Free Microsoft AZ-104 Exam Questions (page: 11)

HOTSPOT (Drag and Drop is not supported)
You have an Azure subscription that contains the users shown in the following table.


The groups are configured as shown in the following table.


You have a resource group named RG1 as shown in the following exhibit.


For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: No
Group nesting is not supported. A group can't be added as a member of a role-assignable group.
Box 2: No
Group nesting is not supported. A group can't be added as a member of a role-assignable group.
Box 3: Yes


Reference:

https://learn.microsoft.com/en-us/azure/active-directory/roles/groups-concept



You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1.
Subscription1 has a user named User1. User1 has the following roles:
* Reader
* Security Admin
* Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users. What should you do?

  1. Remove User1 from the Security Reader role for Subscription1. Assign User1 the Contributor role for RG1.
  2. Assign User1 the Owner role for VNet1.
  3. Remove User1 from the Security Reader and Reader roles for Subscription1. Assign User1 the Contributor role for Subscription1.
  4. Assign User1 the Contributor role for VNet1.

Answer(s): B

Explanation:

User1 needs to be Owner. The correct scope is VNet1.
Owner - Has full access to all resources including the right to delegate access to others.
Incorrect:
* Contributor - Can create and manage all types of Azure resources but can't grant access to others.
Note: Identify the needed scope
When you assign roles, you must specify a scope. Scope is the set of resources the access applies to. In Azure, you can specify a scope at four levels from broad to narrow: management group, subscription, resource group, and resource.


Reference:

https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps
https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal



Your on-premises network contains a VPN gateway.
You have an Azure subscription that contains the resources shown in the following table.


You need to ensure that all the traffic from VM1 to storage1 travels across the Microsoft backbone network. What should you configure?

  1. Azure Application Gateway
  2. private endpoints
  3. a network security group (NSG)
  4. Azure Virtual WAN

Answer(s): B

Explanation:

You can use private endpoints for your Azure Storage accounts to allow clients on a virtual network (VNet) to securely access data over a Private Link. The private endpoint uses a separate IP address from the VNet address space for each storage account service. Network traffic between the clients on the VNet and the storage account traverses over the VNet and a private link on the Microsoft backbone network, eliminating exposure from the public internet.
Note: For this question with different alternatives:
Correct answer only:
private endpoints
Incorrect answers include:
* a network security group (NSG)
* Microsoft Entra Application Proxy
* Azure Application Gateway
* Azure Firewall
* Azure Peering Service
* Azure Virtual WAN


Reference:

https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints



HOTSPOT (Drag and Drop is not supported)
You have an Azure subscription that contains a user named User1 and the resources shown in the following table.


NSG1 is associated to networkinterface1.
User1 has role assignments for NSG1 as shown in the following table.


For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: Yes
User1 is Storage Account Contributor of RG1.
Classic Storage Account Contributor - Lets you manage classic storage accounts, but not access to them. Actions include:
* Microsoft.ClassicStorage/storageAccounts/* - Create and manage storage accounts
Box 2: No
User1 is a Contributor of NSG1. Networkinterface1 is in NSG1.
However, the DNS settings of Networkinterface1 are in the scope of RG1, not the scope of NSG1. At the NSG1 scope, User1 is only a Reader.
Note: Example: Change DNS settings on a network interface
$nic = Get-AzNetworkInterface -ResourceGroupName "ResourceGroup1" -Name "NetworkInterface1"
$nic.DnsSettings.DnsServers.Add("192.168.1.100")
$nic | Set-AzNetworkInterface
The first command gets a network interface named NetworkInterface1 that exists within resource group ResourceGroup1. The second command adds DNS server 192.168.1.100 to this interface. The third command applies these changes to the network interface. To remove a DNS server, follow the commands listed above, but replace ".Add" with ".Remove" in the second command.
Box 3: Yes
User1 is a Contributor of NSG1. Networkinterface1 is in NSG1.
Contributor - Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.
Actions include:
* Create and manage resources of all types
Note: You can use an Azure network security group to filter network traffic between Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.


Reference:

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#classic-storage-account-contributor
https://learn.microsoft.com/en-us/powershell/module/az.network/set-aznetworkinterface
https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview



You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1.
Subscription1 has a user named User1. User1 has the following roles:
* Reader
* Security Admin
* Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users. What should you do?

  1. Remove User1 from the Security Reader role for Subscription1. Assign User1 the Contributor role for RG1.
  2. Assign User1 the Access Administrator role for VNet1.
  3. Remove User1 from the Security Reader and Reader roles for Subscription1. Assign User1 the Contributor role for Subscription1.
  4. Assign User1 the Network Contributor role for RG1.

Answer(s): B

Explanation:

The User Access Administrator role enables the user to grant other users access to Azure resources.
Note:
There are several versions of this question in the exam. The question has three possible correct answers:
* Assign User1 the Access Administrator role for VNet1.
* Assign User1 the User Access Administrator role for VNet1.
* Assign User1 the Owner role for VNet1.
Other incorrect answer options you may see on the exam include the following:
* Assign User1 the Contributor role for VNet1.
* Remove User1 from the Security Reader and Reader roles for Subscription1. Assign User1 the Contributor role for Subscription1.
* Remove User1 from the Security Reader role for Subscription1. Assign User1 the Contributor role for RG1.


Reference:

https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles



HOTSPOT (Drag and Drop is not supported)
You have three Azure subscriptions named Sub1, Sub2, and Sub3 that are linked to a Microsoft Entra tenant.
The tenant contains a user named User1, a security group named Group1, and a management group named MG1. User1 is a member of Group1.
Sub1 and Sub2 are members of MG1. Sub1 contains a resource group named RG1. RG1 contains five Azure functions.
You create the following role assignments for MG1:
* Group1: Reader
* User1: User Access Administrator
You assign User1 the Virtual Machine Contributor role for Sub1 and Sub2. You assign User1 the Contributor role for RG1.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: Yes
The RG1 Resource Group contains five Azure functions.
The Management Group MG1 contains the role assignment: Group1 is Reader for RG1.
The Reader role is an Azure Resource Manager role that permits users to view storage account resources, but not modify them. It does not provide read permissions to data in Azure Storage, but only to account management resources.
Box 2: Yes
The Management Group MG1 contains the role assignment User1: User Access Administrator.
Sub1 is a member of MG1.
Sub1 contains a resource group named RG1.
The User Access Administrator role enables the user to grant other users access to Azure resources. This switch can be helpful to regain access to a subscription.
You can use the User Access Administrator role to give another user the Owner role in the subscription.
Box 3: No
User Access Administrator only lets you manage user access to Azure resources.


Reference:

https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles
https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal-subscription-admin



You have an Azure subscription that contains the resources shown in the following table.


You need to assign User1 the Storage File Data SMB Share Contributor role for share1. What should you do first?

  1. Enable identity-based data access for the file shares in storage1.
  2. Modify the security profile for the file shares in storage1.
  3. Select Default to Microsoft Entra authorization in the Azure portal for storage1.
  4. Configure Access control (IAM) for share1.

Answer(s): A



You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1.
Subscription1 has a user named User1. User1 has the following roles:
* Reader
* Security Admin
* Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users. What should you do?

  1. Remove User1 from the Security Reader role for Subscription1. Assign User1 the Contributor role for RG1.
  2. Assign User1 the User Access Administrator role for VNet1.
  3. Remove User1 from the Security Reader and Reader roles for Subscription1.
  4. Assign User1 the Contributor role for VNet1.

Answer(s): B

Explanation:

The User Access Administrator role enables the user to grant other users access to Azure resources.
Note:
There are several versions of this question in the exam. The question has three possible correct answers:
* Assign User1 the Access Administrator role for VNet1.
* Assign User1 the User Access Administrator role for VNet1.
* Assign User1 the Owner role for VNet1.
Other incorrect answer options you may see on the exam include the following:
* Assign User1 the Contributor role for VNet1.
* Remove User1 from the Security Reader and Reader roles for Subscription1. Assign User1 the Contributor role for Subscription1.
* Remove User1 from the Security Reader role for Subscription1. Assign User1 the Contributor role for RG1.


Reference:

https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles


