1. Manage Azure Identities & Governance
Domain 1 — 20% of Exam
Question 01
Which Azure feature allows you to enforce organizational standards and assess compliance at scale by creating policies that deny, audit, or auto-remediate non-compliant resources?
A. Azure Policy ✅
B. Azure Blueprints
C. Management Groups
D. Azure Monitor
💡 Explanation: Azure Policy evaluates resources and enforces rules. Effects include: Deny (prevent non-compliant creation), Audit (log but allow), DeployIfNotExists (auto-remediate), and Modify (add tags). Policies can be assigned at management group, subscription, or resource group scope. Azure Blueprints package policies, role assignments, and ARM templates together. Management Groups organize subscriptions hierarchically.
Question 02
An Azure administrator needs to grant a developer the ability to create and manage virtual machines in a specific resource group, but NOT access other resource groups. Which feature should they use?
A. Azure RBAC — assign the Virtual Machine Contributor role at the resource group scope ✅
B. Azure Policy with a deny rule
C. Azure AD Conditional Access
D. Network Security Group
💡 Explanation: Azure RBAC (Role-Based Access Control) grants permissions at specific scopes: management group → subscription → resource group → resource. Assigning “Virtual Machine Contributor” at the resource group level gives VM management permissions only within that group. Key built-in roles: Owner (full access), Contributor (create/manage but not assign roles), Reader (view only). RBAC is the most tested AZ-104 concept.
Question 03
Which Azure resource hierarchy level allows you to manage policies and RBAC across multiple subscriptions?
A. Management Group ✅
B. Resource Group
C. Tenant
D. Availability Zone
💡 Explanation: The Azure resource hierarchy from top to bottom: Tenant → Management Groups → Subscriptions → Resource Groups → Resources. Management Groups sit above subscriptions and allow you to apply policies and RBAC across multiple subscriptions at once. They support up to 6 levels of depth. This hierarchy and inheritance model is heavily tested on AZ-104.
2. Implement & Manage Storage
Domain 2 — 15% of Exam
Question 04
Which Azure Storage service provides massively scalable object storage for unstructured data like images, videos, documents, and backups?
A. Azure Blob Storage ✅
B. Azure Files
C. Azure Table Storage
D. Azure Queue Storage
💡 Explanation: Azure Blob Storage stores unstructured data as binary large objects (blobs). Three blob types: Block blobs (files up to 190.7 TB), Append blobs (logging data), and Page blobs (VHD disks). Access tiers: Hot (frequent access), Cool (infrequent, 30+ days), Cold (rare, 90+ days), Archive (offline, 180+ days). Azure Files provides SMB/NFS file shares. Table Storage is NoSQL key-value. Queue Storage handles messaging.
Question 05
An admin needs to grant temporary, time-limited access to a specific blob in Azure Storage without sharing the storage account key. What should they generate?
A. Shared Access Signature (SAS) token ✅
B. Access Key
C. Azure AD token
D. Managed identity
💡 Explanation: A Shared Access Signature (SAS) provides granular, time-limited access to storage resources. You specify: permissions (read, write, delete), resource scope (account, container, blob), start/expiry time, and allowed IP addresses. SAS types: Account SAS, Service SAS, and User Delegation SAS (most secure, uses Azure AD). Access keys provide full access — never share them. SAS is the standard for secure temporary access.
3. Deploy & Manage Compute Resources
Domain 3 — 25% of Exam (Highest Weight)
Question 06
Which Azure service allows you to deploy a group of identical VMs that can automatically scale in and out based on demand or a schedule?
A. Availability Set
B. Virtual Machine Scale Set (VMSS) ✅
C. Azure Kubernetes Service
D. Azure Batch
💡 Explanation: Virtual Machine Scale Sets (VMSS) deploy and manage a set of identical, auto-scaling VMs. They support metric-based autoscaling (CPU > 75% = add VMs) and schedule-based scaling (scale up during business hours). VMSS works with Azure Load Balancer or Application Gateway. Availability Sets protect against hardware failures within a datacenter (fault domains + update domains). AKS is for container orchestration.
Question 07
Which Azure compute service is a fully managed platform for building, deploying, and scaling web applications without managing the underlying infrastructure?
A. Azure App Service ✅
B. Azure Virtual Machines
C. Azure Container Instances
D. Azure Functions
💡 Explanation: Azure App Service is a PaaS offering for hosting web apps, REST APIs, and mobile backends. It supports .NET, Java, Node.js, Python, PHP, and Ruby. Features include custom domains, SSL, autoscaling, deployment slots (staging/production swap), and CI/CD integration. VMs are IaaS (you manage the OS). Container Instances run containers without orchestration. Functions are serverless event-driven compute.
Question 08
An admin wants to deploy a new version of a web app for testing before making it live. Which Azure App Service feature allows testing in a separate environment and swapping to production with zero downtime?
A. Deployment slots ✅
B. Azure DevOps pipeline
C. Traffic Manager
D. Azure CDN
💡 Explanation: Deployment slots in Azure App Service allow you to create a separate instance (e.g., “staging”) with its own URL. Deploy your new version to the staging slot, test it, then swap staging ↔ production instantly with zero downtime. If issues arise, swap back immediately. Slots share the same App Service plan. You can also route a percentage of traffic to a slot for A/B testing. Available on Standard tier and above.
4. Configure & Manage Virtual Networking
Domain 4 — 20% of Exam
Question 09
Which Azure networking feature allows two virtual networks to communicate directly with each other as if they were on the same network, using Microsoft’s backbone network?
A. VNet Peering ✅
B. VPN Gateway
C. ExpressRoute
D. Azure Firewall
💡 Explanation: VNet Peering connects two Azure virtual networks via Microsoft’s backbone — traffic never touches the public internet. Two types: Regional peering (same region) and Global peering (cross-region). Peering is non-transitive — if VNet A peers with VNet B, and VNet B peers with VNet C, A cannot reach C unless directly peered. VPN Gateway connects Azure to on-premises or other cloud networks. ExpressRoute provides private, dedicated connectivity.
Question 10
Which Azure resource controls inbound and outbound network traffic to Azure resources using security rules based on source/destination IP, port, and protocol?
A. Network Security Group (NSG) ✅
B. Azure Firewall
C. Application Gateway
D. Azure DDoS Protection
💡 Explanation: NSGs contain security rules that allow or deny inbound/outbound traffic. Each rule specifies: priority (100-4096, lower = higher priority), source/destination (IP, service tag, ASG), port, protocol (TCP/UDP/Any), and action (Allow/Deny). NSGs can be associated with subnets or individual NICs. Azure Firewall is a managed, stateful firewall-as-a-service with FQDN filtering. Application Gateway is a Layer 7 load balancer with WAF.
Question 11
Which Azure load balancing service operates at Layer 7 (HTTP/HTTPS) and supports URL-based routing, SSL termination, and Web Application Firewall (WAF)?
A. Azure Load Balancer
B. Azure Application Gateway ✅
C. Azure Front Door
D. Traffic Manager
💡 Explanation: Application Gateway is a regional Layer 7 (HTTP/HTTPS) load balancer with URL path-based routing, SSL termination, cookie-based session affinity, and optional WAF. Azure Load Balancer is Layer 4 (TCP/UDP) — faster but no URL routing. Front Door is a global Layer 7 load balancer with CDN. Traffic Manager is DNS-based global load balancing. Know the differences between all four for AZ-104.
5. Monitor & Maintain Azure Resources
Domain 5 — 20% of Exam
Question 12
Which Azure service provides a centralized platform for collecting, analyzing, and acting on telemetry data from Azure resources — including metrics, logs, and alerts?
A. Azure Monitor ✅
B. Azure Advisor
C. Azure Service Health
D. Azure Activity Log
💡 Explanation: Azure Monitor is the comprehensive monitoring platform. It collects: Metrics (numerical performance data), Logs (structured event data sent to Log Analytics workspace), and Activity Logs (control-plane operations). Features: Alerts (notify on conditions), Dashboards (visualize), Workbooks (interactive reports), and Insights (pre-built monitoring for VMs, containers, apps). Azure Advisor gives best-practice recommendations. Service Health tracks Azure outages.
Question 13
Which Azure service provides backup and disaster recovery for Azure VMs, SQL databases, file shares, and on-premises workloads?
A. Azure Backup (Recovery Services vault) ✅
B. Azure Site Recovery
C. Azure Blob Snapshots
D. Azure Storage replication
💡 Explanation: Azure Backup uses a Recovery Services vault to store backups of VMs, SQL databases, Azure Files, and on-premises machines. It supports scheduled backups, retention policies, geo-redundant storage, and point-in-time restore. Azure Site Recovery (ASR) is for disaster recovery — it replicates VMs to a secondary region for failover. Know the difference: Backup = data protection, Site Recovery = business continuity (DR).
Question 14
An administrator wants to automate the deployment of Azure resources in a repeatable, consistent manner using JSON-based template files. Which approach should they use?
A. ARM templates (or Bicep) ✅
B. Azure CLI only
C. Azure Portal manually
D. Azure Advisor
💡 Explanation: ARM (Azure Resource Manager) templates are JSON files that define the infrastructure and configuration declaratively — similar to Terraform but Azure-native. Bicep is a newer, simpler DSL that compiles to ARM JSON. Benefits: idempotent deployments, version control, modular design, and what-if previews. Azure CLI/PowerShell can deploy resources imperatively but aren’t template-based. ARM templates are the Azure-native IaC standard.