test 7 Flashcards

1
Q

A company has set up an Azure subscription and a tenant. They want to ensure that only Virtual Machines of a particular SKU size can be launched in their Azure account. They decide to implement Role Based access policies.

Does this fulfil the requirement?

Yes

No

A

No
Role based access policies can be used to restrict access to resources, but they can't put any sort of governance on what type of resources can be created.

2
Q

A company has set up an Azure subscription and a tenant. They want to ensure that only Virtual Machines of a particular SKU size can be launched in their Azure account. They decide to implement Azure locks.

Does this fulfil the requirement?

Yes

No

A

No

Azure locks are used to prevent users from accidentally deleting or modifying critical resources. They can’t be used for the said purpose as stated in the question.

3
Q

A company has set up an Azure subscription and a tenant. They want to ensure that only Virtual Machines of a particular SKU size can be launched in their Azure account. They decide to implement Azure policies.

Does this fulfil the requirement?

Yes

No

A

Yes

Yes, this can be done with Azure policies

4
Q

A company plans to use Azure Network Watcher to perform the following tasks:

“Find out if a network security rule is preventing a network packet from reaching a virtual machine hosted in an Azure virtual network”

“Find out if there is outbound connectivity between an Azure virtual machine and an external host”

Which of the following Network Watcher features would you use for the following requirement?

“Find out if a network security rule is preventing a network packet from reaching a virtual machine hosted in an Azure virtual network”

IP Flow Verify

Next Hop

Packet Capture

Traffic Analysis

A

IP Flow Verify

5
Q

Your company currently has a Site-to-Site connection with an Azure Virtual Private Network. The VPN device on the on-premises side is going to undergo a change in its public IP address. You have to ensure the Site-to-Site VPN connection continues to work after the change.

Which of the following steps would you need to carry out after the change in the public IP address on the on-premises VPN device, ensuring minimum connection downtime? Choose 3 answers from the options given below.

Remove the VPN connection

Stop the VPN connection

Modify the local gateway IP address

Modify the VPN gateway address

Recreate the VPN connection

Start the VPN connection

A

Remove the VPN connection

Modify the local gateway IP address

Recreate the VPN connection

6
Q

A company has an application deployed across a set of virtual machines. Users connect to the application either using point-to-site VPN or site-to-site VPN connections. You need to ensure that connections to the application are spread across all of the virtual machines.

Which of the following could you set up for this requirement? Choose 2 answers from the options given below.

A Public Load Balancer

An Internal Load Balancer

A Traffic Manager Profile

An Azure Content Delivery Network

An Azure Application Gateway

A

An Internal Load Balancer

An Azure Application Gateway

Since we need to distribute traffic across the virtual machines, we can use either the Load Balancer or Application Gateway service.

7
Q

A company has set up an Azure subscription. They have set up a storage account and are currently using the BLOB service. They want to assign permissions to 3 user groups.

GroupA – This group should have the ability to manage the storage account

GroupB – This group should be able to manage containers within a storage account

GroupC – This group should be given full access to Azure Storage blob containers and data, including assigning POSIX access control

You need to assign the relevant Role Based Access Control ensuring the privilege of least access. Which of the following would you assign to GroupB?

Owner

Contributor

Storage Account Contributor

Storage Blob Data Contributor

Storage Blob Data Owner

A

Storage Blob Data Contributor

8
Q

A company has set up an Azure subscription. They have set up a storage account and are currently using the BLOB service. They want to assign permissions to 3 user groups.

GroupA – This group should have the ability to manage the storage account

GroupB – This group should be able to manage containers within a storage account

GroupC – This group should be given full access to Azure Storage blob containers and data, including assigning POSIX access control

You need to assign the relevant Role Based Access Control ensuring the privilege of least access. Which of the following would you assign to GroupC?

Owner

Contributor

Storage Account Contributor

Storage Blob Data Contributor

Storage Blob Data Owner

A

Storage Blob Data Owner

9
Q

A company is planning on using the Azure Import/Export service to move data out of their Azure Storage account. Which of the following services could be used when defining the Azure Export job?

BLOB storage

File storage

Queue storage

Table storage

A

BLOB storage

10
Q

You have an Azure virtual machine based on the Windows Server 2016 image. You implement Azure backup for the virtual machine. You want to restore the virtual machine by using the Replace existing option.

Which of the following needs to be done first before you go ahead and replace the virtual machine using the Azure Backup option?

Create a custom image

Stop the virtual machine

Allocate a new disk

Enable encryption on the disk

A

Stop the virtual machine

The virtual machine has to be in the Stopped or Deallocated state in order to replace the existing disks on the virtual machine.

11
Q

You have an Azure subscription named CertGlobalstaging. Under the subscription, you go ahead and create a resource group named CertGlobals-rg.

You then go ahead and create an Azure policy based on the “Not allowed resource types” definition. Here you define the parameter for the not allowed resource type as Microsoft.Network.virtualNetworks. You assign this policy to the Tenant Root Group.

Would you be able to create a virtual machine in the CertGlobals-rg resource group?

Yes

No

A

No

12
Q

A company currently has a set of Azure virtual machines. They want to ensure that their IT administrative team is alerted if any of the virtual machines are shut down. They decide to create alerts based on Activity Logs in Azure Monitor.

Would this fulfil the requirement?

Yes

No

A

Yes

13
Q

A company currently has a set of Azure virtual machines. They want to ensure that their IT administrative team is alerted if any of the virtual machines are shut down. They decide to create alerts in the Azure Advisor service.

Would this fulfil the requirement?

Yes

No

A

No

14
Q

A company currently has a set of Azure virtual machines. They want to ensure that their IT administrative team is alerted if any of the virtual machines are shut down. They decide to create alerts in the Service Health service.

Would this fulfil the requirement?

Yes

No

A

No

15
Q

A company has created a storage account in their Azure subscription. The name of the storage account is CertGlobalstore. They have also created a file share named demo. They need to access the files in the file share via a UNC path.

You need to fill in the following blocks to ensure the right UNC path is provided.

Which of the following needs to go into Slot1?

blob

blob.core.windows.net

portal.azure.com

file

file.core.windows.net

CertGlobalstore

demo

A

CertGlobalstore

16
Q

A company has created a storage account in their Azure subscription. The name of the storage account is CertGlobalstore. They have also created a file share named demo. They need to access the files in the file share via a UNC path. You need to fill in the following blocks to ensure the right UNC path is provided.

Which of the following needs to go into Slot2?

blob

blob.core.windows.net

portal.azure.com

file

file.core.windows.net

CertGlobalstore

demo

A

file.core.windows.net

To work with the UNC path format, you mount the Azure file share with File Explorer; the UNC path format is:

\\<storageAccountName>.file.core.windows.net\<fileShareName>

17
Q

A company has created a storage account in their Azure subscription. The name of the storage account is CertGlobalstore. They have also created a file share named demo. They need to access the files in the file share via a UNC path. You need to fill in the following blocks to ensure the right UNC path is provided.

Which of the following needs to go into Slot3?

blob

blob.core.windows.net

portal.azure.com

file

file.core.windows.net

CertGlobalstore

demo

A

demo

18
Q

A company has set up a Virtual Machine in Azure. A web server listening on port 80 and a DNS server have been installed on the Virtual Machine. A network security group is attached to the network interface for the virtual machine. The rules for the NSG are given below (Inbound Rules).

If RuleB is deleted, would users from the Internet be able to

Connect to the web server hosted on the virtual machine only

Connect to the DNS server hosted on the virtual machine only

Connect to both the web and DNS server hosted on the virtual machine only

Not connect to either the web or DNS server hosted on the virtual machine only

A

Not connect to either the web or DNS server hosted on the virtual machine only

19
Q

Your company has set up a storage account in Azure as shown below.

The company needs to only allow connections to the storage account from the IP address range 51.107.2.0 to 51.107.2.255. Which of the following sections of the storage account would you modify to fulfil this requirement?

Firewall and virtual networks

Advanced security

Soft Delete

Lifecycle Management

A

Firewall and virtual networks

20
Q

A company needs to deploy a virtual machine using a Resource Manager template. The template needs to be submitted via Azure CLI commands. The template is stored in a file named CertGlobalvm.json. You need to complete the below CLI command.

Which of the following would go into Slot2?

--template

--template-url

--template-file

--template-resource

A

--template-file

21
Q

Your company has the requirement to create an Azure storage account. The storage account needs to meet the following requirements.

Should be able to support hot, cool and archive blob tiers

Should be able to provide fault tolerance if a disaster hits the Azure region which has the storage account

Should minimize costs

You need to complete the below command to create the storage account.

Which of the following would go into Slot2?

Standard_GRS

Standard_LRS

Standard_RAGRS

Premium_LRS

A

Understanding Azure Storage Replication
Locally Redundant Storage (LRS): Replicates your data three times within a single data center. Provides basic protection against hardware failures but is not fault tolerant to a region failure.
Geo-Redundant Storage (GRS): Replicates your data three times within the primary region and also three times in a secondary region that is hundreds of miles away. Provides protection against regional outages.
Read-Access Geo-Redundant Storage (RA-GRS): Same as GRS, but also provides read-only access to the secondary region, which can be used for reading data during a failure of the primary region.
Premium performance tier: This tier is not available for GRS or RA-GRS storage accounts.
Analyzing the Requirements
Support for Hot, Cool, and Archive Blob Tiers: Both standard and premium storage accounts can support all three tiers. This option does not limit the possible answers.
Fault Tolerance for Region Disasters: Only GRS and RA-GRS provide protection in the event of a regional outage.
Minimize Costs: LRS is the cheapest option. RA-GRS is more expensive than GRS. Standard GRS is a low cost option, and premium performance tier cannot be used in conjunction with any of the geo-redundancy options.
Determining the Correct Replication Setting
Based on the requirements:
LRS is the cheapest, but does not meet the fault tolerance requirement.
RA-GRS provides protection and read access, but at a higher cost.
GRS provides protection for a region outage at a lower cost than RA-GRS.
Premium performance tier storage cannot be configured with GRS and RA-GRS storage.
The option that provides the required fault tolerance while minimizing costs is Standard GRS.
Answer:
Standard_GRS

21
Q

A team has set up Log Analytics for a virtual machine named demovm. They are running the following query in the Log Analytics Workspace.

If the query is run on a Monday, the query will return events from the last

1 day

7 days

8 days

14 days

Which option is correct, why is it correct, and what is the important note for the AZ-104 exam?

A

Understanding Log Analytics Queries and Time Ranges
Log Analytics Workspace: A service in Azure for collecting and analyzing log data.
Kusto Query Language (KQL): The query language used in Log Analytics.
union isfuzzy=true *: this will get data from any type of table.
where TimeGenerated > ago(7d): The key part of this query is the ago(7d) function.
ago(time) Function: This function specifies a time range relative to the current time when the query is executed. For example, ago(1d) means “one day ago” from the time the query runs. The date is based on the current date, and the date will be relative to the current date.
Analyzing the Query:
The query is:
union isfuzzy=true *
| where TimeGenerated > ago(7d)
union isfuzzy=true *: This combines data from all tables in the workspace.
| where TimeGenerated > ago(7d): This filters the results to include only events where the TimeGenerated timestamp is greater than 7 days ago, from the current time.
Determining the Time Range
The ago(7d) function will return all results that are within the past 7 days. This means that when run on a Monday, it will return the last 7 days, and will not include the current day, as the > operator does not include the current date.
Monday: The query is executed on a Monday.
Time Range: ago(7d) means “7 days ago”.
Therefore:
When the query is executed on Monday, it will return all the events that have been generated from the last 7 days from the date of execution.
Important Note for AZ-104 Exam
For the AZ-104 exam, be sure to:
Understand ago(): Know how the ago() function works in KQL for defining relative time ranges.
Time Units: Be familiar with how to use units like d (days), h (hours), and m (minutes) with ago().
Pay Attention to Operators: Note that the > operator excludes the date on which the query is being run, while >= would include the date on which the query is being run.
Know the default time range: It is important to remember that if a time range is not explicitly defined, that Log Analytics will only return data from the last 24 hours by default.
Answer:
The query will return events from the last 7 days.

where TimeGenerated > ago(1d) // Last 1 day

22
Q

Your company has the requirement to create an Azure storage account. The storage account needs to meet the following requirements.

Should be able to support hot, cool and archive blob tiers

Should be able to provide fault tolerance if a disaster hits the Azure region which has the storage account

Should minimize costs

You need to complete the below command to create the storage account.

Which of the following would go into Slot1?

FileStorage

Storage

StorageV2

Table

A

StorageV2

Since there is a requirement to support the Hot, Cool and Archive tiers, we can choose General Purpose v2. These tiers are supported by General Purpose v2 and Blob Storage accounts; to have the complete functionality of the BLOB service, choose General Purpose v2.

23
Q

A company has set up an Azure Virtual Machine. A team member is trying to connect to the Virtual Machine but is not able to do so. Below is a snippet of the Networking section of the Virtual Machine.

Which of the following needs to be done in order to ensure that the team member can connect to the Virtual Machine?

Delete the Rule “Port_3389”

Add a rule to the Outbound port rules to allow traffic on port 3389

Delete the Rule “DenyAllInBound”

Start the Virtual Machine

A

Start the Virtual Machine

24
Q

As an IT admin you have to develop scripts that need to be used to add data disks to an existing virtual machine. Below is the incomplete script.

Which of the following would go into Slot1?

New-AzDisk

New-AzDiskConfig

Add-AzVMDataDisk

Set-AzDisk

A

New-AzDiskConfig
25
Q

As an IT admin you have to develop scripts that need to be used to add data disks to an existing virtual machine. Below is the incomplete script.

Which of the following would go into Slot4?

New-AzDisk

New-AzDiskConfig

Add-AzVMDataDisk

Set-AzDisk

A

Add-AzVMDataDisk
26
Q

As an IT admin you have to develop scripts that need to be used to add data disks to an existing virtual machine. Below is the incomplete script.

Which of the following would go into Slot5?

Set-AzVM

Update-AzVM

Get-AzVM

New-AzVM

A

Update-AzVM
26
Q

As an IT admin you have to develop scripts that need to be used to add data disks to an existing virtual machine. Below is the incomplete script.

Which of the following would go into Slot2?

New-AzDisk

New-AzDiskConfig

Add-AzVMDataDisk

Set-AzDisk

A

New-AzDisk
27
Q

A company currently has the following networks defined in Azure. All virtual networks are hosting virtual machines with varying workloads. A virtual machine named “CertGlobal-detect” is hosted in CertGlobal-vnet2. This virtual machine will have intrusion detection software installed on it. All traffic on all virtual networks needs to be routed via this virtual machine. You need to complete the required steps for implementing this requirement.

You are going to create the virtual network peering connection for all of the virtual networks. Which of the following is important to set for the virtual network peering connection?

Set the virtual network deployment model as Classic

Set the virtual network access settings as Disabled

Set the forwarded traffic settings as Enabled

Enable “Allow gateway transit”

A

Set the forwarded traffic settings as Enabled
28
Q

A company currently has the following networks defined in Azure. All virtual networks are hosting virtual machines with varying workloads. A virtual machine named “CertGlobal-detect” is hosted in CertGlobal-vnet2. This virtual machine will have intrusion detection software installed on it. All traffic on all virtual networks needs to be routed via this virtual machine. You need to complete the required steps for implementing this requirement.

Which of the following would you need to create additionally to ensure traffic is sent via the virtual machine hosting the intrusion detection software?

A new route table

Add an address space

Add DNS servers

Add a service endpoint

A

A new route table
29
Q

A company currently has the following networks defined in Azure. All virtual networks are hosting virtual machines with varying workloads. A virtual machine named “CertGlobal-detect” is hosted in CertGlobal-vnet2. This virtual machine will have intrusion detection software installed on it. All traffic on all virtual networks needs to be routed via this virtual machine. You need to complete the required steps for implementing this requirement.

Which of the following needs to be enabled on the virtual machine “CertGlobal-detect”?

Enable IP forwarding

Enable the identity for the virtual machine

Add an extension to the virtual machine

Change the size of the virtual machine

A

Enable IP forwarding
30
Q

A company has the following resources deployed to their Azure subscription. The virtual machine “CertGlobalvm” is currently in the running state. The company now assigns the below Azure policy. The Not Allowed resource types are:

Microsoft.Network/virtualNetworks

Microsoft/Compute/virtualMachines

Would an administrator be able to move the virtual machine to another resource group?

Yes

No

A

Understanding Azure Policies
Azure Policies: Used to enforce organizational standards and assess compliance at scale.
Resource Types: Azure policies can target specific resource types.
"Not Allowed" Resources: Policies can be configured to prevent the creation or modification of resources.
Resource Move: Moving resources to different resource groups is considered a modification of the resource.
Analyzing the Resources
Virtual Machine "CertGlobalvm": Running state.
Analyzing the Azure Policy
The defined policy prevents:
Creation of virtual networks (Microsoft.Network/virtualNetworks).
Creation of virtual machines (Microsoft/Compute/virtualMachines).
Determining if the VM Can Be Moved
The policy restricts the creation of new virtual machines and virtual networks; it does not prevent the modification of existing virtual machines, therefore the resource should be able to be moved.
Answer:
Yes
31
Q

A company has the following resources deployed to their Azure subscription. The virtual machine “CertGlobalvm” is currently in the running state. The company now assigns the below Azure policy. The Not Allowed resource types are:

Microsoft.Network/virtualNetworks

Microsoft/Compute/virtualMachines

Would the state of the virtual machine change to deallocated?

Yes

No

A

Understanding Azure Policies
Azure Policies: Used to enforce organizational standards and assess compliance at scale.
Resource Types: Azure policies can target specific resource types.
"Not Allowed" Resources: Policies can be configured to prevent the creation or modification of resources.
Virtual Machine State: The state of a virtual machine (e.g., running, deallocated) is controlled by its configuration and lifecycle events.
Analyzing the Resources
Virtual Machine "CertGlobalvm": Currently in the running state.
Analyzing the Azure Policy
The defined policy prevents:
Creation of virtual networks (Microsoft.Network/virtualNetworks).
Creation of virtual machines (Microsoft/Compute/virtualMachines).
Determining if the VM State Changes
Policy Impact: The policy is designed to prevent the creation of new resources, not the modification or deallocation of existing ones.
Existing Resources: As the virtual machine has already been created, the policy will not impact the existing state of the virtual machine.
Therefore, assigning the policy will not deallocate the virtual machine.
Answer:
No
32
Q

A team is currently storing all of their objects in an Azure storage account. They are currently using the Azure Blob service. They want to create a lifecycle management rule that would do the following:

Change the tier level of the objects to the cool tier if they have not been modified in the past 30 days

Archive an object if it has not been modified in the past 90 days

The lifecycle rule would be applied to a container called demo and a folder within the container called data. You have to complete the following JSON snippet for the lifecycle rule.

Which of the following would go into Slot1?

demo

data

data/demo

demo/data

A

demo/data
33
Q

A team is currently storing all of their objects in an Azure storage account. They are currently using the Azure Blob service. They want to create a lifecycle management rule that would do the following:

Change the tier level of the objects to the cool tier if they have not been modified in the past 30 days

Archive an object if it has not been modified in the past 90 days

The lifecycle rule would be applied to a container called demo and a folder within the container called data. You have to complete the following JSON snippet for the lifecycle rule.

Which of the following would go into Slot3?

15

30

90

120

A

90
34
Q

What is the PowerShell command to add the image information to the virtual machine's configuration?

A. Set-AzureRmVMSourceImage -VM $VirtualMachine -PublisherName "MicrosoftWindowsServer" -Offer "WindowsServer" -Skus "2012-R2-Datacenter" -Version "latest"

B. Get-AzureRmVMSourceImage -VM $VirtualMachine -PublisherName "MicrosoftWindowsServer" -Offer "WindowsServer" -Skus "2012-R2-Datacenter" -Version "latest"

C. Set-AzureRmVMSourceImage -VM $VirtualMachine -PublisherName "MicrosoftWindowsServer" -Offer "WindowsServer" -Sku "2012-R2-Datacenter" -Version "current"

D. Set-AzureRmVMSourceImage -VM $VirtualMachine -PublisherName WindowsServer -Offer "WindowsServer" -Skus "2012-R2-Datacenter" -Version "latest"

A

A. Set-AzureRmVMSourceImage -VM $VirtualMachine -PublisherName "MicrosoftWindowsServer" -Offer "WindowsServer" -Skus "2012-R2-Datacenter" -Version "latest"
35
Q

Which of the following is the Kubernetes agent that processes the orchestration requests from the cluster master, and schedules running the requested containers? Select one.

A. kube-proxy

B. kubelet

C. controller master

D. container runtime

A

B. kubelet
Why B is correct:
Kubelet is the primary node agent that runs on each node in the Kubernetes cluster [1].
It's responsible for ensuring containers are running in a Pod as specified in the PodSpecs.
It communicates with the control plane (master) and executes orchestration requests.
It manages the container lifecycle, ensuring containers are running and healthy.
It registers the node with the kube-apiserver on the Kubernetes control plane.
Why other options are incorrect:
A. kube-proxy: This is incorrect because kube-proxy is a network proxy that runs on each node. It maintains network rules and handles network communication to and from pods. It does not handle container orchestration or scheduling.
C. controller master: This is incorrect because "controller master" is not a standard Kubernetes component. While the control plane (master) makes scheduling decisions, it's the kubelet that actually executes these decisions on the nodes.
D. container runtime: This is incorrect because the container runtime (like Docker) is just the software responsible for running containers. It's a lower-level component that kubelet uses to start and stop containers. It doesn't handle orchestration requests or scheduling decisions.
36
Q

Which of the following built-in roles has the required Microsoft Authorization permissions that will allow a user account to create a cloud endpoint?

A. User Access Administrator

B. Owner

C. Reader and Data Access

D. Contributor

A

Understanding Azure Roles and Permissions
Azure RBAC: Azure Role-Based Access Control (RBAC) is used to manage access to Azure resources.
Roles: Roles define the set of permissions that can be granted to a user, group, or service principal.
Cloud Endpoint: A cloud endpoint typically involves configuring resources such as load balancers, application gateways, or other networking components.
Microsoft.Authorization Permissions: Permissions under the Microsoft.Authorization namespace are related to access control and role assignments.
Analyzing the Roles
Let's examine each of the provided roles and their relevance to creating a cloud endpoint:
A. User Access Administrator: This role grants permissions to manage user access to Azure resources, including assigning roles to other users. It does not grant direct permissions for creating resources, such as cloud endpoints. This role is incorrect.
B. Owner: This role grants full access to all Azure resources, including the ability to create resources and manage the access permissions of other users. This role has the necessary permissions to create a cloud endpoint. This role is correct.
C. Reader and Data Access: This role only provides read-only access to resources. It does not grant permissions to create resources. This role is incorrect.
D. Contributor: This role grants the ability to create and manage resources, but doesn't include the specific Microsoft.Authorization permissions required to create cloud endpoints. This role is not the correct one.
The Correct Role
The role that has the required permissions to create a cloud endpoint, and includes Microsoft.Authorization permissions, is the Owner role.
Answer:
B. Owner
37
Q

You have a MySQL database that you want to keep secure and prevent access to the public internet. Which of these options would you use? Select 3.

A. Service Endpoint

B. VNet Peering

C. Private IP Address

D. NSG

A

The correct answers are: A. Service Endpoint, C. Private IP Address, D. NSG (Network Security Group)
Let's analyze why each option is correct or incorrect:
CORRECT ANSWERS:
A. Service Endpoint: Correct because it allows you to secure Azure service resources to your virtual network. Provides a direct connection from your VNet to the Azure MySQL database [1]. Restricts database access to only resources within your VNet. Improves security by removing database access from the public internet.
C. Private IP Address: Correct because it ensures the database is only accessible within the private network. Prevents direct exposure to the internet. Allows secure communication between resources in the same VNet. Can be used with Private Link to establish secure connections.
D. NSG (Network Security Group): Correct because it acts as a network-level firewall. Allows you to control inbound and outbound traffic. Can restrict access based on source/destination IP addresses and ports. Provides an additional security layer for database access control.
INCORRECT ANSWER:
B. VNet Peering: While VNet Peering is a useful networking feature, it's not primarily a security measure. It's used to connect two VNets together to allow resources to communicate. It's more about network connectivity than security. While it can be part of a secure architecture, it's not specifically focused on securing database access.
38
Q

You are administering a production web app. The app requires scaling to five instances, 40GB of storage, and a custom domain name. Which App Service Plan should you select? Select one.

Basic

Free

Standard

Premium

Shared

A

Correct Option: C. Standard
Explanation: The Standard App Service Plan supports scaling up to 10 instances, provides up to 50GB of storage, and allows for custom domain names. It is suitable for production workloads that require scaling, custom domains, and additional storage.
39
Q

You are developing a storage plan that includes Premium storage. Which storage redundancy type is available to use? Select one.

A. Geo Redundant Storage

B. Locally redundant storage

C. Zone Redundant Storage

D. RA Geo redundant Storage

A

Understanding Azure Storage Redundancy
Locally Redundant Storage (LRS): Replicates your data three times within a single data center. Provides basic protection against hardware failures within a single data center.
Geo-Redundant Storage (GRS): Replicates your data three times within the primary region and also three times in a secondary region that is hundreds of miles away. Provides protection against regional outages.
Read-Access Geo-Redundant Storage (RA-GRS): Same as GRS, but also provides read-only access to the secondary region, which can be used for reading data during a failure of the primary region.
Zone-Redundant Storage (ZRS): Replicates your data synchronously across three availability zones in the primary region. Provides high availability within a single region.
Premium Storage: Uses Solid State Drives (SSDs) to provide high performance and low latency.
Analyzing Redundancy Options for Premium Storage
LRS (Locally Redundant Storage): Is supported in conjunction with the premium storage tier.
GRS (Geo-Redundant Storage): Is not available in conjunction with the premium storage tier.
RA-GRS (Read-Access Geo-Redundant Storage): Is not available in conjunction with the premium storage tier.
ZRS (Zone-Redundant Storage): Is not available in conjunction with the premium storage tier.
The Correct Redundancy Option
Only Locally redundant storage is available when using Premium storage.
Answer:
B. Locally redundant storage
40
If we want to have an image of the operating system (OS) and all disks attached, which of the following would be the preferred image?
A. OS image (generalized)
B. Disk image
C. VM image (specialized)
D. Data image
C. VM image (specialized)

Why C is correct:
A VM image (specialized) captures the complete state of a running VM including:
- Operating system
- All attached data disks
- Applications and configurations
- System state
It's perfect for creating exact copies of a working VM, maintains all configurations and customizations, and is best for backup and disaster recovery scenarios.

Why other options are incorrect:
A. OS image (generalized)
- Incorrect because generalized images remove all machine-specific information
- Doesn't maintain specific configurations and customizations
- Requires sysprep, which removes unique identifiers
- Doesn't include data disks
- Better for deploying multiple new instances, not for capturing complete system state
B. Disk image
- Incorrect because it only captures a single disk
- Doesn't capture the complete VM configuration
- Limited to either OS disk or data disk content
- Doesn't maintain the relationship between multiple disks
D. Data image
- Incorrect because this isn't a standard image type in cloud environments
- Would only contain data, not system state or configurations
- Doesn't include OS or system configurations
- Doesn't maintain the complete VM state
41
You have multiple apps running in a single App Service plan. True or False: Each app in the service plan can have different scaling rules.
A. False
B. True
Correct Option: A. False Explanation: False: In an Azure App Service plan, all apps share the same scaling rules. The scaling settings apply to the entire App Service plan, not to individual apps within the plan. Therefore, you cannot configure different scaling rules for each app in the same App Service plan.
42
Existing Environment

Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD) tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD tenant.

The Azure AD tenant contains the users shown in the following table.

Name    Type     Role
User1   Member   None
User2   Guest    None
User3   Member   None
User4   Member   None

Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.

Name    Subnet             Peered with
VNET1   Subnet1, Subnet2   VNET2
VNET2   Subnet1            VNET1, VNET3
VNET3   Subnet1            VNET2
VNET4   Subnet1            None

User1 manages the resources in RG1. User4 manages the resources in RG2.

Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table.

Name   IP address    Location     Connected to
VM1    10.0.1.4      West US      VNET1/Subnet1
VM2    10.0.2.4      West US      VNET1/Subnet2
VM3    172.16.1.4    Central US   VNET2/Subnet1
VM4    192.168.1.4   West US      VNET3/Subnet1
VM5    10.0.22.4     East US      VNET4/Subnet1

No network security groups (NSGs) are associated to the network interfaces or the subnets.

Sub1 contains the storage accounts shown in the following table.

Name       Kind                             Location     File share       Identity access
storage1   Storage (general purpose v1)     West US      sharea           Azure Active Directory Domain Services (Azure AD DS)
storage2   StorageV2 (general purpose v2)   East US      shareb, sharec   Disabled
storage3   BlobStorage                      East US 2    Not applicable   Not applicable
storage4   FileStorage                      Central US   shared           Azure Active Directory Domain Services (Azure AD DS)

https://www.certification-questions.com Microsoft AZ-104

Requirements

Planned Changes

Contoso plans to implement the following changes:
- Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.
- Create a storage account named storage5 and configure storage replication for the Blob service.
- Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.

Priority   Port   Protocol   Source        Destination
500        3389   TCP        10.0.2.0/24   Any
1000       Any    ICMP       Any           Virtual Network

- Associate NSG1 to the network interface of VM1.
- Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.

Priority   Port   Protocol   Source        Destination       Action
200        3389   TCP        10.0.0.0/16   Virtual Network   Deny
400        Any    ICMP       10.0.2.0/24   10.0.1.0/24       Allow

- Associate NSG2 to VNET1/Subnet2.

Technical Requirements

Contoso must meet the following technical requirements:
- Create container1 and share1.
- Use the principle of least privilege.
- Create an Azure AD security group named Group4.
- Back up the Azure file shares and virtual machines by using Azure Backup.
- Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.
- Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.
- Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1.
- Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.
- Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only permissions to the Azure file shares.

Contoso needs to back up Azure file shares and virtual machines using Azure Backup. Which of the following statements is correct regarding the minimum backup configuration needed?
A) One Recovery Services vault with one backup policy for all resources
B) One Recovery Services vault with separate policies for VMs and file shares
C) Two Recovery Services vaults with one backup policy each
D) Two Recovery Services vaults with separate policies for VMs and file shares
Correct Option: B) One Recovery Services vault with separate policies for VMs and file shares

Explanation: Azure Backup allows you to use a single Recovery Services vault to back up multiple types of resources, including virtual machines and file shares. However, you need to create separate backup policies for VMs and file shares to meet their specific backup requirements.
43
Existing Environment: the same Contoso case study as question 42 above (Sub1, the Azure AD users, VNET1 to VNET4, VM1 to VM5, storage1 to storage4, the planned NSG1 and NSG2 rules, and the technical requirements).

NSG1 needs to be created with specific inbound rules and associated with VM1's network interface.

Q: After implementing NSG1, which traffic pattern would be allowed?
A) Only RDP from subnet 10.0.2.0/24 and ICMP from any source
B) Only RDP from any source and ICMP from virtual network
C) Only RDP from subnet 10.0.2.0/24
D) All traffic, as NSGs allow all traffic by default
The correct answer is A) Only RDP from subnet 10.0.2.0/24 and ICMP from any source

Here's why this is correct:

Key Technical Points:
NSG1 inbound rules:
- Priority 500: Port 3389 (RDP), TCP, Source 10.0.2.0/24, Destination Any
- Priority 1000: Any port, ICMP, Source Any, Destination Virtual Network

NSG Rule Analysis:
1. RDP Rule (Priority 500):
- Protocol: TCP
- Port: 3389
- Source: 10.0.2.0/24
- Allows RDP only from specific subnet
2. ICMP Rule (Priority 1000):
- Protocol: ICMP
- Port: Any
- Source: Any
- Allows ICMP from anywhere

Important Notes for AZ-104 Exam:
a) NSG Default Rules:

Priority   Name                     Port   Source     Destination
65000      AllowVnetInBound         All    VNet       VNet
65001      AllowAzureLoadBalancer   All    Azure LB   Any
65500      DenyAllInbound           All    Any        Any

b) Rule Processing:
- Processed by priority
- First match wins
- Lower number = higher priority

Why Other Options are Wrong:
B) Only RDP from any source and ICMP from virtual network:
- RDP is restricted to 10.0.2.0/24
- ICMP is allowed from any source
44
Existing Environment: the same Contoso case study as question 42 above (Sub1, the Azure AD users, VNET1 to VNET4, VM1 to VM5, storage1 to storage4, the planned NSG1 and NSG2 rules, and the technical requirements).

Storage accounts configuration:
- storage1: Azure AD DS enabled
- storage2: Identity access disabled
- storage4: Azure AD DS enabled

Q: Which storage accounts can Group4 be granted read-only RBAC permissions to access file shares?
A) Only storage1
B) storage1 and storage4
C) storage1, storage2, and storage4
D) None of the storage accounts
The correct answer is B) storage1 and storage4

Here's why this is correct:

Key Technical Points:
- Azure AD DS enabled for storage1 and storage4
- Identity access disabled for storage2
- RBAC requires Azure AD authentication
- File shares access control

Storage Account Analysis:
storage1:
- Azure AD DS enabled
- Can use RBAC
- File share: sharea
storage2:
- Identity access disabled
- Cannot use RBAC
- File shares: shareb, sharec
storage4:
- Azure AD DS enabled
- Can use RBAC
- File share: shared

Important Notes for AZ-104 Exam:
a) File Share Access Methods:
- Azure AD authentication
- Storage account keys
- Shared access signatures (SAS)
- Azure AD DS integration
b) RBAC Requirements:
- Azure AD DS enabled
- Identity-based access
- Proper role assignment
- Permission scope

Why Other Options are Wrong:
A) Only storage1: Excludes storage4; both support RBAC
C) storage1, storage2, and storage4: storage2 has identity access disabled and cannot use RBAC
D) None: Incorrect; storage1 and storage4 support RBAC

Implementation Considerations:
a) Access Configuration: Azure AD DS integration, role assignments, permission scope, authentication method
b) Security Controls: Least privilege, access review, monitoring, audit logging

Best Practices:
a) Storage Access: Use Azure AD authentication, enable identity access, regular access review, proper documentation
b) Security Management: Role-based access, regular audits, monitoring, compliance checks

Critical Exam Topics:
a) Storage Authentication: Azure AD integration, identity access, RBAC support, authentication methods
b) Access Control: Role assignments, permission scope, authentication options, security controls

Remember for the Exam:
a) Storage Requirements: Azure AD DS enabled, identity access configured, RBAC support, authentication method
b) Access Methods: Azure AD authentication, storage account keys, SAS tokens, file share permissions

Additional Important Notes:
a) Management Options: Azure Portal, PowerShell, Azure CLI, REST API
b) Troubleshooting Areas: Authentication issues, permission problems, access denied errors, configuration validation

Key Exam Focus Areas:
a) Technical Knowledge: Storage authentication, access control, RBAC implementation, security features
b) Operational Understanding: Configuration steps, management tasks, troubleshooting, best practices
45
Existing Environment: the same Contoso case study as question 42 above (Sub1, the Azure AD users, VNET1 to VNET4, VM1 to VM5, storage1 to storage4, the planned NSG1 and NSG2 rules, and the technical requirements).

Requirements:
- User1 needs to create Azure policy definitions
- User2 needs to assign Azure policies to RG1

Q: Which built-in roles should be assigned to meet these requirements?
A) User1: Policy Contributor, User2: Policy Administrator
B) User1: Resource Policy Contributor, User2: Policy Administrator
C) User1: Policy Administrator, User2: Policy Contributor
D) User1: Resource Policy Contributor, User2: Resource Policy Contributor
Understanding Azure Policy and Roles
- Azure Policy Definitions: Define the rules that must be followed by resources in Azure.
- Azure Policy Assignments: Apply policies to resources, resource groups, or subscriptions.
- Policy Contributor: A role that allows a user to create and manage policy definitions.
- Policy Administrator: A role that allows a user to manage policies and policy assignments, and can also create policies.
- Resource Policy Contributor: Allows for creating and managing policies, and it can also assign policies.

Analyzing the Requirements
- User1: Needs to create Azure policy definitions.
- User2: Needs to assign Azure policies to RG1.

Determining the Correct Roles
Let's evaluate the options:

A) User1: Policy Contributor, User2: Policy Administrator
Analysis: The Policy Contributor role is not sufficient for creating policy definitions. While the Policy Administrator would be sufficient to assign the policies, it is not the lowest level role to perform the required tasks. This option is incorrect.

B) User1: Resource Policy Contributor, User2: Policy Administrator
Analysis: While the Policy Administrator would be sufficient to assign the policies, it is not the lowest level role to perform the required tasks. This option is incorrect. The Resource Policy Contributor role allows for the creation of policies and the assignment of the policies, so it is suitable to meet the requirements.

C) User1: Policy Administrator, User2: Policy Contributor
Analysis: The Policy Administrator role has the correct level of permissions, but would be too permissive for creating policy definitions, and the Policy Contributor role would not be able to assign the policy at a resource group level. This option is incorrect.

D) User1: Resource Policy Contributor, User2: Resource Policy Contributor
Analysis: The Resource Policy Contributor role allows the user to create policy definitions and to assign policies to a resource group. This is the correct approach as it allows for the desired permissions while using the least privileged option. This option is correct.

The Correct Roles
- User1: Resource Policy Contributor
- User2: Resource Policy Contributor

Answer: D) User1: Resource Policy Contributor, User2: Resource Policy Contributor
46
Existing Environment: the same Contoso case study as question 42 above (Sub1, the Azure AD users, VNET1 to VNET4, VM1 to VM5, storage1 to storage4, the planned NSG1 and NSG2 rules, and the technical requirements).

Current VNET peering:
- VNET1 ↔ VNET2
- VNET2 ↔ VNET3
- VNET4: No peering

Q: Which VMs can directly communicate with VM3 (172.16.1.4)?
A) Only VM1 and VM2
B) VM1, VM2, and VM4
C) All VMs
D) Only VM4
The correct answer is B) VM1, VM2, and VM4

Here's why this is correct:

Key Technical Points:
- VM3 is in VNET2
- VNET peering relationships exist
- Transitive peering is NOT supported
- No NSGs currently applied

VNET Peering Analysis:
Direct Peering Map:
- VNET1 ↔ VNET2 (VM1, VM2 can reach VM3)
- VNET2 ↔ VNET3 (VM4 can reach VM3)
- VNET4: Isolated (VM5 cannot reach VM3)
VM Locations:
- VM1: VNET1/Subnet1
- VM2: VNET1/Subnet2
- VM3: VNET2/Subnet1
- VM4: VNET3/Subnet1
- VM5: VNET4/Subnet1

Important Notes for AZ-104 Exam:
a) VNET Peering Rules:
- Not transitive
- Bi-directional
- Cross-region capable
- Requires setup on both VNets
b) Key Concepts:
- Direct peering only
- No transitive routing
- Regional considerations
- Network planning

Why Other Options are Wrong:
A) Only VM1 and VM2: Excludes VM4; ignores VNET2-VNET3 peering
C) All VMs: VM5 is isolated; no path to VNET4
D) Only VM4: Ignores VNET1-VNET2 peering; VM1 and VM2 can also connect

Implementation Considerations:
a) Peering Requirements: Non-overlapping IP ranges, network connectivity, proper configuration, resource permissions
b) Network Planning: Address spaces, subnet design, routing, security

Best Practices:
a) VNET Design: Plan IP addressing, document peering, consider future growth, security requirements
b) Connectivity: Direct peering where needed, hub-spoke topology, network security, monitoring

Critical Exam Topics:
a) VNET Peering Concepts: Non-transitive nature, bi-directional setup, regional support, limitations
b) Network Design: IP addressing, connectivity options, security considerations, management

Remember for the Exam:
a) Peering Characteristics: Direct connections only, no transitive routing, bi-directional traffic, regional considerations
b) Network Planning: Address spaces, connectivity requirements, security controls, management needs

Additional Important Notes:
a) Management Options: Azure Portal, PowerShell, Azure CLI, ARM templates
b) Troubleshooting Areas: Connectivity issues, routing problems, security controls, performance

Key Exam Focus Areas:
a) Technical Knowledge: VNET peering, network connectivity, routing, security
b) Operational Understanding: Implementation, troubleshooting, management, best practices
47
Existing Environment: the same Contoso case study as question 42 above (Sub1, the Azure AD users, VNET1 to VNET4, VM1 to VM5, storage1 to storage4, the planned NSG1 and NSG2 rules, and the technical requirements).

Requirement: Create storage5 with blob replication configuration

Q: Which storage account type should be used for storage5 to support blob replication?
A) General-purpose v1
B) General-purpose v2
C) BlobStorage
D) FileStorage
Determining the Correct Storage Account Type
Let's evaluate the options:

A) General-purpose v1
Analysis: While General-purpose v1 storage accounts support blobs, this is a legacy type and is not the recommended option. This option is incorrect.

B) General-purpose v2
Analysis: General-purpose v2 storage accounts are the recommended type and do support blob storage replication; therefore, this option is correct.

C) BlobStorage
Analysis: The Blob storage type is designed for blob storage and does support blob replication. This is a valid option, but the general purpose storage accounts are a better solution, as they allow other types of resources to be created if necessary. This option is correct.

D) FileStorage
Analysis: File storage is designed for file shares and does not support blob service replication. This option is incorrect.

The Correct Storage Account Types
Both General-purpose v2 and BlobStorage are correct options. General-purpose v2 is the most flexible; however, both would meet the requirements of this question.

Answer: B) General-purpose v2, C) BlobStorage

Therefore, the full answer is:
- General-purpose v2: Supports blob replication directly.
- BlobStorage: Supports blob replication directly.
- Azure Data Lake Storage Gen2: This is technically a General-purpose v2 account with additional capabilities, and it supports blob replication through the underlying General-purpose v2 capabilities.
48
Source: https://www.certification-questions.com (Microsoft AZ-104)

Existing Environment

Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD) tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD tenant.

The Azure AD tenant contains the users shown in the following table.

Name   Type    Role
User1  Member  None
User2  Guest   None
User3  Member  None
User4  Member  None

Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.

Name   Subnet            Peered with
VNET1  Subnet1, Subnet2  VNET2
VNET2  Subnet1           VNET1, VNET3
VNET3  Subnet1           VNET2
VNET4  Subnet1           None

User1 manages the resources in RG1. User4 manages the resources in RG2.

Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table.

Name  IP address   Location    Connected to
VM1   10.0.1.4     West US     VNET1/Subnet1
VM2   10.0.2.4     West US     VNET1/Subnet2
VM3   172.16.1.4   Central US  VNET2/Subnet1
VM4   192.168.1.4  West US     VNET3/Subnet1
VM5   10.0.22.4    East US     VNET4/Subnet1

No network security groups (NSGs) are associated to the network interfaces or the subnets.

Sub1 contains the storage accounts shown in the following table.

Name      Kind                            Location    File share      Identity-based access for file shares
storage1  Storage (general purpose v1)    West US     sharea          Azure Active Directory Domain Services (Azure AD DS)
storage2  StorageV2 (general purpose v2)  East US     shareb, sharec  Disabled
storage3  BlobStorage                     East US 2   Not applicable  Not applicable
storage4  FileStorage                     Central US  shared          Azure Active Directory Domain Services (Azure AD DS)

Requirements

Planned Changes

Contoso plans to implement the following changes:
Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.
Create a storage account named storage5 and configure storage replication for the Blob service.
Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table. Associate NSG1 to the network interface of VM1.

Priority  Port  Protocol  Source       Destination
500       3389  TCP       10.0.2.0/24  Any
1000      Any   ICMP      Any          Virtual Network

Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table. Associate NSG2 to VNET1/Subnet2.

Priority  Port  Protocol  Source       Destination      Action
200       3389  TCP       10.0.0.0/16  Virtual Network  Deny
400       Any   ICMP      10.0.2.0/24  10.0.1.0/24      Allow

Technical Requirements

Contoso must meet the following technical requirements:
Create container1 and share1.
Use the principle of least privilege.
Create an Azure AD security group named Group4.
Back up the Azure file shares and virtual machines by using Azure Backup.
Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.
Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.
Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1.
Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.
Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only permissions to the Azure file shares.

Requirement: Alert when VM1 or VM2 has less than 20 GB free space on volume C

Q: Which Azure Monitor component should be used to implement this requirement?

A) Metrics Alert
B) Activity Log Alert
C) Log Analytics workspace with custom query
D) Service Health Alert
The correct answer is C) Log Analytics workspace with custom query.

Here's why this is correct:

Key Technical Points:
Need to monitor disk space
Custom threshold (20 GB)
Volume C specific
Multiple VM monitoring

Log Analytics Solution Components

Implementation Steps:
1. Create Log Analytics workspace
2. Install Log Analytics agent on VMs
3. Configure custom query for disk space
4. Set up alert rule with condition

Sample Query:
    Perf
    | where ObjectName == "LogicalDisk"
    | where CounterName == "Free Megabytes"
    | where InstanceName == "C:"
    | where CounterValue < (20 * 1024)

Important Notes for AZ-104 Exam:
a) Alert Components: Log Analytics workspace; Data collection rules; Query-based alerts; Action groups
b) Monitoring Hierarchy:
    Azure Monitor
    ├── Log Analytics
    ├── Custom Queries
    ├── Alert Rules
    └── Action Groups

Why Other Options are Wrong:
A) Metrics Alert: Cannot directly monitor OS-level metrics; Limited to platform metrics; Not suitable for disk space
B) Activity Log Alert: For subscription-level events; Not for resource metrics; Wrong alert type
D) Service Health Alert: For Azure service issues; Not for resource monitoring; Wrong alert type

Implementation Considerations:
a) Configuration Requirements: Agent installation; Workspace setup; Query definition; Alert configuration
b) Monitoring Setup: Data collection; Query testing; Alert thresholds; Notification config

Best Practices:
a) Alert Configuration: Clear alert names; Appropriate thresholds; Proper action groups; Regular testing
b) Monitoring Management: Regular review; Query optimization; Cost monitoring; Performance impact

Critical Exam Topics:
a) Azure Monitor Features: Log Analytics; Custom queries; Alert rules; Action groups
b) Implementation Steps: Workspace creation; Agent deployment; Query configuration; Alert setup

Remember for the Exam:
a) Monitoring Components: Log Analytics workspace; Data collection; Query language; Alert configuration
b) Alert Requirements: Resource targeting; Threshold definition; Action configuration; Testing validation

Additional Important Notes:
a) Management Options: Azure Portal; PowerShell; Azure CLI; REST API
b) Troubleshooting Areas: Agent connectivity; Query performance; Alert triggering; Data collection

Key Exam Focus Areas:
a) Technical Knowledge: Monitoring solutions; Query language; Alert types; Configuration options
b) Operational Understanding: Implementation steps; Troubleshooting; Management tasks; Best practices
49
Case study: the Contoso existing environment, planned changes, and technical requirements are the same as in question 48 above.

Requirement: Create internal Basic Load Balancer LB1 in VNET1/Subnet1

Q: Which configuration elements are required for the load balancer implementation?

A) Frontend IP configuration and backend pool only
B) Frontend IP configuration, backend pool, and health probe
C) Frontend IP configuration, backend pool, health probe, and load balancing rule
D) Frontend IP configuration and health probe only
The correct answer is C) Frontend IP configuration, backend pool, health probe, and load balancing rule.

Here's why this is correct:

Key Technical Points:
Internal Basic Load Balancer requirement [1]
Complete functional configuration needed
All essential components required
Load balancing functionality

Required Load Balancer Components: [2]

Essential Components:
1. Frontend IP configuration
   - Private IP from subnet
   - Internal endpoint
2. Backend pool
   - Target VMs/resources
   - Resource association
3. Health probe
   - Service availability check
   - Protocol and port
4. Load balancing rule
   - Traffic distribution
   - Protocol and ports
   - Session persistence

Important Notes for AZ-104 Exam:
a) Load Balancer Configuration: All four components are mandatory; Logical configuration order; Dependencies between components; Basic vs Standard SKU differences
b) Component Relationships:
    Frontend IP → Load Balancing Rule → Backend Pool
                          ↓
                     Health Probe

Why Other Options are Wrong:
A) Frontend IP and backend pool only: Missing health monitoring; Missing traffic rules; Incomplete configuration
B) Frontend IP, backend pool, and health probe: Missing load balancing rules; Cannot distribute traffic; Incomplete configuration
D) Frontend IP and health probe only: Missing backend targets; Missing traffic rules; Incomplete configuration

Implementation Considerations:
a) Configuration Requirements: VNet/subnet planning; IP addressing; Port configuration; Health check settings
b) Design Elements: High availability; Fault tolerance; Performance optimization; Monitoring

Best Practices:
a) Load Balancer Setup: Meaningful names; Appropriate health checks; Proper backend pool config; Efficient rules
b) Monitoring: Health status; Performance metrics; Alert configuration; Logging setup

Critical Exam Topics:
a) Load Balancer Components: Required elements; Configuration options; Dependencies; Management
b) Network Integration: VNet configuration; Subnet planning; IP addressing; Routing

Remember for the Exam:
a) Configuration Order: Create Load Balancer; Configure Frontend IP; Create Backend Pool; Set up Health Probe; Define Load Balancing Rules
b) Component Requirements: All four components needed; Proper configuration; Logical relationships; Testing validation

Additional Important Notes:
a) Management Options: Azure Portal; PowerShell; Azure CLI; ARM templates
b) Troubleshooting Areas: Health probe failures; Connection issues; Performance problems; Configuration errors

Key Exam Focus Areas:
a) Technical Knowledge: Component requirements; Configuration options; Dependencies; Best practices
b) Operational Understanding: Implementation steps; Troubleshooting; Management tasks; Monitoring
50
Case study: the Contoso existing environment, planned changes, and technical requirements are the same as in question 48 above.

Requirement: Enable flow logging for VM5 traffic with 8-month retention

Q: Which Azure service is required to implement this requirement?

A) Network Watcher with NSG flow logs
B) Azure Monitor logs
C) Traffic Analytics only
D) Azure Network Monitor
Understanding Flow Logging

Network Flow Logs: Capture information about IP traffic flowing through a network interface, subnet, or virtual network.
Use Cases: Commonly used for network monitoring, traffic analysis, and security investigations.
Retention: You need to be able to specify the duration for which the flow logs are retained.
NSG flow logs: Network security group flow logs are a feature of Network Watcher that allow for the logging of network traffic.

Analyzing the Options

Let's evaluate the options:

A) Network Watcher with NSG flow logs
Analysis: Network Watcher is the core Azure service that enables the capture of flow logs. NSG flow logs, specifically, provide the traffic information based on rules applied in a Network Security Group, and are configured within Network Watcher. The retention policy can also be configured within the Network Watcher configuration. Therefore, this option is correct.

B) Azure Monitor logs
Analysis: While Azure Monitor can consume the NSG flow logs, it is not the service that enables the logging itself. Network Watcher is necessary for enabling flow logs. This option is incorrect, as the service must enable flow logs.

C) Traffic Analytics only
Analysis: Traffic Analytics is a feature within Network Watcher which provides insights based on NSG flow logs; however, it does not enable NSG flow logs themselves. This option is incorrect.

D) Azure Network Monitor
Analysis: There is not an Azure service called Azure Network Monitor. Network Watcher is the correct service. This option is incorrect.

The Correct Service

The correct Azure service to enable flow logging and retain the flow logs for a specified duration is Network Watcher with NSG flow logs.

Answer: A) Network Watcher with NSG flow logs
51
Case study: the Contoso existing environment, planned changes, and technical requirements are the same as in question 48 above.

Requirement: Create container1 and share1 using Cool storage tier

Q: Which storage account type supports this requirement?

A) General-purpose v1
B) General-purpose v2
C) BlobStorage
D) FileStorage
Correct Option: B) General-purpose v2

Explanation:
General-purpose v2: The General-purpose v2 (StorageV2) account type supports both blob containers and file shares, and it allows you to configure different access tiers, including the Cool storage tier. This makes it the appropriate choice for creating a blob container and a file share with the Cool storage tier.
52
Case study: the Contoso existing environment, planned changes, and technical requirements are the same as in question 48 above.

You need to create a blob container named container1 and a file share named share1 that will use the Cool storage tier. Which storage account type should you use?

A. Storage (general purpose v1)
B. StorageV2 (general purpose v2)
C. BlobStorage
D. FileStorage
Correct Option: B. StorageV2 (general purpose v2)

Explanation:
StorageV2 (general purpose v2): The StorageV2 account type supports both blob containers and file shares, and it allows you to configure different access tiers, including the Cool storage tier. This makes it the appropriate choice for creating a blob container and a file share with the Cool storage tier.
53
Case study: the Contoso existing environment, planned changes, and technical requirements are the same as in question 48 above.

You need to enable User2 to assign Azure policies to RG1. Which role should you assign to User2?

A. Contributor
B. Owner
C. Policy Contributor
D. Policy Administrator
Understanding Azure Policy and Roles

Azure Policy: Enforces organizational standards and assesses compliance at scale.
Policy Assignments: Apply policies to resources, resource groups, or subscriptions.
Contributor: A role that grants the ability to create and manage resources.
Owner: A role that grants full access to all Azure resources.
Policy Contributor: A role that allows a user to manage and create policies.
Policy Administrator: A role that allows a user to manage policies and policy assignments, and can also create policies.

Analyzing the Requirements

User2: Needs to assign Azure policies to RG1.

Determining the Correct Role

Let's evaluate the options:

A) Contributor
Analysis: The Contributor role has the ability to create and manage Azure resources; however, it doesn't explicitly grant permissions to manage Azure policies and policy assignments. This role is insufficient.

B) Owner
Analysis: The Owner role grants full access to all resources, including the ability to manage policies. This role is too permissive and is not the required solution, though it would grant the desired access. This option is incorrect.

C) Policy Contributor
Analysis: The Policy Contributor role can manage policy definitions, but it cannot assign policies. This option is incorrect.

D) Policy Administrator
Analysis: The Policy Administrator role has the correct permissions to manage and assign Azure policies. This role is correct.

The Correct Role

The correct role is the Policy Administrator.

Answer: D) Policy Administrator
54
Case study: the Contoso existing environment, planned changes, and technical requirements are the same as in question 48 above.

You need to create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1. Which type of IP address should you use?

A. Public IP address
B. Private IP address
C. Dynamic IP address
D. Static IP address
Determining the Correct IP Address Type

Let's evaluate the options:

A) Public IP address
Analysis: Public IP addresses are used for internet-facing resources. An internal load balancer must have a private IP address, so this option is incorrect.

B) Private IP address
Analysis: This is the correct approach. Private IP addresses are used for internal resources within a virtual network. Since the requirement is to create an internal load balancer, a private IP address is required.

C) Dynamic IP address
Analysis: Dynamic IP addresses can change when a resource is deallocated, which is undesirable for an internal load balancer that should have a predictable IP address. A dynamic private IP can be used, but "dynamic" does not address the core requirement of an internal load balancer (that its address be private), so this option is incorrect.

D) Static IP address
Analysis: A static IP can be used, but a dynamic IP can also be used for an internal load balancer; the core requirement is that the address be private. A static private IP address is a common configuration for an internal load balancer, but it is not a requirement, so this option is not the correct response.

The Correct IP Address Type

The correct IP address type is Private IP address.

Answer: B) Private IP address
Case study: the same Contoso environment, planned changes, and technical requirements as in the first card of this series above.

Question: You need to grant Group4 Azure role-based access control (Azure RBAC) read-only permissions to the Azure file shares. Which role should you assign to Group4?

A. Reader
B. Storage File Data SMB Share Reader
C. Storage Blob Data Reader
D. Storage Account Contributor
Correct Option: B. Storage File Data SMB Share Reader

Explanation: Storage File Data SMB Share Reader provides read-only access to Azure file shares over the SMB protocol. It is specifically designed for scenarios where you need to grant read-only access to file shares without granting broader permissions to other storage account resources.
Case study: the same Contoso environment, planned changes, and technical requirements as in the first card of this series above.

Question: You need to associate NSG1 to the network interface of VM1. Which command should you use?

A. az network nsg create
B. az network nic update
C. az network vnet subnet update
D. az network nsg update
Correct Option: B. az network nic update

Explanation: az network nic update is used to update the settings of a virtual machine's network interface card (NIC). To associate NSG1 with the network interface of VM1, you update the NIC settings to reference the NSG.
Case study: the same Contoso environment, planned changes, and technical requirements as in the first card of this series above.

Question: You need to configure a data collection rule (DCR) named DCR1 to collect only system events that have an event ID of 4648 from VM2 and VM4. Which service should you use?

A. Azure Monitor
B. Azure Log Analytics
C. Azure Security Center
D. Azure Policy
Correct Option: A. Azure Monitor
Case study: the same Contoso environment, planned changes, and technical requirements as in the first card of this series above.

Question: You need to create an NSG named NSG1 that will have the custom inbound security rules shown in the table. Which command should you use to create the NSG?

A. az network nsg create
B. az network nsg rule create
C. az network nsg rule update
D. az network nsg update
Correct Option: A. az network nsg create

Explanation: az network nsg create is used to create a new Network Security Group (NSG) in Azure. Since the requirement is to create an NSG named NSG1, this is the appropriate command to use.
Case study: the same Contoso environment, planned changes, and technical requirements as in the first card of this series above.

Question: You need to grant User1 the permissions required to link Zone1 to VNet1. Which role should you assign to User1?

A. Network Contributor
B. DNS Zone Contributor
C. Contributor
D. Owner
Correct Option: B. DNS Zone Contributor

Explanation: To link a DNS zone to a virtual network, the user needs permissions to manage DNS zones. The DNS Zone Contributor role provides the necessary permissions to manage DNS zones, including linking them to virtual networks.

Important Note for the AZ-104 Exam:
- Understand the different Azure roles and their specific permissions, especially those related to networking and DNS management.
- Be familiar with the tasks that require specific roles, such as linking DNS zones to virtual networks.
- Know how to apply the principle of least privilege by assigning the most appropriate role that grants the necessary permissions without providing excessive access.
Case study: the same Contoso environment, planned changes, and technical requirements as in the first card of this series above.

Question: You need to ensure that Scope1 is used to encrypt storage services in storage2. Which setting should you configure?

A. Access tier
B. Encryption scope
C. Replication
D. Performance tier
The correct answer is B) Encryption scope [1]

Here's why this is correct:

Key Technical Points:
- storage2 is a StorageV2 (general purpose v2) account
- Encryption scopes provide encryption management at the container level
- Encryption scopes can be used to manage encryption for specific data sets

Encryption Scope Characteristics:
a) Key Features:
- Container-level encryption
- Infrastructure encryption options
- Key management flexibility
- Scope inheritance

Important Notes for the AZ-104 Exam:
a) Storage Encryption Types:
- Storage Service Encryption (SSE)
- Infrastructure encryption
- Customer-managed keys
- Platform-managed keys
b) Encryption Scope Properties:
- Name
- Encryption type
- Infrastructure encryption
- Key management

Why Other Options are Wrong:
A) Access tier:
- Related to data storage optimization
- Not related to encryption
- Affects cost and performance
C) Replication:
- Data redundancy feature
- No impact on encryption
- Geographic availability
D) Performance tier:
- Performance optimization
- Not related to encryption
- Affects IOPS and throughput

Key Implementation Considerations:
a) Configuration Requirements:
- Storage account type compatibility
- Key Vault integration (if using customer-managed keys)
- Permission requirements
- Regional availability
b) Security Controls:
- Key rotation
- Access policies
- Audit logging
- Compliance requirements

Best Practices:
a) Encryption Management:
- Regular key rotation
- Access review
- Monitoring
- Documentation
b) Security Configuration:
- Least privilege access
- Regular audits
- Compliance monitoring
- Incident response plan

Critical Exam Topics:
a) Storage Security Features:
- Encryption at rest
- Encryption in transit
- Key management
- Access control
b) Implementation Steps:
- Scope creation
- Key configuration
- Policy assignment
- Monitoring setup

Remember for the Exam:
a) Encryption Scope Requirements:
- Storage account compatibility
- Permission requirements
- Key management options
- Infrastructure encryption
b) Configuration Elements:
- Scope name
- Encryption type
- Key source
- Infrastructure encryption setting

Additional Important Notes:
a) Management Options:
- Azure Portal
- PowerShell
- Azure CLI
- REST API
b) Monitoring and Compliance:
- Activity logs
- Diagnostic settings
- Compliance reporting
- Security metrics

Key Exam Focus Areas:
a) Technical Knowledge:
- Encryption types
- Configuration options
- Management tools
- Security features
b) Operational Understanding:
- Implementation steps
- Troubleshooting
- Monitoring
- Maintenance

For the AZ-104 exam, focus on:
Storage Security Concepts:
- Encryption types
- Key management
- Access control
- Compliance requirements
Implementation Knowledge:
- Configuration steps
- Permission requirements
- Tool usage
- Best practices
Management Skills:
- Daily operations
- Monitoring
- Troubleshooting
- Maintenance
Security Understanding:
- Access control
- Key management
- Audit logging
- Compliance requirements
Case study: the same Contoso environment, planned changes, and technical requirements as in the first card of this series above.

Question: You need to back up the Azure file shares and virtual machines by using Azure Backup. Which type of backup should you configure for the file shares?

A. Snapshot
B. Incremental
C. Differential
D. Full
The correct answer is B) Incremental

Here's why this is correct:

Key Technical Points:
- Azure Backup for file shares uses incremental backup by default
- The first backup is full; subsequent backups are incremental
- More efficient use of storage and network resources
- Reduces backup time and costs

Azure Backup File Share Characteristics:
a) Backup Process:
- Initial backup: full backup of all data
- Subsequent backups: only changed blocks
- Recovery point creation: based on incremental changes
- Storage efficiency: only stores delta changes

Important Notes for the AZ-104 Exam:
a) Azure File Share Backup Features:
- Supports Azure Files
- Requires storage account integration
- Uses a Recovery Services vault
- Supports schedule-based backups
b) Backup Types Understanding:
- Full: complete copy of data [1]
- Incremental: only changed blocks
- Differential: changes since the last full backup
- Snapshot: point-in-time copy

Why Other Options are Wrong:
A) Snapshot:
- Not a complete backup solution
- Doesn't provide long-term retention
- Limited recovery options
C) Differential:
- Not supported for Azure file shares
- Less efficient than incremental
- Would consume more storage
D) Full:
- Only used for the initial backup
- Inefficient for regular backups
- Unnecessary storage consumption

Key Implementation Considerations:
a) Requirements:
- Recovery Services vault
- Supported storage account
- Proper permissions
- Network connectivity
b) Limitations:
- Storage account restrictions
- Backup frequency limits
- Retention period limits
- Regional availability

Best Practices:
a) Backup Configuration:
- Regular schedule
- Appropriate retention
- Monitoring
- Testing restores
b) Performance Optimization:
- Backup window planning
- Network bandwidth consideration
- Storage capacity planning
- Recovery time objectives

Critical Exam Topics:
a) Azure Backup Components:
- Recovery Services vault
- Backup policies
- Protection groups
- Retention policies
b) Backup Operations:
- Backup scheduling
- Monitoring
- Alerting
- Recovery procedures

Remember for the Exam:
a) Azure File Share Backup Requirements:
- Premium or Standard file shares
- Storage account compatibility
- Regional availability
- Backup policy limits
b) Backup Policy Elements:
- Schedule
- Retention
- Time zones
- Consistency checks

Additional Important Notes:
a) Monitoring and Management:
- Azure Portal
- PowerShell
- Azure CLI
- REST API
b) Recovery Options:
- Original location
- Alternate location
- Individual file recovery
- Point-in-time recovery

Key Exam Focus Areas:
a) Technical Knowledge:
- Backup types
- Configuration requirements
- Management tools
- Recovery procedures
b) Operational Understanding:
- Monitoring
- Troubleshooting
- Capacity planning
- Cost optimization

For the AZ-104 exam, focus on:
Azure Backup Concepts:
- Backup types [2]
- Components
- Requirements
- Limitations
Implementation Knowledge:
- Configuration steps
- Policy settings
- Monitoring
- Recovery procedures
Management Skills:
- Daily operations
- Troubleshooting
- Performance optimization
- Cost management
Security Understanding:
- Access control
- Encryption
- Network security
- Compliance requirements
61
Existing Environment

Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD) tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD tenant.

The Azure AD tenant contains the users shown in the following table.

  Name   Type    Role
  User1  Member  None
  User2  Guest   None
  User3  Member  None
  User4  Member  None

Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.

  Name   Subnets           Peered with
  VNET1  Subnet1, Subnet2  VNET2
  VNET2  Subnet1           VNET1, VNET3
  VNET3  Subnet1           VNET2
  VNET4  Subnet1           None

User1 manages the resources in RG1. User4 manages the resources in RG2.

Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table.

  Name  IP address   Location    Connected to
  VM1   10.0.1.4     West US     VNET1/Subnet1
  VM2   10.0.2.4     West US     VNET1/Subnet2
  VM3   172.16.1.4   Central US  VNET2/Subnet1
  VM4   192.168.1.4  West US     VNET3/Subnet1
  VM5   10.0.22.4    East US     VNET4/Subnet1

No network security groups (NSGs) are associated to the network interfaces or the subnets.

Sub1 contains the storage accounts shown in the following table.

  Name      Kind                            Location    File share      Identity-based access for file shares
  storage1  Storage (general purpose v1)    West US     sharea          Azure Active Directory Domain Services (Azure AD DS)
  storage2  StorageV2 (general purpose v2)  East US     shareb, sharec  Disabled
  storage3  BlobStorage                     East US 2   Not applicable  Not applicable
  storage4  FileStorage                     Central US  shared          Azure Active Directory Domain Services (Azure AD DS)

Requirements

Planned Changes

Contoso plans to implement the following changes:
- Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.
- Create a storage account named storage5 and configure storage replication for the Blob service.
- Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table. Associate NSG1 to the network interface of VM1.

  Priority  Port  Protocol  Source       Destination
  500       3389  TCP       10.0.2.0/24  Any
  1000      Any   ICMP      Any          Virtual Network

- Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table. Associate NSG2 to VNET1/Subnet2.

  Priority  Port  Protocol  Source       Destination      Action
  200       3389  TCP       10.0.0.0/16  Virtual Network  Deny
  400       Any   ICMP      10.0.2.0/24  10.0.1.0/24      Allow

Technical Requirements

Contoso must meet the following technical requirements:
- Create container1 and share1.
- Use the principle of least privilege.
- Create an Azure AD security group named Group4.
- Back up the Azure file shares and virtual machines by using Azure Backup.
- Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.
- Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.
- Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1.
- Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.
- Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only permissions to the Azure file shares.

Source: https://www.certification-questions.com (Microsoft AZ-104)

Azure AD tenant contains:
User1: Member
User2: Guest
User3: Member
User4: Member

Q: Based on the user types in the environment, which statement is correct regarding User2's access capabilities?
A) User2 can be assigned the same RBAC roles as member users
B) User2 cannot access any Azure resources by default
C) User2 has automatic access to all resources in Sub1
D) User2 cannot be added to Azure AD security groups
The correct answer is A) User2 can be assigned the same RBAC roles as member users.

Why this is correct:
- User2 is a Guest user in Azure AD [1].
- Azure RBAC does not distinguish between member and guest users: any built-in or custom Azure role can be assigned to a guest at any scope.
- What a guest can reach is governed by the tenant's external collaboration settings together with the RBAC assignments made for that guest [2].

Guest user characteristics:
a) Default capabilities:
- Can be assigned Azure RBAC roles
- Can be added to Azure AD security groups
- Has restricted default directory permissions (for example, limited enumeration of other users and groups)
- Gets no Azure resource access until an explicit role assignment is made
b) Key differences from member users:
- More restricted default directory permissions and limited directory visibility
- Authenticates through the home tenant or another external identity provider (Azure AD B2B)
- Identity is sourced from an external directory

Important notes for the AZ-104 exam:
a) Guest user management:
- Invitation process
- Access levels
- Permission assignment
- Security considerations
b) Azure AD B2B collaboration:
- Guest user invitation [3]
- External identity federation
- Access reviews
- Conditional Access policies

In this scenario the requirement that User2 assign Azure policies to RG1 is met exactly as it would be for a member: assign the guest a role such as Resource Policy Contributor scoped to RG1, and nothing broader.

Why the other options are wrong:
- B) Guest users can access resources once they are granted permissions.
- C) No automatic access is granted to any subscription or resource.
- D) Guest users can be added to Azure AD security groups.

Best practices and security controls:
- Apply least privilege, assign at the narrowest scope, and document assignments
- Conditional Access policies, MFA enforcement, session controls and risk-based (Identity Protection) policies for guests
- Regular access reviews of guest accounts and their group memberships
- Activity logging, compliance reporting and security monitoring

Remember for the exam:
- Guest users can hold the same RBAC roles as members
- Default permissions are restricted; explicit assignment is required
- Security group membership is possible
- Access reviews and Conditional Access apply to guests
- Guest limitations: authentication methods, directory role restrictions, external collaboration settings

For the AZ-104 exam, focus on:
- Azure AD concepts: B2B collaboration, user types, access management, security controls
- RBAC: role assignments, scope levels, permission inheritance, access control
- Security: Conditional Access, MFA requirements, Identity Protection, access reviews
- Administration: user management, permission assignment, group management, security configuration
62
Existing Environment and Requirements: the same Contoso / Sub1 case study as question 61 (users User1 to User4, VNET1 to VNET4, VM1 to VM5, storage1 to storage4, the planned NSG1 and NSG2 rules, and the technical requirements listed there).

Resource Group Access Control Context:
User1 manages resources in RG1
User4 manages resources in RG2
Need to implement least privilege principle

Q: Which built-in RBAC role should be assigned to User1 and User4 for their respective resource groups?
A) Owner at subscription level
B) Contributor at resource group level
C) Administrator at resource group level
D) Reader at resource group level
The correct answer is B) Contributor at resource group level.

Why this is correct:
- The scenario states "Use the principle of least privilege".
- User1 and User4 need to "manage resources" in their respective resource groups [1].
- Nothing requires them to manage access control or assign permissions [2].

Analysis of the built-in roles [3]:
- Contributor: can create and manage all resource types, but cannot assign roles or manage permissions (its NotActions exclude the Microsoft.Authorization write and delete operations). This is the fit for resource management without security control.
- Owner: full access including role assignment. More privilege than resource management needs, so it violates least privilege.
- Reader: read-only access. Cannot create or change resources, so it is insufficient.

Important notes for the AZ-104 exam:
a) Built-in role hierarchy (from most to least privileged):
  Owner > Contributor > Reader
b) Key role permissions:
- Owner: full access plus role assignment
- Contributor: full resource management, no RBAC changes
- Reader: view-only access
- Custom roles: specific permissions as needed
c) Scope levels (from broad to narrow):
  Management group > Subscription > Resource group > Resource
  An assignment is inherited by every child scope beneath the scope where it is made.

Why the other options are wrong:
- A) Owner at subscription level: both the role and the scope are broader than needed.
- C) Administrator: not an Azure built-in role for resource management.
- D) Reader: read-only, insufficient to manage resources.

Best practices for RBAC:
- Always apply least privilege
- Assign roles at the narrowest scope that works
- Prefer built-in roles; use custom roles only when none fits
- Document role assignments and review access regularly
- Keep emergency (break-glass) accounts and procedures, and audit their use

Critical exam concepts:
a) Role assignment components:
- Security principal (who)
- Role definition (what)
- Scope (where)
b) Role assignment behaviour:
- Permissions are additive: multiple assignments combine
- Deny assignments override role assignments
- Assignments are inherited down the scope hierarchy
- There is a per-subscription limit on role assignments (it was 2,000 and has since been raised to 4,000; check the current Azure limits page)
- Changes can take up to 30 minutes to propagate
- Custom Azure roles do not need an Azure AD Premium license (custom Azure AD directory roles do)

Troubleshooting knowledge:
- Access control (IAM) blade, including "Check access" to see effective permissions
- Role assignment verification and the activity log for role changes
- Common permission issues: wrong scope, an action excluded by NotActions, propagation delay

For the AZ-104 exam, focus on built-in roles and their permissions, scope levels and inheritance, the least privilege principle, the role assignment process, common scenarios and solutions, security best practices, troubleshooting access issues, and role management tools and features.
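The additive, inherited and deny-overridden behaviour listed above can be checked with a small model of Azure RBAC evaluation. This is an added example, not code from the page or from Microsoft. It reduces the Owner, Contributor and Reader definitions to the entries that matter here (the real Contributor definition also excludes a few Blueprint and gallery actions), assumes VM1 sits in RG1, uses a hypothetical VM named vm-rg2 in RG2 (the page does not say which VMs belong to which group), and adds a hypothetical subscription-level Owner called admin1 and a hypothetical deny assignment for contrast.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple
    not_actions: tuple = ()


# Built-in roles reduced to the control-plane entries that matter here.
OWNER = RoleDefinition("Owner", ("*",))
CONTRIBUTOR = RoleDefinition(
    "Contributor",
    ("*",),
    ("Microsoft.Authorization/*/Delete",
     "Microsoft.Authorization/*/Write",
     "Microsoft.Authorization/elevateAccess/Action"),
)
READER = RoleDefinition("Reader", ("*/read",))


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: RoleDefinition
    scope: str


@dataclass(frozen=True)
class DenyAssignment:
    principal: str
    actions: tuple
    scope: str


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """An assignment applies at its own scope and at every child scope (inheritance)."""
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def action_matches(patterns, action: str) -> bool:
    """Azure action strings use '*' as a wildcard that also spans '/' separators."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def is_allowed(principal: str, action: str, scope: str, assignments, denies=()) -> bool:
    """Effective permission: a matching deny assignment wins; otherwise role assignments are additive."""
    for d in denies:
        if d.principal == principal and scope_covers(d.scope, scope) and action_matches(d.actions, action):
            return False
    for ra in assignments:
        if ra.principal != principal or not scope_covers(ra.scope, scope):
            continue
        # A role grants an action only if Actions matches it and NotActions does not.
        if action_matches(ra.role.actions, action) and not action_matches(ra.role.not_actions, action):
            return True
    return False


# Scope paths follow the Azure resource ID layout. Assumption: VM1 is in RG1;
# vm-rg2 is a hypothetical VM in RG2.
SUB1 = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG1 = SUB1 + "/resourceGroups/RG1"
RG2 = SUB1 + "/resourceGroups/RG2"
VM1 = RG1 + "/providers/Microsoft.Compute/virtualMachines/VM1"
VM_RG2 = RG2 + "/providers/Microsoft.Compute/virtualMachines/vm-rg2"

ASSIGNMENTS = [
    RoleAssignment("User1", CONTRIBUTOR, RG1),   # the answer: Contributor at resource group scope
    RoleAssignment("User4", CONTRIBUTOR, RG2),
    RoleAssignment("admin1", OWNER, SUB1),       # hypothetical subscription Owner, for contrast
    RoleAssignment("Group4", READER, RG1),       # read-only, as the scenario wants for file shares
]
DENIES = [
    # Hypothetical deny assignment: even a Contributor cannot delete VMs in RG2.
    DenyAssignment("User4", ("Microsoft.Compute/virtualMachines/delete",), RG2),
]


def demo():
    """Run the checks a reviewer would make against these assignments."""
    return {
        "User1 writes VM in RG1": is_allowed("User1", "Microsoft.Compute/virtualMachines/write", VM1, ASSIGNMENTS, DENIES),
        "User1 assigns role in RG1": is_allowed("User1", "Microsoft.Authorization/roleAssignments/write", RG1, ASSIGNMENTS, DENIES),
        "User1 writes VM in RG2": is_allowed("User1", "Microsoft.Compute/virtualMachines/write", VM_RG2, ASSIGNMENTS, DENIES),
        "admin1 assigns role in RG1 (inherited from Sub1)": is_allowed("admin1", "Microsoft.Authorization/roleAssignments/write", RG1, ASSIGNMENTS, DENIES),
        "Group4 reads VM1": is_allowed("Group4", "Microsoft.Compute/virtualMachines/read", VM1, ASSIGNMENTS, DENIES),
        "Group4 writes VM1": is_allowed("Group4", "Microsoft.Compute/virtualMachines/write", VM1, ASSIGNMENTS, DENIES),
        "User4 deletes VM in RG2 (deny assignment)": is_allowed("User4", "Microsoft.Compute/virtualMachines/delete", VM_RG2, ASSIGNMENTS, DENIES),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{'ALLOW' if ok else 'DENY':5} {label}")
```

The Contributor result is the point of the question: User1 can write a VM in RG1 but cannot write a role assignment there, because Microsoft.Authorization/*/Write is in the role's NotActions, while admin1's subscription-level Owner assignment is inherited by RG1 and carries that permission. The deny assignment shows why a check of role assignments alone is not a check of effective permissions.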
63
Existing Environment and Requirements: the same Contoso / Sub1 case study as question 61 (users User1 to User4, VNET1 to VNET4, VM1 to VM5, storage1 to storage4, the planned NSG1 and NSG2 rules, and the technical requirements listed there).

Requirements:
Create storage5
Configure storage replication for Blob service
Consider cost-effective solution

Q: Which replication option should you choose for storage5 to provide the minimum required redundancy while minimizing costs?
A) Geo-redundant storage (GRS)
B) Zone-redundant storage (ZRS)
C) Locally redundant storage (LRS)
D) Read-access geo-redundant storage (RA-GRS)
The correct answer is C) Locally redundant storage (LRS) [1].

Why this is correct:
- LRS is the lowest-cost replication option in Azure Storage.
- LRS keeps three synchronous copies of the data within a single datacenter (one physical location in the primary region).
- It provides at least 99.999999999% (11 nines) durability of objects over a given year.
- The question asks for the minimum redundancy at minimum cost, with no stated availability, zone or geo requirement, so LRS is the right choice.

Storage replication options compared:
- LRS (locally redundant storage): 3 copies in a single datacenter; lowest cost; 11 nines durability; does not protect against a datacenter or regional outage; suited to cost-sensitive dev/test or data that can be rebuilt.
- ZRS (zone-redundant storage): 3 copies spread across availability zones in the primary region; costs more than LRS; survives the loss of a datacenter (zone).
- GRS (geo-redundant storage): LRS in the primary region plus an asynchronous copy (three more replicas) in the paired secondary region; costs more than ZRS; the secondary copy is not readable unless you use RA-GRS and becomes the primary only after a failover.
- RA-GRS (read-access geo-redundant storage): GRS plus read access to the secondary region at all times; the highest cost of the four options; highest availability; for critical business data that must stay readable during a regional outage.

Important notes for the AZ-104 exam:
a) Replication cost (low to high):
  LRS < ZRS < GRS < RA-GRS
b) Key concepts to remember:
- Durability ratings
- Regional versus zonal versus geo-redundancy
- Synchronous (LRS, ZRS) versus asynchronous (geo) replication and what that means for the recovery point objective
- Cost implications and use cases for each type
c) Storage account kinds and supported replication:
- General purpose v2: all replication types
- General purpose v1: LRS, GRS and RA-GRS (no zone redundancy)
- Premium block blob (BlockBlobStorage): LRS and ZRS only
- Premium file shares (FileStorage): LRS and ZRS only
d) Best practices:
- Match the replication type to business and compliance requirements
- Balance cost against redundancy and application availability needs

Scenario analysis:
- The question asks for the "minimum required redundancy" and emphasises "minimizing costs"
- No high-availability or geo-redundancy requirement is mentioned
- Therefore LRS is the appropriate choice

Why the other options are wrong:
- A) GRS: more expensive and exceeds the minimum requirement.
- B) ZRS: more expensive; multi-zone redundancy was not required.
- D) RA-GRS: the most expensive option; exceeds the requirement.

Remember for the exam:
- The differences, pricing and use cases of each replication type
- Availability and durability percentages
- Which storage account kinds support which replication options
- Conversions between replication types and their effect on pricing
- Regional availability of ZRS and the geo options
- Recovery point objective (RPO) and recovery time objective (RTO) implications

Storage configuration and cost optimisation are key objectives in the AZ-104 exam.
64
Existing Environment and Requirements: the same Contoso / Sub1 case study as question 61 (users User1 to User4, VNET1 to VNET4, VM1 to VM5, storage1 to storage4, the planned NSG1 and NSG2 rules, and the technical requirements listed there).

Virtual Networks:
VNET1 (Subnet1, Subnet2)
VNET2 (Subnet1)
NSG2 to be associated with VNET1/Subnet2

Q: After implementing NSG2's outbound rules, what will be the impact on VM2's network communication?
A) VM2 cannot establish RDP connections to any VMs in VNET1
B) VM2 can only send ICMP traffic to Subnet1
C) VM2 cannot communicate with any resources in VNET2
D) VM2 can establish any outbound connection except RDP to 10.0.0.0/16
The correct answer is D) VM2 can establish any outbound connection except RDP to 10.0.0.0/16.

Why this is correct:

NSG2's outbound rules:
- Priority 200: Deny TCP 3389 (RDP), source 10.0.0.0/16, destination VirtualNetwork
- Priority 400: Allow ICMP, source 10.0.2.0/24, destination 10.0.1.0/24

Key technical points:
- NSG2 is associated with VNET1/Subnet2, where VM2 (10.0.2.4) is located [1], so its outbound rules apply to traffic leaving VM2.
- Rules are evaluated in priority order (lower number first) and evaluation stops at the first match, so the rule at priority 200 is checked before the ICMP rule and before the defaults.
- VM2's address falls inside the rule's source prefix. Read the rule carefully: 10.0.0.0/16 is the source, and the destination is the VirtualNetwork service tag, which covers VNET1's address space and the address space of peered VNET2. RDP from VM2 to VM1 (10.0.1.4) and to VM3 (172.16.1.4) is therefore denied.
- Every other outbound flow from VM2 is allowed: the rule at priority 400 explicitly allows ping from Subnet2 to Subnet1, and the default AllowVnetOutBound and AllowInternetOutBound rules allow everything else.

Important notes for the AZ-104 exam:
NSG rule processing:
- Rules are processed in priority order (lowest number first) and processing stops at the first match
- Matching is by priority only; a later rule is never preferred because it is more specific
- Custom rules use priorities 100 to 4096; default rules sit at 65000 and above
Default outbound rules:
- AllowVnetOutBound (65000): allow VirtualNetwork to VirtualNetwork
- AllowInternetOutBound (65001): allow any source to Internet
- DenyAllOutBound (65500): deny everything else
Default inbound rules:
- AllowVnetInBound (65000), AllowAzureLoadBalancerInBound (65001), DenyAllInBound (65500)
Key concepts to remember:
- Rule priority and processing order
- Default rules and service tags (VirtualNetwork, Internet, AzureLoadBalancer)
- Explicit allows versus the implicit deny at the end
- Source/destination addressing and protocol specifications

Why the other options are wrong:
- A) Narrower than what the question asks: it states only the RDP restriction, while D also states that every other outbound connection is unaffected. Taken on its own, A's claim is accurate: RDP from VM2 to any VNET1 address is denied, and so is RDP to peered VNET2, because the destination is the VirtualNetwork tag rather than 10.0.0.0/16.
- B) Other protocols besides ICMP are allowed by the default rules.
- C) Only RDP is blocked; all other traffic to VNET2 is allowed.

Important exam tips:
- Check rule priorities first, then the default rules
- Keep inbound and outbound rule sets distinct
- Know how subnet and NIC NSGs combine: for inbound traffic the subnet NSG is evaluated first, then the NIC NSG; for outbound, the NIC NSG first, then the subnet NSG. Both must allow the flow.
- Understand CIDR notation and IP addressing

Best practices:
- Leave gaps between priorities (100, 200, 300) for future rules
- Document NSG rules clearly
- Use service tags and application security groups where possible
- Review NSG rules regularly, and use Network Watcher IP flow verify to confirm the effective result for a given flow

For the AZ-104 exam, focus on:
- NSG rule evaluation order
- Default rules and their priorities
- Impact of multiple NSGs (subnet and NIC level)
- Network protocols (RDP, ICMP and so on)
- IP addressing and CIDR notation
- Security rule components (priority, source, destination, protocol, port, action)
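The evaluation order described above can be checked offline with a small model of NSG processing. This is an added example, not code from the page or from Microsoft. It assumes VNET1's address space is 10.0.0.0/16 and peered VNET2's is 172.16.0.0/16 (the case study lists only host addresses), treats the Internet tag as everything outside those prefixes, and adds a hypothetical allow rule at priority 300 to show that a more specific rule does not beat an earlier deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed address spaces: VNET1 = 10.0.0.0/16, peered VNET2 = 172.16.0.0/16.
# The VirtualNetwork service tag covers the VNet and everything peered with it.
VIRTUAL_NETWORK = [ipaddress.ip_network("10.0.0.0/16"), ipaddress.ip_network("172.16.0.0/16")]


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    protocol: str      # "TCP", "UDP", "ICMP" or "*"
    source: str        # CIDR, "*" or a service tag
    destination: str   # CIDR, "*" or a service tag
    port: str          # destination port such as "3389", or "*"
    action: str        # "Allow" or "Deny"


def address_matches(spec: str, addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if spec in ("*", "Any"):
        return True
    if spec == "VirtualNetwork":
        return any(ip in net for net in VIRTUAL_NETWORK)
    if spec == "Internet":
        # Simplification: anything outside the virtual network address spaces.
        return not any(ip in net for net in VIRTUAL_NETWORK)
    return ip in ipaddress.ip_network(spec)


def port_matches(spec: str, port: Optional[int]) -> bool:
    return spec in ("*", "Any") or (port is not None and int(spec) == port)


def evaluate(rules, src: str, dst: str, protocol: str, port: Optional[int] = None):
    """Return (action, rule name) of the first rule, in ascending priority, that matches the flow."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol not in ("*", "Any", protocol):
            continue
        if not address_matches(rule.source, src) or not address_matches(rule.destination, dst):
            continue
        if not port_matches(rule.port, port):
            continue
        return rule.action, rule.name
    return "Deny", "no-match"   # unreachable while the default rules are present


# Azure's default outbound rules at their real priorities.
DEFAULT_OUTBOUND = [
    Rule(65000, "AllowVnetOutBound", "*", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    Rule(65001, "AllowInternetOutBound", "*", "*", "Internet", "*", "Allow"),
    Rule(65500, "DenyAllOutBound", "*", "*", "*", "*", "Deny"),
]

# NSG2's custom outbound rules from the case study, plus the defaults.
NSG2_OUTBOUND = [
    Rule(200, "DenyRdpFromVnet1", "TCP", "10.0.0.0/16", "VirtualNetwork", "3389", "Deny"),
    Rule(400, "AllowIcmpSubnet2ToSubnet1", "ICMP", "10.0.2.0/24", "10.0.1.0/24", "*", "Allow"),
] + DEFAULT_OUTBOUND

# Hypothetical: a more specific allow at a higher number (lower priority) than the deny.
# It never wins, because evaluation is by priority, not by how specific the match is.
MORE_SPECIFIC_BUT_LATER = Rule(300, "AllowRdpVm2ToVm1", "TCP", "10.0.2.4/32", "10.0.1.4/32", "3389", "Allow")

VM2, VM1, VM3, INTERNET_HOST = "10.0.2.4", "10.0.1.4", "172.16.1.4", "203.0.113.10"


def vm2_outbound_summary():
    """Effective result for a handful of flows leaving VM2 through NSG2."""
    rules = NSG2_OUTBOUND + [MORE_SPECIFIC_BUT_LATER]
    return {
        "rdp_to_vm1": evaluate(rules, VM2, VM1, "TCP", 3389),
        "rdp_to_vm3_peered": evaluate(rules, VM2, VM3, "TCP", 3389),
        "icmp_to_vm1": evaluate(rules, VM2, VM1, "ICMP"),
        "https_to_vm1": evaluate(rules, VM2, VM1, "TCP", 443),
        "rdp_to_internet": evaluate(rules, VM2, INTERNET_HOST, "TCP", 3389),
    }


if __name__ == "__main__":
    for flow, (action, rule) in vm2_outbound_summary().items():
        print(f"{flow:20} {action:5} by {rule}")
```

Two results are worth noting against the answer text: RDP to VM3 in peered VNET2 is denied as well, because the deny rule's destination is the VirtualNetwork tag rather than 10.0.0.0/16, and the hypothetical host-to-host allow at priority 300 never takes effect. Network Watcher IP flow verify gives the same kind of answer for a real NIC.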
65
Existing Environment and Requirements: the same Contoso / Sub1 case study as question 61 (users User1 to User4, VNET1 to VNET4, VM1 to VM5, storage1 to storage4, the planned NSG1 and NSG2 rules, and the technical requirements listed there).

Requirements:
Back up Azure file shares
Back up virtual machines
Implement cost-effective solution

Q: What is the minimum backup retention period that must be configured for the Recovery Services vault to protect the specified resources?
A) 7 days
B) 14 days
C) 30 days
D) 180 days
For this question, the correct answer is C) 30 days.

Why this is the expected answer:
- The question treats 30 days as the retention floor for protecting both the Azure VMs and the Azure file shares from one Recovery Services vault, so among the options it is the smallest value that satisfies the requirement [1].
- Verify this against the limits the service actually enforces before relying on it: the daily retention range accepted for an Azure VM backup policy starts at 7 days (the per-frequency minimums below say the same), so treat 30 days as this question's expected answer rather than a platform-enforced floor, and confirm the current ranges in the portal or with Get-AzRecoveryServicesBackupRetentionPolicyObject.

Important details for the AZ-104 exam:
a) Recovery Services vault retention policies [2]:
- Daily backups: minimum 7 days
- Weekly backups: minimum 1 week
- Monthly backups: minimum 1 month
- Yearly backups: minimum 1 year
b) Cost considerations:
- Retention is the main driver of backup storage cost; shorter retention is cheaper, but it must still meet the recovery and compliance requirement
- A retention value outside the policy's supported range is rejected when the policy is saved
c) Key exam points:
- Know the minimum and maximum retention per backup frequency for Azure VM backups and Azure file share backups
- One vault can protect VMs and file shares, but each workload type has its own policy and its own limits
d) Additional important notes:
- Maximum retention: daily backups up to 9999 days and yearly backups up to 99 years; weekly and monthly points have their own upper limits in the policy editor
- A Recovery Services vault cannot be deleted while it still contains backup data
- Changing a policy's retention applies to existing recovery points as well as new ones, so shortening it can expire points earlier than planned

Why the other options are wrong:
- A) 7 days and B) 14 days: shorter than the 30-day floor the question assumes
- D) 180 days: a valid retention, but not the minimum

For the AZ-104 exam, remember:
- The minimum retention periods for the different Azure Backup workloads, and that some are fixed by the service
- Backup policy configuration and its limits
- The difference between retention for daily, weekly, monthly and yearly points
- The relationship between retention periods and cost