test 6 Flashcards

1
Q

You have below Azure VM in your subscription.

You need to create 10 more VMs based on the same configuration. Which blade will you use so that you can use the existing ARM template and modify it according to your requirements?
A. Serial console
B. Redeploy + reapply
C. Boot diagnostics
D. Export template

A

D. Export template.
Explanation: The “Export template” blade in the Azure portal allows you to export the ARM (Azure Resource Manager) template of an existing resource. You can then use this template to create additional resources with the same configuration. By exporting the template of the existing VM, you can modify it as needed and deploy it to create 10 more VMs with the same configuration.

B. Redeploy + reapply: This option is used to move a VM to a new Azure host or to reapply the VM’s state to resolve issues. It is not used for creating new VMs.

2
Q

Your organization has hired a new cloud engineer and he should be able to manage cloud engineer’s access as well. You also need to follow Microsoft principle of least privilege.

Which role should be assigned to the cloud engineer?

A. User Access Administrator
B. Owner
C. User Administrator
D. Contributor

A

A. User Access Administrator.

Why correct: The “User Access Administrator” role allows the cloud engineer to manage user access to Azure resources. This role is specifically designed to grant permissions to manage access without giving full control over the resources themselves, aligning with the principle of least privilege.

Why wrong:
B. Owner: This role grants full access to all resources, including the ability to manage access. It does not follow the principle of least privilege as it provides more permissions than necessary.
C. User Administrator: This role is primarily used for managing user accounts and groups in Azure Active Directory, not for managing access to Azure resources.
D. Contributor: This role allows the user to create and manage all types of Azure resources but does not grant permissions to manage access to resources.

3
Q

To migrate from on-premises file servers, your organization is considering Azure Premium File Shares.

You have the storage account in your Azure Subscription as shown below.
Storage account name: Prod-storage-01; account type: general-purpose V2

Select Yes if the statement is True. Otherwise select No.

Statement: You should create a new premium storage account since existing storage accounts will not allow you to create premium file share

A. No

B. Yes

A

B. Yes.

Why correct: Azure Premium File Shares require a storage account that supports premium performance. The existing storage account “Prod-storage-01” with account type general-purpose storage V2 does not support premium file shares. Therefore, you need to create a new premium storage account to use Azure Premium File Shares.

4
Q

Your organization has deployed Microsoft 365 Business Standard licenses and has implemented Azure Active Directory self-service password reset. Now, you aim to establish a hybrid environment that connects your on-premises Active Directory Domain Services to Azure AD. As part of this setup, you must enable password writeback from Azure AD to your on-premises network.

Select Yes if the statement is True. Otherwise, select No.

Statement: Microsoft 365 Business Standard License supports password writeback.

A. Yes
B. No

A

The correct answer is B. No.
Here’s why:
Microsoft 365 Business Standard license does NOT support password writeback functionality. This is an important distinction for the AZ-104 exam.
Password writeback requires one of the following licenses:
Azure AD Premium P1
Azure AD Premium P2
Microsoft 365 Business Premium
Enterprise Mobility + Security E3 or higher
Key points to remember for AZ-104 exam:
License Requirements:
Not all Microsoft 365 licenses support advanced Azure AD features
Business Standard is a basic license focused on productivity apps and services
Password writeback is considered a premium feature
Password Writeback Benefits:
Allows users to change/reset their cloud passwords
Changes sync back to on-premises AD
Enhances security and reduces help desk calls
Supports hybrid identity management
Implementation Requirements:
Proper licensing (Premium licenses mentioned above)
Azure AD Connect installed and configured
Appropriate network connectivity
Required permissions in both Azure AD and on-premises AD
This is a common exam topic because it tests your understanding of:
License differences
Hybrid identity features
Azure AD premium features
Password management capabilities
Remember: While Microsoft 365 Business Standard provides essential business applications and services, it does not include advanced Azure AD features like password writeback. For such functionality, you need to upgrade to a premium license.

5
Q

You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant is synced to the on-premises Active Directory domain. The domain contains the users shown in the following table.
SecAdmin1: Security Administrator
BillAdmin1: Billing Administrator
User1: Reports Reader

You enable self-service password reset (SSPR) for all users and configure SSPR to have the following authentication methods:
✑ Number of methods required to reset: 2
✑ Methods available to users: Mobile phone, Security questions
✑ Number of questions required to register: 3
✑ Number of questions required to reset: 3
You select the following security questions:
✑ What is your favorite food?
✑ In what city was your first job?
✑ What was the name of your first pet?
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Statement:
SecAdmin1 must answer the following question during the self-service password reset:
In what city was your first job?

BillAdmin1 must answer the following question during the self-service password reset:
What is your favorite food?

User1 must answer the following question during the self-service password reset:
What was the name of your first pet?

A

For this scenario, all statements should be marked as NO.
Here’s why:
The SSPR configuration shows:
2 authentication methods are required
Available methods are: Mobile phone AND Security questions
Users must register 3 security questions
Users must answer 3 questions to reset
All questions are available to all users
However, the key point is:
Users are not required to answer any specific security question
They can choose which questions to answer from the available pool of questions
The system doesn’t assign specific questions to specific users
Important notes for AZ-104 exam:
SSPR Configuration Components:
Authentication methods (minimum required)
Available methods
Registration requirements
Reset requirements
Key SSPR Concepts:
Users choose their security questions during registration
Questions aren’t assigned based on roles
All configured questions are available to all users
Users must register before using SSPR
Authentication Method Requirements:
Can require multiple methods
Methods are chosen during registration
Users must complete registration before using SSPR
All enabled users follow the same requirements
Security Questions:
Predefined or custom questions can be used
All questions are available to all users
Users select which questions to answer
No specific question assignments per user
Best Practices:
Use multiple authentication methods
Implement strong security questions
Regular review of SSPR policies
Monitor SSPR usage
License Requirements:
Azure AD Premium P1 or P2 for custom SSPR settings
Free tier has limited SSPR capabilities
Remember for the exam:
SSPR requirements are uniform across users
Users choose their security questions
No specific question assignments based on roles
Authentication methods are selected during registration
Understanding the difference between registration and reset requirements

6
Q

You have an Azure subscription, and below is the hub and spoke topology given.

HUB-VNET is connected to on-premises using a site-to-site VPN, and SPOKE-VNET is peering into HUB-VNET.

How can VM1 communicate with on-premises using the HUB-VNET virtual network gateway?
SPOKE-VNET: address space 10.0.0.0/16, subnet 10.0.0.0/24 containing VM1
HUB-VNET: address space 172.16.0.0/16, subnet 172.16.0.0/24 containing VM2

Select yes if the statement is true. Otherwise, select no.

Statement: You are planning to use Gateway Transit.
A. Yes
B. No

A

Yes. In a hub and spoke topology, Gateway Transit allows the spoke virtual networks to use the virtual network gateway in the hub to communicate with on-premises networks. This setup enables VM1 in the SPOKE-VNET to communicate with on-premises networks through the HUB-VNET’s virtual network gateway.

Hub and Spoke Topology: Familiarize yourself with this network architecture where the hub VNet acts as a central point of connectivity to on-premises networks, and the spoke VNets are peered with the hub.

VNet Peering: Learn how VNet peering allows VNets to communicate with each other through private IP addresses, and how it is used in hub and spoke topologies.

Virtual Network Gateway: Understand the role of a virtual network gateway in providing connectivity between Azure VNets and on-premises networks, typically through VPN or ExpressRoute.

Gateway Transit: Know how Gateway Transit allows spoke VNets to use the virtual network gateway in the hub VNet for communication with on-premises networks.

7
Q

You have migrated your on-premises web application to the Azure web app, prod-webapp. After migration, it has been observed that the website is not accessible using the old domain name, https://www.cloudfinanceportal.com.

You need to configure DNS to resolve this issue.

Which two DNS records are needed to resolve this issue?

A. Create PTR record and map it to prod-webapp.azurewebsites.net.

B. Create Name server (NS) record and map it to IP address of prod-webapp.

C. Create A record and map it to IP address of prod-webapp.

D. Create CNAME record and map it to prod-webapp.azurewebsites.net.

A

D. Create CNAME record and map it to prod-webapp.azurewebsites.net.
CNAME records are used to map an alias name to a true or canonical domain name. In this case, you would map the old domain name to the Azure web app’s domain name (prod-webapp.azurewebsites.net), allowing users to access the web app using the old domain name.

C. Create A record and map it to IP address of prod-webapp.
An A record maps a domain name to an IP address. If you have a static IP address for your Azure web app, you can create an A record to map the old domain name directly to this IP address, ensuring that users can access the web app using the old domain name.

These two records will ensure that the old domain name resolves to the new Azure web app, making it accessible to users.

8
Q

Let’s examine the following situation:

The resource group includes:

· Virtual Machine A

· Storage account B

· Virtual network C

You are trying to deploy the below resource using the ARM template:

· Network security group D

Below is the PowerShell cmdlet you are using to deploy the template.

New-AzResourceGroupDeployment -Mode Complete -Name ExampleDeployment `
    -ResourceGroupName ExampleResourceGroup `
    -TemplateFile c:\MyTemplates\storage.json

As you can see in the above cmdlet, we are using mode as complete. When deploying resources with Azure Resource Manager templates (ARM templates), you have two options for deployment mode: incremental or complete. What will happen if we use mode as complete?

A. The Resource Manager leaves unchanged resources in the resource group that aren’t defined in the template; that means Virtual Machine A, Storage account B and Virtual Network C will not be deleted.

B. Resource Manager deletes resources in the resource group that aren’t specified in the template; that means Virtual Machine A, Storage account B and Virtual Network C will be deleted since these are not defined in the ARM template.

A

B. When using the “complete” mode in Azure Resource Manager (ARM) template deployment, the Resource Manager deletes resources in the resource group that aren’t specified in the template. This means that any resources not defined in the ARM template, such as Virtual Machine A, Storage account B, and Virtual Network C, will be deleted from the resource group. The “complete” mode ensures that the resource group matches exactly what is defined in the template, removing any resources not included.

9
Q

The policy must be configured to require members of the Global Administrators group to use multi-factor authentication and an Azure AD-joined device when they connect to Azure AD from untrusted locations.

Solution: You can access the multi-factor authentication page to alter the user settings. Does the solution meet the goal?

A. Yes

B. No

A

B. No. Accessing the multi-factor authentication page to alter user settings alone does not meet the goal. To require members of the Global Administrators group to use multi-factor authentication and an Azure AD-joined device when connecting from untrusted locations, you need to configure a Conditional Access policy in Azure AD. This policy should specify the conditions under which multi-factor authentication and device compliance are required, such as when accessing from untrusted locations.

10
Q

You want to implement Azure file share on your on-premises Windows server. What is the recommended Windows OS required?

A. Windows server 2012

B. Windows server 2016

C. Windows server 2019 and above.

A

C. Windows Server 2019 and above. The recommended Windows OS for implementing Azure file share on an on-premises Windows server is Windows Server 2019 and above. This is because newer versions of Windows Server provide better integration with Azure services, improved security features, and enhanced support for cloud-based file sharing solutions like Azure File Sync, which allows you to centralize your file shares in Azure Files while keeping the flexibility, performance, and compatibility of an on-premises file server.

11
Q

You have an Azure Resource Manager (ARM) template designed to deploy 10 virtual machines, and you want to automate the deployment. Identify one PowerShell and one Azure CLI command for this task. What are the two commands you would select?

A. New-AzResourceGroupDeployment

B. New-AzVM

C. az vm list

D. az deployment group create

A

A. New-AzResourceGroupDeployment

This PowerShell command is used to deploy resources defined in an ARM template to a resource group. It is suitable for deploying multiple virtual machines as specified in the template.

D. az deployment group create

This Azure CLI command is used to create a deployment at the resource group level using an ARM template. It is also suitable for deploying multiple virtual machines as defined in the template.

12
Q

Your organization has an Azure subscription.

You are planning to create a virtual machine scale set (VMSS) that has the following settings:

· Resource group name: RG1
· Region: West US
· Orchestration Mode: uniform
· Security type: Standard
· OS disk type: SSD standard

You need to add custom virtual machines to VMSS.

Which settings do you need to modify?

A. Security Type

B. OS disk Type

C. Orchestration Mode

A

C. Orchestration Mode. To add custom virtual machines to a Virtual Machine Scale Set (VMSS), you need to modify the Orchestration Mode. The “uniform” orchestration mode does not allow for custom virtual machines, as it is designed for identical instances managed by the scale set. To add custom VMs, you would need to use the “flexible” orchestration mode, which allows for more diverse configurations within the scale set.

13
Q

Your company is planning on hosting a set of Azure virtual machines. The virtual machines will be used to host an application. The company wants to ensure that at least six Azure virtual machines are running during an Azure planned maintenance.

How would you deploy the Azure virtual machines?

A. Via an Azure Availability set that has seven update domains and one fault domain

B. Via an Azure Availability set that has five update domains and one fault domain

C. Via an Azure virtual scale set that has 6 Azure virtual machines running

A

A. Via an Azure Availability set that has seven update domains and one fault domain

You can deploy Azure virtual machines to an Availability Set that has seven update domains. If one update domain goes down, you will still have six update domains in place. Each machine can occupy an update domain.

14
Q

Your company has an Azure App Service Plan named Plan1. This plan is hosting several Azure Web Apps. You have to provide additional memory and CPU to each Azure Web App. Which of the following can be implemented for this requirement?

A. Scale out Plan1

B. Scale up Plan1

C. Add a deployment slot

D. Configure CORS

A

B. Scale up Plan1

You can scale up the App Service Plan to get more CPU and Memory resources assigned to the respective web applications.

15
Q

Your company has an Azure Web App named newapp1000. A deployment slot has been created for the Web App named “staging”.

You perform a swap of the staging and the production slot.

Is the setting for Web sockets swapped between the staging and the production slot?

A. Yes

B. No

A

The correct answer is B. No.
Here’s why:
Web socket settings are considered “slot-specific” settings in Azure Web Apps, which means they DO NOT swap when you perform a slot swap operation.
Important notes for AZ-104 exam:
Slot-specific settings (settings that DO NOT swap):
Publishing endpoints
Custom domain names
SSL certificates and bindings
Scale settings
WebJobs schedulers
IP restrictions
WebSockets
Always On settings
Diagnostic settings
Cross-origin resource sharing (CORS)
Settings that DO swap:
General application settings
Connection strings (unless marked as slot-specific)
Handler mappings
Public certificates
WebJobs content
Key exam points:
Understanding which settings swap and which don’t is crucial for the AZ-104 exam
You can make any app setting or connection string slot-specific by selecting the “Slot Setting” checkbox in the Configuration blade
After a swap, all slot-specific settings stay with their original slot
This behavior ensures that certain critical configurations remain with their intended slots
Remember: If you need WebSocket settings to be different between production and staging environments, they will remain with their respective slots during a swap operation, which is often desired for maintaining specific configurations per environment.

16
Q

Your company has the following Azure virtual networks defined as part of their Azure subscription:

app-network1: IP address range 10.0.0.0/16, location East US
app-network2: IP address range 10.1.0.0/16, location East US

They want to delegate the process of establishing virtual network peering between the networks to a user named AdminA. Currently AdminA has been given the Azure AD Role of Global Administrator. The user has not been granted any roles at the subscription level.

Would the user be able to configure the virtual network peering connection?

A. Yes

B. No

A

B. No

The user needs to be given the required role at the subscription, resource group or resource level to establish the virtual network peering connection.

17
Q

Your company currently has an Azure Web App that is part of a Basic App Service Plan. They want to enable custom domains and Backups for the Azure Web App. Which of the following needs to be done first to achieve these requirements?

A. Scale up the App Service Plan

B. Scale out the App Service Plan

C. Configure an identity for the Azure Web App

D. Configure a deployment slot for the Azure Web App

A

A. Scale up the App Service Plan

Backups are currently only available for the Standard App Service Plan or higher. Hence you would need to scale up the App Service Plan first for this requirement.

18
Q

You have an Azure virtual machine. You need to enable backups for the Azure virtual machine. The backups need to be taken at 2:00 every day. The backups need to be stored for 30 days.

Which of the following needs to be in place for storage of the backups?

A. Azure File share

B. Azure Blob container

C. Azure SQL database

D. Azure Recovery Services Vault

A

D. Azure Recovery Services Vault

The backups are stored in the Azure Recovery Services vault.

19
Q

Your company has 2 Azure virtual networks that are peered together. They are also connected to an on-premises data center via the use of a Site-to-Site VPN.

You need to deploy Azure Network Watcher-Connection Monitor to monitor the connections between the Azure virtual machines in each network and the on-premises network. What is the minimum number of Connection Monitors that need to be deployed for this requirement?

A. 1

B. 2

C. 3

D. 4

A

B. 2

We need two deployments, one for each region.

20
Q

Which of the users below can perform domain management tasks in Azure Active Directory (AAD)?

A. A user account with global administrator permissions.

B. A user account with co-administrator permissions.

C. A user account with administrator permissions.

D. A user account with owner permissions.

A

A. A user account with global administrator permissions - CORRECT

This is the correct answer because Global Administrator (also known as Company Administrator) has the highest level of permissions in Azure AD

Global Administrators can manage all aspects of Azure AD including: [1]

Managing users and groups

Managing domain names

Managing directory-wide settings

Creating and managing other administrator roles

Resetting passwords for all users and administrators

B. A user account with co-administrator permissions - WRONG

Co-administrator is an Azure subscription-level role, not an Azure AD role

Co-administrators can manage Azure resources but don’t have full domain management permissions in Azure AD

This role is more focused on Azure resource management rather than directory management

C. A user account with administrator permissions - WRONG

This is too vague as there are many different types of administrator roles in Azure AD

Without specifying which type of administrator, this cannot be correct

Different administrator roles have different scoped permissions (like User Administrator, License Administrator, etc.)

D. A user account with owner permissions - WRONG

Owner is an Azure RBAC (Role-Based Access Control) role for Azure resources

This role is related to Azure resource management, not Azure AD domain management

Owner permissions do not grant Azure AD domain management capabilities

21
Q

Which of the following is supported in Azure Backup reports?

A. Azure Virtual Machine Backup

B. Reports for Azure SQL

C. File/folder backup

D. Azure Backup Server

A

The correct answer is A. Azure Virtual Machine Backup
Here’s why:
Azure Backup Reports primarily support Azure Virtual Machine backup reporting, and there are important limitations and features to understand:
Key Points:
Azure Backup Reports specifically support:
Azure Virtual Machine backups
Reporting on backups stored in Recovery Services vaults
Monitoring across regions and subscriptions
What’s NOT supported in Azure Backup Reports:
Azure SQL Database backups
Azure Files shares
Azure Backup Server
System Center DPM
File/folder backups using MARS agent
Important notes for AZ-104 exam:
Report Features to remember:
Reports can be viewed in Azure Portal
Uses Azure Monitor Logs (Log Analytics) for data storage
Provides information about backup health, alerts, and trends
Offers customizable reports and dashboards
Key exam concepts:
Understanding the scope of Azure Backup reporting
Knowing which backup types are supported vs. unsupported
Being aware that Log Analytics workspace is required for backup reporting
Reports can be configured at the vault level
Configuration requirements:
Need a Recovery Services vault
Log Analytics workspace
Diagnostic settings must be configured
Reports can be accessed through the vault or through Azure Monitor
Monitoring capabilities:
Backup health
Backup items
Policy adherence
Job statistics
Alert tracking
Remember: For the AZ-104 exam, it’s crucial to understand that Azure Backup Reports primarily focus on Azure VM backups and not all backup types are supported in the reporting feature.

22
Q

Which of the following allows a user to access both cloud and on-premises applications through an external URL or an internal application portal securely after a single sign-on to Azure AD?

A. Cloud App Discovery
B. Privileged Identity Management (PIM)
C. Active Directory’s Application Proxy
D. Connect

A

C. Active Directory’s Application Proxy

A. Cloud App Discovery - WRONG

Cloud App Discovery is a feature that helps identify cloud applications being used in an organization

It’s primarily used for:

Discovering shadow IT applications

Monitoring application usage patterns

Assessing security risks of cloud applications

It does NOT provide single sign-on functionality or application access

B. Privileged Identity Management (PIM) - WRONG

PIM is used for managing, controlling, and monitoring access to important resources in Azure AD

Its main functions are:

Just-in-time privileged access

Time-bound access

Approval-based role activation

It does not provide application access or SSO capabilities

C. Active Directory’s Application Proxy - CORRECT

This is the correct answer because Azure AD Application Proxy:

Provides secure remote access to on-premises web applications [1]

Enables single sign-on (SSO) to both cloud and on-premises applications [2]

Allows access through an external URL or internal portal

Works with Azure AD authentication

Doesn’t require VPN or DMZ

Supports both internal and external user access

Provides secure remote access without exposing internal networks

D. Connect - WRONG

Azure AD Connect is a tool for synchronizing on-premises directories with Azure AD

Its primary functions are:

Directory synchronization

Password hash synchronization

Pass-through authentication

Federation integration

It doesn’t provide direct application access or SSO functionality

23
Q

We’ve created a Linux VM in Azure using the Portal. We initially set the public SSH key, but we generated a new key from our workstation and therefore cannot access the VM. What is the easiest and quickest way to gain access to this Linux VM?

A. Use the troubleshooting tool to reset the SSH key for the VM.
B. Redeploy the Linux VM.
C. Add an additional disk to the VM with the key stored on it.
D. Attach a file share to the VM, with the key in the file share.

A

A. Use the troubleshooting tool to reset the SSH key for the VM.

24
Q

You are having problems with the installation of Azure File Sync on your server. What action could you take to get more details on possible issues?

A. Check the Activity Log.
B. Check the Diagnostics Logs.
C. Check the Azure File Sync error log on the local file system.
D. Run the command StorageSyncAgent.msi /l*v AFSInstaller.log.

A

D. Run the command StorageSyncAgent.msi /l*v AFSInstaller.log - CORRECT

This is the single best answer because:

It provides the most detailed and specific logging for installation issues

The /l*v switch creates a verbose log that captures every step of the installation process

It creates a dedicated log file (AFSInstaller.log) that can be easily reviewed and shared

It’s specifically designed for troubleshooting installation problems

It captures real-time installation data rather than post-installation information

Why the other options are wrong:

A. Check the Activity Log - WRONG

Activity Log only shows Azure-side operations

Won’t show local server installation issues

Limited to subscription-level activities

Not detailed enough for installation troubleshooting

B. Check the Diagnostics Logs - WRONG

Diagnostic logs are for Azure service monitoring

Won’t contain installation-specific information

Only useful after successful installation

Focuses on service performance, not installation issues

C. Check the Azure File Sync error log on the local file system - WRONG

While useful for general troubleshooting, it’s less specific than option D

These logs are more useful for post-installation issues

Doesn’t provide the detailed installation logging that the MSI command does

May not capture all installation-specific details

25
Q

You want Azure Active Directory’s Application Proxy feature at the lowest price possible. You also want to make sure you have the enterprise-level SLA of 99.9 percent uptime. Which of the following would be the best option?
A. Azure Active Directory - Premium P2
B. Azure Active Directory - Free
C. Azure Active Directory - Basic
D. Azure Active Directory - Premium P1

A

D. Azure Active Directory - Premium P1 - CORRECT

This is the correct answer because:

Premium P1 is the lowest-cost tier that includes Application Proxy with enterprise-level SLA (99.9% uptime)

It provides all the necessary Application Proxy features

It meets both requirements: lowest cost while maintaining enterprise SLA

Why other options are wrong:

A. Azure Active Directory - Premium P2 - WRONG

While it includes Application Proxy and enterprise SLA

It’s more expensive than P1

Includes additional features like Privileged Identity Management that aren’t needed for this scenario

Doesn’t meet the “lowest price possible” requirement

B. Azure Active Directory - Free - WRONG

Doesn’t include Application Proxy feature

Doesn’t provide enterprise-level SLA

While it’s the lowest cost (free), it doesn’t meet the feature requirements

C. Azure Active Directory - Basic - WRONG

Doesn’t include Application Proxy feature

While cheaper than Premium tiers, it lacks the required functionality

Doesn’t provide the enterprise-level SLA needed

26
Q

What method does Microsoft Azure App Service use to obtain credentials for users attempting to access an app? Select one.

A. synchronization of accounts across providers

B. pass-through authentication

C. credentials that are stored in the browser

D. redirection to a provider endpoint

A

D. Redirection to a provider endpoint - CORRECT

This is correct because:

Azure App Service uses a redirection-based authentication flow

When users attempt to access the app, they are redirected to the identity provider’s endpoint (like Azure AD, Google, Facebook, etc.)

After authentication at the provider’s endpoint, the user is redirected back to the app with the necessary tokens

This is the standard OAuth2/OpenID Connect flow used by App Service

Why other options are wrong:

A. Synchronization of accounts across providers - WRONG

App Service doesn’t synchronize accounts between different providers

Authentication is handled through real-time redirection and token exchange

Synchronization would be inefficient and potentially insecure

This is not how modern web authentication works

B. Pass-through authentication - WRONG

Pass-through authentication is an Azure AD feature for on-premises authentication

It’s not used by App Service for user authentication

App Service relies on token-based authentication through redirection

This is more relevant to hybrid identity scenarios

C. Credentials that are stored in the browser - WRONG

Storing credentials in the browser would be a security risk

App Service doesn’t store authentication credentials locally

Modern authentication uses tokens and cookies, not stored credentials

This would violate security best practices

27
Q

Your company previously did not allow employees to use their own devices to access company resources for security reasons. However, management is now considering allowing employees to use their own devices in conjunction with AD join. What are the potential security benefits that may persuade management to allow employees to use their own devices?
A. Organizations can still use on-premise AD to manage security protocols.
B. Organizations can restrict access to apps from only the devices that meet the compliance policy.
C. Organizations can use Windows Hello support for convenient access to work resources.
D. Enterprise compliant roaming of user’s settings across joined devices for users with Microsoft accounts.
E. Organizations can use single sign-on functionality as long as the employees are connected to the domain network.

A

B. Organizations can restrict access to apps from only the devices that meet the compliance policy - CORRECT

This is a key security benefit because:

Allows enforcement of security standards even on personal devices

Ensures only compliant devices can access company resources

Enables conditional access policies

Provides control over data security regardless of device ownership

C. Organizations can use Windows Hello support for convenient access to work resources - CORRECT

This is beneficial because:

Provides strong two-factor authentication

Offers biometric security options

More secure than traditional passwords

Convenient yet secure access method

Why the other options are WRONG:

A. Organizations can still use on-premise AD to manage security protocols - WRONG

Azure AD join is different from traditional on-premises AD

This statement misunderstands the cloud-based nature of Azure AD join

Security protocols are managed through Azure AD, not on-premises AD

D. Enterprise compliant roaming of user’s settings across joined devices for users with Microsoft accounts - WRONG

This is a feature of Azure AD join but not specifically a security benefit

More about convenience and user experience

Not directly related to securing company resources

E. Organizations can use single sign-on functionality as long as the employees are connected to the domain network - WRONG

Azure AD join provides SSO regardless of network connection

Not limited to domain network connectivity

Misrepresents how Azure AD join works

28
Q

We have reached the CPU quota in the West US 2 region. What two options do we have to move forward when creating this virtual machine?

A. Click Ok to charge the subscription.
B. Give the user admin rights.
C. Request a quota increase.
D. Delete other running VMs.

A

C. Request a quota increase - CORRECT [1]

This is a proper administrative solution because:

It’s the official process for handling quota limitations [2]

Can be requested through Azure portal

Provides a long-term solution

Doesn’t disrupt existing workloads

Azure evaluates based on usage history and account standing

D. Delete other running VMs - CORRECT

While not ideal, this is a valid immediate solution because:

It immediately frees up CPU quota

Provides a quick workaround if immediate access is needed

Works within existing quota limits

Can be a temporary solution while waiting for quota increase

Why other options are WRONG:

A. Click Ok to charge the subscription - WRONG

This is not a real option

Quota limits are not related to billing

No such option exists in Azure

Payment/billing changes don’t affect quota limits

B. Give the user admin rights - WRONG

Administrative rights don’t bypass quota limits

Quotas apply at the subscription level regardless of permissions

Even global administrators are subject to quota limits

Won’t solve the CPU quota issue

29
Q

Which of the following are file formats not recommended for compression?

A. Text/HTML
B. Text/CSS
C. JPG
D. MP3

A

C. JPG
D. MP3

30
Q

Which of the following items can be associated with a Network Security Group (NSG)?

A. Subnets

B. NIC

C. Security Rule

D. Virtual Machine

A

A. Subnets

B. NIC

C. Security Rule

31
Q

You have an existing virtual machine that is currently running, and you need to add an existing custom data disk. What are the steps you would take?
A. A shutdown of the machine.
Select the VM you are trying to attach the existing disk.
Click Attach existing to attach the available disk to the VM.
From the existing disk pane, select your disk, and then click OK

B. Select the VM you are trying to attach the existing disk.
Click Attach new to attach the available disk to the VM.
Select your disk, and then click OK.

C. Select the VM you are trying to attach the existing disk.
Click Attach existing to attach the available disk to the VM.
From the existing disk pane, select your disk, and then click OK

D. Select the VM you are trying to attach the existing disk.
Click Attach existing to attach the available disk to the VM.
From the existing disk pane, select your disk, and then click OK.
Restart the machine in order for the additional disk to be seen

A

C. Select the VM you are trying to attach the existing disk. Click Attach existing to attach the available disk to the VM. From the existing disk pane, select your disk, and then click OK - CORRECT [1]

This is correct because:

You can attach a data disk to a running VM without shutdown

The process is straightforward and requires minimal steps

The steps are in the correct order

No restart is required for data disk attachment

Azure handles the hot-add of the disk

Why other options are wrong:

A. (Including shutdown) - WRONG

A shutdown is not required to attach a data disk

This adds an unnecessary step

Causes unnecessary downtime

Azure supports hot-add of data disks

B. “Click Attach new” - WRONG

We need to attach an existing disk, not create a new one

“Attach new” would create a new empty disk

Doesn’t match the requirement of adding an existing custom data disk

Wrong option selection

D. (Including restart) - WRONG

A restart is not required after attaching a data disk

Azure can recognize the new disk without restart

Causes unnecessary downtime

The disk can be initialized and formatted while the VM is running

32
Q

You have four different storage accounts. If you want to limit access to a team of people within the organization to just one storage service on one storage account, with the least amount of work, which of the following would be used to accomplish this goal?
A. Azure Traffic Manager
B. NSG
C. SAS account.
D. SAS service.

A
33
Q

You decide to move all your services to Azure Kubernetes service. Which of the following components will contribute to your monthly Azure charge? Select one

A. Node virtual machines

B. Master node

C. Tables

D. Pods

A

A. Node virtual machines

34
Q

What PowerShell command prompts the user for either a password or a username and password?

A. Get-Credential

B. Put-Credential

C. Get-PsCredential

D. Set-Credential

A

A. Get-Credential is the correct answer. [1]

Here’s why each option is correct or incorrect:

A. Get-Credential (CORRECT)

This is the correct PowerShell cmdlet for prompting users for credentials

It can prompt for both username and password, or just password

Returns a PSCredential object that securely stores the credentials

Can be used like: $cred = Get-Credential or Get-Credential -Message "Please enter your credentials"

B. Put-Credential (INCORRECT)

This is not a valid PowerShell cmdlet

The verb “Put” is not used in this context for credential management

C. Get-PsCredential (INCORRECT)

This is not a valid PowerShell cmdlet

While it seems logical since it returns a PSCredential object, the actual cmdlet is Get-Credential

D. Set-Credential (INCORRECT)

This is not a valid PowerShell cmdlet

While “Set” is a common PowerShell verb (like Set-Location, Set-Item), it’s not used for credential prompting

The Get-Credential cmdlet is commonly used in scripts that require secure credential input, especially when connecting to remote systems or services. It’s designed to handle credentials securely by storing the password as a SecureString, which helps prevent the exposure of sensitive information.

Example usage:

# Prompt for both username and password
$credential = Get-Credential

# Prompt for just the password, with the username pre-filled
$credential = Get-Credential -UserName "JohnDoe" -Message "Enter your password"

35
Q

You are the new administrator of an organization, and one of the changes that you want to implement is multi-factor authentication (MFA). How would you be able to get a count of how many users have not registered for multi-factor authentication?

A. Users page, within the MFA Settings site.
B. This information is not collected.
C. Security Alerts from Privileged Identity Management
D. Identity Protection within the MFA report.

A

A. Users page, within the MFA Settings site.

Explanation:

In Azure Active Directory (Azure AD), you can view the MFA registration status of users on the Users page within the MFA Settings site. Specifically, you can go to the Azure portal, navigate to Azure Active Directory, and then click on “Multi-Factor Authentication” under the “Security” section. From there, you can click on “Users” and then filter the list to show only users who have not registered for MFA.

This page provides a list of users with their MFA registration status, including those who have not registered. You can also use the “Filter” option to select “Not registered” to get a count of users who have not registered for MFA.

Why the other options are incorrect:

B. This information is not collected: This is incorrect because Azure AD does collect information on MFA registration status for users.

C. Security Alerts from Privileged Identity Management: This is incorrect because Privileged Identity Management (PIM) is a separate feature that provides just-in-time access to privileged roles, and it does not provide information on MFA registration status.

D. Identity Protection within the MFA report: This is incorrect because Identity Protection is a feature that provides risk-based conditional access and does not provide information on MFA registration status. Additionally, the MFA report is not a real feature in Azure AD.

36
Q

You are configuring networking for the Azure Kubernetes service. Which of the following maps incoming direct traffic to the pods? Select one.

A. Load Balancer

B. NodePort

C. ClusterIP

D. AKS node

A

B. NodePort

Explanation:

In Azure Kubernetes Service (AKS), NodePort is a Service type that maps incoming traffic to a specific port on each node in the cluster, and then routes the traffic to the corresponding pod.

When you create a NodePort Service, Kubernetes allocates a unique port on each node in the cluster, and then maps incoming traffic to that port to the corresponding pod. This allows external traffic to reach the pods in the cluster.

Why the other options are incorrect:

A. Load Balancer: A Load Balancer is a separate Azure resource that distributes incoming traffic across multiple instances of an application. While a Load Balancer can be used in conjunction with AKS, it is not responsible for mapping incoming traffic to pods.

C. ClusterIP: ClusterIP is a Service type that exposes a service on a cluster-internal IP address, making it accessible only within the cluster. It does not map incoming traffic from outside the cluster to pods.

D. AKS node: An AKS node is a virtual machine that runs the Kubernetes agent and hosts pods. While nodes are responsible for hosting pods, they do not directly map incoming traffic to pods. That is the role of the NodePort Service.

37
Q

You are the Azure Administrator for a company, and you notice performance problems when your cloud resources are accessing your company’s internal DNS servers. Those internal servers only service your cloud resources. What is a recommended option to improve performance? Choose the best possible answer.

A. Upgrade the CPU/RAM for the DNS servers.
B. Move on-premise DNS into the Azure Cloud.
C. ExpressRoute
D. Move the DNS servers to another data center.

A

B. Move on-premise DNS into the Azure Cloud.

Explanation:

By moving the internal DNS servers to Azure, you can take advantage of Azure’s built-in DNS services, such as Azure DNS, which is a highly available and scalable DNS service that can handle high volumes of DNS queries. This can improve performance and reduce latency for your cloud resources accessing the DNS servers.

Additionally, Azure DNS is optimized for Azure resources, so it can provide better performance and lower latency compared to on-premises DNS servers.

Why the other options are incorrect:

A. Upgrade the CPU/RAM for the DNS servers: While upgrading the CPU and RAM of the DNS servers might improve performance, it may not address the underlying issue of latency and network congestion caused by accessing on-premises DNS servers from the cloud.

C. ExpressRoute: ExpressRoute is a network connectivity service that allows you to establish a dedicated, high-bandwidth connection between your on-premises infrastructure and Azure. While it can improve network performance, it may not specifically address the performance issues related to DNS resolution.

D. Move the DNS servers to another data center: Moving the DNS servers to another data center may not necessarily improve performance, as the underlying issue is likely related to the distance and latency between the cloud resources and the on-premises DNS servers.

38
Q

You are an IT Administrator, and you are concerned about protecting corporate assets and devices meeting standards for security and compliance. What options are available to get a device under the control of Azure AD?

A. Using the Conditional Access Rule.
B. Registering the device to Azure AD.
C. Joining a device.
D. Using Identity Protection.

A

B. Registering the device to Azure AD.
C. Joining a device.

A. Using the Conditional Access Rule (INCORRECT)

Conditional Access is a tool that Azure AD uses to control access based on specific conditions [1]

It’s used to enforce policies on devices that are already registered/joined

It’s not a method to get devices under Azure AD control

It’s a policy enforcement tool, not a device enrollment method

B. Registering the device to Azure AD (CORRECT)

This is a valid method to bring devices under Azure AD control

Device registration creates an identity for the device in Azure AD

Allows personal devices (BYOD) to access organizational resources

Enables features like single sign-on

Commonly used for:

Personal devices

Mobile devices

BYOD scenarios

C. Joining a device (CORRECT)

This is another valid method to bring devices under Azure AD control

More comprehensive than registration

Two types of joins are available:

Azure AD join (for cloud-only devices) [2]

Hybrid Azure AD join (for devices that are also joined to on-premises AD)

Provides stronger device-based controls

Typically used for:

Corporate-owned devices

Devices that need full organizational management

Devices requiring stronger security controls

D. Using Identity Protection (INCORRECT)

Identity Protection is a security tool that detects and remedies identity-based risks

It’s not a method for getting devices under Azure AD control

It’s used for monitoring and protecting identities, not device enrollment

It works in conjunction with device management but doesn’t establish device control

39
Q

We have created a virtual machine in Azure, but the verification check fails. We’ve checked all the configuration settings, and everything seems correct. What are two possible reasons why the verification check might be failing?

A. We do not have permissions to create resources in Azure.
B. We have placed the VM and the VNet in separate regions.
C. We have exceeded the maximum quota for CPU in that region.
D. We have exceeded the maximum amount of resources for that subscription.

A

B. We have placed the VM and the VNet in separate regions.
C. We have exceeded the maximum quota for CPU in that region.

Explanation:

B. We have placed the VM and the VNet in separate regions: Azure requires that virtual machines (VMs) and virtual networks (VNets) be in the same region. If the VM and VNet are in different regions, the verification check will fail. This is because Azure uses a regional architecture, and resources in different regions are not connected by default.

C. We have exceeded the maximum quota for CPU in that region: Azure has quotas in place to prevent over-provisioning of resources. If you have exceeded the maximum quota for CPU in a particular region, you will not be able to create a new VM in that region. The verification check will fail because Azure cannot allocate the required resources.

Why the other options are incorrect:

A. We do not have permissions to create resources in Azure: While permissions are important, a lack of permissions would typically result in an error message indicating that you do not have the necessary permissions to create resources. The verification check failing would not typically be related to permissions.

D. We have exceeded the maximum amount of resources for that subscription: While it is possible to exceed the maximum amount of resources for a subscription, this would typically result in an error message indicating that you have exceeded the subscription limits. The verification check failing would not typically be related to subscription limits.

40
Q

The shared access signature (SAS) URI consists of which of the following?

A. Storage Resource
B. Access Key 2
C. Access Key 1
D. SAS Token

A

A. Storage Resource
D. SAS Token

41
Q

We would like to identify which servers are not in use so we can decommission them and save the cost of keeping them running. Which tool easily helps you identify all VMs that are not in use?

A. Resource Health
B. Advisor Recommendations > Configure > Rules
C. Health Monitor
D. Azure Activity Log

A

B. Advisor Recommendations > Configure > Rules is the correct answer.

Let’s analyze each option:

A. Resource Health (INCORRECT)

Resource Health shows the health status of Azure resources

It focuses on current operational status and availability

Does not specifically identify unused resources

More focused on troubleshooting and monitoring service health

Cannot determine resource utilization patterns

B. Advisor Recommendations > Configure > Rules (CORRECT)

This is the correct tool for identifying unused VMs

Azure Advisor provides cost optimization recommendations [1]

Specifically helps identify:

Idle or underutilized VMs

VMs with low CPU utilization over time

Opportunities for right-sizing

Potential cost savings

Provides actionable recommendations based on actual usage patterns

Integrates with Cost Management features

Can help identify:

VMs with no network traffic

VMs with low CPU utilization

Unused disks and resources

C. Health Monitor (INCORRECT)

This is not a specific Azure tool for resource utilization

Focuses on monitoring general health metrics

Does not provide specific insights about resource utilization

Cannot determine if VMs are unused or underutilized

D. Azure Activity Log (INCORRECT)

Shows operational logs and activities

Records events and actions taken on resources

Does not analyze resource utilization

Cannot determine if VMs are unused

More focused on audit and compliance tracking

42
Q

Which of the following is not a recommended protocol to access Azure File Sync from your Windows Server?

A. SMB
B. nfs
C. http
D. FTPS

A

C. http

43
Q

Which series would we choose if we had a virtual machine used for Artificial Intelligence (AI)?
A. F-Series
B. H-Series
C. L-Series
D. A-Series

A

B. H-Series

44
Q

Where do you go within the Azure Portal to find information about who has logged into the Portal in the last 24 hours?
A. Metrics
B. Monitor
C. Subscriptions
D. Activity Log

A

D. Activity Log is the correct answer.

Let’s analyze each option:

A. Metrics (INCORRECT)

Metrics focuses on performance data and resource statistics

Shows quantitative measurements of system performance

Does not track user login activities

Used primarily for monitoring resource performance and health

Cannot show user authentication events

B. Monitor (INCORRECT)

While Monitor is a broader service that includes Activity Log

It’s not the most direct path to access login information

Contains many other monitoring features beyond login activity

Too broad of a category for this specific need

C. Subscriptions (INCORRECT)

Manages subscription-level settings and properties

Shows billing and resource allocation information

Does not directly show login activity

Focused on subscription management rather than security monitoring

D. Activity Log (CORRECT)

This is the correct location to find login information

Features:

Shows all sign-in activities

Provides detailed audit trails

Records who logged in, when, and from where

Maintains history of authentication events

Can be filtered by time period (including last 24 hours)

Shows successful and failed login attempts

Benefits:

Easy to query and filter

Exportable for analysis

Integrates with security monitoring

Supports compliance requirements

45
Q

Which of the following settings are not swapped when you swap an app? Select three.

A. Publishing endpoints

B. Always On

C. General settings, such as framework version, 32/64-bit, web sockets

D. Handler mappings

E. Custom domain names

A

A. Publishing endpoints

B. Always On

E. Custom domain names

46
Q

You are backing up your App Service. Which of the following is included in the backup? Select two.

A. SSL enabled Azure Database for MySQL

B. Files and database content totalling 15GB

C. App configuration

D. Firewall-enabled storage account

E. Azure database for MySQL

A

C. App configuration

E. Azure database for MySQL

47
Q

You want to utilize Azure Identity Protection. Which one of the editions below supports this feature?

A. Basic

B. Premium P1

C. Free

D. Premium P2

A

D. Premium P2