Microsoft Microsoft Certifications AZ-104 Questions & Answers

• Question 221:

  Your company deploys several virtual machines on-premises and to Azure. ExpressRoute is being deployed and configured for on-premises to Azure connectivity. Several virtual machines exhibit network connectivity issues. You need to

  analyze the network traffic to identify whether packets are being allowed or denied to the virtual machines.

  Solution: Use Azure Traffic Analytics in Azure Network Watcher to analyze the network traffic.

  Does this meet the goal?

  A. Yes

  B. No

  Correct Answer: B

  Reference: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview

• Question 222:

  You have an Azure Active Directory (Azure AD) tenant named contoso.com that has a security group named Group1. Group1 is configured for assigned membership. Group1 has 50 members, including 20 guest users.

  You need to recommend a solution for evaluating the membership of Group1.

  The solution must meet the following requirements:

  The evaluation must be repeated automatically every three months. Every member must be able to report whether they need to be in Group1. Users who report that they do not need to be in Group1 must be removed from Group1

  automatically. Users who do not report whether they need to be in Group1 must be removed from Group1 automatically.

  What should you include in the recommendation?

  A. Implement Azure AD Identity Protection.

  B. Change the Membership type of Group1 to Dynamic User.

  C. Create an access review.

  D. Implement Azure AD Privileged Identity Management (PIM).

  Correct Answer: C

  Have reviews recur periodically: You can set up recurring access reviews of users at set frequencies such as weekly, monthly, quarterly or annually, and the reviewers will be notified at the start of each review. Reviewers can approve or deny

  access with a friendly interface and with the help of smart recommendations.

  Reference:

  https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview#learn-about- access-reviews

• Question 223:

  You have an Azure Active Directory (Azure AD) tenant that syncs with an on-premises Active Directory domain.

  You have an internal web app named WebApp1 that is hosted on-premises.

  WebApp1 uses Integrated Windows authentication.

  Some users work remotely and do NOT have VPN access to the on-premises network. You need to provide the remote users with single sign-on (SSO) access to WebApp1. Which two features should you include in the solution? Each correct

  answer presents part of the solution.

  NOTE: Each correct selection is worth one point.

  A. Azure AD Application Proxy

  B. Azure AD Privileged Identity Management (PIM)

  C. Conditional Access policies

  D. Azure Arc

  E. Azure AD enterprise applications

  F. Azure Application Gateway

  Correct Answer: AC

• Question 224:

  You have an Azure subscription. The subscription has a blob container that contains multiple blobs. Ten users in the finance department of your company plan to access the blobs during the month of April. You need to recommend a solution to enable access to the blobs during the month of April only. Which security solution should you include in the recommendation?

  A. shared access signatures (SAS)

  B. Conditional Access policies

  C. certificates

  D. access keys

  Correct Answer: A

  Shared Access Signatures (SAS) allows for limited-time fine grained access control to resources. So you can generate URL, specify duration (for month of April) and disseminate URL to 10 team members. On May 1, the SAS token is

  automatically invalidated, denying team members continued access.

  Reference:

  https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview

• Question 225:

  You have an Azure subscription that contains a custom application named Application1. Application1 was developed by an external company named Fabrikam, Ltd. Developers at Fabrikam were assigned role-based access control (RBAC)

  permissions to the Application1 components. All users are licensed for the Microsoft 365 E5 plan. You need to recommend a solution to verify whether the Fabrikam developers still require permissions to Application1. The solution must meet

  the following requirements:

  To the manager of the developers, send a monthly email message that lists the access permissions to Application1.

  If the manager does not verify an access permission, automatically revoke that permission.

  Minimize development effort.

  What should you recommend?

  A. In Azure Active Directory (Azure AD), create an access review of Application1.

  B. Create an Azure Automation runbook that runs the Get-AzRoleAssignment cmdlet.

  C. In Azure Active Directory (Azure AD) Privileged Identity Management, create a custom role assignment for the Application1 resources.

  D. Create an Azure Automation runbook that runs the Get-AzureADUserAppRoleAssignment cmdlet.

  Correct Answer: A

  Reference: https://docs.microsoft.com/en-us/azure/active-directory/governance/manage-user-access-with-access- reviews

• Question 226:

  You have an Azure subscription that contains an Azure Log Analytics workspace. You have a resource group that contains 100 virtual machines. The virtual machines run Linux. You need to collect events from the virtual machines to the Log

  Analytics workspace.

  Which type of data source should you configure in the workspace?

  A. Syslog

  B. Linux performance counters

  C. custom fields

  Correct Answer: A

  Syslog is an event logging protocol that is common to Linux. Applications will send messages that may be stored on the local machine or delivered to a Syslog collector. When the Log Analytics agent for Linux is installed, it configures the

  local Syslog daemon to forward messages to the agent. The agent then sends the message to Azure Monitor where a corresponding record is created.

  Reference:

  https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-custom-logs

• Question 227:

  You have an Azure subscription that contains 10 virtual machines on a virtual network. You need to create a graph visualization to display the traffic flow between the virtual machines. What should you do from Azure Monitor?

  A. From Activity log, use quick insights.

  B. From Metrics, create a chart.

  C. From Logs, create a new query.

  D. From Workbooks, create a workbook.

  Correct Answer: C

  Navigate to Azure Monitor and select Logs to begin querying the data Reference: https://azure.microsoft.com/en-us/blog/analysis-of-network-connection-data-with-azure-monitor-for-virtual- machines/

• Question 228:

  You have an Azure web app named App1. App1 runs in an Azure App Service plan named Plan1. Plan1 is associated to the Free pricing tier. You discover that App1 stops each day after running continuously for 60 minutes. You need to

  ensure that App1 can run continuously for the entire day. Solution: You change the pricing tier of Plan1 to Shared.

  Does this meet the goal?

  A. Yes

  B. No

  Correct Answer: B

  You should switch to the Basic Tier.

  The Free Tier provides 60 CPU minutes / day. This explains why App1 is stops. The Shared Tier provides 240 CPU minutes / day. The Basic tier has no such cap.

  References:

  https://azure.microsoft.com/en-us/pricing/details/app-service/windows/

• Question 229:

  You have an Azure subscription named Subscription1. Subscription1 contains the resource groups in the following table.

  

  RG1 has a web app named WebApp1. WebApp1 islocated in West Europe.

  You move WebApp1 to RG2.

  What is the effect of the move?

  A. The App Service plan for WebApp1 moves to North Europe.Policy2 applies to WebApp1.

  B. The App Service plan for WebApp1 remains in West Europe. Policy2 applies to WebApp1

  C. The App Service plan for WebApp1 moves to North Europe. Policy1 applies to WebApp1.

  D. The App Service plan for WebApp1 remains in West Europe. Policy1 applies to WebApp1

  Correct Answer: B

  You can move an app to another App Service plan, as long as the source plan and the target plan are in the same resource group and geographical region. The region in which your app runs is the region of the App Service plan it's in.

  However, you cannot change an App Service plan's region.

  References:

  https://docs.microsoft.com/en-us/azure/app-service/app-service-plan-manage

• Question 230:

  From the MFA Server blade, you open the Block/unblock users blade as shown in the exhibit.

  

  What caused AlexW to be blocked?

  A. The user account password expired.

  B. The user entered an incorrect PIN four times within 10 minutes.

  C. An administrator manually blocked the user.

  D. The user reported a fraud alert when prompted for additional authentication.

  Correct Answer: C

  An Administrator can block a user:

  1.

  Sign in to the Azure portal as an administrator.

  2.

  Browse to Azure Active Directory > MFA > Block/unblock users.

  3.

  Select Add to block a user.

  4.

  Select the Replication Group. Enter the username for the blocked user as [email protected]. Enter a comment in the Reason field, for example: Lost phone.

  5.

  Select Add to finish blocking the user.

  Reference:

  https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings