az-104_2-2025


100% Valid and Newest Version AZ-104 Questions & Answers shared by Certleader

https://www.certleader.com/AZ-104-dumps.html (232 Q&As)

AZ-104 Dumps

Microsoft Azure Administrator

https://www.certleader.com/AZ-104-dumps.html

The Leader of IT Certification visit - https://www.certleader.com



NEW QUESTION 1
- (Topic 5)
You have an Azure subscription that contains two Log Analytics workspaces named Workspace1 and Workspace2 and 100 virtual machines that run Windows Server.
You need to collect performance data and events from the virtual machines. The solution must meet the following requirements:
• Logs must be sent to Workspace1 and Workspace2.
• All Windows events must be captured.
• All security events must be captured.
What should you install and configure on each virtual machine?

A. the Azure Monitor agent
B. the Windows Azure diagnostics extension (WAD)
C. the Windows VM agent

Answer: A

Explanation:
Azure Monitor Agent (AMA) collects monitoring data from the guest operating system of Azure and hybrid virtual machines and delivers it to Azure Monitor for use by features, insights, and other services, such as Microsoft Sentinel and Microsoft Defender for Cloud. Azure Monitor Agent replaces all of Azure Monitor's legacy monitoring agents.
https://learn.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview

NEW QUESTION 2
HOTSPOT - (Topic 5)
You have an Azure Load Balancer named LB1.
You assign a user named User1 the roles shown in the following exhibit.

A. Mastered
B. Not Mastered

Answer: A

Explanation:
User Access Administrator can only assign access to other users.
https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles
Virtual Machine Contributor can manage VMs, which includes deleting VMs too.
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor
https://docs.microsoft.com/en-us/answers/questions/350635/can-virtual-machine-contributor-create-vm.html

NEW QUESTION 3
- (Topic 5)
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the
stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named
Developers. Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Subscription1, you assign the Logic App Operator role to the Developers group.
Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation:
The Logic App Operator role only grants the ability to read, enable, disable, and run logic apps. It does not grant the ability to create logic apps. To create logic apps, you need to assign the Logic App Contributor role or a higher-level role such as Owner or Contributor.
References: [Built-in roles for Azure resources] [Azure Logic Apps permissions and access control]

NEW QUESTION 4

HOTSPOT - (Topic 5)
You have an Azure subscription that contains an Azure Storage account named storage1 and the users shown in the following table.

You plan to monitor storage1 and to configure email notifications for the signals shown in the following table.

You need to identify the minimum number of alert rules and action groups required for the planned monitoring.
How many alert rules and action groups should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

A. Mastered
B. Not Mastered

Answer: A

Explanation:
Box 1: 4
There are 4 distinct sets of resource types (Ingress, Egress, Delete storage account, Restore blob ranges), so you need 4 alert rules. In one alert rule you can't specify different types of resources to monitor.
Box 2: 3
There are 3 distinct sets of "Users to notify": (User1 and User3), (User1 only), and (User1, User2, and User3). You can't set the action group based on the existing groups (Group1 and Group2) as there is no specific group for User1 only. So you need to create 3 action groups.

NEW QUESTION 5
HOTSPOT - (Topic 5)
You have Azure Storage accounts as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

NOTE: Each correct selection is worth one point.

A. Mastered
B. Not Mastered

Answer: A

Explanation:
Box 1: storageaccount1 and storageaccount2 only
Box 2: All the storage accounts
Note: The three different storage account options are: General-purpose v2 (GPv2) accounts, General-purpose v1 (GPv1) accounts, and Blob storage accounts.
• General-purpose v2 (GPv2) accounts are storage accounts that support all of the latest features for blobs, files, queues, and tables.
• Blob storage accounts support all the same block blob features as GPv2, but are limited to supporting only block blobs.
• General-purpose v1 (GPv1) accounts provide access to all Azure Storage services, but may not have the latest features or the lowest per gigabyte pricing.
References: https://docs.microsoft.com/en-us/azure/storage/common/storage-account-options

NEW QUESTION 6
HOTSPOT - (Topic 5)
You have a virtual network named VNet1 that has the configuration shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the
graphic.
NOTE: Each correct selection is worth one point.

A. Mastered
B. Not Mastered

Answer: A

Explanation:

https://learn.microsoft.com/en-us/azure/virtual-network/manage-virtual-network#add-or-remove-an-address-range

NEW QUESTION 7
- (Topic 5)
You have an Azure subscription that contains the resources shown in the following table.

The Not allowed resource types Azure policy that has policy enforcement enabled is assigned to RG1 and uses the following parameters:
Microsoft.Network/virtualNetworks Microsoft.Compute/virtualMachines
In RG1, you need to create a new virtual machine named VM2 which is connected to VNET1. What should you do first?

A. Create an Azure Resource Manager template.
B. Add a subnet to VNET1.
C. Remove Microsoft.Network/virtualNetworks from the policy.
D. Remove Microsoft.Compute/virtualMachines from the policy.

Answer: C

Explanation:
To create a new virtual machine named VM2 which is connected to VNET1 in RG1, you need to remove Microsoft.Network/virtualNetworks from the policy. This is
because the Not allowed resource types Azure policy denies the deployment of the specified resource types in the scope of the assignment. In this case, the policy
is assigned to RG1 and uses the parameters Microsoft.Network/virtualNetworks and Microsoft.Compute/virtualMachines. This means that you cannot create or
update any virtual networks or virtual machines in RG1. Therefore, to create VM2 and connect it to VNET1, you need to remove Microsoft.Network/virtualNetworks
from the policy parameters. This will allow you to create or update virtual networks in RG1, but still prevent you from creating or updating virtual machines.
Alternatively, you can also exclude VNET1 from the policy assignment scope, but this will affect the compliance of the policy for the entire virtual network.
References:
• Not allowed resource types (Deny)
• Create and manage policies to enforce compliance

NEW QUESTION 8
DRAG DROP - (Topic 5)
You have an Azure Active Directory (Azure AD) tenant that has the initial domain name. You have a domain name of contoso.com registered at a third-party
registrar.
You need to ensure that you can create Azure AD users that have names containing a suffix of @contoso.com.
Which three actions should you perform in sequence? To answer, move the appropriate cmdlets from the list of cmdlets to the answer area and arrange them in
the correct order.

A. Mastered
B. Not Mastered

Answer: A

Explanation:
The process is simple:
• Add the custom domain name to your directory
• Add a DNS entry for the domain name at the domain name registrar
• Verify the custom domain name in Azure AD
References: https://docs.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain

NEW QUESTION 9
HOTSPOT - (Topic 5)
Your company purchases a new Azure subscription.
You create a file named Deploy.json as shown in the following exhibit.

You connect to the subscription and run the following cmdlet:


New-AzDeployment -Location westus -TemplateFile "deploy.json"

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

A. Mastered
B. Not Mastered

Answer: A

Explanation:
Based on the file named Deploy.json and the cmdlet you ran, here are the answers to your statements:
• You can deploy a virtual machine to RG1. = No
• You can deploy a virtual machine to RG2. = No
• You can manually create a resource group named RG3. = Yes
Let me explain why:
• The Deploy.json file defines a template for creating a resource group and a virtual machine in Azure. The template has two parameters: resourceGroupName and vmName. The template also has two resources: one for the resource group and one for the virtual machine. The resource group resource has a property called name, which is set to the value of the resourceGroupName parameter. The virtual machine resource has a property called location, which is set to the value of the location parameter of the deployment cmdlet.
• The cmdlet you ran specifies the location as westus and the template file as Deploy.json. However, it does not specify any values for the resourceGroupName and vmName parameters. Therefore, the cmdlet will prompt you to enter those values interactively before creating the deployment.
• If you enter RG1 as the value for the resourceGroupName parameter and VM1 as the value for the vmName parameter, then the cmdlet will create a resource group named RG1 and a virtual machine named VM1 in the westus location. Therefore, you can deploy a virtual machine to RG1.
• However, if you enter RG2 as the value for the resourceGroupName parameter, then the cmdlet will fail with an error. This is because RG2 already exists in your subscription and you cannot create a resource group with the same name as an existing one. Therefore, you cannot deploy a virtual machine to RG2 using this template and cmdlet.
• You can manually create a resource group named RG3 by using another cmdlet: New-AzResourceGroup. This cmdlet takes two parameters: Name and Location. For example, you can run the following cmdlet to create a resource group named RG3 in westus:
New-AzResourceGroup -Name RG3 -Location westus

NEW QUESTION 10
- (Topic 5)
You have two Azure virtual machines named VM1 and VM2 that run Windows Server. The virtual machines are in a subnet named
Subnet1. Subnet1 is in a virtual network named VNet1. You need to prevent VM1 from accessing VM2 on port 3389.
What should you do?

A. Create a network security group (NSG) that has an outbound security rule to deny destination port 3389 and apply the NSG to the network interface of VM1.
B. Create a network security group (NSG) that has an inbound security rule to deny source port 3389 and apply the NSG to Subnet1.
C. Create a network security group (NSG) that has an outbound security rule to deny source port 3389 and apply the NSG to Subnet1.
D. Configure Azure Bastion in VNet1.

Answer: A

NEW QUESTION 10
- (Topic 5)
You plan to create an Azure virtual machine named VM1 that will be configured as shown in the following exhibit.
The planned disk configurations for VM1 are shown in the following exhibit.

You need to ensure that VM1 can be created in an Availability Zone.


Which two settings should you modify? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

A. Use managed disks
B. Availability options
C. OS disk type
D. Size
E. Image

Answer: AB

Explanation:
https://docs.microsoft.com/en-us/azure/site-recovery/move-azure-vms-avset-azone
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/create-portal-availability-zone
https://docs.microsoft.com/en-us/azure/virtual-machines/manage-availability
https://docs.microsoft.com/en-us/azure/availability-zones/az-overview#availability-zones

NEW QUESTION 11
HOTSPOT - (Topic 5)
You manage two Azure subscriptions named Subscription1 and Subscription2. Subscription1 has the following virtual networks:

The virtual networks contain the following subnets:

Subscription2 contains the following virtual network:
• Name: VNETA
• Address space: 10.10.128.0/17
• Region: Canada Central
VNETA contains the following subnets:

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Answer:

A. Mastered
B. Not Mastered

Answer: A

NEW QUESTION 14
HOTSPOT - (Topic 5)
You need to configure a new Azure App Service app named WebApp1. The solution must meet the following requirements:
• WebApp1 must be able to verify a custom domain name of app.contoso.com.
• WebApp1 must be able to automatically scale up to eight instances.
• Costs and administrative effort must be minimized.
Which pricing plan should you choose, and which type of record should you use to verify the domain? To answer, select the appropriate options in the answer
area.
NOTE: Each correct answer is worth one point.

Answer:

A. Mastered
B. Not Mastered

Answer: A

NEW QUESTION 18
- (Topic 5)
You have an Azure subscription named Subscription1 and an on-premises deployment of Microsoft System Center Service Manager. Subscription1 contains a virtual machine named VM1.
You need to ensure that an alert is set in Service Manager when the amount of available memory on VM1 is below 10 percent. What should you do first?

A. Create a notification.
B. Create an automation runbook.
C. Deploy the IT Service Management Connector (ITSM).
D. Deploy a function app

Answer: C

Explanation:
IT Service Management Connector (ITSMC) allows you to connect Azure to
a supported IT Service Management (ITSM) product or service. Azure services like Azure Log Analytics and Azure Monitor provide
tools to detect, analyze, and troubleshoot problems with your Azure and non-Azure resources. But the work items related to an issue typically reside in an ITSM
product or service. ITSMC provides a bi-directional connection between Azure and ITSM tools to help you resolve issues faster. ITSMC supports connections with
the following ITSM tools: ServiceNow, System Center Service Manager, Provance, Cherwell.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/itsmc-overview

NEW QUESTION 21
HOTSPOT - (Topic 4)
You need to create storage5. The solution must support the planned changes.
Which type of storage account should you use, and which account should you configure as the destination storage account? To answer, select the appropriate
options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

A. Mastered
B. Not Mastered

Answer: A

NEW QUESTION 25
HOTSPOT - (Topic 4)
You implement the planned changes for NSG1 and NSG2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

A. Mastered
B. Not Mastered

Answer: A

Explanation:

NEW QUESTION 30
HOTSPOT - (Topic 4)
You need to ensure that User1 can create initiative definitions, and User4 can assign initiatives to RG2. The solution must meet the technical requirements.
Which role should you assign to each user? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

A. Mastered
B. Not Mastered

Answer: A

Explanation:

NEW QUESTION 35
- (Topic 4)
You need to add VM1 and VM2 to the backend pool of LB1. What should you do first?

A. Create a new NSG and associate the NSG to VNET1/Subnet1.
B. Connect VM2 to VNET1/Subnet1.
C. Redeploy VM1 and VM2 to the same availability zone.
D. Redeploy VM1 and VM2 to the same availability set.

Answer: B

NEW QUESTION 38
- (Topic 3)

You need to move the blueprint files to Azure. What should you do?

A. Generate a shared access signature (SAS). Map a drive, and then copy the files by using File Explorer.
B. Use the Azure Import/Export service.
C. Generate an access key. Map a drive, and then copy the files by using File Explorer.
D. Use Azure Storage Explorer to copy the files.

Answer: D

Explanation:
Azure Storage Explorer is a free tool from Microsoft that allows you to work with Azure Storage data on Windows, macOS, and Linux. You can use it to upload and
download data from Azure blob storage.
Scenario:
Planned Changes include: move the existing product blueprint files to Azure Blob storage. Technical Requirements include: Copy the blueprint files to Azure over
the Internet.
References: https://docs.microsoft.com/en-us/azure/machine-learning/team-data-science-process/move-data-to-azure-blob-using-azure-storage-explorer

NEW QUESTION 40
HOTSPOT - (Topic 3)
You need to identify the storage requirements for Contoso.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

A. Mastered
B. Not Mastered

Answer: A

Explanation:
Statement 1: Yes
Contoso is moving the existing product blueprint files to Azure Blob storage, which will ensure that the blueprint files are stored in the archive storage tier.
Use unmanaged standard storage for the hard disks of the virtual machines. We use Page Blobs for these.
Statement 2: No
Azure Table storage stores large amounts of structured data. The service is a NoSQL datastore which accepts authenticated calls from inside and outside the Azure cloud. Azure tables are ideal for storing structured, non-relational data. Common uses of Table storage include:
1. Storing TBs of structured data capable of serving web scale applications
2. Storing datasets that don't require complex joins, foreign keys, or stored procedures and can be denormalized for fast access
3. Quickly querying data using a clustered index
4. Accessing data using the OData protocol and LINQ queries with WCF Data Service .NET Libraries
Statement 3: No
If your business use case deals mostly with standard file extensions such as *.docx, *.png and *.bak, then you should probably go with File Storage.

NEW QUESTION 44
- (Topic 2)
You need to resolve the Active Directory issue. What should you do?

A. From Active Directory Users and Computers, select the user accounts, and then modify the User Principal Name value.
B. Run idfix.exe, and then use the Edit action.
C. From Active Directory Domains and Trusts, modify the list of UPN suffixes.
D. From Azure AD Connect, modify the outbound synchronization rule.

Answer: B

Explanation:
IdFix is used to perform discovery and remediation of identity objects and their attributes in an on-premises Active Directory environment in preparation for
migration to Azure Active Directory. IdFix is intended for the Active Directory administrators responsible for directory synchronization with Azure Active Directory.
Scenario: Active Directory Issue
Several users in humongousinsurance.com have UPNs that contain special characters. You suspect that some of the characters are unsupported in Azure AD.
References: https://www.microsoft.com/en-us/download/details.aspx?id=36832

NEW QUESTION 46
- (Topic 2)
Which blade should you instruct the finance department auditors to use?

A. invoices
B. partner information
C. cost analysis
D. External services

Answer: C

Explanation:
Cost analysis: Correct Option
In the Cost analysis blade of Azure, you can see all the details for a custom time span. You can use this to determine expenditure for the last few days, weeks, and month. The following options are available in the Cost analysis blade for filtering information by time span: last 7 days, last 30 days, and custom date range. By choosing the first option (last 7 days), auditors can view the costs by time span.
Cost analysis shows data for the current month by default. Use the date selector to switch to common date ranges quickly. Examples include the last seven days, the last month, the current year, or a custom date range. Pay-as-you-go subscriptions also include date ranges based on your billing period, which isn't bound to the calendar month, like the current billing period or last invoice. Use the <PREVIOUS and NEXT> links at the top of the menu to jump to the previous or next period, respectively. For example, <PREVIOUS will switch from the Last 7 days to 8-14 days ago or 15-21 days ago.

Invoice: Incorrect Option
Invoices can only be used for past billing periods, not for the current billing period. For example, if your requirement is to know last week's cost, invoices do not fulfil it, because Azure generates the invoice at the end of the month. Even though Invoices has a custom timespan, when you enter dates for a week, the pane is empty. Below is from the Microsoft documentation:

Resource Provider: Incorrect Option
When deploying resources, you frequently need to retrieve information about the resource providers and types. For example, if you want to store keys and secrets, you work with the Microsoft.KeyVault resource provider. This resource provider offers a resource type called vaults for creating the key vault. This is not useful for reviewing all Azure costs from the past week, which is required for the audit.
Payment method: Incorrect Option
Payment methods are not useful for reviewing all Azure costs from the past week, which is required for the audit.
Reference:

https://docs.microsoft.com/en-us/azure/cost-management-billing/costs/quick-acm-cost-analysis
https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/download-azure-invoice-daily-usage-date

NEW QUESTION 51
- (Topic 2)
You need to define a custom domain name for Azure AD to support the planned infrastructure.
Which domain name should you use?

A. ad.humongousinsurance.com
B. humongousinsurance.onmicrosoft.com
C. humongousinsurance.local
D. humongousinsurance.com

Answer: D

Explanation:
Every Azure AD directory comes with an initial domain name in the form of domainname.onmicrosoft.com.
The initial domain name cannot be changed or deleted, but you can add your corporate domain name to Azure AD as well. For example, your organization
probably has other domain names used to do business and users who sign in using your corporate domain name. Adding custom domain names to Azure AD
allows you to assign user names in the directory that are familiar to your users, such as 'alice@contoso.com' instead of 'alice@domainname.onmicrosoft.com'.
Scenario:
Network Infrastructure: Each office has a local data center that contains all the servers for that office. Each office has a dedicated connection to the Internet.
Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com
Planned Azure AD Infrastructure: The on-premises Active Directory domain will be synchronized to Azure AD.
References:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain

NEW QUESTION 55
- (Topic 2)
You need to define a custom domain name for Azure AD to support the planned infrastructure.
Which domain name should you use?

A. Join the client computers in the Miami office to Azure AD.
B. Add http://autologon.microsoftazuread-sso.com to the intranet zone of each client computer in the Miami office.
C. Allow inbound TCP port 8080 to the domain controllers in the Miami office.
D. Install Azure AD Connect on a server in the Miami office and enable Pass-through Authentication.
E. Install the Active Directory Federation Services (AD FS) role on a domain controller in the Miami office.

Answer: BD

Explanation:
Every Azure AD directory comes with an initial domain name in the form of domainname.onmicrosoft.com. The initial domain name cannot be changed or deleted,
but you can add your corporate domain name to Azure AD as well. For example, your organization probably has other domain names used to do business and
users who sign in using your corporate domain name. Adding custom domain names to Azure AD allows you to assign user names in the directory that are familiar
to your users, such as 'alice@contoso.com' instead of 'alice@domainname.onmicrosoft.com'.
Scenario:
Network Infrastructure: Each office has a local data center that contains all the servers for that office. Each office has a dedicated connection to the Internet.
Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com
Planned Azure AD Infrastructure: The on-premises Active Directory domain will be synchronized to Azure AD.
References: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain

NEW QUESTION 58
HOTSPOT - (Topic 1)
You need to implement Role1.
Which command should you run before you create Role1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

A. Mastered
B. Not Mastered

Answer: A

Explanation:

Get-AzRoleDefinition -Name "Reader" | ConvertTo-Json
https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell
https://docs.microsoft.com/en-us/powershell/module/az.resources/get-azroledefinition?view=azps-5.9.0
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/convertto-json?view=powershell-7.1
https://docs.microsoft.com/en-us/powershell/module/azuread/get-azureaddirectoryrole?view=azureadps-2.0

NEW QUESTION 61
- (Topic 1)
You need to recommend a solution to automate the configuration for the finance department users. The solution must meet the technical requirements.
What should you include in the recommendation?

A. Azure AD B2C
B. Azure AD Identity Protection
C. an Azure logic app and the Microsoft Identity Management (MIM) client
D. dynamic groups and conditional access policies

Answer: D

Explanation:
The finance department needs to migrate its users from AD to AAD using AADC based on the finance OU, and needs to enforce MFA use. This is a conditional access policy. Employees also often get promotions and/or join other departments. When that occurs, the user's OU attribute changes when the admin puts the user in a new OU, and the dynamic group conditional access exception (OU= [Department Name Value]) will move the user to the appropriate dynamic group on the next AADC delta sync.
https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

NEW QUESTION 66
HOTSPOT - (Topic 5)
You have an Azure virtual machine named VM1 and a Recovery Services vault named Vault1.
You create a backup Policy1 as shown in the exhibit. (Click the Exhibit tab.)

You configure the backup of VM1 to use Policy1 on Thursday, January 1.


You need to identify the number of available recovery points for VM1.
How many recovery points are available on January 8 and on January 15? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

A. Mastered
B. Not Mastered

Answer: A

Explanation:
Box 1: 6
4 daily + 1 weekly + monthly
Box 2: 8
4 daily + 2 weekly + monthly + yearly

NEW QUESTION 71
DRAG DROP - (Topic 5)
You need to create container1 and share1.
Which storage accounts should you use for each resource? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

A. Mastered
B. Not Mastered

Answer: A

Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview

NEW QUESTION 74
- (Topic 5)
You have an Azure Kubernetes Service (AKS) cluster named AKS1. You need to configure cluster autoscaler for AKS1.
Which two tools should you use? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

A. the Set-AzAks cmdlet
B. the Azure portal
C. the az aks command
D. the kubectl command
E. the set Azure cmdlet

Answer: BC

Explanation:
AKS clusters can scale in one of two ways:
• The cluster autoscaler watches for pods that can't be scheduled on nodes because of resource constraints. The cluster then automatically increases the number of nodes.
• The horizontal pod autoscaler uses the Metrics Server in a Kubernetes cluster to monitor the resource demand of pods. If an application needs more resources, the number of pods is automatically increased to meet the demand.
Reference:
https://docs.microsoft.com/en-us/azure/aks/cluster-autoscaler

NEW QUESTION 79
- (Topic 5)
You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1.
Subscription1 has a user named User1. User1 has the following roles:
• Reader
• Security Admin
• Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users. What should you do?

A. Assign User1 the Contributor role for VNet1.
B. Remove User1 from the Security Reader and Reader roles for Subscription1.
C. Assign User1 the Network Contributor role for VNet1.
D. Assign User1 the User Access Administrator role for VNet1.

Answer: D

Explanation:
https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles#:~:text=The%20User%20Access%20Administrator%20role%20enables%20the%20user%20to%20grant,Azure%20subscriptions%20and%20management%20groups.


NEW QUESTION 82
HOTSPOT - (Topic 5)
You have an Azure subscription that is linked to an Azure AD tenant. The tenant contains two users named User1 and User2. The subscription contains the
resources shown in the following table.

The subscription contains the alert rules shown in the following table.

The users perform the following actions:


• User1 creates a new virtual disk and attaches the disk to VM1.
• User2 creates a new resource tag and assigns the tag to RG1 and VM1.
Which alert rules are triggered by each user? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.


A. Mastered
B. Not Mastered

Answer: A

Explanation:
In this case, you have two alert rules: Alert1 and Alert2. Alert1 has a scope of RG1, which means it applies to all the resources in the resource group named RG1.
Alert1 has a condition of All Administrative operations, which means it triggers when any administrative operation is performed on the resources in RG1. An
administrative operation is any operation that changes the configuration or state of a resource, such as creating, deleting, updating, or restarting.
Alert2 has a scope of VM1, which means it applies only to the virtual machine named VM1. Alert2 also has a condition of All Administrative operations, which
means it triggers when any administrative operation is performed on VM1.
Now, let’s see which alert rules are triggered by each user.
User1 creates a new virtual disk and attaches the disk to VM1. This is an administrative operation on VM1, so it triggers Alert2. However, it does not trigger Alert1,
because the new disk is not part of RG1. Therefore, the correct answer for User1 is C. Only Alert2 is triggered.
User2 creates a new resource tag and assigns the tag to RG1 and VM1. This is also an administrative operation on both RG1 and VM1, so it triggers both Alert1
and Alert2. Therefore, the correct answer for User2 is D. Alert1 and Alert2 are triggered.

NEW QUESTION 87
- (Topic 5)
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load
Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.


You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail. You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a priority of 150.
Does this meet the goal?

A. Mastered
B. Not Mastered

Answer: A

NEW QUESTION 91
- (Topic 5)
Your on-premises network contains an SMB share named Share1. You have an Azure subscription that contains the following resources:
• A web app named webapp1
• A virtual network named VNET1
You need to ensure that webapp1 can connect to Share1. What should you deploy?

A. an Azure Application Gateway


B. an Azure Active Directory (Azure AD) Application Proxy
C. an Azure Virtual Network Gateway

Answer: C

Explanation:
A Site-to-Site VPN gateway connection can be used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN
tunnel. This type of connection requires a VPN device, a VPN gateway, located on-premises that has an externally facing public IP address assigned to it.
A: Application Gateway is for HTTP, HTTPS and WebSocket - Not SMB
B: Application Proxy is also for accessing web applications on-prem - Not SMB. Application Proxy is a feature of Azure AD that enables users to access on-premises web applications from a remote client.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

NEW QUESTION 95
- (Topic 5)
You have an Azure AD tenant that contains the groups shown in the following table.

You purchase Azure Active Directory Premium P2 licenses. To which groups can you assign a license?

A. Group1 only
B. Group1 and Group3 only
C. Group3 and Group4 only
D. Group1, Group2, and Group3 only
E. Group1, Group2, Group3, and Group4

Answer: B

Explanation:
To assign a license to a group, the group must be a security group, not an Office 365 group or a mail-enabled security group. According to the image, Group1
and Group3 are security groups, while Group2 and Group4 are Office 365 groups. Therefore, only Group1 and Group3 can be assigned a license.
To assign a license to a group, you need to follow these steps:
• Sign in to the Azure portal with a license administrator account.
• Go to Azure Active Directory > Licenses and select the product license that you want to assign to groups.
• Select Assign at the top of the page and then select Users and groups.
• Search for and select the group that you want to assign the license to and then select OK.
• Select Assignment options to enable or disable specific services within the product license and then select OK.
• Select Assign at the bottom of the page to complete the assignment.

NEW QUESTION 99
- (Topic 5)
You have an Azure subscription that contains a storage account. The account stores website data.
You need to ensure that inbound user traffic uses the Microsoft point-of-presence (POP) closest to the user's location.
What should you configure?

A. load balancing
B. private endpoints
C. Azure Firewall rules
D. Routing preference

Answer: D

Explanation:
Routing preference is a feature that allows you to configure how network traffic is routed to your storage account from clients over the internet. By default, traffic
from the internet is routed to the public endpoint of your storage account over the Microsoft global network, which is optimized for low-latency path selection and
high reliability. Both inbound and outbound traffic are routed through the point of presence (POP) that is closest to the client. This ensures that traffic to and from
your storage account traverses over the Microsoft global network for the bulk of its path, maximizing network performance. You can also change the routing
preference to use internet routing, which minimizes the traversal of your traffic over the Microsoft global network, handing it off to the transit ISP at the earliest
opportunity. This lowers networking costs, but may compromise network performance. Therefore, to ensure that inbound user traffic uses the Microsoft POP
closest to the user’s location, you should configure routing preference to use the Microsoft global network as the default routing option for your storage account.
References:
• Network routing preference for Azure Storage
• Configure network routing preference for Azure Storage

NEW QUESTION 102


- (Topic 5)
You have an Azure virtual machine named VM1. Azure collects events from VM1.
You are creating an alert rule in Azure Monitor to notify an administrator when an error is logged in the System event log of VM1.
You need to specify which resource type to monitor. What should you specify?

A. metric alert
B. Azure Log Analytics workspace
C. virtual machine
D. virtual machine extension

Answer: B

Explanation:
Azure Monitor can collect data directly from your Azure virtual machines into a Log Analytics workspace for analysis of details and correlations. Installing the Log
Analytics VM extension for Windows and Linux allows Azure Monitor to collect data from your Azure VMs.
Azure Log Analytics workspace is also used for on-premises computers monitored by System Center Operations Manager.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/quick-collect-azurevm

NEW QUESTION 105


- (Topic 5)
You have an Azure subscription named Subscription1 that is used by several departments at your company. Subscription1 contains the resources in the following
table:

Another administrator deploys a virtual machine named VM1 and an Azure Storage account named Storage2 by using a single Azure Resource Manager template.
You need to view the template used for the deployment.
From which blade can you view the template that was used for the deployment?

A. RG1
B. VM1
C. Storage1


D. Container1

Answer: A

Explanation:
1. View template from deployment history
Go to the resource group for your new resource group. Notice that the portal shows the result of the last deployment. Select this link.

2. You see a history of deployments for the group. In your case, the portal probably lists only one deployment. Select this deployment.

The portal displays a summary of the deployment. The summary includes the status of the deployment and its operations and the values that you provided for
parameters. To see the template that you used for the deployment, select View template.

References: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-export-template

NEW QUESTION 107


- (Topic 5)
You have an Azure subscription that contains a virtual machine named VM1 and an Azure key vault named KV1.
You need to configure encryption for VM1. The solution must meet the following requirements:
• Store and use the encryption key in KV1.
• Maintain encryption if VM1 is downloaded from Azure.
• Encrypt both the operating system disk and the data disks.
Which encryption method should you use?

A. encryption at host
B. customer-managed keys
C. Azure Disk Encryption
D. Confidential disk encryption

Answer: C

Explanation:
Azure Disk Encryption is a service that helps you encrypt your Windows and Linux IaaS virtual machine disks. It uses BitLocker for Windows and DM-Crypt for
Linux to provide volume encryption for the OS and data disks. Azure Disk Encryption requires that you use a key encryption key in Azure Key Vault to encrypt the
volume encryption key, which is then stored on the disk. You can use either a service-managed key or a customer-managed key in Azure Key Vault. Azure Disk
Encryption also supports encrypting virtual machine disks that are downloaded from Azure.

NEW QUESTION 112


- (Topic 5)
You have an Azure subscription that contains a web app named webapp1. You need to add a custom domain named www.contoso.com to webapp1. What should
you do first?

A. Upload a certificate.
B. Add a connection string.
C. Stop webapp1.
D. Create a DNS record.

Answer: D

Explanation:
You can use either a CNAME record or an A record to map a custom DNS name to App Service. You should use CNAME records for all custom DNS names
except root domains (for example, contoso.com). For root domains, use A records.
Reference: https://docs.microsoft.com/en-us/Azure/app-service/app-service-web-tutorial-custom-domain

NEW QUESTION 117


HOTSPOT - (Topic 5)
You have an Azure virtual network named VNet1 that connects to your on-premises network by using a site-to-site VPN. VNet1 contains one subnet named
Subnet1.
Subnet1 is associated to a network security group (NSG) named NSG1. Subnet1 contains a basic internal load balancer named ILB1. ILB1 has three Azure virtual
machines in the backend pool.
You need to collect data about the IP addresses that connect to ILB1. You must be able to run interactive queries from the Azure portal against the collected data.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

A. Mastered
B. Not Mastered

Answer: A

Explanation:
Box 1: An Azure Log Analytics workspace
In the Azure portal you can set up a Log Analytics workspace, which is a unique Log
Analytics environment with its own data repository, data sources, and solutions.
Box 2: NSG1
NSG flow logs allow viewing information about ingress and egress IP traffic through a Network security group. Through this, the IP addresses that connect to the
ILB can be monitored when the diagnostics are enabled on a Network Security Group.
We cannot enable diagnostics on an internal load balancer to check for the IP addresses. ILB1 is a Basic load balancer. A Basic load balancer can only connect to a storage
account and has only activity logs, which don't include the connectivity workflow. So, we need to use the NSG to meet the stated requirements.

NEW QUESTION 119


- (Topic 5)
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the
stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You manage a virtual network named VNet1 that is hosted in the West US Azure region.
VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.
You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.
Solution: From Azure Network Watcher, you create a connection monitor.
Does this meet the goal?

A. Yes
B. No

Answer: A

Explanation:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview

NEW QUESTION 124


HOTSPOT - (Topic 5)

You have the following custom role-based access control (RBAC) role.


For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

A. Mastered
B. Not Mastered

Answer: A

Explanation:
Box 1: No
The role doesn't have:
Microsoft.Authorization/*/Write - Create roles, role assignments, policy assignments, policy definitions and policy set definitions
Box 2: Yes
The role has been assigned:
Microsoft.Compute/virtualMachines/* - Perform all virtual machine actions including create, update, delete, start, restart, and power off virtual machines. Execute
scripts on virtual machines.
Box 3: Yes
The role has been assigned:
Microsoft.Network/networkInterfaces/* - Create and manage network interfaces
See:
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

NEW QUESTION 127


HOTSPOT - (Topic 5)
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
You have two external partner organizations named fabrikam.com and litwareinc.com. Fabrikam.com is configured as a connected organization.
You create an access package as shown in the Access package exhibit. (Click the Access package tab.)


You configure the external user lifecycle settings as shown in the Lifecycle exhibit. (Click the Lifecycle tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

A. Mastered
B. Not Mastered

Answer: A

Explanation:
• Litwareinc.com users can be assigned to package1. = No
• After 365 days, fabrikam.com users will be removed from Group1. = Yes
• After 395 days, fabrikam.com users will be removed from the contoso.com tenant. = No

• Litwareinc.com users cannot be assigned to package1 because they are not a connected organization in the contoso.com tenant. Only users from connected
organizations can request access packages that are configured for external users.
• Fabrikam.com users will be removed from Group1 after 365 days because the
access package has an expiration policy of 365 days for external users. This means that the access assignments for external users will end after 365 days, unless
they are renewed or extended.
• Fabrikam.com users will not be removed from the contoso.com tenant after 395
days because the external user lifecycle settings have a deletion policy of 30 days after blocking. This means that external users will be blocked from signing in
after 365 days of inactivity, and then deleted after another 30 days. Therefore, the total time before deletion is 395 days of inactivity, not 395 days from the date of
assignment.

NEW QUESTION 132


HOTSPOT - (Topic 5)
You have the App Service plans shown in the following table.

You plan to create the Azure web apps shown in the following table.

You need to identify which App Service plans can be used for the web apps.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

A. Mastered
B. Not Mastered

Answer: A

Explanation:
Box 1: ASP1, ASP3
ASP1, ASP3: ASP.NET Core apps can be hosted on either Windows or Linux.
Not ASP2: The region in which your app runs is the region of the App Service plan it's in.
Box 2: ASP1
ASP.NET apps can be hosted on Windows only.

NEW QUESTION 134


- (Topic 5)
You have an Azure subscription that contains a storage account named storage1. You have the devices shown in the following table.


From which devices can you use AzCopy to copy data to storage1?

A. Device1 and Device2 only
B. Device1, Device2 and Device3
C. Device’ only
D. Device and Device3 only

Answer: B

Explanation:
https://learn.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10#download-azcopy

NEW QUESTION 135


- (Topic 5)
You have an Azure subscription that contains the storage accounts shown in the following table.

You need to identify which storage account can be converted to zone-redundant storage (ZRS) replication by requesting a live migration from Azure support.
What should you identify?

A. Storage1
B. Storage2
C. Storage3
D. Storage4

Answer: B

Explanation:
https://learn.microsoft.com/en-us/azure/storage/common/redundancy-migration?tabs=portal

NEW QUESTION 137


- (Topic 5)
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the
stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure virtual machine named VM1. VM1 was deployed by using a custom Azure Resource Manager template named ARM1.json.
You receive a notification that VM1 will be affected by maintenance. You need to move VM1 to a different host immediately.
Solution: From the Redeploy blade, you click Redeploy.
Does this meet the goal?

A. Yes
B. No

Answer: A

Explanation:
Redeploying the virtual machine moves it to a new host within the same region and availability set. This can help resolve any underlying issues with the current
host. Redeploying the virtual machine does not affect the configuration or data on the virtual machine.
References: Redeploy Windows VM to new Azure node

NEW QUESTION 142


HOTSPOT - (Topic 5)
You have an Azure Storage account named storage1 that uses Azure Blob storage and Azure File storage.
You need to use AzCopy to copy data to the blob storage and file storage in storage1. Which authentication method should you use for each type of storage? To
answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.


A. Mastered
B. Not Mastered

Answer: A

Explanation:
You can provide authorization credentials by using Azure Active Directory (AD), or by using a Shared Access Signature (SAS) token.
Box 1:
Both Azure Active Directory (AD) and Shared Access Signature (SAS) token are supported for Blob storage.
Box 2:
Only Shared Access Signature (SAS) token is supported for File storage.

NEW QUESTION 145


HOTSPOT - (Topic 5)
You have an Azure Active Directory (Azure AD) tenant that contains three global administrators named Admin1, Admin2, and Admin3.
The tenant is associated to an Azure subscription. Access control for the subscription is configured as shown in the Access control exhibit. (Click the Exhibit tab.)

You sign in to the Azure portal as Admin1 and configure the tenant as shown in the Tenant exhibit. (Click the Exhibit tab.)


For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

A. Mastered
B. Not Mastered

Answer: A

Explanation:
They are all Global administrators, so they can all modify user permissions (for example, add themselves as Owner).
Being a Global Administrator does not mean that you can create resources in every subscription. As a Global Administrator in Azure Active Directory
(Azure AD), you might not have access to all subscriptions and management groups in your directory. Azure AD and Azure resources are secured independently
from one another. That is, Azure AD role assignments do not grant access to Azure resources, and Azure role assignments do not grant access to Azure AD.
However, if you are a Global Administrator in Azure AD, you can assign yourself access to all Azure subscriptions and management groups in your directory.
NEW QUESTION 150


HOTSPOT - (Topic 5)
You have an Azure Storage account named storage1 that stores images.
You need to create a new storage account and replicate the images in storage1 to the new account by using object replication.
How should you configure the new account? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

A. Mastered
B. Not Mastered


Answer: A

Explanation:

NEW QUESTION 151


- (Topic 5)
You have an Azure subscription that contains an Azure virtual machine named VM1. VM1 runs a financial
reporting app named App1 that does not support multiple active instances. At the end of each month, CPU usage for VM1 peaks when App1 runs.
You need to create a scheduled runbook to increase the processor performance of VM1 at the end of each month.
What task should you include in the runbook?

A. Add the Azure Performance Diagnostics agent to VM1.


B. Modify the VM size property of VM1.
C. Add VM1 to a scale set.
D. Increase the vCPU quota for the subscription.
E. Add a Desired State Configuration (DSC) extension to VM1.

Answer: B

Explanation:
To create a scheduled runbook to increase the processor performance of VM1 at the end of each month, you need to modify the VM size property of VM1. This will
allow you to scale up the VM to a larger size that has more CPU cores and memory. You can use Azure Automation to create a PowerShell runbook that changes
the VM size using the Set-AzVM cmdlet. You can then schedule the runbook to run at the end of each month using the Azure portal or Azure PowerShell. For more
information, see How to resize a virtual machine in Azure using Azure Automation.

NEW QUESTION 155


HOTSPOT - (Topic 5)
You have an Azure AD tenant that is linked to the subscriptions shown in the following table.

You have the resource groups shown in the following table.

You assign roles to users as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

A. Mastered
B. Not Mastered

Answer: A

Explanation:
• User1 can resize VM1. Yes, this is correct. According to the tables, User1 is assigned the Contributor role at the subscription level for Sub1. The Contributor role
grants full access to manage all resources in the subscription, including the ability to resize virtual machines. Therefore, User1 can resize VM1, which is a
resource in RG1 under Sub1.
• User2 can create a new storage account in RG1. No, this is not correct. According to the tables, User2 is assigned the Reader role at the resource group level for
RG1. The Reader role grants read-only access to view existing resources in the resource group, but not to create, update, or delete any resources. Therefore,
User2 cannot create a new storage account in RG1.
• User3 can assign User1 the Owner role for RG3. No, this is not correct. According to the tables, User3 is assigned the Storage Account Contributor role at the
resource group level for RG3. The Storage Account Contributor role grants full access to manage storage accounts and their data in the resource group, but not
to assign roles to other users. To assign roles to other users, User3 would need a role that has Microsoft.Authorization/roleAssignments/write permissions, such
as User Access Administrator or Owner. Therefore, User3 cannot assign User1 the Owner role for RG3.

NEW QUESTION 159


- (Topic 5)
You sign up for Azure Active Directory (Azure AD) Premium.
You need to add a user named admin1@contoso.com as an administrator on all the computers that will be joined to the Azure AD domain.
What should you configure in Azure AD?

A. Device settings from the Devices blade.


B. General settings from the Groups blade.
C. User settings from the Users blade.
D. Providers from the MFA Server blade.

Answer: A

Explanation:
https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin

NEW QUESTION 163


- (Topic 5)
You have an Azure subscription that contains 20 virtual machines, a network security group (NSG) named NSG1, and two virtual networks named VNET1 and
VNET2 that are peered.
You plan to deploy an Azure Bastion Basic SKU host named Bastion1 to VNET1. You need to configure NSG1 to allow inbound access from the internet to
Bastion1.
Which port should you configure for the inbound security rule?

A. 22
B. 443
C. 3389
D. 8080

Answer: B

Explanation:
Azure Bastion is a service that provides secure and seamless RDP/SSH connectivity to virtual machines directly over TLS from the Azure portal or via native
client. Azure Bastion uses an HTML5 based web client that is automatically streamed to your local device. Your RDP/SSH session is over TLS on port 443. This
enables the traffic to traverse firewalls more securely. To allow inbound access from the internet to Bastion1, you need to configure NSG1 to allow port 443 for the
inbound security rule.
References:
• What is Azure Bastion?
• About Azure Bastion configuration settings

NEW QUESTION 168


- (Topic 5)
You have an Azure DNS zone named adatum.com. You need to delegate a subdomain named research.adatum.com to a different DNS server in Azure. What
should you do?

A. Create a PTR record named research in the adatum.com zone.


B. Create an NS record named research in the adatum.com zone.
C. Modify the SOA record of adatum.com.
D. Create an A record named *.research in the adatum.com zone.

Answer: B

Explanation:
https://docs.microsoft.com/en-us/azure/dns/delegate-subdomain

NEW QUESTION 169


- (Topic 5)
You plan to move a distributed on-premises app named App1 to an Azure subscription. After the planned move, App1 will be hosted on several Azure virtual
machines.
You need to ensure that App1 always runs on at least eight virtual machines during planned Azure maintenance.
What should you create?

A. one virtual machine scale set that has 10 virtual machine instances
B. one Availability Set that has three fault domains and one update domain
C. one Availability Set that has 10 update domains and one fault domain
D. one virtual machine scale set that has 12 virtual machine instances

Answer: A

Explanation:
A virtual machine scale set is a group of identical virtual machines that are centrally managed, configured, and updated. A virtual machine scale set can
automatically increase or decrease the number of virtual machine instances in response to demand or a defined schedule. A virtual machine scale set also
provides high availability and fault tolerance by distributing the virtual machine instances across multiple fault domains and update domains.
A fault domain is a logical group of underlying hardware that share a common power source and network switch. A fault domain can fail due to hardware or
software failures, power outages, or network interruptions. A virtual machine scale set can have up to five fault domains in a region.
An update domain is a logical group of underlying hardware that can undergo maintenance or be rebooted at the same time. An update domain can be affected by
planned events, such as OS updates, application updates, or configuration changes. A virtual machine scale set can have up to 20 update domains in a region.
By creating a virtual machine scale set that has 10 virtual machine instances, you can ensure that App1 always runs on at least eight virtual machines during
planned Azure maintenance. This is because the default configuration of a virtual machine scale set is to have five fault domains and five update domains. This
means that at any given time, only one fault domain or one update domain can be unavailable due to maintenance or failure. Therefore, at least eight out of 10
virtual machine instances will be available to run App1. An availability set is another option for providing high availability and fault tolerance for your virtual
machines. An availability set is a logical grouping of two or more virtual machines that are deployed across multiple fault domains and update domains. However,
an availability set does not provide automatic scaling of resources or load balancing of traffic. You need to manually create and manage the number of virtual
machine instances in an availability set.
Therefore, a virtual machine scale set is a better option than an availability set for your scenario. To create a virtual machine scale set, you can follow these steps:
• Sign in to the Azure portal.
• Select Create a resource > Compute > Virtual machine scale set.
• On the Basics tab, enter a name for your scale set, select your subscription and resource group, select Windows Server 2019 as the image type, and enter a username and password for the administrator account.
• On the Instance details tab, select the region where you want to deploy your scale set, select the size of the virtual machine instances, and enter 10 as the initial instance count.
• On the Scaling tab, configure the scaling policy for your scale set based on metrics or schedule.
• On the Load balancing tab, configure the load balancer for your scale set to distribute traffic across the instances.
• On the Management tab, configure the diagnostics settings, automatic OS upgrades, extensions, and backup options for your scale set.
• On the Advanced tab, configure the availability zone, proximity placement group, accelerated networking, host group, and custom script extension options for your scale set.
• On the Tags tab, optionally add tags to your scale set resources.
• On the Review + create tab, review your settings and select Create.

NEW QUESTION 173


HOTSPOT - (Topic 5)
You have an Azure subscription that contains the resource groups shown in the following table.

RG1 contains the resources shown in the following table.

RG2 contains the resources shown in the following table.

You need to identify which resources you can move from RG1 to RG2, and which resources you can move from RG2 to RG1. Which resources should you
identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

A. Mastered
B. Not Mastered

Answer: A

Explanation:

NEW QUESTION 177


- (Topic 5)
You have an Azure AD tenant that is linked to 10 Azure subscriptions. You need to centrally monitor user activity across all the subscriptions. What should you
use?

A. Activity log filters
B. Log Analytics workspace
C. access reviews
D. Azure Application Insights Profiler

Answer: B

Explanation:
https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=powershell#send-to-log-analytics-workspace
Send the activity log to a Log Analytics workspace to enable the Azure Monitor Logs feature, where you:
- Consolidate log entries from multiple Azure subscriptions and tenants into one location for analysis together.

NEW QUESTION 178


- (Topic 5)
You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains four subnets named Gateway, Perimeter, NVA, and Production.
The NVA subnet contains two network virtual appliances (NVAs) that will perform network traffic inspection between the Perimeter subnet and the Production
subnet.
You need to implement an Azure load balancer for the NVAs. The solution must meet the following requirements:
• The NVAs must run in an active-active configuration that uses automatic failover.
• The load balancer must load balance traffic to two services on the Production subnet. The services have different IP addresses.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Add two load balancing rules that have HA Ports enabled and Floating IP disabled.
B. Deploy a basic load balancer.
C. Add a frontend IP configuration, a backend pool, and a health probe.
D. Add two load balancing rules that have HA Ports and Floating IP enabled.
E. Deploy a standard load balancer.
F. Add a frontend IP configuration, two backend pools, and a health probe.

Answer: DEF

NEW QUESTION 180


- (Topic 5)
You plan to automate the deployment of a virtual machine scale set that uses the Windows Server 2016 Datacenter image.
You need to ensure that when the scale set virtual machines are provisioned, they have web server components installed.
Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

A. Modify the extensionProfile section of the Azure Resource Manager template.
B. Create a new virtual machine scale set in the Azure portal.
C. Create an Azure policy.
D. Create an automation account.
E. Upload a configuration script.

Answer: AB

Explanation:
To automate the deployment of a virtual machine scale set that uses the Windows Server 2016 Datacenter image and has web server components installed, you
need to perform the following actions:
• Modify the extensionProfile section of the Azure Resource Manager template. This section defines the extensions that are applied to the scale set virtual machines after they are provisioned. You can use the Custom Script Extension to run PowerShell scripts that install and configure the web server components. For more information, see Deploy an application to an Azure Virtual Machine Scale Set [1].
• Upload a configuration script. This is the PowerShell script that contains the commands to install and configure the web server components. You can upload the script to a storage account or a GitHub repository, and then reference it in the extensionProfile section of the template. For an example of a configuration script, see Tutorial: Install applications in Virtual Machine Scale Sets with Azure PowerShell [2].

NEW QUESTION 183


HOTSPOT - (Topic 5)
You have an Azure subscription that contains the virtual machines shown in the following table.

VM1 and VM2 use public IP addresses. From Windows Server 2019 on VM1 and VM2, you allow inbound Remote Desktop connections.
Subnet1 and Subnet2 are in a virtual network named VNET1.
The subscription contains two network security groups (NSGs) named NSG1 and NSG2. NSG1 uses only the default rules.
NSG2 uses the default rules and the following custom incoming rule:
• Priority: 100
• Name: Rule1
• Port: 3389
• Protocol: TCP
• Source: Any
• Destination: Any
• Action: Allow
NSG1 is associated to Subnet1. NSG2 is associated to the network interface of VM2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

A. Mastered
B. Not Mastered

Answer: A

Explanation:
No: VM1 has the default rules, which deny inbound access on any port.
Yes: VM2 has a custom rule that allows the RDP port.
Yes: VM1 and VM2 are in the same VNet. By default, communication is allowed.

NEW QUESTION 187


- (Topic 5)
You have a Microsoft 365 tenant and an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to grant three users named User1, User2, and User3 access to a temporary Microsoft SharePoint document library named Library1.
You need to create groups for the users. The solution must ensure that the groups are deleted automatically after 180 days.
Which two groups should you create? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

A. a Security group that uses the Assigned membership type
B. an Office 365 group that uses the Assigned membership type
C. an Office 365 group that uses the Dynamic User membership type
D. a Security group that uses the Dynamic User membership type
E. a Security group that uses the Dynamic Device membership type

Answer: BC

Explanation:
You can set expiration policy only for Office 365 groups in Azure Active Directory (Azure AD).
Note: With the increase in usage of Office 365 Groups, administrators and users need a way to clean up unused groups. Expiration policies can help remove
inactive groups from the system and make things cleaner.
When a group expires, all of its associated services (the mailbox, Planner, SharePoint site, etc.) are also deleted.
You can set up a rule for dynamic membership on security groups or Office 365 groups.

NEW QUESTION 188


- (Topic 5)
You have an Azure subscription named Subscription1.
You have 5 TB of data that you need to transfer to Subscription1. You plan to use an Azure Import/Export job.
What can you use as the destination of the imported data?

A. Mastered
B. Not Mastered

Answer: A

Explanation:
Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to an Azure datacenter.
The maximum size of an Azure Files Resource of a file share is 5 TB.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-service

NEW QUESTION 192


HOTSPOT - (Topic 5)
You have the Azure resources shown on the following exhibit.

You plan to track resource usage and prevent the deletion of resources.
To which resources can you apply locks and tags? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

A. Mastered
B. Not Mastered

Answer: A

Explanation:
Box 1: Sub1, RG1, and VM1 only
You can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources.
Box 2: Sub1, RG1, and VM1 only
You apply tags to your Azure resources, resource groups, and subscriptions.

NEW QUESTION 195


HOTSPOT - (Topic 5)
You have an Azure subscription named Subscription1. Subscription1 contains a virtual machine named VM1.
You install and configure a web server and a DNS server on VM1.
VM1 has the effective network security rules shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.

A. Mastered
B. Not Mastered

Answer: A

Explanation:
A number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have
higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same attributes as
rules with higher priorities are not processed.
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

NEW QUESTION 200


- (Topic 5)
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the
stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You create a resource lock, and then you assign the lock to the subscription.
Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation:
No, this does not meet the goal. Creating a resource lock and assigning it to the subscription is not enough to ensure that when an NSG is created, it automatically
blocks TCP port 8080 between the virtual networks. This is because a resource lock does not affect the configuration or functionality of a resource, but only
prevents it from being deleted or modified [1]. A resource lock does not apply any security rules to an NSG or a virtual network.
To meet the goal, you need to create a custom policy definition that enforces a default security rule for NSGs. A policy definition is a set of rules and actions that
Azure performs when evaluating your resources [2]. You can use a policy definition to specify the required properties and values for NSGs, such as the direction,
protocol, source, destination, and port of the security rule. You can then assign the policy definition to the subscription scope, so that it applies to all the resource
groups and virtual networks in the subscription.

NEW QUESTION 204


HOTSPOT - (Topic 5)
You have an Azure subscription.
You plan to use an Azure Resource Manager template to deploy a virtual network named VNET1 that will use Azure Bastion.
How should you complete the template? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

A. Mastered
B. Not Mastered

Answer: A

Explanation:

NEW QUESTION 205


HOTSPOT - (Topic 5)
You have an Azure subscription that contains the virtual networks shown in the following table.

You have the virtual machines shown in the following table.

You have the virtual network interfaces shown in the following table.

Server1 is a DNS server that contains the resources shown in the following table.

You have an Azure private DNS zone named contoso.com that has a virtual network link to VNET2 and the records shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

A. Mastered
B. Not Mastered

Answer: A

Explanation:

NEW QUESTION 209


- (Topic 5)
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique
solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure
subscription.
Solution: You assign the Owner role at the subscription level to Admin1. Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation:
The Owner role is a very high-level role that grants full access to manage all resources in the scope, including the ability to assign roles to other users. This role
does not follow the principle of least privilege, which means that you should only grant the minimum level of access required to accomplish the goal.
To enable Traffic Analytics for an Azure subscription, you need to have a role that grants you the following permissions at the subscription level:
• Microsoft.Network/applicationGateways/read
• Microsoft.Network/connections/read
• Microsoft.Network/loadBalancers/read
• Microsoft.Network/localNetworkGateways/read
• Microsoft.Network/networkInterfaces/read
• Microsoft.Network/networkSecurityGroups/read
• Microsoft.Network/publicIPAddresses/read
• Microsoft.Network/routeTables/read
• Microsoft.Network/virtualNetworkGateways/read
• Microsoft.Network/virtualNetworks/read
• Microsoft.OperationalInsights/workspaces/*
Some of the built-in roles that have these permissions are Owner, Contributor, or Network Contributor [1]. However, these roles also grant other permissions that
may not be necessary or desirable for enabling Traffic Analytics. Therefore, the best practice is to use the principle of least privilege and create a custom role that
only has the required permissions for enabling Traffic Analytics [2].
Therefore, to meet the goal of ensuring that an Azure AD user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription,
you should create a custom role with the required permissions and assign it to Admin1 at the subscription level.

NEW QUESTION 212


- (Topic 5)
You have an Azure subscription that contains the virtual machines shown in the following table.

You deploy a load balancer that has the following configurations:
• Name: LB1
• Type: Internal
• SKU: Standard
• Virtual network: VNET1


You need to ensure that you can add VM1 and VM2 to the backend pool of LB1.
Solution: You create a Basic SKU public IP address, associate the address to the network interface of VM1, and then start VM1.
Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation:
You can only attach virtual machines that are in the same location and on the same virtual network as the LB. Virtual machines must have a standard SKU public IP or no public IP.
The LB needs to be a standard SKU to accept individual VMs outside an availability set or VMSS. VMs do not need to have public IPs, but if they do have them, they have to be standard SKU. VMs can only be from a single network. When they don’t have a public IP, they are assigned an ephemeral IP.
Also, when adding them to a backend pool, it doesn’t matter which state the VMs are in.
Note: Load balancer and the public IP address SKU must match when you use them with public IP addresses.

NEW QUESTION 213


- (Topic 5)
You plan to deploy three Azure virtual machines named VM1, VM2, and VM3. The virtual machines will host a web app named App1.
You need to ensure that at least two virtual machines are available if a single Azure datacenter becomes unavailable.
What should you deploy?

A. all three virtual machines in a single Availability Zone
B. all virtual machines in a single Availability Set
C. each virtual machine in a separate Availability Zone
D. each virtual machine in a separate Availability Set

Answer: C

Explanation:
An Availability Zone in an Azure region is a combination of a fault domain and an update domain. For example, if you create three or more VMs across three
zones in an Azure region, your VMs are effectively distributed across three fault domains and three update domains. The Azure platform recognizes this
distribution across update domains to make sure that VMs in different zones are not updated at the same time.
Reference link
https://learn.microsoft.com/en-us/training/modules/configure-virtual-machine-availability/5-review-availability-zones

NEW QUESTION 218


- (Topic 5)
You have an Azure subscription named Subscription1 that contains the storage accounts shown in the following table:

You plan to use the Azure Import/Export service to export data from Subscription1. Which account can be used to export the data?
What should you identify?

A. storage1
B. storage2
C. storage3
D. storage4

Answer: D

Explanation:
Azure Import/Export service supports the following types of storage accounts:
• Standard General Purpose v2 storage accounts (recommended for most scenarios)
• Blob Storage accounts
• General Purpose v1 storage accounts (both Classic or Azure Resource Manager deployments)
Azure Import/Export service supports the following storage types:
• Import supports Azure Blob storage and Azure File storage.
• Export supports Azure Blob storage. Azure Files is not supported.
Only storage4 can be exported.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-requirements

NEW QUESTION 221


HOTSPOT - (Topic 5)
You have an Azure Storage account named storage1 that contains a blob container. The blob container has a default access tier of Hot. Storage1 contains a
container named container1.
You create lifecycle management rules in storage1 as shown in the following table.

You perform the actions shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth
one point.

A. Mastered
B. Not Mastered

Answer: A

Explanation:
File3.docx is a blob in container1 that was uploaded on October 1 and edited on October 2. According to the lifecycle management rule 2, any blob in container1
that has not been modified for 5 days will be deleted. Therefore, on October 7, File3.docx will be deleted from the storage account. Therefore, on October 10, you
cannot read File3.docx because it no longer exists.

NEW QUESTION 222


HOTSPOT - (Topic 5)
You have an Azure subscription.
You need to deploy a virtual machine by using an Azure Resource Manager (ARM) template.
How should you complete the template? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

A. Mastered
B. Not Mastered

Answer: A

Explanation:
- dependsOn: resourceId
- storageProfile: ImageReference
Reference:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/resource-dependency#dependson
https://learn.microsoft.com/en-us/javascript/api/@azure/arm-compute/storageprofile?view=azure-node-latest

NEW QUESTION 227


- (Topic 5)
You have two Azure subscriptions named Sub1 and Sub2.
Sub1 contains a virtual machine named VM1 and a storage account named storage1.
VM1 is associated to the resources shown in the following table. You need to move VM1 to Sub2.
Which resources should you move to Sub2?

A. VM1, Disk1, and NetInt1 only
B. VM1, Disk1, and VNet1 only
C. VM1, Disk1, and storage1 only
D. VM1, Disk1, NetInt1, and VNet1

Answer: D

Explanation:
When you move a virtual machine to a different subscription, you need to move all the resources that are associated with the virtual machine, such as the disks,
the network interface, and the virtual network. You cannot move a virtual machine without moving its dependent resources. You also need to ensure that the target
subscription supports the same region, resource type, and API version as the source subscription. Then, References: [Move a Windows VM to another Azure
subscription or resource group]

NEW QUESTION 231


- (Topic 5)
You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1. A user named User1
has the following roles for Subscription1:
• Reader
• Security Admin
• Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users. What should you do?

A. Remove User1 from the Security Reader and Reader roles for Subscription1.
B. Assign User1 the Owner role for VNet1.
C. Remove User1 from the Security Reader role for Subscription1. Assign User1 the Contributor role for RG1.
D. Remove User1 from the Security Reader and Reader roles for Subscription1. Assign User1 the Contributor role for Subscription1

Answer: B

Explanation:
https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles#:~:text=The%20User%20Access%20Administrator%20role%20enables%20the%20user%20to%20grant,Azure%20subscriptions%20and%20management%20groups.

NEW QUESTION 233


HOTSPOT - (Topic 5)
You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. You add the users in the following table.

Which user can perform each configuration? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

A. Mastered
B. Not Mastered

Answer: A

Explanation:
User1 - The Owner Role lets you manage everything, including access to resources.
User3 - The Network Contributor role lets you manage networks, including creating subnets.
User2 - The Security Admin role can view security policies, view security states, edit security policies, view alerts and recommendations, dismiss alerts and
recommendations.

NEW QUESTION 234


DRAG DROP - (Topic 5)
You have an Azure subscription that contains a virtual machine named VM1.
You need to back up VM1. The solution must ensure that backups are stored across three availability zones in the primary region.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the
correct order.

A. Mastered
B. Not Mastered

Answer: A

Explanation:
According to [1], Availability Zones are unique physical locations within an Azure region that provide high availability and disaster recovery for your virtual machines.
To back up your VM across three availability zones in the primary region, you need to perform the following actions in sequence:
• Create a Recovery Services vault [2] that will store your backups and enable geo-redundancy for cross-region protection.
• For VM1, create a backup policy and configure the backup [2] to use the Recovery Services vault as the backup destination.
• Configure a replication policy [1] that will replicate your VM1 to another availability zone in the same region.

NEW QUESTION 238


- (Topic 5)
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
You have a CSV file that contains the names and email addresses of 500 external users. You need to create a guest user account in contoso.com for each of the
500 external users.
Solution: From Azure AD in the Azure portal, you use the Bulk create user operation. Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation:
https://learn.microsoft.com/en-us/azure/active-directory/external-identities/tutorial-bulk-invite?source=recommendations

NEW QUESTION 240


HOTSPOT - (Topic 5)
You plan to use Azure Network Watcher to perform the following tasks:
• Task1: Identify a security rule that prevents a network packet from reaching an Azure virtual machine
• Task2: Validate outbound connectivity from an Azure virtual machine to an external host
Which feature should you use for each task? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

A. Mastered
B. Not Mastered

Answer: A

Explanation:
Task 1: IP flow verify
The IP flow verify capability enables you to specify a source and destination IPv4 address, port, protocol (TCP or UDP), and traffic direction (inbound or outbound).
IP flow verify then tests the communication and informs you if the connection succeeds or fails. If the connection fails, IP flow verify tells you which security rule
allowed or denied the communication, so that you can resolve the problem.
Task 2: Connection troubleshoot
The connection troubleshoot capability enables you to test a connection between a VM and another VM, an FQDN, a URI, or an IPv4 address. The test returns
similar information returned when using the connection monitor capability, but tests the connection at a point in time, rather than monitoring it over time.

NEW QUESTION 241


- (Topic 5)
You have an Azure subscription. The subscription contains a storage account named storage1 that has the lifecycle management rules shown in the following
table.

On June 1, you store a blob named File1 in the Hot access tier of storage1. What is the state of File1 on June 7?

A. stored in the Archive access tier
B. stored in the Hot access tier
C. stored in the Cool access tier
D. deleted

Answer: D

Explanation:
If you define more than one action on the same blob, lifecycle management applies the least expensive action to the blob. For example, action delete is cheaper
than action tierToArchive. Action tierToArchive is cheaper than action tierToCool.
https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-overview

NEW QUESTION 243


HOTSPOT - (Topic 5)
You have an Azure subscription that contains the hierarchy shown in the following exhibit.

You create an Azure Policy definition named Policy1.
To which Azure resources can you assign Policy1 and which Azure resources can you specify as exclusions from Policy1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

A. Mastered
B. Not Mastered

Answer: A

Explanation:
* 1. Tenant Root Group, ManagementGroup1, Subscription1 and RG1 https://learn.microsoft.com/en-us/answers/questions/1086208/assign-policy-to-specific-resource-in-azure
* 2. ManagementGroup1, Subscription1, RG1, and VM1

NEW QUESTION 245


HOTSPOT - (Topic 5)
You plan to deploy the following Azure Resource Manager (ARM) template.


For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Answer:

A. Mastered
B. Not Mastered

Answer: A

Explanation:
• LB1 will be connected to a subnet named LB1 in VNET1. Yes, this is correct. The template specifies that the load balancer resource named LB1 has a property called frontendIPConfigurations, which defines the subnet where the load balancer is located. The value of this property is a reference to the resource ID of the subnet named LB1 in VNET1. You can see this reference in line 38 of the template1.
• LB1 can be deployed only to the resource group that contains VNET1. No, this is not correct. The template does not specify a resource group for the load balancer resource, which means it can be deployed to any resource group in the same subscription as VNET1. However, if you want to deploy the load balancer to a specific resource group, you can add a property called resourceGroup to the reference of the subnet in line 382.
• The value of the sku variable can be provided as a parameter when the template is deployed. No, this is not correct. The template defines the sku variable as a constant value of “Standard” in line 9. This means that the value cannot be changed or overridden by a parameter when the template is deployed. If you want to make the sku value configurable, you need to change the variable definition to a parameter definition, and use the parameter reference instead of the variable reference in line 363.

NEW QUESTION 247


HOTSPOT - (Topic 5)
You have an Azure subscription named Subscription1 that has a subscription ID of c276fc76-9cd4-44c9-99a7-4fd71546436e.
You need to create a custom RBAC role named CR1 that meets the following requirements:
• Can be assigned only to the resource groups in Subscription1
• Prevents the management of the access permissions for the resource groups
• Allows the viewing, creating, modifying, and deleting of resources within the resource groups
What should you specify in the assignable scopes and the permission elements of the definition of CR1? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.

A. Mastered
B. Not Mastered

Answer: A

Explanation:

Box 1: "/subscription/c276fc76-9cd4-44c9-99a7-4fd71546436e"
In assignableScopes, you need to specify the subscription ID where you want to implement the RBAC role.
Box 2: "Microsoft.Authorization/*"
Microsoft.Authorization/* is used to manage authorization.
References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftresources

NEW QUESTION 249


HOTSPOT - (Topic 5)
You have the role assignment file shown in the following exhibit.


Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.

A. Mastered
B. Not Mastered

Answer: A

Explanation:

NEW QUESTION 252


- (Topic 5)
You have an Azure subscription that contains the resources shown in the following table.


You need to perform the tasks shown in the following table.

Which tasks can you perform by using Azure Storage Explorer?

A. Task1 and Task3 only
B. Task1, Task2, and Task3 only
C. Task1, Task3, and Task4 only
D. Task2, Task3, and Task4 only
E. Task1, Task2, Task3, and Task4

Answer: D

NEW QUESTION 257


- (Topic 5)
You have an on-premises server that contains a folder named D:\Folder1.
You need to copy the contents of D:\Folder1 to the public container in an Azure Storage account named contosodata.
Which command should you run?

A. https://contosodata.blob.core.windows.net/public
B. azcopy sync D:\folder1 https://contosodata.blob.core.windows.net/public --snapshot
C. azcopy copy D:\folder1 https://contosodata.blob.core.windows.net/public --recursive
D. az storage blob copy start-batch D:\Folder1 https://contosodata.blob.core.windows.net/public

Answer: C

Explanation:
The azcopy copy command copies a directory (and all of the files in that directory) to a blob container. The result is a directory in the container by the same name.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-blobs
https://docs.microsoft.com/en-us/azure/storage/common/storage-ref-azcopy-copy

NEW QUESTION 259


- (Topic 5)
You have an Azure AD tenant named adatum.com that contains the groups shown in the following table.

Adatum.com contains the users shown in the following table.

You assign the Azure AD Premium P2 license to Group1 and User4. Which users are assigned the Azure AD Premium P2 license?

A. User4 only
B. User1 and User4 only
C. User1, User2, and User4 only
D. User1, User2, User3, and User4

Answer: B

Explanation:
• According to the Microsoft documentation, when you assign a license to a group, all members of that group are automatically assigned the license. However, if a user is already assigned the same license directly or through another group, the license is not duplicated.


• In your scenario, you assigned the Azure AD Premium P2 license to Group1 and User4. This means that all members of Group1, which are User1 and User2, will also get the license. User4 will get the license directly.
• User3 will not get the license because they are not a member of Group1 or assigned the license directly.
• Therefore, the users who are assigned the Azure AD Premium P2 license are User1, User2, and User4 only.

NEW QUESTION 263


HOTSPOT - (Topic 5)
You have an Azure subscription that contains the Azure virtual machines shown in the following table.

You configure the network interfaces of the virtual machines to use the settings shown in the following table.

From the settings of VNET1, you configure the DNS servers shown in the following exhibit.

The virtual machines can successfully connect to the DNS server that has an IP address of 192.168.10.15 and the DNS server that has an IP address of
193.77.134.10.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.

Answer:

A. Mastered
B. Not Mastered

Answer: A


Explanation:
Box 1: Yes
You can specify DNS server IP addresses in the VNet settings. The setting is applied as the default DNS server(s) for all VMs in the VNet.
Box 2: No
You can set DNS servers per VM or cloud service to override the default network settings.
Box 3: Yes
You can set DNS servers per VM or cloud service to override the default network settings.

NEW QUESTION 265


- (Topic 5)
You have an Azure subscription that contains the resources shown in the following table.

You need to configure a proximity placement group for VMSS1. Which proximity placement groups should you use?

A. Proximity2 only
B. Proximity1, Proximity2, and Proximity3
C. Proximity1 and Proximity3 only
D. Proximity1 only

Answer: A

Explanation:
Placement Groups is a capability to achieve co-location of your Azure Infrastructure as a Service (IaaS) resources and low network latency among them, for
improved application performance.
Azure proximity placement groups represent a new logical grouping capability for your Azure Virtual Machines, which in turn is used as a deployment constraint
when selecting where to place your virtual machines. In fact, when you assign your virtual machines to a proximity placement group, the virtual machines are
placed in the same data center, resulting in lower and deterministic latency for your applications.
The VMSS should be in the same region, and even the same zone, because proximity placement groups are located in the same data center. Accordingly, the answer is
Proximity2 only.
Reference:
https://azure.microsoft.com/en-us/blog/introducing-proximity-placement-groups

NEW QUESTION 266


HOTSPOT - (Topic 5)
You have an Azure subscription that contains the users shown in the following table. The groups are configured as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Answer:


A. Mastered
B. Not Mastered

Answer: A

Explanation:
https://learn.microsoft.com/en-us/azure/active-directory/roles/groups-concept#how-are-role-assignable-groups-protected
"Group nesting isn't supported. A group can't be added as a member of a role-assignable group."
For the second question:
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/how-to-manage-groups#add-or-remove-a-group-from-another-group
"We currently don't support:
Adding Microsoft 365 groups to Security groups or other Microsoft 365 groups."
For the third question, although it appears truncated in the screenshot (ending with "for...") there is a reference about Microsoft 365 groups support for roles
assignment here: https://learn.microsoft.com/en-us/azure/active-directory/roles/groups-concept#how-role-assignments-to-groups-work
"To assign a role to a group, you must create a new security or Microsoft 365 group with the isAssignableToRole property set to true."

NEW QUESTION 271


- (Topic 5)
You have an Azure Storage account named storage1.
For storage1, you create an encryption scope named Scope1. Which storage types can you encrypt by using Scope1?

A. file shares only
B. containers only
C. file shares and containers only
D. containers and tables only
E. file shares, containers, and tables only
F. file shares, containers, tables, and queues

Answer: B

Explanation:
"Encryption scopes enable you to manage encryption at the level of an individual blob or container."
https://learn.microsoft.com/en-us/azure/storage/blobs/encryption-scope-manage?tabs=portal

NEW QUESTION 276


- (Topic 5)
You have an Azure virtual machine named VM1 that runs Windows Server 2019.
You save VM1 as a template named Template1 to the Azure Resource Manager library. You plan to deploy a virtual machine named VM2 from Template1.
What can you configure during the deployment of VM2?

A. virtual machine size
B. operating system
C. administrator username
D. resource group

Answer: D

Explanation:
Resource group is the correct answer. The admin user, password, VM size, and OS are part of the ARM template, but the resource group is not, so it must be
specified during deployment. See the following sample ARM template, in which all of the above attributes are passed as parameters:
https://github.com/Azure/azure-quickstart-templates/blob/master/101-vm-simple-windows/azuredeploy.json

NEW QUESTION 280


- (Topic 5)
You have an Azure virtual network named VNet1 that contains a subnet named Subnet1. Subnet1 contains three Azure virtual machines. Each virtual machine has
a public IP address.
The virtual machines host several applications that are accessible over port 443 to users on the Internet.
Your on-premises network has a site-to-site VPN connection to VNet1.
You discover that the virtual machines can be accessed by using the Remote Desktop Protocol (RDP) from the Internet and from the on-premises network.
You need to prevent RDP access to the virtual machines from the Internet, unless the RDP connection is established from the on-premises network. The solution
must ensure that all the applications can still be accessed by the Internet users.
What should you do?

A. Modify the address space of the local network gateway.
B. Remove the public IP addresses from the virtual machines.
C. Modify the address space of Subnet1.


D. Create a deny rule in a network security group (NSG) that is linked to Subnet1

Answer: D

Explanation:
You can use a site-to-site VPN to connect your on-premises network to an Azure virtual network. Users on your on-premises network connect by using the RDP or
SSH protocol over the site-to-site VPN connection. You have to deny direct RDP or SSH access over the internet through an NSG.
Reference:
https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices

NEW QUESTION 281


HOTSPOT - (Topic 5)
You have Azure subscriptions named Subscription1 and Subscription2. Subscription1 has the following resource groups:

RG1 includes a web app named App1 in the West Europe location. Subscription2 contains the following resource groups:

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Answer:

A. Mastered
B. Not Mastered

Answer: A

Explanation:
App1 is in RG1, and RG1 has no lock. So you can move App1 to the other resource groups: RG2, RG3, and RG4.
Note:
App Service resources can only be moved from the resource group in which they were originally created. If an App Service resource is no longer in its original
resource group, move it back to its original resource group.
