az-104 dumps topic 2, 1-90(101) Flashcards

Question 1

Q

You have an Azure subscription named Subscription1 that contains a resource group named RG1.
In RG1, you create an internal load balancer named LB1 and a public load balancer named LB2.
You need to ensure that an administrator named Admin1 can manage LB1 and LB2. The solution must follow the principle of least privilege.
Which role should you assign to Admin1 for each task? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

To add a backend pool to LB1:
Contributor on LB1
Network Contributor on LB1
Network Contributor on RG1
Owner on LB1
To add a health probe to LB2:
Contributor on LB2
Network Contributor on LB2
Network Contributor on RG1
Owner on LB2

Answer

A

The Network Contributor role lets you manage networks, but not access them.

Question 2

Q

You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com and an Azure Kubernetes Service (AKS) cluster named AKS1.
An administrator reports that she is unable to grant access to AKS1 to the users in contoso.com.
You need to ensure that access to AKS1 can be granted to the contoso.com users.
What should you do first?
A. From contoso.com, modify the Organization relationships settings.
B. From contoso.com, create an OAuth 2.0 authorization endpoint.
C. Recreate AKS1.
D. From AKS1, create a namespace.

Answer

A

B. From contoso.com, create an OAuth 2.0 authorization endpoint.

Cluster administrators can configure Kubernetes role-based access control (Kubernetes RBAC) based on a user’s identity or directory group membership. Azure AD authentication is provided to AKS clusters with OpenID Connect. OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol

Question 3

Q

You have a Microsoft 365 tenant and an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to grant three users named User1, User2, and User3 access to a temporary Microsoft SharePoint document library named Library1.
You need to create groups for the users. The solution must ensure that the groups are deleted automatically after 180 days.
Which two groups should you create? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. a Microsoft 365 group that uses the Assigned membership type
B. a Security group that uses the Assigned membership type
C. a Microsoft 365 group that uses the Dynamic User membership type
D. a Security group that uses the Dynamic User membership type
E. a Security group that uses the Dynamic Device membership type

Answer

A

A. a Microsoft 365 group that uses the Assigned membership type
C. a Microsoft 365 group that uses the Dynamic User membership type

You can set expiration policy only for Office 365 groups in Azure Active Directory (Azure AD).
Note: With the increase in usage of Office 365 Groups, administrators and users need a way to clean up unused groups. Expiration policies can help remove inactive groups from the system and make things cleaner.
When a group expires, all of its associated services (the mailbox, Planner, SharePoint site, etc.) are also deleted.
You can set up a rule for dynamic membership on security groups or Office 365 groups.

Question 4

Q

You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table:
Name Туре Member of
User1 Member Group1
User2 Guest Group1
User3 Member None
UserA Member Group2
UserB Guest Group2

User3 is the owner of Group1.
Group2 is a member of Group1.
You configure an access review named Review1 as shown in the following exhibit:

Create an access review
Access reviews enable reviewers to attest user’s membership in a group or access to an application.
* Review name: Review1
Description:
* Start date: 2018-11-22
Frequency: One time
Duration (in days): 1
End: Never/End by Occurrences
* Number of times: 0
* End date: 2018-12-22
Users
Users to review: Members of a group
Scope: +Guest users only/Everyone
* Group: Group1
Reviewers
Reviewers: Group owners
Programs
Link to program
Default program
Upon completion settings
Adavanced settings

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

User3 can perform an access review of User1
User3 can perform an access review of UserA
User3 can perform an access review of UserB

Answer

A

User3 can perform an access review of User1 - No
User3 can perform an access review of UserA - No
User3 can perform an access review of UserB - Yes

Question 5

Q

You have the Azure management groups shown in the following table:

Name In management group
Tenant Root Group Not applicable
ManagementGroup11 Tenant Root Group
ManagementGroup12 Tenant Root Group
ManagementGroup21 ManagementGroup11

You add Azure subscriptions to the management groups as shown in the following table:

Name Management group
Subscription1 ManagementGroup21
Subscription2 ManagementGroup12

You create the Azure policies shown in the following table:

Name Parameter Scope
Not allowed resource types virtualNetworks Tenant Root Group
Allowed resource types virtualNetworks ManagementGroup12

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

You can create a virtual network in Subscription1.
You can create a virtual machine in Subscription2.
You can add Subscription1 to ManagementGroup11.

Answer

A

You can create a virtual network in Subscription1 - No
You can create a virtual machine in Subscription2 - Yes
You can add Subscription1 to ManagementGroup11 - Yes

Question 6

Q

You have an Azure policy as shown in the following exhibit:

SCOPE
Scope: Subscription 1
Exclusions: Subscription 1/ContosoRG1
BASICS
Policy definition: Not allowed resource types
Assignment name: Not allowed resource types
Assignment ID: /subscriptions/5eb8d0b6-ce3b-4ce0-a631-9f5321bedabb/providers/Microsoft.Authorization/policyAssignments/0e6fb866bf854f54accae2a9
Description:
Assigned by: admin1@contoso.com
PARAMETERS
Not allowed resource types → Microsoft.Sql/servers
What is the effect of the policy?
A. You are prevented from creating Azure SQL servers anywhere in Subscription 1.
B. You can create Azure SQL servers in ContosoRG1 only.
C. You are prevented from creating Azure SQL Servers in ContosoRG1 only.
D. You can create Azure SQL servers in any resource group within Subscription 1.

Answer

A

B. You can create Azure SQL servers in ContosoRG1 only.

Question 7

Q

You have an Azure subscription that contains the resources shown in the following table:
Name Туре Resource group Tag
RG6 Resource group Not applicable None
VNET1 Virtual network RG6 Department: D1
You assign a policy to RG6 as shown in the following table:
Section Setting Value
Scope Scope Subscription1/RG6
Exclusions None
Basics Policy definition Apply tag and its default value
Assignment name Apply tag and its default value
Parameters Tag name Label
Tag value Value1
To RG6, you apply the tag: RGroup: RG6.
You deploy a virtual network named VNET2 to RG6.
Which tags apply to VNET1 and VNET2? To answer, select the appropriate options in the answer area.

VNET1:
None
Department: D1 only
Department: D1, and RGroup: RG6 only
Department: D1, and Label: Value1 only
Department: D1, RGroup: RG6, and Label: Value1
VNET2:
None
RGroup: RG6 only
Label: Value1 only
RGroup: RG6, and Label: Value1

Answer

A

VNET1: Department: D1
VNET2: Label: Value1 only

Incorrect Answers:
RGROUP: RG6 - Tags applied to the resource group or subscription are not inherited by the resources.
resources created before policy creation will not inherit the policy rules.

Question 8

Q

You have an Azure subscription named AZPT1 that contains the resources shown in the following table:

Name Туре
storage1 Azure Storage account
VNET1 Virtual network
VM1 Azure virtual machine
VM1Managed Managed disk for VM1
RVAULT1 Recovery Services vault for the site recovery of VM1

You create a new Azure subscription named AZPT2.
You need to identify which resources can be moved to AZPT2.
Which resources should you identify?
A. VM1, storage1, VNET1, and VM1Managed only
B. VM1 and VM1Managed only
C. VM1, storage1, VNET1, VM1Managed, and RVAULT1
D. RVAULT1 only

Answer

A

C. VM1, storage1, VNET1, VM1Managed, and RVAULT1
You can move a VM and its associated resources to a different subscription by using the Azure portal.
You can now move an Azure Recovery Service (ASR) Vault to either a new resource group within the current subscription or to a new subscription.

Question 9

Q

You recently created a new Azure subscription that contains a user named Admin1.
Admin1 attempts to deploy an Azure Marketplace resource by using an Azure Resource Manager template. Admin1 deploys the template by using Azure
PowerShell and receives the following error message: User failed validation to purchase resources. Error message: Legal terms have not been accepted for this item on this subscription. To accept legal terms, please go to the Azure portal (http://go.microsoft.com/fwlink/?LinkId=534873) and configure programmatic deployment for the Marketplace item or create it there for the first time.`
You need to ensure that Admin1 can deploy the Marketplace resource successfully.
What should you do?
A. From Azure PowerShell, run the Set-AzApiManagementSubscription cmdlet
B. From the Azure portal, register the Microsoft.Marketplace resource provider
C. From Azure PowerShell, run the Set-AzMarketplaceTerms cmdlet
D. From the Azure portal, assign the Billing administrator role to Admin1

Answer

A

C. From Azure PowerShell, run the Set-AzMarketplaceTerms cmdlet

https://learn.microsoft.com/en-us/powershell/module/az.marketplaceordering/set-azmarketplaceterms?view=azps-11.2.0

Question 10

Q

You have an Azure Active Directory (Azure AD) tenant that contains 5,000 user accounts.
You create a new user account named AdminUser1.
You need to assign the User administrator administrative role to AdminUser1.
What should you do from the user account properties?
A. From the Licenses blade, assign a new license
B. From the Directory role blade, modify the directory role
C. From the Groups blade, invite the user account to a new group

Answer

A

B. From the Directory role blade, modify the directory role

Sign in to the Azure portal with an account that’s a global admin or privileged role admin for the directory.
Select Azure Active Directory, select Users, and then select a specific user from the list.
For the selected user, select Directory role, select Add role, and then pick the appropriate admin roles from the Directory roles list, such as Conditional access administrator.
Press Select to save.

Question 11

Q

You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains 100 user accounts.
You purchase 10 Azure AD Premium P2 licenses for the tenant.
You need to ensure that 10 users can use all the Azure AD Premium features.
What should you do?
A. From the Licenses blade of Azure AD, assign a license
B. From the Groups blade of each user, invite the users to a group
C. From the Azure AD domain, add an enterprise application
D. From the Directory role blade of each user, modify the directory role

Answer

A

A. From the Licenses blade of Azure AD, assign a license

Active Directory-> Manage Section > Choose Licenses -> All Products -> Select Azure Active Directory Premium P2 -> Then assign a user to it.

Question 12

Q

You have an Azure subscription named Subscription1 and an on-premises deployment of Microsoft System Center Service Manager.
Subscription1 contains a virtual machine named VM1.
You need to ensure that an alert is set in Service Manager when the amount of available memory on VM1 is below 10 percent.
What should you do first?
A. Create an automation runbook
B. Deploy a function app
C. Deploy the IT Service Management Connector (ITSM)
D. Create a notification

Answer

A

C. Deploy the IT Service Management Connector (ITSM)

IT Service Management Connector (ITSMC) allows you to connect Azure to a supported IT Service Management (ITSM) product or service. Azure services like Azure Log Analytics and Azure Monitor provide tools to detect, analyze, and troubleshoot problems with your Azure and non-Azure resources. But the work items related to an issue typically reside in an ITSM product or service. ITSMC provides a bi-directional connection between Azure and ITSM tools to help you resolve issues faster. ITSMC supports connections with the following ITSM tools: ServiceNow, System Center Service Manager, Provance, Cherwell.

Question 13

Q

You sign up for Azure Active Directory (Azure AD) Premium P2.
You need to add a user named admin1@contoso.com as an administrator on all the computers that will be joined to the Azure AD domain.
What should you configure in Azure AD?
A. Device settings from the Devices blade
B. Providers from the MFA Server blade
C. User settings from the Users blade
D. General settings from the Groups blade

Answer

A

A. Device settings from the Devices blade

When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principles to the local administrators group on the device:
✑ The Azure AD global administrator role
✑ The Azure AD device administrator role
✑ The user performing the Azure AD join
In the Azure portal, you can manage the device administrator role on the Devices page. To open the Devices page:
1. Sign in to your Azure portal as a global administrator or device administrator.
2. On the left navbar, click Azure Active Directory.
3. In the Manage section, click Devices.
4. On the Devices page, click Device settings.
5. To modify the device administrator role, configure Additional local administrators on Azure AD joined devices.

Question 14

Q

You have Azure Active Directory tenant named Contoso.com that includes following users:
Name Role
User1 Cloud device administrator
User2 User administrator
Contoso.com includes following Windows 10 devices:
Name Join type
Device1 Azure AD registered
Device2 Azure AD joined
You create following security groups in Contoso.com:
Name Membership Type Owner
Group1 Assigned User2
Group2 Dynamic Device User2
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
User1 can add Device2 to Group1
User2 can add Device1 to Group1
User2 can add Device2 to Group2

Answer

A

User1 can add Device2 to Group1: No (because User1 is Cloud Device Admin and cannot change the group membership for Group1)

User2 can add Device1 to Group1: Yes (because User2 is Group Owner which has the requisite authority for changing group membership. furthermore, Group1 has Assigned membership type)

User2 can add Device2 to Group2: No (because though User2 is Group Owner with requisite rights but Group2 has Dynamic Device membership type)

Explaination:
Groups can contain both registered and joined devices as members.
As a global administrator or cloud device administrator, you can manage the registered or joined devices. Intune Service administrators can update and delete devices. User administrator can manage users but not devices.
User1 is a cloud device administrator. Users in this role can enable, disable, and delete devices in Azure AD and read Windows 10 BitLocker keys (if present) in the Azure portal. The role does not grant permissions to manage any other properties on the device.

User2 is the owner of Group1. He can add Device1 to Group1.

Group2 is configured for dynamic membership. The properties on which the membership of a device in a group of the type dynamic device are defined cannot be changed by either an end user or an user administrator. User2 cannot add any device to Group2.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal

Question 15

Q

You have an Azure subscription that contains a resource group named RG26.
RG26 is set to the West Europe location and is used to create temporary resources for a project. RG26 contains the resources shown in the following table.

Name Туре Location
VM1 Virtual machine North Europe
RGV1 Recovery Services vault North Europe
SQLD01 SQL server in Azure VM North Europe
sa001 Storage account West Europe

SQLDB01 is backed up to RGV1.
When the project is complete, you attempt to delete RG26 from the Azure portal. The deletion fails.
You need to delete RG26.
What should you do first?
A. Delete VM1
B. Stop VM1
C. Stop the backup of SQLDB01
D. Delete sa001

Answer

A

C. Stop the backup of SQLDB01

Question 16

Q

You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1.
Subscription1 has a user named User1. User1 has the following roles:
✑ Reader
✑ Security Admin
✑ Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users.
What should you do?
A. Remove User1 from the Security Reader and Reader roles for Subscription1.
B. Assign User1 the User Access Administrator role for VNet1.
C. Assign User1 the Network Contributor role for VNet1.
D. Assign User1 the Network Contributor role for RG1.
E. Remove User1 from the Security Reader and Reader roles for Subscription1. Assign User1 the Contributor role for Subscription1.
F. Assign User1 the Owner role for VNet1.
G. Remove User1 from the Security Reader role for Subscription1. Assign User1 the Contributor role for RG1.
H. Assign User1 the Contributor role for VNet1.

Answer

A

B. Assign User1 the User Access Administrator role for VNet1.
F. Assign User1 the Owner role for VNet1.

Owner = Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
Contributor = Grants full access to manage all resources, but does NOT allow you to assign roles in Azure RBAC. (you cannot add users or changes their rights)
User Access Administrator = Lets you manage user access to Azure resources.
Reader = View all resources, but does not allow you to make any changes.
Security Admin = View and update permissions for Security Center. Same permissions as the Security Reader role and can also update the security policy and dismiss alerts and recommendations.
Network Contributor = Lets you manage networks, but not access to them. (so you can add VNET, subnet, etc)

Question 17

Q

You have an Azure Active Directory (Azure AD) tenant named contosocloud.onmicrosoft.com.
Your company has a public DNS zone for contoso.com.
You add contoso.com as a custom domain name to Azure AD.
You need to ensure that Azure can verify the domain name.
Which type of DNS record should you create? (choose all correct options)
A. MX
B. NSEC
C. PTR
D. RRSIG
E. SRV
F. TXT
G. NSEC3

Answer

A

A. MX
F. TXT
To verify your custom domain name (example)
1. Sign in to the Azure portal using a Global administrator account for the directory.
2. Select Azure Active Directory, and then select Custom domain names.
3. On the Fabrikam - Custom domain names page, select the custom domain name, Contoso.
4. On the Contoso page, select Verify to make sure your custom domain is properly registered and is valid for Azure AD. Use either the TXT or the MX record type.

Question 18

Q

You have an Azure Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named Developers.
Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Subscription1, you assign the DevTest Labs User role to the Developers group.
Does this meet the goal?
A. Yes
B. No

Answer

A

B. No
The Azure DevTest Labs is a role used for Azure DevTest Labs, not for Logic Apps.
DevTest Labs User role only lets you connect, start, restart, and shutdown virtual machines in your Azure DevTest Labs.
The Logic App Contributor role lets you manage logic app, but not access to them. It provides access to view, edit, and update a logic app.

Question 19

Q

You have an Azure Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named Developers.
Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Subscription1, you assign the Logic App Operator role to the Developers group.
Does this meet the goal?
A. Yes
B. No

Answer

A

B. No
You would need the Logic App Contributor role.

Question 20

Q

You have an Azure Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named Developers.
Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Dev, you assign the Contributor role to the Developers group.
Does this meet the goal?
A. Yes
B. No

Answer

A

A. Yes
The Contributor role can manage all resources (and add resources) in a Resource Group.

Question 21

Q

DRAG DROP -
You have an Azure subscription that is used by four departments in your company. The subscription contains 10 resource groups. Each department uses resources in several resource groups.
You need to send a report to the finance department. The report must detail the costs for each department.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:

Actions
- Assign a tag to each resource group.
-Assign a tag to each resource.
- Download the usage report.
- From the Cost analysis blade, filter the view by tag.
- Open the Resource costs blade of each resource group.

Answer

A

-Assign a tag to each resource.
- From the Cost analysis blade, filter the view by tag.
- Download the usage report.

Question 22

Q

You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1.
You need to view the error events from a table named Event.
Which query should you run in Workspace1? (chose all correct)
A. Get-Event Event | where {$_.EventType == “error”}
B. search in (Event) “error”
C. Event | where EventType == “error”
D select * from Event where EventType == “error”
E. search in (Event) * | where EventType -eq “error”
F. select * from Event where EventType is “error”
G. Event | where EventType is “error”
H. search in (Event) * | where EventType == “error”
I. Event | search “error”

Answer

A

B. search in (Event) “error”
C. Event | where EventType == “error”
I. Event | search “error”

Question 23

Q

You have an Azure subscription that contains a virtual network named VNET1 in the East US 2 region. A network interface named VM1-NI is connected to VNET1.
You successfully deploy the following Azure Resource Manager template.
{
“apiVersion”: “2017-03-30”,
“type”: “Microsoft.Compute/virtualMachines”,
“name”: “VM1”,
“zones”: “1”,
“location”: “EastUS2”,
“dependsOn”: [
“[resourceId(‘Microsoft.Network/networkInterfaces’, ‘VM1-NI’)]”
],
“properties”: {
“hardwareProfile”: {
“vmSize”: “Standard_A2_v2”
},
“osProfile”: {
“computerName”: “VM1”,
“adminUsername”: “AzureAdmin”,
“adminPassword”: “[parameters(‘adminPassword’)]”
},
“storageProfile”: {
“imageReference”: “[variables (‘image’)]”,
“osDisk”: {
“createOption”: “FromImage”
} },
“networkProfile”: {
“networkInterfaces”: [ {
“id”: “[resourceId(‘Microsoft.Network/networkInterfaces’, ‘VM1-NI’)]”
} ] } } },
{
“apiVersion”: “2017-03-30”,
“type”: “Microsoft.Compute/virtualMachines”,
“name”: “VM2”,
“zones”: “2”,
“location: “EastUS2”,
“dependsOn”: [
“[resourceId(‘Microsoft.Network/networkInterfaces’, ‘VM2-NI’)]”
],
“properties”: {
“hardwareProfile”: {
“vmSize”: “Standard_A2_v2”
},
“osProfile”: {
“computerName”: “VM2”,
“adminUsername”: “AzureAdmin”,
“adminPassword”: “[parameters (‘adminPassword’)]”
},
“storageProfile”: {
“imageReference”: “[variables(‘image’)]”,
“osDisk”: {
“createOption”: “FromImage”
} },
“networkProfile”: {
“networkInterfaces”: [ {
“id”: “[resourceId(‘Microsoft.Network/networkInterfaces’, ‘VM2-NI’)]”
} ] } } }
For each of the following statements, select Yes if the statement is true. Otherwise, select No.

VM1 and VM2 can connect to VNET1
If an Azure datacenter becomes unavailable, VM1 or VM2 will be available.
If the East US 2 region becomes unavailable, VM1 or VM2 will be available.

Answer

A

VM1 and VM2 can connect to VNET1 - Yes
If an Azure datacenter becomes unavailable, VM1 or VM2 will be available - Yes (VM1 is in Zone1, while VM2 is on Zone2)
If the East US 2 region becomes unavailable, VM1 or VM2 will be available - No

Question 24

Q

You have an Azure subscription named Subscription1. Subscription1 contains the resource groups in the following table.

Name Azure region Policy
RG1 West Europe Policy1
RG2 North Europe Policy2
RG3 France Central Policy3

RG1 has a web app named WebApp1. WebApp1 is located in West Europe. You move WebApp1 to RG2.
What is the effect of the move?

A. The App Service plan for WebApp1 remains in West Europe. Policy2 applies to WebApp1.
B. The App Service plan for WebApp1 moves to North Europe. Policy2 applies to WebApp1.
C. The App Service plan for WebApp1 remains in West Europe. Policy1 applies to WebApp1.
D. The App Service plan for WebApp1 moves to North Europe. Policy1 applies to WebApp1.

Answer

A

A. The App Service plan for WebApp1 remains in West Europe. Policy2 applies to WebApp1.

You can only move a resource to a Resource Group or Subscription, but the location stays the same. When you move WebApp1 to RG2, the resource will be restricted based on the policy of the new Resource Group (Policy2).

You can move an app to another App Service plan, as long as the source plan and the target plan are in the same resource group and geographical region.
The region in which your app runs is the region of the App Service plan it’s in. However, you cannot change an App Service plan’s region.

Question 25

Q

You have an Azure subscription named Subscription1 that has a subscription ID of c276fc76-9cd4-44c9-99a7-4fd71546436e.
You need to create a custom RBAC role named CR1 that meets the following requirements:
✑ Can be assigned only to the resource groups in Subscription1
✑ Prevents the management of the access permissions for the resource groups
✑ Allows the viewing, creating, modifying, and deleting of resources within the resource groups
What should you specify in the assignable scopes and the permission elements of the definition of CR1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer Area
“assignableScopes”:[ …
- “”
- “/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e”
- “/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups”
],
“permissions”: [ {
“actions”: [ “” ],
“additional Properties”:{},
“dataActions”: [],
“notActions”: [ …
- “Microsoft Authorization/”
- “Microsoft.Resources/”
- “Microsoft.Security/”
],
“notDataActions”: [ ] } ],

Answer

A

“/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups” - checked in Azure it’s invalid scope, so it’s either “/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e” or adding every rg as “/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups/{rg-name}”
“Microsoft Authorization/*”

Question 26

Q

You have an Azure subscription.
Users access the resources in the subscription from either home or from customer sites. From home, users must establish a point-to-site VPN to access the Azure resources. The users on the customer sites access the Azure resources by using site-to-site VPNs.
You have a line-of-business-app named App1 that runs on several Azure virtual machine. The virtual machines run Windows Server 2016.
You need to ensure that the connections to App1 are spread across all the virtual machines.
What are two possible Azure services that you can use? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. an internal load balancer
B. a public load balancer
C. an Azure Content Delivery Network (CDN)
D. Traffic Manager
E. an Azure Application Gateway

Answer

A

A. an internal load balancer
E. an Azure Application Gateway

A: The customer sites are connected through VPNs, so an internal load balancer is enough.
B: The customer sites are connected through VPNs, so there’s no need for a public load balancer, an internal load balancer is enough.
C: A CDN does not provide load balancing for applications, so it not relevant for this situation.
D: Traffic manager is a DNS based solution to direct users’ requests to the nearest (typically) instance and does not provide load balancing for this situation.
E: Azure Application Gateway is a valid option, as it provides load balancing in addition to routing and security functions

Question 27

Q

You have an Azure subscription.
You have 100 Azure virtual machines.
You need to quickly identify underutilized virtual machines that can have their service tier changed to a less expensive offering.
Which blade should you use?
A. Monitor
B. Advisor
C. Metrics
D. Customer insights

Answer

A

B. Advisor

Advisor helps you optimize and reduce your overall Azure spend by identifying idle and underutilized resources. You can get cost recommendations from the Cost tab on the Advisor dashboard.

The Advisor dashboard displays personalized recommendations for all your subscriptions. You can apply filters to display recommendations for specific subscriptions and resource types. The recommendations are divided into five categories:

Reliability (formerly called High Availability): To ensure and improve the continuity of your business-critical applications. For more information, see Advisor Reliability recommendations.

Security: To detect threats and vulnerabilities that might lead to security breaches. For more information, see Advisor Security recommendations.

Performance: To improve the speed of your applications. For more information, see Advisor Performance recommendations.

Cost: To optimize and reduce your overall Azure spending. For more information, see Advisor Cost recommendations.

Operational Excellence: To help you achieve process and workflow efficiency, resource manageability and deployment best practices. . For more information, see Advisor Operational Excellence recommendations.

Question 28

Q

You have an Azure Active Directory (Azure AD) tenant.
You need to create a conditional access policy that requires all users to use multi-factor authentication when they access the Azure portal.
Which three settings should you configure? To answer, select the appropriate settings in the answer area.

Answer Area
* Name: Policy1
Assignments:
- Users and groups
0 users and groups selected
- Cloud apps
0 cloud apps selected
- Conditions
0 conditions selected
Access controls:
- Grant
0 controls selected
- Session

Answer

A

Select Users & Groups : Where you have to choose all users.
Select Cloud apps or actions: To specify the Azure portal
Select Grant: To grant the MFA.

Those are the minimum requirements to create MFA policy. No conditions are required in the question.

Question 29

Q

You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.
The User administrator role is assigned to a user named Admin1.
An external partner has a Microsoft account that uses the user1@outlook.com sign in.
Admin1 attempts to invite the external partner to sign in to the Azure AD tenant and receives the following error message: Unable to invite user user1@outlook.com ” Generic authorization exception.`
You need to ensure that Admin1 can invite the external partner to sign in to the Azure AD tenant.
What should you do?
A. From the Users settings blade, modify the External collaboration settings.
B. From the Custom domain names blade, add a custom domain.
C. From the Organizational relationships blade, add an identity provider.
D. From the Roles and administrators blade, assign the Security administrator role to Admin1.

Answer

A

A. From the Users settings blade, modify the External collaboration settings.

You can adjust the guest user settings, their access, who can invite them from “External collaboration settings”

Question 30

Q

You have an Azure subscription linked to an Azure Active Directory tenant. The tenant includes a user account named User1.
You need to ensure that User1 can assign a policy to the tenant root management group.
What should you do?
A. Assign the Owner role for the Azure Subscription to User1, and then modify the default conditional access policies.
B. Assign the Owner role for the Azure subscription to User1, and then instruct User1 to configure access management for Azure resources.
C. Assign the Global administrator role to User1, and then instruct User1 to configure access management for Azure resources.
D. Create a new management group and delegate User1 as the owner of the new management group.

Answer

A

C. Assign the Global administrator role to User1, and then instruct User1 to configure access management for Azure resources.

No one is given default access to the root management group. Azure AD Global Administrators are the only users that can elevate themselves to gain access. Once they have access to the root management group, the global administrators can assign any Azure role to other users to manage it.

Question 31

Q

You have an Azure Active Directory (Azure AD) tenant named adatum.com. Adatum.com contains the groups in the following table.

Name Group type Membership type Membership rule
Group1 Security Dynamic user (user.city -startsWith “m”
Group2 Microsoft 365 Dynamic user (user.department -notIn
[“human resources”])
Group3 Microsoft 365 Assigned Not applicable

You create two user accounts that are configured as shown in the following table.

Name City Department Office 365 license assigned
User1 Montreal Human resources Yes
User2 Melbourne Marketing No

Of which groups are User1 and User2 members? To answer, select the appropriate options in the answer area.

User1:
User2:
- Group1 only
- Group2 only
- Group3 only
- Group1 and Group2 only
- Group1 and Group3 only
- Group2 and Group3 only
- Group1, Group2, Group3

Answer

A

User1: Group1
User2: Group1, Group2

Question 32

Q

You have a hybrid deployment of Azure Active Directory (Azure AD) that contains the users shown in the following table.

Name Type Source
User1 Member Azure AD
User2 Member Windows Server Active Directory
User3 Guest Microsoft account

You need to modify the JobTitle and UsageLocation attributes for the users.
For which users can you modify the attributes from Azure AD? To answer, select the appropriate options in the answer area.

JobTitle:
UsageLocation:
- User1 only
- User1 and User2 only
- User1 and User3 only
- User1, User2, and User3

Answer

A

JobTitle: - User1 and User3 only
You must use Windows Server Active Directory to update the identity, contact info, or job info for users whose source of authority is Windows Server Active
UsageLocation: - User1, User2, and User3

Question 33

Q

You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Network Contributor role at the subscription level to Admin1.
Does this meet the goal?
A. Yes
B. No

Answer

A

A. Yes
One of the following roles can enable Traffic Analytics:
Owner
Contributor
Network Contributor
Monitoring Contributor
(https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics#prerequisites)

Question 34

Q

You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Owner role at the subscription level to Admin1.
Does this meet the goal?
A. Yes
B. No

Answer

A

A. Yes
One of the following roles can enable Traffic Analytics:
Owner
Contributor
Network Contributor
Monitoring Contributor
(https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics#prerequisites)

Question 35

Q

You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Reader role at the subscription level to Admin1.
Does this meet the goal?
A. Yes
B. No

Answer

A

B. No
One of the following roles can enable Traffic Analytics:
Owner
Contributor
Network Contributor
Monitoring Contributor
(https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics#prerequisites)

Question 36

Q

You have an Azure subscription that contains a user named User1.
You need to ensure that User1 can deploy virtual machines and manage virtual networks. The solution must use the principle of least privilege.
Which role-based access control (RBAC) role should you assign to User1?
A. Owner
B. Virtual Machine Contributor
C. Contributor
D. Virtual Machine Administrator Login

Answer

A

C. Contributor

Contributor: Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC
Incorrect Answers:
A: Owner: Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
B: Virtual Machine Contributor: Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they’re connected to.
D: Virtual Machine Administrator Login: View Virtual Machines in the portal and login as administrator.

Question 37

Q

You have an Azure Active Directory (Azure AD) tenant that contains three global administrators named Admin1, Admin2, and Admin3.
The tenant is associated to an Azure subscription. Access control for the subscription is configured as shown in the Access control exhibit. (Click the Access Control tab.)

Role assignments:
Admin3 as Owner

You sign in to the Azure portal as Admin1 and configure the tenant as shown in the Tenant exhibit. (Click the Tenant tab.)

Directory properties:
blablabla
Access Management for Azure Resources
…
[Yes]/No

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Admin1 can add Admin 2 as an owner of the subscription.
Admin3 can add Admin 2 as an owner of the subscription.
Admin2 can create a resource group in the subscription.

Answer

A

Admin1 can add Admin 2 as an owner of the subscription. - yes
Admin1 has elevated access (toggle under ‘Access Management for Azure Resources’ is set to ‘Yes’, Admin1 is assigned the User Access Administrator role in Azure RBAC at root scope (/). This grants permission to assign roles in all Azure subscriptions and management groups associated with this Microsoft Entra directory. This toggle is only available to users who are assigned the Global Administrator role in Microsoft Entra ID.) *

Admin3 can add Admin 2 as an owner of the subscription. - yes
Admin2 can create a resource group in the subscription. - no

Toggle to No - the User Access Administrator role in Azure RBAC is removed from user account, can no longer assign roles in all Azure subscriptions and management groups that are associated with this Microsoft Entra directory. Can view and manage only the Azure subscriptions and management groups to which user has been granted access. (https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin?tabs=azure-portal)

Question 38

Q

You have an Azure subscription named Subscription1 that contains an Azure virtual machine named VM1. VM1 is in a resource group named RG1.
VM1 runs services that will be used to deploy resources to RG1.
You need to ensure that a service running on VM1 can manage the resources in RG1 by using the identity of VM1.
What should you do first?
A. From the Azure portal, modify the Managed Identity settings of VM1
B. From the Azure portal, modify the Access control (IAM) settings of RG1
C. From the Azure portal, modify the Access control (IAM) settings of VM1
D. From the Azure portal, modify the Policies settings of RG1

Answer

A

A. From the Azure portal, modify the Managed Identity settings of VM1

Managed identities for Azure resources provides Azure services with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code. You can enable and disable the system-assigned managed identity for VM using the Azure portal.

Question 39

Q

You have an Azure subscription that contains a resource group named TestRG.
You use TestRG to validate an Azure deployment.
TestRG contains the following resources:

Name Туре Description
VM1 Virtual Machine VM1 is running and configured
to back up to Vault1 daily
Vault1 Recovery Services Vault1 includes all backups of VM1
Vault
VNET1 Virtual Network VNET1 has a resource lock of type Delete

You need to delete TestRG.
What should you do first?
A. Modify the backup configurations of VM1 and modify the resource lock type of VNET1
B. Remove the resource lock from VNET1 and delete all data in Vault1
C. Turn off VM1 and remove the resource lock from VNET1
D. Turn off VM1 and delete all data in Vault1

Answer

A

B. Remove the resource lock from VNET1 and delete all data in Vault1

You can’t delete a vault that contains backup data. Once backup data is deleted, it will go into the soft deleted state.
A mentions “and modify the resource lock type”. You can set a lock to either CanNotDelete or ReadOnly - both block the resource from being deleted.

Question 40

Q

You have an Azure DNS zone named adatum.com.
You need to delegate a subdomain named research.adatum.com to a different DNS server in Azure.
What should you do?
A. Create an NS record named research in the adatum.com zone.
B. Create a PTR record named research in the adatum.com zone.
C. Modify the SOA record of adatum.com.
D. Create an A record named *.research in the adatum.com zone.

Answer

A

A. Create an NS(nameserver) record named research in the adatum.com zone.

An NS record or (name server record) tells recursive name servers which name servers are authoritative for a zone. You can have as many NS records as you would like in your zone file. The benefit of having multiple NS records is the redundancy of your DNS service.

Question 41

Q

You have an Azure Active Directory (Azure AD) tenant that has the contoso.onmicrosoft.com domain name.
You have a domain name of contoso.com registered at a third-party registrar.
You need to ensure that you can create Azure AD users that have names containing a suffix of @contoso.com.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:

Add a record to the public contoso.com DNS zone
Add an Azure AD tenant
Configure company branding
Create an Azure DNS zone
Add a custom name
Verify the domain

Answer

A

Add a custom name
Add a record to the public contoso.com DNS zone
Verify the domain

Question 42

Q

You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1.
You need to view the error events from a table named Event.
Which query should you run in Workspace1? (chose all correct)
A. Get-Event Event | where {$_.EventType == “error”}
B. search in (Event) “error”
C. Event | where EventType == “error”
D select * from Event where EventType == “error”
E. search in (Event) * | where EventType -eq “error”
F. select * from Event where EventType is “error”
G. Event | where EventType is “error”
H. search in (Event) * | where EventType == “error”
I. Event | search “error”

Answer

A

B. search in (Event) “error”
C. Event | where EventType == “error”
I. Event | search “error”

Question 43

Q

You have a registered DNS domain named contoso.com.
You create a public Azure DNS zone named contoso.com.
You need to ensure that records created in the contoso.com zone are resolvable from the internet.
What should you do?
A. Create NS records in contoso.com.
B. Modify the SOA record in the DNS domain registrar.
C. Create the SOA record in contoso.com.
D. Modify the NS records in the DNS domain registrar.

Answer

A

D. Modify the NS records in the DNS domain registrar.

Question 44

Q

You have an Azure subscription that contains a storage account named storage1. The subscription is linked to an Azure Active Directory (Azure AD) tenant named contoso.com that syncs to an on-premises Active Directory domain.
The domain contains the security principals shown in the following table.

Name Type
User1 User
Computer1 Computer

In Azure AD, you create a user named User2.
The storage1 account contains a file share named share1 and has the following configurations.

“kind”: “StorageV2”,
“properties”: {
“azureFilesIdentityBasedAuthentication”: {
“directoryServiceOptions”: “AD”,
“activeDirectoryProperties”: {
“domainName”: “Contoso.com”,
“netBiosDomainName”: “Contoso.com”,
“forestName”: “Contoso.com”, } }

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

You can assign the Storage File Data SMB Share Contributor role to User1 for share1.
You can assign the Storage File Data SMB Share Reader role to Computer1 for share1.
You can assign the Storage File Data SMB Share Elevated Contributor role to User2 for share1.

Answer

A

You can assign the Storage File Data SMB Share Contributor role to User1 for share1. - Yes
You can assign the Storage File Data SMB Share Reader role to Computer1 for share1. - No
You can assign the Storage File Data SMB Share Elevated Contributor role to User2 for share1. - No

Hybrid user will work
Computer and cloud users will not work

Question 45

Q

You have an Azure subscription named Subscription1 that contains a virtual network VNet1.
You add the users in the following table.

User Role
User1 Owner
User2 Security Admin
User3 Network Contributor

Which user can perform each configuration? To answer, select the appropriate options in the answer area.

Add a subnet to VNet1:
- User1 only
- User3 only
- User1 and User3 only
- User2 and User3 only
- User1, User2, and User3
Assign a user the Reader role to VNet1:
- User1 only
- User2 only
- User3 only
- User1 and User2 only
- User2 and User3 only
- User1, User2, and User3

Answer

A

Add a subnet to VNet1: - User1 and User3 only
Assign a user the Reader role to VNet1: - User1 only

User1: The Owner Role lets you manage everything, including access to resources.
User3: The Network Contributor role lets you manage networks, including creating subnets.
The Security Admin role: In Security Center only: Can view security policies, view security states, edit security policies, view alerts and recommendations, dismiss alerts and recommendations.

Question 46

Q

You have the Azure resources shown on the following exhibit.

Tenant Root Group MG1 Sub1
RG1 VM1

You plan to track resource usage and prevent the deletion of resources.
To which resources can you apply locks and tags? To answer, select the appropriate options in the answer area.

Locks:
Tags:
- RG1 and VM1 only
- Sub1 and RG1 only
- Sub1, RG1, and VM1 only
- MG1, Sub1, RG1, and VM1 only
- Tenant Root Group, MG1, Sub1, RG1, and VM1

Answer

A

Locks: - Sub1, RG1, and VM1 only
Tags: - Sub1, RG1, and VM1 only

You can apply locks and tags to your Azure resources, resource groups, and subscriptions.
Ref Locks:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json
Ref Tags:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json

Question 47

Q

You have an Azure Active Directory (Azure AD) tenant.
You plan to delete multiple users by using Bulk delete in the Azure Active Directory admin center.
You need to create and upload a file for the bulk delete.
Which user attributes should you include in the file?
A. The user principal name and usage location of each user only
B. The user principal name of each user only
C. The display name of each user only
D. The display name and usage location of each user only
E. The display name and user principal name of each user only

Answer

A

B. The user principal name of each user only

https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/users-bulk-delete

Question 48

Q

You have an Azure subscription named Sub1 that contains the Azure resources shown in the following table.

Name Type
RG1 Resource group
storage1 Storage account
VNET1 Virtual network

You assign an Azure policy that has the following settings:
✑ Scope: Sub1
✑ Exclusions: Sub1/RG1/VNET1
✑ Policy definition: Append a tag and its value to resources
✑ Policy enforcement: Enabled
✑ Tag name: Tag4
✑ Tag value: value4
You assign tags to the resources as shown in the following table.

Resource Tag
Sub1 Tag1: subscription
RG1 Tag2: IT
storage1 Tag3: value1
VNET1 Tag3: value2

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

RG1 has the Tag2: IT tag assigned only
Storage1 has the Tag1: subscription, Tag2: IT, Tag3: value1, and Tag4: value4 tags assigned.
VNET1 has the Tag2: IT and Tag3:value2 tags assigned only

Answer

A

RG1 has the Tag2: IT tag assigned only - No, cause it has Tag4: value4 also assigned because of the policy, cause it was modified by adding a tag after the policy was created.
Storage1 has the Tag1: subscription, Tag2: IT, Tag3: value1, and Tag4: value4 tags assigned. - No
VNET1 has the Tag2: IT and Tag3:value2 tags assigned only - No

Tags applied to the resource group or subscription aren’t inherited by the resources.

Question 49

Q

You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Traffic Manager Contributor role at the subscription level to Admin1.
Does this meet the goal?
A. Yes
B. No

Answer

A

B. No

To enable Traffic Analytics for an Azure subscription, you must have one of the following Azure roles at the subscription scope:

Owner
Contributor
Network Contributor

Question 50

Q

You have three offices and an Azure subscription that contains an Azure Active Directory (Azure AD) tenant.
You need to grant user management permissions to a local administrator in each office.
What should you use?
A. Azure AD roles
B. administrative units
C. access packages in Azure AD entitlement management
D. Azure roles

Answer

A

B. administrative units

Question 51

Q

You have an Azure Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named Developers.
Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Dev, you assign the Logic App Contributor role to the Developers group.
Does this meet the goal?
A. Yes
B. No

Answer

A

A. Yes/No(?)
The Contributor role can manage all resources (and add resources) in a Resource Group.

Question 52

Q

You have an Azure Load Balancer named LB1.
You assign a user named User1 the roles shown in the following exhibit.

User1 assignments - LB1
Role assignments (2):
User Access Administrator - This resource
Virtual Machine Contributor- Resource group (inherited)

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

User1 can [answer choice] LB1.
- delete
- create a NAT rule for
- assign access to other users for
User1 can [answer choice] the resource group.
- delete a virtual machine from
- modify the load balancing rules in
- deploy an Azure Kubernetes Service (AKS) cluster to

Answer

A

User1 can [answer choice] LB1.
- assign access to other users for
User1 can [answer choice] the resource group.
- delete a virtual machine from

Question 53

Q

You configure the custom role shown in the following exhibit.
{
“properties”: {
“roleName”: “role1”,
“description”: “”,
“roletype”: “true”,
“assignableScopes”: [
“/subscriptions/3d6209d5-c714-4440-9556e-d6342086c2d7/”
],
“permissions”: [ {
“actions”: [
“Microsoft.Authorization//read”,
“Microsoft.Compute/availabilitySets/”,
“Microsoft.Compute/locations/”,
“Microsoft.Compute/virtualMachines/”,
“Microsoft.Compute/virtualMachineScaleSets/”,
“Microsoft.Compute/disks/write”,
“Microsoft.Compute/disks/read”,
“Microsoft.Compute/disks/delete”,
“Microsoft.Network/locations/”,
“Microsoft.Network/networkInterfaces/”,
“Microsoft.Network/networkSecurityGroups/join/action”, “Microsoft.Network/networkSecurityGroups/read”, “Microsoft.Network/publicIPAddresses/join/action”,
“Microsoft.Network/public IPAddresses/read”, “Microsoft.Network/virtualNetworks/read”,
“Microsoft.Network/virtualNetworks/subnets/join/action”,
“Microsoft.Resources/deployments/”,
“Microsoft.Resources/subscriptions/resourceGroups/read”,
“Microsoft.Support/*” ],
“notActions”: [],
“dataActions”: [],
“notDataActions”: [] } ] } }

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

To ensure that users can sign in to virtual machines that are assigned role1, modify the [answer choice] section.
To ensure that role1 can be assigned only to a resource group named RG1, modify the [answer choice] section.
- actions
- roletype
- notActions
- dataActions
- notDataActions
- assignableScopes

Answer

A

To ensure that users can sign in to virtual machines that are assigned role1, modify the [answer choice] section.
- dataActions
To ensure that role1 can be assigned only to a resource group named RG1, modify the [answer choice] section.
- assignableScopes

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles?source=recommendations#virtual-machine-user-login

Question 54

Q

You have an Azure subscription that contains a storage account named storage1. The storage1 account contains a file share named share1.
The subscription is linked to a hybrid Azure Active Directory (Azure AD) tenant that contains a security group named Group1.
You need to grant Group1 the Storage File Data SMB Share Elevated Contributor role for share1.
What should you do first?
A. Enable Active Directory Domain Service (AD DS) authentication for storage1.
B. Grant share-level permissions by using File Explorer.
C. Mount share1 by using File Explorer.
D. Create a private endpoint.

Answer

A

A. Enable Active Directory Domain Service (AD DS) authentication for storage1.

Before you enable Azure AD over SMB for Azure file shares, make sure you have completed the following prerequisites:
1. Select or create an Azure AD tenant.
2. To support authentication with Azure AD credentials, you must enable Azure AD Domain Services for your Azure AD tenant.
Etc.
Note: The Storage File Data SMB Share Elevated Contributor allows read, write, delete and modify NTFS permissions in Azure Storage file shares over SMB.

Question 55

Q

You have 15 Azure subscriptions.
You have an Azure Active Directory (Azure AD) tenant that contains a security group named Group1.
You plan to purchase additional Azure subscription.
You need to ensure that Group1 can manage role assignments for the existing subscriptions and the planned subscriptions. The solution must meet the following requirements:
✑ Use the principle of least privilege.
✑ Minimize administrative effort.
What should you do?
A. Assign Group1 the Owner role for the root management group.
B. Assign Group1 the User Access Administrator role for the root management group.
C. Create a new management group and assign Group1 the User Access Administrator role for the group.
D. Create a new management group and assign Group1 the Owner role for the group.

Answer

A

B. Assign Group1 the User Access Administrator role for the root management group.

To be able to assign licenses to all current and future subscriptions, while minimizing the administrative effort, one should apply the role to the Root Management Group.

And because we should use the principle of least privilege we should chose the User Access Administrator role instead of the Owner one.

Question 56

Q

You have an Azure subscription that contains the hierarchy shown in the following exhibit.

Tenant Root Group -> ManagementGroup1 -> Subscription1 -> RG1 -> VM1

You create an Azure Policy definition named Policy1.
To which Azure resources can you assign Policy1 and which Azure resources can you specify as exclusions from Policy1? To answer, select the appropriate options in the answer area.

You can assign Policy1 to:
- Subscription1 and RG1 only
- ManagementGroup1 and Subscription1 only
- Tenant Root Group, ManagementGroup1, and Subscription1 only
- Tenant Root Group, ManagementGroup1, Subscription1, and RG1 only
- Tenant Root Group, ManagementGroup1, Subscription1, RG1, and VM1
You can exclude Policy1 from:
- VM1 only
- RG1 and VM1 only
- Subscription1, RG1, and VM1 only
- ManagementGroup1, Subscription1, RG1, and VM1 only
- Tenant Root Group, ManagementGroup1, Subscription1, RG1, and VM1

Answer

A

You can assign Policy1 to:
- Tenant Root Group, ManagementGroup1, Subscription1, and RG1 only
You can exclude Policy1 from:
- ManagementGroup1, Subscription1, RG1, and VM1 only

Question 57

Q

You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:

Name Role Scope
User1 Global administrator Azure Active Directory
User2 Global administrator Azure Active Directory
User3 User administrator Azure Active Directory
User4 Owner Azure Subscription

User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.
You need to create new user accounts in external.contoso.onmicrosoft.com.
Solution: You instruct User2 to create the user accounts.
Does that meet the goal?
A. Yes
B. No

Answer

A

B. No
Maybe yes, cause it’s “external”.contoso.onmicrosoft.com

(Global admin is per tenant, Only a global administrator User1 can add users to this tenant, cause he created it)

Question 58

Q

You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:

Name Role Scope
User1 Global administrator Azure Active Directory
User2 Global administrator Azure Active Directory
User3 User administrator Azure Active Directory
User4 Owner Azure Subscription

User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.
You need to create new user accounts in external.contoso.onmicrosoft.com.
Solution: You instruct User4 to create the user accounts.
Does that meet the goal?
A. Yes
B. No

Answer

A

B. No

(Global admin is per tenant, Only a global administrator User1 can add users to this tenant, cause he created it)

Question 59

Q

You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:

Name Role Scope
User1 Global administrator Azure Active Directory
User2 Global administrator Azure Active Directory
User3 User administrator Azure Active Directory
User4 Owner Azure Subscription

User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.
You need to create new user accounts in external.contoso.onmicrosoft.com.
Solution: You instruct User3 to create the user accounts.
Does that meet the goal?
A. Yes
B. No

Answer

A

B. No

(Global admin is per tenant, Only a global administrator User1 can add users to this tenant, cause he created it)

Question 60

Q

You have two Azure subscriptions named Sub1 and Sub2.
An administrator creates a custom role that has an assignable scope to a resource group named RG1 in Sub1.
You need to ensure that you can apply the custom role to any resource group in Sub1 and Sub2. The solution must minimize administrative effort.
What should you do?
A. Select the custom role and add Sub1 and Sub2 to the assignable scopes. Remove RG1 from the assignable scopes.
B. Create a new custom role for Sub1. Create a new custom role for Sub2. Remove the role from RG1.
C. Create a new custom role for Sub1 and add Sub2 to the assignable scopes. Remove the role from RG1.
D. Select the custom role and add Sub1 to the assignable scopes. Remove RG1 from the assignable scopes. Create a new custom role for Sub2.

Answer

A

A. Select the custom role and add Sub1 and Sub2 to the assignable scopes. Remove RG1 from the assignable scopes.

Can be used as:
“AssignableScopes”: [
“/subscriptions/{Sub1}”,
“/subscriptions/{Sub2}”,

Question 61

Q

You have an Azure Subscription that contains a storage account named storageacct1234 and two users named User1 and User2.
You assign User1 the roles shown in the following exhibit.
User1 assignments - storageacct1234
Role Scope
Reader Resource Group (inherited)
Storage Blob Data Contributor This resource
Which two actions can User1 perform? Each correct answer presents a complete solution.

A. Assign roles to User2 for storageacct1234.
B. Upload blob data to storageacct1234.
C. Modify the firewall of storageacct1234.
D. View blob data in storageacct1234.
E. View file shares in storageacct1234.

Answer

A

B. Upload blob data to storageacct1234.
D. View blob data in storageacct1234.

Question 62

Q

You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1.
You need to view the error events from a table named Event.
Which query should you run in Workspace1? (chose all correct)
A. Get-Event Event | where {$_.EventType == “error”}
B. search in (Event) “error”
C. Event | where EventType == “error”
D select * from Event where EventType == “error”
E. search in (Event) * | where EventType -eq “error”
F. select * from Event where EventType is “error”
G. Event | where EventType is “error”
H. search in (Event) * | where EventType == “error”
I. Event | search “error”

Answer

A

B. search in (Event) “error”
C. Event | where EventType == “error”
I. Event | search “error”

Question 63

Q

You have an Azure App Services web app named App1.
You plan to deploy App1 by using Web Deploy.
You need to ensure that the developers of App1 can use their Azure AD credentials to deploy content to App1. The solution must use the principle of least privilege.
What should you do?

A. Assign the Owner role to the developers
B. Configure app-level credentials for FTPS
C. Assign the Website Contributor role to the developers
D. Configure user-level credentials for FTPS

Answer

A

C. Assign the Website Contributor role to the developers

Website Contributor role provides the necessary permissions for developers to deploy content to the web app, but does not grant them excessive permissions that could be used to make unwanted changes.

Option A is not recommended as it would grant excessive permissions to the developers, which could be used to make unwanted changes.
Option B and D are not relevant to the scenario as the question is specifically asking for how to use Azure AD credentials for Web Deploy, not FTPS.
Option C is a potential solution, but the Website Contributor role provides a more targeted and appropriate level of permissions for the scenario.

Question 64

Q

You have an Azure Active Directory (Azure AD) tenant named contoso.com.
You have a CSV file that contains the names and email addresses of 500 external users.
You need to create a guest user account in contoso.com for each of the 500 external users.
Solution: From Azure AD in the Azure portal, you use the Bulk invite users operation.
Does this meet the goal?
A. Yes
B. No

Answer

A

B. No

The required fields (Email and Redirection URL)are missing from the .csv file.
Here are the csv field pre-requisites that are needed for bulk upload of external users:
https://learn.microsoft.com/en-us/azure/active-directory/external-identities/tutorial-bulk-invite#prerequisites

Answer 65

A

Role3:
- Role1 and built-in Azure subscription roles only

Role4:
- Role2 only
(Built-in Azure AD/Entra roles can not be cloned)

Answer 66

A

User1: Reader and Data Access
User2: Owner

Answer 67

A

B. a service tag

Answer 68

A

B. User1 and User4 only

Answer 69

A

Litwareinc.com users can be assigned to package1. - NO Because not Connected
After 365 days, fabrikam.com users will be removed from Group1. - YES Because when it expires it is removed from the group.
https://learn.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-access-package-resources
When a user’s access package assignment expires, they are removed from the group or team, unless they currently have an assignment to another access package that includes that same group or team.
After 395 days, fabrikam.com users will be removed from the contoso.com tenant. - YES

Answer 70

A

You can assign User2 the Owner role for RG1 by adding Group2 as a member of Group1 - Yes
In Azure, security groups can be nested, and RBAC roles assigned to a parent group are inherited by members of nested groups.

You can assign User3 the Owner role for RG1 by adding Group3 as a member of Group1 - No
While Microsoft 365 groups can be assigned roles in Azure AD, they cannot be nested within security groups for role assignment purposes in Azure RBAC.

You can assign User3 the Owner role for RG1 by assigning the Owner role to Group3 for RG1 - Yes
Microsoft 365 groups can be assigned roles in Azure RBAC directly.

Answer 71

A

B. private endpoints
F. service endpoints (???)

Private endpoints are network interfaces that connect you privately and securely to a service powered by Azure Private Link. This means that your VM can access the storage account through a private IP address within your VNet, ensuring that the traffic stays on the Microsoft backbone network.

Answer 72

A

User1 can create a storage account in RG1 - Yes
User1 has the “Storage Account Contributor” role at the resource group (RG1) level. This role specifically allows creating and managing storage accounts within the resource group.

User1 can modify the DNS settings of networkinterface1 - No
Modifying the DNS settings of networkinterface1 requires the “Contributor” role at the scope of networkinterface1. However, User1 has the “Contributor” role only at the scope of NSG1, not networkinterface1.

User1 can create an inbound security rule to filter inbound traffic to networkinterface1 - Yes
Creating an inbound security rule for NSG1 is permitted because User1 has the “Contributor” role at the scope of NSG1. And NSG1 is associated with networkinterface1.

Answer 73

A

The Group1 members can view the configurations of the Azure functions -Yes
The Reader role at MG1 allows Group1 members to view all resources in Sub1 and Sub2. Since RG1 is in Sub1, and it contains Azure functions, Group1 members can view the configurations of these functions.

User1 can assign the Owner role for RG1 - Yes
As a User Access Administrator at MG1, User1 has the permission to assign roles, for any resource under MG1, which includes RG1.

User1 can create a new resource group and deploy a virtual machine to the new group - No
The Virtual Machine Contributor role at the subscription level (Sub1 and Sub2) allows User1 to manage virtual machines but does not inherently provide permissions to create new resource groups. However, if User1 also has sufficient permissions (such as Contributor or Owner) at the subscription or resource group level to create new resource groups, then this would be possible. The given roles do not explicitly include permissions for creating resource groups.

Answer 74

A

A. Enable identity-based data access for the file shares in storage1.

Answer 75

A

You can assign User1 the Microsoft Defender for Cloud Apps Discovery license - No (cause Off?)
You can remove the Azure Active Directory Premium P2 license from User1 - No
User2 is assigned the Azure Active Directory Premium P2 - No

Answer 76

A

JobTitle:
- User1 and User3 only
UsageLocation:
- User1, User2, and User3

Answer 77

A

B. No

Instead use the New-AzureADMSInvitation cmdlet which is used to invite a new external user to your directory.

Answer 78

A

A. Yes
Also correct to use the New-AzureADMSInvitation cmdlet

Answer 79

A

Blob storage:
Azure AD and shared access signatures (SAS)
File storage:
Shared access signatures (SAS) only

Answer 80

A

Identities : mail
[B2b collaboration]

Answer 81

A

C. Storage Blob Data Contributor

Storage Account Contributor : Permits management of storage accounts. Provides access to the account key, which can be used to access data via Shared Key authorization.

Storage Blob Data Contributor : Read, write, and delete Azure Storage containers and blobs. To learn which actions are required for a given data operation

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#storage-blob-data-contributor

Answer 82

A

B. Group1 and Group3 only

License can be applied for only security groups or security enabled Microsoft 365 groups.

Answer 83

A

(user.department -eq “Marketing”) and (user.country -eq “France”)

Answer 84

A

Default user role permissions
Users can register applications [Yes] -> No
Administration portal
Restrict access to Azure AD administration portal [No] -> Yes

Answer 85

A

User1 can read blob2 - No
User1 can read blob3 - No
User2 can read blob1 - Yes

If a user tries to perform an action in the assigned role that is not an action restricted by the condition, !(ActionMatches) evaluates to true and the overall condition evaluates to true.

Answer 86

A

B. No

the New-MgInvitation cmdlet, also correct to use the New-AzureADMSInvitation cmdlet

Answer 87

A

Three resource groups are created when you run the script - Yes
A resource group named RGroup5 is created - No
All the resource groups are created in the East US Azure region - Yes

Answer 88

A

C. Sub1

Co-administrators can only be assigned at the subscription scope.

Answer 89

A

Users:
User1, User2, User3, and User4
Groups:
Group2 and Group4 only

Answer 90

A

B. a private endpoint

Brainscape's Knowledge GenomeTM

az-104 dumps topic 2, 1-90(101) Flashcards

Brainscape's Knowledge Genome^TM