Azure AZ-104 Exam Dumps | Free Microsoft Azure Practice Test

The free Azure AZ-104 practice test is the ultimate tool for administrators aiming to validate their skills in the Microsoft cloud ecosystem. The Azure Administrator Associate certification is known for its rigorous testing of practical knowledge, covering everything from virtual networking to identity management. Whether you are a seasoned pro or new to the cloud, testing your knowledge against realistic scenarios is the only way to ensure success.

Note: The full interactive practice test is available immediately at the bottom of this post.

Free Azure AZ-104 Practice Test: 50+ Essential Questions to Pass Fast

Why You Need Reliable Practice Questions

Many candidates fall into the trap of using unverified azure az-104 exam dumps found on random forums. These often contain outdated information that can lead to failure. To pass the AZ-104, you need to understand the why behind the answers. Our free Microsoft Azure practice tests are designed to challenge your understanding of the core architectural components of Azure.

Below, we break down high-impact topics you will encounter on the exam, derived from our comprehensive question bank.

Mastering Identity and Governance in Azure

Identity is the new firewall. A significant portion of the AZ-104 exam focuses on Microsoft Entra ID (formerly Azure AD) and governance.

Understanding RBAC and Deny Assignments

One common area of confusion is how Azure Role-Based Access Control (RBAC) processes permissions. For example, if you need to create a custom role that allows users to restart VMs but explicitly prevents them from stopping (deallocating) them, you must understand the NotActions property.

In Azure RBAC, the NotActions property explicitly removes permissions from the Actions list. If your role includes a wildcard for virtual machines in Actions but lists the deallocate action in NotActions, the user will be denied the ability to stop the VM. This specific exclusion is a critical concept for least-privileged access.

Protecting Critical Resources

Governance also involves protecting resources from accidental deletion. If a finance team needs to ensure production VMs are never deleted, even by accident, Resource Locks are the solution. Specifically, a CanNotDelete lock prevents modification or deletion, serving as a safeguard that overrides standard permissions until the lock is removed.

https://learn.microsoft.com/en-us/azure/governance/policy/overview

Azure Storage Implementation Scenarios

Storage questions on the exam often present specific business requirements, such as cost optimization or data migration.

Handling Massive Data Migrations

You may face a scenario where you need to copy 20 TB of data from an on-premises datacenter to Azure Blob Storage, but the internet connection is slow and unreliable. While tools like AzCopy are great for online transfers, they fail in low-bandwidth scenarios.

The correct answer here is Azure Data Box. This is a physical appliance Microsoft ships to your location. You load your data onto it locally and ship it back. It is the definitive offline data transfer solution for large datasets.

Lifecycle Management and Cost

Azure Blob Storage lifecycle management is essential for optimizing costs. A common exam question asks why you would move blobs from the Hot tier to the Cool tier. The Cool tier offers lower storage costs for data that is accessed infrequently but must remain available for immediate access (unlike Archive tier, which requires rehydration time).

https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-overview

Configuring Azure Compute Resources

Whether it is Virtual Machines (VMs), Kubernetes, or App Services, you must know how to scale and secure compute resources.

Scaling Web Apps

Understanding the difference between vertical and horizontal scaling is vital. If an exam question asks how to add a new instance when CPU utilization exceeds 75%, you are looking for Scale Out (horizontal scaling). Scaling Up refers to increasing the power (RAM/CPU) of an existing machine, whereas Scaling Out adds more machines to the pool.

High Availability with Availability Sets

For high availability within a single datacenter, you use Availability Sets. These protect against localized hardware failures by distributing VMs across different Fault Domains (physical racks) and Update Domains. While Availability Zones protect against datacenter-level failures, Availability Sets are the standard for rack-level redundancy.

Virtual Networking: The Core of AZ-104

Networking is often considered the hardest part of the exam. You must master connectivity, load balancing, and name resolution.

Global VNet Peering

If you need to connect a VNet in the US to a VNet in Europe, you must configure Global VNet Peering. This allows resources in different regions to communicate using the Microsoft backbone network with high bandwidth and low latency, without the need for gateways or public internet.

Load Balancing: Layer 4 vs. Layer 7

You must distinguish between the different load balancers.

Azure Load Balancer: Works at Layer 4 (Transport). It distributes TCP/UDP traffic based on IP and port.
Application Gateway: Works at Layer 7 (Application). It creates routing decisions based on URL paths (e.g., /images vs /videos) and handles SSL termination.

If a question asks for URL-path-based routing, Application Gateway is the only correct choice among standard load balancers.

Secure Access with Bastion

For secure management, Azure Bastion is a critical service. It provides secure RDP and SSH connectivity to your VMs directly from the Azure portal over SSL. This eliminates the need to expose a public IP address on your virtual machines, significantly reducing your attack surface.

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview

Monitoring and Backup Recovery

The final piece of the puzzle is ensuring your environment is observable and recoverable.

RPO and Disaster Recovery

For business-critical applications requiring a Recovery Point Objective (RPO) of less than one minute, Azure Site Recovery (ASR) is the superior choice. ASR provides near-synchronous replication, whereas standard backups usually have a much higher RPO.

Action Groups

In Azure Monitor, when an alert triggers (like high CPU or failed requests), it needs to know what to do. This is defined by an Action Group. An action group is a collection of notification preferences (email, SMS) and automated actions (Logic Apps, Webhooks) that execute when the alert condition is met.

Conclusion

Passing the AZ-104 requires more than just memorizing answers; it requires deep conceptual knowledge. By using high-quality resources like our free Microsoft Azure practice tests, you can identify your weak points and turn them into strengths. Do not rely on questionable azure az-104 exam dumps. Stick to verified, expert-explained questions to guarantee your certification success. Please do not forget to checkout other free Microsoft Azure Practice Tests on CertyBuddy.com: https://certybuddy.com/practice-tests/?vendor=azure

Ready to test your skills? Take the full interactive quiz below!

/65

AZ-104: Microsoft Azure Administrator — Mock Exam (2025 Update)

Consider the part of the alert rule where you specify the threshold and the metric to be evaluated.

1 / 65

An administrator is creating an alert rule in Azure Monitor. The goal is to be notified when the number of failed requests for a web app exceeds 100 over a 5-minute period. What component of the alert rule defines this condition?

The Target Resource

The Log Analytics Query

The Action Group

The Signal Logic

Consider how Azure handles conflicts when a broad permission is granted but a more specific permission within that scope needs to be denied.

2 / 65

A developer needs to create a custom role that allows users to restart virtual machines but explicitly prevents them from stopping (deallocating) them. How does Azure RBAC process these permissions?

Both 'Actions' and 'NotActions' must be defined in separate, competing role assignments.

The 'Allow' action for restarting will always override a 'Deny' action for stopping.

Permissions are processed based on the alphabetical order of the action strings.

The 'NotActions' property will deny the specified action, even if it is part of a wildcard in 'Actions'.

Consider the highest-level object used to organize multiple Azure subscriptions.

3 / 65

Which of the following describes a ‘management group’ in the Azure governance hierarchy?

A container for Azure resources like VMs and storage accounts that share the same lifecycle.

The physical Azure region where resources are deployed.

A collection of users in Microsoft Entra ID who are granted the same permissions.

A logical container that allows you to manage access, policy, and compliance for multiple subscriptions.

Consider what happens to data that has been written to the temporary cache but not yet committed to the persistent disk.

4 / 65

A virtual machine’s OS disk is configured with Read/write host caching. What is the potential risk associated with this configuration?

Inability to attach additional data disks to the virtual machine.

Data loss in the event of an unexpected system shutdown or host failure.

Higher storage costs compared to disabling the cache.

Increased read latency for frequently accessed data.

Look for the tool that provides a consolidated view of rules from both the NIC-level and subnet-level NSGs.

5 / 65

An Azure Administrator needs to view the effective security rules applied to a specific network interface (NIC) of a virtual machine. Which Azure Network Watcher tool should be used for this purpose?

Connection troubleshoot

Effective security rules

IP flow verify

NSG diagnostics

Think of the feature that allows a service to dynamically respond to changes in demand.

6 / 65

A company wants to automatically adjust the number of running VM instances in a Virtual Machine Scale Set (VMSS) based on CPU load. What feature should they configure?

Azure Load Balancer health probes

Availability Set

Azure Backup policy

VMSS Autoscale rules

Consider the difference between Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) in terms of management responsibility.

7 / 65

When comparing Azure SQL Database and SQL Server on Azure Virtual Machines, which option provides the highest level of administrative control, including OS-level access?

Azure SQL Managed Instance

Azure SQL Database (Elastic Pool)

Azure SQL Database (Serverless tier)

SQL Server on Azure Virtual Machines

Think about a feature that gives an Azure resource its own identity within Microsoft Entra ID.

8 / 65

A web application hosted in an Azure App Service needs to securely access a connection string stored in Azure Key Vault. What is the recommended method to grant the App Service access without storing credentials in the application’s code or configuration?

Hardcode the Key Vault access key directly into the application's source code.

Enable a system-assigned managed identity for the App Service and grant it access to the Key Vault.

Create a SAS token for the Key Vault and place it in the application settings.

Store the Key Vault connection string in the `appsettings.json` file of the web application.

Look for the log that records all management plane operations performed on your subscription’s resources.

9 / 65

An administrator wants to query the last 24 hours of activity in their subscription to see who deleted a specific resource. Which Azure Monitor feature should they use?

Activity Log

Application Insights

Service Health

Metrics

Consider the group type that is integrated with the broader Microsoft 365 suite of collaboration tools.

10 / 65

An organization wants to provide its employees with access to a shared mailbox, calendar, and SharePoint site for a specific project. Which type of Microsoft Entra group is best suited for this collaborative purpose?

Security group

Microsoft 365 group

Dynamic group

Distribution group

Consider what is needed to gather data from *inside* the virtual machine’s operating system.

11 / 65

An administrator needs to collect performance counters and event logs from the guest operating system of an Azure VM. Which component must be configured?

The VM's public IP address

The VM's Network Security Group (NSG)

A Log Analytics workspace data collection rule

The VM's diagnostic settings

Consider how a load balancer knows which of its backend servers are currently available to serve requests.

12 / 65

What is the role of a ‘health probe’ in an Azure Load Balancer configuration?

To apply Network Security Group rules to the backend instances.

To periodically check the health of the instances in the backend pool and stop sending traffic to unhealthy instances.

To trigger an autoscale event to add more instances to the backend pool.

To monitor the overall cost of the backend pool instances.

The name of the model itself provides a clue to its fundamental philosophy.

13 / 65

A team is adopting a ‘Zero Trust’ security model. Which of the following is a core principle of this model?

Focus security controls only on the network perimeter.

Provide users with standing administrator privileges to avoid access delays.

Verify explicitly, use least privileged access, and assume breach.

Trust all traffic originating from inside the corporate network by default.

The prefix ‘e-‘ often relates to ‘exit’ or ‘out’. Consider the direction of data flow.

14 / 65

You are reviewing an Azure bill and see charges for ‘Data Egress’. What does this term typically refer to?

The cost of storing data in an Azure Storage Account.

The cost of CPU and memory used by virtual machines.

The cost of data being transferred into an Azure datacenter from the internet.

The cost of data being transferred out of an Azure datacenter to the internet or another region.

Look for a VM feature that allows for post-deployment configuration and automation inside the guest OS.

15 / 65

An administrator needs to deploy a custom script to a new Windows virtual machine at creation time to install specific software. Which feature should be used to achieve this?

Azure Monitor Agent

Azure Bastion

VM Custom Script Extension

Azure Policy

Look for the service in the Azure portal that is dedicated to the financial aspects of your subscription.

16 / 65

You are managing costs in Azure and want to analyze spending and create budgets. Which service provides tools for cost analysis, budgets, and exporting cost data?

Azure Monitor

Azure Policy

Azure Advisor

Azure Cost Management + Billing

Think about which layers of the technology stack are abstracted away for the customer in a PaaS offering.

17 / 65

What is the primary difference between Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) in the shared responsibility model?

In IaaS, the customer manages the operating system, middleware, and runtime, whereas in PaaS, Microsoft manages these for the customer.

There is no difference in the shared responsibility model between IaaS and PaaS.

In PaaS, the customer is responsible for managing the data and access, while in IaaS, Microsoft manages them.

In IaaS, the customer manages the physical datacenter, while in PaaS, Microsoft manages it.

Look for the feature that creates a network interface card (NIC) for a PaaS service within your own virtual network.

18 / 65

You need to implement a solution that allows Azure resources in a VNet to securely access Azure PaaS services like Azure SQL Database over a private IP address, effectively bringing the service into your VNet. Which feature should you use?

VNet Peering

Azure Private Link

Service Endpoints

User-Defined Routes (UDRs)

Consider where container images need to be stored before they can be deployed.

19 / 65

What is the primary role of the Azure container registry (ACR)?

To provide a private, managed registry for storing and managing Docker and OCI container images.

To monitor the performance and health of running containers.

To define the network policies for container-to-container communication.

To run and orchestrate containers at scale.

Consider the object that connects a VNet to a private DNS zone.

20 / 65

You need to create a private DNS zone for name resolution within a VNet. What is required to enable automatic registration of VM DNS records in this private zone?

Create a virtual network link between the VNet and the private DNS zone, and enable auto-registration.

Deploy an Azure DNS Private Resolver into the VNet.

Configure the VM's network interface to point to the private DNS zone's IP address.

Manually create an A record for each VM after it is deployed.

Think about the state of the resources while the Azure Resource Manager is re-associating them with a new group.

21 / 65

An Azure Administrator needs to move several existing resources, including a VM, a storage account, and a VNet, from ‘ResourceGroupA’ to ‘ResourceGroupB’ within the same subscription. What is a key consideration for this operation?

The move operation will also change the Azure region of the resources to match the region of the destination resource group.

During the move, both the source and destination resource groups are locked, and resources cannot be modified.

Only resources of the same type can be moved in a single operation.

The virtual machine must be deallocated before it can be moved.

Think about which layer of the OSI model this service operates at.

22 / 65

You are creating a new Standard tier Azure Load Balancer. What type of traffic can it distribute?

Only DNS resolution requests.

Only HTTP and HTTPS traffic.

TCP and UDP traffic.

Only traffic between different Azure regions.

Think about the lifecycle of a backup after it has been created.

23 / 65

You are configuring a backup policy for an Azure VM. What does the ‘retention’ setting define?

The number of concurrent backup jobs that can run.

The time of day the backup job will start.

How long each recovery point (backup) is kept before it is deleted.

The Azure region where the backup data will be stored.

Think about what happens after an alert rule’s condition is met.

24 / 65

What is the purpose of an ‘Action Group’ in Azure Monitor?

To apply a set of RBAC permissions to multiple users simultaneously.

To group a collection of resources for applying a single Azure Policy.

To define a collection of notifications and actions that are triggered by an alert.

To create a logical grouping of virtual machines for load balancing.

Think about the difference between adding more instances (horizontal scaling) versus increasing the power of existing instances (vertical scaling).

25 / 65

You are deploying an Azure Web App and want to ensure that if the average CPU utilization exceeds 75% for 10 minutes, a new instance is added. What feature of the App Service Plan should you configure?

Scale out (App Service Plan)

Application Insights

Scale up (App Service Plan)

Deployment Slots

Think about the developer and authoring experience when writing Infrastructure as Code.

26 / 65

What is the primary benefit of using Azure Bicep compared to using ARM templates in JSON?

Bicep is the only way to manage dependencies between resources.

Bicep templates deploy resources significantly faster than ARM templates.

Bicep supports a wider range of Azure resources than ARM templates.

Bicep provides a simpler and more concise syntax, making templates easier to write and read.

Think about how Azure can verify you control a domain name that is managed by an external registrar.

27 / 65

When configuring a custom domain for an Azure App Service, what is the purpose of creating a TXT record in your DNS zone?

To prove that you have ownership of the custom domain before Azure will map it to your app.

To configure the Web Application Firewall (WAF) for the custom domain.

To route application traffic from the custom domain to the App Service's IP address.

To enable the automatic renewal of the App Service Managed Certificate.

Consider which load balancing service operates at the application layer (Layer 7) to inspect HTTP request details.

28 / 65

A company requires a load balancing solution that can distribute HTTP/HTTPS traffic to a set of web servers based on the URL path of the incoming request. For example, requests for ‘/images/*’ should go to one pool of VMs, and ‘/videos/*’ should go to another. Which Azure service is most appropriate?

Azure Load Balancer (Standard SKU)

Azure Application Gateway

Azure Virtual WAN

Azure Traffic Manager

Think about how to keep group membership current without manual intervention.

29 / 65

What is the primary advantage of using a dynamic membership rule for a Microsoft Entra group?

It allows guest users to be added to the group automatically.

It provides a higher level of security than assigned membership groups.

It is the only way to assign licenses to a group of users.

It automatically adds or removes members based on user attributes, reducing administrative overhead.

Think about a service that acts as a secure ‘jump box’ or proxy for administrative access to VMs.

30 / 65

What is the primary function of Azure Bastion?

To act as a global DNS-based load balancer for web traffic.

To provide a managed web application firewall (WAF) for App Services.

To enable secure RDP and SSH access to virtual machines directly through the Azure portal without public IP exposure on the VM.

To manage and rotate secrets, keys, and certificates used by Azure services.

Think about how to provide low-latency access to an Azure file share from an on-premises location.

31 / 65

What is the key difference between Azure File Sync and a standard Azure Files share?

Azure File Sync has a lower storage capacity limit than a standard Azure Files share.

Azure Files shares can be accessed via SMB protocol, whereas Azure File Sync uses NFS only.

Azure File Sync is used for blob storage, while Azure Files is for file shares.

Azure File Sync allows you to centralize file shares in Azure Files and keep an on-premises Windows Server as a fast, local cache of the data.

Look for a governance service that can audit or enforce rules during resource creation.

32 / 65

Your organization wants to ensure that all newly created storage accounts have ‘Secure transfer required’ enabled. Which Azure service is best suited to enforce this rule across the entire subscription?

Microsoft Defender for Cloud

Azure Policy

Azure Advisor

Azure Monitor

Consider a solution that involves physically shipping a storage device.

33 / 65

You need to copy 20 TB of data from an on-premises datacenter to Azure Blob Storage. The on-premises location has a slow and unreliable internet connection. Which Azure service offers an offline data transfer solution?

Azure Site Recovery.

AzCopy command-line utility.

Azure Data Box.

Azure File Sync.

Think about the two points where you can apply traffic filtering rules as data flows towards a virtual machine.

34 / 65

To which two layers can a Network Security Group (NSG) be associated to filter traffic?

Public IP Address and Virtual Network Gateway

Subscription and Management Group

Virtual Network and Resource Group

Network Interface (NIC) and Subnet

Think of the hierarchy of resources used in Azure File Sync. What is the top-level object you create first?

35 / 65

When configuring Azure File Sync, what is the role of the Storage Sync Service?

It is a top-level Azure resource that represents the sync relationship and contains sync groups.

It is the specific file share in the cloud that stores the synchronized data.

It is the agent software installed on the on-premises Windows Server.

It is a network endpoint used to accelerate data transfer between on-premises and Azure.

Focus on what ‘Zone’ refers to in the context of Azure regional architecture.

36 / 65

You have an Azure storage account with the redundancy option set to Zone-Redundant Storage (ZRS). What level of protection does this provide?

Data is replicated three times within a single physical datacenter.

Data is replicated synchronously across three physically separate Availability Zones within the primary region.

Data is replicated across three different Azure regions.

Data is replicated to a secondary region hundreds of miles away.

Consider what determines the performance, features, and cost of the environment where your web app is hosted.

37 / 65

What is the primary function of the Azure App Service Plan?

It defines the set of compute resources (region, SKU, and instance count) on which your web apps run.

It manages the SSL/TLS certificates for the web applications.

It defines the DNS name and URL for a specific web application.

It is a container for organizing multiple web applications for billing purposes.

Think about a feature that allows you to stage a new version of your application before making it live to the public.

38 / 65

A developer wants to test a new version of their web application without impacting the production version. The application is hosted in an Azure App Service. Which feature should they use?

Create a new App Service Plan and deploy the new version there.

Enable autoscaling to create a new instance for the new version.

Use a deployment slot to host the new version, then swap it with the production slot.

Configure a backup of the production app and restore it to a new App Service.

Think about the concept of Infrastructure as Code (IaC) and how it applies to Azure.

39 / 65

What is the primary purpose of using an Azure Resource Manager (ARM) template?

To define the infrastructure and configuration of Azure resources in a declarative JSON file for repeatable deployments.

To apply granular access control permissions to users and groups.

To provide real-time monitoring and alerting for Azure resources.

To securely connect an on-premises network to an Azure Virtual Network.

Consider the mechanism designed specifically for time-bound, permission-scoped delegated access to storage resources.

40 / 65

An administrator needs to grant a third-party application temporary, specific permissions to upload files to a single blob container. Which method provides the most secure, least-privileged access for this task?

Create a Shared Access Signature (SAS) token.

Provide one of the storage account access keys.

Configure a firewall rule on the storage account to allow the application's IP address.

Assign the Storage Blob Data Contributor role to the application's service principal.

Look for a feature specifically designed to protect resources from accidental modification or deletion, even by administrators.

41 / 65

An organization is migrating its on-premises servers to Azure. The finance team wants to implement a solution that prevents accidental deletion of critical resources like production virtual machines. Which Azure feature should be used?

Resource Locks

Azure Policy

Resource Tags

Role-Based Access Control (RBAC)

Think about the path traffic takes as it enters and leaves a virtual network’s subnet.

42 / 65

A virtual machine has an NSG associated with its network interface and another NSG associated with its subnet. How is traffic evaluated?

Only the NSG on the subnet is processed.

Only the NSG on the network interface is processed.

The rules from both NSGs are merged, and the rule with the lowest priority number is applied.

For inbound traffic, the subnet NSG is evaluated first, followed by the NIC NSG. For outbound, the order is reversed.

Think of the service that collects security data from many sources for threat detection, investigation, and automated response.

43 / 65

Which Azure service provides a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution?

Azure Monitor

Azure Policy

Microsoft Defender for Cloud

Microsoft Sentinel

Look for a feature within the Entra ID user management blade designed for managing many users at once.

44 / 65

An administrator needs to create multiple user accounts in Microsoft Entra ID. The user information is available in a CSV file. What is the most efficient method to create these accounts in the Azure portal?

Add the users to an on-premises Active Directory and wait for Microsoft Entra Connect to synchronize them.

Write a PowerShell script using the `New-AzADUser` cmdlet.

Create each user account manually, one by one, using the 'New user' wizard.

Use the 'Bulk create' user operation and upload the prepared CSV file.

Consider the geographical scope of protection offered by each redundancy option.

45 / 65

An administrator is setting up a Recovery Services vault for Azure VM backups. What is the difference between Locally-redundant storage (LRS) and Geo-redundant storage (GRS) for the vault’s storage redundancy?

LRS stores three copies of the data in a single physical location, while GRS copies the data to a secondary region hundreds of miles away.

LRS stores three copies of data in a single datacenter, while GRS stores three copies across multiple datacenters in the same region.

LRS is for VM backups, while GRS is for SQL database backups.

LRS stores one copy of data locally, while GRS stores six copies in a paired region.

Think about how you would override the default system route that sends traffic directly to the internet.

46 / 65

You need to create a route table in Azure to force all internet-bound traffic from a subnet through a Network Virtual Appliance (NVA) for inspection. What is this technique called?

Forced Tunneling

Service Endpointing

Network Address Translation (NAT)

VNet Peering

Consider how this feature changes the network path that traffic takes to reach a PaaS service.

47 / 65

What is the primary security benefit of using Azure Private Endpoints for PaaS services?

It encrypts data in transit over the public internet.

It eliminates the need for multi-factor authentication for administrators.

It automatically applies Web Application Firewall (WAF) rules to the PaaS service.

It prevents data from being exposed to the public internet by assigning a private IP from your VNet to the service.

Think about the common technology used to create a secure, encrypted connection across the internet.

48 / 65

A custom application running on an Azure VM needs to connect to an on-premises SQL Server database. The connection must be secure and travel over the public internet. Which Azure networking service is designed to create an encrypted tunnel between an Azure VNet and an on-premises network?

VNet Peering

Azure Private Link

Azure VPN Gateway

Azure Load Balancer

Consider the ‘managed service’ aspect of AKS and what components Microsoft abstracts away from the customer.

49 / 65

When deploying a containerized application with Azure Kubernetes Service (AKS), what is the customer’s responsibility regarding the AKS control plane?

The customer is responsible for configuring the network routing for the control plane.

The customer pays for the control plane nodes based on their size and uptime.

The customer must provision, manage, patch, and scale the VMs for the control plane nodes.

The customer must manually upgrade the Kubernetes version of the control plane.

Look for the tool whose name directly relates to copying data in an Azure context.

50 / 65

Which command-line utility is specifically designed for high-performance copying of data to and from Azure Storage?

Azure CLI (`az`)

AzCopy

Robocopy

Azure PowerShell (`Az`)

Consider the certification that serves as the primary entry point for understanding cloud concepts on Azure.

51 / 65

Which of the following is considered a ‘Foundational’ level Microsoft Azure certification?

AZ-305: Designing Microsoft Azure Infrastructure Solutions

AZ-104: Microsoft Azure Administrator

AZ-900: Microsoft Azure Fundamentals

DP-203: Data Engineering on Microsoft Azure

Consider the numerical property that dictates which rule gets evaluated first.

52 / 65

Which component of an NSG rule determines its processing order relative to other rules in the same NSG?

Action

Source Port

Priority

Protocol

Look for the term that implies a connection to both on-premises and cloud directories.

53 / 65

Which Azure Active Directory (now Microsoft Entra ID) device state is intended for devices that are owned by the organization and are joined to both an on-premises Active Directory and Microsoft Entra ID?

Microsoft Entra registered

Microsoft Entra joined

Microsoft Entra hybrid joined

Microsoft Entra managed

Think about the standard document that defines the address blocks for private internets.

54 / 65

An administrator is deploying a virtual network (VNet) in Azure and needs to plan the IP address space. It is highly recommended to use address ranges from which specification for private, non-internet routable addresses?

RFC 2544

RFC 791

IEEE 802.3

RFC 1918

Consider a compute model where you don’t have to think about servers at all.

55 / 65

What is the primary characteristic of an Azure ‘serverless’ compute service like Azure Functions?

It is designed exclusively for hosting containerized applications using Docker.

The service runs continuously, and you are billed a fixed monthly fee regardless of usage.

The platform automatically manages the compute infrastructure, and code is executed in response to events or triggers.

It requires the user to provision and manage the underlying virtual machine operating system.

Focus on how high availability is achieved *within* a single Azure region.

56 / 65

Which of the following statements accurately describes Azure Availability Zones?

They are logically separate datacenters within a single Azure building.

They are multiple Azure regions that are paired for disaster recovery.

They are physically separate locations within an Azure region, each with independent power, cooling, and networking.

They are used exclusively for storing geo-redundant backups.

Consider the term used to describe connectivity that spans across different geographical locations in Azure.

57 / 65

You are creating a VNet-to-VNet connection to link two virtual networks in different Azure regions. What type of VNet peering should you configure?

Transitive Peering

Hybrid Peering

Regional Peering

Global VNet Peering

Look for a service that operates at a global scale and is designed for web application delivery.

58 / 65

A global company has web applications hosted in multiple Azure regions (US, Europe, Asia). They need a solution to direct users to the closest, best-performing regional endpoint and provide instant global failover. Which service is best suited for this?

Azure Front Door

Azure Application Gateway

Azure VPN Gateway

Azure Load Balancer

The term ‘polyglot’ means ‘knowing or using several languages.’ Apply this concept to data storage technologies.

59 / 65

When designing an Azure Storage solution, what does ‘polyglot persistence’ refer to in a typical cloud design?

Replicating data across multiple geographic regions for disaster recovery.

Using a mix of different storage technologies to handle different types of data, choosing the best technology for each specific need.

Encrypting data using multiple different encryption algorithms for added security.

Storing all data, regardless of its type or structure, in a single, large relational database.

Think about what information you might need to retrieve *after* a template deployment has finished.

60 / 65

What is the function of the `outputs` section in an ARM template?

To return values from the deployed resources, such as a VM's public IP address or a storage account's connection string.

To define the input values, like resource names or sizes, that are required when the template is deployed.

To list the Azure resources, such as virtual machines and storage accounts, that will be created or updated.

To declare variables that can be reused throughout the template to simplify expressions.

Look for a service designed for disaster recovery and business continuity through continuous replication.

61 / 65

An organization has a business-critical application running on Azure VMs and requires a Recovery Point Objective (RPO) of less than one minute. Which Azure service is best suited for this requirement?

Storage account replication (GRS).

Azure File Sync.

Azure Site Recovery (ASR).

Azure Backup with the standard policy.

Consider the option that requires the most specific commitment in terms of instance type and location.

62 / 65

Which pricing model in Azure provides the greatest discount in exchange for a one- or three-year commitment to a specific virtual machine family in a specific region?

Pay-as-you-go

Azure Spot Virtual Machines

Azure Reserved Virtual Machine Instances

Azure Savings Plans for compute

Focus on the components of an Availability Set: fault domains and update domains.

63 / 65

You are designing a high-availability solution for virtual machines within a single Azure region. What is the purpose of placing VMs in an Availability Set?

To group VMs for easier management and application of network security group rules.

To ensure VMs are spread across multiple physical hardware racks (fault domains) and receive updates at different times (update domains) within a datacenter.

To protect VMs from a region-wide outage.

To distribute VMs across different physical locations within a region to protect against datacenter-level failures.

Review the list of standard reservations for protocol, gateway, and broadcast functions.

64 / 65

You are configuring a Network Security Group (NSG) and notice that Azure reserves five IP addresses within each subnet. Which of the following is NOT one of the reasons for these reserved addresses?

The first address is reserved as the network address.

The second address is reserved by Azure for the default gateway.

An address is reserved for the Azure DNS resolver.

The last address is reserved as the broadcast address.

Think about the cost trade-off between storing data and accessing data.

65 / 65

When using Azure Blob Storage lifecycle management, what is a common reason to create a rule that moves blobs from the Hot tier to the Cool tier?

To enable geo-replication for the storage account.

To increase data access performance for blobs that are accessed more frequently.

To prepare data for offline archival with the longest retrieval times.

To reduce storage costs for data that is accessed less frequently but still needs to be immediately available.

Your score is

Why You Need Reliable Practice Questions

Mastering Identity and Governance in Azure

Understanding RBAC and Deny Assignments

Protecting Critical Resources

Azure Storage Implementation Scenarios

Handling Massive Data Migrations

Lifecycle Management and Cost

Configuring Azure Compute Resources

Scaling Web Apps

High Availability with Availability Sets

Virtual Networking: The Core of AZ-104

Global VNet Peering

Load Balancing: Layer 4 vs. Layer 7

Secure Access with Bastion

Monitoring and Backup Recovery

RPO and Disaster Recovery

Action Groups

Conclusion

Related Posts

60+ Free Azure AZ-700 Practice Test Questions to Master Azure Networking in 2025

High-Value AZ-700 Questions to Dominate Azure Networking: 67+ Free Practice Questions (2025 Update)

65+ Free AZ-500 Practice Test Questions to Dominate Azure Security Exam