test 7 Flashcards
A company has set up an Azure subscription and a tenant. They want to ensure that only virtual machines of a particular SKU size can be launched in their Azure account. They decide to implement Role Based access policies.
Does this fulfil the requirement?
Yes
No
No
Role based access policies can be used to restrict access to resources, but they cannot enforce governance on what type of resources can be created.
A company has set up an Azure subscription and a tenant. They want to ensure that only virtual machines of a particular SKU size can be launched in their Azure account. They decide to implement Azure locks.
Does this fulfil the requirement?
Yes
No
No
Azure locks are used to prevent users from accidentally deleting or modifying critical resources. They can’t be used for the purpose stated in the question.
A company has set up an Azure subscription and a tenant. They want to ensure that only virtual machines of a particular SKU size can be launched in their Azure account. They decide to implement Azure policies.
Does this fulfil the requirement?
Yes
No
Yes
Yes, this can be done with Azure policies
A company plans to use Azure Network watcher to perform the following tasks
“Find out if a network security rule is preventing a network packet from reaching a virtual machine hosted in an Azure virtual network”
“Find out if there is outbound connectivity between an Azure virtual machine and an external host”
Which of the following Network Watcher features would you use for the following requirement?
“Find out if a network security rule is preventing a network packet from reaching a virtual machine hosted in an Azure virtual network”
IP Flow Verify
Next Hop
Packet Capture
Traffic Analysis
IP Flow Verify
Your company currently has a Site-to-Site connection with an Azure virtual private network. The VPN device on the on-premises side is going to undergo a change in its public IP address. You have to ensure the Site-to-Site VPN connection continues to work after the change.
Which of the following steps would you need to carry out after the change in the public IP address on the on-premises VPN device, ensuring minimum connection downtime? Choose 3 answers from the options given below
Remove the VPN connection
Stop the VPN connection
Modify the local gateway IP address
Modify the VPN gateway address
Recreate the VPN connection
Start the VPN connection
Remove the VPN connection
Modify the local gateway IP address
Recreate the VPN connection
A company has an application deployed across a set of virtual machines. Users connect to the application either using point-to-site VPN or site-to-site VPN connections. You need to ensure that connections to the application are spread across all of the virtual machines.
Which of the following could you set up for this requirement? Choose 2 answers from the options given below
A Public Load Balancer
An Internal Load Balancer
A Traffic Manager Profile
An Azure Content Delivery Network
An Azure Application Gateway
An Internal Load Balancer
An Azure Application Gateway
Since we need to distribute traffic across the virtual machines, we can use either the Load Balancer or Application Gateway service.
A company has set up an Azure subscription. They have set up a storage account and are currently using the Blob service. They want to assign permissions to 3 user groups.
GroupA – This group should have the ability to manage the storage account
GroupB – This group should be able to manage containers within a storage account
GroupC – This group should be given full access to Azure Storage blob containers and data, including assigning POSIX access control
You need to assign the relevant Role Based Access Control roles following the principle of least privilege. Which of the following would you assign to GroupB?
Owner
Contributor
Storage Account Contributor
Storage Blob Data Contributor
Storage Blob Data Owner
Storage Blob Data Contributor
A company has set up an Azure subscription. They have set up a storage account and are currently using the Blob service. They want to assign permissions to 3 user groups.
GroupA – This group should have the ability to manage the storage account
GroupB – This group should be able to manage containers within a storage account
GroupC – This group should be given full access to Azure Storage blob containers and data, including assigning POSIX access control
You need to assign the relevant Role Based Access Control roles following the principle of least privilege. Which of the following would you assign to GroupC?
Owner
Contributor
Storage Account Contributor
Storage Blob Data Contributor
Storage Blob Data Owner
Storage Blob Data Owner
A company is planning on using the Azure Import/Export service to move data out of their Azure storage account. Which of the following services could be used when defining the Azure Export job?
BLOB storage
File storage
Queue storage
Table storage
BLOB storage
You have an Azure virtual machine based on the Windows Server 2016 image. You implement Azure backup for the virtual machine. You want to restore the virtual machine by using the Replace existing option.
Which of the following needs to be done first before you go ahead and replace the virtual machine using the Azure Backup option?
Create a custom image
Stop the virtual machine
Allocate a new disk
Enable encryption on the disk
Stop the virtual machine
The virtual machine has to be in the Stopped or Deallocated state in order to replace the existing disks on the virtual machine.
You have an Azure subscription named CertGlobalstaging. Under the subscription, you go ahead and create a resource group named CertGlobals-rg.
You then go ahead and create an Azure policy based on the “Not allowed resources types” definition. Here you define the parameters as Microsoft.Network.virtualNetworks as the not allowed resource type. You assign this policy to the Tenant Root Group.
Would you be able to create a virtual machine in the CertGlobals-rg resource group?
Yes
No
No
A company currently has a set of Azure virtual machines. They want to ensure that their IT administrative team is alerted if any of the virtual machines are shut down. They decide to create alerts based on Activity Logs in Azure Monitor.
Would this fulfil the requirement?
Yes
No
Yes
A company currently has a set of Azure virtual machines. They want to ensure that their IT administrative team is alerted if any of the virtual machines are shut down. They decide to create alerts in the Azure Advisor service.
Would this fulfil the requirement?
Yes
No
No
A company currently has a set of Azure virtual machines. They want to ensure that their IT administrative team is alerted if any of the virtual machines are shut down. They decide to create alerts in the Service Health service.
Would this fulfil the requirement?
Yes
No
No
A company has created a storage account in their Azure subscription. The name of the storage account is CertGlobalstore. They have also created a file share named demo. They need to access the files in the file share via a UNC path.
You need to fill in the following blocks to ensure the right UNC path is provided
Which of the following needs to go into Slot1?
blob
blob.core.windows.net
portal.azure.com
file
file.core.windows.net
CertGlobalstore
demo
CertGlobalstore
A company has created a storage account in their Azure subscription. The name of the storage account is CertGlobalstore. They have also created a file share named demo. They need to access the files in the file share via a UNC path. You need to fill in the following blocks to ensure the right UNC path is provided
Which of the following needs to go into Slot2?
blob
blob.core.windows.net
portal.azure.com
file
file.core.windows.net
CertGlobalstore
demo
file.core.windows.net
To work with the UNC path format, you have to mount the Azure file share with File Explorer. The UNC path format is:
\\<storageAccountName>.file.core.windows.net\<fileShareName>
A company has created a storage account in their Azure subscription. The name of the storage account is CertGlobalstore. They have also created a file share named demo. They need to access the files in the file share via a UNC path. You need to fill in the following blocks to ensure the right UNC path is provided
Which of the following needs to go into Slot3?
blob
blob.core.windows.net
portal.azure.com
file
file.core.windows.net
CertGlobalstore
demo
demo
A company has set up a virtual machine in Azure. A web server listening on port 80 and a DNS server have been installed on the virtual machine. A network security group is attached to the network interface of the virtual machine. The inbound rules for the NSG are given below.
If RuleB is deleted, would users from the Internet be able to
Connect to the web server hosted on the virtual machine only
Connect to the DNS server hosted on the virtual machine only
Connect to both the web and DNS server hosted on the virtual machine only
Not connect to either the web or DNS server hosted on the virtual machine only
Not connect to either the web or DNS server hosted on the virtual machine only
Your company has setup a storage account in Azure as shown below
The company needs to only allow connections to the storage account from the IP address range 51.107.2.0 to 51.107.2.255. Which of the following sections of the storage account would you modify to fulfil this requirement?
Firewall and virtual networks
Advanced security
Soft Delete
Lifecycle Management
Firewall and virtual networks
A company needs to deploy a virtual machine using a Resource Manager template. The template needs to be submitted via Azure CLI commands. The template is stored in a file named CertGlobalvm.json. You need to complete the below CLI command
Which of the following would go into Slot2?
--template
--template-url
--template-file
--template-resource
--template-file
Your company has the requirement to create an Azure storage account. The storage account needs to meet the following requirements.
Should be able to support hot, cool and archive blob tiers
Should be able to provide fault tolerance if a disaster hits the Azure region which has the storage account
Should minimize on costs
You need to complete the below command to create the storage account
Which of the following would go into Slot2?
Standard_GRS
Standard_LRS
Standard_RAGRS
Premium_LRS
Understanding Azure Storage Replication
Locally Redundant Storage (LRS): Replicates your data three times within a single data center. Provides basic protection against hardware failures but is not fault tolerant to a region failure.
Geo-Redundant Storage (GRS): Replicates your data three times within the primary region and also three times in a secondary region that is hundreds of miles away. Provides protection against regional outages.
Read-Access Geo-Redundant Storage (RA-GRS): Same as GRS, but also provides read-only access to the secondary region, which can be used for reading data during a failure of the primary region.
Premium performance tier: This tier is not available for GRS or RA-GRS storage accounts.
Analyzing the Requirements
Support for Hot, Cool, and Archive Blob Tiers: Both standard and premium storage accounts can support all three tiers. This option does not limit the possible answers.
Fault Tolerance for Region Disasters: Only GRS and RA-GRS provide protection in the event of a regional outage.
Minimize Costs: LRS is the cheapest option. RA-GRS is more expensive than GRS. Standard GRS is a low cost option, and premium performance tier cannot be used in conjunction with any of the geo-redundancy options.
Determining the Correct Replication Setting
Based on the requirements:
LRS is the cheapest, but does not meet the fault tolerance requirement.
RA-GRS provides protection and read access, but at a higher cost.
GRS provides protection for a region outage at a lower cost than RA-GRS.
Premium performance tier storage cannot be configured with GRS and RA-GRS storage.
The option that provides the required fault tolerance while minimizing costs is Standard GRS.
Answer:
Standard_GRS
A team has set up Log Analytics for a virtual machine named demovm. They are running the following query in the Log Analytics workspace
If a query is run on Monday, then the query will return events from the last
1 day
7 days
8 days
14 days
Which option is correct, why is it correct, and what is the important note for the AZ-104 exam?
Understanding Log Analytics Queries and Time Ranges
Log Analytics Workspace: A service in Azure for collecting and analyzing log data.
Kusto Query Language (KQL): The query language used in Log Analytics.
union isfuzzy=true *: this will get data from any type of table.
where TimeGenerated > ago(7d): The key part of this query is the ago(7d) function.
ago(time) Function: This function specifies a time range relative to the moment the query is executed. For example, ago(1d) means “one day ago” from the time the query runs, so the range shifts with the current date.
Analyzing the Query:
The query is:
union isfuzzy=true *
| where TimeGenerated > ago(7d)
union isfuzzy=true *: This combines data from all tables in the workspace.
| where TimeGenerated > ago(7d): This filters the results to include only events where the TimeGenerated timestamp is greater than 7 days ago, from the current time.
Determining the Time Range
The ago(7d) function will return all results that are within the past 7 days. This means that when run on a Monday, it will return the last 7 days, and will not include the current day, as the > operator does not include the current date.
Monday: The query is executed on a Monday.
Time Range: ago(7d) means “7 days ago”.
Therefore:
When the query is executed on Monday, it will return all the events that have been generated from the last 7 days from the date of execution.
Important Note for AZ-104 Exam
For the AZ-104 exam, be sure to:
Understand ago(): Know how the ago() function works in KQL for defining relative time ranges.
Time Units: Be familiar with how to use units like d (days), h (hours), and m (minutes) with ago().
Pay Attention to Operators: Note that the > operator excludes the date on which the query is being run, while >= would include the date on which the query is being run.
Know the default time range: It is important to remember that if a time range is not explicitly defined, Log Analytics will only return data from the last 24 hours by default.
Answer:
The query will return events from the last 7 days.
where TimeGenerated > ago(1d) // Last 1 day
Your company has the requirement to create an Azure storage account. The storage account needs to meet the following requirements.
Should be able to support hot, cool and archive blob tiers
Should be able to provide fault tolerance if a disaster hits the Azure region which has the storage account
Should minimize on costs
You need to complete the below command to create the storage account
Which of the following would go into Slot1?
FileStorage
Storage
StorageV2
Table
StorageV2
Since the Hot, Cool and Archive tiers must be supported, the account kind must be either General Purpose v2 or Blob Storage. To have the complete functionality of the Blob service, choose General Purpose v2 (StorageV2).
A company has set up an Azure virtual machine. A team member is trying to connect to the virtual machine but is not able to do so. Below is a snippet of the Networking section of the virtual machine
Which of the following needs to be done in order to ensure that the team member can connect to the Virtual Machine?
Delete the Rule “Port_3389”
Add a rule to the Outbound port rules to allow traffic on port 3389
Delete the Rule “DenyAllInBound”
Start the Virtual Machine
Start the Virtual Machine
As an IT admin you have to develop scripts that need to be used to add data disks to an existing virtual machine. Below is the incomplete script
Which of the following would go into Slot1?
New-AzDisk
New-AzDiskConfig
Add-AzVMDataDisk
Set-AzDisk
New-AzDiskConfig
As an IT admin you have to develop scripts that need to be used to add data disks to an existing virtual machine. Below is the incomplete script
Which of the following would go into Slot4?
New-AzDisk
New-AzDiskConfig
Add-AzVMDataDisk
Set-AzDisk
Add-AzVMDataDisk
As an IT admin you have to develop scripts that need to be used to add data disks to an existing virtual machine. Below is the incomplete script
Which of the following would go into Slot5?
Set-AzVM
Update-AzVM
Get-AzVM
New-AzVM
Update-AzVM
As an IT admin you have to develop scripts that need to be used to add data disks to an existing virtual machine. Below is the incomplete script
Which of the following would go into Slot2?
New-AzDisk
New-AzDiskConfig
Add-AzVMDataDisk
Set-AzDisk
New-AzDisk
A company currently has the following networks defined in Azure
All virtual networks are hosting virtual machines with varying workloads. A virtual machine named “CertGlobal-detect” is hosted in CertGlobal-vnet2. This virtual machine will have intrusion detection software installed on it. All traffic on all virtual networks needs to be routed via this virtual machine. You need to complete the required steps for implementing this requirement. You are going to create the virtual network peering connection for all of the virtual networks.
Which of the following is important to set for the virtual network peering connection?
Set the virtual network deployment model as Classic
Set the virtual network access settings as Disabled
Set the forwarded traffic settings as Enabled
Enable “Allow gateway transit”
Set the forwarded traffic settings as Enabled
A company currently has the following networks defined in Azure
All virtual networks are hosting virtual machines with varying workloads. A virtual machine named “CertGlobal-detect” is hosted in CertGlobal-vnet2. This virtual machine will have intrusion detection software installed on it. All traffic on all virtual networks needs to be routed via this virtual machine. You need to complete the required steps for implementing this requirement.
Which of the following would you additionally need to create to ensure traffic is sent via the virtual machine hosting the intrusion detection software?
A new route table
Add an address space
Add DNS servers
Add a service endpoint
A new route table
A company currently has the following networks defined in Azure
All virtual networks are hosting virtual machines with varying workloads. A virtual machine named “CertGlobal-detect” is hosted in CertGlobal-vnet2. This virtual machine will have intrusion detection software installed on it. All traffic on all virtual networks needs to be routed via this virtual machine. You need to complete the required steps for implementing this requirement.
Which of the following needs to be enabled on the virtual machine “CertGlobal-detect”?
Enable IP forwarding
Enable the identity for the virtual machine
Add an extension to the virtual machine
Change the size of the virtual machine
Enable IP forwarding
A company has the following resources deployed to their Azure subscription
The virtual machine “CertGlobalvm” is currently in the running state.
The company now assigns the below Azure policy
The Not Allowed resources types are
Microsoft.Network/virtualNetworks
Microsoft/Compute/virtualMachines
Would an administrator be able to move the virtual machine to another resource group?
Yes
No
Understanding Azure Policies
Azure Policies: Used to enforce organizational standards and assess compliance at scale.
Resource Types: Azure policies can target specific resource types.
“Not Allowed” Resources: Policies can be configured to prevent the creation or modification of resources.
Resource Move: Moving resources to different resource groups is considered a modification of the resource.
Analyzing the Resources
Virtual Machine “CertGlobalvm”: Running state.
Analyzing the Azure Policy
The defined policy prevents:
Creation of virtual networks (Microsoft.Network/virtualNetworks).
Creation of virtual machines (Microsoft/Compute/virtualMachines).
Determining if the VM Can Be Moved
The policy restricts the creation of new virtual machines and virtual networks; it does not prevent the modification of existing virtual machines. Therefore the resource should be able to be moved.
Answer:
Yes
A company has the following resources deployed to their Azure subscription
The virtual machine “CertGlobalvm” is currently in the running state.
The company now assigns the below Azure policy
The Not Allowed resources types are
Microsoft.Network/virtualNetworks
Microsoft/Compute/virtualMachines
Would the state of the virtual machine change to deallocated?
Yes
No
Understanding Azure Policies
Azure Policies: Used to enforce organizational standards and assess compliance at scale.
Resource Types: Azure policies can target specific resource types.
“Not Allowed” Resources: Policies can be configured to prevent the creation or modification of resources.
Virtual Machine State: The state of a virtual machine (e.g., running, deallocated) is controlled by its configuration and lifecycle events.
Analyzing the Resources
Virtual Machine “CertGlobalvm”: Currently in the running state.
Analyzing the Azure Policy
The defined policy prevents:
Creation of virtual networks (Microsoft.Network/virtualNetworks).
Creation of virtual machines (Microsoft/Compute/virtualMachines).
Determining if the VM State Changes
Policy Impact: The policy is designed to prevent the creation of new resources, not the modification or deallocation of existing ones.
Existing Resources: As the virtual machine has already been created, the policy will not impact the existing state of the virtual machine.
Therefore, assigning the policy will not deallocate the virtual machine.
Answer:
No
A team is currently storing all of their objects in an Azure storage account. They are currently using the Azure Blob service. They want to create a lifecycle management rule that would do the following
Change the tier level of the objects to the cool tier if they have not been modified in the past 30 days
Archive an object if it has not been modified in the past 90 days
The Lifecycle rule would be applied to a container called demo and a folder within the container called data.
You have to complete the following JSON snippet for the Lifecycle rule
Which of the following would go into Slot1?
demo
data
data/demo
demo/data
demo/data
A team is currently storing all of their objects in an Azure storage account. They are currently using the Azure Blob service. They want to create a lifecycle management rule that would do the following
Change the tier level of the objects to the cool tier if they have not been modified in the past 30 days
Archive an object if they have not been modified in the past 90 days
The Lifecycle rule would be applied to a container called demo and a folder within the container called data.
You have to complete the following JSON snippet for the Lifecycle rule
Which of the following would go into Slot3?
15
30
90
120
90
What is the PowerShell command to add the image information to the virtual machine’s configuration?
A. Set-AzureRmVMSourceImage -VM $VirtualMachine -PublisherName "MicrosoftWindowsServer" -Offer "WindowsServer" -Skus "2012-R2-Datacenter" -Version "latest"
B. Get-AzureRmVMSourceImage -VM $VirtualMachine -PublisherName "MicrosoftWindowsServer" -Offer "WindowsServer" -Skus "2012-R2-Datacenter" -Version "latest"
C. Set-AzureRmVMSourceImage -VM $VirtualMachine -PublisherName "MicrosoftWindowsServer" -Offer "WindowsServer" -Sku "2012-R2-Datacenter" -Version "current"
D. Set-AzureRmVMSourceImage -VM $VirtualMachine -PublisherName WindowsServer -Offer "WindowsServer" -Skus "2012-R2-Datacenter" -Version "latest"
A. Set-AzureRmVMSourceImage -VM $VirtualMachine -PublisherName "MicrosoftWindowsServer" -Offer "WindowsServer" -Skus "2012-R2-Datacenter" -Version "latest"
Which of the following is the Kubernetes agent that processes the orchestration requests from the cluster master, and schedules running the requested containers? Select one.
A. kube-proxy
B. kubelet
C. controller master
D. container runtime
B. kubelet
Why B is correct:
Kubelet is the primary node agent that runs on each node in the Kubernetes cluster
It’s responsible for ensuring containers are running in a Pod as specified in the PodSpecs
It communicates with the control plane (master) and executes orchestration requests
It manages the container lifecycle, ensuring containers are running and healthy
It registers the node with the kube-apiserver on the Kubernetes control plane
Why other options are incorrect:
A. kube-proxy
This is incorrect because kube-proxy is a network proxy that runs on each node
It maintains network rules and handles network communication to and from pods
It does not handle container orchestration or scheduling
C. controller master
This is incorrect because “controller master” is not a standard Kubernetes component
While the control plane (master) makes scheduling decisions, it’s the kubelet that actually executes these decisions on the nodes
D. container runtime
This is incorrect because container runtime (like Docker) is just the software responsible for running containers
It’s a lower-level component that kubelet uses to start and stop containers
It doesn’t handle orchestration requests or scheduling decisions
Which of the following built-in roles has the required Microsoft Authorization permissions that will allow a user account to create a cloud endpoint?
A. User Access Administrator
B. Owner
C. Reader and Data Access
D. Contributor
Understanding Azure Roles and Permissions
Azure RBAC: Azure Role-Based Access Control (RBAC) is used to manage access to Azure resources.
Roles: Roles define the set of permissions that can be granted to a user, group, or service principal.
Cloud Endpoint: A cloud endpoint typically involves configuring resources such as load balancers, application gateways, or other networking components.
Microsoft.Authorization Permissions: Permissions under the Microsoft.Authorization namespace are related to access control and role assignments.
Analyzing the Roles
Let’s examine each of the provided roles and their relevance to creating a cloud endpoint:
A. User Access Administrator:
Analysis: This role grants permissions to manage user access to Azure resources, including assigning roles to other users. It does not grant direct permissions for creating resources, such as cloud endpoints. This role is incorrect.
B. Owner:
Analysis: This role grants full access to all Azure resources, including the ability to create resources, and manage the access permissions of other users. This role has the necessary permissions to create a cloud endpoint. This role is correct.
C. Reader and Data Access:
Analysis: This role only provides read-only access to resources. It does not grant permissions to create resources. This role is incorrect.
D. Contributor:
Analysis: This role grants the ability to create and manage resources, but doesn’t include the specific Microsoft.Authorization permissions required to create cloud endpoints. This role is not the correct one.
The Correct Role
The role that has the required permissions to create a cloud endpoint, and includes Microsoft.Authorization permissions is the Owner role.
Answer:
B. Owner
You have a MySQL database that you want to keep secure and prevent access to the public internet. Which of these options would you use? Select 3
A. Service Endpoint
B. VNet Peering
C. Private IP Address
D. NSG
The correct answers are:
A. Service Endpoint
C. Private IP Address
D. NSG (Network Security Group)
Let’s analyze why each option is correct or incorrect:
CORRECT ANSWERS:
A. Service Endpoint
Correct because it allows you to secure Azure service resources to your virtual network
Provides direct connection from your VNet to Azure MySQL database
Restricts database access to only resources within your VNet
Improves security by removing database access from the public internet
C. Private IP Address
Correct because it ensures the database is only accessible within the private network
Prevents direct exposure to the internet
Allows secure communication between resources in the same VNet
Can be used with Private Link to establish secure connections
D. NSG (Network Security Group)
Correct because it acts as a network-level firewall
Allows you to control inbound and outbound traffic
Can restrict access based on source/destination IP addresses and ports
Provides additional security layer for database access control
INCORRECT ANSWER:
B. VNet Peering
While VNet Peering is a useful networking feature, it’s not primarily a security measure
It’s used to connect two VNets together to allow resources to communicate
It’s more about network connectivity than security
While it can be part of a secure architecture, it’s not specifically focused on securing database access
You are administering a production web app. The app requires scaling to five instances, 40GB of storage, and a custom domain name. Which App Service Plan should you select? Select one.
Basic
Free
Standard
Premium
Shared
Correct Option:
C. Standard
Explanation:
Standard: The Standard App Service Plan supports scaling up to 10 instances, provides up to 50GB of storage, and allows for custom domain names. It is suitable for production workloads that require scaling, custom domains, and additional storage.
You are developing a storage plan that includes Premium storage. Which storage redundancy type is available to use? Select one.
A. Geo Redundant Storage
B. Locally redundant storage
C. Zone Redundant Storage
D. RA Geo redundant Storage
Understanding Azure Storage Redundancy
Locally Redundant Storage (LRS): Replicates your data three times within a single data center. Provides basic protection against hardware failures within a single data center.
Geo-Redundant Storage (GRS): Replicates your data three times within the primary region and also three times in a secondary region that is hundreds of miles away. Provides protection against regional outages.
Read-Access Geo-Redundant Storage (RA-GRS): Same as GRS, but also provides read-only access to the secondary region, which can be used for reading data during a failure of the primary region.
Zone-Redundant Storage (ZRS): Replicates your data synchronously across three availability zones in the primary region. Provides high availability within a single region.
Premium Storage: Uses Solid State Drives (SSDs) to provide high performance and low latency.
Analyzing Redundancy Options for Premium Storage
LRS (Locally Redundant Storage): Is supported in conjunction with the premium storage tier.
GRS (Geo-Redundant Storage): Is not available in conjunction with the premium storage tier.
RA-GRS (Read-Access Geo-Redundant Storage): Is not available in conjunction with the premium storage tier.
ZRS (Zone-Redundant Storage): Is not available in conjunction with the premium storage tier.
The Correct Redundancy Option
Only Locally redundant storage is available when using Premium storage.
Answer:
B. Locally redundant storage
If we want to have an image of the operating system (OS) and all disks attached, which of the following would be the preferred image?
A. OS image (generalized)
B. Disk image
C. VM image (specialized)
D. Data image
C. VM image (specialized)
Why C is correct:
A VM image (specialized) captures the complete state of a running VM including:
Operating system
All attached data disks
Applications and configurations
System state
It’s perfect for creating exact copies of a working VM
Maintains all configurations and customizations
Best for backup and disaster recovery scenarios
Why other options are incorrect:
A. OS image (generalized)
Incorrect because generalized images remove all machine-specific information
Doesn’t maintain specific configurations and customizations
Requires sysprep which removes unique identifiers
Doesn’t include data disks
Better for deploying multiple new instances, not for capturing complete system state
B. Disk image
Incorrect because it only captures a single disk
Doesn’t capture the complete VM configuration
Limited to either OS disk or data disk content
Doesn’t maintain the relationship between multiple disks
D. Data image
Incorrect because this isn’t a standard image type in cloud environments
Would only contain data, not system state or configurations
Doesn’t include OS or system configurations
Doesn’t maintain the complete VM state
You have multiple apps running in a single App Service plan. True or False: Each app in the service plan can have different scaling rules.
A. False
B. True
Correct Option:
A. False
Explanation:
False: In an Azure App Service plan, all apps share the same scaling rules. The scaling settings apply to the entire App Service plan, not to individual apps within the plan. Therefore, you cannot configure different scaling rules for each app in the same App Service plan.
Existing Environment
Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD) tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD tenant.
The Azure AD tenant contains the users shown in the following table.
Name Type Role
User1 Member None
User2 Guest None
User3 Member None
User4 Member None
Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.
Name Subnet Peered with
VNET1 Subnet1, Subnet2 VNET2
VNET2 Subnet1 VNET1, VNET3
VNET3 Subnet1 VNET2
VNET4 Subnet1 None
User1 manages the resources in RG1. User4 manages the resources in RG2.
https://www.certification-questions.com
Microsoft AZ-104
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table.
Name IP address Location Connected to
VM1 10.0.1.4 West US VNET1/Subnet1
VM2 10.0.2.4 West US VNET1/Subnet2
VM3 172.16.1.4 Central US VNET2/Subnet1
VM4 192.168.1.4 West US VNET3/Subnet1
VM5 10.0.22.4 East US VNET4/Subnet1
No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.
Name Kind Location File share Identity-based access for file shares
storage1 Storage (general purpose v1) West US sharea Azure Active Directory Domain Services (Azure AD DS)
storage2 StorageV2 (general purpose v2) East US shareb, sharec Disabled
storage3 BlobStorage East US 2 Not applicable Not applicable
storage4 FileStorage Central US shared Azure Active Directory Domain Services (Azure AD DS)
Requirements
Planned Changes
Contoso plans to implement the following changes:
Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.
Create a storage account named storage5 and configure storage replication for the Blob service.
Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.
Priority Port Protocol Source Destination
500 3389 TCP 10.0.2.0/24 Any
1000 Any ICMP Any Virtual Network
Associate NSG1 to the network interface of VM1.
Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.
Priority Port Protocol Source Destination Action
200 3389 TCP 10.0.0.0/16 Virtual Network Deny
400 Any ICMP 10.0.2.0/24 10.0.1.0/24 Allow
Associate NSG2 to VNET1/Subnet2.
Technical Requirements
Contoso must meet the following technical requirements:
Create container1 and share1.
Use the principle of least privilege.
Create an Azure AD security group named Group4.
Back up the Azure file shares and virtual machines by using Azure Backup.
Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.
Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.
Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1.
Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.
Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only permissions to the Azure file shares.
Contoso needs to back up Azure file shares and virtual machines using Azure Backup.
Which of the following statements is correct regarding the minimum backup configuration needed?
A) One Recovery Services vault with one backup policy for all resources [1]
B) One Recovery Services vault with separate policies for VMs and file shares
C) Two Recovery Services vaults with one backup policy each
D) Two Recovery Services vaults with separate policies for VMs and file shares
Correct Option:
B) One Recovery Services vault with separate policies for VMs and file shares
Explanation:
One Recovery Services vault with separate policies for VMs and file shares: Azure Backup allows you to use a single Recovery Services vault to back up multiple types of resources, including virtual machines and file shares. However, you need to create separate backup policies for VMs and file shares to meet their specific backup requirements.
NSG1 needs to be created with specific inbound rules and associated with VM1’s network interface.
Q: After implementing NSG1, which traffic pattern would be allowed?
A) Only RDP from subnet 10.0.2.0/24 and ICMP from any source
B) Only RDP from any source and ICMP from virtual network
C) Only RDP from subnet 10.0.2.0/24
D) All traffic, as NSGs allow all traffic by default
The correct answer is A) Only RDP from subnet 10.0.2.0/24 and ICMP from any source
Here’s why this is correct:
Key Technical Points:
NSG1 inbound rules:
Priority 500: Port 3389 (RDP), TCP, Source 10.0.2.0/24, Destination Any
Priority 1000: Any port, ICMP, Source Any, Destination Virtual Network
NSG Rule Analysis:
Rule Breakdown:
1. RDP Rule (Priority 500):
- Protocol: TCP
- Port: 3389
- Source: 10.0.2.0/24
- Allows RDP only from specific subnet
2. ICMP Rule (Priority 1000):
- Protocol: ICMP
- Port: Any
- Source: Any
- Allows ICMP from anywhere
Important Notes for AZ-104 Exam:
a) NSG Default Rules:
Priority Name Port Source Destination
65000 AllowVnetInBound All VNet VNet
65001 AllowAzureLoadBalancer All Azure LB Any
65500 DenyAllInbound All Any Any
b) Rule Processing:
Processed by priority
First match wins
Lower number = higher priority
Why Other Options are Wrong:
B) Only RDP from any source and ICMP from virtual network:
RDP is restricted to 10.0.2.0/24
ICMP is allowed from any source
Storage accounts configuration:
storage1: Azure AD DS enabled
storage2: Identity access disabled
storage4: Azure AD DS enabled
Q: Which storage accounts can Group4 be granted read-only RBAC permissions to access file shares?
A) Only storage1
B) storage1 and storage4
C) storage1, storage2, and storage4
D) None of the storage accounts
The correct answer is B) storage1 and storage4
Here’s why this is correct:
Key Technical Points:
Azure AD DS enabled for storage1 and storage4
Identity access disabled for storage2
RBAC requires Azure AD authentication
File shares access control
Storage Account Analysis:
Storage Account Configuration:
storage1:
- Azure AD DS enabled
- Can use RBAC
- File share: sharea
storage2:
- Identity access disabled
- Cannot use RBAC
- File shares: shareb, sharec
storage4:
- Azure AD DS enabled
- Can use RBAC
- File share: shared
Important Notes for AZ-104 Exam:
a) File Share Access Methods:
- Azure AD authentication
- Storage account keys
- Shared access signatures (SAS)
- Azure AD DS integration
b) RBAC Requirements:
Azure AD DS enabled
Identity-based access
Proper role assignment
Permission scope
Why Other Options are Wrong:
A) Only storage1:
Excludes storage4
Both support RBAC
C) storage1, storage2, and storage4:
storage2 has identity access disabled
Cannot use RBAC
D) None:
Incorrect
storage1 and storage4 support RBAC
Implementation Considerations:
a) Access Configuration:
Azure AD DS integration
Role assignments
Permission scope
Authentication method
b) Security Controls:
Least privilege
Access review
Monitoring
Audit logging
Best Practices:
a) Storage Access:
Use Azure AD authentication
Enable identity access
Regular access review
Proper documentation
b) Security Management:
Role-based access
Regular audits
Monitoring
Compliance checks
Critical Exam Topics:
a) Storage Authentication:
Azure AD integration
Identity access
RBAC support
Authentication methods
b) Access Control:
Role assignments
Permission scope
Authentication options
Security controls
Remember for the Exam:
a) Storage Requirements:
Azure AD DS enabled
Identity access configured
RBAC support
Authentication method
b) Access Methods:
Azure AD authentication
Storage account keys
SAS tokens
File share permissions
Additional Important Notes:
a) Management Options:
Azure Portal
PowerShell
Azure CLI
REST API
b) Troubleshooting Areas:
Authentication issues
Permission problems
Access denied errors
Configuration validation
Key Exam Focus Areas:
a) Technical Knowledge:
Storage authentication
Access control
RBAC implementation
Security features
b) Operational Understanding:
Configuration steps
Management tasks
Troubleshooting
Best practices
Requirements:
User1 needs to create Azure policy definitions
User2 needs to assign Azure policies to RG1
Q: Which built-in roles should be assigned to meet these requirements?
A) User1: Policy Contributor, User2: Policy Administrator
B) User1: Resource Policy Contributor, User2: Policy Administrator
C) User1: Policy Administrator, User2: Policy Contributor
D) User1: Resource Policy Contributor, User2: Resource Policy Contributor
Understanding Azure Policy and Roles
Azure Policy Definitions: Define the rules that must be followed by resources in Azure.
Azure Policy Assignments: Apply policies to resources, resource groups, or subscriptions.
Policy Contributor: A role that allows a user to create and manage policy definitions.
Policy Administrator: A role that allows a user to manage policies and policy assignments, and can also create policies.
Resource Policy Contributor: Allows for creating and managing policies, and it can also assign policies.
Analyzing the Requirements
User1: Needs to create Azure policy definitions.
User2: Needs to assign Azure policies to RG1.
Determining the Correct Roles
Let’s evaluate the options:
A) User1: Policy Contributor, User2: Policy Administrator
Analysis: The Policy Contributor role is not sufficient for creating policy definitions. While the Policy Administrator would be sufficient to assign the policies, it is not the lowest level role to perform the required tasks. This option is incorrect.
B) User1: Resource Policy Contributor, User2: Policy Administrator
Analysis: The Resource Policy Contributor role allows the creation of policy definitions and the assignment of policies, so it is suitable for User1. However, while the Policy Administrator role would be sufficient for User2 to assign the policies, it is not the lowest-level role that performs the required task. This option is incorrect.
C) User1: Policy Administrator, User2: Policy Contributor
Analysis: The Policy Administrator role has the correct level of permissions, but would be too permissive for creating policy definitions, and the policy contributor role would not be able to assign the policy at a resource group level. This option is incorrect.
D) User1: Resource Policy Contributor, User2: Resource Policy Contributor
Analysis: The Resource Policy Contributor role allows the user to create policy definitions and to assign policies to a resource group. This is the correct approach as it allows for the desired permissions while using the least privileged option. This option is correct.
The Correct Roles
The correct roles are:
User1: Resource Policy Contributor
User2: Resource Policy Contributor
Answer:
D) User1: Resource Policy Contributor, User2: Resource Policy Contributor
Current VNET peering:
VNET1 ↔ VNET2
VNET2 ↔ VNET3
VNET4: No peering
Q: Which VMs can directly communicate with VM3 (172.16.1.4)?
A) Only VM1 and VM2
B) VM1, VM2, and VM4
C) All VMs
D) Only VM4
The correct answer is B) VM1, VM2, and VM4
Here’s why this is correct:
Key Technical Points:
VM3 is in VNET2
VNET peering relationships exist
Transitive peering is NOT supported [1]
No NSGs currently applied
VNET Peering Analysis:
Direct Peering Map:
VNET1 ↔ VNET2 (VM1, VM2 can reach VM3)
VNET2 ↔ VNET3 (VM4 can reach VM3)
VNET4: Isolated (VM5 cannot reach VM3)
VM Locations:
VM1: VNET1/Subnet1
VM2: VNET1/Subnet2
VM3: VNET2/Subnet1
VM4: VNET3/Subnet1
VM5: VNET4/Subnet1
Important Notes for AZ-104 Exam:
a) VNET Peering Rules:
Not transitive
Bi-directional
Cross-region capable
Requires setup on both VNets
b) Key Concepts:
- Direct peering only
- No transitive routing
- Regional considerations
- Network planning
Why Other Options are Wrong:
A) Only VM1 and VM2:
Excludes VM4
Ignores VNET2-VNET3 peering
C) All VMs:
VM5 is isolated
No path to VNET4
D) Only VM4:
Ignores VNET1-VNET2 peering
VM1 and VM2 can also connect [2]
Implementation Considerations:
a) Peering Requirements:
Non-overlapping IP ranges
Network connectivity
Proper configuration
Resource permissions
b) Network Planning:
Address spaces
Subnet design
Routing
Security
Best Practices:
a) VNET Design:
Plan IP addressing
Document peering
Consider future growth
Security requirements
b) Connectivity:
Direct peering where needed
Hub-spoke topology
Network security
Monitoring
Critical Exam Topics:
a) VNET Peering Concepts:
Non-transitive nature
Bi-directional setup
Regional support
Limitations
b) Network Design:
IP addressing
Connectivity options
Security considerations
Management
Remember for the Exam:
a) Peering Characteristics:
Direct connections only
No transitive routing
Bi-directional traffic
Regional considerations
b) Network Planning:
Address spaces
Connectivity requirements
Security controls
Management needs
Additional Important Notes:
a) Management Options:
Azure Portal
PowerShell
Azure CLI
ARM templates
b) Troubleshooting Areas:
Connectivity issues
Routing problems
Security controls
Performance
Key Exam Focus Areas:
a) Technical Knowledge:
VNET peering
Network connectivity [3]
Routing
Security
b) Operational Understanding:
Implementation
Troubleshooting
Management
Best practices
Requirement: Create storage5 with blob replication configuration
Q: Which storage account type should be used for storage5 to support blob replication?
A) General-purpose v1
B) General-purpose v2
C) BlobStorage
D) FileStorage
Determining the Correct Storage Account Type
Let’s evaluate the options:
A) General-purpose v1
Analysis: While General-purpose v1 storage accounts support blobs, this is a legacy type and is not the recommended option. This option is incorrect.
B) General-purpose v2
Analysis: General-purpose v2 storage accounts are the recommended type and do support blob storage replication, therefore, this option is correct.
C) BlobStorage
Analysis: The Blob storage type is designed for blob storage and does support blob replication. This is a valid option, but the general purpose storage accounts are a better solution, as they allow other types of resources to be created if necessary. This option is correct.
D) FileStorage
Analysis: File storage is designed for file shares and does not support blob service replication. This option is incorrect.
The Correct Storage Account Types
Both general-purpose v2 and BlobStorage are correct options. General purpose v2 is the most flexible, however both would meet the requirements of this question.
Answer:
B) General-purpose v2
C) BlobStorage
Therefore, the full answer is:
General-purpose v2: Supports blob replication directly.
BlobStorage: Supports blob replication directly.
Azure Data Lake Storage Gen2: This is technically a General-purpose v2 account with additional capabilities, and it supports blob replication through the underlying General-purpose v2 capabilities.
Existing Environment
Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD) tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD tenant.
The Azure AD tenant contains the users shown in the following table.
Name   Type    Role
User1  Member  None
User2  Guest   None
User3  Member  None
User4  Member  None
Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.
Name   Subnet            Peered with
VNET1  Subnet1, Subnet2  VNET2
VNET2  Subnet1           VNET1, VNET3
VNET3  Subnet1           VNET2
VNET4  Subnet1           None
User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table.
Name  IP address   Location    Connected to
VM1   10.0.1.4     West US     VNET1/Subnet1
VM2   10.0.2.4     West US     VNET1/Subnet2
VM3   172.16.1.4   Central US  VNET2/Subnet1
VM4   192.168.1.4  West US     VNET3/Subnet1
VM5   10.0.22.4    East US     VNET4/Subnet1
No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.
Name      Kind                            Location    File share      Identity-access for
storage1  Storage (general purpose v1)    West US     sharea          Azure Active Domain Ser (Azure AD D
storage2  StorageV2 (general purpose v2)  East US     shareb, sharec  Disabled
storage3  BlobStorage                     East US 2   Not applicable  Not applicable
storage4  FileStorage                     Central US  shared          Azure Active Domain Ser (Azure AD D
Requirements
Planned Changes
Contoso plans to implement the following changes:
Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.
Create a storage account named storage5 and configure storage replication for the Blob service.
Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.
Priority  Port  Protocol  Source       Destination
500       3389  TCP       10.0.2.0/24  Any
1000      Any   ICMP      Any          Virtual Network
Associate NSG1 to the network interface of VM1.
Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.
Priority  Port  Protocol  Source       Destination      Action
200       3389  TCP       10.0.0.0/16  Virtual Network  Deny
400       Any   ICMP      10.0.2.0/24  10.0.1.0/24      Allow
Associate NSG2 to VNET1/Subnet2.
Technical Requirements
Contoso must meet the following technical requirements:
Create container1 and share1.
Use the principle of least privilege.
Create an Azure AD security group named Group4.
Back up the Azure file shares and virtual machines by using Azure Backup.
Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.
Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.
Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1.
Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.
Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only permissions to the Azure file shares.
Requirement: Alert when VM1 or VM2 has less than 20 GB free space on volume C
Q: Which Azure Monitor component should be used to implement this requirement?
A) Metrics Alert
B) Activity Log Alert
C) Log Analytics workspace with custom query
D) Service Health Alert
The correct answer is C) Log Analytics workspace with custom query
Here’s why this is correct:
Key Technical Points:
Need to monitor disk space
Custom threshold (20 GB)
Volume C specific
Multiple VM monitoring
Log Analytics Solution Components:
Implementation Steps:
1. Create Log Analytics workspace
2. Install Log Analytics agent on VMs
3. Configure custom query for disk space
4. Set up alert rule with condition
Sample Query:
Perf
| where ObjectName == "LogicalDisk"      // Windows logical-disk performance counters
| where CounterName == "Free Megabytes"  // free space counter, reported in MB
| where InstanceName == "C:"             // restrict to volume C
| where CounterValue < (20 * 1024)       // less than 20 GB, expressed in MB
Important Notes for AZ-104 Exam:
a) Alert Components:
Log Analytics workspace
Data collection rules
Query-based alerts
Action groups
b) Monitoring Hierarchy:
Azure Monitor
├── Log Analytics
├── Custom Queries
├── Alert Rules
└── Action Groups
Why Other Options are Wrong:
A) Metrics Alert:
Cannot directly monitor OS-level metrics
Limited to platform metrics
Not suitable for disk space
B) Activity Log Alert:
For subscription-level events
Not for resource metrics
Wrong alert type
D) Service Health Alert:
For Azure service issues
Not for resource monitoring
Wrong alert type
Implementation Considerations:
a) Configuration Requirements:
Agent installation
Workspace setup
Query definition
Alert configuration
b) Monitoring Setup:
Data collection
Query testing
Alert thresholds
Notification config
Best Practices:
a) Alert Configuration:
Clear alert names
Appropriate thresholds
Proper action groups
Regular testing
b) Monitoring Management:
Regular review
Query optimization
Cost monitoring
Performance impact
Critical Exam Topics:
a) Azure Monitor Features:
Log Analytics
Custom queries
Alert rules
Action groups
b) Implementation Steps:
Workspace creation
Agent deployment
Query configuration
Alert setup
Remember for the Exam:
a) Monitoring Components:
Log Analytics workspace
Data collection
Query language
Alert configuration
b) Alert Requirements:
Resource targeting
Threshold definition
Action configuration
Testing validation
Additional Important Notes:
a) Management Options:
Azure Portal
PowerShell
Azure CLI
REST API
b) Troubleshooting Areas:
Agent connectivity
Query performance
Alert triggering
Data collection
Key Exam Focus Areas:
a) Technical Knowledge:
Monitoring solutions
Query language
Alert types
Configuration options
b) Operational Understanding:
Implementation steps
Troubleshooting
Management tasks
Best practices
Requirement: Create internal Basic Load Balancer LB1 in VNET1/Subnet1
Q: Which configuration elements are required for the load balancer implementation?
A) Frontend IP configuration and backend pool only
B) Frontend IP configuration, backend pool, and health probe
C) Frontend IP configuration, backend pool, health probe, and load balancing rule
D) Frontend IP configuration and health probe only
The correct answer is C) Frontend IP configuration, backend pool, health probe, and load balancing rule
Here’s why this is correct:
Key Technical Points:
Internal Basic Load Balancer requirement [1]
Complete functional configuration needed
All essential components required
Load balancing functionality
Required Load Balancer Components: [2]
Essential Components:
1. Frontend IP configuration
- Private IP from subnet
- Internal endpoint
2. Backend pool
- Target VMs/resources
- Resource association
3. Health probe
- Service availability check
- Protocol and port
4. Load balancing rule
- Traffic distribution
- Protocol and ports
- Session persistence
Important Notes for AZ-104 Exam:
a) Load Balancer Configuration:
All four components are mandatory
Logical configuration order
Dependencies between components
Basic vs Standard SKU differences
b) Component Relationships:
Frontend IP → Load Balancing Rule → Backend Pool
↓
Health Probe
Why Other Options are Wrong:
A) Frontend IP and backend pool only:
Missing health monitoring
Missing traffic rules
Incomplete configuration
B) Frontend IP, backend pool, and health probe:
Missing load balancing rules
Cannot distribute traffic
Incomplete configuration
D) Frontend IP and health probe only:
Missing backend targets
Missing traffic rules
Incomplete configuration
Implementation Considerations:
a) Configuration Requirements:
VNet/subnet planning
IP addressing
Port configuration
Health check settings
b) Design Elements:
High availability
Fault tolerance
Performance optimization
Monitoring
Best Practices:
a) Load Balancer Setup:
Meaningful names
Appropriate health checks
Proper backend pool config
Efficient rules
b) Monitoring:
Health status
Performance metrics
Alert configuration
Logging setup
Critical Exam Topics:
a) Load Balancer Components:
Required elements
Configuration options
Dependencies
Management
b) Network Integration:
VNet configuration
Subnet planning
IP addressing
Routing
Remember for the Exam:
a) Configuration Order:
Create Load Balancer
Configure Frontend IP
Create Backend Pool
Set up Health Probe
Define Load Balancing Rules
b) Component Requirements:
All four components needed
Proper configuration
Logical relationships
Testing validation
Additional Important Notes:
a) Management Options:
Azure Portal
PowerShell
Azure CLI
ARM templates
b) Troubleshooting Areas:
Health probe failures
Connection issues
Performance problems
Configuration errors
Key Exam Focus Areas:
a) Technical Knowledge:
Component requirements
Configuration options
Dependencies
Best practices
b) Operational Understanding:
Implementation steps
Troubleshooting
Management tasks
Monitoring
Requirement: Enable flow logging for VM5 traffic with 8-month retention
Q: Which Azure service is required to implement this requirement?
A) Network Watcher with NSG flow logs
B) Azure Monitor logs
C) Traffic Analytics only
D) Azure Network Monitor
Understanding Flow Logging
Network Flow Logs: Capture information about IP traffic flowing through a network interface, subnet, or virtual network.
Use Cases: Commonly used for network monitoring, traffic analysis, and security investigations.
Retention: You need to be able to specify the duration for which the flow logs are retained.
NSG flow logs: Network security group flow logs are a feature of Network Watcher that record the IP traffic allowed or denied by a network security group.
Analyzing the Options
Let’s evaluate the options:
A) Network Watcher with NSG flow logs
Analysis: Network Watcher is the core Azure service that enables the capture of flow logs. NSG flow logs, specifically, provide the traffic information based on rules applied in a Network Security Group, and are configured within Network Watcher. The retention policy can also be configured within the Network Watcher configuration. Therefore, this option is correct.
B) Azure Monitor logs
Analysis: While Azure Monitor can consume the NSG flow logs, it is not the service that enables the logging itself. Network Watcher is necessary for enabling flow logs. This option is incorrect, as the service must enable flow logs.
C) Traffic Analytics only
Analysis: Traffic analytics is a feature within Network Watcher which provides insights based on NSG flow logs, however, it does not enable NSG flow logs themselves. This option is incorrect.
D) Azure Network Monitor
Analysis: There is not an Azure service called Azure Network Monitor. Network Watcher is the correct service. This option is incorrect.
The Correct Service
The correct Azure service to enable flow logging and retain the flow logs for a specified duration is Network Watcher with NSG flow logs.
Answer:
A) Network Watcher with NSG flow logs
Requirement: Create container1 and share1 using Cool storage tier
Q: Which storage account type supports this requirement?
A) General-purpose v1
B) General-purpose v2
C) BlobStorage
D) FileStorage
Correct Option:
B) General-purpose v2
Explanation:
General-purpose v2: The General-purpose v2 (StorageV2) account type supports both blob containers and file shares, and it allows you to configure different access tiers, including the Cool storage tier. This makes it the appropriate choice for creating a blob container and a file share with the Cool storage tier.
You need to create a blob container named container1 and a file share named share1 that will use the Cool storage tier. Which storage account type should you use?
A. Storage (general purpose v1)
B. StorageV2 (general purpose v2)
C. BlobStorage
D. FileStorage
Correct Option:
B. StorageV2 (general purpose v2)
Explanation:
StorageV2 (general purpose v2): The StorageV2 account type supports both blob containers and file shares, and it allows you to configure different access tiers, including the Cool storage tier. This makes it the appropriate choice for creating a blob container and a file share with the Cool storage tier.
You need to enable User2 to assign Azure policies to RG1. Which role should you assign to User2?
A. Contributor
B. Owner
C. Policy Contributor
D. Policy Administrator
Understanding Azure Policy and Roles
Azure Policy: Enforces organizational standards and assesses compliance at scale.
Policy Assignments: Apply policies to resources, resource groups, or subscriptions.
Contributor: A role that grants the ability to create and manage resources.
Owner: A role that grants full access to all Azure resources.
Policy Contributor: A role that allows a user to manage and create policies.
Policy Administrator: A role that allows a user to manage policies and policy assignments, and can also create policies.
Analyzing the Requirements
User2: Needs to assign Azure policies to RG1.
Determining the Correct Role
Let’s evaluate the options:
A) Contributor
Analysis: The Contributor role has the ability to create and manage Azure resources, however, it doesn’t explicitly grant permissions to manage Azure policies and policy assignments. This role is insufficient.
B) Owner
Analysis: The Owner role grants full access to all resources, including the ability to manage policies. It would grant the desired access, but it is far more permissive than the task requires, which conflicts with the principle of least privilege. This option is incorrect.
C) Policy Contributor
Analysis: The Policy Contributor role can manage policy definitions, but it cannot assign policies. This option is incorrect.
D) Policy Administrator
Analysis: The Policy Administrator role has the correct permissions to manage and assign Azure policies. This role is correct.
The Correct Role
The correct role is the Policy Administrator.
Answer:
D) Policy Administrator
You need to create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1. Which type of IP address should you use?
A. Public IP address
B. Private IP address
C. Dynamic IP address
D. Static IP address
Determining the Correct IP Address Type
Let’s evaluate the options:
A) Public IP address
Analysis: Public IP addresses are used for internet-facing resources. An internal load balancer must have a private IP address. This option is incorrect.
B) Private IP address
Analysis: This is the correct approach. Private IP addresses are used for internal resources within a virtual network. Since the requirement is to create an internal load balancer, a private IP address is required.
C) Dynamic IP address
Analysis: A dynamic IP address can change when the resource is deallocated, which is undesirable for an internal load balancer that clients expect to reach at a predictable address. Although a dynamic private IP can technically be used, "dynamic" describes allocation, not the internal-versus-public distinction the requirement is about, so this option is incorrect.
D) Static IP address
Analysis: An internal load balancer can use either a static or a dynamic private IP address, so "static" is not what the requirement hinges on. A static private IP is a common configuration for an internal load balancer, but it is not required; the core requirement is that the address be private. This option is therefore not the correct response to the prompt.
The Correct IP Address Type
The correct IP address type is Private IP address.
Answer:
B) Private IP address
Existing Environment
Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD)
tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD
tenant.
The Azure AD tenant contains the users shown in the following table.
Name Type Role
User1 Member None
User2 Guest None
User3 Member None
User4 Member None
Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.
Name   Subnets           Peered with
VNET1  Subnet1, Subnet2  VNET2
VNET2  Subnet1           VNET1, VNET3
VNET3  Subnet1           VNET2
VNET4  Subnet1           None
User1 manages the resources in RG1. User4 manages the resources in RG2.
https://www.certification-questions.com
Microsoft AZ-104
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table.
Name  IP address   Location    Connected to
VM1   10.0.1.4     West US     VNET1/Subnet1
VM2   10.0.2.4     West US     VNET1/Subnet2
VM3   172.16.1.4   Central US  VNET2/Subnet1
VM4   192.168.1.4  West US     VNET3/Subnet1
VM5   10.0.22.4    East US     VNET4/Subnet1
No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.
Name      Kind                            Location    File share      Identity-based access
storage1  Storage (general purpose v1)    West US     sharea          Azure Active Directory Domain Services (Azure AD DS)
storage2  StorageV2 (general purpose v2)  East US     shareb, sharec  Disabled
storage3  BlobStorage                     East US 2   Not applicable  Not applicable
storage4  FileStorage                     Central US  shared          Azure Active Directory Domain Services (Azure AD DS)
Requirements
Planned Changes
Contoso plans to implement the following changes:
Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.
Create a storage account named storage5 and configure storage replication for the Blob service.
Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.
Priority  Port  Protocol  Source       Destination
500       3389  TCP       10.0.2.0/24  Any
1000      Any   ICMP      Any          Virtual Network
Associate NSG1 to the network interface of VM1.
Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.
Priority  Port  Protocol  Source       Destination      Action
200       3389  TCP       10.0.0.0/16  Virtual Network  Deny
400       Any   ICMP      10.0.2.0/24  10.0.1.0/24      Allow
Associate NSG2 to VNET1/Subnet2.
Technical Requirements
Contoso must meet the following technical requirements:
Create container1 and share1.
Use the principle of least privilege.
Create an Azure AD security group named Group4.
Back up the Azure file shares and virtual machines by using Azure Backup.
Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.
Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.
Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to
VNET1/Subnet1
Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.
Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only
permissions to the Azure file shares.
You need to grant Group4 Azure role-based access control (Azure RBAC) read-only permissions to the Azure file shares. Which role should you assign to Group4?
A. Reader
B. Storage File Data SMB Share Reader
C. Storage Blob Data Reader
D. Storage Account Contributor
Correct Option:
B. Storage File Data SMB Share Reader
Explanation:
Storage File Data SMB Share Reader: This role provides read-only access to Azure file shares over the SMB protocol. It is specifically designed for scenarios where you need to grant read-only access to file shares without granting broader permissions to other storage account resources.
Existing Environment
Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD)
tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD
tenant.
The Azure AD tenant contains the users shown in the following table.
Name Type Role
User1 Member None
User2 Guest None
User3 Member None
User4 Member None
Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.
Name   Subnets           Peered with
VNET1  Subnet1, Subnet2  VNET2
VNET2  Subnet1           VNET1, VNET3
VNET3  Subnet1           VNET2
VNET4  Subnet1           None
User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table.
Name  IP address   Location    Connected to
VM1   10.0.1.4     West US     VNET1/Subnet1
VM2   10.0.2.4     West US     VNET1/Subnet2
VM3   172.16.1.4   Central US  VNET2/Subnet1
VM4   192.168.1.4  West US     VNET3/Subnet1
VM5   10.0.22.4    East US     VNET4/Subnet1
No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.
Name      Kind                            Location    File share      Identity-based access
storage1  Storage (general purpose v1)    West US     sharea          Azure Active Directory Domain Services (Azure AD DS)
storage2  StorageV2 (general purpose v2)  East US     shareb, sharec  Disabled
storage3  BlobStorage                     East US 2   Not applicable  Not applicable
storage4  FileStorage                     Central US  shared          Azure Active Directory Domain Services (Azure AD DS)
Requirements
Planned Changes
Contoso plans to implement the following changes:
Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.
Create a storage account named storage5 and configure storage replication for the Blob service.
Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.
Priority  Port  Protocol  Source       Destination
500       3389  TCP       10.0.2.0/24  Any
1000      Any   ICMP      Any          Virtual Network
Associate NSG1 to the network interface of VM1.
Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.
Priority  Port  Protocol  Source       Destination      Action
200       3389  TCP       10.0.0.0/16  Virtual Network  Deny
400       Any   ICMP      10.0.2.0/24  10.0.1.0/24      Allow
Associate NSG2 to VNET1/Subnet2.
Technical Requirements
Contoso must meet the following technical requirements:
Create container1 and share1.
Use the principle of least privilege.
Create an Azure AD security group named Group4.
Back up the Azure file shares and virtual machines by using Azure Backup.
Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.
Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.
Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to
VNET1/Subnet1
Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.
Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only
permissions to the Azure file shares.
You need to associate NSG1 to the network interface of VM1. Which command should you use?
A. az network nsg create
B. az network nic update
C. az network vnet subnet update
D. az network nsg update
Correct Option:
B. az network nic update
Explanation:
az network nic update: This command is used to update the network interface card (NIC) settings of a virtual machine. To associate NSG1 with the network interface of VM1, you need to update the NIC settings to include the NSG.
Existing Environment
Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD)
tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD
tenant.
The Azure AD tenant contains the users shown in the following table.
Name Type Role
User1 Member None
User2 Guest None
User3 Member None
User4 Member None
Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.
Name   Subnets           Peered with
VNET1  Subnet1, Subnet2  VNET2
VNET2  Subnet1           VNET1, VNET3
VNET3  Subnet1           VNET2
VNET4  Subnet1           None
User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table.
Name  IP address   Location    Connected to
VM1   10.0.1.4     West US     VNET1/Subnet1
VM2   10.0.2.4     West US     VNET1/Subnet2
VM3   172.16.1.4   Central US  VNET2/Subnet1
VM4   192.168.1.4  West US     VNET3/Subnet1
VM5   10.0.22.4    East US     VNET4/Subnet1
No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.
Name      Kind                            Location    File share      Identity-based access
storage1  Storage (general purpose v1)    West US     sharea          Azure Active Directory Domain Services (Azure AD DS)
storage2  StorageV2 (general purpose v2)  East US     shareb, sharec  Disabled
storage3  BlobStorage                     East US 2   Not applicable  Not applicable
storage4  FileStorage                     Central US  shared          Azure Active Directory Domain Services (Azure AD DS)
Requirements
Planned Changes
Contoso plans to implement the following changes:
Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.
Create a storage account named storage5 and configure storage replication for the Blob service.
Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.
Priority  Port  Protocol  Source       Destination
500       3389  TCP       10.0.2.0/24  Any
1000      Any   ICMP      Any          Virtual Network
Associate NSG1 to the network interface of VM1.
Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.
Priority  Port  Protocol  Source       Destination      Action
200       3389  TCP       10.0.0.0/16  Virtual Network  Deny
400       Any   ICMP      10.0.2.0/24  10.0.1.0/24      Allow
Associate NSG2 to VNET1/Subnet2.
Technical Requirements
Contoso must meet the following technical requirements:
Create container1 and share1.
Use the principle of least privilege.
Create an Azure AD security group named Group4.
Back up the Azure file shares and virtual machines by using Azure Backup.
Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.
Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.
Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to
VNET1/Subnet1
Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.
Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only
permissions to the Azure file shares.
You need to configure a data collection rule (DCR) named DCR1 to collect only system events that have an event ID of 4648 from VM2 and VM4. Which service should you use?
A. Azure Monitor
B. Azure Log Analytics
C. Azure Security Center
D. Azure Policy
Correct Option:
A. Azure Monitor
Existing Environment
Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD)
tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD
tenant.
The Azure AD tenant contains the users shown in the following table.
Name Type Role
User1 Member None
User2 Guest None
User3 Member None
User4 Member None
Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.
Name   Subnets           Peered with
VNET1  Subnet1, Subnet2  VNET2
VNET2  Subnet1           VNET1, VNET3
VNET3  Subnet1           VNET2
VNET4  Subnet1           None
User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table.
Name  IP address   Location    Connected to
VM1   10.0.1.4     West US     VNET1/Subnet1
VM2   10.0.2.4     West US     VNET1/Subnet2
VM3   172.16.1.4   Central US  VNET2/Subnet1
VM4   192.168.1.4  West US     VNET3/Subnet1
VM5   10.0.22.4    East US     VNET4/Subnet1
No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.
Name      Kind                            Location    File share      Identity-based access
storage1  Storage (general purpose v1)    West US     sharea          Azure Active Directory Domain Services (Azure AD DS)
storage2  StorageV2 (general purpose v2)  East US     shareb, sharec  Disabled
storage3  BlobStorage                     East US 2   Not applicable  Not applicable
storage4  FileStorage                     Central US  shared          Azure Active Directory Domain Services (Azure AD DS)
Requirements
Planned Changes
Contoso plans to implement the following changes:
Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.
Create a storage account named storage5 and configure storage replication for the Blob service.
Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.
Priority  Port  Protocol  Source       Destination
500       3389  TCP       10.0.2.0/24  Any
1000      Any   ICMP      Any          Virtual Network
Associate NSG1 to the network interface of VM1.
Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.
Priority  Port  Protocol  Source       Destination      Action
200       3389  TCP       10.0.0.0/16  Virtual Network  Deny
400       Any   ICMP      10.0.2.0/24  10.0.1.0/24      Allow
Associate NSG2 to VNET1/Subnet2.
Technical Requirements
Contoso must meet the following technical requirements:
Create container1 and share1.
Use the principle of least privilege.
Create an Azure AD security group named Group4.
Back up the Azure file shares and virtual machines by using Azure Backup.
Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.
Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.
Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to
VNET1/Subnet1
Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.
Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only
permissions to the Azure file shares.
You need to create an NSG named NSG1 that will have the custom inbound security rules shown in the table. Which command should you use to create the NSG?
A. az network nsg create
B. az network nsg rule create
C. az network nsg rule update
D. az network nsg update
Correct Option:
A. az network nsg create
Explanation:
az network nsg create: This command is used to create a new Network Security Group (NSG) in Azure. Since the requirement is to create an NSG named NSG1, this is the appropriate command to use.
Existing Environment
Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD)
tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD
tenant.
The Azure AD tenant contains the users shown in the following table.
Name Type Role
User1 Member None
User2 Guest None
User3 Member None
User4 Member None
Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.
Name   Subnets           Peered with
VNET1  Subnet1, Subnet2  VNET2
VNET2  Subnet1           VNET1, VNET3
VNET3  Subnet1           VNET2
VNET4  Subnet1           None
User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table.
Name  IP address   Location    Connected to
VM1   10.0.1.4     West US     VNET1/Subnet1
VM2   10.0.2.4     West US     VNET1/Subnet2
VM3   172.16.1.4   Central US  VNET2/Subnet1
VM4   192.168.1.4  West US     VNET3/Subnet1
VM5   10.0.22.4    East US     VNET4/Subnet1
No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.
Name      Kind                            Location    File share      Identity-based access
storage1  Storage (general purpose v1)    West US     sharea          Azure Active Directory Domain Services (Azure AD DS)
storage2  StorageV2 (general purpose v2)  East US     shareb, sharec  Disabled
storage3  BlobStorage                     East US 2   Not applicable  Not applicable
storage4  FileStorage                     Central US  shared          Azure Active Directory Domain Services (Azure AD DS)
Requirements
Planned Changes
Contoso plans to implement the following changes:
Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.
Create a storage account named storage5 and configure storage replication for the Blob service.
Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.
Priority  Port  Protocol  Source       Destination
500       3389  TCP       10.0.2.0/24  Any
1000      Any   ICMP      Any          Virtual Network
Associate NSG1 to the network interface of VM1.
Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.
Priority  Port  Protocol  Source       Destination      Action
200       3389  TCP       10.0.0.0/16  Virtual Network  Deny
400       Any   ICMP      10.0.2.0/24  10.0.1.0/24      Allow
Associate NSG2 to VNET1/Subnet2.
Technical Requirements
Contoso must meet the following technical requirements:
Create container1 and share1.
Use the principle of least privilege.
Create an Azure AD security group named Group4.
Back up the Azure file shares and virtual machines by using Azure Backup.
Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.
Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.
Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to
VNET1/Subnet1
Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.
Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only
permissions to the Azure file shares.
You need to grant User1 the permissions required to link Zone1 to VNet1. Which role should you assign to User1?
A. Network Contributor
B. DNS Zone Contributor
C. Contributor
D. Owner
Correct Option:
B. DNS Zone Contributor
Explanation:
DNS Zone Contributor: To link a DNS zone to a virtual network, the user needs permissions to manage DNS zones. The DNS Zone Contributor role provides the necessary permissions to manage DNS zones, including linking them to virtual networks.
Important Note for Azure 104 Exam:
Understand the different Azure roles and their specific permissions, especially those related to networking and DNS management.
Be familiar with the tasks that require specific roles, such as linking DNS zones to virtual networks.
Know how to apply the principle of least privilege by assigning the most appropriate role that grants the necessary permissions without providing excessive access.
Existing Environment
Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD)
tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD
tenant.
The Azure AD tenant contains the users shown in the following table.
Name Type Role
User1 Member None
User2 Guest None
User3 Member None
User4 Member None
Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.
Name   Subnets           Peered with
VNET1  Subnet1, Subnet2  VNET2
VNET2  Subnet1           VNET1, VNET3
VNET3  Subnet1           VNET2
VNET4  Subnet1           None
User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table.
Name  IP address   Location    Connected to
VM1   10.0.1.4     West US     VNET1/Subnet1
VM2   10.0.2.4     West US     VNET1/Subnet2
VM3   172.16.1.4   Central US  VNET2/Subnet1
VM4   192.168.1.4  West US     VNET3/Subnet1
VM5   10.0.22.4    East US     VNET4/Subnet1
No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.
Name      Kind                            Location    File share      Identity-based access
storage1  Storage (general purpose v1)    West US     sharea          Azure Active Directory Domain Services (Azure AD DS)
storage2  StorageV2 (general purpose v2)  East US     shareb, sharec  Disabled
storage3  BlobStorage                     East US 2   Not applicable  Not applicable
storage4  FileStorage                     Central US  shared          Azure Active Directory Domain Services (Azure AD DS)
Requirements
Planned Changes
Contoso plans to implement the following changes:
Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.
Create a storage account named storage5 and configure storage replication for the Blob service.
Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.
Priority  Port  Protocol  Source       Destination
500       3389  TCP       10.0.2.0/24  Any
1000      Any   ICMP      Any          Virtual Network
Associate NSG1 to the network interface of VM1.
Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.
Priority  Port  Protocol  Source       Destination      Action
200       3389  TCP       10.0.0.0/16  Virtual Network  Deny
400       Any   ICMP      10.0.2.0/24  10.0.1.0/24      Allow
Associate NSG2 to VNET1/Subnet2.
Technical Requirements
Contoso must meet the following technical requirements:
Create container1 and share1.
Use the principle of least privilege.
Create an Azure AD security group named Group4.
Back up the Azure file shares and virtual machines by using Azure Backup.
Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.
Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.
Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to
VNET1/Subnet1
Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.
Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only
permissions to the Azure file shares.
You need to ensure that Scope1 is used to encrypt storage services in storage2. Which setting should you configure?
A. Access tier
B. Encryption scope
C. Replication
D. Performance tier
The correct answer is B) Encryption scope [1]
Here’s why this is correct:
Key Technical Points:
Storage2 is a StorageV2 (general purpose v2) account
Encryption scopes provide encryption management at the container level
Encryption scopes can be used to manage encryption for specific data sets
Encryption Scope Characteristics:
a) Key Features:
- Container-level encryption
- Infrastructure encryption options
- Key management flexibility
- Scope inheritance
Important Notes for AZ-104 Exam:
a) Storage Encryption Types:
Storage Service Encryption (SSE)
Infrastructure encryption
Customer-managed keys
Platform-managed keys
b) Encryption Scope Properties:
Name
Encryption type
Infrastructure encryption
Key management
Why Other Options are Wrong:
A) Access tier:
Related to data storage optimization
Not related to encryption
Affects cost and performance
C) Replication:
Data redundancy feature
No impact on encryption
Geographic availability
D) Performance tier:
Performance optimization
Not related to encryption
Affects IOPS and throughput
Key Implementation Considerations:
a) Configuration Requirements:
Storage account type compatibility
Key vault integration (if using customer-managed keys)
Permission requirements
Regional availability
b) Security Controls:
Key rotation
Access policies
Audit logging
Compliance requirements
Best Practices:
a) Encryption Management:
Regular key rotation
Access review
Monitoring
Documentation
b) Security Configuration:
Least privilege access
Regular audits
Compliance monitoring
Incident response plan
Critical Exam Topics:
a) Storage Security Features:
Encryption at rest
Encryption in transit
Key management
Access control
b) Implementation Steps:
Scope creation
Key configuration
Policy assignment
Monitoring setup
Remember for the Exam:
a) Encryption Scope Requirements:
Storage account compatibility
Permission requirements
Key management options
Infrastructure encryption
b) Configuration Elements:
Scope name
Encryption type
Key source
Infrastructure encryption setting
Additional Important Notes:
a) Management Options:
Azure Portal
PowerShell
Azure CLI
REST API
b) Monitoring and Compliance:
Activity logs
Diagnostic settings
Compliance reporting
Security metrics
Key Exam Focus Areas:
a) Technical Knowledge:
Encryption types
Configuration options
Management tools
Security features
b) Operational Understanding:
Implementation steps
Troubleshooting
Monitoring
Maintenance
For the AZ-104 exam, focus on:
Storage Security Concepts:
Encryption types
Key management
Access control
Compliance requirements
Implementation Knowledge:
Configuration steps
Permission requirements
Tool usage
Best practices
Management Skills:
Daily operations
Monitoring
Troubleshooting
Maintenance
Security Understanding:
Access control
Key management
Audit logging
Compliance requirements
Existing Environment
Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD)
tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD
tenant.
The Azure AD tenant contains the users shown in the following table.
Name Type Role
User1 Member None
User2 Guest None
User3 Member None
User4 Member None
Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.
Name   Subnets           Peered with
VNET1  Subnet1, Subnet2  VNET2
VNET2  Subnet1           VNET1, VNET3
VNET3  Subnet1           VNET2
VNET4  Subnet1           None
User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table.
Name  IP address   Location    Connected to
VM1   10.0.1.4     West US     VNET1/Subnet1
VM2   10.0.2.4     West US     VNET1/Subnet2
VM3   172.16.1.4   Central US  VNET2/Subnet1
VM4   192.168.1.4  West US     VNET3/Subnet1
VM5   10.0.22.4    East US     VNET4/Subnet1
No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.
Name      Kind                            Location    File share      Identity-based access
storage1  Storage (general purpose v1)    West US     sharea          Azure Active Directory Domain Services (Azure AD DS)
storage2  StorageV2 (general purpose v2)  East US     shareb, sharec  Disabled
storage3  BlobStorage                     East US 2   Not applicable  Not applicable
storage4  FileStorage                     Central US  shared          Azure Active Directory Domain Services (Azure AD DS)
Requirements
Planned Changes
Contoso plans to implement the following changes:
Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.
Create a storage account named storage5 and configure storage replication for the Blob service.
Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.
Priority  Port  Protocol  Source       Destination
500       3389  TCP       10.0.2.0/24  Any
1000      Any   ICMP      Any          Virtual Network
Associate NSG1 to the network interface of VM1.
Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.
Priority  Port  Protocol  Source       Destination      Action
200       3389  TCP       10.0.0.0/16  Virtual Network  Deny
400       Any   ICMP      10.0.2.0/24  10.0.1.0/24      Allow
Associate NSG2 to VNET1/Subnet2.
Technical Requirements
Contoso must meet the following technical requirements:
Create container1 and share1.
Use the principle of least privilege.
Create an Azure AD security group named Group4.
Back up the Azure file shares and virtual machines by using Azure Backup.
Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.
Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.
Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to
VNET1/Subnet1
Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.
Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only
permissions to the Azure file shares.
You need to back up the Azure file shares and virtual machines by using Azure Backup. Which type of backup should you configure for the file shares?
A. Snapshot
B. Incremental
C. Differential
D. Full
The correct answer is B) Incremental
Here’s why this is correct:
Key Technical Points:
Azure Backup for file shares uses incremental backup by default
First backup is full, subsequent backups are incremental
More efficient use of storage and network resources
Reduces backup time and costs
Azure Backup File Share Characteristics:
a) Backup Process:
Initial Backup: Full backup of all data
Subsequent Backups: Only changed blocks
Recovery Point Creation: Based on incremental changes
Storage Efficiency: Only stores delta changes
Important Notes for AZ-104 Exam:
a) Azure File Share Backup Features:
Supports Azure Files
Requires Storage Account integration
Uses Recovery Services vault
Supports schedule-based backups
b) Backup Types Understanding:
Full: Complete copy of data [1]
Incremental: Only changed blocks
Differential: Changes since last full backup
Snapshot: Point-in-time copy
Why Other Options are Wrong:
A) Snapshot:
Not a complete backup solution
Doesn’t provide long-term retention
Limited recovery options
C) Differential:
Not supported for Azure file shares
Less efficient than incremental
Would consume more storage
D) Full:
Only used for initial backup
Inefficient for regular backups
Unnecessary storage consumption
Key Implementation Considerations:
a) Requirements:
Recovery Services vault
Supported storage account
Proper permissions
Network connectivity
b) Limitations:
Storage account restrictions
Backup frequency limits
Retention period limits
Regional availability
Best Practices:
a) Backup Configuration:
Regular schedule
Appropriate retention
Monitoring
Testing restores
b) Performance Optimization:
Backup window planning
Network bandwidth consideration
Storage capacity planning
Recovery time objectives
Critical Exam Topics:
a) Azure Backup Components:
Recovery Services vault
Backup policies
Protection groups
Retention policies
b) Backup Operations:
Backup scheduling
Monitoring
Alerting
Recovery procedures
Remember for the Exam:
a) Azure File Share Backup Requirements:
Premium or Standard file shares
Storage account compatibility
Regional availability
Backup policy limits
b) Backup Policy Elements:
Schedule
Retention
Time zones
Consistency checks
Additional Important Notes:
a) Monitoring and Management:
Azure Portal
PowerShell
Azure CLI
REST API
b) Recovery Options:
Original location
Alternate location
Individual file recovery
Point-in-time recovery
Key Exam Focus Areas:
a) Technical Knowledge:
Backup types
Configuration requirements
Management tools
Recovery procedures
b) Operational Understanding:
Monitoring
Troubleshooting
Capacity planning
Cost optimization
For the AZ-104 exam, focus on:
Azure Backup Concepts:
Backup types [2]
Components
Requirements
Limitations
Implementation Knowledge:
Configuration steps
Policy settings
Monitoring
Recovery procedures
Management Skills:
Daily operations
Troubleshooting
Performance optimization
Cost management
Security Understanding:
Access control
Encryption
Network security
Compliance requirements
Existing Environment
Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD) tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD tenant.
The Azure AD tenant contains the users shown in the following table.
Name   Type    Role
User1  Member  None
User2  Guest   None
User3  Member  None
User4  Member  None
Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.
Name   Subnet            Peered with
VNET1  Subnet1, Subnet2  VNET2
VNET2  Subnet1           VNET1, VNET3
VNET3  Subnet1           VNET2
VNET4  Subnet1           None
User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table.
Name  IP address   Location    Connected to
VM1   10.0.1.4     West US     VNET1/Subnet1
VM2   10.0.2.4     West US     VNET1/Subnet2
VM3   172.16.1.4   Central US  VNET2/Subnet1
VM4   192.168.1.4  West US     VNET3/Subnet1
VM5   10.0.22.4    East US     VNET4/Subnet1
https://www.certification-questions.com
Microsoft AZ-104
No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.
Name      Kind                            Location    File share      Identity-access for
storage1  Storage (general purpose v1)    West US     sharea          Azure Active Domain Ser (Azure AD D
storage2  StorageV2 (general purpose v2)  East US     shareb, sharec  Disabled
storage3  BlobStorage                     East US 2   Not applicable  Not applicable
storage4  FileStorage                     Central US  shared          Azure Active Domain Ser (Azure AD D
Requirements
Planned Changes
Contoso plans to implement the following changes:
Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.
Create a storage account named storage5 and configure storage replication for the Blob service.
Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.
Priority  Port  Protocol  Source       Destination
500       3389  TCP       10.0.2.0/24  Any
1000      Any   ICMP      Any          Virtual Network
Associate NSG1 to the network interface of VM1.
Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.
Priority  Port  Protocol  Source       Destination      Action
200       3389  TCP       10.0.0.0/16  Virtual Network  Deny
400       Any   ICMP      10.0.2.0/24  10.0.1.0/24      Allow
Associate NSG2 to VNET1/Subnet2.
Technical Requirements
Contoso must meet the following technical requirements:
Create container1 and share1.
Use the principle of least privilege.
Create an Azure AD security group named Group4.
Back up the Azure file shares and virtual machines by using Azure Backup.
Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.
Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.
Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1.
Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.
Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only permissions to the Azure file shares.
Azure AD tenant contains:
User1: Member
User2: Guest
User3: Member
User4: Member
Q: Based on the user types in the environment, which statement is correct regarding User2’s access capabilities?
A) User2 can be assigned the same RBAC roles as member users
B) User2 cannot access any Azure resources by default
C) User2 has automatic access to all resources in Sub1
D) User2 cannot be added to Azure AD security groups
The correct answer is A) User2 can be assigned the same RBAC roles as member users
Here’s why this is correct:
Key Technical Points:
User2 is a Guest user in Azure AD [1]
Guest users can be assigned the same RBAC roles as member users
Guest access is controlled through Azure AD settings and RBAC [2]
Guest User Characteristics:
a) Default Capabilities:
Can be assigned RBAC roles
Can be added to security groups
Has restricted default permissions
Needs explicit access grants
b) Key Differences from Member Users:
More restricted default permissions
Limited directory visibility
Different authentication process
External identity source
Important Notes for AZ-104 Exam:
a) Guest User Management:
- Invitation process
- Access levels
- Permission assignment
- Security considerations
b) Azure AD B2B Collaboration:
Guest user invitation [3]
External identity federation
Access review
Conditional Access policies
Why Other Options are Wrong:
B) Incorrect: Guest users can access resources when granted permissions
C) Incorrect: No automatic access is granted
D) Incorrect: Guest users can be added to security groups
Critical Exam Concepts:
a) Guest User Access Levels:
Restricted
Limited
Same as member users
b) Security Considerations:
Conditional Access
Multi-Factor Authentication
Access Reviews
Identity Protection
Best Practices:
a) Guest Access Management:
Regular access reviews
Least privilege principle
Clear documentation
Monitoring and auditing
b) Security Controls:
Conditional Access policies
MFA enforcement
Session controls
Risk-based policies
Key Points for the Exam:
a) Guest User Properties:
External directory source
Invitation process
Access limitations
Permission inheritance
b) Administration Tasks:
Guest invitation
Role assignment
Group membership
Access review
Implementation Considerations:
a) Guest Access Configuration:
External collaboration settings
Guest invite settings
User permissions
Security controls
b) Monitoring and Compliance:
Activity logging
Access reviews
Compliance reporting
Security monitoring
Remember for the Exam:
Guest users can have same RBAC roles
Default permissions are restricted
Explicit permission assignment needed
Security group membership possible
Access review requirements
Conditional Access policies
Additional Important Notes:
Guest user limitations
Authentication methods
Directory role restrictions
Collaboration settings
Security best practices
For the AZ-104 exam, focus on:
Azure AD Concepts:
B2B collaboration
User types
Access management
Security controls
RBAC Understanding:
Role assignments
Scope levels
Permission inheritance
Access control
Security Knowledge:
Conditional Access
MFA requirements
Identity protection
Access reviews
Administration Skills:
User management
Permission assignment
Group management
Security configuration
Resource Group Access Control Context:
User1 manages resources in RG1
User4 manages resources in RG2
Need to implement least privilege principle
Q: Which built-in RBAC role should be assigned to User1 and User4 for their respective resource groups?
A) Owner at subscription level
B) Contributor at resource group level
C) Administrator at resource group level
D) Reader at resource group level
The correct answer is B) Contributor at resource group level
Here’s why this is correct:
Key Technical Points:
Requirement states “Use the principle of least privilege”
Users need to “manage resources” in their respective resource groups [1]
No mention of needing to manage access control or assign permissions [2]
Analysis of Built-in RBAC Roles: [3]
Contributor Role:
Can manage all resources
Cannot assign roles
Cannot manage permissions
Perfect fit for resource management without security control
Owner Role:
Full access including role assignment
Too much privilege for basic resource management
Violates least privilege principle
Reader Role:
Read-only access
Insufficient for resource management
Cannot make changes to resources
Important Notes for AZ-104 Exam:
a) Built-in Role Hierarchy (from most to least privileged):
Owner > Contributor > Reader
b) Key Role Permissions:
Owner: Full access + role assignment
Contributor: Full resource management, no RBAC
Reader: View-only access
Custom roles: Specific permissions as needed
c) Scope Levels (from broad to narrow):
Management Group > Subscription > Resource Group > Resource
Why Other Options are Wrong:
A) Owner at subscription level: Violates least privilege, too broad scope
C) Administrator: Not a standard built-in role for resource management
D) Reader: Insufficient permissions for resource management
Best Practices for RBAC:
Always apply least privilege principle
Assign roles at the most specific scope needed
Use built-in roles when possible
Document role assignments
Regular access reviews
Critical Exam Concepts:
a) Role Assignment Components:
Security principal (who)
Role definition (what)
Scope (where)
b) Important Role Characteristics:
Inheritance
Deny assignments
Role assignment limits
Scope considerations
Remember for the Exam:
Common built-in roles and their permissions
Role assignment scopes
Inheritance patterns
Security best practices
Management hierarchy
Role assignment process
Additional Key Points:
RBAC is additive (permissions combine)
Deny assignments override allows
Maximum 2000 role assignments per subscription
Changes can take up to 30 minutes to propagate
Custom roles require additional Azure AD Premium licenses
Troubleshooting Knowledge:
Access control (IAM) blade usage
Role assignment verification
Effective permissions checking
Activity logs for role changes
Common permission issues
Implementation Considerations:
Regular access reviews
Emergency access accounts
Break-glass procedures
Role assignment documentation
Compliance requirements
For the AZ-104 exam, focus on:
Understanding built-in roles
Scope levels and inheritance
Least privilege principle
Role assignment process
Common scenarios and solutions
Security best practices
Troubleshooting access issues
Role management tools and features
Requirements:
Create storage5
Configure storage replication for Blob service
Consider cost-effective solution
Q: Which replication option should you choose for storage5 to provide the minimum required redundancy while minimizing costs?
A) Geo-redundant storage (GRS)
B) Zone-redundant storage (ZRS)
C) Locally redundant storage (LRS)
D) Read-access geo-redundant storage (RA-GRS)
The correct answer is C) Locally redundant storage (LRS) [1]
Here’s why this is correct:
Key Technical Points:
LRS is the most cost-effective replication option
LRS maintains three synchronous copies of data in a single physical location
Provides 99.999999999% (11 nines) durability over a given year
Lowest cost redundancy option in Azure Storage
Storage Replication Options Comparison:
LRS (Locally Redundant Storage):
3 copies in single datacenter
Lowest cost
99.999999999% durability
Best for cost-sensitive dev/test scenarios
ZRS (Zone-redundant Storage):
3 copies across availability zones
Higher cost than LRS
Better availability than LRS
Good for high-availability needs
GRS (Geo-redundant Storage):
6 copies (3 primary + 3 secondary region)
Higher cost than ZRS
Better disaster recovery
Secondary region read-only after failover
RA-GRS (Read-access GRS):
Same as GRS plus read access to secondary
Highest cost option
Highest availability
Best for critical business data
Important Notes for AZ-104 Exam:
a) Replication Costs (Low to High):
LRS < ZRS < GRS < RA-GRS
b) Key Concepts to Remember:
Durability ratings
Regional vs. geo-redundancy
Synchronous vs. asynchronous replication
Cost implications
Use cases for each type
c) Storage Account Types and Supported Replication:
General Purpose v2: Supports all replication types
General Purpose v1: Limited replication options
BlockBlobStorage: All replication types
FileStorage: LRS and ZRS only
d) Best Practices:
Match replication type to business requirements
Consider compliance requirements
Balance cost vs. redundancy needs
Consider application availability requirements
Scenario Analysis:
Question asks for “minimum required redundancy”
Emphasizes “minimizing costs”
No specific high-availability requirements mentioned
No geo-redundancy requirements specified
Therefore, LRS is the most appropriate choice
Why Other Options are Wrong:
A) GRS: More expensive, exceeds minimum requirements
B) ZRS: More expensive, multi-zone redundancy not required
D) RA-GRS: Most expensive option, exceeds requirements
Additional Exam Tips:
Know the differences between replication types
Understand pricing implications
Be familiar with use cases for each type
Know availability and durability percentages
Understand regional vs. zonal vs. geo-replication
Know which storage account types support which replication options
Remember for the Exam:
Default replication type for new storage accounts
Conversion possibilities between replication types
Impact on storage account pricing
Regional availability of different replication options
Relationship between replication and storage account tier
Recovery Point Objective (RPO) and Recovery Time Objective (RTO) implications
This knowledge is crucial for the AZ-104 exam as storage configuration and cost optimization are key objectives in Azure administration.
Virtual Networks:
VNET1 (Subnet1, Subnet2)
VNET2 (Subnet1)
NSG2 to be associated with VNET1/Subnet2
Q: After implementing NSG2’s outbound rules, what will be the impact on VM2’s network communication?
A) VM2 cannot establish RDP connections to any VMs in VNET1
B) VM2 can only send ICMP traffic to Subnet1
C) VM2 cannot communicate with any resources in VNET2
D) VM2 can establish any outbound connection except RDP to 10.0.0.0/16
The correct answer is D) VM2 can establish any outbound connection except RDP to 10.0.0.0/16
Here’s why this is correct:
Analysis of NSG2’s Rules:
Priority 200: Deny TCP 3389 (RDP) from 10.0.0.0/16 to Virtual Network
Priority 400: Allow ICMP from 10.0.2.0/24 to 10.0.1.0/24
Key Technical Points:
NSG2 is associated with VNET1/Subnet2 where VM2 (10.0.2.4) is located [1]
The rule with priority 200 (lower number = higher priority) blocks RDP traffic to 10.0.0.0/16
All other traffic types are allowed by default NSG rules
The ICMP rule is specifically allowing ping from Subnet2 to Subnet1
Important Notes for AZ-104 Exam:
NSG Rule Processing:
Rules are processed in priority order (lowest to highest number)
Once a rule matches, processing stops
Default rules exist at priority 65000+
Custom rules should use priorities between 100 and 4096
NSG Default Rules:
Allow all traffic within the virtual network
Allow all outbound internet traffic
Deny all inbound internet traffic
These rules are lowest priority (65000+)
Key Concepts to Remember:
Rule Priority
Rule Processing Order
Default Rules
Implicit Denies vs Explicit Allows
Source/Destination addressing
Protocol specifications
Why Other Options are Wrong:
A) Incorrect because VM2 can establish RDP to VMs outside 10.0.0.0/16
B) Incorrect because other protocols besides ICMP are allowed by default rules
C) Incorrect because only RDP is blocked, not all communication
Important Exam Tips:
Always check rule priorities first
Consider default rules
Understand the difference between inbound and outbound rules
Know how subnet and NIC NSGs work together
Remember that more specific rules override general rules
Understand CIDR notation and IP addressing
Best Practices:
Use priority numbers with gaps (like 100, 200, 300) to allow for future rules
Document NSG rules clearly
Use service tags where possible
Consider using application security groups
Regular review of NSG rules for security
For the AZ-104 exam, focus on:
NSG rule evaluation order
Default rules and their priorities
Impact of multiple NSGs (subnet and NIC level)
Network protocol understanding (RDP, ICMP, etc.)
IP addressing and CIDR notation
Security rule components (priority, source, destination, action)
Requirements:
Back up Azure file shares
Back up virtual machines
Implement cost-effective solution
Q: What is the minimum backup retention period that must be configured for the Recovery Services vault to protect the specified resources?
A) 7 days
B) 14 days
C) 30 days
D) 180 days
For this question, the correct answer is C) 30 days.
Here’s why this is correct:
Key Technical Points:
Azure Backup has a mandatory minimum retention period of 30 days for all backup types [1]
This applies to both Azure VM backups and Azure File Share backups
This is a built-in requirement that cannot be overridden
Important Details for the AZ-104 Exam:
a) Recovery Services Vault Retention Policies: [2]
Daily backups: Minimum 7 days
Weekly backups: Minimum 1 week
Monthly backups: Minimum 1 month
Yearly backups: Minimum 1 year
BUT overall minimum retention period is 30 days regardless of backup frequency
b) Cost Considerations:
While the question asks for “cost-effective solution”, you cannot go below 30 days
Attempting to set lower retention periods will fail
This is a compliance and data protection requirement by Azure
c) Key Exam Points:
Remember the 30-day minimum for all Azure Backup scenarios
This applies across:
Azure VM backups
Azure File Share backups
Azure SQL Database backups
Azure Managed Disk backups
d) Additional Important Notes:
Maximum retention periods:
Daily and weekly backups: Up to 9999 days
Monthly backups: Up to 120 months
Yearly backups: Up to 99 years
Recovery Services vault can’t be deleted if it contains any backup data
Changing retention policy affects only new backups, not existing ones
Why Other Options are Wrong:
A) 7 days: Too short, below minimum requirement
B) 14 days: Too short, below minimum requirement
D) 180 days: While possible, not the minimum required period
For the AZ-104 exam, remember:
Always know the minimum retention periods for different Azure services
Understand that some minimums are non-negotiable for compliance reasons
Be familiar with backup policy configurations and their limitations
Know the difference between retention requirements for different backup frequencies (daily/weekly/monthly/yearly)
Understand the relationship between retention periods and costs