Microsoft Microsoft Certifications AZ-104 Questions & Answers

• Question 161:

  Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

  After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

  You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:

  

  User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.

  You need to create new user accounts in external.contoso.onmicrosoft.com.

  Solution: You instruct User2 to create the user accounts.

  Does that meet the goal?

  A. Yes

  B. No

  Correct Answer: B

  A Global Administrator from one Azure AD tenant cannot create new users in another Azure AD tenant, even if they have Global Administrator privileges. Each Azure AD tenant is an isolated directory with its own set of users, resources, and administrative controls.

• Question 162:

  You have a hybrid infrastructure that contains an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com. The tenant contains the users shown in the following table.

  

  You plan to share a cloud resource to the All Users group. You need to ensure that User1, User2, User3, and User4 can connect successfully to the cloud resource.

  What should you do first?

  A. Create a user account of the member type for User4.

  B. Create a user account of the member type for User3.

  C. Modify the Directory-wide Groups settings.

  D. Modify the External collaboration settings.

  Correct Answer: C

  Ensure that "Enable an 'All Users' group in the directory" policy is set to "Yes" in your Azure Active Directory (AD) settings in order to enable the "All Users" group for centralized access administration. This group represents the entire

  collection of the Active Directory users, including guests and external users, that you can use to make the access permissions easier to manage within your directory.

  Incorrect Answers:

  A, B: User3 and User4 are guests already.

  Note: By default, all users and guests in your directory can invite guests even if they're not assigned to an admin role. External collaboration settings let you turn guest invitations on or off for different types of users in your organization. You

  can also delegate invitations to individual users by assigning roles that allow them to invite guests.

  References:

  https://www.cloudconformity.com/knowledge-base/azure/ActiveDirectory/enable-all-users- group.html

• Question 163:

  You have an Azure Active Directory (Azure AD) tenant named contoso.com. Multi-factor authentication (MFA) is enabled for all users.

  You need to provide users with the ability to bypass MFA for 10 days on devices to which they have successfully signed in by using MFA.

  What should you do?

  A. From the multi-factor authentication page, configure the users' settings.

  B. From Azure AD, create a conditional access policy.

  C. From the multi-factor authentication page, configure the service settings.

  D. From the MFA blade in Azure AD, configure the MFA Server settings.

  Correct Answer: C

  Enable remember Multi-Factor Authentication

  1.

  Sign in to the Azure portal.

  2.

  On the left, select Azure Active Directory>; Users.

  3.

  Select Multi-Factor Authentication.

  4.

  Under Multi-Factor Authentication, select service settings.

  5.

  On the Service Settings page, manage remember multi-factor authentication, select the Allow users to remember multi-factor authentication on devices they trust option.

  6.

  Set the number of days to allow trusted devices to bypass two-step verification. The default is 14 days.

  7.

  Select Save.

  References: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings

• Question 164:

  You have an Azure subscription that contains the resources shown in the following table.

  

  VM1 and VM2 run a website that is configured as shown in the following table.

  

  LB1 is configured to balance requests to VM1 and VM2.

  You configure a health probe as shown in the exhibit. (Click the Exhibit tab.)

  

  You need to ensure that the health probe functions correctly. What should you do?

  A. On LB1, change the Unhealthy threshold to 65536.

  B. On LB1, change the port to 8080.

  C. On VM1 and VM2, create a file named Probe1.htm in the C:\intepub\wwwroot\Temp folder.

  D. On VM1 and VM2, create a file named Probe1.htm in the C:\intepub\wwwroot\SiteA\Temp folder.

  Correct Answer: D

  Load balancing provides a higher level of availability and scale by spreading incoming requests across virtual machines (VMs). You can use the Azure portal to create a Standard load balancer and balance internal traffic among VMs. To load

  balance successfully between VM1 and VM2 you have to place the html file in the path mentioned in the Probe1 configuration.

  References:

  https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-standard-internal- portal

• Question 165:

  You have a Microsoft 365 tenant and an Azure Active Directory (Azure AD) tenant named contoso.com.

  You plan to grant three users named User1, User2, and User3 access to a temporary Microsoft SharePoint document library named Library1.

  You need to create groups for the users. The solution must ensure that the groups are deleted automatically after 180 days.

  Which two groups should you create? Each correct answer presents a complete solution.

  NOTE: Each correct selection is worth one point.

  A. a Security group that uses the Assigned membership type

  B. an Office 365 group that uses the Assigned membership type

  C. an Office 365 group that uses the Dynamic User membership type

  D. a Security group that uses the Dynamic User membership type

  E. a Security group that uses the Dynamic Device membership type

  Correct Answer: BC

  You can set expiration policy only for Office 365 groups in Azure Active Directory (Azure AD). Note: With the increase in usage of Office 365 Groups, administrators and users need a way to clean up unused groups. Expiration policies can

  help remove inactive groups from the system and make things cleaner.

  When a group expires, all of its associated services (the mailbox, Planner, SharePoint site, etc.) are also deleted.

  You can set up a rule for dynamic membership on security groups or Office 365 groups.

  Incorrect Answers:

  A, D, E: You can set expiration policy only for Office 365 groups in Azure Active Directory (Azure AD).

  References:

  https://docs.microsoft.com/en-us/office365/admin/create-groups/office-365-groups-expiration- policy?view=o365-worldwide

• Question 166:

  Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

  After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

  You have an Azure subscription that contains the following resources:

  1.

  A virtual network that has a subnet named Subnet1

  2.

  Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1

  3.

  A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections

  NSG-Subnet1 has the default inbound security rules only.

  NSG-VM1 has the default inbound security rules and the following custom inbound security rule:

  1.

  Priority: 100

  2.

  Source: Any

  3.

  Source port range: *

  4.

  Destination: *

  5.

  Destination port range: 3389

  6.

  Protocol: UDP

  7.

  Action: Allow

  VM1 has a public IP address and is connected to Subnet1. NSG-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to Subnet1.

  You need to be able to establish Remote Desktop connections from the internet to VM1.

  Solution: You add an inbound security rule to NSG-Subnet1 and NSG-VM1 that allows connections from the internet source to the VirtualNetwork destination for port range 3389 and uses the TCP protocol.

  Does this meet the goal?

  A. Yes

  B. No

  Correct Answer: A

  The default port for RDP is TCP port 3389. A rule to permit RDP traffic must be created automatically when you create your VM.

  Note on NSG-Subnet1: Azure routes network traffic between all subnets in a virtual network, by default.

  References:

  https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdp- connection

• Question 167:

  You create an Azure VM named VM1 that runs Windows Server 2019. VM1 is configured as shown in the exhibit. (Click the Exhibit tab.)

  

  You need to enable Desired State Configuration for VM1.

  What should you do first?

  A. Configure a DNS name for VM1.

  B. Start VM1.

  C. Connect to VM1.

  D. Capture a snapshot of VM1.

  Correct Answer: B

  Status is Stopped (Deallocated).

  The DSC extension for Windows requires that the target virtual machine is able to communicate with Azure.

  The VM needs to be started.

  References:

  https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-windows

• Question 168:

  Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might

  have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure subscription that contains the following resources:

  1.

  A virtual network that has a subnet named Subnet1

  2.

  Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1

  3.

  A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections

  4.

  NSG-Subnet1 has the default inbound security rules only.

  NSG-VM1 has the default inbound security rules and the following custom inbound security rule:

  1.

  Priority: 100

  2.

  Source: Any

  3.

  Source port range: *

  4.

  Destination: *

  5.

  Destination port range: 3389

  6.

  Protocol: UDP

  7.

  Action: Allow

  VM1 connects to Subnet1. NSG1-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to Subnet1. You need to be able to establish Remote Desktop connections from the internet to VM1.

  Solution: You modify the custom rule for NSG-VM1 to use the internet as a source and TCP as a protocol. Does this meet the goal?

  A. Yes

  B. No

  Correct Answer: B

  NSGs deny all inbound traffic except from virtual network or load balancers. For inbound traffic, Azure processes the rules in a network security group associated to a subnet first, and then the rules in a network security group associated to the network interface. By default NSG rule to allow traffic through RDP port 3389 is not created automatically during the creation of VM , unless you change the setting during creation. Subnets usually do not have any NSG associated unless you go out of the way to do so, which this scenario does. when you create that extra NSG, it won't have an RDP rule by default, thus blocking inbound connections. Request first goes to NSG -subnet1 and as there is no allow rule for RDP so it will block the request by default.Since the Subnet NSG (the one with the default rules) is evaluated first, it blocks the inbound RDP connection. References: https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdp- connection https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#default-security-rules

• Question 169:

  Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

  After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

  You have an Azure subscription that contains the following resources:

  1.

  A virtual network that has a subnet named Subnet1

  2.

  Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1

  3.

  A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections

  NSG-Subnet1 has the default inbound security rules only.

  NSG-VM1 has the default inbound security rules and the following custom inbound security rule:

  1.

  Priority: 100

  2.

  Source: Any

  3.

  Source port range: *

  4.

  Destination: *

  5.

  Destination port range: 3389

  6.

  Protocol: UDP

  7.

  Action: Allow

  VM1 has a public IP address and is connected to Subnet1. NSG-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to Subnet1.

  You need to be able to establish Remote Desktop connections from the internet to VM1.

  Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the Any source to the *destination for port range 3389 and uses the TCP protocol. You remove NSG-VM1 from the network interface of VM1.

  Does this meet the goal?

  A. Yes

  B. No

  Correct Answer: A

  The default port for RDP is TCP port 3389. A rule to permit RDP traffic must be created automatically when you create your VM.

  Note on NSG-Subnet1: Azure routes network traffic between all subnets in a virtual network, by default.

  References:

  https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdp- connection

• Question 170:

  You have an Azure subscription named Subscription1 that contains the resources shown in the following table.

  

  You create virtual machines in Subscription1 as shown in the following table.

  

  You plan to use Vault1 for the backup of as many virtual machines as possible.

  Which virtual machines can be backed up to Vault1?

  A. VM1, VM3, VMA, and VMC only

  B. VM1 and VM3 only

  C. VM1, VM2, VM3, VMA, VMB, and VMC

  D. VM1 only

  E. VM3 and VMC only

  Correct Answer: A

  To create a vault to protect virtual machines, the vault must be in the same region as the virtual machines. If you have virtual machines in several regions, create a Recovery Services vault in each region

  References: https://docs.microsoft.com/bs-cyrl-ba/azure/backup/backup-create-rs-vault