Exam-Answer

Exam AZ-104: Microsoft Azure Administrator

Prepare for Exam AZ-104: Microsoft Azure Administrator. Free demo questions with answers and explanations.


Question 1

You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:

User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.

You need to create new user accounts in external.contoso.onmicrosoft.com.

Solution: You instruct User2 to create the user accounts.

Does that meet the goal?

Answers


Explanation

Only a global administrator can add users to this tenant.


Question 2

You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:

User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.

You need to create new user accounts in external.contoso.onmicrosoft.com.

Solution: You instruct User4 to create the user accounts.

Does that meet the goal?

Answers


Explanation

Only a global administrator can add users to this tenant.


Question 3

You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:

User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.

You need to create new user accounts in external.contoso.onmicrosoft.com.

Solution: You instruct User3 to create the user accounts.

Does that meet the goal?

Answers


Explanation

Only a global administrator can add users to this tenant.


Question 4

You have an Azure subscription named Subscription1 that contains a resource group named RG1.

In RG1, you create an internal load balancer named LB1 and a public load balancer named LB2.

You need to ensure that an administrator named Admin1 can manage LB1 and LB2. The solution must follow the principle of least privilege.

Which role should you assign to Admin1 for each task? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Answers


Explanation

The Network Contributor role lets you manage networks, but not access them.


Question 5

You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com and an Azure Kubernetes Service (AKS) cluster named AKS1.

An administrator reports that she is unable to grant access to AKS1 to the users in contoso.com.

You need to ensure that access to AKS1 can be granted to the contoso.com users.

What should you do first?

Answers



Question 6

You have a Microsoft 365 tenant and an Azure Active Directory (Azure AD) tenant named contoso.com.

You plan to grant three users named User1, User2, and User3 access to a temporary Microsoft SharePoint document library named Library1.

You need to create groups for the users. The solution must ensure that the groups are deleted automatically after 180 days.

Which two groups should you create? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

Answers


Explanation

You can set expiration policy only for Office 365 groups in Azure Active Directory (Azure AD).

Note: With the increase in usage of Office 365 Groups, administrators and users need a way to clean up unused groups. Expiration policies can help remove inactive groups from the system and make things cleaner.

When a group expires, all of its associated services (the mailbox, Planner, SharePoint site, etc.) are also deleted.

You can set up a rule for dynamic membership on security groups or Office 365 groups.


Question 7

You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table:

User3 is the owner of Group1.

Group2 is a member of Group1.

You configure an access review named Review1 as shown in the following exhibit:

Choose all that apply:

Answers



Question 8

You have the Azure management groups shown in the following table:

You add Azure subscriptions to the management groups as shown in the following table:

You create the Azure policies shown in the following table:

Choose all that apply:

Answers


Explanation

Virtual networks are not allowed at the root, and this is inherited. Deny overrides allowed.

Virtual Machines can be created on a Management Group provided the user has the required RBAC permissions.

Subscriptions can be moved between Management Groups provided the user has the required RBAC permissions.


Question 9

You have an Azure policy as shown in the following exhibit:

What is the effect of the policy?

Answers


Explanation

You are prevented from creating Azure SQL servers anywhere in Subscription 1 with the exception of ContosoRG1.



Question 10

You have an Azure subscription that contains the resources shown in the following table:

You assign a policy to RG6 as shown in the following table:

To RG6, you apply the tag: RGroup: RG6.

You deploy a virtual network named VNET2 to RG6.

Which tags apply to VNET1 and VNET2? To answer, select the appropriate options in the answer area.

Answers


Explanation

VNET1: Department: D1, and Label:Value1 only.

Tags applied to the resource group or subscription are not inherited by the resources.

Note: Azure Policy allows you to use either built-in or custom-defined policy definitions and assign them to either a specific resource group or across a whole Azure subscription.

VNET2: Label:Value1 only.


Question 11

You have an Azure subscription named AZPT1 that contains the resources shown in the following table:

You create a new Azure subscription named AZPT2.

You need to identify which resources can be moved to AZPT2.

Which resources should you identify?

Answers


Explanation

You can move a VM and its associated resources to a different subscription by using the Azure portal.

You can now move an Azure Recovery Service (ASR) Vault to either a new resource group within the current subscription or to a new subscription.


Question 12

You recently created a new Azure subscription that contains a user named Admin1.

Admin1 attempts to deploy an Azure Marketplace resource by using an Azure Resource Manager template. Admin1 deploys the template by using Azure PowerShell and receives the following error message: "User failed validation to purchase resources. Error message: "Legal terms have not been accepted for this item on this subscription. To accept legal terms, please go to the Azure portal (http://go.microsoft.com/fwlink/?LinkId=534873) and configure programmatic deployment for the Marketplace item or create it there for the first time."

You need to ensure that Admin1 can deploy the Marketplace resource successfully.

What should you do?

Answers


Explanation

Set-AzMarketplaceTerms: Accept or reject terms for a given publisher id(Publisher), offer id(Product) and plan id(Name). Please use Get-AzMarketplaceTerms to get the agreement terms.


Question 13

You have an Azure Active Directory (Azure AD) tenant that contains 5,000 user accounts.

You create a new user account named AdminUser1.

You need to assign the User administrator administrative role to AdminUser1.

What should you do from the user account properties?

Answers


Explanation

Assign a role to a user -

1. Sign in to the Azure portal with an account that's a global admin or privileged role admin for the directory.

2. Select Azure Active Directory, select Users, and then select a specific user from the list.

3. For the selected user, select Directory role, select Add role, and then pick the appropriate admin roles from the Directory roles list, such as Conditional access administrator.

4. Press Select to save.


Question 14

You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains 100 user accounts.

You purchase 10 Azure AD Premium P2 licenses for the tenant.

You need to ensure that 10 users can use all the Azure AD Premium features.

What should you do?

Answers


Explanation

Assign or remove licenses in the Azure Active Directory portal: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/license-users-groups



Question 15

You have an Azure subscription named Subscription1 and an on-premises deployment of Microsoft System Center Service Manager.

Subscription1 contains a virtual machine named VM1.

You need to ensure that an alert is set in Service Manager when the amount of available memory on VM1 is below 10 percent.

What should you do first?

Answers


Explanation

The IT Service Management Connector (ITSMC) allows you to connect Azure and a supported IT Service Management (ITSM) product/service, such as the Microsoft System Center Service Manager.

With ITSMC, you can create work items in ITSM tool, based on your Azure alerts (metric alerts, Activity Log alerts and Log Analytics alerts).


Question 16

You sign up for Azure Active Directory (Azure AD) Premium.

You need to add a user named admin1@contoso.com as an administrator on all the computers that will be joined to the Azure AD domain.

What should you configure in Azure AD?

Answers


Explanation

When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principals to the local administrators group on the device:

The Azure AD global administrator role

The Azure AD device administrator role

The user performing the Azure AD join

In the Azure portal, you can manage the device administrator role on the Devices page. To open the Devices page:

1. Sign in to your Azure portal as a global administrator or device administrator.

2. On the left navbar, click Azure Active Directory.

3. In the Manage section, click Devices.

4. On the Devices page, click Device settings.

5. To modify the device administrator role, configure Additional local administrators on Azure AD joined devices.


Question 17

You have an Azure Active Directory tenant named Contoso.com that includes the following users:

Contoso.com includes the following Windows 10 devices:

You create the following security groups in Contoso.com:

Choose all that apply:

Answers


Explanation

User1 is a Cloud Device Administrator.

Device2 is Azure AD joined.

Group1 has the assigned join type. User1 is the owner of Group1.

Note: Assigned groups - Manually add users or devices into a static group.

Azure AD joined or hybrid Azure AD joined devices utilize an organizational account in Azure AD

..

User2 is a User Administrator.

Device1 is Azure AD registered.

Group1 has the assigned join type, and the owner is User1.

Note: Azure AD registered devices utilize an account managed by the end user, this account is either a Microsoft account or another locally managed credential.

..

User2 is a User Administrator.

Device2 is Azure AD joined.

Group2 has the Dynamic Device join type, and the owner is User2.


Question 18

You have an Azure subscription that contains a resource group named RG26.

RG26 is set to the West Europe location and is used to create temporary resources for a project. RG26 contains the resources shown in the following table.

SQLDB01 is backed up to RGV1.

When the project is complete, you attempt to delete RG26 from the Azure portal. The deletion fails.

You need to delete RG26.

What should you do first?

Answers




Question 19

You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1.

Subscription1 has a user named User1. User1 has the following roles:

Reader

Security Admin

Security Reader

You need to ensure that User1 can assign the Reader role for VNet1 to other users.

What should you do?

Answers


Explanation

Has full access to all resources including the right to delegate access to others.


Question 20

You have an Azure Active Directory (Azure AD) tenant named contosocloud.onmicrosoft.com.

Your company has a public DNS zone for contoso.com.

You add contoso.com as a custom domain name to Azure AD.

You need to ensure that Azure can verify the domain name.

Which type of DNS record should you create?

Answers



Question 21

You plan to create an Azure Storage account in the Azure region of East US 2.

You need to create a storage account that meets the following requirements:

Replicates synchronously.

Remains available if a single data center in the region fails.

How should you configure the storage account? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answers


Explanation

Zone-redundant storage (ZRS) replicates your data synchronously across three storage clusters in a single region.

LRS would not remain available if a data center in the region fails.

GRS and RA-GRS use asynchronous replication.

ZRS only supports GPv2.

Data in an Azure Storage account is always replicated three times in the primary region. Azure Storage offers two options for how your data is replicated in the primary region:

Locally redundant storage (LRS) copies your data synchronously three times within a single physical location in the primary region. LRS is the least expensive replication option, but is not recommended for applications requiring high availability.

Zone-redundant storage (ZRS) copies your data synchronously across three Azure availability zones in the primary region. For applications requiring high availability, Microsoft recommends using ZRS in the primary region, and also replicating to a secondary region.


Question 22

You have an Azure Storage account named storage1.

You plan to use AzCopy to copy data to storage1.

You need to identify the storage services in storage1 to which you can copy the data.

What should you identify?

Answers


Explanation

AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage account.


Question 23

You have an Azure Storage account named storage1 that uses Azure Blob storage and Azure File storage.

You need to use AzCopy to copy data to the blob storage and file storage in storage1.

Which authentication method should you use for each type of storage? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answers


Explanation

Both Azure Active Directory (AD) and Shared Access Signature (SAS) token are supported for Blob storage.

Only Shared Access Signature (SAS) token is supported for File storage.

You can provide authorization credentials by using Azure Active Directory (AD), or by using a Shared Access Signature (SAS) token.

Use this table as a guide:

CHOOSE HOW YOU'LL PROVIDE AUTHORIZATION CREDENTIALS

Blob storage: Azure AD & SAS

Blob storage (hierarchical namespace): Azure AD & SAS

File storage: SAS only


Question 24

You have an Azure subscription that contains an Azure Storage account.

You plan to create an Azure container instance named container1 that will use a Docker image named Image1. Image1 contains a Microsoft SQL Server instance that requires persistent storage.

You need to configure a storage service for Container1.

What should you use?

Answers



Question 25

You have an app named App1 that runs on two Azure virtual machines named VM1 and VM2.

You plan to implement an Azure Availability Set for App1. The solution must ensure that App1 is available during planned maintenance of the hardware hosting VM1 and VM2.

What should you include in the Availability Set?

Answers


Explanation

Microsoft updates, which Microsoft refers to as planned maintenance events, sometimes require that VMs be rebooted to complete the update. To reduce the impact on VMs, the Azure fabric is divided into update domains to ensure that not all VMs are rebooted at the same time.

An update domain is a group of VMs and underlying physical hardware that can be rebooted at the same time.

A fault domain shares common storage as well as a common power source and network switch. It is used to protect against unplanned system failure.


Question 26

You have an Azure subscription named Subscription1 that contains the resources shown in the following table:

You plan to configure Azure Backup reports for Vault1.

You are configuring the Diagnostics settings for the AzureBackupReports log.

Which storage accounts and which Log Analytics workspaces can you use for the Azure Backup reports of Vault1? To answer, select the appropriate options in the answer area.

Answers



Question 27

You have an Azure subscription named Subscription1.

In Subscription1, you create an Azure file share named share1.

You create a shared access signature (SAS) named SAS1 as shown in the following exhibit:

To answer, select the appropriate options in the answer area.

Answers


Explanation

The IP 193.77.134.1 does not have access on the SAS.

The net use command is used to connect to file shares.


Question 28

You have an on-premises server that contains a folder named D:\Folder1.

You need to copy the contents of D:\Folder1 to the public container in an Azure Storage account named contosodata.

Which command should you run?

Answers


Explanation

The azcopy copy command copies a directory (and all of the files in that directory) to a blob container. The result is a directory in the container by the same name.


Question 29

You have an Azure subscription named Subscription1 that contains the storage accounts shown in the following table:

You create a shared access signature (SAS) named SAS1 as shown in the following exhibit:

You plan to use the Azure Import/Export service to export data from Subscription1.

You need to identify which storage account can be used to export the data.

What should you identify?

Answers


Explanation

Azure Import/Export service supports the following types of storage accounts:

Standard General Purpose v2 storage accounts (recommended for most scenarios)

Blob Storage accounts

General Purpose v1 storage accounts (both Classic or Azure Resource Manager deployments)

Azure Import/Export service supports the following storage types:

Import supports Azure Blob storage and Azure File storage

Export supports Azure Blob storage


Question 30

You have an Azure subscription that includes the following Azure file shares:

You have the following on-premises servers:

You create a Storage Sync Service named Sync1 and an Azure File Sync group named Group1. Group1 uses share1 as a cloud endpoint.

You register Server1 and Server2 in Sync1. You add D:\Folder1 on Server1 as a server endpoint of Group1.

Choose all that apply:

Answers


Explanation

Group1 already has a cloud endpoint named Share1.

A sync group must contain one cloud endpoint, which represents an Azure file share and one or more server endpoints.

Yes, one or more server endpoints can be added to the sync group.

Yes, one or more server endpoints can be added to the sync group.


Question 31

You have an Azure subscription named Subscription1.

You create an Azure Storage account named contosostorage, and then you create a file share named data.

Which UNC path should you include in a script that references files from the data file share?

Answers


Explanation

<storageAccountName>.file.core.windows.net\<fileShareName>


Question 32

You have an Azure subscription that contains an Azure Storage account.

You plan to copy an on-premises virtual machine image to a container named vmimages.

You need to create the container for the planned image.

Which command should you run?

Answers


Explanation

azcopy make - Create a container or file share represented by the given resource URL.

Examples: azcopy make "https://[account-name].[blob,file,dfs].core.windows.net/[top-level-resource-name]"


Question 33

You have an Azure File sync group that has the endpoints shown in the following table.

Cloud tiering is enabled for Endpoint3.

You add a file named File1 to Endpoint1 and a file named File2 to Endpoint2.

On which endpoints will File1 and File2 be available within 24 hours of adding the files?

Answers


Explanation

Cloud Tiering: A switch to enable or disable cloud tiering. When enabled, cloud tiering will tier files to your Azure file shares. This converts on-premises file shares into a cache, rather than a complete copy of the dataset, to help you manage space efficiency on your server. With cloud tiering, infrequently used or accessed files can be tiered to Azure Files.


Question 34

You have several Azure virtual machines on a virtual network named VNet1.

You configure an Azure Storage account as shown in the following exhibit.

Choose all that apply:

Answers


Explanation

Endpoint status is enabled, but 10.2.9.0/24 is not allowed.

After you configure firewall and virtual network settings for your storage account, select Allow trusted Microsoft services to access this storage account as an exception to enable Azure Backup service to access the network restricted storage account.


Question 35

You have a sync group named Sync1 that has a cloud endpoint. The cloud endpoint includes a file named File1.txt.

Your on-premises network contains servers that run Windows Server 2016. The servers are configured as shown in the following table.

You add Share1 as an endpoint for Sync1. One hour later, you add Share2 as an endpoint for Sync1.

Choose all that apply:

Answers


Explanation

If you add an Azure file share that has an existing set of files as a cloud endpoint to a sync group, the existing files are merged with any other files that are already on other endpoints in the sync group.


Question 36

You have an Azure subscription that contains the storage accounts shown in the following table.

You need to identify which storage account can be converted to zone-redundant storage (ZRS) replication by requesting a live migration from Azure support.

What should you identify?

Answers


Explanation

ZRS currently supports standard general-purpose v2, FileStorage and BlockBlobStorage storage account types.

Live migration is supported only for storage accounts that use LRS replication. If your account uses GRS or RA-GRS, then you need to first change your account's replication type to LRS before proceeding. This intermediary step removes the secondary endpoint provided by GRS/RA-GRS.

Also, only standard storage account types support live migration. Premium storage accounts must be migrated manually.


Question 37

You have an Azure subscription that contains a storage account named account1.

You plan to upload the disk files of a virtual machine to account1 from your on-premises network. The on-premises network uses a public IP address space of 131.107.1.0/24.

You plan to use the disk files to provision an Azure virtual machine named VM1. VM1 will be attached to a virtual network named VNet1. VNet1 uses an IP address space of 192.168.0.0/24.

You need to configure account1 to meet the following requirements:

Ensure that you can upload the disk files to account1.

Ensure that you can attach the disks to VM1.

Prevent all other access to account1.

Which two actions should you perform?

Answers


Explanation

By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action.

Azure portal -

1. Navigate to the storage account you want to secure.

2. Click on the settings menu called Firewalls and virtual networks.

3. To deny access by default, choose to allow access from 'Selected networks'. To allow traffic from all networks, choose to allow access from 'All networks'.

4. Click Save to apply your changes.

E: Grant access from a Virtual Network

Storage accounts can be configured to allow access only from specific Azure Virtual Networks.

By enabling a Service Endpoint for Azure Storage within the Virtual Network, traffic is ensured an optimal route to the Azure Storage service. The identities of the virtual network and the subnet are also transmitted with each request.


Question 38

You have an Azure subscription named Subscription1. Subscription1 contains a resource group named RG1. RG1 contains resources that were deployed by using templates.

You need to view the date and time when the resources were created in RG1.

Solution: From the Subscriptions blade, you select the subscription, and then click Programmatic deployment.

Does this meet the goal?

Answers


Explanation

From the RG1 blade, click Deployments. You see a history of deployment for the resource group.


Question 39

You have an Azure subscription named Subscription1. Subscription1 contains a resource group named RG1. RG1 contains resources that were deployed by using templates.

You need to view the date and time when the resources were created in RG1.

Solution: From the RG1 blade, you click Automation script.

Does this meet the goal?

Answers


Explanation

From the RG1 blade, click Deployments. You see a history of deployment for the resource group.


Question 40

You have an Azure subscription named Subscription1. Subscription1 contains a resource group named RG1. RG1 contains resources that were deployed by using templates.

You need to view the date and time when the resources were created in RG1.

Solution: From the RG1 blade, you click Deployments.

Does this meet the goal?

Answers


Explanation

From the RG1 blade, click Deployments. You see a history of deployment for the resource group.


Question 41

You have an Azure subscription named Subscription1.

You deploy a Linux virtual machine named VM1 to Subscription1.

You need to monitor the metrics and the logs of VM1.

What should you use?

Answers


Explanation

You can use extensions to configure diagnostics on your VMs to collect additional metric data.

The basic host metrics are available, but to see more granular and VM-specific metrics, you need to install the Azure diagnostics extension on the VM. The Azure diagnostics extension allows additional monitoring and diagnostics data to be retrieved from the VM.


Question 42

You have an Azure subscription named Subscription1. Subscription1 contains a virtual machine named VM1.

You install and configure a web server and a DNS server on VM1.

VM1 has the effective network security rules shown in the following exhibit:

Answers




Question 43

You plan to deploy three Azure virtual machines named VM1, VM2, and VM3. The virtual machines will host a web app named App1.

You need to ensure that at least two virtual machines are available if a single Azure datacenter becomes unavailable.

What should you deploy?

Answers


Explanation

Availability sets are a datacenter configuration to provide VM redundancy and availability. This configuration within a datacenter ensures that during either a planned or unplanned maintenance event, at least one virtual machine is available.


Question 44

You have an Azure virtual machine named VM1 that runs Windows Server 2019.

You save VM1 as a template named Template1 to the Azure Resource Manager library.

You plan to deploy a virtual machine named VM2 from Template1.

What can you configure during the deployment of VM2?

Answers


Explanation

When deploying a virtual machine from a template, you must specify:

the Resource Group name and location for the VM

the administrator username and password

a unique DNS name for the public IP


Question 45

You have an Azure subscription that contains an Azure virtual machine named VM1. VM1 runs a financial reporting app named App1 that does not support multiple active instances.

At the end of each month, CPU usage for VM1 peaks when App1 runs.

You need to create a scheduled runbook to increase the processor performance of VM1 at the end of each month.

Answers




Question 46

You have an Azure virtual machine named VM1 that runs Windows Server 2019.

You sign in to VM1 as a user named User1 and perform the following actions:

Create files on drive C.

Create files on drive D.

Modify the screen saver timeout.

Change the desktop background.

You plan to redeploy VM1.

Which changes will be lost after you redeploy VM1?

Answers




Question 47

You have an Azure subscription.

You have an on-premises virtual machine named VM1. The settings for VM1 are shown in the exhibit.

You need to ensure that you can use the disks attached to VM1 as a template for Azure virtual machines.

What should you modify on VM1?

Answers


Explanation

From the exhibit we see that the disk is in the VHDX format.

Before you upload a Windows virtual machine (VM) from on-premises to Microsoft Azure, you must prepare the virtual hard disk (VHD or VHDX). Azure supports only generation 1 VMs that are in the VHD file format and have a fixed-sized disk. The maximum size allowed for the VHD is 1,023 GB. You can convert a generation 1 VM from the VHDX file system to VHD and from a dynamically expanding disk to fixed-sized.


Question 48

You have an Azure subscription that contains a virtual machine scale set. The scale set contains four instances that have the following configurations:

Operating system: Windows Server 2016

Size: Standard_D1_v2

You run the get-azvmss cmdlet as shown in the following exhibit:

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

Answers


Explanation

The Get-AzVmssVM cmdlet gets the model view and instance view of a Virtual Machine Scale Set (VMSS) virtual machine.

The enableAutomaticUpdates parameter is set to false. To update existing VMs, you must do a manual upgrade of each existing VM.

Enabling automatic OS image upgrades on your scale set helps ease update management by safely and automatically upgrading the OS disk for all instances in the scale set.


Question 49

You have an Azure subscription named Subscription1 that is used by several departments at your company. Subscription1 contains the resources in the following table:

Another administrator deploys a virtual machine named VM1 and an Azure Storage account named storage2 by using a single Azure Resource Manager template.

You need to view the template used for the deployment.

From which blade can you view the template that was used for the deployment?

Answers



Question 50

You have an Azure web app named App1. App1 has the deployment slots shown in the following table:

In webapp1-test, you test several changes to App1.

You back up App1.

You swap webapp1-test for webapp1-prod and discover that App1 is experiencing performance issues.

You need to revert to the previous version of App1 as quickly as possible.

What should you do?

Answers


Explanation

When you swap deployment slots, Azure swaps the Virtual IP addresses of the source and destination slots, thereby swapping the URLs of the slots. We can easily revert the deployment by swapping back.

When you deploy your web app, web app on Linux, mobile back end, or API app to Azure App Service, you can use a separate deployment slot instead of the default production slot when you're running in the Standard, Premium, or Isolated App Service plan tier. Deployment slots are live apps with their own host names. App content and configuration elements can be swapped between two deployment slots, including the production slot.

Deploying your application to a non-production slot has the following benefits:

You can validate app changes in a staging deployment slot before swapping it with the production slot.

Deploying an app to a slot first and swapping it into production makes sure that all instances of the slot are warmed up before being swapped into production. This eliminates downtime when you deploy your app. The traffic redirection is seamless, and no requests are dropped because of swap operations. You can automate this entire workflow by configuring auto swap when pre-swap validation isn't needed.

After a swap, the slot with previously staged app now has the previous production app. If the changes swapped into the production slot aren't as you expect, you can perform the same swap immediately to get your "last known good site" back.

Each App Service plan tier supports a different number of deployment slots. There's no additional charge for using deployment slots. To find out the number of slots your app's tier supports, see App Service limits.


Question 51

You have an Azure subscription named Subscription1. Subscription1 contains two Azure virtual machines VM1 and VM2. VM1 and VM2 run Windows Server 2016.

VM1 is backed up daily by Azure Backup without using the Azure Backup agent.

VM1 is affected by ransomware that encrypts data.

You need to restore the latest backup of VM1.

To which location can you restore the backup? To answer, select the appropriate options in the answer area.

Answers



Question 52

You have an Azure virtual machine named VM1 that runs Windows Server 2016.

You need to create an alert in Azure when more than two error events are logged to the System event log on VM1 within an hour.

Solution: You create an Azure Log Analytics workspace and configure the data settings. You add the Microsoft Monitoring Agent VM extension to VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.

Does this meet the goal?

Answers


Explanation

You create an Azure Log Analytics workspace and configure the data settings. You install the Microsoft Monitoring Agent on VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.

Note the difference between "add extension" (in the question) and "install" (in the answer).


Question 53

You need to create an alert in Azure when more than two error events are logged to the System event log on VM1 within an hour.

Solution: You create an Azure Log Analytics workspace and configure the data settings. You install the Microsoft Monitoring Agent on VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.

Does this meet the goal?

Answers


Explanation

Alerts in Azure Monitor can identify important information in your Log Analytics repository. They are created by alert rules that automatically run log searches at regular intervals, and if results of the log search match particular criteria, then an alert record is created and it can be configured to perform an automated response.

The Log Analytics agent collects monitoring data from the guest operating system and workloads of virtual machines in Azure, other cloud providers, and on-premises. It collects data into a Log Analytics workspace.


Question 54

You have an Azure virtual machine named VM1 that runs Windows Server 2016.

You need to create an alert in Azure when more than two error events are logged to the System event log on VM1 within an hour.

Solution: You create an Azure storage account and configure shared access signatures (SASs). You install the Microsoft Monitoring Agent on VM1. You create an alert in Azure Monitor and specify the storage account as the source.

Does this meet the goal?

Answers


Explanation

You create an Azure Log Analytics workspace and configure the data settings. You install the Microsoft Monitoring Agent on VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.


Question 55

You have an Azure subscription that contains the resources shown in the following table.

VM1 connects to VNET1.

You need to connect VM1 to VNET2.

Solution: You move VM1 to RG2, and then you add a new network interface to VM1.

Does this meet the goal?

Answers


Explanation

Instead, you should delete VM1. You recreate VM1, and then you add the network interface for VM1.

Note: When you create an Azure virtual machine (VM), you must create a virtual network (VNet) or use an existing VNet. You can change the subnet a VM is connected to after it's created, but you cannot change the VNet.


Question 56

You have an Azure subscription that contains the resources shown in the following table.

VM1 connects to VNET1.

You need to connect VM1 to VNET2.

Solution: You delete VM1. You recreate VM1, and then you create a new network interface for VM1 and connect it to VNET2.

Does this meet the goal?

Answers


Explanation

You should delete VM1. You recreate VM1, and then you add the network interface for VM1.

Note: When you create an Azure virtual machine (VM), you must create a virtual network (VNet) or use an existing VNet. You can change the subnet a VM is connected to after it's created, but you cannot change the VNet.


Question 57

You have an Azure subscription that contains the resources shown in the following table.

VM1 connects to VNET1.

You need to connect VM1 to VNET2.

Solution: You move VM1 to RG2, and then you add a new network interface to VM1.

Does this meet the goal?

Answers


Explanation

Instead, you should delete VM1. You recreate VM1, and then you add the network interface for VM1.

Note: When you create an Azure virtual machine (VM), you must create a virtual network (VNet) or use an existing VNet. You can change the subnet a VM is connected to after it's created, but you cannot change the VNet.


Question 58

You have an Azure subscription that contains the resources shown in the following table.

VM1 connects to VNET1.

You need to connect VM1 to VNET2.

Solution: You turn off VM1, and then you add a new network interface to VM1.

Does this meet the goal?

Answers


Explanation

Instead, you should delete VM1. You recreate VM1, and then you add the network interface for VM1.

Note: When you create an Azure virtual machine (VM), you must create a virtual network (VNet) or use an existing VNet. You can change the subnet a VM is connected to after it's created, but you cannot change the VNet.


Question 59

You have an Azure subscription named Subscription1 that contains the quotas shown in the following table.

You deploy virtual machines to Subscription1 as shown in the following table.

You plan to deploy the virtual machines shown in the following table.

Choose all that apply:

Answers


Explanation

The total regional vCPUs is 20 so that means a maximum total of 20 vCPUs across all the different VM sizes. The deallocated VM with 16 vCPUs counts towards the total. VM20 and VM1 are using 18 of the maximum 20 vCPUs leaving only two vCPUs available.

Quota is calculated based on the total number of cores in use, both allocated and deallocated.


Question 60

You have an Azure subscription that contains an Azure Availability Set named WEBPROD-AS-USE2 as shown in the following exhibit.

You add 14 virtual machines to WEBPROD-AS-USE2.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

Answers


Explanation

There are 10 update domains. The 14 VMs are shared across the 10 update domains so four update domains will have two VMs and six update domains will have one VM. Only one update domain is rebooted at a time. Therefore, a maximum of two VMs will be offline.

There are 2 fault domains. The 14 VMs are shared across the 2 fault domains, so 7 VMs in each fault domain. A rack failure will affect one fault domain so 7 VMs will be offline.


Question 61

You deploy an Azure Kubernetes Service (AKS) cluster named Cluster1 that uses the IP addresses shown in the following table.

You need to provide internet users with access to the applications that run in Cluster1.

Which IP address should you include in the DNS record for Cluster1?

Answers


Explanation

LoadBalancer - Creates an Azure load balancer resource, configures an external IP address, and connects the requested pods to the load balancer backend pool. To allow customers' traffic to reach the application, load balancing rules are created on the desired ports.

The IP address for load balancers and services can be dynamically assigned, or you can specify an existing static IP address to use. Both internal and external static IP addresses can be assigned. This existing static IP address is often tied to a DNS entry.

Both internal and external load balancers can be created. Internal load balancers are only assigned a private IP address, so they can't be accessed from the Internet.


Question 62

You have a deployment template named Template1 that is used to deploy 10 Azure web apps.

You need to identify what to deploy before you deploy Template1. The solution must minimize Azure costs.

What should you identify?

Answers


Explanation

You create Azure web apps in an App Service plan.


Question 63

You plan to deploy an Azure container instance by using the following Azure Resource Manager template.

Answers




Question 64

You have an Azure subscription that contains a virtual machine named VM1. VM1 hosts a line-of-business application that is available 24 hours a day. VM1 has one network interface and one managed disk. VM1 uses the D4s v3 size.

You plan to make the following changes to VM1:

Change the size to D8s v3.

Add a 500-GB managed disk.

Add the Puppet Agent extension.

Enable Desired State Configuration Management.

Which change will cause downtime for VM1?

Answers


Explanation

While it is being resized, the VM must be in a stopped state.


Question 65

You have an app named App1 that runs on an Azure web app named webapp1.

The developers at your company upload an update of App1 to a Git repository named Git1.

Webapp1 has the deployment slots shown in the following table.

You need to ensure that the App1 update is tested before the update is made available to users.

Which two actions should you perform? Each correct answer presents part of the solution.

Answers




Question 66

You have an Azure subscription named Subscription1 that has the following providers registered:

Authorization

Automation

Resources

Compute

KeyVault

Network

Storage

Billing

Web

Subscription1 contains an Azure virtual machine named VM1 that has the following configurations:

Private IP address: 10.0.0.4 (dynamic)

Network security group (NSG): NSG1

Public IP address: None

Availability set: AVSet

Subnet: 10.0.0.0/24

Managed disks: No

Location: East US

You need to record all the successful and failed connection attempts to VM1.

Which three actions should you perform? Each correct answer presents part of the solution.

Answers


Explanation

A network security group (NSG) enables you to filter inbound traffic to, and outbound traffic from, a virtual machine (VM). You can log network traffic that flows through an NSG with Network Watcher's NSG flow log capability. In this tutorial, you learn how to:

Create a VM with a network security group

Enable Network Watcher and register the Microsoft.Insights provider

Enable a traffic flow log for an NSG, using Network Watcher's NSG flow log capability

Download logged data

View logged data


Question 67

You need to deploy an Azure virtual machine scale set that contains five instances as quickly as possible.

What should you do?

Answers


Explanation

Virtual machine scale sets will support 2 distinct orchestration modes:

ScaleSetVM – Virtual machine instances added to the scale set are based on the scale set configuration model. The virtual machine instance lifecycle - creation, update, deletion - is managed by the scale set.

VM (virtual machines) – Virtual machines created outside of the scale set can be explicitly added to the scale set.


Question 68

You plan to create the Azure web apps shown in the following table.

What is the minimum number of App Service plans you should create for the web apps?

Answers



Question 69

You have a pay-as-you-go Azure subscription that contains the virtual machines shown in the following table.

You create the budget shown in the following exhibit.

The AG1 action group contains a user named admin@contoso.com only.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

Answers


Explanation

The budget alerts are for resource group RG1, which includes VM1 but not VM2.

VM1 consumes 20 Euro/day. The 50% (500 Euro) limit will be reached in 25 days, and an email will be sent.

The 70% and 100% alert conditions will not be reached within a month, and they don't trigger email actions anyway.

Credit alerts: Credit alerts are generated automatically at 90% and at 100% of your Azure credit balance. Whenever an alert is generated, it's reflected in cost alerts and in the email sent to the account owners. 90% and 100% will not be reached though.


Question 70

You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.

Another administrator plans to create several network security groups (NSGs) in the subscription.

You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.

Solution: From the Resource providers blade, you unregister the Microsoft.ClassicNetwork provider.

Does this meet the goal?

Answers


Explanation

You should use a policy definition.

A resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing when the policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your resources.


Question 71

You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.

Another administrator plans to create several network security groups (NSGs) in the subscription.

You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.

Solution: You assign a built-in policy definition to the subscription.

Does this meet the goal?

Answers


Explanation

A resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing when the policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your resources.


Question 72

You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.

Another administrator plans to create several network security groups (NSGs) in the subscription.

You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.

Solution: You configure a custom policy definition, and then you assign the policy to the subscription.

Does this meet the goal?

Answers


Explanation

A resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing when the policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your resources.


Question 73

You have two Azure virtual networks named VNet1 and VNet2. VNet1 contains an Azure virtual machine named VM1. VNet2 contains an Azure virtual machine named VM2.

VM1 hosts a frontend application that connects to VM2 to retrieve data.

Users report that the frontend application is slower than usual.

You need to view the average round-trip time (RTT) of the packets from VM1 to VM2.

Which Azure Network Watcher feature should you use?

Answers


Explanation

Network Watcher Connection Monitor enables you to configure and track connection reachability, latency, and network topology changes. If there is an issue, it tells you why it occurred and how to fix it.

The IP flow verify capability enables you to specify a source and destination IPv4 address, port, protocol (TCP or UDP), and traffic direction (inbound or outbound). IP flow verify then tests the communication and informs you if the connection succeeds or fails. If the connection fails, IP flow verify tells you which security rule allowed or denied the communication, so that you can resolve the problem.

The connection troubleshoot capability enables you to test a connection between a VM and another VM, an FQDN, a URI, or an IPv4 address. The test returns information similar to that returned by the connection monitor capability, but tests the connection at a point in time, rather than monitoring it over time, as connection monitor does.

The NSG flow log capability allows you to log the source and destination IP address, port, protocol, and whether traffic was allowed or denied by an NSG.


Question 74

You have an Azure subscription that contains a policy-based virtual network gateway named GW1 and a virtual network named VNet1.

You need to ensure that you can configure a point-to-site connection from an on-premises computer to VNet1.

Which two actions should you perform? Each correct answer presents part of the solution.

Answers


Explanation

The type of VPN you can choose depends on the make and model of your VPN device, and the kind of VPN connection you intend to create. Choose a route-based gateway if you intend to use point-to-site, inter-virtual network, or multiple site-to-site connections; if you are creating a VPN type gateway to coexist with an ExpressRoute gateway; or if you need to use IKEv2. Policy-based gateways support only IKEv1.

Policy-based and route-based VPN devices differ in how the IPsec traffic selectors are set on a connection:

Policy-based VPN devices use the combinations of prefixes from both networks to define how traffic is encrypted/decrypted through IPsec tunnels. It is typically built on firewall devices that perform packet filtering. IPsec tunnel encryption and decryption are added to the packet filtering and processing engine.

Route-based VPN devices use any-to-any (wildcard) traffic selectors, and let routing/forwarding tables direct traffic to different IPsec tunnels. It is typically built on router platforms where each IPsec tunnel is modeled as a network interface or VTI (virtual tunnel interface).


Question 75

You have an Azure subscription that contains the resources in the following table:

In Azure, you create a private DNS zone named adatum.com. You set the registration virtual network to VNet2. The adatum.com zone is configured as shown in the following exhibit:

Choose all that apply:

Answers


Explanation

Azure DNS provides automatic registration of virtual machines from a single virtual network that's linked to a private zone as a registration virtual network. VM5 does not belong to the registration virtual network though.

Forward DNS resolution is supported across virtual networks that are linked to the private zone as resolution virtual networks. VM5 does belong to a resolution virtual network.

VM6 belongs to the registration virtual network, and an A (Host) record exists for VM9 in the DNS zone.

By default, registration virtual networks also act as resolution virtual networks, in the sense that DNS resolution against the zone works from any of the virtual machines within the registration virtual network.


Question 76

You have an Azure subscription that contains a virtual network named VNet1. VNet1 uses an IP address space of 10.0.0.0/16 and contains the subnets in the following table:

Subnet1 contains a virtual appliance named VM1 that operates as a router.

You create a routing table named RT1.

You need to route all inbound traffic from the VPN gateway to VNet1 through VM1.

How should you configure RT1? To answer, select the appropriate options in the answer area.

Answers




Question 77

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.

You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.

You need to ensure that visitors are serviced by the same web server for each request.

What should you configure?

Answers


Explanation

With sticky sessions, when a client starts a session on one of your web servers, the session stays on that specific server. To configure an Azure load balancer for sticky sessions, set Session persistence to Client IP.


Question 78

You have an Azure subscription that contains the virtual machines shown in the following table:

VM1 and VM2 use public IP addresses. From Windows Server 2019 on VM1 and VM2, you allow inbound Remote Desktop connections.

Subnet1 and Subnet2 are in a virtual network named VNET1.

The subscription contains two network security groups (NSGs) named NSG1 and NSG2. NSG1 uses only the default rules.

NSG2 uses the default rules and the following custom incoming rule:

Priority: 100

Name: Rule1

Port: 3389

Protocol: TCP

Source: Any

Destination: Any

Action: Allow

NSG1 is associated to Subnet1. NSG2 is associated to the network interface of VM2.

Choose all that apply:

Answers


Explanation

Default security rules

Azure creates the following default rules in each network security group that you create:

Inbound

| Name | Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
|---|---|---|---|---|---|---|---|
| AllowVNetInBound | 65000 | VirtualNetwork | 0-65535 | VirtualNetwork | 0-65535 | Any | Allow |
| AllowAzureLoadBalancerInBound | 65001 | AzureLoadBalancer | 0-65535 | 0.0.0.0/0 | 0-65535 | Any | Allow |
| DenyAllInbound | 65500 | 0.0.0.0/0 | 0-65535 | 0.0.0.0/0 | 0-65535 | Any | Deny |

Outbound

| Name | Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
|---|---|---|---|---|---|---|---|
| AllowVnetOutBound | 65000 | VirtualNetwork | 0-65535 | VirtualNetwork | 0-65535 | Any | Allow |
| AllowInternetOutBound | 65001 | 0.0.0.0/0 | 0-65535 | Internet | 0-65535 | Any | Allow |
| DenyAllOutBound | 65500 | 0.0.0.0/0 | 0-65535 | 0.0.0.0/0 | 0-65535 | Any | Deny |



Question 79

You have a virtual network named VNET1 that contains the subnets shown in the following table:

You have two Azure virtual machines that have the network configurations shown in the following table:

For NSG1, you create the inbound security rule shown in the following table:

For NSG2, you create the inbound security rule shown in the following table:

Choose all that apply:

Answers


Explanation

Priority only works within the specific NSG.

No rule explicitly blocks communication from VM1. The default rules, which allow communication, are thus applied.

No rule explicitly blocks communication between VM2 and VM3 which are both on Subnet2. The default rules, which allow communication, are thus applied.


Question 80

You have an Azure subscription named Subscription1.

Subscription1 contains the virtual machines in the following table:

Subscription1 contains a virtual network named VNet1 that has the subnets in the following table:

VM3 has multiple network adapters, including a network adapter named NIC3. IP forwarding is enabled on NIC3. Routing is enabled on VM3.

You create a route table named RT1 that contains the routes in the following table:

You apply RT1 to Subnet1 and Subnet2.

Choose all that apply:

Answers


Explanation

IP forwarding enables the virtual machine to which a network interface is attached to:

Receive network traffic not destined for one of the IP addresses assigned to any of the IP configurations assigned to the network interface.

Send network traffic with a different source IP address than the one assigned to one of a network interface's IP configurations.

The setting must be enabled for every network interface that is attached to the virtual machine that receives traffic that the virtual machine needs to forward. A virtual machine can forward traffic whether it has multiple network interfaces or a single network interface attached to it.

The routing table allows connections from VM3 to VM1 and VM2. And as IP forwarding is enabled on VM3, VM3 can connect to VM1.

VM3, which has IP forwarding, must be turned on, in order for VM2 to connect to VM1.


Question 81

Your on-premises network contains an SMB share named Share1.

You have an Azure subscription that contains the following resources:

A web app named webapp1

A virtual network named VNET1

You need to ensure that webapp1 can connect to Share1.

What should you deploy?

Answers


Explanation

A Site-to-Site VPN gateway connection can be used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel.

This type of connection requires a VPN device, a VPN gateway, located on-premises that has an externally facing public IP address assigned to it.


Question 82

You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource Manager template.

You need to ensure that NGINX is available on all the virtual machines after they are deployed.

What should you use?

Answers


Explanation

The Custom Script Extension downloads and executes scripts on Azure virtual machines. This extension is useful for post deployment configuration, software installation, or any other configuration or management tasks. Scripts can be downloaded from Azure storage or GitHub, or provided to the Azure portal at extension run time. The Custom Script Extension integrates with Azure Resource Manager templates, and can be run using the Azure CLI, PowerShell, Azure portal, or the Azure Virtual Machine REST API.


Question 83

You have an Azure subscription named Sub1.

You plan to deploy a multi-tiered application that will contain the tiers shown in the following table.

You need to recommend a networking solution to meet the following requirements:

Ensure that communication between the web servers and the business logic tier spreads equally across the virtual machines.

Protect the web servers from SQL injection attacks.

Which Azure resource should you recommend for each requirement? To answer, select the appropriate options in the answer area.

Answers


Explanation

Azure Internal Load Balancer (ILB) provides network load balancing between virtual machines that reside inside a cloud service or a virtual network with a regional scope.

Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities.


Question 84

Your company has three offices. The offices are located in Miami, Los Angeles, and New York. Each office contains a datacenter.

You have an Azure subscription that contains resources in the East US and West US Azure regions. Each region contains a virtual network. The virtual networks are peered.

You need to connect the datacenters to the subscription. The solution must minimize network latency between the datacenters.

What should you create?

Answers


Explanation

Azure Virtual WAN is a networking service that brings many networking, security, and routing functionalities together to provide a single operational interface. These functionalities include branch connectivity (via connectivity automation from Virtual WAN Partner devices such as SD-WAN or VPN CPE), Site-to-site VPN connectivity, remote user VPN (Point-to-site) connectivity, private (ExpressRoute) connectivity, intra-cloud connectivity (transitive connectivity for virtual networks), VPN ExpressRoute inter-connectivity, routing, Azure Firewall, and encryption for private connectivity. You do not have to have all of these use cases to start using Virtual WAN. You can simply get started with just one use case, and then adjust your network as it evolves.

The Virtual WAN architecture is a hub and spoke architecture with scale and performance built in for branches (VPN/SD-WAN devices), users (Azure VPN/OpenVPN/IKEv2 clients), ExpressRoute circuits, and virtual networks. It enables global transit network architecture, where the cloud hosted network 'hub' enables transitive connectivity between endpoints that may be distributed across different types of 'spokes'.

Azure regions serve as hubs that you can choose to connect to. All hubs are connected in full mesh in a Standard Virtual WAN making it easy for the user to use the Microsoft backbone for any-to-any (any spoke) connectivity. For spoke connectivity with SD-WAN/VPN devices, users can either manually set it up in Azure Virtual WAN, or use the Virtual WAN CPE (SD-WAN/VPN) partner solution to set up connectivity to Azure. We have a list of partners that support connectivity automation (ability to export the device info into Azure, download the Azure configuration and establish connectivity) with Azure Virtual WAN.


Question 85

You plan to deploy five virtual machines to a virtual network subnet.

Each virtual machine will have a public IP address and a private IP address.

Each virtual machine requires the same inbound and outbound security rules.

What is the minimum number of network interfaces and network security groups that you require?

Answers


Explanation

A public and a private IP address can be assigned to a single network interface.

You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. The same network security group can be associated to as many subnets and network interfaces as you choose.


Question 86

You have Azure virtual machines that run Windows Server 2019 and are configured as shown in the following table.

You create a private Azure DNS zone named adatum.com. You configure the adatum.com zone to allow auto registration from VNET1.

Which A records will be added to the adatum.com zone for each virtual machine?

Answers


Explanation

The virtual machines are registered (added) to the private zone as A records pointing to their private IP addresses.


Question 87

You have an Azure virtual network named VNet1 that connects to your on-premises network by using a site-to-site VPN. VNet1 contains one subnet named Subnet1.

Subnet1 is associated to a network security group (NSG) named NSG1. Subnet1 contains a basic internal load balancer named ILB1. ILB1 has three Azure virtual machines in the backend pool.

You need to collect data about the IP addresses that connect to ILB1. You must be able to run interactive queries from the Azure portal against the collected data.

What should you do? To answer, select the appropriate options in the answer area.

Answers


Explanation

In the Azure portal you can set up a Log Analytics workspace, which is a unique Log Analytics environment with its own data repository, data sources, and solutions.


Question 88

You have the Azure virtual networks shown in the following table.

To which virtual networks can you establish a peering connection from VNet1?

Answers



Question 89

You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains four subnets named Gateway, Perimeter, NVA, and Production.

The NVA subnet contains two network virtual appliances (NVAs) that will perform network traffic inspection between the Perimeter subnet and the Production subnet.

You need to implement an Azure load balancer for the NVAs. The solution must meet the following requirements:

The NVAs must run in an active-active configuration that uses automatic failover.

The NVA must load balance traffic to two services on the Production subnet. The services have different IP addresses.

Which three actions should you perform? Each correct answer presents part of the solution.

Answers


Explanation

A standard load balancer is required for the HA ports.

Two backend pools are needed as there are two services with different IP addresses.

Floating IP rule is used where backend ports are reused.


Question 90

You have an Azure subscription named Subscription1 that contains two Azure virtual networks named VNet1 and VNet2. VNet1 contains a VPN gateway named VPNGW1 that uses static routing. There is a site-to-site VPN connection between your on-premises network and VNet1.

On a computer named Client1 that runs Windows 10, you configure a point-to-site VPN connection to VNet1.

You configure virtual network peering between VNet1 and VNet2. You verify that you can connect to VNet2 from the on-premises network. Client1 is unable to connect to VNet2.

You need to ensure that you can connect Client1 to VNet2.

What should you do?

Answers



Question 91

You have an Azure subscription. The subscription contains virtual machines that run Windows Server 2016 and are configured as shown in the following table.

You create a public Azure DNS zone named adatum.com and a private Azure DNS zone named contoso.com.

You create a virtual network link for contoso.com as shown in the following exhibit.

Choose all that apply:

Answers


Explanation

If you enable autoregistration on a virtual network link, the DNS records for the virtual machines on that virtual network are registered in the private zone. When autoregistration is enabled, Azure DNS also updates the zone records whenever a virtual machine is created, changes its IP address, or is deleted.


Question 92

You have an Azure subscription that contains the resources in the following table.

To which subnets can you apply NSG1?

Answers


Explanation

All Azure resources are created in an Azure region and subscription. A resource can only be created in a virtual network that exists in the same region and subscription as the resource.


Question 93

You have an Azure subscription that contains two virtual networks named VNet1 and VNet2. Virtual machines connect to the virtual networks.

The virtual networks have the address spaces and the subnets configured as shown in the following table.

You need to add the address space of 10.33.0.0/16 to VNet1. The solution must ensure that the hosts on VNet1 and VNet2 can communicate.

Which three actions should you perform in sequence?

Answers


Explanation

You can't add address ranges to, or delete address ranges from, a virtual network's address space once a virtual network is peered with another virtual network.

To add or remove address ranges, delete the peering, add or remove the address ranges, then re-create the peering.


Question 94

You have an Azure subscription that contains the resource groups shown in the following table.

RG1 contains the resources shown in the following table.

VM1 is running and connects to NIC1 and Disk1. NIC1 connects to VNET1.

RG2 contains a public IP address named IP2 that is in the East US location. IP2 is not assigned to a virtual machine.

Choose all that apply:

Answers


Explanation

You can move storage

You can't move a NIC that is attached to a virtual machine to a new resource group.

Azure Public IPs are region specific and can't be moved from one region to another.


Question 95

You have an Azure web app named webapp1.

Users report that they often experience HTTP 500 errors when they connect to webapp1.

You need to provide the developers of webapp1 with real-time access to the connection errors. The solution must provide all the connection error details.

What should you do first?

Answers


Explanation

To enable web server logging for Windows apps in the Azure portal, navigate to your app and select App Service logs.

For Web server logging, select Storage to store logs on blob storage, or File System to store logs on the App Service file system.

In Retention Period (Days), set the number of days the logs should be retained.


Question 96

You create a Recovery Services vault backup policy named Policy1 as shown in the following exhibit:

Answers




Question 97

You have the Azure virtual machines shown in the following table:

You have a Recovery Services vault that protects VM1 and VM2.

You need to protect VM3 and VM4 by using Recovery Services.

What should you do first?

Answers


Explanation

Back up the VM to a different region or subscription: Not supported.

To successfully back up, virtual machines must be in the same subscription as the vault for backup.


Question 98

You have an Azure subscription that contains an Azure Storage account named storage1 and the users shown in the following table.

You plan to monitor storage1 and to configure email notifications for the signals shown in the following table.

You need to identify the minimum number of alert rules and action groups required for the planned monitoring.

How many alert rules and action groups should you identify?

Answers




Question 99

Overview

Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market.

Contoso products are manufactured by using blueprint files that the company authors and maintains.

Existing Environment

Currently, Contoso uses multiple types of servers for business operations, including the following:

File servers

Domain controllers

Microsoft SQL Server servers

Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.

You have a public-facing application named App1. App1 is comprised of the following three tiers:

A SQL database

A web front end

A processing middle tier

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

Requirements

Planned Changes

Contoso plans to implement the following changes to the infrastructure:

Move all the tiers of App1 to Azure.

Move the existing product blueprint files to Azure Blob storage.

Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.

Technical Requirements

Contoso must meet the following technical requirements:

Move all the virtual machines for App1 to Azure.

Minimize the number of open ports between the App1 tiers.

Ensure that all the virtual machines for App1 are protected by backups.

Copy the blueprint files to Azure over the Internet.

Ensure that the blueprint files are stored in the archive storage tier.

Ensure that partner access to the blueprint files is secured and temporary.

Prevent user passwords or hashes of passwords from being stored in Azure.

Use unmanaged standard storage for the hard disks of the virtual machines.

Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.

Minimize administrative effort whenever possible.

User Requirements

Contoso identifies the following requirements for users:

Ensure that only users who are part of a group named Pilot can join devices to Azure AD.

Designate a new user named Admin1 as the service admin for the Azure subscription.

Admin1 must receive email alerts regarding service outages.

Ensure that a new user named User3 can create network objects for the Azure subscription.

Answers


Explanation

A Recovery Services vault is a logical container that stores the backup data for each protected resource, such as Azure VMs. When the backup job for a protected resource runs, it creates a recovery point inside the Recovery Services vault.

There are three application tiers, each with five virtual machines.

Move all the virtual machines for App1 to Azure.

Ensure that all the virtual machines for App1 are protected by backups.

Azure Storage Explorer is a free tool from Microsoft that allows you to work with Azure Storage data on Windows, macOS, and Linux. You can use it to upload and download data from Azure blob storage.

Planned Changes include: move the existing product blueprint files to Azure Blob storage.

Technical Requirements include: Copy the blueprint files to Azure over the Internet.

Contoso is moving the existing product blueprint files to Azure Blob storage.

Use unmanaged standard storage for the hard disks of the virtual machines. We use Page Blobs for these.

Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers:

A SQL database

A web front end

A processing middle tier

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

Technical requirements include:

Move all the virtual machines for App1 to Azure.

Minimize the number of open ports between the App1 tiers.
