Amazon
Avaya
Checkpoint
Cisco®
CompTIA
CrowdStrike
EC-Council
EXIN
Fortinet
Google
ISC
ISC2
ITIL®
Juniper
Microsoft
Okta
Palo Alto Networks
Salesforce
All Vendors
  1. Home
  2. Microsoft
  3. AZ-104

Microsoft AZ-104 Exam (page: 10)
Microsoft Azure Administrator
Updated on: 02-Jan-2026

Viewing Page 10 of 69
AZ-104 PDF 553 Questions

Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.
Overview
Litware, Inc. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York office has 200 employees.
All the resources used by Litware are hosted on-premises.
Litware creates a new Azure subscription. The Microsoft Entra tenant uses a domain named litware.onmicrosoft.com. The tenant uses the Premium P1 pricing tier.
Existing Environment
The network contains an Active Directory forest named litware.com. All domain controllers are configured as DNS servers and host the litware.com DNS zone.
Litware has finance, human resources, sales, research, and information technology departments. Each department has an organizational unit (OU) that contains all the accounts of that respective department. All the user accounts have the department attribute set to their respective department. New users are added frequently.
Litware.com contains a user named User1.
All the offices connect by using private connections.
Litware has data centers in the Montreal and Seattle offices. Each office has a firewall that can be configured as a VPN device.
All infrastructure servers are virtualized. The virtualization environment contains the servers in the following table.


Litware uses two web applications named App1 and App2. Each instance on each web application requires 1 GB of memory.
The Azure subscription contains the resources in the following table.


The network security team implements several network security groups (NSGs)
Requirements Planned Changes
Litware plans to implement the following changes:
Deploy Azure ExpressRoute to the Montreal office.
Migrate the virtual machines hosted on Server1 and Server2 to Azure. Synchronize on-premises Active Directory to Microsoft Entra ID.
Migrate App1 and App2 to two Azure web apps named WebApp1 and WebApp2.
Technical Requirements
Litware must meet the following technical requirements:
Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instances.
Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.
Ensure that routing information is exchanged automatically between Azure and the routers in the Montreal office.
Enable Azure Multi-Factor Authentication (MFA) for the users in the finance department only. Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.litware.com. Connect the New York office to VNet1 over the Internet by using an encrypted connection.
Create a workflow to send an email message when the settings of VM4 are modified. Create a custom Azure role named Role1 that is based on the Reader role.
Minimize costs whenever possible.

HOTSPOT (Drag and Drop is not supported)
You need to meet the connection requirements for the New York office.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: Create a virtual network gateway and a local network gateway.
Azure VPN gateway. The VPN gateway service enables you to connect the VNet to the on-premises network through a VPN appliance. For more information, see Connect an on-premises network to a Microsoft Azure virtual network. The VPN gateway includes the following elements:
Virtual network gateway. A resource that provides a virtual VPN appliance for the VNet. It is responsible for routing traffic from the on-premises network to the VNet.
Local network gateway. An abstraction of the on-premises VPN appliance. Network traffic from the cloud application to the on-premises network is routed through this gateway.
Connection. The connection has properties that specify the connection type (IPSec) and the key shared with the on-premises VPN appliance to encrypt traffic.
Gateway subnet. The virtual network gateway is held in its own subnet, which is subject to various requirements, described in the Recommendations section below.
Box 2: Configure a site-to-site VPN connection
On premises create a site-to-site connection for the virtual network gateway and the local network gateway.


Scenario: Connect the New York office to VNet1 over the Internet by using an encrypted connection.
Incorrect Answers:
Azure ExpressRoute: Established between your network and Azure, through an ExpressRoute partner. This connection is private. Traffic does not go over the internet.


Reference:

https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/vpn



You have two Azure subscriptions named Sub1 and Sub2.
Sub1 contains a virtual machine named VM1 and a storage account named storage1. VM1 is associated to the resources shown in the following table.


You need to move VM1 to Sub2.
Which resources should you move to Sub2?

  1. VM1, Disk1, and NetInt1 only
  2. VM1, Disk1, and VNet1 only
  3. VM1, Disk1, and storage1 only
  4. VM1, Disk1, NetInt1, and VNet1

Answer(s): D

Explanation:

Virtual machines in an existing virtual network can be moved to a new subscription only when the virtual network and all of its dependent resources are also moved.
Incorrect:
Not A: VNet1 must be moved. Not B: NetInt1 must be moved.
Not C: The storage account does not need to be moved. NetInt1 must be moved.


Reference:

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-limitations/virtual- machines-move-limitations?tabs=azure-cli



HOTSPOT (Drag and Drop is not supported)
You plan to deploy five virtual machines to a virtual network subnet.
Each virtual machine will have a public IP address and a private IP address. Each virtual machine requires the same inbound and outbound security rules.
What is the minimum number of network interfaces and network security groups that you require? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: 5
A public and a private IP address can be assigned to a single network interface.
Box 2: 1
You can associate zero, or one, network security group to each virtual network subnet and network interface in
a virtual machine. The same network security group can be associated to as many subnets and network interfaces as you choose.


Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface-addresses



You have an Azure subscription that contains the resources shown in the following table.


LB1 is configured as shown in the following table.


You plan to create new inbound NAT rules that meet the following requirements:
Provide Remote Desktop access to VM1 from the internet by using port 3389. Provide Remote Desktop access to VM2 from the internet by using port 3389.
What should you create on LB1 before you can create the new inbound NAT rules?

  1. a frontend IP address
  2. a load balancing rule
  3. a health probe
  4. a backend pool

Answer(s): A



HOTSPOT (Drag and Drop is not supported)
You have an Azure virtual network named VNet1 that connects to your on-premises network by using a site-to- site VPN. VNet1 contains one subnet named Subnet1.
Subnet1 is associated to a network security group (NSG) named NSG1. Subnet1 contains a basic internal load balancer named ILB1. ILB1 has three Azure virtual machines in the backend pool.
You need to collect data about the IP addresses that connects to ILB1. You must be able to run interactive queries from the Azure portal against the collected data.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: An Azure Log Analytics workspace
In the Azure portal you can set up a Log Analytics workspace, which is a unique Log Analytics environment with its own data repository, data sources, and solutions
Box 2: ILB1


Reference:

https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-quick-create-workspace https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-diagnostics



You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains four subnets named Gateway, Perimeter, NVA, and Production.
The NVA subnet contains two network virtual appliances (NVAs) that will perform network traffic inspection between the Perimeter subnet and the Production subnet.
You need to implement an Azure load balancer for the NVAs. The solution must meet the following requirements:
The NVAs must run in an active-active configuration that uses automatic failover.
The load balancer must load balance traffic to two services on the Production subnet. The services have different IP addresses.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  1. Deploy a basic load balancer
  2. Deploy a standard load balancer
  3. Add two load balancing rules that have HA Ports and Floating IP enabled
  4. Add two load balancing rules that have HA Ports enabled and Floating IP disabled
  5. Add a frontend IP configuration, a backend pool, and a health probe
  6. Add a frontend IP configuration, two backend pools, and a health probe

Answer(s): B,C,F

Explanation:

A standard load balancer is required for the HA ports.
Two backend pools are needed as there are two services with different IP addresses. Floating IP rule is used where backend ports are reused.
Incorrect Answers:
E: HA Ports are not available for the basic load balancer.


Reference:

https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-overview https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-multivip-overview



HOTSPOT (Drag and Drop is not supported)
You have an Azure subscription. The subscription contains virtual machines that run Windows Server and are configured as shown in the following table.


You create a public Azure DNS zone named adatum.com and a private Azure DNS zone named contoso.com. You create a virtual network link for contoso.com as shown in the following exhibit.


For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:


Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role- instances
https://docs.microsoft.com/en-us/azure/dns/private-dns-autoregistration



You create an Azure VM named VM1 that runs Windows Server 2019. VM1 is configured as shown in the exhibit. (Click the Exhibit tab.)


You need to enable Desired State Configuration for VM1. What should you do first?

  1. Connect to VM1.
  2. Start VM1.
  3. Capture a snapshot of VM1.
  4. Configure a DNS name for VM1.

Answer(s): B

Explanation:

Status is Stopped (Deallocated).
The DSC extension for Windows requires that the target virtual machine is able to communicate with Azure. The VM needs to be started.


Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-windows



Viewing Page 10 of 69



Share your comments for Microsoft AZ-104 exam with other users:

Alex 5/24/2025 12:54:15 AM

Can I trust to this source?
Anonymous