Interview Prep · Published May 2026

Top 10 AZ-104 interview questions and how to answer them in 2026

Published May 2, 2026 · ~6 min read · No Microsoft or training-vendor revenue
Exam fee: $165
Pass score: 700/1000
Scenario questions: ~60
Azure Admin salary: $90–120k
TL;DR — the 30-second version

The AZ-104 is the cert gate for Azure Administrator roles. It costs $165, runs 60 scenario questions in 120 minutes, and needs a 700/1000 to pass. Having the cert on your resume gets you the interview. Answering these 10 questions correctly gets you the offer.

These questions came up most frequently in Azure admin interviews reported by candidates in 2025–2026. They test operational judgment, not just exam knowledge — and there is a wrong answer to each one that certified-but-inexperienced candidates give.

The 10 questions

1. What’s the difference between Azure AD roles and Azure RBAC roles?

Azure AD roles (Global Administrator, User Administrator, etc.) control identity and directory objects — users, groups, app registrations. Azure RBAC roles (Owner, Contributor, Reader, custom) control access to Azure resources such as VMs, storage accounts, and VNets. The critical distinction: Azure AD roles are tenant-wide; RBAC roles are scoped to subscription, resource group, or individual resource. The two systems operate independently. Conflating them in an interview is a red flag that candidates almost always fail to recover from.

2. A user needs to deploy VMs only in East US. How do you enforce this?

Azure Policy with the built-in Allowed locations definition, assigned at the subscription or resource group scope, with East US as the only permitted value. Not NSGs — NSGs filter traffic, not deployments. Not RBAC — RBAC controls who can act, not where. Policy evaluates before deployment and blocks non-compliant requests. This tests whether you understand the Policy vs. RBAC vs. NSG distinction under pressure.

3. A user can’t RDP to a VM. Walk me through your troubleshooting steps.

In order: (1) confirm the VM is running; (2) check the NSG inbound rule for port 3389 on the NIC and subnet; (3) check Azure Firewall rules if the hub-spoke topology uses one; (4) check Boot Diagnostics for OS-level issues; (5) check whether Just-in-Time VM Access (Defender for Cloud) has expired the port. Skipping step 5 is the most common miss — JIT is enabled in many enterprise Azure environments and blocks RDP after the approved window closes.
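Step 2 of the walkthrough above can be reasoned about offline once the rules are exported. The sketch below is an added example, not part of the original article: it models inbound NSG evaluation for TCP 3389 (subnet NSG first, then NIC NSG, lowest priority number wins, default rules last). The rule dictionaries use simplified keys, the rule names and addresses are constructed, and the `VirtualNetwork` tag is modelled as a single assumed CIDR.

```python
import ipaddress

DEFAULTS = [  # default inbound rules present in every NSG, evaluated last
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow",
     "protocol": "*", "source": "VirtualNetwork", "port": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow",
     "protocol": "*", "source": "AzureLoadBalancer", "port": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny",
     "protocol": "*", "source": "*", "port": "*"},
]

def port_matches(spec, port):  # spec: "*", "3389", "3000-4000" or "22,3389"
    def in_part(part):
        lo, _, hi = part.strip().partition("-")
        return int(lo) <= port <= int(hi or lo)
    return spec == "*" or any(in_part(p) for p in spec.split(","))

def source_matches(spec, src_ip, vnet_cidr):
    if spec == "*":
        return True
    if spec == "VirtualNetwork":  # simplification: tag modelled as one CIDR
        spec = vnet_cidr
    try:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False  # other service tags are not modelled

def first_match(rules, src_ip, port, vnet_cidr):
    """Lowest priority number wins; DenyAllInBound guarantees a match."""
    for r in sorted(rules + DEFAULTS, key=lambda r: r["priority"]):
        if (r["protocol"] in ("*", "Tcp") and port_matches(r["port"], port)
                and source_matches(r["source"], src_ip, vnet_cidr)):
            return r

def rdp_verdict(subnet_nsg, nic_nsg, src_ip, vnet_cidr="10.0.0.0/16"):
    """Inbound traffic is checked by the subnet NSG, then the NIC NSG; both must allow."""
    for layer, rules in (("subnet", subnet_nsg), ("nic", nic_nsg)):
        if rules is None:  # no NSG associated at this layer: nothing filters here
            continue
        hit = first_match(rules, src_ip, 3389, vnet_cidr)
        if hit["access"] == "Deny":
            return ("blocked", layer, hit["name"])
    return ("allowed", None, None)

# Constructed sample rules (simplified keys, not the ARM property names).
SUBNET_NSG = [{"name": "allow-rdp-admins", "priority": 300, "access": "Allow",
               "protocol": "Tcp", "source": "203.0.113.0/24", "port": "3389"}]
NIC_NSG = [{"name": "jit-closed-mgmt-ports", "priority": 4096, "access": "Deny",
            "protocol": "*", "source": "*", "port": "22,3389"}]
```

With these samples the subnet NSG admits the admin range, but the NIC-level deny (standing in for a management port that JIT has closed) still blocks the session, which is why both layers and step 5 have to be checked.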

4. What’s the difference between an NSG and Azure Firewall?

NSGs are stateful L4 filters attached to subnets or NICs — free, allow/deny TCP/UDP/ICMP by port and IP. Azure Firewall is a managed stateful L4–L7 service deployed in a hub VNet; it adds FQDN-based filtering, a built-in threat intelligence feed, and optional TLS inspection. Cost: approximately $1.25/hour for the firewall instance plus data-processing fees. NSGs and Azure Firewall are complementary, not alternatives. The Azure Firewall documentation covers the full feature comparison.

5. How do you move a VM between resource groups vs. between subscriptions?

Both use the portal’s Move blade or Move-AzResource in PowerShell. Between resource groups: straightforward, no downtime, resource IDs update to reflect the new group. Between subscriptions: the target subscription must be in the same Azure AD tenant; managed disks, NICs, and the public IP move with the VM as part of the same move operation. The resource IDs change. Any hard-coded ARM references break and must be updated.

6. What’s the difference between Azure Policy and Azure Blueprints?

Policy enforces individual governance rules at scale (deny, audit, append, deployIfNotExists). Blueprints package multiple artifacts — policies, RBAC assignments, ARM templates, resource groups — into a repeatable, version-controlled deployment unit used to stamp out environments consistently. A correct follow-up note: Azure Blueprints is deprecated as of 2026; Microsoft recommends replacing Blueprints with a combination of Template Specs and Policy Initiatives. Knowing the deprecation is a strong signal of current knowledge.

7. How do you rotate a certificate in Azure Key Vault without downtime?

Enable certificate auto-rotation via a Key Vault rotation policy set to trigger before expiry. The consuming service (App Service, AKS, API Management) must be configured to reload from Key Vault on certificate version change — either via Key Vault references (App Service) or a CSI driver mount with periodic sync (AKS). If the consumer caches the certificate in memory at startup, a coordinated restart during a low-traffic window is still required.

8. What is a user delegation SAS token for Azure Blob Storage, and when would you use it?

A Shared Access Signature signed with Azure AD credentials instead of the storage account key. It inherits the signing identity’s RBAC permissions, has a maximum lifetime of 7 days, and is revocable by removing the user’s RBAC role. Prefer it over a service SAS (key-based) because the account key never leaves Azure and the token is tied to an identifiable principal. Use it when you need time-scoped delegated access to a blob or container for a specific user or service principal.
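The distinction above is visible in the token itself: a user delegation SAS carries the signed-key fields (`skoid`, `sktid`, `skt`, `ske`, `sks`, `skv`) that a key-signed SAS lacks. The auditor below is an added example, not part of the original article; the URLs, account name, GUIDs and signatures are constructed, the finding labels are this example's own, and timestamps are assumed to use the `YYYY-MM-DDTHH:MM:SSZ` form.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

MAX_LIFETIME = timedelta(days=7)  # user delegation limit stated above
UD_FIELDS = {"skoid", "sktid", "skt", "ske", "sks", "skv"}  # signed-key fields

def _ts(value):
    # Assumption: timestamps use the YYYY-MM-DDTHH:MM:SSZ form.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def audit_sas(url):
    """Classify a SAS URL found in config or logs; return (kind, findings)."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q:
        return ("not-a-sas", [])
    findings = []
    if UD_FIELDS <= q.keys():
        kind = "user-delegation"
        if _ts(q["ske"]) - _ts(q["skt"]) > MAX_LIFETIME:
            findings.append("key-validity-exceeds-7-days")
        if "se" in q and _ts(q["se"]) > _ts(q["ske"]):
            findings.append("sas-outlives-delegation-key")
    else:
        # Account SAS carries ss/srt; otherwise treat it as a service SAS.
        kind = "account-key" if {"ss", "srt"} <= q.keys() else "service-key"
        findings.append("signed-with-account-key")
    if q.get("spr") != "https":  # without spr=https, plain HTTP is also accepted
        findings.append("http-not-excluded")
    return (kind, findings)

# Constructed sample URLs; identifiers and signatures are placeholders.
BASE = "https://examplestore.blob.core.windows.net/reports/q1.csv"
UD_URL = (BASE + "?sv=2022-11-02&sr=b&sp=r&st=2026-05-01T00:00:00Z"
          "&se=2026-05-02T00:00:00Z"
          "&skoid=00000000-0000-0000-0000-000000000001"
          "&sktid=00000000-0000-0000-0000-000000000002"
          "&skt=2026-05-01T00:00:00Z&ske=2026-05-08T00:00:00Z"
          "&sks=b&skv=2022-11-02&spr=https&sig=CONSTRUCTED")
KEY_URL = BASE + "?sv=2022-11-02&sr=b&sp=rl&se=2027-01-01T00:00:00Z&sig=CONSTRUCTED"
```

Run over connection strings and application settings, a check like this surfaces the key-signed tokens that are candidates for replacement with user delegation SAS.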

9. How do you enforce MFA for all users using only the free Azure AD tier?

Enable Security Defaults — the free Microsoft-managed baseline that requires MFA for all users via the Microsoft Authenticator app and blocks legacy authentication protocols. Conditional Access policies require Azure AD P1 (Microsoft Entra ID P1) or above. This question tests tier awareness: many candidates answer “Conditional Access” without knowing it requires a paid license. Security Defaults is the correct free-tier answer.

10. What’s the difference between LRS, ZRS, GRS, and GZRS?

LRS: 3 synchronous copies in a single datacenter. ZRS: 3 synchronous copies across 3 availability zones in one region — survives a zone failure. GRS: LRS plus async replication to a secondary region; secondary readable only after failover. GZRS: ZRS plus async geo-replication — zone-resilient and geo-redundant. For production storage in 2026, ZRS is the recommended minimum in regions with availability zones; GZRS for workloads requiring both zone and geo-level resilience. LRS is acceptable only for non-critical data or cost-constrained dev environments.

What these questions test

Every question above has a “book answer” and an “operational answer.” Interviewers are checking for the operational answer — the version that includes the gotcha (JIT closing your RDP port), the deprecation (Blueprints), or the tier distinction (Security Defaults vs. Conditional Access). Passing AZ-104 proves you know the concepts. Answering these questions correctly proves you’ve applied them.


Frequently asked questions

What is the difference between Azure AD roles and Azure RBAC roles?

Azure AD roles control identity and directory objects at the tenant level. Azure RBAC roles control access to Azure resources and can be scoped to subscription, resource group, or individual resource. They are separate systems that can be assigned independently to the same user.

How do you enforce location restrictions in Azure?

Azure Policy with the built-in “Allowed locations” definition assigned at the appropriate scope. NSGs filter traffic; RBAC controls actions; only Policy can prevent resource deployment in disallowed regions.

What storage replication should I use for production Azure storage in 2026?

ZRS or GZRS is the recommended floor for production workloads in regions with availability zones. LRS is a single-datacenter risk. GRS adds geo-redundancy but not zone resilience. GZRS provides both.

How much do Azure Administrator roles pay in 2026?

Azure Administrator roles in the US typically pay $90,000–$120,000 at the mid level. Senior roles with AZ-305 or AZ-500 reach $120,000–$145,000. The BLS reports a 2024 median of $104,420 for all computer occupations; Azure-focused roles consistently exceed that figure.

Is Azure Blueprints still used in 2026?

No. Azure Blueprints is deprecated. Microsoft’s current recommendation is to replace Blueprints with a combination of ARM Template Specs (for repeatable deployments) and Azure Policy Initiatives (for governance). Knowing this in an interview signals current, practical Azure knowledge.

How we wrote this

No Microsoft or training-vendor revenue. Questions were sourced from candidate reports on Reddit, Discord, and LinkedIn interview threads from 2025–2026, cross-referenced against the official AZ-104 exam skills outline. Salary figures are cross-referenced against the BLS Occupational Outlook and open postings on LinkedIn and Indeed as of Q1 2026.

Last reviewed: May 2, 2026.