AZ 104 Demo

AZ-104-Demo

Uploaded by

averey.gohan

Microsoft

AZ-104 Exam
Azure Administrator Associate

Questions & Answers


(Demo Version - Limited Content)

www.certsland.com
Questions & Answers PDF Page 2

Version:40.4

Topic 1, Litware, inc.

Overview

Litware, Ltd. is a consulting company that has a main office in Montreal and two branch offices in
Seattle and New York.

The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York
office has 200 employees.

All the resources used by Litware are hosted on-premises.

Litware creates a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a
domain named Litware.onmicrosoft.com. The tenant uses the P1 pricing tier.

Existing Environment

The network contains an Active Directory forest named Litware.com. All domain controllers are
configured as DNS servers and host the Litware.com DNS zone.

Litware has finance, human resources, sales, research, and information technology departments.
Each department has an organizational unit (OU) that contains all the accounts of that respective
department. All the user accounts have the department attribute set to their respective department.
New users are added frequently.

Litware.com contains a user named User1.

All the offices connect by using private links.

Litware has data centers in the Montreal and Seattle offices. Each data center has a firewall that can
be configured as a VPN device.

All infrastructure servers are virtualized. The virtualization environment contains the servers in the
following table.

Litware uses two web applications named App1 and App2. Each instance on each web application
requires 1GB of memory.

The Azure subscription contains the resources in the following table.

The network security team implements several network security groups (NSGs).

Planned Changes

Litware plans to implement the following changes:

• Deploy Azure ExpressRoute to the Montreal office.

• Migrate the virtual machines hosted on Server1 and Server2 to Azure.

• Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).

• Migrate App1 and App2 to two Azure web apps named WebApp1 and WebApp2.

Technical requirements

Litware must meet the following technical requirements:

• Ensure that WebApp1 can adjust the number of instances automatically based on the load and can
scale up to five instances.

• Ensure that VM3 can establish outbound connections over TCP port 8080 to the application
servers in the Montreal office.

• Ensure that routing information is exchanged automatically between Azure and the routers in the
Montreal office.

• Enable Azure Multi-Factor Authentication (MFA) for the users in the finance department only.

• Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.Litware.com.

• Connect the New York office to VNet1 over the Internet by using an encrypted connection.

• Create a workflow to send an email message when the settings of VM4 are modified.

• Create a custom Azure role named Role1 that is based on the Reader role.

• Minimize costs whenever possible.

Question: 1

You discover that VM3 does NOT meet the technical requirements.

You need to verify whether the issue relates to the NSGs.

What should you use?

A. Diagram in VNet1

B. the security recommendations in Azure Advisor

C. Diagnostic settings in Azure Monitor

D. Diagnose and solve problems in Traffic Manager Profiles

E. IP flow verify in Azure Network Watcher

Answer: E
Explanation:

Scenario: Litware must meet technical requirements including:

Ensure that VM3 can establish outbound connections over TCP port 8080 to the application servers
in the Montreal office.

IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information
consists of direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied
by a security group, the name of the rule that denied the packet is returned. While any source or
destination IP can be chosen, IP flow verify helps administrators quickly diagnose connectivity issues
from or to the internet and from or to the on-premises environment.

Reference:

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview

Question: 2

You need to meet the technical requirement for VM4.

What should you create and configure?

A. an Azure Notification Hub

B. an Azure Event Hub

C. an Azure Logic App

D. an Azure Service Bus

Answer: B
Explanation:

Scenario: Create a workflow to send an email message when the settings of VM4 are modified.

You can start an automated logic app workflow when specific events happen in Azure resources or
third-party resources. These resources can publish those events to an Azure event grid. In turn, the
event grid pushes those events to subscribers that have queues, webhooks, or event hubs as
endpoints. As a subscriber, your logic app can wait for those events from the event grid before
running automated workflows to perform tasks - without you writing any code.

Reference:

https://docs.microsoft.com/en-us/azure/event-grid/monitor-virtual-machine-changes-event-grid-logic-app

Question: 3

You need to recommend a solution to automate the configuration for the finance department users.
The solution must meet the technical requirements.

What should you include in the recommendation?

A. Azure AD B2C

B. Azure AD Identity Protection

C. an Azure logic app and the Microsoft Identity Management (MIM) client

D. dynamic groups and conditional access policies

Answer: D
Explanation:

Technically, the finance department needs to migrate its users from AD to AAD using AADC based
on the finance OU, and needs to enforce MFA use. This is a conditional access policy. Employees also
often get promotions and/or join other departments, and when that occurs, the user's OU attribute
will change when the admin puts the user in a new OU, and the dynamic group conditional access
exception (OU= [Department Name Value]) will move the user to the appropriate dynamic group on
the next AADC delta sync.

https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

Question: 4

HOTSPOT

You need to identify the appropriate sizes for the Azure virtual machines for Server2.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer:
Explanation:

Box 1: Create a Recovery Services vault

Create a Recovery Services vault on the Azure Portal.

Box 2: Install the Azure Site Recovery Provider

Azure Site Recovery can be used to manage migration of on-premises machines to Azure.

Scenario: Migrate the virtual machines hosted on Server1 and Server2 to Azure.

Server2 has the Hyper-V host role.

Reference:

https://docs.microsoft.com/en-us/azure/site-recovery/migrate-tutorial-on-premises-azure

Question: 5
HOTSPOT

You need to implement Role1.

Which command should you run before you create Role1? To answer, select the appropriate options
in the answer area.

NOTE: Each correct selection is worth one point.

Answer:
Explanation:

https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell

Get-AzRoleDefinition -Name "Reader" | ConvertTo-Json

https://docs.microsoft.com/en-us/powershell/module/az.resources/get-azroledefinition?view=azps-5.9.0

https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/convertto-json?view=powershell-7.1

https://docs.microsoft.com/en-us/powershell/module/azuread/get-azureaddirectoryrole?view=azureadps-2.0

Question: 6
HOTSPOT

You need to meet the connection requirements for the New York office.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer:
Explanation:

Box 1: Create a virtual network gateway and a local network gateway.

Azure VPN gateway. The VPN gateway service enables you to connect the VNet to the on-premises
network through a VPN appliance. For more information, see Connect an on-premises network to a
Microsoft Azure virtual network. The VPN gateway includes the following elements:

Virtual network gateway. A resource that provides a virtual VPN appliance for the VNet. It is
responsible for routing traffic from the on-premises network to the VNet.

Local network gateway. An abstraction of the on-premises VPN appliance. Network traffic from the
cloud application to the on-premises network is routed through this gateway.

Connection. The connection has properties that specify the connection type (IPSec) and the key
shared with the on-premises VPN appliance to encrypt traffic.

Gateway subnet. The virtual network gateway is held in its own subnet, which is subject to various
requirements, described in the Recommendations section below.

Box 2: Configure a site-to-site VPN connection

On premises create a site-to-site connection for the virtual network gateway and the local network
gateway.

Scenario: Connect the New York office to VNet1 over the Internet by using an encrypted connection.

Incorrect Answers:

Azure ExpressRoute: Established between your network and Azure, through an ExpressRoute partner.
This connection is private. Traffic does not go over the internet.

Reference:

https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/vpn

Question: 7
You need to ensure that VM1 can communicate with VM4. The solution must minimize
administrative effort.

What should you do?

A. Create a user-defined route from VNET1 to VNET3.

B. Assign VM4 an IP address of 10.0.1.5/24.

C. Establish peering between VNET1 and VNET3.

D. Create an NSG and associate the NSG to VM1 and VM4.

Answer: B
Explanation:

Reference:

https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal

Question: 8

HOTSPOT

You implement the planned changes for NSG1 and NSG2.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Answer:
Explanation:

Topic 2, Humongous Insurance

Overview

Existing Environment

Humongous Insurance is an insurance company that has three offices in Miami, Tokyo, and Bangkok.
Each has 5000 users.

Active Directory Environment

Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com.


The functional level of the forest is Windows Server 2012.

You recently provisioned an Azure Active Directory (Azure AD) tenant.

Network Infrastructure

Each office has a local data center that contains all the servers for that office. Each office has a
dedicated connection to the Internet.

Each office has several link load balancers that provide access to the servers.

Active Directory Issue

Several users in humongousinsurance.com have UPNs that contain special characters.

You suspect that some of the characters are unsupported in Azure AD.

Licensing Issue

You attempt to assign a license in Azure to several users and receive the following error message:
"Licenses not assigned. License agreement failed for one user."

You verify that the Azure subscription has the available licenses.

Requirements

Planned Changes

Humongous Insurance plans to open a new office in Paris. The Paris office will contain 1,000 users
who will be hired during the next 12 months. All the resources used by the Paris office users will be
hosted in Azure.

Planned Azure AD Infrastructure

The on-premises Active Directory domain will be synchronized to Azure AD.

All client computers in the Paris office will be joined to an Azure AD domain.

Planned Azure Networking Infrastructure

You plan to create the following networking resources in a resource group named All_Resources:

Default Azure system routes that will be the only routes used to route traffic

A virtual network named Paris-VNet that will contain two subnets named Subnet1 and Subnet2

A virtual network named ClientResources-VNet that will contain one subnet named ClientSubnet

A virtual network named AllOffices-VNet that will contain two subnets named Subnet3 and Subnet4

You plan to enable peering between Paris-VNet and AllOffices-VNet. You will enable the Use remote
gateways setting for the Paris-VNet peerings.

You plan to create a private DNS zone named humongousinsurance.local and set the registration
network to the ClientResources-VNet virtual network.

Planned Azure Computer Infrastructure

Each subnet will contain several virtual machines that will run either Windows Server 2012 R2,
Windows Server 2016, or Red Hat Linux.

Department Requirements

Humongous Insurance identifies the following requirements for the company's departments:

Web administrators will deploy Azure web apps for the marketing department. Each web app will be
added to a separate resource group. The initial configuration of the web apps will be identical. The
web administrators have permission to deploy web apps to resource groups.

During the testing phase, auditors in the finance department must be able to review all Azure costs
from the past week.

Authentication Requirements

Users in the Miami office must use Azure Active Directory Seamless Single Sign-on (Azure AD
Seamless SSO) when accessing resources in Azure.

Question: 9
DRAG DROP

You need to prepare the environment to ensure that the web administrators can deploy the web
apps as quickly as possible.

Which three actions should you perform in sequence? To answer, move the appropriate actions from
the list of actions to the answer area and arrange them in the correct order.

Answer:
Explanation:

Scenario:

1. Web administrators will deploy Azure web apps for the marketing department.

2. Each web app will be added to a separate resource group.

3. The initial configuration of the web apps will be identical.

4. The web administrators have permission to deploy web apps to resource groups.

Steps:

1 --> Create a resource group, and then deploy a web app to the resource group.

2 --> From the Automation script blade of the resource group , click Add to Library.

3 --> From the Templates service, select the template, and then share the template to the web
administrators .

Reference:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/quickstart-create-templates-use-the-portal

Question: 10

Which blade should you instruct the finance department auditors to use?

A. Partner information

B. Overview

C. Payment methods

D. Invoices

Answer: D
Explanation:

You can opt in and configure additional recipients to receive your Azure invoice in an email. This
feature may not be available for certain subscriptions such as support offers, Enterprise Agreements,
or Azure in Open.

Select your subscription from the Subscriptions page. Opt-in for each subscription you own. Click
Invoices then Email my invoice.

Click Opt in and accept the terms.

Scenario: During the testing phase, auditors in the finance department must be able to review all
Azure costs from the past week.

Reference: https://docs.microsoft.com/en-us/azure/billing/billing-download-azure-invoice-daily-usage-date

Question: 11

You need to prepare the environment to meet the authentication requirements.

Which two actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. Azure Active Directory (AD) Identity Protection and an Azure policy

B. a Recovery Services vault and a backup policy

C. an Azure Key Vault and an access policy

D. an Azure Storage account and an access policy

Answer: C
Explanation:

D: Seamless SSO works with any method of cloud authentication - Password Hash Synchronization or
Pass-through Authentication, and can be enabled via Azure AD Connect.

B: You can gradually roll out Seamless SSO to your users. You start by adding the following Azure AD
URL to all or selected users' Intranet zone settings by using Group Policy in Active Directory:
https://autologon.microsoftazuread-sso.com

Incorrect Answers:

A: Seamless SSO needs the user's device to be domain-joined, but doesn't need the device to be
Azure AD joined.

C: Azure AD Connect does not use port 8080. It uses port 443.

E: Seamless SSO is not applicable to Active Directory Federation Services (ADFS).

Scenario: Users in the Miami office must use Azure Active Directory Seamless Single Sign-on (Azure
AD Seamless SSO) when accessing resources in Azure.

Planned Azure AD Infrastructure includes: The on-premises Active Directory domain will be
synchronized to Azure AD.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso-quick-start

Question: 12

You need to define a custom domain name for Azure AD to support the planned infrastructure.

Which domain name should you use?

A. Join the client computers in the Miami office to Azure AD.

B. Add http://autologon.microsoftazuread-sso.com to the intranet zone of each client computer in
the Miami office.

C. Allow inbound TCP port 8080 to the domain controllers in the Miami office.

D. Install Azure AD Connect on a server in the Miami office and enable Pass-through Authentication

E. Install the Active Directory Federation Services (AD FS) role on a domain controller in the Miami
office.

Answer: BD
Explanation:

Every Azure AD directory comes with an initial domain name in the form of
domainname.onmicrosoft.com. The initial domain name cannot be changed or deleted, but you can
add your corporate domain name to Azure AD as well. For example, your organization probably has
other domain names used to do business and users who sign in using your corporate domain name.
Adding custom domain names to Azure AD allows you to assign user names in the directory that are
familiar to your users, such as ‘[email protected].’ instead of 'alice@domain
name.onmicrosoft.com'.

Scenario:

Network Infrastructure: Each office has a local data center that contains all the servers for that office.
Each office has a dedicated connection to the Internet.

Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com

Planned Azure AD Infrastructure: The on-premises Active Directory domain will be synchronized to
Azure AD.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain

Question: 13

You need to resolve the Active Directory issue.

What should you do?

A. From Active Directory Users and Computers, select the user accounts, and then modify the User
Principal Name value.

B. Run idfix.exe, and then use the Edit action.

C. From Active Directory Domains and Trusts, modify the list of UPN suffixes.

D. From Azure AD Connect, modify the outbound synchronization rule.

Answer: B

Explanation:

IdFix is used to perform discovery and remediation of identity objects and their attributes in an on-
premises Active Directory environment in preparation for migration to Azure Active Directory. IdFix is
intended for the Active Directory administrators responsible for directory synchronization with Azure
Active Directory.

Scenario: Active Directory Issue

Several users in humongousinsurance.com have UPNs that contain special characters.

You suspect that some of the characters are unsupported in Azure AD.

Reference: https://www.microsoft.com/en-us/download/details.aspx?id=36832

Question: 14

Which blade should you instruct the finance department auditors to use?

A. invoices

B. partner information

C. cost analysis

D. External services

Answer: C
Explanation:

Cost analysis: Correct Option

In the Cost analysis blade of Azure, you can see all the details for a custom time span. You can use
this to determine the expenditure of the last few days, weeks, and months. The following options are
available in the Cost analysis blade for filtering information by time span: last 7 days, last 30 days,
and custom date range. By choosing the first option (last 7 days), auditors can view the costs by time span.

Cost analysis shows data for the current month by default. Use the date selector to switch to
common date ranges quickly. Examples include the last seven days, the last month, the current year,
or a custom date range. Pay-as-you-go subscriptions also include date ranges based on your billing
period, which isn't bound to the calendar month, like the current billing period or last invoice. Use
the <PREVIOUS and NEXT> links at the top of the menu to jump to the previous or next period,
respectively. For example, <PREVIOUS will switch from the Last 7 days to 8-14 days ago or 15-21 days
ago.

Invoice: Incorrect Option

Invoices can only be used for past billing periods, not for the current billing period. That is, if your
requirement is to know last week's cost, it is not met by invoices, because Azure generates the
invoice at the end of the month. Even though Invoices has a custom time span, when you enter the
dates for a week, the pane is empty. Below is from the Microsoft documentation:

Resource Provider: Incorrect Option

When deploying resources, you frequently need to retrieve information about the resource providers
and types. For example, if you want to store keys and secrets, you work with the Microsoft.KeyVault
resource provider. This resource provider offers a resource type called vaults for creating the key
vault. This is not useful for reviewing all Azure costs from the past week which is required for audit.

Payment method: Incorrect Option

Payment methods is not useful for reviewing all Azure costs from the past week which is required for
audit.

Reference:

https://docs.microsoft.com/en-us/azure/cost-management-billing/costs/quick-acm-cost-analysis

https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/download-azure-invoice-daily-usage-date

Question: 15

You need to define a custom domain name for Azure AD to support the planned infrastructure.

Which domain name should you use?

A. ad.humongousinsurance.com

B. humongousinsurance.onmicrosoft.com

C. humongousinsurance.local

D. humongousinsurance.com

Answer: D
Explanation:

Every Azure AD directory comes with an initial domain name in the form of
domainname.onmicrosoft.com.

The initial domain name cannot be changed or deleted, but you can add your corporate domain
name to Azure AD as well. For example, your organization probably has other domain names used to
do business and users who sign in using your corporate domain name. Adding custom domain names
to Azure AD allows you to assign user names in the directory that are familiar to your users, such as
[email protected].’ instead of 'alice@domain name.onmicrosoft.com'.

Scenario:

Network Infrastructure: Each office has a local data center that contains all the servers for that office.
Each office has a dedicated connection to the Internet.

Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com

Planned Azure AD Infrastructure: The on-premises Active Directory domain will be synchronized to
Azure AD.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain

Question: 16

You need to prepare the environment to meet the authentication requirements.

Which two actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. Allow inbound TCP port 8080 to the domain controllers in the Miami office.

B. Add http://autologon.microsoftazuread-sso.com to the intranet zone of each client computer in the
Miami office.

C. Join the client computers in the Miami office to Azure AD.

D. Install the Active Directory Federation Services (AD FS) role on a domain controller in the Miami
office.

E. Install Azure AD Connect on a server in the Miami office and enable Pass-through Authentication.

Answer: BE
Explanation:

B: You can gradually roll out Seamless SSO to your users. You start by adding the following Azure AD
URL to all or selected users' Intranet zone settings by using Group Policy in Active Directory:
https://autologon.microsoftazuread-sso.com

E: Seamless SSO works with any method of cloud authentication - Password Hash Synchronization or
Pass-through Authentication, and can be enabled via Azure AD Connect.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start

Question: 17

You need to resolve the licensing issue before you attempt to assign the license again.

What should you do?

A. From the Groups blade, invite the user accounts to a new group.

B. From the Profile blade, modify the usage location.

C. From the Directory role blade, modify the directory role.

Answer: B
Explanation:

Scenario: Licensing Issue

1. You attempt to assign a license in Azure to several users and receive the following error message:
"Licenses not assigned. License agreement failed for one user."

2. You verify that the Azure subscription has the available licenses.

Solution:

License cannot be assigned to a user without a usage location specified.

Some Microsoft services aren't available in all locations because of local laws and regulations. Before
you can assign a license to a user, you must specify the Usage location property for the user. You can
specify the location under the User > Profile > Settings section in the Azure portal.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-groups-resolve-problems

Question: 18

HOTSPOT

You are evaluating the name resolution for the virtual machines after the planned implementation of
the Azure networking infrastructure.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

Answer:
Explanation:

Statement 1: Yes

All client computers in the Paris office will be joined to an Azure AD domain.

A virtual network named Paris-VNet that will contain two subnets named Subnet1 and Subnet2.

Microsoft Windows Server Active Directory domains, can resolve DNS names between virtual
networks. Automatic registration of virtual machines from a virtual network that's linked to a private
zone with auto-registration enabled. Forward DNS resolution is supported across virtual networks
that are linked to the private zone.

Statement 2: Yes

A virtual network named ClientResources-VNet that will contain one subnet named ClientSubnet You
plan to create a private DNS zone named humongousinsurance.local and set the registration network
to the ClientResources-VNet virtual network.

Because this is the registration network, this will work.

Statement 3: No

Only VMs in the registration network, here the ClientResources-VNet, will be able to register
hostname records. Since Subnet4 is not connected to the ClientResources network, it is not able to
register its hostname with humongousinsurance.local.

Reference:

https://docs.microsoft.com/en-us/azure/dns/private-dns-overview

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances

Question: 19
HOTSPOT

You are evaluating the connectivity between the virtual machines after the planned implementation
of the Azure networking infrastructure.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

Answer:
Explanation:

Once the VNets are peered, all resources on one VNet can communicate with resources on the other
peered VNets. You plan to enable peering between Paris-VNet and AllOffices-VNet. Therefore VMs
on Subnet1, which is on Paris-VNet and VMs on Subnet3, which is on AllOffices-VNet will be able to
connect to each other.

All Azure resources connected to a VNet have outbound connectivity to the Internet by default.
Therefore VMs on ClientSubnet, which is on ClientResources-VNet will have access to the Internet;
and VMs on Subnet3 and Subnet4, which are on AllOffices-VNet will have access to the Internet.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

https://docs.microsoft.com/en-us/azure/networking/networking-overview#internet-connectivity

Topic 3, Contoso Ltd

Overview

Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner
organizations to bring products to market.

Contoso products are manufactured by using blueprint files that the company authors and maintains.

Existing Environment

Currently, Contoso uses multiple types of servers for business operations, including the following:

File servers

Domain controllers

Microsoft SQL Server servers

Your network contains an Active Directory forest named contoso.com. All servers and client
computers are joined to Active Directory.

You have a public-facing application named App1. App1 is comprised of the following three tiers:

A SQL database

A web front end

A processing middle tier

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

Requirements

Planned Changes

Contoso plans to implement the following changes to the infrastructure:

Move all the tiers of App1 to Azure.

Move the existing product blueprint files to Azure Blob storage.

Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.

Technical Requirements

Contoso must meet the following technical requirements:

Move all the virtual machines for App1 to Azure.

Minimize the number of open ports between the App1 tiers.

Ensure that all the virtual machines for App1 are protected by backups.

Copy the blueprint files to Azure over the Internet.

Ensure that the blueprint files are stored in the archive storage tier.

Ensure that partner access to the blueprint files is secured and temporary.

Prevent user passwords or hashes of passwords from being stored in Azure.

Use unmanaged standard storage for the hard disks of the virtual machines.

Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile
phone to verify their identity.

Minimize administrative effort whenever possible.

User Requirements

Contoso identifies the following requirements for users:

Ensure that only users who are part of a group named Pilot can join devices to Azure AD.

Designate a new user named Admin1 as the service administrator of the Azure subscription.

Admin1 must receive email alerts regarding service outages.

Ensure that a new user named User3 can create network objects for the Azure subscription.

Question: 20

You need to meet the user requirement for Admin1.

What should you do?

A. From the Subscriptions blade, select the subscription, and then modify the Properties.

B. From the Subscriptions blade, select the subscription, and then modify the Access control (IAM)
settings.

C. From the Azure Active Directory blade, modify the Properties.

D. From the Azure Active Directory blade, modify the Groups.

Answer: A
Explanation:

Change the Service administrator for an Azure subscription

Sign in to Account Center as the Account administrator.

Select a subscription.

On the right side, select Edit subscription details.

Scenario: Designate a new user named Admin1 as the service administrator of the Azure
subscription.

Reference: https://docs.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator

Question: 21

You need to move the blueprint files to Azure.

What should you do?

A. Generate a shared access signature (SAS). Map a drive, and then copy the files by using File
Explorer.

B. Use the Azure Import/Export service.

C. Generate an access key. Map a drive, and then copy the files by using File Explorer.

D. Use Azure Storage Explorer to copy the files.

Answer: D
Explanation:

Azure Storage Explorer is a free tool from Microsoft that allows you to work with Azure Storage data
on Windows, macOS, and Linux. You can use it to upload and download data from Azure blob
storage.

Scenario:

Planned Changes include: move the existing product blueprint files to Azure Blob storage.

Technical Requirements include: Copy the blueprint files to Azure over the Internet.

Reference: https://docs.microsoft.com/en-us/azure/machine-learning/team-data-science-process/move-data-to-azure-blob-using-azure-storage-explorer

Question: 22

You need to implement a backup solution for App1 after the application is moved.

What should you create first?

A. a recovery plan

B. an Azure Backup Server

C. a backup policy

D. a Recovery Services vault

Answer: D
Explanation:

A Recovery Services vault is a logical container that stores the backup data for each protected
resource, such as Azure VMs. When the backup job for a protected resource runs, it creates a
recovery point inside the Recovery Services vault.

Scenario:

There are three application tiers, each with five virtual machines.

Move all the virtual machines for App1 to Azure.

Ensure that all the virtual machines for App1 are protected by backups.

Reference: https://docs.microsoft.com/en-us/azure/backup/quick-backup-vm-portal

Question: 23

HOTSPOT

You need to recommend a solution for App1. The solution must meet the technical requirements.
What should you include in the recommendation? To answer, select the appropriate options in the
answer area.

NOTE: Each correct selection is worth one point.

Answer:

Explanation:

This reference architecture shows how to deploy VMs and a virtual network configured for an N-tier
application, using SQL Server on Windows for the data tier.

Scenario: You have a public-facing application named App1. App1 is comprised of the following three
tiers:

A SQL database

A web front end

A processing middle tier

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

Technical requirements include:

Move all the virtual machines for App1 to Azure.

Minimize the number of open ports between the App1 tiers.

Reference: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/n-tier/n-tier-sql-server

Question: 24
HOTSPOT

You need to configure the Device settings to meet the technical requirements and the user
requirements.

Which two settings should you modify? To answer, select the appropriate settings in the answer area.

Answer:
Explanation:

Box 1: Selected

Only selected users should be able to join devices

Box 2: Yes

Require Multi-Factor Auth to join devices.

From scenario:

Ensure that only users who are part of a group named Pilot can join devices to Azure AD

Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile
phone to verify their identity.

Question: 25

You need to recommend an identity solution that meets the technical requirements.

What should you recommend?

A. federated single sign-on (SSO) and Active Directory Federation Services (AD FS)

B. password hash synchronization and single sign-on (SSO)

C. cloud-only user accounts

D. Pass-through Authentication and single sign-on (SSO)

Answer: A
Explanation:

Active Directory Federation Services is a feature and web service in the Windows Server Operating
System that allows sharing of identity information outside a company’s network.

Scenario: Technical Requirements include:

Prevent user passwords or hashes of passwords from being stored in Azure.

Reference: https://www.sherweb.com/blog/active-directory-federation-services/

Question: 26

You are planning the move of App1 to Azure.

You create a network security group (NSG).

You need to recommend a solution to provide users with access to App1.

What should you recommend?

A. Create an outgoing security rule for port 443 from the Internet. Associate the NSG to all the
subnets.

B. Create an incoming security rule for port 443 from the Internet. Associate the NSG to all the
subnets.

C. Create an incoming security rule for port 443 from the Internet. Associate the NSG to the subnet
that contains the web servers.

D. Create an outgoing security rule for port 443 from the Internet. Associate the NSG to the subnet
that contains the web servers.

Answer: C
Explanation:

Because App1 is public-facing, we need an incoming security rule that allows access to the web servers.

Scenario: You have a public-facing application named App1. App1 is comprised of the following three
tiers: a SQL database, a web front end, and a processing middle tier.

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

Question: 27

HOTSPOT

You need to identify the storage requirements for Contoso.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Answer:
Explanation:

Statement 1: Yes

Contoso is moving the existing product blueprint files to Azure Blob storage which will ensure that
the blueprint files are stored in the archive storage tier.

Use unmanaged standard storage for the hard disks of the virtual machines. We use Page Blobs for
these.

Statement 2: No

Azure Table storage stores large amounts of structured data. The service is a NoSQL datastore which
accepts authenticated calls from inside and outside the Azure cloud. Azure tables are ideal for
storing structured, non-relational data. Common uses of Table storage include:

1. Storing TBs of structured data capable of serving web scale applications

2. Storing datasets that don't require complex joins, foreign keys, or stored procedures and can be
denormalized for fast access

3. Quickly querying data using a clustered index

4. Accessing data using the OData protocol and LINQ queries with WCF Data Service .NET Libraries

Statement 3: No

File storage is the option to choose if your business use case deals mostly with standard file
extensions such as *.docx, *.png and *.bak.

Reference:

https://docs.microsoft.com/en-us/azure/machine-learning/team-data-science-process/move-data-to-azure-blob-using-azure-storage-explorer

https://docs.microsoft.com/en-us/azure/storage/tables/table-storage-overview

https://www.serverless360.com/blog/azure-blob-storage-vs-file-storage

Topic 4, Contoso Ltd (Consulting Company)

Case study

This is a case study. Case studies are not timed separately. You can use as much exam time as you
would like to complete each case. However, there may be additional case studies and sections on
this exam. You must manage your time to ensure that you are able to complete all questions included
on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is
provided in the case study. Case studies might contain exhibits and other resources that provide
more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your
answers and to make changes before you move to the next section of the exam. After you begin a
new section, you cannot return to this section.

To start the case study

To display the first question in this case study, click the Next button. Use the buttons in the left pane
to explore the content of the case study before you answer the questions. Clicking these buttons
displays information such as business requirements, existing environment, and problem statements.
If the case study has an All Information tab, note that the information displayed is identical to the
information displayed on the subsequent tabs. When you are ready to answer a question, click the
Question button to return to the question.

Overview

General Overview

Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle
and New York.

Environment

Existing Environment

Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD)
tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD
tenant.

The Azure AD tenant contains the users shown in the following table.

Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the
following table.

User1 manages the resources in RG1. User4 manages the resources in RG2.

Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table.

No network security groups (NSGs) are associated to the network interfaces or the subnets.

Sub1 contains the storage accounts shown in the following table.

Requirements

Planned Changes

Contoso plans to implement the following changes:

Create a blob container named container1 and a file share named share1 that will use the Cool
storage tier.

Create a storage account named storage5 and configure storage replication for the Blob service.

Create an NSG named NSG1 that will have the custom inbound security rules shown in the following
table.

Associate NSG1 to the network interface of VM1.

Create an NSG named NSG2 that will have the custom outbound security rules shown in the
following table.

Associate NSG2 to VNET1/Subnet2.

Technical Requirements

Contoso must meet the following technical requirements:

Create container1 and share1.

Use the principle of least privilege.

Create an Azure AD security group named Group4.

Back up the Azure file shares and virtual machines by using Azure Backup.

Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.

Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.

Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to
VNET1/Subnet1.

Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.

Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only
permissions to the Azure file shares.

Question: 28
HOTSPOT

You need to create container1 and share1.

Which storage accounts should you use for each resource? To answer, select the appropriate options
in the answer area.

NOTE: Each correct selection is worth one point.

Answer:
Explanation:

Reference:

https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers

https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview

Question: 29

HOTSPOT

You need to create storage5. The solution must support the planned changes.

Which type of storage account should you use, and which account should you configure as the
destination storage account? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer:
Explanation:

Reference:

https://docs.microsoft.com/en-us/azure/storage/blobs/object-replication-configure?tabs=portal

Question: 30
HOTSPOT

You need to ensure that User1 can create initiative definitions, and User4 can assign initiatives to
RG2. The solution must meet the technical requirements.

Which role should you assign to each user? To answer, select the appropriate options in the answer
area.

NOTE: Each correct selection is worth one point.

Answer:
Explanation:

Reference:

https://docs.microsoft.com/en-us/azure/governance/policy/overview
