
Exam AZ-104 Microsoft Azure Administrator Questions and Answers – Page 3 Part 1

The latest Microsoft AZ-104 Azure Administrator certification practice exam questions and answers (Q&A) are available free, to help you pass the Microsoft AZ-104 Azure Administrator exam and earn the Microsoft AZ-104 Azure Administrator certification.

Question 241

You plan to create a new Azure Active Directory (Azure AD) role.
You need to ensure that the new role can view all the resources in the Azure subscription and issue support requests to Microsoft. The solution must use the principle of least privilege.
How should you complete the JSON definition? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:
Explanation:

Box 1: "*/read",
*/read lets you view everything, but not make any changes.
Box 2: "Microsoft.Support/*"
The action Microsoft.Support/* enables creating and managing support tickets.
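
The following added example (not part of the original question or its exhibit) models how the two actions from the answer are matched against requested operations, so the role's effective reach can be checked before it is assigned. The role name, the scope placeholder and the sample operations are constructed; the matcher is a simplified model of wildcard evaluation, not Azure's own code.

```python
import re

# Constructed role definition using the two actions from Box 1 and Box 2.
# The name and scope are placeholders, not values from the question.
ROLE = {
    "Name": "Example Support Reader",
    "IsCustom": True,
    "Actions": ["*/read", "Microsoft.Support/*"],
    "NotActions": [],
    "AssignableScopes": ["/subscriptions/<subscription-id>"],
}

def _matches(pattern, operation):
    # Action strings allow '*' as a wildcard; comparison is case-insensitive.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def is_allowed(role, operation):
    """Effective permission = Actions minus NotActions (simplified model)."""
    allowed = any(_matches(p, operation) for p in role["Actions"])
    denied = any(_matches(p, operation) for p in role["NotActions"])
    return allowed and not denied

def audit(role, operations):
    """Map each requested operation to True (granted) or False (not granted)."""
    return {op: is_allowed(role, op) for op in operations}

# Constructed sample operations: two the role should grant, two it should not.
SAMPLE_OPERATIONS = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Support/supportTickets/write",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Authorization/roleAssignments/write",
]

if __name__ == "__main__":
    for op, granted in audit(ROLE, SAMPLE_OPERATIONS).items():
        print(("ALLOW " if granted else "DENY  ") + op)
```
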

Question 242

You have an Azure subscription named Subscription1.
In Subscription1, you create an Azure web app named WebApp1. WebApp1 will access an external service that requires certificate authentication.
You plan to require the use of HTTPS to access WebApp1.
You need to upload certificates to WebApp1.
In which formats should you upload the certificate? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Certificate format for HTTPS access:

  • CER
  • CRL
  • CRT
  • PFX

Certificate format for external service access:

  • CER
  • CRL
  • CRT
  • PFX

Answer:
Certificate format for HTTPS access: PFX
Certificate format for external service access: CER

Explanation:

A PFX file contains the public key file (SSL Certificate) and its unique private key file. This is required for HTTPS access. The web app will distribute the public key (in a CER file) to clients that connect to the web app.
The CER file is an SSL Certificate which has the public key of the external service. The external service will have the private key associated with the public key contained in the CER file.

Question 243

You are building a custom Azure function app to connect to Azure Event Grid.
You need to ensure that resources are allocated dynamically to the function app. Billing must be based on the executions of the app.
What should you configure when you create the function app?

*A. the Windows operating system and the Consumption plan hosting plan
B. the Windows operating system and the App Service plan hosting plan
C. the Docker container and an App Service plan that uses the B1 pricing tier
D. the Docker container and an App Service plan that uses the S1 pricing

Explanation:

Azure Functions runs in two different modes: Consumption plan and Azure App Service plan. The Consumption plan automatically allocates compute power when your code is running. Your app is scaled out when needed to handle load, and scaled down when code is not running.

Question 244

You need to meet the user requirement for Admin1.
What should you do?

*A. From the Subscriptions blade, select the subscription, and then modify the Properties.
B. From the Subscriptions blade, select the subscription, and then modify the Access control (IAM) settings.
C. From the Azure Active Directory blade, modify the Properties.
D. From the Azure Active Directory blade, modify the Groups.

Explanation:

Change the Service administrator for an Azure subscription

  • Sign in to Account Center as the Account administrator.
  • Select a subscription.
  • On the right side, select Edit subscription details.

Scenario: Designate a new user named Admin1 as the service administrator of the Azure subscription.

Question 245

You have an Azure App Service plan named AdatumASP1 that uses the P2v2 pricing tier. AdatumASP1 hosts an Azure web app named adatumwebapp1. You need to delegate the management of adatumwebapp1 to a group named Devs. Devs must be able to perform the following tasks:

  • Add deployment slots.
  • View the configuration of AdatumASP1.
  • Modify the role assignment for adatumwebapp1.

Which role should you assign to the Devs group?

*A. Owner
B. Contributor
C. Web Plan Contributor
D. Website Contributor

Explanation:

Owner: Correct choice
The Owner role lets you manage everything, including access to resources.
Contributor: Incorrect choice
With the Contributor role you can add deployment slots and view the configuration of the App Service plan, but you can't modify the role assignment. For that you need the User Access Administrator or Owner role, so this option is incorrect.
Web Plan Contributor: Incorrect choice
The Web Plan Contributor role lets you manage the web plans for websites, but not access to them, so this option is incorrect.
Website Contributor: Incorrect choice
The Website Contributor role lets you manage websites (not web plans), but not access to them, so this option is incorrect.
Note: Under the principle of least privilege, it is not advisable to give the Owner role to any group; instead, you should create a custom RBAC role with a custom policy and use that role for this operation. However, as that option is not available here, the only option is the Owner role.

Question 246

You have an Azure subscription that contains the following resources:

  • A virtual network that has a subnet named Subnet1
  • Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1
  • A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections

NSG-Subnet1 has the default inbound security rules only.
NSG-VM1 has the default inbound security rules and the following custom inbound security rule:

  • Priority: 100
  • Source: Any
  • Source port range: *
  • Destination: *
  • Destination port range: 3389
  • Protocol: UDP
  • Action: Allow

VM1 connects to Subnet1. NSG-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to Subnet1.
You need to be able to establish Remote Desktop connections from the internet to VM1.
Solution: You modify the custom rule for NSG-VM1 to use the internet as a source and TCP as a protocol.
Does this meet the goal?

A. Yes
*B. No

Explanation:

By default, NSGs deny all inbound traffic except traffic from the virtual network or from Azure load balancers. For inbound traffic, Azure processes the rules in a network security group associated to a subnet first, and then the rules in a network security group associated to the network interface.

A rule that allows traffic through RDP port 3389 is not created automatically when a VM is created, unless you change the setting during creation. Subnets usually do not have an NSG associated unless you go out of your way to add one, which this scenario does. When you create that extra NSG, it won't have an RDP rule by default, so it blocks inbound connections.

The request first reaches NSG-Subnet1. Because the subnet NSG (the one with only the default rules) is evaluated first and has no allow rule for RDP, it blocks the inbound RDP connection.
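
The evaluation order described above can be modelled in a few lines. This is an added example, not part of the original question: it is a simplified simulation of inbound NSG processing (lowest priority number first, first match wins, subnet NSG before NIC NSG) applied to the scenario's two NSGs, with the proposed rule named AllowRdpFromInternet as an assumed name.

```python
from collections import namedtuple

Rule = namedtuple("Rule", "priority name source protocol port action")

# The three default inbound rules every NSG carries.
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "VirtualNetwork", "*", "*", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "Any", "*", "*", "Deny"),
]

# NSG-Subnet1: default rules only. NSG-VM1: defaults plus the rule as modified
# by the proposed solution (source Internet, protocol TCP). Rule name is assumed.
RDP_RULE = Rule(100, "AllowRdpFromInternet", "Internet", "TCP", 3389, "Allow")
NSG_SUBNET1 = list(DEFAULT_INBOUND)
NSG_VM1 = [RDP_RULE] + DEFAULT_INBOUND

def evaluate(nsg, source, protocol, port):
    """Return the first matching rule, lowest priority number first."""
    for rule in sorted(nsg, key=lambda r: r.priority):
        if (rule.source in ("Any", source)
                and rule.protocol in ("*", protocol)
                and rule.port in ("*", port)):
            return rule
    raise ValueError("no rule matched; an NSG always ends with DenyAllInBound")

def inbound(subnet_nsg, nic_nsg, source, protocol, port):
    """Inbound traffic must pass the subnet NSG first, then the NIC NSG."""
    for label, nsg in (("subnet", subnet_nsg), ("nic", nic_nsg)):
        rule = evaluate(nsg, source, protocol, port)
        if rule.action == "Deny":
            return False, f"{label}:{rule.name}"
    return True, f"nic:{rule.name}"

if __name__ == "__main__":
    # The proposed solution: NIC rule fixed, subnet NSG still defaults only.
    print(inbound(NSG_SUBNET1, NSG_VM1, "Internet", "TCP", 3389))
    # Both layers carry the allow rule: the connection passes.
    print(inbound([RDP_RULE] + DEFAULT_INBOUND, NSG_VM1, "Internet", "TCP", 3389))
```

The decision string names the NSG layer and rule that settled the outcome, which is the same information to look for when reviewing effective security rules on a network interface.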

Question 247

You have an Azure subscription named Subscription1 that contains a resource group named RG1.
In RG1, you create an internal load balancer named LB1 and a public load balancer named LB2.
You need to ensure that an administrator named Admin1 can manage LB1 and LB2. The solution must follow the principle of least privilege.
Which role should you assign to Admin1 for each task? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

To add a backend pool to LB1:

  • Contributor on LB1
  • Network Contributor on LB1
  • Network Contributor on RG1
  • Owner on LB1

To add a health probe to LB2:

  • Contributor on LB2
  • Network Contributor on LB2
  • Network Contributor on RG1
  • Owner on LB2

Answer:
To add a backend pool to LB1: Network Contributor on LB1
To add a health probe to LB2: Network Contributor on LB2

Explanation:

The Network Contributor role lets you manage networks, but not access them.

Question 248

You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table:

Name Type Member of
User1 Member Group1
User2 Guest Group1
User3 Member None
UserA Member Group2
UserB Guest Group2

User3 is the owner of Group1.
Group2 is a member of Group1.
You configure an access review named Review1 as shown in the following exhibit:
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

  • User3 can perform an access review of User1: No
  • User3 can perform an access review of UserA: No
  • User3 can perform an access review of UserB: Yes

Question 249

You have an Azure Active Directory tenant named Contoso.com that includes the following users:

Name Role
User1 Cloud device administrator
User2 User administrator

Contoso.com includes the following Windows 10 devices:

Name Join type
Device1 Azure AD registered
Device2 Azure AD joined

You create the following security groups in Contoso.com:

Name Membership Type Owner
Group1 Assigned User2
Group2 Dynamic Device User2

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

  • User1 can add Device2 to Group1: Yes
  • User2 can add Device1 to Group1: No
  • User2 can add Device2 to Group2: Yes

Explanation:

Box 1: Yes –
User1 is a Cloud Device Administrator.
Device2 is Azure AD joined.
Group1 has the assigned join type. User1 is the owner of Group1.
Note: Assigned groups – Manually add users or devices into a static group.
Azure AD joined or hybrid Azure AD joined devices utilize an organizational account in Azure AD.
Box 2: No –
User2 is a User Administrator.
Device1 is Azure AD registered.
Group1 has the assigned join type, and the owner is User1.
Note: Azure AD registered devices utilize an account managed by the end user; this account is either a Microsoft account or another locally managed credential.
Box 3: Yes –
User2 is a User Administrator.
Device2 is Azure AD joined.
Group2 has the Dynamic Device join type, and the owner is User2.

Question 250

You have an Azure subscription that contains a virtual network named VNET1 in the East US 2 region. A network interface named VM1-NI is connected to VNET1.
You successfully deploy the following resources in an Azure Resource Manager template.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

  • VM1 and VM2 can connect to VNET1: Yes
  • If an Azure datacenter becomes unavailable, VM1 or VM2 will be available: Yes
  • If the East US 2 region becomes unavailable, VM1 or VM2 will be available: No

Explanation:

Box 1: Yes –
Box 2: Yes –
VM1 is in Zone1, while VM2 is in Zone2.
Box 3: No –