a private, managed registry for storing and managing Docker and OCI container images.

To run and orchestrate containers at scale.

Think about the path traffic takes as it enters and leaves a virtual network's subnet.

23 / 65

A virtual machine has an NSG associated with its network interface and another NSG associated with its subnet. How is traffic evaluated?

For inbound traffic, the subnet NSG is evaluated first, followed by the NIC NSG. For outbound, the order is reversed.

Only the NSG on the subnet is processed.

Only the NSG on the network interface is processed.

The rules from both NSGs are merged, and the rule with the lowest priority number is applied.

Think about a feature that gives an Azure resource its own identity within Microsoft Entra ID.

24 / 65

A web application hosted in an Azure App Service needs to securely access a connection string stored in Azure Key Vault. What is the recommended method to grant the App Service access without storing credentials in the application's code or configuration?

Create a SAS token for the Key Vault and place it in the application settings.

Hardcode the Key Vault access key directly into the application's source code.

Enable a system-assigned managed identity for the App Service and grant it access to the Key Vault.

Store the Key Vault connection string in the `appsettings.json` file of the web application.

Think about a feature that allows you to stage a new version of your application before making it live to the public.

25 / 65

A developer wants to test a new version of their web application without impacting the production version. The application is hosted in an Azure App Service. Which feature should they use?

Enable autoscaling to create a new instance for the new version.

Use a deployment slot to host the new version, then swap it with the production slot.

Create a new App Service Plan and deploy the new version there.

Configure a backup of the production app and restore it to a new App Service.

Consider how this feature changes the network path that traffic takes to reach a PaaS service.

26 / 65

What is the primary security benefit of using Azure Private Endpoints for PaaS services?

It automatically applies Web Application Firewall (WAF) rules to the PaaS service.

It prevents data from being exposed to the public internet by assigning a private IP from your VNet to the service.

It encrypts data in transit over the public internet.

It eliminates the need for multi-factor authentication for administrators.

Think about how to provide low-latency access to an Azure file share from an on-premises location.

27 / 65

What is the key difference between Azure File Sync and a standard Azure Files share?

Azure File Sync has a lower storage capacity limit than a standard Azure Files share.

Azure File Sync allows you to centralize file shares in Azure Files and keep an on-premises Windows Server as a fast, local cache of the data.

Azure Files shares can be accessed via SMB protocol, whereas Azure File Sync uses NFS only.

Azure File Sync is used for blob storage, while Azure Files is for file shares.

Look for the tool that provides a consolidated view of rules from both the NIC-level and subnet-level NSGs.

28 / 65

An Azure Administrator needs to view the effective security rules applied to a specific network interface (NIC) of a virtual machine. Which Azure Network Watcher tool should be used for this purpose?

Connection troubleshoot

NSG diagnostics

Effective security rules

IP flow verify

Look for the log that records all management plane operations performed on your subscription's resources.

29 / 65

An administrator wants to query the last 24 hours of activity in their subscription to see who deleted a specific resource. Which Azure Monitor feature should they use?

Metrics

Activity Log

Service Health

Application Insights

Consider the certification that serves as the primary entry point for understanding cloud concepts on Azure.

30 / 65

Which of the following is considered a 'Foundational' level Microsoft Azure certification?

AZ-305: Designing Microsoft Azure Infrastructure Solutions

AZ-900: Microsoft Azure Fundamentals

AZ-104: Microsoft Azure Administrator

DP-203: Data Engineering on Microsoft Azure

Consider the numerical property that dictates which rule gets evaluated first.

31 / 65

Which component of an NSG rule determines its processing order relative to other rules in the same NSG?

Protocol

Action

Priority

Source Port

Consider the option that requires the most specific commitment in terms of instance type and location.

32 / 65

Which pricing model in Azure provides the greatest discount in exchange for a one- or three-year commitment to a specific virtual machine family in a specific region?

Pay-as-you-go

Azure Savings Plans for compute

Azure Reserved Virtual Machine Instances

Azure Spot Virtual Machines

Consider the group type that is integrated with the broader Microsoft 365 suite of collaboration tools.

33 / 65

An organization wants to provide its employees with access to a shared mailbox, calendar, and SharePoint site for a specific project. Which type of Microsoft Entra group is best suited for this collaborative purpose?

Security group

Distribution group

Dynamic group

Microsoft 365 group

The term 'polyglot' means 'knowing or using several languages.' Apply this concept to data storage technologies.

34 / 65

When designing an Azure Storage solution, what does 'polyglot persistence' refer to in a typical cloud design?

Encrypting data using multiple different encryption algorithms for added security.

Using a mix of different storage technologies to handle different types of data, choosing the best technology for each specific need.

Storing all data, regardless of its type or structure, in a single, large relational database.

Replicating data across multiple geographic regions for disaster recovery.

Think about which layers of the technology stack are abstracted away for the customer in a PaaS offering.

35 / 65

What is the primary difference between Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) in the shared responsibility model?

In IaaS, the customer manages the operating system, middleware, and runtime, whereas in PaaS, Microsoft manages these for the customer.

In PaaS, the customer is responsible for managing the data and access, while in IaaS, Microsoft manages them.

In IaaS, the customer manages the physical datacenter, while in PaaS, Microsoft manages it.

There is no difference in the shared responsibility model between IaaS and PaaS.

Consider the 'managed service' aspect of AKS and what components Microsoft abstracts away from the customer.

36 / 65

When deploying a containerized application with Azure Kubernetes Service (AKS), what is the customer's responsibility regarding the AKS control plane?

The customer must manually upgrade the Kubernetes version of the control plane.

The customer pays for the control plane nodes based on their size and uptime.

The customer must provision, manage, patch, and scale the VMs for the control plane nodes.

The customer is responsible for configuring the network routing for the control plane.

Consider the part of the alert rule where you specify the threshold and the metric to be evaluated.

37 / 65

An administrator is creating an alert rule in Azure Monitor. The goal is to be notified when the number of failed requests for a web app exceeds 100 over a 5-minute period. What component of the alert rule defines this condition?

The Signal Logic

The Target Resource

The Log Analytics Query

The Action Group

Look for a governance service that can audit or enforce rules during resource creation.

38 / 65

Your organization wants to ensure that all newly created storage accounts have 'Secure transfer required' enabled. Which Azure service is best suited to enforce this rule across the entire subscription?

Azure Policy

Azure Monitor

Microsoft Defender for Cloud

Azure Advisor

Look for the tool whose name directly relates to copying data in an Azure context.

39 / 65

Which command-line utility is specifically designed for high-performance copying of data to and from Azure Storage?

Azure PowerShell (`Az`)

Azure CLI (`az`)

AzCopy

Robocopy

Think about what happens after an alert rule's condition is met.

40 / 65

What is the purpose of an 'Action Group' in Azure Monitor?

To apply a set of RBAC permissions to multiple users simultaneously.

To define a collection of notifications and actions that are triggered by an alert.

To create a logical grouping of virtual machines for load balancing.

To group a collection of resources for applying a single Azure Policy.

The name of the model itself provides a clue to its fundamental philosophy.

41 / 65

A team is adopting a 'Zero Trust' security model. Which of the following is a core principle of this model?

Provide users with standing administrator privileges to avoid access delays.

Focus security controls only on the network perimeter.

Verify explicitly, use least privileged access, and assume breach.

Trust all traffic originating from inside the corporate network by default.

Think about a service that acts as a secure 'jump box' or proxy for administrative access to VMs.

42 / 65

What is the primary function of Azure Bastion?

To provide a managed web application firewall (WAF) for App Services.

To enable secure RDP and SSH access to virtual machines directly through the Azure portal without public IP exposure on the VM.

To act as a global DNS-based load balancer for web traffic.

To manage and rotate secrets, keys, and certificates used by Azure services.

Consider how a load balancer knows which of its backend servers are currently available to serve requests.

43 / 65

What is the role of a 'health probe' in an Azure Load Balancer configuration?

To monitor the overall cost of the backend pool instances.

To apply Network Security Group rules to the backend instances.

To periodically check the health of the instances in the backend pool and stop sending traffic to unhealthy instances.

To trigger an autoscale event to add more instances to the backend pool.

Look for the service in the Azure portal that is dedicated to the financial aspects of your subscription.

44 / 65

You are managing costs in Azure and want to analyze spending and create budgets. Which service provides tools for cost analysis, budgets, and exporting cost data?

Azure Advisor

Azure Policy

Azure Cost Management + Billing

Azure Monitor

Consider a solution that involves physically shipping a storage device.

45 / 65

You need to copy 20 TB of data from an on-premises datacenter to Azure Blob Storage. The on-premises location has a slow and unreliable internet connection. Which Azure service offers an offline data transfer solution?

Azure Data Box.

AzCopy command-line utility.

Azure File Sync.

Azure Site Recovery.

Consider the difference between Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) in terms of management responsibility.

46 / 65

When comparing Azure SQL Database and SQL Server on Azure Virtual Machines, which option provides the highest level of administrative control, including OS-level access?

Azure SQL Database (Elastic Pool)

Azure SQL Managed Instance

SQL Server on Azure Virtual Machines

Azure SQL Database (Serverless tier)

Focus on the components of an Availability Set: fault domains and update domains.

47 / 65

You are designing a high-availability solution for virtual machines within a single Azure region. What is the purpose of placing VMs in an Availability Set?

To group VMs for easier management and application of network security group rules.

To distribute VMs across different physical locations within a region to protect against datacenter-level failures.

To protect VMs from a region-wide outage.

To ensure VMs are spread across multiple physical hardware racks (fault domains) and receive updates at different times (update domains) within a datacenter.

Look for a service designed for disaster recovery and business continuity through continuous replication.

48 / 65

An organization has a business-critical application running on Azure VMs and requires a Recovery Point Objective (RPO) of less than one minute. Which Azure service is best suited for this requirement?

Azure Backup with the standard policy.

Azure File Sync.

Storage account replication (GRS).

Azure Site Recovery (ASR).

Think about the cost trade-off between storing data and accessing data.

49 / 65

When using Azure Blob Storage lifecycle management, what is a common reason to create a rule that moves blobs from the Hot tier to the Cool tier?

To increase data access performance for blobs that are accessed more frequently.

To prepare data for offline archival with the longest retrieval times.

To reduce storage costs for data that is accessed less frequently but still needs to be immediately available.

To enable geo-replication for the storage account.

Consider a compute model where you don't have to think about servers at all.

50 / 65

What is the primary characteristic of an Azure 'serverless' compute service like Azure Functions?

The service runs continuously, and you are billed a fixed monthly fee regardless of usage.

It requires the user to provision and manage the underlying virtual machine operating system.

The platform automatically manages the compute infrastructure, and code is executed in response to events or triggers.

It is designed exclusively for hosting containerized applications using Docker.

Look for the term that implies a connection to both on-premises and cloud directories.

51 / 65

Which Azure Active Directory (now Microsoft Entra ID) device state is intended for devices that are owned by the organization and are joined to both an on-premises Active Directory and Microsoft Entra ID?

Microsoft Entra hybrid joined

Microsoft Entra joined

Microsoft Entra registered

Microsoft Entra managed

Think about the concept of Infrastructure as Code (IaC) and how it applies to Azure.

52 / 65

What is the primary purpose of using an Azure Resource Manager (ARM) template?

To define the infrastructure and configuration of Azure resources in a declarative JSON file for repeatable deployments.

To securely connect an on-premises network to an Azure Virtual Network.

To provide real-time monitoring and alerting for Azure resources.

To apply granular access control permissions to users and groups.

Consider which load balancing service operates at the application layer (Layer 7) to inspect HTTP request details.

53 / 65

A company requires a load balancing solution that can distribute HTTP/HTTPS traffic to a set of web servers based on the URL path of the incoming request. For example, requests for '/images/*' should go to one pool of VMs, and '/videos/*' should go to another. Which Azure service is most appropriate?

Azure Load Balancer (Standard SKU)

Azure Application Gateway

Azure Virtual WAN

Azure Traffic Manager

Think about the standard document that defines the address blocks for private internets.

54 / 65

An administrator is deploying a virtual network (VNet) in Azure and needs to plan the IP address space. It is highly recommended to use address ranges from which specification for private, non-internet routable addresses?

RFC 791

RFC 1918

RFC 2544

IEEE 802.3

Focus on what 'Zone' refers to in the context of Azure regional architecture.

55 / 65

You have an Azure storage account with the redundancy option set to Zone-Redundant Storage (ZRS). What level of protection does this provide?

Data is replicated synchronously across three physically separate Availability Zones within the primary region.

Data is replicated to a secondary region hundreds of miles away.

Data is replicated across three different Azure regions.

Data is replicated three times within a single physical datacenter.

Consider how Azure handles conflicts when a broad permission is granted but a more specific permission within that scope needs to be denied.

56 / 65

A developer needs to create a custom role that allows users to restart virtual machines but explicitly prevents them from stopping (deallocating) them. How does Azure RBAC process these permissions?

The 'Allow' action for restarting will always override a 'Deny' action for stopping.

Both 'Actions' and 'NotActions' must be defined in separate, competing role assignments.

The 'NotActions' property will deny the specified action, even if it is part of a wildcard in 'Actions'.

Permissions are processed based on the alphabetical order of the action strings.

Think of the feature that allows a service to dynamically respond to changes in demand.

57 / 65

A company wants to automatically adjust the number of running VM instances in a Virtual Machine Scale Set (VMSS) based on CPU load. What feature should they configure?

Azure Backup policy

VMSS Autoscale rules

Availability Set

Azure Load Balancer health probes

Focus on how high availability is achieved *within* a single Azure region.

58 / 65

Which of the following statements accurately describes Azure Availability Zones?

They are physically separate locations within an Azure region, each with independent power, cooling, and networking.

They are multiple Azure regions that are paired for disaster recovery.

They are used exclusively for storing geo-redundant backups.

They are logically separate datacenters within a single Azure building.

Think of the service that collects security data from many sources for threat detection, investigation, and automated response.

59 / 65

Which Azure service provides a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution?

Azure Monitor

Azure Policy

Microsoft Sentinel

Microsoft Defender for Cloud

The prefix 'e-' often relates to 'exit' or 'out'. Consider the direction of data flow.

60 / 65

You are reviewing an Azure bill and see charges for 'Data Egress'. What does this term typically refer to?

The cost of data being transferred out of an Azure datacenter to the internet or another region.

The cost of data being transferred into an Azure datacenter from the internet.

The cost of CPU and memory used by virtual machines.

The cost of storing data in an Azure Storage Account.

Consider what is needed to gather data from *inside* the virtual machine's operating system.

61 / 65

An administrator needs to collect performance counters and event logs from the guest operating system of an Azure VM. Which component must be configured?

The VM's public IP address

A Log Analytics workspace data collection rule

The VM's Network Security Group (NSG)

The VM's diagnostic settings

Think about the difference between adding more instances (horizontal scaling) versus increasing the power of existing instances (vertical scaling).

62 / 65

You are deploying an Azure Web App and want to ensure that if the average CPU utilization exceeds 75% for 10 minutes, a new instance is added. What feature of the App Service Plan should you configure?

Deployment Slots

Application Insights

Scale up (App Service Plan)

Scale out (App Service Plan)

Think about how you would override the default system route that sends traffic directly to the internet.

63 / 65

You need to create a route table in Azure to force all internet-bound traffic from a subnet through a Network Virtual Appliance (NVA) for inspection. What is this technique called?

VNet Peering

Service Endpointing

Network Address Translation (NAT)

Forced Tunneling

Look for a VM feature that allows for post-deployment configuration and automation inside the guest OS.

64 / 65

An administrator needs to deploy a custom script to a new Windows virtual machine at creation time to install specific software. Which feature should be used to achieve this?

Azure Monitor Agent

Azure Bastion

Azure Policy

VM Custom Script Extension

Consider what happens to data that has been written to the temporary cache but not yet committed to the persistent disk.

65 / 65

A virtual machine's OS disk is configured with Read/write host caching. What is the potential risk associated with this configuration?

Inability to attach additional data disks to the virtual machine.

Increased read latency for frequently accessed data.

Data loss in the event of an unexpected system shutdown or host failure.

Higher storage costs compared to disabling the cache.

Your score is