AZ-104 Exam Dumps - Microsoft Azure Administrator

Technically, The finance department needs to migrate their users from AD to AAD using AADC based on the finance OU, and need to enforce MFA use. This is conditional access policy. Employees also often get promotions and/or join other departments and when that occurs, the user's OU attribute will change when the admin puts the user in a new OU, and the dynamic group conditional access exception (OU= [Department Name Value]) will move the user to the appropriate dynamic group on next AADC delta sync.

https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership

https://docs.microsoft.com/en-us/azure/active-directory/co nditional-access/overview

https://docs.microsoft.com/en-us/az ure/active-directory/authentication/howto-mfa-userstates

Box 1: Create a Recovery Services vault

Create a Recovery Services vault on the Azure Portal.

Box 2: Install the Azure Site Recovery Provider

Azure Site Recovery can be used to manage migration of on-premises machines to Azure.

Scenario: Migrate the virtual machines hosted on Server1 and Server2 to Azure.

Server2 has the Hyper-V host role.

References:

https://docs.microsoft.com/en-us/azure/site-recovery/migrate-tutorial-on-premises-azure

https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom- role-powershell

Get-AzRoleDefinition -Name "Reader" | ConvertTo-Json

https://docs.micr osoft.com/en-us/powershell/module/az.resources/get-azroledefinition?view=azps-5.9.0

https://docs.microsoft.c om/en-us/azure/role-based-access-control/tutorial-custom-role-powershell

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/c onvertto-json?view=powershell-7.1

https://docs.microsoft.com/en-u s/powershell/module/azuread/get-azureaddirectoryrole?view=azureadps-2.0

Scenario: Licensing Issue

1. You attempt to assign a license in Azure to several users and receive the following error message: "Licenses not assigned. License agreement failed for one user."

2. You verify that the Azure subscription has the available licenses.

Solution:

License cannot be assigned to a user without a usage location specified.

Some Microsoft services aren't available in all locations because of local laws and regulations. Before you can assign a license to a user, you must specify the Usage location property for the user. You can specify the location under the User > Profile > Settings section in the Azure portal.

Cost analysis: Correct Option

In cost analysis blade of Azure, you can see all the detail for custom time span. You can use this to determine expenditure of last few day, weeks, and month. Below options are available in Cost analysis blade for filtering information by time span:  last 7 days, last 30 days, and custom date range. Choosing the first option (last 7 days) auditors can view the costs by time span.

Cost analysis shows data for the current month by default. Use the date selector to switch to common date ranges quickly. Examples include the last seven days, the last month, the current year, or a custom date range. Pay-as-you-go subscriptions also include date ranges based on your billing period, which isn't bound to the calendar month, like the current billing period or last invoice. Use the <PREVIOUS and NEXT> links at the top of the menu to jump to the previous or next period, respectively. For example, <PREVIOUS will switch from the Last 7 days to 8-14 days ago or 15-21 days ago.

Invoice: Incorrect Option

Invoices can only be used for past billing periods not for current billing period, i.e. if your requirement is to know the last week's cost then that also not filled by invoices because Azure  generates invoice at the end of the month. Even though Invoices have custom timespan, but when you put in dates for a week, the pane would be empty. Below is from Microsoft document:

Resource Provider: Incorrect Option

When deploying resources, you frequently need to retrieve information about the resource providers and types. For example, if you want to store keys and secrets, you work with the Microsoft.KeyVault resource provider. This resource provider offers a resource type called vaults for creating the key vault. This is not useful for reviewing all Azure costs from the past week which is required for audit.

Payment method: Incorrect Option

Payment methods is not useful for reviewing all Azure costs from the past week which is required for audit.

IdFix is used to perform discovery and remediation of identity objects and their attributes in an on-premises Active Directory environment in preparation for migration to Azure Active Directory. IdFix is intended for the Active Directory administrators responsible for directory synchronization with Azure Active Directory.

Scenario: Active Directory Issue

Several users in humongousinsurance.com have UPNs that contain special characters.

You suspect that some of the characters are unsupported in Azure AD.

References: https://www.microsoft.com/en -us/download/details.aspx?id=36832

Once the VNets are peered, all resources on one VNet can communicate with resources on the other peered VNets. You plan to enable peering between Paris-VNet and AllOffices-VNet. Therefore VMs on Subnet1, which is on Paris-VNet and VMs on Subnet3, which is on AllOffices-VNet will be able to connect to each other.

All Azure resources connected to a VNet have outbound connectivity to the Internet by default. Therefore VMs on ClientSubnet, which is on ClientResources-VNet will have access to the Internet; and VMs on Subnet3 and Subnet4, which are on AllOffices-VNet will have access to the Internet.

You can opt in and configure additional recipients to receive your Azure invoice in an email. This feature may not be available for certain subscriptions such as support offers, Enterprise Agreements, or Azure in Open.

• Select your subscription from the Subscriptions page. Opt-in for each subscription you own. Click Invoices then Email my invoice.
• Click Opt in and accept the terms.

Scenario: During the testing phase, auditors in the finance department must be able to review all Azure costs from the past week.

References: https://docs.microsoft.com/en-us/azure/billing/billing-download-azure-invoice-daily-usage-date

B: You can gradually roll out Seamless SSO to your users. You start by adding the following Azure AD URL to all or selected users' Intranet zone settings by using Group Policy in Active Directory: https://autologon.microsoftazuread-sso.com

E: Seamless SSO works with any method of cloud authentication - Password Hash Synchronization or Pass-through Authentication, and can be enabled via Azure AD Connect.

References:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start

Every Azure AD directory comes with an initial domain name in the form of domainname.onmicrosoft.com. The initial domain name cannot be changed or deleted, but you can add your corporate domain name to Azure AD as well. For example, your organization probably has other domain names used to do business and users who sign in using your corporate domain name. Adding custom domain names to Azure AD allows you to assign user names in the directory that are familiar to your users, such as ‘alice@contoso.com.’ instead of 'alice@domain name.onmicrosoft.com'.

Scenario:

Network Infrastructure: Each office has a local data center that contains all the servers for that office. Each office has a dedicated connection to the Internet.

Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com

Planned Azure AD Infrastructure: The on-premises Active Directory domain will be synchronized to Azure AD.

References: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain

A Recovery Services vault is a logical container that stores the backup data for each protected resource, such as Azure VMs. When the backup job for a protected resource runs, it creates a recovery point inside the Recovery Services vault.

Scenario:

There are three application tiers, each with five virtual machines.

Move all the virtual machines for App1 to Azure.

Ensure that all the virtual machines for App1 are protected by backups.

References: https://docs.microsoft.com/en-us/azure/backup/quick-backup-vm-portal

Every Azure AD directory comes with an initial domain name in the form of domainname.onmicrosoft.com.

The initial domain name cannot be changed or deleted, but you can add your corporate domain name to Azure AD as well. For example, your organization probably has other domain names used to do business and users who sign in using your corporate domain name. Adding custom domain names to Azure AD allows you to assign user names in the directory that are familiar to your users, such as ‘alice@contoso.com.’ instead of 'alice@domain name.onmicrosoft.com'.

Scenario:

Network Infrastructure: Each office has a local data center that contains all the servers for that office. Each office has a dedicated connection to the Internet.

Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com

Planned Azure AD Infrastructure: The on-premises Active Directory domain will be synchronized to Azure AD.

References:

https://docs.microsoft.com/en-us/azure /active-directory/fundamentals/add-custom-domain

This reference architecture shows how to deploy VMs and a virtual network configured for an N-tier application, using SQL Server on Windows for the data tier.

Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers:

• A SQL database
• A web front end
• A processing middle tier

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

• Technical requirements include:
• Move all the virtual machines for App1 to Azure.
• Minimize the number of open ports between the App1 tiers.

References: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/n-tier/n-tier-sql-server

Change the Service administrator for an Azure subscription

• Sign in to Account Center as the Account administrator.
• Select a subscription.
• On the right side, select Edit subscription details.

Scenario: Designate a new user named Admin1 as the service administrator of the Azure subscription.

References: https://docs.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator

Active Directory Federation Services is a feature and web service in the Windows Server Operating System that allows sharing of identity information outside a company’s network.

Scenario: Technical Requirements include:

Prevent user passwords or hashes of passwords from being stored in Azure.

References: https://www.sherweb.com/bl og/active-directory-federation-services/

Box 1: Selected

Only selected users should be able to join devices

Box 2: Yes

Require Multi-Factor Auth to join devices.

From scenario:

• Ensure that only users who are part of a group named Pilot can join devices to Azure AD
• Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.

Azure Storage Explorer is a free tool from Microsoft that allows you to work with Azure Storage data on Windows, macOS, and Linux. You can use it to upload and download data from Azure blob storage.

Scenario:

Planned Changes include: move the existing product blueprint files to Azure Blob storage.

Technical Requirements include: Copy the blueprint files to Azure over the Internet.

References: https://docs.microsoft.com/en-us/azure/machine-learning/team-data-science-process/move-data-to-azure-blob-using-azure-storage-explorer

As App1 is public-facing we need an incoming security rule, related to the access of the web servers.

Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers: a SQL database, a web front end, and a processing middle tier.

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

Explanation

Scenario:

1. Web administrators will deploy Azure web apps for the marketing department.

2. Each web app will be added to a separate resource group.

3. The initial configuration of the web apps will be identical.

4. The web administrators have permission to deploy web apps to resource groups.

Steps:

1 --> Create a resource group, and then deploy a web app to the resource group.

2 --> From the Automation script blade of the resource group , click Add to Library.

3 --> From the Templates service, select the template, and then share the template to the web administrators .

References:

https://docs. microsoft.com/en-us/azure/azure-resource-manager/templates/quickstart-create-templates-use-the-portal

Statement 1: Yes

Contoso is moving the existing product blueprint files to Azure Blob storage which will ensure that the blueprint files are stored in the archive storage tier.

Use unmanaged standard storage for the hard disks of the virtual machines. We use Page Blobs for these.

Statement 2: No

Azure Table storage stores large amounts of structured data. The service is a NoSQL datastore which accepts authenticated calls from inside and outside the Azure cloud. Azure tables are ideal for storing structured, non-relational data. Common uses of Table storage include:

1. Storing TBs of structured data capable of serving web scale applications

2. Storing datasets that don't require complex joins, foreign keys, or stored procedures and can be denormalized for fast access

3. Quickly querying data using a clustered index

4. Accessing data using the OData protocol and LINQ queries with WCF Data Service .NET Libraries

Statement 3: No

File Storage can be used if your business use case needs to deal mostly with standard File extensions like *.docx, *.png and *.bak then you should probably go with this storage option.

The connection monitor capability in Azure Network Watcher monitors communication at a regular interval and informs you of reachability, latency, and network topology changes between the VM and the endpoint.

Box 1: No

Two methods are required.

Box 2: No

Self-service password reset is only enabled for Group2, and User1 is not a member of Group2.

Box 3: Yes

As a User Administrator User3 can add security questions to the reset process.

References:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/quickstart-sspr

https://docs.m icrosoft.com/en-us/azure/active-directory/authentication/active-directory-passwords-faq

Box 1 : Set-AzureRmVirtualNetworkGatewayDefaultSite

The Set-AzureRmVirtualNetworkGatewayDefaultSite cmdlet assigns a forced tunneling default site to a virtual network gateway. Forced tunneling provides a way for you to redirect Internet-bound traffic from Azure virtual machines to your on-premises network; this enables you to inspect and audit traffic before releasing it. Forced tunneling is carried out by using a virtual private network (VPN) tunnel; this tunnel requires a default site, a local gateway where all the Azure Internet-bound traffic is redirected. Set-AzureRmVirtualNetworkGatewayDefaultSite provides a way to change the default site assigned to a gateway.

Box 2 : 0.0.0.0/0

Forced tunneling must be associated with a VNet that has a route-based VPN gateway. You need to set a "default site" among the cross-premises local sites connected to the virtual network. Also, the on-premises VPN device must be configured using 0.0.0.0/0 as traffic selectors.

  

Forced Tunneling:

The following diagram illustrates how forced tunneling works

Step 1: Deploy an EC2 virtual machine as a configuration server

Prepare source include:

• Use an EC2 instance that's running Windows Server 2012 R2 to create a configuration server and register it with your recovery vault.

• Configure the proxy on the EC2 instance VM you're using as the configuration server so that it can access the service URLs.

Step 2: Install Azure Site Recovery Unified Setup.

Download Microsoft Azure Site Recovery Unified Setup. You can download it to your local machine and then copy it to the VM you're using as the configuration server.

Step 3: Enable replication for VM1.

Enable replication for each VM that you want to migrate. When replication is enabled, Site Recovery automatically installs the Mobility service.

References:

https://docs.microsoft.com/en-us/azure/site-recovery/migrate-tutorial-aws-azure

If you want to live migration from RA-GRS to ZRS, at first you have to Switch the storage tier to LRS and then only you can request a live migration.

You need to change to Basic pricing Tier.

Note: The Free Tier provides 60 CPU minutes / day. This explains why App1 is stops. The Basic tier has no such cap.

References:

https://azure.microsoft.com/en-us/pricing/details/app-service/windows/

Explanation

Modify the Name Server (NS) record.

References:

https://docs.microsoft .com/en-us/azure/dns/dns-delegate-domain-azure-dns

D: Seamless SSO works with any method of cloud authentication - Password Hash Synchronization or Pass-through Authentication, and can be enabled via Azure AD Connect.

B: You can gradually roll out Seamless SSO to your users. You start by adding the following Azure AD URL to all or selected users' Intranet zone settings by using Group Policy in Active Directory: https://autologon.microsoftazuread-sso.com

Statement 1: Yes

All client computers in the Paris office will be joined to an Azure AD domain.

A virtual network named Paris-VNet that will contain two subnets named Subnet1 and Subnet2.

Microsoft Windows Server Active Directory domains, can resolve DNS names between virtual networks. Automatic registration of virtual machines from a virtual network that's linked to a private zone with auto-registration enabled. Forward DNS resolution is supported across virtual networks that are linked to the private zone.

Statement 2: Yes

A virtual network named ClientResources-VNet that will contain one subnet named ClientSubnet You plan to create a private DNS zone named humongousinsurance.local and set the registration network to the ClientResources-VNet virtual network.

As this is a registration network so this will work.

Statement 3: No

Only VMs in the registration network, here the ClientResources-VNet, will be able to register hostname records. Since Subnet4 not connected to Client Resources Network thus not able to register its hostname with humongoinsurance.local

Application Security Group can be associated with NICs.

References:

https://docs.microsoft.com/en-us/azure/virtua l-network/security-overview#application-security-groups

Your account must meet one of the following to enable traffic analytics:

Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or network contributor.

Graphical user interface, text, application, email Description automatically generated

Box 1: No

The Azure Policy will add Tag4 to RG1.

Box 2: No

Tags applied to the resource group or subscription aren't inherited by the resources although you can enable inheritance with Azure Policy. Storage1 has Tag3: Value1 and the Azure Policy will add Tag4.

Box 3: No

Tags applied to the resource group or subscription aren't inherited by the resources so VNET1 does not have Tag2.

VNET1 has Tag3:value2. VNET1 is excluded from the Azure Policy so Tag4 will not be added to VNET1.

In Project Details, specify the project name, and geography in which you want to create the project. Review supported geographies for public and government clouds.

        

References:

https://docs.microsoft.com/en-us/azu re/migrate/how-to-add-tool-first-time

Not VM1 because it has BitLocker enabled.

Not VM2 because the OS disk is larger than 2TB.

Not VMC because the Data disk is larger than 4TB.

References:

https://docs.microsoft.com/en-us/azure/site-r ecovery/hyper-v-azure-support-matrix#azure-vm-requirements

…

"storageProfile": {

"imageReference": {

"publisher": "MicrosoftWindowsServer",

"offer": "WindowsServer",

"sku": "2016-Datacenter",

"version": "latest"

},

…

References:

https:// docs.microsoft.com/en-us/rest/api/compute/virtualmachines/createorupdate

This is an excerpt from the official documentation in the section "Reverse DNS Considerations" Form : https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances#dns-client-configuration [... " - All PTR queries for IP addresses of virtual machines will return FQDNs of form [vmname].internal.cloudapp.net - Forward lookup on FQDNs of form [vmname].internal.cloudapp.net will resolve to IP address assigned to the virtual machine. - If the virtual network is linked to an Azure DNS private zones as a registration virtual network, the reverse DNS queries will return two records. One record will be of the form [vmname].[privatednszonename] and the other will be of the form [vmname].internal.cloudapp.net "...]

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances

Vm1 is in Pool1. Rule2 applies to Pool1, Listener 2, and site2.contoso.com

When moving a virtual network, you must also move its dependent resources. For example, you must move gateways with the virtual network. VM W10, which is in Vnet1, is not a dependent resource.

The Microsoft Azure Data Box cloud solution lets you send terabytes of data into and out of Azure in a quick, inexpensive, and reliable way.

https://docs.microsoft.com/en-us/azure/databox/data-box-overview

Box 1: 4

Two public IP addresses in the on-premises data center, and two public IP addresses in the VNET.

The most reliable option is to combine the active-active gateways on both your network and Azure, as shown in the diagram below.

Box 2: 2

Every Azure VPN gateway consists of two instances in an active-standby configuration. For any planned maintenance or unplanned disruption that happens to the active instance, the standby instance would take over (failover) automatically, and resume the S2S VPN or VNet-to-VNet connections.

Box 3: 2

Dual-redundancy: active-active VPN gateways for both Azure and on-premises networks

Text Description automatically generated

A Backend Pool configured by IP address has the following limitations:

• Standard load balancer only

DC1 : Not supported as it is Gen2 and OS disk size is greater than 300 GB

FS1 : Not supported as it is Gen2 and  Linux VM. Linux Generation 2 VMs aren't supported.

CA1 : Not supported as bitlocker is enabled. BitLocker must be disabled before you enable replication for a VM.

SQL1: Supported

Statement 1: Yes

If you add an Azure file share that has an existing set of files as a cloud endpoint to a sync group, the existing files are merged with any other files that are already on other endpoints in the sync group.

Statement 2: No

Files present in any server endpoint will not be overwritten by the files present in cloud endpoint. Hence this statement is false.

If you add a server location with an existing set of files as a server endpoint to a sync group, those files will be merged with any other files already on other endpoints in the sync group but not vice versa.

Statement 3: Yes

Azure File Sync has a simple architecture : cloud endpoints, which is the Azure File Sync service and server endpoints, which are the registered servers with the service. On top of that, we have Sync Groups, which combine one cloud endpoint with one or more server endpoints. All members of this group will receive the replicated data where the central location will be the cloud endpoint.

References:

https://docs. microsoft.com/en-us/azure/storage/files/storage-sync-files-planning

http:// techgenix.com/azure-file-sync-replicating-data/

A Site-to-Site VPN gateway connection can be used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel.

This type of connection requires a VPN device, a VPN gateway, located on-premises that has an externally facing public IP address assigned to it.

AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage account.

Installing Azure CLI doesn't mean that Azure Kubernates client is installed. So before running kubectl client command, you have install kubectl, the Kubernetes command-line client.

First need to run az aks install-cli to install Kubernetes CLI, which is kubectl

Box1 : 10.0.0.0/16

Address prefix in networking refer to the destination IP address range. In this scenario, destination is Vnet1 , hence Address prefix will be the address space of Vnet1.

Box 2 : Virtual appliance

Next hop gets the next hop type and IP address of a packet from a specific VM and NIC. Knowing the next hop helps you determine if traffic is being directed to the intended destination, or whether the traffic is being sent nowhere

Next Hop --> VM1 --> Virtual Appliance (You can specify IP address of VM 1 when configuring next hop as virtual appliance)

Box 3 : GatewaySubnet

In the scenario it is asked for all the inbound traffic to Vnet1. Inbound traffic is flowing through SubnetGW. You need to route all inbound traffic from the VPN gateway to VNet1 through VM1.So its traffic from Gateway subnet only.

Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to an Azure datacenter.

References:

https://docs.micro soft.com/en-us/azure/storage/common/storage-import-export-service

1. Select the resource group (Here RG1)  you want to examine.

2. Select the link under Deployments.

3. Select one of the deployments from the deployment history.

4. You will see a history of deployment for the resource group, including the correlation ID.

https://docs.microsoft.com/d e-de/azure/virtual-machines/windows/tutorial-availability-sets

Each zone is made up of one or more datacenters equipped with independent power, cooling, and networking. To ensure resiliency, there are a minimum of three separate zones in all enabled regions.

Statement 1 : Basic load balancer supports Virtual machine in a single Availability set or virtual machine scale set (VMSS) only . Hence this statement is correct.

Statement 2 : Basic load balancer supports Virtual machine in a single Availability set or virtual scale set only or one standalone VM. VM3 and VM4 are not part of any availability set or VMSS .Hence this statement is incorrect.

Statement 3 :  Basic load balancer supports Virtual machine in a single Availability set or virtual scale set only or one standalone VM. VM5 and VM6 are not part of any availability set or VMSS .Hence this statement is incorrect.

References:

https://docs.microsoft.com/en-us/azure/load-balancer/load -balancer-overview

The IT Service Management Connector (ITSMC) allows you to connect Azure and a supported IT Service Management (ITSM) product/service, such as the Microsoft System Center Service Manager.

With ITSMC, you can create work items in ITSM tool, based on your Azure alerts (metric alerts, Activity Log alerts and Log Analytics alerts).

References:

https://docs.microsoft.com/en- us/azure/azure-monitor/platform/itsmc-overview

Box 1 = max value

Box 2 = 20

Explanation

Use max for platformFaultDomainCount

2 or 3 is max value, depending on which region you are in.

Use 20 for platformUpdateDomainCount

Increasing the update domain (platformUpdateDomainCount) helps with capacity and availability planning when the platform reboots nodes. A higher number for the pool (20 is max) means that fewer of their nodes in any given availability set would be rebooted at once.

References:

https://www.i tprotoday.com/microsoft-azure/check-if-azure-region-supports-2-or-3-fault-domains-managed-disks

https://github.com/Azure/acs-engine/issues/1030

Explanation

From the RG1 blade, click Deployments. You see a history of deployment for the resource group.

Box 1: 60

One alert per minute will trigger one email per minute.

Box 2: 12

No more than 1 SMS every 5 minutes can be send, which equals 12 per hour.

Note: Rate limiting is a suspension of notifications that occurs when too many are sent to a particular phone number, email address or device. Rate limiting ensures that alerts are manageable and actionable.

The rate limit thresholds are:

SMS: No more than 1 SMS every 5 minutes.

Voice: No more than 1 Voice call every 5 minutes.

Email: No more than 100 emails in an hour.

Other actions are not rate limited.

References:

https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/monitoring-and-diagnostics/monitoring-overview-alerts.md

Installing Azure CLI doesn't mean that Azure Kubernates client is installed. So before running kubectl client command, you have install kubectl, the Kubernetes command-line client.

First need to run az aks install-cli to install Kubernetes CLI, which is kubectl

Resource Group location of VMSS1 is the RG2 location, which is West US.

Only Proximity2, which also in RG2, is location in West US

Box 1: No

Azure DNS provides automatic registration of virtual machines from a single virtual network that's linked to a private zone as a registration virtual network. VM5 does not belong to the registration virtual network though.

Box 2: No

Forward DNS resolution is supported across virtual networks that are linked to the private zone as resolution virtual networks. VM5 does belong to a resolution virtual network.

Box 3: Yes

VM6 belongs to registration virtual network, and an A (Host) record exists for VM9 in the DNS zone.

By default, registration virtual networks also act as resolution virtual networks, in the sense that DNS resolution against the zone works from any of the virtual machines within the registration virtual network.

References: https://docs.microsoft.com/en-us/azure/dns/private-dns-overview

Azure Backup supports backup of 64-bit Windows server operating system from Windows Server 2008.

Azure Backup supports backup of 64-bit Windows 10 operating system.

Azure Backup supports backup of 64-bit Ubuntu Server operating system from Ubuntu 12.04.

Azure Backup supports backup of VM that are shutdown or offline.

NSG flow log data is written to an Azure Storage account. You need to create an Azure Storage account, With an Azure Storage account NSG flow logs can be enabled.

Enable network watcher in the East US region.

NSG flow logging requires the Microsoft.Insights provider.

References:

https://docs.microsoft.c om/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal

When deploying a virtual machine from a template, you must specify:

• the Resource Group name and location for the VM
• the administrator username and password
• an unique DNS name for the public IP

Box 1: "tag1": "value1" only

Box 2: "tag2": "value2" and "tag3": "value3"

Tags applied to the resource group are not inherited by the resources in that resource group.

References:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags

You can provide authorization credentials by using Azure Active Directory (AD), or by using a Shared Access Signature (SAS) token.

Box 1:

Both Azure Active Directory (AD) and Shared Access Signature (SAS) token are supported for Blob storage.

Box 2:

Only Shared Access Signature (SAS) token is supported for File storage.

The Not allowed resource types Azure policy prohibits the deployment of specified resource types. You specify an array of the resource types to block.

Virtual Networks and Virtual Machines are prohibited.

You can't delete a Recovery Services vault if it is registered to a server and holds backup data. If you try to delete a vault, but can't, the vault is still configured to receive backup data.

Remove vault dependencies and delete vault

In the vault dashboard menu, scroll down to the Protected Items section, and click Backup Items. In this menu, you can stop and delete Azure File Servers, SQL Servers in Azure VM, and Azure virtual machines.

References: https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault

The virtual machines are registered (added) to the private zone as A records pointing to their private IP addresses.

Box 1 : VM1 and VM2 only

When recovering files, you can't restore files to a previous or future operating system version.You can restore files from a VM to the same server operating system, or to the compatible client operating system. Therefore -

"VM1 and VM2 only" is the best answer since both run on Windows Server 2016.

"A new Azure virtual machine only" ,this will also work but why to create unnecessary new VM in Azure if existing VM will do the task. So this option is incorrect.

Box 2 :  VM1 or A new Azure virtual machine only

When restoring a VM, you can't use the replace existing VM option for encrypted VMs. This option is only supported for unencrypted managed disks. And also You can restore files from a VM to the same server operating system, or to the compatible client operating system only. Hence "VM1 or A new Azure virtual machine only" is correct answer.

References:

https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms

https://docs.microsof t.com/en-us/azure/backup/backup-azure-restore-files-from-vm#system-requirements