100+ Free Azure AZ-801 Practice Questions

Pass your Configuring Windows Server Hybrid Advanced Services (AZ-801) exam on the first try — instant access, no signup required.

✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately

~65% Pass Rate

100+ Questions

100% Free

1 / 100

Question 1

Score: 0/0

You need to block an unsigned legacy script-based attack tool from running on Windows Server 2022 file servers, while still allowing IT to deploy approved PowerShell modules. Which feature should you configure first?

Windows Defender Application Control (WDAC) policy in enforced mode

Network Load Balancing (NLB) host filtering

Storage Replica asynchronous replication

Cluster-Aware Updating (CAU)

to track

2026 Statistics

Key Facts: Azure AZ-801 Exam

700/1000

Passing Score

Microsoft

40-60 Q

Exam Questions

Microsoft (varies)

80-120 hrs

Study Time

Recommended

$165

Exam Fee

Microsoft

5 domains

Exam Domains

Microsoft AZ-801 outline

100 min

Exam Duration

Microsoft

Sep 30, 2026

Retirement Date

Microsoft

AZ-802

Replacement Exam

Microsoft

AZ-801 is Microsoft's associate-level Windows Server hybrid advanced services exam, paired with AZ-800 to earn the Windows Server Hybrid Administrator Associate. It uses a 700/1000 passing score and typically delivers 40-60 questions in 100 minutes for US$165. The October 6, 2025 study guide refresh sets domain weights at Secure Windows Server (25-30%), High availability (15-20%), Disaster recovery (10-15%), Migrate servers and workloads (20-25%), and Monitor and troubleshoot (15-20%). IMPORTANT: Microsoft retires AZ-801 on September 30, 2026 at 5:00 PM CST and is replacing it with AZ-802; candidates planning to certify in 2026 should schedule before that date or pivot to AZ-802 once it becomes the active exam.

Sample Azure AZ-801 Practice Questions

Try these sample questions to test your Azure AZ-801 exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1You need to block an unsigned legacy script-based attack tool from running on Windows Server 2022 file servers, while still allowing IT to deploy approved PowerShell modules. Which feature should you configure first?

A.Windows Defender Application Control (WDAC) policy in enforced mode

B.Network Load Balancing (NLB) host filtering

C.Storage Replica asynchronous replication

D.Cluster-Aware Updating (CAU)

Explanation: WDAC enforces code integrity policies that allow only trusted publishers, hashes, or paths to execute, which blocks unsigned binaries and scripts while still permitting approved PowerShell modules. NLB, Storage Replica, and CAU address availability and updates rather than code execution control.

2Your team must protect cached domain credentials on Windows Server 2022 member servers from pass-the-hash attacks. Which feature uses virtualization-based security (VBS) to isolate LSA secrets?

A.Windows Defender Credential Guard

B.AppLocker publisher rules

C.Azure Disk Encryption

D.BitLocker network unlock

Explanation: Credential Guard uses VBS to run the Local Security Authority in an isolated container, so NTLM password hashes and Kerberos ticket-granting tickets cannot be read by a process running in the normal OS. AppLocker controls execution but does not isolate LSA secrets, and the encryption features protect data at rest, not in-memory credentials.

3You want to remove static local administrator passwords on hundreds of Windows Server 2022 hosts and store rotated passwords in Active Directory. Which solution should you implement?

A.Windows Local Administrator Password Solution (Windows LAPS)

B.Group Managed Service Accounts (gMSA)

C.Just Enough Administration (JEA)

D.Microsoft Entra Password Protection

Explanation: Windows LAPS automatically rotates and stores the local administrator password for each computer in Active Directory or Microsoft Entra ID. gMSAs are for service identities, JEA constrains PowerShell sessions, and Entra Password Protection blocks weak user passwords rather than managing local admin secrets.

4Helpdesk staff must reset user passwords from a remote PowerShell session, but the security team forbids granting them domain admin rights. Which feature lets you expose only specific PowerShell cmdlets through a constrained endpoint?

A.Just Enough Administration (JEA)

B.Just-In-Time (JIT) VM access

C.Authentication policy silos

D.Read-Only Domain Controller (RODC)

Explanation: JEA uses role capability and session configuration files to expose a curated allowlist of PowerShell commands under a managed virtual account. JIT VM access controls inbound network ports on Azure VMs, policy silos limit where credentials may be used, and an RODC limits where credentials are stored.

5You need to limit RDP exposure on Azure VMs running Windows Server so that the management port is opened only when an authorized engineer requests access. Which capability should you enable?

A.Microsoft Defender for Cloud Just-In-Time VM access

B.Network Load Balancing port rules

C.Windows Defender Firewall connection security rules

D.Azure Backup soft delete

Explanation: Defender for Cloud's Just-In-Time VM access dynamically modifies NSG and Azure Firewall rules so that management ports such as 3389 are open only for an approved time window and source IP. The other choices do not provide on-demand, time-bound port opening for VMs.

6BitLocker is protecting the OS volume of a Windows Server 2022 host with TPM-only protectors, but the boot process must continue unattended after a power outage in a remote datacenter. Which BitLocker feature should you configure?

A.BitLocker network unlock

B.BitLocker To Go

C.BitLocker recovery password

D.Encrypted File System (EFS)

Explanation: BitLocker network unlock lets a domain-joined machine on a wired network automatically unlock its OS volume during boot using a key delivered by a Windows Deployment Services server, eliminating manual PIN entry after reboots. The other choices either apply only to removable drives, are for recovery scenarios, or address file-level encryption.

7An auditor asks where BitLocker recovery passwords for AD-joined servers are stored and how to retrieve them quickly. Which tool surfaces these passwords directly inside Active Directory Users and Computers?

A.BitLocker Recovery Password Viewer

B.Windows Admin Center

C.Microsoft Defender for Cloud

D.Azure Key Vault

Explanation: BitLocker Recovery Password Viewer is an optional RSAT feature that adds a BitLocker Recovery tab to the computer object in Active Directory Users and Computers, exposing the escrowed recovery passwords. The other tools store or manage keys but do not provide that integrated ADUC view.

8You replace an SQL Server service account with a managed identity that automatically rotates its password every 30 days and supports use across multiple cluster nodes. Which account type should you use?

A.Group Managed Service Account (gMSA)

B.Standalone Managed Service Account (sMSA)

C.Built-in NetworkService account

D.Domain admin account

Explanation: A gMSA can be used by multiple hosts, has its password automatically managed by AD, and is the recommended identity for clustered services. An sMSA is bound to a single computer, NetworkService is a built-in low-privilege account without targeted SPN management, and a domain admin would violate least privilege.

9You enabled Microsoft Defender for Servers and onboarded an on-premises Windows Server using Azure Arc. Which capability does this combination unlock for the on-premises VM?

A.Cloud-based threat detection and vulnerability assessment for the on-premises Windows Server

B.Free unlimited storage in an Azure Storage account

C.Automatic conversion of the on-premises server to an Azure VM

D.Migration of the server's identity to a Microsoft Entra-only model

Explanation: Azure Arc projects the server as a resource in Azure so that Defender for Servers can apply its EDR, vulnerability assessment, and security recommendations to non-Azure machines. Arc does not replicate, migrate, or grant free storage.

10You want to ingest Windows Server security event logs into Microsoft Sentinel for SIEM-style analysis. Which agent does Microsoft now recommend for Windows event collection?

A.Azure Monitor Agent (AMA) with the Windows Security Events data connector

B.The legacy Microsoft Monitoring Agent (MMA) only

C.Direct WMI subscription from Sentinel

D.Windows Admin Center extension

Explanation: AMA replaces the legacy MMA and is the supported method to forward Windows Security Events into Sentinel through the Windows Security Events data connector. WMI is not a Sentinel ingestion method, and Windows Admin Center is for management, not log shipping.

About the Azure AZ-801 Exam

AZ-801 validates advanced Windows Server hybrid administration: securing Windows Server on-premises and hybrid infrastructures, configuring failover clustering and Storage Spaces Direct, implementing disaster recovery with Azure Site Recovery and Hyper-V Replica, migrating workloads with Storage Migration Service and Azure Migrate, and monitoring servers with Azure Monitor and Microsoft Defender for Cloud. With AZ-800, it earns the Microsoft Certified: Windows Server Hybrid Administrator Associate certification.

Questions

60 scored questions

Time Limit

100 minutes

Passing Score

700/1000

Exam Fee

$165 (Microsoft / Pearson VUE)

Azure AZ-801 Exam Content Outline

25-30%

Secure Windows Server on-premises and hybrid infrastructures

Configure WDAC, Credential Guard, Exploit Protection, SmartScreen, OSConfig baselines, Windows LAPS, BitLocker and Azure Disk Encryption, Defender for Identity/Servers, and ingest Windows data into Microsoft Sentinel.

15-20%

Implement and manage Windows Server high availability

Build failover clusters with the right quorum and witness model, deploy Storage Spaces Direct and Scale-Out File Servers, configure Network ATC and floating cluster IPs, and run Cluster-Aware Updating and stretch clusters.

10-15%

Implement disaster recovery

Protect workloads with Azure Site Recovery (network mapping, replication policies, recovery plans), Hyper-V Replica with extended replication, and Azure Backup using MARS and Microsoft Azure Backup Server.

20-25%

Migrate servers and workloads

Use Storage Migration Service for file servers, Azure Migrate for VMware/Hyper-V/physical servers, ADMT for AD forest restructure, IIS to App Service or containers, and in-place upgrades or cluster OS rolling upgrades.

15-20%

Monitor and troubleshoot Windows Server environments

Collect telemetry with Azure Monitor Agent, Data Collection Rules, VM Insights, Performance Monitor data collector sets, Windows Event Forwarding, and System Insights, and troubleshoot AD, networking, time, and update issues.

How to Pass the Azure AZ-801 Exam

What You Need to Know

Passing score: 700/1000
Exam length: 60 questions
Time limit: 100 minutes
Exam fee: $165

Keys to Passing

Complete 500+ practice questions
Score 80%+ consistently before scheduling
Focus on highest-weighted sections
Use our AI tutor for tough concepts

Azure AZ-801 Study Tips from Top Performers

1Memorize quorum and witness selection: Cloud Witness for stretched/multi-site clusters, Disk Witness with shared storage, File Share Witness when neither is available, and the rule that even-node clusters need a witness.

2Lab Storage Migration Service end-to-end including the cutover step that transfers identity (name and IP) so client applications keep working.

3Practice ASR replication policies (RPO via crash-consistent points, app-consistent snapshots, retention) and recovery plans with Automation runbooks.

4Know the difference between Azure Backup MARS agent (file/folder/system state) and Microsoft Azure Backup Server / MABS (application-aware Hyper-V and SQL).

5Drill Windows Server hardening: WDAC enforced vs audit, Credential Guard with VBS, Windows LAPS, Protected Users, and authentication policy silos for Tier 0.

6Know that AZ-801 retires September 30, 2026, at 5:00 PM CST and is being replaced by AZ-802 - schedule accordingly if you need the current credential.

Frequently Asked Questions

What is the AZ-801 passing score?

AZ-801 uses Microsoft's scaled scoring model and requires a passing score of 700 out of 1000. The exam typically contains 40-60 questions delivered in 100 minutes.

Is AZ-801 being retired?

Yes. Microsoft will retire AZ-801 on September 30, 2026, at 5:00 PM Central Standard Time. AZ-801 is being replaced by AZ-802. Candidates who want the current AZ-801-based Windows Server Hybrid Administrator Associate must pass before that retirement date.

What changed in the October 6, 2025 update?

The English version was refreshed with updated objectives, including OSConfig for security baselines, Microsoft Entra Password Protection for AD DS, Network ATC, AD migration toward Windows Server 2025, IIS migration to Azure App Service or containers, and Azure Update Manager.

How hard is AZ-801?

AZ-801 is a moderately challenging associate exam because it tests both deep Windows Server knowledge (clustering, BitLocker, AD) and hybrid Azure judgment (Azure Arc, ASR, Defender for Servers, Azure Monitor with AMA). Hands-on lab time is essential.

How long should I study for AZ-801?

Most candidates need 8-12 weeks and 80-120 hours of study, depending on Windows Server depth and Azure exposure. Plan for hands-on labs in failover clustering, ASR, Storage Migration Service, BitLocker, and Azure Monitor with AMA/DCRs.

What roles does AZ-801 support?

AZ-801 fits Windows Server hybrid administrators, infrastructure engineers, systems engineers, and platform engineers who own on-premises and Azure-connected Windows Server estates, including AD, file services, Hyper-V, clustering, and disaster recovery.