Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. Microsoft
  5. AZ-104

Microsoft AZ-104 Exam
Microsoft Azure Administrator (Page 16 )

Updated On: 12-Jan-2026
Page 16 of 110
PDF with 553 Questions

HOTSPOT (Drag and Drop is not supported)
You have a Microsoft Entra tenant named contoso.com.
You have two external partner organizations named fabrikam.com and litwareinc.com. Fabrikam.com is configured as a connected organization.
You create an access package as shown in the Access package exhibit. (Click the Access package tab.)


You configure the external user lifecycle settings as shown in the Lifecycle exhibit. (Click the Lifecycle tab.)


For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: Yes
Access package include the setting: Users who can request access: All configured connected organizations This allow users in connected organizations (other directories and domains) to request this access package.
Box 2: No
From the first exhibit we see that Access package assignments expires after 365 days.
From the second exhibit, however, we see that there is a further delay of 30 days before users are removed from Group1.
Box 3: Yes
365+30 days is 395 days. Users will be removed after 395 days.


Reference:

https://learn.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-access- package-first



You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1.
Subscription1 has a user named User1. User1 has the following roles: Reader
Security Admin Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users. What should you do?

  1. Assign User1 the Network Contributor role for VNet1.
  2. Remove User1 from the Security Reader role for Subscription1. Assign User1 the Contributor role for RG1.
  3. Assign User1 the Owner role for VNet1.
  4. Assign User1 the Network Contributor role for RG1.

Answer(s): C

Explanation:

Owner role - Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
Incorrect:
Not A, Not D:
Network Contributor
Lets you manage networks, but not access to them. Actions:
Microsoft.Authorization/*/read - Read roles and role assignments Microsoft.Insights/alertRules/*- Create and manage a classic metric alert Microsoft.Network/* - Create and manage networks
Microsoft.ResourceHealth/availabilityStatuses/read - Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* - Create and manage a deployment Microsoft.Resources/subscriptions/resourceGroups/read - Gets or lists resource groups. Microsoft.Support/*- Create and update a support ticket
Not B:
Contributor role - Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.


Reference:

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles



HOTSPOT (Drag and Drop is not supported)
You have an Azure subscription that contains the users shown in the following table.


The groups are configured as shown in the following table.


You have a resource group named RG1 as shown in the following exhibit.


For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: No
Group nesting is not supported. A group can't be added as a member of a role-assignable group.
Box 2: No
Group nesting is not supported. A group can't be added as a member of a role-assignable group. Box 3: Yes


Reference:

https://learn.microsoft.com/en-us/azure/active-directory/roles/groups-concept



You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1.
Subscription1 has a user named User1. User1 has the following roles: Reader
Security Admin Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users. What should you do?

  1. Remove User1 from the Security Reader role for Subscription1. Assign User1 the Contributor role for RG1.
  2. Assign User1 the Owner role for VNet1.
  3. Remove User1 from the Security Reader and Reader roles for Subscription1. Assign User1 the Contributor role for Subscription1.
  4. Assign User1 the Contributor role for VNet1.

Answer(s): B

Explanation:

Contributor
Need to be Owner. The correct scope is VNET1.
Owner - Has full access to all resources including the right to delegate access to others. Incorrect:
* Contributor - Can create and manage all types of Azure resources but can't grant access to others.
Note: Identify the needed scope
When you assign roles, you must specify a scope. Scope is the set of resources the access applies to. In Azure, you can specify a scope at four levels from broad to narrow: management group, subscription, resource group, and resource.


Reference:

https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal



Your on-premises network contains a VPN gateway.
You have an Azure subscription that contains the resources shown in the following table.


You need to ensure that all the traffic from VM1 to storage1 travels across the Microsoft backbone network. What should you configure?

  1. Azure Application Gateway
  2. private endpoints
  3. a network security group (NSG)
  4. Azure Virtual WAN

Answer(s): B

Explanation:

You can use private endpoints for your Azure Storage accounts to allow clients on a virtual network (VNet) to securely access data over a Private Link. The private endpoint uses a separate IP address from the VNet address space for each storage account service. Network traffic between the clients on the VNet and the storage account traverses over the VNet and a private link on the Microsoft backbone network, eliminating exposure from the public internet.
Note: For this question with different alternatives:
Correct answer only:
private endpoints
Incorrect answers include:
* a network security group (NSG)
* Microsoft Entra Application Proxy
* Azure Application Gateway
* Azure Firewall
* Azure Peering Service
Azure Virtual WAN


Reference:

https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints



Viewing page 16 of 110
Viewing questions 76 - 80 out of 553 questions



Post your Comments and Discuss Microsoft AZ-104 exam prep with other Community members:

Join the AZ-104 Discussion