Step into the academic realm with vigor, powered by the unmatched acumen of the AZ-104 dumps. Precisely tailored to resonate with the specific benchmarks of the syllabus, the AZ-104 dumps encompass a vast array of practice questions, nurturing deep-rooted mastery. Whether it\’s the refined consistency of PDFs or the interactive terrains of the VCE format that catch your attention, the AZ-104 dumps cater to every nuanced preference. A comprehensive study guide, integral to the AZ-104 dumps, provides depth, underlining essential concepts. Rooted in our conviction about the efficacy of our tools, we confidently extend our 100% Pass Guarantee.
[Updated Compilation] Guarantee 100% pass rate with the free AZ-104 PDF and Exam Questions download
Question 1:
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while
others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named Developers. Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Dev, you assign the Logic App Contributor role to the Developers group.
Does this meet the goal?
A. Yes
B. No
Correct Answer: A
The Logic App Contributor role lets you manage logic app, but not access to them. It provides access to view, edit, and update a logic app.
References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app
Question 2:
HOTSPOT
You have an Azure subscription that contains the virtual machines shown in the following table.
VM1 and VM2 use public IP addresses. From Windows Server 2019 on VM1 and VM2, you allow inbound Remote Desktop connections.
Subnet1 and Subnet2 are in a virtual network named VNET1.
The subscription contains two network security groups (NSGs) named NSG1 and NSG2. NSG1 uses only the default rules. NSG2 uses the default rules and the following custom incoming rule:
1.
Priority: 100
2.
Name: Rule1
3.
Port: 3389
4.
Protocol: TCP
5.
Source: Any
6.
Destination: Any
7.
Action: Allow
NSG1 connects to Subnet1. NSG2 connects to the network interface of VM2. For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: No
The default port for RDP is TCP port 3389. A rule to permit RDP traffic must be created automatically when you create your VM.
Box 2: Yes
NSG2 will allow this.
Box 3: Yes
NSG2 will allow this.
Note on NSG-Subnet1: Azure routes network traffic between all subnets in a virtual network, by default.
References:
https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdp- connection
Question 3:
A web developer creates a web application that you plan to deploy as an Azure web app. Users must enter credentials to access the web application.
You create a new web app named WebApp1 and deploy the web application to WebApp1.
You need to disable anonymous access to WebApp1.
What should you configure?
A. Access control (IAM)
B. Advanced Tools
C. Deployment credentials
D. Authentication/Authorization
Correct Answer: D
Anonymous access is an authentication method. It allows users to establish an anonymous connection.
References: https://docs.microsoft.com/en-us/biztalk/core/guidelines-for-resolving-iis-permissions-problems
Question 4:
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while
others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company registers a domain name of contoso.com.
You create an Azure DNS zone named contoso.com, and then you add an A record to the zone for a host named www that has an IP address of 131.107.1.10.
You discover that Internet hosts are unable to resolve www.contoso.com to the 131.107.1.10 IP address.
You need to resolve the name resolution issue.
Solution: You add an NS record to the contoso.com Azure DNS zone.
Does this meet the goal?
A. Yes
B. No
Correct Answer: B
Before you can delegate your DNS zone to Azure DNS, you need to know the name servers for your zone.
The NS record set contains the names of the Azure DNS name servers assigned to the zone.
References:
https://docs.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns
Question 5:
HOTSPOT
You plan to deploy 20 Azure virtual machines by using an Azure Resource Manager template. The virtual machines will run the latest version of Windows Server 2016 Datacenter by using an Azure Marketplace image.
You need to complete the storageProfile section of the template. How should you complete the storageProfile section? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
..
“storageProfile”: {
“imageReference”: {
“publisher”: “MicrosoftWindowsServer”,
“offer”: “WindowsServer”,
“sku”: “2016-Datacenter”,
“version”: “latest”
},
…
References:
https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/createorupdate
Question 6:
You have an Azure subscription that contains the following resources:
1.
100 Azure virtual machines
2.
20 Azure SQL databases
3.
50 Azure file shares
You need to create a daily backup of all the resources by using Azure Backup.
What is the minimum number of backup policies that you must create?
A. 1
B. 2
C. 3
D. 150
E. 170
Correct Answer: C
There is a limit of 100 VMs that can be associated to the same backup policy from portal. We recommend that for more than 100 VMs, create multiple backup policies with same schedule or different schedule.
One policy for VMS, one for SQL databases, and one for the file shares.
References:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-vm-backup-faq
Question 7:
You have the Azure virtual network named VNet1 that contains a subnet named Subnet1. Subnet1 contains three Azure virtual machines. Each virtual machine has a public IP address.
The virtual machines host several applications that are accessible over port 443 to users on the Internet.
Your on-premises network has a site-to-site VPN connection to VNet1.
You discover that the virtual machines can be accessed by using the Remote Desktop Protocol (RDP) from the Internet and from the on-premises network.
You need to prevent RDP access to the virtual machines from the Internet, unless the RDP connection is established from the on-premises network. The solution must ensure that all the applications can still be accessed by the Internet users.
What should you do?
A. Modify the address space of the local network gateway.
B. Remove the public IP addresses from the virtual machines.
C. Modify the address space of Subnet1.
D. Create a deny rule in a network security group (NSG) that is linked to Subnet1.
Correct Answer: D
You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. You can use a site-to-site VPN to connect your on-premises network to an Azure virtual network. Users on your on-premises network connect by using the RDP or SSH protocol over the site-to-site VPN connection. You don\’t have to allow direct RDP or SSH access over the internet. And this can be achieved by configuring a deny rule in a network security group (NSG) that is linked to Subnet1 for RDP / SSH protocol coming from internet.
Modify the address space of Subnet1 : Incorrect choice Modifying the address space of Subnet1 will have no impact on RDP traffic flow to the virtual network. Modify the address space of the local network gateway : Incorrect choice Modifying the address space of the local network gateway will have no impact on RDP traffic flow to the virtual network. Remove the public IP addresses from the virtual machines : Incorrect choice If you remove the public IP addresses from the virtual machines, none of the applications be accessible publicly by the Internet users.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices
Question 8:
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while
others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:
User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.
You need to create new user accounts in external.contoso.onmicrosoft.com.
Solution: You instruct User3 to create the user accounts.
Does that meet the goal?
A. Yes
B. No
Correct Answer: B
Only a global administrator can add users to this tenant.
References:
https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/add-users-to-azure-ad
Question 9:
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while
others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You deploy an Azure Kubernetes Service (AKS) cluster named AKS1.
You need to deploy a YAML file to AKS1.
Solution: From Azure Cloud Shell, you run the kubectl client.
Does this meet the goal?
A. Yes
B. No
Correct Answer: A
Reference: https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough
Question 10:
You have a virtual network named VNet1 as shown in the exhibit. (Click the Exhibit tab.)
No devices are connected to VNet1.
You plan to peer VNet1 to another virtual network named VNet2. VNet2 has an address space of 10.2.0.0/16.
You need to create the peering.
What should you do first?
A. Modify the address space of VNet1.
B. Add a gateway subnet to VNet1.
C. Create a subnet on VNet1 and VNet2.
D. Configure a service endpoint on VNet2.
Correct Answer: A
The virtual networks you peer must have non-overlapping IP address spaces. The exhibit indicates that VNet1 has an address space of 10.2.0.0/16, which is the same as VNet2, and thus overlaps. We need to change the address space for VNet1.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-constraints https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq
Question 11:
You have an Azure subscription that contains a virtual machine named VM1.
You plan to deploy an Azure Monitor alert rule that will trigger an alert when CPU usage on VM1 exceeds 80 percent.
You need to ensure that the alert rule sends an email message to two users named User1 and User2.
What should you create for Azure Monitor?
A. an action group
B. a mail-enabled security group
C. a distribution group
D. a Microsoft 365 group
Correct Answer: A
“Alerts consist of:
-Action groups
-Alert conditions
-User response
-Alert processing rules” https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-overview
Question 12:
HOTSPOT
You have an Azure subscription that contains the file shares shown in the following table.
You have the on-premises file shares shown in the following table.
You create an Azure file sync group named Sync1 and perform the following actions:
1.
Add share1 as the cloud endpoint for Sync1.
2.
Add data1 as a server endpoint for Sync1.
3.
Register Server1 and Server2 to Sync1.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: No
A sync group must contain one cloud endpoint, which represents an Azure file share and one or more server endpoints.
Box 2: Yes
Data2 is located on Server2 which is registered to Sync1.
Box 3: No
Data3 is located on Server3 which is not registered to Sync1.
Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide?tabs=azure-portal%2Cproactive-portal#create-a-sync-group-and-a-cloud-endpoint
Question 13:
HOTSPOT
You have an Azure subscription that contains a user named User1 and a storage account named storage1. The storage1 account contains the resources shown in the following table.
User1 is assigned the following roles for storage1:
1.
Storage Blob Data Reader
2.
Storage Table Data Contributor
3.
Storage File Data SMB Share Contributor
For storage1, you create a shared access signature (SAS) named SAS1 that has the settings shown in the following exhibit. (Click the Exhibit tab.)
To which resources can User1 write by using SAS1 and key1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: folder1 and Table1 only With key1.
User1 is assigned the following roles for storage1: Storage Blob Data Reader Storage Table Data Contributor Storage File Data SMB Share Contributor
*
Storage Table Data Contributor Allows for read, write and delete access to Azure Storage tables and entities Can write to Table1
*
Storage File Data SMB Share Contributor Allows for read, write, and delete access on files and directories in Azure file shares. Can write to folder1
Box 2: Table1 and container1 only
With SAS1.
For key1 we see:
Allowed services: Table only. Not File, so not folder1.
Allowed resource types: Service, Container, Object.
Allowed permissions: Read, write, etc.
Note: How a shared access signature works
A shared access signature is a signed URI that points to one or more storage resources. The URI includes a token that contains a special set of query parameters. The token indicates how the resources may be accessed by the client. One of
the query parameters, the signature, is constructed from the SAS parameters and signed with the key that was used to create the SAS. This signature is used by Azure Storage to authorize access to the storage resource.
Reference:
https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions
Question 14:
HOTSPOT
You have an Azure subscription that contains a virtual network named VNET1 in the East US 2 region. A network interface named VM1-NI is connected to VNET1.
You successfully deploy the following Azure Resource Manager template.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE:Eachcorrectselectionisworthonepoint.
Hot Area:
Correct Answer:
Question 15:
HOTSPOT
You have an Azure Subscription named Subcription1.has Subcription1 contains the virtual machines in the following table.
Subcription1 contains the virtual machines in the following table.
VM3 has multiple network, including a network adapter named NIC3, IP forwarding is enabled on NIC3. Routing is enabled on VM3. You create a route table named RT1 that contains the routes in the following table.
You apply RT1 to subnet1 and Sybnet2.
For each of the following statements, select Yes if the statements is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
IP forwarding enables the virtual machine a network interface is attached to:
1.
Receive network traffic not destined for one of the IP addresses assigned to any of the IP configurations assigned to the network interface.
2.
Send network traffic with a different source IP address than the one assigned to one of a network interface\’s IP configurations.
The setting must be enabled for every network interface that is attached to the virtual machine that receives traffic that the virtual machine needs to forward. A virtual machine can forward traffic whether it has multiple network interfaces or a
single network interface attached to it.
Box 1: Yes
The routing table allows connections from VM3 to VM1 and VM2. And as IP forwarding is enabled on VM3, VM3 can connect to VM1.
Box 2: No
VM3, which has IP forwarding, must be turned on, in order for VM2 to connect to VM1.
Box 3: Yes
The routing table allows connections from VM1 and VM2 to VM3. IP forwarding on VM3 allows VM1 to connect to VM2 via VM3.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview https://www.quora.com/What-is-IP-forwarding