Microsoft - AZ-104: Microsoft Azure Administrator
Sample Questions
Question: 801
Measured Skill: Implement and manage virtual networking (15–20%)
You have two Azure subscriptions named Sub1 and Sub2 that contain the virtual networks shown in the following table.

You need to ensure that VM1 and VM2 can communicate. The solution must minimize costs and administrative effort.
What should you use?
A | A user-defined route (UDR) |
B | Network peering |
C | Azure Route Server |
D | An Azure VPN gateway |
E | A network virtual appliance (NVA) |
Correct answer: B
Explanation:
Virtual network peering enables you to seamlessly connect two or more virtual networks in Azure. The virtual networks appear as one for connectivity purposes. The traffic between virtual machines in peered virtual networks uses the Microsoft backbone infrastructure. Traffic is routed through the Microsoft private network only.
For peered virtual networks, resources in either virtual network can directly connect with resources in the peered virtual network.
The network latency between virtual machines in peered virtual networks in the same region is the same as the latency within a single virtual network. The network throughput is based on the bandwidth allowed for the virtual machine, proportionate to its size. There isn't any extra restriction on bandwidth within the peering.
Reference: Virtual network peering
Question: 802
Measured Skill: Implement and manage virtual networking (15–20%)
You have an Azure subscription that contains the resources shown in the following table.
You need to create a network interface named NIC1 without creating additional resources.
In which region can you create NIC1?
A | East US only |
B | East US and West Europe only |
C | East US and North Europe only |
D | East US, West Europe, and North Europe |
Correct answer: A
Explanation:
A network interface (NIC) enables an Azure virtual machine (VM) to communicate with internet, Azure, and on-premises resources.
You can assign a NIC only to a virtual network in the same subscription and location as the NIC. Once you create a NIC, you can't change the virtual network it's assigned to. The VM you add the NIC to must also be in the same location and subscription as the NIC.
Reference: Create, change, or delete a network interface
Question: 803
Measured Skill: Deploy and manage Azure compute resources (20–25%)
You have two Azure subscriptions named Sub1 and Sub2.
Sub1 contains a virtual machine named VM1 and a storage account named storage1.
VM1 is associated to the resources shown in the following table.

You move VM1 to Sub2.
Which resources move to Sub2?
A | VM1, Disk1, and Nic1 only |
B | VM1, Disk1, and VNet1 only |
C | VM1, Disk1, and storage1 only |
D | VM1, Disk1, Nic1, and VNet1 |
Correct answer: D
Explanation:
Moving resources from one subscription to another is a three-step process. To illustrate these steps, the following diagram depicts only one dependent resource:

- Step 1: If dependent resources are distributed across different resource groups, first move them into one resource group.
- Step 2: Move the resource and dependent resources together from the source subscription to the target subscription.
- Step 3: Optionally, redistribute the dependent resources to different resource groups within the target subscription.
Only top-level (parent) resources should be specified in the move request. Child resources move automatically with their parent but can't be moved independently. For example, you can move a parent resource like Microsoft.Compute/virtualMachines, and its child resource such as Microsoft.Compute/virtualMachines/extensions moves with it. However, you can't move the child resource on its own.
If you move a virtual machine from one subscription to another, you have to include all dependent resources, including the operating system disk, the network interface, and the virtual network. If you select only the virtual machine, the move request results in an error and is not carried out.
If you move a VM from one resource group to another resource group within the same subscription, you can move only the VM without selecting the dependent resources.
Reference: Move Azure resources to a new resource group or subscription
Question: 804
Measured Skill: Implement and manage virtual networking (15–20%)
You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains virtual machines that have Remote Desktop enabled.
Several users plan to work remotely and connect to the virtual machines from a home office.
You need to configure connectivity to the virtual machines to support a Point-to-Site (P2S) VPN connection for each user.
Which three actions should you perform in sequence?
(To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.) 
A | Sequence: 1, 5, 6 |
B | Sequence: 1, 6, 4 |
C | Sequence: 1, 3, 6 |
D | Sequence: 5, 2, 3 |
Correct answer: B
Explanation:
A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. A P2S connection is established by starting it from the client computer. This solution is useful for telecommuters who want to connect to Azure virtual networks from a remote location, such as from home or a conference. P2S VPN is also a useful solution to use instead of site-to-site (S2S) VPN when you have only a few clients that need to connect to a virtual network.
Azure VPN Gateway is the service that is used in Azure to receive and send the encrypted traffic between an Azure virtual network and the P2S clients over the public Internet.
Azure VPN Gateway requires a dedicated subnet to be deployed in. The gateway subnet contains the IP addresses that the virtual network gateway services use. You need to create a gateway subnet for your virtual network in order to configure a virtual network gateway.
Once the VPN Gateway is deployed to the gateway subnet, we need to add a point-to-site IP address pool. This client address pool is a range of private IP addresses that we specify. The clients that connect over a Point-to-Site VPN dynamically receive an IP address from this range.
References:
About Point-to-Site VPN
What is Azure VPN Gateway?
Tutorial: Create and manage a VPN gateway using the Azure portal
Question: 805
Measured Skill: Implement and manage storage (15–20%)
You have an Azure subscription that contains the virtual machines shown in the following table.
The subscription contains a storage account named storage184 as shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
(Note: Each correct selection is worth one point.)
A | VM1 can connect to storage184 by using 131.107.10.10: Yes
VM2 can connect to storage184 by using 150.120.10.10: Yes
VM3 must use its private IP address to connect to storage184: Yes |
B | VM1 can connect to storage184 by using 131.107.10.10: Yes
VM2 can connect to storage184 by using 150.120.10.10: Yes
VM3 must use its private IP address to connect to storage184: No |
C | VM1 can connect to storage184 by using 131.107.10.10: Yes
VM2 can connect to storage184 by using 150.120.10.10: No
VM3 must use its private IP address to connect to storage184: Yes |
D | VM1 can connect to storage184 by using 131.107.10.10: No
VM2 can connect to storage184 by using 150.120.10.10: Yes
VM3 must use its private IP address to connect to storage184: No |
E | VM1 can connect to storage184 by using 131.107.10.10: No
VM2 can connect to storage184 by using 150.120.10.10: No
VM3 must use its private IP address to connect to storage184: Yes |
F | VM1 can connect to storage184 by using 131.107.10.10: No
VM2 can connect to storage184 by using 150.120.10.10: No
VM3 must use its private IP address to connect to storage184: No |
Correct answer: B
Explanation:
Azure Storage provides a layered security model. This model enables you to control the level of access to your storage accounts that your applications and enterprise environments demand, based on the type and subset of networks or resources that you use.
When you configure network rules, only applications that request data over the specified set of networks or through the specified set of Azure resources can access a storage account. You can limit access to your storage account to requests that come from specified IP addresses, IP ranges, subnets in an Azure virtual network, or resource instances of some Azure services.
The storage account allows access from the private IP addresses of Subnet1 of VNet1 and from the public IP addresses 131.107.10.10 (VM1), 150.120.10.10 (VM2), and 170.20.10.10 (VM3).
VM1 and VM3 can use both their private IP addresses and their public IP addresses to access storage184. VM2 is not connected to Subnet1 and can only use its public IP address to connect to storage184.
Reference: Configure Azure Storage firewalls and virtual networks