Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. Microsoft
  5. AZ-104

Microsoft AZ-104 Exam
Microsoft Azure Administrator (Page 13 )

Updated On: 12-Jan-2026
Page 13 of 110
PDF with 553 Questions

You have an Azure subscription that contains a storage account named storage1. The storage1 account contains a file share named share1.
The subscription is linked to a hybrid Microsoft Entra tenant that contains a security group named Group1. You need to grant Group1 the Storage File Data SMB Share Elevated Contributor role for share1.
What should you do first?

  1. Enable Active Directory Domain Service (AD DS) authentication for storage1.
  2. Grant share-level permissions by using File Explorer.
  3. Mount share1 by using File Explorer.
  4. Create a private endpoint.

Answer(s): A

Explanation:

Before you enable Microsoft Entra ID over SMB for Azure file shares, make sure you have completed the following prerequisites:
1. Select or create a Microsoft Entra tenant.
2. To support authentication with Microsoft Entra credentials, you must enable Azure AD Domain Services for your Microsoft Entra tenant.
Etc.
Note: The Storage File Data SMB Share Elevated Contributor allows read, write, delete and modify NTFS permissions in Azure Storage file shares over SMB.


Reference:

https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service- enable



You have 15 Azure subscriptions.
You have a Microsoft Entra tenant that contains a security group named Group1. You plan to purchase additional Azure subscription.
You need to ensure that Group1 can manage role assignments for the existing subscriptions and the planned subscriptions. The solution must meet the following requirements:
Use the principle of least privilege. Minimize administrative effort.
What should you do?

  1. Assign Group1 the Owner role for the root management group.
  2. Assign Group1 the User Access Administrator role for the root management group.
  3. Create a new management group and assign Group1 the User Access Administrator role for the group.
  4. Create a new management group and assign Group1 the Owner role for the group.

Answer(s): B

Explanation:

The User Access Administrator role enables the user to grant other users access to Azure resources. This switch can be helpful to regain access to a subscription.
Management groups give you enterprise-grade management at scale no matter what type of subscriptions you might have.
Each directory is given a single top-level management group called the "Root" management group. This root management group is built into the hierarchy to have all management groups and subscriptions fold up to it. This root management group allows for global policies and Azure role assignments to be applied at the directory level.
Incorrect:
Not C: A few directories that started using management groups early in the preview before June 25 2018 could see an issue where not all the subscriptions were within the hierarchy. The process to have all subscriptions in the hierarchy was put in place after a role or policy assignment was done on the root management group in the directory.


Reference:

https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles https://docs.microsoft.com/en-us/azure/governance/management-groups/overview



HOTSPOT (Drag and Drop is not supported)
You have an Azure subscription that contains the hierarchy shown in the following exhibit.


You create an Azure Policy definition named Policy1.
To which Azure resources can you assign Policy1 and which Azure resources can you specify as exclusions from Policy1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: Tenant Root Group, ManagementGroup1, Subscription1, RG1, and VM1
Once your business rules have been formed, the policy definition or initiative is assigned to any scope of resources that Azure supports, such as management groups, subscriptions, resource groups, or individual resources.
Note: Azure provides four levels of scope: management groups, subscriptions, resource groups, and resources. The following image shows an example of these layers.


Box 2: ManagementGroup1, Subscription1, RG1, and VM1 You can exclude a subscope from the assignment.


Reference:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview



Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following users in a Microsoft Entra tenant named contoso.onmicrosoft.com:


User1 creates a new Microsoft Entra tenant named external.contoso.onmicrosoft.com. You need to create new user accounts in external.contoso.onmicrosoft.com.
Solution: You instruct User2 to create the user accounts. Does that meet the goal?

  1. Yes
  2. No

Answer(s): B



Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following users in a Microsoft Entra tenant named contoso.onmicrosoft.com:


User1 creates a new Microsoft Entra tenant named external.contoso.onmicrosoft.com. You need to create new user accounts in external.contoso.onmicrosoft.com.
Solution: You instruct User4 to create the user accounts. Does that meet the goal?

  1. Yes
  2. No

Answer(s): B

Explanation:

Only a global administrator can add users to this tenant.


Reference:

https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/add-users-to-azure-ad



Viewing page 13 of 110
Viewing questions 61 - 65 out of 553 questions



Post your Comments and Discuss Microsoft AZ-104 exam prep with other Community members:

Join the AZ-104 Discussion