MICROSOFT CERTIFICATION

AZ-104 Azure Administrator Associate Practice Exam

Exam Number: 3103 | Last updated 16-Apr-26 | 980+ questions across 5 vendor-aligned objectives

The AZ-104 Azure Administrator Associate certification validates the skills of Azure administrators who implement, manage, and monitor identity, governance, storage, compute, and virtual networks in cloud environments. This exam measures your ability to work with Microsoft Entra ID, Azure Virtual Machines, Azure Storage, Azure Virtual Network, Azure Monitor, and Azure Policy, demonstrating both conceptual understanding and practical implementation skills required in today’s enterprise environments.

The heaviest exam domains include Manage Azure Identities and Governance (20–25%), Deploy and Manage Azure Compute Resources (20–25%), and Implement and Manage Storage (15–20%). These areas collectively represent the majority of exam content and require focused preparation across their respective subtopics.

Additional domains tested include Implement and Manage Virtual Networking (15–20%) and Monitor and Maintain Azure Resources (10–15%). Together, these areas round out the full exam blueprint and ensure candidates possess well-rounded expertise across the certification scope.

 Compute and identity governance share the highest weight. Master Microsoft Entra ID role assignments, Azure Policy initiatives, and RBAC before moving to networking. Expect interactive lab-style questions requiring multi-step configurations.

Every answer links to the source. Each explanation below includes a hyperlink to the exact Microsoft documentation page the question was derived from. PowerKram is the only practice platform with source-verified explanations.

716 practice exam users | 94.2% satisfied users | 91% passed the exam | 4.2/5 quality rating

Test your AZ-104 Azure Administrator Associate knowledge

10 of 980+ questions

Question #1 - Manage Azure Identities and Governance

A company onboards 50 users needing identical Azure permissions. The IT team wants to avoid individual role assignments.

What is the most efficient role assignment approach?

A) Create a management group and assign at subscription level
B) Create a security group, add users, assign role to the group
C) Assign roles individually via PowerShell
D) Create a custom Azure Policy for automatic role assignment

 

Correct answers: B – Explanation:
Assigning RBAC to a security group means all members inherit access. Adding/removing users automatically updates permissions. Individual assignments create management overhead. Policy enforces compliance, not roles. Management groups organize subscriptions, not user-level roles.

A company onboards 50 users needing identical Azure permissions. The IT team wants to avoid individual role assignments.

What is the most efficient role assignment approach?

A) Run a PowerShell script that creates individual role assignments for each user account
B) Create a management group hierarchy and assign the role at the top subscription level
C) Create a security group, add all 50 users, and assign the RBAC role to the group directly
D) Create a custom Azure Policy definition that automatically assigns roles on user sign-in

 

Correct answers: C – Explanation:
Assigning an RBAC role to a security group means all members inherit access automatically. Adding or removing users from the group instantly updates their permissions without touching role assignments. Azure Policy enforces resource compliance rules, not user role assignments. Individual PowerShell assignments create 50 separate assignments requiring individual management. Management groups organize subscriptions but do not address the per-user group efficiency.

An organization needs to enforce naming conventions across subscriptions. Non-compliant resources should be flagged but not blocked.

Which governance tool and effect should be configured?

A) Azure Resource Manager mandatory tag policy requiring a naming-convention tag value
B) Azure Policy with the Audit effect that flags non-compliant resources in the dashboard
C) Azure Blueprints with Delete Lock that prevents modification of non-conforming resources
D) Azure Policy with the Deny effect that blocks creation of non-compliant resource names

 

Correct answers: B – Explanation:
Azure Policy with the Audit effect evaluates resources against defined rules and flags non-compliant resources in the compliance dashboard without preventing their creation. The Deny effect blocks creation entirely, which is not desired. Blueprints with locks prevent modification but do not address naming validation. Tag policies enforce tag presence but do not validate the actual resource name.

A firm needs to provide a vendor temporary 90-day access to Azure resources that auto-expires.

Which feature manages time-limited access?

A) Configure PIM with time-bound eligible assignments that automatically expire after 90 days
B) Create a separate Azure subscription for the vendor and plan to decommission it afterward
C) Create permanent guest accounts in Entra ID and set calendar reminders to delete after 90 days
D) Share existing administrator credentials with the vendor team for the project duration

 

Correct answers: A – Explanation:
PIM supports time-bound eligible assignments that automatically expire after the specified period without manual intervention. Permanent guests with calendar reminders depend on human follow-through and risk lingering access. Separate subscriptions add unnecessary complexity and cost. Sharing administrator credentials violates security principles and the concept of individual accountability.

A startup deploys a web app with unpredictable traffic spikes during launches. It needs auto-scaling while minimizing costs during quiet periods.

Which compute solution meets these requirements?

A) An Azure Reserved Virtual Machine Instance locked in for a one-year commitment term
B) Virtual Machine Scale Sets with metric-based autoscale rules tied to CPU utilization
C) Azure Container Instances with manual replica count adjustments by the operations team
D) A single high-specification Standard-tier virtual machine with vertical scaling capabilities

 

Correct answers: B – Explanation:
VM Scale Sets with autoscale rules automatically add or remove instances based on CPU metrics, handling spikes while scaling down during quiet periods. A single VM cannot scale horizontally to handle traffic spikes. Reserved instances lock in pricing for steady workloads but do not dynamically scale. Container Instances with manual scaling require human intervention and cannot respond to sudden traffic changes.

An e-commerce company needs to host a .NET app with automatic patching, built-in auth, and deployment slots.

Which Azure service should they choose?

A) Azure App Service providing managed hosting with integrated authentication and slot support
B) Azure Virtual Machines configured with Internet Information Services and manual patch management
C) Azure Container Instances running the application container image without orchestration
D) Azure Kubernetes Service with a managed Kubernetes cluster and Helm chart deployments

 

Correct answers: A – Explanation:
Azure App Service is a fully managed PaaS offering that provides automatic OS patching, built-in authentication with Entra ID, and deployment slots for staging and production swaps. Virtual Machines require manual IIS configuration and patching. AKS provides container orchestration but requires managing cluster infrastructure and does not include built-in auth. Container Instances run containers but lack deployment slots and integrated authentication.

A media company stores large videos frequently accessed the first week but rarely after 30 days. They want automatic cost optimization.

Which Azure Blob Storage feature should be configured?

A) Immutable storage with a legal hold to protect content from modification or deletion
B) Azure File Sync with cloud tiering to automatically move cold files to on-premises storage
C) Blob versioning with automatic snapshot creation to maintain multiple access-optimized copies
D) Lifecycle management rules that transition blobs from Hot to Cool to Archive by age

 

Correct answers: D – Explanation:
Lifecycle management rules automatically transition blobs between access tiers (Hot, Cool, Archive) based on age or last access time, optimizing costs as access patterns change. Blob versioning maintains copies for data protection but does not reduce storage costs per copy. Immutable storage prevents deletion for compliance, not cost optimization. Azure File Sync tiers between cloud and on-premises, which is the reverse direction needed here.

A pharma company must store clinical data unmodifiable for 7 years. No admin should delete or modify it during retention.

Which feature meets these compliance needs?

A) Immutable blob storage with a locked time-based retention policy preventing all modification
B) Soft delete with a 7-year retention window allowing recovery of accidentally deleted blobs
C) Azure Backup with a long-term geo-redundant retention vault storing protected backup copies
D) Annual access key rotation ensuring only currently authorized personnel can reach the data

 

Correct answers: A – Explanation:
Immutable storage with a locked time-based retention policy creates WORM compliance — data cannot be erased or modified by anyone, including administrators, until the period expires. Soft delete allows recovery of deleted data but does not prevent deliberate deletion. Azure Backup creates copies but the original data remains modifiable. Key rotation is a security practice that does not protect data from intentional modification by authorized users.

Two Azure VNets in different regions need to communicate with low latency over the Microsoft backbone.

Which feature should be configured?

A) Azure ExpressRoute with a private peering circuit connecting on-premises to both regions
B) Azure Traffic Manager with priority-based DNS routing directing clients between regions
C) A site-to-site VPN gateway connection using encrypted tunnels between the two regions
D) Global virtual network peering connecting the VNets across regions over the Microsoft backbone

 

Correct answers: D – Explanation:
Global VNet peering connects VNets across regions directly over the Microsoft backbone with low latency and high bandwidth. Site-to-site VPN works but routes traffic through encrypted tunnels with higher latency than direct peering. ExpressRoute connects on-premises networks to Azure, not Azure VNets to each other directly. Traffic Manager is a DNS-based traffic distributor that routes client requests but does not provide VNet-to-VNet private connectivity.

A school runs Azure VMs accessible from internet on port 443 only. All other inbound traffic including RDP must be blocked.

Which configuration should be implemented?

A) A public IP address assigned to each VM with no additional network security controls applied
B) A Network Security Group with an inbound allow rule for TCP 443 and default deny for everything else
C) Azure Firewall with a DNAT rule forwarding only port 443 traffic to the backend virtual machines
D) An internal Azure Load Balancer with a health probe configured to monitor only port 443

 

Correct answers: B – Explanation:
An NSG applied to the subnet or NIC explicitly allows inbound TCP 443 while the default deny rules block all other inbound traffic including RDP. Azure Firewall with DNAT works but adds significant cost and complexity for a straightforward port-filtering requirement. Public IPs without security controls expose all listening ports to the internet. An internal load balancer is not internet-facing and cannot provide public inbound access to the VMs.


What the AZ-104 Azure Administrator Associate exam measures

  • Manage Azure Identities and Governance (20–25%) — Evaluate your ability to implement and manage tasks within this domain, including real-world job skills and scenario-based problem solving.
  • Implement and Manage Storage (15–20%) — Evaluate your ability to implement and manage tasks within this domain, including real-world job skills and scenario-based problem solving.
  • Deploy and Manage Azure Compute Resources (20–25%) — Evaluate your ability to implement and manage tasks within this domain, including real-world job skills and scenario-based problem solving.
  • Implement and Manage Virtual Networking (15–20%) — Evaluate your ability to implement and manage tasks within this domain, including real-world job skills and scenario-based problem solving.
  • Monitor and Maintain Azure Resources (10–15%) — Evaluate your ability to implement and manage tasks within this domain, including real-world job skills and scenario-based problem solving.

  • Review the official exam guide to understand every objective and domain weight before you begin studying
  • Complete the relevant Microsoft Learn learning path to build a structured foundation across all exam topics
  • Get hands-on practice in an Azure free-tier sandbox or trial environment to reinforce what you have studied with real configurations
  • Apply your knowledge through real-world project experience — whether at work, in volunteer roles, or contributing to open-source initiatives
  • Master one objective at a time, starting with the highest-weighted domain to maximize your score potential early
  • Use PowerKram learn mode to study by individual objective and review detailed explanations for every question
  • Switch to PowerKram exam mode to simulate the real test experience with randomized questions and timed conditions

Earning this certification can open doors to several in-demand roles:

Microsoft provides comprehensive free training to prepare for the AZ-104 Azure Administrator Associate exam. Start with the official Microsoft Learn learning path for structured, self-paced modules covering every exam domain. Review the exam study guide for the complete skills outline and recent updates.
