PracticeTest AZ 104

Answer Summary
Below is a summary of your answers.
Back to Report
Question 1 of 50
Your Microsoft Entra tenant and on-premises Active Directory domain contain multiple users.
You need to configure self-service password reset (SSPR) password writeback functionality. The solution must
minimize costs.
Which Microsoft Entra ID edition should you use?
Your Answer
 Microsoft Entra ID P1
This answer is correct.
Correct Answer
Only Microsoft Entra ID P1 and P2 support SSPR, but Microsoft Entra ID P1 is the lower cost option.
Enable Azure Active Directory self-service password reset - Microsoft Entra | Microsoft Learn
What is self-service password reset in Azure Active Directory? - Training | Microsoft Learn
Question 2 of 50
You have an Azure subscription that contains multiple users and administrators.
You are creating a new custom role by using the following JSON.
{
"Name": "Custom Role",
"Id": null,
"IsCustom": true,
"Description": "Custom Role description",
"Actions": [
"Microsoft.Compute/*/read",
“Microsoft.Compute/snapshots/write”,
“Microsoft.Compute/snapshots/read”,
"Microsoft.Support/*"
],
"NotActions": [
“Microsoft.Compute/snapshots/delete”
],
"AssignableScopes": [
"/subscriptions/00000000-0000-0000-0000-000000000000",
"/subscriptions/11111111-1111-1111-1111-111111111111"
Which three actions can be performed by a user that is assigned the custom role? Each correct answer presents a
complete solution.
Your Answer
 Call Microsoft Support.

 Create and read a snapshot.

 Create virtual machines.
This answer is incorrect.
Correct Answer


 Read all virtual machine settings.
The role can read all compute resources, call Microsoft support roles, and allow the creation and reading of a
snapshot.
Azure custom roles - Azure RBAC | Microsoft Learn
Configure role-based access control - Training | Microsoft Learn
Question 3 of 50
You have the following resource groups, management groups, and Azure subscriptions:
 Two resource groups named RG1 and RG2 that are associated with a subscription named 111-222-
333 and a management group named MG1

 Two resource group named RG10 and RG11 that are associated with a subscription named 222-333-
 Two resource group named RG11 and RG12 that are associated with a subscription named 555-666-
You need to assign a role to a user to ensure the user can view all the resources in the subscriptions. The solution
must use the principle of least privilege.
Which role should you assign?
Your Answer
 the Reader role for MG1 and MG2
Correct Answer
 the Reader role for MG1 and MG2
Assigning the Reader role for MG1 and MG2 is correct because the simplest way to give user access to all resources is
to assign a role at the management group level.
Steps to assign an Azure role - Azure RBAC | Microsoft Learn
Question 4 of 50
You have an Azure subscription that contains multiple virtual machines.
You need to ensure that a user named User1 can view all the resources in a resource group named RG1. You must use
the principle of least privilege.
Which role should you assign to User1?
Your Answer
 Reader
Correct Answer
 Reader
The Reader role allows you to view all the resources but does not allow you to make any changes. The Contributor
role allows you to manage all the resources, the Billing Reader role provides read access only to billing data, and the
Tag Contributor role allows you to manage entity tags without providing access to the entities themselves.
Azure built-in roles - Azure RBAC | Microsoft Learn
Question 5 of 50
You have an Azure subscription and a user named User1.

You need to assign User1 a role that allows the user to create and manage all types of resources in the subscription.
The solution must prevent User1 from assigning roles to other users.
Which Azure role-based access control (RBAC) role should you assign to User1?
Your Answer
 Contributor
Correct Answer
 Contributor
Users with the Contributor role can create and manage all types of resources but cannot delegate new access to other
users. Users with the Reader role can view existing Azure resources but cannot perform any action against them. Users
with the API Management Service Contributor role can only manage API Management services and APIs. Users with
the Owner role provides full access to all resources, including the right to delegate access to others.
Question 6 of 50
You have an Azure subscription that contains a resource group named RG1. RG1 contains a virtual machine that runs
daily reports.
You need to ensure that the virtual machine shuts down when resource group costs exceed 75 percent of the
allocated budget.
Which two actions should you perform? Each correct answer presents part of the solution.
Your Answer
 Create an action group of type Runbook, and then select Scale Up VM.

 From Cost Management + Billing, modify the Budgets settings.
Correct Answer
 Create an action group of type Runbook, and then select **Stop VM** as an action.

You must go to Cost Management + Billing, and then Budgets to edit the budget associated with the resource group
resources. You must also create a new action group of the Runbook type, and then choose Stop VM as an action. The
cost analysis will not stop the virtual machine from running and the Scale Up VM action group is not required.
Tutorial - Create and manage Azure budgets - Microsoft Cost Management | Microsoft Learn
Configure subscriptions - Training | Microsoft Learn
Question 7 of 50
You have several management groups and Azure subscriptions.
You want to prevent the accidental deletion of resources.
To which three resource types can you apply delete locks? Each correct answer presents a complete solution.
Your Answer
 management groups

 resource groups

 subscriptions
Correct Answer
 resource groups

 subscriptions

 virtual machines
You can use delete locks to block the deletion of virtual machines, subscriptions, and resource groups. You cannot use
delete locks on management groups or storage account data.
Protect your Azure resources with a lock - Azure Resource Manager | Microsoft Learn
Use Azure Resource Manager - Training | Microsoft Learn
Question 8 of 50
You have an Azure subscription that contains 25 virtual machines.
You need to ensure that each virtual machine is associated to a specific department for reporting purposes.
What should you use?
Your Answer
 tags
Correct Answer
 tags
Tags are metadata elements that can be applied to Azure resources. Tags can be used for tracking resources such as
virtual machines and associating each resource to a department for billing and reporting purposes.
Administrative units are containers used for delegating administrative roles to manage a specific portion of Microsoft
Entra. Administrative units cannot contain Azure virtual machines.
Management groups are containers that can be used to manage access, policy, and compliance across multiple Azure
subscriptions.
Azure Storage accounts contain Azure Storage data objects, including blobs, file shares, queues, tables, and disks. A
storage account cannot contain virtual machines.
Tag resources, resource groups, and subscriptions for logical organization - Azure Resource Manager | Microsoft
Learn
Configure virtual machines - Training | Microsoft Learn
Question 9 of 50
You have an Azure subscription.
You plan to create an Azure Policy definition named Policy1.
You need to include remediation information to indicate when users use Microsoft Defender for Cloud Regulatory
and Compliance.
To which definition section should you add remediation information for Policy1?
Your Answer
 metadata
Correct Answer
 metadata
You must use the RemediationDescription field in the metadata section from properties to specify a custom
recommendation. The remaining options are Azure policies, but do not allow specific custom remediation
information.
Create custom Azure security policies in Microsoft Defender for Cloud | Microsoft Learn
Configure Azure Policy - Training | Microsoft Learn
Question 10 of 50
You have an Azure subscription that contains a tenant named contoso.com.
All users in contoso.com are currently able to invite external users to B2B collaboration.
You need to ensure that only members of the Guest Inviter, User Administrator, and Global Administrator roles can
invite guest users.
What should you configure?
Your Answer
 Conditional Access
Correct Answer
 External collaboration settings
External collaboration settings let you specify which roles in your organization can invite external users for B2B
collaboration. These settings also include options for allowing or blocking specific domains and options for restricting
which external guest users can see in your Microsoft Entra directory.
Conditional Access allows you to apply rules to strengthen authentication and block access to resources from
unknown locations.
Cross-tenant access settings are used to configure collaboration with a specific Microsoft Entra organization.
Access reviews are not used to control who can invite guest users.
Create Azure users and groups in Azure Active Directory - Training | Microsoft Learn
Enable B2B external collaboration settings - Microsoft Entra | Microsoft Learn
Question 11 of 50
You have a Microsoft Entra tenant.
Your company has several offices in the same region. Each office has a dedicated IT staff.
You need to ensure that the IT staff in each office can manage passwords for their users and administrators.
Your Answer
 Assign the Helpdesk Administrator role.
Correct Answer

 From the Azure portal, add administrative units.
You must create an administrative unit and the Helpdesk role assignment allows members to change password for
both users and other administrators.
Administrative units in Azure Active Directory - Microsoft Entra | Microsoft Learn
Configure user and group accounts - Training | Microsoft Learn
Question 12 of 50
You need to generate the shared access signature (SAS) token required to authorize a request to a resource.
Which two parameters are required for the SAS token? Each correct answer presents part of the solution
Your Answer
 SignedIP (sip)
Correct Answer
 SignedResourceTypes (srt)

 `SignedServices (ss) `
SignedServices (ss) is required to refer blobs, queues, tables, and files. SignedResourceTypes (srt) is required
to refer services, containers, or objects. SignedStart (st) is an optional parameter that refers to the time when the
SAS becomes valid. If unmentioned, the start time is assumed to be the time when the storage service receives the
request. SignedIP (sip) is an optional parameter that refers to the range of IP addresses from which to accept
requests.
Create an account SAS - Azure Storage | Microsoft Learn
Configure Azure Storage security - Training | Microsoft Learn
Question 13 of 50
You need to create an Azure Storage account that supports the Azure Data Lake Storage Gen2 capabilities.
Which two types of storage accounts can you use? Each correct answer presents a complete solution.
Your Answer
 premium block blobs
Correct Answer

 standard general-purpose v2
To support Data Lake Storage, the storage account must support blob storage, which is available as standard general-
purpose v2 and premium block blobs. Additionally, when you create the storage account, you must enable the
hierarchical namespace.
Create a storage account for Azure Data Lake Storage Gen2 - Azure Storage | Microsoft Learn
Determine storage account types - Training | Microsoft Learn
Question 14 of 50
Your need to create an Azure Storage account that meets the following requirements:
 Stores data in a minimum of two availability zones
 Provides high availability
Which type of storage redundancy should you use?
Your Answer
 locally-redundant storage (LRS)
Correct Answer
 zone-redundant storage (ZRS)
Zone-redundant storage (ZRS) replicates a storage account synchronously across three Azure availability zones in the
primary region. For ensuring high availability, Microsoft recommends using ZRS in the primary region and also
replicating to a secondary region.
Data redundancy - Azure Storage | Microsoft Learn
Determine replication strategies - Training | Microsoft Learn
Question 15 of 50
You plan to configure object replication between two Azure Storage accounts.
The Blob service of the source storage account has the following settings:
 Hierarchical namespace: Disabled
 Default access tier: Hot
 Blob public access: Enabled
 Blob soft delete: Enabled (7 days)
 Container soft delete: Enabled (7 days)
 Versioning: Disabled
 Change feed: Enabled
 NFS v3: Disabled
 Allow cross-tenant replication: Enabled
Which setting should be modified on the source storage account to support object replication?
Your Answer
 Blob soft delete
Correct Answer
 Versioning
Versioning must be enabled for both the source and destination accounts. In this scenario, versioning is currently
disabled.
Object replication overview - Azure Storage | Microsoft Learn
Configure Azure Blob Storage - Training | Microsoft Learn
Question 16 of 50
You have two premium block blob Azure Storage accounts named storage1 and storage2.
You need to configure object replication from storage1 to storage2.
Which three features should be enabled before configuring object replication? Each correct answer presents part of
the solution.
Your Answer
 blob versioning for storage1

Correct Answer


 change feed for storage1
Object replication can be used to replicate blobs between storage accounts. Before configuring object replication, you
must enable blob versioning for both storage accounts, and you must enable the change feed for the source account.
Configure object replication - Azure Storage | Microsoft Learn
Question 17 of 50
You create an Azure Storage account.
You need to create a lifecycle management rule to move blobs to Cool storage if the blobs have not been used for 30
days.
What should you do first?
Your Answer
 Enable versioning for blobs.
Correct Answer
 Enable access tracking.
A lifecycle management rule can be used to move or delete blobs automatically. The rule can be based on the time
the blob was last modified or the time the blob was last accessed (read or write). To perform an action based on the
access time, access tracking must be enabled. This can incur additional storage costs.
Configure a lifecycle management policy - Azure Storage | Microsoft Learn

Question 18 of 50
You have an Azure Storage account that contains a file share.
Several users work from a secure location that limits outbound traffic to the internet.
You need to ensure that the users at the secure location can access the file share in Azure by using SMB protocol.
Which outbound port should you allow from the secure location?
Your Answer
 80
Correct Answer
 445
For accessing the file share, port 445 must be open. Port 5671 is used to send health information to Microsoft Entra. It
is recommended, but not required, in the latest versions. Port 80 is used to download certificate revocation lists (CRLs)
to verify TLS/SSL certificates. Port 443 is used for https traffic, for example to sync AD DS with Microsoft Entra.
Hybrid Identity required ports and protocols - Azure - Microsoft Entra | Microsoft Learn
Question 19 of 50
You have an Azure subscription and an on-premises Hyper-V virtual machine named VM1. VM1 contains a single
virtual disk.
You plan to use VM1 as a template to deploy 25 new Azure virtual machines.
You need to upload VM1 to Azure.
Which cmdlet should you run?
Your Answer
 Add-AzVhd
Correct Answer
 Add-AzVhd
Add-AzVhd: Uploads an on-premises VHD to Azure
New-AzVM: Used to create a new virtual machine
New-AzDisk: Used to create a managed disk
New-AzDataShare: Used to create an Azure data share
Create a VM from an uploaded generalized Windows VHD - Azure Virtual Machines | Microsoft Learn
Upload a VHD to Azure or copy a disk across regions - Azure PowerShell - Azure Virtual Machines | Microsoft Learn

Question 20 of 50
You plan to create a storage account named storage1.
You need to ensure that storage1 provides POSIX-compliant access control lists (ACLs).
Which option should you configure when creating storage1?
Your Answer
 access tier
Correct Answer
 hierarchical namespace
To enable POSIX-compliant access control lists (ACLs), the hierarchical namespace must be used. The remaining
options are valid for a storage account, but do not provide the POSIX-compliant feature.
Azure Data Lake Storage Gen2 Hierarchical Namespace | Microsoft Learn
Configure storage accounts - Training | Microsoft Learn
Question 21 of 50
You plan to create a storage account named storage1 to store images.
You need to replicate the images to a new storage account.
What are three requirements of storage1? Each correct answer presents part of a complete solution.
Your Answer
 a container
Correct Answer
 a container

 blob versioning

Versioning must be enabled for the source and target. An object type container is needed to replicate the images.
You must create a StandardV2 storage account. File shares are not needed, and queues are unsupported for
replication.

Question 22 of 50
You have an Azure subscription that contains a resource group named RG1. RG1 contains an Azure virtual machine
named VM1.
You need to use VM1 as a template to create a new Azure virtual machine.
Which three methods can you use to complete the task? Each correct answer presents a complete solution.
Your Answer
 From Azure Cloud Shell, run the Save-AzDeploymentTemplate and New-
AzResourceGroupDeployment cmdlets.

 From RG1, select Export template, select Download, and then, from Azure Cloud Shell, run the New-
AzResourceGroupDeployment cmdlet.

 From VM1, select Export template, and then select Deploy.
Correct Answer
 From Azure Cloud Shell, run the Save-AzDeploymentTemplate and New-
AzResourceGroupDeployment cmdlets.

 From RG1, select Export template, select Download, and then, from Azure Cloud Shell, run the New-

 From VM1, select Export template, and then select Deploy.
From RG1, selecting the Download option from the Export template page exports the Azure Resource Manager (ARM)
template from the resource group properties. You can then deploy the ARM template by running the New-
By using the Save-AzDeploymentTemplate cmdlet, you can save the resource ARM template. You can then deploy
the ARM template by running the New-AzResourceGroupDeployment cmdlet.
From VM1, selecting the Deploy option from the Export template page allows you to deploy a new Azure virtual
machine and use the configuration of VM1 as the template.
The Save-AzDeploymentScriptLog cmdlet is used to save the log of a deployment script execution.
The Get-AzVM cmdlet generates a list of virtual machines that are created in the Azure subscription.
Export template in Azure portal - Azure Resource Manager | Microsoft Learn
Export template in Azure PowerShell - Azure Resource Manager | Microsoft Learn
Automate Azure tasks using scripts with PowerShell - Training | Microsoft Learn
Question 23 of 50
You have an Azure subscription that contains a resource group named RG1.
You have an Azure Resource Manager (ARM) template for an Azure virtual machine.
You need to use PowerShell to provision a virtual machine in RG1 by using the template.
Which PowerShell cmdlet should you run?
Your Answer
 New-AzResourceGroupDeployment
Correct Answer
 New-AzResourceGroupDeployment
Virtual machines are deployed to resource groups, so you must run the New-AzResourceGroupDeployment cmdlet.
You can deploy virtual machines to subscriptions or management groups directly, therefore, New-
AzManagementGroupDeployment and New-AzSubscriptionDeployment cannot be used. New-AzVM can be used to
provision a new virtual machine, but without using a template.
Deploy resources with PowerShell and template - Azure Resource Manager | Microsoft Learn
Deploy Azure infrastructure by using JSON ARM templates - Training | Microsoft Learn
Question 24 of 50
You have an Azure Resource Manager (ARM) template named deploy.json that is stored in an Azure Blob storage
container.
You plan to deploy the template by running the New-AzDeployment cmdlet.
Which parameter should you use to reference the template?
Your Answer
 -TemplateUri
Correct Answer
 -TemplateUri
The PowerShell deployment cmdlets can be used to deploy JSON templates that are stored locally in a resources
group as a template spec, or from a web-based location. You can use the -TemplateUri parameter to specify a web-
based location, such as GitHub or an Azure Blob Storage account. You can use -Templatefile to specify a local file.
You can use -TemplateSpecId to specify a template that was save to Azure as a template spec.
Question 25 of 50
Your company has a set of resources deployed to an Azure subscription. The resources are deployed to a resource
group named app-grp1 by using Azure Resource Manager (ARM) templates.
You need to verify the date and the time that the resources in app-grp1 were created.
Which blade should you review for app-grp1 in the Azure portal?
Your Answer
 Deployments
Correct Answer
 Deployments
Navigating to the Diagnostics settings blade provides the ability to diagnose errors or review warnings. Navigating to
the Metrics blade provides metrics information (CPU, resources) to users. On the Deployments blade for the resource
group (app-grp1), all the details related to a deployment, such as the name, status, date last modified, and duration,
are visible. Navigating to the Policy blade only provides information related to the policies enforced on the resource
group.
Azure AD deployment checklist - Microsoft Entra | Microsoft Learn
Configure Azure resources with tools - Training | Microsoft Learn
Question 26 of 50
You are creating an Azure virtual machine that will run Windows Server.
You need to ensure that VM1 will be part of a virtual machine scale set.
Which setting should you configure during the creation of the virtual machine?
Your Answer
 Availability options
Correct Answer
You must configure the virtual machine scale set from the availability options. Azure spot instance is used to add
virtual machines with a discounted price. Region will not affect the configuration of the availability options. The
management setting allows you to configure the monitoring and management options for the virtual machine.
Availability options for Azure Virtual Machines - Azure Virtual Machines | Microsoft Learn
Configure virtual machine availability - Training | Microsoft Learn
Question 27 of 50
You have two Azure virtual machines named VM1 and VM2 that run Windows Server 2022.
VM1 has a single data disk that stores backup files.
You need to move the data disk from VM1 to VM2 as quickly as possible.
Your Answer
 Detach the data disk from VM1.
Correct Answer
You can detach a disk from a running virtual machine (hot removal). You do not need to stop VM2 or restart the VM1.
Detach a data disk from a Windows VM - Azure - Azure Virtual Machines | Microsoft Learn
Question 28 of 50
You have an Azure virtual machine.
You receive a notification that the virtual machine is going to be affected by an underlying maintenance activity on
the physical infrastructure.
You need to move the virtual machine to a different host to avoid a service interruption.
What should you do?
Your Answer
 Apply an Azure policy.
Correct Answer
 Redeploy the virtual machine.
You must redeploy the virtual machine, which can move the virtual machine to a different host. Azure will shut down
the virtual machine and move the virtual machine to a new node within the Azure infrastructure.
Redeploy Windows virtual machines in Azure - Virtual Machines | Microsoft Learn
Question 29 of 50
You have an Azure subscription that contains an Azure Storage account named vmstorageaccount1.
You create an Azure container instance named container1.
You need to configure persistent storage for container1.
What should you create in vmstorageaccount1?
Your Answer
 a blob container
Correct Answer
 a file share
An Azure container instance (Docker container) can mount Azure File Storage shares as directories and use them as
persistent storage. An Azure container instance cannot mount and use as persistent storage blob containers, queues
and tables.
Persistent Docker volumes with Azure File Storage | Azure Blog and Updates | Microsoft Azure
Configure Azure Container Instances - Training | Microsoft Learn
Question 30 of 50
You have an Azure subscription that contains a Docker container image named container1.
You create a new Azure web app named WebApp1.
You need to ensure that you can use container1 for WebApp1.
Which WebApp1 setting should you configure?
Your Answer
 Continuous deployment
Correct Answer
 Publish
If you want to run a Docker container as an Azure web service, you must configure the Publish option and select
Docker container.
Runtime stack specifies the stack that you want to use for the web app. If you want to deploy a Docker container as
web app, the runtime stack option is unavailable.
Pricing plan specifies the location, features, and costs of the web app.
Continuous deployment is a strategy for software releases. This option is unavailable when you publish a Docker
container as an Azure web app.
Overview - Azure App Service | Microsoft Learn
Question 31 of 50
You have an Azure subscription that contains an Azure App Service web app named App1.
You have the following diagnostic logging configurations:
 Application Logging (FileSystem): Error
 Application Logging (Blob): Information

 Detailed Error Message: Warning
 Web Server Logging: Verbose
You need to configure diagnostic logging to store all warnings or higher.
Which types of diagnostic logging and severity should you enable?
Your Answer
 Application Logging (Blob)
Correct Answer

 Warning
You must enable the Application Logging (Blob) diagnostic, which can be stored for more than a week. You must also
set the severity level to warning, to store warning, error, and critical log messages.
Enable diagnostics logging - Azure App Service | Microsoft Learn
Configure Azure App Service - Training | Microsoft Learn
Question 32 of 50
You plan to deploy a web app in a Linux-based Docker container.
You need to recommend a solution for the deployment of the web app that meets the following requirements:
 Supports a custom domain name
 Provides the ability to scale out automatically based on demand.
 Minimizes administrative effort
 Minimizes costs
Which solution should you recommend?
Your Answer
 Azure App Service
Correct Answer
 Azure App Service
Azure App Service fulfills all the stated requirements. Azure Virtual Machine Scale Sets, Azure Kubernetes Service
(AKS), and Azure Container Instances are more difficult to administer and more costly.
Configure Azure App Service plans - Training | Microsoft Learn

Question 33 of 50
You have an Azure subscription that contains a resource group named RG1. RG1 contains an application named App1
and a container app named containerapp1.
App1 is experiencing performance issues when attempting to add messages to the containerapp1 queue.
You need to create a job to perform an application resource cleanup when a new message is added to a queue.
Which command should you run?
Your Answer
 az containerapp job create \ --name "my-job" --resource-group "RG1" -trigger-type
"Event" \ -replica-timeout 60 --replica-retry-limit 1 ...
Correct Answer
 az containerapp job create \ --name "my-job" --resource-group "RG1" -trigger-type
"Event" \ -replica-timeout 60 --replica-retry-limit 1 ...
Azure Container Apps jobs enable you to run containerized tasks that execute for a finite duration, and then exit. You
can use jobs to perform tasks such as data processing, machine learning, or any scenario where on-demand
processing is required. Container apps and jobs run in the same environment, allowing them to share capabilities such
as networking and logging.
A job's trigger type determines how the job is started. The following trigger types are available:
Manual: Manual jobs are triggered on demand.
Schedule: Scheduled jobs are triggered at specific times and can run repeatedly.
Event: Event-driven jobs are triggered by events such as a message arriving in a queue.
Jobs in Azure Container Apps (preview) | Microsoft Learn
Question 34 of 50
You have an Azure subscription that contains two resource groups named RG1 and RG2.
RG1 contains the following resources:
 A virtual network named VNet1 located in the East US Azure region
 A network security group (NSG) named NSG1 located in the West US Azure region
 A virtual network named VNet3 located in the West US Azure region
You need to apply NSG1.
To which subnets can you apply NSG1?
Your Answer
 the subnets of VNet1 only
Correct Answer
You can assign an NSG to the subnet of the virtual network in the same region as the NSG and NSG1 is in the West
US region.
Plan Azure virtual networks | Microsoft Learn
Configure network security groups - Training | Microsoft Learn
Question 35 of 50
You have an Azure subscription that contains a network security group (NSG) named NSG1.
You plan to configure NSG1 to allow the following types of traffic:
 Remote Desktop Management
 Secured HTTPS
Which two ports should you allow in NSG1? Each correct answer presents part of the solution.
Your Answer
 443

 3389
Correct Answer
 443

 3389
You must open port 443 to secured HTTPS traffic, port 3389 for Remote Desktop, and 587 to send outbound email by
using authenticated SMTP relay. Port 80 is used for unsecured traffic. Port 25 is used by mail traffic.
Question 36 of 50
You have a virtual machine named VM1 that is assigned to a network security group (NSG) named NSG1.
NSG1 has the following outbound security rules:
Rule1:
 Priority: 900
 Name: BlockInternet
 Port: 80
 Protocol: TCP
 Source: Any
 Destination: Any
 Action: Block
Rule2:
 Priority: 1000
 Name: AllowInternet
 Port: 80
 Protocol: TCP
 Source: Any
 Action: Allow
You need to ensure that internet access to VM1 on port 80 is allowed.
What should you do?
Your Answer
 Change the action of Rule2.
Correct Answer
 Change the priority of Rule2.
Rule1 has higher priority, so the action will be blocked. You can increase the priority of Rule2, decrease the priority of
Rule1, or change the action of Rule1 to achieve the goal.
Azure network security groups overview | Microsoft Learn
Question 37 of 50
You create several Azure virtual machines that run Windows Server.
You need to connect to the virtual machines without exposing RDP ports over the internet.
Which Azure service should you deploy?
Your Answer
 Azure Bastion
Correct Answer
 Azure Bastion

Azure Bastion is a service that lets you connect to a virtual machine by using a browser, without exposing RDP and
SSH ports. Azure Monitor helps you maximize the availability and performance of applications and services. Azure
Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an
Azure virtual network. Remote Desktop is a feature of the operating system, which exposes the RDP port to connect
to a server from the internet.
About Azure Bastion | Microsoft Learn
Configure virtual networks - Training | Microsoft Learn
Question 38 of 50
You have three network security groups (NSGs) named NSG1, NSG2, and NSG3. Port 80 is blocked in NSG3 and
allowed in NSG1 and NSG2.
You have four Azure virtual machines that have the following configurations:
VM1:
 Subnet: Subnet1
 Network card: NIC1
 NIC1 is assigned to NSG2.
VM2:
 Subnet: Subnet1
VM3:
 Subnet: Subnet3
VM4:
 Subnet: Subnet2
You have the following subnets:
 Subnet1 is assigned to NSG1.
 Subnet2 is assigned to NSG3.
 Subnet 3 does not have an NSG assigned.
Which virtual machine will allow traffic from the internet on port 80?
Your Answer
 VM2
Correct Answer
 VM1
On VM1, both NSGs assigned to Subnet1 and the NIC1 card allow traffic on port 80. On VM2, NSG1 allows traffic, but
NSG3 blocks traffic for the network interface. On VM3 and VM4, NSG3 blocks traffic.
Network security group - how it works | Microsoft Learn
Question 39 of 50
Your company plans to migrate servers from on-premises to Azure. There will be dev, test, and production virtual
machines on a single virtual network.
You need to restrict traffic between the dev, test, and production virtual machines to specific ports.
Your Answer
 an Azure firewall
Correct Answer
 a network security group (NSG)
Must configure network security group (NSG) rules to allow TCP or ICMP traffic for specific ports. Azure Firewall is a
managed service that protects your Azure services across multiple virtual networks. Load balancers are used to
distribute incoming traffic to available backend servers. Azure VPN is used to have a connection establishment
between on-premises and Azure.
Question 40 of 50
You deploy web servers to two virtual machines named VM1 and VM2 in an availability set named AVSet1.
You need to configure Azure Load Balancer with a backend pool of VM1 and VM2. The solution must minimize costs.
Which SKU should you use for the Azure Load Balancer configuration?
Your Answer
 Azure Standard Load Balancer with Basic SKU public IP
Correct Answer
 Basic Azure Load Balancer with Basic SKU public IP
Basic Azure Load Balancer supports deployment in a single availability zone. Basic Azure Load Balancer supports only
Basic SKU public IP. Azure Standard Load Balancer is zone-redundant, but has a higher cost.
Azure Load Balancer SKUs | Microsoft Learn
Configure Azure Load Balancer - Training | Microsoft Learn
Question 41 of 50
You migrate a web app from on-premises to an Azure virtual machine. The web app was configured by using load
balancing in Azure.
Users experience issues when accessing the web app. You suspect an issue with the web server and must check
whether the server is listening on port 80.
Your Answer
 `Get-AzVirtualNetworkUsageList `
Correct Answer
 netstat -an
Using netstat -an will list the ports that the server is listening on. Test-NetConnection will perform a ping/ICMP
test. Nbtstat -c checks the NBT cache. Get-AzVirtualNetwork gets the virtual networks in a resource group.
Troubleshoot Azure Load Balancer | Microsoft Learn
Question 42 of 50
You have an Azure subscription that contains a virtual network named VNet1 and a virtual machine named VM1.
VM1 can only be accessed from the internal network.
An external contractor needs access to VM1. The solution must minimize administrative effort.
Your Answer
 a public IP address
Correct Answer
 a public IP address
To share a virtual machine with an external user, you must add a public IP address to the virtual machine. An
additional IP address or firewall configuration will not help in this case. Configuring a S2S VPN does not have minimal
administrative effort.
Virtual networks and virtual machines in Azure | Microsoft Learn
Quickstart - Create a Windows VM in the Azure portal - Azure Virtual Machines | Microsoft Learn
Question 43 of 50
You have an Azure subscription that contains an Azure DNS zone named contoso.com.
You add a new subdomain named test.contoso.com.
You plan to delegate test.contoso.com to a different DNS server.
How should you configure the domain delegation?
Your Answer
 Add an A record for test.contoso.com.
Correct Answer
 Add an NS record set named test to the contoso.com zone.
You must create a DNS NS record set named test in the contoso.com zone. An NS zone must be created at the apex
of the zone named contoso.com. You do not need to create the SOA record set in test.contoso.com. It must only be
created in contoso.com. You do not need to create or modify the DNS A record.
Delegate a subdomain - Azure DNS | Microsoft Learn
Host your domain on Azure DNS - Training | Microsoft Learn
Question 44 of 50
You have a Log Analytics workspace that collects data from various data sources.
You create a new Azure Monitor log query.
You plan to view data pinned as a chart to a shared dashboard.
What is the maximum number of days for which data can be pinned as a chart on the dashboard?
Your Answer
 14
Correct Answer
 14
Data pinned on a shared dashboard can only be displayed for a maximum of 14 days.
Azure Monitor workbook chart visualizations - Azure Monitor | Microsoft Learn
Configure Azure Monitor - Training | Microsoft Learn
Question 45 of 50
You have an Azure virtual machine that runs Linux. The virtual machine hosts a custom application that outputs log
data in the JSON format.
You need to recommend a solution to collect the logs in Azure Monitor.
What should you include in the recommendation?
Your Answer
 the Log Analytics agent for Linux
Correct Answer
You can use the Log Analytics agent for Linux as part of a solution to collect JSON output from the Linux virtual
machines.
The Azure Custom Script Extension is used for post-deployment configuration, software installation, or any other
configuration or management task.
Desired State Configuration (DSC) is a management platform that you can use to manage an IT and development
infrastructure with configuration as code.
The Azure VMAccess extension acts as a KVM switch that allows you to access the console to reset access to Linux or
perform disk-level maintenance.
Collecting custom JSON data sources with the Log Analytics agent for Linux in Azure Monitor - Azure Monitor |
Microsoft Learn
Question 46 of 50
You have multiple Azure virtual machines and an Azure recovery services vault. Virtual machines are configured with
the default backup policy.
What is the retention period of virtual machine backups in the default backup policy?
Your Answer
 30 days
Correct Answer
 30 days
By default, backups of virtual machines are kept for 30 days.
Back up an Azure VM from the VM settings - Azure Backup | Microsoft Learn
Configure virtual machine backups - Training | Microsoft Learn
Question 47 of 50
You have an Azure subscription that contains two protected virtual machines named VM1 and VM2. VM1 and VM2
are backed up to a Recovery Service vault named Vault1 by using the same backup policy.
Your company plans to create additional virtual machines and Recovery Services vaults. During this process, Vault1
will be decommissioned.
You need to delete Vault1.

Which three actions should you perform before you can delete Vault1? Each correct answer presents part of the
solution.
Your Answer
 Delete VM1 and VM2.

 Disable the soft delete feature and delete all data.

 Stop the backup of VM1 and VM2.
Correct Answer
 Disable the soft delete feature and delete all data.

 Permanently remove any items in the soft delete state.

 Stop the backup of VM1 and VM2.
You must stop the backups so that you can prepare to move to the new policy. The soft delete feature is enabled by
default, so it must be disabled. You must remove all the items that are in the soft delete state. Deleting the virtual
machines is not required. You cannot delete the policy without deleting the vault and backup, and a new policy is not
required.
Overview of Recovery Services vaults - Azure Backup | Microsoft Learn
Delete a Microsoft Azure Recovery Services vault - Azure Backup | Microsoft Learn
Question 48 of 50
You have an Azure virtual machine named VM1 that is protected by using Azure site recovery.
You fail over VM1 from the primary region to the secondary region.
You need to reprotect VM1 after the failover so that VM1 will replicate back to the primary region.
What is the VM1 status before the reprotection?
Your Answer
 Failover confirmed
Correct Answer
 Failover committed
Before you begin, you must ensure that the virtual machine status is Failover committed. This will ensure replication
back to the primary region.

Tutorial to fail over Azure VMs to a secondary region for disaster recovery with Azure Site Recovery. - Azure Site
Recovery | Microsoft Learn
Configure file and folder backups - Training | Microsoft Learn
Question 49 of 50
You have an Azure virtual machine that you back up by using Azure Backup.
The backup policy sub type is Standard, and the backup policy has the following configurations:
 Backup schedule frequency: Weekly
 Retain instant recovery snapshot(s) for: 5 days
 Retention of weekly backup point: On Sunday at 8:00 AM for 12 weeks
You plan to reduce the amount of storage used by Instant Restore.
You need to instance recovery snapshots to be retained for only two days.
Your Answer
 Change Policy sub type to Enhanced.
Correct Answer
 Change the backup schedule frequency to **Daily**.
You can choose to store between one and five instant recovery snapshots and the default value is two. However,
when the backup schedule frequency is weekly, you must retain five instant recovery snapshots.
Azure Instant Restore Capability - Azure Backup | Microsoft Learn
Configure file and folder backups - Training | Microsoft Learn
Question 50 of 50
You have an Azure subscription that contains a resource group named RG1. RG1 contains two virtual machines
named VM1 and VM2.
You need to inspect all the network traffic from VM1 to VM2.The solution must use Azure Monitor metrics.
Your Answer
 Install AzureNetworkWatcherExtension.

 Use packet capture.
Correct Answer

Azure Network Watcher variable packet capture allows you to create packet capture sessions to track traffic to and
from a virtual machine. Packet capture helps to diagnose network anomalies both reactively and proactively.
Tutorial: Monitor network communication between two virtual machines using the Azure portal | Microsoft Learn
Introduction to Packet capture in Azure Network Watcher | Microsoft Learn
Configure Network Watcher - Training | Microsoft Learn
Skip to main content
 Learn
 Documentation
 Training
 Credentials
 Q&A
 Code Samples
 Assessments
 Shows
Credentials
 Browse Credentials
 Certification Renewals
 FAQ & Help
1. Learn
2. Credentials
3. Browse Credentials
4. Exam AZ-104: Microsoft Azure Administrator

Practice Assessment Results: December 30, 2023
Practice Assessment for Exam AZ-104: Microsoft Azure Administrator

It took you 45 minutes to complete this assessment.
Overall Results
To be better prepared for the exam, aim to achieve a score of 80% or higher in multiple attempts.
Score: 44%
Show My Answers
Performance by assessment section
To further strengthen your skills in the following areas, refer to the Customized Learning Material section below.
Manage Azure identities and governance
Implement and manage storage
Deploy and manage Azure compute resources
Implement and manage virtual networking
Monitor and maintain Azure resources
Ready to take the exam?
Schedule exam Take another practice assessment.
Customized learning material to improve your skills
Because you scored lower in "Manage Azure identities and governance":

o Automate Azure tasks using scripts with PowerShell
o 71 mins

o Allow users to reset their password with Microsoft Entra self-service password reset
o 31 mins

o Create Azure users and groups in Microsoft Entra ID
o 41 mins

o Introduction to Azure Advisor
o 16 mins

o Configure Azure alerts
o 19 mins

o Configure Azure Policy
o 40 mins

o Configure role-based access control
o 46 mins

o Configure subscriptions
o 27 mins

o Configure user and group accounts
o 50 mins

o Configure virtual machines
o 40 mins

o Use Azure Resource Manager
o 30 mins
Because you scored lower in "Implement and manage storage":

o Configure Azure Files and Azure File Sync
o 21 mins

o Configure Azure Blob Storage
o 45 mins

o Configure storage accounts
o 38 mins

o Configure Azure Storage security
o 55 mins

o Configure Azure Storage with tools
o 20 mins

o 40 mins
Because you scored lower in "Deploy and manage Azure compute resources":

o Automate Azure tasks using scripts with PowerShell
o 71 mins

o Deploy Azure infrastructure by using JSON ARM templates
o 43 mins

o Configure Azure App Service plans
o 21 mins

o Configure Azure App Service
o 62 mins

o Configure Azure Container Instances
o 26 mins

o Configure Azure resources with tools
o 46 mins

o Configure resources with Azure Resource Manager templates
o 41 mins

o Configure storage accounts
o 38 mins

o Configure virtual machine availability
o 63 mins

o 40 mins

o Configure virtual networks
o 35 mins
Because you scored lower in "Implement and manage virtual networking":

o Host your domain on Azure DNS
o 43 mins

o Configure Azure DNS
o 31 mins

o Configure Azure Load Balancer
o 70 mins

o Configure network routing and endpoints
o 51 mins

o Configure network security groups
o 36 mins

o Configure virtual networks
o 35 mins

o Configure Azure Virtual Network peering
o 41 mins
Because you scored lower in "Monitor and maintain Azure resources":

o Configure Azure alerts
o 19 mins

o Configure Azure Monitor
o 59 mins

o Configure file and folder backups
o 63 mins

o Configure Log Analytics
o 24 mins

o Configure Network Watcher
o 19 mins

o Configure virtual machine backups
o 76 mins
Save your customized collection
English (United States)
Your Privacy Choices
Theme
 Previous Versions
 Blog
 Contribute
 Privacy
 Terms of Use
 Trademarks
 © Microsoft 2023
Answer Summary
Back to Report
Question 1 of 50
You have a Microsoft Entra tenant named contoso.com. Microsoft Entra Connect is configured to sync users to the
tenant.
You need to assign licenses to the users based on Microsoft Entra ID attributes. The attribute values will be set by the
HR department.
Your Answer
 Assign the licenses to the dynamic groups.
 Create dynamic groups.
Correct Answer
To assign licenses to users based on Microsoft Entra ID attributes, you must create a dynamic security group and
configure rules based on custom attributes. The dynamic group must be added to a license group for automatic
synchronization. All users in the groups will get the license automatically. Microsoft Entra evaluates the users in the
organization that are in scope for an assignment policy rule and creates assignments for the users who don't have
assignments to an access package; automatic assignment policies are not used for licensing.
Assign licenses to a group - Azure Active Directory - Microsoft Entra | Microsoft Learn
Question 2 of 50
You have a Microsoft Entra tenant that uses Microsoft Entra Connect to sync with an Active Directory Domain Services
(AD DS) domain.
You need to ensure that users can reset their AD DS password from the Azure portal. The users must be able to use
two methods to reset their password.
Your Answer
 From Password reset in the Azure portal, configure the Authentication methods settings.
 Run Microsoft Entra Connect and select Password writeback.
Correct Answer
 From Password reset in the Azure portal, configure the Authentication methods settings.
 Run Microsoft Entra Connect and select Password writeback.

You must run the Microsoft Entra Connect Wizard to enable Password writeback. You must configure the
authentication option to enable the two methods required to reset a password.
Enable Azure Active Directory password writeback - Microsoft Entra | Microsoft Learn
Implement Azure AD self-service password reset - Training | Microsoft Learn
Question 3 of 50
From PowerShell, you run the Get-MgUser cmdlet for a user and receive the following details:
 Id: 8755b347-3545-3876-3987-999999999999
 DisplayName: Ben Smith
 Mail: bsmith@contoso.com
 UserPrincipalName: bsmith_contoso.com#EXT#@fabrikam.com
Which statement accurately describes the user?
Your Answer
 The user was a guest in the tenant.
Correct Answer
 The user was a guest in the tenant.
For guest users, the user principal name (UPN) will contain the email of the guest user (bsmith_contoso.com) followed
by #EXT# followed by the domain name of the tenant (@fabrikam.com). Regular Microsoft Entra users appear in a
format of user@fabrikam.com.
B2B collaboration overview - Azure AD - Microsoft Entra | Microsoft Learn
Create Azure users and groups in Azure Active Directory - Training | Microsoft Learn
Question 4 of 50
You create a new user named User1.
You need to assign a Microsoft 365 E5 license to User1.
Which user attribute should be configured for User1 before you can assign the license?
Your Answer
 Usage location
Correct Answer
 Usage location
Not all Microsoft 365 services are available in all locations. Before a license can be assigned to a user, you must
specify the Usage location. The attributes of First name, Last name, Other email address, and User type are not
mandatory for license assignment.
Assign or remove licenses - Microsoft Entra | Microsoft Learn
Question 5 of 50
Your Microsoft Entra tenant and on-premises Active Directory domain contain multiple users.
You need to configure self-service password reset (SSPR) password writeback functionality. The solution must
minimize costs.
Which Microsoft Entra ID edition should you use?
Your Answer
Correct Answer
Only Microsoft Entra ID P1 and P2 support SSPR, but Microsoft Entra ID P1 is the lower cost option.
Enable Azure Active Directory self-service password reset - Microsoft Entra | Microsoft Learn
What is self-service password reset in Azure Active Directory? - Training | Microsoft Learn
Question 6 of 50
You have an Azure subscription that contains multiple users and administrators.
You are creating a new custom role by using the following JSON.
{
"Name": "Custom Role",
"Id": null,
"IsCustom": true,
"Description": "Custom Role description",
"Actions": [
"Microsoft.Compute/*/read",
“Microsoft.Compute/snapshots/write”,
“Microsoft.Compute/snapshots/read”,
"Microsoft.Support/*"
],
"NotActions": [
“Microsoft.Compute/snapshots/delete”
],
"AssignableScopes": [
"/subscriptions/00000000-0000-0000-0000-000000000000",
"/subscriptions/11111111-1111-1111-1111-111111111111"
Which three actions can be performed by a user that is assigned the custom role? Each correct answer presents a
complete solution.
Your Answer
Correct Answer
The role can read all compute resources, call Microsoft support roles, and allow the creation and reading of a
snapshot.
Azure custom roles - Azure RBAC | Microsoft Learn
Question 7 of 50
You have an Azure subscription that contains several storage accounts.
You need to provide a user with the ability to perform the following tasks:
 Manage containers within the storage accounts.
 View storage account access keys.
The solution must use the principle of least privilege.
Which role should you assign to the user?
Your Answer
 Storage Account Contributor
Correct Answer
Storage Account Contributor allows the management of storage accounts. It provides access to the account key,
which can be used to access data via Shared Key authorization. Storage Blob Data Contributor grants permissions to
read, write, and delete Azure Storage containers and blobs. Reader allows you to view all resources but does not allow
you to make any changes. Owner grants full access to manage all resources, including the ability to assign roles in
Azure RBAC.
Question 8 of 50
daily reports.
allocated budget.
Your Answer
Correct Answer

Question 9 of 50
You have an Azure subscription that contains hundreds of virtual machines that were migrated from a local
datacenter.
You need to identify which virtual machines are underutilized.
Which Azure Advisor settings should you use?
Your Answer
 Cost
Correct Answer
 Cost
The Cost blade allows you to optimize and reduce your overall Azure spending. You can use this to identify the virtual
machines that are underutilized. The Performance blade allows you to improve the speed of your applications. High
availability is unavailable via Azure Advisor. Operational Excellence helps you achieve process and workflow efficiency,
resource manageability, and deployment best practices.
Introduction to Azure Advisor - Training | Microsoft Learn
Question 10 of 50
Your Answer
 resource groups
 subscriptions
Correct Answer
 resource groups
 subscriptions
Question 11 of 50
Your Answer
Correct Answer
Question 12 of 50
Your Answer
Correct Answer
requests.
Question 13 of 50
Your Answer
Correct Answer
Question 14 of 50
Your Answer
 read-access geo-redundant storage (RA-GRS)
Correct Answer
Question 15 of 50
You have an Azure Storage account named corpimages and an on-premises shared folder named \\server1\images.
You need to migrate all the contents from \\server1\images to corpimages.
Which two commands can you use? Each correct answer presents a complete solution?
Your Answer
 `Azcopy copy \\server1\images https://corpimages.blog.core.windows.net/public -recursive `
 Get-ChildItem -Path \\server1\images -Recurse | Set-AzStorageBlobContent -Container "

corpimages"
Correct Answer

corpimages"
The AzCopy command allows you to copy all files to a storage account. You then use Get-ChildItem with
the path parameter, recurse to select everything, and then use the Set-AzureStorageBlobContent cmdlet.
Copy or move data to Azure Storage by using AzCopy v10 | Microsoft Learn
Set-AzureStorageBlobContent (Azure.Storage) | Microsoft Learn
Configure Azure Storage with tools - Training | Microsoft Learn
Question 16 of 50
You have two premium block blob Azure Storage accounts named storage1 and storage2.
You need to configure object replication from storage1 to storage2.
Which three features should be enabled before configuring object replication? Each correct answer presents part of
the solution.
Your Answer
Correct Answer
Object replication can be used to replicate blobs between storage accounts. Before configuring object replication, you
must enable blob versioning for both storage accounts, and you must enable the change feed for the source account.
Configure object replication - Azure Storage | Microsoft Learn
Question 17 of 50
You have an Azure subscription that contains multiple storage accounts.
A storage account named storage1 has a file share that stores marketing videos. Users reported that 99 percent of the
assigned storage is used.
You need to ensure that the file share can support large files and store up to 100 TiB.
Which two PowerShell commands should you run? Each correct answer presents part of the solution.
Your Answer
 Set-AzStorageAccount -ResourceGroupName RG1 -Name storage1 -EnableLargeFileShare
 Update-AzRmStorageShare -ResourceGroupName RG1 -Name -StorageAccountName storage1 -Name

share1 -QuotaGiB 102400
Correct Answer

You must enable the storage account to support large files and update the storage account quota to 102,400 GB. You
do not need to change the type of storage account, and you are updating the existing share.
Question 18 of 50
You create an Azure Storage account.
You need to create a lifecycle management rule to move blobs to Cool storage if the blobs have not been used for 30
days.
Your Answer
Correct Answer
A lifecycle management rule can be used to move or delete blobs automatically. The rule can be based on the time
the blob was last modified or the time the blob was last accessed (read or write). To perform an action based on the
access time, access tracking must be enabled. This can incur additional storage costs.
Configure a lifecycle management policy - Azure Storage | Microsoft Learn
Question 19 of 50
You have an Azure subscription and an on-premises Hyper-V virtual machine named VM1. VM1 contains a single
virtual disk.
You plan to use VM1 as a template to deploy 25 new Azure virtual machines.
You need to upload VM1 to Azure.
Which cmdlet should you run?
Your Answer
 Add-AzVhd
Correct Answer
 Add-AzVhd
Add-AzVhd: Uploads an on-premises VHD to Azure
New-AzVM: Used to create a new virtual machine
New-AzDisk: Used to create a managed disk
New-AzDataShare: Used to create an Azure data share
Create a VM from an uploaded generalized Windows VHD - Azure Virtual Machines | Microsoft Learn
Upload a VHD to Azure or copy a disk across regions - Azure PowerShell - Azure Virtual Machines | Microsoft Learn
Question 20 of 50
You have an Azure subscription that contains a storage account named storage1 and a Microsoft Entra tenant named
contoso.com.
You plan to provide identity-based access to storage1.
Which type of data storage should you configure?
Your Answer
 file shares
Correct Answer
 file shares
File shares can be configured to use Microsoft Entra Kerberos to provide identity-based access to data storage.
Configure storage accounts - Training | Microsoft Learn
Compare storage for file shares and blob data - Training | Microsoft Learn
Question 21 of 50
Your Answer
 a container
 blob versioning
Correct Answer
 a container
 blob versioning
Versioning must be enabled for the source and target. An object type container is needed to replicate the images. You
must create a StandardV2 storage account. File shares are not needed, and queues are unsupported for replication.
Question 22 of 50
You plan to use the following two Azure Resource Manager (ARM) templates to provision virtual machines:
Template.json
{
"$schema":
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"adminUsername": {
"type": "string",
"metadata": {
"description": "User name for the Virtual Machine."
},
"adminPassword": {
"type": "securestring",
"metadata": {
"description": "Password for the Virtual Machine."
},
"dnsLabelPrefix": {
"type": "string",
"defaultValue": "[concat('vm-', uniqueString(resourceGroup().id))]",
"metadata": {
"description": "Unique DNS Name for the Public IP used to access the Virtual
Machine."
},
...
"apiVersion": "2019-12-01",
"type": "Microsoft.Compute/virtualMachines",
"name": "[variables('vmName')]",
"location": "[parameters('location')]",
"dependsOn": [
"[variables('storageAccountName')]",
"[variables('nicName')]"
],
"properties": {
"hardwareProfile": {
"vmSize": "[parameters('vmSize')]"
},
"osProfile": {
"computerName": "[variables('vmName')]",
"adminUsername": "[parameters('adminUsername')]",
"adminPassword": "[parameters('adminPassword')]"
},
...
Template.parameters.json
{
"$schema":
"https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"parameters": {
"adminUsername": {
"value": ""
},
"adminPassword": {
...
Which two resources should you provision to ensure that the password can be stored securely?
Your Answer
 Access Policy
 Azure Key Vault
Correct Answer
 Access Policy
 Azure Key Vault

You must create a new key vault, create the password from there, and then specify the parameters. You must also
create a Key Vault access policy to use in the template.
ARM template documentation | Microsoft Learn
Question 23 of 50
container.
Your Answer
 -TemplateUri
Correct Answer
 -TemplateUri
Question 24 of 50
You plan to deploy an Azure virtual machine based on a basic template stored in the Azure Resource Manager (ARM)
library.
What can you configure during the deployment of the template?
Your Answer
 the resource group
Correct Answer

When you deploy a resource by using a template, you can mention the resource group for the deployment. The
resource group is a container for Azure resources and makes it easier to manage the resources.
Deploy template - Azure portal - Azure Resource Manager | Microsoft Learn
New-AzResourceGroupDeployment (Az.Resources) | Microsoft Learn
Configure resources with Azure Resource Manager templates - Training | Microsoft Learn
Question 25 of 50
Your Answer
 Deployments
Correct Answer
 Deployments
group.
Question 26 of 50
You have two Azure virtual machines named VM1 and VM2 that run Windows Server 2022.
VM1 has a single data disk that stores backup files.
You need to move the data disk from VM1 to VM2 as quickly as possible.
Your Answer
Correct Answer
You can detach a disk from a running virtual machine (hot removal). You do not need to stop VM2 or restart the VM1.
Detach a data disk from a Windows VM - Azure - Azure Virtual Machines | Microsoft Learn
Question 27 of 50
You plan to deploy an Azure virtual machine.
You are evaluating whether to use an Azure Spot instance.
Which two factors can cause an Azure Spot instance to be evicted? Each correct answer presents a complete solution.
Your Answer
 the Azure capacity needs
 the current price of the instance
Correct Answer
Azure Spot instances allow you to provision virtual machines at a reduced cost, but these virtual machines can be
stopped by Azure when Azure needs the capacity for other pay-as-you-go workloads, or when the price of the spot
instance exceeds the maximum price that you have set. These virtual machines are good for dev, testing, or for
workloads that do not require any specific SLA.
Use Azure Spot Virtual Machines - Azure Virtual Machines | Microsoft Learn
Question 28 of 50
Your development team plans to deploy an Azure container instance. The container needs a persistent storage layer.
Which service should you use?
Your Answer
 Azure Blob storage
Correct Answer
 Azure Files

You can persist data for Azure Container Instances with the use of Azure Files. Azure Files offers fully managed file
shares hosted in Azure Storage that are accessible via the industry standard Server Message Block (SMB) protocol.
Mount Azure Files volume to container group - Azure Container Instances | Microsoft Learn
Explore Azure Storage services - Training | Microsoft Learn
Question 29 of 50
You have an Azure subscription that contains a Docker container image named container1.
You create a new Azure web app named WebApp1.
You need to ensure that you can use container1 for WebApp1.
Which WebApp1 setting should you configure?
Your Answer
 Publish
Correct Answer
 Publish
If you want to run a Docker container as an Azure web service, you must configure the Publish option and select
Docker container.
Runtime stack specifies the stack that you want to use for the web app. If you want to deploy a Docker container as
web app, the runtime stack option is unavailable.
Pricing plan specifies the location, features, and costs of the web app.
Continuous deployment is a strategy for software releases. This option is unavailable when you publish a Docker
container as an Azure web app.
Question 30 of 50
You have an Azure subscription that contains an Azure container app named cont1.
You plan to add scaling rules to cont1.
You need to ensure that cont1 replicas are created based on received messages in Azure Service Bus.
Which scale trigger should you use?
Your Answer
 event-driven
Correct Answer
 event-driven
Azure Container Apps allows a set of triggers to create new instances, called replicas. For Azure Service Bus, an event-
driven trigger can be used to run the escalation method. The remaining scale triggers cannot use a scale rule based
on messages in an Azure service bus.
Scaling in Azure Container Apps | Microsoft Learn
Question 31 of 50
You have an Azure subscription that contains an Azure App Service web app named App1.
You have the following diagnostic logging configurations:
 Application Logging (FileSystem): Error
 Application Logging (Blob): Information
 Detailed Error Message: Warning
 Web Server Logging: Verbose
You need to configure diagnostic logging to store all warnings or higher.
Which types of diagnostic logging and severity should you enable?
Your Answer
 Warning
Correct Answer
 Warning
You must enable the Application Logging (Blob) diagnostic, which can be stored for more than a week. You must also
set the severity level to warning, to store warning, error, and critical log messages.
Enable diagnostics logging - Azure App Service | Microsoft Learn
Question 32 of 50
You have a Basic Azure App Service plan that contains a web app.
You need to ensure that the web app can scale automatically when the CPU percentage goes beyond 80 percent for a
duration of 15 minutes.
Your Answer
 Configure a scaling condition to scale based on a metric, and then add the rules.
 Scale up the App Service plan.
Correct Answer
Scale up the web app by adding more CPU, memory, and disk space to fulfill the requirement. Increase the number of
virtual machine instances that run the app. The scale settings take only seconds to apply and affect all the apps in the
App Service plan. Then, you must set up a scaling condition with the required metrics to scale up/down and scale
out/in when certain thresholds are met.
Scale up features and capacities - Azure App Service | Microsoft Learn
Question 33 of 50
You have an Azure subscription that contains a container app named App1. App1 is configured to use cached data.
You plan to create a new container.
You need to ensure that the new container automatically refreshes the cache used by App1.
Which type of container should you configure?
Your Answer
 sidecar
Correct Answer
 sidecar
Azure Container Apps manages the details of Kubernetes and container orchestration. Containers in Azure Container
Apps can use any runtime, programming language, or development stack of your choice. You can define multiple
containers in a single container app to implement the sidecar pattern, for example, an agent that reads logs from the
primary app container in a shared volume and forwards them to a logging service.
Containers in Azure Container Apps | Microsoft Learn
Question 34 of 50
You have an Azure subscription that contains network security groups (NSGs).
Which two resources can be associated with a NSG? Each correct answer presents a complete solution.
Your Answer
 network interfaces
 subnets
Correct Answer
 network interfaces
 subnets
You can use a network security group (NSG) to be assigned to a network interface. NSGs can be associated with
subnets or individual virtual machine instances within that subnet. When an NSG is associated with a subnet, the
access control list (ACL) rules apply to all virtual machine instances of that subnet.
Question 35 of 50
Your Answer
Correct Answer
You can assign an NSG to the subnet of the virtual network in the same region as the NSG and NSG1 is in the West US
region.
Question 36 of 50
 Secured HTTPS
Your Answer
 443
 3389
Correct Answer
 443
 3389
Question 37 of 50
You have an Azure virtual network that contains four subnets. Each subnet contains 10 virtual machines.
You plan to configure a network security group (NSG) that will allow inbound traffic over TCP port 8080 to two virtual
machines on each subnet. The NSG will be associated to each subnet.

You need to recommend a solution to configure the inbound access by using the fewest number of NSG rules
possible.
What should you use as the destination in the NSG?
Your Answer
 an application security group
Correct Answer
Application security groups allow you to group together the network interfaces from multiple virtual machines, and
then use the group as the source or destination in an NSG rule. The network interfaces must be in the same virtual
network.
You can use the IP address of each virtual machine as the destination, but you must create a rule for each virtual
machine.
Using the subnets will require four rules and will also allow traffic to all the virtual machines on those subnets.
Service tags are for specific Azure services, such as Azure App Service or Azure Backup.
Azure application security groups overview | Microsoft Learn
Question 38 of 50
You create several Azure virtual machines that run Windows Server.
You need to connect to the virtual machines without exposing RDP ports over the internet.
Which Azure service should you deploy?
Your Answer
 Azure Bastion
Correct Answer
 Azure Bastion
Azure Bastion is a service that lets you connect to a virtual machine by using a browser, without exposing RDP and
SSH ports. Azure Monitor helps you maximize the availability and performance of applications and services. Azure
Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an
Azure virtual network. Remote Desktop is a feature of the operating system, which exposes the RDP port to connect
to a server from the internet.

About Azure Bastion | Microsoft Learn
Question 39 of 50
You have an Azure subscription that contains an ASP.NET application. The application is hosted on four Azure virtual
machines that run Windows Server 2022.
You have a load balancer named LB1 to load balances requests to the virtual machines.
You need to ensure that site users connect to the same web server for all requests made to the application.
Your Answer
 Configure an inbound NAT rule.
 Set Session persistence to **None**.
Correct Answer
 Set Session persistence to Client IP.
 Set Session persistence to Protocol.
By setting Session persistence to Client IP and Protocol, you ensure that site users connect to the same web server for
all requests made to the application. Setting Session persistence to None disables sticky sessions and an inbound NAT
rule is used to forward traffic from a load balancer frontend to a backend pool.
Azure Load Balancer distribution modes | Microsoft Learn
Question 40 of 50
You have an Azure subscription that contains a resource group named RG1. RG1 has a virtual network named VNet3, a
virtual machine named VM1, and a public IP address named PubIP1. All the resources are in the West US Azure
region.
You plan to create and configure a network security group (NSG) named NSG1 for the following types of traffic:
 HTTP
NSG1 will be used on the subnets of multiple virtual networks.
Which two cmdlets should you run? Each correct answer presents part of the solution.
Your Answer
 New-AzNetworkSecurityGroup
 New-AzNetworkSecurityRuleConfig
Correct Answer
New-AzNetworkSecurityRuleConfig allows you to create a rule and provide the type, protocol, direction, and port
number. New-AzNetworkSecurityGroup creates a network security group (NSG). -SecurityRules specifies a list of
network security rule objects to create in a NSG.
New-AzNetworkSecurityRuleConfig (Az.Network) | Microsoft Learn
New-AzNetworkSecurityGroup (Az.Network) | Microsoft Learn
Question 41 of 50
You have an Azure subscription that contains two virtual networks named VNet1 and VNet2.
You need to ensure that the resources on both VNet1 and VNet2 can communicate seamlessly between both
networks.
What should you configure from the Azure portal?
Your Answer
 peerings
Correct Answer
 peerings
You can connect virtual networks to each other with virtual network peering. Once the virtual networks are peered,
the resources on both virtual networks can communicate with each other with the same latency and bandwidth as
though the resources were on the same virtual network.
Configure Azure Virtual Network peering - Training | Microsoft Learn
Connect virtual networks with VNet peering - Azure PowerShell | Microsoft Learn
Question 42 of 50
You have an Azure subscription that contains a virtual network named VNet1.
You plan to deploy a virtual machine named VM1 to be used as a network inspection appliance.
You need to ensure that all network traffic passes through VM1.
What should you do?
Your Answer
 Configure a user-defined route.
Correct Answer
Azure automatically creates a route table for each subnet on an Azure virtual network and adds system default routes
to the table. You can override some of the Azure system routes with custom user-defined routes and add more
custom routes to route tables. Azure routes outbound traffic from a subnet based on the routes on a subnet's route
table.
Configure network routing and endpoints - Training | Microsoft Learn
Azure virtual network traffic routing | Microsoft Learn
Question 43 of 50
Your Answer
Correct Answer
Question 44 of 50
You need to create Azure alerts based on metric values and activity log events.
The solution must meet the following requirements:
 Set a limit on how many times an alert notification is sent.
 Call an Azure function when an alert is triggered.
 Configure the alert to have a severity of warning when triggered.
Which two resources should you create? Each correct answer presents part of the solution.
Your Answer
 an action group
 an alert rule
Correct Answer
 an action group
 an alert rule
You must create an action group to set up an action and create an alert rule to set the severity of the errors. A
notification is only used to send email and you do not need to call a webhook.
Manage action groups in the Azure portal - Azure Monitor | Microsoft Learn
Configure Azure alerts - Training | Microsoft Learn
Question 45 of 50
You have an Azure virtual machine that hosts a third-party application named App1.
Users report that they experience performance issues when they use the application.
You need to find the root cause of the performance issue.
Your Answer
 Azure Monitor
Correct Answer
 Azure Monitor

Azure Monitor stores metrics in a time-series database that is optimized for analyzing time-stamped data. Activity
logs detect and address issues before users notice them proactivity. Azure Advisor analyzes configuration and usage
metrics but does not provide time-lapsed data. Azure Cost only helps to optimize and reduce overall Azure spending.
Overview of Azure Monitor Alerts - Azure Monitor | Microsoft Learn
Question 46 of 50
Your Answer
Correct Answer
machines.
Microsoft Learn
Question 47 of 50
You have 100 virtual machines deployed to Azure. You have Azure Monitor alerts configured for CPU and memory
utilization for the virtual machines.
You open Azure Monitor alerts and discover 50 closed alerts for the virtual machines.
What can cause the alert state to be Closed?
Your Answer
 An administrator manually changed the state of the alerts.
Correct Answer
 An administrator manually changed the state of the alerts.
The alert state is manually set by the user and does not have any automated logic behind it. The alert state can be
either New, Acknowledged, or Closed.
Manage Azure Monitor alerts - Training | Microsoft Learn
Question 48 of 50
You have an Azure virtual machine named Server1 that runs Windows Server.
You need to configure Azure Backup to back up files and folders.
What should you install on Server1?
Your Answer
 the Microsoft Azure Recovery Services (MARS) agent
Correct Answer
 the Microsoft Azure Recovery Services (MARS) agent
The Microsoft Azure Recovery Service (MARS) agent must be installed on the servers. The MARS agent is mandatory
to perform backup and recovery services for any servers.
Manage the Azure recovery services agent - Training | Microsoft Learn
Question 49 of 50
You have an Azure subscription that contains the following resources:
 Eight virtual networks
 24 virtual machines
 16 storage accounts
You need to implement a monitoring solution that provides the ability to view diagnostics and telemetry data
generated by Azure resources.
What should you include in the solution?
Your Answer
 a Log Analytics workspace

Correct Answer
A Log Analytics workspace is a unique environment for log data from Azure Monitor and other Azure services, such as
Microsoft Sentinel and Microsoft Defender for Cloud. Each workspace has its own data repository and configuration
and can combine data from multiple services.
Log Analytics workspace overview - Azure Monitor | Microsoft Docs
Determine Log Analytics uses - Training | Microsoft Learn
Question 50 of 50
You have an Azure subscription that contains a resource group named RG1. RG1 contains two virtual machines named
VM1 and VM2.
You need to inspect all the network traffic from VM1 to VM2.The solution must use Azure Monitor metrics.
Your Answer
 Configure a log alert.
Correct Answer
Azure Network Watcher variable packet capture allows you to create packet capture sessions to track traffic to and
from a virtual machine. Packet capture helps to diagnose network anomalies both reactively and proactively.
Tutorial: Monitor network communication between two virtual machines using the Azure portal | Microsoft Learn
Introduction to Packet capture in Azure Network Watcher | Microsoft Learn

 Learn
 Documentation
 Training
 Credentials
 Q&A
 Code Samples
 Assessments
 Shows
Credentials
 FAQ & Help
1. Learn
2. Credentials

Overall Results
Score: 90%
Show My Answers
Implement and manage storage
Deploy and manage Azure compute resources
Implement and manage virtual networking
Monitor and maintain Azure resources
Ready to take the exam?
Schedule exam Take another practice assessment.
Customized learning material to improve your skills
Congratulations, you passed all the sections! If you have passed multiple attempts, consider scheduling an exam.
Go to exam details
English (United States)
Your Privacy Choices
Theme
 Previous Versions
 Blog
 Contribute
 Privacy
 Terms of Use
 Trademarks
 © Microsoft 2023
Answer Summary
Back to Report
Question 1 of 50
You have a Microsoft Entra tenant named contoso.com. Microsoft Entra Connect is configured to sync users to the
tenant.
You need to assign licenses to the users based on Microsoft Entra ID attributes. The attribute values will be set by the
HR department.
Your Answer
 Assign the licenses to the security groups.
 Create an automatic assignment policy.
Correct Answer

To assign licenses to users based on Microsoft Entra ID attributes, you must create a dynamic security group and
configure rules based on custom attributes. The dynamic group must be added to a license group for automatic
synchronization. All users in the groups will get the license automatically. Microsoft Entra evaluates the users in the
organization that are in scope for an assignment policy rule and creates assignments for the users who don't have
assignments to an access package; automatic assignment policies are not used for licensing.
Assign licenses to a group - Azure Active Directory - Microsoft Entra | Microsoft Learn
Question 2 of 50
You have an Azure subscription that contains multiple virtual machines.
You need to ensure that a user named User1 can view all the resources in a resource group named RG1. You must use
the principle of least privilege.
Which role should you assign to User1?
Your Answer
 Contributor
Correct Answer
 Reader
The Reader role allows you to view all the resources but does not allow you to make any changes. The Contributor
role allows you to manage all the resources, the Billing Reader role provides read access only to billing data, and the
Tag Contributor role allows you to manage entity tags without providing access to the entities themselves.
Question 3 of 50
You have an Azure subscription that contains several storage accounts.
You need to provide a user with the ability to perform the following tasks:
 Manage containers within the storage accounts.
 View storage account access keys.
The solution must use the principle of least privilege.
Which role should you assign to the user?
Your Answer
 Owner
Correct Answer
Storage Account Contributor allows the management of storage accounts. It provides access to the account key,
which can be used to access data via Shared Key authorization. Storage Blob Data Contributor grants permissions to
read, write, and delete Azure Storage containers and blobs. Reader allows you to view all resources but does not allow
you to make any changes. Owner grants full access to manage all resources, including the ability to assign roles in
Azure RBAC.
Question 4 of 50
You have an Azure subscription that contains a resource group named RG1. RG1 contains a virtual machine named
VM1 connected to a virtual network named Network1.
A user named Admin1 must be able to change the settings of Network1.
You need to use PowerShell to assign Admin1 the appropriate role and permissions.
Which two PowerShell statements should you use to complete the task? Each correct answer presents part of the
solution.
Your Answer
 New-AzRoleAssignment -ObjectId $User.id ` -RoleDefinitionName "Network Contributor" ` -
ResourceName Network1 ` -ResourceType Microsoft.Network/virtualNetworks ` -
ResourceGroupName RG1
 New-AzRoleAssignment -ObjectId $User.id ` -RoleDefinitionName "Virtual Machine

Contributor" ` -ResourceGroupName RG1
Correct Answer
 New-AzRoleAssignment -ObjectId $User.id ` -RoleDefinitionName "Network Contributor" ` -
ResourceName Network1 ` -ResourceType Microsoft.Network/virtualNetworks ` -
ResourceGroupName RG1
 $User = Get-AzADUser -DisplayName admin1

Before assigning an RBAC role to a user, you must use the Get-AzADUser cmdlet to obtain the ID of the user. The
New-AzRoleAssignment cmdlet can be used to assign an RBAC role to any resource. If you assign the Virtual Machine
Contributor role to RG1, it will only allow changes to the virtual machine, it will not allow Admin1 to manage the
virtual network. To modify network settings, you must assign the Network Contributor role.
Assign Azure roles using Azure PowerShell - Azure RBAC | Microsoft Learn
Question 5 of 50
You have an Azure subscription and a user named User1.
You need to assign User1 a role that allows the user to create and manage all types of resources in the subscription.
The solution must prevent User1 from assigning roles to other users.
Which Azure role-based access control (RBAC) role should you assign to User1?
Your Answer
 Owner
Correct Answer
 Contributor
Users with the Contributor role can create and manage all types of resources but cannot delegate new access to other
users. Users with the Reader role can view existing Azure resources but cannot perform any action against them. Users
with the API Management Service Contributor role can only manage API Management services and APIs. Users with
the Owner role provides full access to all resources, including the right to delegate access to others.
Question 6 of 50
daily reports.
allocated budget.
Your Answer
 Create an action group of type Runbook, and then select Scale Up VM.
Correct Answer

Question 7 of 50
You have an Azure subscription that contains hundreds of virtual machines that were migrated from a local
datacenter.
You need to identify which virtual machines are underutilized.
Which Azure Advisor settings should you use?
Your Answer
 High Availability
Correct Answer
 Cost
The Cost blade allows you to optimize and reduce your overall Azure spending. You can use this to identify the virtual
machines that are underutilized. The Performance blade allows you to improve the speed of your applications. High
availability is unavailable via Azure Advisor. Operational Excellence helps you achieve process and workflow efficiency,
resource manageability, and deployment best practices.
Introduction to Azure Advisor - Training | Microsoft Learn
Question 8 of 50
Your Answer
 resource groups
Correct Answer
 resource groups
 subscriptions
Question 9 of 50
You have an Azure subscription that contains 200 virtual machines.
You plan to use Azure Advisor to provide cost recommendations when underutilized virtual machines are detected.
You need to ensure that all Azure admins are notified whenever an Advisor alert is generated. The solution must
minimize administrative effort.
Your Answer
 an action group
Correct Answer
 an action group
Whenever Azure Advisor detects a new recommendation for resources, an event is stored in the Azure Activity log.
You can set up alerts for these events from Azure Advisor. You can select a subscription and optionally a resource
group to specify the resources for which you want to receive alerts. You also need to create an action group that will
contain all the users to be notified.
Create action groups - Training | Microsoft Learn
Create Azure Advisor alerts for new recommendations using Azure portal - Azure Advisor | Microsoft Learn
Question 10 of 50
You plan to create an Azure Policy definition named Policy1.
You need to include remediation information to indicate when users use Microsoft Defender for Cloud Regulatory and
Compliance.
To which definition section should you add remediation information for Policy1?
Your Answer
 metadata
Correct Answer
 metadata
You must use the RemediationDescription field in the metadata section from properties to specify a custom
recommendation. The remaining options are Azure policies, but do not allow specific custom remediation
information.
Create custom Azure security policies in Microsoft Defender for Cloud | Microsoft Learn
Configure Azure Policy - Training | Microsoft Learn
Question 11 of 50
Your Answer
 From the Azure portal, create a new custom role.

Correct Answer

Question 12 of 50
Your Answer
Correct Answer
requests.
Question 13 of 50
Your Answer
Correct Answer
Question 14 of 50
Your Answer
 locally-redundant storage (LRS)
Correct Answer
Question 15 of 50
You have an Azure Storage account named corpimages and an on-premises shared folder named \\server1\images.
You need to migrate all the contents from \\server1\images to corpimages.
Which two commands can you use? Each correct answer presents a complete solution?
Your Answer
corpimages"
 Set-AzStorageBlobContent -Container "ContosoUpload" -File "\\server1\images" -Blob "

corporateimages "
Correct Answer

corpimages"
The AzCopy command allows you to copy all files to a storage account. You then use Get-ChildItem with
the path parameter, recurse to select everything, and then use the Set-AzureStorageBlobContent cmdlet.
Copy or move data to Azure Storage by using AzCopy v10 | Microsoft Learn
Set-AzureStorageBlobContent (Azure.Storage) | Microsoft Learn
Configure Azure Storage with tools - Training | Microsoft Learn
Question 16 of 50
You plan to configure object replication between two Azure Storage accounts.
The Blob service of the source storage account has the following settings:
 Hierarchical namespace: Disabled
 Default access tier: Hot
 Blob public access: Enabled
 Blob soft delete: Enabled (7 days)
 Container soft delete: Enabled (7 days)
 Versioning: Disabled
 Change feed: Enabled
 NFS v3: Disabled
 Allow cross-tenant replication: Enabled
Which setting should be modified on the source storage account to support object replication?
Your Answer
 Blob soft delete
Correct Answer
 Versioning
Versioning must be enabled for both the source and destination accounts. In this scenario, versioning is currently
disabled.
Question 17 of 50
You have an Azure subscription that contains multiple storage accounts.
A storage account named storage1 has a file share that stores marketing videos. Users reported that 99 percent of the
assigned storage is used.
You need to ensure that the file share can support large files and store up to 100 TiB.
Which two PowerShell commands should you run? Each correct answer presents part of the solution.
Your Answer
 Set-AzStorageAccount -ResourceGroupName RG1 -Name storage1 -Type "Standard_RAGRS"

Correct Answer

You must enable the storage account to support large files and update the storage account quota to 102,400 GB. You
do not need to change the type of storage account, and you are updating the existing share.
Question 18 of 50
You have an Azure Storage account that contains a file share.
Several users work from a secure location that limits outbound traffic to the internet.
You need to ensure that the users at the secure location can access the file share in Azure by using SMB protocol.
Which outbound port should you allow from the secure location?
Your Answer
 80
Correct Answer
 445
For accessing the file share, port 445 must be open. Port 5671 is used to send health information to Microsoft Entra. It
is recommended, but not required, in the latest versions. Port 80 is used to download certificate revocation lists (CRLs)
to verify TLS/SSL certificates. Port 443 is used for https traffic, for example to sync AD DS with Microsoft Entra.
Hybrid Identity required ports and protocols - Azure - Microsoft Entra | Microsoft Learn
Question 19 of 50
You have an Azure Storage account named storage1.
You plan to store long-term backups in storage1. The solution must minimize costs.
Which storage tier should you use for the backups?
Your Answer
 Cold
Correct Answer
 Archive
Archive is an offline tier that is optimized for storing data that is rarely accessed and has flexible latency requirements.
Data in the Archive tier must be stored for a minimum of 180 days.
Hot, cool, and archive access tiers for blob data - Azure Storage | Microsoft Learn
Assign blob access tiers - Training | Microsoft Learn
Question 20 of 50
You have an Azure subscription that contains a storage account named storage1.
You need to provide storage1 with access to a partner organization. Access to storage1 must expire after 24 hours.
Your Answer
 a shared access signature (SAS)
Correct Answer
 a shared access signature (SAS)
A SAS provides secure delegated access to resources in a storage account. With a SAS, you have granular control over
how a client can access data, including time restrictions.
Access keys and Azure CDN provide permanent access to resources. They will require manual steps to remove access.
Lifecycle management is not needed.
Grant limited access to data with shared access signatures (SAS) - Azure Storage | Microsoft Learn
Question 21 of 50
Your Answer
 a file share
 blob versioning
Correct Answer
 a container
 blob versioning
Versioning must be enabled for the source and target. An object type container is needed to replicate the images. You
must create a StandardV2 storage account. File shares are not needed, and queues are unsupported for replication.
Question 22 of 50
You plan to use the following two Azure Resource Manager (ARM) templates to provision virtual machines:
Template.json
{
"$schema":
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"parameters": {
"adminUsername": {
"type": "string",
"metadata": {
"description": "User name for the Virtual Machine."
},
"adminPassword": {
"type": "securestring",
"metadata": {
"description": "Password for the Virtual Machine."
},
"dnsLabelPrefix": {
"type": "string",
"defaultValue": "[concat('vm-', uniqueString(resourceGroup().id))]",
"metadata": {
"description": "Unique DNS Name for the Public IP used to access the Virtual
Machine."
},
...
"apiVersion": "2019-12-01",
"type": "Microsoft.Compute/virtualMachines",
"name": "[variables('vmName')]",
"location": "[parameters('location')]",
"dependsOn": [
"[variables('storageAccountName')]",
"[variables('nicName')]"
],
"properties": {
"hardwareProfile": {
"vmSize": "[parameters('vmSize')]"
},
"osProfile": {
"computerName": "[variables('vmName')]",
"adminUsername": "[parameters('adminUsername')]",
"adminPassword": "[parameters('adminPassword')]"
},
...
Template.parameters.json
{
"$schema":
"https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"parameters": {
"adminUsername": {
"value": ""
},
"adminPassword": {
...
}
}
}
Which two resources should you provision to ensure that the password can be stored securely?
Your Answer
 Access Policy
 Azure Key Vault

Correct Answer
 Access Policy
 Azure Key Vault

You must create a new key vault, create the password from there, and then specify the parameters. You must also
create a Key Vault access policy to use in the template.
ARM template documentation | Microsoft Learn
Question 23 of 50
container.
Your Answer
 `-Templatefile `
Correct Answer
 -TemplateUri
Question 24 of 50
You plan to deploy an Azure virtual machine based on a basic template stored in the Azure Resource Manager (ARM)
library.
What can you configure during the deployment of the template?
Your Answer
 the disk assigned to virtual machine
Correct Answer
When you deploy a resource by using a template, you can mention the resource group for the deployment. The
resource group is a container for Azure resources and makes it easier to manage the resources.
Deploy template - Azure portal - Azure Resource Manager | Microsoft Learn
New-AzResourceGroupDeployment (Az.Resources) | Microsoft Learn
Configure resources with Azure Resource Manager templates - Training | Microsoft Learn
Question 25 of 50
Your Answer
 Deployments
Correct Answer
 Deployments
group.
Question 26 of 50
You are creating an Azure virtual machine that will run Windows Server.
You need to ensure that VM1 will be part of a virtual machine scale set.
Which setting should you configure during the creation of the virtual machine?
Your Answer
 Region
Correct Answer
You must configure the virtual machine scale set from the availability options. Azure spot instance is used to add
virtual machines with a discounted price. Region will not affect the configuration of the availability options. The
management setting allows you to configure the monitoring and management options for the virtual machine.
Availability options for Azure Virtual Machines - Azure Virtual Machines | Microsoft Learn
Question 27 of 50
You have an Azure virtual network that contains two subnets named Subnet1 and Subnet2. You have a virtual machine
named VM1 that is connected to Subnet1. VM1 runs Windows Server.
You need to ensure that VM1 is connected directly to both subnets.
Your Answer
 From the Azure portal, create an IP group.
Correct Answer
 From the Azure portal, add a network interface.
A network interface is used to connect a virtual machine to a subnet. Since VM1 is connected to Subnet1, VM1
already has a network interface attached that is connected to Subnet1. To connect VM1 directly to Subnet2, you must
create a new network interface that is connected to Subnet2. Next, you must attach the new network interface to
VM1.
An IP group is a user-defined collection of static IP addresses, ranges, and subnets. A network bridge allows you to
connect multiple existing network connection in Windows together. Changing the IP configurations of the existing
network interface results in VM1 being connected to Subnet2 but not to Subnet1.
Virtual networks and virtual machines in Azure | Microsoft Learn
Question 28 of 50
You have an Azure virtual machine.
You receive a notification that the virtual machine is going to be affected by an underlying maintenance activity on
the physical infrastructure.
You need to move the virtual machine to a different host to avoid a service interruption.
What should you do?
Your Answer
 Apply an Azure tag.
Correct Answer
 Redeploy the virtual machine.
You must redeploy the virtual machine, which can move the virtual machine to a different host. Azure will shut down
the virtual machine and move the virtual machine to a new node within the Azure infrastructure.
Redeploy Windows virtual machines in Azure - Virtual Machines | Microsoft Learn
Question 29 of 50
You plan to deploy an Azure virtual machine.
You are evaluating whether to use an Azure Spot instance.
Which two factors can cause an Azure Spot instance to be evicted? Each correct answer presents a complete solution.
Your Answer
 the average CPU usages of the instance
Correct Answer

Azure Spot instances allow you to provision virtual machines at a reduced cost, but these virtual machines can be
stopped by Azure when Azure needs the capacity for other pay-as-you-go workloads, or when the price of the spot
instance exceeds the maximum price that you have set. These virtual machines are good for dev, testing, or for
workloads that do not require any specific SLA.
Use Azure Spot Virtual Machines - Azure Virtual Machines | Microsoft Learn
Question 30 of 50
You have an Azure subscription that contains an Azure Storage account named vmstorageaccount1.
You create an Azure container instance named container1.
You need to configure persistent storage for container1.
What should you create in vmstorageaccount1?
Your Answer
 a file share
Correct Answer
 a file share
An Azure container instance (Docker container) can mount Azure File Storage shares as directories and use them as
persistent storage. An Azure container instance cannot mount and use as persistent storage blob containers, queues
and tables.
Persistent Docker volumes with Azure File Storage | Azure Blog and Updates | Microsoft Azure
Question 31 of 50
You have an Azure subscription that contains an Azure container app named cont1.
You plan to add scaling rules to cont1.
You need to ensure that cont1 replicas are created based on received messages in Azure Service Bus.
Which scale trigger should you use?
Your Answer
 CPU usage
Correct Answer
 event-driven
Azure Container Apps allows a set of triggers to create new instances, called replicas. For Azure Service Bus, an event-
driven trigger can be used to run the escalation method. The remaining scale triggers cannot use a scale rule based
on messages in an Azure service bus.
Scaling in Azure Container Apps | Microsoft Learn
Question 32 of 50
You have a Basic Azure App Service plan that contains a web app.
You need to ensure that the web app can scale automatically when the CPU percentage goes beyond 80 percent for a
duration of 15 minutes.
Your Answer
 Configure a scaling condition to scale based on an instance count, and then set the instance count.
Correct Answer

Scale up the web app by adding more CPU, memory, and disk space to fulfill the requirement. Increase the number of
virtual machine instances that run the app. The scale settings take only seconds to apply and affect all the apps in the
App Service plan. Then, you must set up a scaling condition with the required metrics to scale up/down and scale
out/in when certain thresholds are met.
Scale up features and capacities - Azure App Service | Microsoft Learn
Question 33 of 50
You need to create an Azure App Service web app that runs on Windows. The web app requires scaling to five
instances, 45 GB of storage, and a custom domain name. The solution must minimize costs.
Which App Service plan should you use?
Your Answer
 Standard
Correct Answer
 Standard
The Standard service plan can host unlimited web apps, up to 50 GB of disk space, and up to 10 instances. The plan
will cost approximately $0.10/hour. The Free plan only offers 1 GB of disk size and 0 instances to host the app. The
Premium plan offers 250 GB of disk space and up to 30 instances and will cost approximately $0.20/hour. The Basic
plan offers 10 GB of disk space and up to three virtual machines.
App Service Pricing | Microsoft Azure
Configure Azure App Service plans - Training | Microsoft Learn
Question 34 of 50
Your Answer
 the subnets of VNet1 and VNet2
Correct Answer
You can assign an NSG to the subnet of the virtual network in the same region as the NSG and NSG1 is in the West US
region.
Question 35 of 50
 Secured HTTPS
Your Answer
 443
 3389
Correct Answer
 443
 3389
Question 36 of 50
You have an Azure virtual network that contains four subnets. Each subnet contains 10 virtual machines.
You plan to configure a network security group (NSG) that will allow inbound traffic over TCP port 8080 to two virtual
machines on each subnet. The NSG will be associated to each subnet.
You need to recommend a solution to configure the inbound access by using the fewest number of NSG rules
possible.
What should you use as the destination in the NSG?
Your Answer
Correct Answer
Application security groups allow you to group together the network interfaces from multiple virtual machines, and
then use the group as the source or destination in an NSG rule. The network interfaces must be in the same virtual
network.
You can use the IP address of each virtual machine as the destination, but you must create a rule for each virtual
machine.
Using the subnets will require four rules and will also allow traffic to all the virtual machines on those subnets.
Service tags are for specific Azure services, such as Azure App Service or Azure Backup.
Azure application security groups overview | Microsoft Learn
Question 37 of 50
You have a virtual machine named VM1 that is assigned to a network security group (NSG) named NSG1.
NSG1 has the following outbound security rules:
Rule1:
 Priority: 900
 Name: BlockInternet
 Port: 80
 Protocol: TCP
 Source: Any
 Action: Block
Rule2:
 Priority: 1000
 Name: AllowInternet
 Port: 80
 Protocol: TCP
 Source: Any
 Action: Allow
You need to ensure that internet access to VM1 on port 80 is allowed.
What should you do?
Your Answer
Correct Answer
Rule1 has higher priority, so the action will be blocked. You can increase the priority of Rule2, decrease the priority of
Rule1, or change the action of Rule1 to achieve the goal.
Question 38 of 50
You deploy web servers to two virtual machines named VM1 and VM2 in an availability set named AVSet1.
You need to configure Azure Load Balancer with a backend pool of VM1 and VM2. The solution must minimize costs.
Which SKU should you use for the Azure Load Balancer configuration?
Your Answer
 Azure Standard Load Balancer with Basic SKU public IP
Correct Answer
 Basic Azure Load Balancer with Basic SKU public IP
Basic Azure Load Balancer supports deployment in a single availability zone. Basic Azure Load Balancer supports only
Basic SKU public IP. Azure Standard Load Balancer is zone-redundant, but has a higher cost.
Azure Load Balancer SKUs | Microsoft Learn
Question 39 of 50
You migrate a web app from on-premises to an Azure virtual machine. The web app was configured by using load
balancing in Azure.
Users experience issues when accessing the web app. You suspect an issue with the web server and must check
whether the server is listening on port 80.
Your Answer
 `nbtstat -c `
Correct Answer
 netstat -an
Using netstat -an will list the ports that the server is listening on. Test-NetConnection will perform a ping/ICMP
test. Nbtstat -c checks the NBT cache. Get-AzVirtualNetwork gets the virtual networks in a resource group.
Troubleshoot Azure Load Balancer | Microsoft Learn
Question 40 of 50
You have an Azure subscription that contains a resource group named RG1. RG1 has a virtual network named VNet3, a
virtual machine named VM1, and a public IP address named PubIP1. All the resources are in the West US Azure
region.
You plan to create and configure a network security group (NSG) named NSG1 for the following types of traffic:
 HTTP
NSG1 will be used on the subnets of multiple virtual networks.
Which two cmdlets should you run? Each correct answer presents part of the solution.
Your Answer
 Add-AzNetworkInterfaceTapConfig
Correct Answer
New-AzNetworkSecurityRuleConfig allows you to create a rule and provide the type, protocol, direction, and port
number. New-AzNetworkSecurityGroup creates a network security group (NSG). -SecurityRules specifies a list of
network security rule objects to create in a NSG.
New-AzNetworkSecurityRuleConfig (Az.Network) | Microsoft Learn
New-AzNetworkSecurityGroup (Az.Network) | Microsoft Learn
Question 41 of 50
You have an Azure subscription that contains two virtual networks named VNet1 and VNet2.
You need to ensure that the resources on both VNet1 and VNet2 can communicate seamlessly between both
networks.
What should you configure from the Azure portal?
Your Answer
 peerings
Correct Answer
 peerings
You can connect virtual networks to each other with virtual network peering. Once the virtual networks are peered,
the resources on both virtual networks can communicate with each other with the same latency and bandwidth as
though the resources were on the same virtual network.
Configure Azure Virtual Network peering - Training | Microsoft Learn
Connect virtual networks with VNet peering - Azure PowerShell | Microsoft Learn
Question 42 of 50
You have an Azure subscription that contains a virtual network named VNet1.
You plan to deploy a virtual machine named VM1 to be used as a network inspection appliance.
You need to ensure that all network traffic passes through VM1.
What should you do?
Your Answer
Correct Answer
Azure automatically creates a route table for each subnet on an Azure virtual network and adds system default routes
to the table. You can override some of the Azure system routes with custom user-defined routes and add more
custom routes to route tables. Azure routes outbound traffic from a subnet based on the routes on a subnet's route
table.
Configure network routing and endpoints - Training | Microsoft Learn
Azure virtual network traffic routing | Microsoft Learn
Question 43 of 50
Your Answer
 Add an A record for test.contoso.com.
Correct Answer
Question 44 of 50
You have a Log Analytics workspace that collects data from various data sources.
You create a new Azure Monitor log query.
You plan to view data pinned as a chart to a shared dashboard.
What is the maximum number of days for which data can be pinned as a chart on the dashboard?
Your Answer
 30
Correct Answer
 14
Data pinned on a shared dashboard can only be displayed for a maximum of 14 days.
Azure Monitor workbook chart visualizations - Azure Monitor | Microsoft Learn
Question 45 of 50
You have an Azure virtual machine that hosts a third-party application named App1.
Users report that they experience performance issues when they use the application.
You need to find the root cause of the performance issue.
Your Answer
 activity logs
Correct Answer
 Azure Monitor
Azure Monitor stores metrics in a time-series database that is optimized for analyzing time-stamped data. Activity
logs detect and address issues before users notice them proactivity. Azure Advisor analyzes configuration and usage
metrics but does not provide time-lapsed data. Azure Cost only helps to optimize and reduce overall Azure spending.
Overview of Azure Monitor Alerts - Azure Monitor | Microsoft Learn
Question 46 of 50
Your Answer
Correct Answer
machines.
Microsoft Learn
Question 47 of 50
You have multiple Azure virtual machines and an Azure recovery services vault. Virtual machines are configured with
the default backup policy.
What is the retention period of virtual machine backups in the default backup policy?
Your Answer
 90 days
Correct Answer
 30 days
By default, backups of virtual machines are kept for 30 days.

Back up an Azure VM from the VM settings - Azure Backup | Microsoft Learn
Question 48 of 50
You have an Azure subscription that contains the following resources:
 Eight virtual networks
 24 virtual machines
 16 storage accounts
You need to implement a monitoring solution that provides the ability to view diagnostics and telemetry data
generated by Azure resources.
What should you include in the solution?
Your Answer
 metrics logs
Correct Answer
A Log Analytics workspace is a unique environment for log data from Azure Monitor and other Azure services, such as
Microsoft Sentinel and Microsoft Defender for Cloud. Each workspace has its own data repository and configuration
and can combine data from multiple services.
Log Analytics workspace overview - Azure Monitor | Microsoft Docs
Determine Log Analytics uses - Training | Microsoft Learn
Question 49 of 50
You plan to provision an Azure subscription that will contain the following virtual networks:
 VNet1 in the East US Azure region with two subnets
 VNet2 in the East US region with four subnets
 VNet3 in the West Europe Azure region with four subnets
 VNet4 in the West Europe region with two subnets
How many Azure Network Watcher instances will be provisioned as part of the deployment?
Your Answer
 2
Correct Answer
 2
Azure Network Watcher is a regional service that allows you to monitor and diagnose conditions at a network
scenario level in, to, and from Azure. When you create or update a virtual network in a subscription, Network Watcher
will be enabled automatically in the virtual network's region. There is no impact on resources or associated charges for
automatically enabling Network Watcher.
Create an Azure Network Watcher instance | Microsoft Learn
Question 50 of 50
You have an Azure subscription that contains virtual machines, virtual networks, application gateways, and load
balancers.
You need to monitor the network health of the resources.
Which Azure service should you use?
Your Answer
 Azure Network Watcher
Correct Answer
 Azure Network Watcher
Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources on
an Azure virtual network. Azure Resource Manager is the deployment and management service for Azure. Network
security groups (NSGs) are used only for security, not monitoring. Azure Monitor is used for the HTTP Data Collector
API to send log data to Log Analytics.
Azure Network Watcher | Microsoft Learn
 Learn
 Documentation
 Training
 Credentials
 Q&A
 Code Samples
 Assessments
 Shows
Credentials
 FAQ & Help
1. Learn
2. Credentials


Overall Results
Score: 30%
Show My Answers

Implement and

PracticeTest AZ 104

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

PracticeTest AZ 104

Uploaded by

Copyright:

Available Formats

Answer Summary

Below is a summary of your answers.

Which Microsoft Entra ID edition should you use?

This answer is correct.

This answer is correct.

"Name": "Custom Role",

"Description": "Custom Role description",

This answer is correct.

This answer is correct.

This answer is incorrect.

This answer is correct.

This answer is correct.

This answer is correct.

Azure custom roles - Azure RBAC | Microsoft Learn

Configure role-based access control - Training | Microsoft Learn

333 and a management group named MG1

999 and a management group named MG1

666 and a management group named MG1

444 and a management group named MG2

888 and a management group named MG2

must use the principle of least privilege.

Which role should you assign?

This answer is correct.

This answer is correct.

to assign a role at the management group level.

Steps to assign an Azure role - Azure RBAC | Microsoft Learn

Configure role-based access control - Training | Microsoft Learn

You have an Azure subscription that contains multiple virtual machines.

the principle of least privilege.

Which role should you assign to User1?

This answer is correct.

This answer is correct.

Azure built-in roles - Azure RBAC | Microsoft Learn

Configure role-based access control - Training | Microsoft Learn

You have an Azure subscription and a user named User1.

This answer is correct.

This answer is correct.

Azure built-in roles - Azure RBAC | Microsoft Learn

Configure role-based access control - Training | Microsoft Learn

This answer is incorrect.

This answer is correct.

This answer is correct.

This answer is correct.

You have several management groups and Azure subscriptions.

You want to prevent the accidental deletion of resources.

This answer is incorrect.

This answer is correct.

This answer is correct.

This answer is correct.

This answer is correct.

This answer is correct.

delete locks on management groups or storage account data.

Use Azure Resource Manager - Training | Microsoft Learn

You have an Azure subscription that contains 25 virtual machines.

What should you use?

This answer is correct.

This answer is correct.

Entra. Administrative units cannot contain Azure virtual machines.

storage account cannot contain virtual machines.

Configure virtual machines - Training | Microsoft Learn

You have an Azure subscription.

You plan to create an Azure Policy definition named Policy1.

This answer is correct.

This answer is correct.