AZ-104 RENEWAL COMPREHENSIVE EXAM VERSION 1 | ALL QUESTIONS AND CORRECT ANSWERS | LATEST UPDATE WITH VERIFIED Q&AS
Question 1
You are configuring Azure AD Connect for a company with strict security policies. The on-premises Active Directory has a user named "Admin5" who is a member of the "Domain Admins" group. You need to install Azure AD Connect to sync passwords only (no seamless SSO). The solution must follow the principle of least privilege.
Which account should you use for the installation?
• A. Admin5 (Domain Admin)
• B. A custom domain user account with local admin rights on the Azure AD Connect server
• C. A custom domain user account that is a member of the "Enterprise Admins" group
• D. The built-in Administrator account of the Azure AD Connect server
Correct Answer: B
Rationale: For a standard installation (password hash sync only) without Seamless SSO, the account only needs to be a local administrator on the Azure AD Connect server and have standard read permissions to Active Directory (which a standard domain user has). Domain Admin (A) or Enterprise Admin (C) provides excessive privileges. The built-in local admin (D) cannot read AD.
Question 2
You have an Azure Active Directory tenant. You have 500 external partner users who currently use their corporate Gmail accounts to access your resources. You need to ensure that when these partners authenticate, they use their existing credentials but you can manage their access lifecycle.
What should you configure?
• A. Azure AD B2B with "Invite redemption" set to "Admin only"
• B. Federation with Google (SAML/WS-Fed)
• C. Identity Protection user risk policy
• D. Conditional Access policy blocking legacy authentication
Correct Answer: B
Rationale: To allow Gmail/Google accounts to sign in using their existing credentials (not just receive a one-time passcode or create a Microsoft Account), you must configure federation with Google.
Question 3
You have an Azure subscription. You need to delegate the ability to manage network interfaces to a group named "Network-Team". The group must NOT be able to delete Virtual Networks or modify DNS servers.
What should you do?
• A. Assign the "Network Contributor" role at the Resource Group scope.
• B. Assign the "Virtual Machine Contributor" role at the subscription scope.
• C. Create a custom RBAC role with Microsoft.Network/networkInterfaces/* and deny delete actions.
• D. Assign the "Owner" role but remove the delete permission via Azure Policy.
Correct Answer: A
Rationale: The "Network Contributor" role allows management of networks, including network interfaces, but does not allow deletion of top-level resources like Virtual Networks or