Microsoft Microsoft Certifications AZ-104 Questions & Answers

• Question 181:

  You have an Azure Active Directory (Azure AD) tenant named contoso.com that is synced to an Active Directory domain. The tenant contains the users shown in the following table.

  

  The users have the attribute shown in the following table.

  

  You need to ensure that you can enable Azure Multi-Factor Authentication (MFA) for all four users. Solution: You add a mobile phone number for User2 and User4. Does this meet the Goal?

  A. Yes

  B. No

  Correct Answer: B

  User3 requires a user account in Azure AD.

  Note: Your Azure AD password is considered an authentication method. It is the one method that cannot be disabled.

  References:

  https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication- methods

• Question 182:

  You have an Azure subscription named Subscription1.

  You have 5 TB of data that you need to transfer to Subscription1.

  You plan to use an Azure Import/Export job.

  What can you use as the destination of the imported data?

  A. Azure SQL Database

  B. Azure File Storage

  C. An Azure Cosmos DB database

  D. The Azure File Sync Storage Sync Service

  E. Azure Data Factory

  F. A virtual machine

  Correct Answer: B

  Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to an Azure datacenter.

  References: https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-service

• Question 183:

  You have an Azure Active Directory (Azure AD) tenant named adatum.com that contains the users shown in the following table.

  

  Adatum.com has the following configurations:

  1.

  Users may join devices to Azure AD is set to User1.

  2.

  Additional local administrators on Azure AD joined devices is set to None.

  You deploy Windows 10 to a computer named Computer1. User1 joins Computer1 to adatum.com.

  You need to identify the local Administrator group membership on Computer1.

  Which users are members of the local Administrators group?

  A. User1 only

  B. User1, User2, and User3 only

  C. User1 and User2 only

  D. User1, User2, User3, and User4

  E. User2 only

  Correct Answer: C

  Users may join devices to Azure AD - This setting enables you to select the users who can register their devices as Azure AD joined devices. The default is All. Additional local administrators on Azure AD joined devices - You can select the users that are granted local administrator rights on a device. Users added here are added to the Device Administrators role in Azure AD. Global administrators, here User2, in Azure AD and device owners are granted local administrator rights by default.

  References: https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal

• Question 184:

  You download an Azure Resource Manager template based on an existing virtual machine. The template will be used to deploy 100 virtual machines.

  You need to modify the template to reference an administrative password. You must prevent the password from being stored in plain text.

  What should you create to store the password?

  A. Azure Active Directory (AD) Identity Protection and an Azure policy

  B. a Recovery Services vault and a backup policy

  C. an Azure Key Vault and an access policy

  D. an Azure Storage account and an access policy

  Correct Answer: C

  You can use a template that allows you to deploy a simple Windows VM by retrieving the password that is stored in a Key Vault. Therefore the password is never put in plain text in the template parameter file.

  Azure Key Vault is a cloud service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. When deploying resources through Azure Resource Manager templates, it's a best practice to store sensitive

  data like administrative passwords in Azure Key Vault rather than in the template itself. By referencing the Azure Key Vault in the ARM template, the password can be fetched securely during deployment.

  The access policy in Azure Key Vault defines what operations can be done on the secrets (like read or write) and who can perform these operations.

  Thus, the best way to securely store and reference an administrative password in an Azure Resource Manager template is by using Azure Key Vault and setting an appropriate access policy.

  References:

  https://azure.microsoft.com/en-us/resources/templates/101-vm-secure-password/

• Question 185:

  You create an Azure subscription named Subscription1 and an associated Azure Active Directory (Azure AD) tenant named Tenant1. Tenant1 contains the users in the following table.

  

  You need to add an Azure AD Privileged Identity Management application to Tenant1. Which account can you use?

  A. [email protected]

  B. [email protected]

  C. [email protected]

  D. [email protected]

  Correct Answer: B

  For Azure AD roles in Privileged Identity Management, only a user who is in the Privileged role administrator or Global administrator role can manage assignments for other administrators. You can grant access to other administrators to manage Privileged Identity Management. Global Administrators, Security Administrators, Global readers, and Security Readers can also view assignments to Azure AD roles in Privileged Identity Management. Only owner can create an subscription and only global administrator can perform Privileged Identity Management changes. So you can create subscription with external user and then promote him to global administrator to get things done. As it is mentioned as it is associated with azure tenant so that tenant has an AD domain. So in azure AD the default domain ends with onmicrosoft.com. So you can't have Hotmail IDs there. Moreover always remember the principle of least privileges, when you can get your job done with Global Administrator then you should not look for owner for security purpose. [email protected] : Correct Choice As Admin1 is Global Administrator and part of default AD domain so Admin1 can add an Azure AD Privileged Identity Management application to Tenant1 [email protected] : Incorrect Choice As per the above explanation Admin3 is not Global Administrator, so this option is incorrect. [email protected] : Incorrect Choice As per the above explanation Admin2 is not Global Administrator, so this option is incorrect. [email protected] : Incorrect Choice Although this user is Global Administrator but referring to the least privileges principal and default domain consideration this option is incorrect.

  References: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-getting-started https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance

• Question 186:

  You have an Azure subscription that contains a web app named webapp1. You need to add a custom domain named www.contoso.com to webapp1. What should you do first?

  A. Upload a certificate.

  B. Add a connection string.

  C. Stop webapp1.

  D. Create a DNS record.

  Correct Answer: D

  You can use either a CNAME record or an A record to map a custom DNS name to App Service.

  Reference: https://docs.microsoft.com/en-us/Azure/app-service/app-service-web-tutorial-custom-domain

• Question 187:

  You create an App Service plan named App1 and an Azure web app named webapp1.

  You discover that the option to create a staging slot is unavailable. You need to create a staging slot for App1.

  What should you do first?

  A. From webapp1, modify the Application settings.

  B. From webapp1, add a custom domain.

  C. From App1, scale up the App Service plan.

  D. From App1, scale out the App Service plan.

  Correct Answer: C

  The app must be running in the Standard, Premium, or Isolated tier in order for you to enable multiple deployment slots.

  If the app isn't already in the Standard, Premium, or Isolated tier, you receive a message that indicates the supported tiers for enabling staged publishing. At this point, you have the option to select Upgrade and go to the Scale tab of your app

  before continuing.

  Scale up: Get more CPU, memory, disk space, and extra features like dedicated virtual machines (VMs), custom domains and certificates, staging slots, autoscaling, and more.

  Incorrect:

  Scale out: Increase the number of VM instances that run your app. You can scale out to as many as 30 instances

  Reference:

  https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots

  https://docs.microsoft.com/en-us/azure/app-service/manage-scale-up

• Question 188:

  You have two Azure virtual machines named VM1 and VM2. You have two Recovery Services vaults named RSV1 and RSV2.

  VM2 is protected by RSV1.

  You need to use RSV2 to protect VM2.

  What should you do first?

  A. From the RSV1 blade, click Backup items and stop the VM2 backup.

  B. From the RSV1 blade, click Backup Jobs and export the VM2 backup.

  C. From the RSV1 blade, click Backup. From the Backup blade, select the backup for the virtual machine, and then click Backup.

  D. From the VM2 blade, click Disaster recovery, click Replication settings, and then select RSV2 as the Recovery Services vault.

  Correct Answer: D

  The Azure Site Recovery service contributes to your disaster recovery strategy by managing and orchestrating replication, failover, and failback of on-premises machines and Azure virtual machines (VMs).

  

  Reference:

  https://docs.microsoft.com/en-us/azure/site-recovery/azure-to-azure-quickstart https://docs.microsoft.com/en-us/azure/site-recovery/azure-to-azure-tutorial-enable-replication

• Question 189:

  You have an Azure subscription that contains the resources shown in the following table.

  

  All virtual machines run Windows Server 2016.

  On VM1, you back up a folder named Folder1 as shown in the following exhibit.

  

  You plan to restore the backup to a different virtual machine.

  You need to restore the backup to VM2.

  What should you do first?

  A. From VM2, install the Microsoft Azure Recovery Services Agent

  B. From VM1, install the Windows Server Backup feature

  C. From VM2, install the Windows Server Backup feature

  D. From VM1, install the Microsoft Azure Recovery Services Agent

  Correct Answer: A

  Microsoft Azure Recovery Services Agent also known as MARS or Azure Backup Agent can be used to restore data for entire volume or just individual folders and files.

  reference: https://learn.microsoft.com/en-us/azure/backup/restore-all-files-volume-mars

• Question 190:

  You plan to create an Azure virtual machine named VM1 that will be configured as shown in the following exhibit.

  

  The planned disk configurations for VM1 are shown in the following exhibit.

  

  You need to ensure that VM1 can be created in an Availability Zone.

  Which two settings should you modify? Each correct answer presents part of the solution.

  NOTE: Each correct selection is worth one point.

  A. Use managed disks

  B. Availability options

  C. OS disk type

  D. Size

  E. Image

  Correct Answer: AB

  Your VMs should use managed disks if you want to move them to an Availability Zone by using Site Recovery.

  When you create a VM for an Availability Zone, Under Settings > High availability, select one of the numbered zones from the Availability zone dropdown.

  Reference:

  https://docs.microsoft.com/en-us/azure/site-recovery/move-azure-vms-avset-azone

  https://docs.microsoft.com/en-us/azure/virtual-machines/windows/create-portal-availability-zone

  https://docs.microsoft.com/en-us/azure/virtual-machines/manage-availability

  https://docs.microsoft.com/en-us/azure/availability-zones/az-overview#availability-zones