In this article, you will be trying out AZ-104 exam questions and answers which help in your preparation for the actual Microsoft Azure Administrator certification exam. The AZ-104: Microsoft Azure Administrator certification exam evaluates you for your understanding of the implementation, monitoring, and management of the Microsoft Azure Environment in any organization.
As a Microsoft Certified Azure Administrator Associate, you would play the part of a team responsible for the implementation of an organization’s Cloud Infrastructure. Just follow these free practice questions, and assess your preparation for the AZ-104 certification exam.
Let’s start learning!
What to expect in the AZ-104 exam?
If you are planning to take up the AZ-104 exam what can you expect?
AZ-104 exam is covered in 5 sections: Azure Governance and Identities, Manage and implement storage, Azure compute resources, virtual networking, and Maintain and monitor Azure resources. Each domain has a different weightage.
To prepare for the AZ-104 exam, even though no prerequisites are required, it is recommended to have at least six months of hands-on experience in Azure administration and a core understanding of AWS services, workload, security, and governance.
Exam format for AZ-104 exam
Domains covered in AZ-104 exam
AZ-104 exam consists of five domains as follows:
Domain | Weightage |
Handle Azure Governance and Identities | 15-20% |
Manage and implement storage | 15-20% |
Implement Azure compute resources | 20-25% |
Handle and configure virtual networking | 20-25% |
Maintain and monitor Azure resources | 10-15% |
Domain : Manage Azure identities and governance
Q1 : Company WhizLabs has 2 Azure subscriptions named “Staging” and “Production”.
The “Staging” subscription has the following resource groups.
Name | Region | Lock type |
rg-staging-1 | West Europe | None |
rg-staging-2 | West Europe | Read-only |
The company has deployed a storage account stwhizlabs to the rg-staging-1 resource group.
The “Production” subscription has the following resource groups.
Name | Region | Lock type |
rg-production-3 | East Asia | Delete |
rg-production-4 | Central US | None |
Would you be able to move stwhizlabs resource to the rg-production-3 resource group?
A. Yes
B. No
Correct Answer: A
Explanation
We can move resources from one resource group to another. In this case the source resource group has no lock defined, and the receiving resource group has a Delete lock, which only prevents resources from being deleted. Below is a further explanation of what a Delete lock does.
A Delete lock on a resource group means that no resource contained in the resource group can be deleted. The idea behind a Delete lock is to prevent resource deletion, even by mistake. Without a lock, a user can delete a resource group by mistake, and a malicious user can also delete it. This can cause serious problems in a production system and may even impact end users.
A Delete lock imposes no other restrictions. Resources can always be added to a resource group with a Delete lock.
From this explanation it is clear that A (Yes) is the correct answer and all other answers are wrong. For more information, please visit the following URLs: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources, https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-resource-group-and-subscription
Domain : Manage Azure identities and governance
Q2 : A company has an Azure subscription named whizlabstaging. They also have a resource group named whizlabs-rg. The resource group has an internal load balancer named “whizlab-internal” and a public load balancer named “whizlab-public”. They want to give a user named “whizlabusr” permissions to configure both load balancers. The solution must follow the principle of least privilege.
Which role would you assign to the user to allow a health probe to the load balancer “whizlab-public”?
A. Contributor role on whizlab-internal
B. Network Contributor role on whizlab-internal
C. Network Contributor role on whizlabs-rg
D. Owner role on whizlab-internal
Correct Answer: C
Explanation
An Azure public load balancer is a load balancer that has been assigned a public IP and can be accessed from the internet, while a private or internal load balancer has a private IP and cannot be accessed from outside the VNet.
Options A & D are incorrect because they provide a lot more access than required.
Option B is incorrect because it does not provide access to a public load balancer.
Option C is correct because it will provide access to both public and private load balancers at the whizlabs-rg resource group level. It also follows the principle of least privilege.
For more information on Role-based access control, please visit the following URL: https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
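The scope reasoning behind this answer, as an added example that is not part of the original article: a small Python model of Azure RBAC evaluation (scope inheritance plus Actions/NotActions wildcards) applied to the four options. The role definitions are trimmed excerpts, the subscription ID is a placeholder, and treating "add a health probe" as `Microsoft.Network/loadBalancers/write` is an assumption.

```python
from fnmatch import fnmatchcase

# Excerpts of built-in role definitions (assumption: trimmed to the entries
# this scenario needs; the real definitions list more actions).
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        "not_actions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Network Contributor": {"actions": ["Microsoft.Network/*"], "not_actions": []},
}

# Constructed resource IDs; the subscription GUID is a placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/whizlabs-rg"
LB = RG + "/providers/Microsoft.Network/loadBalancers/"
LB_INTERNAL = LB + "whizlab-internal"
LB_PUBLIC = LB + "whizlab-public"

# Assumption: adding a health probe is an update of the load balancer resource.
CONFIGURE_LB = "Microsoft.Network/loadBalancers/write"
# Used to show which options would also let the user hand out access.
GRANT_ACCESS = "Microsoft.Authorization/roleAssignments/write"


def _matches(action, patterns):
    """Case-insensitive wildcard match of one action against a pattern list."""
    a = action.lower()
    return any(fnmatchcase(a, p.lower()) for p in patterns)


def in_scope(assignment_scope, resource_id):
    """An assignment applies to its own scope and to everything below it."""
    s, r = assignment_scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")


def is_allowed(assignments, principal, action, resource_id):
    """True if any in-scope assignment grants the action and does not exclude it."""
    for who, role_name, scope in assignments:
        if who != principal or not in_scope(scope, resource_id):
            continue
        role = ROLES[role_name]
        if _matches(action, role["actions"]) and not _matches(action, role["not_actions"]):
            return True
    return False


# The four answer options as (role, scope) pairs.
OPTIONS = {
    "A": ("Contributor", LB_INTERNAL),
    "B": ("Network Contributor", LB_INTERNAL),
    "C": ("Network Contributor", RG),
    "D": ("Owner", LB_INTERNAL),
}


def review(option):
    """Report what whizlabusr could do if only this option were assigned."""
    role, scope = OPTIONS[option]
    grants = [("whizlabusr", role, scope)]
    return {
        "internal": is_allowed(grants, "whizlabusr", CONFIGURE_LB, LB_INTERNAL),
        "public": is_allowed(grants, "whizlabusr", CONFIGURE_LB, LB_PUBLIC),
        "can_grant_access": is_allowed(grants, "whizlabusr", GRANT_ACCESS, LB_INTERNAL),
    }


if __name__ == "__main__":
    for opt in sorted(OPTIONS):
        print(opt, OPTIONS[opt][0], "->", review(opt))
```

Only option C reaches both load balancers, and it does so without the role-assignment rights that Owner carries.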
Domain : Manage Azure identities and governance
Q3 : A company has an Azure AD directory that contains the following users.
Name | Role |
whizlabusr1 | None |
whizlabusr2 | Global administrator |
whizlabusr3 | Cloud device administrator |
whizlabusr4 | Intune administrator |
The Azure AD Tenant has the following device settings.
- Users can join devices to Azure AD.
- Additional local administrators on Azure AD joined devices is set to None.
The user whizlabusr1 goes ahead and joins a Windows 10 computer to the Azure AD tenant.
You need to identify those users that would be added to the local Administrators group on the computer.
A. whizlabusr1 only
B. whizlabusr2 only
C. whizlabusr1, whizlabusr2 and whizlabusr3 only
D. whizlabusr1 and whizlabusr2 only
E. whizlabusr1, whizlabusr2, whizlabusr3 and whizlabusr4
Correct Answer: C
Explanation
When a device is joined to Azure AD, the user who joins the computer to the domain is added as the local administrator. Also, the Global Administrator will be added as an administrator to the system.
Hence C is the correct answer and all other answers are wrong.
This is also mentioned in the Microsoft documentation.
For more information on managing the local administrators in the Azure AD join process, please visit the following URL: https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin, https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference?WT.mc_id=Portal-Microsoft_AAD_IAM#device-administrators-permissions
Domain : Implement and manage storage
Q4 : A company has the following resources.
- A file share named whizlabshare in an Azure storage account.
- The file share contains a file named whizlab1.txt
- An Azure File Sync Service resource.
- The following on-premise Windows 2016 servers with their respective file shares and contents.
Name | Share | Contents |
whizlabsrv1 | D:\whizlabdata1 | whizlab1.txt, whizlab2.txt |
whizlabsrv2 | D:\whizlabdata2 | whizlab2.txt, whizlab3.txt |
The following steps are conducted at separate time spans.
- First, the file share is added to a Sync group named whizlabgroup in the Azure File Sync Service resource.
- The server whizlabsrv1 (D:\whizlabdata1) is added as a server endpoint.
- The server whizlabsrv2 (D:\whizlabdata2) is added as a server endpoint.
Would the file whizlab1.txt on the cloud endpoint be overwritten by whizlab1.txt from D:\whizlabdata1 share?
A. Yes
B. No
Correct Answer: B
Explanation
From the initial bullet points, there is a file share named ‘whizlabshare’ that contains a file named ‘whizlab1.txt’. The table then lists the servers and their shares, each with different contents.
You have a duplicate file on the file share and the file server. The file on the file server will have its name appended with the name of the server.
After adding the cloud endpoint and the first server endpoint, you will have the following files in the file share.
whizlab1.txt
whizlab1-whizlabsrv1.txt
whizlab2.txt
For more information on working with the File Sync Service, please visit the following URL: https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide?tabs=azure-portal
Domain : Monitor and back up Azure resources
Q5 : You have to configure Application Insights for a set of applications. Each application has different requirements. Below are the requirements for each application.
- whizlabapp1 – Be able to see if users are progressing through the entire business process for the application.
- whizlabapp2 – Here, one should analyze the load times and other properties that could influence conversion rates for the application.
- whizlabapp3 – Here, one should be able to analyze how many users return to the application.
- whizlabapp4 – Here, one should be able to see the places where users repeat the same action over and over again.
Which of the following features of Application Insights could be used for the application whizlabapp2?
A. Impact
B. Retention
C. User Flows
D. Funnels
Correct Answer: A
Explanation
This can be accomplished with the Impact feature of Application Insights.
The Microsoft documentation mentions the following.
Since this is clearly mentioned in the Microsoft documentation, all other options are incorrect.
For more information on the Impact feature, please visit the following URL: https://docs.microsoft.com/en-us/azure/azure-monitor/app/usage-impact
Domain : Monitor and back up Azure resources
Q6 : You have to configure Application Insights for a set of applications. Each application has different requirements. Below are the requirements for each application.
- whizlabapp1 – Be able to see if users are progressing through the entire business process for the application.
- whizlabapp2 – Here, one should analyze the load times and other properties that could influence conversion rates for the application.
- whizlabapp3 – Here, one should be able to analyze how many users return to the application.
- whizlabapp4 – Here, one should be able to see the places where users repeat the same action over and over again.
Which of the following features of Application Insights could be used for the application whizlabapp3?
A. Impact
B. Retention
C. User Flows
D. Funnels
Correct Answer: B
Explanation
This can be accomplished with the Retention feature of Application Insights.
The Microsoft documentation mentions the following.
Since this is clearly mentioned in the Microsoft documentation, all other options are incorrect.
For more information on the Retention feature, please visit the following URL: https://docs.microsoft.com/en-us/azure/azure-monitor/app/usage-retention
Domain : Monitor and back up Azure resources
Q7 : You have to configure Application Insights for a set of applications. Each application has different requirements. Below are the requirements for each application.
- whizlabapp1 – Be able to see if users are progressing through the entire business process for the application.
- whizlabapp2 – Here one should be able to analyze the load times and other properties that could influence conversion rates for the application.
- whizlabapp3 – Here one should be able to analyze how many users return to the application.
- whizlabapp4 – Here one should be able to see the places where users repeat the same action over and over again.
Which of the following features of Application Insights could be used for the application whizlabapp4?
A. Impact
B. Retention
C. User Flows
D. Funnels
Correct Answer: C
Explanation
This can be accomplished with the User Flows feature of Application Insights.
The Microsoft documentation mentions the following.
Since this is clearly mentioned in the Microsoft documentation, all other options are incorrect.
For more information on the User Flows feature, please visit the following URL: https://docs.microsoft.com/en-us/azure/azure-monitor/app/usage-flows
Domain : Configure and manage virtual networking
Q8 : You have set up a computer named whizlabclient1 that has a point-to-site VPN connection to an Azure virtual network named whizlabnetwork. The point-to-site connection makes use of a self-signed certificate. You now have to establish a point-to-site VPN connection to the same virtual network from another computer named whizlabclient2. The VPN client configuration package is downloaded and installed on the whizlabclient2 computer.
You decide to use Azure Active Directory to authenticate the whizlabclient2 computer.
Would the above decision fulfill the requirement?
A. Yes
B. No
Correct Answer: B
Explanation
There is no need to use the Azure Active Directory to authenticate the whizlabclient2 computer.
Azure accepts a P2S VPN connection, but the user has to be authenticated first.
There are two mechanisms that Azure offers to authenticate a connecting user.
- Authenticate using the native Azure certificate authentication
- Authenticate using the native Azure Active Directory authentication
So there is already native Azure Certificate authentication used for clients connecting to a VNet over a Point-to-Site VPN connection.
Once you obtain a root certificate, you upload the public key information to Azure. The root certificate is then considered ‘trusted’ by Azure for connection over P2S to the virtual network. You also generate client certificates from the trusted root certificate and then install them on each client computer. The client certificate is used to authenticate the client when it initiates a connection to the VNet.
In the question, it is already mentioned that a VPN client should have a VPN client certificate so there is no need for AD authentication. Hence B is the right answer.
For more information on Point-to-Site VPN connections, please visit the following URL: https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about
Domain : Manage Azure identities and governance
Q9 : A company currently has an Azure account and subscription. They are planning to make their application available 99.99% of the time using Virtual Machines and a Load balancer. Which of the following would need to be in place? You have to minimize costs associated with the solution.
A. Create a Basic Load balancer
B. Create a Standard Load balancer
C. Add 2 Virtual Machines to the backend pool
D. Add a Virtual Machine to the backend pool
Correct Answers: B and C
Explanation
To solve this problem you need to use a Standard Load balancer with two virtual machines as a backend pool.
This is clearly mentioned in the Microsoft documentation.
Since this is clearly given in the Microsoft documentation, all other options are incorrect.
For more information on the SLA for the Load balancer, please go to the below URL: https://azure.microsoft.com/en-us/support/legal/sla/load-balancer/v1_0/
Domain : Configure and manage virtual networking
Q10 : A company has set up a Load balancer that load balances traffic on ports 80 and 443 across 3 virtual machines. You have to ensure that users are assigned the same web server for the duration of their session. Which of the following would you configure for this requirement?
A. Floating IP
B. Health Probe
C. Session Persistence
D. TCP Reset
Correct Answer: C
Explanation
The Microsoft documentation mentions Session Persistence or Source IP affinity mode, as mentioned below.
Option A is incorrect since this is used when you have multiple front-end IPs.
Option B is incorrect since this is used to check the health of the back-end VMs.
Option D is incorrect since this is used for an idle timeout.
For more information on load balancer distribution mode, please go to the below URL: https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-distribution-mode
Domain : Manage Azure identities and governance
Q11 : You are the Azure administrator for a company. You have to create a custom role based on the Virtual Machine Contributor role. You have to complete the following PowerShell script. Which of the following would come in SLOT 2?
A. Get-AzRoleDefinition
B. New-AzRoleDefinition
C. Set-AzRoleDefinition
D. Create-AzRoleDefinition
Correct Answer: B
Explanation
After we created a new role definition for “Virtual Machine Reader” based on “Virtual Machine Contributor”, we can commit a new role definition.
All other options are incorrect.
For more information on creating a custom role, please visit the below URL: https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-powershell
Domain : Deploy and manage Azure compute resources
Q12 : A company has the following set of Virtual Machines defined in the Azure account.
Name | Region |
whizlabs-vm1 | East US |
whizlabs-vm2 | Central US |
The company wants to move whizlabs-vm1 to another subscription. Which of the following can be implemented to fulfill this requirement?
A. Move the Virtual Machine to the Central US region first
B. You cannot move the Virtual Machine across subscriptions. You would need to delete and recreate the VM in the new subscription
C. Use the Move-AzResource powershell command to move the Virtual Machine
D. Use the Move-VMResource powershell command to move the Virtual Machine
Correct Answer: C
Explanation
You can move Azure resources across subscriptions using the Move-AzResource PowerShell command. There are just some restrictions when moving Virtual Machines.
Below is the command provided in the Microsoft documentation.
Option A is incorrect since you don’t need to move the Virtual machine to any specific region before moving it to the destination.
Option B is incorrect since you can move resources across subscriptions.
Option D is incorrect since the right command is Move-AzResource.
For more information on moving virtual machines, one can go to the following link: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/move-vm
Domain : Configure and manage virtual networking
Q13 : Your company has an Azure account and subscription. The subscription contains a virtual machine named demovm.
In your office, you have a Windows 10 PC named Computer1 that is connected to the Internet.
You add a network interface to demovm as shown in the exhibit below. From Computer1 you want to access a web service running on port 80 after demovm is started.
Which of the following must be done for this to work?
A. Attach a network interface
B. Add an incoming network security group rule for allowing traffic on port 80
C. Add an outgoing network security group rule for allowing traffic on port 80
D. Delete the DenyAllOutBound outbound port rule
E. Delete the DenyAllInBound inbound port rule
Correct Answer: B
Explanation
Here you need to add an incoming rule to allow traffic on port 80.
Option A is incorrect since this needs to be done for the currently attached network interface.
Option C is incorrect since the incoming traffic needs to be allowed.
Options D and E are incorrect since you cannot delete the built-in network security group rules.
For more information on Network security groups, please go to the below URL: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
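How the default rules lead to this answer, as an added example that is not part of the original article: a Python model of inbound NSG evaluation in which rules are checked in ascending priority and the first match decides. The addresses, the VNet range and the rule name `Allow-HTTP-In` are constructed for the illustration, and the `Internet` tag is simplified to "anything outside the VNet and the Azure load balancer address".

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan (assumption, not from the question).
VNET = ipaddress.ip_network("10.0.0.0/16")
AZURE_LB = ipaddress.ip_network("168.63.129.16/32")
COMPUTER1 = "203.0.113.10"  # constructed public address of the office PC
DEMOVM = "10.0.0.4"         # constructed private address; inbound rules see this one


def matches_prefix(ip, prefix):
    """Match an address against '*', a service tag, or a CIDR prefix."""
    addr = ipaddress.ip_address(ip)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return addr in VNET
    if prefix == "AzureLoadBalancer":
        return addr in AZURE_LB
    if prefix == "Internet":  # simplified: anything outside the two ranges above
        return addr not in VNET and addr not in AZURE_LB
    return addr in ipaddress.ip_network(prefix)


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    source: str
    destination: str
    port: str      # "*" or a single port such as "80"
    protocol: str  # "*", "TCP" or "UDP"
    access: str    # "Allow" or "Deny"

    def matches(self, src, dst, port, protocol):
        return (matches_prefix(src, self.source)
                and matches_prefix(dst, self.destination)
                and self.port in ("*", str(port))
                and self.protocol in ("*", protocol))


# Default inbound rules that every NSG contains.
DEFAULT_INBOUND = (
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "*", "Deny"),
)


class InboundNsg:
    def __init__(self):
        self.custom = []

    def add_rule(self, rule):
        # Custom rules live in the 100-4096 priority range, one rule per priority.
        if not 100 <= rule.priority <= 4096:
            raise ValueError("custom rule priority must be 100-4096")
        if any(r.priority == rule.priority for r in self.custom):
            raise ValueError("priority already in use")
        self.custom.append(rule)

    def remove_rule(self, name):
        # Options D and E: built-in rules can be overridden but not deleted.
        if any(r.name == name for r in DEFAULT_INBOUND):
            raise ValueError("default rules cannot be deleted, only overridden")
        self.custom = [r for r in self.custom if r.name != name]

    def evaluate(self, src, dst, port, protocol):
        """Return (access, rule name) of the lowest-numbered matching rule."""
        rules = sorted(self.custom + list(DEFAULT_INBOUND), key=lambda r: r.priority)
        for rule in rules:
            if rule.matches(src, dst, port, protocol):
                return rule.access, rule.name
        return "Deny", "no-match"  # not reached: DenyAllInBound matches everything


def demo():
    """Port 80 from Computer1 before and after the inbound rule is added."""
    nsg = InboundNsg()
    before = nsg.evaluate(COMPUTER1, DEMOVM, 80, "TCP")
    nsg.add_rule(Rule("Allow-HTTP-In", 100, "Internet", "*", "80", "TCP", "Allow"))
    after = nsg.evaluate(COMPUTER1, DEMOVM, 80, "TCP")
    other_port = nsg.evaluate(COMPUTER1, DEMOVM, 3389, "TCP")
    return before, after, other_port


if __name__ == "__main__":
    print(demo())
```

The new rule opens port 80 only; every other port from the Internet still falls through to DenyAllInBound.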
Domain : Configure and manage virtual networking
Q14 : You plan to deploy five virtual machines to a virtual network subnet.
Each virtual machine will have a public IP address and a private IP address.
Each virtual machine requires the same inbound and outbound security rules.
What is the minimum number of network security groups that you require?
A. 1
B. 2
C. 5
D. 10
Correct Answer: A
Explanation
A network security group can have multiple network interfaces assigned to it, as shown in the below diagram.
The question clearly states that the virtual machines all require the same inbound and outbound security rules. Hence we should use just the same network security group for all network interfaces.
For more information on network security groups, please visit the below URL: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-vnet-plan-design-arm
Domain : Implement and manage storage
Q15 : A company needs to create a storage account that must follow the requirements below.
- Users should be able to add files such as images and videos.
- Ability to store archive data.
- File shares need to be in place, which can be accessed across several VMs.
- The data needs to be available even if a region goes down.
- The solution needs to be cost-effective.
Which of the following types of storage account would you create for this purpose?
A. BlockBlob Storage
B. General Purpose(v1)
C. General Purpose(v2)
D. Table storage
Correct Answer: C
Explanation
The below snapshot from the Microsoft documentation shows the different types of storage accounts.
Option B is incorrect since General Purpose V1 is not available anymore.
As we can see, only General Purpose v2 supports all of the requirements. Hence all other options are incorrect.
For more information on storage accounts, please visit the below URL: https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview
Domain : Deploy and manage Azure compute resources
Q16 : A company wants to deploy a virtual machine using a Resource Manager template. The template needs to be submitted via Azure CLI commands. The template is stored in a file named storage.json.
You need to complete the below CLI command. Which of the following would go into SLOT 1?
A. Template
B. Deployment
C. Resource
D. Vm
Correct Answer: B
Explanation
SLOT 1 covers the word “deployment”.
All other options are incorrect.
For more information on deploying templates via the CLI, please visit the below URL: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-deploy-cli
Domain : Configure and manage virtual networking
Q17 : A company plans to use Azure Network watcher to perform the following tasks.
- Find out if a network security rule prevents a network packet from reaching a virtual machine hosted in an Azure virtual network.
- Find out if there is outbound connectivity between an Azure virtual machine and an external host.
Which of the following Network watcher features would you use for the following requirement?
“Find out if a network security rule is preventing a network packet from reaching a virtual machine hosted in an Azure virtual network.”
A. IP Flow Verify
B. Next Hop
C. Packet Capture
D. Traffic Analysis
Correct Answer: A
Explanation
This can be done with the IP Flow Verify feature. The Microsoft documentation mentions the following.
Option B is incorrect since this feature is used to get the next hop type and IP address of a specific VM packet.
Option C is incorrect since this feature is used for deep-dive network packet capture.
Option D is incorrect since this feature is a cloud-based solution that provides visibility into user and application activity in cloud networks.
For more information on the IP Flow Verify feature, please visit the below URL: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview
Domain : Implement and manage storage
Q18 : Your company wants to provision an Azure storage account. The storage account needs to meet the following requirements.
- Should be able to support hot, cool, and archive blob tiers.
- Should be able to provide fault tolerance if a disaster hits the Azure region, which has the storage account.
- Should minimize costs.
You need to complete the below command to create the storage account. Which of the following would go into Slot2?
A. Standard_GRS
B. Standard_LRS
C. Standard_RAGRS
D. Premium_LRS
Correct Answer: A
Explanation
Standard_GRS, which is geo-redundant storage, would ensure that data is available in a secondary region if the primary region goes down.
The Microsoft documentation mentions the following.
Options B and D are incorrect since these don’t guarantee that data will be available if a region goes down.
Option C is incorrect since the costs would be more than Standard_GRS.
For more information on geo-redundant storage, please visit the below URL: https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-grs
Domain : Manage Azure identities and governance
Q19 : A company has set up an Azure subscription. They have provisioned a storage account and are currently using the BLOB service. They want to assign permissions to 3 user groups.
- GroupA – This group should have the ability to manage the storage account.
- GroupB – This group should be able to manage containers within a storage account.
- GroupC – This group should be given full access to Azure Storage blob containers and data, including assigning POSIX access control.
You need to assign the relevant Role-Based Access Control roles, following the principle of least privilege.
Which of the following would you assign to GroupB?
A. Owner
B. Contributor
C. Storage Account Contributor
D. Storage Blob Data Contributor
E. Storage Blob Data Owner
Correct Answer: D
Explanation
This can be accomplished with the Storage Blob Data Contributor.
The Microsoft documentation mentions the following.
Options A and B are incorrect since these would provide more permissions than required.
Options C and E are incorrect since these roles don’t have the required permissions.
For more information on built-in roles, please visit the below URL: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
Domain : Deploy and manage Azure compute resources
Q20 : As an IT admin, you have to develop scripts that need to be used to add data disks to an existing virtual machine. Below is the incomplete script. Which of the following would go into Slot5?
A. Set-AzVM
B. Update-AzVM
C. Get-AzVM
D. New-AzVM
Correct Answer: B
Explanation
An example of this is given in the Microsoft documentation.
Since this is clearly given in the Microsoft documentation, all other options are incorrect.
For more information on managing data disk, please visit the below URL: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-manage-data-disk
Domain : Manage Azure identities and governance
Q21 : A company is planning to use Azure for the various services they offer. They want to ensure that they can bill each department for the resources they consume. They decide to use Azure policies to separate the bills department wise.
Would this fulfill the requirement?
A. Yes
B. No
Correct Answer: B
Explanation
Azure policies are used from a governance perspective and can’t be used to create bills department wise.
For more information on Azure policies, please visit the below URL: https://docs.microsoft.com/en-us/azure/governance/policy/overview
Domain : Manage Azure identities and governance
Q22 : A company has an Azure subscription that contains the following resource groups.
Name | Lock Name | Lock type |
whizlabs-rg1 | None | None |
whizlabs-rg2 | whizlablock1 | Delete |
The resource group whizlabs-rg1 contains the following resources.
Name | Type | Lock Name | Lock type |
whizlabstore2090 | Storage account | whizlablock2 | Delete |
whizlabnetwork | Virtual network | whizlablock3 | Read-only |
whizlabip | Public IP address | None | None |
Would you be able to move the resource whizlabstore2090 from the resource group whizlabs-rg1 to whizlabs-rg2?
A. Yes
B. No
Correct Answer: A
Explanation
A Delete lock on a resource group means that no resource contained in the resource group can be deleted. The idea behind a Delete lock is to avoid any resource deletion by mistake. Moreover, if an entire resource group is deleted in production, by a malicious user or by mistake, it can cause serious problems, which may even impact end users. A Delete lock imposes no other restrictions. Resources can always be added to a resource group with a Delete lock.
From this explanation, it is clear that A (Yes) is the correct answer and all other answers are wrong.
For more information on resource locks, please visit the following URL: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources
Domain : Manage Azure identities and governance
Q23 : A company has an Azure subscription that contains the following resource groups.
Name | Lock Name | Lock type |
whizlabs-rg1 | None | None |
whizlabs-rg2 | whizlablock1 | Delete |
The resource group whizlabs-rg1 contains the following resources.
Name | Type | Lock Name | Lock type |
whizlabstore2090 | Storage account | whizlablock2 | Delete |
whizlabnetwork | Virtual network | whizlablock3 | Read-only |
whizlabip | Public IP address | None | None |
Would you be able to move the resource whizlabnetwork from the resource group whizlabs-rg1 to whizlabs-rg2?
A. Yes
B. No
Correct Answer: A
Explanation
We would be able to move the resource whizlabnetwork from the resource group whizlabs-rg1 to whizlabs-rg2. The virtual network whizlabnetwork has a Read-only lock. It means that we can’t delete or modify this resource without removing the lock. But this lock doesn’t prevent us from moving a resource from one resource group to another. The current resource group of whizlabnetwork, whizlabs-rg1, doesn’t have any locks. The destination resource group, whizlabs-rg2, has a Delete lock. This lock prevents the deletion of this resource group and all resources within it. It doesn’t restrict the movement of resources to this group from other groups.
Hence, A is the correct answer.
For more information on resource locks, please visit the following URL: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources
Domain : Configure and manage virtual networking
Q24 : A company has the following virtual machines defined as part of their subscription.
Name | Operating System | Connect to |
vmwhizlab1 | Windows Server 2019 | SubnetA |
vmwhizlab2 | Windows Server 2019 | SubnetB |
- Public IP addresses are assigned to the virtual machines.
- At the operating system level, incoming remote desktop connections have been allowed.
- Both of the subnets are in the same virtual network.
- A network security group named nsg-whizlab1 has been assigned to SubnetA. This network security group only has the default rules.
- A network security group named nsg-whizlab2 has been assigned to the network interface of vmwhizlab2. This network security group has an additional rule with the following details.
- Priority: 100
- Name: nsgrule
- Port: 3389
- Protocol: TCP
- Source: Any
- Destination: Any
- Action: Allow
Is it possible to remote desktop to Public IP of vmwhizlab2 from vmwhizlab1?
A. Yes
B. No
Correct Answer: B
Explanation
- If nsg-whizlab1 had not been added to SubnetA, RDP to vmwhizlab1 would be possible. The reason is that when a Windows VM is created, the RDP port is added to the inbound rules by default.
- In the given scenario, a new NSG called nsg-whizlab1 is created, and it does not have the RDP port added to it. The port has to be added by creating a new rule.
For this reason, remote desktop to vmwhizlab2 from vmwhizlab1 is not possible.
Hence, B is the correct answer.
Domain : Implement and manage storage
Q25 : A company has two applications, wlappA and wlAppB. Below are the details of each application.
- wlappA – This application is deployed to an Azure Web App. Managed Identity has been enabled for the web app.
- wlappB – This application is deployed to an Azure Container Instance. Managed Identity has been enabled on the container instance.
These applications require access to a storage account. The solution needs to limit the use of secrets. Also, wlappB should only be able to access the storage account for a maximum of 15 days.
Which of the following features needs to be used to allow wlappA to access the storage account?
A. CORS
B. Access Keys
C. Shared Access Signatures
D. Managed Identity
Correct Answer: D
Explanation
Managed identities are identities created by ARM (Azure Resource Manager) and assigned to the resource for which they are enabled. The big advantage of a managed identity is that its life cycle is tightly coupled with the resource: when the resource is deleted, the corresponding managed identity is also deleted. This means a security admin does not have to maintain the managed identity.
Since wlappA uses Managed Identity, wlappA can access the Storage Account via IAM. As per the requirement, we need to minimize the number of secrets used, so access keys are not ideal in this scenario.
Option A is incorrect since this is used to enable or disable Cross-Origin Resource Sharing.
Option B is incorrect. Access keys provide authorized access to the storage account, but in this scenario we are working with managed identities, so there is no need for access keys for authorized access.
Option C is incorrect since this is required to provide access to the storage account’s resources for a specified period of time.
Option D is correct since we need to minimize the use of secrets. Hence, we can use the Managed Identity to access the Key vault to get the storage account keys’ values.
For more information on working with access keys, please visit the following URL: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
Domain: Implement and manage storage
Q26 : A multinational company has a storage account named “mncstore”.
The communication between a client application and the storage account is encrypted using Transport Layer Security (TLS). Which of the following TLS versions is not supported by the Azure storage account?
A. 1.0
B. 1.1
C. 1.2
D. 1.3
Correct Answer: D
Explanation: Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility.
Option A is incorrect because TLS 1.0 is supported for backward compatibility; it is a previous version of TLS that is now deprecated for most applications.
Option B is incorrect because TLS 1.1 is still supported for legacy applications.
Option C is incorrect because Azure Storage uses TLS version 1.2 on public endpoints.
Option D is correct because TLS 1.3 is not supported by the Azure storage account at the moment.
Domain: Deploy and manage Azure compute resources
Q 27: ABCD Corp. is a multinational company that develops software.
The research department of the company creates and destroys virtual machines on a regular basis for development and testing purposes. Which of the following VM series is well suited for the given scenario?
A. Ls-Series
B. F-Series
C. Bs-Series
D. Mv2-Series
Correct Answer: C
Explanation: Bs-series VMs are economical virtual machines that provide a low-cost option for workloads that typically run at a low to moderate baseline CPU utilization, but sometimes need to burst to significantly higher CPU utilization when the demand rises. Bs-series VMs are not hyperthreaded.
Example workloads include development and test servers, low-traffic web servers, small databases, micro services, servers for proof-of-concepts, and build servers.
Option A is incorrect because the Ls-series VMs are storage optimised, and are ideal for applications requiring low latency, high throughput, and large local disk storage.
Option B is incorrect because F-series VMs have a higher CPU-to-memory ratio. They are equipped with 2 GB RAM and 16 GB of local solid-state drive (SSD) per CPU core and are optimized for compute-intensive workloads.
Option C is correct because Bs-series VMs are economical virtual machines that provide a low-cost option for workloads that typically run at a low to moderate baseline CPU utilization, but sometimes need to burst to significantly higher CPU utilization when the demand rises. This is best suited for the test/dev environments.
Option D is incorrect because the Azure Mv2-series virtual machines are hyper-threaded and feature Intel® Xeon® Platinum 8180M 2.5 GHz (Skylake) processors, offering up to 416 vCPU on a single VM with 3 TB, 6 TB, and 12 TB memory configurations. This is by far the largest-memory virtual machine offered on Azure and provides unparalleled computational performance to support large in-memory databases.
Reference: https://azure.microsoft.com/en-in/pricing/details/virtual-machines/series/
Domain: Deploy and manage Azure compute resources
Q 28: A small organization has 5 Windows Server 2022 images stored in Azure Compute Gallery. Each of these images is 2 TB in size. The company wants to deploy VMs from these images in the quickest way possible. Which of the following technologies will assist them in achieving this?
A. Generalize Image
B. Shallow Replication
C. Specialize Image
D. Direct Share
Correct Answer: B
Explanation: When you create an image version, you can set the ‘replication mode’ to shallow for development and test. Shallow replication skips copying the image, so the image version is ready much faster. Shallow replication can also be useful if you have very large images (up to 32TB) that aren’t frequently deployed. As the source image isn’t copied, larger disks can be used.
Option A is incorrect because Generalizing Image is a process that removes machine and user-specific information from the VM.
Option B is correct because Shallow replication skips copying the image, so the image version is ready much faster.
Option C is incorrect because specialized images do not have an ‘osProfile’ associated with them. VMs and scale sets created from specialized images can be up and running quickly. Because they are created from a source that has already been through the first boot, VMs created from these images boot faster.
Option D is incorrect because direct share shares the gallery with subscriptions and tenants. Only the owner of a subscription, or a user or service principal with the Compute Gallery Sharing Admin role at the subscription or gallery level, can share the gallery.
Domain: Configure and manage virtual networking
Type – drag and drop – Matching
Q 29: Microsoft Azure provides a number of solutions for load balancing and secure network connections in the cloud. Below are some of the networking solutions and their definitions. Match each solution with its correct definition.
1. Load balancer | A. Filter network traffic to and from Azure resources in an Azure virtual network. |
2. Network Security Groups | B. Network security as a natural extension of an application’s structure. |
3. Application Security Groups | C. Application-level routing and load balancing services that let you build a scalable and highly available web front end in Azure. |
4. Azure Application Gateway | D. Load-balance internet and private network traffic with high performance and low latency. |
Correct Answer: 1-D, 2-A, 3-B, 4-C
1. Load balancer | D. Load-balance internet and private network traffic with high performance and low latency. |
2. Network Security Groups | A. Filter network traffic to and from Azure resources in an Azure virtual network. |
3. Application Security Groups | B. Network security as a natural extension of an application’s structure. |
4. Azure Application Gateway | C. Application-level routing and load balancing services that let you build a scalable and highly available web front end in Azure. |
Explanation:
Load balancer: Load-balance internet and private network traffic with high performance and low latency. Instantly add scale to your applications and enable high availability. Load Balancer works across virtual machines, virtual machine scale sets, and IP addresses.
Network Security Groups: You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.
Application Security Groups: Application security groups enable you to configure network security as a natural extension of an application’s structure, allowing you to group virtual machines and define network security policies based on those groups. You can reuse your security policy at scale without manual maintenance of explicit IP addresses. The platform handles the complexity of explicit IP addresses and multiple rule sets, allowing you to focus on your business logic.
Azure Application Gateway: Azure Application Gateway gives you application-level routing and load balancing services that let you build a scalable and highly-available web front end in Azure. You control the size of the gateway and scale your deployment based on your needs.
Reference:
https://azure.microsoft.com/en-us/services/application-gateway/
https://azure.microsoft.com/en-us/services/load-balancer/
https://docs.microsoft.com/en-us/azure/virtual-network/application-security-groups
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
Domain: Monitor and maintain Azure resources
Type – drag and drop – Arranging
Q 30: A multinational company has its infrastructure in Azure Cloud. They have 4 virtual machines hosting various applications. The company wants to back up these VMs using Azure Backup. What is the correct order of configuring the VMs for backup?
A. Click on +Backup Sign
B. Create a Recovery Services vault
C. Open Backup Center
D. Create or select existing backup policy
E. Click on Add and select the VMs to be backed up
F. Click on Enable backup
Correct Order: B-C-A-D-E-F
Correct Answer:
B. Create a Recovery Services vault
C. Open Backup Center
A. Click on +Backup Sign
D. Create or select existing backup policy
E. Click on Add and select the VMs to be backed up
F. Click on Enable backup
Explanation: Before you can back up Azure virtual machines, you need to have a Recovery Services vault. Once the Recovery Services vault is created, open the Backup Center, click on Backup, add the VMs that need to be backed up, and enable backup.
To configure the backup, first we need to create a Recovery Services vault. Once the Recovery Services vault is created, create a backup policy, add the VMs to the backup policy, and then click on the Enable backup option to complete the configuration of the backup.
Reference: https://docs.microsoft.com/en-us/azure/backup/quick-backup-vm-portal
Domain: Monitor and maintain Azure resources
Q 31: A multinational company has its infrastructure in Azure Cloud. After reviewing quarterly reports, they found that they are overspending their budget limits. Thus, the company recommended setting alerts in cost management to have better visibility. Which of the following alert types cannot be set for cost management?
A. Budget alert
B. Credit alert
C. Department spending quota alert
D. Forecast alert
Correct Answer: D
Explanation: You can view forecasted costs narrowed to a single service. For example, you might want to see forecasted costs for just virtual machines; however, you can’t set up alerts for them.
Option A is incorrect because Budget alerts notify you when your spending, based on usage or cost, reaches or exceeds the amount defined in the alert condition of the budget.
Option B is incorrect because Credit alerts notify you when your Azure Prepayment is consumed. Credit alerts are generated automatically at 90% and at 100% of your Azure Prepayment credit balance.
Option C is incorrect because Department spending quota alerts notify you when department spending reaches a fixed threshold of the quota.
Option D is correct because you can view forecasted costs narrowed to a single service. For example, you might want to see forecasted costs for just virtual machines; however, you can’t set up an alert for them.
Domain: Monitor and maintain Azure resources
Q 32: An international IT company has deployed 200 Windows and Linux virtual machines in the Azure cloud. The company is planning on setting up VM insights in all Virtual Machines. Which of the following are the requirements for rolling out VM insights? (Select Three)
A. A connection from the virtual machine to the address 169.254.169.254.
B. A Log Analytics workspace
C. Global Administrator Rights
D. A Dependency Agent
E. A separate network Subnet
Correct Answer: A, B, D
Explanation: VM insights monitors the performance and health of your virtual machines and virtual machine scale sets, including their running processes and dependencies on other resources. It can help deliver predictable performance and availability of vital applications by identifying performance bottlenecks and network issues, and can also help you understand whether an issue is related to other dependencies.
Option A is correct because dependency agents for VM insights require a connection from the virtual machine to the address 169.254.169.254. This is the Azure metadata service endpoint. Ensure that firewall settings allow connections to this endpoint.
Option B is correct because VM insights collects its data from one or more Log Analytics workspaces in Azure Monitor. Prior to onboarding agents, you must create and configure a workspace.
Option C is incorrect because Global Administrator rights are not required for configuring VM insights.
Option D is correct because VM insights requires the Dependency agent, which is how it interacts with VMs.
Option E is incorrect because no separate subnet is required for this rollout.
Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/vm/vminsights-enable-overview
Domain: Monitor and maintain Azure resources
Q 33: A multinational software development company has its head office in Virginia, US, and a branch office in Houston, US. The company has 100 virtual machines running on-premises. The company has configured Azure Site Recovery in Azure Cloud for their business continuity plan. Network connectivity is lost due to a cyclone in the head office region. What steps need to be taken to fail over the systems to the Azure cloud? Please list them in the correct order.
A. Select the VM and Click on Failover
B. Commit
C. Go to Recovery Services Vault > Replicated Items
D. Choose the Recovery Point and Shutdown the source server
Correct Order: C-A-D-B
C. Go to Recovery Services Vault > Replicated Items
A. Select the VM and Click on Failover
D. Choose the Recovery Point and Shutdown the source server
B. Commit
Explanation:
To fail over the servers to Azure, first browse to the Recovery Services vault and choose Replicated Items, select the VM that you would like to fail over, and click on the Failover option.
You will be given the option of choosing the recovery point from which you would like to restore the server.
At this point you are ready to shut down the source server. Once you are ready and have tested the failover, click on Commit.
Reference: https://docs.microsoft.com/en-us/azure/site-recovery/azure-to-azure-tutorial-failover-failback
Domain: Configure and manage virtual networking
Q 34: A small corporation has 50 VMs (virtual machines) on-premises and 20 VMs in Azure. The on-premises environment is connected to Azure using site-to-site connectivity. 5 Azure VMs are having network connectivity issues. Which of the following solutions would you utilize to examine the connectivity issues?
A. Microsoft Management Agent
B. Dependency Agent
C. Azure Network Watcher
D. Azure Log Analytics
Correct Answer: C
Explanation: Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. Network Watcher is designed to monitor and repair the network health of IaaS (Infrastructure-as-a-Service) products, which include Virtual Machines, Virtual Networks, Application Gateways, Load balancers, etc.
Option A is incorrect because the Microsoft Monitoring Agent is a service used to watch and report on application and system health on a Windows computer.
Option B is incorrect because the Dependency Agent discovers data about processes running on the VM and external process dependencies.
Option C is correct because Network Watcher provides the ability to diagnose the most common VPN Gateway and Connections issues.
Option D is incorrect because Log Analytics is a tool in the Azure portal to edit and run log queries from data collected by Azure Monitor logs and interactively analyze their results.
Reference: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
Domain: Deploy and manage Azure compute resources
Q 35: A multinational company is preparing a test environment for the research team. The team deployed the latest Visual Studio edition. The test environment requires several third-party applications to support application testing across the organization. The support team created a customized image for the research team. The customized VM must be saved to allow provisioning in the future. Which of the following locations would be suitable for storing this image?
A. Azure Blob Storage
B. Azure Files
C. Remote File Server
D. On-prem Server Location
Correct Answer: A
Explanation: Managed images are helpful in the development and test environments where you need a consistent baseline VM. A managed image resource can be stored as either a managed disk or an unmanaged disk in a storage account.
Option A is correct because all the images that are going to be used for deploying virtual machines in the cloud need to be stored in Azure blobs as an object.
Option B is incorrect because Azure Files cannot be used to store images as these are accessible via the industry-standard SMB.
Option C is incorrect because VM images need to be stored in Azure for deploying the VMs in the cloud.
Option D is incorrect because an on-prem server would not allow deployment of the VM in the cloud.
Summary
Did you find these free questions and answers helpful? Well, there are a lot more unique questions in Microsoft Azure Administrator AZ-104 Practice Tests. Before you take the actual AZ-104 exam, learn through these mock tests which help in passing the exam on the very first attempt. Keep Learning and growing with Whizlabs!