10 free, exam-style Microsoft Certified: Azure Administrator Associate (AZ-104) (AZ-104) practice questions with answers and explanations. No signup required. Work through them below, then take the full free AZ-104 practice test to study every exam domain.
The AZ-104 exam has 60 questions and runs 1 hour 40 minutes.
These 10 free AZ-104 questions are organized by exam domain, so you can see how each part of the Microsoft Certified: Azure Administrator Associate (AZ-104) blueprint is tested. Reveal the answer and explanation under each question.
A team lead must be able to fully manage all virtual machines, networks, and storage in a resource group, but company policy forbids them from granting other users access to those resources. Which built-in role follows the principle of least privilege?
Correct answer: A - Contributor
An organization wants to ensure that no storage account can ever be created in a region outside of Western Europe, regardless of who attempts the deployment. Which Azure governance feature should be used to enforce this?
Correct answer: D - Create an Azure Policy with a 'Deny' effect and allowed locations
A subscription Owner is unable to delete a virtual network. Investigation shows the resource group containing it has a CanNotDelete lock, and the virtual network itself has a ReadOnly lock. Which statement correctly explains the behavior?
Correct answer: C - The most restrictive lock in the inheritance chain takes effect, so ReadOnly applies
An administrator needs to apply a single Azure Policy assignment that automatically governs 12 existing subscriptions and any subscriptions added later. At which scope should the policy be assigned to minimize ongoing administrative effort?
Correct answer: A - Management group
A company plans to require multifactor authentication only when users sign in from outside the corporate network, using Conditional Access policies. What is the minimum Microsoft Entra ID licensing required?
Correct answer: B - Microsoft Entra ID P1
A storage account must keep data available if an entire Azure region fails, and applications must still be able to READ the data from the secondary region during the outage without waiting for a failover. Which redundancy option meets this requirement?
Correct answer: D - Read-access geo-redundant storage (RA-GRS)
An auditor requests immediate access to a compliance document stored as a blob in the Archive access tier. What must happen before the blob's contents can be read?
Correct answer: A - The blob must be rehydrated to the Hot or Cool tier first
Data must remain online and immediately accessible but is expected to be read only a few times per year. The team wants the lowest storage cost that still avoids the rehydration delay of offline storage. Which blob access tier is the BEST fit?
Correct answer: C - Cold
An administrator issues a service shared access signature (SAS) to a partner. Later the partner relationship ends, and the SAS must be revoked immediately without regenerating the storage account keys or disrupting other applications. What should have been used when the SAS was created?
Correct answer: B - A stored access policy associated with the SAS
An application runs on two virtual machines that must remain available even if an entire Azure datacenter within the region goes offline. Which deployment configuration provides the highest single-region availability SLA for this requirement?
Correct answer: D - Deploy the VMs across two availability zones
The AZ-104 exam also covers these domains. Drill them in the full free practice test:
Practice hundreds more AZ-104 questions with instant scoring, weak-area drills, and full exam simulations.