Microsoft AZ-104 Full Practice Tests 15.pdf Flashcards
You have an Azure subscription that contains a resource group named RG1.
You have a group named Group1 that is assigned the Contributor role for RG1.
You need to ensure that Group1 can establish an RDP connection to the virtual machines through a shared external IP address.
What should you use to ensure that Group1 can establish an RDP connection to the virtual machines through a shared external IP address?
- Azure Policy
- Azure Bastion
- Virtual network service endpoints
- Azure Firewall
- Azure Web Application Firewall (WAF)
Azure Bastion
Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal. The Azure Bastion service is a fully platform-managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS. When you connect via Azure Bastion, your virtual machines do not need a public IP address, agent, or special client software.
https://docs.microsoft.com/en-us/azure/bastion/tutorial-create-host-portal
INCORRECT ANSWERS:
Azure Policy – Azure Policy is used to enforce organizational standards.
Virtual network service endpoints – Service endpoints are used to enable direct connectivity between Azure services over the Microsoft backbone network.
Azure Firewall – Azure Firewall is used to control inbound and outbound traffic.
Azure Web Application Firewall (WAF) – WAF is used to protect web applications from common exploits and vulnerabilities.
You have a resource group named RG1 that contains the following:
A virtual network that contains two subnets named Subnet1 and AzureFirewallSubnet
An Azure Storage account named storageaccount1
An Azure firewall deployed to AzureFirewallSubnet
You need to ensure that storageaccount1 is accessible from Subnet1 over the Azure backbone network.
What should you do?
- Modify the Firewalls and virtual networks settings for storageaccount1.
- Create a stored access policy for storageaccount1.
- Implement a virtual network service endpoint.
- Remove the Azure firewall.
Implement a virtual network service endpoint.
A Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service endpoints enable private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
INCORRECT ANSWERS:
Modify the Firewalls and virtual networks settings for storageaccount1. – Modifying firewalls either allows or denies traffic.
Create a stored access policy for storageaccount1. – A stored access policy provides an additional level of control over service-level shared access signatures (SAS) on the server side.
Remove the Azure firewall – By removing the firewall, you are removing the control on inbound and outbound traffic.
You create an Azure virtual machine named VM1 in a resource group named RG1.
You discover that VM1 performs slower than expected. You need to capture a network trace on VM1.
What should you do?
- From the VM1 blade, configure Connection troubleshoot.
- From Diagnostic settings for VM1, configure the performance counters to include network counters.
- From the VM1 blade, install performance diagnostics and run advanced performance analysis.
- From Diagnostic settings for VM1, configure the log level of the diagnostic agent.
From the VM1 blade, install performance diagnostics and run advanced performance analysis.
The performance diagnostics tool helps you troubleshoot performance issues that can affect a Windows or Linux virtual machine (VM). Supported troubleshooting scenarios include quick checks on known issues and best practices, and complex problems that involve slow VM performance or high usage of CPU, disk space, or memory.
It checks for known issues, analyzes best practices, collects diagnostics data, and captures a network trace and SMB counters.
https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/performance-diagnostics#select-an-analysis-scenario-to-run
Your company has an Azure environment that will contain many subscriptions. You are creating an Azure Policy as part of a governance solution.
To which three scopes can you assign Azure Policy definitions?
- management groups
- subscriptions
- Azure Active Directory (Azure AD) tenants
- resource groups
- Azure Active Directory (Azure AD) administrative units
- compute resources
management groups
subscriptions
resource groups
An assignment is a policy definition or initiative that has been assigned to take place within a specific scope. This scope could range from a management group to an individual resource. The term scope refers to all the resources, resource groups, subscriptions, or management groups that the definition is assigned to. Assignments are inherited by all child resources. This design means that a definition applied to a resource group is also applied to resources in that resource group. However, you can exclude a subscope from the assignment.
For example, at the subscription scope, you can assign a definition that prevents the creation of networking resources. You could exclude a resource group in that subscription that is intended for networking infrastructure. You then grant access to this networking resource group to users that you trust with creating networking resources.
https://docs.microsoft.com/en-us/azure/governance/policy/overview
INCORRECT ANSWERS:
Azure Active Directory (Azure AD) tenants – You can assign Azure Policy to a management group, subscription or resource group.
Azure Active Directory (Azure AD) administrative units – You can assign Azure Policy to a management group, subscription or resource group.
compute resources – You can assign Azure Policy to a management group, subscription or resource group.
You are implementing self-service password reset (SSPR) and multifactor authentication (MFA) in Azure Active Directory (Azure AD). You need to select authentication mechanisms that can be used for both MFA and SSPR.
Which two authentication methods should you use?
- Short Message Service (SMS) messages
- Microsoft Authenticator App
- Email addresses
- Security questions
- App passwords
Short Message Service (SMS) messages
Microsoft Authenticator App
SMS-based sign-in is great for front-line workers. With SMS-based sign-in, users don’t need to know a username and password to access applications and services. The user instead enters their registered mobile phone number, receives a text message with a verification code, and enters that in the sign-in interface.
Users can also verify themselves using a mobile phone or office phone as a secondary form of authentication used during Azure Multi-Factor Authentication or self-service password reset (SSPR).
The Authenticator app provides an additional level of security to your Azure AD work or school account or your Microsoft account and is available for Android, iOS, and Windows Phone. With the Microsoft Authenticator app, users can authenticate in a passwordless way during sign-in, or as an additional verification option during self-service password reset (SSPR) or Azure Multi-Factor Authentication events.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods
INCORRECT ANSWERS:
Email addresses – only used for SSPR
Security questions – only used for SSPR
App passwords – Can be used as primary authentication method for legacy apps, but cannot be used for both MFA & SSPR
You have an Azure subscription that contains a user named User1.
You need to ensure that User1 can deploy virtual machines and manage virtual networks. The solution must use the principle of least privilege.
Which role-based access control (RBAC) role should you assign to User1?
- Owner
- Virtual Machine Contributor
- Contributor
- Virtual Machine Administrator Login
Contributor
Contributor role allows you to manage both virtual machines and virtual networks.
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
INCORRECT ANSWERS:
Owner – Owner role allows you to manage both virtual machines and virtual networks, however it is not a least privileged role.
Virtual Machine Contributor – Virtual Machine Contributor lets you manage virtual machines, but not access to them, and not the virtual network or storage account they’re connected to.
Virtual Machine Administrator Login – View Virtual Machines in the portal and login as administrator
You have an Azure Storage account named storage1.
You plan to use AzCopy to copy data to storage1. You need to identify the storage services in storage1 to which you can copy the data.
What should you identify?
- blob, file, table, and queue
- blob and file only
- file and table only
- file only
- blob, table, and queue only
blob and file only
AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage account.
https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10
INCORRECT ANSWERS:
AzCopy does not support copying data to Table & Queue.
You have an Azure subscription that contains an Azure Storage account.
You plan to create an Azure container instance named container1 that will use a Docker image named Image1. Image1 contains a Microsoft SQL Server instance that requires persistent storage.
You need to configure a storage service for Container1.
What should you use?
- Azure Files
- Azure Blob storage
- Azure Queue storage
- Azure Table storage
Azure Files
Azure file shares can be used as persistent volumes for stateful containers. Containers deliver “build once, run anywhere” capabilities that enable developers to accelerate innovation. For the containers that access raw data at every start, a shared file system is required to allow these containers to access the file system no matter which instance they run on.
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction
INCORRECT ANSWERS:
Azure Blob storage – Blob storage is optimized for storing massive amounts of unstructured data.
Azure Queue storage – Queue storage is for storing messages in distributed applications.
Azure Table storage – Table storage is for storing semi-structured data.
You have an app named App1 that runs on two Azure virtual machines named VM1 and VM2.
You plan to implement an Azure Availability Set for App1. The solution must ensure that App1 is available during planned maintenance of the hardware hosting VM1 and VM2.
What should you include in the Availability Set?
- one update domain
- two fault domains
- one fault domain
- two update domains
two update domains
The hardware in a location is divided into multiple update domains and fault domains. An update domain is a group of VMs and underlying physical hardware that can be rebooted at the same time. VMs in the same fault domain share common storage as well as a common power source and network switch.
Microsoft updates, which Microsoft refers to as planned maintenance events, sometimes require that VMs be rebooted to complete the update. To reduce the impact on VMs, the Azure fabric is divided into update domains to ensure that not all VMs are rebooted at the same time.
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-availability-sets
INCORRECT ANSWERS:
one update domain – Adding VMs to the same update domain will not meet the requirements, since they share the same underlying physical hardware that can be rebooted at the same time.
two fault domains – Fault domains define the group of virtual machines that share a common power source and network switch; they group VMs for unplanned outages like power failures.
one fault domain – Fault domains define the group of virtual machines that share a common power source and network switch; they group VMs for unplanned outages like power failures.
You have an Azure subscription named Subscription1 that contains the resources shown in the following table: (see image)
You plan to configure Azure Backup reports for Vault1.
You are configuring the Diagnostics settings for the AzureBackupReports log.
Which storage accounts can you use for the Azure Backup reports of Vault1?
- storage1 only
- storage2 only
- storage3 only
- storage1, storage2 and storage3
storage3 only
To create a vault to protect any data source, the vault must be in the same region as the data source.
The storage account must be in the same region as your Recovery Services vault.
https://docs.microsoft.com/en-us/azure/backup/backup-create-rs-vault
INCORRECT ANSWERS:
storage1 only – storage1 and vault1 are not in same region.
storage2 only – storage2 and vault1 are not in same region.
You have an Azure subscription named Subscription1 that contains the resources shown in the following table: (see image)
You plan to configure Azure Backup reports for Vault1.
You are configuring the Diagnostics settings for the AzureBackupReports log.
Which Log Analytics workspaces can you use for the Azure Backup reports of Vault1?
- Analytics1 only
- Analytics2 only
- Analytics3 only
- Analytics1, Analytics2 and Analytics3
Analytics1, Analytics2 and Analytics3
The location and subscription where this Log Analytics workspace can be created is independent of the location and subscription where your vaults exist.
https://docs.microsoft.com/en-us/azure/backup/configure-reports
INCORRECT ANSWERS:
Analytics1 only – You can use any workspace
Analytics2 only – You can use any workspace
Analytics3 only – You can use any workspace
You have an on-premises server that contains a folder named D:\Folder1.
You need to copy the contents of D:\Folder1 to the public container in an Azure Storage account named companydata.
Which command should you run?
- https://companydata.blob.core.windows.net/public
- azcopy sync D:\folder1 https://companydata.blob.core.windows.net/public --snapshot
- azcopy copy D:\folder1 https://companydata.blob.core.windows.net/public --recursive
- az storage blob copy start-batch D:\Folder1 https://companydata.blob.core.windows.net/public
azcopy copy D:\folder1 https://companydata.blob.core.windows.net/public --recursive
The azcopy copy command copies a directory (and all of the files in that directory) to a blob container. The result is a directory in the container by the same name.
Syntax is: azcopy copy ‘‘ ‘https://..core.windows.net/‘ --recursive
Append the --recursive flag to upload files in all subdirectories.
https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-blobs-upload
INCORRECT ANSWERS:
None of the incorrect answers match the azcopy syntax:
https://companydata.blob.core.windows.net/public
azcopy sync D:\folder1 https://companydata.blob.core.windows.net/public --snapshot
az storage blob copy start-batch D:\Folder1 https://companydata.blob.core.windows.net/public
You have an Azure subscription named Subscription1. Subscription1 contains the resources in the following table. (see image)
VNet1 is in RG1. VNet2 is in RG2. There is no connectivity between VNet1 and VNet2.
An administrator named Admin1 creates an Azure virtual machine named VM1 in RG1. VM1 uses a disk named Disk1 and connects to VNet1. Admin1 then installs a custom application in VM1.
You need to move the custom application to VNet2. The solution must minimize administrative effort.
Which two actions should you perform?
- Detach VM1 network interface
- Attach a new network interface
- Move network interface to RG2
- Move VM1 to RG2
- Delete VM1
- Create a new virtual machine in VNet2
Delete VM1
Create a new virtual machine in VNet2
Microsoft does not support moving VMs between virtual networks. So we have to delete the VM and create a new VM in the target VNet.
Detailed steps are given in the article below.
https://docs.microsoft.com/en-us/archive/blogs/canitpro/step-by-step-move-a-vm-to-a-different-vnet-on-azure
You download an Azure Resource Manager template based on an existing virtual machine. The template will be used to deploy 100 virtual machines.
You need to modify the template to reference an administrative password. You must prevent the password from being stored in plain text.
What should you create to store the password?
- an Azure Key Vault and an access policy
- an Azure Storage account and an access policy
- a Recovery Services vault and a backup policy
- Azure Active Directory (AD) Identity Protection and an Azure policy
an Azure Key Vault and an access policy
When you create a virtual machine (VM), you need to provide the VM administrator username and password. Instead of providing the password, you can pre-store the password in an Azure key vault and then customize the template to retrieve the password from the key vault during the deployment.
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-use-key-vault
INCORRECT ANSWERS:
an Azure Storage account and an access policy – Storage account is used to store the blobs. Not recommended to store sensitive data like passwords.
a Recovery Services vault and a backup policy – Recovery services vault is to store backups.
Azure Active Directory (AD) Identity Protection and an Azure policy – Identity protection is to detect and investigate identity based risks.
You plan to automate the deployment of a virtual machine scale set that uses the Windows Server 2016 Datacenter image.
You need to ensure that when the scale set virtual machines are provisioned, they have web server components installed.
Which two actions should you perform?
- Upload a configuration script
- Create an automation account
- Create an Azure policy
- Modify the extensionProfile section of the Azure Resource Manager template
- Create a new virtual scale set in the Azure portal
Upload a configuration script
Modify the extensionProfile section of the Azure Resource Manager template
When you define a virtual machine scale set with an Azure template, the Microsoft.Compute/virtualMachineScaleSets resource provider can include a section on extensions.
The extensionProfile details what is applied to the VM instances in a scale set. To use the Custom Script Extension, you specify a publisher of Microsoft.Azure.Extensions and a type of CustomScript.
The Custom Script Extension downloads and executes scripts on Azure VMs.
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/tutorial-install-apps-template
INCORRECT ANSWERS:
Create an automation account – Automation account is to automate Azure management tasks.
Create an Azure policy – Azure policy is to enforce organizational standards.
Create a new virtual scale set in the Azure portal – You already have a virtual machine scale set.
You have an Azure Kubernetes Service (AKS) cluster named AKS1 and a computer named Computer1 that runs Windows 10. Computer1 has the Azure CLI installed.
You need to install the kubectl client on Computer1.
Which command should you run?
- az aks install-cli
- docker aks install-cli
- msiexec.exe aks install-cli
- az /package install-cli
az aks install-cli
To install kubectl locally, use the az aks install-cli command.
https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough
INCORRECT ANSWERS:
docker aks install-cli – No such command exists
msiexec.exe aks install-cli – msiexec.exe is to install Windows Installer packages
az /package install-cli – No such command exists
You create an App Service plan named Plan1 and an Azure web app named webapp1.
You discover that the option to create a staging slot is unavailable.
You need to create a staging slot for Plan1.
What should you do first?
- From Plan1, scale up the App Service plan
- From webapp1, modify the Application settings
- From webapp1, add a custom domain
- From Plan1, scale out the App Service plan
From Plan1, scale up the App Service plan
The app must be running in the Standard, Premium, or Isolated tier in order for you to enable multiple deployment slots.
If the app isn’t already in the Standard, Premium, or Isolated tier, you receive a message that indicates the supported tiers for enabling staged publishing. At this point, you have the option to select Upgrade and go to the Scale tab of your app before continuing.
https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots
https://docs.microsoft.com/en-us/azure/app-service/manage-scale-up
INCORRECT ANSWERS:
From webapp1, modify the Application settings – Slots are available based on app service plan, nothing to do with application settings.
From webapp1, add a custom domain – Slots are not dependent on custom domains.
From Plan1, scale out the App Service plan – Scale out will increase the number of application instances. It will not create slots.
You have an Azure subscription that contains a web app named webapp1.
You need to add a custom domain named http://www.preparationlabs.com to webapp1.
What should you do first?
- Create a DNS record
- Add a connection string
- Upload a certificate.
- Stop webapp1.
Create a DNS record
First purchase a domain name, and make sure you have access to the DNS registry for your domain provider. Then you can map the custom domain to your Azure web app. To add a custom domain to your app, you need to verify your ownership of the domain by adding a verification ID as a TXT record with your domain provider.
https://docs.microsoft.com/en-us/Azure/app-service/app-service-web-tutorial-custom-domain
INCORRECT ANSWERS:
Add a connection string – Custom domain is not related to application settings or connection strings.
Upload a certificate. – Uploading a certificate makes the application accessible over the HTTPS protocol.
Stop webapp1. – No need to stop the web site to add a custom domain.
You have a deployment template named Template1 that is used to deploy 10 Azure web apps.
You need to identify what to deploy before you deploy Template1. The solution must minimize Azure costs.
What should you identify?
- five Azure Application Gateways
- one App Service plan
- 10 App Service plans
- one Azure Traffic Manager
- one Azure Application Gateway
one App Service plan
You must create an App Service plan before deploying web apps. One App Service plan can have multiple web apps. To reduce the costs, create one App Service plan and use it for 10 web apps.
https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-plans
INCORRECT ANSWERS:
five Azure Application Gateways – Application gateway is a traffic load balancer. It is not a pre-requisite to create web apps.
10 App Service plans – App service plan is mandatory to create a web app. However, 10 app service plans will increase the cost.
one Azure Traffic Manager – Traffic manager is also a load balancer, not a pre-requisite to create web apps.
one Azure Application Gateway – Application gateway is a traffic load balancer. It is not a pre-requisite to create web apps.
You have an Azure subscription that contains a virtual machine named VM1. VM1 hosts a line-of-business application that is available 24 hours a day. VM1 has one network interface and one managed disk. VM1 uses the D4s v3 size.
You plan to make the following changes to VM1:
Change the size to D8s v3.
Add a 500-GB managed disk.
Add the Puppet Agent extension.
Enable Desired State Configuration Management.
Which change will cause downtime for VM1?
- Enable Desired State Configuration Management
- Add a 500-GB managed disk
- Change the size to D8s v3
- Add the Puppet Agent extension
Change the size to D8s v3
After you create a virtual machine (VM), you can scale the VM up or down by changing the VM size. In some cases, you must deallocate the VM first. This can happen if the new size is not available on the hardware cluster that is currently hosting the VM. If the virtual machine is currently running, changing its size will cause it to be restarted.
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/resize-vm
INCORRECT ANSWERS:
Enable Desired State Configuration Management – VM restart is not required.
Add a 500-GB managed disk – You can add managed disks while VM is running.
Add the Puppet Agent extension – VM restart is not required.
You have an Azure Kubernetes Service (AKS) cluster named AKS1.
You need to configure cluster autoscaler for AKS1.
Which two tools should you use?
- the kubectl command
- the az aks command
- the Set-AzVm cmdlet
- the Azure portal
- the Set-AzAks cmdlet
the kubectl command
the az aks command
The following example uses the kubectl autoscale command to autoscale the number of pods in the azure-vote-front deployment. If average CPU utilization across all pods exceeds 50% of their requested usage, the autoscaler increases the pods up to a maximum of 10 instances. A minimum of 3 instances is then defined for the deployment:
kubectl autoscale deployment azure-vote-front --cpu-percent=50 --min=3 --max=10
Use the az aks update command to enable and configure the cluster autoscaler on the node pool for the existing cluster.
https://docs.microsoft.com/en-us/azure/aks/tutorial-kubernetes-scale
https://docs.microsoft.com/en-us/azure/aks/cluster-autoscaler
INCORRECT ANSWERS:
the Set-AzVm cmdlet – This command sets VM as generalized
the Azure portal – Not a valid command
the Set-AzAks cmdlet – Creates or updates a Kubernetes cluster
You create the following resources in an Azure subscription:
An Azure Container Registry instance named Registry1
An Azure Kubernetes Service (AKS) cluster named Cluster1
You create a container image named App1 on your administrative workstation.
You need to deploy App1 to Cluster1.
What should you do first?
- Run the docker push command.
- Create an App Service plan.
- Run the az acr build command.
- the az aks create command.
Run the az acr build command.
You should sign in and push a container image to Container Registry.
Run the az acr build command to build and push the container image.
az acr build \
  --image contoso-website \
  --registry $ACR_NAME \
  --file Dockerfile .
https://docs.microsoft.com/en-us/learn/modules/aks-deploy-container-app/5-exercise-deploy-app
INCORRECT ANSWERS:
Run the docker push command. – We can use the docker push command to push an image. However, there is no mention of docker tag in the question. So, I will rule out this option.
Create an App Service plan. – No need of app service plan
the az aks create command. – This command creates a new managed Kubernetes cluster. We already have a cluster.
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You create a resource lock, and then you assign the lock to the subscription.
Does this meet the goal?
- Yes
- No
No
Resource lock is used to avoid accidental deletion of Azure resources.
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: From the Resource providers blade, you unregister the Microsoft.ClassicNetwork provider.
Does this meet the goal?
- Yes
- No
No
Instead, use Azure policy.
https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You assign a built-in policy definition to the subscription.
Does this meet the goal?
- Yes
- No
No
Built-in Azure policies do not provide the policy required for this requirement.
https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You configure a custom policy definition, and then you assign the policy to the subscription.
Does this meet the goal?
- Yes
- No
Yes
You can create a custom policy to block port 8080. Azure policy enables you to establish conventions for resources in your subscription by describing when the policy is enforced and what effect to take.
https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition