Microsoft · AZ-104
Validates the ability to implement, manage, and monitor an organization's Microsoft Azure environment, including virtual networks, storage, compute, identity, security, and governance.
Questions
757
Duration
120 minutes
Passing Score
700/1000
Difficulty
AssociateLast Updated
Jan 2025
Use this AZ-104 practice exam to prepare for Microsoft Certified: Azure Administrator Associate (AZ-104) with realistic questions, detailed explanations, and focused study modes. The practice bank includes 757 questions for Microsoft AZ-104, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to recurring topics such as Manage Azure identities and governance, Implement and manage storage, Deploy and manage Azure compute resources, Implement and manage virtual networking, and Monitor and maintain Azure resources. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The Microsoft Certified: Azure Administrator Associate (AZ-104) validates subject matter expertise in implementing, managing, and monitoring an organization's Microsoft Azure environment. The certification covers a broad range of Azure services and capabilities, including virtual networks, storage, compute, identity, security, and governance. Exam content was last updated on April 18, 2025, reflecting the current skills required for the Azure administrator role.
Certified administrators are expected to work proficiently across the Azure portal, Azure CLI, PowerShell, Azure Resource Manager (ARM) templates and Bicep files, and Microsoft Entra ID. The role requires a solid understanding of foundational IT concepts — operating systems, networking, servers, and virtualization — applied to cloud-based infrastructure management. Azure administrators often collaborate with teams responsible for database, application development, DevOps, and security, making this a highly cross-functional credential.
This certification is designed for IT professionals who actively administer Azure cloud environments, typically with a minimum of six months of hands-on Azure experience. Target job roles include Azure Administrator, Cloud Engineer, Azure Systems Administrator, Cloud Support Engineer, and Cloud Operations Analyst. It is particularly suited to professionals transitioning from on-premises infrastructure roles (sysadmins, network admins) into cloud-focused positions, as well as those already working in Azure who want to formalize and validate their skills.
Candidates pursuing advancement into cloud security (AZ-500), DevOps (AZ-400), or Solutions Architect (AZ-305) roles will also find AZ-104 a required or strongly recommended stepping stone, as it establishes the administrative foundation those advanced certifications build upon.
There are no mandatory prerequisite certifications for AZ-104 — it does not require passing AZ-900 (Azure Fundamentals) first, though completing that exam is helpful for those new to Azure concepts. Microsoft recommends at least six months of practical experience administering Azure resources before attempting the exam.
Candidates should have hands-on familiarity with the Azure portal, Azure CLI, and PowerShell for managing resources, as well as working knowledge of Azure Resource Manager templates and Bicep files. A background in traditional IT infrastructure — including networking concepts (DNS, routing, NSGs, load balancing), server administration, operating systems, and virtualization — is strongly recommended, as many exam scenarios assume this foundational knowledge. Experience with Microsoft Entra ID (formerly Azure Active Directory) for identity and access management is also expected.
The AZ-104 exam is proctored and delivered through Pearson VUE, either at a testing center or via online proctoring. Candidates are given 100 minutes to complete the assessment. The exam may include interactive lab-based components (e.g., tasks performed in a live or simulated Azure environment) in addition to standard multiple-choice, case study, drag-and-drop, and scenario-based questions; the exact number of questions varies per administration and is not published by Microsoft.
A score of 700 out of 1000 is required to pass. Scoring is scaled, meaning it does not correspond directly to a raw percentage of correct answers. If a candidate fails on the first attempt, a retake is permitted after 24 hours; subsequent retake waiting periods vary per Microsoft's retake policy. The certification is valid for one year and can be renewed at no cost by passing an online renewal assessment on Microsoft Learn.
Earning the AZ-104 certification opens access to a strong and growing job market, with Azure administrator roles reporting U.S. salaries generally in the range of $88,000–$161,000 annually depending on experience, location, and employer. Certified professionals typically see a 15–20% salary premium over non-certified peers in equivalent roles. Common job titles held by AZ-104 holders include Azure Administrator, Cloud Engineer, Azure Systems Administrator, and Cloud Operations Analyst, with experienced professionals moving into hybrid roles such as Cloud Security Analyst or progressing toward Solutions Architect and DevOps Engineer tracks.
Microsoft Azure holds approximately 20% of the global cloud market and is the dominant platform in enterprise, government, healthcare, and financial services sectors, creating consistent demand for certified administrators. The AZ-104 also serves as a direct prerequisite or recommended foundation for higher-level Microsoft certifications including AZ-500 (Azure Security Engineer Associate), AZ-400 (DevOps Engineer Expert), and AZ-305 (Azure Solutions Architect Expert). Compared to AWS Certified SysOps Administrator and Google Associate Cloud Engineer, AZ-104 is particularly competitive in enterprise-heavy industries where Microsoft's ecosystem — including Microsoft 365, Active Directory, and hybrid cloud via Azure Arc — is deeply embedded.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 757 questions.
Preview — answers shown1. A user named 'User1' has the 'Reader' and 'Security Admin' roles on a subscription. They need to be able to assign the 'Reader' role for a specific virtual network, 'VNet1', to other users. What is the most effective action to grant User1 this specific permission?
Explanation
The most effective action is to assign the 'User Access Administrator' role to User1, scoped specifically to the VNet1 resource. This role grants only the permissions needed to manage user access (i.e., assign roles) for a resource. By scoping it to VNet1, you ensure User1 can manage role assignments for VNet1 but not for any other resource. This follows the principle of least privilege. Here's why the other options are incorrect: Contributor and Owner are too permissive, granting management rights over the resources themselves. Network Contributor allows management of the network but not the access permissions.
2. An ARM template for a storage account contains the following 'networkAcls' property: "defaultAction": "Deny" and a "virtualNetworkRules" array that allows access from a specific subnet. What type of network access control is being configured here?
Explanation
This configuration is for Virtual Network Service Endpoints. The virtualNetworkRules property within the networkAcls block is used to specify which virtual networks and subnets are allowed to access the storage account. This is the declarative way to configure a service endpoint, which provides a secure and direct connection from the VNet to the storage account over the Azure backbone. The defaultAction: Deny ensures that all other networks are blocked. Here is why the other options are incorrect: RBAC controls user permissions, not network access. Private Endpoints are configured differently, using a separate privateEndpointConnections resource. A firewall rule for a public IP would use the ipRules array, not virtualNetworkRules.
3. An administrator is provisioning a server farm of five identical virtual machines, each requiring a private IP address. To simplify security management, all five VMs will share the same firewall rules. What is the minimum number of network interfaces (NICs) and network security groups (NSGs) needed?
Explanation
The minimum is 5 NICs and 1 NSG. Each virtual machine in Azure requires its own network interface, so five VMs need five NICs. Since all five VMs share the same security rules, the most efficient design is to create a single Network Security Group (NSG) and associate it with the subnet where all five VMs reside. This applies the same rules to all of them with the least administrative effort.
4. A company stores blobs from multiple departments in a single storage account. The security team requires that blobs from the 'Legal' department be encrypted with a different key than blobs from the 'Marketing' department. What Azure Storage feature allows for different encryption keys to be used for different blobs within the same storage account?
Explanation
Encryption scopes allow for this granular control. An encryption scope defines an encryption key that can be applied at the container or individual blob level. You can create one scope that uses a key for 'Legal' and another scope for 'Marketing'. When uploading blobs, you can specify which encryption scope to use, ensuring different data is encrypted with different keys, all within the same storage account.
5. An administrator needs to deploy a new web application to Azure. To save costs, they want to back up the web app to an existing storage account. The web app will be deployed in the West US region. They have several storage accounts available. Which of the following accounts would be the most cost-effective target for the backup?
Explanation
The Standard StorageV2 account in West US is the most cost-effective. For App Service backups, the target storage account must be in the same subscription and the same region as the App Service plan. This eliminates the Central US account. Between the remaining options, a Standard SKU storage account is significantly less expensive than a Premium SKU account. Therefore, the Standard StorageV2 account in the same region is the correct choice.
Microsoft Dynamics 365 Supply Chain Management Functional Consultant Expert (MB-335)
MB-335 · 2039 questions
Microsoft Dynamics 365 Business Central Functional Consultant (MB-800)
MB-800 · 1899 questions
Microsoft Certified: Azure AI Engineer Associate (AI-102)
AI-102 · 1392 questions
Microsoft Certified: Windows Server Hybrid Administrator Associate (AZ-801)
AZ-801 · 1376 questions
Microsoft Dynamics 365 Finance Functional Consultant (MB-310)
MB-310 · 1299 questions
Microsoft 365 Certified: Fundamentals (MS-900)
MS-900 · 1201 questions
$17.99
One-time access to this exam