Microsoft Microsoft Certifications AZ-104 Questions & Answers

• Question 701:

  Your on-premises network contains a VPN gateway.

  You have an Azure subscription that contains the resources shown in the following table.

  

  You need to ensure that all the traffic from VM1 to storage1 travels across the Microsoft backbone network. What should you configure?

  A. Azure AD Application Proxy

  B. service endpoints

  C. a network security group (NSG)

  D. Azure Firewall

  Correct Answer: B

• Question 702:

  You need to identify which storage account to use for the flow logging of IP traffic from VM5. The solution must meet the retention requirements. Which storage account should you identify?

  A. storage4

  B. storage1

  C. storage2

  D. storage3

  Correct Answer: C

  For at least two reasons, storage2 is the only candidate:

  -Location: The storage account used must be in the same region as the NSG.

  -Retention is available only if you use General Purpose v2 Storage accounts (GPv2).

  Reference:

  https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview

• Question 703:

  You need to add VM1 and VM2 to the backend poo! of LB1. What should you do first?

  A. Create a new NSG and associate the NSG to VNET1/Subnet1.

  B. Connect VM2 to VNET1/Subnet1.

  C. Redeploy VM1 and VM2 to the same availability zone.

  D. Redeploy VM1 and VM2 to the same availability set.

  Correct Answer: D

• Question 704:

  You need to ensure that you can grant Group4 Azure RBAC read-only permissions to all the A2ure file shares. What should you do?

  A. On storagel and storage4, change the Account kind type to StorageV2 (general purpose v2).

  B. Recreate storage2 and set Hierarchical namespace to Enabled.

  C. On storage2, enable identity-based access for the file shares.

  D. Create a shared access signature (SAS) for storagel, storage2, and storage4.

  Correct Answer: C

  Azure Files supports identity-based authentication over Server Message Block (SMB) through on-premises Active Directory Domain Services (AD DS) and Azure Active Directory Domain Services (Azure AD DS).

  Reference: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview

• Question 705:

  You need to meet the user requirement for Admin1.

  What should you do?

  A. From the Subscriptions blade, select the subscription, and then modify the Properties.

  B. From the Subscriptions blade, select the subscription, and then modify the Access control (IAM) settings.

  C. From the Azure Active Directory blade, modify the Properties.

  D. From the Azure Active Directory blade, modify the Groups.

  Correct Answer: A

  Scenario:

  1.

  Designate a new user named Admin1 as the service admin for the Azure subscription.

  2.

  Admin1 must receive email alerts regarding service outages.

  Follow these steps to change the Service Administrator in the Azure portal.

  1.

  Make sure your scenario is supported by checking the limitations for changing the Service Administrator.

  2.

  Sign in to the Azure portal as the Account Administrator.

  3.

  Open Cost Management + Billing and select a subscription.

  4.

  In the left navigation, click Properties.

  5.

  Click Service Admin.

  Reference: https://docs.microsoft.com/en-us/azure/role-based-access-control/classic-administrators

• Question 706:

  You need to move the blueprint files to Azure. What should you do?

  A. Generate a shared access signature (SAS). Map a drive, and then copy the files by using File Explorer.

  B. Use the Azure Import/Export service.

  C. Generate an access key. Map a drive, and then copy the files by using File Explorer.

  D. Use Azure Storage Explorer to copy the files.

  Correct Answer: D

  Azure Storage Explorer is a free tool from Microsoft that allows you to work with Azure Storage data on Windows, macOS, and Linux. You can use it to upload and download data from Azure blob storage.

  Scenario:

  Planned Changes include: move the existing product blueprint files to Azure Blob storage. Technical Requirements include: Copy the blueprint files to Azure over the Internet.

  References: https://docs.microsoft.com/en-us/azure/machine-learning/team-data-science-process/move-data-to-azure-blob-using-azure-storage-explorer

• Question 707:

  You need to implement a backup solution for App1 after the application is moved.

  What should you create first?

  A. a recovery plan

  B. an Azure Backup Server

  C. a backup policy

  D. a Recovery Services vault

  Correct Answer: D

  A Recovery Services vault is a logical container that stores the backup data for each protected resource, such as Azure VMs. When the backup job for a protected resource runs, it creates a recovery point inside the Recovery Services vault.

  Scenario:

  There are three application tiers, each with five virtual machines.

  Move all the virtual machines for App1 to Azure.

  Ensure that all the virtual machines for App1 are protected by backups.

  Reference:

  https://docs.microsoft.com/en-us/azure/backup/quick-backup-vm-portal

• Question 708:

  You need to recommend an identify solution that meets the technical requirements. What should you recommend?

  A. federated single-on (SSO) and Active Directory Federation Services (AD FS)

  B. password hash synchronization and single sign-on (SSO)

  C. cloud-only user accounts

  D. Pass-through Authentication and single sign-on (SSO)

  Correct Answer: A

  Active Directory Federation Services is a feature and web service in the Windows Server Operating System that allows sharing of identity information outside a company's network.

  Scenario: Technical Requirements include:

  Prevent user passwords or hashes of passwords from being stored in Azure. References: https://www.sherweb.com/blog/active-directory-federation-services/

• Question 709:

  You are planning the move of App1 to Azure.

  You create a network security group (NSG).

  You need to recommend a solution to provide users with access to App1.

  What should you recommend?

  A. Create an outgoing security rule for port 443 from the Internet. Associate the NSG to all the subnets.

  B. Create an incoming security rule for port 443 from the Internet. Associate the NSG to all the subnets.

  C. Create an incoming security rule for port 443 from the Internet. Associate the NSG to the subnet that contains the web servers.

  D. Create an outgoing security rule for port 443 from the Internet. Associate the NSG to the subnet that contains the web servers.

  Correct Answer: C

  As App1 is public-facing we need an incoming security rule, related to the access of the web servers. Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers: a SQL database, a web front end, and a processing middle tier. Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

  Incoming and the web server subnet only, as users access the web front end by using HTTPS only.

  Note Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers:

  1.

  A SQL database

  2.

  A web front end

  3.

  A processing middle tier

  Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

• Question 710:

  Which blade should you instruct the finance department auditors to use?

  A. invoices

  B. partner information

  C. cost analysis

  D. External services

  Correct Answer: C

  Cost analysis: Correct Option

  In cost analysis blade of Azure, you can see all the detail for custom time span. You can use this to determine expenditure of last few day, weeks, and month. Below options are available in Cost analysis blade for filtering information by time span: last 7 days , last 30 days, and custom date range. Choosing the first option (last 7 days) auditors can view the costs by time span.

  Cost analysis shows data for the current month by default. Use the date selector to switch to common date ranges quickly. Examples include the last seven days, the last month, the current year, or a custom date range. Pay-as-you-go subscriptions also include date ranges based on your billing period, which isn't bound to the calendar month, like the current billing period or last invoice. Use the links at the top of the menu to jump to the previous or next period, respectively. For example,

  Invoice: Incorrect Option

  Invoices can only be used for past billing periods not for current billing period, i.e. if your requirement is to know the last week's cost then that also not filled by invoices because Azure generates invoice at the end of the month. Even though Invoices have custom timespan, but when you put in dates for a week, the pane would be empty.

  Resource Provider: Incorrect Option

  When deploying resources, you frequently need to retrieve information about the resource providers and types. For example, if you want to store keys and secrets, you work with the Microsoft.KeyVault resource provider. This resource provider offers a resource type called vaults for creating the key vault. This is not useful for reviewing all Azure costs from the past week which is required for audit.

  Payment method: Incorrect Option

  Payment methods is not useful for reviewing all Azure costs from the past week which is required for audit.

  Reference: https://docs.microsoft.com/en-us/azure/cost-management-billing/costs/quick-acm-cost-analysis https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/download-azure-invoice-daily-usage-date