Microsoft AZ-104 Microsoft Azure Administrator Exam Practice Test

Scenario: Litware must meet technical requirements including:

Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.

IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. While any source or destination IP can be chosen, IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.

Box 1: Create a Recovery Services vault

Create a Recovery Services vault on the Azure Portal.

Box 2: Install the Azure Site Recovery Provider

Azure Site Recovery can be used to manage migration of on-premises machines to Azure.

Scenario: Migrate the virtual machines hosted on Server1 and Server2 to Azure.

Server2 has the Hyper-V host role.

Technically, The finance department needs to migrate their users from AD to AAD using AADC based on the finance OU, and need to enforce MFA use. This is conditional access policy. Employees also often get promotions and/or join other departments and when that occurs, the user's OU attribute will change when the admin puts the user in a new OU, and the dynamic group conditional access exception (OU= [Department Name Value]) will move the user to the appropriate dynamic group on next AADC delta sync.

https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

Box 1: Create a virtual network gateway and a local network gateway.

Azure VPN gateway. The VPN gateway service enables you to connect the VNet to the on-premises network through a VPN appliance. For more information, see Connect an on-premises network to a Microsoft Azure virtual network. The VPN gateway includes the following elements:

Virtual network gateway. A resource that provides a virtual VPN appliance for the VNet. It is responsible for routing traffic from the on-premises network to the VNet.

Local network gateway. An abstraction of the on-premises VPN appliance. Network traffic from the cloud application to the on-premises network is routed through this gateway.

Connection. The connection has properties that specify the connection type (IPSec) and the key shared with the on-premises VPN appliance to encrypt traffic.

Gateway subnet. The virtual network gateway is held in its own subnet, which is subject to various requirements, described in the Recommendations section below.

Box 2: Configure a site-to-site VPN connection

On premises create a site-to-site connection for the virtual network gateway and the local network gateway.

Scenario: Connect the New York office to VNet1 over the Internet by using an encrypted connection.

https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell

Get-AzRoleDefinition -Name "Reader" | ConvertTo-Json

https://docs.microsoft.com/en-us/powershell/module/az.resources/get-azroledefinition?view=azps-5.9.0

https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/convertto-json?view=powershell-7.1

https://docs.microsoft.com/en-us/powershell/module/azuread/get-azureaddirectoryrole?view=azureadps-2.0

Scenario: Create a workflow to send an email message when the settings of VM4 are modified.

You can start an automated logic app workflow when specific events happen in Azure resources or third-party resources. These resources can publish those events to an Azure event grid. In turn, the event grid pushes those events to subscribers that have queues, webhooks, or event hubs as endpoints. As a subscriber, your logic app can wait for those events from the event grid before running automated workflows to perform tasks - without you writing any code.

Every Azure AD directory comes with an initial domain name in the form of domainname.onmicrosoft.com. The initial domain name cannot be changed or deleted, but you can add your corporate domain name to Azure AD as well. For example, your organization probably has other domain names used to do business and users who sign in using your corporate domain name. Adding custom domain names to Azure AD allows you to assign user names in the directory that are familiar to your users, such as ‘alice@contoso.com.’ instead of 'alice@domain name.onmicrosoft.com'.

Scenario:

Network Infrastructure: Each office has a local data center that contains all the servers for that office. Each office has a dedicated connection to the Internet.

Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com

Planned Azure AD Infrastructure: The on-premises Active Directory domain will be synchronized to Azure AD.

B: You can gradually roll out Seamless SSO to your users. You start by adding the following Azure AD URL to all or selected users' Intranet zone settings by using Group Policy in Active Directory: https://autologon.microsoftazuread-sso.com

E: Seamless SSO works with any method of cloud authentication - Password Hash Synchronization or Pass-through Authentication, and can be enabled via Azure AD Connect.

Once the VNets are peered, all resources on one VNet can communicate with resources on the other peered VNets. You plan to enable peering between Paris-VNet and AllOffices-VNet. Therefore VMs on Subnet1, which is on Paris-VNet and VMs on Subnet3, which is on AllOffices-VNet will be able to connect to each other.

All Azure resources connected to a VNet have outbound connectivity to the Internet by default. Therefore VMs on ClientSubnet, which is on ClientResources-VNet will have access to the Internet; and VMs on Subnet3 and Subnet4, which are on AllOffices-VNet will have access to the Internet.

D: Seamless SSO works with any method of cloud authentication - Password Hash Synchronization or Pass-through Authentication, and can be enabled via Azure AD Connect.

B: You can gradually roll out Seamless SSO to your users. You start by adding the following Azure AD URL to all or selected users' Intranet zone settings by using Group Policy in Active Directory: https://autologon.microsoftazuread-sso.com

IdFix is used to perform discovery and remediation of identity objects and their attributes in an on-premises Active Directory environment in preparation for migration to Azure Active Directory. IdFix is intended for the Active Directory administrators responsible for directory synchronization with Azure Active Directory.

Scenario: Active Directory Issue

Several users in humongousinsurance.com have UPNs that contain special characters.

You suspect that some of the characters are unsupported in Azure AD.

Cost analysis: Correct Option

In cost analysis blade of Azure, you can see all the detail for custom time span. You can use this to determine expenditure of last few day, weeks, and month. Below options are available in Cost analysis blade for filtering information by time span:  last 7 days, last 30 days, and custom date range. Choosing the first option (last 7 days) auditors can view the costs by time span.

Cost analysis shows data for the current month by default. Use the date selector to switch to common date ranges quickly. Examples include the last seven days, the last month, the current year, or a custom date range. Pay-as-you-go subscriptions also include date ranges based on your billing period, which isn't bound to the calendar month, like the current billing period or last invoice. Use the  links at the top of the menu to jump to the previous or next period, respectively. For example, 

Invoice: Incorrect Option

Invoices can only be used for past billing periods not for current billing period, i.e. if your requirement is to know the last week's cost then that also not filled by invoices because Azure  generates invoice at the end of the month. Even though Invoices have custom timespan, but when you put in dates for a week, the pane would be empty. Below is from Microsoft document:

Resource Provider: Incorrect Option

When deploying resources, you frequently need to retrieve information about the resource providers and types. For example, if you want to store keys and secrets, you work with the Microsoft.KeyVault resource provider. This resource provider offers a resource type called vaults for creating the key vault. This is not useful for reviewing all Azure costs from the past week which is required for audit.

Payment method: Incorrect Option

Payment methods is not useful for reviewing all Azure costs from the past week which is required for audit.

Explanation

Scenario:

1. Web administrators will deploy Azure web apps for the marketing department.

2. Each web app will be added to a separate resource group.

3. The initial configuration of the web apps will be identical.

4. The web administrators have permission to deploy web apps to resource groups.

Steps:

1 --> Create a resource group, and then deploy a web app to the resource group.

2 --> From the Automation script blade of the resource group , click Add to Library.

3 --> From the Templates service, select the template, and then share the template to the web administrators .

Every Azure AD directory comes with an initial domain name in the form of domainname.onmicrosoft.com.

The initial domain name cannot be changed or deleted, but you can add your corporate domain name to Azure AD as well. For example, your organization probably has other domain names used to do business and users who sign in using your corporate domain name. Adding custom domain names to Azure AD allows you to assign user names in the directory that are familiar to your users, such as ‘alice@contoso.com.’ instead of 'alice@domain name.onmicrosoft.com'.

Scenario:

Network Infrastructure: Each office has a local data center that contains all the servers for that office. Each office has a dedicated connection to the Internet.

Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com

Planned Azure AD Infrastructure: The on-premises Active Directory domain will be synchronized to Azure AD.

You can opt in and configure additional recipients to receive your Azure invoice in an email. This feature may not be available for certain subscriptions such as support offers, Enterprise Agreements, or Azure in Open.

Select your subscription from the Subscriptions page. Opt-in for each subscription you own. Click Invoices then Email my invoice.

Click Opt in and accept the terms.

Scenario: During the testing phase, auditors in the finance department must be able to review all Azure costs from the past week.

Scenario: Licensing Issue

1. You attempt to assign a license in Azure to several users and receive the following error message: "Licenses not assigned. License agreement failed for one user."

2. You verify that the Azure subscription has the available licenses.

Solution:

License cannot be assigned to a user without a usage location specified.

Some Microsoft services aren't available in all locations because of local laws and regulations. Before you can assign a license to a user, you must specify the Usage location property for the user. You can specify the location under the User > Profile > Settings section in the Azure portal.

Statement 1: Yes

All client computers in the Paris office will be joined to an Azure AD domain.

A virtual network named Paris-VNet that will contain two subnets named Subnet1 and Subnet2.

Microsoft Windows Server Active Directory domains, can resolve DNS names between virtual networks. Automatic registration of virtual machines from a virtual network that's linked to a private zone with auto-registration enabled. Forward DNS resolution is supported across virtual networks that are linked to the private zone.

Statement 2: Yes

A virtual network named ClientResources-VNet that will contain one subnet named ClientSubnet You plan to create a private DNS zone named humongousinsurance.local and set the registration network to the ClientResources-VNet virtual network.

As this is a registration network so this will work.

Statement 3: No

Only VMs in the registration network, here the ClientResources-VNet, will be able to register hostname records. Since Subnet4 not connected to Client Resources Network thus not able to register its hostname with humongoinsurance.local

Explanation

They are all Global admins so they can all modify user permission. i.e add self as owner etc.

You can be GA in one of the subscription, it doesn't mean that you can create the resources in all subscription. As a Global Administrator in Azure Active Directory (Azure AD), you might not have access to all subscriptions and management groups in your directory. Azure AD and Azure resources are secured independently from one another. That is, Azure AD role assignments do not grant access to Azure resources, and Azure role assignments do not grant access to Azure AD.

However, if you are a Global Administrator in Azure AD, you can assign yourself access to all Azure subscriptions and management groups in your directory

To generate a shared access signature (SAS) that meets the requirements, you should enable the following three settings:

Service: Blob

Allowed resource types: Container

Allowed permissions: Read and List

These settings will ensure that the SAS can only be used to enumerate and download blobs stored in container1, and not to perform any other operations on the storage account or the blobs. This follows the principle of least privilege, which means granting the minimum permissions necessary for a task.

You can use the Azure portal or Azure Storage Explorer to create a SAS token with these settings. For more information, see Create shared access signature (SAS) tokens for storage containers and blobs - Azure AI services | Microsoft Learn.

To ensure that the members of Group1 can upload files by using the Azure portal, they need to have both data access and management access to the storage account. Data access refers to the ability to read, write, or delete blob data in the storage account. Management access refers to the ability to view the storage account resources in the Azure portal, but not modify them. The Azure role-based access control (Azure RBAC) system provides built-in roles that encompass common sets of permissions for data access and management access. The Storage Blob Data Contributor role grants read, write, and delete access to blob data in the storage account. The Reader role grants view access to the storage account resources in the Azure portal. Therefore, by assigning both roles to Group1, the members of the group can upload files by using the Azure portal. This solution also follows the principle of least privilege, as the group members are only granted the minimum permissions required to perform the task. References:

Assign an Azure role for access to blob data

Data access from the Azure portal

Box 1: "tag1": "value1" only

Box 2: "tag2": "value2" and "tag3": "value3"

Tags applied to the resource group are not inherited by the resources in that resource group.

https://learn.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal#create-a-custom-backup

In Storage account, select an existing storage account (in the same subscription) or select Create new. Do the same with Container. https://learn.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal#configure-partial-backups

Partial backups are supported for custom backups (not for automatic backups). Sometimes you don't want to back up everything on your app. To exclude folders and files from being stored in your future backups, create a _backup.filter file in the %HOME%\site\wwwroot folder of your app. Specify the list of files and folders you want to exclude in this file.

RG1 has the Tag2: IT tag assigned only. No, this is not correct. According to the tables, RG1 has two tags assigned: Tag2: IT and Tag3: value2. The Azure policy does not affect RG1, because it is excluded from the scope of the policy. Therefore, RG1 does not have the Tag4: value4 tag appended by the policy.

Storage1 has the Tag1: subscription, Tag2: IT, Tag3: value1, and Tag4: value4 tags assigned. Yes, this is correct. According to the tables, Storage1 has three tags assigned: Tag1: subscription, Tag2: IT, and Tag3: value1. The Azure policy affects Storage1, because it is within the scope of the policy and not excluded. Therefore, Storage1 has the Tag4: value4 tag appended by the policy.

VNET1 has the Tag2: IT and Tag3: value2 tags assigned only. Yes, this is correct. According to the tables, VNET1 has two tags assigned: Tag2: IT and Tag3: value2. The Azure policy does not affect VNET1, because it is excluded from the scope of the policy. Therefore, VNET1 does not have the Tag4: value4 tag appended by the policy.

Box 1: Remove the public IP address from VM1

If the Public IP on VM1 is set to Dynamic, that means it is a Public IP with Basic SKU because Public IPs with Standard SKU have Static assignments by default, that cannot be changed. We cannot associate Basic SKUs IPs with Standard SKUs LBs. One cannot create a backend SLB pool if the VM to be associated has a Public IP. For Private IP  it doesn't matter weather it is dynamic or static, still we can add the such VM into the SLB backend pool.

Box 2: Create and configure an NSG

Standard Load Balancer is built on the zero trust network security model at its core. Standard Load Balancer secure by default and is part of your virtual network. The virtual network is a private and isolated network. This means Standard Load Balancers and Standard Public IP addresses are closed to inbound flows unless opened by Network Security Groups. NSGs are used to explicitly permit allowed traffic. If you do not have an NSG on a subnet or NIC of your virtual machine resource, traffic is not allowed to reach this resource. To learn more about NSGs and how to apply them for your scenario, see Network Security Groups. Basic Load Balancer is open to the internet by default.

A Basic Load Balancer can use the Basic SKU Public IP address's, but a Standard load balancer requires a Standard SKU Public IP address.

Excerpt from link below:

The standard SKU is required if you associate the address to a standard load balancer. For more information about standard load balancers, see Azure load balancer standard SKU.

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/virtual-network-public-ip-address

Excerpt from link below:

Key scenarios that you can accomplish using Azure Standard Load Balancer include:

-Enable support for load-balancing of IPv6.

https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-overview#why-use-azure-load-balancer

https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-network-mapping

The subnet of the target VM is selected based on the name of the subnet of the source VM.

- If a subnet with the same name as the source VM subnet is available in the target network, that subnet is set for the target VM.

- If a subnet with the same name doesn't exist in the target network, the first subnet in the alphabetical order is set as the target subnet.

The average CPU percentage is calculated 24 times per day. This is because the exhibit shows the CPU percentage for ASP1 in a 24-hour period, with one data point for each hour. Therefore, the average CPU percentage is calculated once per hour, or 24 times per day1.

ASP1 must be scaled out to optimize CPU usage. This is because the exhibit shows that the CPU percentage for ASP1 is consistently above 80%, which indicates that the app service plan is under high load and needs more instances to handle the traffic. Scaling out means adding more instances to an app service plan, which can improve the performance and availability of the apps hosted on it2. Scaling up means changing the pricing tier of an app service plan, which can increase the resources available for each instance, but not necessarily reduce the CPU usage3.

https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview#monitoring

The connection monitor capability monitors communication at a regular interval and informs you of reachability, latency, and network topology changes between the VM and the endpoint.

Connection monitor also provides the minimum, average, and maximum latency observed over time. After learning the latency for a connection, you may find that you can decrease the latency by moving your Azure resources to different Azure regions.

https://learn.microsoft.com/en-us/azure/backup/multi-user-authorization?tabs=azure-portal &pivots=vaults-recovery-services-vault#before-you-start

Before you start

Ensure the Resource Guard and the Recovery Services vault are in the same Azure region.

Ensure the Backup admin does not have Contributor permissions on the Resource Guard. You can choose to have the Resource Guard in another subscription of the same directory or in another directory to ensure maximum isolation.

Ensure that your subscriptions containing the Recovery Services vault as well as the Resource Guard (in different subscriptions or tenants) are registered to use the providers - Microsoft.RecoveryServices and Microsoft.DataProtection . For more information, see Azure

Azure Import/Export service supports the following of storage accounts:

✑ Standard General Purpose v2 storage accounts (recommended for most scenarios)

✑ Blob Storage accounts

✑ General Purpose v1 storage accounts (both Classic or Azure Resource Manager deployments),

Azure Import/Export service supports the following storage types:

✑ Import supports Azure Blob storage and Azure File storage

✑ Export supports Azure Blob storage. Azure Files not supported.

Only storage4 can be exported.

Box 1: "/subscription/c276fc76-9cd4-44c9-99a7-4fd71546436e"

In the assignableScopes you need to mention the subscription ID where you want to implement the RBAC

Box 2: "Microsoft.Authorization/*"

Microsoft.Authorization/* is used to Manage authorization

As App1 is public-facing we need an incoming security rule, related to the access of the web servers.

Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers: a SQL database, a web front end, and a processing middle tier.

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

This reference architecture shows how to deploy VMs and a virtual network configured for an N-tier application, using SQL Server on Windows for the data tier.

Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers:

A SQL database

A web front end

A processing middle tier

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

Technical requirements include:

Move all the virtual machines for App1 to Azure.

Minimize the number of open ports between the App1 tiers.

Box 1: Selected

Only selected users should be able to join devices

Box 2: Yes

Require Multi-Factor Auth to join devices.

From scenario:

Ensure that only users who are part of a group named Pilot can join devices to Azure AD

Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.

Statement 1: Yes

Contoso is moving the existing product blueprint files to Azure Blob storage which will ensure that the blueprint files are stored in the archive storage tier.

Use unmanaged standard storage for the hard disks of the virtual machines. We use Page Blobs for these.

Statement 2: No

Azure Table storage stores large amounts of structured data. The service is a NoSQL datastore which accepts authenticated calls from inside and outside the Azure cloud. Azure tables are ideal for storing structured, non-relational data. Common uses of Table storage include:

1. Storing TBs of structured data capable of serving web scale applications

2. Storing datasets that don't require complex joins, foreign keys, or stored procedures and can be denormalized for fast access

3. Quickly querying data using a clustered index

4. Accessing data using the OData protocol and LINQ queries with WCF Data Service .NET Libraries

Statement 3: No

File Storage can be used if your business use case needs to deal mostly with standard File extensions like *.docx, *.png and *.bak then you should probably go with this storage option.

Active Directory Federation Services is a feature and web service in the Windows Server Operating System that allows sharing of identity information outside a company’s network.

Scenario: Technical Requirements include:

Prevent user passwords or hashes of passwords from being stored in Azure.

A Recovery Services vault is a logical container that stores the backup data for each protected resource, such as Azure VMs. When the backup job for a protected resource runs, it creates a recovery point inside the Recovery Services vault.

Scenario:

There are three application tiers, each with five virtual machines.

Move all the virtual machines for App1 to Azure.

Ensure that all the virtual machines for App1 are protected by backups.

Azure Storage Explorer is a free tool from Microsoft that allows you to work with Azure Storage data on Windows, macOS, and Linux. You can use it to upload and download data from Azure blob storage.

Scenario:

Planned Changes include: move the existing product blueprint files to Azure Blob storage.

Technical Requirements include: Copy the blueprint files to Azure over the Internet.

Change the Service administrator for an Azure subscription

Sign in to Account Center as the Account administrator.

Select a subscription.

On the right side, select Edit subscription details.

Scenario: Designate a new user named Admin1 as the service administrator of the Azure subscription.