test14 Flashcards
DRAG DROP -
You have an Azure subscription that contains two on-premises locations named site1 and site2.
You need to connect site1 and site2 by using an Azure Virtual WAN.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct
order.
Select and Place:
Actions
Create a virtual hub.
Create VPN sites.
Connect the virtual networks to the hub.
Create a Virtual WAN resource.
Connect the VPN sites to the hub.
Answer Area
The correct sequence for connecting two on-premises locations using Azure Virtual WAN is:
Create a Virtual WAN resource
Create a virtual hub
Create VPN sites
Connect the VPN sites to the hub
Here’s why this sequence is correct:
Create a Virtual WAN resource:
First step because it’s the parent resource
Defines the overall WAN architecture
Required before creating any other components
Sets up the foundation for the network
Create a virtual hub:
Must have Virtual WAN first
Acts as the core connectivity point
Enables routing between connected networks
Required for site-to-site connectivity
Create VPN sites:
Represents your on-premises locations (site1 and site2) [1]
Defines connection parameters
Contains VPN device information
Must have hub to connect to
Connect the VPN sites to the hub:
Final step to establish connectivity
Links on-premises sites to the virtual hub
Enables communication between sites
Completes the network topology
Note: “Connect the virtual networks to the hub” is not needed in this scenario as we’re only connecting on-premises sites.
Important Notes for AZ-104 Exam:
Virtual WAN Components:
Virtual WAN resource
Virtual hubs
VPN sites
Site-to-site connections
Branch-to-branch connectivity
Key Concepts:
Hub-and-spoke topology
Regional virtual hubs
Automated routing
Scalable connectivity
Global transit network architecture
Best Practices:
Plan hub locations carefully
Consider bandwidth requirements
Configure proper routing
Implement security policies
Monitor connections
Remember:
Virtual WAN is the parent resource
Hubs are regional resources
VPN sites represent physical locations
Connections link sites to hubs
Design Considerations:
Hub location affects latency
Bandwidth capacity planning
Routing requirements
Security requirements
Scalability needs
Troubleshooting:
Check connection status
Verify routing tables
Monitor bandwidth usage
Review security policies
Validate configurations
For the exam:
Know the deployment sequence
Understand resource dependencies
Remember component relationships
Know configuration requirements
Understand connectivity options
This knowledge is crucial for:
Designing hybrid networks
Implementing global connectivity
Managing branch offices
Optimizing network performance
Ensuring secure communications
HOTSPOT -
You have the following custom role-based access control (RBAC) role.
```json
{
“id”: “b988327b-7dae-4d00-8925-1cc14fd68be4”,
“properties”: {
“roleName”: “Rolel”,
“description”: “”,
“assignableScopes”: [
“/subscriptions/c691ad84-99f2-42fd-949b-58afd7ef6ab3”
],
“permissions”: [
{
“actions”: [
“Microsoft.Resources/subscription/resourceGroups/resources/read”,
“Microsoft.Resources/subscription/resourceGroups/read”,
“Microsoft.Resourcehealth/”,
“Microsoft.Authorization//read”,
“Microsoft.Compute//read”,
“Microsoft.Support/”,
“Microsoft.Authorization//read”,
“Microsoft.Network/virtualNetworks/read”,
“Microsoft.Resources/deployments/”,
“Microsoft.Resources/subscription/resourceGroups/read”,
“Microsoft.Storage/storageAccounts/read”,
“Microsoft.Compute/virtualMachines/start/action”,
“Microsoft.Compute/virtualMachines/powerOff/action”,
“Microsoft.Compute/virtualMachines/deallocate/action”,
“Microsoft.Compute/virtualMachines/restart/action”,
“Microsoft.Compute/virtualMachines/”,
“Microsoft.Compute/disks/”,
“Microsoft.Compute/availabilitySets/”,
“Microsoft.Network/virtualNetworks/subnets/join/action”,
“Microsoft.Network/virtualNetworks/subnets/read”,
“Microsoft.Network/virtualNetworks/subnets/virtualMachines/read”,
“Microsoft.Network/networkInterfaces/”,
“Microsoft.Compute/snapshots/”
],
“notActions”: [
“Microsoft.Authorization//Delete”,
“Microsoft.Authorization/*/Write”,
“Microsoft.Authorization/elevateAccess/Action”
]
}
]
}
}
~~~
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Statements
Users that are assigned Role1 can assign Role1 to users.
Users that are assigned Role1 can deploy new virtual machines.
Users that are assigned Role1 can set a static IP address on a virtual machine.
Answer Area
Let’s analyze each statement based on the provided RBAC role:
Correct Answers:
“Users that are assigned Role1 can assign Role1 to users” Answer: NO Why:
The role has “Microsoft.Authorization//read” only
“notActions” explicitly blocks “Microsoft.Authorization//Write”
Role assignment requires write permissions
“Users that are assigned Role1 can deploy new virtual machines” Answer: NO Why:
While it has “Microsoft.Compute/virtualMachines/”
Deploying VMs also requires write permissions on multiple resources
No explicit create/write permissions for new VM deployment
“Users that are assigned Role1 can set a static IP address on a virtual machine” Answer: YES Why:
Has “Microsoft.Network/networkInterfaces/” permission
This allows managing network interface configurations
Can modify IP address settings
Important Notes for AZ-104 Exam:
Understanding RBAC Permissions:
Actions: Allowed operations [1]
notActions: Explicitly denied operations
wildcard includes all operations
Read vs Write permissions
Inheritance in resource hierarchies
Key Permission Concepts:
“actions”: [
“/read” // Read-only access
“/write” // Write access
“/delete” // Delete access
“/action” // Special operations
“/” // All operations
]
Copy
Insert at cursor
json
Common Permission Patterns:
Management operations need write access
Resource creation needs multiple permissions
Network configuration requires specific permissions
Role assignment requires authorization permissions
Best Practices:
Follow least privilege principle
Use built-in roles when possible
Carefully scope custom roles
Document role definitions
Regular access review
Remember:
Check both actions and notActions
Consider dependent resources
Verify required permissions
Understand permission inheritance
Check scope limitations
Critical Points:
Role assignment requires specific permissions
VM deployment needs multiple resource permissions
Network interface management permissions
Resource group scope considerations
Authorization limitations
For the exam:
Know how to read RBAC definitions
Understand permission requirements
Recognize permission dependencies
Know common management tasks
Understand scope levels
Common scenarios:
VM management
Network configuration
Resource deployment
Role assignments
Access management
HOTSPOT -
You configure the custom role shown in the following exhibit.
```json
{
“properties”: {
“roleName”: “rolel”,
“description”: “”,
“roletype”: “true”,
“assignableScopes”: [
“/subscriptions/3d6209d5-c714-4440-9556e-d6342086c2d7/”
],
“permissions”: [
{
“actions”: [
“Microsoft.Authorization//read”,
“Microsoft.Compute/availabilitySets/”,
“Microsoft.Compute/locations/”,
“Microsoft.Compute/virtualMachines/”,
“Microsoft.Compute/virtualMachineScaleSets/”,
“Microsoft.Compute/disks/write”,
“Microsoft.Compute/disks/read”,
“Microsoft.Compute/disks/delete”,
“Microsoft.Network/locations/”,
“Microsoft.Network/networkInterfaces/”,
“Microsoft.Network/networkSecurityGroups/join/action”,
“Microsoft.Network/networkSecurityGroups/read”,
“Microsoft.Network/publicIPAddresses/join/action”,
“Microsoft.Network/publicIPAddresses/read”,
“Microsoft.Network/virtualNetworks/read”,
“Microsoft.Network/virtualNetworks/subnets/join/action”,
“Microsoft.Resources/deployments/”,
“Microsoft.Resources/subscriptions/resourceGroups/read”,
“Microsoft.Support/*”
],
“notActions”: [],
“dataActions”: [],
“notDataActions”: []
}
]
}
}
~~~
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
To ensure that users can sign in to virtual machines that are
Answer Area
To ensure that users can sign in to virtual machines that are assigned role1, modify the [answer choice] section:
Dropdown options:
actions
roletype
notActions
dataActions
notDataActions
assignableScopes
To ensure that role1 can be assigned only to a resource group named RG1, modify the [answer choice] section:
Dropdown options:
actions
roletype
notActions
dataActions
notDataActions
assignableScopes
Let’s analyze each question based on the provided custom role definition:
To ensure that users can sign in to virtual machines that are assigned role1, modify the answer choice section:
Correct Answer: dataActions
Why:
Signing in to VMs requires data plane actions
dataActions section is used for data operations
Current role doesn’t have any dataActions defined
Need to add VM login permissions like “Microsoft.Compute/virtualMachines/login/action”
To ensure that role1 can be assigned only to a resource group named RG1, modify the answer choice section:
Correct Answer: assignableScopes
Why:
assignableScopes defines where the role can be assigned
Current scope is at subscription level
To restrict to a specific resource group, change to RG1’s resource ID
Format: “/subscriptions/<subscription-id>/resourceGroups/RG1"
Important Notes for AZ-104 Exam:
Role Definition Components:
actions: Control plane operations
notActions: Explicitly denied operations
dataActions: Data plane operations
notDataActions: Denied data operations
assignableScopes: Where role can be assigned
Key Concepts:
Control plane vs Data plane actions
Scope hierarchy (Management Group > Subscription > Resource Group > Resource)
Custom role limitations
Least privilege principle
VM Access Control:
VM login requires data plane access
Use dataActions for VM sign-in permissions
Example: "Microsoft.Compute/virtualMachines/login/action"
Scope Management:
Subscription scope: "/subscriptions/<id>"
Resource group scope: "/subscriptions/<id>/resourceGroups/<RG-name>"
Resource scope: "/subscriptions/<id>/resourceGroups/<RG-name>/providers/<provider>/<resource-type>/<resource-name>"
Best Practices:
Use built-in roles when possible
Limit custom role scope
Regularly review and update roles
Document custom role purposes
Follow least privilege principle
Remember:
dataActions for data plane operations
assignableScopes for role assignment limitations
Proper scope format is crucial
Consider inheritance in role assignments
For the exam:
Understand role definition structure
Know difference between actions and dataActions
Recognize scope formats
Understand role assignment process
Be familiar with common Azure resource providers
Common scenarios:
Creating custom roles
Managing VM access
Limiting role assignment scope
Troubleshooting permissions
Implementing least privilege access</resource-name></resource-type></provider></RG-name></id></RG-name></id></id></subscription-id>
HOTSPOT:
You have an Azure subscription that contains the resources shown in the following table:
Name Type Description
VNET1 Virtual network Contains subnet1 and subnet2
subnet1 Subnet IP address space 10.3.0.0/24
subnet2 Subnet IP address space 10.4.0.0/24
NSG1 Network security group(NS) None
vm1 Virtual machine IP address 10.3.0.15
vm2 Virtual machine IP address 10.4.0.16
storage1 Storage account None
NSG1 is configured as shown in the following exhibit:
Inbound security rules:
Priority Name Port Protocol Source Destination Action
110 HTTPS_VM1_Deny 443 TCP Internet 10.3.0.15 Deny
65000 AllowVnetInBound Any Any VirtualNetwork VirtualNetwork Allow
65001 AllowAzureLoadBalancerInBound Any Any AzureLoadBalancer Any Allow
65500 DenyAllInBound Any Any Any Any Deny
Outbound security rules:
Priority Name Port Protocol Source Destination Action
145 Storage_Access 443 TCP VirtualNetwork Storage Allow
150 Block_Internet Any Any VirtualNetwork Internet Deny
65000 AllowVnetOutBound Any Any VirtualNetwork VirtualNetwork Allow
65001 AllowInternetOutBound Any Any Any Internet Allow
65500 DenyAllOutBound Any Any Any Any Deny
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Answer Area
Statements Yes No
VM1 can access storage1. ( ) ( )
VM2 can access VM1 by using the HTTPS protocol. ( ) ( )
The security rules for NSG1 apply to any virtual machine on VNET1. ( ) ( )
Analyzing NSG1 Rules
Inbound Rules:
110 - HTTPS_VM1_Deny: Denies inbound HTTPS (port 443, TCP) from the Internet to 10.3.0.15 (VM1).
65000 - AllowVnetInBound: Allows inbound traffic within the virtual network.
65001 - AllowAzureLoadBalancerInBound: Allows inbound traffic from the Azure Load Balancer.
65500 - DenyAllInBound: Denies all inbound traffic.
Outbound Rules:
145 - Storage_Access: Allows outbound HTTPS (port 443, TCP) from the virtual network to Storage.
150 - Block_Internet: Denies all outbound traffic to the internet from the virtual network.
65000 - AllowVnetOutBound: Allows outbound traffic within the virtual network.
65001 - AllowInternetOutBound: Allows outbound traffic to the internet.
65500 - DenyAllOutBound: Denies all outbound traffic.
Analyzing the Statements
“VM1 can access storage1.”
Analysis: VM1 can access the storage account because of outbound rule 145 (Storage_Access) which allows traffic to any storage account on port 443.
Answer: Yes
“VM2 can access VM1 by using the HTTPS protocol.”
Analysis: The inbound rule HTTPS_VM1_Deny blocks inbound HTTPS traffic from the internet to VM1. There is no other rule that allows HTTPS, even from within the virtual network. There is also no indication that NSG1 applies to the subnet of VM2.
Answer: No
“The security rules for NSG1 apply to any virtual machine on VNET1.”
Analysis: There is no indication that the NSG is applied to the subnet, therefore, the rules are not applied to any virtual machines. The prompt states that NSG1 is not applied to any subnet, but to an undefined resource.
Answer: No
Answer Area:
Statements Yes No
VM1 can access storage1. Yes
VM2 can access VM1 by using the HTTPS protocol. No
The security rules for NSG1 apply to any virtual machine on VNET1. No
You have an Azure subscription named Sub1 that contains the resources shown in the following table.
|—|—|
| MG1 | Management group |
| RG1 | Resource group |
| VM1 | Virtual machine |
You create a user named Admin1.
To what can you add Admin1 as a co-administrator?
A. RG1
B. MG1
C. Sub1
D. VM1
Name | Type |
The correct answer is C: Sub1 (Subscription)
Let’s analyze why:
Why C (Sub1) is correct:
Co-administrator is a legacy Azure role
Can only be assigned at subscription level
Still supported but Microsoft recommends using RBAC roles
Provides full access to all resources in subscription
Why other options are incorrect:
A. RG1 (Resource Group):
Uses RBAC roles, not co-administrator
Cannot assign co-administrator at resource group level
Should use Owner/Contributor RBAC roles instead
B. MG1 (Management Group):
Uses RBAC roles only
Co-administrator concept doesn’t exist at this level
Requires specific RBAC roles for management
D. VM1 (Virtual Machine):
Resource level uses RBAC
Co-administrator can’t be assigned to individual resources
Requires specific RBAC roles for management
Important Notes for AZ-104 Exam:
Classic Administrator Roles:
Account Administrator
Service Administrator
Co-Administrator
Only at subscription level
Legacy authentication model
Modern RBAC Roles:
- Owner
- Contributor
- Reader
- Custom roles
Copy
Insert at cursor
plaintext
Scope Hierarchy:
Management Groups
└── Subscriptions
└── Resource Groups
└── Resources
Copy
Insert at cursor
plaintext
Best Practices:
Use RBAC instead of classic roles
Follow least privilege principle
Regular access review
Document role assignments
Use built-in roles when possible
Remember:
Co-administrator is legacy
Subscription-level only
Cannot be used at other scopes
RBAC is preferred method
Consider security implications
Key Concepts:
Role assignment scope
Authentication models
Access control hierarchy
Permission inheritance
Security best practices
For the exam:
Understand classic vs RBAC roles
Know scope limitations
Remember co-admin restrictions
Understand role inheritance
Know best practices
Common scenarios:
Access management
Role assignments
Permission delegation
Security implementation
Resource management
Additional Tips:
Migration from Classic:
Plan migration to RBAC
Review existing permissions
Document changes
Test access
Security Considerations:
Limit co-admin usage
Regular access review
Monitor role assignments
Implement least privilege
Document assignments
Troubleshooting:
Check scope levels
Verify role assignments
Review inheritance
Check effective permissions
Monitor access logs
You have a Microsoft 365 tenant and an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to grant three users named User1, User2, and User3 access to a temporary Microsoft SharePoint document library named Library1.
You need to create groups for the users. The solution must ensure that the groups are deleted automatically after 180 days.
Which two groups should you create? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. a Microsoft 365 group that uses the Assigned membership type
B. a Security group that uses the Assigned membership type
C. a Microsoft 365 group that uses the Dynamic User membership type
D. a Security group that uses the Dynamic User membership type
E. a Security group that uses the Dynamic Device membership type
For this scenario, the correct answers are:
A. a Microsoft 365 group that uses the Assigned membership type
C. a Microsoft 365 group that uses the Dynamic User membership type
Here’s why these are correct:
Microsoft 365 Groups (both A and C) are the better choice because: [1]
They are specifically designed for collaboration scenarios like SharePoint document libraries
They provide integrated access to SharePoint resources
They support expiration policies (the 180-day requirement)
They include additional collaboration features like shared mailbox and calendar
Both Assigned and Dynamic User membership types work because:
Assigned membership (A) allows manual addition of the three specific users
Dynamic membership (C) can be configured with rules to automatically add/remove users based on attributes
Key points to remember for the AZ-104 exam:
Group Expiration:
Only Microsoft 365 groups support automatic expiration policies
Security groups don’t have built-in expiration capabilities
Group expiration requires Azure AD Premium P1 license
Membership Types:
Assigned: Manual user management
Dynamic User: Automatically adds/removes users based on attributes
Dynamic Device: Only for device management (why option E is incorrect)
Important Distinctions:
Security groups (B, D, E) are primarily for permissions and access control
Microsoft 365 groups are designed for collaboration scenarios
Dynamic Device membership (E) is not suitable for user access to SharePoint
License Requirements:
Dynamic group membership requires Azure AD Premium P1
Group expiration policies require Azure AD Premium P1
Basic Azure AD doesn’t support these advanced features
Remember that for SharePoint collaboration scenarios, Microsoft 365 groups are generally the preferred choice as they provide integrated access to collaboration tools and support expiration policies.
HOTSPOT
You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains the users shown in the following table:
Name Member of Role assigned
User1 Group1 None
User2 Group2 None
User3 Group1, Group2 User administrator
You enable password reset for contoso.onmicrosoft.com as shown in the Password Reset exhibit.
(Click the Password Reset tab.)
Self-service password reset enabled
None
Selected
All (Selected)
Select group
Group2
(Options displayed for groups)
Number of methods required to reset
1
2 (Selected)
Methods available to users
Mobile app notification
Mobile app code
Email
Mobile phone
Office phone
Security questions
Number of questions required to register
3
4
5 (Selected)
Number of questions required to reset
3 (Selected)
4
5
Select security questions
10 security questions selected.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Answer Area
Statements Yes No
After User2 answers three security questions correctly, he can reset his password immediately. ( ) ( )
If User1 forgets her password, she can reset the password by using the mobile phone app. ( ) ( )
User3 can add security questions to the password reset process. ( ) ( )
Analyzing the Statements
“After User2 answers three security questions correctly, he can reset his password immediately.”
Analysis: User2 is a member of Group2. SSPR is enabled for Group2. However, the requirement is that a user must authenticate using 2 methods. Even if user 2 answers the three security questions correctly, he would not be able to reset the password immediately, as a second authentication method is required.
Answer: No
“If User1 forgets her password, she can reset the password by using the mobile phone app.”
Analysis: User1 is not a member of Group2. SSPR is enabled for members of Group2 only. Therefore, User1 cannot use self-service password reset.
Answer: No
“User3 can add security questions to the password reset process.”
Analysis: User3 is a member of Group2. User 3 also has the User administrator role, however this does not grant the ability to manage the password reset process. The self-service password reset is set at a tenant level and cannot be modified on a per user basis. The user can add security questions for themselves , but not for the password reset process.
Answer: No
Answer Area
Statements Yes No
After User2 answers three security questions correctly, he can reset his password immediately. No
If User1 forgets her password, she can reset the password by using the mobile phone app. No
User3 can add security questions to the password reset process. No
Name | Service tier |
You have an Azure subscription that has the Azure container registries shown in the following table.
|—|—|
| ContReg2 | Standard |
| ContReg3 | Basic |
You plan to use ACR Tasks and configure private endpoint connections.
Which container registries support ACR Tasks and private endpoints? To answer, select the appropriate options in the answer area
NOTE: Each correct selection is worth one point.
Answer Area
ACR Tasks:
ContReg1 only
ContReg1 and ContReg2 only
ContReg1, ContReg2, and ContReg3
Private endpoints:
ContReg1 only
ContReg1 and ContReg2 only
ContReg1, ContReg2, and ContReg3
| ContReg1 | Premium |
Understanding Azure Container Registry (ACR)
ACR Service Tiers: ACR offers different service tiers (Basic, Standard, Premium) that have varying capabilities.
ACR Tasks: A feature that allows you to automate container image builds, pushes, and other actions within ACR.
Private Endpoints: Allow secure access to ACR resources from within a virtual network, without exposing them to the public internet.
Analyzing the ACR Service Tiers
Basic: The most basic tier, suitable for development/testing with limited capabilities.
Standard: A mid-range tier, provides good performance and scalability for most production scenarios.
Premium: The highest tier, offers geo-replication, enhanced throughput and features, and is suitable for mission critical deployments.
Analyzing ACR Tasks and Private Endpoint Support
ACR Tasks:
Supported in the Standard and Premium service tiers.
Not supported in the Basic tier.
Private Endpoints:
Supported in the Standard and Premium service tiers.
Not supported in the Basic tier.
Determining Supported Registries
Based on the support for the different service tiers, let’s determine which registries support ACR Tasks and private endpoints:
ContReg1 (Premium): Supports both ACR Tasks and private endpoints.
ContReg2 (Standard): Supports both ACR Tasks and private endpoints.
ContReg3 (Basic): Does not support ACR Tasks or private endpoints.
Answer Area:
ACR Tasks:
ContReg1 and ContReg2 only
Private endpoints:
ContReg1 and ContReg2 only
You have an Azure subscription named Subscription1 that has the following providers registered:
✑ Authorization
✑ Automation
✑ Resources
✑ Compute
✑ KeyVault
✑ Network
✑ Storage
✑ Billing
✑ Web
Subscription1 contains an Azure virtual machine named VM1 that has the following configurations:
✑ Private IP address: 10.0.0.4 (dynamic)
✑ Network security group (NSG): NSG1
✑ Public IP address: None
✑ Availability set: AVSet
✑ Subnet: 10.0.0.0/24
✑ Managed disks: No
✑ Location: East US
You need to record all the successful and failed connection attempts to VM1.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Enable Azure Network Watcher in the East US Azure region.
B. Add an Azure Network Watcher connection monitor.
C. Register the MicrosoftLogAnalytics provider.
D. Create an Azure Storage account.
E. Register the Microsoft.Insights resource provider.
F. Enable Azure Network Watcher flow logs.
The correct answers are:
A. Enable Azure Network Watcher in the East US Azure region
D. Create an Azure Storage account
F. Enable Azure Network Watcher flow logs
Let’s break down why these are correct:
A. Enable Azure Network Watcher in the East US Azure region
Network Watcher must be enabled in the region where you want to monitor resources
It’s a prerequisite for using flow logs
Must be in the same region as VM1 (East US)
D. Create an Azure Storage account
Flow logs require a storage account to store the log data
This is where the connection attempts will be recorded
Storage account is mandatory for flow logs configuration
F. Enable Azure Network Watcher flow logs
Flow logs capture inbound and outbound IP traffic information
They record all allowed and denied network traffic
Provides detailed information about connection attempts [1]
Why other options are incorrect:
B. Add an Azure Network Watcher connection monitor
Connection monitor is for monitoring connectivity between endpoints
Not used for recording connection attempts
C. Register the MicrosoftLogAnalytics provider
Not required for flow logs functionality
Used for Log Analytics workspace integration
E. Register the Microsoft.Insights resource provider
Not required for flow logs
Used for Azure Monitor insights and metrics
Important notes for AZ-104 exam:
Network Watcher Components:
Must be enabled per region
Required for network monitoring features
Free service but associated features may have costs
Flow Logs:
NSG flow logs are a feature of Network Watcher
Capture IP traffic flowing through NSGs
Version 2 provides additional fields and capabilities
Can integrate with Log Analytics
Storage Requirements:
Storage account is mandatory for flow logs
Can use general-purpose v1 or v2
Should be in same region for best performance
Consider retention period settings
Resource Providers:
Know which providers are needed for different services
Some providers are registered by default
Others need manual registration
Monitoring Capabilities:
Understand different monitoring options
Know when to use flow logs vs other monitoring tools
Understand retention and storage requirements
Security Considerations:
Flow logs provide security insights
Help with troubleshooting network issues
Important for compliance and auditing
Cost Considerations:
Storage costs for flow logs
Data retention impact on costs
Network Watcher feature costs
Remember:
Flow logs work at NSG level
Required components: Network Watcher, Storage Account, Flow Logs
Logs capture both successful and failed connections
Configuration must be in same region as resources
Consider retention period and storage costs
This question tests understanding of:
Network monitoring requirements
Flow logs configuration
Required Azure components
Resource provider knowledge
Your company has two on-premises servers named SRV01 and SRV02. Developers have created an application that runs on SRV01. The application calls a service on SRV02 by IP address.
You plan to migrate the application on Azure virtual machines (VMs). You have configured two VMs on a single subnet in an Azure virtual network.
You need to configure the two VMs with static internal IP addresses.
What should you do?
A. Run the New-AzureRMVMConfig PowerShell cmdlet.
B. Run the Set-AzureSubnet PowerShell cmdlet.
C. Modify the VM properties in the Azure Management Portal.
D. Modify the IP properties in Windows Network and Sharing Center.
E. Run the Set-AzureStaticVNetIP PowerShell cmdlet.
The correct answer is C: Modify the VM properties in the Azure Management Portal
Here’s why:
Why C is correct:
You can configure static private IP addresses directly in the Azure Portal
This is done through the VM’s networking settings
It’s the most straightforward and recommended approach
Changes are properly registered with Azure’s infrastructure
Why other options are incorrect:
A. New-AzureRMVMConfig
This cmdlet is used for creating new VM configurations
Not used for modifying existing VM IP addresses
Outdated cmdlet (RM version)
B. Set-AzureSubnet
Used for subnet configuration
Doesn’t directly set VM IP addresses
Classic (older) deployment model cmdlet
D. Modify the IP properties in Windows Network and Sharing Center
Changes made within the OS are not persistent
Doesn’t properly register with Azure infrastructure
Could cause conflicts with Azure’s network management
E. Set-AzureStaticVNetIP
This is a classic (older) deployment model cmdlet
Not applicable for modern Azure Resource Manager VMs
Important notes for AZ-104 exam:
Static IP Address Configuration:
Can be done through Azure Portal, PowerShell, CLI, or ARM templates
Must be within the subnet’s address range
Can be set during or after VM creation
Preserves IP address even after VM restart
IP Address Types:
Dynamic: Default allocation method [1]
Static: Fixed IP address
Understanding difference between public and private IPs
Know when to use each type
Networking Concepts:
VMs in same subnet can communicate by default
IP addresses must be unique within VNet
Understand DHCP vs Static allocation
Know subnet address ranges
Best Practices:
Use Azure Portal for simple configurations
Use automation for bulk operations
Document IP assignments
Consider IP address planning
PowerShell/CLI Knowledge:
Know modern Azure PowerShell commands
Understand difference between classic and ARM cmdlets
Be familiar with basic networking commands
Portal Navigation:
Know where to find networking settings
Understand VM configuration options
Know how to modify existing settings
Important Considerations:
IP address must be within subnet range
Cannot change IP while VM is running
Plan IP addressing scheme carefully
Consider future growth
Troubleshooting:
Verify subnet address ranges
Check for IP conflicts
Understand how to verify configurations
Know how to validate connectivity
Modern approaches for the same task:
Azure Portal:
VM > Networking > Network Interface > IP configurations > Static
Copy
Insert at cursor
text
Azure PowerShell (modern):
$nic = Get-AzNetworkInterface -Name “NICname” -ResourceGroupName “RGname”
$nic.IpConfigurations[0].PrivateIpAllocationMethod = “Static”
$nic.IpConfigurations[0].PrivateIpAddress = “10.0.0.4”
Set-AzNetworkInterface -NetworkInterface $nic
Copy
Insert at cursor
powershell
Azure CLI:
az network nic ip-config update –name ipconfig1 –nic-name NICname –resource-group RGname –private-ip-address 10.0.0.4
Copy
Insert at cursor
bash
Remember:
Always use current Azure tools and methods
Plan IP addressing carefully
Document changes
Verify configurations after changes
Consider impact on running applications
You have an Azure subscription that contains a storage account named storage1. The storage1 account contains a container named container1.
You need to configure access to container1. The solution must meet the following requirements:
* Only allow read access.
* Allow both HTTP and HTTPS protocols.
* Apply access permissions to all the content in the container.
What should you use?
A. an access policy
B. a shared access signature (SAS)
C. Azure Content Delivery Network (CDN)
D. access keys
The correct answer is A: an access policy
Here’s why:
Why A (access policy) is correct:
Can configure read-only access at container level
Supports both HTTP and HTTPS protocols
Applies to all content within the container
Can be configured through container access level settings
Provides consistent access rules for all objects
Why other options are incorrect:
B. Shared Access Signature (SAS)
More suitable for temporary access
Requires management of tokens
Better for granular control
Not ideal for permanent public read access
C. Azure Content Delivery Network (CDN)
Used for content delivery optimization
Doesn’t directly control access permissions
Additional service with different purpose
More complex than needed for this scenario
D. Access Keys
Provides full access to storage account
Cannot limit to read-only
Too broad in scope
Not suitable for public access
Important notes for AZ-104 exam:
Container Access Levels:
Private (default): No anonymous access
Blob: Anonymous read access for blobs only
Container: Anonymous read access for container and blobs
Know when to use each level
Access Policy Configuration:
# PowerShell
Set-AzStorageContainerAcl -Name “container1” -Permission Blob
Copy
Insert at cursor
powershell
# Azure CLI
az storage container set-permission –name container1 –public-access blob
Copy
Insert at cursor
bash
Security Considerations:
Always use least privilege principle
Monitor access patterns
Regular security audits
Consider using HTTPS only when sensitive
Authentication Methods:
Access Keys (full access)
SAS (temporary, granular)
Azure AD (identity-based)
Anonymous (public access)
Best Practices:
Document access configurations
Regular review of access policies
Monitor usage patterns
Use secure transfer when needed
Protocol Considerations:
HTTPS: Secure transfer
HTTP: Less secure but faster
When to allow both
Default security settings
Important Features:
Audit logging
Metrics monitoring
Access tracking
Security recommendations
Implementation Steps:
Navigate to storage account
Select container
Access level settings
Choose appropriate level
Apply and verify
Monitoring and Management:
Regular access review
Usage monitoring
Cost implications
Performance impact
Compliance Considerations:
Data privacy requirements
Security standards
Industry regulations
Audit requirements
Example Portal Configuration:
Go to Storage Account
Select Containers
Select container1
Access Level > Container
Save changes
Remember:
Access policies are persistent
Apply to all content in container
Simple to manage
Cost-effective solution
Suitable for public read access
Key Exam Tips:
Know different access levels
Understand security implications
Remember protocol options
Know configuration methods
Understand use cases for each option
Be familiar with monitoring options
Know best practices
Understand compliance requirements
This scenario tests understanding of:
Storage access control
Security configurations
Protocol settings
Access management options
DRAG DROP -
You have a Microsoft Entra tenant.
You need to ensure that when a new Microsoft 365 group is created, the group name is automatically formatted as follows:<Department><Group name>
Which three actions should you perform in sequence in the Microsoft Entra admin center? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Actions Answer Area
Set Add suffix to Attribute.
Create a group naming policy.
Set Add prefix to Attribute.
Set Add suffix to String.
Set Add prefix to String.
Set Select type to Department.
Customize the company branding.
The correct sequence is:
Create a group naming policy
Set Add prefix to Attribute
Set Select type to Department
Here’s why this sequence is correct:
First: Create a group naming policy
This is the initial step to establish naming conventions
Must be done before configuring specific rules
Creates the framework for naming standards
Second: Set Add prefix to Attribute
Configures where the attribute will be placed (at the start)
Prepares for the Department attribute to be used
Establishes the first part of the naming format
Third: Set Select type to Department
Specifies which attribute (Department) will be used
Completes the configuration for the prefix
Ensures department name will appear first
Why other options are incorrect:
“Set Add suffix to Attribute” - Not needed as department should be prefix
“Set Add suffix to String” - Not required for this format
“Set Add prefix to String” - We need an attribute, not a static string
“Customize the company branding” - Not related to group naming
Important notes for AZ-104 exam:
Group Naming Policies:
Require Azure AD Premium P1 license
Apply to Microsoft 365 groups only
Can use both prefixes and suffixes
Can combine strings and attributes
Policy Components:
Prefix/suffix rules
Blocked words
Custom blocked words
Fallback policy options
Attributes Available:
Department
Company
Office
State or province
Country or region
Location
Implementation Considerations:
Case sensitivity
Special characters
Length limitations
Blocked terms
Configuration Steps:
# PowerShell example
Connect-AzureAD
$template = @{
Prefixes=@{
Type=”Attribute”
Value=”Department”
}
}
Set-AzureADDirectorySettingTemplate -Setting $template
Copy
Insert at cursor
powershell
Best Practices:
Plan naming convention carefully
Document policy decisions
Test before full implementation
Consider future needs
Limitations:
Cannot modify existing groups
Only affects new group creation
Some characters not supported
Maximum length restrictions
Management Tasks:
Regular policy review
Monitor compliance
Update as needed
Handle exceptions
Key Exam Tips:
Remember the Order:
Policy creation first
Prefix/suffix configuration
Attribute selection
Know Available Options:
Attributes vs. Strings
Prefix vs. Suffix
Supported attributes
Configuration limits
Understand Requirements:
License requirements
Scope of application
Implementation impact
Management needs
Configuration Details:
Where to find settings
How to implement
Testing procedures
Validation methods
Troubleshooting:
Common issues
Resolution steps
Policy conflicts
Error messages
Remember:
Policies affect new groups only
Premium license required
Plan before implementing
Test thoroughly
Document decisions
Monitor compliance
This question tests understanding of:
Group naming policies
Configuration sequence
Attribute usage
Implementation process
DRAG DROP-
You have downloaded an Azure Resource Manager (ARM) template to deploy numerous virtual machines (VMs). The ARM template is based on a current VM, but must be
adapted to reference an administrative password.
You need to make sure that the password cannot be stored in plain text.
You are preparing to create the necessary components to achieve your goal.
Which of the following should you create to achieve your goal? Answer by dragging the correct option from the list to the answer area.
Select and Place:
Options
An Azure Key Vault
An Azure Storage account
Azure Active Directory (AD)
Identity Protection
An access policy
An Azure policy
A backup policy
Answer
Create Key Vault
Analyzing the Options
Let’s examine each option and see how they align with the requirements:
An Azure Key Vault: This is correct. Azure Key Vault is designed to securely store sensitive information like passwords.
An Azure Storage account: This option is incorrect. Storage accounts are for storing files and other types of data, and is not suitable for securing keys and passwords.
Azure Active Directory (AD) Identity Protection: This option is incorrect. Identity Protection is for detecting and mitigating user risk, not storing passwords.
An access policy: This option is correct. An access policy will define which users and applications can access the key vault and the secrets stored.
An Azure policy: This option is incorrect. Azure policies are for enforcing rules, not for secret storage.
A backup policy: This option is incorrect. Backup policies are for defining how backups should be created and retained.
The Correct Components
To meet the requirements, you should create the following components:
An Azure Key Vault: To store the password securely.
An access policy: To grant permissions for the ARM template to access the key vault.
Answer Area:
An Azure Key Vault
An access policy
Your company has a main office in London that contains 100 client computers.
Three years ago, you migrated to Azure Active Directory (Azure AD).
The company’s security policy states that all personal devices and corporate-owned devices must be registered or joined to Azure AD.
A remote user named User1 is unable to join a personal device to Azure AD from a home network.
You verify that User1 was able to join devices to Azure AD in the past.
You need to ensure that User1 can join the device to Azure AD.
What should you do?
A. Assign the User administrator role to User1.
B. From the Device settings blade, modify the Maximum number of devices per user setting.
C. Create a point-to-site VPN from the home network of User1 to Azure.
D. From the Device settings blade, modify the Users may join devices to Azure AD setting.
The correct answer is B: From the Device settings blade, modify the Maximum number of devices per user setting.
Here’s why:
Why B is correct:
User1 could join devices previously but can’t now
This suggests they’ve hit their device limit
Each user has a default limit of devices they can join
Modifying this limit will allow additional device joins
Why other options are incorrect:
A. Assign User administrator role
Not needed for device join
Too broad of permissions
User already demonstrated ability to join devices [1]
C. Create point-to-site VPN
Not required for Azure AD join [2]
Azure AD join works over internet
Adds unnecessary complexity
D. Modify “Users may join devices to Azure AD”
User1 could already join devices before
This setting is already enabled
Wouldn’t resolve per-user limit issue
Important notes for AZ-104 exam:
Device Settings Configuration:
Located in Azure AD portal
Affects all users in organization
Default limit is typically 20 devices
Can be modified as needed
Key Settings:
# PowerShell example to check current settings
Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq “Device Settings”}
# To modify settings
Set-AzureADDirectorySetting -DirectorySetting $setting
Copy
Insert at cursor
powershell
Device Join Types:
Azure AD registered
Azure AD joined
Hybrid Azure AD joined
Understand differences between each
Requirements:
Azure AD Premium license for some features
Proper user permissions
Internet connectivity
Valid credentials
Troubleshooting Steps:
Check device limits
Verify user permissions
Review join settings
Check error messages
Review audit logs
Best Practices:
Regular review of device limits
Monitor device joins
Clean up unused devices
Document policies
Common Issues:
Device limit reached
Permission issues
Network connectivity
Authentication problems
Management Tasks:
Monitor device status
Remove old devices
Update policies
Audit compliance
Portal Navigation:
Azure AD
Devices
Device settings
Maximum number of devices per user
Key Configuration Steps:
Access Azure Portal
Navigate to Azure AD
Select Devices
Choose Device settings
Modify device limit
Save changes
Remember:
Check device limits first
Review user’s existing devices
Consider security implications
Document changes
Monitor device joins
Additional Considerations:
Security:
Balance security and usability
Consider device management
Implement conditional access
Monitor device health
Compliance:
Meet security policies
Track device status
Regular audits
Policy enforcement
User Experience:
Clear communication
Self-service options
Support procedures
Training materials
Monitoring:
Device join status
Error patterns
Usage trends
Security alerts
This question tests understanding of:
Azure AD device management
Troubleshooting methodology
Configuration settings
User permissions
Device join process
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You create a resource lock, and then you assign the lock to the subscription.
Does this meet the goal?
A. Yes
B. No
The correct answer is B: No
Here’s why this solution doesn’t work:
Why Resource Locks Don’t Work Here:
Resource locks only prevent resource modification or deletion
They don’t control traffic flow or security rules
Locks can’t create or enforce NSG rules
Locks are for preventing resource changes/deletions
What Resource Locks Actually Do:
CanNotDelete: Prevents deletion
ReadOnly: Prevents modification and deletion
Cannot automatically create NSG rules
Doesn’t affect network traffic [1]
Important notes for AZ-104 exam:
Better Solutions Would Be:
Azure Policy to enforce NSG rules [2]
Example policy definition:
{
“if”: {
“field”: “type”,
“equals”: “Microsoft.Network/networkSecurityGroups”
},
“then”: {
“effect”: “append”,
“details”: {
“field”: “Microsoft.Network/networkSecurityGroups/securityRules”,
“value”: [
{
“name”: “Block8080”,
“properties”: {
“protocol”: “TCP”,
“sourcePortRange”: “”,
“destinationPortRange”: “8080”,
“sourceAddressPrefix”: “”,
“destinationAddressPrefix”: “*”,
“access”: “Deny”,
“priority”: 100,
“direction”: “Inbound”
}
}
]
}
}
}
Copy
Insert at cursor
json
Resource Lock Types:
CanNotDelete (Delete)
ReadOnly (Delete and Modify)
Scope levels: subscription, resource group, resource
Understanding Azure Policy:
Enforces standards
Ensures compliance
Automatically applies rules
Evaluates resources
NSG Concepts:
Controls network traffic
Rule priority
Inbound/outbound rules
Port filtering
Key Differences: Resource Locks:
Prevent resource changes
Protection against deletion
Resource management tool
Azure Policy:
Enforces standards
Automates compliance
Can configure resources
Ongoing enforcement
Best Practices:
Use appropriate tool for task
Combine tools when needed
Document configurations
Regular review of settings
Implementation Considerations:
Scope of control
Impact on operations
Management overhead
Compliance requirements
Common Use Cases: Resource Locks:
Protect critical resources
Prevent accidental deletion
Production environment protection
Azure Policy:
Security standards
Configuration compliance
Automated enforcement
Resource consistency
Remember:
Resource locks don’t control traffic
Use Azure Policy for NSG rules
Understand tool purposes
Choose appropriate solution
Key Exam Tips:
Know the Tools:
Resource locks for resource protection
Azure Policy for compliance
NSGs for network security
When to use each
Understand Capabilities:
What each tool can do
Limitations of each
Appropriate use cases
Implementation methods
Implementation Details:
How to configure
Where to configure
Impact of configuration
Management requirements
Troubleshooting:
Common issues
Resolution steps
Verification methods
Monitoring options
This question tests understanding of:
Resource lock functionality
Network security requirements
Azure Policy vs Resource Locks
Security implementation methods
HOTSPOT
You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant is synced to the on-premises Active Directory domain. The domain contains the users shown in the following table:
Name Role
SecAdmin1 Security administrator
BillAdmin1 Billing administrator
User1 Reports reader
You enable self-service password reset (SSPR) for all users and configure SSPR to have the following authentication methods:
Number of methods required to reset: 2
Methods available to users: Mobile phone, Security questions
Number of questions required to register: 3
Number of questions required to reset: 3
You select the following security questions:
What is your favorite food?
In what city was your first job?
What was the name of your first pet?
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Answer Area:
Statements:
SecAdmin1 must answer the following question during the self-service password reset: “In what city was your first job?”
Yes [ ]
No [ ]
BillAdmin1 must answer the following question during the self-service password reset: “What is your favorite food?”
Yes [ ]
No [ ]
User1 must answer the following question during the self-service password reset: “What was the name of your first pet?”
Yes [ ]
No [ ]
Name | Role |
The correct answers are:
SecAdmin1: No
BillAdmin1: No
User1: No
Here’s why:
For all users (SecAdmin1, BillAdmin1, and User1):
Users must register 3 security questions
Users choose which questions to answer from the available pool
During reset, they must answer any 3 of their registered questions
The specific questions aren’t predetermined or assigned
Why “No” for all:
The configuration doesn’t force specific questions for specific users
Users can choose which questions to register from the available pool
The system randomly selects from registered questions during reset
No user is required to answer any specific question
Important notes for AZ-104 exam:
SSPR Configuration Components:
Number of methods required
Available authentication methods
Question requirements
Registration requirements
Authentication Methods:
# PowerShell example to check SSPR settings
Get-MsolPasswordPolicy
Copy
Insert at cursor
powershell
Key SSPR Settings:
Methods required (1 or 2)
Available methods
Question requirements
Registration process
Security Questions:
Predefined questions
Custom questions
Number required
Answer requirements
Implementation Requirements:
Azure AD Premium license
User configuration
Authentication methods
Policy settings
Best Practices:
Multiple authentication methods
Strong security questions
Clear user instructions
Regular policy review
Important Considerations:
User experience
Security level
Administration overhead
Compliance requirements
Configuration Steps:
Enable SSPR
Select methods
Configure questions
Set requirements
Deploy to users
Monitoring and Management:
Usage reports
Success/failure rates
User registration status
Policy effectiveness
Common Settings:
{
“numberOfMethodsRequired”: 2,
“methods”: [
“mobilePhone”,
“securityQuestions”
],
“questionsRequired”: 3,
“resetQuestionsRequired”: 3
}
Copy
Insert at cursor
json
Remember:
Users choose their questions
No predetermined assignments
Random selection during reset
Multiple methods required
Key Exam Tips:
Understanding SSPR:
Configuration options
Authentication methods
Security requirements
User experience
Security Questions:
Registration process
Reset process
Question selection
Answer requirements
Authentication Methods:
Available options
Configuration requirements
Combination rules
Implementation process
User Experience:
Registration flow
Reset process
Method selection
Question answering
Administration:
Policy configuration
User management
Monitoring
Troubleshooting
This question tests understanding of:
SSPR configuration
Security question implementation
Authentication methods [1]
User experience
Administrative controls
The key point is that security questions in SSPR are user-selected during registration, not assigned by administrators or roles.
HOTSPOT -
You have an Azure subscription named Subscription1. Subscription1 contains two Azure virtual machines VM1 and VM2. VM1 and VM2 run Windows Server 2016.
VM1 is backed up daily by Azure Backup without using the Azure Backup agent.
VM1 is affected by ransomware that encrypts data.
You need to restore the latest backup of VM1.
To which location can you restore the backup? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer Area
You can perform a file recovery of
VM1 to:
VM1 only
VM1 or a new Azure virtual machine only
VM1 and VM2 only
A new Azure virtual machine only
Any Windows computer that has Internet connectivity
You can restore VM1 to:
VM1 only
VM1 or a new Azure virtual machine only
VM1 and VM2 only
Any Windows computer that has Internet connectivity
PowerShell example for restore
Understanding Azure VM Backups
Azure Backup (without agent): Uses Azure’s infrastructure to back up the entire VM disk.
File Recovery: Allows you to restore specific files and folders from a VM backup. This uses a script to mount the backup as a VHD.
VM Restore: Creates a new VM, or overwrites the existing VM, based on a backup.
Analyzing the Situation
VM1: Is backed up daily using Azure Backup (without an agent).
VM1 Infected: Has been encrypted by ransomware.
Need to Restore: Restore the latest backup of the entire VM1.
VM2: Is a different VM, not relevant to restoring VM1.
Determining Restore Locations
Let’s analyze the restore options:
File Recovery:
Can restore files to the original VM (VM1) by using the File Recovery function.
Can restore files to a different VM by mounting the backup of the disk to a different VM.
Cannot restore files to an on-premises computer as the VHD must be mounted on a VM.
Therefore, the correct option for file recovery is VM1 or a new Azure virtual machine only
VM Restore:
Can restore the entire VM to the original VM (VM1).
Can restore the entire VM to a new Azure virtual machine by creating a new VM from the backup.
Cannot restore an entire Azure VM to an on-premises computer.
Therefore, the correct option for restoring the VM is VM1 or a new Azure virtual machine only
Answer Area:
You can perform a file recovery of VM1 to:
VM1 or a new Azure virtual machine only
You can restore VM1 to:
VM1 or a new Azure virtual machine only
You have an Azure virtual machine named VM1 and an Azure key vault named Vault1.
On VM1, you plan to configure Azure Disk Encryption to use a key encryption key (KEK).
You need to prepare Vault1 for Azure Disk Encryption.
Which two actions should you perform on Vault1? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Create a new key.
B. Select Azure Virtual machines for deployment
C. Create a new secret.
D. Configure a key rotation policy.
E. Select Azure Disk Encryption for volume encryption.
Enable Key Vault for disk encryption
Suggested Answer: B, E
To prepare a key vault for Azure Disk Encryption, you need to select Azure Virtual machines for deployment and select Azure Disk Encryption for volume encryption in the key vault access policy settings. These options enable the VMs to access the keys and secrets stored in the key vault for disk encryption. Creating a new key or secret is not required, as Azure Disk Encryption can generate them automatically. Configuring a key rotation policy is optional and not related to preparing the key vault for disk encryption.
https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault?tabs=azure-portal#azure-portal-1
Your company has an Azure Active Directory (Azure AD) tenant that is configured for hybrid coexistence with the on-premises Active Directory domain.
The on-premise virtual environment consists of virtual machines (VMs) running on Windows Server 2012 R2 Hyper-V host servers.
You have created some PowerShell scripts to automate the configuration of newly created VMs. You plan to create several new VMs.
You need a solution that ensures the scripts are run on the new VMs.
Which of the following is the best solution?
A. Configure a SetupComplete.cmd batch file in the %windir%\setup\scripts directory.
B. Configure a Group Policy Object (GPO) to run the scripts as logon scripts.
C. Configure a Group Policy Object (GPO) to run the scripts as startup scripts.
D. Place the scripts in a new virtual hard disk (VHD).
The correct answer is A: Configure a SetupComplete.cmd batch file in the %windir%\setup\scripts directory.
Here’s why:
Why A is correct:
Runs automatically after Windows Setup completes
Executes before first user login
Runs only once during initial setup
Ideal for initial VM configuration
Why other options are incorrect:
B. GPO logon scripts
Runs every time a user logs in
Requires domain join first
Not suitable for initial setup
Too frequent execution
C. GPO startup scripts
Runs every system startup
Requires domain join first
Not ideal for one-time configuration
Too frequent execution
D. Scripts in new VHD
No automatic execution mechanism
Requires manual intervention
Not a reliable automation solution
No guaranteed execution
Important notes for AZ-104 exam:
SetupComplete.cmd Configuration:
@echo off
PowerShell.exe -ExecutionPolicy Bypass -File “C:\Scripts\Configure-VM.ps1”
Copy
Insert at cursor
cmd
Implementation Steps:
Create scripts directory
Place PowerShell scripts
Create SetupComplete.cmd
Reference scripts properly
Best Practices:
# Example PowerShell script content
$ErrorActionPreference = “Stop”
try {
# Configuration tasks
Join-Domain
Install-Requirements
Configure-Settings
} catch {
Write-Error $_.Exception.Message
}
Copy
Insert at cursor
powershell
Important Considerations:
Script execution policy
Error handling
Logging
Idempotency
Common Tasks:
Domain join
Software installation
Configuration settings
Security setup
Script Location:
%windir%\setup\scripts\SetupComplete.cmd
Copy
Insert at cursor
text
Logging Best Practices:
# Add logging to scripts
Start-Transcript -Path “C:\Windows\Temp\VMSetup.log”
try {
# Script actions
} finally {
Stop-Transcript
}
Copy
Insert at cursor
powershell
Security Considerations:
Script signing
Execution policy
Credential handling
Audit logging
Remember:
One-time execution
Runs before first login
No user interaction needed
Automatic execution
Key Exam Tips:
VM Configuration Methods:
SetupComplete.cmd
Custom scripts
Group Policy
Automation options
Implementation Details:
Script location
Execution timing
Permission requirements
Error handling
Best Practices:
Error handling
Logging
Security
Idempotency
Common Scenarios:
Initial configuration
Software installation
Domain join
Security setup
Troubleshooting:
Log locations
Common issues
Resolution steps
Verification methods
Example Implementation:
Directory Structure:
%windir%\setup\scripts\
├── SetupComplete.cmd
├── Configure-VM.ps1
└── Install-Software.ps1
Copy
Insert at cursor
text
SetupComplete.cmd:
@echo off
PowerShell.exe -ExecutionPolicy Bypass -File “%~dp0Configure-VM.ps1”
Copy
Insert at cursor
cmd
Configure-VM.ps1:
# Configuration script
$ErrorActionPreference = “Stop”
Start-Transcript -Path “C:\Windows\Temp\VMSetup.log”
try {
# Your configuration tasks here
Write-Output “Starting VM configuration…”
# Example tasks Set-TimeZone "UTC" Install-WindowsFeature -Name "Web-Server"
} catch {
Write-Error $_.Exception.Message
} finally {
Stop-Transcript
}
Copy
Insert at cursor
powershell
This question tests understanding of:
VM automation methods
Initial configuration options
Script execution timing
Implementation best practices
HOTSPOT -
You need to ensure that User1 can create initiative definitions, and User4 can assign initiatives to RG2. The solution must meet the technical requirements.
Which role should you assign to each user? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer Area
User1:
Contributor for RG1
Contributor for Sub1
Security Admin for RG1
Resource Policy Contributor for Sub1
User4:
Contributor for RG2
Contributor for Sub1
Security Admin for Sub1
Resource Policy Contributor for RG2
Assign Resource Policy Contributor
Understanding Azure Policy and Roles
Initiative Definitions: These are used to group policy definitions into a single manageable item.
Initiative Assignments: Applying an initiative (group of policies) to a scope (resource group, subscription, etc.).
Resource Policy Contributor Role: This role grants permissions to create, modify, and delete policies and initiatives. It also grants permissions to assign policies.
Scope: User1 needs permissions to create initiative definitions on the subscription level, while User4 needs permissions to assign initiatives to a specific resource group.
Principle of Least Privilege: Assign the minimum required permissions for each user.
Analyzing the Requirements
User1: Needs to create Azure policy definitions. This requires permissions at the subscription level.
User4: Needs to assign initiatives to RG2. This requires permissions at the resource group level.
Determining Correct Roles
Let’s examine each available role:
User1:
Contributor for RG1: This role is incorrect. Contributor is too broad, and the permissions are limited to the resource group level, it does not allow for creating policy definitions.
Contributor for Sub1: This role is incorrect. Contributor is too broad, and does not provide the correct level of permissions.
Security Admin for RG1: This role is incorrect. It’s focused on security operations, not policy creation.
Resource Policy Contributor for Sub1: This is the correct role. This role provides the ability to create and manage policies at the subscription level, meaning that new initiative definitions can be created.
User4:
Contributor for RG2: This role is incorrect. While it allows management of resources within RG2, it doesn’t have permissions to manage policy assignments.
Contributor for Sub1: This role is incorrect. This is not the correct scope for managing policy assignments at RG2.
Security Admin for Sub1: This role is incorrect, as it does not allow for the assignment of policies.
Resource Policy Contributor for RG2: This is the correct role. It has all the necessary permissions, at the required scope (RG2), for assigning initiatives.
Answer Area:
User1:
Resource Policy Contributor for Sub1
User4:
Resource Policy Contributor for RG2
You have an Azure subscription named Subscription1. Subscription1 contains the resource groups in the following table.
|—|—|—|
| RG1 | West Europe | Policy1 |
| RG2 | North Europe | Policy2 |
| RG3 | France Central | Policy3 |
RG1 has a web app named WebApp1. WebApp1 is located in West Europe.
You move WebApp1 to RG2.
What is the effect of the move?
A. The App Service plan for WebApp1 remains in West Europe. Policy2 applies to WebApp1.
B. The App Service plan for WebApp1 moves to North Europe. Policy2 applies to WebApp1.
C. The App Service plan for WebApp1 remains in West Europe. Policy1 applies to WebApp1.
D. The App Service plan for WebApp1 moves to North Europe. Policy1 applies to WebApp1.
Name | Azure region | Policy |
The correct answer is A: The App Service plan for WebApp1 remains in West Europe. Policy2 applies to WebApp1.
Here’s why:
Location Behavior:
Moving a web app between resource groups doesn’t change its physical location
App Service plan remains in original region (West Europe)
Only the logical grouping changes
Policy Application:
Policies are applied at resource group level
When resource moves to new RG, new RG’s policies apply
WebApp1 now falls under Policy2
Original policy (Policy1) no longer applies
Important notes for AZ-104 exam:
Resource Move Operations:
# Move resource between resource groups
Move-AzResource `
-ResourceId $webapp.Id `
-DestinationResourceGroupName “RG2”
Copy
Insert at cursor
powershell
Key Concepts:
Physical location vs logical grouping
Policy inheritance
Resource dependencies
Move limitations
Move Considerations:
{
“moveConsiderations”: {
“location”: “remains unchanged”,
“policies”: “inherit from new RG”,
“dependencies”: “must be evaluated”,
“services”: “some can’t be moved”
}
}
Copy
Insert at cursor
json
Important Rules:
Location stays same
New RG policies apply
Dependencies must move together
Some resources can’t move
Best Practices:
Check dependencies first
Verify policy compatibility
Plan maintenance window
Document changes
Common Scenarios: Resource Moves:
Between RGs
Between subscriptions
Region transfers
Policy implications
Move Limitations:
Some services can’t move
Regional restrictions
Dependency requirements
Service-specific rules
Implementation Steps:
Check move requirements
Verify dependencies
Plan maintenance
Execute move
Verify functionality
Remember:
Location doesn’t change
Policies inherit from new RG
Check dependencies
Plan carefully
Key Exam Tips:
Resource Movement:
Location behavior
Policy inheritance
Dependencies
Limitations
Policy Application:
Inheritance rules
Scope changes
Implementation timing
Verification methods
Best Practices:
Pre-move checks
Dependency analysis
Documentation
Testing
Troubleshooting:
Common issues
Resolution steps
Verification methods
Documentation needs
Common Scenarios to Know:
Resource Group Moves:
Policy changes
Location retention
Service limitations
Dependency handling
Policy Management:
Inheritance rules
Scope changes
Implementation timing
Verification methods
Location Considerations:
Physical location
Logical grouping
Regional services
Move restrictions
Important Considerations:
Before Moving:
Check dependencies
Verify service support
Review policies
Plan downtime
During Move:
Monitor progress
Check services
Verify connections
Document changes
After Move:
Verify functionality
Check policy application
Update documentation
Monitor performance
This question tests understanding of:
Resource movement behavior
Policy inheritance
Location persistence
Resource management
The key focus is on:
Understanding physical vs logical location
Policy inheritance rules
Resource move implications
Service limitations
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site connection uses a self-signed certificate.
From Azure, you download and install the VPN client configuration package on a computer named Computer2.
You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2.
Solution: On Computer2, you set the Startup type for the IPSec Policy Agent service to Automatic.
Does this meet the goal?
A. Yes
B. No
The correct answer is B: No
Here’s why:
Why this solution doesn’t work:
IPSec Policy Agent service isn’t the primary requirement
The main requirement is certificate configuration
Self-signed certificate needs to be exported/imported
Missing critical certificate steps
What’s actually needed:
Export certificate from Computer1
Import certificate to Computer2
Configure VPN client properly
Verify certificate installation
Important notes for AZ-104 exam:
P2S VPN Certificate Requirements:
# Export certificate (on Computer1)
$cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {$.Subject -like “P2SRoot”}
Export-Certificate -Cert $cert -FilePath “C:\P2SCert.cer”
# Import certificate (on Computer2)
Import-Certificate -FilePath “C:\P2SCert.cer” -CertStoreLocation Cert:\CurrentUser\My
Copy
Insert at cursor
powershell
Key Components:
Root certificate
Client certificate
VPN client configuration
Network settings
Implementation Steps: [1]
Export certificates
Transfer securely
Import certificates
Configure VPN client
Test connection
Best Practices:
{
“p2sVpnSetup”: {
“certificates”: {
“root”: “required”,
“client”: “required”
},
“configuration”: {
“vpnClient”: “installed”,
“network”: “configured”
}
}
}
Copy
Insert at cursor
json
Common Requirements:
Certificate management
VPN client setup
Network configuration
Security settings
Troubleshooting Steps:
Verify certificates
Check VPN configuration
Test network connectivity
Review logs
Security Considerations:
Certificate protection
Secure transfer
Access control
Monitoring
Implementation Checklist:
Export certificates
Secure transfer
Import certificates
Configure client
Test connection
Remember:
Certificates are crucial
IPSec service alone isn’t enough
Proper configuration needed
Security is important
Key Exam Tips:
P2S VPN Setup:
Certificate requirements
Client configuration
Network settings
Security considerations
Certificate Management:
Export process
Import process
Storage location
Security measures
Implementation:
Step sequence
Required components
Verification methods
Troubleshooting
Best Practices:
Security first
Proper configuration
Testing
Documentation
Common Issues:
Certificate problems
Configuration errors
Network issues
Permission problems
Common Scenarios:
Certificate Management:
Export/Import
Storage
Security
Verification
VPN Configuration:
Client setup
Network settings
Security options
Testing
Troubleshooting:
Certificate issues
Connection problems
Network errors
Configuration mistakes
Important Steps:
Certificate Preparation:
# Verify certificate
Get-ChildItem -Path Cert:\CurrentUser\My |
Where-Object {$.Subject -like “P2SRoot”} |
Format-List Subject, Thumbprint, NotAfter
Copy
Insert at cursor
powershell
VPN Client Setup:
Install configuration package
Import certificates
Configure network settings
Test connection
Verification:
Check certificate
Verify configuration
Test connectivity
Monitor logs
This question tests understanding of:
P2S VPN requirements
Certificate management
VPN configuration
Implementation steps
The key focus is on:
Understanding complete P2S VPN requirements
Importance of certificates
Proper configuration steps
Security considerations
You have an Azure subscription that contains a storage account named storage. The storage account contains a blob that stores images.
Client access to storage1 is granted by using a shared access signature (SAS).
You need to ensure that users receive a warning message when they generate a SAS that exceeds a seven-day time period.
What should you do for storage?
A. Enable a read-only lock.
B. Configure an alert rule.
C. Add a lifecycle management rule.
D. Set Allow recommended upper limit for shared access signature (SAS) expiry interval to Enabled.
The correct answer is D: Set Allow recommended upper limit for shared access signature (SAS) expiry interval to Enabled.
Here’s why:
This setting:
Provides warnings for SAS duration > 7 days
Doesn’t block SAS creation
Implements best practice recommendations
Helps maintain security standards
Why other options are incorrect:
A. Read-only lock: Prevents modifications but doesn’t warn about SAS duration
B. Alert rule: Monitors events but doesn’t provide real-time warnings during SAS generation
C. Lifecycle management: Manages blob lifecycle but doesn’t affect SAS settings
Important notes for AZ-104 exam:
SAS Configuration:
# Set SAS policy
Set-AzStorageAccountManagementPolicy `
-ResourceGroupName “RG1” `
-StorageAccountName “storage1” `
-EnableSasExpiryWarning $true `
-SasExpiryWarningDays 7
Copy
Insert at cursor
powershell
Key Components:
{
“sasPolicy”: {
“expiryWarning”: true,
“warningDays”: 7,
“enforcement”: “warning”,
“scope”: “account”
}
}
Copy
Insert at cursor
json
Implementation Steps:
Access storage settings
Enable SAS expiry warning
Set warning threshold
Monitor compliance
Best Practices:
Enable warnings
Set appropriate thresholds
Monitor usage
Regular review
Security Considerations:
SAS duration limits
Access control
Monitoring
Compliance
Common Tasks:
# Generate SAS token
$sasToken = New-AzStorageAccountSASToken `
-Context $ctx `
-Service Blob `
-ResourceType Container,Object `
-Permission “racwd” `
-ExpiryTime (Get-Date).AddDays(7)
Copy
Insert at cursor
powershell
Monitoring Setup:
{
“monitoring”: {
“sasWarnings”: “enabled”,
“threshold”: “7days”,
“actions”: “warning”,
“logging”: “enabled”
}
}
Copy
Insert at cursor
json
Important Settings:
SAS expiry warnings
Duration thresholds
Monitoring options
Compliance settings
Remember:
Warning not blocking
7-day recommendation
Security best practice
Regular monitoring
Key Exam Tips:
SAS Management:
Configuration options
Warning settings
Duration limits
Best practices
Security:
Access control
Duration monitoring
Warning implementation
Compliance
Implementation:
Setting configuration
Monitoring setup
Warning thresholds
Verification
Best Practices:
Enable warnings
Regular monitoring
Policy enforcement
Documentation
Troubleshooting:
Common issues
Resolution steps
Verification methods
Documentation
Common Scenarios:
SAS Configuration:
Warning setup
Duration limits
Monitoring
Compliance
Security Implementation:
Access control
Warning systems
Monitoring
Auditing
Management Tasks:
Policy setup
Monitoring
Reporting
Review
Important Considerations:
Before Implementation:
Plan policy
Set thresholds
Configure monitoring
Document procedures
During Implementation:
Apply settings
Test warnings
Verify functionality
Document changes
After Implementation:
Monitor effectiveness
Review warnings
Adjust settings
Update documentation
Implementation Steps:
Configure Settings:
# Enable SAS warning
Update-AzStorageAccountSasPolicy `
-ResourceGroupName “RG1” `
-AccountName “storage1” `
-EnableExpirationWarning $true `
-ExpirationWarningDays 7
Copy
Insert at cursor
powershell
Verify Configuration:
Test SAS generation
Check warnings
Monitor compliance
Review logs
Maintain Policy:
Regular reviews
Adjust settings
Monitor effectiveness
Update documentation
This question tests understanding of:
SAS management
Security implementation
Warning configuration
Best practices
The key focus is on:
SAS security features
Warning implementation
Duration monitoring
Security best practices
You have an Azure subscription that contains two storage accounts named contoso101 and contoso102.
The subscription contains the virtual machines shown in the following table.
|—|—|—|
| VM1 | VNet1/Subnet1 | Basic |
| VM2 | VNet1/Subnet2 | Standard |
VNet1 has service endpoints configured as shown in the Service endpoints exhibit. (Click the Service endpoints tab.)
VNet1 | Service endpoints ☆
Virtual network
+ Add Refresh
Filter service endpoints
The Microsoft.Storage service endpoint has the service endpoint policy shown in the Microsoft.Storage exhibit. (Click the Microsoft.Storage tab.)
Create a service endpoint policy
✔ Validation passed
Basics Policy definitions Tags Review + create
Basics
| | |
|—|—|
| Subscription | Azure Pass - Sponsorship |
| Resource group | RG1 |
| Region | East US |
| Name | Policy1 |
Resources
| | |
|—|—|
| Microsoft.Storage | contoso101 (Storage account) |
Tags
None
ℹ For this policy to take effect, you will need to associate it to one or more subnets that have virtual network service endpoints.
Please visit a virtual network in East US region and then select the subnets to which you would like to associate this policy.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Answer Area
Statements Yes No
VM1 can access contoso102.
VM2 can access contoso101.
VM2 uses a private IP address to access Azure AD.
| Name | Connected to | Public IP address SKU |
Service | Subnet | Status | Locations |
|—|—|—|—|
| Microsoft.AzureActiveDirectory | 1 | | … |
| | Subnet2 | Succeeded | * | … |
| Microsoft.Storage | 1 | | … |
| | Subnet1 | Succeeded | * | … |
The correct answers are:
VM1 can access contoso102: Yes
VM2 can access contoso101: No
VM2 uses a private IP address to access Azure AD: Yes
Here’s why:
VM1 can access contoso102: Yes
Service endpoint exists for Microsoft.Storage on Subnet1
No policy restricting access to contoso102
Default access allowed
VM2 can access contoso101: No
Service endpoint policy (Policy1) only allows access to contoso101
VM2 is in Subnet2 which doesn’t have Storage service endpoint
Access is restricted
VM2 uses a private IP address to access Azure AD: Yes
Azure AD service endpoint is configured on Subnet2
Allows private IP communication
Direct secure connection
Important notes for AZ-104 exam:
Service Endpoint Configuration:
# Add service endpoint
Add-AzVirtualNetworkSubnetConfig `
-Name “Subnet1” `
-VirtualNetwork $vnet `
-AddressPrefix “10.0.1.0/24” `
-ServiceEndpoint “Microsoft.Storage”
Copy
Insert at cursor
powershell
Policy Configuration:
{
“serviceEndpointPolicy”: {
“resourceTypes”: [“Microsoft.Storage”],
“allowedResources”: [“contoso101”],
“subnet”: “Subnet1”
}
}
Copy
Insert at cursor
json
Key Concepts:
Service endpoints
Network policies
Access control
Private connectivity
Implementation Best Practices:
# Configure service endpoint policy
$policy = New-AzServiceEndpointPolicy `
-ResourceGroupName “RG1” `
-Name “Policy1” `
-Location “EastUS”
# Add storage account to policy
Add-AzServiceEndpointPolicyDefinition `
-ServiceEndpointPolicy $policy `
-Name “Storage” `
-Service “Microsoft.Storage” `
-ServiceResources “/subscriptions/<ID>/resourceGroups/RG1/providers/Microsoft.Storage/storageAccounts/contoso101"
Copy
Insert at cursor
powershell
Security Considerations:
Network isolation
Access control
Policy enforcement
Monitoring
Remember:
Service endpoint locations
Policy restrictions
Subnet configurations
Access patterns
Key Exam Tips:
Service Endpoints:
Purpose
Configuration
Restrictions
Benefits
Network Policies:
Implementation
Scope
Restrictions
Management
Access Control:
Service endpoints
Policies
Subnet configuration
Resource access
Troubleshooting:
Common issues
Resolution steps
Verification methods
Documentation
Common Scenarios:
Storage Access:
Service endpoints
Policy restrictions
Subnet configuration
Access patterns
Azure AD Access:
Private connectivity
Service endpoints
Network security
Authentication
Network Security:
Service isolation
Access control
Policy enforcement
Monitoring
Important Considerations:
Service Endpoints:
Configuration
Scope
Restrictions
Management
Network Policies:
Implementation
Enforcement
Monitoring
Updates
Access Control:
Resource restrictions
Subnet configuration
Policy management
Monitoring
This question tests understanding of:
Service endpoints
Network policies
Access control
Private connectivity
The key focus is on:
Understanding service endpoint configuration
Policy implementation and effects
Private connectivity features
Network security concepts</ID>
