Mall Academy AZ-104 Azure Administrator Practice Exam #1 Flashcards

1
Q

You have an Azure subscription that contains the resources shown in the following table.

Name | Type | Resource Group
VNET1 | Virtual Network | RG1
VM1 | Virtual Machine | RG1

The Not Allowed resource types Azure Policy is assigned to RG1 and uses the following parameters:

Microsoft.Network/virtualNetworks
Microsoft.Compute/virtualMachines

In RG1, you need to create a new virtual machine named VM2, and then connect VM2 to VNET1. What should you do first?

A. Remove Microsoft.Compute/virtualMachines from the policy
B. Create an Azure Resource Manager Template
C. Add a subnet to VNET1
D. Remove Microsoft.Network/virtualNetworks from the policy

A

A. Remove Microsoft.Compute/virtualMachines from the policy

Explanation:
The Not allowed resource types Azure policy prohibits the deployment of specified resource types. You specify an array of the resource types to block. Virtual networks and virtual machines are prohibited.

2
Q

You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.

Another administrator plans to create several network security groups (NSGs) in the subscription.

You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.

Solution: From the Resource providers blade, you unregister the Microsoft.ClassicNetwork provider.

Does this meet the goal?

A. No
B. Yes

A

A. No

Explanation:
You should use a policy definition. Reference: https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition

3
Q

From the MFA Server blade, you open the Block/unblock users blade as shown in the exhibit. What caused AlexW to be blocked?

A. The user reported a fraud alert when prompted for additional authentication
B. The user account password expired
C. The user entered an incorrect PIN four times within 10 minutes
D. An administrator manually blocked the user

A

D. An administrator manually blocked the user

Explanation:
Only an administrator can block users; a block is not something the software applies on its own in response to a reason or complaint.

An administrator can block a user as follows:

  1. Sign in to the Azure portal as an administrator.
  2. Browse to Azure Active Directory > MFA > Block/unblock users.
  3. Select Add to block a user.
  4. Select the Replication Group. Enter the username for the blocked user as username@domain.com. Enter a comment in the Reason field, for example: Lost phone.
  5. Select Add to finish blocking the user.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings

4
Q

Azure Log Analytics can consolidate machine data from on-premises and cloud-based workloads and this data is indexed and categorized for quick searching. Data can be collected only from Windows machines.

A. TRUE
B. FALSE

A

B. FALSE

Explanation:
Azure Log Analytics can consolidate machine data from on-premises and cloud-based workloads, and this data is indexed and categorized for quick searching. Data can be collected from both Windows and Linux machines.

5
Q

You have an Azure Active Directory (Azure AD) tenant named contosocloud.onmicrosoft.com.

Your company has a public DNS zone for contoso.com.

You add contoso.com as a custom domain name to Azure AD. You need to ensure that Azure can verify the domain name.

Which type of DNS record should you create?

A. PTR
B. SRV
C. RRSIG
D. TXT

A

D. TXT

Explanation:
You can use either a TXT or MX record to verify the custom domain in Azure AD.

References: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain

6
Q

You have two Azure virtual networks named VNet1 and VNet2.

VNet1 contains an Azure virtual machine named VM1. VNet2 contains an Azure virtual machine named VM2.

VM1 hosts a frontend application that connects to VM2 to retrieve data.

Users report that the frontend application is slower than usual.

You need to view the average round-trip time (RTT) of the packets from VM1 to VM2.

Which Azure Network Watcher feature should you use?

A. Connection Troubleshoot
B. IP Flow Verify
C. Network Security Groups flow logs
D. Connection Monitor

A

D. Connection Monitor

Explanation:
The connection monitor capability monitors communication at a regular interval and informs you of reachability, latency, and network topology changes between the VM and the endpoint.

7
Q

You have the Azure virtual networks shown in the following table.

To which virtual networks can you establish a peering connection from VNet1?

A. VNet2 only
B. VNet2, VNet3 and VNet4
C. VNet2 and VNet3 only
D. VNet3 and VNet4 only

A

D. VNet3 and VNet4 only

Explanation:
To avoid IP address overlaps, we can only peer with VNET3 and VNET4.

References:

https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-connect-virtual-networks-portal

8
Q

You have an Azure subscription that contains a virtual network named VNET1. VNET1 contains the subnets shown in the following table.

Each virtual machine uses a static IP address. You need to create network security groups (NSGs) to meet the following requirements:

✑ Allow web requests from the internet to VM3, VM4, VM5, and VM6.

✑ Allow all connections between VM1 and VM2.

✑ Allow Remote Desktop connections to VM1.

✑ Prevent all other network traffic to VNET1.

What is the minimum number of NSGs you should create?

A. 1
B. 3
C. 4
D. 12

A

C. 4

Explanation:
A network security group (NSG) contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks (VNet).

NSGs can be associated with subnets, individual VMs (classic), or individual network interfaces (NIC) attached to VMs (Resource Manager). Each network security group also contains default security rules.

References: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#default-security-rules

9
Q

You manage a virtual network named VNet1 that is hosted in the West US Azure region.

VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.

You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.

Solution: From Performance Monitor, you create a Data Collector Set (DCS).

Does this meet the goal?

A. No
B. Yes

A

A. No

Explanation:
Use the Connection Monitor feature of Azure Network Watcher.

References: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview

10
Q

You have an Azure DNS zone named adatum.com. You need to delegate a subdomain named research.adatum.com to a different DNS server in Azure. What should you do?

A. Create an NS record named research in the adatum.com zone
B. Create an A record named *.research in the adatum.com zone
C. Modify the SOA record of adatum.com
D. Create a PTR record named research in the adatum.com zone

A

A. Create an NS record named research in the adatum.com zone

Explanation:
You need to create a name server (NS) record for the zone. References: https://docs.microsoft.com/en-us/azure/dns/delegate-subdomain

11
Q

Role-based access control allows you to grant users, groups, and service principals access to Azure resources at the subscription, resource group, or resource scopes with RBAC inheritance. The three core roles are Owner, Administrator, and Guest.

A. FALSE
B. TRUE

A

A. FALSE

Explanation:
Role-based access control allows you to grant users, groups, and service principals access to Azure resources at the subscription, resource group, or resource scopes with RBAC inheritance. The three core roles are Owner, Contributor, and Reader.

12
Q

Azure storage accounts provide ___________________ .

A. blobs
B. tables
C. Queues
D. Files

A

A. blobs
B. tables
C. Queues
D. Files

Explanation:
Azure storage accounts provide 4 separate services: blobs, tables, queues and files. Understand the usage scenarios of each service.

13
Q

You have an Azure virtual machine named VM1. The network interface for VM1 is configured as shown in the picture.

You deploy a web server on VM1, and then create a secure website that is accessible by using the HTTPS protocol.

VM1 is used as a web server only.

You need to ensure that users can connect to the website from the internet. What should you do?

A
14
Q

You have an Azure subscription named Subscription1 and two Azure Active Directory (Azure AD) tenants named Tenant1 and Tenant2.

Subscription1 is associated to Tenant1. Multi-factor authentication (MFA) is enabled for all the users in Tenant1.

You need to enable MFA for the users in Tenant2. The solution must maintain MFA for Tenant1.

What should you do first?

A. Change the directory for Subscription1
B. Configure the MFA server setting in Tenant1
C. Create and link a subscription to Tenant2
D. Transfer the administration of Subscription1 to a global admin of Tenant2

A

C. Create and link a subscription to Tenant2

Explanation:

15
Q

You configure Azure AD Connect for Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) for an on-premises network. Users report that when they attempt to access myapps.microsoft.com, they are prompted multiple times to sign in and are forced to use an account name that ends with onmicrosoft.com.

You discover that there is a UPN mismatch between Azure AD and the on-premises Active Directory.

You need to ensure that the users can use single-sign-on (SSO) to access Azure resources.

What should you do first?

A. From the on-premises network, deploy Active Directory Federation Services (AD FS)
B. From the server that runs Azure AD Connect, modify the filtering options
C. From Azure AD, add and verify a custom domain name
D. From the on-premises network, request a new cert that contains the AD Domain name

A

C. From Azure AD, add and verify a custom domain name

Explanation:
Every new Azure AD tenant comes with an initial domain name, domainname.onmicrosoft.com. You can’t change or delete the initial domain name, but you can add your organization’s names to the list. Adding custom domain names helps you to create user names that are familiar to your users, such as alain@contoso.com.

References: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain

16
Q

You have an Azure Active Directory (Azure AD) tenant. All administrators must enter a verification code to access the Azure portal. You need to ensure that the administrators can access the Azure portal only from your on-premises network. What should you configure?

A. the MFA service settings
B. The default for all the roles in Azure AD privileged identity management
C. an Azure AD Identity Protection user risk policy

A

A. the MFA service settings

Explanation:

17
Q

You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.

Another administrator plans to create several network security groups (NSGs) in the subscription.

You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.

Solution: You configure a custom policy definition, and then you assign the policy to the subscription.

Does this meet the goal?

A. No
B. Yes

A

B. Yes

Explanation:
Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing when the policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your resources. Reference: https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition

18
Q

You can create resources only from Azure Resource Manager templates.

A. TRUE
B. FALSE

A

B. FALSE

Explanation:
You can create resources from the portal, PowerShell, the CLI tools, and Azure Resource Manager templates. You should understand when to use which tool and how to configure the resource during provisioning and after provisioning.

19
Q

You have an Azure subscription that contains a policy-based virtual network gateway named GW1 and a virtual network named VNet1. You need to ensure that you can configure a point-to-site connection from VNet1 to an on-premises computer. Which two actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. Reset GW1
B. Add a public IP address space to VNet1
C. Add a connection to GW1
D. Delete GW1
E. Create a route-based virtual network gateway

A

D. Delete GW1
E. Create a route-based virtual network gateway

Explanation:
A VPN gateway is used when creating a VPN connection to your on-premises network. Route-based VPN devices use any-to-any (wildcard) traffic selectors, and let routing/forwarding tables direct traffic to different IPsec tunnels. They are typically built on router platforms where each IPsec tunnel is modeled as a network interface or VTI (virtual tunnel interface). Policy-based VPN devices use the combinations of prefixes from both networks to define how traffic is encrypted/decrypted through IPsec tunnels. They are typically built on firewall devices that perform packet filtering. IPsec tunnel encryption and decryption are added to the packet filtering and processing engine.

Incorrect Answers: Point-to-Site connections do not require a VPN device or a public-facing IP address.

References: https://docs.microsoft.com/en-us/azure/vpn-gateway/create-routebased-vpn-gateway-portal https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps

20
Q

You have an Azure Active Directory (Azure AD) tenant. You have an existing Azure AD conditional access policy named Policy1. Policy1 enforces the use of Azure AD-joined devices when members of the Global Administrators group authenticate to Azure AD from untrusted locations. You need to ensure that members of the Global Administrators group will also be forced to use multi-factor authentication when authenticating from untrusted locations. What should you do?

A. From the MFA page, modify the user settings
B. From the Azure portal, modify session control of Policy1
C. From the Azure portal, modify grant control of Policy1
D. From the MFA page, modify the service settings

A

C. From the Azure portal, modify grant control of Policy1

Explanation:
There are two types of controls:

Grant controls - to gate access
Session controls - to restrict access to a session

Grant controls oversee whether a user can complete authentication and reach the resource that they’re attempting to sign in to.

If you have multiple controls selected, you can configure whether all of them are required when your policy is processed.

The current implementation of Azure Active Directory enables you to set the following grant control requirements:

Reference: https://blog.lumen21.com/2017/12/15/conditional-access-in-azure-active-directory/

21
Q

A resource group is multiple resources in one group, not necessarily a logical grouping.

A. TRUE
B. FALSE

A

B. FALSE

Explanation:
A resource group is a logical grouping of resources. For example, a Resource Group where you deploy a VM compute instance may be composed of a Network Interface Card (NIC), a Virtual Machine, a Virtual Network, and a Public IP Address.

22
Q

A resource is simply a single service instance in Azure. Most services in Azure can be represented as a resource. For example, a Web App instance is a resource. An App Service Plan is also a resource. Even a SQL Database instance is a resource.

A. FALSE
B. TRUE

A

B. TRUE

Explanation:
A resource is simply a single service instance in Azure. Most services in Azure can be represented as a resource. For example, a Web App instance is a resource. An App Service Plan is also a resource. Even a SQL Database instance is a resource.

23
Q

You manage a virtual network named VNet1 that is hosted in the West US Azure region. VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server. You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.

Solution: From Azure Network Watcher, you create a connection monitor.

Does this meet the goal?

A. Yes
B. No

A

A. Yes

Explanation:
References: https://azure.microsoft.com/en-us/updates/general-availability-azure-network-watcher-connection-monitor-in-all-public-regions/

24
Q

You manage a virtual network named VNet1 that is hosted in the West US Azure region.

VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.

You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.

Solution: From Azure Network Watcher, you create a packet capture. Does this meet the goal?

A. Yes
B. No

A

A. Yes

Explanation:
Answer is Yes. Create a connection monitor to monitor communication over, for example, TCP port 22 from VM1 to VM2.

See the link below.

You need to inspect and capture all the network traffic from VM1 to VM2 for a period of three hours. Through Azure Network Watcher, you create a packet capture.

https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor

25
Q

You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.

The User administrator role is assigned to a user named Admin1.

An external partner has a Microsoft account that uses the user1@outlook.com sign in. Admin1 attempts to invite the external partner to sign in to the Azure AD tenant and receives the following error message: “Unable to invite user user1@outlook.com - Generic authorization exception.”

You need to ensure that Admin1 can invite the external partner to sign in to the Azure AD tenant.

What should you do?

A. From the Custom Domain names blade, add a custom domain
B. From the Organizational Relationships blade, add an identity provider
C. From the Users blade, modify the external collaboration settings
D. From the Roles and administrators blade, assign the security admin role to Admin1

A

C. From the Users blade, modify the external collaboration settings

Explanation:

26
Q

A template can simplify orchestration because you only need to deploy the template to deploy all of your resources.

A. FALSE
B. TRUE

A

B. TRUE

Explanation:
A template can simplify orchestration because you only need to deploy the template to deploy all of your resources.

27
Q

Azure Log Analytics has many management solutions that help administrators gain value out of complex machine data. These solutions contain pre-built visualizations and queries that help surface insights quickly.

A. TRUE
B. FALSE

A

A. TRUE

Explanation:
Azure Log Analytics has many management solutions that help administrators gain value out of complex machine data. These solutions contain pre-built visualizations and queries that help surface insights quickly.

28
Q

You have an Azure subscription that contains the resources in the following table.
To which subnets can you apply NSG1?

A
29
Q

You have five Azure virtual machines that run Windows Server 2016.

The virtual machines are configured as web servers.

You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.

You need to ensure that visitors are serviced by the same web server for each request.

What should you configure?

A. Protocol to UDP
B. Session persistence to Client IP
C. Idle Time out (minutes) to 20
D. Session persistence to None

A

B. Session persistence to Client IP

Explanation:
You can enable sticky sessions in the load balancer rules by setting session persistence to Client IP.

References: https://cloudopszone.com/configure-azure-load-balancer-for-sticky-sessions/

30
Q

You have an Azure subscription named Subscription1 that contains the resource groups shown in the following table.

In RG1, you create a virtual machine named VM1 in the East Asia location.

You plan to create a virtual network named VNET1.

You need to create VNET1, and then connect VM1 to VNET1.

What are two possible ways to achieve this goal?

Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

A
31
Q

You have an Azure subscription named Subscription1 that contains two Azure virtual networks named VNet1 and VNet2. VNet1 contains a VPN gateway named VPNGW1 that uses static routing. There is a site-to-site VPN connection between your on-premises network and VNet1.

On a computer named Client1 that runs Windows 10, you configure a point-to-site VPN connection to VNet1.

You configure virtual network peering between VNet1 and VNet2.

You verify that you can connect to VNet2 from the on-premises network. Client1 is unable to connect to VNet2.

You need to ensure that you can connect Client1 to VNet2.

What should you do?

A. Download and reinstall the VPN client configuration package on Client1
B. Select Allow gateway transit on VNet2
C. Enable BGP on VPNGW1
D. Select Allow gateway transit on VNet1

A

A. Download and reinstall the VPN client configuration package on Client1

Explanation:
The problem states that you have created the point-to-site VPN before you configured peering.

Clients using Windows can access directly peered VNets, but the VPN client must be downloaded again if any changes are made to VNet peering or the network topology.

32
Q

You have an Azure Active Directory (Azure AD) tenant.

All administrators must enter a verification code to access the Azure portal.

You need to ensure that the administrators can access the Azure portal without entering a verification code when they are connecting from your on-premises network.

Consider that some IP restrictions are included inside the sign-in risk policy.

What should you configure?

A. An Azure AD Identity Protection user risk policy
B. An Azure AD Identity Protection sign-in risk policy
C. The default for all the roles in Azure AD Privileged Identity Management

A

B. An Azure AD Identity Protection sign-in risk policy

Explanation:
Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings

33
Q

You set the multi-factor authentication status for a user named admin1@contoso.com to Enabled. Admin1 accesses the Azure portal by using a web browser. Which additional security verifications can Admin1 use when accessing the Azure portal?

A. A phone call, an email message that contains a verification code and a text message that contains an app password
B. An app password, a text message that contains a verification code, and a notification sent from the Microsoft Authenticator App
C. A phone call, a text message that contains a verification code, and a notification or a verification code sent from the Microsoft Authenticator app
D. An app password, a text message that contains a verification code, and a verification code sent from the Microsoft Authenticator app

A

C. A phone call, a text message that contains a verification code, and a notification or a verification code sent from the Microsoft Authenticator app

Explanation:

34
Q

You have an Azure subscription that contains the resources in the following table.

VM1 and VM2 are deployed from the same template and host line-of-business applications accessed by using Remote Desktop. You configure the network security group (NSG) shown in the picture.

You need to prevent users of VM1 and VM2 from accessing websites on the Internet over TCP port 80. What should you do?

A
35
Q

Azure Management Groups can be used to control policy and RBAC for multiple subscriptions.

Management groups enable organizational alignment for your Azure subscriptions through custom hierarchies and groupings.

A. TRUE
B. FALSE

A

A. TRUE

Explanation:
Azure Management Groups can be used to control policy and RBAC for multiple subscriptions.

Management groups enable organizational alignment for your Azure subscriptions through custom hierarchies and groupings.

36
Q

You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site connection uses a self-signed certificate.

From Azure, you download and install the VPN client configuration package on a computer named Computer2.

You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2.

Solution: You export the client certificate from Computer1 and install the certificate on Computer2. Does this meet the goal?

A. No
B. Yes

A

B. Yes

Explanation:
Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails. References: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site

37
Q

A resource group template is a JSON file that allows you to declaratively describe a set of resources. These resources can then be added to a new or existing resource group. For example, a template can contain the configuration necessary to create two API App instances, a Mobile App instance, and a Document DB instance.

A. FALSE
B. TRUE

A

B. TRUE

Explanation:
A resource group template is a JSON file that allows you to declaratively describe a set of resources. These resources can then be added to a new or existing resource group. For example, a template can contain the configuration necessary to create two API App instances, a Mobile App instance, and a Document DB instance.

38
Q

You have an Active Directory forest named contoso.com. You install and configure Azure AD Connect to use password hash synchronization as the single sign-on (SSO) method. Staging mode is enabled. You review the synchronization results and discover that the Synchronization Service Manager does not display any sync jobs. You need to ensure that the synchronization completes successfully and that exports, imports and synchronization could run. What should you do?

A. Run Azure AD Connect and disable staging mode
B. From Synchronization Service Manager, run a full import
C. From Azure PowerShell, run Start-ADSyncSyncCycle -PolicyType Initial
D. Run Azure AD Connect and set the SSO method to Pass-through Authentication

A

A. Run Azure AD Connect and disable staging mode

Explanation:
Staging mode must be disabled. If the Azure AD Connect server is in staging mode, password hash synchronization is temporarily disabled.

39
Q

You have a virtual network named VNet1 as shown in the picture.

No devices are connected to VNet1.

You plan to peer VNet1 to another virtual network named VNet2 in the same region.

VNet2 has an address space of 10.2.0.0/16.

You need to create the peering.

What should you do first?

A
40
Q

Queries in Log Analytics can be saved for quick access and visualized and shared using Azure Dashboards. To analyze data outside of Log Analytics you can export the data to Excel and Power BI.

A. FALSE
B. TRUE

A

B. TRUE

Explanation:
Queries in Log Analytics can be saved for quick access and visualized and shared using Azure Dashboards. To analyze data outside of Log Analytics you can export the data to Excel and Power BI.

41
Q

Azure Monitor is a single pane of glass for accessing Azure metrics, tenant and resource diagnostic logs, Log Analytics, service health, and alerts.

A. TRUE
B. FALSE

A

A. TRUE

Explanation:
Azure Monitor is a single pane of glass for accessing Azure metrics, tenant and resource diagnostic logs, Log Analytics, service health, and alerts.

42
Q

You sign up for Azure Active Directory (Azure AD) Premium. You need to add a user named admin1@contoso.com as an administrator on all the computers that will be joined to the Azure AD domain. What should you configure in Azure AD?

A. Providers from the MFA Server blade
B. General Settings from the Groups blade
C. User settings from the Users blade
D. Device settings from the Devices blade

A

C. User settings from the Users blade

Explanation:
You add the admin to the device administrator role (now: Cloud Device Administrator role).

43
Q

You have an Azure subscription named Subscription1 that contains an Azure virtual network named VM1. VM1 is in a resource group named RG1. VM1 runs services that will be used to deploy resources to RG1. You need to ensure that a service running on VM1 can manage the resources in RG1 by using the identity of VM1. What should you do first?

A. From the Azure portal, modify the Access control (IAM) settings of VM1
B. From the Azure portal, modify the Access control (IAM) settings of RG1
C. From the Azure portal, modify the Policies settings of RG1
D. From the Azure portal, modify the value of the Managed Service Identity option for VM1

A

D. From the Azure portal, modify the value of the Managed Service Identity option for VM1

Explanation:
The managed identities for Azure resources feature in Azure Active Directory (Azure AD) solves this problem. The feature provides Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code. References: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

44
Q

You can configure alerts based on metric alerts (captured from Azure Metrics) to Activity Log alerts that can notify only with an Azure Automation Runbook (and not by email).

A. FALSE
B. TRUE

A

A. FALSE

Explanation:
You can configure alerts based on metric alerts (captured from Azure Metrics) to Activity Log alerts that can notify by email, web hook, SMS, Logic Apps, or even an Azure Automation Runbook.

45
Q

The Standard performance tier uses

A. solid state disks and is only used for unmanaged VM disks
B. magnetic disks and supports all services

A

B. magnetic disks and supports all services

Explanation:
The Standard performance tier uses magnetic disks and supports all services. The Premium tier uses solid-state disks and is only used for unmanaged VM disks.

46
Q

Tags in Azure can be used to logically organize resources by categories. Each tag is a name and a value pair. However, tags cannot be shared across multiple resources.

A. TRUE
B. FALSE

A

B. FALSE

Explanation:
Tags in Azure can be used to logically organize resources by categories. Each tag is a name and a value pair. Tags can be shared across multiple resources and enforced with Azure Policy.

47
Q

Your company has an Azure Active Directory (Azure AD) tenant named contoso.com that is configured for hybrid coexistence with the on-premises Active Directory domain. The tenant contains the users shown in the following table.

Whenever possible, you need to enable Azure Multi-Factor Authentication (MFA) for the users in contoso.com.

Which users should you enable for Azure MFA?

A. User1, User2, and User3 only
B. User1
C. User1 and User2 only
D. User1, User2, User3, and User4

A

D. User1, User2, User3, and User4

Explanation:

48
Q

Blob storage supports …… types of blobs, and …… access tiers.

A. 3
B. 4
C. 2
D. 1

A

A. 3

Explanation:
Blob storage supports three types of blobs (block, page and append blobs), and three access tiers (hot, cool, and archive).

49
Q

You have an Azure subscription that contains a virtual network named VNet1.

VNet1 contains four subnets named Gateway, Perimeter, NVA, and Production.

The NVA subnet contains two network virtual appliances (NVAs) that will perform network traffic inspection between the Perimeter subnet and the Production subnet.

You need to implement an Azure load balancer for the NVAs. The solution must meet the following requirements:

✑ The NVAs must run in an active-active configuration that uses automatic failover.

✑ The NVAs must load balance traffic to two services on the Production subnet.

The services have different IP addresses.

Which three actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. Add two load balancing rules that have HA Ports enabled and Floating IP disabled
B. Deploy a standard load balancer
C. Add two load balancing rules that have HA Ports and Floating IP enabled
D. Add a frontend IP configuration, two backend pools and a health probe
E. Deploy a basic load balancer

A

B. Deploy a standard load balancer
C. Add two load balancing rules that have HA Ports and Floating IP enabled
D. Add a frontend IP configuration, two backend pools and a health probe

Explanation:
A standard load balancer is required for the HA ports. Two backend pools are needed as there are two services with different IP addresses. Floating IP rule is used where backend ports are reused. Incorrect Answers: F: HA Ports are not available for the basic load balancer. References: https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-overview https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-multivip-overview

50
Q

You have an Azure subscription named Subscription1. Subscription1 contains a virtual machine named VM1. You have a computer named Computer1 that runs Windows 10. Computer1 is connected to the Internet.

You add a network interface named Interface1 to VM1 as shown in the picture.

From Computer1, you attempt to connect to VM1 by using Remote Desktop, but the connection fails.

You need to establish a Remote Desktop connection to VM1.

What should you do first?

A

51
Q

You have an Azure Active Directory (Azure AD) tenant named contosocloud.onmicrosoft.com. Your company has a public DNS zone for contoso.com. You add contoso.com as a custom domain name to Azure AD. You need to ensure that Azure can verify the domain name. Which type of DNS record should you create?

A. NSEC
B. SEC
C. DNSKEY
D. MX

A

D. MX

Explanation:
References: https://docs.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain

52
Q

Azure Policy is a service that lets you create, manage, and apply policy to Azure resources at a subscription, resource group, or resource level. Policies enforce different rules over your Azure resources, so those resources remain compliant with your organization’s standards.

A. TRUE
B. FALSE

A

A. TRUE

Explanation:
Azure Policy is a service that lets you create, manage, and apply policy to Azure resources at a subscription, resource group, or resource level. Policies enforce different rules over your Azure resources, so those resources remain compliant with your organization’s standards.

53
Q

A template allows you to configure multiple resources simultaneously and use variables/parameters/functions to create dependencies between resources.

A. FALSE
B. TRUE

A

B. TRUE

Explanation:
A template allows you to configure multiple resources simultaneously and use variables/parameters/functions to create dependencies between resources.

54
Q

Storage accounts must specify a replication mode. Options are locally redundant, zone-redundant, geo-redundant and read-access geo-redundant storage.

A. TRUE
B. FALSE

A

A. TRUE

Explanation:
Storage accounts must specify a replication mode. Options are locally redundant, zone-redundant, geo-redundant and read-access geo-redundant storage.

55
Q

You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.

Another administrator plans to create several network security groups (NSGs) in the subscription.

You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.

Solution: You create a resource lock, and then you assign the lock to the subscription. Does this meet the goal?

A. Yes
B. No

A

B. No

Explanation:
How can I freeze or lock my production/critical Azure resources from accidental deletion? There is a way to do this with both ASM and ARM resources using Azure resource lock. Reference: https://blogs.msdn.microsoft.com/azureedu/2016/04/27/using-azure-resource-manager-policy-and-azure-lock-to-control-your-azure-resources/

56
Q

You have two Azure Active Directory (Azure AD) tenants named contoso.com and fabrikam.com. You have a Microsoft account that you use to sign in to both tenants. You need to configure the default sign-in tenant for the Azure portal. What should you do?

A. From the Azure Portal, configure the portal settings
B. From Azure Cloud Shell, run Set-AzureRmSubscription
C. From the Azure portal, change the directory
D. From Azure Cloud Shell, run Set-AzureRmContext

A

D. From Azure Cloud Shell, run Set-AzureRmContext

Explanation:
Let’s analyze the answers:

  • From Azure Cloud Shell, run Set-AzureRmSubscription.

It allows you to configure the subscription to connect to by default. This does not meet the request.

  • From Azure Cloud Shell, run Set-AzureRmContext.

It allows you to configure the directory and subscription to which you want to connect by default. This meets the request.

  • From the Azure portal, configure the portal settings.

From the portal settings you cannot define the default directory to which you want to connect. This does not meet the request.

  • From the Azure portal, change the directory.

It refers to changing the directory, but does not specify where in the portal the change can be made.

The Set-AzureRmContext cmdlet sets authentication information for cmdlets that you run in the current session. The context includes tenant, subscription, and environment information. References: https://docs.microsoft.com/en-us/powershell/module/azurerm.profile/set-azurermcontext

57
Q

Your company has a main office in London that contains 100 client computers. Three years ago, you migrated to Azure Active Directory (Azure AD). The company’s security policy states that all personal devices and corporate-owned devices must be registered or joined to Azure AD. A remote user named User1 is unable to join a personal device to Azure AD from a home network. You verify that other users can join their devices to Azure AD. You need to ensure that User1 can join the device to Azure AD.

What should you do?

A. Assign the User administrator role to User1
B. From the Device settings blade, modify the Users may join devices to Azure AD setting
C. Create a point to site VPN from the home network of User1 to Azure
D. From the Device settings blade, modify the Maximum number of devices per user setting

A

D. From the Device settings blade, modify the Maximum number of devices per user setting

Explanation:
The Maximum number of devices setting enables you to select the maximum number of devices that a user can have in Azure AD. If a user reaches this quota, they will not be able to add additional devices until one or more of the existing devices are removed.

Incorrect Answers:

The Users may join devices to Azure AD setting enables you to select the users who can join devices to Azure AD. Options are All, Selected and None.

The default is All.

Azure AD Join enables users to join their devices to Active Directory from anywhere as long as they have connectivity with the Internet.

References: https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal http://techgenix.com/pros-and-cons-azure-ad-join/

58
Q

You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com. You hire a temporary vendor. The vendor uses a Microsoft account that has a sign-in of user1@outlook.com. You need to ensure that the vendor can authenticate to the tenant by using user1@outlook.com. What should you do?

A. From the Azure portal, add a custom domain name, create a new Azure AD user, and then specify user1@outlook.com as the username
B. From the Azure portal, add a new guest user, and then specify user1@outlook.com as the email address
C. From Azure Cloud Shell, run the New-AzureADUser cmdlet and specify the -UserPrincipalName user1@outlook.com parameter
D. From Windows PowerShell, run the New-AzureADUser cmdlet and specify the -UserPrincipalName user1@outlook.com parameter

A

B. From the Azure portal, add a new guest user, and then specify user1@outlook.com as the email address

Explanation:
You hire a temporary vendor. The vendor has to log in to your tenant using the @outlook.com account.

So you invite the vendor as a guest user.

https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/add-external-user?view=azure-devops&tabs=preview-page

59
Q

You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site connection uses a self-signed certificate.

From Azure, you download and install the VPN client configuration package on a computer named Computer2.

You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2.

Solution: On Computer2, you set the Startup type for the IPSec Policy Agent service to Automatic.

Does this meet the goal?

A. No
B. Yes

A

A. No

Explanation:
Instead, export the client certificate from Computer1 and install the certificate on Computer2. Note: Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails.

References: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site

60
Q

Azure does not offer a rich ecosystem of governance controls with user-level and platform-level controls in the form of role-based access control (RBAC) and Azure Policy.

A. FALSE
B. TRUE

A

A. FALSE

Explanation:
Azure offers a rich ecosystem of governance controls with user-level and platform-level controls in the form of role-based access control (RBAC) and Azure Policy.