AZ-104: Microsoft Azure Administrator Part 4
Question #: 236
Topic #: 1
You administer a solution in Azure that is currently having performance issues.
You need to find the cause of the performance issues pertaining to metrics on the Azure infrastructure.
Which of the following is the tool you should use?
A. Azure Traffic Analytics
B. Azure Monitor
C. Azure Activity Log
D. Azure Advisor
Selected Answer: B
Question #: 237
Topic #: 2
You have an Azure subscription that contains a user named User1.
You need to ensure that User1 can deploy virtual machines and manage virtual networks. The solution must use the principle of least privilege.
Which role-based access control (RBAC) role should you assign to User1?
A. Owner
B. Virtual Machine Contributor
C. Contributor
D. Virtual Machine Administrator Login
Selected Answer: C
Question #: 238
Topic #: 3
You have an Azure subscription that contains the storage accounts shown in the following table.
You plan to manage the data stored in the accounts by using lifecycle management rules.
To which storage accounts can you apply lifecycle management rules?
A. storage1 only
B. storage1 and storage2 only
C. storage3 and storage4 only
D. storage1, storage2, and storage3 only
E. storage1, storage2, storage3, and storage4
Selected Answer: D
Question #: 239
Topic #: 5
You have an Azure subscription named Subscription1. Subscription1 contains a virtual machine named VM1.
You have a computer named Computer1 that runs Windows 10. Computer1 is connected to the Internet.
You add a network interface named vm1173 to VM1 as shown in the exhibit. (Click the Exhibit tab.)
From Computer1, you attempt to connect to VM1 by using Remote Desktop, but the connection fails.
You need to establish a Remote Desktop connection to VM1.
What should you do first?
A. Change the priority of the RDP rule
B. Attach a network interface
C. Delete the DenyAllInBound rule
D. Start VM1
Selected Answer: D
Question #: 240
Topic #: 4
You have an Azure Active Directory (Azure AD) tenant named adatum.com that contains the users shown in the following table.
Adatum.com has the following configurations:
✑ Users may join devices to Azure AD is set to User1.
✑ Additional local administrators on Azure AD joined devices is set to None.
You deploy Windows 10 to a computer named Computer1. User1 joins Computer1 to adatum.com.
You need to identify the local Administrator group membership on Computer1.
Which users are members of the local Administrators group?
A. User1 only
B. User2 only
C. User1 and User2 only
D. User1, User2, and User3 only
E. User1, User2, User3, and User4
Selected Answer: C
Question #: 243
Topic #: 1
Your company has an Azure subscription that includes a Recovery Services vault.
You want to use Azure Backup to schedule a backup of your company’s virtual machines (VMs) to the Recovery Services vault.
Which of the following VMs can you back up? Choose all that apply.
A. VMs that run Windows 10.
B. VMs that run Windows Server 2012 or higher.
C. VMs that have NOT been shut down.
D. VMs that run Debian 8.2+.
E. VMs that have been shut down.
Selected Answer: ABCDE
Question #: 244
Topic #: 3
You create an Azure Storage account named contosostorage.
You plan to create a file share named data.
Users need to map a drive to the data file share from home computers that run Windows 10.
Which outbound port should you open between the home computers and the data file share?
A. 80
B. 443
C. 445
D. 3389
Selected Answer: C
Question #: 245
Topic #: 5
You have the Azure virtual machines shown in the following table.
A DNS service is installed on VM1.
You configure the DNS servers settings for each virtual network as shown in the following exhibit.
You need to ensure that all the virtual machines can resolve DNS names by using the DNS service on VM1.
What should you do?
A. Configure a conditional forwarder on VM1
B. Add service endpoints on VNET1
C. Add service endpoints on VNET2 and VNET3
D. Configure peering between VNET1, VNET2, and VNET3
Selected Answer: D
Question #: 246
Topic #: 6
You have an Azure subscription that contains multiple virtual machines in the West US Azure region.
You need to use Traffic Analytics in Azure Network Watcher to monitor virtual machine traffic.
Which two resources should you create? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. a Log Analytics workspace
B. an Azure Monitor workbook
C. a storage account
D. a Microsoft Sentinel workspace
E. a Data Collection Rule (DCR) in Azure Monitor
Selected Answer: AE
Question #: 249
Topic #: 6
You have an Azure subscription that contains eight virtual machines and the resources shown in the following table.
You need to configure access for VNET1. The solution must meet the following requirements:
• The virtual machines connected to VNET1 must be able to communicate with the virtual machines connected to VNET2 by using the Microsoft backbone.
• The virtual machines connected to VNET1 must be able to access storage1, storage2, and Azure AD by using the Microsoft backbone.
What is the minimum number of service endpoints you should add to VNET1?
A. 1
B. 2
C. 3
D. 5
Selected Answer: B
Question #: 250
Topic #: 2
You have an Azure subscription named Subscription1 that contains an Azure virtual machine named VM1. VM1 is in a resource group named RG1.
VM1 runs services that will be used to deploy resources to RG1.
You need to ensure that a service running on VM1 can manage the resources in RG1 by using the identity of VM1.
What should you do first?
A. From the Azure portal, modify the Managed Identity settings of VM1
B. From the Azure portal, modify the Access control (IAM) settings of RG1
C. From the Azure portal, modify the Access control (IAM) settings of VM1
D. From the Azure portal, modify the Policies settings of RG1
Selected Answer: A
Question #: 251
Topic #: 1
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
You have a CSV file that contains the names and email addresses of 500 external users.
You need to create a guest user account in contoso.com for each of the 500 external users.
Solution: You create a PowerShell script that runs the New-AzureADUser cmdlet for each user.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 252
Topic #: 3
You have an Azure subscription named Subscription1.
You have 5 TB of data that you need to transfer to Subscription1.
You plan to use an Azure Import/Export job.
What can you use as the destination of the imported data?
A. Azure File Storage
B. an Azure Cosmos DB database
C. Azure Data Factory
D. Azure SQL Database
Selected Answer: A
Question #: 255
Topic #: 2
You have an Azure subscription that contains a resource group named TestRG.
You use TestRG to validate an Azure deployment.
TestRG contains the following resources:
You need to delete TestRG.
What should you do first?
A. Modify the backup configurations of VM1 and modify the resource lock type of VNET1
B. Remove the resource lock from VNET1 and delete all data in Vault1
C. Turn off VM1 and remove the resource lock from VNET1
D. Turn off VM1 and delete all data in Vault1
Selected Answer: B
Question #: 256
Topic #: 1
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
You have a CSV file that contains the names and email addresses of 500 external users.
You need to create a guest user account in contoso.com for each of the 500 external users.
Solution: From Azure AD in the Azure portal, you use the Bulk create user operation.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 257
Topic #: 6
You need to configure an Azure web app named contoso.azurewebsites.net to host www.contoso.com.
What should you do first?
A. Create A records named www.contoso.com and asuid.contoso.com.
B. Create a TXT record named asuid that contains the domain verification ID.
C. Create a CNAME record named asuid that contains the domain verification ID.
D. Create a TXT record named www.contoso.com that has a value of contoso.azurewebsites.net.
Selected Answer: B
Question #: 258
Topic #: 5
You have the Azure virtual network named VNet1 that contains a subnet named Subnet1. Subnet1 contains three Azure virtual machines. Each virtual machine has a public IP address.
The virtual machines host several applications that are accessible over port 443 to users on the Internet.
Your on-premises network has a site-to-site VPN connection to VNet1.
You discover that the virtual machines can be accessed by using the Remote Desktop Protocol (RDP) from the Internet and from the on-premises network.
You need to prevent RDP access to the virtual machines from the Internet, unless the RDP connection is established from the on-premises network. The solution must ensure that all the applications can still be accessed by the Internet users.
What should you do?
A. Modify the address space of the local network gateway
B. Create a deny rule in a network security group (NSG) that is linked to Subnet1
C. Remove the public IP addresses from the virtual machines
D. Modify the address space of Subnet1
Selected Answer: B
Question #: 259
Topic #: 1
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
You have a CSV file that contains the names and email addresses of 500 external users.
You need to create a guest user account in contoso.com for each of the 500 external users.
Solution: You create a PowerShell script that runs the New-AzureADMSInvitation cmdlet for each external user.
Does this meet the goal?
A. Yes
B. No
Selected Answer: A
Question #: 260
Topic #: 3
You have an Azure subscription that contains a storage account named storage1.
You have the devices shown in the following table.
From which devices can you use AzCopy to copy data to storage1?
A. Device 1 only
B. Device1, Device2 and Device3
C. Device1 and Device2 only
D. Device1 and Device3 only
Selected Answer: B
Question #: 261
Topic #: 4
You have an Azure subscription named Subscription1 that contains the resources shown in the following table.
You create virtual machines in Subscription1 as shown in the following table.
You plan to use Vault1 for the backup of as many virtual machines as possible.
Which virtual machines can be backed up to Vault1?
A. VM1 only
B. VM3 and VMC only
C. VM1, VM2, VM3, VMA, VMB, and VMC
D. VM1, VM3, VMA, and VMC only
E. VM1 and VM3 only
Selected Answer: D
Question #: 262
Topic #: 6
You have an Azure subscription that contains 10 network security groups (NSGs), 10 virtual machines, and a Log Analytics workspace named Workspace1. Each NSG is connected to a virtual machine.
You need to configure an Azure Monitor Network Insights alert that will be triggered when suspicious network traffic is detected.
What should you do first?
A. Deploy Connection Monitor.
B. Configure data collection endpoints.
C. Configure a private link.
D. Configure NSG flow logs.
Selected Answer: D
Question #: 263
Topic #: 5
You have an Azure subscription that contains the resources in the following table.
Subnet1 is associated to VNet1. NIC1 attaches VM1 to Subnet1.
You need to apply ASG1 to VM1.
What should you do?
A. Associate NIC1 to ASG1
B. Modify the properties of ASG1
C. Modify the properties of NSG1
Selected Answer: A
Question #: 264
Topic #: 2
You have an Azure DNS zone named adatum.com.
You need to delegate a subdomain named research.adatum.com to a different DNS server in Azure.
What should you do?
A. Create an NS record named research in the adatum.com zone.
B. Create a PTR record named research in the adatum.com zone.
C. Modify the SOA record of adatum.com.
D. Create an A record named *.research in the adatum.com zone.
Selected Answer: A
Question #: 267
Topic #: 5
You have an Azure subscription named Subscription1 that contains an Azure virtual network named VNet1. VNet1 connects to your on-premises network by using
Azure ExpressRoute.
You plan to prepare the environment for automatic failover in case of ExpressRoute failure.
You need to connect VNet1 to the on-premises network by using a site-to-site VPN. The solution must minimize cost.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Create a connection
B. Create a local site VPN gateway
C. Create a VPN gateway that uses the VpnGw1 SKU
D. Create a gateway subnet
E. Create a VPN gateway that uses the Basic SKU
Selected Answer: BCD
Question #: 268
Topic #: 4
You have an Azure Kubernetes Service (AKS) cluster named AKS1.
You need to configure cluster autoscaler for AKS1.
Which two tools should you use? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. the kubectl command
B. the az aks command
C. the Set-AzVm cmdlet
D. the Azure portal
E. the Set-AzAks cmdlet
Selected Answer: BD
Question #: 269
Topic #: 3
You have an Azure Storage account named storage1 that contains a blob container named container1.
You need to prevent new content added to container1 from being modified for one year.
What should you configure?
A. the access tier
B. an access policy
C. the Access control (IAM) settings
D. the access level
Selected Answer: B
Question #: 272
Topic #: 4
You create the following resources in an Azure subscription:
✑ An Azure Container Registry instance named Registry1
✑ An Azure Kubernetes Service (AKS) cluster named Cluster1
You create a container image named App1 on your administrative workstation.
You need to deploy App1 to Cluster1.
What should you do first?
A. Run the docker push command.
B. Create an App Service plan.
C. Run the az acr build command.
D. Run the az aks create command.
Selected Answer: C
Question #: 273
Topic #: 6
You have an Azure subscription that contains a storage account named storage1 in the North Europe Azure region.
You need to ensure that when blob data is added to storage1, a secondary copy is created in the East US region. The solution must minimize administrative effort.
What should you configure?
A. operational backup
B. object replication
C. geo-redundant storage (GRS)
D. a lifecycle management rule
Selected Answer: B
Question #: 274
Topic #: 2
You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1.
You need to view the error events from a table named Event.
Which query should you run in Workspace1?
A. Get-Event Event | where {$_.EventType == “error”}
B. Event | search “error”
C. select * from Event where EventType == “error”
D. search in (Event) * | where EventType ג€”eq ג€errorג€
Selected Answer: B
Question #: 276
Topic #: 3
You are configuring Azure Active Directory (Azure AD) authentication for an Azure Storage account named storage1.
You need to ensure that the members of a group named Group1 can upload files by using the Azure portal. The solution must use the principle of least privilege.
Which two roles should you configure for storage1? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Storage Account Contributor
B. Storage Blob Data Contributor
C. Reader
D. Contributor
E. Storage Blob Data Reader
Selected Answer: BC
Question #: 277
Topic #: 6
You have an Azure subscription that contains two Log Analytics workspaces named Workspace1 and Workspace2 and 100 virtual machines that run Windows Server.
You need to collect performance data and events from the virtual machines. The solution must meet the following requirements:
• Logs must be sent to Workspace1 and Workspace 2.
• All Windows events must be captured.
• All security events must be captured.
What should you install and configure on each virtual machine?
A. the Azure Monitor agent
B. the Windows Azure diagnostics extension (WAD)
C. the Windows VM agent
Selected Answer: A
Question #: 278
Topic #: 4
You have an Azure subscription that contains the resources shown in the following table.
You need to configure a proximity placement group for VMSS1.
Which proximity placement groups should you use?
A. Proximity2 only
B. Proximity1, Proximity2, and Proximity3
C. Proximity1 only
D. Proximity1 and Proximity3 only
Selected Answer: A
Question #: 279
Topic #: 2
You have a registered DNS domain named contoso.com.
You create a public Azure DNS zone named contoso.com.
You need to ensure that records created in the contoso.com zone are resolvable from the internet.
What should you do?
A. Create NS records in contoso.com.
B. Modify the SOA record in the DNS domain registrar.
C. Create the SOA record in contoso.com.
D. Modify the NS records in the DNS domain registrar.
Selected Answer: D
Question #: 283
Topic #: 6
You have an Azure subscription that contains a virtual machine named VM1 and an Azure function named App1.
You need to create an alert rule that will run App1 if VM1 stops.
What should you create for the alert rule?
A. an application security group
B. a security group that has dynamic device membership
C. an action group
D. an application group
Selected Answer: C
Question #: 284
Topic #: 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription named Subscription1. Subscription1 contains a resource group named RG1. RG1 contains resources that were deployed by using templates.
You need to view the date and time when the resources were created in RG1.
Solution: From the Subscriptions blade, you select the subscription, and then click Resource providers.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 286
Topic #: 6
You have an Azure subscription that contains a virtual network named VNet1.
VNet1 uses two ExpressRoute circuits that connect to two separate on-premises datacenters.
You need to create a dashboard to display detailed metrics and a visual representation of the network topology.
What should you use?
A. Azure Monitor Network Insights
B. a Data Collection Rule (DCR)
C. Azure Virtual Network Watcher
D. Log Analytics
Selected Answer: A
Question #: 287
Topic #: 5
You have an Azure subscription that contains the resources shown in the following table.
You need to create a network interface named NIC1.
In which location can you create NIC1?
A. East US and North Europe only
B. East US only
C. East US, West Europe, and North Europe
D. East US and West Europe only
Selected Answer: B
Question #: 288
Topic #: 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription named Subscription1. Subscription1 contains a resource group named RG1. RG1 contains resources that were deployed by using templates.
You need to view the date and time when the resources were created in RG1.
Solution: From the RG1 blade, you click Automation script.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 289
Topic #: 3
You have an on-premises server that contains a folder named D:\Folder1.
You need to copy the contents of D:\Folder1 to the public container in an Azure Storage account named contosodata.
Which command should you run?
A. https://contosodata.blob.core.windows.net/public
B. azcopy sync D:\folder1 https://contosodata.blob.core.windows.net/public –snapshot
C. azcopy copy D:\folder1 https://contosodata.blob.core.windows.net/public –recursive
D. az storage blob copy start-batch D:\Folder1 https://contosodata.blob.core.windows.net/public
Selected Answer: C
Question #: 291
Topic #: 6
You deploy Azure virtual machines to three Azure regions
Each region contains a virtual network. Each virtual network contains multiple subnets peered in a full mesh topology.
Each subnet contains a network security group (NSG) that has defined rules.
A user reports that he cannot use port 33000 to connect from a virtual machine in one region to a virtual machine in another region.
Which two options can you use to diagnose the issue? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Azure Virtual Network Manager
B. IP flow verify
C. Azure Monitor Network Insights
D. Connection troubleshoot
E. elective security rules
Selected Answer: BD
Question #: 292
Topic #: 3
You have an Azure subscription.
In the Azure portal, you plan to create a storage account named storage1 that will have the following settings:
✑ Performance: Standard
✑ Replication: Zone-redundant storage (ZRS)
✑ Access tier (default): Cool
✑ Hierarchical namespace: Disabled
You need to ensure that you can set Account kind for storage1 to BlockBlobStorage.
Which setting should you modify first?
A. Performance
B. Replication
C. Access tier (default)
D. Hierarchical namespace
Selected Answer: A
Question #: 293
Topic #: 5
You have Azure virtual machines that run Windows Server 2019 and are configured as shown in the following table.
You create a public Azure DNS zone named adatum.com and a private Azure DNS zone named contoso.com.
For controso.com, you create a virtual network link named link1 as shown in the exhibit. (Click the Exhibit tab.)
You discover that VM1 can resolve names in contoso.com but cannot resolve names in adatum.com. VM1 can resolve other hosts on the Internet.
You need to ensure that VM1 can resolve host names in adatum.com.
What should you do?
A. Update the DNS suffix on VM1 to be adatum.com
B. Configure the name servers for adatum.com at the domain registrar
C. Create an SRV record in the contoso.com zone
D. Modify the Access control (IAM) settings for link1
Selected Answer: B
Question #: 294
Topic #: 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription named Subscription1. Subscription1 contains a resource group named RG1. RG1 contains resources that were deployed by using templates.
You need to view the date and time when the resources were created in RG1.
Solution: From the RG1 blade, you click Deployments.
Does this meet the goal?
A. Yes
B. No
Selected Answer: A
Question #: 297
Topic #: 2
You have an Azure Active Directory (Azure AD) tenant.
You plan to delete multiple users by using Bulk delete in the Azure Active Directory admin center.
You need to create and upload a file for the bulk delete.
Which user attributes should you include in the file?
A. The user principal name and usage location of each user only
B. The user principal name of each user only
C. The display name of each user only
D. The display name and usage location of each user only
E. The display name and user principal name of each user only
Selected Answer: B
Question #: 298
Topic #: 6
You have an Azure subscription.
You need to receive an email alert when a resource lock is removed from any resource in the subscription.
What should you use to create an activity log alert in Azure Monitor?
A. a resource, a condition, and an action group
B. a resource, a condition, and a Microsoft 365 group
C. a Log Analytics workspace, a resource, and an action group
D. a data collection endpoint, an application security group, and a resource group
Selected Answer: A
Question #: 299
Topic #: 4
You have an Azure subscription named Subscription1.
You deploy a Linux virtual machine named VM1 to Subscription1.
You need to monitor the metrics and the logs of VM1.
What should you use?
A. Azure HDInsight
B. Linux Diagnostic Extension (LAD) 3.0
C. the AzurePerformanceDiagnostics extension
D. Azure Analysis Services
Selected Answer: B
Question #: 304
Topic #: 3
You create an Azure Storage account.
You plan to add 10 blob containers to the storage account.
For one of the containers, you need to use a different key to encrypt data at rest.
What should you do before you create the container?
A. Generate a shared access signature (SAS).
B. Modify the minimum TLS version.
C. Rotate the access keys.
D. Create an encryption scope.
Selected Answer: D
Question #: 308
Topic #: 4
You plan to deploy three Azure virtual machines named VM1, VM2, and VM3. The virtual machines will host a web app named App1.
You need to ensure that at least two virtual machines are available if a single Azure datacenter becomes unavailable.
What should you deploy?
A. all three virtual machines in a single Availability Zone
B. all virtual machines in a single Availability Set
C. each virtual machine in a separate Availability Zone
D. each virtual machine in a separate Availability Set
Selected Answer: C
Question #: 309
Topic #: 2
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Traffic Manager Contributor role at the subscription level to Admin1.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B