Manage Azure identities and governance for Microsoft Azure Administrator (AZ-104)

This page covers the Manage Azure identities and governance domain of the Microsoft Azure Administrator (AZ-104) certification. Master Cybersecurity offers 127 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.

Sample Practice Questions

  1. Question 1

    Your company has several departments. Each department has a number of virtual machines (VMs). The company has an Azure subscription that contains a resource group named RG1. All VMs are located in RG1. You want to associate each VM with its respective department. What should you do?
    1. A. Create Azure Management Groups for each department.
    2. B. Create a resource group for each department.
    3. C. Assign tags to the virtual machines.
    4. D. Modify the settings of the virtual machines.
    Explanation

    The correct answer is: C. Assign tags to the virtual machines.

    Tags are the right primitive for associating a resource with a logical owner like a department without moving the resource. Applying a name/value tag such as department=finance to each VM lets you filter, report, and bill against the tag in Cost Management while leaving the existing resource-group layout intact. Management groups exist to apply policy and role assignments across many subscriptions and are far too coarse for per-VM departmental labeling. Creating one resource group per department forces a move of every VM and breaks the single-RG design the scenario starts from. Modifying generic VM settings does not produce a queryable departmental association. Tags meet the requirement with minimum disruption.

  2. Question 2

    Note: The question is included in a number of questions that depict the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements. Your company has an Azure Active Directory (Azure AD) subscription. You want to implement an Azure AD conditional access policy. The policy must be configured to require members of the Global Administrators group to use Multi-Factor Authentication and an Azure AD-joined device when they connect to Azure AD from untrusted locations. Solution: You access the multi-factor authentication page to alter the user settings. Does the solution meet the goal?
    1. A. Yes
    2. B. No
    Explanation

    The correct answer is: B. No.

    Per-user MFA settings on the legacy MFA user-settings page let you turn MFA on or off per account and adjust trusted IPs, but they cannot express a rule like "require MFA and a Microsoft Entra joined device for Global Administrators, only from untrusted locations". That kind of policy is exactly what Conditional Access expresses: an assignment that targets the Global Administrators directory role, a condition that excludes named/trusted locations (so untrusted networks match), and grant controls that require both MFA and a Hybrid Azure AD joined or compliant device. Because the proposed action stops at per-user MFA toggles, it cannot encode the location-conditional, role-targeted, device-requiring policy the scenario describes. The proposed solution therefore does not meet the goal.

  3. Question 3

    Note: The question is included in a number of questions that depict the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements. Your company has an Azure Active Directory (Azure AD) subscription. You want to implement an Azure AD conditional access policy. The policy must be configured to require members of the Global Administrators group to use Multi-Factor Authentication and an Azure AD-joined device when they connect to Azure AD from untrusted locations. Solution: You access the Azure portal to alter the session control of the Azure AD conditional access policy. Does the solution meet the goal?
    1. A. Yes
    2. B. No
    Explanation

    The correct answer is: B. No.

    Session controls in Conditional Access apply post-grant restrictions like sign-in frequency, persistent browser session, and app-enforced restrictions; they do not enforce the up-front access conditions that the scenario asks for, namely MFA plus a Microsoft Entra joined device when connecting from untrusted locations. Those are grant controls, configured on the same policy under Grant — Require multi-factor authentication and Require Hybrid Azure AD joined device (or compliant device). Editing only session controls leaves the grant requirements unset, so the policy does not actually enforce MFA or device join for Global Administrators on untrusted networks. The proposed solution therefore does not meet the goal.

  4. Question 4

    Note: The question is included in a number of questions that depict the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements. Your company has an Azure Active Directory (Azure AD) subscription. You want to implement an Azure AD conditional access policy. The policy must be configured to require members of the Global Administrators group to use Multi-Factor Authentication and an Azure AD-joined device when they connect to Azure AD from untrusted locations. Solution: You access the Azure portal to alter the grant control of the Azure AD conditional access policy. Does the solution meet the goal?
    1. A. Yes
    2. B. No
    Explanation

    The correct answer is: B. No.

    Grant controls in Conditional Access are the right surface for the requirement — they hold the Require multi-factor authentication and Require Hybrid Azure AD joined device toggles that the scenario calls for. But altering grant controls alone is not enough: the policy also needs the matching assignments (target the Global Administrators directory role) and the matching conditions (define trusted locations and target the policy at any location not in that trusted list). The proposed action mentions only changing the grant control and stops short of setting those other elements, so the policy will not actually enforce the location-conditional, role-targeted requirement. The proposed solution therefore does not meet the goal.

  5. Question 5

    Note: The question is included in a number of questions that depict the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements. Your company makes use of Multi-Factor Authentication for when users are not in the office. The Per Authentication option has been configured as the usage model. After the acquisition of a smaller business and the addition of the new staff to Azure Active Directory (Azure AD), you are informed that these employees should also make use of Multi-Factor Authentication. To achieve this, the Per Enabled User setting must be set for the usage model. Solution: You reconfigure the existing usage model via the Azure portal. Does the solution meet the goal?
    1. A. Yes
    2. B. No
    Explanation

    The correct answer is: B. No.

    The Per Authentication versus Per Enabled User usage model on a legacy MFA provider is immutable once set, regardless of whether you try to edit it from the Azure portal, the Azure CLI, PowerShell, or an ARM template. Microsoft long ago closed off this property to change in place because billing and provisioning logic both depend on it being fixed for the lifetime of the provider, and since 2018 the platform no longer accepts new MFA provider creations either, expecting tenants to use Microsoft Entra ID P1/P2 licenses (or Microsoft 365 SKUs) that include MFA and to enforce it through Conditional Access or per-user MFA settings on those licenses. Editing through the portal cannot do something the platform forbids at every control plane, so the proposed action will either show no editable field for the usage model or silently fail to persist a change. The proposed solution therefore does not meet the goal.
