Was :
$90
Today :
$50
Was :
$108
Today :
$60
Was :
$126
Today :
$70
Why Should You Prepare For Your Microsoft Azure Administrator With MyCertsHub?
At MyCertsHub, we go beyond standard study material. Our platform provides authentic Microsoft AZ-104 Exam Dumps, detailed exam guides, and reliable practice exams that mirror the actual Microsoft Azure Administrator test. Whether you’re targeting Microsoft certifications or expanding your professional portfolio, MyCertsHub gives you the tools to succeed on your first attempt.
Verified AZ-104 Exam Dumps
Every set of exam dumps is carefully reviewed by certified experts to ensure accuracy. For the AZ-104 Microsoft Azure Administrator , you’ll receive updated practice questions designed to reflect real-world exam conditions. This approach saves time, builds confidence, and focuses your preparation on the most important exam areas.
Realistic Test Prep For The AZ-104
You can instantly access downloadable PDFs of AZ-104 practice exams with MyCertsHub. These include authentic practice questions paired with explanations, making our exam guide a complete preparation tool. By testing yourself before exam day, you’ll walk into the Microsoft Exam with confidence.
Smart Learning With Exam Guides
Our structured AZ-104 exam guide focuses on the Microsoft Azure Administrator's core topics and question patterns. You will be able to concentrate on what really matters for passing the test rather than wasting time on irrelevant content. Pass the AZ-104 Exam – Guaranteed
We Offer A 100% Money-Back Guarantee On Our Products.
After using MyCertsHub's exam dumps to prepare for the Microsoft Azure Administrator exam, we will issue a full refund. That’s how confident we are in the effectiveness of our study resources.
Try Before You Buy – Free Demo
Still undecided? See for yourself how MyCertsHub has helped thousands of candidates achieve success by downloading a free demo of the AZ-104 exam dumps.
MyCertsHub – Your Trusted Partner For Microsoft Exams
Whether you’re preparing for Microsoft Azure Administrator or any other professional credential, MyCertsHub provides everything you need: exam dumps, practice exams, practice questions, and exam guides. Passing your AZ-104 exam has never been easier thanks to our tried-and-true resources.
Microsoft AZ-104 Sample Question Answers
Question # 1
You deploy Azure virtual machines to three Azure regions.Each region contains a virtual network. Each virtual network contains multiple subnets peered in a full meshtopology.Each subnet contains a network security group (NSG) that has defined rules.A user reports that he cannot use port 33000 to connect from a virtual machine in one region to a virtualmachine in another region.Which two options can you use to diagnose the issue? Each correct answer presents a complete solution.NOTE: Each correct selection is worth one point.
A. Azure Virtual Network Manager
B. IP flow verify
C. Azure Monitor Network Insights
D. Connection troubleshoot
E. elective security rules
IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of
direction, protocol, local IP, remote IP, local port, and a remote port. If the packet is denied by a security
group, the name of the rule that denied the packet is returned. While any source or destination IP can be
chosen, IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and
from or to the on-premises environment.
Question # 2
You have an Azure subscription that contains an Azure Stream Analytics job named Job1.You need to monitor input events for Job1 to identify the number of events that were NOT processed.Which metric should you use?
A. Output Events B. Backlogged Input Events C. Out-of-Order Events D. Late Input Events
Answer: B
Explanation
Backlogged Input Events is a metric that shows the number of input events that are waiting to be processed by
the Stream Analytics job1. This metric indicates the performance and health of the job, as well as the input
data rate and latency. If the Backlogged Input Events metric is high or increasing, it means that the job is not
able to keep up with the incoming events and some events are not processed in a timely manner2.
Output Events is a metric that shows the number of output events that are emitted by the Stream Analytics
job1. This metric indicates the output data rate and throughput of the job. It does not show how many input
events were not processed by the job.
Out-of-Order Events is a metric that shows the number of input events that arrive out of order based on their
timestamp1. This metric indicates the quality and consistency of the input data source. It does not show how
many input events were not processed by the job.
Late Input Events is a metric that shows the number of input events that arrive after the late arrival window
has expired1. This metric indicates the timeliness and reliability of the input data source. It does not show how
many input events were not processed by the job.
Question # 3
You have an Azure subscription. The subscription contains virtual machines that connect to a virtual networknamed VNet1.You plan to configure Azure Monitor for VM Insights.You need to ensure that all the virtual machines only communicate with Azure Monitor through VNet1.What should you create first?
A. an Azure Monitor Private Link Scope (AMPIS) B. a private endpoint C. a Log Analytics workspace D. a data collection rule (DCR)
Answer: A
Explanation
Azure Monitor for VM Insights is a feature of Azure Monitor that provides comprehensive monitoring and
diagnostics for your Azure virtual machines and virtual machine scale sets. It collects performance data,
process information, and network dependencies from your virtual machines and displays them in interactive
charts and maps. You can use Azure Monitor for VM Insights to troubleshoot performance issues, optimize
resource utilization, and identify network bottlenecks1.
To enable Azure Monitor for VM Insights, you need to install two agents on your virtual machines: the Azure
Monitor agent (preview) and the Dependency agent. The Azure Monitor agent collects performance metrics
and sends them to a Log Analytics workspace. The Dependency agent collects process information and
network dependencies and sends them to the InsightsMetrics table in the same workspace2.
By default, the agents communicate with Azure Monitor over the public internet. However, if you want to
ensure that all the virtual machines only communicate with Azure Monitor through a virtual network named
VNet1, you need to configure private network access for the agents.
Private network access allows the agents to communicate with Azure Monitor using a private endpoint, which
is a special network interface that connects your virtual network to an Azure service without exposing it to the
public internet. A private endpoint uses a private IP address from your virtual network address space, so you
can secure and control the network traffic between your virtual machines and Azure Monitor3.
To configure private network access for the agents, you need to create an Azure Monitor Private Link Scope
(AMPIS) first. An AMPIS is a resource that groups one or more Log Analytics workspaces together and
associates them with a private endpoint. An AMPIS allows you to manage the private connectivity settings for
multiple workspaces in one place4.
After creating an AMPIS, you need to create a private endpoint in VNet1 and link it to the AMPIS. This will
enable the agents on your virtual machines to send data to the Log Analytics workspaces in the AMPIS using
the private IP address of the private endpoint5.
Question # 4
You have an Azure DNS zone named adatum.com. You need to delegate a subdomain named
research.adatum.com to a different DNS server in Azure. What should you do?
A. Create an PTR record named research in the adatum.com zone. B. Create an NS record named research in the adatum.com zone. C. Modify the SOA record of adatum.com. D. Create an A record named *. research in the adatum.com zone
You have an Azure subscription that contains a web app named webapp1. You need to add a custom domainnamed www.contoso.com to webapp1. What should you do first?
A. Upload a certificate. B. Add a connection string. C. Stop webapp1. D. Create a DNS record.
Answer: D
Explanation
You can use either a CNAME record or an A record to map a custom DNS name to App Service. You should
use CNAME records for all custom DNS names except root domains (for example, contoso.com). For root
You have an Azure virtual machine named VM1 and an Azure key vault named Vault1.On VM1, you plan to configure Azure Disk Encryption to use a key encryption key (KEK)You need to prepare Vault! for Azure Disk Encryption.Which two actions should you perform on Vault1? Each correct answer presents part of the solution.NOTE: Each correct selection is worth one point.
A. Create a new key. B. Select Azure Virtual machines for deployment C. Configure a key rotation policy. D. Create a new secret. E. Select Azure Disk Encryption for volume encryption
Answer: A C
Explanation
To prepare Vault1 for Azure Disk Encryption, you need to perform the following actions on Vault1:
Create a new key. A key encryption key (KEK) is an encryption key that is used to encrypt the
encryption secrets before they are stored in the key vault. You can create a new KEK by using the Azure
CLI, the Azure PowerShell, or the Azure portal1. You can also import an existing KEK from another
source, such as a hardware security module (HSM)2. The KEK must be a 2048-bit RSA key or a 256-bit
AES key3.
Select Azure Disk Encryption for volume encryption. This is an advanced access policy setting that
enables Azure Disk Encryption to access the keys and secrets in the key vault. You can select this
setting by using the Azure CLI, the Azure PowerShell, or the Azure portal4. You must also enable
access to Microsoft Trusted Services if you have enabled the firewall on the key vault.
Question # 7
You have an Azure Active Directory (Azure AD) tenant named contoso.com.You have a CSV file that contains the names and email addresses of 500 external users.You need to create a guest user account in contoso.com for each of the 500 external users.Solution: You create a Power Shell script that runs the New-MgUser cmdlet for each user.Does this meet the goal?
You have an Azure subscription that contains a storage account named account1.You plan to upload the disk files of a virtual machine to account! from your on-premises network. Theon-premises network uses a public IP address space of 131.107.1.0/24.You plan to use the disk files to provision an Azure virtual machine named VM1. VM1 will be attached to avirtual network named VNet1. VNet1 uses an IP address space of 192.168.0.0/24.You need to configure account1 to meet the following requirements:• Ensure that you can upload the disk files to account1.• Ensure that you can attach the disks to VM1.• Prevent all other access to account1.Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Eachcorrect selection is worth one point.
A. From the Networking blade of account1, select Selected networks B. From the Service endpoints blade of VNet1, add a service endpoint. C. From the Networking blade of account11, add the 131.107.1.0/24 IP address range. D. From the Networking blade of account1. select Allow trusted Microsoft services to access this storage
account E. From the Networking blade of account1, add VNet1.
Answer: A E
Explanation
To restrict access to account1, you need to enable the firewall and virtual network settings on the storage
account. This allows you to specify which networks can access the storage account. By selecting Selected
networks, you can block all access from the public internet and only allow access from the specified networks.
By adding VNet1, you can allow access from the virtual network that contains VM1. You do not need to add
the on-premises IP address range or enable the service endpoint option, as these are not required for uploading
the disk files to the storage account. You do not need to allow trusted Microsoft services, as this is not relevant
for the scenario. Then, References: [Configure Azure Storage firewalls and virtual networks] [Upload a
generalized VHD to Azure]
Question # 9
You have an Azure Active Directory (Azure AD) tenant named contoso.com.You have a CSV file that contains the names and email addresses of 500 external users.You need to create a guest user account in contoso.com for each of the 500 external users.Solution: You create a Power Shell script that runs the New-MgUser cmdlet for each user.Does this meet the goal?
A. Yes B. No
Answer: B
Explanation
The New-MgUser cmdlet is part of the Microsoft Graph PowerShell SDK, which is a module that allows you
to interact with the Microsoft Graph API. The Microsoft Graph API is a service that provides access to data
and insights across Microsoft 365, such as users, groups, mail, calendar, contacts, files, and more1.
The New-MgUser cmdlet can be used to create new users in your Azure AD tenant, but it has some limitations
and requirements. For example, you need to have the Global Administrator or User Administrator role in your
tenant, you need to authenticate with the Microsoft Graph API using a certificate or a client secret, and you
need to specify the required parameters for the new user, such as userPrincipalName, accountEnabled,
displayName, mailNickname, and passwordProfile2.
However, the New-MgUser cmdlet does not support creating guest user accounts in your Azure AD tenant.
Guest user accounts are accounts that belong to external users from other organizations or domains. Guest user
accounts have limited access and permissions in your tenant, and they are typically used for collaboration or
sharing purposes3.
To create guest user accounts in your Azure AD tenant, you need to use a different cmdlet:
New-AzureADMSInvitation. This cmdlet is part of the Azure AD PowerShell module, which is a module that
allows you to manage your Azure AD resources and objects. The New-AzureADMSInvitation cmdlet can be
used to create and send an invitation email to an external user, which contains a link to join your Azure AD
tenant as a guest user. You can also specify some optional parameters for the invitation, such as the invited
user display name, message info, redirect URL, or send invitation message.
Therefore, to meet the goal of creating guest user accounts for 500 external users from a CSV file, you need to
use a PowerShell script that runs the New-AzureADMSInvitation cmdlet for each user, not the New-MgUser
cmdlet.
Question # 10
Your company has an Azure subscription named Subscription1.The company also has two on-premises servers named Server1 and Server2 that run Windows Server 2016.Server1 is configured as a DNS server that has a primary DNS zone named adatum.com. Adatum.comcontains 1,000 DNS records.You manage Server1 and Subscription1 from Server2. Server2 has the following tools installed:The DNS Manager consoleAzure PowerShell Azure CLI 2.0 You need to move the adatum.com zone to Subscription1. The solution must minimize administrative effort.
What should you use?
A. Azure PowerShell B. Azure CLI C. the Azure portal D. the DNS Manager console
Answer: B
Explanation
Azure DNS supports importing and exporting zone files by using the Azure command-line interface (CLI).
Zone file import is not currently supported via Azure PowerShell or the Azure portal.
You have an Azure subscription that contains a storage account named storage1. The storage 1 accountcontains a container named container! You need to configure access to container 1. The solution must meet thefollowing requirements:• Only allow read access• Allow both HTTP and HTTPS protocols.• Apply access permissions to all the content in the containerWhat should you use?
A. an access policy B. a shared access signature (SAS) C. Azure Content Delivery Network (CDN) D. access keys
Answer: B
According to the Microsoft documentation, a shared access signature (SAS) is a URI that grants
restricted access rights to Azure Storage resources. You can provide a SAS to clients who don’t
otherwise have access to your storage account, and delegate access to them for a specified time period
and with a specified set of permissions.
A SAS can be used to grant read-only access to a container and its blobs, as well as specify the allowed
protocols (HTTP or HTTPS) and the start and expiry time of the access. For more information about
creating and using SAS, see Using shared access signatures (SAS).
An access policy is not the correct answer because it is used to define a set of permissions and a time
period for a container or a queue, but it does not grant access by itself. An access policy must be
associated with a SAS to take effect. For more information about access policies, see Manage stored
access policies for containers and queues.
Azure Content Delivery Network (CDN) is not the correct answer because it is used to cache and deliver
content from Azure Storage or other sources, but it does not control the access permissions to the
content. For more information about Azure CDN, see [What is Azure Content Delivery Network?].
Access keys are not the correct answer because they are used to authenticate requests to Azure Storage
from any client, but they do not limit the access permissions or the protocols. Using access keys also
exposes your storage account to potential unauthorized access if the keys are compromised. For more
information about access keys, see [Manage storage account access keys].
Question # 12
You have an Azure AD tenant that is linked to 10 Azure subscriptions.You need to centrally monitor user activity across all the subscriptions.What should you use?
A. Activity log filters B. Log Analytics workspace C. access reviews D. Azure Application Insights Profiler
Consolidate log entries from multiple Azure subscriptions and tenants into one location for analysis together.
Question # 13
Note: This question is part of a series of questions that present the same scenario. Each question in the seriescontains a unique solution that might meet the stated goals. Some question sets might have more than onecorrect solution, while others might not have a correct solution.After you answer a question in this section, you will NOT be able to return to it. As a result, these questionswill not appear in the review screen.You have an Azure subscription that contains the virtual machines shown in the following table.You deploy a load balancer that has the following configurations:•Name: LB1•Type: Internal•SKU: Standard•Virtual network: VNET1You need to ensure that you can add VM1 and VM2 to the backend pool of LB1.Solution: You create a Standard SKU public IP address, associate the address to the network interface of VM1,and then stop VM2.Does this meet the goal?
A. Yes B. No
Answer: B
Question # 14
You create an Azure Storage account.You plan to add 10 blob containers to the storage account.For one of the containers, you need to use a different key to encrypt data at rest.What should you do before you create the container?
A. Modify the minimum TLS version. B. Create an encryption scope. C. Generate a shared access signature (SAS). D. Rotate the access keys.
Answer: B
Question # 15
You have an Azure subscription that contains a storage account named storage1.You plan to use conditions when assigning role-based access control (RABC) roles to storage1Which storage1 services support conditions when assigning roles?
A. containers only B. file shares only C. tables only D. queues only E. containers and queues only F. files shares and tables only
Answer: A
Question # 16
You have an on-premises server that contains a folder named D:\Folder1.You need to copy the contents of D:\Folder1 to the public container in an Azure Storage account namedcontoso data.Which command should you run?
A. https://contosodata.blob.core.windows.net/public B. azcopy sync D:\folder1 https://contosodata.blob.core.windows.net/public --snapshot C. azcopy copy D:\folder1 https://contosodata.blob.core.windows.net/public --recursive D. az storage blob copy start-batch D:\Folder1 https:// contosodata.blob.core.windows.net/public
Answer: C
Explanation
The azcopy copy command copies a directory (and all of the files in that directory) to a blob container. The
result is a directory in the container by the same name.
You sign up for Azure Active Directory (Azure AD) Premium.
You need to add a user named [email protected] as an administrator on all the computers that will be
joined to the Azure AD domain. What should you configure in Azure AD? A. Device settings from the Devices blade.
B. General settings from the Groups blade.
C. User settings from the Users blade.
D. Providers from the MFA Server blade.
Note: This question is part of a series of questions that present the same scenario. Each question in the series
contains a unique solution that might meet the stated goals. Some question sets might have more than one
correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions
will not appear in the review screen.
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate
resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual
networks.
Solution: You assign a built-in policy definition to the subscription.
Does this meet the goal?
A. Yes B. No
Answer: B
Explanation No, this does not meet the goal. Assigning a built-in policy definition to the subscription is not enough to
ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks. This
is because there is no built-in policy definition that matches this requirement. The closest built-in policy
definition is “Network security groups should not allow unrestricted inbound traffic on well-known ports”, but
this policy only blocks TCP port 80 and 443, not 80801.
To meet the goal, you need to create a custom policy definition that enforces a default security rule for
NSGs. A policy definition is a set of rules and actions that Azure performs when evaluating your resources2.
You can use a policy definition to specify the required properties and values for NSGs, such as the direction,
protocol, source, destination, and port of the security rule. You can then assign the policy definition to the
subscription scope, so that it applies to all the resource groups and virtual networks in the subscription.
Question # 19
You have an Azure subscription that contains a storage account. The account stores website data.
You need to ensure that inbound user traffic uses the Microsoft point-of-presence (POP) closest to the user's
location.
What should you configure?
A. load balancing B. private endpoints
C. Azure Firewall rules
D. Routing preference
Answer: D
Explanation Routing preference is a feature that allows you to configure how network traffic is routed to your storage
account from clients over the internet. By default, traffic from the internet is routed to the public endpoint of
your storage account over the Microsoft global network, which is optimized for low-latency path selection and
high reliability. Both inbound and outbound traffic are routed through the point of presence (POP) that is
closest to the client. This ensures that traffic to and from your storage account traverses over the Microsoft
global network for the bulk of its path, maximizing network performance. You can also change the routing
preference to use internet routing, which minimizes the traversal of your traffic over the Microsoft global
network, handing it off to the transit ISP at the earliest opportunity. This lowers networking costs, but may
compromise network performance. Therefore, to ensure that inbound user traffic uses the Microsoft POP
closest to the user’s location, you should configure routing preference to use the Microsoft global network as
the default routing option for your storage account.
References:
Network routing preference for Azure Storage
Configure network routing preference for Azure Storage
Question # 20
You have an Azure virtual machine named VM1 that runs Windows Server 2019.
You save VM1 as a template named Template1 to the Azure Resource Manager library.
You plan to deploy a virtual machine named VM2 from Template1.
What can you configure during the deployment of VM2?
A. virtual machine size
B. operating system
C. administrator username
D. resource group
Answer: D
Explanation
Resource Group is the correct answer: Admin user, password, vm size and os are the part of ARM templates
Question # 21
You create an Azure Storage account named Contoso storage.
You plan to create a file share named data.
Users need to map a drive to the data file share from home computers that run Windows 10.
Which outbound port should be open between the home computers and the data file share?
You have an Azure subscription that contains an Azure Storage account.
You plan to create an Azure container instance named container1 that will use a Docker image namedImage1. Image1 contains a Microsoft SQL Server instance that requires persistent storage. You need to configure a storage service for Container1.
What should you use?
A. Azure Files
B. Azure Blob storage
C. Azure Queue storage
D. Azure Table storage
Note: This question is part of a series of questions that present the same scenario. Each question in the series
contains a unique solution that might meet the stated goals. Some question sets might have more than one
correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions
will not appear in the review screen.
You manage a virtual network named VNet1 that is hosted in the West US Azure region.
VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.
You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.
Solution: From Azure Network Watcher, you create a connection monitor.
Does this meet the goal?
You have an Azure virtual machine named VM1.
You use Azure Backup to create a backup of VM1 named Backup1.
After creating Backup1, you perform the following changes to VM1:
Modify the size of VM1.
Copy a file named Budget.xls to a folder named Data.
Reset the password for the built-in administrator account.
Add a data disk to VM1. An administrator uses the Replace existing option to restore VM1 from Backup1.
You need to ensure that all the changes to VM1 are restored.
Which change should you perform again?
A. Modify the size of VM1.
B. Add a data disk.
C. Reset the password for the built-in administrator account.
D. Copy Budget.xls to Data.
Answer: D
Explanation
The scenario mentioned in the question, we are using the replace option. So in this case we would lose the
existing data written to the disk after the backup was taken. The file was copied to the disk after the backup
was taken. Hence, we would need to copy the file once again.
References:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms#replace-existing-disks
Question # 25
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
You have a CSV file that contains the names and email addresses of 500 external users.
You need to create a quest user account in contoso.com for each of the 500 external users.
Solution: from Azure AD in the Azure portal, you use the Bulk create user operation.
Does this meet the goal?
Rowan Fuller
Henri Möller
Ari Wilson
Bijoy Puri