Azure May 22, 2026 14 min read

50 Azure Administrator Interview Questions for 2026 (with Answers)

The exact questions hiring managers ask Azure admins in 2026 — identity, networking, storage, VMs, monitoring, governance, and the scenarios that catch people out.


Whether you have AZ-104 on your CV or you are interviewing for a junior Azure admin role for the first time, this list mirrors what real hiring managers cover in 2026. Every answer is the version you would actually want to say in the interview — not a textbook definition.

Tip: Most interview rounds have three parts — concept questions, hands-on scenarios, and "tell me about a time you broke something". Prepare for all three. Reading 50 Q&As is a starting point, not a substitute for hands-on practice in a free Azure account.

How to Prepare

  1. Build a sandbox. Microsoft offers $200 USD in free Azure credit for the first 30 days. Use it to deploy a VNet, two VMs, a storage account, a Key Vault and a backup vault. Break them on purpose.
  2. Know the exam, not just the buzzwords. AZ-104 maps closely to what interviewers ask. If you can pass AZ-104, you can answer 80% of these.
  3. Practice with our free AZ-104 practice exam — AI-generated questions in the same scenario style interviews use.
  4. Memorize the limits. "How many subnets per VNet?" "What is the max NICs per VM?" These come up constantly.

Identity & Access (Q1-Q8)

Q1. What is the difference between Microsoft Entra ID and on-prem Active Directory?

Active Directory (AD DS) is on-premises identity built on Kerberos and LDAP, organized into forests, domains and OUs. Microsoft Entra ID (formerly Azure AD) is a cloud-native identity service using OAuth 2.0, OpenID Connect and SAML, organized into tenants. They are not interchangeable. Hybrid environments connect the two with Entra Connect (formerly Azure AD Connect) to sync user objects and password hashes.

Q2. What are the four Entra ID licence tiers?

Free, Microsoft 365 Apps (formerly Office 365), Entra ID P1 and Entra ID P2. P1 unlocks Conditional Access, group-based licensing and self-service password reset with writeback. P2 adds Identity Protection (risk-based sign-in) and Privileged Identity Management (PIM).

Q3. What is Conditional Access and what are common policies?

Conditional Access is the policy engine that decides whether to allow, block, or step-up authentication based on signals (user, device, location, risk). Common policies: require MFA for all admins, block legacy authentication, require compliant devices for sensitive apps, block sign-in from untrusted countries.

Q4. What is the difference between a security group and a Microsoft 365 group?

Security groups exist to grant access: Azure RBAC assignments, Conditional Access targeting, application and licence assignment. A Microsoft 365 group is a collaboration object: creating one provisions a shared mailbox, calendar and SharePoint site (and optionally a Team) alongside the membership list. Both group types can have owners, and a security group can be mail-enabled (created and managed through Exchange), so the real distinction is purpose: access control versus collaboration resources.

Q5. Explain Azure RBAC roles and scopes.

RBAC has three pieces: a security principal (user, group, service principal, managed identity), a role definition (a set of Actions, NotActions, DataActions and NotDataActions) and a scope (management group, subscription, resource group or resource). Assignments inherit downward and are additive: a principal's effective permissions are the union of every assignment whose scope contains the target, so Reader at the subscription plus Contributor on one resource group gives Contributor inside that group and read everywhere else. Only the rarely used deny assignments (created by Azure Blueprints or managed applications, not by hand) override an allow. Best practice: least-privilege built-in roles at the smallest reasonable scope, with custom roles only where no built-in role fits.
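The additive rule is the part candidates get wrong, so here is a small model of it to run. This is an added example and not Azure's evaluation engine: role definitions are trimmed to the control-plane Actions/NotActions of three real built-in roles, scopes are compared as resource-ID prefixes, the subscription ID and principal "alice" are constructed, and deny assignments are modelled as a separate list.

```python
"""Simplified model of Azure RBAC evaluation (added example, not Azure's code).

Assumptions: role definitions trimmed to control-plane Actions/NotActions,
scopes compared as resource-ID prefixes, deny assignments kept in their own
list. Sample subscription, resource groups and principal are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Actions/NotActions as published for the built-in roles (Azure compares them case-insensitively).
ROLES = {
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Contributor": {
        "actions": ["*"],
        "notActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "notActions": [],
    },
}


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    scope: str  # management group, subscription, resource group or resource ID


@dataclass(frozen=True)
class DenyAssignment:
    principal: str
    action: str  # action pattern, e.g. "*/delete"
    scope: str


def scope_covers(assignment_scope: str, target: str) -> bool:
    """An assignment applies to its own scope and to everything beneath it."""
    a = assignment_scope.rstrip("/").lower()
    t = target.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def matches(pattern: str, action: str) -> bool:
    """Action strings use '*' as a wildcard (fnmatch '*' also crosses '/')."""
    return fnmatchcase(action.lower(), pattern.lower())


def role_permits(role: str, action: str) -> bool:
    """A role grants an action if it matches Actions and is not carved out by NotActions."""
    definition = ROLES[role]
    allowed = any(matches(p, action) for p in definition["actions"])
    excluded = any(matches(p, action) for p in definition["notActions"])
    return allowed and not excluded


def is_permitted(assignments, denies, principal, action, scope) -> bool:
    """Deny assignments win; otherwise the UNION of inherited role assignments decides."""
    if any(d.principal == principal and scope_covers(d.scope, scope) and matches(d.action, action)
           for d in denies):
        return False
    return any(a.principal == principal and scope_covers(a.scope, scope) and role_permits(a.role, action)
               for a in assignments)


# Constructed sample: one subscription, two resource groups, alice with two assignments.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_APP = SUB + "/resourceGroups/rg-app"
RG_DB = SUB + "/resourceGroups/rg-db"
VM_PROD = RG_APP + "/providers/Microsoft.Compute/virtualMachines/vm-prod"
ASSIGNMENTS = [
    Assignment("alice", "Reader", SUB),
    Assignment("alice", "Contributor", RG_APP),
]
DENIES = [DenyAssignment("alice", "Microsoft.Compute/virtualMachines/delete", VM_PROD)]


def demo() -> dict:
    """Effective answers for a few representative requests by alice."""
    vm_app = RG_APP + "/providers/Microsoft.Compute/virtualMachines/vm-web"
    vm_db = RG_DB + "/providers/Microsoft.Compute/virtualMachines/vm-sql"
    ask = lambda action, scope: is_permitted(ASSIGNMENTS, DENIES, "alice", action, scope)
    return {
        "write vm in rg-app": ask("Microsoft.Compute/virtualMachines/write", vm_app),      # Contributor on rg-app
        "read vm in rg-db": ask("Microsoft.Compute/virtualMachines/read", vm_db),          # Reader inherited from sub
        "write vm in rg-db": ask("Microsoft.Compute/virtualMachines/write", vm_db),        # nothing grants it
        "grant role in rg-app": ask("Microsoft.Authorization/roleAssignments/write", RG_APP),  # Contributor NotActions
        "delete protected vm": ask("Microsoft.Compute/virtualMachines/delete", VM_PROD),   # deny assignment wins
    }


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request:22s} -> {'allowed' if allowed else 'denied'}")
```

Note that nothing in `is_permitted` looks for a "most restrictive" assignment: the Reader at subscription scope never shrinks what Contributor on rg-app grants. The only things that take permissions away are NotActions inside a role definition and deny assignments.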

Q6. What is a managed identity and when do you use it?

A managed identity is an Entra ID identity automatically managed by Azure for a resource (VM, App Service, Function). Use it whenever an Azure service needs to call another Azure service — it replaces the need to store secrets or service principal credentials. System-assigned is tied to one resource; user-assigned can be shared.

Q7. What is PIM (Privileged Identity Management)?

PIM provides just-in-time (JIT) elevation to privileged roles. Users are eligible for roles instead of permanently assigned, must activate the role (with optional MFA + approval), and the elevation expires automatically. Reduces standing privilege blast radius.

Q8. How do you enable MFA for all users?

The modern answer is a Conditional Access policy that targets all users and all resources (the target formerly called "All cloud apps") with a "Require multifactor authentication" grant, excluding only the break-glass accounts, which are then monitored with sign-in alerts rather than left unwatched. Security Defaults (free tier) is simpler but all-or-nothing. Per-user MFA is legacy and should be avoided.

Governance & Subscriptions (Q9-Q15)

Q9. What is the Azure resource hierarchy?

Top to bottom: Management Group → Subscription → Resource Group → Resource. Policies, RBAC and budgets can apply at any level. Management groups roll up multiple subscriptions; resource groups are containers within a subscription.

Q10. What is Azure Policy used for?

Azure Policy enforces or audits resource configuration. Examples: "deny VM creation outside approved SKUs", "require tags on every resource group", "audit storage accounts that allow public blob access". The effect decides what happens: Deny blocks the create or update request, Audit and AuditIfNotExists flag the resource as non-compliant, Modify and DeployIfNotExists remediate it. Evaluation runs on every create or update, when an assignment is created or changed, and in a periodic compliance scan (roughly every 24 hours). Resources that already exist are never deleted for non-compliance; they stay flagged until remediated or exempted.
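Interviewers often follow up with "what does the policy rule actually look like?". The evaluator below is an added example, not Microsoft's engine: it handles the rule shapes an admin meets first (field conditions with equals/exists/in combined by allOf, anyOf and not) and the Deny and Audit effects. The alias table contains one real alias mapped to an assumed property path, and the three policies and sample resources are constructed for this example.

```python
"""Miniature Azure Policy evaluator (added example, not Microsoft's engine).

Assumptions: the alias table, the policy set and the sample resources are
constructed; only field conditions and allOf/anyOf/not are supported.
"""
import re

# Assumed alias mapping: one real alias resolved to the ARM property it covers.
ALIASES = {
    "Microsoft.Compute/virtualMachines/sku.name": ("properties", "hardwareProfile", "vmSize"),
}

_TAG_FIELD = re.compile(r"^tags\['(.+)'\]$")


def get_field(resource: dict, field: str):
    """Resolve a policy 'field' reference against a resource payload (None if absent)."""
    m = _TAG_FIELD.match(field)
    if m:
        return (resource.get("tags") or {}).get(m.group(1))
    if field in ALIASES:
        node = resource
        for key in ALIASES[field]:
            node = node.get(key) if isinstance(node, dict) else None
        return node
    return resource.get(field)  # top-level fields: type, location, name, kind


def condition_holds(cond: dict, resource: dict) -> bool:
    """Evaluate one condition node of a policy rule."""
    if "allOf" in cond:
        return all(condition_holds(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_holds(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_holds(cond["not"], resource)
    value = get_field(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return str(value).lower() == str(cond["equals"]).lower()
    if "notEquals" in cond:
        return str(value).lower() != str(cond["notEquals"]).lower()
    if "in" in cond:
        return value is not None and str(value).lower() in [str(v).lower() for v in cond["in"]]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(resource: dict, policies: dict) -> dict:
    """Apply every assigned policy: Deny blocks the request, Audit only records a finding."""
    findings = [(name, p["then"]["effect"]) for name, p in policies.items()
                if condition_holds(p["if"], resource)]
    allowed = not any(effect.lower() == "deny" for _, effect in findings)
    return {"allowed": allowed, "findings": findings}


# Constructed policy set: required tag and allowed SKUs (Deny), plus one Audit.
POLICIES = {
    "require-cost-center-tag-on-rg": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups"},
            {"field": "tags['cost-center']", "exists": "false"},
        ]},
        "then": {"effect": "deny"},
    },
    "allowed-vm-skus": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
                     "in": ["Standard_D2s_v5", "Standard_D4s_v5"]}},
        ]},
        "then": {"effect": "deny"},
    },
    "audit-location-outside-europe": {
        "if": {"not": {"field": "location", "in": ["westeurope", "northeurope"]}},
        "then": {"effect": "audit"},
    },
}


def demo() -> dict:
    """Evaluate three constructed requests against POLICIES."""
    rg_untagged = {"type": "Microsoft.Resources/subscriptions/resourceGroups",
                   "name": "rg-app", "location": "westeurope"}
    rg_tagged = dict(rg_untagged, tags={"cost-center": "CC-1234"})
    vm_wrong_sku = {"type": "Microsoft.Compute/virtualMachines", "name": "vm-1", "location": "eastus",
                    "properties": {"hardwareProfile": {"vmSize": "Standard_B2s"}}}
    return {
        "rg_untagged": evaluate(rg_untagged, POLICIES),
        "rg_tagged": evaluate(rg_tagged, POLICIES),
        "vm_wrong_sku": evaluate(vm_wrong_sku, POLICIES),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", "allowed" if result["allowed"] else "DENIED", result["findings"])
```

The VM case shows the two effects side by side: the SKU policy denies the request outright, while the location policy only produces an audit finding that would appear in the compliance view.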

Q11. RBAC vs Azure Policy — what is the difference?

RBAC controls who can do something (authorization). Azure Policy controls what can be done (configuration governance). RBAC stops a user deleting a VM; Policy stops anyone deploying a VM without required tags or in the wrong region. They are complementary.

Q12. What are management groups used for?

Management groups let you organize multiple subscriptions into a hierarchy (max 6 levels) and apply policies/RBAC at the top level. Common use: separate non-prod, prod, and sandbox subscriptions under different management groups with different baseline policies.

Q13. How do you move a resource between resource groups?

Resources → Move → choose the target resource group (or subscription). Not all resource types can be moved, and some can only move together with their dependencies, so check the move-support table in the Move Operations documentation before planning. During the move both the source and the target resource groups are locked, so writes and deletes in either group fail until it completes. The resource ID changes, so scripts, pipelines and role assignments that hard-code the old ID need updating afterwards.

Q14. What is a tag and why use it?

Tags are key-value pairs attached to resources (max 50 per resource). Used for cost reporting, automation, ownership tracking, and policy enforcement. Best practice: enforce required tags via Azure Policy.

Q15. What is Azure Cost Management?

Native cost reporting and forecasting service. Built on the consumption API; supports budgets, alerts and cost analysis by tag, resource group, subscription, or service. Free for usage on Azure resources.

Networking (Q16-Q24)

Q16. What is a Virtual Network (VNet)?

A VNet is a logically isolated network within a region. Contains subnets, NICs, and integrations like service endpoints, private endpoints, peering, and VPN gateways. CIDR range cannot overlap with peered or VPN-connected networks.

Q17. NSG vs Azure Firewall — when to use which?

NSGs are stateful Layer 4 filters applied at subnet or NIC level, free of charge. Azure Firewall is a managed Layer 3-7 firewall with application rules, FQDN filtering, threat intelligence, DNAT, billed hourly + data. Use NSGs for east-west micro-segmentation; Azure Firewall for centralized north-south and east-west inspection with logging.

Q18. What is VNet peering vs VPN gateway?

VNet peering connects two VNets directly over the Azure backbone (within or across regions): high bandwidth, low latency, no gateway to manage, billed per GB of data transferred in each direction at both ends. A VPN gateway tunnels over IPsec/IKE for hybrid connectivity to on-premises networks or other clouds, with throughput capped by the gateway SKU. Peering is faster and simpler; the gateway is the cross-environment option.

Q19. What is a Private Endpoint?

Private Endpoint is a NIC inside your VNet that exposes a private IP for a PaaS service (Storage, SQL, Key Vault). Traffic stays on the Microsoft backbone and never traverses the public internet. Replaces service endpoints for most production scenarios.

Q20. Service endpoint vs private endpoint?

Service endpoints give a subnet identity to PaaS services using the service's public IP (traffic stays on Microsoft backbone but uses public IPs). Private endpoints assign a private IP to the PaaS service inside your VNet. Private endpoints are stronger isolation; service endpoints are simpler and free.

Q21. What is an Application Gateway?

Layer 7 load balancer with URL-based routing, SSL termination, WAF, autoscaling, and session affinity. Use when you need HTTP/HTTPS-aware routing. Different product from Azure Load Balancer (Layer 4) and Front Door (global Layer 7).

Q22. What is Azure DNS used for?

Hosted DNS service for public DNS zones and private DNS zones (resolution within VNets). Private zones support auto-registration of VMs and split-horizon. Often paired with Private Endpoints for FQDN-based private connectivity.

Q23. How many subnets can you have per VNet?

3,000 subnets per VNet (current published limit). Azure reserves five addresses in every subnet: the network address, the default gateway (first usable address), two addresses kept for Azure DNS mapping, and the broadcast address (the last one). That is why /29 is the smallest IPv4 subnet allowed (8 addresses, 3 usable) and why a /24 gives 251 hosts rather than 254.
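The reserved-address rule from Q23 and the no-overlap rule from Q16 are easy to check mechanically before you touch the portal. The planner below is an added example, not an Azure tool: it encodes the published rules (five reserved addresses, /29 minimum, subnets inside the VNet space and not overlapping each other, peered VNets not overlapping) against a constructed hub-and-spoke plan. The /26 sizes on the firewall and Bastion subnets reflect the minimum those services require.

```python
"""VNet address-plan checker (added example, not an Azure tool).

Assumptions: the sample plan is constructed; rules encoded are the published
ones for IPv4 subnets (5 reserved addresses, /29 minimum, no overlap).
"""
import ipaddress

RESERVED_PER_SUBNET = 5  # network, default gateway, 2 x Azure DNS mapping, broadcast
MIN_SUBNET_PREFIX = 29   # /29 -> 8 addresses, 3 usable; a /30 would leave none


def reserved_addresses(cidr: str) -> dict:
    """Which addresses Azure takes out of a subnet, and how many remain for NICs."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen > MIN_SUBNET_PREFIX:
        raise ValueError(f"{cidr}: Azure IPv4 subnets must be /{MIN_SUBNET_PREFIX} or larger")
    addrs = list(net)  # includes the network and broadcast addresses
    return {
        "network": str(addrs[0]),
        "gateway": str(addrs[1]),
        "dns": (str(addrs[2]), str(addrs[3])),
        "broadcast": str(addrs[-1]),
        "usable": net.num_addresses - RESERVED_PER_SUBNET,
    }


def validate_plan(vnets: dict, peerings: list) -> dict:
    """vnets: {name: {"space": [cidr, ...], "subnets": {subnet_name: cidr}}}; peerings: [(a, b), ...].

    Returns usable host counts per subnet, or raises ValueError on the first rule violation.
    """
    usable = {}
    for name, vnet in vnets.items():
        spaces = [ipaddress.ip_network(s) for s in vnet["space"]]
        seen = []
        for sname, cidr in vnet["subnets"].items():
            sub = ipaddress.ip_network(cidr)
            if not any(sub.subnet_of(space) for space in spaces):
                raise ValueError(f"{name}/{sname}: {cidr} is outside the VNet address space")
            for other_name, other in seen:
                if sub.overlaps(other):
                    raise ValueError(f"{name}/{sname}: {cidr} overlaps {other_name}")
            seen.append((sname, sub))
            usable[f"{name}/{sname}"] = reserved_addresses(cidr)["usable"]
    for a, b in peerings:  # peered VNets must not share any address space
        for sa in vnets[a]["space"]:
            for sb in vnets[b]["space"]:
                if ipaddress.ip_network(sa).overlaps(ipaddress.ip_network(sb)):
                    raise ValueError(f"peering {a}<->{b}: {sa} overlaps {sb}")
    return usable


def plan_error(vnets: dict, peerings: list):
    """Convenience wrapper: None if the plan is valid, otherwise the violation message."""
    try:
        validate_plan(vnets, peerings)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed hub-and-spoke plan. AzureFirewallSubnet and AzureBastionSubnet need at least /26.
PLAN = {
    "vnet-hub": {"space": ["10.0.0.0/16"],
                 "subnets": {"AzureFirewallSubnet": "10.0.0.0/26", "AzureBastionSubnet": "10.0.1.0/26"}},
    "vnet-spoke": {"space": ["10.1.0.0/16"],
                   "subnets": {"snet-web": "10.1.0.0/24", "snet-tiny": "10.1.1.0/29"}},
}
PEERINGS = [("vnet-hub", "vnet-spoke")]

if __name__ == "__main__":
    for subnet, hosts in validate_plan(PLAN, PEERINGS).items():
        print(f"{subnet:32s} {hosts} usable")
    print(reserved_addresses("10.1.1.0/29"))
```

Run it against a plan where the spoke reuses 10.0.0.0/16 and `plan_error` reports the peering overlap before anyone discovers it as a failed peering in the portal.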

Q24. What is User-Defined Routing (UDR)?

A Route Table associated with a subnet that overrides Azure's default system routes. Used to force traffic through a Network Virtual Appliance (NVA), Azure Firewall, or to direct egress through ExpressRoute.

Compute & VMs (Q25-Q32)

Q25. What are Availability Sets vs Availability Zones?

Availability Sets distribute VMs across fault and update domains within a single datacenter (99.95% SLA for two or more VMs in the set). Availability Zones distribute VMs across physically separate datacenters in the same region (99.99% SLA for two or more VMs across two or more zones). Zones are the stronger option but are not available in every region. A VM is placed in either an availability set or a zone, not both.

Q26. What is a Virtual Machine Scale Set (VMSS)?

A VMSS deploys and manages a set of identical, auto-scaling VMs. Supports rolling upgrades, autoscale rules (CPU, queue length, custom metrics), and integration with load balancers. Used for stateless workloads that scale horizontally.

Q27. What is the difference between managed and unmanaged disks?

Managed disks are abstracted from underlying storage accounts: Azure handles placement, redundancy and IO throttling, and they support snapshots, encryption with customer-managed keys and Azure Backup natively. Unmanaged disks (page blobs in a storage account you manage yourself) are the legacy model and were retired in September 2025. Always use managed disks.

Q28. What VM disk types are available?

Standard HDD, Standard SSD, Premium SSD, Premium SSD v2, and Ultra Disk. Choice depends on IOPS, throughput, and latency requirements. Premium SSD is the typical default for production; Ultra Disk for high-IOPS databases.

Q29. How do you patch Azure VMs at scale?

Azure Update Manager (formerly Update Management) provides centralized patch orchestration with maintenance windows, pre/post scripts, and reporting. Works for both Azure and Arc-connected on-prem VMs.

Q30. What is Azure Bastion?

Managed PaaS jumpbox providing browser-based RDP/SSH to VMs without exposing public IPs or requiring VPN. Reduces attack surface and is the preferred pattern for production remote admin.

Q31. What is a Reserved Instance vs Spot VM?

Reserved Instances commit to 1- or 3-year terms in exchange for 30-70% discount — for predictable workloads. Spot VMs use spare capacity at up to 90% discount but can be evicted with 30 seconds notice — for fault-tolerant batch workloads.

Q32. How do you scale a VM vertically?

Resize the VM SKU to a larger size. The VM restarts as part of the resize; if the new size is not available on the hardware cluster currently hosting it you must deallocate first and resize from the stopped state (which also releases a dynamic public IP unless it is static). Not every size exists in every region, and a VM cannot be resized into a size that supports only the other generation (Gen1 BIOS vs Gen2 UEFI). Plan a maintenance window.

Storage (Q33-Q38)

Q33. What are the storage account redundancy options?

LRS (3 copies in one datacenter), ZRS (3 copies across AZs in one region), GRS (LRS + async replication to paired region), GZRS (ZRS + async to paired region), RA-GRS / RA-GZRS (read access to secondary). Higher redundancy = higher cost.

Q34. What are storage access tiers?

Hot, Cool, Cold, Archive. Hot for frequently accessed data, Cool/Cold for infrequent (lower storage cost, higher access cost), Archive for rarely-accessed long-term retention (hours to rehydrate). Apply via lifecycle management policies for automatic tiering.

Q35. How do you secure access to a storage account?

Disable public network access and use private endpoints; enforce HTTPS only with TLS 1.2 as the minimum; move callers to Entra ID authentication with managed identities and then disable Shared Key authorization so the account keys cannot be used at all (rotate them regularly until that is done); use SAS tokens only for time-limited delegated access; enable soft delete and versioning; enable Defender for Storage; encrypt with customer-managed keys where compliance requires it.

Q36. SAS token vs access key?

Access keys grant full control over the whole storage account and should almost never be shared. A SAS (Shared Access Signature) token grants scoped, time-limited access to specific containers or blobs. The catch: a SAS signed with an account key is just an HMAC over its scope and expiry, so it cannot be revoked individually; you either rotate the key (invalidating every SAS signed with it) or tie the SAS to a stored access policy you can delete. A User Delegation SAS is signed with a short-lived delegation key obtained with an Entra ID identity and is limited by that identity's RBAC, which is why it is the strongest pattern.
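To make "a SAS is an HMAC over scope and expiry" concrete, here is the signing and verification round trip. This is an added example, not the Azure SDK: the string-to-sign layout follows the service SAS format Microsoft documents for version 2020-12-06 and later (treat the exact field order as an assumption to check against the current docs), the account key is a constructed dummy, and the account, container and blob names are made up.

```python
"""Service SAS signing and verification (added example, not the Azure SDK).

Assumptions: string-to-sign layout per the documented service-SAS format for
version 2020-12-06+ (verify against current docs); DUMMY_KEY and ROTATED_KEY
are constructed, as are the account/container/blob names.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

SAS_VERSION = "2020-12-06"


def _iso(dt: datetime) -> str:
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _string_to_sign(account, container, blob, permissions, start, expiry, protocol) -> str:
    canonical = f"/blob/{account}/{container}/{blob}"
    # One field per line in the documented order; unused fields are still present as empty lines.
    fields = [
        permissions, start, expiry, canonical,
        "",                   # signedIdentifier: no stored access policy
        "",                   # signedIP: no IP restriction
        protocol, SAS_VERSION,
        "b",                  # signedResource: a single blob
        "",                   # signedSnapshotTime
        "",                   # signedEncryptionScope
        "", "", "", "", "",   # rscc, rscd, rsce, rscl, rsct (response-header overrides)
    ]
    return "\n".join(fields)


def _signature(account_key_b64: str, string_to_sign: str) -> str:
    key = base64.b64decode(account_key_b64)  # the raw 512-bit account key
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def sign_blob_sas(account, account_key_b64, container, blob, permissions, start, expiry, protocol="https") -> str:
    """Return the SAS query string for one blob (what you would append to the blob URL)."""
    st, se = _iso(start), _iso(expiry)
    sig = _signature(account_key_b64, _string_to_sign(account, container, blob, permissions, st, se, protocol))
    return urlencode({"sv": SAS_VERSION, "sr": "b", "sp": permissions, "st": st, "se": se, "spr": protocol, "sig": sig})


def verify_blob_sas(account, account_key_b64, container, blob, query, now) -> bool:
    """What the service does per request: recompute the HMAC over the requested resource and check the window."""
    q = {k: v[0] for k, v in parse_qs(query).items()}
    if q.get("sv") != SAS_VERSION or q.get("sr") != "b":
        return False
    if not (q["st"] <= _iso(now) <= q["se"]):  # ISO-8601 UTC strings of equal length compare lexically
        return False
    expected = _signature(account_key_b64,
                          _string_to_sign(account, container, blob, q["sp"], q["st"], q["se"], q["spr"]))
    return hmac.compare_digest(expected, q["sig"])


DUMMY_KEY = base64.b64encode(bytes(range(64))).decode()          # constructed, not a real key
ROTATED_KEY = base64.b64encode(bytes(range(64, 128))).decode()   # the key after a rotation


def demo() -> dict:
    """Mint a one-hour read SAS for one blob and show what does and does not get through."""
    start = datetime(2026, 5, 22, 9, 0, tzinfo=timezone.utc)
    expiry = start + timedelta(hours=1)
    sas = sign_blob_sas("stexample", DUMMY_KEY, "reports", "q1.pdf", "r", start, expiry)
    check = lambda blob, key, at: verify_blob_sas("stexample", key, "reports", blob, sas, at)
    return {
        "query": sas,
        "valid": check("q1.pdf", DUMMY_KEY, start + timedelta(minutes=10)),
        "other_blob": check("q2.pdf", DUMMY_KEY, start + timedelta(minutes=10)),        # scoped to one resource
        "after_expiry": check("q1.pdf", DUMMY_KEY, expiry + timedelta(seconds=1)),      # time-limited
        "after_key_rotation": check("q1.pdf", ROTATED_KEY, start + timedelta(minutes=10)),  # the only revocation
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20s} {v}")
```

Two things to take from the output: the same query string fails against a different blob (scope is baked into the HMAC), and it fails the moment the account key changes, which is exactly why a leaked key-signed SAS forces a key rotation rather than a targeted revoke.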

Q37. What is Azure Files vs Blob Storage?

Azure Files exposes SMB / NFS file shares (mountable as drives, used for "lift and shift" workloads). Blob Storage exposes object storage via REST API for unstructured data (images, logs, backups). They are different services with different access patterns.

Q38. How do you migrate data into Azure Storage?

AzCopy (CLI), Storage Explorer (GUI), Data Box (physical appliance for 10s of TB), Azure Migrate (server-level lift), or Storage Mover (managed migration service). Choose based on data size and network bandwidth.

Monitoring & Backup (Q39-Q44)

Q39. What is Azure Monitor?

Unified observability platform covering metrics, logs (Log Analytics workspaces), alerts, and dashboards. Includes Application Insights for app telemetry. Most diagnostic settings flow into a Log Analytics workspace.

Q40. What is Log Analytics workspace?

Repository for log data, queried with Kusto Query Language (KQL). Configured as the destination for diagnostic settings, agent data and Sentinel. Pricing is per GB ingested.

Q41. What is Azure Backup?

Native backup service for VMs, SQL, files, and on-prem servers via the MARS agent. Backups are stored in a Recovery Services Vault. Supports application-consistent snapshots, instant restore, and long-term retention.

Q42. What is Azure Site Recovery (ASR)?

Disaster recovery service that replicates VMs (Azure-to-Azure, on-prem-to-Azure) for failover to a secondary region. Used for DR drills and actual region failover. Replication tracks deltas; RPO measured in minutes for most workloads.

Q43. How do you set up alerts?

Define a signal (metric, log query, activity log, Service Health), a condition (static or dynamic threshold, aggregation, evaluation frequency and lookback window) and an action group (email, SMS, push, webhook, Logic App, Automation runbook, ITSM connector). One metric alert rule can target every resource of a type in a subscription or resource group, and dynamic thresholds let Azure learn the metric's baseline instead of you guessing a number.

Q44. What is the Service Health blade for?

Shows Microsoft-side incidents (region outages, planned maintenance, health advisories, security advisories) that affect your subscriptions. Configure Service Health alerts so you get paged when Microsoft impacts a region you use.

Real-world Scenarios (Q45-Q50)

Q45. A VM is not starting. Walk me through troubleshooting.

Check Activity Log for the failure event → verify quota in the region (especially for vCPU and disk SKU) → check VM boot diagnostics (serial console / screenshot) → check disk health (status of OS disk) → check if a recent extension upgrade failed → if cannot start, attach the OS disk to a recovery VM and inspect logs.

Q46. Users cannot access a storage account from an Azure VM. Where do you look?

Storage account firewall rules → VNet service endpoint or private endpoint configuration → DNS resolution (especially for private endpoint — needs private DNS zone) → managed identity has correct RBAC role → storage account public access setting → NSG outbound rules on the VM subnet.

Q47. Cost alerts are firing but the team cannot identify which workload is over budget. How do you fix this?

Enforce required tags on every resource (Azure Policy — "deny resource creation without environment + cost-center tags"); restructure resource groups by cost center; build a Cost Management view grouped by tag; set per-resource-group budgets; consider management group structure to isolate big spenders.

Q48. A developer accidentally deleted a production resource group. How do you recover?

If a Resource Lock (CanNotDelete or ReadOnly) was applied at the resource group or subscription level, the delete is blocked outright; teach this lesson early. If it went through: Key Vault soft delete (with purge protection) keeps the vault recoverable even though its resource group is gone; a Recovery Services vault that still holds protected items stops the group deletion from completing, so VM backups usually survive and can be restored; blob soft delete and versioning do not help if the whole storage account was deleted, but a deleted storage account can sometimes be recovered within 14 days (open a support case quickly). Everything else comes back from infrastructure-as-code (Terraform / Bicep) plus the last backup, which is the real argument for having both.

Q49. Your team must move from one Azure region to another. What is your approach?

Inventory and dependency mapping first → identify which services support region migration natively (App Service, Storage with object replication, SQL with geo-replication) → use Azure Resource Mover for VMs, VNets, SQL servers, and load balancers → ASR for VM replication if Resource Mover does not support the SKU → cutover during maintenance window with DNS update → validate → decommission old region.

Q50. Tell me about a time something broke in production. What did you do?

This is the behavioural question every interview includes. Use STAR (Situation, Task, Action, Result). Pick a real story where you (a) identified the root cause, (b) communicated clearly with stakeholders, (c) implemented the fix, and (d) wrote a post-incident review. Bonus points for naming the long-term remediation (better alerting, IaC adoption, runbook authored).


Frequently Asked Questions

What is the difference between Azure AD (Entra ID) and Active Directory?

Active Directory is on-prem identity using Kerberos/LDAP; Entra ID is cloud-native using OAuth/OIDC/SAML. Different protocols, different schemas. Hybrid environments connect them via Entra Connect.

What is the difference between an NSG and Azure Firewall?

NSGs are stateful Layer 4 filters at subnet/NIC level, free. Azure Firewall is a managed Layer 3-7 firewall with application rules and threat intelligence, billed hourly + data. Most architectures use both.

What are Azure Availability Zones?

Physically separated datacenters within a region with independent power, cooling and networking. Deploying across two zones gives 99.99% VM SLA. Not all regions have AZs.

How do you secure Azure storage accounts?

Disable public network access, enforce HTTPS, require TLS 1.2 minimum, use Entra ID + managed identities, rotate keys, enable soft delete + versioning, enable Defender for Storage.

What is the difference between Azure RBAC and Azure Policy?

RBAC controls who can do what. Azure Policy controls what configurations are allowed. Complementary, not alternatives.


ExamCert Team

Helping cloud engineers prepare for interviews with free AI-generated practice questions and study guides.