Skip to Content

Exam AZ-104 Microsoft Azure Administrator Questions and Answers – Page 2

The latest Microsoft AZ-104 Azure Administrator certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the Microsoft AZ-104 Azure Administrator exam and earn Microsoft AZ-104 Azure Administrator certification.

AZ-104 Microsoft Azure Administrator Exam Questions and Answers

Exam Question 111

You have an Azure subscription that contains the following resources:

  • A virtual network that has a subnet named Subnet1
  • Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1
  • A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections

NSG-Subnet1 has the default inbound security rules only.
NSG-VM1 has the default inbound security rules and the following custom inbound security rule:

  • Priority: 100
  • Source: Any
  • Source port range: *
  • Destination: *
  • Destination port range: 3389
  • Protocol: UDP
  • Action: Allow

VM1 has a public IP address and is connected to Subnet1. NSG-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to Subnet1.
You need to be able to establish Remote Desktop connections from the internet to VM1.
Solution: You add an inbound security rule to NSG-Subnet1 and NSG-VM1 that allows connections from the internet source to the VirtualNetwork destination for port range 3389 and uses the TCP protocol.
Does this meet the goal?

A. Yes
B. No

Correct Answer:
A. Yes

Answer Explanation:
The default port for RDP is TCP port 3389. A rule to permit RDP traffic must be created automatically when you create your VM.
Note on NSG-Subnet1: Azure routes network traffic between all subnets in a virtual network, by default.

Reference:
Microsoft Docs > Troubleshoot > Azure > Virtual Machines > Cannot connect to my VM > Windows > RDP troubleshooting > Troubleshoot Remote Desktop connections to an Azure virtual machine

Exam Question 112

You have an Azure subscription that contains a virtual network named VNET1. VNET1 contains the subnets shown in the following table.

Name Connected virtual machines
Subnet1 VM1, VM2
Subnet2 VM3, VM4
Subnet3 VM5, VM6
You have an Azure subscription that contains a virtual network named VNET1. VNET1 contains the subnets shown in the following table.

Each virtual machine uses a static IP address.
You need to create network security groups (NSGs) to meet following requirements:

  • Allow web requests from the internet to VM3, VM4, VM5, and VM6.
  • Allow all connections between VM1 and VM2.
  • Allow Remote Desktop connections to VM1.
  • Prevent all other network traffic to VNET1.

What is the minimum number of NSGs you should create?

A. 1
B. 3
C. 4
D. 12

Correct Answer:
C. 4

Answer Explanation:
Each network security group also contains default security rules.
Note: A network security group (NSG) contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks (VNet). NSGs can be associated to subnets, individual VMs (classic), or individual network interfaces (NIC) attached to VMs (Resource Manager).

Reference:
Microsoft Docs > Network security groups > Default security rules

Exam Question 113

You have an Azure subscription that contains the resources shown in the following table.

Name Type Resource group
VNET1 Virtual network RG1
VM1 Virtual machine RG1
You have an Azure subscription that contains the resources shown in the following table.

The Not allowed resource types Azure policy is assigned to RG1 and uses the following parameters:
Microsoft.Network/virtualNetworks
Microsoft.Compute/virtualMachines

In RG1, you need to create a new virtual machine named VM2, and then connect VM2 to VNET1.
What should you do first?

A. Remove Microsoft.Compute/virtualMachines from the policy.
B. Create an Azure Resource Manager template
C. Add a subnet to VNET1.
D. Remove Microsoft.Network/virtualNetworks from the policy.

Correct Answer:
A. Remove Microsoft.Compute/virtualMachines from the policy.

Answer Explanation:
The Not allowed resource types Azure policy prohibits the deployment of specified resource types. You specify an array of the resource types to block.
Virtual Networks and Virtual Machines are prohibited.

Reference:
Microsoft Docs > Azure Policy Samples

Exam Question 114

Your company has an Azure subscription named Subscription1.
The company also has two on-premises servers named Server1 and Server2 that run Windows Server 2016. Server1 is configured as a DNS server that has a primary DNS zone named adatum.com.
Adatum.com contains 1,000 DNS records.
You manage Server1 and Subscription1 from Server2. Server2 has the following tools installed:

  • The DNS Manager console
  • Azure PowerShell
  • Azure CLI 2.0

You need to move the adatum.com zone to an Azure DNS zone in Subscription1. The solution must minimize administrative effort.
What should you use?

A. Azure CLI
B. Azure PowerShell
C. the Azure portal
D. the DNS Manager console

Correct Answer:
A. Azure CLI

Answer Explanation:
Azure DNS supports importing and exporting zone files by using the Azure command-line interface (CLI).
Zone file import is not currently supported via Azure PowerShell or the Azure portal.
Step 1: Installing the DNS migration script
Open an elevated PowerShell window (Administrative mode) and run following command
install-script PrivateDnsMigrationScript
Step 2: Running the script
Execute following command to run the script
PrivateDnsMigrationScript.ps1

Reference:
Microsoft Docs > Migrating legacy Azure DNS private zones to new resource model

Exam Question 115

You have a public load balancer that balances ports 80 and 443 across three virtual machines.
You need to direct all the Remote Desktop Protocol (RDP) connections to VM3 only.
What should you configure?

A. an inbound NAT rule
B. a new public load balancer for VM3
C. a frontend IP configuration
D. a load balancing rule

Correct Answer:
A. an inbound NAT rule

Reference:
Microsoft Docs > Tutorial: Configure port forwarding in Azure Load Balancer using the Azure portal

Exam Question 116

You have an Azure subscription that contains the resources in the following table.

Name Type Detail
VNet1 Virtual network Not applicable
Subnet1 Subnet Hosted on VNet1
VM1 Virtual machine On Subnet1
VM2 Virtual machine On Subnet1
You have an Azure subscription that contains the resources in the following table.

VM1 and VM2 are deployed from the same template and host line-of-business applications.
You configure the network security group (NSG) shown in the exhibit. (Click the Exhibit tab.)

You configure the network security group (NSG) shown in the exhibit.

You need to prevent users of VM1 and VM2 from accessing websites on the Internet over TCP port 80.
What should you do?

A. Disassociate the NSG from a network interface
B. Change the Port_80 inbound security rule.
C. Associate the NSG to Subnet1.
D. Change the DenyWebSites outbound security rule.

Correct Answer:
C. Associate the NSG to Subnet1.

Answer Explanation:
You can associate or dissociate a network security group from a network interface or subnet.
The NSG has the appropriate rule to block users from accessing the Internet. We just need to associate it with Subnet1.

Reference:
Microsoft Docs > Create, change, or delete a network security group

Exam Question 117

You have two subscriptions named Subscription1 and Subscription2. Each subscription is associated to a different Azure AD tenant.
Subscription1 contains a virtual network named VNet1. VNet1 contains an Azure virtual machine named VM1 and has an IP address space of 10.0.0.0/16.
Subscription2 contains a virtual network named VNet2. VNet2 contains an Azure virtual machine named VM2 and has an IP address space of 10.10.0.0/24.
You need to connect VNet1 to VNet2.
What should you do first?

A. Move VM1 to Subscription2.
B. Move VNet1 to Subscription2.
C. Modify the IP address space of VNet2.
D. Provision virtual network gateways.

Correct Answer:
D. Provision virtual network gateways.

Answer Explanation:
The virtual networks can be in the same or different regions, and from the same or different subscriptions.
When connecting VNets from different subscriptions, the subscriptions do not need to be associated with the same Active Directory tenant.
Configuring a VNet-to-VNet connection is a good way to easily connect VNets. Connecting a virtual network to another virtual network using the VNet-to-VNet connection type (VNet2VNet) is similar to creating a Site-to-Site IPsec connection to an on-premises location. Both connectivity types use a VPN gateway to provide a secure tunnel using IPsec/IKE, and both function the same way when communicating.
The local network gateway for each VNet treats the other VNet as a local site. This lets you specify additional address space for the local network gateway in order to route traffic.

Reference:
Microsoft Docs > Configure a VNet-to-VNet VPN gateway connection by using the Azure portal

Exam Question 118

You plan to create an Azure virtual machine named VM1 that will be configured as shown in the following exhibit.

You plan to create an Azure virtual machine named VM1 that will be configured as shown in the following exhibit.

The planned disk configurations for VM1 are shown in the following exhibit.

The planned disk configurations for VM1 are shown in the following exhibit.

You need to ensure that VM1 can be created in an Availability Zone.
Which two settings should you modify? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Use managed disks
B. OS disk type
C. Availability options
D. Size
E. Image

Correct Answer:
A. Use managed disks
B. OS disk type

Answer Explanation:
A: Your VMs should use managed disks if you want to move them to an Availability Zone by using Site Recovery.
B: When you create a VM for an Availability Zone, Under Settings > High availability, select one of the numbered zones from the Availability zone dropdown.

Reference:
Microsoft Docs > Azure > Site Recovery > Move Azure VMs into Availability Zones
Microsoft Docs > Azure > Virtual Machines > Windows > Create a virtual machine in an availability zone using the Azure portal

Exam Question 119

You have an Azure subscription named Subscription1 that contains an Azure virtual machine named VM1.
VM1 is in a resource group named RG1.
VM1 runs services that will be used to deploy resources to RG1.
You need to ensure that a service running on VM1 can manage the resources in RG1 by using the identity of VM1.
What should you do first?

A. From the Azure portal, modify the Managed Identity settings of VM1
B. From the Azure portal, modify the Access control (IAM) settings of RG1
C. From the Azure portal, modify the Access control (IAM) settings of VM1
D. From the Azure portal, modify the Policies settings of RG1

Correct Answer:
A. From the Azure portal, modify the Managed Identity settings of VM1

Answer Explanation:
Managed identities for Azure resources provides Azure services with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code. You can enable and disable the system-assigned managed identity for VM using the Azure portal.
A managed identity from Azure Active Directory allows your app to easily access other AAD-protected resources such as Azure Key Vault. The identity is managed by the Azure platform and does not require you to provision or rotate any secrets.
User assigned managed identities can be used on Virtual Machines and Virtual Machine Scale Sets.

Exam Question 120

You have an Azure subscription that contains a resource group named TestRG.
You use TestRG to validate an Azure deployment.
TestRG contains the following resources:

Name Type Description
VM1 Virtual Machine VM1 is running and configured to back up to Vault1 daily
Vault1 Recovery Services Vault Vault includes all backups of VM1
VNET1 Virtual Network VNET1 has a resource lock of type Delete

You need to delete TestRG.
What should you do first?
A. Modify the backup configurations of VM1 and modify the resource lock type of VNET1
B. Remove the resource lock from VNET1 and delete all data in Vault1
C. Turn off VM1 and remove the resource lock from VNET1
D. Turn off VM1 and delete all data in Vault1

Correct Answer:
C. Turn off VM1 and remove the resource lock from VNET1

Answer Explanation:
When you delete a resource group, all of its resources are also deleted. Deleting a resource group deletes all of its template deployments and currently stored operations.

Manage Azure identities and governance

Overview

Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market.

Contoso products are manufactured by using blueprint files that the company authors and maintains.

Existing Environment

Currently, Contoso uses multiple types of servers for business operations, including the following:

  • File servers
  • Domain controllers
  • Microsoft SQL Server servers

Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.

You have a public-facing application named App1. App1 is comprised of the following three tiers:

  • A SQL database
  • A web front end
  • A processing middle tier

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

Requirements

Planned Changes

Contoso plans to implement the following changes to the infrastructure:

  • Move all the tiers of App1 to Azure.
  • Move the existing product blueprint files to Azure Blob storage.
  • Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.

Technical Requirements

Contoso must meet the following technical requirements:

  • Move all the virtual machines for App1 to Azure.
  • Minimize the number of open ports between the App1 tiers.
  • Ensure that all the virtual machines for App1 are protected by backups.
  • Copy the blueprint files to Azure over the Internet.
  • Ensure that the blueprint files are stored in the archive storage tier.
  • Ensure that partner access to the blueprint files is secured and temporary.
  • Prevent user passwords or hashes of passwords from being stored in Azure.
  • Use unmanaged standard storage for the hard disks of the virtual machines.
  • Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
  • Minimize administrative effort whenever possible.

User Requirements

Contoso identifies the following requirements for users:

  • Ensure that only users who are part of a group named Pilot can join devices to Azure AD.
  • Designate a new user named Admin1 as the service admin for the Azure subscription.
  • Admin1 must receive email alerts regarding service outages.
  • Ensure that a new user named User3 can create network objects for the Azure subscription.
    Ads Blocker Image Powered by Code Help Pro

    Ads Blocker Detected!!!

    This site depends on revenue from ad impressions to survive. If you find this site valuable, please consider disabling your ad blocker.