Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

Az-104-practice test > test 4 > Flashcards

test 4 Flashcards

1
Q

Your team needs to deploy an Azure Kubernetes cluster. It needs to be ensured that applications can connect to the pods deployed to the cluster via the IP addresses assigned to the pod. Which of the following network type would you choose for the cluster?

Azure Private Endpoint
Azure Container Networking Interface
Kubenet
Kubectl

A

Azure Container Networking Interface

In order for each pod to get its own IP address, we need to use the Azure Container Networking Interface.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Your company has set an Azure subscription. They want to transfer 40 TB of data onto an Azure Storage Account. The transfer should not have an impact on the company’s existing network. It should be the fastest and the most secure way of transferring of data. Which of the following can be used for this requirement?

A. Azure Storage Explorer
B. AzCopy tool
C. Azure Import/Export Service
D. Azure DataBox

A

Azure DataBox

When you want to transfer data greater than 30 TB, its ideal to use the Azure DataBox service

One can refer to the below URL for more information on the same

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Your company has the following storage accounts
appstore100—-General Purpose V1
appstore200—-General Purpose V2
appstore300—-BlockBlobStorage
appstore400—-FileStorage
Can you create a premium file share in appstore400?

Yes

No

A

Yes, you can create a premium file share in this type of storage account.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Your company has the following storage accounts
appstore100—-General Purpose V1
appstore200—-General Purpose V2
appstore300—-BlockBlobStorage
appstore400—-FileStorage
Can you create a premium file share in appstore200?

Yes

No

A

No
You can only create Premium files shares in the FileStorage account.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

You have an Azure Storage Account. You need copy files via the AzCopy tool to Blob and File storage.

Can you use access keys as a means of authorization for Azure File storage when it comes to the AzCopy tool?

A. Yes

B. No

A

No

For Azure File storage, you can only use Shared Access Signatures when it comes to authorization.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Your company is planning on hosting an application on a couple of Azure virtual machines named appvm1 and appvm2. You have to ensure that the application continues to work even if there is a planned maintenance event of the underlying hardware. How would you plan to deploy the Azure virtual machines?

A. In an Availability set with one fault domain

B. In an Availability set with two fault domains

C. In an Availability set with one update domain

D. In an Availability set with two update domains

A

The correct answer is D: In an Availability set with two update domains
Here’s why:
The key requirement is to “ensure that the application continues to work even if there is a planned maintenance event”
Understanding Update Domains:
Update Domains (UDs) are specifically designed to handle planned maintenance events [1]
When planned maintenance occurs, only one update domain is updated at a time
Having VMs in different update domains ensures that not all VMs are updated simultaneously
This maintains application availability during planned maintenance
Why two Update Domains is correct:
With two VMs (appvm1 and appvm2) in different update domains
When one update domain undergoes maintenance, the VM in the other update domain remains available
This ensures continuous application availability during planned maintenance
Why other options are incorrect:
A. In an Availability set with one fault domain
Fault domains protect against hardware failures, not planned maintenance
Single fault domain doesn’t provide redundancy
Doesn’t address the planned maintenance requirement
B. In an Availability set with two fault domains
Fault domains protect against hardware/rack failures
While important for overall availability, they don’t specifically address planned maintenance
Doesn’t solve the planned maintenance scenario
C. In an Availability set with one update domain
Single update domain means all VMs would be updated at the same time
Would result in application downtime during planned maintenance
Defeats the purpose of high availability
Key Points for AZ-104:
Update Domains (UD) = Protection against planned maintenance
Fault Domains (FD) = Protection against hardware failures
For planned maintenance scenarios, focus on Update Domains
Default: Azure provides up to 5 update domains [2]
Best practice: Distribute VMs across multiple update domains for maximum availability during planned maintenance

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Your company is planning on hosting an application on a set of Azure virtual machines. The implementation should ensure that at least two virtual machines are available if a single Azure datacenter goes down. How would you plan to deploy the Azure virtual machines?

Across a single Availability Set

Across a set of Availability sets

Across a single Availability Zone

Across a set of Availability Zones

A

The correct answer is: Across a set of Availability Zones [1]
Here’s why this is the correct answer:
The key requirement is “ensure that at least two virtual machines are available if a single Azure datacenter goes down”
Availability Zones provide:
Physical separation of resources across different datacenters within the same Azure region [2]
Each zone is made up of one or more datacenters equipped with independent power, cooling, and networking
If one datacenter/zone fails, the other zones in the region remain operational
Why other options are not correct:
Across a single Availability Set
An Availability Set only protects against hardware failures within the same datacenter
Does not protect against datacenter-level failures
All VMs in an Availability Set are in the same datacenter
Across a set of Availability Sets
Multiple Availability Sets are still within the same datacenter
Does not protect against datacenter-level failures
Across a single Availability Zone
This would place all VMs in the same zone (datacenter)
Does not provide protection if that datacenter goes down
Best Practice Implementation:
Deploy VMs across multiple Availability Zones (minimum of 2 zones) [3]
Use a Load Balancer or Application Gateway to distribute traffic
Configure zone-redundant storage for VM disks
This ensures high availability even if an entire datacenter fails
Remember for AZ-104:
Availability Sets = Protection within a single datacenter
Availability Zones = Protection across different datacenters in the same region

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Your company has an Azure virtual network that contains the following subnets
subnet A: 10.0.0.0/24
subnet B: 10.0.1.0/24

The following VMs:
appvm1: 10.0.0.5
appvm2: 10.0.1.5
appvm3: 10.0.1.6

A Network Security group named app-nsg1 has the following Inbound rules. This NSG is attached to SubnetA.

A Network Security group named app-nsg1 has the following Inbound rules. This NSG is attached to SubnetA.
Priority 120 allow 443 TCP from source 10.0.1.0/24 to 10.0.0.0/24

A Network Security group named app-nsg2 has the following Inbound rules. This NSG is attached to appvm1.
Priority 200 deny 443 TCP from source 10.0.1.5 to 10.0.0.5

Would appvm2 be able to connect on the TCP port of 443 of appvm1?

Yes

No

A

No

Since there is a specific rule in app-nsg2 to deny traffic, the request will not be allowed.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Your company has an Azure virtual network that contains the following subnets
subnet A: 10.0.0.0/24
subnet B: 10.0.1.0/24

The following VMs:
appvm1: 10.0.0.5
appvm2: 10.0.1.5
appvm3: 10.0.1.6

A Network Security group named app-nsg1 has the following Inbound rules. This NSG is attached to SubnetA.

A Network Security group named app-nsg1 has the following Inbound rules. This NSG is attached to SubnetA.
Priority 120 allow 443 TCP from source 10.0.1.0/24 to 10.0.0.0/24

A Network Security group named app-nsg2 has the following Inbound rules. This NSG is attached to appvm1.
Priority 200 deny 443 TCP from source 10.0.1.5 to 10.0.0.5

Would appvm1 be able to connect on the TCP port of 443 of appvm2?

Yes

No

A

Yes

Since there is no NSG specifically denying the request, the request will be allowed.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

You have to use Azure Network Watcher to perform the various activities

1) Find out if a particular Network Security Group rule is preventing traffic from reaching an Azure virtual machine

2) Check the outbound connectivity from an Azure virtual machine to an external host

Which of the following can be used for the following requirement?

“Check the outbound connectivity from an Azure virtual machine to an external host”

Connection Troubleshoot

Next Hop

IP Flow Verify

Traffic Analytics

A

The correct answer is: Connection Troubleshoot
Here’s why Connection Troubleshoot is the correct answer:
Connection Troubleshoot:
Specifically designed to check connectivity between a source (VM) and a destination (external host)
Can verify outbound connections from a VM to:
External websites
External IP addresses
URLs
FQDN (Fully Qualified Domain Names)
Provides detailed diagnostic information about:
Connection status
Latency
Path information
Any connectivity issues
Why other options are incorrect:
IP Flow Verify:
Only checks if a specific packet is allowed or denied by NSG rules
Doesn’t actually test real connectivity
Limited to checking NSG rules, not actual network path or reachability
Next Hop:
Shows the next routing hop a packet would take
Used for routing troubleshooting
Doesn’t test actual connectivity
Only shows the next hop in the routing path
Traffic Analytics:
Provides visibility into network traffic patterns
Analyzes NSG flow logs
Historical analysis tool, not a real-time connectivity testing tool
Used for traffic monitoring and security analysis
Key Points for AZ-104:
Connection Troubleshoot = End-to-end connectivity testing
IP Flow Verify = NSG rule verification
Next Hop = Routing path verification
Traffic Analytics = Traffic pattern analysis
Remember: When you need to test actual connectivity from a VM to an external destination, Connection Troubleshoot is the appropriate Network Watcher feature to use.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

You have to use Azure Network Watcher to perform the various activities

1) Find out if a particular Network Security Group rule is preventing traffic from reaching an Azure virtual machine

2) Check the outbound connectivity from an Azure virtual machine to an external host

Which of the following can be used for the following requirement?

“Find out if a particular Network Security Group rule is preventing traffic from reaching an Azure virtual machine”

Connection Troubleshoot

Next Hop

IP Flow Verify

Traffic Analytics

A

IP Flow Verify

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

You are going to be creating the following Azure Availability set
Fault domain: 2
Update domain: 10
12 virtual machines have been added to the availability set.

What is the maximum number of unavailable machines when a planned maintenance is carried out which impacts the Availability set?
A. 1

B. 2

C. 6

D. 12

A

2

Since there are 10 updates domains, there will be 2 updates domains that will have 2 machines each and the remaining update domains will have 1 machine each. This will give a total of 12 virtual machines spread across the update domains.

This means that at any point in time a maximum of 2 machines will not be available.

Formula for maximum unavailable VMs during planned maintenance:

Max Unavailable VMs = Total VMs ÷ Number of Update Domains
Let’s apply this to your scenario:

Total VMs = 12
Update Domains = 10
Max Unavailable VMs = 12 ÷ 10 = 1.2 (rounded up to 2)
Therefore, the answer is B. 2 machines.

Explanation:

During planned maintenance, Azure processes one update domain at a time
VMs are distributed across update domains evenly
When dividing 12 VMs across 10 update domains:
Some update domains will have 1 VM
Some update domains will have 2 VMs
The worst-case scenario is when maintenance affects an update domain containing 2 VMs
Note: The Fault Domain count (2) doesn’t affect planned maintenance calculations - it’s relevant for hardware failure scenarios.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Your Azure AD tenant currently has the following settings enabled for self-service password reset.
Select group: GroupA
Number method required to reset: 2
methods available to users:
+ Mobile app code
+ Security questions
Number of questions is required to register: 5
Number of questions is required to reset: 2
The following users are defined as part of your Azure AD tenant
User1@techsup4000gmail.onmicrosoft.com –GroupA
User2@techsup4000gmail.onmicrosoft.com –GroupB

Would User1 be able to reset their password after answering 4 of the security questions?
A. Yes
B. No

A

No

The user also needs to perform the method of Mobile app code to complete the process for reseting the password.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Your team has deployed an Azure virtual machine. You have to create an alert in Azure Monitor. The alert needs to send an email to an IT administrator whenever an error is detected in the System event log of the virtual machine. Which of the following would you create in Azure for this requirement?

A. Azure Log Analytics workspace

B. Azure Storage Account

C. Azure SQL database

D. Azure Logic Apps

A

Azure Log Analytics workspace

You can direct the logs to a Log Analytics workspace. And then create an alert based on the logs in the Log Analytics workspace.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

You need to use the Azure Import/Export service to add files to an Azure Storage account. Which of the following files need to be in place for the import job? Choose 2 answers from the options given below (multi choose)

A. An XML file

B. A driveset CSV file

C. A dataset CSV file

D. A JSON file

A

A driveset CSV file
A dataset CSV file

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Your team has a Recovery Services vault defined in the North Europe location and part of a resource group named app-grp.

The team also has the following Azure General Purpose V2 storage accounts in place
Name————————–Resource group———————-Location
appstore1000————–app-grp———————————-North Europe
appstore2000————–app-grp———————————-UK South
The team also has the following Azure Log Analytics workspaces in place
Name————————–Resource group———————-Location
logworkspace1000——–app-grp———————————-North Europe
logworkspace2000——–app-grp———————————-UK South

You need to configure the Diagnostic settings for the Recovery Services vault for the Azure Backup Reports log.

Can you configure appstore2000 for storage of the reports?

Yes

No

A

No

The Recovery Services Vault and the Azure Storage Account need to be in the same region.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Your company currently has the following Azure Storage Accounts in place
Name Storage Account Type Performance Replication
appstore1000 General Purpose V2 Standard Locally-redundant storage
appstore2000 BlockBlobStorage Premium Locally-redundant storage
appstore3000 General Purpose V2 Standard Read-access geo-redundant storage
appstore4000 General Purpose V1 Premium Locally-redundant storage
Can you convert the replication of appstore3000 to Zone-redundant storage by requesting Azure support for a live migration?

A. Yes

B. No

A

The answer is B. No

Here’s why:

Direct Replication Conversion Rules:
For GZRS/ZRS conversion:
- You CANNOT convert from RA-GRS (Read-access geo-redundant storage) to ZRS (Zone-redundant storage)
- Even Azure Support cannot perform this conversion as a live migration
Allowed Conversion Paths:
LRS -> ZRS (in supported regions)
ZRS -> LRS
LRS -> GRS/RA-GRS
GRS/RA-GRS -> LRS
Key Points:
appstore3000 is currently using RA-GRS (Read-access geo-redundant storage)
There is no direct conversion path from RA-GRS to ZRS
This limitation exists because:
ZRS and GRS/RA-GRS use fundamentally different architectures
ZRS replicates across availability zones in a single region
RA-GRS replicates across regions
Solution if ZRS is needed:
To get ZRS for this storage:
1. Create a new storage account with ZRS
2. Migrate data to the new account
3. Update applications to use new storage account
4. Delete old storage account

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Your company currently has the following Azure Storage Accounts in place
Name Storage Account Type Performance Replication
appstore1000 General Purpose V2 Standard Locally-redundant storage
appstore2000 BlockBlobStorage Premium Locally-redundant storage
appstore3000 General Purpose V2 Standard Read-access geo-redundant storage
appstore4000 General Purpose V1 Premium Locally-redundant storage
Can you convert the replication of appstore1000 to Zone-redundant storage by requesting Azure support for a live migration?

A. Yes

B. No

A

Yes, this is supported for General Purpose V2 storage accounts that have the current replication type as Locally-redundant storage.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Your company has the following App Service Plans
Name Operating System SKU Region
Plan1 Windows Standard North Europe
Plan2 Windows Standard UK South
Plan3 Linux Standard North Europe

The company want to host the following Azure Web Apps
Name Operating System Region
webapp1 .Net Core 3.1 North Europe
webapp2 ASP.NET V4.8 North Europe
webapp3 Ruby 2.6 North Europe

Can you use Plan3 to host webapp2?

Yes

No

A

No

ASP.NET V4.8 is only supported on Windows-based operating systems.

18
Q

Your company has an Azure Storage account that has the following properties.

You need to request Microsoft support to perform a live migration of the storage account to Zone-redundant storage. Which of the following needs to be done first for this requirement?

A. Change the storage account to General-Purpose V1

B. Change the location of the storage account

C. Change the access tier to the Cool Access tier

D. Set the replication type to Locally-redundant storage

A

Set the replication type to Locally-redundant storage

When moving from Read-Access Geo-redundant storage to Zone-redundant storage, you first need to change the replication type to Locally-redundant storage.

Azure Storage accounts that support live migration are typically the General-purpose v2 (GPv2) accounts, especially those with redundancy options like LRS (Locally Redundant Storage) or ZRS (Zone-Redundant Storage).

19
Q

Your company has the following App Service Plans
Name Operating System SKU Region
Plan1 Windows Standard North Europe
Plan2 Windows Standard UK South
Plan3 Linux Standard North Europe

The company want to host the following Azure Web Apps
Name Operating System Region
webapp1 .Net Core 3.1 North Europe
webapp2 ASP.NET V4.8 North Europe
webapp3 Ruby 2.6 North Europe

Can you use Plan1 to host webapp3?

Yes

No

A

No

Ruby 2.6 is only supported on Linux-based operating systems.

20
Q

Your company has an Azure AD tenant and an Azure subscription. You have to ensure a user named adminA has the ability to deploy virtual machines and also manage virtual networks. You need to assign the right role to the user and also ensure the solution uses the principle of least privilege. Which of the following role would you assign to the user?

Owner

Contributor

Virtual Machine Contributor

Reader

A

Contributor

Here we need to use the Contributor role. The Virtual Machine Contributor role does not allow you to manage virtual networks.

21
Q

Your company has an Azure virtual machine named appvm that is deployed to a resource group named app-grp. The resource group is part of an Azure subscription named app-subscription. The subscription is part of a Management Group named app-management. The Management Group is part of the Tenant Root Group.

You need to assign an Azure Policy.

Can you assign the Azure Policy exclusion at the Tenant Root Group Level?

Yes

No

A

No

You need to start adding exclusions from the Management Group onwards

22
Q

Your company has an Azure virtual machine named appvm that is deployed to a resource group named app-grp. The resource group is part of an Azure subscription named app-subscription. The subscription is part of a Management Group named app-management. The Management Group is part of the Tenant Root Group.

You need to assign an Azure Policy.

Can you assign the Azure Policy at the virtual machine Level?

Yes

No

A

No

The maximum level you can go till when it comes to assigning the Azure Policy is the Resource Group level.

23
Q

Your company needs to implement a Site-to-Site VPN connection. The company has two -on-premises VPN devices. The Site-to-Site VPN must be created in such a way that even if a single Azure VPN gateway fails or a single on-premises VPN devices fails, it will not cause a service interruption for more than a minute.

How many Virtual network gateways would you create in Azure for this requirement?

A. 1

B. 2

C. 3

D. 4

A

2

Here we need to deploy the architecture in a full mesh architecture as shown below in the Microsoft documentation

Here you just need two Azure VPN gateways

24
Q

Your company has a set of resources deployed as part of their subscription. The resources are being used by multiple departments in the company. The departments use the resources that are spread across multiple resource groups. You need to ensure that you can get a report of the costs of resources consumed department-wise at the end of the month. Which of the following can you implement for this requirement? Choose 3 answers from the options given below

Assign a tag to each resource group

Assign a tag to each resource

In the Cost Analysis section, filter the costs via tags

In the Cost Analysis section, filter the costs via resource groups

Download the required report

A

Assign a tag to each resource
In the Cost Analysis section, filter the costs via tags
Download the required report

Here we need to assign a resource tag to each resource. We should not assign it to the resource group because the resource groups are being used by multiple departments.

Then in Cost Management , we should filter the costs via tags

And then we can download the required report.

24
Q

Your company needs to implement a Site-to-Site VPN connection. The company has two -on-premises VPN devices. The Site-to-Site VPN must be created in such a way that even if a single Azure VPN gateway fails or a single on-premises VPN devices fails, it will not cause a service interruption for more than a minute.

How many public IP addresses would you create in Azure for this requirement?

A. 1

B. 2

C. 3

D. 4

A

2

Here we need to deploy the architecture in a full mesh architecture as shown below in the Microsoft documentation

Here you just need two Public IP addresses , one for each VPN gateway

25
Q

Your company currently has an Azure Web App that is part of a Basic App Service Plan. You have to ensure that the Web App can scale automatically when the CPU percentage goes beyond 75% for a duration of 10 minutes. Which of the following steps needs to be configured for this requirement? Choose 3 answers from the options given below

Scale up the App Service Plan

Scale out the App Service Plan

Configure a deployment slot for the Azure Web App

Configure a scaling condition to scale based on a metric and then add the rules accordingly.

Configure a scaling condition to scale based on an instance count and then add then set the instance count.

A

Scale up the App Service Plan
Scale out the App Service Plan
Configure a scaling condition to scale based on a metric and then add the rules accordingly.

First you need to scale up the App Service Plan from the Basic to the Standard. The Autoscaling feature is only available from Standard App Service Plan or higher.

Then you need to Scale out the App Service Plan for setting the Auto scaling feature.

And then set the condition and the rules to scale based on a metric.

26
Q

You have some VMs in your Azure subscription in a virtual network. The company has some users that work remotely. Remote workers require access to VMs on VNET. How would you provide access?

A. Configure Site-to-Site VPN.

B. Configure VNET-to-VNET.

C. Configure Point-to-Site VPN.

A

C. Configure Point-to-Site VPN.

The reason for this is that Point-to-Site VPN allows remote workers to securely connect to the VMs on the VNET. This is achieved by establishing a VPN connection between the remote worker’s device and the Azure VPN gateway. Once the VPN connection is established, the remote worker can access the VMs on the VNET as if they were on their local network.

Site-to-Site VPN is typically used when there is a physical network (such as a company’s office network) that needs to connect to the VNET.

VNET-to-VNET is used when there is a need to connect two or more VNETs together.

27
Q

You have a Microsoft 365 tenant and an Azure Active Directory (Azure AD) tenant named contoso.com. You plan to grant three users named User1, User2, and User3 access to a temporary Microsoft SharePoint document library named Library1. You need to create groups for the users. The solution must ensure that the groups are deleted automatically after 180 days. Which two groups should you create? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

A. A Security group that uses the Dynamic User membership type.

B. A Microsoft 365 group that uses the Assigned membership type.

C. A Security group that uses the Assigned membership type.

D. A Microsoft 365 group that uses the Dynamic User membership type.

E. A Security group that uses the Dynamic Device membership type

A

For this question, the correct answers are:
B. A Microsoft 365 group that uses the Assigned membership type
D. A Microsoft 365 group that uses the Dynamic User membership type
Here’s why:
Both answers are correct because:
Microsoft 365 groups support expiration policy (auto-deletion after specific time)
They can be used to grant access to SharePoint resources
Both Assigned and Dynamic User membership types work with Microsoft 365 groups
Why other options are incorrect:
A & C (Security groups): Don’t support automatic expiration policies
E (Dynamic Device membership): Not suitable for user access to SharePoint; it’s for device management
Important points for AZ-104 exam regarding Azure AD Groups:
Group Types:
Security Groups: Used for managing access to resources
Microsoft 365 Groups: Collaboration features, shared mailbox, calendar, SharePoint site
Membership Types:
Assigned: Manually add/remove members
Dynamic User: Automatically add/remove based on user attributes
Dynamic Device: Automatically add/remove based on device attributes
Key Features:
Expiration Policy: Only available for Microsoft 365 groups
Self-service group management
Group naming policy
Guest access settings
Best Practices:
Use naming conventions
Configure expiration policies for groups
Use dynamic membership when possible
Regular access reviews
Important Azure AD Concepts:
Tenant management
User management
Role-based access control (RBAC)
Conditional Access policies
Identity Protection
Authentication methods
For the AZ-104 exam, focus on:
Understanding different types of groups and their use cases
Group management and policies
Azure AD roles and permissions
Identity and access management concepts
Security features and best practices
Remember that Microsoft 365 groups are specifically designed for collaboration scenarios and support features like expiration policies, which makes them the ideal choice for temporary access to SharePoint resources

28
Q

You have an Azure active directory tenant: cloudportalfinance.onmicrosoft.com. Your company has purchased the domain name cloudportalfinance.com. You need to add cloudportalfinance.com as a custom domain name in Azure AD. You need to ensure Azure can verify the domain name.

Which type of DNS record is required?

A. PTR

B. MX

C. NSEC

D. SRV

A

B. MX (Mail Exchange) record.

Let me explain why MX record is required and provide an example of how to configure it:

DNS Configuration Example:

MX Record Configuration for Azure AD Domain Verification
cloudportalfinance.com IN MX 10 cloudportalfinance-com.mail.protection.outlook.com
Verification Process in Azure Portal:

PowerShell commands to add and verify custom domain
# 1. Add the custom domain
Add-AzureADDomain -Name “cloudportalfinance.com”

  1. Get verification details
    Get-AzureADDomainVerificationDnsRecord -Name “cloudportalfinance.com”
    Why MX Record is Correct:

Azure AD Requirements:

MX records are used to verify domain ownership
Proves you have administrative control over the domain
Required for email services integration
Verification Process:

Azure provides specific MX record values
Must be added to domain’s DNS settings
Azure verifies the record exists
Why Other Options are Incorrect:

A. PTR Record:

Used for reverse DNS lookups
Maps IP addresses to domain names
Not used for domain verification
C. NSEC Record:

Used in DNSSEC
Proves non-existence of DNS records
Not relevant for domain verification
D. SRV Record:

Used for service location
Specifies host and port for services
Not used for initial domain verification

29
Q

What is the default frequency of collecting platform metrics ?

A. 5 min

B. 2 min

C. 30 Seconds

D. 1 min

A

D. 1 min

30
Q

Your company has three virtual machines (VMs) that are included in an availability set.
You try to resize one of the VMs, which returns an allocation failure message.
It is imperative that the VM is resized.
Which of the following actions should you take?

A. You should stop two of the VMs.

B. You should stop all three VMs.

C. You should remove the necessary VM from the availability set.

D. You should only stop one of the VMs.

A

B. You should stop all three VMs.

Let me explain why this is the correct approach and provide example commands:

PowerShell commands to stop all VMs in an availability set
# 1. Get all VMs in the availability set
$availSetVMs = Get-AzVM | Where-Object {$_.AvailabilitySetReference.Id -eq $availabilitySetId}

  1. Stop all VMs
    foreach ($vm in $availSetVMs) {
    Stop-AzVM -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name -Force
    }
  2. Resize the target VM
    $vmToResize = Get-AzVM -Name “VMName” -ResourceGroupName “ResourceGroupName”
    $vmToResize.HardwareProfile.VmSize = “Standard_DS3_v2”
    Update-AzVM -VM $vmToResize -ResourceGroupName “ResourceGroupName”
  3. Restart all VMs
    foreach ($vm in $availSetVMs) {
    Start-AzVM -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name
    }
    Why stopping all VMs is necessary:

Allocation Requirements:

VMs in availability sets share hardware resources
Resizing requires new hardware allocation
All VMs must be deallocated to guarantee proper placement
Azure’s Placement Rules:

Maintains high availability guarantees
Ensures VMs are distributed across fault domains
Requires complete reallocation for size changes
Why other options are incorrect:

A. Stop two VMs:

Insufficient for guaranteed reallocation
May not free enough resources
Doesn’t ensure proper fault domain distribution
C. Remove VM from availability set:

Breaks high availability design
Requires additional reconfiguration
Not a recommended practice
D. Stop one VM:

Won’t resolve allocation constraints
Insufficient for proper resource allocation
Doesn’t guarantee successful resize

31
Q

What is the likely reason for the failure of the resize operation when you try to change the VM1’s size from Standard_D4s_v3 to Standard_D2s_v3 in Azure.

Considering VM1’s properties

Number of virtual CPUs : 2

Storage type: Premium

Number of data disks: 6

Public IP address: Standard SKU

A. Number of virtual CPUs

B. Number of data disk

C. Public IP Address

D. Storage type

A

B: Number of data disks.

Here’s why:
When resizing from Standard_D4s_v3 to Standard_D2s_v3, the key limitation is the maximum number of data disks supported by each VM size. Let’s analyze the specifications: [1]
Standard_D4s_v3:
Supports up to 8 data disks
4 vCPUs
Premium Storage support
Standard_D2s_v3:
Supports up to 4 data disks
2 vCPUs
Premium Storage support
The VM currently has 6 data disks attached, but Standard_D2s_v3 only supports a maximum of 4 data disks. This mismatch is causing the resize operation to fail.

32
Q

Which PowerShell cmdlet allows you to create a template from a deployment that is in the deployment history of a resource group ?

A. Save-AzresourceGroupDeployment

B. Set-AzResourceGroup

C. Get-AzResourceGroupDeployment

A

A. Save-AzresourceGroupDeployment

33
Q

You have created the ARM template to create a virtual machine. You have stored the template in the GitHub repository. How would you deploy the ARM template using the PowerShell cmdlet?

A. New-AzResourceGroupDeployment -ResourceGroupName “RG1” -TemplateFile https://raw.githubusercontent.com/Azure/new.json

B. New-AzResourceGroupDeployment -ResourceGroupName “RG1” -TemplateUri https://raw.githubusercontent.com/Azure/new.json

A

B. New-AzResourceGroupDeployment -ResourceGroupName “RG1” -TemplateUri https://raw.githubusercontent.com/Azure/new.json

34
Q

Which Azure policy will be evaluated first ?

A. Append.

B. Deny.

C. Disabled.

D. Audit.

A

C. Disabled.

Order: disabled > append and modify > deny > audit > manual > auditIfNotExists > denyAction

35
Q

You have an Azure virtual machine named Prod-vm1 that runs windows server 2019. VM was deployed with default drive settings .

You have some files on C and D drive on the VM.

You are planning to redeploy VM. Which drive files will be lost after you redeploy prod-vm1 ?

A. C drive

B. D drive

A

Since D drive is temporary storage drive. If any VM is rebooted, it clears all the content.

36
Q

A company is planning to deploy Kubernetes cluster. Cluster has the following requirements:

You must ensure nodes get an IP address from Azure virtual network subnet, but Pods receive an IP address from a logically different address space.

What network configuration should you choose ?

A. Azure container Network Interface.

B. Kubenet

C. Network Security groups.

D. Service endpoint.

A

B: Kubenet.

Here’s why Kubenet is the correct choice:

Kubenet’s Key Characteristics:

Nodes get IP addresses from the Azure VNet subnet [1]

Pods get IP addresses from a separate, logically distinct address space

Uses a basic network plugin configuration

Creates a clear separation between node and pod IP addressing

How Kubenet Works:

Nodes receive IP addresses directly from the VNet subnet

Pods get IPs from a dedicated podCIDR range

Uses NAT for pod communication across nodes

Requires user-defined routing (UDR) for pod-to-pod communication across nodes

The other options are incorrect because:

A. Azure Container Network Interface (CNI):

Assigns IPs from the same VNet subnet to both pods and nodes

Doesn’t meet the requirement of logically different address spaces

More complex but provides better integration with Azure networking

37
Q

You plan to backup Azure virtual machine – Prod-VM01. You found that backup Pre-Check status displays a status of warning.

What is the possible cause of the warning status?

A. VM is stopped.

B. VM has unmanaged disk.

C. VM does not have the latest version of Azure VM agent (WaAPPAgent.exe) installed.

A

C. VM does not have the latest version of Azure VM agent (WaAPPAgent.exe) installed.

38
Q

Which refers to as look back window over which metric values are checked, while configuring a static threshold metric alert rule ?

A. Period

B. Timeslot

C. Loopback

D. Timeslice

A

A: Period.

Here’s why Period is the correct answer:

Period in metric alerts refers to: [1]

The time window over which metric values are aggregated and evaluated

The lookback duration used to check if the metric crosses the defined threshold

The timespan during which the metric data is monitored for alert conditions

Key characteristics of Period:

For continuous metrics (like CPU):

Aggregates data over the specified time window

Calculates average/sum/count over that period

Compares the aggregated value against the threshold

For discrete metrics (like error counts):

Sums up the values over the specified period

Compares the total against the threshold

39
Q

You have an Azure subscription that contains AKS clusters, and the autoscaling feature is enabled.

You need to configure the minimum and maximum node counts for AKS.

Which PowerShell cmdlet will you choose?

A. Update-AzAksCluster

B. Update-AzAksNodePool

C. Start-AzAksCluster

D. Set-AzAksCluster

A

D. Set-AzAksCluster

40
Q

You need to configure Azure AD authentication for an Azure Storage Account named Prod-Storage1. You need to ensure that members of an AD group – test can upload files by using Azure portal.

The Solution must use the principle of least privilege?

Which two roles should you configure for Prod-Storage1 ?

A. Contributor.

B. Storage Blob Data contributor.

C. Storage account contributor.

D. Reader.

E. Storage Blob data Reader.

A

B: Storage Blob Data Contributor.

For this scenario, you only need one role (not two) to allow members of the AD group to upload files using the Azure portal, following the principle of least privilege.

Here’s why Storage Blob Data Contributor is the correct choice:

Storage Blob Data Contributor:

Provides read, write, and delete permissions for blob storage data

Allows uploading files to blob containers

Follows least privilege by only granting necessary permissions for blob operations

Doesn’t provide unnecessary access to storage account management

D. Reader.
The Reader role is an Azure Resource Manager role that permits users to view storage account resources, but not modify them. It does not provide read permissions to data in Azure Storage, but only to account management resources. The Reader role is necessary so that users can navigate to blob containers in the Azure portal.

41
Q

You have a Microsoft Entra tenant that is linked to the subscriptions shown in the following table.

Name Management group Parent management group
Sub1 Tenant Root Group Not applicable
Sub2 MG1 Tenant Root Group
Sub3 MG2 Tenant Root Group
You have the resource groups shown in the following table.

Name Subscription Description
RG1 Sub1 Contains a storage account named storagel
RG2 Sub2 Contains a web app named Appl
RG3 Sub3 Contains a virtual machine named VM1
You assign roles to users as shown in the following table.

User Role Scope
User1 Contributor MG2
User2 Storage Account Contributor storagel
User3 User Access Administrator Tenant Root Group
For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Answer Area

Statements Yes No
User1 can resize VM1.
User2 can create a new storage account in RG1.
User3 can assign User1 the Owner role for RG3.
which option is correct? why yes? why no? which important note for azure 104 exam?

A

Let’s analyze each statement:
User1 can resize VM1 - YES
Why: User1 has Contributor role at MG2 level
MG2 contains Sub3, which contains RG3 where VM1 exists
Contributor role can manage all resources but cannot grant access to others
Role assignments inherit down the hierarchy
User2 can create a new storage account in RG1 - NO
Why: User2 only has Storage Account Contributor role specifically for storage1
This role is limited to just that specific storage account
It doesn’t grant permissions to create new storage accounts in the resource group
User3 can assign User1 the Owner role for RG3 - YES
Why: User3 has User Access Administrator role at Tenant Root Group level
This role can manage user access to Azure resources
The Tenant Root Group is the highest level in the hierarchy
Permissions flow down to all management groups, subscriptions, and resources
Important notes for AZ-104 exam:
Role Assignment Inheritance:
Permissions assigned at a higher scope inherit down to child scopes
Management group assignments flow down to subscriptions and resource groups
More specific assignments at lower levels can override inherited permissions
Key Built-in Roles:
Contributor: Can manage all resources but can’t grant access
Storage Account Contributor: Limited to managing storage accounts
User Access Administrator: Can manage access to Azure resources
Management Group Hierarchy:
Tenant Root Group is the highest level
Management groups can have child management groups
Subscriptions can be moved between management groups
Scope Levels (from highest to lowest):
Management groups
Subscriptions
Resource groups
Resources
RBAC Best Practices:
Follow principle of least privilege
Use built-in roles when possible
Understand inheritance patterns
Consider the scope when assigning roles
Remember: Understanding RBAC (Role-Based Access Control), role inheritance, and management group hierarchy is crucial for the AZ-104 exam.

42
Q

HOTSPOT -
You have an Azure subscription named Subscription1. Subscription1 contains two Azure virtual machines named VM1 and VM2. VM1 and VM2 run Windows
Server 2016.
VM1 is backed up daily by Azure Backup without using the Azure Backup agent.
VM1 is affected by ransomware that encrypts data.
You need to restore the latest backup of VM1.
To which location can you restore the backup? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
You can perform a file recovery of VM1 to:
VM1 only
VM2 only
VM1 and VM2 only
A new Azure virtual machine only
Any Windows computer that has Internet connectivity
You can restore VM1 to:
VM1 only
VM2 only
VM1 and VM2 only
A new Azure virtual machine only
Any Windows computer that has Internet connectivity
which option is correct in per statement above? why correct? which important note for azure 104 exam?

A

Let’s analyze each scenario:
You can perform a file recovery of VM1 to: Correct answer: Any Windows computer that has Internet connectivity
Why:
File-level recovery from Azure VM backup allows you to restore individual files and folders
You can mount the recovery point as a local drive on any Windows computer with internet access
No need to restore the entire VM just to recover specific files
The computer needs the Azure Recovery Services agent installed
You can restore VM1 to: Correct answer: A new Azure virtual machine only
Why:
When restoring a complete VM from Azure Backup in a ransomware scenario
You should restore to a new VM to avoid overwriting potentially compromised data
This is a security best practice to prevent reinfection
The original VM can be deleted after data verification on the new VM
Important notes for AZ-104 exam:
Azure VM Backup Recovery Options:
File Recovery: Restore individual files/folders
Disk Recovery: Restore individual disks
VM Recovery: Restore entire VM
Cross-Region Restore: Restore to different region (if configured) [1]
Recovery Considerations:
For ransomware recovery, always restore to new resources [2]
Original VM can remain running during restore
Recovery points are application-consistent
File recovery works on any Windows machine with internet access
Key Requirements:
Internet connectivity required for file recovery
Azure Recovery Services agent needed for file recovery
Sufficient permissions to perform restore operations
Adequate storage space in target location
Security Best Practices:
Don’t restore over infected resources
Verify backup integrity before restore
Test recovery procedures regularly
Maintain multiple recovery points
Recovery Time Objectives (RTO):
File recovery is faster for individual files
Full VM restore takes longer but recovers everything
Consider business requirements when choosing recovery method [3]
Remember for the exam:
Understanding different recovery options
Knowing where you can restore files vs. full VMs
Security considerations for ransomware recovery
Requirements for different recovery types
Recovery point consistency types

Az-104-practice test (18 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions