Free Questions on Microsoft Azure Administrator (AZ-104) Exam

In this blog, you will be trying out AZ-104 exam questions and answers, which will help in your preparation for the actual exam. The AZ-104: Microsoft Azure Administrator Certification exam evaluates your understanding of the implementation, monitoring, and management of the Microsoft Azure Environment in any organization. Read through to Validate!

Question No.: 1

Domain: Manage Azure identities and governance

Main Topic: Manage Microsoft Entra users and groups

Sub Topic: Create users and groups

Question Text: 

Your organization wants to enforce naming conventions for Microsoft Entra groups to ensure consistency and avoid duplication. For example, all group names should start with the department name, such as “HR-“, “Finance-“, or “IT-“. How can you achieve this?

1. Use Group Naming Policy in Microsoft Entra ID and configure prefix/suffix rules based on department
2. Manually rename each group as they are created
3. Implement a PowerShell script that runs daily to enforce the naming convention
4. Use Azure Policies to define naming rules for groups

Correct Answer: A

Explanation: 

Option A is CORRECT because Microsoft Entra ID provides a Group Naming Policy feature to enforce group naming conventions. An Azure Administrator can configure rules to automatically apply prefixes and/or suffixes based on user attributes like department or other organizational needs. This is the recommended and automated approach for achieving consistent group naming without manual intervention.

Reference: https://learn.microsoft.com/en-us/entra/identity/users/groups-naming-policy

Question No.: 2

Domain: Manage Azure identities and governance

Main Topic: Manage Microsoft Entra users and groups

Sub Topic: Manage licenses in Microsoft Entra ID

Question Text:  A user in your organization reports that they cannot access certain Microsoft 365 services despite having an assigned license. Upon investigation, you find that the user’s license is disabled. What is the most likely cause?

1. The user’s account has been disabled in Microsoft Entra ID
2. The license was assigned to the user through a group, but the service plan for that license is disabled
3. The user’s role does not permit them to use the licensed services
4. The license was assigned but has not yet been synchronized with the Microsoft 365 portal

Correct Answer: B

Explanation: 

Option B is CORRECT because when licenses are assigned via group-based licensing, An Azure administrator can enable or disable specific service plans within the license. If the relevant service plan is disabled, the user will not have access to those specific services, even though the license itself is assigned. This is a common scenario when managing license assignments using groups.

References: 

https://learn.microsoft.com/en-us/entra/identity/users/licensing-groups-assign

https://learn.microsoft.com/en-us/entra/identity/users/licensing-group-advanced

Multiple Answer Question

Question No.: 3

Domain: Manage Azure identities and governance

Main Topic: Manage Microsoft Entra users and groups

Sub Topic: Manage external users

Question Text: You are configuring external collaboration settings for your organization in Microsoft Entra ID. The security team has requested the following requirements for external guest access:

1. Guest users should only access their own directory objects, such as their profiles, and should not be able to see other users, groups, or memberships.
2. Only administrators with specific roles should have permission to invite guest users.

What should you configure to meet these requirements? (Select two options)

1. Set “Guest user access is restricted to properties and memberships of their own directory objects” under Guest user access
2. Set “Guest users have the same access as members” under Guest user access
3. Set “Anyone in the organization can invite guest users including guests and non-admins” under Guest invite settings
4. Set “Guest users have limited access to properties and memberships of directory objects” under Guest user access
5. Set “Only users assigned to specific admin roles can invite guest users” under Guest invite settings

Correct Answers: A and E

Explanation: 

Option A is CORRECT because this setting ensures that guest users can only access their own profiles and directory objects, such as their own memberships. It restricts them from seeing other users, groups, or memberships, which satisfies the requirement that guests cannot view other directory objects. This is the most restrictive setting available for guest access and directly addresses the security team’s requirement for limiting guest access.

Option E is CORRECT because this setting limits the ability to invite guest users to administrators with specific roles, such as the User Administrator or Guest Inviter roles. This directly addresses the requirement that only certain administrators should have permission to invite external users, ensuring tighter control over external collaboration.

Reference: https://learn.microsoft.com/en-us/entra/external-id/external-collaboration-settings-configure#configure-settings-in-the-portal

Multiple Answer Question

Question No.: 4

Domain: Manage Azure identities and governance

Main Topic: Manage Microsoft Entra users and groups

Sub Topic: Configure self-service password reset (SSPR)

Question Text: 

You are an Azure Administrator for your organization, tasked with enhancing security for self-service password reset (SSPR). The IT security team mandates that users must verify their identity using two different authentication methods before they can reset their passwords. This policy aims to ensure compliance with company security standards.

What three configurations should you apply to meet this requirement?

(Select three options)

1. Enable SSPR for all users
2. Set “Number of methods required to reset” to 2
3. Configure SSPR to use “Security questions” as the only authentication method
4. Add “Mobile app notification” and “Email” as authentication methods
5. Limit SSPR registration to selected groups

Correct Answer: A, B, and D

Explanation: 

Option A is CORRECT because enabling SSPR for all users ensures that the self-service password reset feature is available across the organization. Without this step, users will not have the capability to reset their passwords using SSPR, even if other configurations are correct.

Option B is CORRECT because setting the “Number of methods required to reset” to 2 enforces the policy requiring users to verify their identity using two different authentication methods before resetting their passwords. This configuration is essential to meet the company’s security requirements.

Option D is CORRECT because configuring authentication methods such as “Mobile app notification” and “Email” ensures users have secure and reliable options to verify their identity. At least two methods must be available to satisfy the requirement for two-factor authentication during password reset.

References: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-howitworks#authentication-methods

https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-howitworks#change-authentication-methods

Question No.: 5

Domain: Manage Azure identities and governance

Main Topic: Manage Azure subscriptions and governance

Sub Topic: Implement and manage Azure Policy

Question Text:  Your organization has multiple Azure subscriptions managed under a single management group. A new security compliance mandate requires all storage accounts across these subscriptions to have secure transfer enabled. As an Azure Administrator, you need to ensure this requirement is enforced uniformly across all subscriptions with minimal administrative effort. What is the best way to achieve this?

1. Assign the policy to each resource group individually
2. Assign the policy to a single subscription and replicate the setup
3. Assign the policy at the management group level
4. Use Azure Monitor to track storage accounts without secure transfer

Correct Answer: C

Explanation: 

Option C is CORRECT because assigning the policy at the management group level applies the policy to all subscriptions under the management group. This approach ensures uniform enforcement of the compliance mandate across all storage accounts in multiple subscriptions and minimizes administrative effort, making it the most efficient solution.

Reference: https://learn.microsoft.com/en-us/azure/governance/policy/tutorials/create-and-manage#implement-a-new-custom-policy

Question No.: 6

Domain: Manage Azure identities and governance

Main Topic: Manage Azure subscriptions and governance

Sub Topic: Configure resource locks

Question Text: 

Your organization has applied a Delete lock to a storage account containing critical business data. A developer tries to delete a container within this storage account to free up space but encounters an error. What is the most likely reason for the error?

1. The Delete lock applies to all sub-resources of the storage account, including containers
2. The Delete lock is incorrectly configured and should only apply to the storage account itself
3. The developer lacks Azure RBAC permissions to delete the container
4. Containers are not affected by resource locks

Correct Answer: A

Explanation: 

Option A is CORRECT because a Delete lock applied to a storage account affects the storage account itself as well as its sub-resources, including containers. This ensures that no deletions can occur at any level under the locked storage account, which is why the developer encounters an error when attempting to delete a container.

Reference: Protect your Azure resources with a lock – Azure Resource Manager 

Case Study (Question No. 7 to Question No. 13)

To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

Overview:

Contoso Inc. is a multinational company specializing in cloud-based enterprise solutions. They have recently migrated several of their workloads to Microsoft Azure to streamline operations and improve security. Contoso has multiple departments, including finance, sales, and HR, which require different resources across several regions.

The company has an Azure environment with several subscriptions for different projects and departments. These subscriptions are governed by various access policies and management practices to ensure compliance with both corporate standards and regulatory requirements.

Existing Environment:

• Azure Subscriptions: Contoso Inc. has three main Azure subscriptions:
• Finance Subscription: Hosts finance-related workloads.
• Sales Subscription: Hosts workloads for the sales department.
• HR Subscription: Hosts HR applications and employee data.

Resource Groups: Each department has resource groups assigned to specific applications.

• Finance has resource groups like Finance-Dev, Finance-Prod.
• Sales has resource groups like Sales-Dev, Sales-Prod.
• HR has resource groups like HR-Dev, HR-Prod.

Tagging Policy: Contoso uses tags for cost allocation, resource management, and compliance auditing. For instance, the tag Environment is applied to each resource with values such as Dev, Prod, or Test.

Management Groups: The organization follows a hierarchical structure to manage resources:

• Top-level Management Group: Contoso-Main
• Sub-management groups for each department: Finance, Sales, HR.

Cost Management: Contoso has implemented Azure cost management solutions, using budgets to monitor and control costs across departments. The Finance department has exceeded its budget for the last quarter, while other departments are within their budget limits.

Compliance and Security: Contoso has set up policies to ensure that no resources are deployed without necessary tags and that resource locks are enforced to prevent accidental deletion of critical resources.

Requirements:

Technical Requirements:

Contoso has the following technical requirements: 

• Tagging: The Finance team has requested that all resources within the Finance-Prod resource group should automatically inherit a Compliance tag with the value High to ensure compliance reporting is accurate.
• Cost Management: The Sales department has requested a solution to alert them when their monthly Azure spend exceeds $50,000 to prevent overspending.
• Resource Group Management: The HR department wants to ensure that all resources in the HR-Prod resource group are protected with a Delete Lock to avoid accidental deletion during system updates.
• Subscription Management: The management needs a strategy to enforce consistent governance across all Azure subscriptions while maintaining autonomy at the department level.
• Management Groups: Contoso wants to set up a policy for all resources under the Sales management group to automatically use a specific SKU for all virtual machines (VMs) to standardize resource provisioning.

User Requirements:

Contoso has the following user requirements: 

• Finance Team: Ensure all resources in the Finance subscription are tagged for reporting and budgeting.
• Sales Team: Monitor and manage Azure cost alerts efficiently to avoid exceeding budget limits.
• HR Team: Ensure critical resources are locked to prevent accidental deletion.
• IT Governance Team: Establish consistent resource management policies across subscriptions while maintaining departmental autonomy.

Question No.: 7

Domain: Manage Azure identities and governance

Main Topic: Manage Azure subscriptions and governance

Sub Topic: Manage resource groups

Question Text: 

Contoso wants to implement a policy that automatically ensures no resources in the HR-Prod resource group can be deleted. What is the most efficient way to achieve this?

1. Apply a Delete lock on each individual resource within the HR-Prod resource group
2. Apply a Delete lock to the entire HR-Prod resource group to prevent deletion of any resources
3. Assign a Role-Based Access Control (RBAC) policy that prevents the deletion of resources in the HR-Prod resource group
4. Use Azure Automation to periodically check the resources in the HR-Prod group and manually apply locks

Correct Answer: B

Explanation: 

Option B is CORRECT because a Delete lock applied at the resource group level ensures that all resources within the group are protected against deletion, regardless of when they were created. This includes any existing resources and any resources added to the resource group in the future. The Delete lock is an in-built Azure feature that overrides permissions, meaning even users with elevated roles, such as Owners or Contributors, cannot delete resources within the group unless the lock is removed. This approach is efficient because it eliminates the need for manual intervention and ensures consistent protection across the resource group. Additionally, locks provide transparency and are visible in the Azure portal, helping organizations enforce strict governance policies. This solution aligns with best practices for managing resources in Azure and reduces the risk of accidental or unauthorized deletions, which could lead to downtime or data loss.

Reference: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json

Question No.: 8

Domain: Manage Azure identities and governance

Main Topic: Manage Azure subscriptions and governance

Sub Topic: Manage subscriptions

Question Text: 

Contoso Inc. has three Azure subscriptions: Finance, Sales, and HR. The organization wants to ensure that the Finance team can manage all resources within their subscription, while the Sales and HR teams only have limited access to their respective subscriptions. Additionally, the Finance team needs to be able to manage billing across all subscriptions. What is the most efficient approach to implement this scenario?

1. Assign the Finance team as subscription owners for all three subscriptions and restrict the Sales and HR teams to Contributor roles within their respective subscriptions
2. Create a management group for each department and assign the Finance team as a Global Administrator at the management group level while assigning the Sales and HR teams as Owners within their respective subscriptions
3. Use Microsoft Entra Privileged Identity Management to elevate access for the Finance team when needed and assign the Sales and HR teams as Readers in their subscriptions
4. Set up Azure Lighthouse and delegate control of the subscriptions to the Finance team for billing and assign the Sales and HR teams appropriate roles within their subscription

Correct Answer: A

Explanation: 

Option A is CORRECT because assigning the Finance team as Subscription Owners for all subscriptions provides them with full administrative control, including the ability to manage billing across all subscriptions. At the same time, restricting the Sales and HR teams to the Contributor role within their respective subscriptions ensures they can manage resources but are limited to actions within their designated scope. This solution ensures a clear separation of responsibilities while fulfilling the requirement for Finance to manage billing and other resources across subscriptions. It is straightforward and does not involve unnecessary complexity, making it efficient and scalable for governance.

References: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal-subscription-admin

https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps#privileged-administrator-roles

Question No.: 9

Domain: Manage Azure identities and governance

Main Topic: Manage Azure subscriptions and governance

Sub Topic: Manage costs by using alerts, budgets, and Azure Advisor recommendations

Question Text: 

The Sales department has a monthly budget of $50,000 for Azure services. The department wants to receive an alert when their spend approaches 80% of the budgeted amount. Which of the following actions should you take to achieve this?

1. Create an Azure Monitor alert based on the subscription’s total spend
2. Use Azure Cost Management to set up a budget and configure an alert for when the spend exceeds 80% of the budget
3. Configure Azure Advisor recommendations to alert the Sales team when costs are nearing the budget limit
4. Set up an automatic scale rule to scale down the resources when the budget exceeds 80%

Correct Answer: B

Explanation: 

Option B is CORRECT because Azure Cost Management provides the functionality to create budgets and set spending thresholds. You can configure a budget specific to the Sales department’s subscription or resource group and set an alert for 80% of the allocated budget ($50,000 in this case). This approach is aligned with the requirement, as it directly tracks spending and provides proactive notifications when nearing the defined threshold. This method is efficient, automated, and purpose-built for cost governance in Azure.

References: https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/tutorial-acm-create-budgets?tabs=psbudget

https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/tutorial-acm-create-budgets?tabs=psbudget#configure-forecasted-budget-alerts

Question No.: 10

Domain: Manage Azure identities and governance

Main Topic: Manage Azure subscriptions and governance

Sub Topic: Configure management groups

Question Text: 

Contoso wants to enforce a policy that ensures all virtual machines deployed under the Sales management group use a specific SKU (e.g., Standard_D2_v2) to standardize VM deployment. What is the most efficient way to enforce this policy?

1. Define a custom role within the Sales management group at the resource group level to enforce limitations on the available virtual machine (VM) SKUs
2. Apply an Azure Policy at the Sales management group level to enforce the specific SKU for all virtual machines
3. Manually configure the SKU for each virtual machine deployed in the Sales management group
4. Assign a policy at the subscription level to enforce the VM SKU for all resources within the subscription

Correct Answer: B

Explanation: 

Option B is CORRECT because Azure Policy is specifically designed to enforce compliance and standardization for Azure resources, including virtual machines. By applying a policy at the Sales management group level, you can define a rule that ensures all VMs deployed under this group use the required SKU (e.g., Standard_D2_v2). This policy propagates automatically to all subscriptions and resource groups within the Sales management group, ensuring uniform enforcement with minimal administrative effort. Azure Policy also provides auditing and compliance reporting, allowing Azure administrator to track and remediate non-compliant resources if needed.

References: 

https://learn.microsoft.com/en-us/azure/governance/policy/overview

https://learn.microsoft.com/en-us/azure/governance/policy/tutorials/create-and-manage

Question No.: 11

Domain: Deploy and manage Azure compute resources

Main Topic: Automate deployment of resources by using Azure Resource Manager (ARM) templates or Bicep files

Sub Topic: Modify an existing Azure Resource Manager template

Question Text: 

You are modifying an ARM template to include a new Azure Storage account. The storage account must be created before a virtual machine in the same template, as the virtual machine depends on the storage account for disk storage.

Which action ensures that the storage account is created before the virtual machine?

1. Add the dependsOn property to the virtual machine resource and reference the storage account
2. Reorder the resources in the template so the storage account is defined before the virtual machine
3. Use a condition to deploy the storage account only if the virtual machine exists
4. Add the storage account to a nested template and call it before the virtual machine

Correct Answer: A

Explanation: 

Option A is CORRECT because the dependsOn property explicitly specifies a dependency between resources in an ARM template. By referencing the storage account in the dependsOn property of the virtual machine, Azure ensures that the storage account is fully provisioned before the virtual machine is deployed. This is the most reliable and recommended method for defining dependencies between resources.

Reference: https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/resource-dependency

Question No.: 12

Domain: Deploy and manage Azure compute resources

Main Topic: Automate deployment of resources by using Azure Resource Manager (ARM) templates or Bicep files

Sub Topic: Modify an existing Bicep file

Question Text: 

You are managing an application deployment project where different environments (development, testing, production) require varying Azure App Service plan SKUs. The current Bicep file deploys the App Service plan with the SKU hard coded as P1v2. This has caused issues because the production environment needs P3v2, while development and testing require F1 and S1, respectively.

How should you modify the Bicep file to make the SKU configurable during deployment?

1. Add a new parameter for the SKU and update the App Service plan resource to reference this parameter
2. Add a new variable for the SKU and update the App Service plan resource to reference this variable
3. Update the SKU property directly in the resource definition to include all possible SKU values
4. Add a new output for the SKU to display the selected value after deployment

Correct Answer: A

Explanation: 

Option A is CORRECT because using a parameter makes the SKU value configurable during deployment. Parameters allow you to supply values specific to the environment (e.g., F1 for development, S1 for testing, and P3v2 for production) without modifying the Bicep file. This approach ensures flexibility, reusability, and alignment with best practices for infrastructure as code.

Reference: https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/file#parameters

Drag and Drop – Ordering (Arranging)

Question No.: 13

Domain: Deploy and manage Azure compute resources

Main Topic: Automate deployment of resources by using Azure Resource Manager (ARM) templates or Bicep files

Sub Topic: Deploy resources by using an Azure Resource Manager template or a Bicep file

Question Text: 

You are tasked with deploying Azure resources using a local Bicep file. You need to ensure the deployment follows the required steps to create a resource group and deploy the resources. Arrange the steps in the correct order to complete the deployment using Azure CLI.

[options on the left side]

1. Validate the Azure CLI installation and ensure it is updated to its latest version
2. Create the resource group using the az group create command
3. Verify successful deployment in the Azure portal
4. Use the az deployment group create command with the Bicep file and parameters
5. Log in to Azure and set the appropriate subscription using az login and az account set
6. Prepare the local Bicep file with the required resource definitions

Correct Answer (to be dragged to the right side)

Correct Sequence – 1, 5, 6, 2, 4, 3

Explanation: 

1. Validate the Azure CLI installation: Before starting any deployment, it is imperative to confirm that the Azure Command-Line Interface (CLI) is installed and functioning correctly. This involves running a command like az –version to check the current version of the Azure CLI. Keeping the CLI updated is crucial because newer versions may introduce new features, improvements, fixes, and support for the latest Azure features, including enhancements related to Bicep, which is a domain-specific language (DSL) for deploying Azure resources. Ensuring that the Azure CLI is up to date helps avoid compatibility issues during deployment.
2. Log in to Azure and set the subscription: The next step is to authenticate to Azure by running the command az login. This command opens a new browser window prompting for Azure credentials, allowing you to sign in securely. Once authenticated, it’s essential to specify which subscription to use if your account has access to multiple subscriptions. This is accomplished with the command az account set –subscription “YourSubscriptionName”. This step ensures that subsequent commands for resource group creation and resource deployment will target the correct Azure subscription, making the deployment process organized and eliminating potential errors related to targeting the wrong subscription.
3. Prepare the local Bicep file: With the Azure CLI set and authenticated, you will need to prepare your Bicep file. The Bicep file is where you define all the Azure resources you want to deploy, such as virtual machines, storage accounts, networking components, etc. This file uses a clear, concise syntax, making it easier to read and maintain compared to traditional JSON ARM templates. Ensure that your Bicep file includes the necessary parameters and resource definitions to meet your deployment needs. This step is crucial because any misconfiguration or missing parameters in the Bicep file can lead to deployment failures.
4. Create the resource group: Before deploying resources, it is essential to ensure that the target resource group exists. A resource group is a logical container for Azure resources, providing a way to manage and organize related resources. Use the command az group create –name YourResourceGroupName –location YourLocation to create a new resource group. If the resource group already exists, you can skip this step. However, if it does not exist, this command ensures a suitable environment is ready for deploying your defined resources.
5. Deploy resources using Bicep: Once you have the resource group set up, the next step is to execute the deployment using the command az deployment group create. This command takes several parameters, including –resource-group, the name of the resource group where you want to deploy the resources, and –template-file pointing to your Bicep file. Optionally, if your Bicep file requires parameters, you can supply these using the –parameters flag. This step is where the actual deployment happens, and Azure starts provisioning the resources as defined in your Bicep file.
6. Verify the deployment: After initiating the deployment, it is important to verify that everything was deployed successfully. You can either monitor the output in the CLI, which provides immediate feedback on the deployment status or log into the Azure portal and navigate to the resource group to visually confirm that the resources are created as expected. Checking the deployment status helps ensure that all resources are provisioned correctly, and if any issues arise, it allows you to troubleshoot or investigate errors accordingly.

References: https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deploy-cli#deploy-local-bicep-file

Question No.: 14

Domain: Deploy and manage Azure compute resources

Main Topic: Automate deployment of resources by using Azure Resource Manager (ARM) templates or Bicep files

Sub Topic: Export a deployment as an Azure Resource Manager template or convert an Azure Resource Manager template to a Bicep file

Question Text: 

You are working as an Azure Administrator for a company that heavily uses ARM templates to deploy and manage Azure resources. The development team recently decided to transition to using Bicep files for better readability and easier resource management. The team has shared an existing ARM template that defines the infrastructure for a web application, including virtual networks, storage accounts, and app services. They request your assistance in converting this ARM template into a Bicep file to align with the new approach. 

Which action should you take to convert the ARM template into a Bicep file?

1. Use the az bicep build command to convert the ARM template into a Bicep file
2. Use the az bicep decompile command to convert the ARM template into a Bicep file
3. Open the ARM template in Visual Studio Code and use the “Convert to Bicep” extension
4. Rewrite the ARM template manually in Bicep syntax

Correct Answer: B

Explanation: 

Option B is CORRECT because the az bicep decompile command is specifically designed to convert an existing ARM template (JSON format) into a Bicep file. It simplifies the transition from ARM templates to Bicep by automatically generating the equivalent Bicep code from a JSON file. This is the most efficient and accurate way to achieve the stated objective.

Reference: https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/decompile?tabs=azure-cli

Question No.: 15

Domain: Deploy and manage Azure compute resources

Main Topic: Create and configure virtual machines

Sub Topic: Configure Azure Disk Encryption

Question Text: 

You are configuring Azure Disk Encryption for a new Linux-based virtual machine (VM). The VM will be deployed using a custom image, and you must ensure that the disk encryption process is performed automatically during the deployment.

Which of the following actions will ensure that the VM’s OS disk is encrypted automatically during deployment?

1. Use the az vm encryption enable command after the VM is deployed
2. Ensure that the Key Vault and encryption key are configured in the VM’s deployment template
3. Configure the VM to use managed disks and enable encryption at rest through the Azure portal
4. Manually create an encryption script and run it after the VM is deployed

Correct Answer: B

Explanation: 

Option B is CORRECT because to enable encryption automatically during deployment, the Key Vault and encryption key need to be configured in the VM’s deployment template (either an ARM template or a Bicep file). By specifying the Key Vault and encryption key in the template, Azure will automatically encrypt the OS disk during the VM’s creation process. This approach is fully automated and eliminates the need for manual steps after deployment. The encryption happens as part of the VM deployment lifecycle.

References: https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-powershell

https://learn.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-linux?tabs=azcliazure%2Cenableadecli%2Cefacli%2Cadedatacli

Question No.: 16

Domain: Deploy and manage Azure compute resources

Main Topic: Create and configure virtual machines

Sub Topic: Move a virtual machine to another resource group, subscription, or region

Question Text: 

You are managing an Azure environment and have been tasked with moving a virtual machine (VM) to a new resource group to align with updated organizational policies. While operating the Azure portal, you encounter an error indicating that some dependent resources cannot be moved along with the VM. The error prevents the move operation from completing. Which of the following resources are likely causing the issue?

1. Virtual network and network security group
2. Azure Key Vault associated with the VM
3. Azure Policy assignments linked to the VM
4. Azure Monitor alerts configured for the VM

Correct Answer: A

Explanation: 

Option A is CORRECT because dependent resources such as virtual networks (VNets) and network security groups (NSGs) are tightly bound to the VM. When moving a VM to a new resource group, all associated resources must either already exist in the target resource group or be moved simultaneously. If these resources are not in the same resource group or cannot be moved, the operation will fail. Azure enforces this dependency to maintain resource integrity and connectivity.

References: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-limitations/virtual-machines-move-limitations?tabs=azure-cli

Question No.: 17

Domain: Deploy and manage Azure compute resources

Main Topic: Create and configure virtual machines

Sub Topic: Manage virtual machine sizes

Question Text: 

You are using a VM with the size Standard_D16s_v3 for testing purposes. 

The testing is complete, and you want to reduce costs by resizing the VM to a smaller size, Standard_B2s. The VM has managed disks and an associated public IP. 

Which of the following is the best and optimal method to perform the resizing operation?

1. Change the VM size directly in the Azure portal without stopping it
2. Stop the VM, resize it to the smaller size, and then start the VM
3. Delete the VM, select the new size, and recreate it with a new public IP
4. Create a snapshot of the disk, deploy a new VM with the desired size, and attach the disk to it

Correct Answer: B

Explanation: 

Option B is CORRECT because this is the optimal method for resizing a VM to a smaller size. Stopping (deallocating) the VM ensures that the resizing operation can be completed successfully. Azure allows resizing to smaller sizes (like Standard_B2s) only if the VM is deallocated. This method is best for ensuring a seamless operation without any compatibility issues. Resizing a stopped VM also avoids potential disruptions during the resize operation. Deallocating the VM also helps release resources, allowing for the new size to be applied correctly. Once the resize is complete, you can start the VM again.

Reference: https://learn.microsoft.com/en-us/azure/virtual-machines/sizes/resize-vm?tabs=portal

Question No.: 18

Domain: Deploy and manage Azure compute resources

Main Topic: Create and configure virtual machines

Sub Topic: Deploy virtual machines to availability zones and availability sets

Question Text: 

Your organization wants to deploy 10 virtual machines into an Availability Set. You need to distribute these VMs across fault domains and update domains. Based on Azure’s limitations, what is the maximum number of fault domains Azure will assign within an Availability Set?

1. 2
2. 10
3. 5
4. 3

Correct Answer: D

Explanation: 

Option D is CORRECT because Azure Availability Sets support 3 fault domains per region. When you place virtual machines in an Availability Set, Azure automatically distributes them across these fault domains to reduce the impact of potential hardware failures or outages within a specific rack.

Reference: https://learn.microsoft.com/en-us/azure/virtual-machines/availability-set-overview#how-do-availability-sets-work

Question No.: 19

Domain: Deploy and manage Azure compute resources

Main Topic: Provision and manage containers in the Azure portal

Sub Topic: Manage sizing and scaling for containers, including Azure Container Instances and Azure Container Apps

Question Text: 

You are managing a logistics application deployed in Azure Container Apps. The app processes incoming shipment data sent via an Azure Service Bus queue. To ensure timely processing during high traffic, the app must automatically scale out when more than five messages are waiting in the queue. Which scaling rule type should you configure to achieve this?

1. HTTP scaling rule
2. TCP scaling rule
3. Custom scaling rule
4. Default scaling rule

Correct Answer: C

Explanation: 

Option C is CORRECT because custom scaling rules allow you to configure scaling for scenarios like Azure Service Bus, where specific metrics (e.g., the number of messages in a queue) trigger scaling. In this case, you can use a KEDA (Kubernetes-based Event Driven Autoscaler) scaler to monitor the queue length and scale out the app when there are more than five messages.

Reference: https://learn.microsoft.com/en-us/azure/container-apps/scale-app?pivots=azure-portal#scale-rules

Question No.: 20

Domain: Deploy and manage Azure compute resources

Main Topic: Create and configure Azure App Service

Sub Topic: Configure scaling for an App Service plan

Question Text: 

Your App Service is hosted in a B1 App Service Plan. It has started encountering frequent HTTP 500 errors during peak hours due to resource exhaustion. You decide to scale up to a higher pricing tier. What limitation should you be aware of when scaling up?

1. Scaling up will require recreating the App Service Plan
2. App Service scaling up is not supported in the Basic tier
3. Scaling up will change the available features and pricing of the App Service Plan
4. Scaling up is only allowed during non-peak hours

Correct Answer: C

Explanation: 

Option C is CORRECT because when scaling up an App Service Plan to a higher pricing tier, you unlock additional features and resources such as higher CPU, memory, and storage, along with different pricing. This change in features and cost is a key consideration before scaling up.

Reference: https://learn.microsoft.com/en-us/azure/app-service/manage-scale-up

Conclusion: 

As read, these free practice questions would help you understand the big game. Practice and test yourself consistently to excel in your Microsoft Azure Administrator examination. Hands-on experience also plays a crucial part, get it with the Whizlabs Hands-on labs and Sandboxes. Feel free to contact us in case of queries.

• About the Author
• More from Author

About Suneel Moopanar

Suneel is a certified cloud practitioner who specializes in helping users develop and master their Cloud Computing skills across platforms like Azure, GCP, Microsoft Security, and Power Platform Solutions. He is passionate about empowering professionals to advance their careers and has extensive experience in implementing security policies, managing load balancing, and optimizing availability sets and zones.

• How do you configure Azure Site Recovery for AZ-800? - May 16, 2025
• How Does AZ-140 Help in Managing Azure Virtual Desktops? - March 7, 2025
• What Are AZ-800 Key Concepts for Role-Based Access? - February 18, 2025
• Simplifying Azure Dev Workflows with the Azure Developer CLI - February 7, 2025
• MD-102:Endpoint Administrator – Syllabus Update Sept 17, 2024 - September 24, 2024
• How I Successfully Passed the AI-900 Certification Exam - September 4, 2024
• Free Questions on Microsoft Azure Administrator (AZ-104) Exam - March 25, 2022