test12 Flashcards
Your company has an Azure subscription that includes a storage account, a resource group, a blob container and a file share.
A colleague named Jon Ross makes use of a solitary Azure Resource Manager (ARM) template to deploy a virtual machine and an additional Azure Storage account.
You want to review the ARM template that was used by Jon Ross.
Solution: You access the Resource Group blade.
Does the solution meet the goal?
A. Yes
B. No
The correct answer is B - No.
Here’s why:
While the Resource Group blade does show deployed resources, it doesn’t directly show you the actual ARM template that was used for deployment. The Resource Group blade primarily shows:
List of resources in the resource group
Resource group properties
Access control (IAM)
Tags
Overview of costs
Activity logs
To actually review the ARM template that was used, you would need to:
Go to the Resource Group
Click on “Deployments” in the left menu
Select the specific deployment
Click on “Template” to see the actual ARM template that was used
Important notes for AZ-104 exam:
ARM Template Review Methods:
Through Deployment History
Through Export Template feature
Through Activity Log
Key locations to find deployment information:
Deployments section in Resource Group
Activity Log
Template Specs service
Azure Portal’s Template Export feature
Best Practices:
Always save your ARM templates for future reference
Use version control for templates
Document template parameters and variables
Use template specs for organization-wide template management
Understand how to review deployment history for troubleshooting
ARM Template Components to know:
Parameters
Variables
Resources
Outputs
Functions
Dependencies
Remember that being able to review and understand ARM templates is a crucial skill for Azure administrators, as it’s essential for infrastructure as code (IaC) practices and troubleshooting deployment issues.
Your company has an Azure subscription that includes a storage account, a resource group, a blob container and a file share.
A colleague named Jon Ross makes use of a solitary Azure Resource Manager (ARM) template to deploy a virtual machine and an additional Azure Storage account.
You want to review the ARM template that was used by Jon Ross.
Solution: You access the Container blade.
Does the solution meet the goal?
A. Yes
B. No
B. No
Your company has a Microsoft Azure subscription.
The company has datacenters in Los Angeles and New York.
You are configuring the two datacenters as geo-clustered sites for site resiliency.
You need to recommend an Azure storage redundancy option.
You have the following data storage requirements:
✑ Data must be stored on multiple nodes.
✑ Data must be stored on nodes in separate geographic locations.
✑ Data can be read from the secondary location as well as from the primary location.
Which of the following Azure storage redundancy options should you recommend?
A. Geo-redundant storage
B. Read-only geo-redundant storage
C. Zone-redundant storage
D. Locally redundant storage
B. Read-only geo-redundant storage
Your company has an Azure Active Directory (Azure AD) tenant named weyland.com that is configured for hybrid coexistence with the on-premises Active Directory domain.
You have a server named DirSync1 that is configured as a DirSync server.
You create a new user account in the on-premises Active Directory. You now need to replicate the user information to Azure AD immediately.
Solution: You restart the NetLogon service on a domain controller.
Does the solution meet the goal?
A. Yes
B. No
B. No
Your company has three virtual machines (VMs) that are included in an availability set.
You try to resize one of the VMs, which returns an allocation failure message.
It is imperative that the VM is resized.
Which of the following actions should you take?
A. You should only stop one of the VMs.
B. You should stop two of the VMs.
C. You should stop all three VMs.
D. You should remove the necessary VM from the availability set.
C. You should stop all three VMs.
HOTSPOT
You have an Azure Storage account named storage1 that contains a blob container. The blob container has a default access tier of Hot. Storage1 contains a container named container1.
You create lifecycle management rules in storage1 as shown in the following table.
| Name | Rule scope | Blob type | Blob subtype | Rule block | Prefix match |
|---|---|---|---|---|---|
| Rule1 | Limit blobs by using filters. | Block blobs | Base blobs | If base blobs were not modified for two days, move to archive storage. <br> If base blobs were not modified for nine days, delete the blob. | container1/Dep1 |
| Rule2 | Apply to all blobs in storage1. | Block blobs | Base blobs | If base blobs were not modified for three days, move to cool storage. <br> If base blobs were not modified for nine days, move to archive storage. | Not applicable |
You perform the actions shown in the following table.
| Date | Action |
|---|---|
| October 1 | Upload three files named Dep1File1.docx, File2.docx, and File3.docx to container1. |
| October 2 | Edit Dep1File1.docx and File3.docx. |
| October 5 | Edit File2.docx. |
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Answer Area
| Statements | Yes | No |
|---|---|---|
| On October 10, you can read Dep1File1.docx. | ○ | ○ |
| On October 10, you can read File2.docx. | ○ | ○ |
| On October 10, you can read File3.docx. | ○ | ○ |
Let me analyze each file’s status on October 10 based on the rules and actions:
“On October 10, you can read Dep1File1.docx” Answer: NO
Why:
File is in container1/Dep1 path (matches Rule1)
Last modified on October 2
Rule1: After 2 days of no modification → moves to archive storage
By October 10, it’s been 8 days since last modification
File is in archive tier
Archive tier requires rehydration before reading
Cannot directly read archived files
“On October 10, you can read File2.docx” Answer: YES
Why:
File is not in Dep1 path (only Rule2 applies)
Last modified on October 5
Rule2: After 3 days → cool storage
By October 10, it’s been 5 days
File is in cool storage tier
Cool storage allows immediate read access
“On October 10, you can read File3.docx” Answer: YES
Why:
File is not in Dep1 path (only Rule2 applies)
Last modified on October 2
Rule2: After 3 days → cool storage
By October 10, it’s been 8 days
File is in cool storage tier
Cool storage allows immediate read access
Key Points:
Archive tier requires rehydration before reading
Cool tier allows immediate read access
Rule1 takes precedence for files in container1/Dep1
Rule2 applies to all other files
Time calculations are based on last modification date
You have an Azure subscription that contains the storage accounts shown in the following table.
| Name | Kind | Redundancy |
|---|---|---|
| storage1 | StorageV2 | Geo-zone-redundant storage (GZRS) |
| storage2 | BlobStorage | Read-access geo-redundant storage (RA-GRS) |
| storage3 | BlockBlobStorage | Zone-redundant storage (ZRS) |
You need to identify which storage accounts support lifecycle management, and which storage accounts support moving data to the Archive access tier.
Which storage accounts should you use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer Area
Lifecycle management:
storage1 only
storage2 only
storage1 and storage3 only
storage2 and storage3 only
storage1, storage2, and storage3
The Archive access tier:
storage1 only
storage2 only
storage1 and storage3 only
storage2 and storage3 only
storage1, storage2, and storage3
Which option is correct for each question in the answer area, and why?
- Lifecycle Management
Lifecycle management allows for automatic management of data lifecycle policies, including transitioning data between access tiers (e.g., Hot, Cool, Archive) and deleting data after a specified period.
Support for lifecycle management is as follows:
StorageV2: Supports lifecycle management.
BlobStorage: Supports lifecycle management.
BlockBlobStorage: Does not support lifecycle management.
From the table:
storage1 → StorageV2 → Supports lifecycle management ✅
storage2 → BlobStorage → Supports lifecycle management ✅
storage3 → BlockBlobStorage → Does not support lifecycle management ❌
Thus, the correct answer for lifecycle management is:
storage1 and storage2 only
- Archive Access Tier
The Archive access tier is used to store data that is rarely accessed and has very low storage costs but high retrieval costs.
Support for the Archive access tier is as follows:
StorageV2: Supports the Archive access tier.
BlobStorage: Supports the Archive access tier.
BlockBlobStorage: Supports the Archive access tier.
From the table:
storage1 → StorageV2 → Supports Archive access tier ✅
storage2 → BlobStorage → Supports Archive access tier ✅
storage3 → BlockBlobStorage → Supports Archive access tier ✅
Thus, the correct answer for Archive access tier is:
storage1, storage2, and storage3
Final Answer
Lifecycle management: storage1 and storage2 only
Archive access tier: storage1, storage2, and storage3
You have an Azure subscription. The subscription contains a storage account named storage1 that has the lifecycle management rules shown in the following table.
| Name | Blob prefix | If base blobs were last modified more than (days ago) | Then |
|:---|:---|:---|:---|
| Rule1 | container1/ | 3 days | Move to archive storage |
| Rule2 | Not applicable | 5 days | Move to cool storage |
| Rule3 | container2/ | 10 days | Delete the blob |
| Rule4 | container2/ | 15 days | Move to archive storage |
On June 1, you store two blobs in storage1 as shown in the following table.
| Name | Location | Access tier |
|:---|:---|:---|
| File1 | container1 | Hot |
| File2 | container2 | Hot |
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Answer Area
Statements
On June 6, File1 will be stored in the Cool access tier.
On June 1, File2 will be stored in the Cool access tier.
On June 16, File2 will be stored in the Archive access tier.
Which option is correct for each statement in the answer area? Why yes, or why no?
Let me help you analyze each statement based on the lifecycle management rules:
“On June 6, File1 will be stored in the Cool access tier.”
Answer: NO
Explanation:
File1 is in container1
Rule1 applies to container1/ and moves blobs to archive storage after 3 days
Rule2 (move to cool after 5 days) applies to all containers, but Rule1 will execute first
By June 6 (5 days later), File1 would already be in archive storage (moved there on June 4 by Rule1)
“On June 1, File2 will be stored in the Cool access tier.”
Answer: NO
Explanation:
This is the same day the file was stored
No lifecycle rules would trigger immediately
The file remains in its original Hot tier on the day it was created
“On June 16, File2 will be stored in the Archive access tier.”
Answer: NO
Explanation:
File2 is in container2
Rule3 applies to container2/ and deletes blobs after 10 days
Rule4 applies to container2/ and moves to archive after 15 days
By June 16 (15 days later), File2 would have already been deleted by Rule3 on June 11
Therefore, it cannot be moved to archive storage as it no longer exists
The key to understanding these answers is that:
Rules are evaluated in chronological order based on the number of days
Once a rule takes action on a blob, subsequent rules cannot affect it
If a blob is deleted by a rule, it cannot be affected by later rules
HOTSPOT
Overview
ADatum Corporation is a consulting firm that has a main office in Montreal and branch offices in Seattle and New York.
Existing Environment
Azure Environment
ADatum has an Azure subscription that contains three resource groups named RG1, RG2, and RG3.
The subscription contains the storage accounts shown in the following table.
| Name | Kind | Location | Hierarchical namespace | Container | File share |
|---|---|---|---|---|---|
| storage1 | StorageV2 | West US | Yes | cont1 | share1 |
| storage2 | StorageV2 | West US | No | cont2 | share2 |
The subscription contains the virtual machines shown in the following table.
| Name | Size | Operating system | Description |
|---|---|---|---|
| VM1 | A | Red Hat Enterprise Linux (RHEL) | Uses ephemeral OS disks |
| VM2 | A | Windows Server 2022 | Has a basic volume |
| VM3 | B | Red Hat Enterprise Linux (RHEL) | Uses standard SSDs |
| VM4 | M | Windows Server 2022 | Uses Write Accelerator disks |
| VM5 | E | Windows Server 2022 | Has a dynamic volume |
The subscription has an Azure container registry that contains the images shown in the following table.
| Name | Operating system |
|---|---|
| Image1 | Windows Server |
| Image2 | Linux |
The subscription contains the resources shown in the following table.
| Name | Description | In resource group |
|---|---|---|
| Workspace1 | Log Analytics workspace | RG1 |
| WebApp1 | Azure App Service web app | RG1 |
| VNet1 | Virtual network | RG2 |
| zone1.com | Azure Private DNS zone | RG3 |
The subscription contains an Azure key vault named Vault1.
Vault1 contains the certificates shown in the following table.
| Name | Content type | Key type | Key size |
|---|---|---|---|
| Cert1 | PKCS#12 | RSA | 2048 |
| Cert2 | PKCS#12 | RSA | 4096 |
| Cert3 | PEM | RSA | 2048 |
| Cert4 | PEM | RSA | 4096 |
Vault1 contains the keys shown in the following table.
| Name | Type | Description |
|---|---|---|
| Key1 | RSA | Has a key size of 4096 |
| Key2 | EC | Has Elliptic curve name set to P-256 |
ADatum has a Microsoft Entra tenant named adatum.com that is linked to the Azure subscription and contains the users shown in the following table.
| Name | Microsoft Entra role | Azure role |
|---|---|---|
| Admin1 | Global Administrator | None |
| Admin2 | Attribute Definition Administrator | None |
| Admin3 | Attribute Assignment Administrator | None |
| User1 | None | Reader for RG2 and RG3 |
The tenant contains the groups shown in the following table.
| Name | Type |
|---|---|
| Group1 | Security group |
| Group2 | Microsoft 365 group |
The adatum.com tenant has a custom security attribute named Attribute1.
ADatum plans to implement the following changes:
Configure a data collection rule (DCR) named DCR1 to collect only system events that have an event ID of 4648 from VM2 and VM4.
In storage1, create a new container named cont2 that has the following access policies:
o Three stored access policies named Stored1, Stored2, and Stored3
o A legal hold for immutable blob storage
Whenever possible, use directories to organize storage account content.
Grant User1 the permissions required to link Zone1 to VNet1.
Assign Attribute1 to supported adatum.com resources.
In storage2, create an encryption scope named Scope1.
Deploy new containers by using Image1 or Image2.
ADatum must meet the following technical requirements:
Use TLS for WebApp1.
Follow the principle of least privilege.
Grant permissions at the required scope only.
Ensure that Scope1 is used to encrypt storage services.
Use Azure Backup to back up cont1 and share1 as frequently as possible.
Whenever possible, use Azure Disk Encryption and a key encryption key (KEK) to encrypt the virtual machines.
You implement the planned changes for cont2.
HOTSPOT
After implementing the planned changes for DCR1, which event types will be collected from VM4?
Answer Area
All System events
Only System events with ID 4648
All Security events
Only Security events with ID 4648
Only System events with ID 4648
Case study: the same ADatum Corporation scenario as above.
HOTSPOT
Which Microsoft Entra role must be assigned to Admin2 to manage Attribute1?
Answer Area
Global Administrator
Attribute Definition Administrator
Attribute Assignment Administrator
Security Administrator
The correct answer is B - Attribute Definition Administrator
Here’s why:
Attribute Definition Administrator:
Has permissions to define and manage custom security attribute definitions
Can create, read, update, and delete custom security attribute definitions
Is the appropriate role for managing the attribute schema/definition
Why other options are incorrect:
A. Global Administrator:
While this role can manage attributes, it’s too broad
Violates the principle of least privilege
Not the most appropriate role for this specific task
C. Attribute Assignment Administrator:
Can only assign existing attributes to resources
Cannot create or manage attribute definitions
Wrong role for managing Attribute1’s definition
D. Security Administrator:
Too broad and doesn’t specifically focus on attribute management
Not the most appropriate role for this task
Violates the principle of least privilege
Important notes for AZ-104 exam:
Microsoft Entra Built-in Roles:
Know the differences between administrative roles
Understand role hierarchies
Remember which roles are needed for specific tasks
Custom Security Attributes:
Two main aspects: Definition and Assignment
Different roles for different aspects
Understanding of attribute lifecycle management
Role Assignment Best Practices:
Follow principle of least privilege
Assign at appropriate scope
Use built-in roles when possible
Understand role permissions
Key Concepts:
Attribute Definition vs Assignment
Role-based access control (RBAC)
Security principles
Administrative hierarchy
Administrative Tasks:
Creating attributes
Managing attribute definitions
Assigning attributes
Modifying existing attributes
Security Considerations:
Separation of duties
Principle of least privilege
Role inheritance
Scope of permissions
Role Differences:
Attribute Definition Administrator: Manages definitions
Attribute Assignment Administrator: Assigns values
Global Administrator: Has full access
Security Administrator: Manages security settings
Case study: the same ADatum Corporation scenario as above.
HOTSPOT
What is the minimum Azure role needed for User1 to link Zone1 to VNet1?
Answer Area
Private DNS Zone Contributor
Network Contributor
DNS Zone Contributor
Private DNS Zone Administrator
Private DNS Zone Contributor
Case study: the same ADatum Corporation scenario as above.
HOTSPOT
Which encryption type must be used for the virtual machines that support Azure Disk Encryption with KEK?
Answer Area
Server-side encryption
Client-side encryption
Double encryption
Infrastructure encryption
Server-side encryption
Case study: the same ADatum Corporation scenario as above.
HOTSPOT
What is the maximum backup frequency available for cont1 in storage1 using Azure Backup?
Answer Area
Every 4 hours
Every 6 hours
Every 12 hours
Every 24 hours
Every 4 hours
HOTSPOT
Overview
ADatum Corporation is a consulting firm that has a main office in Montreal and branch offices in Seattle and New York.
Existing Environment
Azure Environment
ADatum has an Azure subscription that contains three resource groups named RG1, RG2, and RG3.
The subscription contains the storage accounts shown in the following table.
Name | Kind | Location | Hierarchical namespace | Container | File share
storage1 | StorageV2 | West US | Yes | cont1 | share1
storage2 | StorageV2 | West US | No | cont2 | share2
The subscription contains the virtual machines shown in the following table.
Name | Size | Operating system | Description
VM1 | A | Red Hat Enterprise Linux (RHEL) | Uses ephemeral OS disks
VM2 | A | Windows Server 2022 | Has a basic volume
VM3 | B | Red Hat Enterprise Linux (RHEL) | Uses standard SSDs
VM4 | M | Windows Server 2022 | Uses Write Accelerator disks
VM5 | E | Windows Server 2022 | Has a dynamic volume
The subscription has an Azure container registry that contains the images shown in the following table.
Name | Operating system
Image1 | Windows Server
Image2 | Linux
The subscription contains the resources shown in the following table.
Name | Description | In resource group
Workspace1 | Log Analytics workspace | RG1
WebApp1 | Azure App Service web app | RG1
VNet1 | Virtual network | RG2
zone1.com | Azure Private DNS zone | RG3
The subscription contains an Azure key vault named Vault1.
Vault1 contains the certificates shown in the following table.
Name | Content type | Key type | Key size
Cert1 | PKCS#12 | RSA | 2048
Cert2 | PKCS#12 | RSA | 4096
Cert3 | PEM | RSA | 2048
Cert4 | PEM | RSA | 4096
Vault1 contains the keys shown in the following table.
Name | Type | Description
Key1 | RSA | Has a key size of 4096
Key2 | EC | Has Elliptic curve name set to P-256
ADatum has a Microsoft Entra tenant named adatum.com that is linked to the Azure subscription and contains the users shown in the following table.
Name | Microsoft Entra role | Azure role
Admin1 | Global Administrator | None
Admin2 | Attribute Definition Administrator | None
Admin3 | Attribute Assignment Administrator | None
User1 | None | Reader for RG2 and RG3
The tenant contains the groups shown in the following table.
Name | Type
Group1 | Security group
Group2 | Microsoft 365 group
The adatum.com tenant has a custom security attribute named Attribute1.
ADatum plans to implement the following changes:
- Configure a data collection rule (DCR) named DCR1 to collect only system events that have an event ID of 4648 from VM2 and VM4.
- In storage1, create a new container named cont2 that has the following access policies:
  - Three stored access policies named Stored1, Stored2, and Stored3
  - A legal hold for immutable blob storage
- Whenever possible, use directories to organize storage account content.
- Grant User1 the permissions required to link Zone1 to VNet1.
- Assign Attribute1 to supported adatum.com resources.
- In storage2, create an encryption scope named Scope1.
- Deploy new containers by using Image1 or Image2.
ADatum must meet the following technical requirements:
- Use TLS for WebApp1.
- Follow the principle of least privilege.
- Grant permissions at the required scope only.
- Ensure that Scope1 is used to encrypt storage services.
- Use Azure Backup to back up cont1 and share1 as frequently as possible.
- Whenever possible, use Azure Disk Encryption and a key encryption key (KEK) to encrypt the virtual machines.
You implement the planned changes for cont2.
HOTSPOT
Which certificate from Vault1 should be used for WebApp1's TLS configuration?
Answer Area
A. Cert1
B. Cert2
C. Cert3
D. Cert4
The correct answer is A - Cert1.
Here’s why:
Cert1 is the appropriate choice because:
It’s in PKCS#12 format, which is required for TLS certificates in App Service
PKCS#12 includes both the certificate and private key
2048-bit RSA key size is sufficient for TLS security
Why other options are incorrect:
B. Cert2:
While it’s PKCS#12, the 4096-bit key size is unnecessary
Would use more resources without significant security benefit
More expensive in terms of computational overhead
C. Cert3:
PEM format only
Not suitable for direct use in App Service
Would require conversion to PKCS#12
D. Cert4:
PEM format only
4096-bit key is unnecessary
Wrong format for App Service
Important notes for AZ-104 exam:
Certificate Requirements for App Service:
Must be in PKCS#12 format
Must include private key
Minimum 2048-bit key size
Must be valid and not expired
Must be uploaded to Azure Key Vault [1]
Key Vault Integration:
App Service can integrate with Key Vault
Managed identities for secure access
Certificate rotation capabilities
Centralized certificate management
TLS/SSL Configuration:
SNI SSL vs IP SSL
Private certificate requirements
Public certificate requirements
Certificate binding types
Certificate Formats:
PKCS#12 (.pfx) vs PEM
Understanding different key sizes
Import/export considerations
Format conversion requirements
Security Best Practices:
Regular certificate rotation
Proper key vault access control
Monitoring certificate expiration
Using managed identities
Key Concepts:
Certificate types
Key sizes and security implications
Certificate storage options
Access control and permissions
Cost Considerations:
Key size impact on performance
Certificate storage costs
Key Vault transaction costs
SSL binding costs
HOTSPOT
Overview
ADatum Corporation is a consulting firm that has a main office in Montreal and branch offices in Seattle and New York.
Existing Environment
Azure Environment
ADatum has an Azure subscription that contains three resource groups named RG1, RG2, and RG3.
The subscription contains the storage accounts shown in the following table.
Name | Kind | Location | Hierarchical namespace | Container | File share
storage1 | StorageV2 | West US | Yes | cont1 | share1
storage2 | StorageV2 | West US | No | cont2 | share2
The subscription contains the virtual machines shown in the following table.
Name | Size | Operating system | Description
VM1 | A | Red Hat Enterprise Linux (RHEL) | Uses ephemeral OS disks
VM2 | A | Windows Server 2022 | Has a basic volume
VM3 | B | Red Hat Enterprise Linux (RHEL) | Uses standard SSDs
VM4 | M | Windows Server 2022 | Uses Write Accelerator disks
VM5 | E | Windows Server 2022 | Has a dynamic volume
The subscription has an Azure container registry that contains the images shown in the following table.
Name | Operating system
Image1 | Windows Server
Image2 | Linux
The subscription contains the resources shown in the following table.
Name | Description | In resource group
Workspace1 | Log Analytics workspace | RG1
WebApp1 | Azure App Service web app | RG1
VNet1 | Virtual network | RG2
zone1.com | Azure Private DNS zone | RG3
The subscription contains an Azure key vault named Vault1.
Vault1 contains the certificates shown in the following table.
Name | Content type | Key type | Key size
Cert1 | PKCS#12 | RSA | 2048
Cert2 | PKCS#12 | RSA | 4096
Cert3 | PEM | RSA | 2048
Cert4 | PEM | RSA | 4096
Vault1 contains the keys shown in the following table.
Name | Type | Description
Key1 | RSA | Has a key size of 4096
Key2 | EC | Has Elliptic curve name set to P-256
ADatum has a Microsoft Entra tenant named adatum.com that is linked to the Azure subscription and contains the users shown in the following table.
Name | Microsoft Entra role | Azure role
Admin1 | Global Administrator | None
Admin2 | Attribute Definition Administrator | None
Admin3 | Attribute Assignment Administrator | None
User1 | None | Reader for RG2 and RG3
The tenant contains the groups shown in the following table.
Name | Type
Group1 | Security group
Group2 | Microsoft 365 group
The adatum.com tenant has a custom security attribute named Attribute1.
ADatum plans to implement the following changes:
- Configure a data collection rule (DCR) named DCR1 to collect only system events that have an event ID of 4648 from VM2 and VM4.
- In storage1, create a new container named cont2 that has the following access policies:
  - Three stored access policies named Stored1, Stored2, and Stored3
  - A legal hold for immutable blob storage
- Whenever possible, use directories to organize storage account content.
- Grant User1 the permissions required to link Zone1 to VNet1.
- Assign Attribute1 to supported adatum.com resources.
- In storage2, create an encryption scope named Scope1.
- Deploy new containers by using Image1 or Image2.
ADatum must meet the following technical requirements:
- Use TLS for WebApp1.
- Follow the principle of least privilege.
- Grant permissions at the required scope only.
- Ensure that Scope1 is used to encrypt storage services.
- Use Azure Backup to back up cont1 and share1 as frequently as possible.
- Whenever possible, use Azure Disk Encryption and a key encryption key (KEK) to encrypt the virtual machines.
You implement the planned changes for cont2.
HOTSPOT
What is required to implement the encryption scope Scope1 in storage2?
Answer Area
StorageV2 account type
Premium performance tier
Hierarchical namespace disabled
Hierarchical namespace enabled
The correct answer requires:
StorageV2 account type: Required ✓
Hierarchical namespace disabled: Required ✓
Premium performance tier: Not required ✘
Hierarchical namespace enabled: Not required ✘
Here’s why:
Requirements for creating an encryption scope:
StorageV2 account type is required because:
Encryption scopes are only supported on StorageV2 accounts
storage2 is already a StorageV2 account, so this requirement is met
Hierarchical namespace must be disabled because:
Encryption scopes are not compatible with hierarchical namespace (HNS)
From the scenario, storage2 already has HNS disabled, so this requirement is met
Why other options are incorrect:
Premium performance tier:
Not required for encryption scopes
Can work with both standard and premium tiers
Hierarchical namespace enabled:
Actually prevents encryption scopes from working
Contradicts the requirement for encryption scopes
Important notes for AZ-104 exam:
Storage Account Features:
Know the differences between storage account types
Understand feature compatibility
Remember which features work together and which don’t
Encryption Scope Requirements:
Only works with StorageV2 accounts
Not compatible with HNS
Can be used with both standard and premium performance tiers
Can be configured with either Microsoft-managed or customer-managed keys
Hierarchical Namespace (HNS):
Used for Azure Data Lake Storage Gen2
Enables folder-level operations
Has certain feature limitations
Not compatible with some storage features
Storage Account Types:
StorageV2 (General Purpose v2)
BlockBlobStorage
FileStorage
Storage (General Purpose v1)
Key Concepts:
Infrastructure encryption
Customer-managed keys
Microsoft-managed keys
Azure Key Vault integration
Best Practices:
Plan storage account features before creation
Understand feature compatibility
Consider security requirements
Follow the principle of least privilege
Remember that encryption scopes provide an additional layer of encryption management for blob storage, allowing you to manage encryption at the container or blob level.
HOTSPOT
Overview
ADatum Corporation is a consulting firm that has a main office in Montreal and branch offices in Seattle and New York.
Existing Environment
Azure Environment
ADatum has an Azure subscription that contains three resource groups named RG1, RG2, and RG3.
The subscription contains the storage accounts shown in the following table.
Name | Kind | Location | Hierarchical namespace | Container | File share
storage1 | StorageV2 | West US | Yes | cont1 | share1
storage2 | StorageV2 | West US | No | cont2 | share2
The subscription contains the virtual machines shown in the following table.
Name | Size | Operating system | Description
VM1 | A | Red Hat Enterprise Linux (RHEL) | Uses ephemeral OS disks
VM2 | A | Windows Server 2022 | Has a basic volume
VM3 | B | Red Hat Enterprise Linux (RHEL) | Uses standard SSDs
VM4 | M | Windows Server 2022 | Uses Write Accelerator disks
VM5 | E | Windows Server 2022 | Has a dynamic volume
The subscription has an Azure container registry that contains the images shown in the following table.
Name | Operating system
Image1 | Windows Server
Image2 | Linux
The subscription contains the resources shown in the following table.
Name | Description | In resource group
Workspace1 | Log Analytics workspace | RG1
WebApp1 | Azure App Service web app | RG1
VNet1 | Virtual network | RG2
zone1.com | Azure Private DNS zone | RG3
The subscription contains an Azure key vault named Vault1.
Vault1 contains the certificates shown in the following table.
Name | Content type | Key type | Key size
Cert1 | PKCS#12 | RSA | 2048
Cert2 | PKCS#12 | RSA | 4096
Cert3 | PEM | RSA | 2048
Cert4 | PEM | RSA | 4096
Vault1 contains the keys shown in the following table.
Name | Type | Description
Key1 | RSA | Has a key size of 4096
Key2 | EC | Has Elliptic curve name set to P-256
ADatum has a Microsoft Entra tenant named adatum.com that is linked to the Azure subscription and contains the users shown in the following table.
Name | Microsoft Entra role | Azure role
Admin1 | Global Administrator | None
Admin2 | Attribute Definition Administrator | None
Admin3 | Attribute Assignment Administrator | None
User1 | None | Reader for RG2 and RG3
The tenant contains the groups shown in the following table.
Name | Type
Group1 | Security group
Group2 | Microsoft 365 group
The adatum.com tenant has a custom security attribute named Attribute1.
ADatum plans to implement the following changes:
- Configure a data collection rule (DCR) named DCR1 to collect only system events that have an event ID of 4648 from VM2 and VM4.
- In storage1, create a new container named cont2 that has the following access policies:
  - Three stored access policies named Stored1, Stored2, and Stored3
  - A legal hold for immutable blob storage
- Whenever possible, use directories to organize storage account content.
- Grant User1 the permissions required to link Zone1 to VNet1.
- Assign Attribute1 to supported adatum.com resources.
- In storage2, create an encryption scope named Scope1.
- Deploy new containers by using Image1 or Image2.
ADatum must meet the following technical requirements:
- Use TLS for WebApp1.
- Follow the principle of least privilege.
- Grant permissions at the required scope only.
- Ensure that Scope1 is used to encrypt storage services.
- Use Azure Backup to back up cont1 and share1 as frequently as possible.
- Whenever possible, use Azure Disk Encryption and a key encryption key (KEK) to encrypt the virtual machines.
You implement the planned changes for cont2.
HOTSPOT
Which virtual machines can be encrypted using Azure Disk Encryption with KEK? Select all that apply:
VM1
VM2
VM3
VM4
VM5
Answer: VM2, VM3, VM5 (Windows Server and standard Linux VMs)
HOTSPOT
Overview
ADatum Corporation is a consulting firm that has a main office in Montreal and branch offices in Seattle and New York.
Existing Environment
Azure Environment
ADatum has an Azure subscription that contains three resource groups named RG1, RG2, and RG3.
The subscription contains the storage accounts shown in the following table.
Name | Kind | Location | Hierarchical namespace | Container | File share
storage1 | StorageV2 | West US | Yes | cont1 | share1
storage2 | StorageV2 | West US | No | cont2 | share2
The subscription contains the virtual machines shown in the following table.
Name | Size | Operating system | Description
VM1 | A | Red Hat Enterprise Linux (RHEL) | Uses ephemeral OS disks
VM2 | A | Windows Server 2022 | Has a basic volume
VM3 | B | Red Hat Enterprise Linux (RHEL) | Uses standard SSDs
VM4 | M | Windows Server 2022 | Uses Write Accelerator disks
VM5 | E | Windows Server 2022 | Has a dynamic volume
The subscription has an Azure container registry that contains the images shown in the following table.
Name | Operating system
Image1 | Windows Server
Image2 | Linux
The subscription contains the resources shown in the following table.
Name | Description | In resource group
Workspace1 | Log Analytics workspace | RG1
WebApp1 | Azure App Service web app | RG1
VNet1 | Virtual network | RG2
zone1.com | Azure Private DNS zone | RG3
The subscription contains an Azure key vault named Vault1.
Vault1 contains the certificates shown in the following table.
Name | Content type | Key type | Key size
Cert1 | PKCS#12 | RSA | 2048
Cert2 | PKCS#12 | RSA | 4096
Cert3 | PEM | RSA | 2048
Cert4 | PEM | RSA | 4096
Vault1 contains the keys shown in the following table.
Name | Type | Description
Key1 | RSA | Has a key size of 4096
Key2 | EC | Has Elliptic curve name set to P-256
ADatum has a Microsoft Entra tenant named adatum.com that is linked to the Azure subscription and contains the users shown in the following table.
Name | Microsoft Entra role | Azure role
Admin1 | Global Administrator | None
Admin2 | Attribute Definition Administrator | None
Admin3 | Attribute Assignment Administrator | None
User1 | None | Reader for RG2 and RG3
The tenant contains the groups shown in the following table.
Name | Type
Group1 | Security group
Group2 | Microsoft 365 group
The adatum.com tenant has a custom security attribute named Attribute1.
ADatum plans to implement the following changes:
- Configure a data collection rule (DCR) named DCR1 to collect only system events that have an event ID of 4648 from VM2 and VM4.
- In storage1, create a new container named cont2 that has the following access policies:
  - Three stored access policies named Stored1, Stored2, and Stored3
  - A legal hold for immutable blob storage
- Whenever possible, use directories to organize storage account content.
- Grant User1 the permissions required to link Zone1 to VNet1.
- Assign Attribute1 to supported adatum.com resources.
- In storage2, create an encryption scope named Scope1.
- Deploy new containers by using Image1 or Image2.
ADatum must meet the following technical requirements:
- Use TLS for WebApp1.
- Follow the principle of least privilege.
- Grant permissions at the required scope only.
- Ensure that Scope1 is used to encrypt storage services.
- Use Azure Backup to back up cont1 and share1 as frequently as possible.
- Whenever possible, use Azure Disk Encryption and a key encryption key (KEK) to encrypt the virtual machines.
You implement the planned changes for cont2.
HOTSPOT
What is the minimum role required to deploy containers using Image1 and Image2?
Answer Area
AcrPull
AcrPush
AcrDelete
AcrImageSigner
Answer: AcrPull