Up To The Immediate Present AZ-104 Test Question For Microsoft Azure Administrator Certification

NEW QUESTION 1
HOTSPOT
You have an Azure subscription that contains the resources shown in the following table

In Azure Cloud Shell, you need to create a virtual machine by using an Azure Resource Manager (ARM) template.
How should you complete the command? To answer, select the appropriate options in the answer area,
NOTE: Each correct selection is worth one point.

• A. Yes
• B. Not Mastered

Answer: A

NEW QUESTION 2

You have an Azure subscription that contains a web app named webapp1. You need to add a custom domain named www.contoso.com to webapp1. What should you do first?

• A. Upload a certificate.
• B. Add a connection string.
• C. Stop webapp1.
• D. Create a DNS record.

Answer: D

Explanation:
You can use either a CNAME record or an A record to map a custom DNS name to App Service. You should use CNAME records for all custom DNS names except root domains (for example, contoso.com). For root domains, use A records. Reference: https://docs.microsoft.com/en-us/Azure/app-service/app-service-web-tutorial-custom- domain

NEW QUESTION 3

You have an Azure AD tenant that is linked to 10 Azure subscriptions. You need to centrally monitor user activity across all the subscriptions. What should you use?

• A. Activity log filters
• B. Log Analytics workspace
• C. access reviews
• D. Azure Application Insights Profiler

Answer: B

Explanation:
https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=powershell#send-to-log-analytics-workspace Send the activity log to a Log Analytics workspace to enable the Azure Monitor Logs feature, where you: - Consolidate log entries from multiple Azure subscriptions and tenants into one location for analysis together.

NEW QUESTION 4

You plan to create an Azure virtual machine named VM1 that will be configured as shown in the following exhibit.
The planned disk configurations for VM1 are shown in the following exhibit.





You need to ensure that VM1 can be created in an Availability Zone.
Which two settings should you modify? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

• A. Use managed disks
• B. Availability options
• C. OS disk type
• D. Size
• E. Image

Answer: AB

Explanation:
https://docs.microsoft.com/en-us/azure/site-recovery/move-azure-vms-avset-azone https://docs.microsoft.com/en-us/azure/virtual-machines/windows/create-portal-availability- zone https://docs.microsoft.com/en-us/azure/virtual-machines/manage-availability https://docs.microsoft.com/en-us/azure/availability-zones/az-overview#availability-zones

NEW QUESTION 5

You have an Azure subscription that contains the resources shown in the following table.

The Not allowed resource types Azure policy that has policy enforcement enabled is assigned to RG1 and uses the following parameters:
Microsoft.Network/virtualNetworks Microsoft.Compute/virtualMachines
In RG1, you need to create a new virtual machine named VM2 which is connected toVNET1. What should you do first?

• A. Create an Azure Resource Manager template.
• B. AddasubnettoVNET1.
• C. Remove Microsof
• D. Network/virtualNetworks from the policy.
• E. Remove Microsoft.Compute/virtualMachines from the policy.

Answer: C

Explanation:
To create a new virtual machine named VM2 which is connected to VNET1 in RG1, you need to remove Microsoft.Network/virtualNetworks from the policy. This is because the Not allowed resource types Azure policy denies the deployment of the specified resource types in the scope of the assignment. In this case, the policy is assigned to RG1 and uses the parameters Microsoft.Network/virtualNetworks and Microsoft.Compute/virtualMachines. This means that you cannot create or update any virtual networks or virtual machines in RG1. Therefore, to create VM2 and connect it to VNET1, you need to remove Microsoft.Network/virtualNetworks from the policy parameters. This will allow you to create or update virtual networks in RG1, but still prevent you from creating or updating virtual machines. Alternatively, you can also exclude VNET1 from the policy assignment scope, but this will affect the compliance of the policy for the entire virtual network.
References:
✑ Not allowed resource types (Deny)
✑ Create and manage policies to enforce compliance

NEW QUESTION 6
HOTSPOT
You have an Azure subscription named Sub1.
You plan to deploy a multi-tiered application that will contain the tiers shown in the following table.

You need to recommend a networking solution to meet the following requirements:
• Ensure that communication between the web servers and the business logic tier spreads equally across the virtual machines.
• Protect the web servers from SQL injection attacks.
Which Azure resource should you recommend for each requirement? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

• A. Yes
• B. Not Mastered

Answer: A

NEW QUESTION 7

You have an Azure subscription. The subscription contains virtual machines that connect to a virtual network named VNet1.
You plan to configure Azure Monitor for VM Insights.
You need to ensure that all the virtual machines only communicate with Azure Monitor through VNet1.
What should you create first?

• A. an Azure Monitor Private Link Scope (AMPIS)
• B. a private endpoint
• C. a Log Analytics workspace
• D. a data collection rule (DCR)

Answer: A

Explanation:
Azure Monitor for VM Insights is a feature of Azure Monitor that provides comprehensive monitoring and diagnostics for your Azure virtual machines and virtual machine scale sets. It collects performance data, process information, and network dependencies from your virtual machines and displays them in interactive charts and maps. You can use Azure Monitor for VM Insights to troubleshoot performance issues, optimize resource utilization, and identify network bottlenecks1.
To enable Azure Monitor for VM Insights, you need to install two agents on your virtual machines: the Azure Monitor agent (preview) and the Dependency agent. The Azure Monitor agent collects performance metrics and sends them to a Log Analytics workspace. The Dependency agent collects process information and network dependencies and sends them to the InsightsMetrics table in the same workspace2.
By default, the agents communicate with Azure Monitor over the public internet. However, if you want to ensure that all the virtual machines only communicate with Azure Monitor through a virtual network named VNet1, you need to configure private network access for the agents.
Private network access allows the agents to communicate with Azure Monitor using a
private endpoint, which is a special network interface that connects your virtual network to
an Azure service without exposing it to the public internet. A private endpoint uses a private IP address from your virtual network address space, so you can secure and control the network traffic between your virtual machines and Azure Monitor3.
To configure private network access for the agents, you need to create an Azure Monitor Private Link Scope (AMPIS) first. An AMPIS is a resource that groups one or more Log Analytics workspaces together and associates them with a private endpoint. An AMPIS allows you to manage the private connectivity settings for multiple workspaces in one place4.
After creating an AMPIS, you need to create a private endpoint in VNet1 and link it to the AMPIS. This will enable the agents on your virtual machines to send data to the Log Analytics workspaces in the AMPIS using the private IP address of the private endpoint5.

NEW QUESTION 8

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have acorrect solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
You have a CSV file that contains the names and email addresses of 500 external users. You need to create a guest user account in contoso.com for each of the 500 external users.
Solution: From Azure AD in the Azure portal, you use the Bulk create user operation. Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation:
https://learn.microsoft.com/en-us/azure/active-directory/external-identities/tutorial-bulk-invite?source=recommendations

NEW QUESTION 9

You have an Azure subscription That contains a Recovery Services vault named Vault1. You need to enable multi-user authorization (MAU) for Vaultl.
Which resource should you create first?

• A. a managed identity
• B. a resource guard
• C. an administrative unit
• D. a custom Azure role

Answer: B

Explanation:
https://learn.microsoft.com/en-us/azure/backup/multi-user-authorization?tabs=azure-portal&pivots=vaults-recovery-services-vault#before-you-start
Before you start
Ensure the Resource Guard and the Recovery Services vault are in the same Azure region.
Ensure the Backup admin does not have Contributor permissions on the Resource Guard. You can choose to have the Resource Guard in another subscription of the same directory or in another directory to ensure maximum isolation.
Ensure that your subscriptions containing the Recovery Services vault as well as the Resource Guard (in different subscriptions or tenants) are registered to use the providers - Microsoft.RecoveryServices and Microsoft.DataProtection . For more information, see Azure

NEW QUESTION 10

You need to resolve the Active Directory issue. What should you do?

• A. From Active Directory Users and Computers, select the user accounts, and then modify the User Principal Name value.
• B. Run idfix.exe, and then use the Edit action.
• C. From Active Directory Domains and Trusts, modify the list of UPN suffixes.
• D. From Azure AD Connect, modify the outbound synchronization rule.

Answer: B

Explanation:
IdFix is used to perform discovery and remediation of identity objects and their attributes in an on-premises Active Directory environment in preparation for migration to Azure Active Directory. IdFix is intended for the Active Directory administrators responsible for directorysynchronization with Azure Active Directory.
Scenario: Active Directory Issue
Several users in humongousinsurance.com have UPNs that contain special characters. You suspect that some of the characters are unsupported in Azure AD.
References: https://www.microsoft.com/en-us/download/details.aspx?id=36832

NEW QUESTION 11

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.

You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail. You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You modify the priority of the Allow_131.107.100.50 inbound security rule. Does this meet the goal?

• A. Yes
• B. No

Answer: B

NEW QUESTION 12

You have an Azure virtual machine named VM1 and an Azure key vault named Vault1. On VM1, you plan to configure Azure Disk Encryption to use a key encryption key (KEK) You need to prepare Vault! for Azure Disk Encryption.
Which two actions should you perform on Vault1? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

• A. Create a new key.
• B. Select Azure Virtual machines for deployment
• C. Configure a key rotation policy.
• D. Create a new secret.
• E. Select Azure Disk Encryption for volume encryption

Answer: AC

Explanation:
To prepare Vault1 for Azure Disk Encryption, you need to perform the following actions on Vault1:
✑ Create a new key. A key encryption key (KEK) is an encryption key that is used to
encrypt the encryption secrets before they are stored in the key vault. You can create a new KEK by using the Azure CLI, the Azure PowerShell, or the Azure portal1. You can also import an existing KEK from another source, such as a hardware security module (HSM)2. The KEK must be a 2048-bit RSA key or a 256-bit AES key3.
✑ Select Azure Disk Encryption for volume encryption. This is an advanced access
policy setting that enables Azure Disk Encryption to access the keys and secrets in the key vault. You can select this setting by using the Azure CLI, the Azure PowerShell, or the Azure portal4. You must also enable access to Microsoft Trusted Services if you have enabled the firewall on the key vault.

NEW QUESTION 13

You need to move the blueprint files to Azure. What should you do?

• A. Generate a shared access signature (SAS). Map a drive, and then copy the files by using File Explorer.
• B. Use the Azure Import/Export service.
• C. Generate an access ke
• D. Map a drive, and then copy the files by using File Explorer.
• E. Use Azure Storage Explorer to copy the files.

Answer: D

Explanation:
Azure Storage Explorer is a free tool from Microsoft that allows you to work with Azure Storage data on Windows, macOS, and Linux. You can use it to upload and download data from Azure blob storage.
Scenario:
Planned Changes include: move the existing product blueprint files to Azure Blob storage. Technical Requirements include: Copy the blueprint files to Azure over the Internet.
References: https://docs.microsoft.com/en-us/azure/machine-learning/team-data-science- process/move-data-to-azure-blob-using-azure-storage-explorer

NEW QUESTION 14
HOTSPOT
You have an Azure virtual machine named VM1 that connects to a virtual network named VNet1. VM1 has the following configurations:
✑ Subnet: 10.0.0.0/24
✑ Availability set: AVSet
✑ Network security group (NSG): None
✑ Private IP address: 10.0.0.4 (dynamic)
✑ Public IP address: 40.90.219.6 (dynamic)
You deploy a standard, Internet-facing load balancer named slb1. You need to configure slb1 to allow connectivity to VM1.
Which changes should you apply to VM1 as you configure slb1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

• A. Yes
• B. Not Mastered

Answer: A

NEW QUESTION 15
HOTSPOT
You plan to use Azure Network Watcher to perform the following tasks:
✑ Task1: Identify a security rule that prevents a network packet from reaching an Azure virtual machine
✑ Task2: Validate outbound connectivity from an Azure virtual machine to an
external host
Which feature should you use for each task? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

• A. Yes
• B. Not Mastered

Answer: A

NEW QUESTION 16
HOTSPOT
You have an Azure subscription that contains the storage accounts shown in the following table.

You need to identify which storage accounts support lifecycle management, and which storage accounts support moving data to the Archive access tier. What should you identify for each requirement? To answer, select the appropriate options in the answer area. NOTE: Each correct answer is worth one point.

• A. Yes
• B. Not Mastered

Answer: A

NEW QUESTION 17
......