If you are preparing for the AZ-104 Microsoft Azure Administrator exam, you know that practice questions can make all the difference. Domain 2, Implement and Manage Storage, is a big part of the test. It checks how well you understand Azure Storage, from setting it up, to securing it, to monitoring and optimizing it.
In this post, you will find a set of exam-style practice questions that reflect the way Microsoft frames its scenarios. Each question comes with a clear explanation of why one answer is correct and why the others are not. This way, you build real reasoning skills rather than just memorizing answers.
Take your time with each question, read through the explanations carefully, and use the Microsoft Learn links at the end to go deeper when you want more detail. By the end of this set, you will have sharpened your understanding of replication options, security and compliance, networking and access control, Azure Files identity integration, and lifecycle management.
Let’s begin with the first question.
Question: Your company requires a storage account that will remain available if the primary region fails. You must ensure data is replicated to a secondary region and be able to provide read-only access to the replicated data during an outage. Which replication option should you choose?
A. Locally Redundant Storage (LRS)
B. Zone-Redundant Storage (ZRS)
C. Geo-Redundant Storage (GRS)
D. Read-Access Geo-Redundant Storage (RA-GRS)
Correct Answer
D. Read-Access Geo-Redundant Storage (RA-GRS)
Explanation:
- A. LRS – Stores three synchronous copies in a single datacenter. It does not provide regional protection, so a region-wide outage would cause downtime.
- B. ZRS – Replicates data across three availability zones in the same region. This protects against zone failure but not full regional outages.
- C. GRS – Replicates asynchronously to a secondary region. However, the secondary is not available for read access unless a failover occurs.
- D. RA-GRS – Extends GRS by providing read-only access to the secondary region at any time. This satisfies both requirements: protection from regional outage and read-only access during downtime.
Microsoft Learn Reference:
https://learn.microsoft.com/azure/storage/common/storage-redundancy
Question: Your company needs to give a contractor temporary access to upload files into a specific container in your storage account. The contractor should not have access to other containers or the account keys. Which method should you use?
A. Storage account keys
B. Shared Access Signature (SAS)
C. Azure AD RBAC assignment at the storage account scope
D. Storage firewall rules
Correct Answer
B. Shared Access Signature (SAS)
Explanation:
- A. Storage account keys – Provide full access to all containers in the account. Not limited or temporary.
- B. Shared Access Signature (SAS) – Grants scoped, time-limited access to a container or specific operations. Ideal for temporary access.
- C. RBAC at the storage account scope – Would apply at the full account level, not scoped to one container. Too broad.
- D. Storage firewall rules – Control which networks can connect. Do not provide scoped user-level access.
Microsoft Learn Reference:
https://learn.microsoft.com/azure/storage/common/storage-sas-overview
Question: You are configuring a storage account that must only be accessible from a specific subnet in your Azure virtual network. Compliance requires that all traffic remains on private IP space, with no public internet connectivity. Which feature should you configure?
A. Private Endpoint
B. Service Endpoint
C. Firewall rules with selected networks
D. Azure Policy
Correct Answer
A. Private Endpoint
Explanation:
- A. Private Endpoint – Maps the storage account to a private IP inside the VNet. Ensures all traffic stays within the private IP space. Correct solution.
- B. Service Endpoint – Routes traffic to Azure services over the Microsoft backbone but still uses public IPs for the service. Does not meet “private only” requirement.
- C. Firewall rules – Restrict traffic sources but do not eliminate public IP dependency.
- D. Azure Policy – Enforces configuration rules but cannot enforce network routing.
Microsoft Learn Reference:
https://learn.microsoft.com/azure/private-link/private-endpoint-overview
Question: Your company is migrating file shares to Azure Files. Users must continue using their on-premises Active Directory identities for authentication, and they should be able to mount the shares over SMB. What should you configure?
A. Enable Azure AD Kerberos authentication for Azure Files with Active Directory Domain Services (AD DS)
B. Use NTFS permissions with Azure AD RBAC at the storage account
C. Provide users with storage account keys to mount the shares
D. Configure anonymous access using a SAS token
Correct Answer
A. Enable Azure AD Kerberos authentication for Azure Files with AD DS
Explanation:
- A. Enable Azure AD Kerberos with AD DS – Correct. This integrates Azure Files with on-premises AD DS, allowing SMB authentication with existing AD identities.
- B. NTFS with Azure AD RBAC – Incorrect. RBAC controls management-plane access, not SMB authentication.
- C. Storage account keys – Incorrect. Keys grant full account access, bypassing per-user AD identities.
- D. Anonymous with SAS – Incorrect. SAS is for delegated REST access, not SMB authentication with AD credentials.
Microsoft Learn Reference:
https://learn.microsoft.com/azure/storage/files/storage-files-active-directory-overview
Question: Your security team requires that malicious activity, such as unusual data access patterns, is automatically detected in your storage account. Which feature should you enable?
A. Azure Policy
B. Azure Monitor
C. Microsoft Defender for Storage
D. Firewall rules
Correct Answer
C. Microsoft Defender for Storage
Explanation:
- A. Azure Policy – Incorrect. Used for governance and enforcing configuration, not threat detection.
- B. Azure Monitor – Incorrect. Provides metrics and logs, but requires custom rules; does not provide built-in anomaly detection.
- C. Microsoft Defender for Storage – Correct. Provides automatic threat detection and alerts for suspicious or malicious activity.
- D. Firewall rules – Incorrect. Control network access but cannot detect anomalies or malicious behavior.
Microsoft Learn Reference:
https://learn.microsoft.com/azure/defender-for-cloud/defender-for-storage-introduction
Question: A storage account uses GRS replication. During a regional outage, you need to allow read access to the secondary region without initiating a failover. What should you configure?
A. Zone-Redundant Storage (ZRS)
B. Read-Access Geo-Redundant Storage (RA-GRS)
C. Geo-Redundant Storage (GRS)
D. Geo-Zone Redundant Storage (GZRS)
Correct Answer
B. Read-Access Geo-Redundant Storage (RA-GRS)
Explanation:
- A. ZRS – Incorrect. Replicates within a region only, not across regions.
- B. RA-GRS – Correct. Provides geo-redundancy plus read access to the secondary region without failover.
- C. GRS – Incorrect. Replicates to a secondary region, but secondary is not readable unless failover is initiated.
- D. GZRS – Incorrect. Combines ZRS with cross-region replication, but without RA, the secondary cannot be read.
Microsoft Learn Reference:
https://learn.microsoft.com/azure/storage/common/storage-redundancy
Question: Your company needs to migrate 80 TB of on-premises data into Azure Storage. Internet bandwidth is too limited for the initial transfer. After migration, small daily updates must continue syncing automatically to the cloud. Which two tools should you use?
A. Azure Import/Export
B. Azure Migrate
C. AzCopy
D. Azure Monitor
Correct Answer
A. Azure Import/Export & C. AzCopy
Explanation:
- A. Azure Import/Export – Correct. Enables bulk offline data transfer by shipping encrypted drives to Microsoft for ingestion into Azure Storage.
- B. Azure Migrate – Incorrect. Used for migrating servers, VMs, and databases, not unstructured file data into Storage.
- C. AzCopy – Correct. Optimized for incremental uploads and sync of files into Azure Storage, suitable for daily updates.
- D. Azure Monitor – Incorrect. Provides monitoring and alerting but does not transfer data.
Microsoft Learn Reference:
https://learn.microsoft.com/azure/storage/common/storage-import-export-service
Question: You are tasked with ensuring that only HTTPS connections are allowed to your Azure Storage account to improve security posture. Which setting should you configure?
A. Storage account firewall rules
B. Secure transfer required
C. Azure Policy assignment
D. Encryption with customer-managed keys
Correct Answer
B. Secure transfer required
Explanation:
- A. Firewall rules – Incorrect. Control network-level access but not the transport protocol.
- B. Secure transfer required – Correct. Enforces that all requests to the storage account use HTTPS.
- C. Azure Policy – Incorrect. Can enforce the presence of secure transfer at scale, but the actual setting is configured on the storage account.
- D. Customer-managed keys – Incorrect. Control encryption at rest, not transport security.
Microsoft Learn Reference:
https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer
Question: Your company wants to map Azure File shares directly to on-premises Windows systems. Security requires that only the minimum necessary network port is opened on the corporate firewall. Which port must be opened?
A. Port 443
B. Port 445
C. Port 80
D. Port 22
Correct Answer
B. Port 445
Explanation:
- A. Port 443 – Incorrect. Used for HTTPS, not SMB access.
- B. Port 445 – Correct. Required for SMB protocol, which is used to mount Azure File shares.
- C. Port 80 – Incorrect. Used for unencrypted HTTP, not SMB.
- D. Port 22 – Incorrect. Used for SSH, unrelated to file shares.
Microsoft Learn Reference:
https://learn.microsoft.com/azure/storage/files/storage-how-to-use-files-windows
Question: You need to enforce that all blob data uploaded to a storage account is automatically encrypted with keys managed by your organization. What should you configure?
A. Shared Access Signatures (SAS)
B. Encryption with Microsoft-managed keys
C. Customer-managed keys in Azure Key Vault
D. Azure Storage firewall rules
Correct Answer
C. Customer-managed keys in Azure Key Vault
Explanation:
- A. SAS – Incorrect. Provides delegated access but does not control encryption.
- B. Microsoft-managed keys – Incorrect. Provides encryption but with keys controlled by Microsoft, not the organization.
- C. Customer-managed keys in Key Vault – Correct. Allows encryption at rest using organization-controlled keys, meeting the requirement.
- D. Firewall rules – Incorrect. Control network access, not encryption.
Microsoft Learn Reference:
https://learn.microsoft.com/azure/storage/common/storage-service-encryption-customer-managed-keys
Question: A developer accidentally overwrote critical blobs in a storage account. The company wants to recover both deleted and overwritten blobs for up to 30 days, without third-party tools. Which two features should you enable?
A. Blob versioning
B. Blob snapshots
C. Soft delete for blobs
D. Shared Access Signatures (SAS)
Correct Answer
A. Blob versioning & C. Soft delete for blobs
Explanation:
- A. Blob versioning – Correct. Maintains previous versions of an object whenever it is overwritten, enabling recovery.
- B. Snapshots – Incorrect. Can protect individual blobs, but must be manually created; not automatic for all operations.
- C. Soft delete for blobs – Correct. Allows recovery of deleted blobs within the retention period.
- D. SAS – Incorrect. Provides scoped access control but not recovery features.
Microsoft Learn Reference:
https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview
Question: You are configuring lifecycle management for a blob storage account. The requirement is to move blobs that have not been modified for 30 days to the cool access tier, and then delete them after 365 days. Which feature should you configure?
A. Azure Policy
B. Storage account firewall rules
C. Blob lifecycle management rules
D. Immutable storage policies
Correct Answer
C. Blob lifecycle management rules
Explanation:
- A. Azure Policy – Incorrect. Enforces configuration at scale but does not manage blob tiering or deletion.
- B. Firewall rules – Incorrect. Control network access, not blob lifecycle.
- C. Blob lifecycle management rules – Correct. Automates tiering and deletion based on conditions such as age or last modified date.
- D. Immutable policies – Incorrect. Prevent deletion or modification but do not manage lifecycle movement or expiry.
Microsoft Learn Reference:
https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-overview
Question: You need to ensure data in a storage account cannot be modified or deleted for a fixed period to meet compliance requirements. What should you configure?
A. Shared Access Signature (SAS)
B. Immutable storage policies
C. Azure Monitor alerts
D. Customer-managed keys
Correct Answer
B. Immutable storage policies
Explanation:
- A. SAS – Incorrect. Provides scoped access but does not enforce write-once, read-many (WORM) compliance.
- B. Immutable storage policies – Correct. Enforces WORM, preventing modification or deletion for a set retention period.
- C. Azure Monitor alerts – Incorrect. Monitoring tool, not a data protection mechanism.
- D. Customer-managed keys – Incorrect. Control encryption but do not prevent modification or deletion.
Microsoft Learn Reference:
https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview
Question: You must configure monitoring for a storage account to detect and alert on large numbers of failed authentication requests. What should you use?
A. Activity log alerts in Azure Monitor
B. Metrics in Azure Monitor
C. Microsoft Defender for Storage
D. Firewall rules
Correct Answer
B. Metrics in Azure Monitor
Explanation:
- A. Activity log alerts – Incorrect. Capture management-plane operations, not failed data-plane authentications.
- B. Metrics in Azure Monitor – Correct. Storage accounts emit metrics such as “authentication failures,” which can be alerted on.
- C. Defender for Storage – Incorrect. Provides anomaly detection but is focused on malicious access patterns, not simple auth failures.
- D. Firewall rules – Incorrect. Restrict access sources, but do not generate alerts on failed logins.
Microsoft Learn Reference:
https://learn.microsoft.com/azure/storage/common/storage-monitoring-diagnosing-troubleshooting