Answer Summary

Below is a summary of your answers.

Back to Report

Question 1 of 50

You have a Microsoft Entra tenant.

You create a new user named User1.

You need to assign a Microsoft 365 E5 license to User1.

Which user attribute should be configured for User1 before you can assign the license?

Your Answer

 First name

This answer is incorrect.

Correct Answer

 Usage location

This answer is correct.

Not all Microsoft 365 services are available in all locations. Before a license can be assigned to a user,
you must specify the Usage location. The attributes of First name, Last name, Other email address,
and User type are not mandatory for license assignment.

Assign or remove licenses - Microsoft Entra | Microsoft Learn

Question 2 of 50

Your Microsoft Entra tenant and on-premises Active Directory domain contain multiple users.

You need to configure self-service password reset (SSPR) password writeback functionality. The
solution must minimize costs.

Which Microsoft Entra ID edition should you use?

Your Answer

 Microsoft Entra ID P1

This answer is correct.

Correct Answer

 Microsoft Entra ID P1
This answer is correct.

Only Microsoft Entra ID P1 and P2 support SSPR, but Microsoft Entra ID P1 is the lower cost option.

Enable Azure Active Directory self-service password reset - Microsoft Entra | Microsoft Learn

What is self-service password reset in Azure Active Directory? - Training | Microsoft Learn

Question 3 of 50

You have the following resource groups, management groups, and Azure subscriptions:

 Two resource groups named RG1 and RG2 in a subscription named 111-222-333 and a
management group named MG1.

 Two resource groups named RG3 and RG4 in a subscription named 777-888-999 and a
management group named MG1.

 Two resource groups named RG5 and RG6 in a subscription named 444-555-666 and a
management group named MG1.

 Two resource group named RG10 and RG11 in a subscription named 222-333-444 and a
management group named MG2.

 Two resource group named RG11 and RG12 in a subscription named 555-666-888 and a
management group named MG2.

You need to assign a role to a user to ensure the user can view all the resources in the subscriptions.
The solution must use the principle of least privilege.

Which role should you assign?

Your Answer

 the Reader role for MG1 and MG2

This answer is correct.

Correct Answer

 the Reader role for MG1 and MG2

This answer is correct.

Assigning the Reader role for MG1 and MG2 is correct because the simplest way to give user access
to all resources is to assign a role at the management group level.

Steps to assign an Azure role - Azure RBAC | Microsoft Learn

Secure your Azure resources with Azure role-based access control (Azure RBAC) - Training | Microsoft
Learn

Question 4 of 50
You have an Azure subscription.

You run the following command:

Get-AzRoleDefinition | Format-Table -Property Name, Id

The command output contains data that includes the following:

CustomRole1 111-222-333-444-555

Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635

Contributor b24988ac-6180-42a0-ab88-20f7382dd24c

Reader acdd72a7-3385-48ef-bd42-f606fba81ae7

You have a script that manages access to resources at the resource group level. The assignment
process is automated by running the following PowerShell script nightly.

$rg = "RG1"

$RoleName = "111-222-333-444-555"

$Role = Get-AzRoleDefinition -Name $RoleName

New-AzRoleAssignment -SignInName [email protected]

-RoleDefinitionName $Role.Name `

-ResourceGroupName $rg

User1 is unable to access the RG1 resource group. You discover that the script fails to complete for
User1.

You need to modify the script to ensure that it does not fail.

What should you change in the script?

Your Answer

 $Role = Set-AzRoleAssignment -Name $RoleName

This answer is incorrect.

Correct Answer

 $RoleName = "CustomRole1"

This answer is correct.

For the script to work as written, the $RoleName variable should refer to the name instead of the ID.

Assign Azure roles using Azure PowerShell - Azure RBAC | Microsoft Learn
Secure your Azure resources with Azure role-based access control (Azure RBAC) - Training | Microsoft
Learn

Question 5 of 50

You have an Azure subscription that contains multiple virtual machines.

You need to ensure that a user named User1 can view all the resources in a resource group named
RG1. You must use the principle of least privilege.

Which role should you assign to User1?

Your Answer

 Reader

This answer is correct.

Correct Answer

 Reader

This answer is correct.

The Reader role allows you to view all the resources but does not allow you to make any changes.
The Contributor role allows you to manage all the resources, the Billing Reader role provides read
access only to billing data, and the Tag Contributor role allows you to manage entity tags without
providing access to the entities themselves.

Azure built-in roles - Azure RBAC | Microsoft Learn

Secure your Azure resources with Azure role-based access control (Azure RBAC) - Training | Microsoft
Learn

Question 6 of 50

You have an Azure subscription that contains a resource group named RG1. RG1 contains a virtual
machine that runs daily reports.

You need to ensure that the virtual machine shuts down when resource group costs exceed 75
percent of the allocated budget.

Which two actions should you perform? Each correct answer presents part of the solution.

Your Answer

 Create an action group of type Runbook, and then select Stop VM as an action.

This answer is correct.

Correct Answer

 Create an action group of type Runbook, and then select Stop VM as an action.
This answer is correct.

 From Cost Management + Billing, modify the Budgets settings.

This answer is correct.

You must go to Cost Management + Billing, and then Budgets to edit the budget associated with the
resource group resources. You must also create a new action group of the Runbook type, and then
choose Stop VM as an action. The cost analysis will not stop the virtual machine from running and
the Scale Up VM action group is not required.

Tutorial - Create and manage Azure budgets - Microsoft Cost Management | Microsoft Learn

Question 7 of 50

You have an Azure subscription that contains hundreds of virtual machines that were migrated from
a local datacenter.

You need to identify which virtual machines are underutilized.

Which Azure Advisor settings should you use?

Your Answer

 Performance

This answer is incorrect.

Correct Answer

 Cost

This answer is correct.

The Cost blade allows you to optimize and reduce your overall Azure spending. You can use this to
identify the virtual machines that are underutilized. The Performance blade allows you to improve
the speed of your applications. High availability is unavailable via Azure Advisor. Operational
Excellence helps you achieve process and workflow efficiency, resource manageability, and
deployment best practices.

Introduction to Azure Advisor - Training | Microsoft Learn

Question 8 of 50

You have an Azure subscription.

You plan to create an Azure Policy definition named Policy1.

You need to include remediation information in Policy.

To which definition section should you add remediation information for Policy1?

Your Answer
  policyRule

This answer is incorrect.

Correct Answer

 metadata

This answer is correct.

You must use the RemediationDescription field in the metadata section from properties to specify a
custom recommendation. The remaining options are Azure policies, but do not allow specific custom
remediation information.

Create custom Azure security policies in Microsoft Defender for Cloud | Microsoft Learn

Improve incident response with alerting on Azure - Training | Microsoft Learn

Question 9 of 50

You have an Azure subscription that is linked to a Microsoft Entra tenant named contoso.com.

All users in contoso.com are currently able to invite external users to B2B collaboration.

You need to ensure that only members of the Guest Inviter, User Administrator, and Global
Administrator roles can invite guest users.

What should you configure?

Your Answer

 Cross-tenant access settings

This answer is incorrect.

Correct Answer

 External collaboration settings

This answer is correct.

External collaboration settings let you specify which roles in your organization can invite external
users for B2B collaboration. These settings also include options for allowing or blocking specific
domains and options for restricting which external guest users can see in your Microsoft Entra
directory.

Conditional Access allows you to apply rules to strengthen authentication and block access to
resources from unknown locations.

Cross-tenant access settings are used to configure collaboration with a specific Microsoft Entra
organization.

Access reviews are not used to control who can invite guest users.
Enable B2B external collaboration settings - Microsoft Entra | Microsoft Learn

Question 10 of 50

A financial institution is implementing Azure to enhance their infrastructure. They need to maintain
strict access controls due to regulatory requirements.

You need to ensure that the finance team can view costs and manage budgets for Azure services
without the ability to modify resources.

Which role should you assign to the finance team at the subscription scope?

Your Answer

 Billing Reader

This answer is incorrect.

Correct Answer

 Cost Management Contributor

This answer is correct.

The Cost Management Contributor role allows viewing costs and managing budgets without the
ability to modify resources, which is appropriate for the finance team. The Billing Reader role is
incorrect because it only provides access to view billing information, not manage budgets. The
Contributor role is incorrect because it allows for management of resources. The Reader role is
incorrect because it does not provide capabilities to manage budgets.

Manage access to your Azure environment with Azure role-based access control - Cloud Adoption
Framework | Microsoft Learn

What is Azure RBAC? - Training | Microsoft Learn

Question 11 of 50

Contoso, Ltd. has multiple Azure subscriptions and resources that need to be efficiently managed.

You need to manage access, policies, and compliance across all subscriptions in a unified manner.

What three tasks should you perform? Each correct answer presents part of the solution.

Your Answer

 Create a management group and assign all subscriptions to it.

This answer is correct.

 Apply necessary policies at the management group level.

This answer is correct.

Correct Answer

 Create a management group and assign all subscriptions to it.

This answer is correct.

 Apply necessary policies at the management group level.

This answer is correct.

 Configure role-based access control at the management group level.

This answer is correct.

Creating a management group and assigning all subscriptions to it allows for efficient management of
access, policies, and compliance across all subscriptions. Applying policies and configuring role-based
access control at the management group level ensures that these settings are inherited by all
subscriptions within the group. Managing each subscription individually or applying policies and
access control at the individual resource level would not be as efficient or unified.

Organize your Azure resources effectively - Cloud Adoption Framework | Microsoft Learn

Question 12 of 50

You need to generate the shared access signature (SAS) token for an Azure storage account.

Which two parameters are required for the SAS token? Each correct answer presents part of the
solution

Your Answer

 SignedIP (sip)

This answer is incorrect.

 SignedResourceTypes (srt)

This answer is correct.

Correct Answer

 SignedResourceTypes (srt)

This answer is correct.

 SignedServices (ss)

This answer is correct.

SignedServices (ss) is required to refer blobs, queues, tables, and files. SignedResourceTypes (srt) is
required to refer services, containers, or objects. SignedStart (st) is an optional parameter that refers
to the time when the SAS becomes valid. If unmentioned, the start time is assumed to be the time
when the storage service receives the request. SignedIP (sip) is an optional parameter that refers to
the range of IP addresses from which to accept requests.

Create an account SAS - Azure Storage | Microsoft Learn

Configure Azure Storage security - Training | Microsoft Learn

Question 13 of 50

You need to create an Azure Storage account that meets the following requirements:

 Stores data in multiple Azure regions

 Supports reading the data from primary and secondary regions

Which type of storage redundancy should you use?

Your Answer

 read-access geo-redundant storage (RA-GRS)

This answer is correct.

Correct Answer

 read-access geo-redundant storage (RA-GRS)

This answer is correct.

Since you must ensure that data can be read from a secondary region, you must choose read-access
geo-redundant storage (RA-GRS).

Data redundancy - Azure Storage | Microsoft Learn

Determine replication strategies - Training | Microsoft Learn

Question 14 of 50

You have an Azure Storage account.

You need to copy data to the storage account by using the AzCopy tool.

Which two types of data storage are supported by AzCopy? Each correct answer presents a complete
solution.

Your Answer

 blob

This answer is correct.

 file

This answer is correct.

Correct Answer

 blob

This answer is correct.

 file

This answer is correct.

You can provide authorization credentials by using Microsoft Entra, or by using a shared access
signature (SAS) token. Both storage types, blob and file, are supported in AzCopy.

Copy or move data to Azure Storage by using AzCopy v10 | Microsoft Learn

Upload, download, and manage data with Azure Storage Explorer - Training | Microsoft Learn

Question 15 of 50

You have an Azure Storage account named storageaccount1 with a blob container named container1
that stores confidential information.

You need to ensure that content in container1 is not modified or deleted for six months after the last
modification date.

What should you configure?

Your Answer

 the immutability policy

This answer is correct.

Correct Answer

 the immutability policy

This answer is correct.

A timed-based retention policy or legal hold policies can be applied to block deletion. Immutability
policies can be scoped to a blob version or to a container.

Overview of immutable storage for blob data - Azure Storage | Microsoft Learn

Configure Azure Blob Storage - Training | Microsoft Learn

Question 16 of 50

You have an Azure subscription that contains multiple storage accounts.

A storage account named storage1 has a file share that stores marketing videos. Users reported that
99 percent of the assigned storage is used.

You need to ensure that the file share can support large files and store up to 100 TiB.
Which two PowerShell commands should you run? Each correct answer presents part of the solution.

Your Answer

 Set-AzStorageAccount -ResourceGroupName RG1 -Name storage1 -EnableLargeFileShare

This answer is correct.

 Update-AzRmStorageShare -ResourceGroupName RG1 -Name -StorageAccountName

storage1 -Name share1 -QuotaGiB 102400

This answer is correct.

Correct Answer

 Set-AzStorageAccount -ResourceGroupName RG1 -Name storage1 -EnableLargeFileShare

This answer is correct.

 Update-AzRmStorageShare -ResourceGroupName RG1 -Name -StorageAccountName

storage1 -Name share1 -QuotaGiB 102400

This answer is correct.

You must enable the storage account to support large files and update the storage account quota to
102,400 GB. You do not need to change the type of storage account, and you are updating the
existing share.

Object replication overview - Azure Storage | Microsoft Learn

Configure Azure Blob Storage - Training | Microsoft Learn

Question 17 of 50

You have an Azure Storage account that contains a file share.

Several users work from a secure location that limits outbound traffic to the internet.

You need to ensure that the users at the secure location can access the file share in Azure by using
SMB protocol.

Which outbound port should you allow from the secure location?

Your Answer

 445

This answer is correct.

Correct Answer

 445

This answer is correct.

For accessing the file share, port 445 must be open. Port 5671 is used to send health information to
Microsoft Entra. It is recommended, but not required, in the latest versions. Port 80 is used to
download certificate revocation lists (CRLs) to verify TLS/SSL certificates. Port 443 is used for https
traffic, for example to sync AD DS with Microsoft Entra.

Hybrid Identity required ports and protocols - Azure - Microsoft Entra | Microsoft Learn

Configure Azure Storage security - Training | Microsoft Learn

Question 18 of 50

You have an Azure subscription that contains a storage account named storage1.

You need to provide a partner organization with access to storage1. Access to storage1 must expire
after 24 hours.

What should you configure?

Your Answer

 a shared access signature (SAS)

This answer is correct.

Correct Answer

 a shared access signature (SAS)

This answer is correct.

A SAS provides secure delegated access to resources in a storage account. With a SAS, you have
granular control over how a client can access data, including time restrictions.

Access keys and Azure CDN provide permanent access to resources. They will require manual steps
to remove access. Lifecycle management is not needed.

Configure Azure Storage security - Training | Microsoft Learn

Grant limited access to data with shared access signatures (SAS) - Azure Storage | Microsoft Learn

Question 19 of 50

You have an Azure subscription that contains a storage account named storage1.

You need to ensure that access to storage1 is disabled from the internet.

What should you configure on storage1?

Your Answer

 Networking

This answer is correct.

Correct Answer

 Networking

This answer is correct.

The Networking node of a storage account provides settings to configure public network access and
network routing. To disable public network access, you can disable public network access, or
configure the access to only allow specific virtual networks and IP addresses.

Configure Azure Storage security - Training | Microsoft Learn

Configure Azure Storage firewalls and virtual networks | Microsoft Learn

Question 20 of 50

You have an Azure subscription.

You plan to create a storage account named storage1 to store images.

You need to replicate the images to a new storage account.

What are three requirements of storage1? Each correct answer presents part of a complete solution.

Your Answer

 a file share

This answer is incorrect.

 standard general-purpose v2

This answer is correct.

Correct Answer

 a container

This answer is correct.

 blob versioning

This answer is correct.

 standard general-purpose v2

This answer is correct.

Versioning must be enabled for the source and target. An object type container is needed to replicate
the images. You must create a StandardV2 storage account. File shares are not needed, and queues
are unsupported for replication.

Object replication overview - Azure Storage | Microsoft Learn

Configure Azure Blob Storage - Training | Microsoft Learn

Question 21 of 50

A company is using Azure Blob Storage to store large amounts of unstructured data that is accessed
infrequently but requires fast retrieval when needed.

You need to minimize storage costs while ensuring data retrieval performance is not compromised.

What should you do?

Your Answer

 Configure the access tier of the Azure Blob Storage account to Cool.

This answer is incorrect.

Correct Answer

 Configure the access tier of the Azure Blob Storage account to Cold.

This answer is correct.

The Cold access tier is cost-effective for storing large amounts of data that is infrequently accessed.
The Hot access tier is more expensive and is optimized for data that is accessed frequently. Object
replication is not related to cost optimization but rather to data availability and redundancy.

Storage account overview - Azure Storage | Microsoft Learn

Connect Azure Storage Explorer to a storage account - Training | Microsoft Learn

Question 22 of 50

You have an Azure subscription that contains a resource group named RG1.

You have an Azure Resource Manager (ARM) template for an Azure virtual machine.

You need to use PowerShell to provision a virtual machine in RG1 by using the template.

Which PowerShell cmdlet should you run?

Your Answer

 New-AzVM

This answer is incorrect.

Correct Answer

 New-AzResourceGroupDeployment

This answer is correct.

Virtual machines are deployed to resource groups, so you must run the New-
AzResourceGroupDeployment cmdlet. You can deploy virtual machines to subscriptions or
management groups directly, therefore, New-AzManagementGroupDeployment and New-
AzSubscriptionDeployment cannot be used. New-AzVM can be used to provision a new virtual
machine, but without using a template.

Deploy resources with PowerShell and template - Azure Resource Manager | Microsoft Learn

Deploy Azure infrastructure by using JSON ARM templates - Training | Microsoft Learn

Automate Azure tasks using scripts with PowerShell - Training | Microsoft Learn

Question 23 of 50

You have an Azure Resource Manager (ARM) template named deploy.json that is stored in an Azure
Blob storage container.

You plan to deploy the template by running the New-AzDeployment cmdlet.

Which parameter should you use to reference the template?

Your Answer

 -TemplateUri

This answer is correct.

Correct Answer

 -TemplateUri

This answer is correct.

The PowerShell deployment cmdlets can be used to deploy JSON templates that are stored locally in
a resources group as a template spec, or from a web-based location. You can use the -
TemplateUri parameter to specify a web-based location, such as GitHub or an Azure Blob Storage
account. You can use -Templatefile to specify a local file. You can use -TemplateSpecId to specify a
template that was save to Azure as a template spec.

Deploy resources with PowerShell and template - Azure Resource Manager | Microsoft Learn

Deploy Azure infrastructure by using JSON ARM templates - Training | Microsoft Learn

Automate Azure tasks using scripts with PowerShell - Training | Microsoft Learn

Question 24 of 50

You plan to deploy an Azure virtual machine based on a basic template stored in the Azure Resource
Manager (ARM) library.

What can you configure during the deployment of the template?

Your Answer

 the size of virtual machine

This answer is incorrect.

Correct Answer

 the resource group

This answer is correct.

When you deploy a resource by using a template, you can mention the resource group for the
deployment. The resource group is a container for Azure resources and makes it easier to manage
the resources.

Deploy template - Azure portal - Azure Resource Manager | Microsoft Learn

New-AzResourceGroupDeployment (Az.Resources) | Microsoft Learn

Question 25 of 50

You have an Azure virtual network that contains two subnets named Subnet1 and Subnet2. You have
a virtual machine named VM1 that is connected to Subnet1. VM1 runs Windows Server.

You need to ensure that VM1 is connected directly to both subnets.

What should you do first?

Your Answer

 From the Azure portal, add a network interface.

This answer is correct.

Correct Answer

 From the Azure portal, add a network interface.

This answer is correct.

A network interface is used to connect a virtual machine to a subnet. Since VM1 is connected to
Subnet1, VM1 already has a network interface attached that is connected to Subnet1. To connect
VM1 directly to Subnet2, you must create a new network interface that is connected to Subnet2.
Next, you must attach the new network interface to VM1.

An IP group is a user-defined collection of static IP addresses, ranges, and subnets. A network bridge
allows you to connect multiple existing network connection in Windows together. Changing the IP
configurations of the existing network interface results in VM1 being connected to Subnet2 but not
to Subnet1.

Virtual networks and virtual machines in Azure | Microsoft Learn

Configure virtual networks - Training | Microsoft Learn

Question 26 of 50

You plan to deploy an Azure virtual machine.

You are evaluating whether to use an Azure Spot instance.

Which two factors can cause an Azure Spot instance to be evicted? Each correct answer presents a
complete solution.

Your Answer

 the Azure capacity needs

This answer is correct.

 the current price of the instance

This answer is correct.

Correct Answer

 the Azure capacity needs

This answer is correct.

 the current price of the instance

This answer is correct.

Azure Spot instances allow you to provision virtual machines at a reduced cost, but these virtual
machines can be stopped by Azure when Azure needs the capacity for other pay-as-you-go
workloads, or when the price of the spot instance exceeds the maximum price that you have set.
These virtual machines are good for dev, testing, or for workloads that do not require any specific
SLA.

Use Azure Spot Virtual Machines - Azure Virtual Machines | Microsoft Learn

Configure virtual machine availability - Training | Microsoft Learn

Question 27 of 50

Your development team plans to deploy an Azure container instance. The container needs a
persistent storage layer.

Which service should you use?

Your Answer

 Azure Blob storage

This answer is incorrect.

Correct Answer

 Azure Files

This answer is correct.

You can persist data for Azure Container Instances with the use of Azure Files. Azure Files offers fully
managed file shares hosted in Azure Storage that are accessible via the industry standard Server
Message Block (SMB) protocol.

Mount Azure Files volume to container group - Azure Container Instances | Microsoft Learn

Explore Azure Storage services - Training | Microsoft Learn

Question 28 of 50

You have an Azure subscription that contains a Docker container image named container1.

You plan to create a new Azure web app named WebApp1.

You need to ensure that you can use container1 for WebApp1.

Which WebApp1 setting should you configure?

Your Answer

 Continuous deployment

This answer is incorrect.

Correct Answer

 Publish

This answer is correct.

If you want to run a Docker container as an Azure web service, you must configure the Publish option
and select Docker container.

Runtime stack specifies the stack that you want to use for the web app. If you want to deploy a
Docker container as web app, the runtime stack option is unavailable.

Pricing plan specifies the location, features, and costs of the web app.

Continuous deployment is a strategy for software releases. This option is unavailable when you
publish a Docker container as an Azure web app.

Overview - Azure App Service | Microsoft Learn

Configure Azure Container Instances - Training | Microsoft Learn

Question 29 of 50
You have an Azure subscription that contains multiple resource groups and Azure App Service web
apps. A resource group named RG1 hosts a web app named appservice1. The App Service uses a free
App Service Managed SSL certificate.

You create a resource group named RG2.

You plan to move all the resources in RG1 to RG2.

Which two actions should you perform? Each correct answer presents part of the solution.

Your Answer

 Create a new web app in RG2.

This answer is incorrect.

 Move all the resources from RG1 to RG2.

This answer is correct.

Correct Answer

 Delete the SSL Certificate from RG1 and upload it to RG2.

This answer is correct.

 Move all the resources from RG1 to RG2.

This answer is correct.

The SSL certificate must be deleted. You will have to move all other resources to RG2.

Move Azure App Service resources across resource groups or subscriptions - Azure Resource
Manager | Microsoft Learn

Configure Azure App Service - Training | Microsoft Learn

Question 30 of 50

You have a Basic Azure App Service plan that contains a web app.

You need to ensure that the web app can scale automatically when the CPU percentage goes beyond
80 percent for a duration of 15 minutes.

Which two actions should you perform? Each correct answer presents part of the solution.

Your Answer

 Configure a deployment slot.

This answer is incorrect.

Correct Answer
  Configure a scaling condition to scale based on a metric, and then add the rules.

This answer is correct.

 Scale up the App Service plan.

This answer is correct.

Scale up the web app by adding more CPU, memory, and disk space to fulfill the requirement.
Increase the number of virtual machine instances that run the app. The scale settings take only
seconds to apply and affect all the apps in the App Service plan. Then, you must set up a scaling
condition with the required metrics to scale up/down and scale out/in when certain thresholds are
met.

Scale up features and capacities - Azure App Service | Microsoft Learn

Configure Azure App Service - Training | Microsoft Learn

Question 31 of 50

You have an Azure subscription that contains a container app named App1. App1 is configured to use
cached data.

You plan to create a new container.

You need to ensure that the new container automatically refreshes the cache used by App1.

Which type of container should you configure?

Your Answer

 privileged

This answer is incorrect.

Correct Answer

 sidecar

This answer is correct.

Azure Container Apps manages the details of Kubernetes and container orchestration. Containers in
Azure Container Apps can use any runtime, programming language, or development stack of your
choice. You can define multiple containers in a single container app to implement the sidecar
pattern, for example, an agent that reads logs from the primary app container in a shared volume
and forwards them to a logging service.

Containers in Azure Container Apps | Microsoft Learn

Question 32 of 50
You have an Azure subscription that contains a resource group named RG1. RG1 contains an
application named App1 and a container app named containerapp1.

App1 is experiencing performance issues when attempting to add messages to the containerapp1
queue.

You need to create a job to perform an application resource cleanup when a new message is added
to a queue.

Which command should you run?

Your Answer

 az containerapp job create \ --name "my-job" --resource-group "RG1" -trigger-type "Event"

-replica-timeout 60 --replica-retry-limit 1 ...

This answer is correct.

Correct Answer

 az containerapp job create \ --name "my-job" --resource-group "RG1" -trigger-type "Event"

-replica-timeout 60 --replica-retry-limit 1 ...

This answer is correct.

Azure Container Apps jobs enable you to run containerized tasks that execute for a finite duration,
and then exit. You can use jobs to perform tasks such as data processing, machine learning, or any
scenario where on-demand processing is required. Container apps and jobs run in the same
environment, allowing them to share capabilities such as networking and logging.

A job's trigger type determines how the job is started. The following trigger types are available:

Manual: Manual jobs are triggered on demand.

Schedule: Scheduled jobs are triggered at specific times and can run repeatedly.

Event: Event-driven jobs are triggered by events such as a message arriving in a queue.

Jobs in Azure Container Apps (preview) | Microsoft Learn

Question 33 of 50

You have an Azure subscription that contains a web app named App1.

You configure App1 with a custom domain name of webapp1.contoso.com.

You need to create a DNS record for App1. The solution must ensure that App1 remains accessible if
the IP address changes.

Which type of DNS record should you create?

Your Answer
  A

This answer is incorrect.

Correct Answer

 CNAME

This answer is correct.

For web apps, you create either an A (Address) record or a CNAME (Canonical Name) record. An A
record maps a domain name to an IP address. A CNAME record maps a domain name to another
domain name. DNS uses the second name to look up the address. Users still see the first domain
name in their browser. If the IP address changes, a CNAME entry is still valid, whereas an A record
must be updated.

Configure Azure App Service - Training | Microsoft Learn

Create custom domain names - Training | Microsoft Learn

Question 34 of 50

You have two Azure subscriptions named Sub1 and Sub2.

Sub1 contains a virtual network named VNet1 and a VPN gateway. Sub2 contains a virtual network
named VNet2.

You have an on-premises device named Device1 that runs Windows and has a Point-to-Site (P2S) VPN
client installed.

You configure network peering between VNet1 and VNet2.

You need to ensure that Device1 can access VNet2 when a VPN connection is established.

What should you do?

Your Answer

 Create a private endpoint in Sub2.

This answer is incorrect.

Correct Answer

 Download and reinstall the P2S VPN client on Device1.

This answer is correct.

Point-to-Site (P2S) VPN clients must be downloaded and reinstalled again after virtual network
peering is successfully configured to ensure that the new routes are downloaded to the client.

A private endpoint and Azure Front Door are not required nor used to be able to access VNet2 from
VNet1.
Device1 already has a digital certificate when you install the P2S VPN client, so you do not need to
create new certificate manually.

Create, change, or delete an Azure virtual network peering | Microsoft Learn

Question 35 of 50

You have an Azure subscription that contains two resource groups named RG1 and RG2.

RG1 contains the following resources:

 A virtual network named VNet1 located in the East US Azure region

 A network security group (NSG) named NSG1 located in the West US Azure region

RG2 contains the following resources:

 A virtual network named VNet2 located in the East US Azure region

 A virtual network named VNet3 located in the West US Azure region

You need to associate NSG1.

To which subnets can you associate NSG1?

Your Answer

 the subnets of all the virtual networks

This answer is incorrect.

Correct Answer

 the subnets of VNet3 only

This answer is correct.

You can assign an NSG to the subnet of the virtual network in the same region as the NSG and NSG1
is in the West US region.

Plan Azure virtual networks | Microsoft Learn

Configure network security groups - Training | Microsoft Learn

Question 36 of 50

You have an Azure subscription that contains a network security group (NSG) named NSG1.

You plan to configure NSG1 to allow the following types of traffic:

 Remote Desktop Management

 Secured HTTPS

Which two ports should you allow in NSG1? Each correct answer presents part of the solution.
Your Answer

 443

This answer is correct.

 3389

This answer is correct.

Correct Answer

 443

This answer is correct.

 3389

This answer is correct.

You must open port 443 to secured HTTPS traffic, port 3389 for Remote Desktop, and 587 to send
outbound email by using authenticated SMTP relay. Port 80 is used for unsecured traffic. Port 25 is
used by mail traffic.

Protect your Azure resources with a lock - Azure Resource Manager | Microsoft Learn

Configure network security groups - Training | Microsoft Learn

Question 37 of 50

You create several Azure virtual machines that run Windows Server.

You need to connect to the virtual machines without exposing RDP ports over the internet.

Which Azure service should you deploy?

Your Answer

 Azure Bastion

This answer is correct.

Correct Answer

 Azure Bastion

This answer is correct.

Azure Bastion is a service that lets you connect to a virtual machine by using a browser, without
exposing RDP and SSH ports. Azure Monitor helps you maximize the availability and performance of
applications and services. Azure Network Watcher provides tools to monitor, diagnose, view metrics,
and enable or disable logs for resources in an Azure virtual network. Remote Desktop is a feature of
the operating system, which exposes the RDP port to connect to a server from the internet.
About Azure Bastion | Microsoft Learn

Configure virtual networks - Training | Microsoft Learn

Question 38 of 50

You have an Azure subscription that contains two virtual networks named VNet1 and VNet2.

You need to ensure that the resources on both VNet1 and VNet2 can communicate seamlessly
between both networks.

What should you configure from the Azure portal?

Your Answer

 peerings

This answer is correct.

Correct Answer

 peerings

This answer is correct.

You can connect virtual networks to each other with virtual network peering. Once the virtual
networks are peered, the resources on both virtual networks can communicate with each other with
the same latency and bandwidth as though the resources were on the same virtual network.

Configure Azure Virtual Network peering - Training | Microsoft Learn

Connect virtual networks with VNet peering - Azure PowerShell | Microsoft Learn

Question 39 of 50

You have an Azure subscription that contains a virtual network named VNet1.

You plan to enable VNet1 connectivity to on-premises resources by using an encrypted connection.

What should you configure for VNet1?

Your Answer

 a virtual network gateway

This answer is correct.

Correct Answer

 a virtual network gateway

This answer is correct.

A VPN gateway is a type of virtual network gateway that sends encrypted traffic between a virtual
network and an on-premises location across a public connection. You can also use a VPN gateway to
send traffic between virtual networks across the Azure backbone. A VPN gateway connection relies
on the configuration of multiple resources, each of which contains configurable settings.

Introduction to Azure VPN Gateway - Training | Microsoft Learn

Question 40 of 50

You have an Azure subscription.

You plan to implement four Azure virtual networks that will be peered. All virtual machines will use a
DNS suffix of contoso.com.

You need to configure name resolution for the virtual networks to ensure that all the virtual
machines can communicate by using their FQDNs. The solution must minimize administrative effort.

What should you use?

Your Answer

 an Azure Private DNS zone

This answer is correct.

Correct Answer

 an Azure Private DNS zone

This answer is correct.

Azure Private DNS allows for private name resolution between Azure virtual networks. Azure public
DNS provides DNS for public access, such as name resolution for a publicly accessible website. Azure-
provided name resolution does not support user-defined domain names and only supports a single
virtual network. A DNS server on a virtual machine can also be used to achieve the goal but involves
much more administrative effort to implement and maintain than using Azure Private DNS.

Name resolution for resources in Azure virtual networks | Microsoft Learn

Host your domain on Azure DNS - Training | Microsoft Learn

Question 41 of 50

You have an Azure subscription that contains an Azure DNS zone named contoso.com.

You add a new subdomain named test.contoso.com.

You plan to delegate test.contoso.com to a different DNS server.

How should you configure the domain delegation?

Your Answer
  Add an A record for test.contoso.com.

This answer is incorrect.

Correct Answer

 Add an NS record set named test to the contoso.com zone.

This answer is correct.

You must create a DNS NS record set named test in the contoso.com zone. An NS zone must be
created at the apex of the zone named contoso.com. You do not need to create the SOA record set in
test.contoso.com. It must only be created in contoso.com. You do not need to create or modify the
DNS A record.

Delegate a subdomain - Azure DNS | Microsoft Learn

Host your domain on Azure DNS - Training | Microsoft Learn

Question 42 of 50

You have an Azure subscription that contains four virtual machines. Each virtual machine is
connected to a subnet on a different virtual network.

You install the DNS Server role on a virtual machine named VM1.

You configure each virtual network to use the IP address of VM1 as the DNS server.

You need to ensure that all four virtual machines can resolve IP addresses by using VM1.

What should you do?

Your Answer

 Configure network peering.

This answer is correct.

Correct Answer

 Configure network peering.

This answer is correct.

By default, Azure virtual machines can communicate only with other virtual machines that are
connected to the same virtual network. If you want a virtual machine to communicate with other
virtual machines that are connected to other virtual networks, you must configure network peering.

A route table controls how network traffic is routed. But without network peering, network traffic is
still limited to single virtual network.

Configuring a Site-to-Site (S2S) VPN is incorrect because you are not connecting on-premises virtual
machines to the cloud.
Azure virtual network service endpoints | Microsoft Learn

Question 43 of 50

An organization uses a Microsoft Azure Standard Load Balancer to distribute traffic across multiple
virtual machines (VMs) in a backend pool. Users report intermittent connectivity issues with
applications on these VMs.

You need to troubleshoot and resolve connectivity issues.

Each correct answer presents part of the solution. Which three actions should you perform?

Your Answer

 Check the health probe configuration.

This answer is correct.

 Increase the timeout setting.

This answer is incorrect.

 Modify the session persistence setting.

This answer is incorrect.

Correct Answer

 Check the health probe configuration.

This answer is correct.

 Ensure VMs respond to the configured port.

This answer is correct.

 Verify NSG rules allow inbound traffic.

This answer is correct.

To troubleshoot and resolve connectivity issues with a Microsoft Azure Standard Load Balancer, it is
essential to check the health probe configuration, ensure VMs respond to the configured port, and
verify that NSG rules allow inbound traffic. These actions address potential misconfigurations that
could prevent traffic from reaching VMs. Modifying the session persistence setting, increasing the
timeout setting, or restarting the VMs do not directly resolve connectivity issues and may introduce
new limitations or misconceptions.

Secure storage endpoints - Training | Microsoft Learn

Create network security group rules - Training | Microsoft Learn

Troubleshoot common problems with Azure Load Balancer | Microsoft Learn

Question 44 of 50

You have a Kusto query that returns 1,000 events from the SecurityEvent table in Azure Monitor.

You need to configure the query to aggregate the results by the Account column.

Which operator should you use?

Your Answer

 summarize

This answer is correct.

Correct Answer

 summarize

This answer is correct.

Summarize is used to group records from one or more columns of data. Where is used to filter the
rows. Project is used to rename and select columns. Extend is used to add columns.

Get started with log queries in Azure Monitor - Azure Monitor | Microsoft Learn

Introduction to Azure Monitor - Training | Microsoft Learn

Question 45 of 50

You have an Azure virtual machine that runs Linux. The virtual machine hosts a custom application
that outputs log data in the JSON format.

You need to recommend a solution to collect the logs in Log Analytics workspace.

What should you include in the recommendation?

Your Answer

 the Azure Monitor agent for Linux

This answer is correct.

Correct Answer

 the Azure Monitor agent for Linux

This answer is correct.

You can use the Log Analytics agent for Linux as part of a solution to collect JSON output from the
Linux virtual machines.

The Azure Custom Script Extension is used for post-deployment configuration, software installation,
or any other configuration or management task.
Desired State Configuration (DSC) is a management platform that you can use to manage an IT and
development infrastructure with configuration as code.

The Azure VMAccess extension acts as a KVM switch that allows you to access the console to reset
access to Linux or perform disk-level maintenance.

Collecting custom JSON data sources with the Log Analytics agent for Linux in Azure Monitor - Azure
Monitor | Microsoft Learn

Improve incident response with alerting on Azure - Training | Microsoft Learn

Question 46 of 50

You have 100 virtual machines deployed to Azure. You have Azure Monitor alerts configured for CPU
and memory utilization for the virtual machines.

You open Azure Monitor alerts and discover 50 closed alerts for the virtual machines.

What can cause the alert state to be Closed?

Your Answer

 The alert rule contains an action group that remediates the alert conditions.

This answer is incorrect.

Correct Answer

 An administrator manually changed the state of the alerts.

This answer is correct.

The alert state is manually set by the user and does not have any automated logic behind it. The alert
state can be either New, Acknowledged, or Closed.

Manage Azure Monitor alerts - Training | Microsoft Learn

Improve incident response with alerting on Azure - Training | Microsoft Learn

Question 47 of 50

You have multiple Azure virtual machines and an Azure recovery services vault. Virtual machines are
configured with the default backup policy.

What is the retention period of virtual machine backups in the default backup policy?

Your Answer

 30 days

This answer is correct.

Correct Answer
  30 days

This answer is correct.

By default, backups of virtual machines are kept for 30 days.

Back up an Azure VM from the VM settings - Azure Backup | Microsoft Learn

Question 48 of 50

You have an Azure subscription that contains two virtual machines named VM1 and VM2.

VM1 and VM2 are backed up to a Recovery Service vault named Vault1 by using the same backup
policy.

Your company plans to create additional virtual machines and Recovery Services vaults. During this
process, Vault1 will be decommissioned.

You need to delete Vault1.

Which three actions should you perform before you can delete Vault1? Each correct answer presents
part of the solution.

Your Answer

 Disable the soft delete feature and delete all data.

This answer is correct.

 Permanently remove any items in the soft delete state.

This answer is correct.

 Stop the backup of VM1 and VM2.

This answer is correct.

Correct Answer

 Disable the soft delete feature and delete all data.

This answer is correct.

 Permanently remove any items in the soft delete state.

This answer is correct.

 Stop the backup of VM1 and VM2.

This answer is correct.

You must stop the backups so that you can prepare to move to the new policy. The soft delete
feature is enabled by default, so it must be disabled. You must remove all the items that are in the
soft delete state. Deleting the virtual machines is not required. You cannot delete the policy without
deleting the vault and backup, and a new policy is not required.

Overview of Recovery Services vaults - Azure Backup | Microsoft Learn

Delete a Microsoft Azure Recovery Services vault - Azure Backup | Microsoft Learn

Question 49 of 50

You have an Azure subscription that contains the following resources:

 Eight virtual networks

 24 virtual machines

 16 storage accounts

You need to implement a monitoring solution that provides the ability to view diagnostics and
telemetry data generated by Azure resources.

What should you include in the solution?

Your Answer

 a Log Analytics workspace

This answer is correct.

Correct Answer

 a Log Analytics workspace

This answer is correct.

A Log Analytics workspace is a unique environment for log data from Azure Monitor and other Azure
services, such as Microsoft Sentinel and Microsoft Defender for Cloud. Each workspace has its own
data repository and configuration and can combine data from multiple services.

Log Analytics workspace overview - Azure Monitor | Microsoft Learn

Analyze your Azure infrastructure by using Azure Monitor logs - Training | Microsoft Learn

Question 50 of 50

You have an Azure subscription that contains virtual machines, virtual networks, application
gateways, and load balancers.

You need to monitor the network health of the resources.

Which Azure service should you use?

Your Answer

 Azure Monitor
This answer is incorrect.

Correct Answer

 Azure Network Watcher

This answer is correct.

Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs
for resources on an Azure virtual network. Azure Resource Manager is the deployment and
management service for Azure. Network security groups (NSGs) are used only for security, not
monitoring. Azure Monitor is used for the HTTP Data Collector API to send log data to Log Analytics.

Azure Network Watcher | Microsoft Learn

Introduction to Azure Network Watcher - Training | Microsoft Learn

Skip to main content

Learn

 Discover

 Product documentation

 Development languages

 Topics

Credentials

 Browse Credentials

 Certification Renewals

 FAQ & Help

1. Learn

2. Credentials
 3. Browse Credentials

4. Microsoft Certified: Azure Administrator Associate

Practice Assessment Results: June 8, 2025

Practice Assessment for Exam AZ-104: Microsoft Azure Administrator

It took you 22 minutes to complete this assessment.

Overall Results

To be better prepared for the exam, aim to achieve a score of 80% or higher in multiple attempts.

Score: 50%

Show My Answers

Performance by assessment section

To further strengthen your skills in the following areas, refer to the Customized Learning Material
section below.

Manage Azure identities and governance

Implement and manage storage

Deploy and manage Azure compute resources

Implement and manage virtual networking

Monitor and maintain Azure resources

Ready to take the exam?

Schedule exam Take another practice assessment.

Customized learning material to improve your skills

Because you scored lower in "Manage Azure identities and governance":

o Manage users and groups in Microsoft Entra ID

o 50 mins

o Allow users to reset their password with Microsoft Entra self-service password reset
 o 31 mins

o Improve incident response with Azure Monitor alerts

o 58 mins

o Introduction to Azure Advisor

o 16 mins

o Introduction to Azure virtual machines

o 67 mins

o Secure your Azure resources with Azure role-based access control (Azure RBAC)

o 37 mins

o Create, configure, and manage identities

o 64 mins

Because you scored lower in "Implement and manage storage":

o Introduction to Azure virtual machines

o 67 mins

o Upload, download, and manage data with Azure Storage Explorer

o 37 mins

o Configure Azure Files

o 36 mins

o Configure Azure Blob Storage

 o 63 mins

o Configure storage accounts

o 47 mins

o Configure Azure Storage security

o 34 mins

Because you scored lower in "Deploy and manage Azure compute resources":

o Automate Azure tasks with Azure PowerShell

o 71 mins

o Deploy Azure infrastructure by using JSON ARM templates

o 43 mins

o Introduction to Kubernetes

o 53 mins

o Introduction to Azure virtual machines

o 67 mins

o Configure Azure App Service plans

o 24 mins

o Configure Azure App Service

o 44 mins

o Configure Azure Container Instances

 o 37 mins

o Configure storage accounts

o 47 mins

o Configure virtual machine availability

o 41 mins

o Configure virtual networks

o 42 mins

Because you scored lower in "Implement and manage virtual networking":

o Host your domain on Azure DNS

o 43 mins

o Introduction to Azure Load Balancer

o 18 mins

o Introduction to Azure VPN Gateway

o 18 mins

o Create a Windows virtual machine in Azure

o 51 mins

o Improve application scalability and resiliency by using Azure Load Balancer

o 47 mins

o Configure network security groups

 o 37 mins

o Configure storage accounts

o 47 mins

o Configure virtual networks

o 42 mins

o Configure Azure Virtual Network peering

o 38 mins

Save your customized collection

English (United States)

Your Privacy Choices

Theme

 Previous Versions

 Blog

 Contribute

 Privacy

 Terms of Use

 Trademarks

 © Microsoft 2025