Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

Az-104-practice test > test 10 > Flashcards

test 10 Flashcards

1
Q

Which of the following are file formats not recommended for compression?

MP3

JPG

Text/HTML

Text/CSS

A

MP3
JPG

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

You are developing a storage plan that includes Premium storage.Which storage redundancy type is

available to use? Select one.

Locally redundant storage

RA Geo redundant Storage

Zone Redundant Storage

Geo Redundant Storage

A

Locally redundant storage

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What is the PowerShell command to add the image information to the virtual machine’s configuration?

Set-AzureRmVMSourceImage -VM $VirtualMachine -PublisherName “MicrosoftWindowsServer” -Offer “WindowsServer” -Skus “2012-R2-Datacenter” -Version “latest”

Get-AzureRmVMSourceImage -VM $VirtualMachine -PublisherName “MicrosoftWindowsServer” -Offer “WindowsServer” -Skus “2012-R2-Datacenter” -Version “latest”

Set-AzureRmVMSourceImage -VM $VirtualMachine -PublisherName “MicrosoftWindowsServer” -Offer “WindowsServer” -Sku “2012-R2-Datacenter” -Version “current”

Set-AzureRmVMSourceImage -VM $VirtualMachine -PublisherName WindowsServer -Offer “WindowsServer” -Skus “2012-R2-Datacenter” -Version “latest

A

Set-AzureRmVMSourceImage -VM $VirtualMachine -PublisherName “MicrosoftWindowsServer” -Offer “WindowsServer” -Skus “2012-R2-Datacenter” -Version “latest”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

For Linux, which of the CLI commands will open up port 80?

az vm open-port –port 80 –resourcegroup myResourceGroup –name myVM

az vm open-port –port 80 –resource-group myResourceGroup –name myVM

az vm set-port –port 80 –resource-group myResourceGroup –name myVM

None of these commands are needed because port 80 is open by default.

A

az vm open-port –port 80 –resource-group myResourceGroup –name myVM

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

We are trying to apply a tag to a resource group and need the appropriate permissions using the philosophy of least privileges. Which answer below would be the most appropriate?

You are assigned the Contributor role in RBAC.

You are assigned the Owner role in RBAC.

We are assigned the Reader role in RBAC.

We are assigned the Administrator role in RBAC.

A

You are assigned the Contributor role in RBAC.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Which account will be able to reset the password regardless of whether the Azure Active Directory password reset enabled option is selected?

An account with Owner permissions.

An account with Contributor permissions.

Azure Administrator

An account with Reader permissions.

A

Azure Administrator

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

You want Azure Active Directory’s Application Proxy feature at the lowest price possible. You also want to to make sure you have the enterprise-level SLA of 99.9 percent uptime. Which of the following would be the best option?

Azure Active Directory - Free

Azure Active Directory - Basic

Azure Active Directory - Premium P1

Azure Active Directory - Premium P2

A

Azure Active Directory - Premium P1

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

One of your teammates on the IT team is trying to change the size of a VM but can’t seem to do so. They are able to set off the job, but it fails immediately. What is one possible reason why they can’t perform this action?

The subscription doesn’t support this size of VM.

The resource has already reached its maximum size.

The resource is locked.

The user is logged into the classic portal.

A

The resource is locked.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

You are an IT Administrator, and you are concerned about protecting corporate assets and devices meeting standards for security and compliance. What options are available to get a device under the control of Azure AD?

Using Identity Protection.

Registering the device to Azure AD.

Joining a device.

Using the Conditional Access Rule.

A

Registering the device to Azure AD.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

You have a MySQL database that you want to keep secure and prevent access to the public internet. Which of these options would you use? Select 3

Service Endpoint

VNet Peering

NSG

Private IP Address

A

Service Endpoint
NSG
Private IP Address

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

The shared access signature (SAS) URI consists of which of the following?

SAS Token

Access Key 2

Access Key 1

Storage Resource

A

SAS Token
Storage Resource

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Which of the following settings are not not swapped when you swap an an app? Select three.

General settings, such as framework version, 32/64-bit, web sockets

Handler mappings

Always On

Correct selection
Custom domain names

Publishing endpoint

A

Always On
Custom domain names
Publishing endpoints

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

You are backing up your App Service. Which of the following is included in the backup? Select two.

Files and database content totalling 15GB

SSL enabled Azure Database for MySQL

Firewall enabled-storage account

App configuration

Azure database for MySQL

A

App configuration

Azure database for MySQL

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

You want to utilize Azure Identity Protection, which one of the editions below supports this feature?

Free

Basic

Premium P2

Premium P1

A

Premium P2

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

You are having problems with the installation of Azure File Sync on your server. What action could you take to get more details on possible issues?

Check the Diagnostics Logs.

Check the Activity Log.

Check the Azure File Sync error log on the local file system.

Run the command StorageSyncAgent.msi /l*v AFSInstaller.log.

A

Run the command StorageSyncAgent.msi /l*v AFSInstaller.log.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Which series would we choose if we had a virtual machine used for Artificial Intelligence (AI)?

F-Series

A-Series

H-Series

L-Series

A

H-Series

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

The Contoso Company would like policies implemented to enforce a standard for how their infrastructure is built. Which of the following RBAC roles will they need to have to view these policies?

Domain Administrator

Security Admin

Security Reader

Security Contributor

A

Security Reader

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

You configured a routing table which should be forcing all outgoing traffic from one virtual machine to go through a firewall appliance. However, the traffic is not going through the firewall appliance. Which one of the following would be an effective diagnostic tool?

Create a Log Analytics workspace.

Install Network Monitoring Agent

Network Watcher

Activate Resource Diagnostic Settings

A

Network Watcher

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

You have a MySQL database on a Linux instance. The MySQL database is in development and being worked on by your developers. Only the developers should have access to this database while it is in the development stage. Which of the following actions will ensure that only the developers can access the database?

Using the Azure Application Gateway.

Using an NSG rule that has the source: IP addresses identified (outbound rule).

Setting the NSG rules that only allow traffic from the developers.

Using an NSG rule that has the source port range (inbound rule).

A

Setting the NSG rules that only allow traffic from the developers.

14
Q

If you wanted to gain insight into your on-premises identity infrastructure that is used to access Azure AD applications and also monitors the synchronizations that occur between your on-premises Azure Directory Domain Services (AD DS) and Azure AD, which of the following tools would you use?

Azure AD Connect Health

Activity Report

This information is not captured within the Azure environment.

Security reports

A

Azure AD Connect Health

15
Q

Which of the following is not a recommended protocol to access Azure File Sync from your Windows Server?

nfs

SMB

http

FTPS

16
Q

Your company previously did not allow employees to use their own devices to access company resources for security reasons. However, management is now considering allowing employees to use their own devices in conjunction with AD join. What are the potential security benefits that may persuade management to allow employees to use their own devices?

Organizations can restrict access to apps from only the devices that meet the compliance policy.

Organizations can use Windows Hello support for convenient access to work resources.

Enterprise compliant roaming of user’s settings across joined devices for users with Microsoft accounts.

Organizations can still use on-premise AD to manage security protocols.

Organizations can use single sign-on functionality as long as the employees are connected to the domain network.

A

Organizations can restrict access to apps from only the devices that meet the compliance policy.

Organizations can use Windows Hello support for convenient access to work resources.

17
Q

What PowerShell command prompts the user for either a password or a username and password?

Put-Credential

Get-PsCredential

Set-Credential

Get-Credential

A

Get-Credential

18
Q

What is the limit on the total number of VNet service endpoints in a virtual network?

25,000

5

500

There is no limit on the total number of VNet service endpoints in a virtual network.

A

There is no limit on the total number of VNet service endpoints in a virtual network.

19
We have reached the CPU quota in the West US 2 region. What two options do we have to move forward when creating this virtual machine? Delete other running VMs. Give the user admin rights. Click Ok to charge the subscription. Request a quota increase.
Delete other running VMs. Request a quota increase.
20
Your current virtual machine which is currently running has a size of standard DS2_V2, this plan does not allow more than two NICs and you need to add a third NIC. What are the steps you would take to add the additional NIC (assuming the NIC already exists)? 1) Shut down the machine 2) Go to the network blade of the VM 3) Click on Attach Network Interface. 4) Select the existing network interface 5) Select existing NIC and click okay. 6) Start the machine. 1) Shut down the machine. 2) Increase the plan size to DS3_v2. 3) Go into the network blade of the VM. 4) Go into the NSG blade. 5) Click attach network interface, 6) Select the existing NIC, and then click okay. 7) Start the machine. 1) Shut down the machine. 2) Increase the plan size to DS3_v2. 3) Go into the networking blade of the VM 4) Click Attach Network Interface. 5) Select the existing NIC, and then click okay. 6) Start the machine. 1) Upgrade the grade plan size to DS3_v2. 2) Go to the network security group blade. 3) Click Attach Network Interface. 4) Select the existing NIC, and then click okay. 5) Reboot the machine for the new NIC to be seen.
1) Shut down the machine. 2) Increase the plan size to DS3_v2. 3) Go into the networking blade of the VM 4) Click Attach Network Interface. 5) Select the existing NIC, and then click okay. 6) Start the machine.
21
Which of the following items can be associated with a Network Security Group (NSG)? Security Rule Subnets NIC Virtual Machine
Security Rule Subnets NIC
22
You decide to move all your services to Azure Kubernetes service. Which of the following components will contribute to your monthly Azure charge? Select one Master node Node virtual machines Tables Pods
Node virtual machines
23
What method does Microsoft Azure App Service use to obtain credentials for users attempting to access an app? Select one. synchronization of accounts across providers pass-through authentication credentials that are stored in the browser redirection to a provider endpoint
redirection to a provider endpoint
24
You are the new administrator of an organization, and one of the changes that you want to implement is multi-factor authentication (MFA). How would you be able to get a count of how many users have not registered for multi-factor authentication? This information is not collected. Security Alerts from Privileged Identity Management Users page, within the MFA Settings site. Identity Protection within the MFA report.
Users page, within the MFA Settings site.
25
You have four different storage accounts. If you want to limit access to a team of people within the organization to just one storage service on one storage account, with the least amount of work, which of the following would be used to accomplish this goal? SAS service. SAS account. Azure Traffic Manager NSG
SAS service.
26
Can you add an existing VM to an availability set? Only when the VM has been suspended. No, you can only add a VM to an availability set when creating the VM. Only when the VM has been shutdown. Yes, you can add an existing VM to an availability set at any time.
No, you can only add a VM to an availability set when creating the VM.
27
You are configuring networking for the Azure Kubernetes service. Which of the following maps incoming direct traffic to the pods? Select one. Load Balancer ClusterIP NodePort † AKS node
NodePort
28
Which of the following is not true about container groups? Select one. Is assigned a DNS name label. Exposes a single public IP address, with one exposed port. Includes two Azure file shares as volume mounts. Consists of two containers. Is scheduled on a multiple host machines.
Is scheduled on a multiple host machines.
29
You have an existing virtual machine that is currently running, and you need to add an existing custom data disk. What are the steps you would take? A. Select the VM you are trying to attach the existing disk. Click Attach existing to attach the available disk to the VM. From the existing disk pane, select your disk, and then click OK. Restart the machine in order for the additional disk to be seen B. A shutdown of the machine. Select the VM you are trying to attach the existing disk. Click Attach existing to attach the available disk to the VM. From the existing disk pane, select your disk, and then click OK C. Select the VM you are trying to attach the existing disk. Click Attach new to attach the available disk to the VM. Select your disk, and then click OK. D. Select the VM you are trying to attach the existing disk. Click Attach existing to attach the available disk to the VM. From the existing disk pane, select your disk, and then click OK
D. Select the VM you are trying to attach the existing disk. Click Attach existing to attach the available disk to the VM. From the existing disk pane, select your disk, and then click OK
30
Which of the following built-in roles has the required Microsoft Authorization permissions that will allow a user account to create a cloud endpoint? Reader and Data Access Contributor Owner User Access Administrator
Owner User Access Administrator
31
You have a pay-as-you-go Azure subscription that contains the virtual machines shown in the following table. Name Resource Group Daily Cost VM1 RG1 20 euros VM2 RG2 30 euros You create the budget shown in the following exhibit. Budget1 Resource Group Current Spend: 5.93 EUR Budget: 1,000.00 EUR BUDGET SUMMARY Name: Budget1 Scope: RG1 (Resource Group) Filters: – Amount: 1,000.00 EUR Budget Period: Resets billing month Start Date: 6/20/2019 End Date: 6/19/2021 BUDGET ALERTS Alert Conditions % of Budget Amount Action Group Action Group 50% €500 AG1 1 Email 70% €700 AG2 1 SMS 100% €1,000 AG3 1 Azure App Alert Recipients (email): User1@Contoso.com The AG1 action group contains a user named admin@contoso.com only. Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. Hot Area: Answer Area When the maximum amount in Budget1 is reached, [answer choice]: VM1 and VM2 are turned off VM1 and VM2 continue to run VM1 is turned off, and VM2 continues to run Based on the current usage costs of the virtual machines, [answer choice]: No email notifications will be sent each month One email notification will be sent each month Two email notifications will be sent each month Three email notifications will be sent each month
Let me analyze each question: "When the maximum amount in Budget1 is reached, answer choice Answer: VM1 and VM2 continue to run Reason: Azure budgets are monitoring tools that can trigger alerts but do not automatically take action on resources While there are action groups configured (AG1, AG2, AG3), they only send notifications (email, SMS, Azure App) The budget is scoped to RG1, but this only affects monitoring, not resource control Therefore, reaching the budget limit will not automatically stop any VMs "Based on the current usage costs of the virtual machines, answer choice Answer: Two email notifications will be sent each month Reason: VM1 costs 20 euros/day in RG1 (the budget scope) Monthly cost for VM1 = 20 euros × 30 days = 600 euros Budget alerts are set at: 50% (500 euros) - Will trigger email via AG1 [1] 70% (700 euros) - Will trigger SMS via AG2 100% (1000 euros) - Will trigger Azure App via AG3 With VM1's monthly cost of 600 euros: The 50% threshold (500 euros) will be triggered The 70% threshold (700 euros) will not be triggered The 100% threshold (1000 euros) will not be triggered Note: VM2's costs (30 euros/day) are not considered since it's in RG2, which is outside the budget scope Two notifications will be sent: One to admin@contoso.com (via AG1) One to User1@Contoso.com (default budget recipient) Therefore, two email notifications will be sent each month when the 50% threshold is crossed.
32
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups. Another administrator plans to create several network security groups (NSGs) in the subscription. You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks. Solution: You assign a built-in policy definition to the subscription. Does this meet the goal? A. Yes B. No
The answer is No To meet the requirement, you should: Create a Custom Policy Definition that: Targets the Microsoft.Network/networkSecurityGroups resource type Uses the deployIfNotExists or modify effect Includes a policy rule that adds the required NSG rule for port 8080 Here's an example policy definition: { "mode": "All", "policyRule": { "if": { "field": "type", "equals": "Microsoft.Network/networkSecurityGroups" }, "then": { "effect": "modify", "details": { "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7" ], "operations": [{ "operation": "add", "field": "properties.securityRules", "value": { "name": "Block8080", "properties": { "protocol": "TCP", "sourcePortRange": "*", "destinationPortRange": "8080", "sourceAddressPrefix": "VirtualNetwork", "destinationAddressPrefix": "VirtualNetwork", "access": "Deny", "priority": 100, "direction": "Inbound" } } }] } } } } Copy Insert at cursor json Steps to implement the solution: Create the custom policy definition using the above JSON Assign the policy to the subscription Set the policy assignment to use the "modify" effect Ensure the policy has the necessary permissions through role assignment This solution will: Automatically add the required rule to any new NSG created in the subscription Block TCP port 8080 between virtual networks Apply consistently across all resource groups in the subscription Work with the existing 10 virtual networks and any new ones created The custom policy approach is required because: It allows for specific rule configuration It can automatically modify resources upon creation It ensures consistent security rule implementation It works at scale across the subscription
33
You have an Azure subscription that contains the hierarchy shown in the following exhibit. (Tenant Root Group → ManagementGroup1 → Subscription1 → RG1 → VM1) You create an Azure Policy definition named Policy1. To which Azure resources can you assign Policy1 and which Azure resources can you specify as exclusions from Policy1? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area Answer Area You can assign Policy1 to: Subscription1 and RG1 only ManagementGroup1 and Subscription1 only Tenant Root Group, ManagementGroup1, and Subscription1 only Tenant Root Group, ManagementGroup1, Subscription1, and RG1 only Tenant Root Group, ManagementGroup1, Subscription1, RG1, and VM1 You can exclude Policy1 from: VM1 only RG1 and VM1 only Subscription1, RG1, and VM1 only ManagementGroup1, Subscription1, RG1, and VM1 only Tenant Root Group, ManagementGroup1, Subscription1, RG1, and VM1 which option is correct in per question on Answer area? why?
Let me analyze each part of the question: "You can assign Policy1 to:" [1] Answer: Tenant Root Group, ManagementGroup1, Subscription1, and RG1 only Reason: Azure Policy assignments can be made at the following levels: Management Groups (including Tenant Root Group) Subscriptions Resource Groups Individual resources (like VM1) cannot be direct targets for policy assignments [2] The hierarchy allows for assignment at any level except individual resources Therefore, you can assign to all levels except VM1 You can exclude Policy1 from: ManagementGroup1, Subscription1, RG1, and VM1 only Exclusions can be specified for any resource or resource group within the scope of the policy assignment. However, you cannot exclude the Tenant Root Group itself because it is the top-level scope12. So, the correct options are: You can assign Policy1 to: Tenant Root Group, ManagementGroup1, Subscription1, RG1, and VM1 You can exclude Policy1 from: ManagementGroup1, Subscription1, RG1, and VM1 only
34
You have an Azure subscription named Sub1 that contains the Azure resources shown in the following table: Name Type RG1 Resource group storage1 Storage account VNET1 Virtual network You assign an Azure policy that has the following settings: Scope: Sub1 Exclusions: Sub1/RG1/VNET1 Policy definition: Append a tag and its value to resources Policy enforcement: Enabled Tag name: Tag4 Tag value: value4 You assign tags to the resources as shown in the following table: Resource Tag Sub1 Tag1:subscription RG1 Tag2:IT storage1 Tag3:value1 VNET1 Tag3:value2 For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area Answer Area Statements: RG1 has the Tag2:IT tag assigned only. Yes No Storage1 has the Tag1:subscription, Tag2:IT, Tag3:value1, and Tag4:value4 tags assigned. Yes No VNET1 has the Tag2:IT and Tag3:value2 tags assigned only. Yes No
Let's analyze each statement based on the given information: RG1 has the Tag2:IT tag assigned only. RG1 is assigned the tag Tag2:IT. The policy to append Tag4:value4 does not apply to RG1 because VNET1 (which is in RG1) is excluded from the policy. Therefore, RG1 has the Tag2:IT Answer: Yes Storage1 has the Tag1:subscription, Tag2:IT, Tag3:value1, and Tag4:value4 tags assigned. Storage1 is assigned the tag Tag3:value1. The policy to append Tag4:value4 applies to Storage1 because it is within the scope of Sub1 and not excluded. However, Storage1 does not have Tag1:subscription or Tag2:IT assigned. Answer: No VNET1 has the Tag2:IT and Tag3:value2 tags assigned only. VNET1 is assigned the tag Tag3:value2. The policy to append Tag4:value4 does not apply to VNET1 because it is explicitly excluded. VNET1 does not have Tag2:IT assigned. Answer: No So, the correct answers are: RG1 has the Tag2:IT tag assigned only: Yes Storage1 has the Tag1:subscription, Tag2:IT, Tag3:value1, and Tag4:value4 tags assigned: No VNET1 has the Tag2:IT and Tag3:value2 tags assigned only: No
35
You have an Azure subscription that contains the virtual networks shown in the following table: Name Location VNet1 West Europe VNet2 Southeast Asia VNet3 South Central US The subscription contains the subnets shown in the following table: Name Virtual network Service endpoint Subnet1 VNet1 None Subnet2 VNet2 Microsoft.Storage Subnet3 VNet3 Microsoft.Storage Subnet4 VNet4 None The subscription contains the storage accounts shown in the following table: Name Location Kind storage1 West Europe StorageV2 storage2 South Central US BlobStorage storage3 Southeast Asia StorageV2 You create a service endpoint policy named Policy1 in the South Central US Azure region to allow connectivity to all the storage accounts in the subscription. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Answer Area Statements: Policy1 can be applied to Subnet3. [Yes] [No] Only storage1 and storage2 can be accessed from VNet2. [Yes] [No] Only storage2 can be accessed from VNet3. [Yes] [No] which option is correct in per question on answer area? why?
I'll help you with each statement. Statement 1: Policy1 can be applied to Subnet3. Correct answer: Yes Why: Policy1 is created in the South Central US Azure region, which is the same region as VNet3 (where Subnet3 is located). Service endpoint policies can be applied to subnets in the same region. Statement 2: Only storage1 and storage2 can be accessed from VNet2. Correct answer: No Why: VNet2 has a service endpoint for Microsoft.Storage, which allows access to all storage accounts in the subscription, not just storage1 and storage2. There is no restriction mentioned that would prevent access to storage3 from VNet2. Statement 3: Only storage2 can be accessed from VNet3. Correct answer: Yes Why: Similar to Statement 2, VNet3 has a service endpoint for Microsoft.Storage, which allows access to all storage accounts in the subscription, due to location match, So the statement is correct.
36
You have an Azure subscription that contains a policy-based virtual network gateway named GW1 and a virtual network named VNet1. You need to ensure that you can configure a point-to-site connection from an on-premises computer to VNet1. Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. A. Add a service endpoint to VNet1 B. Reset GW1 C. Create a route-based virtual network gateway D. Add a connection to GW1 E. Delete GW1 F. Add a public IP address space to VNet1 which one is correct? why correct?
To configure a point-to-site (P2S) connection from an on-premises computer to VNet1, you need to perform the following actions: Create a route-based virtual network gateway (C): Point-to-site VPN connections require a route-based VPN gateway, not a policy-based one. This is because route-based gateways support IKEv2 and OpenVPN protocols, which are necessary for P2S connections. Delete GW1 (E): Since you currently have a policy-based virtual network gateway (GW1), you need to delete it before you can create a new route-based virtual network gateway. Azure does not allow changing the type of an existing gateway; you must delete the existing one and create a new one. Why the other options are incorrect: A. Add a service endpoint to VNet1: Service endpoints are used to secure Azure service resources to your virtual network, but they are not related to configuring VPN connections. B. Reset GW1: Resetting the gateway does not change its type from policy-based to route-based, which is necessary for P2S connections. D. Add a connection to GW1: Adding a connection to the existing policy-based gateway will not help because P2S connections require a route-based gateway. F. Add a public IP address space to VNet1: While a public IP address is necessary for the VPN gateway, this option is not relevant to the specific requirement of changing the gateway type to support P2S connections.
36
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups. Another administrator plans to create several network security groups (NSGs) in the subscription. You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks. Solution: You configure a custom policy definition, and then you assign the policy to the subscription. Does this meet the goal? A. Yes B. No
The answer is A. Yes Here's why this solution meets the goal: Azure Policy capabilities: Azure Policies allow you to enforce rules and compliance across your Azure resources They can be used to automatically enforce standards when new resources are created Policies can be applied at subscription level, which affects all resource groups within that subscription Custom Policy for NSGs: A custom policy definition can be created to define rules for NSG creation The policy can specify that any new NSG must include a security rule blocking TCP port 8080 When assigned at the subscription level, it will apply to all resource groups in that subscription Policy enforcement: The policy will automatically enforce the rule when new NSGs are created It ensures consistency across all NSGs in the subscription It prevents creation of NSGs that don't comply with the port 8080 blocking requirement Benefits of this approach: Centralized control: Manages security rules across multiple virtual networks from one policy Automated enforcement: No need for manual intervention when new NSGs are created Consistent security: Ensures uniform security rules across all virtual networks Scalable: Automatically applies to new NSGs as they are created This solution is particularly effective because: It's preventive rather than reactive It ensures compliance by default It reduces administrative overhead It eliminates the risk of human error in implementing the security rule
37
You have an Azure subscription that contains the resources shown in the following table: Name Type Resource group VNET1 Virtual network RG1 VM1 Virtual machine RG1 The Not allowed resource types Azure policy that has policy enforcement enabled is assigned to RG1 and uses the following parameters: Microsoft.Network/virtualNetworks Microsoft.Compute/virtualMachines In RG1, you need to create a new virtual machine named VM2 and then connect VM2 to VNET1. What should you do first? A. Remove Microsoft.Compute/virtualMachines from the policy. B. Create an Azure Resource Manager template. C. Add a subnet to VNET1. D. Remove Microsoft.Network/virtualNetworks from the policy.
The correct answer is A: Remove Microsoft.Compute/virtualMachines from the policy.
38
HOTSPOT Overview ADatum Corporation is consulting firm that has a main office in Montreal and branch offices in Seattle and New York. Existing Environment Azure Environment ADatum has an Azure subscription that contains three resource groups named RG1, RG2, and RG3. The subscription contains the storage accounts shown in the following table. Name Kind Location Hierarchical namespace Container File share storage1 StorageV2 West US Yes cont1 share1 storage2 StorageV2 West US No cont2 share2 The subscription contains the virtual machines shown in the following table. Name Size Operating system Description VM1 A Red Hat Enterprise Linux (RHEL) Uses ephemeral OS disks VM2 A Windows Server 2022 Has a basic volume VM3 B Red Hat Enterprise Linux (RHEL) Uses a standard SSDs VM4 M Windows Server 2022 Uses Write Accelerator disks VM5 E Windows Server 2022 Has a dynamic volume The subscription has an Azure container registry that contains the images shown in the following table. Name Operating system Image1 Windows Server Image2 Linux The subscription contains the resources shown in the following table. Name Description In resource group Workspace1 Log Analytics workspace RG1 WebApp1 Azure App Service web app RG1 VNet1 Virtual network RG2 zone1.com Azure Private DNS zone RG3 Azure Key Vault - The subscription contains an Azure key vault named Vault1. Vault1 contains the certificates shown in the following table. Name Content type Key type Key size Cert1 PKCS#12 RSA 2048 Cert2 PKCS#12 RSA 4096 Cert3 PEM RSA 2048 Cert4 PEM RSA 4096 Vault1 contains the keys shown in the following table. Name Type Description Key1 RSA Has a key size of 4096 Key2 EC Has Elliptic curve name set to P-256 Microsoft Entra Environment - ADatum has a Microsoft Entra tenant named adatum.com that is linked to the Azure subscription and contains the users shown in the following table. Name Microsoft Entra role Azure role Admin1 Global Administrator None Admin2 Attribute Definition Administrator None Admin3 Attribute Assignment Administrator None User1 None Reader for RG2 and RG3 The tenant contains the groups shown in the following table. Name Type Group1 Security group Group2 Microsoft 365 group The adatum.com tenant has a custom security attribute named Attribute1. Planned Changes - ADatum plans to implement the following changes: * Configure a data collection rule (DCR) named DCR1 to collect only system events that have an event ID of 4648 from VM2 and VM4. * In storage1, create a new container named cont2 that has the following access policies: o Three stored access policies named Stored1, Stored2, and Stored3 o A legal hold for immutable blob storage * Whenever possible, use directories to organize storage account content. * Grant User1 the permissions required to link Zone1 to VNet1. * Assign Attribute1 to supported adatum.com resources. * In storage2, create an encryption scope named Scope1. * Deploy new containers by using Image1 or Image2. Technical Requirements - ADatum must meet the following technical requirements: * Use TLS for WebApp1. * Follow the principle of least privilege. * Grant permissions at the required scope only. * Ensure that Scope1 is used to encrypt storage services. * Use Azure Backup to back up cont1 and share1 as frequently as possible. * Whenever possible, use Azure Disk Encryption and a key encryption key (KEK) to encrypt the virtual machines. You implement the planned changes for cont2. What is the maximum number of additional access policies you can create for cont2? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Answer Area Stored access policies: 0 1 2 3 4 5 Immutable blob storage policies: 0 1 2 3 4 5
To determine the maximum number of additional policies you can create for cont2, we need to analyze two aspects: stored access policies and immutable blob storage policies. Stored Access Policies Azure Storage accounts have a limit on the number of stored access policies you can create per container. The limit is five stored access policies per container. In the case study, cont2 already has three stored access policies created: Stored1, Stored2, and Stored3. Therefore, the number of additional stored access policies you can create is: Max Policies ( 5 ) − Existing Policies ( 3 ) = 2 Max Policies(5)−Existing Policies(3)=2 Immutable Blob Storage Policies Azure Storage accounts allow the use of immutable blob storage policies to enforce legal holds and time-based retention policies. A container can have: One legal hold policy (already applied in this case). Multiple time-based retention policies, but the total combined limit of immutable blob storage policies is two per container. Since cont2 already has one immutable blob storage policy (the legal hold), you can create one additional immutable blob storage policy. Correct Answer Stored access policies: 2 Immutable blob storage policies: 1 Explanation Stored Access Policies: The total allowed is five, and three are already in place, leaving space for two more. Immutable Blob Storage Policies: A container can have a maximum of two, and one is already in place (the legal hold), leaving space for one additional policy.
39
Overview - ADatum Corporation is consulting firm that has a main office in Montreal and branch offices in Seattle and New York. Existing Environment - Azure Environment - ADatum has an Azure subscription that contains three resource groups named RG1, RG2, and RG3. The subscription contains the storage accounts shown in the following table. | Name | Kind | Location | Hierarchical namespace | Container | File share | |---|---|---|---|---|---| | storage1 | StorageV2 | West US | Yes | cont1 | share1 | | storage2 | StorageV2 | West US | No | cont2 | share2 | The subscription contains the virtual machines shown in the following table. | Name | Size | Operating system | Description | |---|---|---|---| | VM1 | A | Red Hat Enterprise Linux (RHEL) | Uses ephemeral OS disks | | VM2 | D | Windows Server 2022 | Has a basic volume | | VM3 | B | Red Hat Enterprise Linux (RHEL) | Uses a standard SSDs | | VM4 | M | Windows Server 2022 | Uses Write Accelerator disks | | VM5 | E | Windows Server 2022 | Has a dynamic volume | The subscription has an Azure container registry that contains the images shown in the following table. | Name | Operating system | |---|---| | Image1 | Windows Server | | Image2 | Linux | The subscription contains the resources shown in the following table. | Name | Description | In resource group | |---|---|---| | Workspace1 | Log Analytics workspace | RG1 | | WebApp1 | Azure App Service web app | RG1 | | VNet1 | Virtual network | RG2 | | zone1.com | Azure Private DNS zone | RG3 | Azure Key Vault - The subscription contains an Azure key vault named Vault1. Vault1 contains the certificates shown in the following table. | Name | Content type | Key type | Key size | |---|---|---|---| | Cert1 | PKCS#12 | RSA | 2048 | | Cert2 | PKCS#12 | RSA | 4096 | | Cert3 | PEM | RSA | 2048 | | Cert4 | PEM | RSA | 4096 | Vault1 contains the keys shown in the following table. | Name | Type | Description | |---|---|---| | Key1 | RSA | Has a key size of 4096 | | Key2 | EC | Has Elliptic curve name set to P-256 | Microsoft Entra Environment - ADatum has a Microsoft Entra tenant named adatum.com that is linked to the Azure subscription and contains the users shown in the following table. Name Microsoft Entra role Azure role Admin1 Global Administrator None Admin2 Attribute Definition Administrator None Admin3 Attribute Assignment Administrator None User1 None Reader for RG2 and RG3 The tenant contains the groups shown in the following table. Name Type Group1 Security group Group2 Microsoft 365 group The adatum.com tenant has a custom security attribute named Attribute1. Planned Changes - ADatum plans to implement the following changes: * Configure a data collection rule (DCR) named DCR1 to collect only system events that have an event ID of 4648 from VM2 and VM4. * In storage1, create a new container named cont2 that has the following access policies: o Three stored access policies named Stored1, Stored2, and Stored3 o A legal hold for immutable blob storage * Whenever possible, use directories to organize storage account content. * Grant User1 the permissions required to link Zone1 to VNet1. * Assign Attribute1 to supported adatum.com resources. * In storage2, create an encryption scope named Scope1. * Deploy new containers by using Image1 or Image2. Technical Requirements - ADatum must meet the following technical requirements: * Use TLS for WebApp1. * Follow the principle of least privilege. * Grant permissions at the required scope only. * Ensure that Scope1 is used to encrypt storage services. * Use Azure Backup to back up cont1 and share1 as frequently as possible. * Whenever possible, use Azure Disk Encryption and a key encryption key (KEK) to encrypt the virtual machines. You need to implement the planned changes for the storage account content. Which containers and file shares can you use to organize the content? A. share1 only B. cont1 and share1 only C. share1 and share2 only D. cont1, share1, and share2 only E. cont1, cont2, share1, and share2
The correct answer is D: cont1, share1, and share2. Here's why: Based on the storage account details provided: storage1 has both cont1 (container) and share1 (file share) storage2 has both cont2 (container) and share2 (file share) The planned changes state: "Whenever possible, use directories to organize storage account content." Both containers and file shares can be used to organize storage content: Azure Storage containers can organize blob storage using virtual directory hierarchy Azure Files shares support proper directory structures All three existing storage components (cont1, share1, and share2) can be used because: Containers (cont1) support blob storage organization through virtual directories File shares (share1 and share2) natively support directory structures Both storage accounts (storage1 and storage2) are StorageV2, which supports modern storage features

Az-104-practice test (16 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions