In this article, you will be trying out AZ-104 exam questions and answers which help in your preparation for the actual Microsoft Azure Administrator certification exam. The AZ-104: Microsoft Azure Administrator certification exam evaluates you for your understanding of the implementation, monitoring, and management of the Microsoft Azure Environment in any organization.
As a Microsoft Certified Azure Administrator Associate, you would play the part of a team responsible for the implementation of an organization’s Cloud Infrastructure. Just follow these free practice questions, and assess your preparation for the AZ-104 certification exam.
Let’s start learning !
What to expect in the AZ-104 exam?
If you are planning to take up the AZ-104 exam what can you expect?
AZ-104 exam is covered in 5 sections: Azure Governance and Identities, Manage and implement storage, Azure compute resources, virtual networking, and Maintain and monitor Azure resources. Each domain has a different weightage.
To prepare for the AZ-104 exam even though no pre-requests are required it is recommended to have at least six months of hands-on experience in azure administration, and a core understanding of AWS services, workload, security, and governance.
Exam format for AZ-104 exam
Domains covered in AZ-104 exam
AZ-104 exam consists of five domains as follows:
| Domain | Weightage |
| Manage Azure identities and governance | (20–25%) |
| Implement and manage storage | (15–20%) |
| Deploy and manage Azure compute resources | (20–25%) |
| Implement and manage virtual networking | (15–20%) |
| Monitor and maintain Azure resources | (10–15%) |
Domain : Manage Azure identities and governance
Q1 : Company WhizLabs has 2 Azure subscriptions named “Staging” and “Production”.
The “Staging” subscription has the following resource groups.
| Name | Region | Lock type |
| rg-staging-1 | West Europe | None |
| rg-staging-2 | West Europe | Read-only |
The company has deployed a storage account stwhizlabs to the rg-staging-1 resource group.
The “Production” subscription has the following resource groups.
| Name | Region | Lock type |
| rg-production-3 | East Asia | Delete |
| rg-production-4 | Central US | None |
Would you be able to move stwhizlabs resource to the rg-production-3 resource group?
A. Yes
B. No
Correct Answer: A
Explanation
We can move resources from one resource group to another, and in this case the source resource group does not have any lock defined and receiving resource group has got delete lock, which stops from deleting of resources. Below is the further explanation of what delete lock does.
Delete lock on a resource group means that any resource which is contained by a resource group cannot be deleted. The idea behind delete lock is to avoid any resource deletion even by mistake. A resource group can be deleted by a user by mistake, in case, there is no lock on the resource group. A malicious user can also delete a group, without delete lock. This can cause serious problem in production system, and may even impact the end user.
Delete lock puts no other restrictions. Resources can always be added to a resource group with delete lock.
From this explanation it is clear that A (yes) is the correct answer, all other answers are wrong. https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources, https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-resource-group-and-subscription
Note – below screenshots are added for reference purposes.
Domain : Manage Azure identities and governance
Q2 : A company has an Azure subscription named whizlabstaging. They also have a resource group named whizlabs-rg. The resource group has an internal load balancer named “whizlab-internal” and a public load balancer named “whizlab-public”. They want to give a user named “whizlabusr” permissions to configure both load balancers. The solution must follow the principle of least privilege.
Which role would you assign to the user to allow a health probe to the load balancer “whizlab-public”?
A. Contributor role on whizlab-internal
B. Network Contributor role on whizlab-internal\
C. Network Contributor role on whizlabs-rg
D. Owner role on whizlab-internal
Correct Answer: C
Explanation
An Azure public load balancer is a load balancer that has been assigned a public IP and can be accessed from the internet. While a private or internal load balance has a private IP and cannot be accessed from outside the vnet.
Options A & D are incorrect because there provide a lot more access than required
Option B is incorrect because it does not provide access to a public load balancer
Option C is correct because it will provide access to both public and private load balancers at whizlabs-rg resource group level. It also follows the principle of the least privileges.
For more information on Role-based access control, please visit the following URL: https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
Domain : Manage Azure identities and governance
Q3 : A company has an Azure AD directory that contains the following users.
| Name | Role |
| whizlabusr1 | None |
| whizlabusr2 | Global administrator |
| whizlabusr3 | Cloud device administrator |
| whizlabusr4 | Intune administrator |
The Azure AD Tenant has the following device settings.
- Users can join devices to Azure AD.
- Additional local administrators on Azure AD joined devices is set to None.
The user whizlabusr1 goes ahead and joins a Windows 10 computer to the Azure AD tenant.
You need to identify those users that would be added to the local Administrators group on the computer.
A. whizlabusr1 only
B. whizlabusr2 only
C. whizlabusr1, whizlabusr2 and whizlabusr3 only
D. whizlabusr1 and whizlabusr2 only
E. whizlabusr1, whizlabusr2, whizlabusr3 and whizlabusr4
Correct Answer: C
Explanation
When a device is joined to Azure AD, the user who joins the computer to the domain is added as the local administrator. Also, the Global Administrator will be added as an administrator to the system.
Hence C is the correct answer and all other answers are wrong.
This is also mentioned in the Microsoft documentation.
For more information on managing the local administrators in the Azure AD join process, please visit the following URL: https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin, https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference?WT.mc_id=Portal-Microsoft_AAD_IAM#device-administrators-permissions
Domain : Implement and manage storage
Q4 : A company has the following resources.
- A file share named whizlabshare in an Azure storage account.
- The file share contains a file named whizlab1.txt
- An Azure File Sync Service resource.
- The following on-premise Windows 2016 servers with their respective file shares and contents.
| Name | Share | Contents |
| whizlabsrv1 | D:\whizlabdata1 | whizlab1.txt, whizlab2.txt |
| whizlabsrv2 | D:\whizlabdata2 | whizlab2.txt, whizlab3.txt |
The following steps are conducted at separate time spans.
- First, the file share is added to a Sync group named whizlabgroup in the Azure File Sync Service resource.
- The server whizlabsrv1 (D:\whizlabdata1) is added as a server endpoint.
- The server whizlabsrv2 (D:\whizlabdata2) is added as a server endpoint.
Would the file whizlab1.txt on the cloud endpoint be overwritten by whizlab1.txt from D:\ whizlabdata1 share?
A. Yes
B. No
Correct Answer: B
Explanation
From the initial bullet points, there is a file share named ‘whizlabshare’ contains a file named ‘whizlab1.txt’. Then there are servers, shares, with different contents in the table.
You have a duplicate file on the file share and the file server. The file on the file server will have its name appended with the name of the server.
After adding the cloud endpoint and the first server endpoint, you will have the following files in the file share.
whizlab1.txt
whizlab1-whizlabsrv1.txt
whizlab2.txt
For more information on working with the File Sync Service, please visit the following URL: https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide?tabs=azure-portal
Domain : Monitor and maintain Azure resources
Q5 : You have to configure Application Insights for a set of applications. Each application has different requirements. Below are the requirements for each application.
- whizlabapp1 – Be able to see if users are progressing through the entire business process for the application.
- whizlabapp2 – Here, one should analyze the load times and other properties that could influence conversion rates for the application.
- whizlabapp3 – Here, one should be able to analyze how many users return to the application.
- whizlabapp4 – Here, one should be able to see the places where users repeat the same action over and over again.
Which of the following feature of Application Insights could be used for the application whizlabapp2?
A. Impact
B. Retention
C. User Flows
D. Funnels
Correct Answer: A
Explanation
This can be accomplished with the Impact feature of Application Insights.
The Microsoft documentation mentions the following.
Since this is clearly mentioned in the Microsoft documentation, all other options are incorrect.
For more information on the Impact feature, please visit the following URL: https://docs.microsoft.com/en-us/azure/azure-monitor/app/usage-impact
Domain : Monitor and maintain Azure resources
Q6 : You have to configure Application Insights for a set of applications. Each application has different requirements. Below are the requirements for each application.
- whizlabapp1 – Be able to see if users are progressing through the entire business process for the application.
- whizlabapp2 – Here, one should analyze the load times and other properties that could influence conversion rates for the application.
- whizlabapp3 – Here, one should be able to analyze how many users return to the application.
- whizlabapp4 – Here, one should be able to see the places where users repeat the same action over and over again.
Which of the following feature of Application Insights could be used for the application whizlabapp3?
A. Impact
B. Retention
C. User Flows
D. Funnels
Correct Answer: B
Explanation
This can be accomplished with the Retention feature of Application Insights.
The Microsoft documentation mentions the following.
Since this is clearly mentioned in the Microsoft documentation, all other options are incorrect.
For more information on the Retention feature, please visit the following URL: https://docs.microsoft.com/en-us/azure/azure-monitor/app/usage-retention
Domain : Monitor and maintain Azure resources
Q7 : You have to configure Application Insights for a set of applications. Each application has different requirements. Below are the requirements for each application.
- whizlabapp1 – Be able to see if users are progressing through the entire business process for the application.
- whizlabapp2 – Here one should be able to analyze the load times and other properties that could influence conversion rates for the application.
- whizlabapp3 – Here one should be able to analyze how many users return to the application.
- whizlabapp4 – Here one should be able to see the places where users repeat the same action over and over again.
Which of the following feature of Application Insights could be used for the application whizlabapp4?
A. Impact
B. Retention
C. User Flows
D. Funnels
Correct Answer: C
Explanation
This can be accomplished with the User Flows feature of Application Insights.
The Microsoft documentation mentions the following.
Since this is clearly mentioned in the Microsoft documentation, all other options are incorrect.
For more information on the User Flows feature, please visit the following URL: https://docs.microsoft.com/en-us/azure/azure-monitor/app/usage-flows
Domain : Implement and manage virtual networking
Q10 : A company has set up a Load balancer that load balances traffic on ports 80 and 443 across 3 virtual machines. You have to ensure that users are assigned the same web server for the duration of their session. Which of the following would you configure for this requirement?
A. Floating IP
B. Health Probe
C. Session Persistence
D. TCP Reset
Correct Answer: C
Explanation
The Microsoft documentation mentions Session Persistence or Source IP affinity mode, as mentioned below.
Option A is incorrect since this is used when you have multiple front-end IPs.
Option B is incorrect since this is used to check the health of the back-end VM’s.
Option D is incorrect since this is used for an idle timeout.
For more information on load balancer distribution mode, please go to the below URL: https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-distribution-mode
Domain : Manage Azure identities and governance
Q11 : You are the Azure administrator for a company. You have to create a custom role based on the Virtual Machine Contributor role. You have to complete the following PowerShell script.
Which of the following would come in SLOT 2?
A. Get-AzRoleDefinition
B. New-AzRoleDefinition
C. Set-AzRoleDefinition
D. Create-AzRoleDefinition
Correct Answer: B
Explanation
After we created a new role definition for “Virtual Machine Reader” based on “Virtual Machine Contributor”, we can commit a new role definition.
All other options are incorrect.
For more information on creating a custom role, please visit the below URL: https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-powershell
Domain : Deploy and manage Azure compute resources
Q12 : A company has the following set of Virtual Machines defined in the Azure account.
| Name | Region |
| whizlabs-vm1 | East US |
| whizlabs-vm2 | Central US |
The company wants to move whizlabs-vm1 to another subscription. Which of the following can be implemented to fulfill this requirement?
A. Move the Virtual Machine to the Central US region first
B. You cannot move the Virtual Machine across subscriptions. You would need to delete and recreate the VM in the new subscription
C. Use the Move-AzResource powershell command to move the Virtual Machine
D. Use the Move-VMResource powershell command to move the Virtual Machine
Correct Answer: C
Explanation
You can move Azure resources across subscriptions using the Move-AzResource PowerShell command. There are just some restrictions when moving Virtual Machines.
Below is the command provided in the Microsoft documentation.
Option A is incorrect since you don’t need to move the Virtual machine to any specific region before moving it to the destination.
Option B is incorrect since you can move resources across subscriptions.
Option D is incorrect since the right command is Move-AzResource.
For more information on moving virtual machines, one can go to the following link: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/move-vm
Domain : Implement and manage virtual networking
Q13 : Your company has an Azure account and subscription. The subscription contains a virtual machine named demovm.
In your office, you have Windows 10 PC named Computer1 that is connected to the Internet.
You add a network interface to demovm as shown in the exhibit below.
From Computer1 you want to access a web service running on port 80 after demovm is started.
Which of the following must be done for this to work?
A. Attach a network interface
B. Add an incoming network security group rule for allowing traffic on port 80
C. Add an outgoing network security group rule for allowing traffic on port 80
D. Delete the DenyAllOutBound outbound port rule
E. Delete the DenyAllInBound inbound port rule
Correct Answer: B
Explanation
Here you need to add an incoming rule to allow traffic on port 80
Option A is incorrect since this needs to be done for the currently attached network interface.
Option C is incorrect since the incoming traffic needs to be allowed.
Options D and E are incorrect since you cannot delete the built-in network security group rules.
For more information on Network security groups, please go to the below URL: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
Domain : Implement and manage virtual networking
Q14 : You plan to deploy five virtual machines to a virtual network subnet.
Each virtual machine will have a public IP address and a private IP address.
Each virtual machine requires the same inbound and outbound security rules.
What is the minimum number of network security groups that you require?
A. 1
B. 2
C. 5
D. 10
Correct Answer: A
Explanation
A network security group can have multiple network interfaces assigned to it, as shown in the below diagram.
The question clearly states that the virtual machines all require the same inbound and outbound security rules. Hence we should use just the same network security group for all network interfaces.
For more information on network security groups, please visit the below URL: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-vnet-plan-design-arm
Domain : Implement and manage storage
Q15 : A company needs to create a storage account that must follow the requirements below.
- Users should be able to add files such as images and videos.
- Ability to store archive data.
- File shares need to be in place, which can be accessed across several VM’s.
- The data needs to be available even if a region goes down.
- The solution needs to be cost-effective.
Which of the following type of storage account would you create for this purpose?
A. BlockBlob Storage
B. General Purpose(v1)
C. General Purpose(v2)
D. Table storage
Correct Answer: C
Explanation
The below snapshot from the Microsoft documentation shows the different types of storage accounts.
Option B is incorrect since General Purpose V1 is not available anymore.
As we can see that only General Purpose v2 supports all of the requirements. Hence all other options are incorrect.
For more information on storage accounts, please visit the below URL: https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview
Domain : Deploy and manage Azure compute resources
Q16 : A company wants to deploy a virtual machine using a Resource Manager template. The template needs to be submitted via Azure CLI commands. The template is stored in a file named storage.json.
You need to complete the below CLI command.
Which of the following would go into SLOT 1?
A. Template
B. Deployment
C. Resource
D. Vm
Correct Answer: B
Explanation
SLOT 1 covers the word “deployment”.
All other options are incorrect.
For more information on deploying templates via the CLI, please visit the below URL: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-deploy-cli
Domain : Implement and manage virtual networking
Q17 : A company plans to use Azure Network watcher to perform the following tasks.
- Find out if a network security rule prevents a network packet from reaching a virtual machine hosted in an Azure virtual network.
- Find out if there is outbound connectivity between an Azure virtual machine and an external host.
Which of the following Network watcher feature would you use for the following requirement?
“Find out if a network security rule is preventing a network packet from reaching a virtual machine hosted in an Azure virtual network.”
A. IP Flow Verify
B. Next Hop
C. Packet Capture
D. Traffic Analysis
Correct Answer: A
Explanation
This can be done with the IP Flow Verify feature. The Microsoft documentation mentions the following.
Option B is incorrect since this feature is used to get the next hop type and IP address of a specific VM packet.
Option C is incorrect since this feature is used for deep-dive network packet capture.
Option D is incorrect since this feature is a cloud-based solution that provides visibility into user and application activity in cloud networks.
For more information on the IP Flow Verify feature, please visit the below URL: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview
Domain : Implement and manage storage
Q18 : Your company wants to provision an Azure storage account. The storage account needs to meet the following requirements.
- Should be able to support hot, cool, and archive blob tiers.
- Should be able to provide fault tolerance if a disaster hits the Azure region, which has the storage account.
- Should minimize on costs.
You need to complete the below command to create the storage account.
Which of the following would go into Slot2?
A. Standard_GRS
B. Standard_LRS
C. Standard_RAGRS
D. Premium_LRS
Correct Answer: A
Explanation
Standard_GRS, which is geo-redundant storage would ensure that data is available in a secondary region if the primary region goes down.
The Microsoft documentation mentions the following.
Options B and D are incorrect since these don’t guarantee that data will be available if a region goes down.
Option C is incorrect since the costs would be more than Standard_GRS.
For more information on geo-redundant storage, please visit the below URL: https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-grs
Domain : Manage Azure identities and governance
Q19 : A company has set up an Azure subscription. They have provisioned a storage account and are currently using the BLOB service. They want to assign permissions to 3 user groups.
- GroupA – This group should have the ability to manage the storage account.
- GroupB – This group should be able to manage containers within a storage account.
- GroupC – This group should be given full access to Azure Storage blob containers and data, including assigning POSIX access control.
You need to assign the relevant Role-Based Access Control, ensuring the privilege of least access.
Which of the following would you assign to GroupB?
A. Owner
B. Contributor
C. Storage Account Contributor
D. Storage Blob Data Contributor
E. Storage Blob Data Owner
Correct Answer: D
Explanation
This can be accomplished with the Storage Blob Data Contributor.
The Microsoft documentation mentions the following.
Options A and B are incorrect since these would provide more permissions than required.
Options C and E are incorrect since these roles don’t have the required permissions.
For more information on built-in roles, please visit the below URL: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
Domain : Deploy and manage Azure compute resources
Q20 : As an IT admin, you have to develop scripts that need to be used to add data disks to an existing virtual machine. Below is the incomplete script.
Which of the following would go into Slot5?
A. Set-AzVM
B. Update-AzVM
C. Get-AzVM
D. New-AzVM
Correct Answer: B
Explanation
An example of this is given in the Microsoft documentation.
Since this is clearly given in the Microsoft documentation, all other options are incorrect.
For more information on managing data disk, please visit the below URL: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-manage-data-disk
Domain : Manage Azure identities and governance
Q21 : A company is planning to use Azure for the various services they offer. They want to ensure that they can bill each department for the resources they consume. They decide to use Azure policies to separate the bills department wise.
Would this fulfill the requirement?
A. Yes
B. No
Correct Answer: B
Explanation
Azure policies are used from a governance perspective and can’t be used to create bills department wise.
For more information on Azure policies, please visit the below URL: https://docs.microsoft.com/en-us/azure/governance/policy/overview
Domain : Manage Azure identities and governance
Q22 : A company has an Azure subscription that contains the following resource groups.
| Name | Lock Name | Lock type |
| whizlabs-rg1 | None | None |
| whizlabs-rg2 | whizlablock1 | Delete |
The resource group whizlabs-rg1 contains the following resources.
| Name | Type | Lock Name | Lock type |
| whizlabstore2090 | Storage account | whizlablock2 | Delete |
| whizlabnetwork | Virtual network | whizlablock3 | Read-only |
| whizlabip | Public IP address | None | None |
Would you be able to move the resource whizlabstore2090 from the resource group whizlabs-rg1 to whizlabs-rg2?
A. Yes
B. No
Correct Answer: A
Explanation
Delete lock on a resource group, means that any resource, which is contained by a resource group, cannot be deleted. The idea behind delete lock is to avoid any resource deletion by mistake. Moreover, if an entire resource group is deleted, in production, by a malicious user or by mistake, it can cause serious problems, which may even impact the end-users. Delete lock puts no other restrictions. Resources can always be added to a resource group with a delete lock.
From this explanation, it is clear, that correct A (yes) is the correct answer, and all other answers are wrong.
For more information on resource locks, please visit the following URL: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources
Domain : Manage Azure identities and governance
Q23 : A company has an Azure subscription that contains the following resource groups.
| Name | Lock Name | Lock type |
| whizlabs-rg1 | None | None |
| whizlabs-rg2 | whizlablock1 | Delete |
The resource group whizlabs-rg1 contains the following resources.
| Name | Type | Lock Name | Lock type |
| whizlabstore2090 | Storage account | whizlablock2 | Delete |
| whizlabnetwork | Virtual network | whizlablock3 | Read-only |
| whizlabip | Public IP address | None | None |
Would you be able to move the resource whizlabnetwork from the resource group whizlabs-rg1 to whizlabs-rg2?
A. Yes
B. No
Correct Answer: A
Explanation
We would be able to move the resource whizlabnetwork from the resource group whizlabs-rg1 to whizlabs-rg2. The virtual network whizlabnetwork has a Read-only lock. It means that we can’t delete or modify this resource without removing the lock. But this lock doesn’t prevent us from moving a resource from one resource group to another. The current whizlabnetwork resource group, whizlabs-rg1, doesn’t have any locks. The destination resource group, whizlab-rg2, has a Delete lock. This lock prevents the deletion of this resource group and all resources within it. It doesn’t restrict the movement of the resources to this group from other groups.
Hence, A is the correct answer.
For more information on resource locks, please visit the following URL: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources
Domain : Implement and manage virtual networking
Q24 : A company has the following virtual machines defined as part of their subscription.
| Name | Operating System | Connect to |
| vmwhizlab1 | Windows Server 2019 | SubnetA |
| vmwhizlab2 | Windows Server 2019 | SubnetB |
- Public IP addresses are assigned to the virtual machines.
- At the operating system level, incoming remote desktop connections have been allowed.
- Both of the subnets are in the same virtual network.
- A network security group named nsg-whizlab1 has been assigned to SubnetA. This network security group only has the default rules.
- A network security group named nsg-whizlab2 has been assigned to the network interface of vmwhizlab2. This network security group has an additional rule with the following details.
- Priority: 100
- Name: nsgrule
- Port: 3389
- Protocol: TCP
- Source: Any
- Destination: Any
- Action: Allow
Is it possible to remote desktop to Public IP of vmwhizlab2 from vmwhizlab1?
A. Yes
B. No
Correct Answer – B
Explanation
- If we would have not added nsg-whizlab1 to SubnetA, then RDP to vmwhizlab1 is possible.
The reason, since we have created a Windows VM, the RDP port is by-default added to Inbound rules.
- In the given scenario, we are creating a new NSG called nsg-whizlab1, and it does not have an RDP port added to it. We need to get it added by creating a new rule.
Due to this reason “remote desktop” to vmwhizlab2 from vmwhizlab1 is not possible.
Hence, B is the correct answer.
Domain : Implement and manage storage
Q25 : A company has two applications, wlappA and wlAppB. Below are the details of each application.
- wlappA – This application is deployed to an Azure Web App. Managed Identity has been enabled for the web app.
- wlappB – This application is deployed to an Azure Container Instance. Managed Identity has been enabled on the container instance.
These applications require access to a storage account. The solution needs to limit the use of secrets. Also, wlappB should only be able to access the storage account for a maximum of 15 days.
Which of the following features needs to be used to allow wlappA to access the storage account?
A. CORS
B. Access Keys
C. Shared Access Signatures
D. Managed Identity
Correct Answer: D
Explanation
Managed identities are identities created by ARM (Azure Resource Manager) and assigned to the resource for which it is enabled. The big advantage of managed identity is that its life cycle is tightly coupled with the resource. When a resource is deleted the corresponding Manage Identity is also deleted. This means a security admin will not have to maintain Managed Identity.
Since WlAppA uses Managed Identity, WlAppA can access the Storage Account via IAM. As per requirement, we need to minimize the number of secrets used, so Access keys are not ideal in this scenario.
Option A is incorrect since this is used to enable or disable Cross-Origin Resource sharing.
Option B is incorrect We use this option to have an authorized access to the storage account created, and in this scenario, we are working with managed identities. So no need for access keys for authorized acess.
Option C is incorrect since this is required to provide access to the storage account’s resources for a specified period of time.
Option D is correct since we need to minimize the use of secrets. Hence, we can use the Managed Identity to access the Key vault to get the storage account keys’ values.
For more information on working with access keys, please visit the following URL: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
Domain: Implement and manage storage
Q26 : A multinational company has a storage account named “mncstore”.
The communication between a client application and the storage account is encrypted using Transport Layer Security (TLS). Which of the following TLS version is not supported by the azure storage account?
-
1.0
-
1.1
-
1.2
-
1.3
Correct Answer: D
Explanation: Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility.
Option A is incorrect because 1.0 is supported for backward compatibility of previous version of TLS that is now deprecated for most of the applications.
Option B is incorrect because 1.1 is still supported for the legacy applications.
Option C is incorrect because azure storage uses the 1.2 version for TLS public endpoints.
Option D is correct because it is not supported by the azure storage account at the moment.
Domain: Deploy and manage Azure compute resources
Q 27: ABCD Corp. is a multinational company which develops software.
Research department of the company creates and destroys virtual machines on a regular basis for their development and testing purposes. Which of the following VM series is well suited for the given scenario?
- Ls-Series
- F-Series
- Bs-Series
- Mv2-Series
Correct Answer: C
Explanation: Bs-series VMs are economical virtual machines that provide a low-cost option for workloads that typically run at a low to moderate baseline CPU utilization, but sometimes need to burst to significantly higher CPU utilization when the demand rises. Bs-series VMs are not hyperthreaded.
Example workloads include development and test servers, low-traffic web servers, small databases, micro services, servers for proof-of-concepts, and build servers.
Option A is incorrect because the Ls-series VMs are storage optimised, and are ideal for applications requiring low latency, high throughput, and large local disk storage.
Option B is incorrect because F-series VMs has a higher CPU-to-memory ratio. They are equipped with 2 GB RAM and 16 GB of local solid-state drive (SSD) per CPU core and are optimized for compute intensive workloads.
Option C is correct because Bs-series VMs are economical virtual machines that provide a low-cost option for workloads that typically run at a low to moderate baseline CPU utilization, but sometimes need to burst to significantly higher CPU utilization when the demand rises. This is best suited for the test/dev environments.
Option D is incorrect because The Azure Mv2-series virtual machines are hyper-threaded and feature Intel® Xeon® Platinum 8180M 2.5GHz (Skylake) processors, offering up to 416 vCPU on a single VM and offer 3TB, 6 TB, and 12 TB memory configurations. This is by far the largest-memory virtual machine offered on Azure and provides unparalleled computational performance to support large in-memory databases.
Reference: https://azure.microsoft.com/en-in/pricing/details/virtual-machines/series/
Q 30: A multinational company has its infrastructure in Azure Cloud. They have 4 virtual machines hosting various applications. The company wants to backup these VMs using Azure Backup. What is the correct order of configuring the VMs for backup?
A. Click on +Backup Sign
B. Create a Recovery Services vault
C. Open Backup Center
D. Create or select existing backup policy
E. Click on Add and select the VMs to be backed up
F. Click on Enable backup
Correct Order: B-C-A-D-E-F
Correct Answer:
B. Create a Recovery Services vault
C. Open Backup Center
A. Click on +Backup Sign
D. Create or select existing backup policy
E. Click on Add and select the VMs to be backed up
F. Click on Enable backup
Explanation: Before you could backup Azure Virtual Machines, you need to have a recovery services vault. Once you have the recovery services vault created, open the backup center, click on Backup and add the VMs that need to be backed up and enable backup.
To configure the backup, first we need to create Recovery services. Once the recovery services vault is created, create a backup policy and add the VM to the backup policy and then click on the enable backup option to complete the configuration of the backup.
Reference: https://docs.microsoft.com/en-us/azure/backup/quick-backup-vm-portal
Domain: Monitor and maintain Azure resources
Q 31: A multinational company has its infrastructure in Azure Cloud. After reviewing quarterly reports, they found that they are overspending their budget limits. Thus, the company recommended setting alerts in cost management to have better visibility. Which of the following alert types cannot be set for cost management?
A. Budget alert
B. Credit alert
C. Department spending quota alert
D. Forecast alert
Correct Answer: D
Explanation: You can view forecasted costs narrowed to a single service. For example, you might want to see forecasted costs for just virtual machines, however, you can’t set up alerts for the same.
Option A is incorrect because Budget alerts notifies you when your spending, based on usage or cost, reaches or exceeds the amount defined in the alert condition of the budget.
Option B is incorrect because Credit alerts notify you when your Azure Prepayment is consumed. Credit alerts are generated automatically at 90% and at 100% of your Azure Prepayment credit balance.
Option C is incorrect because Department spending quota alerts notify you when department spending reaches a fixed threshold of the quota.
Option D is correct because you can view forecasted costs narrowed to a single service. For example, you might want to see forecasted costs for just virtual machines, however, you can’t set up an alert for the same.
Domain: Monitor and maintain Azure resources
Q 32: An international IT company has deployed 200 Windows and Linux virtual machines in the Azure cloud. The company is planning on setting up VM insights in all Virtual Machines. Which of the following are the requirements for rolling out VM insights? (Select Three)
A. A connection from the virtual machine to the address 169.254.169.254.
B. A Log Analytics workspace
C. Global Administrator Rights
D.A Dependency Agent
E. A separate network Subnet
Correct Answer: A, B, D
Explanation: VM insights monitor the performance and health of your virtual machines and virtual machine scale sets, including their running processes and dependencies on other resources. It can help deliver predictable performance and availability of vital applications by identifying performance bottlenecks and network issues and can also help you understand whether an issue is related to other dependencies.
Option A is correct because dependency agents for VM Insights require a connection from the virtual machine to the address 169.254.169.254. This is the Azure metadata service endpoint. Ensure that firewall settings allow connections to this endpoint.
Option B is correct because VM insights collect its data from one or more Log Analytics workspaces in Azure Monitor. Prior to onboarding agents, you must create and configure a workspace.
Option C is incorrect because Global Administrator rights are not required for configuring VM insights.
Option D is correct because VM insights require the Dependency agent that is how it interacts with VMs.
Option E is incorrect because no separate subnet is required for this rollout.
Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/vm/vminsights-enable-overview
Domain:Monitor and maintain Azure resources
Q 33: A multinational software development company has its head office in Virginia, US, and branch office in Houston, US. The company has 100 Virtual machines running on-premises. The company has configured Azure Site recovery in Azure Cloud for their business continuity plan. The network connectivity is lost due to the cyclone at the head office region. What steps need to be taken to failover the systems to the azure cloud? Please list them in the correct order.
A. Select the VM and Click on Failover
B. Commit
C. Go to Recovery Services Vault > Replicated Items
D. Choose the Recovery Point and Shutdown the source server
Correct Order: C-A-D-B
C. Go to Recovery Services Vault > Replicated Items
A. Select the VM and Click on Failover
D. Choose the Recovery Point and Shutdown the source server
B. Commit
Explanation:
To failover the servers over to azure, we first need to browse Recovery Services Vault and choose the Replicated Items, select the VM which you would like to failover and click on Failover option.
You will be provided with the option of choosing Recovery Point that you would like to restore from the server.
At this point you are ready to shut down the source server. Once you are ready and have tested the failover, please click on Commit.
Reference: https://docs.microsoft.com/en-us/azure/site-recovery/azure-to-azure-tutorial-failover-failback
Domain: Monitor and maintain Azure resources
Q 34: A small corporation has 50 VMs (Virtual Machines) on-premises and 20 VMs in Azure. On-premises is connected to Azure using site to site connectivity. 5 Azure VMs are having network connectivity issues. Which of the following solutions would you utilize to examine the connectivity issues?
A. Microsoft Management Agent
B. Dependency Agent
C. Azure Network Watcher
D. Azure Log Analytics
Correct Answer: C
Explanation: Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. Network Watcher is designed to monitor and repair the network health of IaaS (Infrastructure-as-a-Service) products which includes Virtual Machines, Virtual Networks, Application Gateways, Load balancers, etc.
Option A is incorrect because the Microsoft Monitoring Agent is a service used to watch and report on application and system health on a Windows computer.
Option B is incorrect because the Dependency Agent discovers data about processes running on the VM and external process dependencies.
Option C is correct because Network Watcher provides the ability to diagnose the most common VPN Gateway and Connections issues.
Option D is incorrect because Log Analytics is a tool in the Azure portal to edit and run log queries from data collected by Azure Monitor logs and interactively analyze their results.
Reference: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
Domain: Deploy and manage Azure compute resources
Q 35: A Multinational Company is preparing a test environment for the Research team. The team deployed the latest Visual Studio edition. The test environment requires several third-party applications to support the application testing across the organization. The support team created a customized image for the research team. The customized VM must be saved to allow provisioning in the future. Which of the following locations would be suitable for storing this image?
A. Azure Blob Storage
B. Azure Files
C. Remote File Server
D. On-prem Server Location
Correct Answer: A
Explanation: Managed images are helpful in the development and test environments where you need a consistent baseline VM. A managed image resource can be stored as either a managed disk or an unmanaged disk in a storage account.
Option A is correct because all the images that are going to be used for deploying virtual machines in the cloud need to be stored in Azure blobs as an object.
Option B is incorrect because Azure Files cannot be used to store images as these are accessible via the industry-standard SMB.
Option C is incorrect because VM images need to be stored in Azure for deploying the VMs in the cloud.
Option D is incorrect because on-prem server would not allow deployment of the VM over the cloud.
Outdated Questions:
Domain: Implement and manage virtual networking
Type – drag and drop – Matching
Q 29: Microsoft Azure provides a number of solutions for load balancing and secure network connections in the cloud. Below are some of the networking solutions and their definitions, matching the correct solution with their definition.
|
|
|
B. Network security as a natural extension of an application’s structure. |
|
C. Application-level routing and load balancing services that let you build a scalable and highly available web front end in Azure. |
|
D. Load-balance internet and private network traffic with high performance and low latency. |
Correct Answer: 1-D, 2-A, 3-B, 4-C
| 1. Load balancer | D. Load-balance internet and private network traffic with high performance and low latency. |
| 2. Network Security Groups | A. Filter network traffic to and from Azure resources in an Azure virtual network. |
| 3. Application Security Groups | B. Network security as a natural extension of an application’s structure. |
| 4. Azure Application Gateway | C. Application-level routing and load balancing services that let you build a scalable and highly available web front end in Azure. |
Explanation:
Load balancer: Load-balance internet and private network traffic with high performance and low latency. Instantly add scale to your applications and enable high availability. Load Balancer works across virtual machines, virtual machine scale sets, and IP addresses.
Network Security Groups: You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.
Application Security Groups: Application security groups enable you to configure network security as a natural extension of an application’s structure, allowing you to group virtual machines and define network security policies based on those groups. You can reuse your security policy at scale without manual maintenance of explicit IP addresses. The platform handles the complexity of explicit IP addresses and multiple rule sets, allowing you to focus on your business logic.
Azure Application Gateway: Azure Application Gateway gives you application-level routing and load balancing services that let you build a scalable and highly-available web front end in Azure. You control the size of the gateway and scale your deployment based on your needs.
Reference:
https://azure.microsoft.com/en-us/services/application-gateway/
https://azure.microsoft.com/en-us/services/load-balancer/
https://docs.microsoft.com/en-us/azure/virtual-network/application-security-groups
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
Domain: Deploy and manage Azure compute resources
Q 28: A small organization has 5 Windows Server 2022 Images storage in Azure Compute Gallery. Each of these images is 2 TB in size. The company wants to deploy VMs from these images in the quickest way possible. Which of the following technologies will assist them in achieving this?
- Generalize Image
- Shallow Replication
- Specialize Image
- Direct Share
Correct Answer: B
Explanation: When you create an image version, you can set the ‘replication mode’ to shallow for development and test. Shallow replication skips copying the image, so the image version is ready much faster. Shallow replication can also be useful if you have very large images (up to 32TB) that aren’t frequently deployed. As the source image isn’t copied, larger disks can be used.
Option A is incorrect because Generalizing Image is a process that removes machine and user-specific information from the VM.
Option B is correct because Shallow replication skips copying the image, so the image version is ready much faster.
Option C is incorrect because specialized images do not have an ‘osProfile’ associated with them. VMs and scale sets created from specialized images can be up and running quickly. Because they are created from a source that has already been through the first boot, VMs created from these images boot faster.
Option D is incorrect because direct share shares the gallery with subscriptions and tenants. Only the owner of a subscription, or a user or service principal with the Compute Gallery Sharing Admin role at the subscription or gallery level, can share the gallery.
Domain: Describe cloud concepts
You have been asked to identify various benefits of the Cloud. Which of the following should you recommend for each requirement?
Drag the appropriate cloud benefit to the correct answer area.
Incorrect part: (Random match)
| Benefit | Answer Area |
| Scalability | The ability of the system to recover from failures and continue to work. |
| Manageability | Forecasting the cost of the cloud spend. |
| Reliability | Ability to adjust resources to meet varying demand |
| Predictability | Using the web portal, CLI, and/or PowerShell to create and delete resources in the cloud |
Correct answers – Correct Match
1-C, 2-D, 3-A, 4-B
Explanation:
| Scalability | Ability to adjust resources to meet varying demand |
| Manageability | Using the web portal, CLI, and/or PowerShell to create and delete resources in the cloud |
| Reliability | The ability of the system to recover from failures and continue to work. |
| Predictability | Forecasting the cost of the cloud spend |
Explanation:
Scalability: The number of users may vary. So, the ability to add the resource capacity when the user load increases and decrease resource capacity when the user load decreases.
Manageability: We can create, update, delete and list the azure resources by using Azure Portal, Azure CLI, and Azure PowerShell. to manage your cloud environment and resources.
Reliability: Cloud computing makes data backup, disaster recovery, and business continuity easier and less expensive because data can be mirrored at multiple redundant sites. So it helps the system to recover from failures and continue to work.
Predictability: With the use of tools like Pricing Calculator, you can Forecast the cost of your cloud spends.
Reference:
Describe the benefits of high availability and scalability in the cloud – Learn | Microsoft Docs
Describe the benefits of reliability and predictability in the cloud – Learn | Microsoft Docs
Describe the benefits of manageability in the cloud – Learn | Microsoft Docs
https://docs.microsoft.com/en-us/azure/cost-management-billing/understand/plan-manage-costs
Q#2
Type: Drag and Drop – Matching
Domain: Describe Azure architecture and services
Your company has an on-premise data center (private cloud) and now they are planning to implement a hybrid cloud environment. Which Azure service do you recommend choosing for the requirements in the answer area?
Drag the appropriate service to the correct answer area.
| Azure Service | Answer Area |
| Azure ExpressRoute | Protect Cloud and On-prem resources and services from security Vulnerabilities |
| Azure VPN | Managing users from both on-premises and in the cloud |
| Azure Active Directory | Migrate Critical workloads from on-prem to Azure which requires a bandwidth of 100 Gbps. |
| Microsoft Defender for Cloud | Connect on-prem network to Azure virtual network and send encrypted traffic between them. |
Correct Answer – Correct Match
1-C, 2-D, 3-B, 4-A
| Azure ExpressRoute | Migrate Critical workloads from on-prem to Azure which requires a bandwidth of 100 Gbps |
| Azure VPN | Connect on-prem network to Azure virtual network and send encrypted traffic between them. |
| Azure Active Directory | Managing users from both on-premises and in the cloud |
| Microsoft Defender for Cloud | Protect Cloud and On-prem resources and services from security Vulnerabilities |
Explanation:
Azure ExpressRoute: Connects your on-premise network to Microsoft Cloud Services by using a fast, private connection using Fiber optic Cables. It provides bandwidth up to 100 Gbps.
Azure VPN: Azure VPN helps you to connect your Azure Virtual Network to any other network (it may be your on-prem network or another cloud provider’s network)
Azure VPN gives a maximum bandwidth of 10 Gbps only.
Azure Active Directory: With Active Directory P1 License, users can access both on-premises and cloud resources.
Microsoft Defender for Cloud: It continually accesses, secures, and defends your Azure, on-premises, and multicloud (Amazon AWS and Google GCP) resources.
Reference:
What is hybrid identity with Azure Active Directory? – Microsoft Entra | Microsoft Docs
https://azure.microsoft.com/en-in/services/expressroute/
What is Microsoft Defender for Cloud? – Microsoft Defender for Cloud | Microsoft Docs
About Azure VPN Gateway | Microsoft Docs
rag and Drop – Ordering (Arranging) [Keeping the remaining as ‘No order’]
Domain: Describe Azure architecture and services
Azure Storage account access tiers organize your data based on how frequently it will be accessed and how long it will be retained. So, Arrange the storage access tiers with their data access time periods in descending order. i.e. the access tier with the maximum number of days comes first followed by the second highest and so on. (Select Three)
Options on the left side
A. Coldline storage
B. Cool
C. Archive
D. Nearline storage
E. Hot
Correct Answer (dragged to the right side):
Correct Sequence: C, B, E (Archive, Cool, Hot)
Explanation: Azure Storage account has various access tiers. They are categorized on the basis of how frequently your data will be accessed and how long it will be retained.
The time periods for various access tiers of Azure Storage Account is
| Access Tier | Time Period (in days) |
| Hot | Frequent |
| Cool | 30 |
| Archive | 180 |
Hence in descending order of access tiers according to the time period should be
- Archive
- Cool
- Hot
Options A and D are Incorrect: Nearline storage and Coldline are the storage classes (access tiers) in Google Cloud Platform (GCP), not Azure
Reference:
Hot, Cool, and Archive access tiers for blob data – Azure Storage | Microsoft Docs
https://aws.amazon.com/s3/storage-classes/
https://cloud.google.com/storage/docs/storage-classes
Domain: Describe Azure management and governance
You need to monitor your workloads in Azure to maximize the availability and performance of your applications running in Azure.
Identify the appropriate azure service for the monitoring requirements given in the answer area and then Drag the appropriate service to the correct answer area.
Incorrect matching
| Azure Service | Answer Area |
| Azure Monitor | Setup an email alert to a specified group of people when the average CPU Utilization of VM1 gets more than 80%. Here VM1 is an azure virtual Machine. |
| Log Analytics | Monitoring User and session counts for live web apps that are running in Azure |
| Azure Monitor Alerts | Azure service to Collect, analyze and visualize logs and metrics collected from Azure resources, your on-premises resources, and even multi-cloud resources |
| Application Insights | Edit and run log queries to perform statistical analysis and visualize the result |
Correct Answers: 1-C, 2- D, 3-A, 4-B
| Azure Monitor | Azure service to Collect, analyze and visualize logs and metrics collected from Azure resources, your on-premises resources, and even multi-cloud resources |
| Log Analytics | Edit and run log queries to perform statistical analysis and visualize the result |
| Azure Monitor Alerts | Setup an email alert to a specified group of people when the average CPU Utilization of VM1 gets more than 80%. Here VM1 is an azure virtual Machine. |
| Application Insights | Monitoring User and session counts for live web apps that are running in Azure |
Explanation:
Azure Monitor: Azure’s native monitoring service which collects logs and metrics from Azure resources, your on-premises resources, and even multi-cloud resources
Azure Log Analytics: You can write a simple query that returns a set of records and then use features of Log Analytics to sort, filter, and analyze the records.
Azure Monitor Alerts: It helps to send automated emails to participants of an action group whenever your specified threshold is crossed.
An Action Group is simply a group of notification recipients (people’s email ID, Mobile number who wish to receive the notification)
Application Insights: It monitors your web applications. Application Insights is capable of monitoring applications running in Azure, on-premises, or in a different cloud environment.
You can monitor a wide range of things like Request rates, response times, failure rates, and User and session count
Reference:
Azure monitoring services –
Describe Azure Monitor – Learn | Microsoft Docs
Overview of Azure Monitor Alerts – Azure Monitor | Microsoft Docs
https://docs.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-overview
https://docs.microsoft.com/en-us/azure/azure-monitor/overview
Domain: Describe Azure management and governance
Identify the appropriate management tool for the requirements given in the answer area.
Drag the appropriate service to the correct answer area.
| Management Tools | Answer Area |
| Azure Portal | Use az vm create command to create an Azure Virtual Machine |
| Azure CLI | Use the New-AzResourceGroup cmdlet to create an Azure resource group |
| Azure Powershell | Create a series of the dependable resource by using azure’s native Infrastructure as Code tool |
| Azure Resource Manager (ARM) Template | Watching a pictorial representation of actual Azure spent and forecasted cost in Cost Management and Billing Tab |
Correct Answer – Correct matching is given below.
Correct Answers: 1-D, 2- A, 3-B, 4-C
Explanation:
| Azure Portal | Watching a pictorial representation of actual Azure spent and forecasted cost in Cost Management and Billing Tab |
| Azure CLI | Use az vm create command to create an Azure Virtual Machine |
| Azure Powershell | Use the New-AzResourceGroup cmdlet to create an Azure resource group |
| Azure Resource Manager (ARM) Template | Create a series of the dependable resource by using azure’s native Infrastructure as Code tool. |
Azure Portal: Azure portal is a web-based, unified console that provides an alternative to command-line tools. With the Azure portal, you can manage your Azure subscription by using a graphical user interface. You can:
- Build, manage, and monitor everything from simple web apps to complex cloud deployments
- Create custom dashboards for an organized view of resources
- Configure accessibility options for an optimal experience
Screenshot of Azure Cost Management and Billing Tab`
Image Source: https://docs.microsoft.com/en-us/azure/cost-management-billing/understand/plan-manage-costs
Azure CLI: It can be installed locally on Windows, Linux, and Mac platforms. It helps to manage azure resources via the command line. Every Azure CLI command begins with “az”
Azure Powershell: Azure PowerShell is a set of commands called command-lets (cmdlets) for managing Azure resources directly from PowerShell
Azure Resource Manager (ARM) Template: These templates are written in JSON which helps you to Create a series of the dependable resource by using azure’s native Infrastructure as Code tool
Reference:
New-AzResourceGroup (Az.Resources) | Microsoft Docs
What is the Azure CLI? | Microsoft Docs
ARM template frequently asked questions | Microsoft Docs
Domain: Describe Azure management and governance
You are a Cloud Engineer at Whizlabs Technologies, your company wants to host a SQL Server in Azure Virtual Machine (Azure VM) with the following Requirements:
- The VM size should be at least 8GB.
- The VM with SQL Server should be non-routable via the internet.
- The SQL Server VM should be accessible to other azure resources within the same azure virtual network as the SQL Server VM.
- The SQL Server needs to run only during the company’s office hours. Hence It does not needs to run 24X7.
- If possible try to use your existing On-Premise SQL Server Licenses in Azure.
- Minimum Latency to your end users who are based in India.
As a Cloud Engineer of Whizlabs Technologies, you should suggest the ways to optimize the cloud spent on the above SQL Server. Which of the following can be utilized to achieve the goal? [SELECT TWO]
(Options on the left):
- Azure Reserved Instance
- Choosing a cheaper Azure Region (East US)
- Azure Hybrid Benefit
- Deallocate the VM when not in use
- Make a VM of small size like 2 GB (To save cost)
- Implement Azure Advisor Cost Recommendations
Correct Answer (dragged to the right side):
- Azure Hybrid Benefit
- Deallocate the VM when not in use
- Implement Azure Advisor Cost Recommendations
Explanation:
Option A is Incorrect: The requirements do not explicitly mention if the company needs to run this VM for 1 or more years. Hence Azure Reserved Instances Benefit is not applicable
Option B is Incorrect: Azure Charges its customer for the Data going out of Azure. Hence choosing a region different from the end users’ region may not be highly beneficial.
Also, selecting a region far away from the customers may result in latency issues.
Option C is Correct: The question mentions that the company already has some on-premise SQL Server Licenses, hence it can use the azure hybrid benefit.
Option D is Correct: Deallocating the VM helps us to save the CPU Cost, but you still have to pay for the OS Disk of the VM. More Details here.
Also according to the company’s requirements, the VM should only work during office hours. Hence deallocation will help save some costs.
Option E is Incorrect: The requirements clearly say the VM should of at least 8 GB in size
Option F is Correct: Azure Advisor is like a cloud consultant that helps you follow the best practices recommended by Microsoft Azure. It gives cost recommendations also to optimize your cloud spending.
It gives recommendations on cost, reliability, performance, operational excellence, and security to optimize your cloud environment.
Reference:
Describe factors that can affect costs in Azure – Learn | Microsoft Docs
https://azure.microsoft.com/en-in/pricing/hybrid-benefit
Azure Reserved Virtual Machine Instances | Microsoft Azure
Introduction to Azure Advisor – Azure Advisor | Microsoft Docs
Domain: Describe Azure architecture and services
You found that GRS automatically replicates data from your primary region to a secondary region (also known as Region Pair). So, as part of your business continuity and disaster recovery strategy, your company decided to choose GRS replication for your Azure Storage Account.
So, Can we choose the secondary region in the ‘Region Pair’ where we want to replicate our data?
A. True
B. False
Correct Answer: True
Explanation: The Question asks if a customer can choose the Region Pairs or if They are pre-decided from Microsoft.
Microsoft Docs clearly says, “ it is not possible to create your own regional pairings.”
Every Azure Region is paired with another Azure Region for cross-region replication based on proximity. Every Region Pair is at least 300 miles of separation.
For example, if you created a storage account in East US Region, with GRS Replication it will automatically pick West US as a secondary region.
Reference: Cross-region replication in Azure | Microsoft Docs
Domain: Describe Azure management and governance
Your company is considering to adopt Azure for running their business workloads. But they have a few requirements given in the answer area. So, drag the appropriate tool that matches the given in the answer area.
| Management Tool | Answer Area (Use Case) |
| Service Trust Portal | Compare & Predict the savings after comparing a cloud-hosted solution with an on-premises hosted solution |
| Pricing Calculator | Compare and Predict the costs of azure services |
| Total Cost of Ownership (TCO) Calculator | Get Information about azure service issues and planned maintenance |
| Azure Service Health | Get information about international standards, compliance documents, and audit results that Azure provides for itself |
Explanation:
Correct Answer – Correct Option
1-D,2-B,3-A,4-C
| Service Trust Portal | Get information about international standards, compliance documents and audit results that Azure provides for itself |
| Pricing Calculator | Compare and Predict the costs of azure services |
| Total Cost of Ownership (TCO) Calculator | Compare & Predict the savings after comparing a cloud-hosted solution with an on-premises hosted solution |
| Azure Service Health | Get Information about azure service issues and planned maintenance |
Service Trust Portal: It is a web portal that provides details about the data protection standards and regulatory requirements, Like FedRamp, and ISO 27001 which are fulfilled by Microsoft Azure.
Pricing Calculator: this is a tool that helps you estimate the cost of Azure products. The options that you can configure in the Pricing Calculator vary between products, but basic configuration options include
- Region
- Tier
- Offers and Discounts (like Azure Hybrid Benefit / Azure Reservations)
Total Cost of Ownership (TCO) Calculator: A tool to estimate cost savings you can realize by migrating to Azure.
- You can also generate a report that compares the costs of on-premises infrastructures with the costs of using Azure products and services in the cloud.
Azure Service Health: It helps to know about any regional outage of an azure service. Like Azure Virtual Machines not working in East US Region.
It also informs about any planned maintenance which may impact your Azure resources.
Reference:
Service Trust Portal (microsoft.com)
https://azure.microsoft.com/pricing/calculator
What is Azure Service Health? – Azure Service Health | Microsoft Docs
https://azure.microsoft.com/en-in/pricing/tco/calculator
Domain: Describe Azure management and governance
Identify the appropriate Azure Service for the requirements given in the answer area. Drag the appropriate service to the correct answer area.
| Azure Service | Answer Area |
| Microsoft Defender for Cloud | A service which helps to Deny the creation of any other resource which is not defined in the list of allowed resources. |
| Azure Advisor | An Azure Service which tracks security Vulnerabilities, and detects and resolves threats to resources, and services. |
| Azure Policy | It helps to create a Package that consists of a set of resource groups, policies, role assignments, and ARM template deployments to help with environment setup. |
| Azure Blueprint | An Azure service provides recommendations to implement or maintain well-architected framework principles (cost-effectiveness, performance, Reliability). |
Explanation :
(Correct Answers – Correct Match)
1-B, 2-D, 3-A, 4-C
| Microsoft Defender for Cloud | An Azure Service which tracks security Vulnerabilities; detects and resolves threats to resources and services. |
| Azure Advisor | An Azure service provides recommendations to implement or maintain well-architected framework principles (cost-effectiveness, performance, Reliability) |
| Azure Policy | A service that helps to Deny the creation of any other resource which is not defined in the list of allowed resources. |
| Azure Blueprint | It Helps to create a Package that consists of a set of resource groups, policies, role assignments, and ARM template deployments to help with environment setup. |
Microsoft Defender for Cloud: It continually accesses, secures, and defends your Azure, on-premises, and multicloud (Amazon AWS and Google GCP) resources.
Azure Advisor: Azure Advisor is like a cloud consultant that helps you follow the best practices recommended by Microsoft Azure (Known as the well-architected Framework) to optimize your cloud environment.
Azure Policy: It helps to enforce organizational standards and to assess compliance at scale. It can audit or block the creation of resources that do not comply with your policy definition. There are 800+ Built In policy definitions.
Like, Block the creation of Resources if ‘Tag’ is missing or Allowing only the creation of resources that are specified in the policy definition as ‘Allowed’
Azure Blueprint: Blueprints are a declarative way to preserve the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed).
Reference:
Introduction to Azure Advisor – Azure Advisor | Microsoft Docs
Overview of Azure Policy – Azure Policy | Microsoft Docs
What is Microsoft Defender for Cloud? – Microsoft Defender for Cloud | Microsoft Docs
Overview of Azure Blueprints – Azure Blueprints | Microsoft Docs
Domain: Describe Azure architecture and services
Can Azure Active Directory save its activity logs to Azure Monitor?
A. Yes
B. No
Answer: A
Explanation: Azure Monitor is a native monitoring tool for Azure Resources. Azure Monitor helps to Collect, analyze and visualize logs and metrics collected from Azure resources, your on-premises resources, and even multi-cloud resources.
You can route Azure Active Directory (Azure AD) activity logs to several endpoints for long-term retention and data insights.
Azure Active Directory Activity Logs can be shared with Azure Monitor for rich visualization and monitoring capabilities.
Reference: Azure AD Activity Logs in Azure Monitor – Microsoft Entra | Microsoft Docs
Domain : Manage Azure identities and governance
Q9 : A company currently has an Azure account and subscription. They are planning to make their application available 99.99% of the time using Virtual Machines and a Load balancer. Which of the following would need to be in place? You have to minimize costs associated with the solution.
A. Create a Basic Load balancer
B. Create a Standard Load balancer
C. Add 2 Virtual Machines to the backend pool
D. Add a Virtual Machine to the backend pool
Correct Answers: B and C
Explanation
To solve this problem you need to use a Standard Load balancer with two virtual machines as a backend pool.
This is clearly mentioned in the Microsoft documentation.
Since this is clearly given in the Microsoft documentation, all other options are incorrect.
For more information on the SLA for the Load balancer, please go to the below URL: https://azure.microsoft.com/en-us/support/legal/sla/load-balancer/v1_0/
Domain : Implement and manage virtual networking
Q8 : You have set up a computer named whizlabclient1 that has a point-to-site VPN connection to an Azure virtual network named whizlabnetwork. The point-to-site connection makes use of a self-signed certificate. You now have to establish a point-to-site VPN connection to the same virtual network from another computer named whizlabclient2. The VPN client configuration package is downloaded and installed on the whizlabclient2 computer.
You decide to use Azure Active Directory to authenticate the whizlabclient2 computer.
Would the above decision fulfill the requirement?
A. Yes
B. No
Correct Answer: B
Explanation
There is no need to use the Azure Active Directory to authenticate the whizlabclient2 computer.
Azure accepts a P2S VPN connection, but the user has to be authenticated first.
There are two mechanisms that Azure offers to authenticate a connecting user.
- Authenticate using the native Azure certificate authentication
- Authenticate using the native Azure Active Directory authentication
So there is already native Azure Certificate authentication used for clients connecting to a VNet over a Point-to-Site VPN connection.
Once you obtain a root certificate, you upload the public key information to Azure. The root certificate is then considered ‘trusted’ by Azure for connection over P2S to the virtual network. You also generate client certificates from the trusted root certificate and then install them on each client computer. The client certificate is used to authenticate the client when it initiates a connection to the VNet.
In the question, it is already mentioned that a VPN client should have a VPN client certificate so there is no need for AD authentication. Hence B is the right answer.
For more information on Point-to-Site VPN connections, please visit the following URL: https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about
Summary
Did you find these free questions and answers helpful? Well, there are a lot more unique questions in Microsoft Azure Administrator AZ-104 Practice Tests. Before you take the actual AZ-104 exam, learn through these mock tests which help in passing the exam on the very first attempt. Keep Learning and growing with Whizlabs!
- 25 Free Questions on MS-101: Microsoft 365 Mobility and Security - November 13, 2022
- What is Snowpipe & how does it works? - October 7, 2022
- Preparation Guide on DP-420 Designing and Implementing Cloud-Native Applications Using Microsoft Azure Cosmos DB Certification - September 12, 2022
- Preparation guide on MB-910: Microsoft Dynamics 365 Fundamentals (CRM) Certification Exam - August 5, 2022
- Snowflake Certifications – Which snowflake certification is best for you? - July 11, 2022
- All you need to know about Certified Ethical Hacker Certification - June 16, 2022
- What are Hands-On Labs? A beginner’s guide to Hands-on Labs - May 17, 2022
- 25 Free Question on Salesforce Administrator Certification - April 26, 2022
Hi, How to get mock tests for AZ-104. Please share the link