The Microsoft AZ-104: Azure Administrator Associate exam is one of the most sought-after cloud certifications globally. It validates your ability to deploy, configure, monitor, and manage Azure resources efficiently.
According to Microsoft’s 2025 update, the exam now includes new skill domains:
- Azure AI Integration & Automation
- Cost Management and Budgeting
- Defender for Cloud & Security Compliance
This shift means candidates must combine technical proficiency with business awareness and security strategy.
Leads4pass, a trusted IT certification resource provider, has updated its AZ-104 dumps to reflect the latest 2025 exam blueprint. With 414 verified Q&A, https://www.leads4pass.com/az-104.html ensures authenticity, accuracy, and real-world relevance.
Table of Contents
- Official Exam Structure and Skill Domains
- 2025 Exam Update: What’s New
- Highlights of Leads4pass AZ-104 Dumps
- Free az-104 exam Question and Answers
- Four-Week Study Plan and Time Management
- Real Azure Practice Examples (CLI & Portal)
- Tips and Strategies to Pass with High Scores
- Career Path After AZ-104 Certification
- Frequently Asked Questions (FAQ)
Official AZ-104 Exam Structure and Skill Domains
The AZ-104 exam lasts about 120 minutes and consists of 40–60 multiple-choice and scenario-based questions. Here’s the updated skill breakdown:
| Domain | Weight | Key Skills |
|---|---|---|
| Manage Azure Identities and Governance | 15–20% | Azure AD, RBAC, Policies, Locks |
| Implement and Manage Storage | 15–20% | Blob, Disk, Access Control |
| Deploy and Manage Compute Resources | 20–25% | Virtual Machines, App Services, Containers |
| Configure and Manage Virtual Networks | 15–20% | NSG, Load Balancers, DNS, Peering |
| Monitor and Back Up Azure Resources | 10–15% | Monitor, Log Analytics, Recovery Vault |
Modern versions of the exam now emphasize hands-on configuration, not rote memorization. Candidates are expected to perform live management tasks via Azure Portal or command-line tools.
2025 Exam Update: What’s New
Recent test versions include scenario-based and automation-focused questions. You may see topics like:
1.Automation and Deployment Tasks
az vm create --resource-group MyGroup --name DemoVM --image UbuntuLTS --admin-username azureuserKnow the purpose of each parameter and its effect on deployment.
2.Cost Optimization and Budget Alerts
You’ll need to demonstrate how to create budgets and alerts in Azure Cost Management.
3.Security and Compliance
Questions now include Defender for Cloud, Azure Policy, and Role Assignments.
👉 In short, the new AZ-104 exam tests automation, security posture, and financial accountability alongside traditional administration skills.
Highlights of Leads4pass AZ-104 Dumps
Download the latest verified AZ-104 dumps (PDF & VCE):
👉 https://www.leads4pass.com/az-104.html
What’s included:
- ✅ 414 up-to-date verified Q&A
- ✅ Monthly content review by Azure experts
- ✅ Supports real exam interface simulation
- ✅ Both PDF and interactive VCE formats
- ✅ Free 365 access after purchase
Leads4pass dumps are not just question banks — they’re structured learning resources designed to help candidates understand the logic behind each question and improve retention.
Latest Microsoft AZ-104 exam questions and answers shared
| Number of exam questions | Compelet | Related |
| 15(Free) | 414 Q&A | Microsoft Role-based |
Question 1:
HOTSPOT
You have an Azure subscription
You plan to deploy a new storage account
You need to configure encryption for the account The solution must meet the following requirements
Use a customer-managed key stored in an key vault
Use the maximum supported bit length.
Which type of key and which bit length should you use?
Hot Area:
Correct Answer:
Question 2:
HOTSPOT
You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. You add the users in the following table.
To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
References: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
Question 3:
HOTSPOT
You have two Azure subscriptions named Sub1 and Sub2. Sub1 is in a management group named MG1. Sub2 is in a management group named MG2. You have the resource groups shown in the following table.
You have the virtual machines shown in the following table.
Hot Area:
Correct Answer:
Question 4:
You have web apps in the West US, Central US and East US Azure regions. You have the App Service plans shown in the following table.
You plan to create an additional App Service plan named ASP5 that will use the Linux operating system.
You need to identify in which of the currently used locations you can deploy ASP5.
What should you recommend?
A. West US, Central US, or East US
B. Central US only
C. East US only
D. West US only
Correct Answer: A
Explanation:
This question is asking in which regional locations can a APP service plan be deployed to. It tells you it will be a Linux Plan to throw you off and make you wonder if it matters. Which is does not.
Then it asks what should you recommend to make you think you are supposed to choose. The fact is you can recommend any region.
An APP service plan can be deployed in any region and multiple APP service plans can be deployed in a region.
The Plan type you choose depends on the APP\’s your going to deploy and whether the programing language can be run on Linux or Windows.
https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans
Question 5:
HOTSPOT
You have an Azure subscription that contains the storage accounts shown in the following table.
You need to identify which storage accounts support lifecycle management, and which storage accounts support moving data to the Archive access tier.
Which storage accounts should you use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Explanation:
Box 1: storage1, storage2, and storage3
Azure Storage lifecycle management offers a rule-based policy that you can use to transition blob data to the appropriate access tiers or to expire data at the end of the data lifecycle.
Lifecycle management policies are supported for block blobs and append blobs in general-purpose v2, premium block blob, and Blob Storage accounts.
Box 2: storage2
The Archive tier for Blob Storage is currently supported for LRS, GRS, and RA-GRS accounts.
Incorrect:
* not storage1, not storage3
The Archive tier for Blob Storage isn\’t currently supported for ZRS, GZRS, or RA-GZRS accounts.
Reference:
https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-overview
Question 6:
You have an Azure subscription that contains 100 virtual machines.
You regularly create and delete virtual machines.
You need to identify unattached disks that can be deleted.
What should you do?
A. From Azure Advisor, modify the Advisor configuration.
B. From Azure Cost Management view Cost Analysis.
C. From Azure Cost Management view Advisor Recommendations.
D. From Microsoft Azure Storage Explorer, view the Account Management properties.
Correct Answer: C
Explanation:
From Home -> Cost Management + Billing -> Cost Management, scroll down on the options and select View Recommendations
Question 7:
HOTSPOT
You have an Azure subscription. The subscription contains a virtual machine that runs Windows 10.
You need to join the virtual machine to an Active Directory domain.
How should you complete the Azure Resource Manager (ARM) template? To answer, select the appropriate options in the answer area.
NOTE: Bach correct selection is worth one point.
Hot Area:
Correct Answer:
Explanation:
Azure Resource Manager template overview
Resource Manager templates let you define Azure infrastructure in code. The required resources, network connections, or configuration of VMs can all be defined in a template. These templates create consistent, reproducible deployments
each time, and can be versioned as you make changes. For more information, see Azure Resource Manager templates overview.
Each resource is defined in a template using JavaScript Object Notation (JSON). The following JSON example uses the Microsoft.Compute/virtualMachines/extensions resource type to install the Active Directory domain join extension.
Parameters are used that you specify at deployment time. When the extension is deployed, the VM is joined to the specified managed domain.
JSON
{
“apiVersion”: “2015-06-15”,
“type”: “Microsoft.Compute/virtualMachines/extensions”, “name”: “[concat(parameters(\’dnsLabelPrefix\’),\’/joindomain\’)]”, “location”: “[parameters(\’location\’)]”,
“dependsOn”: [
“[concat(\’Microsoft.Compute/virtualMachines/\’, parameters(\’dnsLabelPrefix\’))]” ],
“properties”: {
“publisher”: “Microsoft.Compute”,
“type”: “JsonADDomainExtension”,
“typeHandlerVersion”: “1.3”,
“autoUpgradeMinorVersion”: true,
“settings”: {
“Name”: “[parameters(\’domainToJoin\’)]”,
“OUPath”: “[parameters(\’ouPath\’)]”,
“User”: “[concat(parameters(\’domainToJoin\’), \’\\\’, parameters(\’domainUsername\’))]”, “Restart”: “true”,
“Options”: “[parameters(\’domainJoinOptions\’)]”
},
“protectedSettings”: {
“Password”: “[parameters(\’domainPassword\’)]”
}
}
}
This VM extension can be deployed even if you don\’t create a VM in the same template. The examples in this article show both of the following approaches:
Create a Windows Server VM and join to a managed domain Join an existing Windows Server VM to a managed domain
Question 8:
You have an Azure Kubernetes cluster in place.
You have to deploy an application using an Azure Container registry image.
Which of the following command can be used for this requirement?
A. az kubernetes deploy
B. kubectl apply
C. New-AzKubernetes set
D. docker run
Correct Answer: B
Explanation:
kubectl apply : Correct Choice
The kubectl command can be used to deploy applications to a Kubernetes cluster.
az kubernetes deploy : Incorrect Choice
This command is used to manage Azure Kubernetes Services. This is not used to deploy applications to a Kubernetes cluster.
New-AzKubernetes set : Incorrect Choice
This command is used to create a new managed Kubernetes cluster. This is not used to deploy applications to a Kubernetes cluster.
docker run : Incorrect Choice
This is run command in a new container. This is not used to deploy applications to a Kubernetes cluster.
Reference:
https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#apply https://docs.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest https://docs.microsoft.com/en-us/powershell/module/az.aks/New-AzAks?view=azps3.8.0andviewFallbackFrom=azps-4.3.0 https://docs.docker.com/engine/reference/commandline/run/
Question 9:
You have an Azure subscription that is linked to an Azure AD tenant. The tenant contains two users named User1 and User2. The subscription contains the resources shown in the following table.
The subscription contains the alert rules shown in the following table.
The users perform the following actions:
User1 creates a new virtual disk and attaches the disk to VM1.
User2 creates a new resource tag and assigns the tag to RG1 and VM1.
Which alert rules are triggered by each user? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one pint.
Hot Area:
Correct Answer:
Question 10:
You have an Azure web app named webapp1.
You have a virtual network named VNET1 and an Azure virtual machine named VM1 that hosts a MySQL database. VM1 connects to VNET1.
You need to ensure that webapp1 can access the data hosted on VM1.
What should you do?
A. Connect webapp1 to VNET1.
B. Peer VNET1 to another virtual network.
C. Deploy an Azure Application Gateway.
D. Deploy an internal load balancer
Correct Answer: C
Explanation:
By connecting webapp1 to VNET1, the web app will be able to access the data hosted on VM1 through the virtual network.
The other options do not directly address the requirement to allow webapp1 access to the data hosted on VM1.
An internal load balancer and a peered virtual network may provide other benefits, but they would not by themselves ensure that webapp1 can access the data hosted on VM1.
An Azure Application Gateway is a reverse proxy that is often used for load balancing, SSL termination, and URL-based routing, but it would not directly allow webapp1 to access the data hosted on VM1.
Question 11:
HOTSPOT
You have peering configured as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: vNET6 only
Peering status to both VNet1 and Vnet2 are disconnected.
Box 2: delete peering1
Peering to Vnet1 is Enabled but disconnected. We need to update or re-create the remote peering to get it back to Initiated state.
Reference:
https://blog.kloud.com.au/2018/10/19/address-space-maintenance-with-vnet-peering
Question 12:
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while
others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You deploy an Azure Kubernetes Service (AKS) cluster named AKS1.
You need to deploy a YAML file to AKS1.
Solution: From the Azure CLI, you run azcopy.
Does this meet the goal?
A. Yes
B. No
Correct Answer: B
Explanation:
Kubectl is not installed by installing AZ ClI. As stated Azure CLI is already available but installing Azure CLI doesn\’t mean that Azure Kubernates client is also installed. So before running any aks command, we have to install kubectl, the Kubernetes command-line client. az aks install-cli Reference: https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough#connect-to-the-cluster
Question 13:
Your network contains an on-premises Active Directory domain named adatum.com. The domain contains an organizational unit (OU) named OU1. OU1 contains the objects shown in the following table.
You sync OU1 to Azure Active Directory (Azure AD) by using Azure AD Connect.
You need to identify which objects are synced to Azure AD.
Which objects should you identify?
A. User1 and Group1 only
B. User1, Group1, and Group2 only
C. User1, Group1, Group2, and Computer1
D. Computer1 only
Correct Answer: B
Reference: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/synchronization
Question 14:
You need to meet the user requirement for Admin1.
What should you do?
A. From the Subscriptions blade, select the subscription, and then modify the Properties.
B. From the Subscriptions blade, select the subscription, and then modify the Access control (IAM) settings.
C. From the Azure Active Directory blade, modify the Properties.
D. From the Azure Active Directory blade, modify the Groups.
Correct Answer: A
Explanation:
Scenario:
1.
Designate a new user named Admin1 as the service admin for the Azure subscription.
2.
Admin1 must receive email alerts regarding service outages.
Follow these steps to change the Service Administrator in the Azure portal.
1.
Make sure your scenario is supported by checking the limitations for changing the Service Administrator.
2.
Sign in to the Azure portal as the Account Administrator.
3.
Open Cost Management + Billing and select a subscription.
4.
In the left navigation, click Properties.
5.
Click Service Admin.
Reference: https://docs.microsoft.com/en-us/azure/role-based-access-control/classic-administrators
Question 15:
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while
others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You configure a custom policy definition, and then you assign the policy to the subscription.
Does this meet the goal?
A. Yes
B. No
Correct Answer: A
Explanation:
Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing when the policy is enforced and what effect to take. By defining conventions, you can control costs and
more easily manage your resources.
References:
https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition
…
Four-Week Study Plan and Time Management
A focused study plan significantly improves your success rate. Here’s a four-week schedule combining Microsoft Learn paths with Leads4pass practice tests:
| Week | Focus Area | Practical Tasks |
|---|---|---|
| Week 1 | Azure Fundamentals & Identity | Create Azure accounts, manage users and groups |
| Week 2 | Compute & Storage | Deploy VMs, configure Blob Storage |
| Week 3 | Networking & Security | Create VNets, NSGs, and load balancers |
| Week 4 | Practice & Review | Use Leads4pass dumps for 3 full-length mock tests |
💡 Pro Tip: Study 2 hours daily and review mistakes weekly. Create a “wrong answer log” to analyze patterns — this helps solidify weak areas efficiently.
Real Azure Practice Examples (CLI & Portal)
Hands-on practice is the most reliable path to success.
1. Create a Virtual Machine via CLI
az vm create \
--name DemoVM \
--resource-group TestRG \
--image UbuntuLTS \
--admin-username azureuser \
--generate-ssh-keys2.Create a Blob Storage Container
az storage container create \
--account-name mystorage \
--name mycontainer \
--public-access blobPractice these commands repeatedly. Understand not only what they do but why each step matters in production.
Tips and Strategies to Pass with High Scores
- Master CLI and PowerShell logic – over 30% of the exam involves command-based questions.
- Understand concepts instead of memorizing dumps – Microsoft changes questions monthly.
- Time management is key – answer easy questions first.
- Simulate the real test using Leads4pass VCE.
- Stay calm and consistent.
Career Path After AZ-104 Certification
Once certified, you can pursue higher-level Azure roles or advanced certifications, such as:
- AZ-305 – Azure Solutions Architect Expert
- AZ-700 – Azure Network Engineer Associate
- SC-200 – Security Operations Analyst
These certifications build on the foundation AZ-104 provides and open opportunities in architecture, automation, and cybersecurity.
Conclusion
This guide outlined the latest AZ-104 exam updates, study strategies, and Leads4pass resources that make your preparation structured and efficient.
Remember: Understanding beats memorization, and practice beats theory.
Leads4pass helps thousands of candidates each year achieve Azure success. It’s your best companion for mastering the Microsoft Azure Administrator exam.
Frequently Asked Questions (FAQ)
1. How difficult is the AZ-104 exam?
Moderate. It requires strong practical knowledge rather than pure memorization.
2. How often are Leads4pass dumps updated?
Monthly, ensuring complete alignment with Microsoft’s latest exam structure.
3. How long is the certification valid?
One year, renewable online for free.
4. Can I pass using only dumps?
Not recommended. Combine dumps with Microsoft Learn and hands-on labs.
5. What’s next after AZ-104?
Advance to AZ-305 (Architect) or AZ-700 (Networking) certifications.
Comments are closed.