Microsoft · AZ-802
Validates the ability to deploy, manage, and troubleshoot Windows Server in on-premises and hybrid Azure environments. Covers identity, security, networking, storage, high availability, disaster recovery, and monitoring for Windows Server workloads.
Practice Questions
600
≈ 12 practice exams
Duration
120 minutes
Passing Score
700/1000
Difficulty
AssociateLast Updated
May 2026
Use this AZ-802 practice exam to prepare for Microsoft Certified: Windows Server Hybrid Administrator Associate (AZ-802) with realistic questions, detailed explanations, and focused study modes. The practice bank includes 600 questions for Microsoft AZ-802, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to recurring topics such as Deploy and Manage Active Directory Domain Services (AD DS), Manage Windows Servers and Workloads in a Hybrid Environment, Manage Virtual Machines and Containers, Implement and Manage Hybrid Networking Infrastructure, and Manage Storage and File Services. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The Microsoft Certified: Windows Server Hybrid Administrator Associate, earned by passing exam AZ-802, validates a professional's ability to deploy, manage, and troubleshoot Windows Server workloads across both on-premises and hybrid Azure environments. AZ-802 consolidates the content previously covered by two separate exams—AZ-800 (Administering Windows Server Hybrid Core Infrastructure) and AZ-801 (Configuring Windows Server Hybrid Advanced Services)—into a single associate-level credential, with AZ-800 and AZ-801 retiring on September 30, 2026. The exam entered beta in June 2026 and covers a broad range of hybrid infrastructure topics including Active Directory Domain Services (AD DS), hybrid identity with Microsoft Entra ID, Hyper-V virtualization, containerization, storage management, and hybrid networking.
Candidates are assessed on their ability to use core administrative toolsets such as Windows Admin Center, PowerShell, Azure Arc, Azure Policy, Azure Monitor, Azure Update Manager, Microsoft Defender for Identity, and Microsoft Defender for Cloud. The certification also covers high availability and disaster recovery strategies, server and workload migration to Azure, and end-to-end monitoring and troubleshooting of Windows Server environments. It is a role-based credential that reflects the real-world skills required of hybrid infrastructure administrators who bridge traditional on-premises Windows Server management with cloud-native Azure services.
This certification is designed for IT professionals who administer Windows Server as a workload in hybrid environments—both on-premises and in Azure. Relevant job roles include system administrators, infrastructure engineers, identity and access administrators, network engineers, security engineers, support engineers, and technology managers who are responsible for Windows Server operations at their organizations. Candidates typically collaborate with architects and cloud engineers on hybrid deployments.
Ideal candidates will have several years of hands-on experience with Windows Server operating systems and should be comfortable working across on-premises Active Directory, Azure IaaS virtual machines, and hybrid connectivity scenarios. Those who previously held the Windows Server Hybrid Administrator Associate certification via AZ-800 and AZ-801 can maintain their credential through the standard annual renewal assessment rather than sitting the full AZ-802 exam.
Microsoft does not enforce formal prerequisites for AZ-802, but candidates are strongly recommended to have several years of practical experience administering Windows Server in enterprise environments before attempting the exam. Foundational knowledge of Active Directory Domain Services, Group Policy, DNS, DHCP, and Windows Server networking is essential, as these topics form a significant portion of the exam content.
Familiarity with Azure fundamentals—particularly Azure IaaS, Azure Arc, Microsoft Entra ID (formerly Azure Active Directory), and hybrid connectivity concepts—is also expected. Candidates without prior Azure exposure may benefit from first earning the Microsoft Azure Fundamentals (AZ-900) certification or completing relevant Microsoft Learn learning paths. Hands-on experience with tools such as Windows Admin Center, PowerShell remoting, and Hyper-V is strongly recommended, as many exam questions are scenario-based and require applied knowledge.
AZ-802 is an associate-level exam administered through Pearson VUE, available via online proctoring or at an authorized testing center. The exam has a time limit of 100 minutes (approximately 120 minutes total with pre-exam administrative tasks) and contains approximately 40–60 scored questions. A passing score of 700 out of 1000 is required. The exam uses a scaled scoring model, meaning 700 does not equate directly to 70% correct answers.
Question types include single-answer multiple choice, multiple-response, drag-and-drop, hotspot (active screen), and yes/no scenario-based questions. The exam is available in English, with localized versions typically released approximately eight weeks after the English version. Candidates whose preferred language is unavailable may request an additional 30 minutes. Microsoft recommends registering with a personal Microsoft account (MSA) rather than an organizational account to ensure exam records are permanently retained. A free exam sandbox is available at aka.ms/examdemo to familiarize candidates with the interface before exam day.
Earning the Windows Server Hybrid Administrator Associate credential positions professionals for roles such as Windows Server Administrator, Hybrid Cloud Administrator, Infrastructure Engineer, and Systems Engineer in organizations that maintain on-premises Windows Server environments alongside Azure workloads. These roles are consistently in demand across enterprise IT departments, government agencies, healthcare, and financial services. As organizations pursue hybrid cloud strategies rather than full cloud migration, Windows Server expertise with Azure integration skills remains highly valuable and difficult to automate away.
According to industry salary surveys, Windows Server administrators with hybrid cloud skills and Microsoft certifications typically earn between $85,000 and $130,000 annually in the United States, depending on experience, location, and scope of responsibility. Compared to cloud-only certifications such as AZ-104 (Azure Administrator), this certification differentiates candidates who can manage the full hybrid lifecycle—on-premises Active Directory, hybrid networking, and Azure IaaS—making it particularly valuable for mid-to-large enterprises where full datacenter retirement is not imminent. The credential renews annually via a free, unproctored online assessment on Microsoft Learn, keeping certified professionals current with platform updates.
5 sample questions with answers and explanations. The full bank has 600 questions, enough for 12 full-length practice exams.
Preview — answers shown1. Graphic Design Institute has 25 on-premises Windows Server 2022 servers registered as Azure Arc-enabled servers. The IT team wants to use Azure Policy to continuously assess configuration compliance and enforce settings on these servers. After deploying the Connected Machine Agent on each server, the team notices that while all servers appear in the Azure portal as Arc-enabled, Azure Policy compliance scans are not evaluating the servers. Which action must the administrator take to enable Azure Policy compliance assessment on the Arc-enabled servers? (Select one!)
Explanation
Azure Machine Configuration (formerly Azure Policy Guest Configuration) is the VM extension that enables Azure Policy to run compliance assessments and enforce settings on Arc-enabled servers. The Connected Machine Agent alone registers the server with Azure Arc and enables core management capabilities, but it does not include the Machine Configuration extension by default. Without the Machine Configuration extension installed, Azure Policy definitions that rely on guest configuration cannot evaluate the machine's compliance state. Azure Automation State Configuration uses PowerShell DSC to push and enforce configurations, but it is a separate service and is not a prerequisite for Azure Policy compliance scanning. A Log Analytics workspace collects log and monitoring data for Azure Monitor and Microsoft Sentinel; it is not required before Azure Policy can assess configuration compliance. Upgrading the Connected Machine Agent resolves agent-level bugs and adds new agent capabilities but does not install the Machine Configuration extension, which is a separate extension that must be explicitly deployed.
2. Contoso is designing a new multi-domain Active Directory forest with five domains. A senior architect must advise the team on correct Infrastructure Master placement to ensure cross-domain group membership references are updated reliably. Which placement guideline must the team follow? (Select one!)
Explanation
In a multi-domain forest, the Infrastructure Master updates phantom references, which are pointers to objects that reside in other domains. It detects stale references by comparing its own database against the Global Catalog. If the Infrastructure Master is placed on a Domain Controller that also serves as a Global Catalog server, it will never detect outdated phantom references because the GC already holds a full partial replica of all forest objects, meaning nothing ever appears missing or stale. The correct rule is to keep the Infrastructure Master off any GC-hosting DC unless every DC in the domain is also a GC, at which point the rule is moot because no phantom references exist. Co-locating Infrastructure Master with the PDC Emulator has no architectural basis and is not required. The Infrastructure Master exists in each domain in the forest, not just the forest root. Placement near the Schema Master provides no benefit to Infrastructure Master functionality.
3. Humongous Insurance has configured Hyper-V Replica between two Windows Server 2022 Hyper-V hosts at geographically separated sites. The disaster recovery team wants to periodically validate that replica virtual machines can be brought online successfully without interrupting production workloads or pausing the ongoing replication cycle. Which type of Hyper-V Replica failover should the administrators initiate? (Select one!)
Explanation
Test failover creates an isolated, temporary virtual machine from the replica for disaster recovery validation without disrupting the running primary virtual machine or pausing the ongoing replication cycle. The test VM runs in an isolated network and does not replace or affect the active replica. Planned failover requires a graceful shutdown of the primary virtual machine before activating the replica, which makes production services unavailable during the transition and is designed for planned maintenance or controlled migrations, not routine DR testing. Unplanned failover immediately activates the replica virtual machine and is the appropriate response when the primary site has failed and is unreachable, not for scheduled validation drills where the primary is still operational. Reverse replication is performed after a failover has completed to synchronize accumulated delta changes back to the original primary site so it can resume the primary role, not as a testing mechanism.
4. Adatum Corporation has a forest with a forest root domain (adatum.com) and two child domains: europe.adatum.com and asia.adatum.com. Users from europe.adatum.com frequently access resources in asia.adatum.com, and authentication is slow because the Kerberos referral chain must traverse through the forest root domain. An administrator needs to improve cross-domain authentication performance without creating any new trust paths or altering the existing trust hierarchy. Which action should the administrator take? (Select one!)
Explanation
A shortcut trust directly connects two domains within the same forest, reducing the number of Kerberos referral hops required for cross-domain authentication. Instead of traversing the full parent-child chain through adatum.com, clients in europe.adatum.com can authenticate to resources in asia.adatum.com via the shortcut. Critically, shortcut trusts do not create new trust paths or change the overall trust hierarchy — they optimize an existing transitive path. External trusts connect domains in different forests and are non-transitive, making them inappropriate for intra-forest optimization. Forest trusts connect two separate forests at their root domains and cannot be applied between domains within the same forest. Universal group membership caching reduces the need for Global Catalog contact during logon but has no effect on the number of Kerberos referral exchanges needed for cross-domain authentication.
5. VanArsdel, Ltd. and its manufacturing partner Datum Corporation need to implement Hyper-V Replica between their respective Windows Server 2022 Hyper-V hosts to replicate critical production virtual machines for disaster recovery. VanArsdel hosts belong to the vanarsdelltd.com Active Directory domain and Datum Corporation hosts belong to the datumcorp.com domain. No Active Directory trust relationship exists between the two organizations and none is planned. Which authentication method should be configured on both sets of Hyper-V hosts for the replication partnership? (Select one!)
Explanation
Certificate-based authentication is required for Hyper-V Replica when the replication source and destination hosts are in separate Active Directory forests without an established trust relationship. Certificates provide mutual authentication between the hosts and can optionally encrypt replication traffic without relying on a shared Kerberos infrastructure. Each organization obtains certificates from a certificate authority that the partner organization trusts, which can be achieved through certificates from a public CA or a cross-trusted internal CA. Kerberos authentication requires both Hyper-V hosts to be members of the same domain or of domains connected through an Active Directory trust relationship; mutual authentication across completely unrelated domains is not possible with Kerberos regardless of DNS resolution capability. NTLM is not a supported authentication option for Hyper-V Replica; the supported modes are Kerberos and certificate-based. CredSSP is a delegation mechanism for handling the PowerShell remoting double-hop problem and is not an authentication protocol for Hyper-V Replica replication connections.
Microsoft Dynamics 365 Supply Chain Management Functional Consultant Expert (MB-335)
MB-335 · 2039 questions
Microsoft Dynamics 365 Business Central Functional Consultant (MB-800)
MB-800 · 1899 questions
Microsoft Certified: Azure AI Engineer Associate (AI-102)
AI-102 · 1392 questions
Microsoft Certified: Windows Server Hybrid Administrator Associate (AZ-801)
AZ-801 · 1376 questions
Microsoft Dynamics 365 Finance Functional Consultant (MB-310)
MB-310 · 1299 questions
Microsoft 365 Certified: Fundamentals (MS-900)
MS-900 · 1201 questions
$17.99
One-time access to this exam