AZ-104: Microsoft Azure Administrator Part 6
Question #: 375
Topic #: 5
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You configure a custom policy definition, and then you assign the policy to the subscription.
Does this meet the goal?
A. Yes
B. No
Selected Answer: A
Question #: 376
Topic #: 2
You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1.
You need to view the error events from a table named Event.
Which query should you run in Workspace1?
A. select * from Event where EventType == "error"
B. Event | search "error"
C. Event | where EventType is "error"
D. Get-Event Event | where {$_.EventType == "error"}
Selected Answer: B
Question #: 377
Topic #: 3
You have an Azure subscription named Subscription1.
You have 5 TB of data that you need to transfer to Subscription1.
You plan to use an Azure Import/Export job.
What can you use as the destination of the imported data?
A. an Azure Cosmos DB database
B. Azure Data Lake Store
C. Azure Blob storage
D. Azure Data Factory
Selected Answer: C
Question #: 379
Topic #: 2
You have an Azure App Services web app named App1.
You plan to deploy App1 by using Web Deploy.
You need to ensure that the developers of App1 can use their Azure AD credentials to deploy content to App1. The solution must use the principle of least privilege.
What should you do?
A. Assign the Owner role to the developers
B. Configure app-level credentials for FTPS
C. Assign the Website Contributor role to the developers
D. Configure user-level credentials for FTPS
Selected Answer: C
Question #: 380
Topic #: 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure virtual machine named VM1 that runs Windows Server 2016.
You need to create an alert in Azure when more than two error events are logged to the System event log on VM1 within an hour.
Solution: You create an Azure Log Analytics workspace and configure the Agent configuration settings. You install the Microsoft Monitoring Agent on VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.
Does this meet the goal?
A. Yes
B. No
Selected Answer: A
Question #: 381
Topic #: 5
You have two Azure virtual networks named VNet1 and VNet2. VNet1 contains an Azure virtual machine named VM1. VNet2 contains an Azure virtual machine named VM2.
VM1 hosts a frontend application that connects to VM2 to retrieve data.
Users report that the frontend application is slower than usual.
You need to view the average round-trip time (RTT) of the packets from VM1 to VM2.
Which Azure Network Watcher feature should you use?
A. IP flow verify
B. Connection troubleshoot
C. Connection monitor
D. NSG flow logs
Selected Answer: C
Question #: 384
Topic #: 2
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
You have a CSV file that contains the names and email addresses of 500 external users.
You need to create a guest user account in contoso.com for each of the 500 external users.
Solution: From Azure AD in the Azure portal, you use the Bulk invite users operation.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 385
Topic #: 3
You have an Azure subscription named Subscription1.
You have 5 TB of data that you need to transfer to Subscription1.
You plan to use an Azure Import/Export job.
What can you use as the destination of the imported data?
A. an Azure Cosmos DB database
B. Azure Blob Storage
C. Azure SQL Database
D. the Azure File Sync Storage Sync Service
Selected Answer: B
Question #: 388
Topic #: 4
You have web apps in the West US, Central US and East US Azure regions.
You have the App Service plans shown in the following table.
You plan to create an additional App Service plan named ASP5 that will use the Linux operating system.
You need to identify in which of the currently used locations you can deploy ASP5.
What should you recommend?
A. West US, Central US, or East US
B. Central US only
C. East US only
D. West US only
Selected Answer: U
Question #: 389
Topic #: 3
You plan to create an Azure Storage account named storage1 that will contain a file share named share1.
You need to ensure that share1 can support SMB Multichannel. The solution must minimize costs.
How should you configure storage?
A. Premium performance with locally-redundant storage (LRS)
B. Standard performance with zone-redundant storage (ZRS)
C. Premium performance with geo-redundant storage (GRS)
D. Standard performance with locally-redundant storage (LRS)
Selected Answer: A
Question #: 391
Topic #: 3
You have an Azure subscription named Subscription1.
You have 5 TB of data that you need to transfer to Subscription1.
You plan to use an Azure Import/Export job.
What can you use as the destination of the imported data?
A. Azure Data Lake Store
B. Azure File Storage
C. Azure SQL Database
D. the Azure File Sync Storage Sync Service
Selected Answer: B
Question #: 392
Topic #: 5
You have an Azure subscription that contains two virtual machines as shown in the following table.
You perform a reverse DNS lookup for 10.0.0.4 from VM2.
Which FQDN will be returned?
A. vm1.core.windows.net
B. vm1.azure.com
C. vm1.westeurope.cloudapp.azure.com
D. vm1.internal.cloudapp.net
Selected Answer: D
Question #: 393
Topic #: 4
You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource Manager template.
You need to ensure that NGINX is available on all the virtual machines after they are deployed.
What should you use?
A. the New-AzConfigurationAssignment cmdlet
B. a Desired State Configuration (DSC) extension
C. Azure Active Directory (Azure AD) Application Proxy
D. Azure Application Insights
Selected Answer: B
Question #: 395
Topic #: 2
You have an Azure subscription that contains 10 virtual machines, a key vault named Vault1, and a network security group (NSG) named NSG1. All the resources are deployed to the East US Azure region.
The virtual machines are protected by using NSG1. NSG1 is configured to block all outbound traffic to the internet.
You need to ensure that the virtual machines can access Vault1. The solution must use the principle of least privilege and minimize administrative effort.
What should you configure as the destination of the outbound security rule for NSG1?
A. an application security group
B. a service tag
C. an IP address range
Selected Answer: B
Question #: 396
Topic #: 5
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.
You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.
You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a cost of 150.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 397
Topic #: 3
You have an Azure subscription that contains a storage account named storage1.
You plan to use conditions when assigning role-based access control (RBAC) roles to storage1.
Which storage1 services support conditions when assigning roles?
A. containers only
B. file shares only
C. tables only
D. queues only
E. containers and queues only
F. file shares and tables only
Selected Answer: E
Question #: 399
Topic #: 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You deploy an Azure Kubernetes Service (AKS) cluster named AKS1.
You need to deploy a YAML file to AKS1.
Solution: From Azure Cloud Shell, you run az aks.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 400
Topic #: 5
You have an Azure subscription that contains a policy-based virtual network gateway named GW1 and a virtual network named VNet1.
You need to ensure that you can configure a point-to-site connection from an on-premises computer to VNet1.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Add a service endpoint to VNet1
B. Reset GW1
C. Create a route-based virtual network gateway
D. Add a connection to GW1
E. Delete GW1
F. Add a public IP address space to VNet1
Selected Answer: CE
Question #: 401
Topic #: 2
You have an Azure AD tenant named adatum.com that contains the groups shown in the following table.
Adatum.com contains the users shown in the following table.
You assign the Azure Active Directory Premium Plan 2 license to Group1 and User4.
Which users are assigned the Azure Active Directory Premium Plan 2 license?
A. User4 only
B. User1 and User4 only
C. User1, User2, and User4 only
D. User1, User2, User3, and User4
Selected Answer: B
Question #: 404
Topic #: 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure virtual machine named VM1 that runs Windows Server 2016.
You need to create an alert in Azure when more than two error events are logged to the System event log on VM1 within an hour.
Solution: You create an Azure Log Analytics workspace and configure the data settings. You add the Microsoft Monitoring Agent VM extension to VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.
Does this meet the goal?
A. Yes
B. No
Selected Answer: A
Question #: 405
Topic #: 3
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Storage account named storage1.
You need to enable a user named User1 to list and regenerate storage account keys for storage1.
Solution: You assign the Storage Account Encryption Scope Contributor Role to User1.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 408
Topic #: 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure virtual machine named VM1 that runs Windows Server 2016.
You need to create an alert in Azure when more than two error events are logged to the System event log on VM1 within an hour.
Solution: You create an Azure Log Analytics workspace and configure the data settings. You install the Microsoft Monitoring Agent on VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 409
Topic #: 2
You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1.
Subscription1 has a user named User1. User1 has the following roles:
• Reader
• Security Admin
• Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users.
What should you do?
A. Assign User1 the Network Contributor role for VNet1.
B. Remove User1 from the Security Reader role for Subscription1. Assign User1 the Contributor role for RG1.
C. Assign User1 the Owner role for VNet1.
D. Assign User1 the Network Contributor role for RG1.
Selected Answer: C
Question #: 413
Topic #: 4
You have an Azure subscription that contains the resources shown in the following table.
All virtual machines run Windows Server 2016.
On VM1, you back up a folder named Folder1 as shown in the following exhibit.
You plan to restore the backup to a different virtual machine.
You need to restore the backup to VM2.
What should you do first?
A. From VM1, install the Windows Server Backup feature.
B. From VM2, install the Microsoft Azure Recovery Services Agent.
C. From VM1, install the Microsoft Azure Recovery Services Agent.
D. From VM2, install the Windows Server Backup feature.
Selected Answer: B
Question #: 415
Topic #: 2
You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1.
Subscription1 has a user named User1. User1 has the following roles:
• Reader
• Security Admin
• Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users.
What should you do?
A. Remove User1 from the Security Reader role for Subscription1. Assign User1 the Contributor role for RG1.
B. Assign User1 the Owner role for VNet1.
C. Remove User1 from the Security Reader and Reader roles for Subscription1. Assign User1 the Contributor role for Subscription1.
D. Assign User1 the Contributor role for VNet1.
Selected Answer: B
Question #: 416
Topic #: 3
You have an Azure Storage account that contains 5,000 blobs accessed by multiple users.
You need to ensure that the users can view only specific blobs based on blob index tags.
What should you include in the solution?
A. a role assignment condition
B. a stored access policy
C. just-in-time (JIT) VM access
D. a shared access signature (SAS)
Selected Answer: D
Question #: 417
Topic #: 5
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You manage a virtual network named VNet1 that is hosted in the West US Azure region.
VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.
You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.
Solution: From Azure Network Watcher, you create a packet capture.
Does this meet the goal?
A. Yes
B. No
Selected Answer: A
Question #: 418
Topic #: 3
You have an Azure Storage account named storage1.
For storage1, you create an encryption scope named Scope1.
Which storage types can you encrypt by using Scope?
A. file shares only
B. containers only
C. file shares and containers only
D. containers and tables only
E. file shares, containers, and tables only
F. file shares, containers, tables, and queues
Selected Answer: C
Question #: 419
Topic #: 5
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You manage a virtual network named VNet1 that is hosted in the West US Azure region.
VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.
You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.
Solution: From Azure Network Watcher, you create a connection monitor.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 420
Topic #: 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription named Subscription1 that contains the resources shown in the following table.
Subscription1 also includes a virtual network named VNET2. VM1 connects to a virtual network named VNET2 by using a network interface named NIC1.
You need to create a new network interface named NIC2 for VM1.
Solution: You create NIC2 in RG1 and West US.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 421
Topic #: 2
Your on-premises network contains a VPN gateway.
You have an Azure subscription that contains the resources shown in the following table.
You need to ensure that all the traffic from VM1 to storage1 travels across the Microsoft backbone network.
What should you configure?
A. Azure Application Gateway
B. private endpoints
C. a network security group (NSG)
D. Azure Virtual WAN
Selected Answer: B
Question #: 424
Topic #: 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription named Subscription1 that contains the resources shown in the following table.
Subscription1 also includes a virtual network named VNET2. VM1 connects to a virtual network named VNET2 by using a network interface named NIC1.
You need to create a new network interface named NIC2 for VM1.
Solution: You create NIC2 in RG2 and Central US.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 425
Topic #: 5
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You manage a virtual network named VNet1 that is hosted in the West US Azure region.
VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.
You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.
Solution: From Performance Monitor, you create a Data Collector Set (DCS).
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 427
Topic #: 3
You have an Azure subscription named Subscription1.
You have 5 TB of data that you need to transfer to Subscription1.
You plan to use an Azure Import/Export job.
What can you use as the destination of the imported data?
A. Azure Data Factory
B. the Azure File Sync Storage Sync Service
C. Azure File Storage
D. Azure SQL Database
Selected Answer: C
Question #: 428
Topic #: 2
You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1.
Subscription1 has a user named User1. User1 has the following roles:
• Reader
• Security Admin
• Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users.
What should you do?
A. Remove User1 from the Security Reader role for Subscription1. Assign User1 the Contributor role for RG1.
B. Assign User1 the Access Administrator role for VNet1.
C. Remove User1 from the Security Reader and Reader roles for Subscription1. Assign User1 the Contributor role for Subscription1.
D. Assign User1 the Network Contributor role for RG1.
Selected Answer: B
Question #: 429
Topic #: 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription named Subscription1 that contains the resources shown in the following table.
Subscription1 also includes a virtual network named VNET2. VM1 connects to a virtual network named VNET2 by using a network interface named NIC1.
You need to create a new network interface named NIC2 for VM1.
Solution: You create NIC2 in RG2 and West US.
Does this meet the goal?
A. Yes
B. No
Selected Answer: A
Question #: 432
Topic #: 5
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You manage a virtual network named VNet1 that is hosted in the West US Azure region.
VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.
You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.
Solution: From Azure Monitor, you create a metric on Network In and Network Out.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 433
Topic #: 4
You develop the following Azure Resource Manager (ARM) template to create a resource group and deploy an Azure Storage account to the resource group.
Which cmdlet should you run to deploy the template?
A. New-AzResource
B. New-AzResourceGroupDeployment
C. New-AzTenantDeployment
D. New-AzDeployment
Selected Answer: D
Question #: 435
Topic #: 2
You have an Azure subscription that contains the resources shown in the following table.
You need to assign User1 the Storage File Data SMB Share Contributor role for share1.
What should you do first?
A. Enable identity-based data access for the file shares in storage1.
B. Modify the security profile for the file shares in storage1.
C. Select Default to Azure Active Directory authorization in the Azure portal for storage1.
D. Configure Access control (IAM) for share1.
Selected Answer: A
Question #: 436
Topic #: 3
You have an Azure virtual machine named VM1 and an Azure key vault named Vault1.
On VM1, you plan to configure Azure Disk Encryption to use a key encryption key (KEK).
You need to prepare Vault1 for Azure Disk Encryption.
Which two actions should you perform on Vault1? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Select Azure Virtual machines for deployment.
B. Create a new key.
C. Create a new secret.
D. Configure a key rotation policy.
E. Select Azure Disk Encryption for volume encryption.
Selected Answer: BE
Question #: 437
Topic #: 5
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.
You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.
You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You create an inbound security rule that denies all traffic from the 131.107.100.50 source and has a priority of 64999.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 439
Topic #: 3
You have an Azure subscription that contains a virtual machine named VM1 and an Azure key vault named KV1.
You need to configure encryption for VM1. The solution must meet the following requirements:
• Store and use the encryption key in KV1.
• Maintain encryption if VM1 is downloaded from Azure.
• Encrypt both the operating system disk and the data disks.
Which encryption method should you use?
A. customer-managed keys
B. Confidential disk encryption
C. Azure Disk Encryption
D. encryption at host
Selected Answer: C
Question #: 440
Topic #: 2
You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1.
Subscription1 has a user named User1. User1 has the following roles:
• Reader
• Security Admin
• Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users.
What should you do?
A. Remove User1 from the Security Reader role for Subscription1. Assign User1 the Contributor role for RG1.
B. Assign User1 the User Access Administrator role for VNet1.
C. Remove User1 from the Security Reader and Reader roles for Subscription1.
D. Assign User1 the Contributor role for VNet1.
Selected Answer: B
Question #: 441
Topic #: 4
You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource Manager template.
You need to ensure that NGINX is available on all the virtual machines after they are deployed.
What should you use?
A. the Publish-AzVMDscConfiguration cmdlet
B. Azure Application Insights
C. Azure Custom Script Extension
D. a Microsoft Endpoint Manager device configuration profile
Selected Answer: C