Microsoft · AZ-104
Validates the ability to implement, manage, and monitor an organization's Microsoft Azure environment, including virtual networks, storage, compute, identity, security, and governance.
Questions
757
Duration
120 minutes
Passing Score
700/1000
Difficulty
AssociateLast Updated
Jan 2025
Use this AZ-104 practice exam to prepare for Microsoft Certified: Azure Administrator Associate (AZ-104) with realistic questions, detailed explanations, and focused study modes. The practice bank includes 757 questions for Microsoft AZ-104, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to recurring topics such as Manage Azure identities and governance, Implement and manage storage, Deploy and manage Azure compute resources, Implement and manage virtual networking, and Monitor and maintain Azure resources. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The Microsoft Certified: Azure Administrator Associate (AZ-104) validates subject matter expertise in implementing, managing, and monitoring an organization's Microsoft Azure environment. The certification covers a broad range of Azure services and capabilities, including virtual networks, storage, compute, identity, security, and governance. Exam content was last updated on April 18, 2025, reflecting the current skills required for the Azure administrator role.
Certified administrators are expected to work proficiently across the Azure portal, Azure CLI, PowerShell, Azure Resource Manager (ARM) templates and Bicep files, and Microsoft Entra ID. The role requires a solid understanding of foundational IT concepts — operating systems, networking, servers, and virtualization — applied to cloud-based infrastructure management. Azure administrators often collaborate with teams responsible for database, application development, DevOps, and security, making this a highly cross-functional credential.
This certification is designed for IT professionals who actively administer Azure cloud environments, typically with a minimum of six months of hands-on Azure experience. Target job roles include Azure Administrator, Cloud Engineer, Azure Systems Administrator, Cloud Support Engineer, and Cloud Operations Analyst. It is particularly suited to professionals transitioning from on-premises infrastructure roles (sysadmins, network admins) into cloud-focused positions, as well as those already working in Azure who want to formalize and validate their skills.
Candidates pursuing advancement into cloud security (AZ-500), DevOps (AZ-400), or Solutions Architect (AZ-305) roles will also find AZ-104 a required or strongly recommended stepping stone, as it establishes the administrative foundation those advanced certifications build upon.
There are no mandatory prerequisite certifications for AZ-104 — it does not require passing AZ-900 (Azure Fundamentals) first, though completing that exam is helpful for those new to Azure concepts. Microsoft recommends at least six months of practical experience administering Azure resources before attempting the exam.
Candidates should have hands-on familiarity with the Azure portal, Azure CLI, and PowerShell for managing resources, as well as working knowledge of Azure Resource Manager templates and Bicep files. A background in traditional IT infrastructure — including networking concepts (DNS, routing, NSGs, load balancing), server administration, operating systems, and virtualization — is strongly recommended, as many exam scenarios assume this foundational knowledge. Experience with Microsoft Entra ID (formerly Azure Active Directory) for identity and access management is also expected.
The AZ-104 exam is proctored and delivered through Pearson VUE, either at a testing center or via online proctoring. Candidates are given 100 minutes to complete the assessment. The exam may include interactive lab-based components (e.g., tasks performed in a live or simulated Azure environment) in addition to standard multiple-choice, case study, drag-and-drop, and scenario-based questions; the exact number of questions varies per administration and is not published by Microsoft.
A score of 700 out of 1000 is required to pass. Scoring is scaled, meaning it does not correspond directly to a raw percentage of correct answers. If a candidate fails on the first attempt, a retake is permitted after 24 hours; subsequent retake waiting periods vary per Microsoft's retake policy. The certification is valid for one year and can be renewed at no cost by passing an online renewal assessment on Microsoft Learn.
Earning the AZ-104 certification opens access to a strong and growing job market, with Azure administrator roles reporting U.S. salaries generally in the range of $88,000–$161,000 annually depending on experience, location, and employer. Certified professionals typically see a 15–20% salary premium over non-certified peers in equivalent roles. Common job titles held by AZ-104 holders include Azure Administrator, Cloud Engineer, Azure Systems Administrator, and Cloud Operations Analyst, with experienced professionals moving into hybrid roles such as Cloud Security Analyst or progressing toward Solutions Architect and DevOps Engineer tracks.
Microsoft Azure holds approximately 20% of the global cloud market and is the dominant platform in enterprise, government, healthcare, and financial services sectors, creating consistent demand for certified administrators. The AZ-104 also serves as a direct prerequisite or recommended foundation for higher-level Microsoft certifications including AZ-500 (Azure Security Engineer Associate), AZ-400 (DevOps Engineer Expert), and AZ-305 (Azure Solutions Architect Expert). Compared to AWS Certified SysOps Administrator and Google Associate Cloud Engineer, AZ-104 is particularly competitive in enterprise-heavy industries where Microsoft's ecosystem — including Microsoft 365, Active Directory, and hybrid cloud via Azure Arc — is deeply embedded.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 757 questions.
Preview — answers shown1. A computer named 'Computer1' has a Point-to-Site VPN connection to VNet1. An administrator needs to enable 'Computer2' to also connect. They install the VPN client package on Computer2. Which of the following is also a critical requirement for Computer2 to establish a connection, assuming certificate authentication is used?
Explanation
A critical requirement is that a valid client certificate must be installed on Computer2. The VPN client package contains the network configuration settings but not the authentication credentials. For certificate-based authentication, each client computer must have a client certificate installed in its local certificate store. This certificate must be one that is recognized by the Azure VPN gateway. Without this certificate, Computer2 cannot authenticate and the connection will fail.
2. An administrator has a virtual machine scale set (VMSS) named 'WebApp-Tier' that is configured for Flexible orchestration mode. The administrator now needs to add an existing, standalone virtual machine named 'Legacy-VM' into this scale set. Where must 'Legacy-VM' be located?
Explanation
The VM must be in the same resource group and the same region as the VMSS. Flexible orchestration mode for VMSS allows you to manage individual VMs within the set. When adding an existing VM to a flexible VMSS, a key requirement is that the VM must already exist in the same resource group and the same Azure region as the scale set itself.
3. A lifecycle management rule is configured to move blobs to cool storage 3 days after modification and to archive storage 5 days after modification. On Dec 1st, a file is created (and is in the Hot tier). On Dec 10th, the file, now in the Archive tier, is rehydrated back to the Hot tier. When will the file be moved to the Archive tier again?
Explanation
The file will be moved to archive storage on December 15. The 'days after last modification' timer resets whenever the blob is modified or its tier is changed. When the file was rehydrated to the Hot tier on December 10, the last modification timer was reset to that date. The lifecycle policy will now evaluate from Dec 10th: - Move to Cool: 3 days after Dec 10th is Dec 13th. - Move to Archive: 5 days after Dec 10th is Dec 15th. Therefore, the final move to the Archive tier will occur on December 15.
4. To secure a critical storage account named 'corpdata123', an administrator at 'PrivateCloud Corp' wants to block all public internet access to it. The data must only be accessible from virtual machines running in a specific virtual network named 'VNet-Core'. Which Azure networking feature should be implemented?
Explanation
The correct feature is a Private Endpoint. A Private Endpoint creates a network interface with a private IP address from your virtual network (VNet-Core) that connects directly and privately to the Azure Storage account. You can then configure the storage account's firewall to deny all access from public networks, ensuring that traffic only flows from your VNet over the Microsoft backbone network. This is the standard and most secure method to achieve the stated goal. Here is why the other options are incorrect: An NSG filters traffic to and from VMs within a VNet, but it cannot block public access to a PaaS service like a storage account itself. A SAS is an authentication token for granting access; it does not control the network path. A VNet peering connects two VNets together; it does not connect a VNet to a PaaS service.
5. An application at 'CodePerfect Inc.' is being migrated to Azure VMs. The front-end VM must call a back-end service on another VM using its IP address. To ensure the connection remains stable after restarts, both VMs need permanent private IP addresses within their subnet. How should an administrator configure this?
Explanation
The correct method is to modify the IP configuration of the Network Interface (NIC) for each VM. In Azure, IP addresses are managed by the Azure fabric, not the guest OS. By navigating to the NIC resource associated with each VM, you can change the private IP address assignment from 'Dynamic' to 'Static'. This ensures that Azure will reserve that specific private IP for the NIC for its entire lifetime. Here's why the other options are incorrect: There is no -StaticIP parameter for New-AzVM; IP settings are part of the NIC configuration. Setting a static IP inside the guest OS will conflict with Azure's DHCP service and cause connectivity loss. Set-AzSubnet configures the subnet's properties, it does not assign IPs to specific resources.
Microsoft Dynamics 365 Supply Chain Management Functional Consultant Expert (MB-335)
MB-335 · 2039 questions
Microsoft Dynamics 365 Business Central Functional Consultant (MB-800)
MB-800 · 1899 questions
Microsoft Certified: Azure AI Engineer Associate (AI-102)
AI-102 · 1392 questions
Microsoft Certified: Windows Server Hybrid Administrator Associate (AZ-801)
AZ-801 · 1376 questions
Microsoft Dynamics 365 Finance Functional Consultant (MB-310)
MB-310 · 1299 questions
Microsoft 365 Certified: Fundamentals (MS-900)
MS-900 · 1201 questions
$17.99
One-time access to this exam