AZ-104 Exam - Free Actual Q&as, Page 1 - ExamTopics
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 1/94
26/6/23, 23:16 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics
HOTSPOT
You have an Azure subscription that contains the alerts shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
You can test this yourself by using Microsoft Learn; see:
https://learn.microsoft.com/en-us/training/modules/incident-response-with-alerting-on-azure/4-exercise-metric-alerts
upvoted 1 times
Topic 7 - Testlet 1
Question #1 Topic 7
Introductory Info
Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next section of the exam. After you begin a new section, you cannot return to this section.
Overview -
Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market.
Contoso products are manufactured by using blueprint files that the company authors and maintains.
Existing Environment -
Currently, Contoso uses multiple types of servers for business operations, including the following:
File servers
Domain controllers
Microsoft SQL Server servers
Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.
You have a public-facing application named App1. App1 is comprised of the following three tiers:
A SQL database
A web front end
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
Requirements -
Planned Changes -
Contoso plans to implement the following changes to the infrastructure:
Move all the tiers of App1 to Azure.
Move the existing product blueprint files to Azure Blob storage.
Create a hybrid directory to support an upcoming Microsoft 365 migration project.
Technical Requirements -
Contoso must meet the following technical requirements:
Move all the virtual machines for App1 to Azure.
Minimize the number of open ports between the App1 tiers.
Ensure that all the virtual machines for App1 are protected by backups.
Copy the blueprint files to Azure over the Internet.
Ensure that the blueprint files are stored in the archive storage tier.
Ensure that partner access to the blueprint files is secured and temporary.
Prevent user passwords or hashes of passwords from being stored in Azure.
Use unmanaged standard storage for the hard disks of the virtual machines.
Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
Minimize administrative effort whenever possible.
User Requirements -
Contoso identifies the following requirements for users:
Ensure that only users who are part of a group named Pilot can join devices to Azure AD.
Designate a new user named Admin1 as the service admin for the Azure subscription.
Admin1 must receive email alerts regarding service outages.
Ensure that a new user named User3 can create network objects for the Azure subscription.
Question
HOTSPOT -
You need to configure the Device settings to meet the technical requirements and the user requirements.
Which two settings should you modify? To answer, select the appropriate settings in the answer area.
Hot Area:
Box 1: Selected
As per User requirements “Ensure that only users who are part of a group named Pilot can join devices to Azure AD.”
So, “Selected” must be selected for “User may join devices to Azure AD”
Box 2: Yes
As per User Requirements “Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their
identity”.
So, “Yes” must be selected for “Require Multi-Factor Auth to join devices”.
upvoted 83 times
Box 2: Yes -
Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
upvoted 2 times
Question #2 Topic 7
Introductory Info
Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next section of the exam. After you begin a new section, you cannot return to this section.
Overview -
Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market.
Contoso products are manufactured by using blueprint files that the company authors and maintains.
Existing Environment -
Currently, Contoso uses multiple types of servers for business operations, including the following:
File servers
Domain controllers
Microsoft SQL Server servers
Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.
You have a public-facing application named App1. App1 is comprised of the following three tiers:
A SQL database
A web front end
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
Requirements -
Planned Changes -
Contoso plans to implement the following changes to the infrastructure:
Move all the tiers of App1 to Azure.
Move the existing product blueprint files to Azure Blob storage.
Create a hybrid directory to support an upcoming Microsoft 365 migration project.
Technical Requirements -
Contoso must meet the following technical requirements:
Move all the virtual machines for App1 to Azure.
Minimize the number of open ports between the App1 tiers.
Ensure that all the virtual machines for App1 are protected by backups.
Copy the blueprint files to Azure over the Internet.
Ensure that the blueprint files are stored in the archive storage tier.
Ensure that partner access to the blueprint files is secured and temporary.
Prevent user passwords or hashes of passwords from being stored in Azure.
Use unmanaged standard storage for the hard disks of the virtual machines.
Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
Minimize administrative effort whenever possible.
User Requirements -
Contoso identifies the following requirements for users:
Ensure that only users who are part of a group named Pilot can join devices to Azure AD.
Designate a new user named Admin1 as the service admin for the Azure subscription.
Admin1 must receive email alerts regarding service outages.
Ensure that a new user named User3 can create network objects for the Azure subscription.
Question
You need to meet the user requirement for Admin1.
What should you do?
C. From the Subscriptions blade, select the subscription, and then modify the Access control (IAM) settings
D. From the Subscriptions blade, select the subscription, and then modify the Properties
As per User Requirements “Designate a new user named Admin1 as the service admin for the Azure subscription.”
So, in the Azure portal, you can view or change the Service Administrator or view the Account Administrator on the properties blade of your
subscription.
https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles
Should be C: but the question looks old and depends when MS update it.
upvoted 1 times
However, it's important to note that the classic deployment model is being phased out in favor of the Azure Resource Manager deployment model,
which uses a different approach to manage access control and resource permissions.
In the context of the given scenario, the requirement to assign the Service Administrator role to Admin1 is better accomplished using Option C,
which applies to the Azure Resource Manager deployment model. The Access control (IAM) settings provide a more granular and flexible way to
manage roles and permissions for Azure resources, including the subscription, which allows you to assign the Service Administrator role to Admin1
as well as manage other roles and permissions for users, groups, and applications.
upvoted 4 times
"Designate a new user named Admin1 as the service admin for the Azure subscription.”
This means you need to change the Service Admin!
So, you need to
"Follow these steps to change the Service Administrator in the Azure portal."
Make sure your scenario is supported by checking the limitations for changing the Service Administrator.
Sign in to the Azure portal as the Account Administrator.
Open Cost Management + Billing and select a subscription.
In the left navigation, click Properties.
Click Change service admin.
https://learn.microsoft.com/en-us/azure/role-based-access-control/classic-administrators
upvoted 1 times
In this screenshot on the left side menu the "Properties" blade is listed
My permissions
Resource providers
Deployments
Properties <<<<<<<<<<<<<<<
Resource locks
Looking in the Azure portal nowadays, the "Properties" blade is no longer there.
Also, removing a service admin is done via IAM > Classic admins > remove.
ANSWER IS C
upvoted 3 times
Access control (IAM) allows you to manage access to your Azure resources, and you can assign roles to users, groups, and services to grant specific
permissions to manage the resources. By modifying the IAM settings for the subscription, you can assign the "Owner" role to Admin1, which will
grant them full access to manage the subscription, and also allow them to receive email alerts regarding service outages.
Option A refers to modifying groups in Azure AD, which is not related to the user requirement for Admin1.
Option B and D refer to modifying the properties of Azure AD or the subscription, but they do not provide the necessary options to assign roles
and permissions for Admin1 to manage the subscription and receive email alerts.
upvoted 4 times
Classic admins:
https://learn.microsoft.com/en-us/azure/role-based-access-control/classic-administrators
Scroll down to remove service admin and you will see the role is located in classic admin role section. Which could not be assigned through
IAM.
upvoted 1 times
Service admins are not part of the new Azure RBAC model. If you don't see it it's because you are not on classic deployment model.
"Microsoft recommends that you manage access to Azure resources using Azure role-based access control (Azure RBAC). However, if you are
still using the classic deployment model, you'll need to use a classic subscription administrator role: Service Administrator and Co-Administrator.
For more information, see Azure Resource Manager vs. classic deployment."
https://learn.microsoft.com/en-us/azure/role-based-access-control/classic-administrators
Topic 8 - Testlet 10
Question #1 Topic 8
Introductory Info
Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next section of the exam. After you begin a new section, you cannot return to this section.
Overview -
General Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.
Environment -
Existing Environment -
Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD) tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD tenant.
The Azure AD tenant contains the users shown in the following table.
Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.
User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table
No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.
Requirements -
Planned Changes -
Contoso plans to implement the following changes:
Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.
Create a storage account named storage5 and configure storage replication for the Blob service.
Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.
Technical Requirements -
Contoso must meet the following technical requirements:
Create container1 and share1.
Use the principle of least privilege.
Create an Azure AD security group named Group4.
Back up the Azure file shares and virtual machines by using Azure Backup.
Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.
Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.
Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1
Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.
Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only permissions to the Azure file shares.
Question
HOTSPOT -
You need to configure Azure Backup to back up the file shares and virtual machines.
What is the minimum number of Recovery Services vaults and backup policies you should create? To answer, select the appropriate options in the
answer area.
"If you have data sources in multiple regions, create a Recovery Services vault for each region. Create the vault in the first location before you
create a vault in another location."
https://learn.microsoft.com/en-us/azure/backup/backup-architecture#backup-policy-essentials
"A policy can be assigned to many resources. An Azure VM backup policy can be used to protect many Azure VMs"
I'm going to say 3 for Box 2, because it looks like you can add the same policy to multiple items;
https://learn.microsoft.com/en-us/azure/backup/backup-azure-files?tabs=backup-center
https://learn.microsoft.com/en-us/azure/backup/backup-azure-vms-first-look-arm#back-up-from-azure-vm-settings
upvoted 1 times
waqy 3 days, 2 hours ago
exact this question and this case study came on 23rd June 2023. I passed. 100 % from ET all questions
upvoted 1 times
Total 6 Backup Policies --> We require one per storage account and Virtual Machine across the 3 Recovery Service Vaults.
upvoted 3 times
Result: 6 Policies
upvoted 3 times
Source: https://learn.microsoft.com/en-us/azure/backup/quick-backup-vm-portal
upvoted 1 times
6 Backup policies:
Question #2 Topic 8
Introductory Info
Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next section of the exam. After you begin a new section, you cannot return to this section.
Overview -
General Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.
Environment -
Existing Environment -
Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD) tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD tenant.
The Azure AD tenant contains the users shown in the following table.
Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.
User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table
No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.
Requirements -
Planned Changes -
Contoso plans to implement the following changes:
Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.
Create a storage account named storage5 and configure storage replication for the Blob service.
Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.
Technical Requirements -
Contoso must meet the following technical requirements:
Create container1 and share1.
Use the principle of least privilege.
Create an Azure AD security group named Group4.
Back up the Azure file shares and virtual machines by using Azure Backup.
Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.
Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.
Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1
Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.
Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only permissions to the Azure file shares.
Question
DRAG DROP -
You need to configure the alerts for VM1 and VM2 to meet the technical requirements.
Which three actions should you perform in sequence? To answer, move all actions from the list of actions to the answer area and arrange them in
the correct order.
Select and Place:
Agree with others but Log Analytics agent is being deprecated so should be phased out;
https://learn.microsoft.com/en-us/azure/azure-monitor/agents/log-analytics-agent
upvoted 2 times
Create a Log Analytics workspace: This will create a central location to store log data from multiple sources, including the performance counters
from VM1 and VM2.
Configure the Diagnostic settings: This will enable the VMs to send their performance counter data to the Log Analytics workspace.
Create an alert rule: This will create a rule that monitors the performance counters of VM1 and VM2 and triggers an alert if the free space on
volume C is less than 20 GB.
The correct sequence of actions is:
Actions
Create a Log Analytics workspace.
Configure the Diagnostic settings.
Create an alert rule.
upvoted 3 times
Ref: https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-performance-counters
upvoted 7 times
Reference
help to set up azure alert for disk space alert when 10gb or less
https://learn.microsoft.com/en-us/answers/questions/165893/help-to-set-up-azure-alert-for-disk-space-alert-wh.html
upvoted 8 times
Ref:
Steps 1, 2 and 3:
https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/tutorial-resource-logs
Step 3 Detail:
https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/tutorial-log-alert
upvoted 6 times
I enabled diagnostic setting on my VM. The metrics go to a table in a storage account not in Log Analytics Workspace.
upvoted 1 times
See - https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/tutorial-log-alert#prerequisites
upvoted 2 times
Topic 9 - Testlet 2
Question #1 Topic 9
Introductory Info
Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next section of the exam. After you begin a new section, you cannot return to this section.
Overview -
General Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.
Environment -
Existing Environment -
Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD) tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD tenant.
The Azure AD tenant contains the users shown in the following table.
Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.
User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table
No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.
Requirements -
Planned Changes -
Contoso plans to implement the following changes:
Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.
Create a storage account named storage5 and configure storage replication for the Blob service.
Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.
Technical Requirements -
Contoso must meet the following technical requirements:
Create container1 and share1.
Use the principle of least privilege.
Create an Azure AD security group named Group4.
Back up the Azure file shares and virtual machines by using Azure Backup.
Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.
Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.
Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1
Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.
Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only permissions to the Azure file shares.
Question
HOTSPOT -
You need to ensure that User1 can create initiative definitions, and User4 can assign initiatives to RG2. The solution must meet the technical
requirements.
Which role should you assign to each user? To answer, select the appropriate options in the answer area.
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#resource-policy-contributor
upvoted 1 times
upvoted 4 times
Aluksy 2 months, 2 weeks ago
Answer Valid, In exam today 08 April 2023. Scored 830.
upvoted 4 times
As per Microsoft documentation, Resource Policy Contributor provides “users with rights to create/modify resource policy, create a support ticket
and read resources/hierarchy”.
Reference: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#resource-policy-contributor
upvoted 3 times
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#resource-policy-contributor
Users with rights to create/modify resource policy, create support ticket and read resources/hierarchy.
- Create and manage policy assignments
- Create and manage policy definitions
upvoted 2 times
Question #2 Topic 9
Introductory Info
Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next section of the exam. After you begin a new section, you cannot return to this section.
Overview -
General Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.
Environment -
Existing Environment -
Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD) tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD tenant.
The Azure AD tenant contains the users shown in the following table.
Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.
User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table
No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.
Requirements -
Planned Changes -
Contoso plans to implement the following changes:
Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.
Create a storage account named storage5 and configure storage replication for the Blob service.
Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.
Technical Requirements -
Contoso must meet the following technical requirements:
Create container1 and share1.
Use the principle of least privilege.
Create an Azure AD security group named Group4.
Back up the Azure file shares and virtual machines by using Azure Backup.
Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.
Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.
Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1
Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.
Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only permissions to the Azure file shares.
Question
You need to ensure that you can grant Group4 Azure RBAC read only permissions to all the Azure file shares.
What should you do?
C. On storage1 and storage4, change the Account kind type to StorageV2 (general purpose v2).
D. Create a shared access signature (SAS) for storage1, storage2, and storage4.
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview#enable-identity-based-authentication
upvoted 15 times
To grant Group4 Azure RBAC read-only permissions to all the Azure file shares, you should enable identity-based access for the file shares on
storage2. Identity-based access enables you to manage access to file shares based on Azure AD identities, including users, groups, and service
principals. By enabling identity-based access, you can grant access to specific users or groups and manage access control centrally from Azure AD.
Recreating storage2 with Hierarchical namespace enabled (Option B) is not relevant to granting RBAC permissions to Azure file shares.
Changing the account kind type to StorageV2 (general purpose v2) (Option C) is not relevant to granting RBAC permissions to Azure file shares.
Creating a shared access signature (SAS) (Option D) provides temporary access to resources in storage accounts, but it does not allow you to grant
RBAC permissions to Azure file shares.
Therefore, the correct answer is A. On storage2, enable identity-based access for the file shares.
upvoted 5 times
Topic 10 - Testlet 3
Question #1 Topic 10
Introductory Info
Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next section of the exam. After you begin a new section, you cannot return to this section.
Overview -
Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market.
Contoso products are manufactured by using blueprint files that the company authors and maintains.
Existing Environment -
Currently, Contoso uses multiple types of servers for business operations, including the following:
File servers
Domain controllers
Microsoft SQL Server servers
Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.
You have a public-facing application named App1. App1 is comprised of the following three tiers:
A SQL database
A web front end
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
Requirements -
Planned Changes -
Contoso plans to implement the following changes to the infrastructure:
Move all the tiers of App1 to Azure.
Move the existing product blueprint files to Azure Blob storage.
Create a hybrid directory to support an upcoming Microsoft 365 migration project.
Technical Requirements -
Contoso must meet the following technical requirements:
Move all the virtual machines for App1 to Azure.
Minimize the number of open ports between the App1 tiers.
Ensure that all the virtual machines for App1 are protected by backups.
Copy the blueprint files to Azure over the Internet.
Ensure that the blueprint files are stored in the archive storage tier.
Ensure that partner access to the blueprint files is secured and temporary.
Prevent user passwords or hashes of passwords from being stored in Azure.
Use unmanaged standard storage for the hard disks of the virtual machines.
Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
Minimize administrative effort whenever possible.
User Requirements -
Contoso identifies the following requirements for users:
Ensure that only users who are part of a group named Pilot can join devices to Azure AD.
Designate a new user named Admin1 as the service admin for the Azure subscription.
Admin1 must receive email alerts regarding service outages.
Ensure that a new user named User3 can create network objects for the Azure subscription.
Question
You need to implement a backup solution for App1 after the application is moved.
What should you create first?
A. a recovery plan
C. a backup policy
As per requirements:
- Move all the tiers of App1 to Azure.
- There are three application tiers, each with five virtual machines.
- Ensure that all the virtual machines for App1 are protected by backups.
Before starting the backup process, you must create a Recovery Services Vault as an initial step, as a place for the backups, or restore points, to be
stored. Later steps include downloading recovery services agent, installing and registering the agent.
A Recovery Services vault is a logical container that stores the backup data for each protected resource, such as Azure VMs. When the backup job
for a protected resource runs, it creates a recovery point inside the Recovery Services vault.
Reference:
https://docs.microsoft.com/en-us/azure/backup/quick-backup-vm-portal
https://docs.microsoft.com/en-us/azure/app-service/manage-backup
https://docs.microsoft.com/en-us/azure/backup/tutorial-backup-windows-server-to-azure
upvoted 82 times
You need to create a Recovery Services vault to implement a backup solution for App1 after it is moved to Azure. A Recovery Services vault is an
Azure resource used to manage backup and disaster recovery. It provides a consistent, scalable, and reliable backup and restore experience for
virtual machines. Once the Recovery Services vault is created, you can configure backup policies and associate them with virtual machines.
upvoted 1 times
App1 on VM and since this is the first thing, then you need Recovery Services vault
VM backup = Recovery Services vault first
simple.
upvoted 4 times
To implement a backup solution for App1 after the application is moved to Azure, the first step is to create a Recovery Services vault.
upvoted 1 times
Mazinger 4 months, 1 week ago
D. a Recovery Services vault
To implement a backup solution for App1 after the application is moved, the first thing you should create is a Recovery Services vault. A Recovery
Services vault is an Azure resource that allows you to manage backup and disaster recovery for virtual machines, files, and other resources. You can
use the Recovery Services vault to create a backup policy, which defines the backup schedule, retention policy, and other settings for the backups.
Once you have created the Recovery Services vault, you can create a backup policy (Option C) that defines the backup schedule and retention
policy for the application.
An Azure Backup Server (Option B) is a hybrid backup solution that allows you to back up on-premises data to the cloud. It is not necessary for
backing up an application in Azure.
A recovery plan (Option A) is a set of predefined steps that you can use to recover a system or application from a disaster. It is not necessary for
setting up a backup solution.
Question #2 Topic 10
Question
You need to move the blueprint files to Azure.
What should you do?
A. Generate an access key. Map a drive, and then copy the files by using File Explorer.
D. Generate a shared access signature (SAS). Map a drive, and then copy the files by using File Explorer.
As per requirements:
- Move the existing product blueprint files to Azure Blob storage.
- Copy the blueprint files to Azure over the Internet.
- Ensure that the blueprint files are stored in the archive storage tier.
- Ensure that partner access to the blueprint files is secured and temporary.
- Minimize administrative effort whenever possible.
Azure Storage Explorer is a free tool from Microsoft that allows you to work with Azure Storage data on Windows, macOS, and Linux. You can use it
to upload and download data from Azure blob storage. It’s the best solution, because it copies data through the Internet and minimizes administrative
effort.
C: Azure Import/Export service is not using Internet, but ships data drives using a shipping carrier such as FedEx, UPS, or DHL.
D: You can't use SAS with a mapped drive.
upvoted 94 times
To move the blueprint files to Azure Blob storage, you can use Azure Storage Explorer. This tool provides a user-friendly interface for managing
Azure Storage resources, including Blob storage. You can use it to upload the blueprint files to the appropriate Blob storage container in Azure.
This method is more efficient and secure than using File Explorer or generating a shared access signature (SAS) to map a drive and copy the files.
The Azure Import/Export service is typically used to move large amounts of data to and from Azure, but it is not necessary in this scenario since the
blueprint files can be moved over the internet.
upvoted 1 times
Only remaining answer is: Azure Storage Explorer, which can be used to copy files to blob storage
Azure Import/Ex
upvoted 3 times
Question #3 Topic 10
Question
HOTSPOT -
You need to identify the storage requirements for Contoso.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
YNN
upvoted 8 times
Yes to statement 1: Contoso requires a storage account that supports Blob storage. This is because Contoso plans to move the existing product
blueprint files to Azure Blob storage.
No to statement 2: Contoso does not require a storage account that supports Azure table storage. There is no indication in the scenario that
Contoso needs to use Azure table storage.
No to statement 3: Contoso does not require a storage account that supports Azure File Storage. There is no indication in the scenario that
Contoso needs to use Azure File Storage.
upvoted 1 times
- Yes: they mentioned move files to blob storage + unmanaged storage is used for VM's disks.
- NO: Azure files is not required + you can't archive them
- NO: Azure tables are not needed as they act as structured NoSQL which is not required with SQL on VM.
upvoted 5 times
Box 2: No -
Box 3: No -
upvoted 1 times
Topic 11 - Testlet 4
Question #1 Topic 11
Introductory Info
Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next section of the exam. After you begin a new section, you cannot return to this section.
Overview -
General Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.
Environment -
Existing Environment -
Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD) tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD tenant.
The Azure AD tenant contains the users shown in the following table.
Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.
User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table.
No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.
Requirements -
Planned Changes -
Contoso plans to implement the following changes:
Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.
Create a storage account named storage5 and configure storage replication for the Blob service.
Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.
Technical Requirements -
Contoso must meet the following technical requirements:
Create container1 and share1.
Use the principle of least privilege.
Create an Azure AD security group named Group4.
Back up the Azure file shares and virtual machines by using Azure Backup.
Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.
Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.
Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1.
Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.
Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only permissions to the Azure file shares.
Question
HOTSPOT -
You need to create container1 and share1.
Which storage accounts should you use for each resource? To answer, select the appropriate options in the answer area.
Standard (general-purpose v2) supports tier for Blob service and for Azure file.
Container1 with tier: Can be created in storage2 (storagev2) and storage3. The question refers to BlobStorage (standard legacy one that supports
tier) and not to BlockBlobStorage (Premium one that doesn’t support tier).
In addition to storing Azure file shares, GPv2 storage accounts can store other storage resources such as blob containers, queues, or tables. File
shares can be deployed into the transaction optimized (default), hot, or cool tiers.
Storage accounts that support tiering
Object storage data tiering between hot, cool, and archive is simply supported in Blob storage and GPv2
accounts. General Purpose v1 aka GPv1 accounts don’t maintain tiering. Therefore, customers should easily convert their existing GPv1 or Blob
storage accounts into GPv2 accounts through the Azure portal.
Storage1: No: Although GPv1 can do fileshares it cannot be used for tiering.
Storage2: Yes: Blob containers can be stored in GPv2 and tiering is supported
Storage3: Yes: This is literally blob storage and a blob container and supports tiering.
Storage4: No: Can only be used to store Azure file shares.
upvoted 15 times
upvoted 1 times
zzreflexzz 1 month, 4 weeks ago
on exam 4/29/23
upvoted 3 times
[ref: https://learn.microsoft.com/en-us/azure/storage/files/storage-how-to-create-file-share?tabs=azure-portal]
upvoted 1 times
Question #2 Topic 11
Question
HOTSPOT -
You need to create storage5. The solution must support the planned changes.
Which type of storage account should you use, and which account should you configure as the destination storage account? To answer, select the
appropriate options in the answer area.
Account Kind: Storage GPv2. It says nothing about Premium block blob accounts.
Azure Blob Storage contains three types of blobs: Block, Page and Append. A block is a single unit in a Blob.
Object replication is supported for general-purpose v2 storage accounts, and for premium block blob accounts in preview. Both the source and
destination accounts must be either general-purpose v2 or premium block blob accounts. Object replication supports block blobs only; append
blobs and page blobs are not supported.
Note: Object replication is supported when the source and destination accounts are in the hot or cool tier. The source and destination accounts
may be in different tiers.
In the question it states Blob Service but it literally means blob block as there are three types of blob storage and only block blobs are supported
for replication.
https://docs.microsoft.com/en-us/azure/storage/blobs/object-replication-overview
upvoted 13 times
Ash3250 1 year, 8 months ago
DevOppsite, Have you received the questions from this Dump?
upvoted 1 times
Question #3 Topic 11
Question
You need to identify which storage account to use for the flow logging of IP traffic from VM5. The solution must meet the retention requirements.
Which storage account should you identify?
A. storage1
B. storage2
C. storage3
D. storage4
Reference:
https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview
upvoted 41 times
https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview#how-logging-works:~:text=Retention%20is%20available%20only%20if%20you%20use%20General%20purpose%20v2%20Storage%20accounts%20(GPv2).
upvoted 3 times
Reference: https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview#how-logging-works
upvoted 4 times
Selected Answer: B
Retention is available only if you use General purpose v2 Storage accounts (GPv2)
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-
upvoted 4 times
Topic 12 - Testlet 5
Question #1 Topic 12
Introductory Info
Case study -
Overview -
Litware, Inc. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York office has 200 employees.
All the resources used by Litware are hosted on-premises.
Litware creates a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain named litware.onmicrosoft.com. The tenant uses the Premium P1 pricing tier.
Existing Environment -
The network contains an Active Directory forest named litware.com. All domain controllers are configured as DNS servers and host the
litware.com DNS zone.
Litware has finance, human resources, sales, research, and information technology departments. Each department has an organizational unit (OU)
that contains all the accounts of that respective department. All the user accounts have the department attribute set to their respective
department. New users are added frequently.
Litware.com contains a user named User1.
All the offices connect by using private connections.
Litware has data centers in the Montreal and Seattle offices. Each office has a firewall that can be configured as a VPN device.
All infrastructure servers are virtualized. The virtualization environment contains the servers in the following table.
Litware uses two web applications named App1 and App2. Each instance on each web application requires 1 GB of memory.
The Azure subscription contains the resources in the following table.
The network security team implements several network security groups (NSGs).
Requirements -
Planned Changes -
Litware plans to implement the following changes:
Deploy Azure ExpressRoute to the Montreal office.
Migrate the virtual machines hosted on Server1 and Server2 to Azure.
Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
Migrate App1 and App2 to two Azure web apps named WebApp1 and WebApp2.
Technical Requirements -
Litware must meet the following technical requirements:
Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instances.
Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.
Ensure that routing information is exchanged automatically between Azure and the routers in the Montreal office.
Enable Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.litware.com.
Connect the New York office to VNet1 over the Internet by using an encrypted connection.
Create a workflow to send an email message when the settings of VM4 are modified.
Create a custom Azure role named Role1 that is based on the Reader role.
Minimize costs whenever possible.
Question
You discover that VM3 does NOT meet the technical requirements.
You need to verify whether the issue relates to the NSGs.
What should you use?
A. Diagram in VNet1
https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview
upvoted 2 times
Topic 13 - Testlet 6
Question #1 Topic 13
Introductory Info
Case study -
Overview -
Litware, Inc. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York office has 200 employees.
All the resources used by Litware are hosted on-premises.
Litware creates a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain named litware.onmicrosoft.com. The tenant uses the Premium P1 pricing tier.
Existing Environment -
The network contains an Active Directory forest named litware.com. All domain controllers are configured as DNS servers and host the
litware.com DNS zone.
Litware has finance, human resources, sales, research, and information technology departments. Each department has an organizational unit (OU)
that contains all the accounts of that respective department. All the user accounts have the department attribute set to their respective
department. New users are added frequently.
Litware.com contains a user named User1.
All the offices connect by using private connections.
Litware has data centers in the Montreal and Seattle offices. Each office has a firewall that can be configured as a VPN device.
All infrastructure servers are virtualized. The virtualization environment contains the servers in the following table.
Litware uses two web applications named App1 and App2. Each instance on each web application requires 1 GB of memory.
The Azure subscription contains the resources in the following table.
The network security team implements several network security groups (NSGs).
Requirements -
Planned Changes -
Litware plans to implement the following changes:
Deploy Azure ExpressRoute to the Montreal office.
Migrate the virtual machines hosted on Server1 and Server2 to Azure.
Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
Migrate App1 and App2 to two Azure web apps named WebApp1 and WebApp2.
Technical Requirements -
Litware must meet the following technical requirements:
Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instances.
Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.
Ensure that routing information is exchanged automatically between Azure and the routers in the Montreal office.
Enable Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.litware.com.
Connect the New York office to VNet1 over the Internet by using an encrypted connection.
Create a workflow to send an email message when the settings of VM4 are modified.
Create a custom Azure role named Role1 that is based on the Reader role.
Minimize costs whenever possible.
Question
You need to ensure that VM1 can communicate with VM4. The solution must minimize the administrative effort.
What should you do?
Establishing VNet peering between VNET1 and VNET3 will allow VM1 to communicate with VM4 without the need for any additional configuration
on the virtual machines themselves. VNet peering enables traffic to flow securely between virtual networks across Azure regions with low latency
and high bandwidth. This approach minimizes administrative effort as there is no need to create or manage any additional network security groups
or user-defined routes.
upvoted 1 times
Has anybody considered that answer C, with or without context, is already wrong by the wording? "Assign VM 4 an IP address of 10.0.1.5/24". A
/24 is a subnet CIDR; only if it were a /32 would this answer be valid.
upvoted 3 times
Establishing peering between the virtual networks (VNETs) allows traffic to flow between them without the need for additional configuration or
routing. This solution minimizes administrative effort, as it requires only a single step to set up the peering. Option A, creating an NSG, would
require additional rules and configuration to allow communication between VM1 and VM4. Option C, assigning a specific IP address to VM4, does
not address the issue of network communication. Option D, creating a user-defined route, would also require additional configuration and
management.
upvoted 6 times
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
Virtual network peering enables you to seamlessly connect two or more Virtual Networks in Azure. The virtual networks appear as one for
connectivity purposes. The traffic between virtual machines in peered virtual networks uses the Microsoft backbone infrastructure. Like traffic
between virtual machines in the same network, traffic is routed through Microsoft's private network only.
upvoted 2 times
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
Virtual network peering enables you to seamlessly connect two or more Virtual Networks in Azure. The virtual networks appear as one for
connectivity purposes. The traffic between virtual machines in peered virtual networks uses the Microsoft backbone infrastructure. Like traffic
between virtual machines in the same network, traffic is routed through Microsoft's private network only.
upvoted 1 times
For the second option I think that C is the only one that makes sense...
upvoted 2 times
Question #2 Topic 13
Introductory Info
Case study -
Overview -
Litware, Inc. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York office has 200 employees.
All the resources used by Litware are hosted on-premises.
Litware creates a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain named litware.onmicrosoft.com. The tenant uses the Premium P1 pricing tier.
Existing Environment -
The network contains an Active Directory forest named litware.com. All domain controllers are configured as DNS servers and host the
litware.com DNS zone.
Litware has finance, human resources, sales, research, and information technology departments. Each department has an organizational unit (OU)
that contains all the accounts of that respective department. All the user accounts have the department attribute set to their respective
department. New users are added frequently.
Litware.com contains a user named User1.
All the offices connect by using private connections.
Litware has data centers in the Montreal and Seattle offices. Each office has a firewall that can be configured as a VPN device.
All infrastructure servers are virtualized. The virtualization environment contains the servers in the following table.
Litware uses two web applications named App1 and App2. Each instance on each web application requires 1 GB of memory.
The Azure subscription contains the resources in the following table.
The network security team implements several network security groups (NSGs).
Requirements -
Planned Changes -
Litware plans to implement the following changes:
Deploy Azure ExpressRoute to the Montreal office.
Migrate the virtual machines hosted on Server1 and Server2 to Azure.
Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
Migrate App1 and App2 to two Azure web apps named WebApp1 and WebApp2.
Technical Requirements -
Litware must meet the following technical requirements:
Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instances.
Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.
Ensure that routing information is exchanged automatically between Azure and the routers in the Montreal office.
Enable Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.litware.com.
Connect the New York office to VNet1 over the Internet by using an encrypted connection.
Create a workflow to send an email message when the settings of VM4 are modified.
Create a custom Azure role named Role1 that is based on the Reader role.
Minimize costs whenever possible.
Question
HOTSPOT -
You need to meet the connection requirements for the New York office.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
upvoted 1 times
favela 9 months, 3 weeks ago
Yes, today I faced this question and my score was 900
upvoted 5 times
Answer is correct.
upvoted 6 times
Topic 14 - Testlet 7
Question #1 Topic 14
Introductory Info
Case study -
Overview -
Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market.
Contoso products are manufactured by using blueprint files that the company authors and maintains.
Existing Environment -
Currently, Contoso uses multiple types of servers for business operations, including the following:
File servers
Domain controllers
Microsoft SQL Server servers
Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.
You have a public-facing application named App1. App1 is comprised of the following three tiers:
A SQL database
A web front end
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
Requirements -
Planned Changes -
Contoso plans to implement the following changes to the infrastructure:
Move all the tiers of App1 to Azure.
Move the existing product blueprint files to Azure Blob storage.
Create a hybrid directory to support an upcoming Microsoft 365 migration project.
Technical Requirements -
Contoso must meet the following technical requirements:
Move all the virtual machines for App1 to Azure.
Minimize the number of open ports between the App1 tiers.
Ensure that all the virtual machines for App1 are protected by backups.
Copy the blueprint files to Azure over the Internet.
Ensure that the blueprint files are stored in the archive storage tier.
Ensure that partner access to the blueprint files is secured and temporary.
Prevent user passwords or hashes of passwords from being stored in Azure.
Use unmanaged standard storage for the hard disks of the virtual machines.
Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
Minimize administrative effort whenever possible.
User Requirements -
Contoso identifies the following requirements for users:
Ensure that only users who are part of a group named Pilot can join devices to Azure AD.
Designate a new user named Admin1 as the service admin for the Azure subscription.
Admin1 must receive email alerts regarding service outages.
Ensure that a new user named User3 can create network objects for the Azure subscription.
Question
HOTSPOT -
You need to recommend a solution for App1. The solution must meet the technical requirements.
What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Box 1: 1
1 VNET and then follow the N-tier application architecture.
Box 2: 3
3 Subnets (1 Subnet for each tier of the App1). The tiers can communicate with each other, because they are inside the same VNET. Of course you would
need additional NSGs to restrict traffic.
Reference:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/n-tier/n-tier-sql-server
upvoted 106 times
Box 1: 1
1 VNET and then follow the N-tier application architecture.
Box 2: 3
3 Subnets (1 Subnet for each tier of the App1). The tiers can communicate with each other, because they are inside the same VNET. Of course you would
need additional NSGs to restrict traffic.
upvoted 2 times
Question #2 Topic 14
Introductory Info
Case study -
Overview -
Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market.
Contoso products are manufactured by using blueprint files that the company authors and maintains.
Existing Environment -
Currently, Contoso uses multiple types of servers for business operations, including the following:
File servers
Domain controllers
Microsoft SQL Server servers
Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.
You have a public-facing application named App1. App1 is comprised of the following three tiers:
A SQL database
A web front end
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
Requirements -
Planned Changes -
Contoso plans to implement the following changes to the infrastructure:
Move all the tiers of App1 to Azure.
Move the existing product blueprint files to Azure Blob storage.
Create a hybrid directory to support an upcoming Microsoft 365 migration project.
Technical Requirements -
Contoso must meet the following technical requirements:
Move all the virtual machines for App1 to Azure.
Minimize the number of open ports between the App1 tiers.
Ensure that all the virtual machines for App1 are protected by backups.
Copy the blueprint files to Azure over the Internet.
Ensure that the blueprint files are stored in the archive storage tier.
Ensure that partner access to the blueprint files is secured and temporary.
Prevent user passwords or hashes of passwords from being stored in Azure.
Use unmanaged standard storage for the hard disks of the virtual machines.
Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
Minimize administrative effort whenever possible.
User Requirements -
Contoso identifies the following requirements for users:
Ensure that only users who are part of a group named Pilot can join devices to Azure AD.
Designate a new user named Admin1 as the service admin for the Azure subscription.
Admin1 must receive email alerts regarding service outages.
Ensure that a new user named User3 can create network objects for the Azure subscription.
Question
You are planning the move of App1 to Azure.
You create a network security group (NSG).
You need to recommend a solution to provide users with access to App1.
What should you recommend?
A. Create an incoming security rule for port 443 from the Internet. Associate the NSG to the subnet that contains the web servers.
B. Create an outgoing security rule for port 443 from the Internet. Associate the NSG to the subnet that contains the web servers.
C. Create an incoming security rule for port 443 from the Internet. Associate the NSG to all the subnets.
D. Create an outgoing security rule for port 443 from the Internet. Associate the NSG to all the subnets.
To provide users with access to App1, we need to allow incoming traffic to the web front end tier on port 443, which is used for HTTPS. The NSG
should be associated with the subnet that contains the web servers to ensure that only traffic to and from the web front end is allowed.
upvoted 1 times
https://learn.microsoft.com/en-us/azure/virtual-network/tutorial-filter-network-traffic
upvoted 1 times
Outbound rules are irrelevant here. Inbound rule to 443 should only apply to the web tier.
upvoted 2 times
Topic 15 - Testlet 8
Question #1 Topic 15
Introductory Info
Case study -
Overview -
General Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.
Environment -
Existing Environment -
Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD) tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD tenant.
The Azure AD tenant contains the users shown in the following table.
Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.
User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table.
No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.
Requirements -
Planned Changes -
Contoso plans to implement the following changes:
Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.
Create a storage account named storage5 and configure storage replication for the Blob service.
Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.
Technical Requirements -
Contoso must meet the following technical requirements:
Create container1 and share1.
Use the principle of least privilege.
Create an Azure AD security group named Group4.
Back up the Azure file shares and virtual machines by using Azure Backup.
Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.
Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.
Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1.
Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.
Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only permissions to the Azure file shares.
Question
HOTSPOT -
You implement the planned changes for NSG1 and NSG2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
1 - The rule is configured inbound from VM1, and VM2 will allow the traffic because of stateful firewall inspection; the traffic is allowed to come
in. If the traffic is initiated from VM2 then it wouldn't work.
Create an NSG named NSG1 that will have the custom INBOUND security rules shown in the following table.
Create an NSG named NSG2 that will have the custom OUTBOUND security rules shown in the following table.
It's YYN.
upvoted 3 times
They are in the same subnet and VM1 doesn't have restriction on outbound and VM2 doesn't have restriction on inbound
Rule 400 only permits ping from 10.0.2.0/24 to 10.0.1.0/24. VM3 has the IP address 172.16.1.4.
Rule 200 only permits RDP to the VirtualNetwork (VNET1) destination, and VM3 is in VirtualNetwork VNET2.
upvoted 19 times
From VM1, you can establish a Remote Desktop session to VM2: Yes
They are in the same VNET and VM1 doesn't have a restriction on outbound and VM2 doesn't have a restriction on inbound.
Rule 400 only permits ping from 10.0.2.0/24 to 10.0.1.0/24. VM3 has the IP address 172.16.1.4, but there are implicit rules: any (port) any (protocol)
virtualnetwork (source) to virtualnetwork (destination). The VNETs are peered and ping works.
NO - Rule 200 outbound for VNET1/Subnet2 and Rule 500 for incoming from VNET1/Subnet2 (10.0.2.0/24) deny the traffic through port 3389. VM1
doesn't have a restriction on requests on port 3389 to Subnet2 VM2, but when VM2 responds to this request from VM1 on 3389, Rule 200 in NSG2 will
deny this response from VM2
YES - VNET1 and VNET2 are peered and default 65000 Rule AllowVnetOutBound allow any protocol and any port. Keep in mind default rules
existing in NSG
NO Rule 200 Deny
upvoted 5 times
VM2/VNET1/SUBNET2/10.0.2.4
*/VNET1/SUBNET2/NSG2/OUTBOUND - Deny 3389 from 10.0.0.0/16 to vnet
*/VNET1/SUBNET2/NSG2/OUTBOUND - Allow ICMP from 10.0.2.0/24 to 10.0.1.0/24
https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
upvoted 3 times
Box1 - YES
VM1 no outbound rules
VM2 no Inbound rules.
same VNET, subnet to subnet Allowed by default.
Box2 - NO
VM2 has outbound ICMP rule to Allow from 10.0.2.0/24 to 10.0.1.0/24 only. VM3 is 172.16.1.4 but VNET1 and VNET2 are peered which means
inbound traffic between subnets has not restriction.
Box3 - NO
VM2 has outbound RDP rule to Deny from 10.0.0.0/16 to any VNET.
upvoted 7 times
"Associate NSG1 to the network interface of VM1" which is DENYING inbound traffic for 3389 from VM2. but the question states FROM VM1 -->
VM2 . so the NSG1 does not come in play as it is only for INBOUND RDP TRAFFIC TO VM1 not outbound vm
YES
YES
NO - as the outbound traffic is from source 10.0.0.0/16 (the entire 10.0.255.255, that VM2 falls in) with port 3389 to any VNET
upvoted 1 times
NO: VM2 => VM3 (RDP connection) NSG2 (outbound rule), hence NOT allowed
upvoted 2 times
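The rule evaluation argued over in the comments above, as an added example that is not part of the original page or any commenter's post: a small model of priority-ordered NSG rules plus the default VNet rules, run against the three flows in the question. The rule tables are missing from the page, so the rules are reconstructed from the commenters' descriptions; VM1's address, the VNET2 address space and the destination of the NSG1 rule are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Peered VNet address spaces behind the VirtualNetwork tag.
# 172.16.0.0/16 for VNET2 is an assumption; the page only gives VM3 = 172.16.1.4.
VIRTUAL_NETWORK = ["10.0.0.0/16", "172.16.0.0/16"]

@dataclass
class Rule:
    priority: int
    protocol: str   # "TCP", "ICMP" or "*"
    port: str       # destination port or "*"
    source: str     # CIDR, "VirtualNetwork" or "*"
    dest: str
    allow: bool

# Default rules that matter for VNet-to-VNet traffic (the 65001 defaults are omitted).
DEFAULTS = [
    Rule(65000, "*", "*", "VirtualNetwork", "VirtualNetwork", True),   # AllowVnetInBound/OutBound
    Rule(65500, "*", "*", "*", "*", False),                            # DenyAllInBound/OutBound
]

# Custom rules as the comments describe them (the rule tables are not on the page).
NSG1_INBOUND = [Rule(500, "TCP", "3389", "10.0.2.0/24", "*", False)]   # destination "*" is assumed
NSG2_OUTBOUND = [
    Rule(200, "TCP", "3389", "10.0.0.0/16", "VirtualNetwork", False),
    Rule(400, "ICMP", "*", "10.0.2.0/24", "10.0.1.0/24", True),
]

# VM1's address is constructed; VM2 and VM3 are as quoted in the comments.
IP = {"VM1": "10.0.1.4", "VM2": "10.0.2.4", "VM3": "172.16.1.4"}
NSG = {
    "VM1": {"in": NSG1_INBOUND, "out": []},
    "VM2": {"in": [], "out": NSG2_OUTBOUND},
    "VM3": {"in": [], "out": []},
}

def _addr_match(spec, ip):
    if spec == "*":
        return True
    prefixes = VIRTUAL_NETWORK if spec == "VirtualNetwork" else [spec]
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(p) for p in prefixes)

def evaluate(custom_rules, protocol, port, src, dst):
    """First matching rule wins, lowest priority number first. Returns (allowed, priority)."""
    for r in sorted(custom_rules + DEFAULTS, key=lambda r: r.priority):
        if (r.protocol in ("*", protocol) and r.port in ("*", str(port))
                and _addr_match(r.source, src) and _addr_match(r.dest, dst)):
            return r.allow, r.priority
    return False, None

def can_connect(src_vm, dst_vm, protocol, port="*"):
    """Evaluate only the initiating direction: NSGs are stateful, so replies follow the flow record."""
    out_ok, out_pri = evaluate(NSG[src_vm]["out"], protocol, port, IP[src_vm], IP[dst_vm])
    in_ok, in_pri = evaluate(NSG[dst_vm]["in"], protocol, port, IP[src_vm], IP[dst_vm])
    return out_ok and in_ok, out_pri, in_pri

if __name__ == "__main__":
    for flow in [("VM1", "VM2", "TCP", 3389), ("VM2", "VM3", "ICMP"), ("VM2", "VM3", "TCP", 3389)]:
        print(flow, can_connect(*flow))
```

Each result carries the priority of the rule that decided the outbound and inbound check, which shows whether a custom rule or a 65000-series default made the decision.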
Question #3 Topic 15
Introductory Info
Case study -
Overview -
General Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.
Environment -
Existing Environment -
Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD) tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD tenant.
The Azure AD tenant contains the users shown in the following table.
Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.
User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table.
No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.
Requirements -
Planned Changes -
Contoso plans to implement the following changes:
Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.
Create a storage account named storage5 and configure storage replication for the Blob service.
Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.
Technical Requirements -
Contoso must meet the following technical requirements:
Create container1 and share1.
Use the principle of least privilege.
Create an Azure AD security group named Group4.
Back up the Azure file shares and virtual machines by using Azure Backup.
Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.
Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.
Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1.
Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.
Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only permissions to the Azure file shares.
Question
You need to add VM1 and VM2 to the backend pool of LB1.
What should you do first?
upvoted 5 times
_adem Most Recent 3 weeks, 3 days ago
Question on exam on 02/06/2023. I passed. Chose the most voted for answer
upvoted 3 times
"It's not possible to switch a VM between subnets/vnets without deallocating/deleting-recreating the VM.
Source: https://learn.microsoft.com/en-us/answers/questions/130410/how-to-change-the-vnet-of-a-vm
upvoted 2 times
If they are already in the same availability set, then you don't need to do B anyway, you're a good little Azure admin, keep it up and create your
backend pool with them in it. The fact that this question is being asked with no option of 'nothing' means they are not already in the same AS.
upvoted 5 times
I don't like the wording of answer C, because you need to recreate not redeploy the VMs but the rest of the answers make no sense.
upvoted 2 times
I really don't like term "Redeploy" in answer C. Redeploy has a specific meaning - it means restart VM on a new set of hardware. To add to an
availability set we actually need to recreate both VMs
upvoted 3 times
*The Standard tier can span any virtual machine in a single virtual network (Vnet), including blends of scale sets, availability sets, and machines. In
another meaning "Any virtual machines or virtual machine scale sets (VMSS) in a single virtual network"
upvoted 3 times
A Basic Load Balancer can only support multiple VMs if they're in a single Availability Set or a VM Scale Set.
upvoted 5 times
Question #4 Topic 15
You need to ensure that VM1 can communicate with VM4. The solution must minimize administrative effort.
To ensure that VM1 can communicate with VM4, we need to establish connectivity between the two virtual networks (VNET1 and VNET3) where the
VMs reside. VNet peering enables us to connect two virtual networks together so that VMs in either network can communicate with each other.
With VNet peering, the virtual networks are connected directly using the Azure backbone network, so we do not need to create any user-defined
routes or assign specific IP addresses to VMs. Additionally, peering reduces administrative effort by eliminating the need for complex network
configurations.
upvoted 2 times
Topic 16 - Testlet 9
Question #1 Topic 16
Introductory Info
Case study -
Overview -
Litware, Inc. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York office has 200 employees.
All the resources used by Litware are hosted on-premises.
Litware creates a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain named litware.onmicrosoft.com. The tenant uses the Premium P1 pricing tier.
Existing Environment -
The network contains an Active Directory forest named litware.com. All domain controllers are configured as DNS servers and host the
litware.com DNS zone.
Litware has finance, human resources, sales, research, and information technology departments. Each department has an organizational unit (OU)
that contains all the accounts of that respective department. All the user accounts have the department attribute set to their respective
department. New users are added frequently.
Litware.com contains a user named User1.
All the offices connect by using private connections.
Litware has data centers in the Montreal and Seattle offices. Each office has a firewall that can be configured as a VPN device.
All infrastructure servers are virtualized. The virtualization environment contains the servers in the following table.
Litware uses two web applications named App1 and App2. Each instance on each web application requires 1 GB of memory.
The Azure subscription contains the resources in the following table.
The network security team implements several network security groups (NSGs).
Requirements -
Planned Changes -
Litware plans to implement the following changes:
Deploy Azure ExpressRoute to the Montreal office.
Migrate the virtual machines hosted on Server1 and Server2 to Azure.
Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
Migrate App1 and App2 to two Azure web apps named WebApp1 and WebApp2.
Technical Requirements -
Litware must meet the following technical requirements:
Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instances.
Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.
Ensure that routing information is exchanged automatically between Azure and the routers in the Montreal office.
Enable Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.litware.com.
Connect the New York office to VNet1 over the Internet by using an encrypted connection.
Create a workflow to send an email message when the settings of VM4 are modified.
Create a custom Azure role named Role1 that is based on the Reader role.
Minimize costs whenever possible.
Question
HOTSPOT -
You need to implement Role1.
Which command should you run before you create Role1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
This case study but not same question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 1 times
Question #2 Topic 16
Question
You need to recommend a solution to automate the configuration for the finance department users. The solution must meet the technical
requirements.
What should you include in the recommendation?
A. Azure AD B2C
D. an Azure logic app and the Microsoft Identity Management (MIM) client
If you work through Microsoft Learn like I did, I'll give you a tip: Do everything you learn directly in Azure once yourself. This is the only way to have
a chance to answer the questions that are not listed here.
upvoted 56 times
To automate the configuration for the finance department users, we need to dynamically assign them to appropriate groups and enforce
conditional access policies based on their group membership. Dynamic groups are Azure AD security groups whose membership is based on user
or device attributes, such as department, job title, or location. We can create dynamic groups for the finance department users based on their
department attribute. Then we can use conditional access policies to restrict access to specific applications or resources based on the users' group
membership. For example, we can enforce multifactor authentication (MFA) for users in the finance group when they access sensitive financial
applications. Dynamic groups and conditional access policies meet the technical requirements by ensuring that user access is controlled based on
their group membership and by automating the process of assigning users to the appropriate groups.
upvoted 2 times