Microsoft Role-based AZ-104 Questions & Answers

• Question 21:

  You have an Azure Active Directory (Azure AD) tenant that is linked to 10 Azure subscriptions. You need to centrally monitor user activity across all the subscriptions. What should you use?

  A. Activity log filters

  B. a Log Analytics workspace

  C. access reviews

  D. Azure Application Insights Profiler

  Correct Answer: B

  Send the activity log to a Log Analytics workspace to enable the Azure Monitor Logs feature, where you:

  Consolidate log entries from multiple Azure subscriptions and tenants into one location for analysis together.

  https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=powershell#send-to-log-analytics-workspace

• Question 22:

  You have an Azure subscription

  You need to receive an email alert when a resource lock is removed from any resource in the subscription What should you use to create an activity log alert in Azure Monitor?

  A. a resource a condition, and an action group

  B. a resource, a condition and a Microsoft 365 group

  C. a Log Analytics workspace a resource, and an action group

  D. a data collection endpoint, an application security group, and a resource group

  Correct Answer: C

• Question 23:

  You have an Azure subscription that contains 10 virtual machines, a key vault named Vault 1, and a network security group (NSG) named NSG1. All the resources are deployed to the East US Azure region.

  The virtual machines are protected by using NSG1. NSG1 is configured to block all outbound traffic to the internet.

  You need to ensure that the virtual machines can access Vault1. The solution must use the principle of least privilege and minimize administrative effort.

  What should you configure as the destination of the outbound security rule for NSG1 ?

  A. an application security group

  B. an IP address range

  C. a service tag

  Correct Answer: C

• Question 24:

  You have an Azure subscription named Sub1 that contains the resources shown in the following table.

  

  You create a user named Admin1.

  To what can you add Admin1 as a co-administrator?

  A. RG1

  B. MG1

  C. Sub1

  D. VM1

  Correct Answer: C

  You can add Admin1 as a co-administrator to the Sub1 subscription.

  You cannot add Admin1 as a co-administrator to the RG1 resource group, MG1 management group, or VM1 virtual machine.

  Co-administrators have full access to all resources in a subscription, including the ability to create, read, update, and delete resources.

  To add Admin1 as a co-administrator to Sub1:

  In the Azure portal, navigate to Sub1.

  Click Access control (IAM).

  Click Assign role.

  Select the Co-Administrator role.

  Select Admin1 in the Select drop-down list.

  Click Assign.

  Once the role has been assigned, Admin1 will have full access to all resources in Sub1.

  Note: Co-administrators can only be assigned at the subscription scope. You cannot assign co-administrators to resource groups, management groups, or virtual machines.

• Question 25:

  You have an Azure subscription that contains the devices shown in the following table.

  

  On which devices can you install Azure Storage Explorer?

  A. Device1 only

  B. Device1 and Device2 only

  C. Device1 and Device3 only

  D. Device1, Device2, and Device3 only

  E. Device1, Device3, and Device4 only

  Correct Answer: D

  https://learn.microsoft.com/en-us/azure/vs-azure-tools-storage-manage-with-storage-explorer?tabs=windows

• Question 26:

  You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1. Subscription1 has a user named User1. User1 has the following roles:

  1.

  Reader

  2.

  Security Admin

  3.

  Security Reader

  You need to ensure that User1 can assign the Reader role for VNet1 to other users.

  What should you do?

  A. Remove User1 from the Security Reader role for Subscript on 1. Assign User1 the Contributor role for RG1.

  B. Assign User1 the Owner role for VNet1.

  C. Remove User1 from the Security Reader and Reader roles for Subscription1. Assign User1 the Contributor role for Subscription 1.

  D. Assign User1 the Contributor role for VNet1.

  Correct Answer: B

  Contributor

  Need to be Owner. The correct scope is VNET1.

  Owner - Has full access to all resources including the right to delegate access to others.

  Incorrect:

  * Contributor - Can create and manage all types of Azure resources but can't grant access to others.

  Note: Identify the needed scope

  When you assign roles, you must specify a scope. Scope is the set of resources the access applies to. In Azure, you can specify a scope at four levels from broad to narrow: management group, subscription, resource group, and resource.

  

  Reference: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal

• Question 27:

  DRAG DROP

  You need to prepare the environment to ensure that the web administrators can deploy the web apps as quickly as possible.

  Which three actions should you perform in sequence?

  To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

  Select and Place:

  

  Correct Answer:

  

  Scenario:

  1.

  Web administrators will deploy Azure web apps for the marketing department.

  2.

  Each web app will be added to a separate resource group.

  3.

  The initial configuration of the web apps will be identical.

  4.

  The web administrators have permission to deploy web apps to resource groups.

  Steps:

  1 --> Create a resource group, and then deploy a web app to the resource group.

  2 --> From the Automation script blade of the resource group , click Add to Library.

  3 --> From the Templates service, select the template, and then share the template to the web administrators

  References:

  https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/quickstart-createtemplates-use-the-portal

• Question 28:

  HOTSPOT

  You implement The planned changes for NSG1 and NSG2.

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: No NSG2 blocks RDP to VM2

  Box 2: Yes ICMP is not blocked

  Box 3: No NSG2 blocks RDP from VM2

  Reference: https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works

• Question 29:

  HOTSPOT

  You need to implement Role1.

  Which command should you run before you create Role1? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  https://docs.microsoft.com/en-us/powershell/module/az.resources/getazroledefinition?view=azps-5.9.0 https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-rolepowershell https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/converttojson?view=powershell-7.1 https://docs.microsoft.com/en-us/powershell/module/azuread/getazureaddirectoryrole?view=azureadps-2.0

• Question 30:

  HOTSPOT

  You need to meet the connection requirements for the New York office.

  What should you do? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Create a virtual network gateway and a local network gateway.

  Azure VPN gateway. The VPN gateway service enables you to connect the VNet to the on-premises network through a VPN appliance. For more information, see Connect an on-premises network to a Microsoft Azure virtual network. The

  VPN gateway includes the following elements:

  1.

  Virtual network gateway. A resource that provides a virtual VPN appliance for the VNet. It is responsible for routing traffic from the on-premises network to the VNet.

  2.

  Local network gateway. An abstraction of the on-premises VPN appliance. Network traffic from the cloud application to the on-premises network is routed through this gateway.

  3.

  Connection. The connection has properties that specify the connection type (IPSec) and the key shared with the on-premises VPN appliance to encrypt traffic.

  4.

  Gateway subnet. The virtual network gateway is held in its own subnet, which is subject to various requirements, described in the Recommendations section below.

  Box 2: Configure a site-to-site VPN connection

  On premises create a site-to-site connection for the virtual network gateway and the local network gateway.

  

  Scenario: Connect the New York office to VNet1 over the Internet by using an encrypted connection.

  Incorrect Answers:

  Azure ExpressRoute: Established between your network and Azure, through an ExpressRoute partner. This connection is private. Traffic does not go over the internet.

  Reference:

  https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/vpn