Microsoft AZ-104 Exam Dumps & Practice Test Questions

Question No 1:

Your organization hosts multiple departments, all of which use various virtual machines (VMs) to handle departmental workloads. Presently, these VMs are all deployed within one Azure subscription and consolidated in a single resource group named RG1. You’ve been tasked with improving cost allocation and simplifying reporting without restructuring RG1. 

What is the most efficient way to associate each VM with its corresponding department while keeping the current setup intact?

A. Create Azure Management Groups for each department
B. Create separate resource groups for each department
C. Assign tags to each virtual machine
D. Modify the configuration settings of each virtual machine

Correct Answer: C

Explanation:

Using tags is the most efficient and non-disruptive method to categorize virtual machines according to departments while retaining the existing structure of the resource group (RG1). Tags in Azure are composed of key-value pairs (e.g., Department: Finance), allowing you to logically group resources across your environment without physically moving them.

Tags serve multiple operational and administrative purposes:

  • Cost Tracking: Azure Cost Management can analyze spending based on tags. By tagging VMs with department identifiers, you can easily break down usage and costs per department.

  • Resource Management: Tags help streamline the search and organization of resources, making it easier to filter and manage VMs by department in the Azure portal or through scripts.

  • Governance and Automation: Tags integrate with Azure Policies and automation tools, enabling you to apply department-specific policies, access controls, and automate actions like shutting down unused resources.

  • Non-intrusive Implementation: Tags can be applied without downtime or reconfiguration of VMs, which avoids unnecessary risk or service disruption.

Here’s why the other options are not ideal:

  • A. Azure Management Groups are intended for high-level governance across multiple subscriptions, not for organizing resources within a single resource group.

  • B. Creating new resource groups for each department would involve moving existing VMs, which could introduce downtime and complexity.

  • D. Modifying VM settings does not inherently support categorization by department and could lead to unintended consequences or configuration errors.

In summary, tags offer a flexible, scalable, and low-risk solution for departmental mapping without requiring structural changes to the existing resource environment.

Question No 2:

Your company uses Azure Active Directory (Azure AD) and wants to enhance the security for users in the Global Administrators group. The requirement is that these users must use Multi-Factor Authentication (MFA) and connect using Azure AD-joined devices whenever accessing Azure AD from untrusted networks. 

You go to the MFA page in Azure AD and change the MFA settings for Global Administrators. Does this action fulfill the security requirements?

A. Yes
B. No

Correct Answer: B

Explanation:

While enabling MFA through the Multi-Factor Authentication (MFA) page might seem helpful, this action alone does not meet the full objective, which depends on both device state and user location and therefore calls for a Conditional Access policy.

Here’s why this solution falls short:

The MFA page allows for per-user MFA enforcement, which is a basic level of protection. However, it lacks conditional logic—you cannot configure it to apply MFA based on specific conditions such as geographic location or device status.

To fulfill the requirement that Global Administrators must use MFA and connect through Azure AD-joined devices when accessing from untrusted locations, you need to implement a Conditional Access policy in Azure AD.

A proper implementation involves:

  1. Targeting the Global Administrators group within the Conditional Access policy.

  2. Defining location conditions—marking public or unfamiliar IP ranges as "untrusted locations."

  3. Using Grant controls to enforce:

    • MFA for additional identity verification.

    • Device compliance, such as ensuring that the device is Azure AD-joined or compliant with organizational security standards.

Without using Conditional Access, you cannot enforce both location-based logic and device requirements. The MFA page only offers a blanket setting that applies regardless of context.

In short, Conditional Access provides the granularity needed to secure administrative accounts under varying conditions. The MFA page alone does not support such complexity and therefore fails to meet the stated security goals.

Question No 3:

You are working on securing access for administrative users in your company’s Azure Active Directory (Azure AD). You need to ensure that when Global Administrators access Azure AD from untrusted locations, they are required to use Multi-Factor Authentication (MFA) and must connect using Azure AD-joined devices. You attempt to meet this goal by adjusting the session control settings within a Conditional Access policy. 

Does this configuration satisfy the security requirement?

A. Yes
B. No

Correct Answer: B

Explanation:

Adjusting session control settings in a Conditional Access policy does not fulfill the security requirements described. Although session controls play an important role in managing user experiences after access is granted, they are not designed to evaluate access eligibility at the sign-in stage based on device or location.

Session controls typically manage:

  • Sign-in frequency (e.g., requiring re-authentication every few hours),

  • Limited user sessions (e.g., read-only access or restricted features),

  • Continuous access evaluation (e.g., rechecking policies mid-session if risk factors change).

However, they do not enforce:

  • Whether a user must use MFA at the time of login,

  • Whether the device used must be Azure AD-joined or compliant,

  • Location-based access decisions (trusted vs. untrusted locations).

To meet the given requirement, you must use grant controls within a Conditional Access policy. This involves:

  1. Selecting the Global Administrators group as the target.

  2. Defining location conditions that specify what constitutes an untrusted location.

  3. Setting grant controls to:

    • Enforce Multi-Factor Authentication,

    • Require devices to be either Azure AD-joined or compliant with your organization's security policies.

Only then can you guarantee that administrative users meet both MFA and device compliance requirements when logging in from untrusted networks.

In summary, session controls influence what happens after access is granted, while grant controls determine whether access is allowed at all based on critical security criteria. Therefore, modifying only session controls does not fulfill the requirement, and the solution is inadequate.

Question No 4:

You are responsible for implementing security measures for privileged accounts within your organization's Azure Active Directory (Azure AD). The objective is to enforce strict access controls for users in the Global Administrators group. These users must be required to perform Multi-Factor Authentication (MFA) and use only Azure AD-joined devices when accessing Azure AD from untrusted locations like public Wi-Fi networks. 

You configure a Conditional Access policy in the Azure portal and modify the Grant controls to include these requirements. Does this approach meet the intended security goals?

A. Yes
B. No

Correct Answer: A

Explanation:

Yes, this solution fulfills the specified requirements. The Grant controls section within an Azure AD Conditional Access policy defines the conditions that users must satisfy before they are granted access to a resource. By modifying these controls, you can enforce Multi-Factor Authentication (MFA) and device-based access requirements—such as restricting access to only Azure AD-joined or compliant devices.

To implement this correctly, you would:

  1. Target the appropriate user group — in this case, the Global Administrators.

  2. Define the conditions under which the policy applies — specifically, logins from untrusted locations.

  3. Use Grant controls to require that users:

    • Complete MFA.

    • Access from a device that is Azure AD-joined or marked as compliant.

This ensures that privileged accounts can only access Azure AD when both strong authentication and trusted device policies are satisfied. Importantly, Grant controls work at the time of sign-in, making them ideal for access restriction scenarios. This differs from Session controls, which apply after access is granted and do not provide initial gatekeeping based on device trust or authentication strength.

This approach does not disrupt existing user workflows and aligns with best practices for securing administrative access in cloud environments. Therefore, the configuration using Grant controls is not only valid but also the most appropriate choice for meeting the organization’s goal.
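One way to check that the requirement from Questions 2 to 4 is actually enforced by grant controls rather than session controls is to audit exported policies offline. This is an added example, not part of the original page: it assumes policies in the Microsoft Graph conditionalAccessPolicy JSON shape, the sample policies and function names are constructed, and it goes slightly beyond the text by combining requirements across policies, since every applicable policy must be satisfied.

```python
# Added example: offline audit of Conditional Access policies exported as
# Microsoft Graph conditionalAccessPolicy JSON. Sample policies are constructed.
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator role template ID
# Graph builtInControls grouped by what they prove at sign-in.
# "domainJoinedDevice" is Graph's name for the hybrid-joined device control.
CATEGORY = {"mfa": "mfa", "compliantDevice": "device", "domainJoinedDevice": "device"}


def targets_admins(policy, admin_ids):
    users = policy.get("conditions", {}).get("users", {})
    excluded = set(users.get("excludeRoles", [])) | set(users.get("excludeGroups", []))
    if excluded & admin_ids:
        return False  # an exclusion carves the admins out of the policy
    included = set(users.get("includeRoles", [])) | set(users.get("includeGroups", []))
    return "All" in users.get("includeUsers", []) or bool(included & admin_ids)


def covers_untrusted(policy):
    loc = policy.get("conditions", {}).get("locations")
    if not loc:
        return True  # no location condition: the policy applies from everywhere
    # Named-location exclusions cannot be judged offline; only AllTrusted is accepted.
    excluded = set(loc.get("excludeLocations", []))
    return "All" in loc.get("includeLocations", []) and excluded <= {"AllTrusted"}


def guaranteed(policy):
    """Categories every successful sign-in must have satisfied under this policy."""
    grant = policy.get("grantControls") or {}
    cats = {CATEGORY.get(c) for c in grant.get("builtInControls", [])}
    if grant.get("operator") == "AND":
        return cats - {None}
    # With OR the user picks one control, so only a single category is guaranteed.
    return cats - {None} if len(cats) == 1 else set()


def audit(policies, admin_ids=frozenset({GLOBAL_ADMIN_ROLE})):
    proven, used = set(), []
    for p in policies:
        # Report-only and disabled policies enforce nothing.
        if p.get("state") != "enabled":
            continue
        if not (targets_admins(p, set(admin_ids)) and covers_untrusted(p)):
            continue
        got = guaranteed(p)
        if got:  # session controls alone contribute nothing here
            proven |= got
            used.append(p["displayName"])
    missing = sorted({"mfa", "device"} - proven)
    return {"compliant": not missing, "missing": missing, "policies": used}


def sample(name, grant=None, session=None, state="enabled"):
    """Constructed policy scoped to Global Administrators outside trusted locations."""
    return {"displayName": name, "state": state, "grantControls": grant, "sessionControls": session,
            "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE]},
                           "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}}}


SESSION_ONLY = sample("admins-session", session={"signInFrequency": {"value": 4, "type": "hours", "isEnabled": True}})
MFA_ONLY = sample("admins-mfa", grant={"operator": "OR", "builtInControls": ["mfa"]})
GRANT_BOTH = sample("admins-mfa-device", grant={"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]})
GRANT_EITHER = sample("admins-either", grant={"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]})

if __name__ == "__main__":
    for case in ([SESSION_ONLY], [SESSION_ONLY, MFA_ONLY], [GRANT_EITHER], [GRANT_BOTH]):
        print([p["displayName"] for p in case], audit(case))
```

Per-user MFA set on the MFA page does not appear in a Conditional Access export at all, so it never contributes to the result here.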

Question No 5:

You are tasked with deploying a new Ubuntu Server virtual machine (VM) in your company’s Azure environment. As part of the setup, a specific trusted root Certification Authority (CA) must be installed during provisioning. Your goal is to perform this configuration automatically during VM creation using custom scripts, without requiring manual setup afterward. 

Which method should you use to accomplish this task?

A. Use the New-AzureRmVm cmdlet
B. Use the New-AzVM cmdlet
C. Use the Create-AzVM cmdlet
D. Use the az vm create command

Correct Answer: D

Explanation:

The correct choice for this scenario is the az vm create command, which is a part of the Azure CLI suite. This command is especially useful for provisioning Linux-based virtual machines like Ubuntu, as it supports cloud-init and custom-data scripts that can automate configuration tasks during deployment.

Using the --custom-data parameter, you can include a base64-encoded cloud-init configuration file or a shell script that automates steps such as:

  • Installing trusted root CA certificates,

  • Configuring system settings,

  • Installing necessary software packages,

  • Making changes to system behavior during the first boot.

This eliminates the need for manual post-deployment actions, ensuring the VM is production-ready immediately after provisioning.

Why not the other options?

  • A. New-AzureRmVm: This cmdlet belongs to the now-deprecated AzureRM module, which has been replaced by the Az module and should not be used for new deployments.

  • B. New-AzVM: Although valid and current, using it for cloud-init or custom Linux configurations is less straightforward than with Azure CLI.

  • C. Create-AzVM: This cmdlet does not exist, making it an invalid choice.

The az vm create command stands out for its ease of use, modern compatibility, and support for declarative Linux setup via cloud-init, making it ideal for secure and repeatable deployments.
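The custom-data step described above can be prepared with a small helper that builds the cloud-init file and refuses anything other than certificates before it is handed to az vm create. This is an added example, not part of the original page; the function names, the VM name and the placeholder PEM are constructed, and it assumes the cloud-init ca_certs module and the Ubuntu2204 image alias.

```python
# Added example: build a #cloud-config that installs a trusted root CA at first
# boot, then assemble the az vm create call that passes it as custom data.
import re
import shlex

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.+?)\n-----END \1-----", re.S)

# Constructed placeholder, not a real certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              "CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE\n"
              "-----END CERTIFICATE-----\n")


def build_cloud_config(pem_text):
    """Return cloud-config text that adds the given CA certificate(s) to the trust store."""
    blocks = PEM_BLOCK.findall(pem_text.replace("\r\n", "\n"))
    if not blocks:
        raise ValueError("no PEM block found")
    labels = {label for label, _ in blocks}
    if labels != {"CERTIFICATE"}:
        # Custom data is not a secret store; never send key material in it.
        raise ValueError(f"refusing non-certificate PEM content: {sorted(labels)}")
    lines = ["#cloud-config", "ca_certs:", "  trusted:"]
    for _, body in blocks:
        # Each certificate becomes one YAML block scalar under ca_certs.trusted.
        lines.append("    - |")
        lines.append("      -----BEGIN CERTIFICATE-----")
        lines += ["      " + row.strip() for row in body.splitlines() if row.strip()]
        lines.append("      -----END CERTIFICATE-----")
    return "\n".join(lines) + "\n"


def az_vm_create_argv(resource_group, vm_name, custom_data_path):
    """Argument vector for az vm create; the CLI reads the custom data from the file path."""
    return ["az", "vm", "create",
            "--resource-group", resource_group,
            "--name", vm_name,
            "--image", "Ubuntu2204",
            "--custom-data", custom_data_path,
            "--generate-ssh-keys"]


if __name__ == "__main__":
    with open("cloud-init.yaml", "w") as fh:
        fh.write(build_cloud_config(SAMPLE_PEM))
    # Hypothetical VM name; RG1 is the resource group named earlier on the page.
    print(shlex.join(az_vm_create_argv("RG1", "vm-ubuntu-01", "cloud-init.yaml")))
```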

Question No 6:

Your organization currently uses the Per Authentication model for Multi-Factor Authentication (MFA) in Azure Active Directory (Azure AD), which prompts users based on specific access scenarios. After acquiring another company, management now wants to enforce MFA for the new employees individually—on a per-user basis—rather than through global access triggers. 

You try to change the existing MFA usage model directly through the Azure portal to switch to the Per Enabled User model. Will this approach successfully meet the requirement?

A. Yes
B. No

Correct Answer: B

Explanation:

The proposed solution will not meet the requirement. Azure AD does not support directly switching from one MFA usage model to another—such as from Per Authentication to Per Enabled User—through simple configuration in the Azure portal.

MFA in Azure AD can be implemented in two main ways:

  1. Per Authentication – Triggers MFA based on conditions such as user risk level or access location (usually via Conditional Access).

  2. Per Enabled User – Enforces MFA at the individual user level, regardless of specific conditions.

To shift to a Per Enabled User model, you must manually enable MFA for each user using the Multi-Factor Authentication settings page found under Azure AD > Users. There is no switch or toggle in the Azure portal to convert from one MFA model to another globally. This means you cannot achieve your goal by merely “reconfiguring” the usage model through the portal interface.

Moreover, if Conditional Access policies are active, they may override or coexist with per-user settings, adding to the complexity. Therefore, a complete plan involving manual user configuration or policy adjustments is required.

Summary:

  • Switching between MFA models is not a portal toggle.

  • To enforce per-user MFA, administrators must enable it manually for each user.

  • Conditional Access and legacy settings can further complicate transitions.

As such, attempting to switch models directly through the Azure portal will not accomplish the intended outcome, making the correct answer No.

Question No 7:

Your organization utilizes Azure Active Directory with Multi-Factor Authentication (MFA) configured under the Per Authentication model, meaning MFA is invoked only during specific login events. After integrating employees from a newly acquired company, you're informed that these users must also be enrolled in MFA. You aim to switch to the Per Enabled User model so that MFA is enforced individually for selected users. 

You attempt to do this by reconfiguring the existing MFA model using Azure CLI. Does this approach fulfill the requirement?

A. Yes
B. No

Correct Answer: B

Explanation:

Azure AD supports two primary MFA usage models: Per Authentication and Per Enabled User. The Per Authentication model triggers MFA based on conditions like user location or risky sign-in patterns, while Per Enabled User enforces MFA for specific users at all times, regardless of context.

Once your Azure AD tenant is set up with a particular MFA usage model, that configuration becomes fixed and cannot be changed afterward—neither via the Azure portal nor programmatic tools like Azure CLI. The Azure CLI can manage MFA-related settings such as enabling or disabling MFA for individual users, but it cannot change the foundational usage model from Per Authentication to Per Enabled User.

To implement MFA consistently for newly added users under the Per Enabled User model, you need to manually enable MFA per user. This can be done either via the Azure portal or using PowerShell scripts for bulk operations. It’s important to note that enabling Conditional Access policies can also offer a flexible approach to enforce MFA without needing to change the base usage model.

In this scenario, reconfiguring the MFA model through Azure CLI will not achieve the desired shift to the Per Enabled User method. Therefore, the proposed solution fails to meet the goal.

Summary: The Azure CLI does not support switching between MFA usage models. To meet the requirement, MFA must be individually enabled for each relevant user.

Question No 8:

You have an Azure AD tenant where users working outside the office must use Multi-Factor Authentication (MFA). The current setup uses the Per Authentication model. After integrating users from a newly acquired company, you are asked to ensure MFA is always required for those users. 

You attempt to meet this requirement by creating a new MFA provider and restoring a backup from the previous configuration. Will this achieve your objective?

A. Yes
B. No

Correct Answer: B

Explanation:

In Azure AD, MFA can be enforced using different models—Per Authentication, which triggers MFA based on the nature of the authentication event, and Per Enabled User, which enforces MFA for specific users regardless of context.

The proposal to create a new MFA provider and restore configuration data from a backup will not change the underlying MFA usage model. Restoring a backup does not alter how MFA is triggered, nor does it convert the authentication approach from event-based to user-based enforcement.

When a tenant is initially configured for MFA, the chosen model is effectively locked in. Changing between Per Authentication and Per Enabled User is not supported after the initial setup. Therefore, creating a new MFA provider and restoring settings merely replicates the previous configuration; it doesn't modify the enforcement behavior of MFA.

To enforce MFA for the newly added users, the appropriate action is to manually enable MFA for each user, either through the Azure portal or using PowerShell automation. Alternatively, Conditional Access policies can be used to ensure consistent MFA enforcement across specific user groups.

The solution presented does not directly address the required change in how MFA is applied and therefore does not meet the goal.

Summary: Backing up and restoring the MFA provider doesn't change the usage model. MFA must be individually enabled for new users to enforce Per Enabled User behavior.

Question No 9:

Your company’s Azure AD tenant, weyland.com, operates in hybrid mode with on-premises Active Directory. A server named DirSync1 handles synchronization between both environments. After creating a new user in your on-prem AD, you want to make that user available in Azure AD immediately. 

You decide to run the PowerShell command Start-ADSyncSyncCycle -PolicyType Initial. Will this accomplish your objective?

A. Yes
B. No

Correct Answer: A

Explanation:

Azure AD Connect is the synchronization engine that links on-premises Active Directory with Azure AD. When a new user is created on-prem, it will eventually be synced to Azure AD on a scheduled basis. However, if immediate synchronization is required, it must be manually triggered.

The PowerShell command Start-ADSyncSyncCycle is specifically designed for this purpose. When used with the -PolicyType Initial parameter, it initiates a full synchronization cycle, which includes all directory objects, such as users, groups, and configurations. This ensures that any newly created or updated user accounts are promptly replicated to Azure AD, making them available for use with cloud applications and services.

There are two primary types of sync cycles:

  • Delta Sync, which includes only changes since the last sync.

  • Initial Sync, which is a full sync and ensures all objects are reevaluated and updated in Azure AD.

In this case, using the Initial Sync command is a valid and effective approach to meet the stated requirement. It allows for immediate availability of the user in Azure AD without waiting for the next automated sync cycle.

Summary: Using Start-ADSyncSyncCycle -PolicyType Initial is the correct method to force immediate synchronization of a new user from on-premises AD to Azure AD.

Question No 10:

Your Azure AD tenant weyland.com is set up in a hybrid environment with your on-premises Active Directory. A server named DirSync1 handles synchronization. After adding a new user on-prem, you want to ensure that the user appears in Azure AD right away. 

You attempt to force Global Catalog replication using Active Directory Sites and Services. Will this fulfill your requirement?

A. Yes
B. No

Correct Answer: B

Explanation:

In a hybrid identity setup with Azure AD, synchronization from on-premises Active Directory to Azure AD is managed by Azure AD Connect. Simply forcing replication of domain controllers within the on-premises AD forest using Active Directory Sites and Services does not push data to Azure AD—it only ensures that changes propagate across domain controllers within your local network.

The replication of user objects to Azure AD is not automatically triggered by internal domain controller replication. Instead, it requires an explicit sync operation using the Azure AD Connect tool, typically via the Start-ADSyncSyncCycle PowerShell cmdlet.

To synchronize changes to Azure AD:

  • Run Start-ADSyncSyncCycle -PolicyType Delta to push recent changes.

  • Run Start-ADSyncSyncCycle -PolicyType Initial for a complete sync of all objects.

Forcing replication using Sites and Services plays no role in this cloud synchronization process. Therefore, even if the new user object is fully replicated within the on-prem AD forest, Azure AD will not reflect the change until a proper sync cycle is triggered by Azure AD Connect.

Summary: Domain controller replication only affects on-prem environments. To sync with Azure AD, Azure AD Connect and its PowerShell commands must be used.
