Microsoft Microsoft Certifications AZ-104 Questions & Answers

• Question 351:

  You have an Azure subscription that contains the following storage account:

  

  You need 10 create a request to Microsoft Support to perform a live migration of storage1 to Zone Redundant Storage (ZRS) replication. How should you modify storage1 before the Live migration?

  A. Set the replication to Locally-redundant storage (IRS)

  B. Disable Advanced threat protection

  C. Remove the lock

  D. Set the access tier to Hot

  Correct Answer: A

  If you want to live migration from RA-GRS to ZRS, at first you have to Switch the storage tier to LRS and then only you can request a live migration.

  

  Reference:

  https://docs.microsoft.com/en-us/azure/storage/common/redundancy- migration?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.jsonandtabs=portal

• Question 352:

  You have an Azure Kubernetes cluster in place.

  You have to deploy an application using an Azure Container registry image.

  Which of the following command can be used for this requirement?

  A. az kubernetes deploy

  B. kubectl apply

  C. New-AzKubernetes set

  D. docker run

  Correct Answer: B

  kubectl apply : Correct Choice

  The kubectl command can be used to deploy applications to a Kubernetes cluster.

  az kubernetes deploy : Incorrect Choice

  This command is used to manage Azure Kubernetes Services. This is not used to deploy applications to a Kubernetes cluster.

  New-AzKubernetes set : Incorrect Choice

  This command is used to create a new managed Kubernetes cluster. This is not used to deploy applications to a Kubernetes cluster.

  docker run : Incorrect Choice

  This is run command in a new container. This is not used to deploy applications to a Kubernetes cluster.

  Reference:

  https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#apply https://docs.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest https://docs.microsoft.com/en-us/powershell/module/az.aks/New-AzAks?view=azps3.8.0andviewFallbackFrom=azps-4.3.0 https://docs.docker.com/engine/reference/commandline/run/

• Question 353:

  Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.

  Solution: You assign the Traffic Manager Contributor role at the subscription level to Admin1.

  A. Yes

  B. No

  Correct Answer: B

  https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#traffic-manager-contributor

• Question 354:

  You configure Azure AD Connect for Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) for an on-premises network. Users report that when they attempt to access myapps.microsoft.com, they are prompted multiple times to sign in and are forced to use an account name that ends with onmicrosoft.com.

  You discover that there is a UPN mismatch between Azure AD and the on-premises Active Directory. You need to ensure that the users can use single-sign on (SSO) to access Azure resources.

  What should you do first?

  A. From the on-premises network, deploy Active Directory Federation Services (AD FS).

  B. From Azure AD, add and verify a custom domain name.

  C. From the on-premises network, request a new certificate that contains the Active Directory domain name.

  D. From the server that runs Azure AD Connect, modify the filtering options.

  Correct Answer: B

  Azure AD Connect lists the UPN suffixes that are defined for the domains and tries to match them with a custom domain in Azure AD. Then it helps you with the appropriate action that needs to be taken.

  The Azure

  AD sign-in page lists the UPN suffixes that are defined for on-premises Active Directory and displays the corresponding status against each suffix. The status values can be one of the following:

  State: Verified

  Azure AD Connect found a matching verified domain in Azure AD. All users for this domain can sign in by using their on-premises credentials.

  State: Not verified

  Azure AD Connect found a matching custom domain in Azure AD, but it isn't verified. The UPN suffix of the users of this domain will be changed to the default .onmicrosoft.com suffix after synchronization if the domain isn't verified.

  Action Required: Verify the custom domain in Azure AD.

  References:

  https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-user-signin

• Question 355:

  You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.

  You hire a temporary vendor. The vendor uses a Microsoft account that has a sign-in of [email protected].

  You need to ensure that the vendor can authenticate to the tenant by using [email protected].

  What should you do?

  A. From Windows PowerShell, run the New-AzureADUser cmdlet and specify the ?UserPrincipalName [email protected] parameter.

  B. From the Azure portal, add a custom domain name, create a new Azure AD user, and then specify [email protected] as the username.

  C. From Azure Cloud Shell, run the New-AzureADUser cmdlet and specify the serPrincipalName [email protected] parameter.

  D. From the Azure portal, add a new guest user, and then specify [email protected] as the email address.

  Correct Answer: D

  UserPrincipalName - contains the UserPrincipalName (UPN) of this user. The UPN is what the user will use when they sign in into Azure AD. The common structure is @, so for Abby Brown in Contoso.com, the UPN would be

  [email protected]

  Example:

  To create the user, call the New-AzureADUser cmdlet with the parameter values:

  powershell New-AzureADUser -AccountEnabled $True -DisplayName "Abby Brown" - PasswordProfile$PasswordProfile -MailNickName "AbbyB" -UserPrincipalName "[email protected]" References:

  https://docs.microsoft.com/bs-cyrl-ba/powershell/azure/active-directory/new-user-sample?view=azureadps-2.0

• Question 356:

  You have an Azure resource manager template that will be used to deploy 10 Azure Web Apps.

  You have to ensure to deploy the pre-requisites before the deployment of the template.

  You have to minimize the costs associated with the implementation.

  Which of the following would you deploy as pre-requisites?

  A. An Azure Load Balancer

  B. An Application Gateway

  C. 10 Azure App Service Plans

  D. One App Service Plan

  Correct Answer: D

  In App Service (Web Apps, API Apps, or Mobile Apps), an app always runs in an App Service plan. An App Service plan defines a set of compute resources for a web app to run. One App Service Plan : Correct Choice For an Azure Web App, you need to have an Azure App Service Plan in place. You can associate multiple Azure Web Apps with the same App Service Plan. Hence to save on costs, you can just have one Azure App Service Plan in place. An Azure Load Balancer : Incorrect Choice An Azure load balancer is a Layer-4 (TCP, UDP) load balancer that provides high availability by distributing incoming traffic among healthy VMs. A load balancer health probe monitors a given port on each VM and only distributes traffic to an operational VM An Application Gateway : Incorrect Choice Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. Traditional load balancers operate at the transport layer (OSI layer 4 - TCP and UDP) and route traffic based on source IP address and port, to a destination IP address and port. 10 Azure App Service Plans : Incorrect Choice For an Azure Web App, you need to have an Azure App Service Plan in place. You can associate multiple Azure Web Apps with the same App Service Plan. Hence to save on costs, you can just have one Azure App Service Plan in place. So there is no need for 10 App Service Plans.

  Reference: https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-plans https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-load-balancer https://docs.microsoft.com/en-us/azure/application-gateway/overview

• Question 357:

  You sign up for Azure Active Directory (Azure AD) Premium.

  You need to add a user named [email protected] as an administrator on all the computers that will be joined to the Azure AD domain.

  What should you configure in Azure AD?

  A. Device settings from the Devices blade.

  B. General settings from the Groups blade.

  C. User settings from the Users blade.

  D. Providers from the MFA Server blade.

  Correct Answer: A

  When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principles to the local administrators group on the device:

  1.

  The Azure AD global administrator role

  2.

  The Azure AD device administrator role

  3.

  The user performing the Azure AD join

  In the Azure portal, you can manage the device administrator role on the Devices page. To open the Devices page:

  1.

  Sign in to your Azure portal as a global administrator or device administrator.

  2.

  On the left navbar, click Azure Active Directory.

  3.

  In the Manage section, click Devices.

  4.

  On the Devices page, click Device settings.

  5.

  To modify the device administrator role, configure Additional local administrators on Azure AD joined devices.

  References: https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin

• Question 358:

  You have an Active Directory forest named contoso.com.

  You install and configure Azure AD Connect to use password hash synchronization as the single sign-on (SSO) method. Staging mode is enabled.

  You review the synchronization results and discover that the Synchronization Service Manager does not display any sync jobs.

  You need to ensure that the synchronization completes successfully.

  What should you do?

  A. From Synchronization Service Manager, run a full import.

  B. Run Azure AD Connect and set the SSO method to Pass-through Authentication.

  C. From Azure PowerShell, run Start-AdSyncSyncCycle -PolicyType Initial.

  D. Run Azure AD Connect and disable staging mode.

  Correct Answer: D

  Staging mode must be disabled. If the Azure AD Connect server is in staging mode, password hash synchronization is temporarily disabled.

  References:

  https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync- troubleshoot-password-hash-synchronization#no-passwords-are-synchronized-troubleshoot-by- using-the-troubleshooting-task

• Question 359:

  Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while

  others might not have a correct solution.

  After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

  You have an Azure web app named App1. App1 runs in an Azure App Service plan named Plan1. Plan1 is associated to the Free pricing tier.

  You discover that App1 stops each day after running continuously for 60 minutes.

  You need to ensure that App1 can run continuously for the entire day.

  Solution: You add a continuous WebJob to App1.

  Does this meet the goal?

  A. Yes

  B. No

  Correct Answer: B

  A web app can time out after 20 minutes of inactivity. Only requests to the actual web app reset the timer. Viewing the app's configuration in the Azure portal or making requests to the advanced tools site (Error! Hyperlink reference not valid.) don't reset the timer. If your app runs continuous or scheduled (Timer trigger) WebJobs, enable Always On to ensure that the WebJobs run reliably. This feature is available only in the Basic, Standard, and Premium pricing tiers. The app service plan mentioned in the question is associated to the free tier , so addition of a continuous WebJob to App1 is not possible. So the proposed solution won't meet the goal.

  Reference : https://docs.microsoft.com/en-us/azure/app-service/webjobs-create

• Question 360:

  You have an Azure subscription.

  You enable multi-factor authentication for all users.

  Some users report that the email applications on their mobile device cannot connect to their Microsoft

  Exchange Online mailbox.

  The users can access Exchange Online by using a web browser and from Microsoft Outlook 2016 on their computer.

  You need to ensure that the users can use the email applications on their mobile device.

  What should you instruct the users to do?

  A. Create an app password

  B. Reset the Azure Active Directory (Azure AD) password

  C. Enable self-service password reset

  D. Reinstall the Microsoft Authenticator app

  Correct Answer: A

  If you're enabled for multi-factor authentication, make sure that you have set up app passwords. Note: During your initial two-factor verification registration process, you're provided with a single app password. If you require more than one,

  you'll have to create them yourself.

  Go to the Additional security verification page.

  References:

  https://docs.microsoft.com/en-us/office365/troubleshoot/sign-in/sign-in-to-office-365-azure-intune https://docs.microsoft.com/sv-se/azure/active-directory/user-help/multi-factor-authentication-end- user-app-passwords