Timed Mode Bonus Test – AZ-104 Azure Administrator Flashcards
You are managing an Azure Subscription named Tagaytay-Subscription. The subscription has multiple resource groups that are used by three departments in your organization.
You have been asked to send a usage report of each department to the accounting department.
Which four actions should you perform in sequence?
Instructions: To answer, drag the appropriate item from the column on the left to its description on the right. Each correct match is worth one point.
A. Apply a tag to each Azure resource
B. Download the usage data
C. Filter the items by tag
D. Navigate to cost analysis and select a scope
- A. Apply a tag to each Azure resource
- D. Navigate to cost analysis and select a scope
- C. Filter the items by tag
- B. Download the usage data
Explanation:
Azure Cost Management + Billing is a suite of tools provided by Microsoft that helps you analyze, manage, and optimize the costs of your workloads. Using the suite helps ensure that your organization is taking advantage of the benefits provided by the cloud.
You use Azure Cost Management + Billing features to:
- Conduct billing administrative tasks such as paying your bill
- Manage billing access to costs
- Download cost and usage data that was used to generate your monthly invoice
- Proactively apply data analysis to your costs
- Set spending thresholds
- Identify opportunities for workload changes that can optimize your spending
You apply tags to your Azure resources, resource groups, and subscriptions to logically organize them into a taxonomy. Each tag consists of a name and a value pair. For example, you can apply the name Environment and the value Production to all the resources in production.
To produce a usage report for each department, you must first tag each resource with the department that owns it. Those tags are what you filter on in cost analysis. Tagging the resource group is not enough: tags are not inherited by the resources inside a group, and each department uses resources spread across several resource groups, so a resource-group tag would not tell you which department consumed a given resource.
Once the tags are in place, open Cost Management + Billing in the Azure portal, select the scope (for example, the subscription), and select Cost analysis in the menu. Add a filter, choose Tag, and pick the tag name and value. Export the result with Export, then Download data to CSV or Download data to Excel. The Excel download also records the view that produced it: scope, query configuration, total, and the date generated.
Hence, the correct sequence is:
- Apply a tag to each Azure resource
- Navigate to cost analysis and select a scope
- Filter the items by tag
- Download the usage data
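The same four steps scripted with Azure PowerShell, as an added example (not code from the original page or from Microsoft): it tags every resource in each department's resource groups, reports anything still untagged (those resources would be missing from the per-department view), and then pulls month-to-date cost grouped by the tag through the Cost Management query API that cost analysis itself uses. It assumes the Az.Accounts and Az.Resources modules, an existing Connect-AzAccount session with write access to Tagaytay-Subscription, and that the resource group names, department names and the api-version shown are placeholders for your own.

```powershell
# Added example, not code from the original page. Assumes Az.Accounts, Az.Resources
# and an existing Connect-AzAccount session. Resource group and department names are
# hypothetical; the Cost Management api-version is the one current when written.

Set-AzContext -Subscription 'Tagaytay-Subscription' | Out-Null

# Hypothetical mapping of resource groups to the department that owns them.
$departmentByResourceGroup = @{
    'rg-finance-app'  = 'Finance'
    'rg-finance-data' = 'Finance'
    'rg-hr-portal'    = 'HR'
    'rg-sales-crm'    = 'Sales'
}

# Step 1: tag at the resource level. Cost analysis filters on resource tags, and a tag
# on the resource group is not inherited by the resources inside it.
foreach ($rgName in $departmentByResourceGroup.Keys) {
    $department = $departmentByResourceGroup[$rgName]
    foreach ($resource in Get-AzResource -ResourceGroupName $rgName) {
        # -Operation Merge keeps the tags the resource already has and adds/overwrites Department.
        Update-AzTag -ResourceId $resource.ResourceId -Tag @{ Department = $department } -Operation Merge | Out-Null
    }
}

# Check: resources with no Department tag will silently drop out of every department's
# report, so list them before sending anything to accounting.
$untagged = Get-AzResource | Where-Object { -not $_.Tags -or -not $_.Tags.ContainsKey('Department') }
if ($untagged) {
    Write-Warning 'Resources without a Department tag:'
    $untagged | Select-Object Name, ResourceGroupName, ResourceType | Format-Table -AutoSize
}

# Steps 2-4: scope = the subscription, filter/group = the Department tag, then read the
# rows back. Invoke-AzRestMethod reuses the current Az sign-in token.
$subscriptionId = (Get-AzContext).Subscription.Id
$query = @{
    type      = 'ActualCost'
    timeframe = 'MonthToDate'
    dataset   = @{
        granularity = 'None'
        aggregation = @{ totalCost = @{ name = 'Cost'; function = 'Sum' } }
        grouping    = @( @{ type = 'TagKey'; name = 'Department' } )
    }
} | ConvertTo-Json -Depth 10

$response = Invoke-AzRestMethod -Method POST `
    -Path "/subscriptions/$subscriptionId/providers/Microsoft.CostManagement/query?api-version=2023-03-01" `
    -Payload $query

# Each row is [cost, currency, tagKey, tagValue]; write them to CSV for accounting.
$result = $response.Content | ConvertFrom-Json
$result.properties.rows | ForEach-Object {
    [pscustomobject]@{ Department = $_[3]; Cost = [math]::Round($_[0], 2); Currency = $_[1] }
} | Export-Csv -Path "$env:TEMP\department-usage.csv" -NoTypeInformation
```

The portal's Export button produces the same data; the script form is what you would schedule monthly, and the untagged-resource check is the part that catches the gaps the portal view hides.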
References:
https://docs.microsoft.com/en-us/azure/cost-management-billing/costs/quick-acm-cost-analysis?tabs=azure-portal
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json
Check out this Azure Pricing Cheat Sheet:
https://tutorialsdojo.com/azure-pricing/
Your company has an Azure Subscription that contains a resource group named TD-Cebu.
TD-Cebu contains the following resources:
[AZ104-D-02 question image: table of the resources in TD-Cebu, including TD-VM, TD-VNET, TD-SA and the Recovery Services vault TD-RSV]
What should you do first to delete the TD-Cebu resource group?
A. Delete all the resource lock and backup data in TD-RSV.
B. Stop TD-VM and delete the resource lock of TD-VNET.
C. Change the resource lock type of TD-VNET and modify the backup configuration of TD-VM.
D. Set the resource lock of TD-SA to Delete.
A. Delete all the resource lock and backup data in TD-RSV.
Explanation:
A Recovery Services vault is a storage entity in Azure that houses data. The data is typically copies of data, or configuration information for virtual machines (VMs), workloads, servers, or workstations. You can use Recovery Services vaults to hold backup data for various Azure services such as IaaS VMs (Linux or Windows) and Azure SQL databases. Recovery Services vaults support System Center DPM, Windows Server, Azure Backup Server, and more. Recovery Services vaults make it easy to organize your backup data while minimizing management overhead.
In order to delete the TD-Cebu resource group, you must first delete/remove the following:
- Resource Lock
– Either lock level blocks deletion: CanNotDelete (shown as Delete in the portal) prevents users from deleting the resource, and ReadOnly prevents them from deleting or modifying it. A lock overrides any permissions the user has, including Owner, so it cannot be bypassed; it must be removed.
- Backup data in Recovery Services vault
– If you try to delete a vault that contains backup data, you’ll encounter a message: “Vault cannot be deleted as there are existing resources within the vault. Please ensure there are no backup items, protected servers, or backup management servers associated with this vault.”
After you have removed the locks and deleted the backup data, you can delete the TD-Cebu resource group.
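The cleanup the answer describes, as an added Azure PowerShell example (not code from the original page or from Microsoft): remove every lock in the group, empty the vault, confirm it is empty, and only then delete. It assumes the Az.Resources and Az.RecoveryServices modules, an existing Connect-AzAccount session, and a role allowed to delete locks (Owner or User Access Administrator; Contributor is not). It covers Azure VM backup items only: MARS agents, MABS/DPM servers, SQL or SAP workloads and Site Recovery replication registered to the vault each need their own unregister step before the vault will delete.

```powershell
# Added example, not code from the original page. Assumes Az.Resources,
# Az.RecoveryServices and an existing Connect-AzAccount session. TD-Cebu and TD-RSV
# are the names from the scenario.

$rgName    = 'TD-Cebu'
$vaultName = 'TD-RSV'

# 1. Locks. Either level blocks deletion and cannot be overridden, only removed.
#    Listing at resource-group scope returns the group's own locks and those on the
#    resources inside it; a lock inherited from the subscription must be removed there.
foreach ($lock in Get-AzResourceLock -ResourceGroupName $rgName) {
    Write-Host "Removing $($lock.Properties.level) lock '$($lock.Name)' on $($lock.ResourceName)"
    Remove-AzResourceLock -LockId $lock.LockId -Force | Out-Null
}

# 2. Backup data in the Recovery Services vault.
$vault = Get-AzRecoveryServicesVault -ResourceGroupName $rgName -Name $vaultName

# Soft delete keeps deleted items (and their recovery points) for 14 days, during
# which the vault still cannot be deleted. Turning it off is a deliberate, auditable
# step: it removes the safety net against accidental or malicious backup deletion.
Set-AzRecoveryServicesVaultProperty -VaultId $vault.ID -SoftDeleteFeatureState Disable | Out-Null

$containers = Get-AzRecoveryServicesBackupContainer -ContainerType AzureVM -VaultId $vault.ID
foreach ($container in $containers) {
    $items = Get-AzRecoveryServicesBackupItem -Container $container -WorkloadType AzureVM -VaultId $vault.ID
    foreach ($item in $items) {
        # Items already in the soft-deleted state must be undeleted before they can be purged.
        if ($item.DeleteState -eq 'ToBeDeleted') {
            Undo-AzRecoveryServicesBackupItemDeletion -Item $item -VaultId $vault.ID -Force | Out-Null
        }
        # Stop protection AND discard recovery points. Without -RemoveRecoveryPoints the
        # data is retained and the vault keeps refusing to delete.
        Disable-AzRecoveryServicesBackupProtection -Item $item -RemoveRecoveryPoints -VaultId $vault.ID -Force | Out-Null
    }
}

# Check before the destructive step: the vault must report no backup items left.
$remaining = Get-AzRecoveryServicesBackupItem -BackupManagementType AzureVM -WorkloadType AzureVM -VaultId $vault.ID
if ($remaining) {
    throw "$vaultName still holds $(@($remaining).Count) backup item(s); not deleting."
}

# 3. Now the vault, and then the whole resource group, can go.
Remove-AzRecoveryServicesVault -Vault $vault
Remove-AzResourceGroup -Name $rgName -Force
```

Note that stopping TD-VM is not part of the sequence: a running VM does not block resource group deletion, which is why the option that stops it is a distractor.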
Hence, the correct answer is: Delete all the resource lock and backup data in TD-RSV.
The option that says: Stop TD-VM and delete the resource lock of TD-VNET is incorrect because you must also delete the backup data of TD-RSV to delete the resource group. Take note that you can’t delete a vault that contains backup data.
The option that says: Set the resource lock of TD-SA to Delete is incorrect because even if you change the resource lock of TD-SA, you still won’t be able to delete the TD-Cebu resource group. You must first delete all the resource lock and backup data in TD-RSV to delete the resource group.
The option that says: Change the resource lock type of TD-VNET and modify the backup configuration of TD-VM is incorrect because switching the lock on TD-VNET between Delete and Read-only still leaves a lock in place, and changing the backup configuration does not remove the backup data already stored in TD-RSV. To meet the requirement, you need to remove the resource lock and delete all the backup data in TD-RSV.
References:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json
Check out this Azure Virtual Machines Cheat Sheet:
https://tutorialsdojo.com/azure-virtual-machines/
You have an Azure subscription named TDSub1.
There is a requirement to assess your network infrastructure using Azure Network Watcher. You plan to do the following activities:
- Capture information about the IP traffic going to and from a network security group.
- Diagnose connectivity issues to or from an Azure virtual machine.
Which feature should you use for each activity?
Select the correct answer from the drop-down list of options. Each correct selection is worth one point.
- Capture information about the IP traffic going to and from a network security group:
A. IP Flow Verify
B. NSG Flow Logs
C. Next Hop
D. Traffic Analytics
- Diagnose connectivity issues to or from an Azure virtual machine:
A. IP Flow Verify
B. Next Hop
C. Traffic Analytics
D. NSG Flow Logs
- B. NSG Flow Logs
- A. IP Flow Verify
Explanation:
Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. Network Watcher is designed to monitor and repair the network health of IaaS (Infrastructure-as-a-Service) products which includes Virtual Machines, Virtual Networks, Application Gateways, Load balancers, etc.
Network security group (NSG) flow logs is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through an NSG. Flow data is sent to Azure Storage accounts from where you can access it as well as export it to any visualization tool, SIEM, or IDS of your choice.
Flow logs are the source of truth for all network activity in your cloud environment. Whether you’re an upcoming startup trying to optimize resources or a large enterprise trying to detect intrusion, Flow logs are your best bet. You can use it for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions, and more.
IP flow verify checks if a packet is allowed or denied to or from a virtual machine. If the packet is denied by a security group, the name of the rule that denied the packet is returned.
IP flow verify evaluates the rules of every Network Security Group on the traffic path, that is, the NSG associated with the subnet and the NSG associated with the virtual machine's NIC. Traffic flow is then verified based on the configured settings to or from that network interface. IP flow verify is useful for confirming whether a rule in a Network Security Group is blocking ingress or egress traffic to or from a virtual machine.
Therefore, you have to use the NSG flow logs to capture information about the IP traffic going to and from a network security group.
Conversely, to diagnose connectivity issues to or from an Azure virtual machine, you need to use IP flow verify.
Next hop is incorrect because this simply helps you determine if traffic is being directed to the intended destination, or whether the traffic is being sent nowhere.
Traffic analytics is incorrect because this just allows you to process your NSG Flow Log data that enables you to visualize, query, analyze, and understand your network traffic.
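The two features side by side, as an added Azure PowerShell example (not code from the original page or from Microsoft): it enables NSG flow logs on an NSG, shows how to read one of the flow tuples the log produces, and then runs IP flow verify to learn which rule made the decision the log only records. It assumes the Az.Network module, an existing Connect-AzAccount session, and that every name below (rg-prod, nsg-web, vm-web01, stflowlogs, westus2) is a hypothetical placeholder for your own resources; the flow tuple is a constructed sample in the documented version 2 layout.

```powershell
# Added example, not code from the original page. Assumes Az.Network and an existing
# Connect-AzAccount session; all resource names are hypothetical placeholders.

$rgName   = 'rg-prod'
$location = 'westus2'

# Network Watcher is a per-region instance (normally in the NetworkWatcherRG group).
$watcher = Get-AzNetworkWatcher -Location $location

# --- Capture IP traffic through an NSG: flow logs ---------------------------------
$nsg     = Get-AzNetworkSecurityGroup -ResourceGroupName $rgName -Name 'nsg-web'
$storage = Get-AzStorageAccount      -ResourceGroupName $rgName -Name 'stflowlogs'

# Version 2 records add flow state and byte/packet counters; 30-day retention keeps
# storage cost bounded while still covering a typical investigation window.
New-AzNetworkWatcherFlowLog -NetworkWatcher $watcher -Name 'nsg-web-flowlog' `
    -TargetResourceId $nsg.Id -StorageId $storage.Id -Enabled $true `
    -FormatVersion 2 -EnableRetention $true -RetentionPolicyDays 30 | Out-Null

# What one flow-log entry looks like once written (constructed sample, version 2):
# time,srcIP,dstIP,srcPort,dstPort,proto(T/U),dir(I/O),decision(A/D),state,pktsS2D,bytesS2D,pktsD2S,bytesD2S
$tuple = '1542110377,203.0.113.5,10.0.0.4,54987,3389,T,I,D,B,,,,'
$f = $tuple -split ','
$flow = [pscustomobject]@{
    Time        = [DateTimeOffset]::FromUnixTimeSeconds([long]$f[0]).UtcDateTime
    Source      = "$($f[1]):$($f[3])"
    Destination = "$($f[2]):$($f[4])"
    Protocol    = @{ T = 'TCP'; U = 'UDP' }[$f[5]]
    Direction   = @{ I = 'Inbound'; O = 'Outbound' }[$f[6]]
    Decision    = @{ A = 'Allowed'; D = 'Denied' }[$f[7]]
}
$flow   # a denied inbound RDP attempt from 203.0.113.5 against 10.0.0.4

# --- Diagnose VM connectivity: IP flow verify -------------------------------------
# The log records that the packet was denied, not which rule denied it. IP flow verify
# answers that for a hypothetical packet. The VM must be running for this check.
$vm  = Get-AzVM -ResourceGroupName $rgName -Name 'vm-web01'
$nic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$privateIp = $nic.IpConfigurations[0].PrivateIpAddress

$result = Test-AzNetworkWatcherIPFlow -NetworkWatcher $watcher `
    -TargetVirtualMachineId $vm.Id -TargetNetworkInterfaceId $nic.Id `
    -Direction Inbound -Protocol TCP `
    -LocalIPAddress $privateIp -LocalPort 3389 `
    -RemoteIPAddress '203.0.113.5' -RemotePort 54987

# Access is Allow or Deny; RuleName is the NSG rule that made the decision.
'{0} by rule {1}' -f $result.Access, $result.RuleName
```

Flow logs only contain traffic that an NSG evaluated, so a subnet or NIC with no NSG attached produces no entries at all; IP flow verify has the same blind spot, since it reasons only about NSG rules and not about route tables or on-VM firewalls.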
References:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview
Check out this Azure Virtual Network Cheat Sheet:
https://tutorialsdojo.com/azure-virtual-network-vnet
You have an Azure subscription that contains hundreds of network resources.
You need to recommend a solution that will allow you to monitor resources in one centralized console for network monitoring.
What solution should you recommend?
A. Azure Traffic Manager
B. Azure Virtual Network
C. Azure Monitor Network Insights
D. Azure Advisor
C. Azure Monitor Network Insights
Explanation:
Azure Monitor maximizes the availability and performance of your applications and services by delivering a solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on.
Azure Monitor Network Insights provides a comprehensive view of health and metrics for all deployed network resources without requiring any configuration. It also provides access to network monitoring capabilities like Connection Monitor, flow logging for network security groups (NSGs), and Traffic Analytics. And it provides other network diagnostic features. Key features of Network Insight:
– Single console for network monitoring
– No agent configuration required
– Access to health state, metrics, alerts, & data from traffic and connectivity monitoring tools in one place
– View network topology with functional dependencies for simpler troubleshooting
– Access resources metrics to debug issues without writing queries or authoring workbooks
Hence, the correct answer is: Azure Monitor Network Insights.
Azure Virtual Network is incorrect because this service simply allows your resources, such as virtual machines, to securely communicate with each other, the internet, and on-premises networks. VNet is similar to a traditional network that you’d operate in your own data center but brings with it additional benefits of Azure’s infrastructure such as scale, availability, and isolation.
Azure Traffic Manager is incorrect because this is simply a DNS-based traffic load balancer that enables you to distribute traffic optimally to services across global Azure regions while providing high availability and responsiveness. However, you cannot use this to monitor your network resources.
Azure advisor is incorrect because this service just helps you improve the cost-effectiveness, performance, reliability (formerly called high availability), and security of your Azure resources.
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/
https://docs.microsoft.com/en-us/azure/azure-monitor/insights/network-insights-overview
Check out this Azure Monitor Cheat Sheet:
https://tutorialsdojo.com/azure-monitor/
Your company plans to migrate your on-premises servers to Azure.
There is a requirement wherein the users must use the suffix of @tutorialsdojo.com instead of tutorialsdojo.onmicrosoft.com domain name.
Which four actions should you perform in sequence?
Instructions: To answer, drag the appropriate item from the column on the left to its description on the right. Each correct match is worth one point.
A. Add Tutorialsdojo.com to Azure AD.
B. Provision an Azure Active Directory
C. Add the Azure AD DNS information to your domain provider
D. Verify Tutorialsdojo.com
- B. Provision an Azure Active Directory
- A. Add Tutorialsdojo.com to Azure AD.
- C. Add the Azure AD DNS information to your domain provider
- D. Verify Tutorialsdojo.com
Explanation:
Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources in:
– External resources, such as Microsoft Office 365, the Azure portal, and thousands of other SaaS applications.
– Internal resources, such as apps on your corporate network and intranet, along with any cloud apps developed by your own organization.
Microsoft Online business services, such as Office 365 or Microsoft Azure, require Azure AD for sign-in and to help with identity protection. If you subscribe to any Microsoft Online business service, you automatically get Azure AD with access to all the free features.
Every new Azure AD tenant comes with an initial domain name, <domainname>.onmicrosoft.com. You can’t change or delete the initial domain name, but you can add your organization’s names. Adding custom domain names helps you to create user names that are familiar to your users, such as azure@tutorialsdojo.com.
You can verify your custom domain name by using the following steps in order:
- Provision an Azure Active Directory
– Sign in to the Azure portal for your directory. The person who creates the tenant is automatically its Global administrator and can add additional administrators. Adding and verifying a custom domain requires the Global administrator or Domain Name administrator role in that tenant.
- Add Tutorialsdojo.com to Azure AD.
– After you create your directory, you can add your custom domain name. Head over to your Azure Active Directory resource and look for custom domain names and click add custom domain and enter tutorialsdojo.com as the domain name
- Add the Azure AD DNS information to your domain provider
– After you add your custom domain name to Azure AD, Azure AD shows you the DNS record (a TXT record, or an MX record as the alternative) that proves you own the domain. Copy it.
– Go back to your domain registrar and create a new TXT record for your domain based on the copied DNS information. Set the time to live (TTL) to 3600 seconds (60 minutes), and then save the record.
- Verify Tutorialsdojo.com
– After you create the record at the registrar, make sure Azure AD can see it. Propagation from your domain registrar can be instantaneous or can take a few days, depending on the registrar, and Azure AD reads the record from public DNS.
– Open the custom domain name in Azure AD and select Verify. After the domain is verified, you can delete the verification TXT or MX record from your zone.
Hence, the correct order is:
- Provision an Azure Active Directory
- Add Tutorialsdojo.com to Azure AD
- Add the Azure AD DNS information to your domain provider
- Verify Tutorialsdojo.com
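The same sequence with the Microsoft Graph PowerShell SDK, as an added example (not code from the original page or from Microsoft): add the domain, print the proof record to create at the registrar, wait until that record is visible in public DNS, and only then call verify. It assumes the Microsoft.Graph.Identity.DirectoryManagement module, an account holding Global Administrator or Domain Name Administrator, and Windows (Resolve-DnsName comes from the DnsClient module). The registrar side is manual: no registrar API is assumed, and the way the TXT value is read from the SDK's generic DNS record object is an assumption noted in the code.

```powershell
# Added example, not code from the original page. Assumes the Microsoft.Graph
# Identity.DirectoryManagement module and Windows (for Resolve-DnsName).
# tutorialsdojo.com is the domain from the scenario.

$domainName = 'tutorialsdojo.com'
Connect-MgGraph -Scopes 'Domain.ReadWrite.All' -NoWelcome

# Step 2: add the domain. It stays unverified (IsVerified = false) until the proof
# record is in public DNS and verify has been called.
$domain = Get-MgDomain -DomainId $domainName -ErrorAction SilentlyContinue
if (-not $domain) { $domain = New-MgDomain -Id $domainName }

if ($domain.IsVerified) {
    "$domainName is already verified."
    return
}

# Step 3: get the proof record Azure AD wants at the registrar (TXT preferred; an MX
# alternative is returned too). The TXT value is read from AdditionalProperties['text']
# on the SDK's generic DNS record object (assumption about the object shape; inspect
# with `$records | Format-List *` if yours differs).
$records  = Get-MgDomainVerificationDnsRecord -DomainId $domainName
$txt      = $records | Where-Object RecordType -eq 'Txt' | Select-Object -First 1
$expected = $txt.AdditionalProperties['text']
'Create at the registrar: TXT  label={0}  ttl={1}  value={2}' -f $txt.Label, $txt.Ttl, $expected

# Check: do not call verify until the record is visible from the public internet.
# Azure AD resolves it from outside, so your corporate resolver's (possibly cached)
# view of the zone proves nothing. A public resolver is used as a neutral vantage point.
$published = (Resolve-DnsName -Name $domainName -Type TXT -Server 1.1.1.1 -ErrorAction SilentlyContinue).Strings
if ($published -notcontains $expected) {
    Write-Warning "TXT proof for $domainName is not yet visible in public DNS; add it at the registrar and re-run."
    return
}

# Step 4: verify. Afterwards the proof TXT record can be removed from the zone.
Confirm-MgDomain -DomainId $domainName | Out-Null
$domain = Get-MgDomain -DomainId $domainName
'{0} verified: {1}' -f $domain.Id, $domain.IsVerified
```

Verification is an ownership check only: it proves you control the zone, which is why an unverified domain cannot be used for user principal names.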
References:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis
Check out this Azure Active Directory Cheat Sheet:
https://tutorialsdojo.com/azure-active-directory-azure-ad/
Note: This item is part of a series of questions with the exact same scenario but with a different proposed answer. Each one in the series has a unique solution that may, or may not, comply with the requirements specified in the scenario.
Your organization has an Azure AD subscription that is associated with the directory TD-Siargao.
You have been tasked to implement a conditional access policy.
The policy must require the DevOps group to use multi-factor authentication and a hybrid Azure AD joined device when connecting to Azure AD from untrusted locations.
Solution: Create a conditional access policy and enforce grant control.
Does the solution meet the goal?
A. No
B. Yes
B. Yes
Explanation:
Azure Active Directory (Azure AD) enterprise identity service provides single sign-on and multi-factor authentication to help protect your users from 99.9 percent of cybersecurity attacks. The single sign-on is an authentication method that simplifies access to your apps from anywhere. While conditional access and multi-factor authentication help protect and govern access to your resources.
With conditional access, you can implement automated access-control decisions for accessing your cloud apps based on conditions. Conditional access policies are enforced after the first-factor authentication has been completed. It’s not intended to be a first-line defense against denial-of-service (DoS) attacks, but it uses signals from these events to determine access.
There are two types of access controls in a conditional access policy:
- Grant – grants or blocks access to resources, optionally requiring controls such as MFA or a particular device state.
- Session – enables limited experiences within specific cloud applications.
Going back to the scenario, the requirement is to enforce a policy on the members of the DevOps group that requires MFA and a hybrid Azure AD joined device when they connect to Azure AD from untrusted locations. The given solution is to use the grant access control. The Grant control offers Require multifactor authentication and Require hybrid Azure AD joined device, and with Require all the selected controls both must be satisfied, which is exactly what the scenario asks for. Combined with a Users and groups assignment of the DevOps group and a Locations condition that includes all locations and excludes trusted locations, the policy meets the requirement.
Hence, the correct answer is: Yes.
References:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant
Check out this Azure Active Directory Cheat Sheet:
https://tutorialsdojo.com/azure-active-directory-azure-ad/
Note: This item is part of a series of questions with the exact same scenario but with a different proposed answer. Each one in the series has a unique solution that may, or may not, comply with the requirements specified in the scenario.
Your organization has an Azure AD subscription that is associated with the directory TD-Siargao.
You have been tasked to implement a conditional access policy.
The policy must require the DevOps group to use multi-factor authentication and a hybrid Azure AD joined device when connecting to Azure AD from untrusted locations.
Solution: Create a conditional access policy and enforce session control.
Does the solution meet the goal?
A. No
B. Yes
A. No
Explanation:
Azure Active Directory (Azure AD) enterprise identity service provides single sign-on and multi-factor authentication to help protect your users from 99.9 percent of cybersecurity attacks. The single sign-on is an authentication method that simplifies access to your apps from anywhere. While conditional access and multi-factor authentication help protect and govern access to your resources.
With conditional access, you can implement automated access-control decisions for accessing your cloud apps based on conditions. Conditional access policies are enforced after the first-factor authentication has been completed. It’s not intended to be a first-line defense against denial-of-service (DoS) attacks, but it uses signals from these events to determine access.
There are two types of access controls in a conditional access policy:
- Grant – grants or blocks access to resources, optionally requiring controls such as MFA or a particular device state.
- Session – enables limited experiences within specific cloud applications.
Going back to the scenario, the requirement is to enforce a policy on the members of the DevOps group that requires MFA and a hybrid Azure AD joined device when they connect to Azure AD from untrusted locations. The given solution is to use the session access control. Session controls (app enforced restrictions, Conditional Access App Control, sign-in frequency, and persistent browser session) shape what happens inside a session; none of them can require MFA or a hybrid Azure AD joined device. Those are grant controls.
Hence, the correct answer is: No.
References:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant
Check out this Azure Active Directory Cheat Sheet:
https://tutorialsdojo.com/azure-active-directory-azure-ad/
Your organization has an Azure AD subscription that is associated with the directory TD-Siargao.
You have been tasked to implement a conditional access policy.
The policy must require the DevOps group to use multi-factor authentication and a hybrid Azure AD joined device when connecting to Azure AD from untrusted locations.
Solution: Go to the security option in Azure AD and configure MFA.
Does the solution meet the goal?
A. Yes
B. No
B. No
Explanation:
Azure Active Directory (Azure AD) enterprise identity service provides single sign-on and multi-factor authentication to help protect your users from 99.9 percent of cybersecurity attacks. The single sign-on is an authentication method that simplifies access to your apps from anywhere. While conditional access and multi-factor authentication help protect and govern access to your resources.
With conditional access, you can implement automated access-control decisions for accessing your cloud apps based on conditions. Conditional access policies are enforced after the first-factor authentication has been completed. It’s not intended to be a first-line defense against denial-of-service (DoS) attacks, but it uses signals from these events to determine access.
There are two types of access controls in a conditional access policy:
- Grant – grants or blocks access to resources, optionally requiring controls such as MFA or a particular device state.
- Session – enables limited experiences within specific cloud applications.
Going back to the scenario, the requirement is to enforce a policy on the members of the DevOps group that requires MFA and a hybrid Azure AD joined device when they connect to Azure AD from untrusted locations. The given solution is to configure MFA from the Security option in Azure AD (per-user MFA or security defaults). The question explicitly states “You have been tasked to implement a conditional access policy”, so you must create a conditional access policy and use its grant control. Per-user MFA also cannot be scoped to untrusted locations, and it has no option to require a hybrid Azure AD joined device.
Hence, the correct answer is: No.
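The policy all three items in this series describe, created with the Microsoft Graph PowerShell SDK, as an added example (not code from the original page or from Microsoft): DevOps group as the assignment, all locations except trusted ones as the condition, and a grant control that requires both MFA and a hybrid Azure AD joined device. It assumes the Microsoft.Graph module, an account holding Conditional Access Administrator or higher, that at least one named location is already marked trusted, and that the group name, policy name and break-glass account below are hypothetical placeholders.

```powershell
# Added example, not code from the original page. Assumes Microsoft.Graph and an
# account that can manage Conditional Access. Group, policy and account names are
# hypothetical.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All', 'User.Read.All' -NoWelcome

$devOpsGroup = Get-MgGroup -Filter "displayName eq 'DevOps'"
$breakGlass  = Get-MgUser  -Filter "userPrincipalName eq 'breakglass@tutorialsdojo.com'"

$policy = @{
    displayName   = 'CA-DevOps-MFA-HybridJoin-UntrustedLocations'
    # Report-only first: the sign-in logs then show who would have been blocked
    # before anyone actually is. Switch to 'enabled' after reviewing them.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{
            includeGroups = @($devOpsGroup.Id)
            excludeUsers  = @($breakGlass.Id)   # never lock out the emergency account
        }
        applications = @{ includeApplications = @('All') }
        # "Untrusted locations" = every location except those marked trusted.
        locations    = @{
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')
        }
    }
    # Grant control. operator 'AND' is the portal's "Require all the selected
    # controls"; 'domainJoinedDevice' is the API name for hybrid Azure AD joined.
    grantControls = @{
        operator        = 'AND'
        builtInControls = @('mfa', 'domainJoinedDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Check: read the policy back and confirm both controls and the AND operator landed.
# operator 'OR' here would let a hybrid-joined device skip MFA, which is not the requirement.
$readback = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
'{0}: {1} [{2}]' -f $readback.DisplayName, $readback.GrantControls.Operator, ($readback.GrantControls.BuiltInControls -join ', ')
```

There is no session-control equivalent of this block: the sessionControls object has no MFA or device-state members, which is the concrete reason the session-control variant of the question is answered No.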
References:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant
Check out this Azure Active Directory Cheat Sheet:
https://tutorialsdojo.com/azure-active-directory-azure-ad/
Your company plans to implement a hybrid Azure Active Directory that will include the following users:
[AZ104D-09 image: table of users Dev1 through Dev4 and the source of each account]
You have been assigned to modify the Department and UsageLocation attributes of the given users.
Which attributes can you modify from Azure AD?
Select the correct answer from the drop-down list of options. Each correct selection is worth one point.
- Department:
A. Dev2 and Dev3 only
B. Dev1 and Dev2 only
C. Dev1, Dev2 and Dev3
D. Dev1 only
- UsageLocation:
A. Dev2 and Dev3 only
B. Dev1 and Dev4 only
C. Dev1 only
D. Dev1, Dev2, Dev3, and Dev4
- B. Dev1 and Dev2 only
- D. Dev1, Dev2, Dev3, and Dev4
Explanation:
Azure Active Directory (Azure AD) is a multi-tenant, cloud-based identity and access management service. With hybrid identity, organizations that already run on-premises Active Directory synchronize their users to Azure AD (typically with Azure AD Connect), so the same account is used on-premises and in the cloud. Attributes of a synchronized user are mastered on-premises and flow one way into Azure AD.
To achieve a hybrid identity with Azure AD, one of three authentication methods can be used, depending on your scenarios. The three methods are:
- Password hash synchronization (PHS)
- Pass-through authentication (PTA)
- Federation (AD FS)
These authentication methods also provide single-sign-on capabilities. Single-sign on automatically signs your users in when they are on their corporate devices, connected to your corporate network.
Based on the given scenario, you need to modify the Department and UsageLocation attributes from Azure Active Directory. Once you encounter this kind of scenario, the most important info to look at is the source of the user.
There are three sources:
- Microsoft account
- Windows Server AD
- Azure AD
Keep in mind that the Job info attributes of a user (Department among them) cannot be modified in Azure AD when the user’s source is Windows Server AD; they are mastered on-premises, so you change them there and synchronization pushes the new value to Azure AD. UsageLocation, on the other hand, is a cloud-only Azure AD attribute (it determines which licenses can be assigned), so you can modify it for all users regardless of source.
Therefore, the correct answers are:
– Department = Dev1 and Dev2 only
– UsageLocation = Dev1, Dev2, Dev3, and Dev4
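The update applied with the source check built in, as an added Microsoft Graph PowerShell example (not code from the original page or from Microsoft): UsageLocation is written for every user, Department only where Azure AD is the authority, and synchronized users are reported so the change can be made in AD DS instead. It assumes the Microsoft.Graph.Users module, an account with User.ReadWrite.All, and that the UPNs, departments and country codes below are hypothetical.

```powershell
# Added example, not code from the original page. Assumes Microsoft.Graph.Users and
# an account granted User.ReadWrite.All. UPNs and values are hypothetical.

Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

$updates = @(
    @{ Upn = 'dev1@tutorialsdojo.com'; Department = 'Engineering'; UsageLocation = 'PH' }
    @{ Upn = 'dev2@tutorialsdojo.com'; Department = 'Engineering'; UsageLocation = 'PH' }
    @{ Upn = 'dev3@tutorialsdojo.com'; Department = 'Platform';    UsageLocation = 'SG' }
    @{ Upn = 'dev4@tutorialsdojo.com'; Department = 'Platform';    UsageLocation = 'SG' }
)

foreach ($u in $updates) {
    # OnPremisesSyncEnabled is only returned when explicitly selected; it is $true for
    # users whose source is Windows Server AD.
    $user = Get-MgUser -UserId $u.Upn -Property Id, UserPrincipalName, OnPremisesSyncEnabled, Department, UsageLocation

    # UsageLocation is cloud-only, so it is writable for every user.
    Update-MgUser -UserId $user.Id -UsageLocation $u.UsageLocation

    if ($user.OnPremisesSyncEnabled) {
        # Department is mastered on-premises for synced users. Graph rejects the write
        # ("Unable to update the specified properties for on-premises mastered Directory
        # Sync objects"), and even if it did not, the next sync cycle would overwrite it.
        Write-Warning "$($user.UserPrincipalName) is synced from Windows Server AD; set Department in AD DS (Set-ADUser -Department) instead."
    }
    else {
        Update-MgUser -UserId $user.Id -Department $u.Department
    }
}

# Check: read back what Azure AD holds now.
foreach ($u in $updates) {
    Get-MgUser -UserId $u.Upn -Property UserPrincipalName, OnPremisesSyncEnabled, Department, UsageLocation |
        Select-Object UserPrincipalName, OnPremisesSyncEnabled, Department, UsageLocation
}
```

The OnPremisesSyncEnabled check is the scripted form of “look at the source of the user”; it is what keeps the script from failing halfway through a batch.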
References:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join-hybrid
https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan
Check out this Azure Active Directory Cheat Sheet:
https://tutorialsdojo.com/azure-active-directory-azure-ad/
Your company created several Azure virtual machines and a file share in the subscription TD-Boracay. The VMs are all part of the same virtual network.
You have been assigned to manage the on-premises Hyper-V server replication to Azure.
To support the planned deployment, you will need to create additional resources in TD-Boracay.
Which of the following options should you create?
A. Hyper-V site
B. Azure Recovery Services Vault
C. Azure Storage Account
D. Replication Policy
E. Azure ExpressRoute
F. VNet Service Endpoint
A. Hyper-V site
B. Azure Recovery Services Vault
D. Replication Policy
Explanation:
Azure Virtual Machines is one of several types of on-demand, scalable computing resources that Azure offers. It gives you the flexibility of virtualization without having to buy and maintain the physical hardware that runs it. However, you still need to maintain the VM by performing tasks such as configuring, patching, and installing the software that runs on it.
Hyper-V is Microsoft’s hardware virtualization product. It lets you create and run a software version of a computer called a virtual machine. Each virtual machine acts like a complete computer, running an operating system and programs. Hyper-V runs each virtual machine in its own isolated space, which means you can run more than one virtual machine on the same hardware at the same time.
A Recovery Services vault is a management entity that stores recovery points created over time and provides an interface to perform backup-related operations.
A replication policy defines the settings for the retention history of recovery points. The policy also defines the frequency of app-consistent snapshots.
To set up disaster recovery of on-premises Hyper-V VMs to Azure, you should complete the following steps:
- Select your replication source and target – to prepare the infrastructure, you first create a Recovery Services vault. Once the vault exists, you choose the protection goal (on-premises to Azure, Hyper-V, not managed by VMM).
- Set up the source replication environment, including the on-premises Site Recovery components, and the target replication environment – to set up the source environment, you create a Hyper-V site and add to that site the Hyper-V hosts containing the VMs you want to replicate (each host gets the Site Recovery Provider and agent installed with the vault registration key). The target environment is the subscription and the resource group in which the Azure VMs will be created after failover.
- Create a replication policy.
- Enable replication for a VM.
Hence, the correct answers are:
– Hyper-V site
– Azure Recovery Services Vault
– Replication Policy
Azure Storage Account is incorrect because TD-Boracay already contains one: the existing file share lives in a storage account, and that account can serve as the replication target. Rather than creating another storage account, what is missing is the Hyper-V site.
Azure ExpressRoute is incorrect because this service is simply used to establish a private connection between your on-premises data center or corporate network to your Azure cloud infrastructure. It does not have the capability to replicate the Hyper-V server to Azure.
VNet Service Endpoint is incorrect because this option will only remove public internet access to resources and allow traffic only from your virtual network. Remember that the main requirement is to replicate the Hyper-V server to Azure. Therefore, this option wouldn’t satisfy the requirement.
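Creating the three resources the answer names with Azure PowerShell, as an added example (not code from the original page or from Microsoft): a vault, a Hyper-V site (an ASR “fabric”), and a replication policy that targets the storage account the file share already uses, with a job-wait helper because Site Recovery cmdlets return immediately with a job. It assumes the Az.RecoveryServices and Az.Storage modules, an existing Connect-AzAccount session, and that every name except TD-Boracay is a hypothetical placeholder. The host-side step (installing the Provider and agent on the Hyper-V host with the downloaded registration key) happens on the host and is not shown.

```powershell
# Added example, not code from the original page. Assumes Az.RecoveryServices,
# Az.Storage and an existing Connect-AzAccount session. All names other than
# TD-Boracay are hypothetical.

function Wait-AsrJob {
    # ASR cmdlets return an ASRJob right away; poll until it finishes and fail loudly
    # if it did not succeed, so a later step never runs against a half-created object.
    param([Parameter(Mandatory)] $Job)
    while ($Job.State -in @('NotStarted', 'InProgress')) {
        Start-Sleep -Seconds 10
        $Job = Get-AzRecoveryServicesAsrJob -Job $Job
    }
    if ($Job.State -ne 'Succeeded') { throw "ASR job '$($Job.DisplayName)' ended in state $($Job.State)" }
    return $Job
}

Set-AzContext -Subscription 'TD-Boracay' | Out-Null
$rgName   = 'rg-dr'
$location = 'southeastasia'

# 1. Recovery Services vault: the control plane and target for replication.
$vault = New-AzRecoveryServicesVault -Name 'rsv-boracay' -ResourceGroupName $rgName -Location $location
Set-AzRecoveryServicesAsrVaultContext -Vault $vault | Out-Null

# 2. Hyper-V site for hosts that are not managed by VMM.
Wait-AsrJob (New-AzRecoveryServicesAsrFabric -Name 'hyperv-site-manila' -Type HyperVSite) | Out-Null
$fabric = Get-AzRecoveryServicesAsrFabric -Name 'hyperv-site-manila'

# Registration key the Provider installer on each Hyper-V host needs (the on-prem step).
Get-AzRecoveryServicesVaultSettingsFile -Vault $vault -SiteRecovery `
    -SiteIdentifier $fabric.SiteIdentifier -SiteFriendlyName $fabric.FriendlyName -Path $env:TEMP

# 3. Replication policy: copy every 5 minutes, keep 24 hours of recovery points, take an
#    app-consistent snapshot every 4 hours, and replicate into the existing storage account.
$storage = Get-AzStorageAccount -ResourceGroupName $rgName -Name 'stboracayfiles'
Wait-AsrJob (New-AzRecoveryServicesAsrPolicy -Name 'hyperv-to-azure-5min' `
    -ReplicationProvider HyperVReplicaAzure -ReplicationFrequencyInSeconds 300 `
    -NumberOfRecoveryPointsToRetain 24 -ApplicationConsistentSnapshotFrequencyInHours 4 `
    -RecoveryAzureStorageAccountId $storage.Id) | Out-Null
$policy = Get-AzRecoveryServicesAsrPolicy -Name 'hyperv-to-azure-5min'

# After at least one host has registered with the site, its protection container
# exists; map the policy to it so VMs on that host can have replication enabled.
$container = Get-AzRecoveryServicesAsrProtectionContainer -Fabric $fabric
if ($container) {
    Wait-AsrJob (New-AzRecoveryServicesAsrProtectionContainerMapping -Name 'hyperv-site-to-azure' `
        -Policy $policy -PrimaryProtectionContainer $container) | Out-Null
}
else {
    Write-Warning 'No protection container yet: register a Hyper-V host with the site, then create the mapping.'
}
```

The registration key downloaded here is a credential for the vault; treat the file like one (short-lived, not committed to a repository, deleted from the host after the Provider is installed).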
References:
https://docs.microsoft.com/en-us/azure/site-recovery/tutorial-prepare-azure-for-hyperv
https://docs.microsoft.com/en-nz/azure/site-recovery/hyper-v-azure-tutorial
https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-technology-overview
Check out this Azure Virtual Machines Cheat Sheet:
https://tutorialsdojo.com/azure-virtual-machines/
You have been assigned to manage the following Azure resources:
[AZ104-D-11 image: table of the resources tdvm, tdsa, tdsub and tdmg with their types]
These resources are used by the analytics, development, and operations teams.
You need to track the resource consumption and prevent the deletion of resources.
Which resources can you apply tags and locks?
Select the correct answer from the drop-down list of options. Each correct selection is worth one point.
- Tags:
A. tdvm, tdsa, tdsub, and tdmg
B. tdvm, tdsa
C. tdvm, tdsa, tdsub
D. tdvm, tdsa, and tdmg
- Locks:
A. tdvm, tdsa, tdsub, and tdmg
B. tdvm, tdsa, tdsub
C. tdvm, tdsa, and tdmg
D. tdvm, tdsa
- C. tdvm, tdsa, tdsub
- B. tdvm, tdsa, tdsub
Explanation:
Tags are used to logically organize your Azure resources, resource groups, and subscriptions into a taxonomy. Each tag consists of a name and a value pair. For example, you can apply the name Environment and the value Production to all the resources in production. You can also use tags to categorize costs by runtime environment, such as the billing usage for VMs running in the production environment.
While locks are used to prevent other users in your organization from accidentally deleting or modifying critical resources. When you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources you add later inherit the lock from the parent.
The lock level can be set in two ways:
- CanNotDelete means authorized users can still read and modify a resource, but they can’t delete the resource.
- ReadOnly means authorized users can read a resource, but they can’t delete or update the resource.
Going back to the question, the analytics, development, and operations teams use the resources listed in the table. The task is to identify the resources to which you can apply tags and locks. As described above, tags can be applied to resources, resource groups, and subscriptions, and locks can be applied to those same scopes; neither can be applied to a management group. Azure management groups are containers that help you manage access, policy, and compliance across multiple subscriptions.
Therefore, the correct answers are:
– Tags = tdvm, tdsa, and tdsub
– Locks = tdvm, tdsa, and tdsub
References:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources
Check out these Azure Cheat Sheets:
https://tutorialsdojo.com/microsoft-azure-cheat-sheets/
Your company has five branch offices and an Azure Active Directory to centrally manage all identities and application access.
You have been tasked with granting permission to local administrators to manage users and groups within their scope.
What should you do?
A. Assign an Azure AD role.
B. Create an administrative unit.
C. Assign an Azure role.
D. Create management groups.
B. Create an administrative unit.
Explanation:
Azure Active Directory (Azure AD) is an enterprise identity service that provides single sign-on, multifactor authentication, and conditional access to guard against 99.9 percent of cybersecurity attacks. An administrative unit is an Azure AD resource that can be a container for other Azure AD resources. Take note that it can only contain users and groups. Also, in order to assign roles at resource scope, you need to have Azure AD Premium P1 or P2 licenses.
For more granular administrative control in Azure Active Directory (Azure AD), you can assign an Azure AD role with a scope limited to one or more administrative units.
Administrative units limit a role’s permissions to any portion of your organization that you define. You could, for example, use administrative units to delegate the Helpdesk Administrator role to regional support specialists, allowing them to manage users only in the region for which they are responsible.
Hence, the correct answer is: Create an administrative unit.
The option that says: Assign an Azure AD role is incorrect because if you assign an administrative role to a user who is not a member of an administrative unit, the scope of this role is the entire directory.
The option that says: Create a management group is incorrect because this is just a container to organize your resources and subscriptions. This option won’t help you grant permission to local administrators to manage users and groups.
The option that says: Assign an Azure role is incorrect because the requirement is to grant local administrators permission only in their respective offices. If you use an Azure role, the user will be able to manage other Azure resources. Therefore, you need to use administrative units so the administrators can only manage users in the region that they support.
References:
https://docs.microsoft.com/en-us/azure/active-directory/roles/admin-units-assign-roles
https://docs.microsoft.com/en-us/azure/active-directory/roles/administrative-units
Check out this Azure Active Directory Cheat Sheet:
https://tutorialsdojo.com/azure-active-directory-azure-ad/
Your company has a web app hosted in an Azure virtual machine.
You plan to create a backup of TD-VM1 but the backup pre-checks displayed a warning state.
What could be the reason?
A. The Recovery Services vault lock type is read-only.
B. The status of TD-VM1 is deallocated.
C. The TD-VM1 data disk is unattached.
D. The latest VM Agent is not installed in TD-VM1.
D. The latest VM Agent is not installed in TD-VM1.
Explanation:
Azure Virtual Machine is an image service instance that provides on-demand and scalable computing resources with usage-based pricing. More broadly, a virtual machine behaves like a server: it is a computer within a computer that provides the user the same experience they would have on the host operating system itself. To protect your data, you can use Azure Backup to create recovery points that can be stored in geo-redundant recovery vaults.
A Recovery Services vault is a management entity that stores recovery points created over time and provides an interface to perform backup-related operations. These operations include taking on-demand backups, performing restores, and creating backup policies.
Backup Pre-Checks, as the name implies, check the configuration of your VMs for issues that may affect backups and aggregate this information so that you can view it directly from the Recovery Services Vault dashboard. It also provides recommendations for corrective measures to ensure successful file-consistent or application-consistent backups, wherever applicable.
Backup Pre-Checks are performed as part of your Azure VMs’ scheduled backup operations and result in one of the following states:
– Passed: This state indicates that your VM’s configuration is conducive to successful backups and no corrective action needs to be taken.
– Warning: This state indicates one or more issues in the VM’s configuration that might lead to backup failures and provides recommended steps to ensure successful backups. Not having the latest VM Agent installed, for example, can cause backups to fail intermittently and falls in this class of issues.
– Critical: This state indicates one or more critical issues in the VM’s configuration that will lead to backup failures and provides required steps to ensure successful backups. A network issue caused by an update to the NSG rules of a VM, for example, will fail backups as it prevents the VM from communicating with the Azure Backup service and falls in this class of issues.
As stated above, the reason why backup pre-checks displayed a warning state is because of the VM agent. The Azure VM Agent for Windows is automatically upgraded on images deployed from the Azure Marketplace. As new VMs are deployed to Azure, they receive the latest VM agent at VM provision time.
If you have installed the agent manually or are deploying custom VM images, you will need to manually update the image to include the new VM agent at image creation time. To check for the Azure VM Agent on your machine, open Task Manager and look for a process named WindowsAzureGuestAgent.exe.
Hence, the correct answer is: The latest VM Agent is not installed in TD-VM1.
The option that says: The Recovery Services vault lock type is read-only is incorrect because you can’t create a backup at all if the configured lock type is read-only. If you attempt to back up a virtual machine with a resource lock, the operation is not performed and you are notified to remove the lock first.
The option that says: The TD-VM1 data disk is unattached is incorrect because you don’t need to attach a data disk to the virtual machine when creating a backup. To enable VM backup, you need to have a VM agent and Recovery Services vault.
The option that says: The status of TD-VM1 is deallocated is incorrect because you can still create a backup even if the status of your virtual machine is stopped (deallocated).
References:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-vms-prepare
https://azure.microsoft.com/en-us/blog/azure-vm-backup-pre-checks
https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/backup/backup-azure-manage-windows-server.md
Check out this Azure Virtual Machine Cheat Sheet:
https://tutorialsdojo.com/azure-virtual-machines/
Your organization has two web applications running in different environments:
az104-D-14 image
You have been tasked to monitor the performance of the applications using Azure Application Insights.
The operation should have minimal changes to the code.
What should you do?
Select the correct answer from the drop-down list of options. Each correct selection is worth one point.
- TDWebApp1
A. Install the Application Insights Agent
B. Install the Windows Azure VM Agent
C. Install the Application Insights SDK
D. Install the Azure Monitor Agent
- TDWebApp2
A. Install the Application Insights Agent
B. Install the Azure Monitor Agent
C. Install the Application Insights SDK
D. Install the Windows Azure VM Agent
- A. Install the Application Insights Agent
- A. Install the Application Insights Agent
Explanation:
Application Insights is a feature of Azure Monitor that provides extensible application performance management (APM) and monitoring for live web apps. It also supports a wide variety of platforms, including .NET, Node.js, Java, Python and works for apps hosted on-premises, hybrid, or on any public cloud.
There are two ways to enable application monitoring for hosted applications:
- Agent-based application monitoring (Application Insights Agent)
– This method is the easiest to enable: you only need to install the Application Insights Agent, and code changes or advanced configurations are not required.
- Manually instrumenting the application through code (Application Insights SDK)
– The alternative approach is to install the Application Insights SDK. This means that you have to manage the updates to the latest version of the packages yourself. The second method is recommended if you need to make custom API calls to track events/dependencies not captured by default with agent-based monitoring.
The main requirement in the scenario is to use Azure Application Insights to track the performance of the applications. But the condition is to implement it with minimal changes in the code. That is why the first approach satisfies the requirement since you only need to install the agent in the machine.
Therefore, the correct answers are:
– TDWebApp1 = Install the Application Insights Agent
– TDWebApp2 = Install the Application Insights Agent
The option that says: Install the Application Insights SDK is incorrect because, in order to implement this method, you will need to do some changes in the application code. Take note that the requirement is to implement monitoring with minor changes in the code.
The option that says: Install the Windows Azure VM Agent is incorrect because this won’t help you track the performance of the application. The VM agent is commonly used when you need to create a backup of the virtual machine. Therefore, this option is incorrect and won’t satisfy the requirement in the scenario.
The option that says: Install the Azure Monitor Agent is incorrect because it is already indicated in the scenario that you need to use Azure Application Insights to track the performance of the application. Also, the Azure Application Insights is a feature of Azure Monitor. Hence, this method is incorrect and will not meet the given requirement in the scenario.
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview
https://docs.microsoft.com/en-us/azure/azure-monitor/app/azure-web-apps
https://docs.microsoft.com/en-us/azure/azure-monitor/app/status-monitor-v2-overview
Check out these Azure Cheat Sheets:
https://tutorialsdojo.com/microsoft-azure-cheat-sheets/
Your company’s eCommerce website is deployed in an Azure virtual machine named TD-BGC.
You created a backup of the TD-BGC and implemented the following changes:
– Change the local admin password.
– Create and attach a new disk.
– Resize the virtual machine.
– Copy the log reports to the data disk.
You received an email that the admin restored TD-BGC using the Replace existing restore configuration.
Which of the following options should you perform to bring back the changes in TD-BGC?
A. Resize the virtual machine.
B. Create and attach a new disk.
C. Change the local admin password.
D. Copy the log reports to the data disk.
D. Copy the log reports to the data disk.
Explanation:
Azure Backup is a cost-effective, secure, one-click backup solution that’s scalable based on your backup storage needs. The centralized management interface makes it easy to define backup policies and protect a wide range of enterprise workloads, including Azure Virtual Machines, SQL and SAP databases, and Azure file shares.
Azure Backup provides several ways to restore a VM:
– Create a new VM – quickly creates and gets a basic VM up and running from a restore point.
– Restore disk – restores a VM disk, which can then be used to create a new VM.
– Replace existing – restores a disk and uses it to replace a disk on the existing VM.
– Cross-Region (secondary region) – restores Azure VMs in the secondary region, which is an Azure paired region.
The restore configuration that is given in the scenario is the replace existing option. Azure Backup takes a snapshot of the existing VM before replacing the disk, and stores it in the staging location you specify. The existing disks connected to the VM are replaced with the selected restore point.
The snapshot is copied to the vault, and retained in accordance with the retention policy. After the replace disk operation, the original disk is retained in the resource group. You can choose to manually delete the original disks if they aren’t needed.
Since the VM is restored from the backup data, the restored disk won’t have a copy of the log reports. To bring back the changes in the TD-BGC virtual machine, you will need to copy the log reports to the disk again.
Hence, the correct answer is: Copy the log reports to the data disk.
The option that says: Change the local admin password is incorrect because the new password will not be overridden with the old password using the restore VM option. Therefore, you can use the updated password to connect via RDP to the machine.
The option that says: Create and attach a new disk is incorrect because the new disk does not contain the log reports. Instead of creating a new disk, you should attach the existing data disk that contains the log reports.
The option that says: Resize the virtual machine is incorrect because the only changes that are retained after rolling back are the VM size and the account password.
References:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms
https://docs.microsoft.com/en-us/azure/backup/backup-azure-vms-first-look-arm
Check out these Azure Cheat Sheets:
https://tutorialsdojo.com/microsoft-azure-cheat-sheets/
Your company plans to store media assets in two Azure regions.
You are given the following requirements:
– Media assets must be stored in multiple availability zones.
– Media assets must be stored in multiple regions.
– Media assets must be readable in the primary and secondary regions.
Which of the following data redundancy options should you recommend?
A. Locally redundant storage
B. Zone-redundant storage
C. Read-access geo-redundant storage
D. Geo-redundant storage
C. Read-access geo-redundant storage
Explanation:
An Azure storage account contains all of your Azure Storage data objects: blobs, files, queues, tables, and disks. The storage account provides a unique namespace for your Azure Storage data that is accessible from anywhere in the world over HTTP or HTTPS. Data in your Azure storage account is durable and highly available, secure, and massively scalable.
Data in an Azure Storage account is always replicated three times in the primary region. Azure Storage offers four options for how your data is replicated:
– Locally redundant storage (LRS) copies your data synchronously three times within a single physical location in the primary region. LRS is the least expensive replication option but is not recommended for applications requiring high availability.
– Zone-redundant storage (ZRS) copies your data synchronously across three Azure availability zones in the primary region. It is recommended for applications requiring high availability.
– Geo-redundant storage (GRS) copies your data synchronously three times within a single physical location in the primary region using LRS. It then copies your data asynchronously to a single physical location in a secondary region that is hundreds of miles away from the primary region.
– Geo-zone-redundant storage (GZRS) copies your data synchronously across three Azure availability zones in the primary region using ZRS. It then copies your data asynchronously to a single physical location in the secondary region.
Take note that one of the requirements states that the media assets must be readable in the primary and secondary regions. With Geo-redundant storage, your media assets are stored in multiple availability zones and multiple regions, but read access to the secondary region is only available if you or Microsoft initiates a failover from the primary region to the secondary region.
In order to have read access in the primary and secondary region at all times without having the need to initiate a failover, you need to recommend Read-access geo-redundant storage.
Hence, the correct answer is: Read-access geo-redundant storage.
Locally redundant storage is incorrect because the media assets will only be stored in one physical location.
Zone-redundant storage is incorrect. It only satisfies one requirement which is to store the media assets in multiple availability zones. You still need to store your media assets in multiple regions which ZRS is unable to do.
Geo-redundant storage is incorrect because the requirement states that you need read access to the primary and secondary regions. With GRS, the data in the secondary region isn’t available for read access. You can only have read access in the secondary region if a failover from the primary region to the secondary region is initiated by you or Microsoft.
References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy
Check out this Azure Storage Overview Cheat Sheet:
https://tutorialsdojo.com/azure-storage-overview/
Locally Redundant Storage (LRS) vs Zone-Redundant Storage (ZRS) vs Geo-redundant storage (GRS):
https://tutorialsdojo.com/locally-redundant-storage-lrs-vs-zone-redundant-storage-zrs/
Tutorials Dojo has a subscription named TDSub1 that contains the following resources:
AZ104-D-17 image
TDVM1 needs to connect to a newly created virtual network named TDNET1 that is located in Japan West.
What should you do to connect TDVM1 to TDNET1?
Solution: You create a network interface in TD1 in the South East Asia region.
Does this meet the goal?
A. Yes
B. No
B. No
Explanation:
A network interface enables an Azure Virtual Machine to communicate with internet, Azure, and on-premises resources. When creating a virtual machine using the Azure portal, the portal creates one network interface with default settings for you.
You may instead choose to create network interfaces with custom settings and add one or more network interfaces to a virtual machine when you create it. You may also want to change default network interface settings for an existing network interface.
Remember these conditions and restrictions when it comes to network interfaces:
– A virtual machine can have multiple network interfaces attached but a network interface can only be attached to a single virtual machine.
– The network interface must be located in the same region and subscription as the virtual machine that it will be attached to.
– When you delete a virtual machine, the network interface attached to it will not be deleted.
– In order to detach a network interface from a virtual machine, you must shut down the virtual machine first.
– By default, the first network interface attached to a VM is the primary network interface. All other network interfaces in the VM are secondary network interfaces.
The solution proposed in the question is incorrect because the virtual network is not located in the same region as TDVM1. Take note that a virtual machine, virtual network and network interface must be in the same region or location.
You need to first redeploy TDVM1 from the South East Asia region to the Japan West region and then create a network interface in the Japan West region and attach it to TDVM1.
Hence, the correct answer is: No.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface
Check out this Azure Virtual Machine Cheat Sheet:
https://tutorialsdojo.com/azure-virtual-machines/
Note: This item is part of a series of questions with the exact same scenario but with a different proposed answer. Each one in the series has a unique solution that may, or may not, comply with the requirements specified in the scenario.
Tutorials Dojo has a subscription named TDSub1 that contains the following resources:
AZ104-D-17 image
TDVM1 needs to connect to a newly created virtual network named TDNET1 that is located in Japan West.
What should you do to connect TDVM1 to TDNET1?
Solution: You redeploy TDVM1 to the Japan West region and create a network interface in TD2 in the Japan West region.
Does this meet the goal?
A. Yes
B. No
A. Yes
Explanation:
A network interface enables an Azure Virtual Machine to communicate with internet, Azure, and on-premises resources. When creating a virtual machine using the Azure portal, the portal creates one network interface with default settings for you.
You may instead choose to create network interfaces with custom settings and add one or more network interfaces to a virtual machine when you create it. You may also want to change default network interface settings for an existing network interface.
Remember these conditions and restrictions when it comes to network interfaces:
– A virtual machine can have multiple network interfaces attached but a network interface can only be attached to a single virtual machine.
– The network interface must be located in the same region and subscription as the virtual machine that it will be attached to.
– When you delete a virtual machine, the network interface attached to it will not be deleted.
– In order to detach a network interface from a virtual machine, you must shut down the virtual machine first.
– By default, the first network interface attached to a VM is the primary network interface. All other network interfaces in the VM are secondary network interfaces.
Take note that resources inside a resource group can be of different regions. A resource group is only a logical grouping of resources so it does not matter if a resource group is located in a different region.
Each NIC attached to a VM must exist in the same location and subscription as the VM. Each NIC must be connected to a VNet that exists in the same Azure location and subscription as the NIC. You can’t change the virtual network.
Therefore, you will need to redeploy TDVM1 to the Japan West region and create and attach a network interface in the Japan West region.
Hence, the correct answer is: Yes.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface
Check out this Azure Virtual Machine Cheat Sheet:
https://tutorialsdojo.com/azure-virtual-machines/
Tutorials Dojo has a subscription named TDSub1 that contains the following resources:
AZ104-D-17 image
TDVM1 needs to connect to a newly created virtual network named TDNET1 that is located in Japan West.
What should you do to connect TDVM1 to TDNET1?
Solution: You create a network interface in TD1 in the Japan West region.
Does this meet the goal?
A. Yes
B. No
B. No
Explanation:
A network interface enables an Azure Virtual Machine to communicate with internet, Azure, and on-premises resources. When creating a virtual machine using the Azure portal, the portal creates one network interface with default settings for you.
You may instead choose to create network interfaces with custom settings and add one or more network interfaces to a virtual machine when you create it. You may also want to change default network interface settings for an existing network interface.
Remember these conditions and restrictions when it comes to network interfaces:
– A virtual machine can have multiple network interfaces attached but a network interface can only be attached to a single virtual machine.
– The network interface must be located in the same region and subscription as the virtual machine that it will be attached to.
– When you delete a virtual machine, the network interface attached to it will not be deleted.
– In order to detach a network interface from a virtual machine, you must shut down the virtual machine first.
– By default, the first network interface attached to a VM is the primary network interface. All other network interfaces in the VM are secondary network interfaces.
Take note that each NIC attached to a VM must exist in the same location and subscription as the VM. Each NIC must be connected to a VNet that exists in the same Azure location and subscription as the NIC. You can’t change the virtual network of an existing NIC.
Since TDNET1 is located in a different region from TDVM1, you will need to redeploy TDVM1 to the Japan West region and then create a network interface in the Japan West region and attach it to TDVM1.
Hence, the correct answer is: No.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface
Check out this Azure Virtual Machine Cheat Sheet:
https://tutorialsdojo.com/azure-virtual-machines/
You have an Azure subscription named Davao-Subscription1.
You have the following public load balancers deployed in Davao-Subscription1.
AZ104-D-20 image
You provisioned two groups of virtual machines containing 5 virtual machines each, where the traffic must be load balanced to ensure that it is evenly distributed.
Which of the following health probe protocols is not available for TD2?
A. HTTP
B. HTTPS
C. TCP
D. RDP
B. HTTPS
Explanation:
Azure Load Balancer provides a higher level of availability and scale by spreading incoming requests across virtual machines (VMs). A private load balancer distributes traffic to resources that are inside a virtual network. Azure restricts access to the frontend IP addresses of a virtual network that is load balanced. Front-end IP addresses and virtual networks are never directly exposed to an internet endpoint. Internal line-of-business applications run in Azure and are accessed from within Azure or from on-premises resources.
Remember that although cheaper, load balancers with the Basic SKU have limited features compared to a Standard load balancer. Basic load balancers are only useful for testing in development environments; for production workloads, you need to upgrade your Basic load balancer to a Standard load balancer to fully utilize the features of Azure Load Balancer.
Take note that the health probes of a Basic load balancer support only the HTTP and TCP protocols.
Hence, the correct answer is: HTTPS.
HTTP and TCP are incorrect because these are protocols supported by the health probes of a Basic load balancer.
RDP is incorrect because this protocol is not supported as a health probe protocol by Azure Load Balancer.
References:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
https://docs.microsoft.com/en-us/azure/load-balancer/skus
Check out this Azure Load Balancer Cheat Sheet:
https://tutorialsdojo.com/azure-load-balancer/