Examtopics Microsoft's AZ-104 Yes or No

Question #: 2 Topic #: 1
Note: The question is included in a number of questions that depicts the identical set-up. However, every question
has a distinctive result. Establish if the solution satisfies the requirements.
Your company has an Azure Active Directory (Azure AD) subscription.
You want to implement an Azure AD conditional access policy.
The policy must be configured to require members of the Global Administrators group to use Multi-Factor
Authentication and an Azure AD-joined device when they connect to Azure AD from untrusted locations.
Solution: You access the multi-factor authentication page to alter the user settings.
Does the solution meet the goal?
A. Yes
B. No
Suggested Answer: B 🗳️
Community vote distribution
• B (100%)
Solution: You access the Azure portal to alter the session control of the Azure AD conditional access policy.
A. Yes
B. No
Reference: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-
users-mfa
• B (88%)
• 13%
Solution: You access the Azure portal to alter the grant control of the Azure AD conditional access policy.
A. Yes
B. No
Suggested Answer: A 🗳️
• A (93%)
• 7%
Your company makes use of Multi-Factor Authentication for when users are not in the office. The Per Authentication
option has been configured as the usage model.
After the acquisition of a smaller business and the addition of the new staff to Azure Active Directory (Azure AD)
obtains a different company and adding the new employees to Azure Active Directory (Azure AD), you are informed
that these employees should also make use of Multi-Factor Authentication.
To achieve this, the Per Enabled User setting must be set for the usage model.
Solution: You reconfigure the existing usage model via the Azure portal.
A. Yes
B. No
Since it is not possible to change the usage model of an existing provider as it is right now, you have to create a new
one and reactivate your existing server with activation credentials from the new provider.
You create a new Multi-Factor Authentication provider with a backup from the existing Multi-Factor Authentication
provider data. You cannot change the usage model (enabled user or authentication) after an MFA provider is created.
Reference: https://365lab.net/2015/04/11/switch-usage-model-in-azure-multi-factor-authentication-server/
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-authprovider
B (94%)
Your company's Azure solution makes use of Multi-Factor Authentication for when users are not in the office. The Per
Authentication option has been configured as the usage model.
Solution: You reconfigure the existing usage model via the Azure CLI.
A. Yes
B. No
You create a new Multi-Factor Authentication provider with a backup from the existing Multi-Factor Authentication
provider data. You cannot change the usage model (enabled user or authentication) after an MFA provider is created.
• B (90%)
• 10%
Your company's Azure solution makes use of Multi-Factor Authentication for when users are not in the office. The Per
Authentication option has been configured as the usage model.
Solution: You create a new Multi-Factor Authentication provider with a backup from the existing Multi-Factor
Authentication provider data.
A. Yes
B. No
B (81%)
A (19%)
Your company has an Azure Active Directory (Azure AD) tenant named weyland.com that is configured for hybrid
coexistence with the on-premises Active Directory domain.
You have a server named DirSync1 that is configured as a DirSync server.
You create a new user account in the on-premise Active Directory. You now need to replicate the user information to
Azure AD immediately.
Solution: You run the Start-ADSyncSyncCycle -PolicyType Initial PowerShell cmdlet.
A. Yes
B. No
Reference: https://blog.kloud.com.au/2016/03/08/azure-ad-connect-manual-sync-cycle-with-powershell-start-adsyncsynccycle/
• B (64%)
• A (35%)
Note: The question is included in a number of questions that depicts the identical set-up. However, every question has
a distinctive result. Establish if the solution satisfies the requirements.
Solution: You use Active Directory Sites and Services to force replication of the Global Catalog on a domain controller.
A. Yes
B. No
Correct Answer: B 🗳️
• B (100%)
Solution: You restart the NetLogon service on a domain controller.
A. Yes
B. No
• B (100%)
Your company has an azure subscription that includes a storage account, a resource group, a blob container and a
file share.
A colleague named Jon Ross makes use of a solitary Azure Resource Manager (ARM) template to deploy a virtual
machine and an additional Azure Storage account.
You want to review the ARM template that was used by Jon Ross.
Solution: You access the Virtual Machine blade.
A. Yes
B. No
You should use the Resource Group blade
questions talk about VM and storage account both which can only be reviewed at RG level accessing the Virtual
Machine blade does not provide access to the ARM template used by Jon Ross to deploy the virtual machine and an
additional Azure Storage account. The Virtual Machine blade only displays information about the virtual machine
itself and its related resources, but not the ARM template used to deploy it. To review the ARM template used by Jon
Ross, you need to access the deployment history of the resource group where the virtual machine and additional
storage account were deployed. This will show all deployments made to the resource group, including the ARM
template used for the deployment.
Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-export-template
• B (100%)
file share.
Solution: You access the Resource Group blade.
A. Yes
B. No
To view a template from deployment history:
1. Go to the resource group for your new resource group. Notice that the portal shows the result of the last
deployment. Select this link.
2. You see a history of deployments for the group. In your case, the portal probably lists only one deployment. Select
this deployment.
3. The portal displays a summary of the deployment. The summary includes the status of the deployment and its
operations and the values that you provided for parameters. To see the template that you used for the deployment,
select View template.
• A (100%)
file share.
Solution: You access the Container blade.
A. Yes
B. No
You should use the Resource Group blade
• B (100%)
Your company's Azure subscription includes two Azure networks named VirtualNetworkA and VirtualNetworkB.
VirtualNetworkA includes a VPN gateway that is configured to make use of static routing. Also, a site-to-site VPN
connection exists between your company's on- premises network and VirtualNetworkA.
You have configured a point-to-site VPN connection to VirtualNetworkA from a workstation running Windows 10.
After configuring virtual network peering between VirtualNetworkA and VirtualNetworkB, you confirm that you are
able to access VirtualNetworkB from the company's on-premises network. However, you find that you cannot
establish a connection to VirtualNetworkB from the Windows 10 workstation.
You have to make sure that a connection to VirtualNetworkB can be established from the Windows 10 workstation.
Solution: You choose the Allow gateway transit setting on VirtualNetworkA.
A. Yes
B. No
Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing
B (100%)
Solution: You choose the Allow gateway transit setting on VirtualNetworkB.
A. Yes
B. No
B (100%)
Solution: You download and re-install the VPN client configuration package on the Windows 10 workstation.
A. Yes
B. No
Correct Answer: A 🗳️
• A (97%)
Your company has a Microsoft SQL Server Always On availability group configured on their Azure virtual machines (VMs).
You need to configure an Azure internal load balancer as a listener for the availability group.
Solution: You create an HTTP health probe on port 1433.
A. Yes
B. No
• B (100%)
Solution: You set Session persistence to Client IP.
A. Yes
B. No
Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sql/virtual-machines-windows-portal-sql-
alwayson-int-listener
B (71%)
A (29%)
Solution: You enable Floating IP.
A. Yes
B. No
• A (79%)
• B (18%)
Note: This question is part of a series of questions that present the same scenario. Each question in the series
contains a unique solution that might meet the stated goals. Some question sets might have more than one correct
solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be
able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
You have a CSV file that contains the names and email addresses of 500 external users.
You need to create a guest user account in contoso.com for each of the 500 external users.
Solution: You create a PowerShell script that runs the New-AzureADUser cmdlet for each user.
Does this meet the goal?
A. Yes
B. No
The New-AzureADUser cmdlet creates a user in Azure Active Directory (Azure AD).
Instead use the New-AzureADMSInvitation cmdlet which is used to invite a new external user to your directory.
Reference: https://docs.microsoft.com/en-us/powershell/module/azuread/new-azureadmsinvitation
• B (91%)
• 9%
Solution: From Azure AD in the Azure portal, you use the Bulk create user operation.
A. Yes
B. No
Instead use the New-AzureADMSInvitation cmdlet which is used to invite a new external user to your directory.
• B (92%)
Solution: From Azure AD in the Azure portal, you use the Bulk invite users operation.
A. Yes
B. No
• B (80%)
• A (20%)
Solution: You create a PowerShell script that runs the New-MgUser cmdlet for each external user.
A. Yes
B. No
Reference: https://docs.microsoft.com/en-us/azure/active-directory/external-identities/tutorial-bulk-invite
https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.users/new-mguser?view=graph-powershell-
1.0&preserve-view=true
https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.signins/new-mginvitation?view=graph-
powershell-1.0&preserve-view=true
B (94%)
6%
Solution: You create a PowerShell script that runs the New-MgInvitation cmdlet for each external user.
A. Yes
B. No
A (80%)
B (20%)
Solution: You create a PowerShell script that runs the New-AzureADMSInvitation cmdlet for each external user.
A. Yes
B. No
Use the New-AzureADMSInvitation cmdlet which is used to invite a new external user to your directory.
https://learn.microsoft.com/en-us/azure/active-directory/external-identities/tutorial-bulk-invite
• A (89%)
• 11%
solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not
appear in the review screen.
You have an Azure Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1.
Adatum contains a group named Developers.
Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Subscription1, you assign the DevTest Labs User role to the Developers group.
A. Yes
B. No
DevTest Labs User role only lets you connect, start, restart, and shutdown virtual machines in your Azure DevTest Labs. The
Logic App Contributor role lets you manage logic app, but not access to them. It provides access to view, edit, and update a
logic app.
Reference: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#devtest-labs-user
• B (100%)
Solution: On Subscription1, you assign the Logic App Operator role to the Developers group.
A. Yes
B. No
You would need the Logic App Contributor role.
https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app
• B (100%)
Solution: On Dev, you assign the Contributor role to the Developers group.
A. Yes
B. No
The Contributor role can manage all resources (and add resources) in a Resource Group.
Reference: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#contributor
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#logic-app-contributor
A (100%)
Solution: On Dev, you assign the Logic App Contributor role to the Developers group.
A. Yes
B. No
https://www.examtopics.com/discussions/microsoft/view/67429-exam-az-104-topic-2-question-51-discussion/
• A (50%)
• B (49%)
You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to
enable Traffic Analytics for an Azure subscription.
Solution: You assign the Network Contributor role at the subscription level to Admin1.
A. Yes
B. No
Your account must meet one of the following to enable traffic analytics: Your account must have any one of the following Azure
roles at the subscription scope: owner, contributor, reader, or network contributor.
Reference: https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq
A (60%)
B (40%)
Solution: You assign the Owner role at the subscription level to Admin1.
A. Yes
B. No
Your account must meet one of the following to enable traffic analytics: Your account must have any one of the following Azure
Reference: https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-fa
A (71%)
B (29%)
Solution: You assign the Traffic Manager Contributor role at the subscription level to Admin1.
A. Yes
B. No
B (97%)
3%
Solution: You assign the Reader role at the subscription level to Admin1.
A. Yes
B. No
Your account must meet one of the following to enable traffic analytics:Your account must have any one of the following Azure
B (73%)
A (27%)
You deploy an Azure Kubernetes Service (AKS) cluster named AKS1.
You need to deploy a YAML file to AKS1.
Solution: From Azure CLI, you run az aks.
A. Yes
B. No
Reference: https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough
B (100%)
Solution: From Azure CLI, you run the kubectl client.
A. Yes
B. No
• A (100%)
Solution: From Azure CLI, you run azcopy.
A. Yes
B. No
B (100%)
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains
a unique solution that might meet the stated goals. Some question sets might have more than one correct solution,
while others might not have a correct solution.
You have an Azure virtual machine named VM1 that runs Windows Server 2016.
You need to create an alert in Azure when more than two error events are logged to the System event log on VM1 within
an hour.
Solution: You create an Azure storage account and configure shared access signatures (SASs). You install the
Microsoft Monitoring Agent on VM1.You create an alert in Azure Monitor and specify the storage account as the source
Does that meet the goal?
A. Yes
B. No
Instead: You create an Azure Log Analytics workspace and configure the data settings. You install the Microsoft Monitoring
Agent on VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.
Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview
B (100%)
You need to create an alert in Azure when more than two error events are logged to the System event log on VM1 within
an hour.
Solution: You create an event subscription on VM1. You create an alert in Azure Monitor and specify VM1 as the source
A. Yes
B. No
Instead: You create an Azure Log Analytics workspace and configure the data settings. You install the Microsoft Monitoring
Agent on VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.
B (100%)
You need to create an alert in Azure when more than two error events are logged to the System event log on VM1
within an hour.
Solution: You create an Azure Log Analytics workspace and configure the Agent configuration settings. You install
the Microsoft Monitoring Agent on VM1. You create an alert in Azure Monitor and specify the Log Analytics
workspace as the source.
A. Yes
B. No
Alerts in Azure Monitor can identify important information in your Log Analytics repository. They are created by alert rules that
automatically run log searches at regular intervals, and if results of the log search match particular criteria, then an alert record
is created and it can be configured to perform an automated response.
The Log Analytics agent collects monitoring data from the guest operating system and workloads of virtual machines in Azure,
other cloud providers, and on- premises. It collects data into a Log Analytics workspace.
Reference: https://docs.microsoft.com/en-us/azure/azuremonitor/learn/tutorial-response
https://docs.microsoft.com/enus/azure/azure-monitor/platform/agents-overview
A (100%)
You need to create an alert in Azure when more than two error events are logged to the System event log on VM1
within an hour.
Solution: You create an Azure Log Analytics workspace and configure the data settings. You add the Microsoft
Monitoring Agent VM extension to VM1. You create an alert in Azure Monitor and specify the Log Analytics
workspace as the source.
A. Yes
B. No
You must install the Microsoft Monitoring Agent on VM1, and not the Microsoft Monitoring Agent VM extension.
B (67%)
A (33%)
You have an Azure virtual machine named VM1. VM1 was deployed by using a custom Azure Resource Manager
template named ARM1.json. You receive a notification that VM1 will be affected by maintenance.
You need to move VM1 to a different host immediately.
Solution: From the Overview blade, you move the virtual machine to a different subscription.
A. Yes
B. No
You would need to redeploy the VM.
Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/redeploy-to-new-node
B (100%)
Solution: From the Redeploy blade, you click Redeploy.
A. Yes
B. No
When you redeploy a VM, it moves the VM to a new node within the Azure infrastructure and then powers it back on, retaining all
your configuration options and associated resources.
References: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/redeploy-to-new-node
A (100%)
Solution: From the Update management blade, you click Enable.
A. Yes
B. No
Reference:https://docs.microsoft.com/en-us/azure/virtual-machines/windows/redeploy-to-new-node
B (100%)
Solution: From the Overview blade, you move the virtual machine to a different resource group.
A. Yes
B. No
S uggested Answer: B 🗳️
Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/redeploy-to-new-node
B (100%)
You have an Azure subscription that contains the resources shown in the following table.
VM1 connects to VNET1.

You need to connect VM1 to VNET2.
Solution: You move VM1 to RG2, and then you add a new network interface to VM1.
A. Yes
B. No
Instead you should delete VM1. You recreate VM1, and then you add the network interface for VM1.
Note: When you create an Azure virtual machine (VM), you must create a virtual network (VNet) or use an existing VNet. You can
change the subnet a VM is connected to after it's created, but you cannot change the VNet.
Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network-overview
B (100%)

Solution: You delete VM1. You recreate VM1, and then you create a new network interface for VM1 and connect it to
VNET2.
A. Yes
B. No
A (100%)
Solution: You turn off VM1, and then you add a new network interface to VM1.
A. Yes
B. No
B (100%)

Solution: You create a new network interface, and then you add the network interface to VM1.
A. Yes
B. No
B (100%)
You have an Azure subscription named Subscription1. Subscription1 contains a resource group named RG1.
RG1 contains resources that were deployed by using templates.
You need to view the date and time when the resources were created in RG1.
Solution: From the Subscriptions blade, you select the subscription, and then click Resource providers.
A. Yes
B. No
Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-
template?tabs=azure-powershell
B (100%)
Solution: From the Subscriptions blade, you select the subscription, and then click Programmatic deployment.
A. Yes
B. No
B (100%)
Solution: From the RG1 blade, you click Automation script.
A. Yes
B. No
B (100%)
Solution: From the RG1 blade, you click Deployments.
A. Yes
B. No
A (100%)
You have an Azure subscription named Subscription1 that contains the resources shown in the following table.
Subscription1 also includes a virtual network named VNET2. VM1 connects to a virtual network named VNET2 by
using a network interface named NIC1.
You need to create a new network interface named NIC2 for VM1.
Solution: You create NIC2 in RG1 and West US.
A. Yes
B. No
The virtual machine you attach a network interface to and the virtual network you connect it to must exist in the same location,
here West US, also referred to as a region.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface
https://learn.microsoft.com/en-us/azure/virtual-network/network-overview
A (75%)
B (25%)
Solution: You create NIC2 in RG2 and Central US.
A. Yes
B. No
B (100%)
Solution: You create NIC2 in RG2 and West US.
A. Yes
B. No
A (100%)
You have an Azure subscription that contains the following resources:
✑ A virtual network that has a subnet named Subnet1
✑ Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1
✑ A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop
connections
NSG-Subnet1 has the default inbound security rules only.
NSG-VM1 has the default inbound security rules and the following custom inbound security rule:
✑ Priority: 100
✑ Source: Any
✑ Source port range: *
✑ Destination: *
✑ Destination port range: 3389
✑ Protocol: UDP
✑ Action: Allow
VM1 has a public IP address and is connected to Subnet1. NSG-VM1 is associated to the network interface of VM1.
NSG-Subnet1 is associated to Subnet1.
You need to be able to establish Remote Desktop connections from the internet to VM1.
Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the Any source to the
*destination for port range 3389 and uses the TCP protocol. You remove NSG-VM1 from the network interface of VM1.
A. Yes
B. No
The default port for RDP is TCP port 3389. A rule to permit RDP traffic must be created automatically when you create your VM.
Note on NSG-Subnet1: Azure routes network traffic between all subnets in a virtual network, by default.
Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdp-connection
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
A (69%)
B (31%)
connections
✑ Priority: 100
✑ Source: Any
✑ Destination: *
✑Protocol: UDP
✑ Action: Allow
Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the internet source to the
VirtualNetwork destination for port range 3389 and uses the UDP protocol.
A. Yes
B. No
Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdp-connection
B (76%)
A (20%)
connections
✑ Priority: 100
✑ Source: Any
✑ Destination: *
✑ Protocol: UDP
✑ Action: Allow
Solution: You add an inbound security rule to NSG-Subnet1 and NSG-VM1 that allows connections from the internet
source to the VirtualNetwork destination for port range 3389 and uses the TCP protocol.
A. Yes
B. No
Reference:https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdp-connection
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
A (55%)
B (45%)
You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named
VNet1. The point-to-site connection uses a self-signed certificate.
From Azure, you download and install the VPN client configuration package on a computer named Computer2.
You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2.
Solution: You modify the Azure Active Directory (Azure AD) authentication policies.
A. Yes
B. No
Instead export the client certificate from Computer1 and install the certificate on Computer2.
Note: Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a
client certificate from the self-signed root certificate, and then export and install the client certificate. If the client certificate is
not installed, authentication fails.
Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
B (100%)
Solution: You join Computer2 to Azure Active Directory (Azure AD).
A. Yes
B. No
https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about
B (100%)
Solution: You export the client certificate from Computer1 and install the certificate on Computer2.
A. Yes
B. No
Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client
certificate from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not
installed, authentication fails.
A (100%)
Solution: On Computer2, you set the Startup type for the IPSec Policy Agent service to Automatic.
A. Yes
B. No
Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client
certificate from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not
installed, authentication fails.
B (100%)
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate
resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You create a resource lock, and then you assign the lock to the subscription.
A. Yes
B. No
Reference: https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition
https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json
B (83%)
A (17%)
resource groups.
Solution: From the Resource providers blade, you unregister the Microsoft.ClassicNetwork provider.
A. Yes
B. No
https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition
https://docs.microsoft.com/en-us/azure/governance/policy/samples/builtin-policies
B (100%)
resource groups.
Solution: You assign a built-in policy definition to the subscription.
A. Yes
B. No
Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by
describing when the policy is enforced and what effect to take. By defining conventions, you can control costs and more easily
manage your resources.
Reference: https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition
B (100%)
resource groups.
Solution: You configure a custom policy definition, and then you assign the policy to the subscription.
A. Yes
B. No
Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by
describing when the policy is enforced and what effect to take. By defining conventions, you can control costs and more easily
manage your resources.
Reference:https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition
A (100%)
You have an Azure subscription that contains the virtual machines shown in the following table.
You deploy a load balancer that has the following configurations:

✑ Name: LB1
✑ Type: Internal
✑ SKU: Standard
✑ Virtual network: VNET1
You need to ensure that you can add VM1 and VM2 to the backend pool of LB1.
Solution: You create a Basic SKU public IP address, associate the address to the network interface of VM1, and then
start VM1.
A. Yes
B. No
A Backend Pool configured by IP address has the following limitations:
✑ Standard load balancer only
Reference: https://docs.microsoft.com/en-us/azure/load-balancer/backend-pool-management
B (100%)

✑ Name: LB1
✑ Type: Internal
✑ SKU: Standard
Solution: You create a Standard SKU public IP address, associate the address to the network interface of VM1, and
then stop VM2.
A. Yes
B. No
B (100%)

✑ Name: LB1
✑ Type: Internal
✑ SKU: Standard
Solution: You create two Standard SKU public IP addresses and associate a Standard SKU public IP address to the
network interface of each virtual machine.
A. Yes
B. No
A (83%)
B (17%)

✑ Name: LB1
✑ Type: Internal
✑ SKU: Standard
Solution: You disassociate the public IP address from the network interface of VM2.
A. Yes
B. No
A (100%)
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to
App1 are managed by using an Azure Load Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.
You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.
You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution:You create an inbound security rule that denies all traffic from 131.107.100.50 source and has a cost of 64999.
A. Yes
B. No
Reference: https://fastreroute.com/azure-network-security-groups-explained/
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#azure-platform-considerations
https://msazure.club/addendum-of-azure-load-balancer-and-nsg-rules
http://gowie.eu/index.php/azure/best-practice/23-nsg-best-practice
B (100%)
Solution: You delete the BlockAllOther443 inbound security rule.
A. Yes
B. No
Reference:https://fastreroute.com/azure-network-security-groups-explained/
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-troubleshoot-health-probe-status
B (51%)
A (49%)
Solution: You modify the priority of the Allow_131.107.100.50 inbound security rule.
A. Yes
B. No
The rule currently has the highest priority.
Reference: https://fastreroute.com/azure-network-security-groups-explained/
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface-vm#add-a-network-interface-to-an-
existing-vm
B (83%)
A (17%)
Solution: You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a cost
of 150.
A. Yes
B. No
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-troubleshoot-health-probe-status
B (53%)
A (47%)
You manage a virtual network named VNet1 that is hosted in the West US Azure region.
VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.
You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.
Solution: From Azure Network Watcher, you create a packet capture.
A. Yes
B. No
Network Watcher variable packet capture allows you to create packet capture sessions to track traffic to and from a virtual
machine. Packet capture helps to diagnose network anomalies both reactively and proactively. Other uses include gathering
network statistics, gaining information on network intrusions, to debug client-server communications and much more.
Reference:https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-manage-portal
A (81%)
B (19%)
Solution: From Azure Network Watcher, you create a connection monitor.
A. Yes
B. No
Reference: https://azure.microsoft.com/en-us/updates/general-availability-azure-network-watcher-connection-monitor-in-all-
public-regions/
B (88%)
A(12%)
Solution: From Performance Monitor, you create a Data Collector Set (DCS).
A. Yes
B. No
Use the Connection Monitor feature of Azure Network Watcher.
Reference: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview
B (100%)
Solution: From Azure Monitor, you create a metric on Network In and Network Out.
• A. Yes
• B. No
Reference: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-manage-portal
https://azure.microsoft.com/en-us/updates/general-availability-azure-network-watcher-connection-monitor-in-all-public-regions/
B (100%)

Examtopics Microsoft's AZ-104 Yes or No

Uploaded by

Copyright:

Available Formats

Examtopics Microsoft's AZ-104 Yes or No

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Examtopics Microsoft's AZ-104 Yes or No

Uploaded by

Copyright:

Available Formats

Question #: 2 Topic #: 1

VM1 connects to VNET1.

VM1 connects to VNET1.

VM1 connects to VNET1.

You deploy a load balancer that has the following configurations:

You deploy a load balancer that has the following configurations:

You deploy a load balancer that has the following configurations:

You deploy a load balancer that has the following configurations:

You might also like

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.