The latest Microsoft AZ-104 Azure Administrator certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the Microsoft AZ-104 Azure Administrator exam and earn Microsoft AZ-104 Azure Administrator certification.
Question 111
You have an Azure subscription that contains the following resources:
- A virtual network that has a subnet named Subnet1
- Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1
- A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections
NSG-Subnet1 has the default inbound security rules only.
NSG-VM1 has the default inbound security rules and the following custom inbound security rule:
- Priority: 100
- Source: Any
- Source port range: *
- Destination: *
- Destination port range: 3389
- Protocol: UDP
- Action: Allow
VM1 has a public IP address and is connected to Subnet1. NSG-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to Subnet1.
You need to be able to establish Remote Desktop connections from the internet to VM1.
Solution: You add an inbound security rule to NSG-Subnet1 and NSG-VM1 that allows connections from the internet source to the VirtualNetwork destination for port range 3389 and uses the TCP protocol.
Does this meet the goal?
*A. Yes
B. No
Explanation:
The default port for RDP is TCP port 3389. A rule to permit RDP traffic must be created automatically when you create your VM.
Note on NSG-Subnet1: Azure routes network traffic between all subnets in a virtual network, by default.
Question 112
You have an Azure subscription that contains a virtual network named VNET1. VNET1 contains the subnets shown in the following table.
| Name | Connected virtual machines |
|---|---|
| Subnet1 | VM1, VM2 |
| Subnet2 | VM3, VM4 |
| Subnet3 | VM5, VM6 |
Each virtual machine uses a static IP address.
You need to create network security groups (NSGs) to meet following requirements:
- Allow web requests from the internet to VM3, VM4, VM5, and VM6.
- Allow all connections between VM1 and VM2.
- Allow Remote Desktop connections to VM1.
- Prevent all other network traffic to VNET1.
What is the minimum number of NSGs you should create?
A. 1
B. 3
*C. 4
D. 12
Explanation:
Each network security group also contains default security rules.
Note: A network security group (NSG) contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks (VNet). NSGs can be associated to subnets, individual VMs (classic), or individual network interfaces (NIC) attached to VMs (Resource Manager).
Question 113
You have an Azure subscription that contains the resources shown in the following table.
| Name | Type | Resource group |
|---|---|---|
| VNET1 | Virtual network | RG1 |
| VM1 | Virtual machine | RG1 |
The Not allowed resource types Azure policy is assigned to RG1 and uses the following parameters:
Microsoft.Network/virtualNetworks
Microsoft.Compute/virtualMachines
In RG1, you need to create a new virtual machine named VM2, and then connect VM2 to VNET1.
What should you do first?
*A. Remove Microsoft.Compute/virtualMachines from the policy.
B. Create an Azure Resource Manager template
C. Add a subnet to VNET1.
D. Remove Microsoft.Network/virtualNetworks from the policy.
Explanation:
The Not allowed resource types Azure policy prohibits the deployment of specified resource types. You specify an array of the resource types to block.
Virtual Networks and Virtual Machines are prohibited.
Question 114
Your company has an Azure subscription named Subscription1.
The company also has two on-premises servers named Server1 and Server2 that run Windows Server 2016. Server1 is configured as a DNS server that has a primary DNS zone named adatum.com.
Adatum.com contains 1,000 DNS records.
You manage Server1 and Subscription1 from Server2. Server2 has the following tools installed:
- The DNS Manager console
- Azure PowerShell
- Azure CLI 2.0
You need to move the adatum.com zone to an Azure DNS zone in Subscription1. The solution must minimize administrative effort.
What should you use?
*A. Azure CLI
B. Azure PowerShell
C. the Azure portal
D. the DNS Manager console
Explanation:
Azure DNS supports importing and exporting zone files by using the Azure command-line interface (CLI).
Zone file import is not currently supported via Azure PowerShell or the Azure portal.
Step 1: Installing the DNS migration script
Open an elevated PowerShell window (Administrative mode) and run following command
install-script PrivateDnsMigrationScript
Step 2: Running the script
Execute following command to run the script
PrivateDnsMigrationScript.ps1
Question 115
You have a public load balancer that balances ports 80 and 443 across three virtual machines.
You need to direct all the Remote Desktop Protocol (RDP) connections to VM3 only.
What should you configure?
*A. an inbound NAT rule
B. a new public load balancer for VM3
C. a frontend IP configuration
D. a load balancing rule
Question 116
You have an Azure subscription that contains the resources in the following table.
| Name | Type | Detail |
|---|---|---|
| VNet1 | Virtual network | Not applicable |
| Subnet1 | Subnet | Hosted on VNet1 |
| VM1 | Virtual machine | On Subnet1 |
| VM2 | Virtual machine | On Subnet1 |
VM1 and VM2 are deployed from the same template and host line-of-business applications.
You configure the network security group (NSG) shown in the exhibit. (Click the Exhibit tab.)
You need to prevent users of VM1 and VM2 from accessing websites on the Internet over TCP port 80.
What should you do?
A. Disassociate the NSG from a network interface
B. Change the Port_80 inbound security rule.
*C. Associate the NSG to Subnet1.
D. Change the DenyWebSites outbound security rule.
Explanation:
You can associate or dissociate a network security group from a network interface or subnet.
The NSG has the appropriate rule to block users from accessing the Internet. We just need to associate it with Subnet1.
Question 117
You have two subscriptions named Subscription1 and Subscription2. Each subscription is associated to a different Azure AD tenant.
Subscription1 contains a virtual network named VNet1. VNet1 contains an Azure virtual machine named VM1 and has an IP address space of 10.0.0.0/16.
Subscription2 contains a virtual network named VNet2. VNet2 contains an Azure virtual machine named VM2 and has an IP address space of 10.10.0.0/24.
You need to connect VNet1 to VNet2.
What should you do first?
A. Move VM1 to Subscription2.
B. Move VNet1 to Subscription2.
C. Modify the IP address space of VNet2.
*D. Provision virtual network gateways.
Explanation:
The virtual networks can be in the same or different regions, and from the same or different subscriptions.
When connecting VNets from different subscriptions, the subscriptions do not need to be associated with the same Active Directory tenant.
Configuring a VNet-to-VNet connection is a good way to easily connect VNets. Connecting a virtual network to another virtual network using the VNet-to-VNet connection type (VNet2VNet) is similar to creating a Site-to-Site IPsec connection to an on-premises location. Both connectivity types use a VPN gateway to provide a secure tunnel using IPsec/IKE, and both function the same way when communicating.
The local network gateway for each VNet treats the other VNet as a local site. This lets you specify additional address space for the local network gateway in order to route traffic.
Question 118
You plan to create an Azure virtual machine named VM1 that will be configured as shown in the following exhibit.
The planned disk configurations for VM1 are shown in the following exhibit.
You need to ensure that VM1 can be created in an Availability Zone.
Which two settings should you modify? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
*A. Use managed disks
*B. OS disk type
C. Availability options
D. Size
E. Image
Explanation:
A: Your VMs should use managed disks if you want to move them to an Availability Zone by using Site Recovery.
B: When you create a VM for an Availability Zone, Under Settings > High availability, select one of the numbered zones from the Availability zone dropdown.
Question 119
You have an Azure subscription named Subscription1 that contains an Azure virtual machine named VM1.
VM1 is in a resource group named RG1.
VM1 runs services that will be used to deploy resources to RG1.
You need to ensure that a service running on VM1 can manage the resources in RG1 by using the identity of VM1.
What should you do first?
*A. From the Azure portal, modify the Managed Identity settings of VM1
B. From the Azure portal, modify the Access control (IAM) settings of RG1
C. From the Azure portal, modify the Access control (IAM) settings of VM1
D. From the Azure portal, modify the Policies settings of RG1
Explanation:
Managed identities for Azure resources provides Azure services with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code. You can enable and disable the system-assigned managed identity for VM using the Azure portal.
A managed identity from Azure Active Directory allows your app to easily access other AAD-protected resources such as Azure Key Vault. The identity is managed by the Azure platform and does not require you to provision or rotate any secrets.
User assigned managed identities can be used on Virtual Machines and Virtual Machine Scale Sets.
Question 120
You have an Azure subscription that contains a resource group named TestRG.
You use TestRG to validate an Azure deployment.
TestRG contains the following resources:
| Name | Type | Description |
|---|---|---|
| VM1 | Virtual Machine | VM1 is running and configured to back up to Vault1 daily |
| Vault1 | Recovery Services Vault | Vault includes all backups of VM1 |
| VNET1 | Virtual Network | VNET1 has a resource lock of type Delete |
You need to delete TestRG.
What should you do first?
A. Modify the backup configurations of VM1 and modify the resource lock type of VNET1
B. Remove the resource lock from VNET1 and delete all data in Vault1
*C. Turn off VM1 and remove the resource lock from VNET1
D. Turn off VM1 and delete all data in Vault1
Explanation:
When you delete a resource group, all of its resources are also deleted. Deleting a resource group deletes all of its template deployments and currently stored operations.
Manage Azure identities and governance
Overview
Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market.
Contoso products are manufactured by using blueprint files that the company authors and maintains.
Existing Environment
Currently, Contoso uses multiple types of servers for business operations, including the following:
- File servers
- Domain controllers
- Microsoft SQL Server servers
Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.
You have a public-facing application named App1. App1 is comprised of the following three tiers:
- A SQL database
- A web front end
- A processing middle tier
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
Requirements
Planned Changes
Contoso plans to implement the following changes to the infrastructure:
- Move all the tiers of App1 to Azure.
- Move the existing product blueprint files to Azure Blob storage.
- Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.
Technical Requirements
Contoso must meet the following technical requirements:
- Move all the virtual machines for App1 to Azure.
- Minimize the number of open ports between the App1 tiers.
- Ensure that all the virtual machines for App1 are protected by backups.
- Copy the blueprint files to Azure over the Internet.
- Ensure that the blueprint files are stored in the archive storage tier.
- Ensure that partner access to the blueprint files is secured and temporary.
- Prevent user passwords or hashes of passwords from being stored in Azure.
- Use unmanaged standard storage for the hard disks of the virtual machines.
- Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
- Minimize administrative effort whenever possible.
User Requirements
Contoso identifies the following requirements for users:
- Ensure that only users who are part of a group named Pilot can join devices to Azure AD.
- Designate a new user named Admin1 as the service admin for the Azure subscription.
- Admin1 must receive email alerts regarding service outages.
- Ensure that a new user named User3 can create network objects for the Azure subscription.