Azure AZ-104 Sample Questions with Explanations

These original sample questions are designed to help you check how the exam topics appear in decision-style prompts. They are not taken from the live exam.

Use these sample questions as a guided self-assessment for Microsoft Azure Administrator (AZ-104) topics such as identity, RBAC scope, storage access, compute deployment, virtual networking, monitoring, backup, and operational troubleshooting. The prompts emphasize administrator choices under constraints.

AZ-104 administrator sample questions

Work through each prompt before opening the explanation. Strong AZ-104 answers usually identify the management scope, the control plane, and the least disruptive operational fix.


Question 1

Topic: RBAC scope for a project team

A project team needs to manage virtual machines, disks, and network interfaces for one application. They must not modify resources in other applications in the same subscription. What is the best RBAC assignment?

  • A. Assign Owner at the subscription scope.
  • B. Assign Contributor or a narrower custom role at the resource group scope that contains the application resources.
  • C. Assign Reader at the management group scope.
  • D. Assign Storage Blob Data Contributor at the storage account scope.

Best answer: B

Explanation: The team needs management access to a defined set of application resources, so the resource group scope is the natural boundary. Contributor may fit if they need broad management rights, while a custom role can narrow permissions further.

Why the other choices are weaker:

  • A grants rights across the entire subscription and violates least privilege.
  • C grants only read access, and at a scope that is too broad.
  • D is a data-plane storage role, not a VM management role.

What this tests: Selecting RBAC scope and role type based on the resources a team must administer.

Related topics: RBAC; Scope; Resource groups; Least privilege


Question 2

Topic: Private storage access

An application in a virtual network must access a storage account without sending traffic over the public internet. Administrators also want name resolution to return a private address from inside the network. What should they configure?

  • A. A private endpoint for the storage account and private DNS integration for the storage service name.
  • B. A public IP address on the storage account.
  • C. A user-defined route that sends storage traffic to the internet gateway.
  • D. A management lock on the storage account.

Best answer: A

Explanation: A private endpoint brings the storage service into the virtual network through a private IP, and private DNS integration makes the storage service name resolve to that private address from inside the network.

Why the other choices are weaker:

  • B does the opposite of private access.
  • C routes toward public connectivity rather than private service access.
  • D protects against accidental changes but does not affect data-path connectivity.

What this tests: Distinguishing private endpoint connectivity from routing, public IP, and governance controls.

Related topics: Private Endpoint; Storage; Private DNS; Networking


Question 3

Topic: Operational alerting

A production VM occasionally reaches high CPU utilization for ten minutes. The operations team wants to notify an on-call group when the condition occurs and include the VM name in the alert context. Which approach best fits?

  • A. Create an Azure Monitor alert rule based on the VM CPU metric and attach an action group for the on-call notification.
  • B. Create an Azure Policy assignment that denies VM creation.
  • C. Create a resource lock on the VM.
  • D. Create a storage lifecycle rule for the VM diagnostics container.

Best answer: A

Explanation: Azure Monitor metric alerts evaluate metric conditions and can notify people or systems through action groups. This directly matches the CPU threshold and notification requirement.

Why the other choices are weaker:

  • B enforces governance at deployment time, not runtime monitoring.
  • C prevents changes but does not alert on CPU.
  • D manages stored data lifecycle and does not detect the condition.

What this tests: Choosing the right Azure Monitor construct for metric-based operational alerts.

Related topics: Azure Monitor; Metrics; Action groups; Operations

Tech Exam Lexicon and IT Mastery are independent study tools. They are not affiliated with, endorsed by, or sponsored by the exam vendor.

Revised on Sunday, May 10, 2026