Bank (Latest 2026/2027 Edition) – 100% Correct Questions, Answers & Detailed Rationales
Total Questions: 50
Time Allowed: 60 Minutes
Passing Score: 80%
Instructions: Select the BEST answer for each question based on Microsoft Azure best
practices and AZ-104 exam standards. For SATA questions, select all that apply.
SECTION 1: MANAGE AZURE IDENTITIES AND GOVERNANCE
Questions 1–12
Question 1
Contoso Corporation has an Azure subscription with multiple resource groups. The
security team needs to ensure that only specific users can create virtual machines in
the production resource group. Which Azure feature should the administrator configure?
A. Azure Policy with a built-in policy definition
B. Azure AD Conditional Access
C. Role-Based Access Control (RBAC) with a custom role
D. Azure Blueprints
Correct Answer: C
Rationale: RBAC with a custom role allows granular permission assignment to specific
users for creating virtual machines within a specific resource group, following the
principle of least privilege. Option A is incorrect because Azure Policy enforces resource
configuration compliance, not user permissions. Option B is incorrect because
Conditional Access manages authentication and access conditions, not resource
creation permissions. Option D is incorrect because Blueprints deploy standardized
environments, not user access controls.
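The following is an added worked example, not part of the question bank, showing what the Question 1 answer looks like in practice: a custom RBAC role whose AssignableScopes is limited to the production resource group, assigned to a group of VM creators with Az PowerShell. The subscription ID, resource group name, group object ID and role name are placeholders, and the action list is an assumption about what a basic VM deployment touches (the exact set depends on the images, availability sets or other resources the deployment uses).

```powershell
# Added example (not from the question bank). Placeholders: replace before use.
$subscriptionId    = "<subscription-id>"
$resourceGroup     = "rg-production"
$vmCreatorsGroupId = "<object-id-of-vm-creators-group>"
$roleName          = "Production VM Creator (custom)"

# Least-privilege action list (assumed minimum for creating a VM with a NIC and
# managed disks in an existing VNet). No delete or wildcard actions are granted.
$roleJson = @"
{
  "Name": "$roleName",
  "Description": "Create and manage virtual machines in $resourceGroup only.",
  "Actions": [
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/disks/read",
    "Microsoft.Compute/disks/write",
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Network/networkInterfaces/write",
    "Microsoft.Network/virtualNetworks/subnets/join/action"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"
  ]
}
"@

# Write the definition to disk and register it with Azure RBAC.
$rolePath = Join-Path $env:TEMP "prod-vm-creator.json"
Set-Content -Path $rolePath -Value $roleJson
New-AzRoleDefinition -InputFile $rolePath

# Assign the role to the VM creators group at resource-group scope only.
# Users outside this group keep whatever (hopefully narrower) access they had.
New-AzRoleAssignment -ObjectId $vmCreatorsGroupId `
    -RoleDefinitionName $roleName `
    -ResourceGroupName $resourceGroup

# Verification: list assignments at this scope and confirm nothing broader exists.
Get-AzRoleAssignment -ResourceGroupName $resourceGroup |
    Where-Object { $_.RoleDefinitionName -eq $roleName } |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

Because AssignableScopes is the resource group itself, the role cannot later be assigned at subscription or management-group scope by mistake, which is the least-privilege property the rationale is pointing at.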
Question 2
A company uses Microsoft Entra ID (formerly Azure AD) for identity management. The
administrator needs to create a group that automatically includes all users in the Sales
department based on their department attribute. Which group type should be
configured?
A. Assigned membership group
B. Dynamic Device membership group
C. Dynamic User membership group
D. Security group with manual assignment
Correct Answer: C
Rationale: Dynamic User membership groups automatically add or remove users based
on rules evaluating user attributes (such as department), eliminating manual
management. Option A is incorrect because assigned membership requires manual
user addition. Option B is incorrect because Dynamic Device membership evaluates
device attributes, not user attributes. Option D is incorrect because manual assignment
does not meet the automatic inclusion requirement.
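As an added example (not part of the question bank), this is how the dynamic user group from Question 2 is created with the Microsoft Graph PowerShell SDK; the display name and mail nickname are constructed values. The membership rule is the part that matters: it evaluates the user.department attribute, so membership follows the directory attribute rather than a manual list.

```powershell
# Added example (not from the question bank). Requires Connect-MgGraph with
# Group.ReadWrite.All; display name and mail nickname are constructed values.
$membershipRule = '(user.department -eq "Sales")'

$group = New-MgGroup -DisplayName "Sales Department (dynamic)" `
    -MailNickname "sales-dynamic" `
    -MailEnabled:$false `
    -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $membershipRule `
    -MembershipRuleProcessingState "On"

# Verification: read the rule back and confirm evaluation is switched on.
Get-MgGroup -GroupId $group.Id -Property "displayName,membershipRule,membershipRuleProcessingState" |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
```

A Dynamic Device group would use a rule over device.* attributes instead; a rule over user.* attributes with GroupTypes set to DynamicMembership is what makes this a Dynamic User group.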
Question 3
An Azure administrator needs to prevent accidental deletion of critical production
resources. Which feature should be applied to the resource or resource group?
A. Azure Policy
B. Resource lock (CanNotDelete or ReadOnly)
C. Azure AD Privileged Identity Management (PIM)
D. Management group hierarchy
Correct Answer: B
Rationale: Resource locks (CanNotDelete or ReadOnly) prevent accidental deletion or
modification of Azure resources, even by users with appropriate RBAC permissions.
Option A is incorrect because Azure Policy enforces configuration standards, not
deletion protection. Option C is incorrect because PIM manages just-in-time privileged
access, not resource-level deletion prevention. Option D is incorrect because
management groups organize subscriptions and apply policies, not resource locks.
Question 4
An organization needs to ensure that all virtual machines in a subscription use
managed disks and are deployed only in specific Azure regions. Which combination of
Azure governance tools should the administrator implement?
A. Azure Blueprints and Azure Cost Management
B. Azure Policy and Management Groups
C. Azure AD Conditional Access and RBAC
D. Azure Monitor and Azure Advisor
Correct Answer: B
Rationale: Azure Policy enforces resource configuration rules (managed disks, allowed
regions), while Management Groups organize subscriptions for policy inheritance
across the organization. Option A is incorrect because Cost Management handles
billing, not resource configuration enforcement. Option C is incorrect because
Conditional Access and RBAC manage identity and access, not resource deployment
standards. Option D is incorrect because Monitor and Advisor provide
recommendations and monitoring, not enforcement.
Question 5
An administrator needs to assign the User Administrator role to a help desk employee.
The employee should only be able to manage users within a specific administrative unit,
not the entire tenant. Which approach should the administrator use?
A. Assign the Global Administrator role with a scope limited to the administrative unit
B. Assign the User Administrator role at the administrative unit scope
C. Create a custom role with User Administrator permissions and assign it at the
subscription level
D. Assign the Helpdesk Administrator role at the tenant level
Correct Answer: B
Rationale: Administrative units in Microsoft Entra ID allow scoping directory roles (such
as User Administrator) to specific subsets of users, enabling delegated administration
without tenant-wide permissions. Option A is incorrect because Global Administrator
cannot be scoped to administrative units and grants excessive permissions. Option C is
incorrect because custom roles at the subscription level manage Azure resources, not
Entra ID users. Option D is incorrect because tenant-level assignment would grant
broader access than required.
Question 6
A company wants to implement self-service password reset (SSPR) for all employees.
Which Microsoft Entra ID license is required to enable SSPR for all users?