Az 104

Question 1

What is Azure Active Directory (Azure AD)?

Answer 1

Azure AD is Microsoft’s cloud-based identity and access management service. It is used for authentication and authorization in Azure, Microsoft 365, and other cloud applications.

Question 2

What is Azure AD Connect, and why is it used?

Answer 2

Azure AD Connect is a tool that syncs on-premises Active Directory (AD) objects (users, groups, passwords) with Azure AD. It enables hybrid identity and single sign-on (SSO).

Question 3

How does Azure AD Join differ from Hybrid AD Join?

Answer 3

Azure AD Join → Device is only in Azure AD (cloud-only).
Hybrid AD Join → Device is joined to both on-prem AD and Azure AD (hybrid setup).

Question 4

What does the NetLogon service do in Active Directory?

Answer 4

The NetLogon service handles authentication requests for domain-joined computers in on-prem AD. It does not sync users to Azure AD.

Question 5

How do you check the Azure AD Connect sync status?

Answer 5

Get-ADSyncScheduler

Displays the sync schedule and last sync status.

Question 6

Name two security enhancements in Azure AD.

Answer 6

1. Multi-Factor Authentication (MFA) – Adds an extra verification step for users.
2. Conditional Access – Enforces security rules based on location, device, etc.

Question 7

How does Pass-Through Authentication (PTA) differ from Password Hash Sync (PHS)?

Answer 7

PHS – Syncs password hashes to Azure AD, allowing authentication in the cloud.
PTA – Sends authentication requests to on-prem AD in real-time.

Question 8

What is the role of VPNs or ExpressRoute in a hybrid identity setup?

Answer 8

VPNs or ExpressRoute provide secure connectivity between on-prem AD and Azure AD, allowing domain controllers to communicate with cloud services securely.

Question 9

What troubleshooting steps should you take if a user is not syncing to Azure AD?

Answer 9

1. Check the Azure AD Connect sync status using:
   Get-ADSyncScheduler
2. Manually force a sync if needed:
   Start-ADSyncSyncCycle -PolicyType Delta
3. Ensure the user object is in scope for synchronization.

Question 10

PowerShell Cmdlets for Azure VM Image Creation

Answer 10

First, generalize the VM using Sysprep. Then, use Azure Storage tools like AzCopy or the Azure Portal to upload the VHD. Finally, use New-AzImageConfig and New-AzImage to create the image resource.

Question 11

Automating VM Configuration

Answer 11

Use the Azure Custom Script Extension.

Question 12

Updating VPN Clients for Routing Changes

Answer 12

Download and reinstall the updated VPN client package from the Azure Virtual Network Gateway’s Point-to-Site configuration.

Question 13

Steps to Update a VPN Client in Azure

Answer 13

1. Go to Azure Portal → Virtual Network Gateway (VNetA). 2. Navigate to ‘Point-to-Site Configuration.’ 3. Download the updated VPN client package. 4. Uninstall the existing VPN client on the Windows 10 workstation. 5. Install the new VPN client and reconnect.

Question 14

Site-to-Site VPN vs. Point-to-Site VPN

Answer 14

Site-to-Site VPN: Connects an on-premises network to an Azure virtual network. Point-to-Site VPN: Connects individual client devices to an Azure virtual network.

Question 15

Static vs. Dynamic Routing in VPN Gateways

Answer 15

Static routes require manual updates to include new network prefixes, whereas dynamic routing automatically learns new routes.

Question 16

PowerShell Cmdlets for Azure VMs

Answer 16

New-AzImageConfig: Creates a configuration object for an Azure VM image.
New-AzImage: Creates an Azure VM image resource from a generalized VHD.
New-AzVM: Creates a new Azure virtual machine.
Add-AzImageDataDisk: Adds a data disk to an existing VM.

Question 17

What is the purpose of SQL Server Always On availability groups?

Answer 17

SQL Server Always On availability groups provide high availability and disaster recovery for databases by maintaining a primary replica for read-write operations and secondary replicas for read-only or backup operations.

Question 18

What role does an Azure internal load balancer play in SQL Server Always On configurations?

Answer 18

An Azure internal load balancer acts as a listener, routing client traffic to the active primary replica of the availability group.

Question 19

What type of health probe is typically used for SQL Server Always On availability groups with an ILB?

Answer 19

A TCP health probe on a custom port (e.g., 59999) is used to monitor the status of SQL Server instances.

Question 20

Is session persistence necessary for SQL Server Always On configurations with an ILB?

Answer 20

Session persistence is not typically required for SQL Server Always On configurations. It is often set to ‘None’ as SQL Server manages connections through the listener.

Question 21

What is the purpose of enabling Floating IP (Direct Server Return) in ILB configurations for SQL Server Always On?

Answer 21

Floating IP allows the load balancer to route traffic directly to the active SQL Server instance without rewriting the destination IP address, which is critical for Always On availability groups.

Question 22

Why is creating an HTTP health probe on port 1433 incorrect for SQL Server Always On?

Answer 22

Port 1433 is used for SQL Server database engine connections, not HTTP. A TCP health probe on a custom port is needed, not HTTP on port 1433.

Question 23

What are the key configurations needed for an ILB to act as a listener for SQL Server Always On?

Answer 23

Key configurations include enabling Floating IP (Direct Server Return), setting up a TCP health probe on a custom port, and defining appropriate load-balancing rules.

Question 24

Name three ways you can manage Azure services.

Answer 24

Azure Portal, Azure CLI, and Azure PowerShell.

Question 25

What is the purpose of the Azure portal dashboard?

Answer 25

To provide a customizable view of your Azure resources and services.

Question 26

How do you access the Azure Cloud Shell from the Azure portal?

Answer 26

By clicking the Cloud Shell icon in the top navigation bar.

Question 27

Can you create multiple dashboards in the Azure portal?

Answer 27

Yes, you can create and customize multiple dashboards.

Question 28

How can you find a specific service or resource in the Azure portal if you don't know where it is located?

Answer 28

Use the search bar at the top of the portal.

Question 29

What is the purpose of 'Azure Preview' features?

Answer 29

To allow users to test upcoming features before they are generally available.

Question 30

Is it possible to share a customized Azure portal dashboard with other users?

Answer 30

Yes, dashboards can be shared with specific users or groups.

Question 31

Where can you find information about the health of Azure services in a specific region?

Answer 31

In Azure Service Health.

Question 32

What are the benefits of customizing the Azure portal dashboard?

Answer 32

Improved efficiency, personalized view, quick access to services, and better monitoring.

Question 33

How do you navigate to different Azure services within the portal?

Answer 33

Using the navigation menu on the left side of the portal.

Question 34

What is Azure Advisor?

Answer 34

A tool that provides recommendations for optimizing Azure resources for cost, performance, security, and reliability.

Question 35

How do you access Azure Advisor?

Answer 35

From the navigation menu in the Azure portal.

Question 36

What is Azure Cost Estimator?

Answer 36

A tool that helps estimate costs for Azure services before deploying them.

Question 37

How do you manage Azure subscriptions within the portal?

Answer 37

Through the 'Subscriptions' section in the navigation menu.

Question 38

What is Azure Resource Groups?

Answer 38

A way to organize related resources for easier management and billing.

Question 39

How do you create a new Azure Resource Group?

Answer 39

By navigating to 'Resource groups' in the navigation menu and clicking 'New resource group.'

Question 40

What is Azure Role-Based Access Control (RBAC)?

Answer 40

A system for controlling access to Azure resources based on user roles.

Question 41

How do you assign roles in Azure RBAC?

Answer 41

Through the 'Access control (IAM)' section in the resource or resource group settings.

Question 42

What is Azure Monitor?

Answer 42

A service that provides monitoring and analytics capabilities for Azure resources.

Question 43

What is Azure Policy?

Answer 43

A service that helps enforce compliance and governance across Azure resources.

Question 44

How do you access Azure Policy?

Answer 44

From the navigation menu in the Azure portal.

Question 45

What is Azure Service Health?

Answer 45

A service that provides personalized health information and alerts for Azure services.

Question 46

How do you access Azure Service Health?

Answer 46

From the navigation menu in the Azure portal.

Question 47

What is Azure Cost Analysis?

Answer 47

A tool that helps analyze and manage Azure costs.

Question 48

How do you access Azure Cost Analysis?

Answer 48

Through the 'Cost Management + Billing' section in the navigation menu.

Question 49

What is Azure Active Directory (AAD)?

Answer 49

A service that provides identity and access management for Azure resources.

Question 50

How do you manage Azure Active Directory users?

Answer 50

Through the 'Azure Active Directory' section in the navigation menu.

Question 51

What is Azure Security Center?

Answer 51

A service that provides threat protection and security monitoring for Azure resources.

Question 52

How do you access Azure Security Center?

Answer 52

From the navigation menu in the Azure portal.

Question 53

What is a UDR in Azure?

Answer 53

A custom route created by users to control traffic in a VNet.

Question 54

Where do you apply a Route Table containing UDRs?

Answer 54

At the subnet level.

Question 55

What’s a typical use case for a Virtual Appliance as a next hop?

Answer 55

To send traffic through a firewall or NVA.

Question 56

What is the effect of setting next hop to 'None'?

Answer 56

Traffic is blocked to the destination.

Question 57

Which has higher priority—UDR or system route?

Answer 57

UDR overrides system routes.

Question 58

Does a UDR apply to inbound or outbound traffic?

Answer 58

Outbound only.

Question 59

What next hop type is used to route traffic to the internet?

Answer 59

Internet.

Question 60

What does NSG stand for and what does it control?

Answer 60

Network Security Group – controls inbound/outbound traffic.

Question 61

What does ASG stand for and what is it used for?

Answer 61

Application Security Group – logically groups VMs for NSG rules.

Question 62

Can you apply an NSG to a VM directly?

Answer 62

Yes, via its NIC.

Question 63

What evaluates first: subnet NSG or NIC NSG?

Answer 63

Both are evaluated, and the most restrictive rule applies.

Question 64

Can ASGs contain IP addresses?

Answer 64

No – only VM NICs can be members of ASGs.

Question 65

What happens if two rules in an NSG conflict?

Answer 65

The rule with the lowest priority number wins.

Question 66

What's the default behavior of an NSG if no custom rule matches?

Answer 66

Default rules apply, like: Deny all inbound from the internet Allow VNet-to-VNet traffic

Question 67

What is Azure Bastion used for?

Answer 67

Secure browser-based RDP/SSH to VMs without using public IPs.

Question 68

What is the required name for the Bastion subnet?

Answer 68

AzureBastionSubnet

Question 69

Which port is used by Azure Bastion?

Answer 69

Port 443 (HTTPS)

Question 70

Can you RDP to a VM using Bastion if the VM has no public IP?

Answer 70

✅ Yes

Question 71

Does Azure Bastion work across VNets by default?

Answer 71

❌ No, unless you're using Bastion Premium with VNet peering.

Question 72

What is the minimum subnet size for Azure Bastion?

Answer 72

/27

Question 73

Is Azure Bastion free?

Answer 73

❌ No, it’s billed by usage and data.

Question 74

What does a Service Endpoint do?

Answer 74

Extends VNet to Azure services over Azure backbone, using public service DNS.

Question 75

What does a Private Endpoint do?

Answer 75

Maps a private IP from your VNet to an Azure service using Private Link.

Question 76

Can you use DNS with Private Endpoints?

Answer 76

✅ Yes, but it uses private DNS zones (e.g. privatelink.blob.core.windows.net).

Question 77

Do Service Endpoints require public IPs?

Answer 77

❌ No, traffic goes over Azure backbone, not public internet.

Question 78

Are Service Endpoints free?

Answer 78

✅ Yes, included in the price of the Azure service.

Question 79

What is the main purpose of Azure DNS?

Answer 79

To host and manage DNS domains, resolving domain names to IP addresses for public or private access.

Question 80

What is the difference between a public and private DNS zone?

Answer 80

Public DNS zones resolve names for internet access; private DNS zones resolve names within Azure VNets.

Question 81

What is required to use Azure DNS for a public domain like contoso.com?

Answer 81

Delegate the domain by updating the registrar’s NS records to Azure’s name servers (e.g., ns1-01.azure-dns.com).

Question 82

Which DNS record type maps a name to an IPv4 address?

Answer 82

A record.

Question 83

Why is a private DNS zone critical for private endpoints?

Answer 83

It resolves the service’s DNS name (e.g., privatelink.blob.core.windows.net) to a private IP within the VNet.

Question 84

What does TTL in a DNS record control?

Answer 84

The time (in seconds) that resolvers cache the record before querying again.

Question 85

Can Azure DNS host a domain without delegating it to Azure’s name servers?

Answer 85

No, delegation to Azure’s name servers is required for Azure DNS to manage the domain.

Question 86

Name a common use case for a private DNS zone.

Answer 86

Resolving private endpoint names (e.g., Azure SQL) to private IPs within a VNet for secure access.

Question 87

What layer does Azure Load Balancer operate at, and what protocols does it handle?

Answer 87

Layer 4 (Transport Layer), handles TCP and UDP protocols.

Question 88

What is the purpose of a health probe in Azure Load Balancer?

Answer 88

Checks the health of backend resources (e.g., VMs) to ensure only healthy ones receive traffic.

Question 89

What’s the difference between Basic and Standard SKU for Azure Load Balancer?

Answer 89

Basic is free, limited features, no SLA. Standard supports availability zones, SLA, and is production-grade.

Question 90

Name the five main components of Azure Load Balancer.

Answer 90

Frontend IP, Backend Pool, Health Probe, Load Balancing Rules, NAT Rules. (Mnemonic: F-B-H-L-N)

Question 91

What is session persistence, and what are its options?

Answer 91

Controls how client requests are routed. Options: None, Client IP, Client IP and Protocol.

Question 92

When would you use a Public Load Balancer vs. an Internal Load Balancer?

Answer 92

Public: For internet-facing apps (e.g., websites). Internal: For private apps within a VNet (e.g., databases).

Question 93

How does Azure Load Balancer ensure high availability?

Answer 93

Uses Availability Zones (Standard SKU) or Availability Sets to distribute VMs and handle failures.

Question 94

What is the purpose of a NAT rule in Azure Load Balancer?

Answer 94

Maps specific ports to allow direct access to backend VMs (e.g., SSH on port 22).

Question 95

What is the purpose of an Azure Load Balancer?

Answer 95

Distributes incoming network traffic across multiple VMs to ensure high availability and performance.

Question 96

What are the two types of Azure Load Balancer?

Answer 96

Public (for internet traffic) and Internal (for private network traffic).

Question 97

What is a backend pool in the context of a load balancer?

Answer 97

A group of VMs that receive traffic from the load balancer.

Question 98

Why is a health probe necessary for load balancing?

Answer 98

It checks if VMs are healthy (e.g., responding on port 80) to ensure traffic is sent only to operational VMs.

Question 99

What does an availability set do for VMs?

Answer 99

Places VMs across different physical servers (fault domains) and update schedules (update domains) to ensure high availability.

Question 100

What port is typically used for HTTP traffic in a load balancing rule?

Answer 100

Port 80.

Question 101

What is the role of a Network Security Group (NSG) in a load balancing setup?

Answer 101

Controls traffic by allowing or denying specific ports (e.g., allow port 80 for HTTP).

Question 102

Why should VMs be in the same VNet for load balancing?

Answer 102

Ensures they can communicate with the load balancer and each other securely.

Question 103

What is session persistence in a load balancing rule?

Answer 103

Ensures a user’s requests go to the same VM for consistency (also called client IP affinity).

Question 104

What SKU is recommended for production load balancing in AZ-104?

Answer 104

Standard SKU (supports advanced features and availability zones).