Microsoft Microsoft Certifications AZ-104 Questions & Answers

• Question 361:

  You have an Azure Active Directory (Azure AD) tenant named Contoso.com that is synced to an Active Directory domain. The tenant contains the users shown in the following table.

  

  The user have the attributes shown in the following table.

  

  You need to ensure that you can enable Azure Multi-Factor Authentication (MFA) for all four users.

  Solution: You create a new user account in Azure AD for User3.

  Does this meet the goal?

  A. Yes

  B. No

  Correct Answer: A

  User3 requires a user account in Azure AD.

  Note: Your Azure AD password is considered an authentication method. It is the one method that cannot be disabled.

  References:

  https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication- methods

• Question 362:

  You are deploying a containerized web application in Azure. When deploying the web app, which of the following are valid container image sources?

  A. Virtual machine

  B. Docker hub

  C. ACR

  D. On-premises

  Correct Answer: BC

  When you create a web app from a Docker image, you configure the following properties:

  1.

  The registry that contains the image. The registry can be Docker Hub, Azure Container Registry (ACR), or some other private registry.

  2.

  The image :This item is the name of the repository.

  3.

  The tag : This item indicates which version of the image to use from the repository. By convention, the most recent version is given the tag latest when it's built.

  4.

  Startup File :This item is the name of an executable file or a command to be run when the image is loaded. It's equivalent to the command that you can supply to Docker when running an image from the command line by using docker run. If

  you're deploying a ready-to-run, containerized app that already has the ENTRYPOINT and/or COMMAND values configured, you don't need to fill this in.

  Reference:

  https://docs.microsoft.com/en-us/learn/modules/deploy-run-container-app-service/4-deploy-web- app

• Question 363:

  You have an Azure virtual machine named VM1.

  The network interface for VM1 is configured as shown in the exhibit. (Click the Exhibit tab.)

  

  You deploy a web server on VM1, and then create a secure website that is accessible by using the HTTPS protocol. VM1 is used as a web server only.

  You need to ensure that users can connect to the website from the internet. What should you do?

  A. Create a new inbound rule that allows TCP protocol 443 and configure the protocol to have a priority of 501.

  B. For Rule5, change the Action to Allow and change the priority to 401.

  C. Delete Rule1.

  D. Modify the protocol of Rule4.

  Correct Answer: B

  Rule 2 is blocking HTTPS access (port 443) and has a priority of 500. Changing Rule 5 (ports 50-5000) and giving it a lower priority number will allow access on port 443. Note: Rules are processed in priority order, with lower numbers

  processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops.

  References:

  https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

• Question 364:

  Your VMware vSphere on-premises infrastructure hosts 600 virtual machines (VMs).

  Your company is planning to move all of these VMs to Azure. You are asked to provide information about

  the resources that will be needed in Azure to host all of the VMs.

  All VMs hosted in your on-premise infrastructure are based on Windows Server 2012 R2 or newer and RedHat Enterprise Linux 7.0 or newer.

  You conduct the initial migration assessment and get a message that some virtual machines are conditionally ready for Azure.

  You need to find the cause of this message.

  What are two reasons why are you might get this message on some VMs? (Choose two)

  Each correct answer presents part of the solution.

  A. The vCenter user does not have enough permissions on affected VMs.

  B. The operating system is configured as Windows Server 2003 in vCenter Server.

  C. The operating system is configured as Others in vCenter Server.

  D. The VMs are configured with the BIOS boot type.

  E. The VMs are configured with the UEFI boot type.

  Correct Answer: BE

  To prepare for VMware VM assessment, you need to:

  Verify VMware settings. Make sure that the vCenter Server and VMs you want to migrate meet requirements.

  Set up permissions for assessment. Azure Migrate uses a vCenter account to access the vCenter Server, to discover and assess VMs. Verify appliance requirements. Verify deployment requirements for the Azure Migrate appliance, before

  you deploy it in the next tutorial.

  Reference:

  https://docs.microsoft.com/en-us/azure/migrate/tutorial-prepare-vmware

• Question 365:

  You have an Azure virtual machine named VMV

  The network interface for VM1 is configured as shown in the exhibit(Click the Exhibit tab.)

  

  You deploy a web server on VM1. and then create a secure website that is accessible by using the HTTPS protocol. VM1 is used as a web server only.

  You need to ensure that users can connect to the website from the internet.

  What should you do?

  A. For Rule4. change the protocol from UDP to Any

  B. Modify the protocol of Rule4.

  C. Modify the action of Rule1.

  D. Change the priority of Rute3 to 450

  Correct Answer: D

  Rule 2 is blocking HTTPS access (port 443) and has a priority of 500. Changing Rule 3 (ports 60-500) and giving it a lower priority number will allow access on port 443. Note: Rules are processed in priority order, with lower numbers

  processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops.

  Incorrect Answers:

  A: HTTPS uses port 443. Rule6 only applies to ports 150 to 300. C, D: Rule 1 blocks access to port 80, which is used for HTTP, not HTTPS.

  Reference:

  https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

• Question 366:

  You have an Azure subscription that contains the resources in the following table.

  

  Subnet1 is associated to VNet1. NIC1 attaches VM1 to Subnet1.

  You need to apply ASG1 to VM1.

  What should you do?

  A. Modify the properties of NSG1.

  B. Modify the properties of ASG1.

  C. Associate NIC1 to ASG1.

  Correct Answer: C

  Associate Virtual Machines

  An application security group is a logical collection of virtual machines (NICs). You join virtual machines to the application security group, and then use the application security group as a source or destination in NSG rules.

  The Networking blade of virtual machine properties has a new button called Configure The Application Security Groups for each NIC in the virtual machine. If you click this button, a pop-up blade will appear and you can select which (none,

  one, many) application security groups that this NIC should join, and then click Save to commit the change.

  https://petri.com/understanding-application-security-groups-in-the-azure-portal#:~:text=You%20can%20start%20the%20process,Application%20Security%20Group%20blade%20appears.

• Question 367:

  You have an Azure Active Directory (Azure AD) tenant.

  All administrators must enter a verification code to access the Azure portal.

  You need to ensure that the administrators can access the Azure portal only from your on- premises network.

  What should you configure?

  A. an Azure AD Identity Protection user risk policy.

  B. the multi-factor authentication service settings.

  C. the default for all the roles in Azure AD Privileged Identity Management

  D. an Azure AD Identity Protection sign-in risk policy

  Correct Answer: B

  the multi-factor authentication service settings - Correct choice There are two criterias mentioned in the question.

  1.

  MFA required

  2.

  Access from only a specific geographic region/IP range. To satisfy both the requirements you need MFA with location conditional access. Please note to achieve this configuration you need to have AD Premium account for Conditional Access policy. Navigate to Active Directory --> Security --> Conditional Access --> Named Location. Here you can create a policy with location (on-premise IP range) and enable MFA. This will satisfy the requirements.

  

  an Azure AD Identity Protection user risk policy - Incorrect choice In the Identity Protection, there are three (3) protection policies- User Risk, Sign-In Risk and MFA Registration. None of those in which you can enable a location (on-prem IP

  Range) requirement in any blade.

  the default for all the roles in Azure AD Privileged Identity Management - Incorrect choice This option will not help you to restrict the users to access only form on prem. an Azure AD Identity Protection sign-in risk policy - Incorrect choice In the

  Identity Protection, there are three (3) protection policies- User Risk, Sign-In Risk and MFA Registration. None of those in which you can enable a location (on-prem IP Range) requirement in any blade.

  Reference:

  https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition

• Question 368:

  You have an Azure subscription that contains two virtual networks named VNET1 and VNET2 and the users shown in the following table: Larger image

  

  You need to identify which users can configure peering between VNET1 and VNET2. Which users should you identify?

  A. User1 only

  B. User3 only

  C. User1 and User2 only

  D. User1 and User3 only

  E. User1, User2 and User3

  Correct Answer: E

  Owner: An owner can configure peering.

  A Global administrator can configure peering.

  Network Contributor:

  The accounts you use to work with virtual network peering must be assigned to the following roles:

  1.

  Network Contributor: For a virtual network deployed through Resource Manager.

  2.

  Classic Network Contributor: For a virtual network deployed through the classic deployment model.

  Reference:

  https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/govern/resource- consistency/governance-multiple-teams

• Question 369:

  You have an on-premises network that contains a Hyper-V host named Host1. Host1 runs Windows Server 2016 and hosts 10 virtual machines that run Windows Server 2016.

  You plan to replicate the virtual machines to Azure by using Azure Site Recovery.

  You create a Recovery Services vault named ASR1 and a Hyper-V site named Site1.

  You need to add Host1 to ASR1.

  What should you do?

  A. Download the installation file for the Azure Site Recovery Provider. Download the vault registration key. Install the Azure Site Recovery Provider on Host1 and register the server.

  B. Download the installation file for the Azure Site Recovery Provider. Download the storage account key.

  Install the Azure Site Recovery Provider on Host1 and register the server.

  C. Download the installation file for the Azure Site Recovery Provider. Download the vault registration key. Install the Azure Site Recovery Provider on each virtual machine and register the virtual machines.

  D. Download the installation file for the Azure Site Recovery Provider. Download the storage account key. Install the Azure Site Recovery Provider on each virtual machine and register the virtual machines.

  Correct Answer: A

  Below are the steps you need to perform in this scenario. Refer the link mentioned in the reference section.

  Download the installation file for the Azure Site Recovery Provider To set up the source environment, you create a Hyper-V site and add to that site the Hyper-V hosts containing VMs that you want to replicate. Then, you download and install

  the Azure Site Recovery Provider and the Azure Recovery Services agent on each host, and register the Hyper-V site in the vault.

  

  Download the vault registration key

  Download the Vault registration key. You need this when you install the Provider. The key is valid for five days after you generate it.

  

  Install the Azure Site Recovery Provider on Host1.

  Install the downloaded setup file (AzureSiteRecoveryProvider.exe) on each Hyper-V host that you want to add to the Hyper-V site. Setup installs the Azure Site Recovery Provider and Recovery Services agent on each Hyper-V host.

  Register the server

  In Registration, after the server is registered in the vault, select Finish.

  References:

  https://docs.microsoft.com/en-us/azure/site-recovery/hyper-v-azure-tutorial

• Question 370:

  You have an Azure Service Bus.

  You need to implement a Service Bus queue that guarantees first in first-out (FIFO) delivery of messages.

  What should you do?

  A. Set the Lock Duration setting to 10 seconds.

  B. Enable duplicate detection.

  C. Set the Max Size setting of the queue to 5 GB.

  D. Enable partitioning.

  E. Enable sessions.

  Correct Answer: E

  Through the use of messaging sessions you can guarantee ordering of messages, that is first-in-first- out (FIFO) delivery of messages.

  References:

  https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-azure-and-service-bus- queues-compared-contrasted