Passing AZ-104 does not mean you'll pass the Azure Administrator interview. Here are the 15 questions that hiring managers ask after they've already seen your cert.
Passing AZ-104 means you can answer multiple-choice questions about Azure services. Hiring managers know this. The interview is designed to find out whether you can actually do the job — configure things under pressure, troubleshoot when things break, and explain decisions to a non-technical stakeholder.
Here are the 15 questions that come up repeatedly in Azure Administrator interviews, and what a strong answer looks like.
1. "Your CEO can't access a critical SharePoint site. Walk me through how you'd diagnose the issue."
What they're testing: Can you navigate Entra ID sign-in logs, diagnose Conditional Access policy blocks, and communicate clearly under pressure? Strong answer: start with Sign-in logs in Entra admin center, filter by user, identify the policy that blocked access, check if Named Location or compliance policy was the cause, then use the "What If" tool to simulate the policy against the user's conditions.
2. "How do you ensure least-privilege access across an Azure subscription?"
Strong answer: Use RBAC at the resource group level rather than subscription. Avoid Owner role where possible — use Contributor or custom roles. Use Privileged Identity Management (PIM) for just-in-time admin access. Audit with Access Reviews quarterly. Use Entra ID groups to manage role assignments rather than assigning directly to users.
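To make the answer above concrete, here is an added example (not from the original article) that audits role assignments for the three things it warns about: the Owner role, scopes broader than a resource group, and roles assigned directly to users. It assumes input in the shape of `az role assignment list --all -o json`; the sample records, names and all-zero subscription ID are constructed placeholders.

```python
# Constructed sample shaped like `az role assignment list --all -o json`.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE = [
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "grp-app1-ops", "principalType": "Group",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-app1"},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB + "/resourceGroups/rg-app1"},
    {"principalName": "grp-platform", "principalType": "Group",
     "roleDefinitionName": "Contributor", "scope": SUB},
]

def scope_level(scope):
    """Classify an ARM scope string by how broad it is."""
    parts = [p.lower() for p in scope.split("/") if p]
    if parts[:1] == ["subscriptions"]:
        if len(parts) == 2:
            return "subscription"
        if len(parts) == 4 and parts[2] == "resourcegroups":
            return "resource-group"
        return "resource"
    return "above-subscription"  # "/" or a management group

def audit(assignments):
    """Return (principal, finding) pairs for assignments that break least privilege."""
    findings = []
    for a in assignments:
        who = a["principalName"]
        level = scope_level(a["scope"])
        if a["roleDefinitionName"] == "Owner":
            findings.append((who, "owner-role"))
        if level in ("subscription", "above-subscription"):
            findings.append((who, "broad-scope:" + level))
        if a["principalType"] == "User":
            findings.append((who, "direct-user-assignment"))
    return findings

if __name__ == "__main__":
    for who, finding in audit(SAMPLE):
        print(who, finding)
```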
3. "A VM in one VNet can't reach a VM in another. How do you troubleshoot?"
Strong answer: Check VNet peering status (Connected, not Initiated). Verify "Allow forwarded traffic" is enabled if using a hub-spoke topology. Check NSG rules on both NICs and subnets — inbound on the destination, outbound on the source. Use Network Watcher → IP Flow Verify to test the path. Check the routing table for any UDRs overriding default routes.
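The NSG step is where most candidates get vague, so here is an added example (not from the original article) that models how rules are evaluated along the path: outbound on the source NIC and subnet, then inbound on the destination subnet and NIC, first match by priority at each hop. It is a simplified model, not Network Watcher itself: protocol is ignored, the VirtualNetwork tag is assumed to be the two peered address spaces, and all addresses and custom rule names are constructed.

```python
import ipaddress

# Assumption: the VirtualNetwork tag is modelled as the local plus peered
# address spaces. All addresses and custom rule names below are constructed.
VIRTUAL_NETWORK = ["10.1.0.0/16", "10.2.0.0/16"]

def rule(name, priority, direction, access, src, dst="*", port="*"):
    return dict(name=name, priority=priority, direction=direction,
                access=access, src=src, dst=dst, port=port)

def defaults(direction):
    """The two default rules that decide VNet-to-VNet traffic."""
    d = direction[:-5]  # "Inbound" -> "In", "Outbound" -> "Out"
    return [rule("AllowVnet%sBound" % d, 65000, direction, "Allow",
                 "VirtualNetwork", "VirtualNetwork"),
            rule("DenyAll%sBound" % d, 65500, direction, "Deny", "*")]

def matches(ip, prefix):
    if prefix == "*":
        return True
    cidrs = VIRTUAL_NETWORK if prefix == "VirtualNetwork" else [prefix]
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(c) for c in cidrs)

def evaluate(nsg, direction, src, dst, port):
    """Lowest priority number wins; the first matching rule decides."""
    rules = [r for r in nsg if r["direction"] == direction] + defaults(direction)
    for r in sorted(rules, key=lambda r: r["priority"]):
        if matches(src, r["src"]) and matches(dst, r["dst"]) and r["port"] in ("*", port):
            return r["access"], r["name"]

def verify_flow(hops, src, dst, port):
    """Every NSG on the path must allow; report the first one that denies."""
    for label, direction, nsg in hops:
        access, name = evaluate(nsg, direction, src, dst, port)
        if access == "Deny":
            return "Deny", label, name
    return "Allow", None, None

DST_SUBNET_NSG = [
    rule("Deny-Legacy-Subnet", 200, "Inbound", "Deny", "10.1.0.0/24"),
    rule("Allow-SQL-From-VNetA", 300, "Inbound", "Allow", "10.1.0.0/16", port=1433),
]
# Outbound on the source NIC and subnet, then inbound on the destination.
HOPS = [("src-nic", "Outbound", []), ("src-subnet", "Outbound", []),
        ("dst-subnet", "Inbound", DST_SUBNET_NSG), ("dst-nic", "Inbound", [])]

if __name__ == "__main__":
    print(verify_flow(HOPS, "10.1.0.4", "10.2.0.4", 1433))
    print(verify_flow(HOPS, "10.1.5.4", "10.2.0.4", 1433))
```

The first flow is denied at the destination subnet because the priority 200 deny matches before the priority 300 allow, which is the kind of shadowed rule IP Flow Verify surfaces by name.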
4. "How would you reduce Azure costs for a company that's overspending by 40%?"
This is a senior-level question. Strong answer: use Azure Advisor Cost recommendations as a starting point. Right-size under-utilised VMs (Azure Advisor flags these at <5% CPU over 14 days). Convert Pay-as-You-Go VMs with predictable workloads to Reserved Instances (saves up to 72%). Delete unattached managed disks, unused Public IPs, and orphaned snapshots. Set budgets and alerts. Consider Azure Hybrid Benefit for Windows/SQL workloads.
5. "What's the difference between Azure Policy and RBAC?"
RBAC controls WHO can take actions (assignment of roles to identities). Azure Policy controls WHAT can be done regardless of who does it — enforces resource configurations, naming conventions, tag requirements, allowed regions. They complement each other. RBAC: "only these people can deploy VMs." Policy: "all VMs must have a tag and must be in approved regions."
6. "How do you back up and restore an Azure VM?"
Azure Backup → Recovery Services Vault → Backup → Azure Virtual Machine. RPO and RTO depend on backup frequency (daily at minimum, enhanced policy supports multiple/day). Restore options: Create new VM, Replace existing disk, or Restore disk only. Cross-region restore is supported for geo-redundant vaults.
7. "Describe your experience with ARM templates or Bicep."
If you've used them: explain a real scenario. If you haven't: "I've worked with the portal for most deployments, but I've been building Bicep skills — I know the advantage is repeatable, version-controlled infrastructure that reduces config drift." Then demonstrate you know the concept: modules, parameters, outputs, deployment scopes.
8. "How do you manage Azure AD group-based licensing?"
Assign M365 licences to Entra ID groups rather than individual users. Ensure the group has a valid licence assignment. Group-based licensing propagates automatically to group members. Errors (e.g. insufficient licences) appear in the group's Licensing blade. Use dynamic groups for automatic membership based on department or jobTitle attributes.
9. "What happens to a resource when you delete the resource group it's in?"
All resources in the group are deleted. This is a common interview trap. The follow-up: "How do you prevent accidental deletion?" — apply a Delete lock at the resource group level. Read-only lock prevents modifications and deletions. Delete lock prevents deletion only.
10. "How do you configure a site-to-site VPN to on-premises?"
Create a Virtual Network Gateway (VpnGw SKU). Create a Local Network Gateway with the on-premises public IP and address space. Create a Connection between the two with a shared key. On-premises side needs a compatible VPN device (Cisco ASA, Palo Alto, etc.) with matching BGP ASN if using BGP. IKEv2 is preferred over IKEv1.
11. "How do you monitor VM performance in Azure?"
Azure Monitor Metrics for CPU, disk, network — available by default, 93-day retention. Enable Diagnostics extension for OS-level metrics (memory, processes). Log Analytics workspace for query-based investigation. VM Insights for process and dependency mapping. Alerts on metric thresholds (e.g. CPU > 90% for 5 minutes → email/action group).
12. "What's a Managed Identity and when do you use it?"
A Managed Identity gives an Azure resource (VM, App Service, Function App) an identity in Entra ID without needing to manage credentials. System-assigned: tied to the resource, deleted with it. User-assigned: standalone, can be shared across resources. Use case: a VM needs to read secrets from Key Vault without storing credentials in code — assign MI, grant it Key Vault Secrets User role.
13. "How do you enforce MFA for all users except break-glass accounts?"
Create a Conditional Access policy: Target All Users, require MFA. Exclude the break-glass accounts (emergency access accounts). Store break-glass credentials in a physical safe, not in a password manager. Audit break-glass account sign-ins with an alert rule — any sign-in by these accounts should trigger immediate investigation.
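An added example (not from the original article) that checks an exported policy against this answer and flags break-glass sign-ins. It goes slightly beyond the text by also catching a policy left in report-only mode or with MFA OR'd with another control. The field names follow the Microsoft Graph conditionalAccessPolicy and signIn resources; the object IDs and records are constructed, and it assumes break-glass accounts are excluded by user object ID rather than by group.

```python
# Constructed data; object IDs are placeholders.
BREAK_GLASS = {"bg-object-id-1", "bg-object-id-2"}
POLICY = {
    "displayName": "Require MFA for all users",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {"users": {"includeUsers": ["All"],
                             "excludeUsers": ["bg-object-id-1"]},
                   "applications": {"includeApplications": ["All"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
SIGNINS = [
    {"userId": "user-object-id-9", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.10", "createdDateTime": "2024-01-01T09:00:00Z"},
    {"userId": "bg-object-id-2", "userPrincipalName": "bg2@contoso.example",
     "ipAddress": "198.51.100.7", "createdDateTime": "2024-01-01T09:05:00Z"},
]

def check_policy(policy, break_glass):
    """Return the ways the policy deviates from 'MFA for all, minus break-glass'."""
    problems = []
    users = policy["conditions"]["users"]
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    if policy["state"] != "enabled":
        problems.append("policy is not enforced (state=%s)" % policy["state"])
    if "All" not in users.get("includeUsers", []):
        problems.append("policy does not target all users")
    missing = break_glass - set(users.get("excludeUsers", []))
    if missing:
        problems.append("break-glass not excluded: %s" % sorted(missing))
    if "mfa" not in controls:
        problems.append("MFA is not a grant control")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        problems.append("MFA is optional: another control satisfies the OR")
    return problems

def break_glass_signins(records, break_glass):
    """Any sign-in by a break-glass account, successful or not, is an alert."""
    return [r for r in records if r["userId"] in break_glass]

if __name__ == "__main__":
    for p in check_policy(POLICY, BREAK_GLASS):
        print("POLICY:", p)
    for r in break_glass_signins(SIGNINS, BREAK_GLASS):
        print("ALERT:", r["userPrincipalName"], r["ipAddress"], r["createdDateTime"])
```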
14. "What's the difference between Azure Files and Blob Storage?"
Azure Files: SMB/NFS share, accessible as a mounted drive, ideal for lift-and-shift file shares and application config. Blob Storage: object storage, REST-based, ideal for unstructured data (images, backups, logs, media). Key distinction: Files uses SMB protocol (port 445), Blob uses HTTPS. Azure File Sync can tier on-premises file servers to Azure Files.
15. "Tell me about a time Azure broke in production and what you did."
Behavioural question — they want to hear: you diagnosed methodically (not panicked), you communicated clearly, you learned something. Structure it: what broke, how you detected it, how you diagnosed, what you did to fix it, what you changed afterwards. Even if your experience is limited, describe a lab scenario honestly.
The AZ-104 course on InterviUni covers the technical foundations. Pair it with the Azure Administrator mock interview to practice answering these under pressure — you get scored feedback on every answer.