Skip to Content

Exam AZ-104 Microsoft Azure Administrator Questions and Answers – Page 2 Part 1

By: Author Alex Lim

Posted on  - Last updated:

Categories Exam

The latest Microsoft AZ-104 Azure Administrator certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the Microsoft AZ-104 Azure Administrator exam and earn Microsoft AZ-104 Azure Administrator certification.

Question 121

You need to meet the user requirement for Admin1.
What should you do?

A. From the Azure Active Directory blade, modify the Groups
B. From the Azure Active Directory blade, modify the Properties
C. From the Subscriptions blade, select the subscription, and then modify the Access control (IAM) settings
*D. From the Subscriptions blade, select the subscription, and then modify the Properties

Explanation:

Scenario:

  • Designate a new user named Admin1 as the service admin for the Azure subscription.
  • Admin1 must receive email alerts regarding service outages.

Follow these steps to change the Service Administrator in the Azure portal.

  1. Make sure your scenario is supported by checking the limitations for changing the Service Administrator.
  2. Sign in to the Azure portal as the Account Administrator.
  3. Open Cost Management + Billing and select a subscription.
  4. In the left navigation, click Properties.
  5. Click Service Admin.

Question 122

You have Azure virtual machines that run Windows Server 2019 and are configured as shown in the following table.

Name Virtual network name DNS suffix configured in Windows Server
VM1 VNET1 Contoso.com
VM2 VNET2 Contoso.com

You create a public Azure DNS zone named adatum.com and a private Azure DNS zone named contoso.com.
For controso.com, you create a virtual network link named link1 as shown in the exhibit. (Click the Exhibit tab.)

For controso.com, you create a virtual network link named link1

You discover that VM1 can resolve names in contoso.com but cannot resolve names in adatum.com. VM1 can resolve other hosts on the Internet.
You need to ensure that VM1 can resolve host names in adatum.com.
What should you do?

*A. Update the DNS suffix on VM1 to be adatum.com
B. Configure the name servers for adatum.com at the domain registrar
C. Create an SRV record in the contoso.com zone
D. Modify the Access control (IAM) settings for link1

Explanation:

If you use Azure Provided DNS then appropriate DNS suffix will be automatically applied to your virtual machines. For all other options you must either use Fully Qualified Domain Names (FQDN) or manually apply appropriate DNS suffix to your virtual machines.

Question 123

You have an Azure subscription that contains the virtual machines shown in the following table.

Name Public IP SKU Connected to Status
VM1 None VNET1/Subnet1 Stopped (deallocated)
VM2 Basic VNET1/Subnet2 Running

You deploy a load balancer that has the following configurations:

  • Name: LB1
  • Type: Internal
  • SKU: Standard
  • Virtual network: VNET1

You need to ensure that you can add VM1 and VM2 to the backend pool of LB1.
Solution: You create a Standard SKU public IP address, associate the address to the network interface of VM1, and then stop VM2.
Does this meet the goal?

A. Yes
*B. No

Explanation:

A Backend Pool configured by IP address has the following limitations: Standard load balancer only

Question 124

You have an Azure subscription that contains the virtual machines shown in the following table.

Name Public IP SKU Connected to Status
VM1 None VNET1/Subnet1 Stopped (deallocated)
VM2 Basic VNET1/Subnet2 Running

You deploy a load balancer that has the following configurations:

  • Name: LB1
  • Type: Internal
  • SKU: Standard
  • Virtual network: VNET1

You need to ensure that you can add VM1 and VM2 to the backend pool of LB1.
Solution: You create two Standard public IP addresses and associate a Standard SKU public IP address to the network interface of each virtual machine.
Does this meet the goal?

*A. Yes
B. No

Explanation:

A Backend Pool configured by IP address has the following limitations: Standard load balancer only

Question 125

You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site connection uses a self-signed certificate.
From Azure, you download and install the VPN client configuration package on a computer named Computer2.
You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2.
Solution: You export the client certificate from Computer1 and install the certificate on Computer2.
Does this meet the goal?

*A. Yes
B. No

Explanation:

Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails.

Question 126

You have an Azure virtual machine named VM1.
The network interface for VM1 is configured as shown in the exhibit. (Click the Exhibit tab.)

The network interface for VM1 is configured as shown in the exhibit.

You deploy a web server on VM1, and then create a secure website that is accessible by using the HTTPS protocol. VM1 is used as a web server only.
You need to ensure that users can connect to the website from the Internet.
What should you do?

A. Modify the protocol of Rule4
B. Delete Rule1
*C. For Rule5, change the Action to Allow and change the priority to 401
D. Create a new inbound rule that allows TCP protocol 443 and configure the rule to have a priority of 501.

Explanation:

HTTPS uses port 443.
Rule2, with priority 500, denies HTTPS traffic.
Rule5, with priority changed from 2000 to 401, would allow HTTPS traffic.
Note: Priority is a number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same attributes as rules with higher priorities are not processed.

Note: There are several versions of this question in the exam. The question has two possible correct answers:

  1. Change the priority of Rule3 to 450.
  2. For Rule5, change the Action to Allow and change the priority to 401.

Other incorrect answer options you may see on the exam include the following:

  • Modify the action of Rule1.
  • Change the priority of Rule6 to 100.
  • For Rule4, change the protocol from UDP to Any.

Configure and manage virtual networking

Overview

Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market.
Contoso products are manufactured by using blueprint files that the company authors and maintains.

Existing Environment

Currently, Contoso uses multiple types of servers for business operations, including the following:

  • File servers
  • Domain controllers
  • Microsoft SQL Server servers

Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.
You have a public-facing application named App1. App1 is comprised of the following three tiers:

  • A SQL database
  • A web front end
  • A processing middle tier

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

Requirements

Planned Changes

Contoso plans to implement the following changes to the infrastructure:

  • Move all the tiers of App1 to Azure.
  • Move the existing product blueprint files to Azure Blob storage.
  • Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.

Technical Requirements

Contoso must meet the following technical requirements:

  • Move all the virtual machines for App1 to Azure.
  • Minimize the number of open ports between the App1 tiers.
  • Ensure that all the virtual machines for App1 are protected by backups.
  • Copy the blueprint files to Azure over the Internet.
  • Ensure that the blueprint files are stored in the archive storage tier.
  • Ensure that partner access to the blueprint files is secured and temporary.
  • Prevent user passwords or hashes of passwords from being stored in Azure.
  • Use unmanaged standard storage for the hard disks of the virtual machines.
  • Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
  • Minimize administrative effort whenever possible.

User Requirements

Contoso identifies the following requirements for users:

  • Ensure that only users who are part of a group named Pilot can join devices to Azure AD.
  • Designate a new user named Admin1 as the service admin for the Azure subscription.
  • Admin1 must receive email alerts regarding service outages.
  • Ensure that a new user named User3 can create network objects for the Azure subscription.

Question 127

You are planning the move of App1 to Azure.
You create a network security group (NSG).
You need to recommend a solution to provide users with access to App1.
What should you recommend?

*A. Create an incoming security rule for port 443 from the Internet. Associate the NSG to the subnet that contains the web servers.
B. Create an outgoing security rule for port 443 from the Internet. Associate the NSG to the subnet that contains the web servers.
C. Create an incoming security rule for port 443 from the Internet. Associate the NSG to all the subnets.
D. Create an outgoing security rule for port 443 from the Internet. Associate the NSG to all the subnets.

Explanation:

Incoming and the web server subnet only, as users access the web front end by using HTTPS only.
Note Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers:

  • A SQL database
  • A web front end
  • A processing middle tier

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

As App1 is public-facing we need an incoming security rule, related to the access of the web servers.

Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers: a SQL database, a web front end, and a processing middle tier.

Monitor and back up Azure resources: Question Set 1

Question 128

You have an Azure web app named webapp1.
Users report that they often experience HTTP 500 errors when they connect to webapp1.
You need to provide the developers of webapp1 with real-time access to the connection errors. The solution must provide all the connection error details.
What should you do first?

*A. From webapp1, enable Web server logging
B. From Azure Monitor, create a workbook
C. From Azure Monitor, create a Service Health alert
D. From webapp1, turn on Application Logging

Explanation:

To enable web server logging for Windows apps in the Azure portal, navigate to your app and select App Service logs.
For Web server logging, select Storage to store logs on blob storage, or File System to store logs on the App Service file system.
In Retention Period (Days), set the number of days the logs should be retained.

Question 129

You have an Azure subscription that has a Recovery Services vault named Vault1. The subscription contains the virtual machines shown in the following table:

Name Operating system Auto-shutdown
VM1 Windows Server 2012 R2 Off
VM2 Windows Server 2016 19:00
VM3 Ubuntu Server 18.04 LTS Off
VM4 Windows 10 19:00

You plan to schedule backups to occur every night at 23:00.
Which virtual machines can you back up by using Azure Backup?

A. VM1 and VM3 only
*B. VM1, VM2, VM3 and VM4
C. VM1 and VM2 only
D. VM1 only

Explanation:

Azure Backup supports backup of 64-bit Windows server operating system from Windows Server 2008.
Azure Backup supports backup of 64-bit Windows 10 operating system.
Azure Backup supports backup of 64-bit Ubuntu Server operating system from Ubuntu 12.04.
Azure Backup supports backup of VM that are shutdown or offline.

Question 130

You have the Azure virtual machines shown in the following table:

Name Azure region
VM1 West Europe
VM2 West Europe
VM3 North Europe
VM4 North Europe

You have a Recovery Services vault that protects VM1 and VM2.
You need to protect VM3 and VM4 by using Recovery Services.
What should you do first?

*A. Create a new Recovery Services vault
B. Create a storage account
C. Configure the extensions for VM3 and VM4
D. Create a new backup policy

Explanation:

A Recovery Services vault is a storage entity in Azure that houses data. The data is typically copies of data, or configuration information for virtual machines (VMs), workloads, servers, or workstations. You can use Recovery Services vaults to hold backup data for various Azure services.
Back up the VM to a different region or subscription: Not supported.
To successfully back up, virtual machines must be in the same subscription as the vault for backup.