test15 Flashcards
- Topic 1, Litware, inc.
Overview
Litware, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York office has 200 employees.
All the resources used by Litware are hosted on-premises.
Litware creates a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain named Litware.onmicrosoft.com. The tenant uses the P1 pricing tier.
Existing Environment
The network contains an Active Directory forest named Litware.com. All domain controllers are configured as DNS servers and host the Litware.com DNS zone.
Litware has finance, human resources, sales, research, and information technology departments. Each department has an organizational unit (OU) that contains all the accounts of that respective department. All the user accounts have the department attribute set to their respective department. New users are added frequently.
Litware.com contains a user named User1.
All the offices connect by using private links.
Litware has data centers in the Montreal and Seattle offices. Each data center has a firewall that can be configured as a VPN device.
All infrastructure servers are virtualized.
The virtualization environment contains the servers in the following table.
Name | Role | Contains virtual machine
Server1 | VMware vCenter server | VM1
Server2 | Hyper-V host | VM2
Litware uses two web applications named App1 and App2. Each instance of each web application requires 1 GB of memory.
The Azure subscription contains the resources in the following table.
Name | Type
VNet1 | Virtual network
VM3 | Virtual machine
VM4 | Virtual machine
The network security team implements several network security groups (NSGs).
Planned Changes
Litware plans to implement the following changes:
- Deploy Azure ExpressRoute to the Montreal office.
- Migrate the virtual machines hosted on Server1 and Server2 to Azure.
- Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
- Migrate App1 and App2 to two Azure web apps named WebApp1 and WebApp2.
Technical requirements
Litware must meet the following technical requirements:
- Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instances.
- Ensure that VM3 can establish outbound connections over TCP port 8080 to the application servers in the Montreal office.
- Ensure that routing information is exchanged automatically between Azure and the routers in the Montreal office.
- Enable Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
- Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.Litware.com.
- Connect the New York office to VNet1 over the Internet by using an encrypted connection.
- Create a workflow to send an email message when the settings of VM4 are modified.
- Create a custom Azure role named Role1 that is based on the Reader role.
- Minimize costs whenever possible.
HOTSPOT
You need to meet the connection requirements for the New York office.
What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
From the Azure portal:
Create an ExpressRoute circuit only.
Create a virtual network gateway only.
Create a virtual network gateway and a local network gateway.
Create an ExpressRoute circuit and an on-premises data gateway.
Create a virtual network gateway and an on-premises data gateway.
In the New York office:
Deploy ExpressRoute.
Deploy a DirectAccess server.
Implement a Web Application Proxy.
Configure a site-to-site VPN connection.
Let’s analyze the correct answers for this scenario:
Correct Configuration:
From the Azure portal: “Create a virtual network gateway and a local network gateway”
Why correct:
Virtual network gateway is needed to enable VPN connectivity
Local network gateway represents the on-premises network
This combination is required for site-to-site VPN
Most cost-effective solution for the requirement
In the New York office: “Configure a site-to-site VPN connection”
Why correct:
Meets the requirement “Connect the New York office to VNet1 over the Internet by using an encrypted connection”
Cost-effective solution for smaller offices
Provides secure encrypted connection
Works over existing internet connection
Why other options are incorrect:
Azure Portal options:
“ExpressRoute circuit” - Too expensive for small office, overkill
“Virtual network gateway only” - Incomplete solution, needs local network gateway
“On-premises data gateway” - Used for data services, not network connectivity
New York office options:
“Deploy ExpressRoute” - Too expensive, not necessary for small office
“DirectAccess server” - Client access solution, not for site-to-site
“Web Application Proxy” - Application access solution, not for network connectivity
Important notes for AZ-104 exam:
Site-to-Site VPN Requirements: [1]
Virtual network gateway in Azure
Local network gateway in Azure
VPN device/firewall on-premises
Public IP address for on-premises VPN device
Cost Considerations:
Site-to-Site VPN is more cost-effective than ExpressRoute
Appropriate for smaller offices/bandwidth needs
Uses existing internet connection
Network Gateway Types:
VPN Gateway for VPN connections
ExpressRoute Gateway for ExpressRoute connections
Different SKUs available based on performance needs
Connection Types:
Site-to-Site VPN: Office to Azure
Point-to-Site VPN: Individual clients to Azure
ExpressRoute: Private dedicated connection
VNet-to-VNet: Between Azure virtual networks
Best Practices:
Choose connection type based on:
Bandwidth requirements
Security needs
Budget constraints
Office size
Reliability requirements
Key Concepts:
Understanding different connectivity options
Network gateway requirements
Local network gateway purpose
Cost implications of different solutions
Scenario Evaluation:
Consider office size (200 employees)
Internet-based requirement
Encryption requirement
Cost minimization requirement
This question tests understanding of:
Azure connectivity options
Network gateway configurations
Cost-effective solutions
Appropriate technology selection
Hybrid networking concepts
Remember: The solution should match the scale and requirements of the specific scenario while considering cost constraints.
You need to recommend a solution to automate the configuration for the finance department users. The solution must meet the technical requirements.
What should you include in the recommendation?
Azure AD B2C
Azure AD Identity Protection
an Azure logic app and the Microsoft Identity Manager (MIM) client
dynamic groups and conditional access policies
Correct Option:
dynamic groups and conditional access policies
Explanation:
Dynamic Groups: Dynamic groups in Azure AD allow you to automatically add and remove users based on their attributes, such as the department attribute. This ensures that users in the finance department are automatically included in the group without manual intervention.
Conditional Access Policies: Conditional access policies can be used to enforce specific security requirements, such as Azure Multi-Factor Authentication (MFA), for users in the dynamic group. By applying a conditional access policy to the dynamic group for the finance department, you can ensure that only these users are required to use MFA.
Important notes for the AZ-104 exam:
Understand the use of dynamic groups in Azure AD to automate user management based on user attributes.
Be familiar with configuring and applying conditional access policies to enforce security requirements such as MFA.
Know how to combine dynamic groups and conditional access policies to meet specific organizational requirements efficiently and securely.
You need to ensure that VM1 can communicate with VM4. The solution must minimize administrative effort.
What should you do?
Create a user-defined route from VNET1 to VNET3.
Assign VM4 an IP address of 10.0.1.5/24.
Establish peering between VNET1 and VNET3.
Create an NSG and associate the NSG to VM1 and VM4.
Based on the scenario, the correct solution is to “Establish peering between VNET1 and VNET3.”
Here’s why this is the correct answer:
Virtual Network (VNet) peering is the simplest and most efficient way to enable communication between VMs in different virtual networks. It: [1]
Provides low-latency, high-bandwidth connectivity
Requires minimal administrative effort
Allows resources to communicate across VNets as if they were in the same network
Doesn’t require any gateway or complex routing configuration
Why other options are incorrect:
“Create a user-defined route from VNET1 to VNET3”
More complex than necessary
Requires additional maintenance
UDRs are typically used when you need to override Azure’s default system routes
“Assign VM4 an IP address of 10.0.1.5/24”
Simply changing IP addresses doesn’t establish connectivity
Doesn’t solve the cross-VNet communication issue
“Create an NSG and associate the NSG to VM1 and VM4”
NSGs are for security rules and traffic filtering [2]
While NSGs are important for security, they alone don’t enable communication between VNets
Important notes for AZ-104 exam:
VNet Peering Characteristics:
Peering is non-transitive (if A is peered with B, and B with C, A cannot communicate with C)
Peering can be between VNets in:
Same region
Different regions (Global VNet peering)
Different subscriptions
Different Azure Active Directory tenants
Key Concepts:
Once peered, VNets appear as one for connectivity purposes
Network latency between VMs in peered VNets is the same as within a single VNet
No downtime is required to create peering
Requirements for Peering:
VNets cannot have overlapping IP address spaces
Peering must be configured on both VNets (bidirectional)
Network address spaces must be planned carefully before implementation
Exam Tips:
Focus on scenarios requiring minimal administrative effort
Understand the differences between connectivity solutions (peering vs VPN vs ExpressRoute)
Know when to use VNet peering versus other networking solutions
Remember peering’s non-transitive nature
Understand the relationship between NSGs, routing, and peering
You discover that VM3 does NOT meet the technical requirements.
You need to verify whether the issue relates to the NSGs.
What should you use?
Diagram in VNet1
the security recommendations in Azure Advisor
Diagnostic settings in Azure Monitor
Diagnose and solve problems in Traffic Manager Profiles
IP flow verify in Azure Network Watcher
The correct answer is “IP flow verify in Azure Network Watcher.”
Here’s why this is the correct answer:
IP flow verify:
Specifically designed to troubleshoot NSG-related connectivity issues
Checks if a packet is allowed or denied for a specific VM
Evaluates the NSG security rules that apply to the VM and reports the outcome
Helps identify which NSG rule is blocking or allowing traffic
Why other options are incorrect:
“The security recommendations in Azure Advisor”
Too broad in scope
Focuses on best practices rather than specific connectivity issues
Doesn’t provide detailed NSG rule verification
“Diagnostic settings in Azure Monitor”
Used for collecting metrics and logs
Too general for NSG troubleshooting
Doesn’t provide real-time flow verification
“Diagnose and solve problems in Traffic Manager Profiles”
Related to DNS-based traffic routing
Not relevant for NSG troubleshooting
Focuses on global traffic distribution
Important notes for AZ-104 exam:
Network Watcher Tools:
IP flow verify
Next hop
Security group view
Packet capture
Connection troubleshoot
NSG flow logs
IP Flow Verify Specifics:
Verifies traffic between source and destination
Checks both inbound and outbound rules
Shows which rule is allowing/denying traffic
Requires:
Source IP
Destination IP
Source Port
Destination Port
Protocol
Network Watcher Features:
Must be enabled per region
Available for troubleshooting:
Connectivity issues
NSG rules
Routing problems
VPN connections
Exam Tips:
Know when to use specific Network Watcher tools
Understand the difference between:
IP flow verify (NSG rules)
Next hop (routing issues)
Connection troubleshoot (end-to-end connectivity)
NSG flow logs (traffic analytics)
Troubleshooting Methodology:
Start with IP flow verify for NSG issues
Use next hop for routing problems
Enable NSG flow logs for ongoing monitoring
Use packet capture for detailed traffic analysis
Best Practices:
Enable Network Watcher in all regions where you have resources
Use appropriate tool for specific networking issues
Understand the limitations of each troubleshooting tool
Know how to interpret results from different Network Watcher features
Remember for the exam:
Network Watcher is Azure’s network performance monitoring and diagnostics solution
IP flow verify is specifically designed for NSG troubleshooting
Different networking issues require different Network Watcher tools
Understanding which tool to use for specific scenarios is crucial
You need to meet the technical requirement for VM4.
What should you create and configure?
an Azure Notification Hub
an Azure Event Hub
an Azure Logic App
an Azure Service Bus
The correct answer is “an Azure Logic App.”
Here’s why this is the correct answer:
Azure Logic App:
Provides workflow automation capabilities
Can monitor Azure resource changes
Can send email notifications automatically [1]
Perfect for the requirement to “send an email message when the settings of VM4 are modified”
Can integrate with various email services
Why other options are incorrect:
“Azure Notification Hub”
Designed for push notifications to mobile applications
Not suitable for monitoring VM changes
Primarily for mobile apps and cross-platform notifications
“Azure Event Hub”
For big data streaming and event ingestion
Too complex for simple VM monitoring
Designed for millions of events per second
“Azure Service Bus”
Message queue and enterprise messaging service
For application-to-application communication
Overkill for simple VM monitoring and email alerts
Important notes for AZ-104 exam:
Azure Logic Apps Features:
No-code/low-code automation platform
Built-in connectors for various services
Can monitor Azure resources
Supports email notifications
Triggers and actions based workflow
Monitoring VM Changes:
Can monitor:
Configuration changes
State changes
Resource modifications
Tags updates
Size changes
Logic Apps Components:
Triggers (what starts the workflow)
Actions (what happens after trigger)
Connectors (integration with other services)
Conditions (workflow logic)
Best Practices:
Use managed identities for authentication
Implement error handling
Monitor Logic App runs
Consider costs of runs and connectors
Key Exam Concepts:
Understanding different Azure monitoring solutions
Knowing when to use:
Logic Apps (automation and workflows)
Event Grid (event routing)
Event Hubs (big data streaming)
Service Bus (enterprise messaging)
Cost Considerations:
Logic Apps charges per execution
Consider consumption vs standard plan
Monitor usage and optimize workflows
Security:
Use managed identities
Implement least privilege access
Secure connections to other services
Protect sensitive information
Integration Capabilities:
Office 365 integration
Azure services monitoring
Email services (SMTP, Office 365, Gmail)
Custom APIs and webhooks
Remember for the exam:
Logic Apps are ideal for automation workflows
They can easily monitor Azure resources
Perfect for email notifications
Cost-effective for simple automation
Built-in connectors reduce development effort
This scenario is common in the AZ-104 exam, testing your knowledge of:
Azure monitoring solutions
Automation options
Integration capabilities
Cost-effective solutions
You need to identify the appropriate sizes for the Azure virtual machines for Server2.
What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
From the Azure portal:
Create an Azure Migrate project.
Create a Recovery Services vault.
Upload a management certificate.
Create an Azure Import/Export job.
On Server2:
Enable Hyper-V Replica.
Install the Azure File Sync agent.
Create a collector virtual machine.
Configure Hyper-V storage migration.
Install the Azure Site Recovery Provider.
The correct answer is:
From the Azure portal:
Create an Azure Migrate project
On Server2:
Create a collector virtual machine
Here’s why these are correct:
Azure Migrate Project:
Purpose-built for assessing and migrating on-premises workloads
Helps determine appropriate VM sizes in Azure
Provides sizing recommendations based on performance data
Offers cost estimates for Azure resources
Collector Virtual Machine:
Discovers and assesses on-premises Hyper-V environments
Gathers performance data from VMs
Analyzes configuration and performance requirements
Helps in right-sizing Azure VMs
Why other options are incorrect:
Recovery Services vault:
For backup and disaster recovery
Not for sizing assessment
Management certificate:
Legacy authentication method
Not required for migration assessment
Import/Export job:
For physical data transfer
Not related to VM sizing
Hyper-V Replica:
For disaster recovery
Not for migration assessment
Azure File Sync agent:
For file synchronization
Not related to VM sizing
Hyper-V storage migration:
For moving VM storage
Not for Azure sizing assessment
Azure Site Recovery Provider:
For disaster recovery
Different purpose than sizing assessment
Important notes for AZ-104 exam:
Azure Migrate Capabilities:
Discovery and assessment
Server migration
Database migration
Web app migration
Virtual desktop migration
Data box migration
Assessment Features:
Performance-based sizing
Cost estimation
Dependency mapping
Migration readiness
Azure compatibility checking
Key Components:
Azure Migrate project
Assessment tools
Discovery methods
Dependency analysis
Performance monitoring
Best Practices:
Gather performance data for at least 24 hours
Consider peak usage periods
Account for future growth
Review compatibility reports
Analyze dependencies
Migration Planning:
Assessment before migration
Right-sizing recommendations
Cost optimization
Performance requirements
Network dependencies
Remember:
Azure Migrate is free for assessment
Different tools for different workloads
Performance history affects recommendations
Consider both CPU and memory metrics
Assessment Process:
Create Azure Migrate project
Deploy collector
Discover resources
Create assessment
Review recommendations
Sizing Considerations:
Performance requirements
Cost optimization
Future growth
Azure region availability
Service level agreements
You need to implement Role1.
Which command should you run before you create Role1?
To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Dropdown 1 options:
Find-RoleCapability
Get-AzureADDirectoryRole
Get-AzureRmRoleAssignment
Get-AzureRmRoleDefinition
Dropdown 2 options:
ConvertFrom-Json
ConvertFrom-String
ConvertTo-Json
ConvertTo-Xml
Answer Area
Get-AzureRmRoleDefinition
ConvertTo-Json
Explanation:
Get-AzureRmRoleDefinition: This command retrieves the definition of an existing Azure role. You need to get the definition of the Reader role to use it as a base for creating the custom role named Role1.
ConvertTo-Json: This command converts the role definition to a JSON format, which is required for creating a custom role in Azure.
Important notes for the AZ-104 exam:
Understand how to retrieve and manipulate role definitions in Azure using PowerShell.
Be familiar with the process of creating custom roles in Azure, including retrieving existing role definitions and converting them to the required format.
Know the PowerShell commands and their usage for managing Azure roles and role assignments.
You need to prepare the environment to meet the authentication requirements.
Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
☐ Allow inbound TCP port 8080 to the domain controllers in the Miami office.
☐ Add http://autologon.microsoftazuread-sso.com to the intranet zone of each client computer in the Miami office.
☐ Join the client computers in the Miami office to Azure AD.
☐ Install the Active Directory Federation Services (AD FS) role on a domain controller in the Miami office.
☐ Install Azure AD Connect on a server in the Miami office and enable Pass-through Authentication.
The correct answers are:
“Add http://autologon.microsoftazuread-sso.com to the intranet zone of each client computer in the Miami office”
“Install Azure AD Connect on a server in the Miami office and enable Pass-through Authentication”
Here’s why these are correct:
Adding autologon.microsoftazuread-sso.com:
Enables seamless SSO
Required for integrated Windows authentication
Improves user sign-in experience
Part of Azure AD Connect configuration
Installing Azure AD Connect with Pass-through Authentication:
Enables directory synchronization
Provides secure authentication method
Allows password validation against on-premises AD
Meets hybrid identity requirements
Why other options are incorrect:
“Allow inbound TCP port 8080”
Not related to authentication requirements
Wrong port for authentication services
“Join client computers to Azure AD”
Not necessary for hybrid authentication
Machines are already domain-joined
“Install AD FS role”
More complex than necessary
Higher maintenance overhead
Not required when using Pass-through Authentication
Important notes for AZ-104 exam:
Azure AD Connect Features:
Directory synchronization
Password hash synchronization
Pass-through Authentication
Seamless SSO
Object filtering
Authentication Methods:
Password Hash Synchronization
Pass-through Authentication
Federation (AD FS)
Choose based on requirements
Pass-through Authentication:
Validates passwords on-premises
No password sync to cloud
Requires outbound connectivity
Highly available configuration
Seamless SSO:
Works with both PHS and PTA
Requires intranet zone configuration
Uses Kerberos tickets
Reduces prompt frequency
Implementation Requirements:
Enterprise Admin credentials
Global Admin credentials
Required ports and protocols
Network connectivity
Best Practices:
Install on non-DC server
Use staging mode for changes
Configure high availability
Regular maintenance
Monitor sync health
Security Considerations:
Least privilege accounts
Network security
Authentication agent security
Regular updates
Common Configuration Steps:
Install Azure AD Connect
Configure authentication method
Set up SSO
Configure filtering
Verify synchronization
Remember for the exam:
Different authentication methods
Implementation requirements
Configuration steps
Security considerations
High availability options
Key exam topics:
Hybrid identity solutions
Authentication methods
Directory synchronization
SSO configuration
Security requirements
This scenario tests understanding of:
Azure AD Connect
Authentication methods
SSO configuration
Implementation steps
Best practices
- Topic 1, Litware, inc.
Overview
Litware, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York office has 200 employees.
All the resources used by Litware are hosted on-premises.
Litware creates a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain named Litware.onmicrosoft.com. The tenant uses the P1 pricing tier.
Existing Environment
The network contains an Active Directory forest named Litware.com. All domain controllers are configured as DNS servers and host the Litware.com DNS zone.
Litware has finance, human resources, sales, research, and information technology departments. Each department has an organizational unit (OU) that contains all the accounts of that respective department. All the user accounts have the department attribute set to their respective department. New users are added frequently.
Litware.com contains a user named User1.
All the offices connect by using private links.
Litware has data centers in the Montreal and Seattle offices. Each data center has a firewall that can be configured as a VPN device.
All infrastructure servers are virtualized.
The virtualization environment contains the servers in the following table.
Name Role Contains virtual machine
Server1 VMware vCenter server VM1
Server2 Hyper-V host VM2
Litware uses two web applications named App1 and App2. Each instance of each web application requires 1 GB of memory.
The Azure subscription contains the resources in the following table.
Name Type
VNet1 Virtual network
VM3 Virtual machine
VM4 Virtual machine
The network security team implements several network security groups (NSGs).
Planned Changes
Litware plans to implement the following changes:
- Deploy Azure ExpressRoute to the Montreal office.
- Migrate the virtual machines hosted on Server1 and Server2 to Azure.
- Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
- Migrate App1 and App2 to two Azure web apps named WebApp1 and WebApp2.
Technical requirements
Litware must meet the following technical requirements:
- Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instances.
- Ensure that VM3 can establish outbound connections over TCP port 8080 to the application servers in the Montreal office.
- Ensure that routing information is exchanged automatically between Azure and the routers in the Montreal office.
- Enable Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
- Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.Litware.com.
- Connect the New York office to VNet1 over the Internet by using an encrypted connection.
- Create a workflow to send an email message when the settings of VM4 are modified.
- Create a custom Azure role named Role1 that is based on the Reader role.
- Minimize costs whenever possible.
Which blade should you instruct the finance department auditors to use?
Partner information
Overview
Payment methods
Invoices
The correct answer is “Invoices”
Here’s why this is correct:
Invoices blade:
Shows detailed billing information
Contains historical billing data
Provides downloadable invoices
Allows auditors to review financial records
Shows itemized costs and charges
Why other options are incorrect:
“Partner information”
Shows partner/reseller details
Not related to billing audits
Not relevant for internal finance auditing
“Overview”
Too general
Lacks detailed financial information
Not specific enough for auditing purposes
“Payment methods”
Shows payment configurations
Not useful for historical cost analysis
Doesn’t provide billing details
Important notes for AZ-104 exam:
Azure Cost Management Features:
Invoices
Cost analysis
Budgets
Cost alerts
Exports
Price sheets
Invoice Contents:
Detailed usage breakdown
Service costs
Credits applied
Tax information
Payment terms
Billing period details
Access Control:
RBAC roles for billing
Billing Reader role
Cost Management Reader
Billing Administrator
Owner permissions
Best Practices:
Regular review of costs
Download invoices monthly
Track spending patterns
Monitor budget alerts
Review cost optimizations
Key Billing Concepts:
Billing periods
Invoice sections
Cost allocation
Subscription billing
Enterprise agreements
Pay-as-you-go
Cost Management Tools:
Cost analysis
Budgets
Recommendations
Exports
Reports
Alerts
Important Features for Auditors:
Detailed cost breakdown
Historical data access
Export capabilities
Filtering options
Custom reports
Remember:
Invoice retention period
Download and archive options
Access requirements
Audit trail requirements
Compliance needs
This knowledge is crucial for the AZ-104 exam because:
Cost management is a key responsibility
Understanding billing access
Knowledge of available tools
Security and compliance requirements
Common exam scenarios test:
Billing access management
Cost analysis tools
Invoice management
Budget monitoring
Cost optimization
Additional exam tips:
Know billing roles
Understand access levels
Familiar with cost tools
Know reporting options
Understand billing cycles
- Topic 1, Litware, inc.
You need to resolve the Active Directory issue.
What should you do?
From Active Directory Users and Computers, select the user accounts, and then modify the User Principal Name value.
Run idfix.exe, and then use the Edit action.
From Active Directory Domains and Trusts, modify the list of UPN suffixes.
From Azure AD Connect, modify the outbound synchronization rule.
You are evaluating the connectivity between the virtual machines after the planned implementation of the Azure networking infrastructure.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Statements
The virtual machines on Subnet1 will be able to connect to the virtual machines on Subnet3.
The virtual machines on ClientSubnet will be able to connect to the Internet.
The virtual machines on Subnet3 and Subnet4 will be able to connect to the Internet.
For the Active Directory issue, the correct answer is:
“Run idfix.exe, and then use the Edit action”
Here’s why this is correct:
IdFix:
Specifically designed to identify and fix Azure AD sync issues
Detects and resolves directory issues before synchronization
Handles UPN conflicts, invalid characters, and duplicates
Microsoft’s recommended tool for pre-sync cleanup
Why other options are incorrect:
“Modify User Principal Name value manually”:
Time-consuming for multiple users
Prone to human error
Not scalable solution
“Modify UPN suffixes”:
Doesn’t address existing conflicts
Doesn’t fix individual user issues
Too broad of a solution
“Modify outbound synchronization rule”:
Doesn’t fix source directory issues
Could cause additional problems
Wrong approach for directory cleanup
For the connectivity evaluation:
The correct answers are:
“The virtual machines on Subnet1 will be able to connect to Subnet3” - Yes
“The virtual machines on ClientSubnet will be able to connect to the Internet” - Yes
“The virtual machines on Subnet3 and Subnet4 will be able to connect to the Internet” - No
Important notes for AZ-104 exam:
IdFix Tool Features:
Identifies sync blockers
Shows directory errors
Provides fix options
Generates reports
Batch processing capability
Common Directory Issues:
Invalid characters
UPN conflicts
Duplicate attributes
Missing required attributes
Character length violations
Network Connectivity:
VNet peering allows VM communication
NSGs control traffic flow
Route tables affect routing
Internet connectivity depends on configuration
Best Practices:
Run IdFix before sync
Document changes
Backup before fixes
Test in staging
Monitor sync health
Network Security:
NSG rules
Route tables
Network policies
Security baselines
Access controls
Remember:
Directory preparation is crucial
Use Microsoft tools
Test before production
Document changes
Monitor results
Networking Concepts:
VNet peering
Subnet communication
Internet connectivity
Routing
Security rules
Implementation Steps:
Run directory analysis
Fix identified issues
Test synchronization
Monitor results
Document changes
This knowledge is crucial for the AZ-104 exam because:
Directory synchronization is common
Network connectivity is fundamental
Security implementation is critical
Tool knowledge is required
Common exam scenarios test:
Directory sync preparation
Network connectivity
Security implementation
Tool usage
Best practices
Additional exam tips:
Understand IdFix usage
Know networking concepts
Understand security implications
Know troubleshooting steps
Understand connectivity requirements
You are evaluating the name resolution for the virtual machines after the planned implementation of the Azure networking infrastructure.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Statements
The virtual machines on Subnet1 will be able to resolve the hosts in the humongousinsurance.local zone.
The virtual machines on ClientSubnet will be able to register the hostname records in the humongousinsurance.local zone.
The virtual machines on Subnet4 will be able to register the hostname records in the humongousinsurance.local zone.
The correct answers are:
“The virtual machines on Subnet1 will be able to resolve the hosts in the humongousinsurance.local zone” - Yes
“The virtual machines on ClientSubnet will be able to register the hostname records in the humongousinsurance.local zone” - No
“The virtual machines on Subnet4 will be able to register the hostname records in the humongousinsurance.local zone” - No
Here’s why:
Subnet1 resolution - Yes:
Connected to on-premises via ExpressRoute
Can access on-premises DNS servers
DNS forwarding is configured
Part of the connected network infrastructure
ClientSubnet registration - No:
Not directly connected to on-premises
No dynamic DNS registration rights
Separate from on-premises DNS infrastructure
Limited to Azure DNS capabilities
Subnet4 registration - No:
Isolated from on-premises network
No direct DNS registration access
Different DNS infrastructure
No dynamic registration capability
Important notes for AZ-104 exam:
DNS Configuration in Azure:
Custom DNS settings
Azure-provided DNS
DNS forwarding
Conditional forwarding
Private DNS zones
Name Resolution Types:
Azure-provided name resolution
Custom DNS servers
Hybrid DNS solutions
Private DNS zones
Public DNS zones
DNS Integration Scenarios:
On-premises integration
VNet-to-VNet resolution
Cross-premises resolution
Forward and reverse lookup
Conditional forwarding
Best Practices:
Use Azure Private DNS zones
Configure DNS forwarding
Plan DNS strategy
Test name resolution
Document DNS architecture
Key Concepts:
DNS servers
Name resolution
DNS forwarding
Zone delegation
Record registration
Network Planning:
DNS infrastructure
Name resolution strategy
Cross-premises connectivity
Network segmentation
Security considerations
Common Configurations:
Custom DNS servers
Azure Private DNS
Forwarding rules
Conditional forwarding
Zone delegation
Remember:
DNS propagation time
Registration requirements
Resolution paths
Security implications
Performance impact
This knowledge is crucial for the AZ-104 exam because:
DNS is fundamental to Azure networking
Hybrid connectivity is common
Name resolution is critical
Security implications exist
Key exam topics:
DNS configuration
Name resolution
Network connectivity
Hybrid scenarios
Security considerations
Additional exam tips:
Understand DNS concepts
Know resolution paths
Understand registration requirements
Know security implications
Understand hybrid scenarios
Common scenarios test:
DNS configuration
Name resolution
Network connectivity
Security implementation
Hybrid solutions
Best practices:
Plan DNS strategy
Document configurations
Test resolution
Monitor performance
Implement security
- Topic 1, Litware, inc.
You need to prepare the environment to meet the authentication requirements.
Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
Azure Active Directory (AD) Identity Protection and an Azure policy
a Recovery Services vault and a backup policy
an Azure Key Vault and an access policy
an Azure Storage account and an access policy
The correct answers are:
“Azure Active Directory (AD) Identity Protection”
“an Azure Key Vault and an access policy”
Here’s why these are correct:
Azure AD Identity Protection:
Required for MFA implementation
Provides risk-based conditional access
Helps secure finance department users
Part of Azure AD P1 licensing (mentioned in scenario)
Azure Key Vault and access policy:
Securely stores authentication credentials
Manages certificates and secrets
Controls access to sensitive information
Supports MFA implementation [1]
Why other options are incorrect:
“Recovery Services vault and backup policy”:
For backup and disaster recovery
Not related to authentication
Wrong service for MFA
“Azure Storage account and access policy”:
For data storage
Not related to authentication
Wrong service for MFA requirements
Important notes for AZ-104 exam:
Azure AD Identity Protection Features:
Risk-based conditional access
MFA enforcement
Risk detection
Automated responses
Security reporting
Key Vault Features:
Secret management
Key management
Certificate management
Access policies
RBAC integration
MFA Implementation:
Conditional Access policies
Per-user MFA
Risk-based authentication
Security defaults
Authentication methods
Best Practices:
Use conditional access
Implement least privilege
Regular access reviews
Monitor sign-in attempts
Document policies
Security Considerations:
Risk levels
Authentication strength
Access controls
Monitoring
Compliance requirements
Remember:
P1 licensing requirements
MFA configuration options
Policy implementation
Security monitoring
Access management
Implementation Steps:
Enable Identity Protection
Configure Key Vault
Set up access policies
Enable MFA
Test configuration
Key Concepts: [2]
Conditional Access
Risk policies
Authentication methods
Access policies
Security monitoring
This knowledge is crucial for the AZ-104 exam because:
Authentication is fundamental
Security implementation is critical
Service integration is important
Licensing knowledge required
Common exam scenarios test:
MFA implementation
Security configuration
Access management
Policy setup
Service integration
Additional exam tips:
Understand licensing requirements
Know security features
Understand policy types
Know implementation steps
Understand monitoring options
Best practices:
Plan security strategy
Document configurations
Test implementations
Monitor effectiveness
Regular reviews
Remember:
Azure AD P1 features
MFA capabilities
Key Vault usage
Policy types
Security monitoring
Which blade should you instruct the finance department auditors to use?
invoices
partner information
cost analysis
External services
Okay, let’s break down each of these Azure portal blades and determine which one finance department auditors would most likely use:
Invoices: This blade provides a detailed breakdown of Azure consumption charges. It includes information on services used, costs incurred, and billing periods.
Partner Information: This blade is primarily for managing partners who provide access to your Azure resources.
Cost Analysis: This blade offers tools for visualizing and analyzing Azure spending patterns. You can filter by various parameters, set budgets, and receive alerts.
External Services: This blade is usually used to manage third-party services used by your Azure resources.
The Best Choice for Auditors:
Finance department auditors are primarily concerned with ensuring accurate billing and understanding where money is being spent. Therefore, the most appropriate blades for them would be:
Invoices: This provides the raw data about what they are paying for.
Cost Analysis: This allows them to investigate spending trends and anomalies.
Therefore, based on the available options, the correct answer is:
Cost analysis
While the invoices blade is also related to auditing, in the given scenario Cost analysis is the most suitable for the finance department.
- Topic 1, Litware, inc.
You need to resolve the licensing issue before you attempt to assign the license again.
What should you do?
From the Groups blade, invite the user accounts to a new group.
From the Profile blade, modify the usage location.
From the Directory role blade, modify the directory role.
Okay, let’s analyze the situation and determine the correct step to resolve a licensing issue when assigning licenses to users.
Understanding the Problem
The scenario implies that there’s a licensing issue preventing you from assigning licenses to users. This is a common problem, and it often stems from one of these situations:
Incorrect Usage Location: Azure AD licenses are tied to a user’s usage location. If the user’s usage location is not set, or set to a region where the license is not valid, you’ll run into assignment issues.
Insufficient Licenses: You might simply not have enough licenses of the type you’re trying to assign. This seems less likely, as you are trying to resolve an issue, not trying to purchase licenses.
Licensing Conflict: There can be licensing conflicts between different types of licenses. This is not explicitly in this scenario.
User already has a license: The user may have an existing license that is causing a conflict. This is not explicitly in this scenario.
Analyzing the Options
From the Groups blade, invite the user accounts to a new group: This is not the solution to licensing issues. Groups are often used for assigning licenses but not for directly solving a licensing issue. The problem is not the group membership, but the user profile.
From the Profile blade, modify the usage location: This is the correct action. If the user’s profile doesn’t have a valid usage location, it will cause license assignment problems. Specifying a usage location will ensure licensing is applicable to the specified user.
From the Directory role blade, modify the directory role: Directory roles are about the administrative permissions assigned to users. They have nothing to do with licensing. Changing directory roles will not fix a license assignment issue.
The Correct Action
The correct solution is to modify the usage location of the affected user(s) from the Profile blade. The usage location must be set for licenses to be assigned correctly.
Answer:
From the Profile blade, modify the usage location.
- Topic 1, Litware, inc.
Overview
Litware, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York office has 200 employees.
All the resources used by Litware are hosted on-premises.
Litware creates a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain named Litware.onmicrosoft.com. The tenant uses the P1 pricing tier.
Existing Environment
The network contains an Active Directory forest named Litware.com. All domain controllers are configured as DNS servers and host the Litware.com DNS zone.
Litware has finance, human resources, sales, research, and information technology departments. Each department has an organizational unit (OU) that contains all the accounts of that respective department. All the user accounts have the department attribute set to their respective department. New users are added frequently.
Litware.com contains a user named User1.
All the offices connect by using private links.
Litware has data centers in the Montreal and Seattle offices. Each data center has a firewall that can be configured as a VPN device.
All infrastructure servers are virtualized.
The virtualization environment contains the servers in the following table.
| Name | Role | Contains virtual machine |
|---|---|---|
| Server1 | VMware vCenter server | VM1 |
| Server2 | Hyper-V host | VM2 |
Litware uses two web applications named App1 and App2. Each instance of each web application requires 1 GB of memory.
The Azure subscription contains the resources in the following table.
| Name | Type |
|---|---|
| VNet1 | Virtual network |
| VM3 | Virtual machine |
| VM4 | Virtual machine |
The network security team implements several network security groups (NSGs).
Planned Changes
Litware plans to implement the following changes:
- Deploy Azure ExpressRoute to the Montreal office.
- Migrate the virtual machines hosted on Server1 and Server2 to Azure.
- Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
- Migrate App1 and App2 to two Azure web apps named webApp1 and WebApp2.
Technical requirements
Litware must meet the following technical requirements:
- Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instances.
- Ensure that VM3 can establish outbound connections over TCP port 8080 to the application servers in the Montreal office.
- Ensure that routing information is exchanged automatically between Azure and the routers in the Montreal office.
- Enable Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
- Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.Litware.com.
- Connect the New York office to VNet1 over the Internet by using an encrypted connection.
- Create a workflow to send an email message when the settings of VM4 are modified.
- Create a custom Azure role named Role1 that is based on the Reader role.
- Minimize costs whenever possible.
You need to prepare the environment to ensure that the web administrators can deploy the web apps as quickly as possible.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Actions
- From the Automation script blade of the resource group, click Deploy.
- From the Templates service, select the template, and then share the template to the web administrators.
- From the Automation script blade of the resource group, click Add to library.
- From the Automation Accounts service, add an automation account.
- Create a resource group, and then deploy a web app to the resource group.
- From the Automation script blade of the resource group, click the Parameters tab.
Answer Area
Here’s the correct sequence of actions to prepare the environment for web administrators to deploy web apps quickly:
“Create a resource group, and then deploy a web app to the resource group”
“From the Automation script blade of the resource group, click Add to library”
“From the Templates service, select the template, and then share the template to the web administrators”
Let’s analyze why this sequence is correct:
Step 1: Create a resource group and deploy a web app
# Create Resource Group
New-AzResourceGroup -Name "WebAppsRG" -Location "EastUS"
# Deploy Web App (the App Service plan "AppPlan1" must already exist in the resource group)
New-AzWebApp -ResourceGroupName "WebAppsRG" `
-Name "WebApp1" `
-Location "EastUS" `
-AppServicePlan "AppPlan1"
Why first:
Establishes base infrastructure
Creates working example
Provides template source
Required for automation script
Step 2: Add to library from Automation script blade
# Export the resource group's deployed resources as an ARM template file
Export-AzResourceGroup -ResourceGroupName "WebAppsRG" `
-Path "./template.json"
Why second:
Captures working configuration
Creates reusable template
Saves proven deployment
Enables standardization
Step 3: Share template with web administrators
# Publish the exported template as a template spec that the web administrators can use
New-AzTemplateSpec -Name "WebAppTemplate" `
-Version "1.0" `
-ResourceGroupName "WebAppsRG" `
-Location "EastUS" `
-TemplateFile "./template.json"
Why third:
Enables self-service deployment
Provides standardized template
Ensures consistency
Speeds up deployment
Why other options are incorrect:
“From the Automation script blade, click Deploy”:
Not needed if sharing template
Redundant step
Not part of preparation
“From the Automation Accounts service, add an automation account”:
Not required for template deployment
Different automation purpose
Unnecessary complexity
“From the Automation script blade, click the Parameters tab”:
Not a complete action
Part of template editing
Not required for sharing
Topic 3, Contoso Ltd
Overview
Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market.
Contoso products are manufactured by using blueprint files that the company authors and maintains.
Existing Environment
Currently, Contoso uses multiple types of servers for business operations, including the following:
✑ File servers
✑ Domain controllers
✑ Microsoft SQL Server servers
Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.
You have a public-facing application named App1.
App1 is comprised of the following three tiers:
✑ A SQL database
✑ A web front end
✑ A processing middle tier
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
Requirements
Planned Changes
Contoso plans to implement the following changes to the infrastructure:
- Move all the tiers of App1 to Azure.
- Move the existing product blueprint files to Azure Blob storage.
- Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.
Technical Requirements
Contoso must meet the following technical requirements:
✑ Move all the virtual machines for App1 to Azure.
✑ Minimize the number of open ports between the App1 tiers.
✑ Ensure that all the virtual machines for App1 are protected by backups.
✑ Copy the blueprint files to Azure over the Internet.
✑ Ensure that the blueprint files are stored in the archive storage tier.
✑ Ensure that partner access to the blueprint files is secured and temporary.
✑ Prevent user passwords or hashes of passwords from being stored in Azure.
✑ Use unmanaged standard storage for the hard disks of the virtual machines.
✑ Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
✑ Minimize administrative effort whenever possible.
User Requirements
Contoso identifies the following requirements for users:
✑ Ensure that only users who are part of a group named Pilot can join devices to Azure AD.
✑ Designate a new user named Admin1 as the service administrator of the Azure subscription.
✑ Admin1 must receive email alerts regarding service outages.
✑ Ensure that a new user named User3 can create network objects for the Azure subscription.
HOTSPOT
You need to identify the storage requirements for Contoso.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Statements
- Contoso requires a storage account that supports Blob storage.
- Contoso requires a storage account that supports Azure Table storage.
- Contoso requires a storage account that supports Azure File Storage.
Understanding the Requirements
Blueprint Files: Contoso needs to move their product blueprint files to Azure. These files will be stored in the archive storage tier and require secure, temporary access for partners.
Virtual Machine Storage: The virtual machines for App1 will use unmanaged standard storage for their hard disks.
No Direct User Requirement for Table or File Storage: The requirements do not mention other user related storage requirements.
Analyzing Storage Options
Blob Storage: Blob storage is ideal for storing unstructured data like text or binary data. In this case, the blueprint files fall under unstructured data, making Blob storage a good fit. Additionally, the requirement to use the archive tier is something that only blob storage can provide.
Table Storage: Table storage is a NoSQL key-value datastore, suitable for structured data. There’s no indication that Contoso needs this for their blueprints or virtual machine disks.
File Storage: File storage provides fully managed file shares in the cloud. The requirements focus on moving blueprint files to Azure blob storage, no requirement for a managed file share.
Answering the Statements:
Contoso requires a storage account that supports Blob storage. - Yes. The blueprint files must be stored in Blob storage, making this requirement essential.
Contoso requires a storage account that supports Azure Table storage. - No. There is no indication in the requirements that they require Table storage.
Contoso requires a storage account that supports Azure File Storage. - No. They must move blueprints to blob storage and no requirements dictate the need for Azure File storage.
You are planning the move of App1 to Azure.
You create a network security group (NSG).
You need to recommend a solution to provide users with access to App1.
What should you recommend?
Create an outgoing security rule for port 443 from the Internet. Associate the NSG to all the subnets.
Create an incoming security rule for port 443 from the Internet. Associate the NSG to all the subnets.
Create an incoming security rule for port 443 from the Internet. Associate the NSG to the subnet that contains the web servers.
Create an outgoing security rule for port 443 from the Internet. Associate the NSG to the subnet that contains the web servers.
The correct answer is: Create an incoming security rule for port 443 from the Internet. Associate the NSG to the subnet that contains the web servers.
Let’s analyze why this is the correct solution:
Why this is correct:
Port 443 is for HTTPS traffic
Requirements state “Users access the web front end by using HTTPS only”
Only web tier needs public access
Follows principle of least privilege
Example NSG rule configuration:
# Create NSG rule for HTTPS (inbound from the Internet to port 443 only)
$nsgRule = New-AzNetworkSecurityRuleConfig `
-Name "Allow-HTTPS-Inbound" `
-Description "Allow HTTPS inbound traffic" `
-Access Allow `
-Protocol Tcp `
-Direction Inbound `
-Priority 100 `
-SourceAddressPrefix Internet `
-SourcePortRange * `
-DestinationAddressPrefix * `
-DestinationPortRange 443
Why other options are incorrect:
A. “Create an outgoing security rule for port 443 from the Internet”:
Wrong direction (outbound vs. inbound)
Users initiate connections to web servers
Outbound rules not needed for incoming web traffic
B. “Associate the NSG to all the subnets”:
Violates least privilege principle
Unnecessarily exposes other tiers
Creates potential security risks
Middle and database tiers don’t need public access
Important Security Considerations:
Application Architecture:
Internet -> Web Tier (Port 443) -> Middle Tier -> Database Tier
Tier Isolation:
Web tier: Public access (Port 443)
Middle tier: Internal only
Database tier: Internal only
Best Practices:
Limit public access to web tier only
Use separate NSGs for different tiers
Follow least privilege principle
Document security rules
Regular security review
Implementation Steps:
# Create NSG
$nsg = New-AzNetworkSecurityGroup `
-ResourceGroupName "RG1" `
-Location "EastUS" `
-Name "WebTier-NSG"
# Add rule to NSG (this only updates the local object)
$nsg = Add-AzNetworkSecurityRuleConfig `
-NetworkSecurityGroup $nsg `
-Name "Allow-HTTPS-Inbound" `
-Access Allow `
-Protocol Tcp `
-Direction Inbound `
-Priority 100 `
-SourceAddressPrefix Internet `
-SourcePortRange * `
-DestinationAddressPrefix * `
-DestinationPortRange 443
# Persist the rule to the NSG in Azure
$nsg = $nsg | Set-AzNetworkSecurityGroup
# Associate NSG with web tier subnet ("<vnet-name>" is a placeholder for the App1 VNet)
$vnet = Get-AzVirtualNetwork -ResourceGroupName "RG1" -Name "<vnet-name>"
Set-AzVirtualNetworkSubnetConfig `
-VirtualNetwork $vnet `
-Name "WebTierSubnet" `
-AddressPrefix "10.0.1.0/24" `
-NetworkSecurityGroup $nsg | Out-Null
# Persist the subnet change
$vnet | Set-AzVirtualNetwork
Key Points:
HTTPS requires port 443
Inbound direction for user access
Web tier only needs public access
Other tiers should be protected
Security Benefits:
Minimizes attack surface
Proper network segmentation
Clear security boundaries
Controlled access
Remember:
Only expose necessary ports
Only on required subnets
Document all rules
Regular security reviews
Monitor traffic patterns
This solution specifically:
Enables HTTPS access
Protects internal tiers
Follows security best practices
Supports application architecture
Minimizes security risks
You need to recommend an identity solution that meets the technical requirements.
What should you recommend?
federated single sign-on (SSO) and Active Directory Federation Services (AD FS)
password hash synchronization and single sign-on (SSO)
cloud-only user accounts
Pass-through Authentication and single sign-on (SSO)
Install Azure AD Connect
Understanding the Requirements
Hybrid Directory: Contoso needs to create a hybrid directory to support the Office 365 migration. This means integrating their on-premises Active Directory with Azure AD.
Prevent Password Hashes in Azure: A key requirement is to avoid storing user password hashes in Azure. This limits the available options.
User Authentication: Users should be able to access resources seamlessly (ideally with single sign-on).
Analyzing the Options
Federated single sign-on (SSO) and Active Directory Federation Services (AD FS): With this setup, the authentication process is handled by the on-premises AD FS servers, which is the correct approach to prevent password hashes being stored in Azure AD. Users would authenticate against their AD environment, and AD FS would create a token that can be used by Azure AD.
Password hash synchronization and single sign-on (SSO): This option involves synchronizing password hashes to Azure AD, which directly violates the requirement to prevent user passwords or hashes from being stored in Azure.
Cloud-only user accounts: While this is an option, it wouldn’t fit the requirement for a hybrid directory or single sign-on with their existing on-premises domain, it would also create a new user directory separate from on-premises which does not align with the requirements.
Pass-through Authentication and single sign-on (SSO): This approach keeps the authentication process on-premises. When users attempt to authenticate to Azure AD, the request is passed to an agent on-premises, which validates the user against the on-premises Active Directory. While this approach does meet the requirements, the federated approach is better and more scalable.
The Correct Recommendation
The best solution is to implement federated single sign-on (SSO) with Active Directory Federation Services (AD FS).
Answer:
federated single sign-on (SSO) and Active Directory Federation Services (AD FS)
You need to configure the Device settings to meet the technical requirements and the user requirements.
Which two settings should you modify? To answer, select the appropriate settings in the answer area.
Answer Area:
Users may join devices to Azure AD:
Options: All, Selected, None
Selected: No member selected
Additional local administrators on Azure AD joined devices:
Options: Selected, None
Selected: No member selected
Users may register their devices with Azure AD:
Options: All, None
Require Multi-Factor Auth to join devices:
Options: Yes, No
Maximum number of devices per user:
Value: 50
Users may sync settings and app data across devices:
Options: All, Selected, None
Selected: No member selected
Based on the technical and user requirements, here are the two settings that need to be modified:
"Users may join devices to Azure AD": select "Selected". Why:
Requirement states “only users who are part of a group named Pilot can join devices to Azure AD”
Need to restrict device join capability
Select the “Pilot” group
"Require Multi-Factor Auth to join devices": select "Yes". Why:
Requirement states “users use a mobile phone to verify their identity when joining devices”
Enforces MFA during device join
Adds security layer
Configuration steps:
# Device settings ("Users may join devices to Azure AD" and "Require Multi-Factor
# Auth to join devices") are configured in the Azure portal under Azure AD > Devices >
# Device settings; the AzureAD module has no cmdlet for them. Look up the Pilot group
# so it can be selected under "Users may join devices to Azure AD".
$pilotGroup = Get-AzureADGroup -SearchString "Pilot"
$pilotGroup.ObjectId
# Then set "Users may join devices to Azure AD" to Selected (choose Pilot) and
# "Require Multi-Factor Auth to join devices" to Yes.
Other settings should remain default because:
“Additional local administrators”:
No requirements specified
Keep default setting
No need to modify
“Users may register devices”:
No specific requirements
Keep default setting
Not mentioned in requirements
“Maximum number of devices”:
Default is sufficient
No requirements specified
No need to modify
“Users may sync settings”:
No requirements specified
Keep default setting
Not mentioned in requirements
Important notes for AZ-104 exam:
Device Join Settings:
Controls who can join devices
Group-based restrictions
Security enforcement
Access control
MFA Requirements:
Additional security
Identity verification
Mobile phone verification
Compliance requirement
Best Practices:
Limit device join rights
Enable MFA
Monitor device joins
Regular review
Document settings
Implementation Steps:
# Create Pilot group
$pilotGroup = New-AzureADGroup -DisplayName "Pilot" `
-MailEnabled $false `
-SecurityEnabled $true `
-MailNickName "NotSet"
# Add users to Pilot group ("<user-upn>" is a placeholder for each pilot user's UPN)
$user = Get-AzureADUser -ObjectId "<user-upn>"
Add-AzureADGroupMember -ObjectId $pilotGroup.ObjectId `
-RefObjectId $user.ObjectId
Key Points:
Restricted device join
MFA requirement
Group-based control
Security enhancement
User verification
Remember:
Only modify required settings
Document changes
Test configuration
Monitor compliance
Regular review
This configuration specifically:
Restricts device join to Pilot group
Enforces MFA requirement
Maintains security
Meets user requirements
Follows best practices
Additional Considerations:
Regular group membership review
MFA method verification
Device monitoring
Access control
Security compliance
You need to implement a backup solution for App1 after the application is moved.
What should you create first?
a recovery plan
an Azure Backup Server
a backup policy
a Recovery Services vault
Correct Option:
a Recovery Services vault
Explanation:
a Recovery Services vault: To implement a backup solution for App1 after the application is moved to Azure, you need to create a Recovery Services vault first. The Recovery Services vault is a storage entity in Azure that houses data, including backup copies and recovery points. Once the vault is created, you can then configure backup policies and set up backups for the virtual machines and other resources associated with App1.
You need to recommend a solution for App1. The solution must meet the technical requirements.
What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Number of virtual networks:
1
2
3
Number of subnets:
1
2
3
Let’s analyze the requirements and determine the correct number of virtual networks and subnets for App1:
Answer:
Number of virtual networks: 1
Number of subnets: 3
Let’s break down why:
Number of Virtual Networks: 1. Why:
App1 has three tiers that need to communicate
All components should be in same VNet for internal communication
Minimizes complexity and costs
Provides secure internal communication
Example VNet configuration:
# Create Virtual Network
New-AzVirtualNetwork `
-Name "App1-VNet" `
-ResourceGroupName "App1-RG" `
-Location "EastUS" `
-AddressPrefix "10.0.0.0/16"
Number of Subnets: 3. Why:
Three-tier application architecture:
Web front end tier
Processing middle tier
SQL database tier
Separate subnet for each tier
Supports network segmentation
Enables proper security controls
Subnet configuration:
# Create subnets (one /24 per tier inside the 10.0.0.0/16 address space)
$webSubnet = New-AzVirtualNetworkSubnetConfig `
-Name "WebTier" `
-AddressPrefix "10.0.1.0/24"
$middleSubnet = New-AzVirtualNetworkSubnetConfig `
-Name "MiddleTier" `
-AddressPrefix "10.0.2.0/24"
$dbSubnet = New-AzVirtualNetworkSubnetConfig `
-Name "DatabaseTier" `
-AddressPrefix "10.0.3.0/24"
# Attach the subnet configurations to the VNet and save the change
$vnet = Get-AzVirtualNetwork -Name "App1-VNet" -ResourceGroupName "App1-RG"
$vnet.Subnets.Add($webSubnet)
$vnet.Subnets.Add($middleSubnet)
$vnet.Subnets.Add($dbSubnet)
$vnet | Set-AzVirtualNetwork
Architecture Benefits:
Network Security:
Internet -> Web Tier (Subnet 1)
Web Tier -> Middle Tier (Subnet 2)
Middle Tier -> Database Tier (Subnet 3)
NSG Implementation:
# Create NSGs for each tier (New-AzNetworkSecurityGroup requires a location)
$webNSG = New-AzNetworkSecurityGroup `
-Name "WebTier-NSG" `
-ResourceGroupName "App1-RG" `
-Location "EastUS"
$middleNSG = New-AzNetworkSecurityGroup `
-Name "MiddleTier-NSG" `
-ResourceGroupName "App1-RG" `
-Location "EastUS"
$dbNSG = New-AzNetworkSecurityGroup `
-Name "DatabaseTier-NSG" `
-ResourceGroupName "App1-RG" `
-Location "EastUS"
Key Benefits:
Proper network segmentation
Enhanced security
Clear traffic flow
Easy management
Cost-effective
Best Practices:
Use subnet naming convention
Implement proper NSGs
Plan IP addressing
Document configuration
Monitor traffic
Important Considerations:
Address space planning
Subnet sizing
Security requirements
Future growth
Network policies
Remember:
One VNet for simplicity
Three subnets for separation
NSGs for security
Proper planning
Documentation
This design specifically:
Supports three-tier architecture
Enables security controls
Minimizes complexity
Optimizes costs
Follows best practices
Additional Notes:
Plan IP ranges carefully
Consider future growth
Implement proper routing
Monitor performance
Regular security review
Network Design Tips:
Use meaningful names
Document IP ranges
Plan security rules
Consider connectivity
Enable monitoring
Security Considerations:
Tier isolation
Traffic control
Access restrictions
Monitoring
Compliance requirements
Topic 4, Contoso Ltd (Consulting Company)
Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.
Overview
General Overview
Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.
Environment
Existing Environment
Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD) tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD tenant.
The Azure AD tenant contains the users shown in the following table.
| Name | Type | Role |
|---|---|---|
| User1 | Member | None |
| User2 | Guest | None |
| User3 | Member | None |
| User4 | Member | None |
Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.
| Name | Subnet | Peered with |
|---|---|---|
| VNET1 | Subnet1, Subnet2 | VNET2 |
| VNET2 | Subnet1 | VNET1, VNET3 |
| VNET3 | Subnet1 | VNET2 |
| VNET4 | Subnet1 | None |
User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table.
| Name | IP address | Location | Connected to |
|---|---|---|---|
| VM1 | 10.0.1.4 | West US | VNET1/Subnet1 |
| VM2 | 10.0.2.4 | West US | VNET1/Subnet2 |
| VM3 | 172.16.1.4 | Central US | VNET2/Subnet1 |
| VM4 | 192.168.1.4 | West US | VNET3/Subnet1 |
| VM5 | 10.0.22.4 | East US | VNET4/Subnet1 |
No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.
| Name | Kind | Location | File share | Identity-based access for file share |
|---|---|---|---|---|
| storage1 | Storage (general purpose v1) | West US | sharea | Azure Active Directory Domain Services (Azure AD DS) |
| storage2 | StorageV2 (general purpose v2) | East US | shareb, sharec | Disabled |
| storage3 | BlobStorage | East US 2 | Not applicable | Not applicable |
| storage4 | FileStorage | Central US | shared | Azure Active Directory Domain Services (Azure AD DS) |
Requirements
Planned Changes
Contoso plans to implement the following changes:
✑ Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.
✑ Create a storage account named storage5 and configure storage replication for the Blob service.
✑ Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.
| Priority | Port | Protocol | Source | Destination | Action |
|---|---|---|---|---|---|
| 200 | 3389 | TCP | 10.0.0.0/16 | Virtual Network | Deny |
| 400 | Any | ICMP | 10.0.2.0/24 | 10.0.1.0/24 | Allow |
Associate NSG2 to VNET1/Subnet2.
Technical Requirements
Contoso must meet the following technical requirements:
✑ Create container1 and share1.
✑ Use the principle of least privilege.
✑ Create an Azure AD security group named Group4.
✑ Back up the Azure file shares and virtual machines by using Azure Backup.
✑ Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.
✑ Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.
✑ Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1.
✑ Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.
✑ Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only permissions to the Azure file shares.
HOTSPOT
You need to create container1 and share1.
Which storage accounts should you use for each resource? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
container1:
storage2 only
storage2 and storage3 only
storage1, storage2, and storage3 only
storage2, storage3, and storage4 only
storage1, storage2, storage3, and storage4
share1:
storage2 only
storage4 only
storage2 and storage4 only
storage1, storage2, and storage4 only
storage1, storage2, storage3, and storage4
Let me help you determine the appropriate storage accounts for container1 and share1, considering the requirements and storage account types provided.
For container1:
The correct answer is “storage2 and storage3 only”
Reasoning:
container1 needs to use the Cool storage tier
Looking at the storage accounts:
storage1 is General Purpose v1 which doesn’t support Cool tier
storage2 (StorageV2) supports Cool tier for blobs
storage3 (BlobStorage) supports Cool tier for blobs
storage4 is FileStorage which doesn’t support blob containers
For share1:
The correct answer is “storage2 and storage4 only”
Reasoning:
share1 needs to be a file share with Cool tier support
Looking at the storage accounts:
storage1 is GPv1 which doesn’t support Cool tier for file shares
storage2 (StorageV2) supports Cool tier for file shares
storage3 is BlobStorage which doesn’t support file shares
storage4 (FileStorage) supports file shares and all tiers
Therefore:
For container1: Use either storage2 or storage3
For share1: Use either storage2 or storage4
The selection is based on the storage account types and their capabilities regarding blob containers, file shares, and support for the Cool storage tier.
You have the Azure virtual machines shown in the following table.
| Name | IP Address | Connected to |
|---|---|---|
| VM1 | 10.1.0.4 | VNET1/Subnet1 |
| VM2 | 10.1.0.5 | VNET1/SubnetA |
| VM3 | 172.16.0.4 | VNET2/SubnetA |
| VM4 | 10.2.0.8 | VNET3/SubnetB |
A DNS service is installed on VM1.
You configure the DNS server settings for each virtual network as shown in the following exhibit.
(There is a screenshot showing the DNS server settings configuration with the following details:
DNS servers: Custom
Custom DNS server address: 10.1.0.4)
You need to ensure that all the virtual machines can resolve DNS names by using the DNS service on VM1.
What should you do?
Add service endpoints on VNET2 and VNET3.
Configure peering between VNET1, VNET2, and VNET3.
Configure a conditional forwarder on VM1.
Add service endpoints on VNET1.
The correct answer is: Configure peering between VNET1, VNET2, and VNET3.
Here’s why:
Current Situation:
VM1 (10.1.0.4) is running a DNS service
All VNets are configured to use VM1 as their custom DNS server
The VMs are in different virtual networks (VNET1, VNET2, and VNET3)
Currently, VMs in VNET2 and VNET3 cannot reach VM1 because they are in isolated networks
Why VNet Peering is the Solution:
VNet peering enables you to seamlessly connect Azure virtual networks
It creates a direct connection between virtual networks
Allows resources in different VNets to communicate with each other
Provides low-latency, high-bandwidth connectivity
Traffic between peered networks is private and goes through the Microsoft backbone network
Why other options are incorrect:
Service endpoints:
Service endpoints are used to secure Azure service resources to virtual networks
They don’t help with VM-to-VM communication across VNets
Would not solve the DNS resolution issue
Conditional forwarder:
This would only be useful if we needed to forward DNS queries to different DNS servers
The problem here is network connectivity, not DNS forwarding
Implementation steps would involve:
Create peering from VNET1 to VNET2
Create peering from VNET1 to VNET3
Ensure the peering settings allow forwarded traffic if needed
After implementing VNet peering, all VMs will be able to reach VM1’s DNS service (10.1.0.4) and resolve DNS names successfully.
You have two Azure virtual machines named VM1 and VM2. You have two Recovery Services vaults named RSV1 and RSV2.
VM2 is protected by RSV1.
You need to use RSV2 to protect VM2.
What should you do first?
From the RSV1 blade, click Backup items and stop the VM2 backup.
From the RSV1 blade, click Backup Jobs and export the VM2 backup.
From the RSV1 blade, click Backup. From the Backup blade, select the backup for the virtual machine, and then click Backup.
From the VM2 blade, click Disaster recovery, click Replication settings, and then select RSV2 as the Recovery Services vault.
The correct answer is: From the RSV1 blade, click Backup items and stop the VM2 backup.
Here’s why:
Process to change Recovery Services vaults:
Before you can protect a VM with a new Recovery Services vault, you must first stop protection in the current vault
You cannot protect a VM using multiple Recovery Services vaults simultaneously
The process must be done in sequence
Correct steps in order:
a. First: stop backup protection in RSV1
Navigate to RSV1
Go to Backup items
Stop the backup for VM2
Choose whether to retain or delete the existing backup data
b. Then: Configure new protection in RSV2
After stopping protection in RSV1
Configure new backup protection for VM2 in RSV2
Why other options are incorrect:
“Export the VM2 backup”:
Exporting backup jobs is for reporting purposes
Does not help in changing protection vaults
“Click Backup and select the backup”:
This would create a new backup
Would not help in changing vaults
“Click Disaster recovery”:
Disaster recovery settings are different from backup settings
Azure Site Recovery (ASR) is for disaster recovery
Recovery Services vaults can be used for both backup and ASR, but they are separate features
Important considerations:
When stopping protection, you can choose to:
Retain the backup data (can be useful for future recovery)
Delete the backup data (frees up space in the vault)
Only after stopping protection in RSV1 can you configure protection in RSV2
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription named Subscription1 that contains the resources shown in the following table.
Name | Type | Location | Resource Group
RG1 | Resource group | East US | Not applicable
RG2 | Resource group | West Europe | Not applicable
RG3 | Resource group | North Europe | Not applicable
VNET1 | Virtual network | Central US | RG1
VM1 | Virtual machine | West US | RG2
VM1 connects to a virtual network named VNET2 by using a network interface named NIC1.
You need to create a new network interface named NIC2 for VM1.
Solution: You create NIC2 in RG1 and West US.
Does this meet the goal?
Yes
No
Understanding the Requirements
New NIC for VM1: We need to create a new network interface (NIC2) that will be associated with the existing virtual machine VM1.
VM1 Location: VM1 is located in West US.
VNET1 Location: VNET1 is located in Central US.
RG1 Location: RG1 is located in East US.
Resource Group location: The NIC does not need to be in the same resource group as the VM; however, it should be in the same location as the VM.
Analyzing the Solution
The solution proposes creating NIC2 in:
RG1: This is located in East US.
West US: This is the same region as VM1.
Determining if the Solution Meets the Goal
A network interface must be created in the same location as the virtual machine it will be connected to.
A network interface cannot be connected to a virtual network located in a different location than the NIC.
Given these considerations, the proposed solution does NOT meet the goal. The NIC can’t be in East US and be connected to a virtual machine in West US. The resource group’s location is irrelevant; the location of the NIC is the key factor.
Answer:
No
You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named adatum.com. The tenant contains 500 user accounts.
You deploy Microsoft Office 365. You configure Office 365 to use the user accounts in adatum.com.
You configure 60 users to connect to mailboxes in Microsoft Exchange Online.
You need to ensure that the 60 users use Azure Multi-Factor Authentication (MFA) to connect to the Exchange Online mailboxes. The solution must only affect connections to the Exchange Online mailboxes.
What should you do?
From the multi-factor authentication page, configure the Multi-Factor Auth status for each user
From Azure Active Directory admin center, create a conditional access policy
From the multi-factor authentication page, modify the verification options
From the Azure Active Directory admin center, configure an authentication method
Understanding the Requirements
Targeted MFA: Only 60 specific users who connect to Exchange Online should be required to use MFA.
No MFA for Others: The other 440 users in the adatum.com tenant should not be affected.
Exchange Online Only: MFA should only apply when connecting to Exchange Online mailboxes.
Least effort: The chosen method should be easy and scalable.
Analyzing the Options
From the multi-factor authentication page, configure the Multi-Factor Auth status for each user: This is not the correct solution, as it would require enabling/enforcing MFA per user. It also does not allow you to target Exchange Online connections specifically. This would be a very manual process and not scalable.
From Azure Active Directory admin center, create a conditional access policy: This is the correct approach. Conditional Access policies allow us to define conditions under which MFA is required. We can target a specific group of users, specify the Exchange Online application, and enforce MFA only for that specific scenario. This is scalable and highly customizable.
From the multi-factor authentication page, modify the verification options: This would modify the verification options for the whole tenant, not just the targeted users. This option is incorrect.
From the Azure Active Directory admin center, configure an authentication method: Configuring an authentication method is not the correct solution. It does not allow you to target specific users or applications.
The Correct Approach
The most efficient and targeted solution is to create a Conditional Access policy in the Azure AD admin center.
Answer:
From Azure Active Directory admin center, create a conditional access policy
You have an Azure subscription that contains the storage accounts shown in the following table.
Name | Kind | Performance | Replication | Access tier
Storage1 | Storage (general purpose v1) | Premium | Geo-redundant storage (GRS) | None
Storage2 | StorageV2 (general purpose v2) | Standard | Locally-redundant storage (LRS) | Cool
Storage3 | StorageV2 (general purpose v2) | Premium | Read-access geo-redundant storage (RA-GRS) | Hot
Storage4 | BlobStorage | Standard | Locally-redundant storage (LRS) | Hot
You need to identify which storage account can be converted to zone-redundant storage (ZRS) replication by requesting a live migration from Azure support.
What should you identify?
Storage1
Storage2
Storage3
Storage4
Understanding Zone-Redundant Storage (ZRS)
ZRS Replication: ZRS replicates your data synchronously across three availability zones in the primary region. It provides high availability within a single region.
Live Migration Requirement: Some storage accounts can be converted to ZRS through a live migration process initiated by Azure support.
Account Limitations: Not all types of storage accounts support ZRS, especially for live migrations.
Analyzing the Storage Accounts
Let’s look at each storage account and determine its compatibility with ZRS live migration:
Storage1:
Kind: Storage (general purpose v1)
Performance: Premium
Replication: Geo-redundant storage (GRS)
Access tier: None
Analysis: General purpose v1 accounts do not support ZRS, especially not through live migration. Also, ZRS is not available for Premium performance tiers.
Storage2:
Kind: StorageV2 (general purpose v2)
Performance: Standard
Replication: Locally-redundant storage (LRS)
Access tier: Cool
Analysis: General purpose v2 accounts with standard performance can be migrated to ZRS via live migration when they are using LRS.
Storage3:
Kind: StorageV2 (general purpose v2)
Performance: Premium
Replication: Read-access geo-redundant storage (RA-GRS)
Access tier: Hot
Analysis: Premium performance tiers are not available for live migration to ZRS.
Storage4:
Kind: BlobStorage
Performance: Standard
Replication: Locally-redundant storage (LRS)
Access tier: Hot
Analysis: Blob storage accounts cannot be converted to ZRS. This is an account type limitation.
Determining the Correct Storage Account
Based on our analysis, only Storage2 meets the criteria for being converted to ZRS via live migration from Azure Support. It’s a general purpose v2 account with standard performance and LRS replication.
Answer:
Storage2
HOTSPOT
You have an Azure Migrate project that has the following assessment properties:
✑ Target location: East US
✑ Storage redundancy: Locally redundant
✑ Comfort factor: 2.0
✑ Performance history: 1 month
✑ Percentile utilization: 95th
✑ Pricing tier: Standard
✑ Offer: Pay as you go
You discover the following two virtual machines:
✑ A virtual machine named VM1 that runs Windows Server 2016 and has 10 CPU cores at 20 percent utilization
✑ A virtual machine named VM2 that runs Windows Server 2012 and has four CPU cores at 50 percent utilization
How many CPU cores will Azure Migrate recommend for each virtual machine? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
VM1:
2
4
10
20
VM2:
1
2
4
8
Key factors to consider:
Comfort factor: 2.0 (doubles the calculated requirement)
Percentile utilization: 95th
Performance history: 1 month
For VM1:
Current cores: 10
Utilization: 20%
Calculation:
Actual cores needed = 10 cores × 20% = 2 cores
With comfort factor of 2.0: 2 cores × 2 = 4 cores
Answer for VM1: 4 cores
For VM2:
Current cores: 4
Utilization: 50%
Calculation:
Actual cores needed = 4 cores × 50% = 2 cores
With comfort factor of 2.0: 2 cores × 2 = 4 cores
Answer for VM2: 4 cores
Therefore:
VM1: 4 cores
VM2: 4 cores
The calculations take into account:
The actual utilization of the current cores
The comfort factor of 2.0 which doubles the requirement
The 95th percentile utilization over the 1-month performance history
This sizing ensures adequate performance while maintaining efficiency in the Azure environment.
HOTSPOT
You have an Azure subscription that contains the virtual machines shown in the following table.
Name | Operating system | Connects to
VM1 | Windows Server 2019 | Subnet1
VM2 | Windows Server 2019 | Subnet2
VM1 and VM2 use public IP addresses. From Windows Server 2019 on VM1 and VM2, you allow inbound Remote Desktop connections.
Subnet1 and Subnet2 are in a virtual network named VNET1.
The subscription contains two network security groups (NSGs) named NSG1 and NSG2.
NSG1 uses only the default rules.
NSG2 uses the default and the following custom incoming rule:
✑ Priority: 100
✑ Name: Rule1
✑ Port: 3389
✑ Protocol: TCP
✑ Source: Any
✑ Destination: Any
✑ Action: Allow
NSG1 connects to Subnet1. NSG2 connects to the network interface of VM2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Answer Area
Statements | Yes | No
From the Internet, you can connect to VM1 by using Remote Desktop.
From the Internet, you can connect to VM2 by using Remote Desktop.
From VM1, you can connect to VM2 by using Remote Desktop.
Let me analyze each statement based on the NSG configurations and network setup:
“From the Internet, you can connect to VM1 by using Remote Desktop”
Answer: NO
Reasoning:
VM1 is connected to Subnet1
Subnet1 is protected by NSG1
NSG1 only has default rules
Default rules block inbound RDP (port 3389) from the Internet
“From the Internet, you can connect to VM2 by using Remote Desktop”
Answer: YES
Reasoning:
VM2 has NSG2 applied to its network interface
NSG2 has a custom rule (Rule1) that:
Allows port 3389 (RDP)
Has priority 100 (overrides default deny rule)
Allows from any source to any destination
“From VM1, you can connect to VM2 by using Remote Desktop”
Answer: YES
Reasoning:
VM1 and VM2 are in the same VNet (VNET1)
VNet-internal traffic is allowed by the default rules
NSG2 on VM2 allows RDP connections from any source
Therefore:
Statement 1: No
Statement 2: Yes
Statement 3: Yes