AZ-104 Exam Dumps - Microsoft Azure Administrator

Box 1: Create a Recovery Services vault

Create a Recovery Services vault on the Azure Portal.

Box 2: Install the Azure Site Recovery Provider

Azure Site Recovery can be used to manage migration of on-premises machines to Azure.

Scenario: Migrate the virtual machines hosted on Server1 and Server2 to Azure.

Server2 has the Hyper-V host role.

References:

https://docs.microsoft.com/en-us/azure/site-recovery/migrate-tutorial-on-premises-azure

Technically, The finance department needs to migrate their users from AD to AAD using AADC based on the finance OU, and need to enforce MFA use. This is conditional access policy. Employees also often get promotions and/or join other departments and when that occurs, the user's OU attribute will change when the admin puts the user in a new OU, and the dynamic group conditional access exception (OU= [Department Name Value]) will move the user to the appropriate dynamic group on next AADC delta sync.

https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership

https://docs.microsoft.com/en-us/azure/active-directory/co nditional-access/overview

https://docs.microsoft.com/en-us/az ure/active-directory/authentication/howto-mfa-userstates

Statement 1: Yes

Contoso is moving the existing product blueprint files to Azure Blob storage which will ensure that the blueprint files are stored in the archive storage tier.

Use unmanaged standard storage for the hard disks of the virtual machines. We use Page Blobs for these.

Statement 2: No

Azure Table storage stores large amounts of structured data. The service is a NoSQL datastore which accepts authenticated calls from inside and outside the Azure cloud. Azure tables are ideal for storing structured, non-relational data. Common uses of Table storage include:

1. Storing TBs of structured data capable of serving web scale applications

2. Storing datasets that don't require complex joins, foreign keys, or stored procedures and can be denormalized for fast access

3. Quickly querying data using a clustered index

4. Accessing data using the OData protocol and LINQ queries with WCF Data Service .NET Libraries

Statement 3: No

File Storage can be used if your business use case needs to deal mostly with standard File extensions like *.docx, *.png and *.bak then you should probably go with this storage option.

A white background with black text Description automatically generated

Statement 1: Yes

All client computers in the Paris office will be joined to an Azure AD domain.

A virtual network named Paris-VNet that will contain two subnets named Subnet1 and Subnet2.

Microsoft Windows Server Active Directory domains, can resolve DNS names between virtual networks. Automatic registration of virtual machines from a virtual network that's linked to a private zone with auto-registration enabled. Forward DNS resolution is supported across virtual networks that are linked to the private zone.

Statement 2: Yes

A virtual network named ClientResources-VNet that will contain one subnet named ClientSubnet You plan to create a private DNS zone named humongousinsurance.local and set the registration network to the ClientResources-VNet virtual network.

As this is a registration network so this will work.

Statement 3: No

Only VMs in the registration network, here the ClientResources-VNet, will be able to register hostname records. Since Subnet4 not connected to Client Resources Network thus not able to register its hostname with humongoinsurance.local

D: Seamless SSO works with any method of cloud authentication - Password Hash Synchronization or Pass-through Authentication, and can be enabled via Azure AD Connect.

B: You can gradually roll out Seamless SSO to your users. You start by adding the following Azure AD URL to all or selected users' Intranet zone settings by using Group Policy in Active Directory: https://autologon.microsoftazuread-sso.com

Every Azure AD directory comes with an initial domain name in the form of domainname.onmicrosoft.com.

The initial domain name cannot be changed or deleted, but you can add your corporate domain name to Azure AD as well. For example, your organization probably has other domain names used to do business and users who sign in using your corporate domain name. Adding custom domain names to Azure AD allows you to assign user names in the directory that are familiar to your users, such as ‘alice@contoso.com.’ instead of 'alice@domain name.onmicrosoft.com'.

Scenario:

Network Infrastructure: Each office has a local data center that contains all the servers for that office. Each office has a dedicated connection to the Internet.

Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com

Planned Azure AD Infrastructure: The on-premises Active Directory domain will be synchronized to Azure AD.

References:

https://docs.microsoft.com/en-us/azure /active-directory/fundamentals/add-custom-domain

Once the VNets are peered, all resources on one VNet can communicate with resources on the other peered VNets. You plan to enable peering between Paris-VNet and AllOffices-VNet. Therefore VMs on Subnet1, which is on Paris-VNet and VMs on Subnet3, which is on AllOffices-VNet will be able to connect to each other.

All Azure resources connected to a VNet have outbound connectivity to the Internet by default. Therefore VMs on ClientSubnet, which is on ClientResources-VNet will have access to the Internet; and VMs on Subnet3 and Subnet4, which are on AllOffices-VNet will have access to the Internet.

IdFix is used to perform discovery and remediation of identity objects and their attributes in an on-premises Active Directory environment in preparation for migration to Azure Active Directory. IdFix is intended for the Active Directory administrators responsible for directory synchronization with Azure Active Directory.

Scenario: Active Directory Issue

Several users in humongousinsurance.com have UPNs that contain special characters.

You suspect that some of the characters are unsupported in Azure AD.

References: https://www.microsoft.com/en -us/download/details.aspx?id=36832

B: You can gradually roll out Seamless SSO to your users. You start by adding the following Azure AD URL to all or selected users' Intranet zone settings by using Group Policy in Active Directory: https://autologon.microsoftazuread-sso.com

E: Seamless SSO works with any method of cloud authentication - Password Hash Synchronization or Pass-through Authentication, and can be enabled via Azure AD Connect.

References:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start

You can opt in and configure additional recipients to receive your Azure invoice in an email. This feature may not be available for certain subscriptions such as support offers, Enterprise Agreements, or Azure in Open.

• Select your subscription from the Subscriptions page. Opt-in for each subscription you own. Click Invoices then Email my invoice.A screenshot of a computer Description automatically generated
• Click Opt in and accept the terms.

Scenario: During the testing phase, auditors in the finance department must be able to review all Azure costs from the past week.

References: https://docs.microsoft.com/en-us/azure/billing/billing-download-azure-invoice-daily-usage-date

Scenario: Licensing Issue

1. You attempt to assign a license in Azure to several users and receive the following error message: "Licenses not assigned. License agreement failed for one user."

2. You verify that the Azure subscription has the available licenses.

Solution:

License cannot be assigned to a user without a usage location specified.

Some Microsoft services aren't available in all locations because of local laws and regulations. Before you can assign a license to a user, you must specify the Usage location property for the user. You can specify the location under the User > Profile > Settings section in the Azure portal.

Explanation

A screenshot of a computer Description automatically generated

Scenario:

1. Web administrators will deploy Azure web apps for the marketing department.

2. Each web app will be added to a separate resource group.

3. The initial configuration of the web apps will be identical.

4. The web administrators have permission to deploy web apps to resource groups.

Steps:

1 --> Create a resource group, and then deploy a web app to the resource group.

2 --> From the Automation script blade of the resource group , click Add to Library.

3 --> From the Templates service, select the template, and then share the template to the web administrators .

References:

https://docs. microsoft.com/en-us/azure/azure-resource-manager/templates/quickstart-create-templates-use-the-portal

Every Azure AD directory comes with an initial domain name in the form of domainname.onmicrosoft.com. The initial domain name cannot be changed or deleted, but you can add your corporate domain name to Azure AD as well. For example, your organization probably has other domain names used to do business and users who sign in using your corporate domain name. Adding custom domain names to Azure AD allows you to assign user names in the directory that are familiar to your users, such as ‘alice@contoso.com.’ instead of 'alice@domain name.onmicrosoft.com'.

Scenario:

Network Infrastructure: Each office has a local data center that contains all the servers for that office. Each office has a dedicated connection to the Internet.

Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com

Planned Azure AD Infrastructure: The on-premises Active Directory domain will be synchronized to Azure AD.

References: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain

Cost analysis: Correct Option

In cost analysis blade of Azure, you can see all the detail for custom time span. You can use this to determine expenditure of last few day, weeks, and month. Below options are available in Cost analysis blade for filtering information by time span:  last 7 days, last 30 days, and custom date range. Choosing the first option (last 7 days) auditors can view the costs by time span.

Cost analysis shows data for the current month by default. Use the date selector to switch to common date ranges quickly. Examples include the last seven days, the last month, the current year, or a custom date range. Pay-as-you-go subscriptions also include date ranges based on your billing period, which isn't bound to the calendar month, like the current billing period or last invoice. Use the <PREVIOUS and NEXT> links at the top of the menu to jump to the previous or next period, respectively. For example, <PREVIOUS will switch from the Last 7 days to 8-14 days ago or 15-21 days ago.

A screenshot of a calendar Description automatically generated

Invoice: Incorrect Option

Invoices can only be used for past billing periods not for current billing period, i.e. if your requirement is to know the last week's cost then that also not filled by invoices because Azure  generates invoice at the end of the month. Even though Invoices have custom timespan, but when you put in dates for a week, the pane would be empty. Below is from Microsoft document:

A screenshot of a computer screen Description automatically generated

Resource Provider: Incorrect Option

When deploying resources, you frequently need to retrieve information about the resource providers and types. For example, if you want to store keys and secrets, you work with the Microsoft.KeyVault resource provider. This resource provider offers a resource type called vaults for creating the key vault. This is not useful for reviewing all Azure costs from the past week which is required for audit.

Payment method: Incorrect Option

Payment methods is not useful for reviewing all Azure costs from the past week which is required for audit.

Table Description automatically generated

https://learn.microsoft.com/en-us/azure/backup/backup-azure-files?tabs=backup-center

https://learn.microsoft.com/en-us/azure/backup/backup-azure-vms-first-look-arm#back-up-from-azure-vm-settings

Graphical user interface, text, application Description automatically generated

Graphical user interface, text, application, email Description automatically generated

Allowed resources types: Objects (access by name)

Allowed Permissions: Read (you need download) and List (you need to see the object to read it)

No, this does not meet the goal. Assigning a built-in policy definition to the subscription is not enough to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks. This is because there is no built-in policy definition that matches this requirement. The closest built-in policy definition is “Network security groups should not allow unrestricted inbound traffic on well-known ports”, but this policy only blocks TCP port 80 and 443, not 80801.

To meet the goal, you need to create a custom policy definition that enforces a default security rule for NSGs. A policy definition is a set of rules and actions that Azure performs when evaluating your resources2. You can use a policy definition to specify the required properties and values for NSGs, such as the direction, protocol, source, destination, and port of the security rule. You can then assign the policy definition to the subscription scope, so that it applies to all the resource groups and virtual networks in the subscription.

A close-up of a person's face Description automatically generated

In this case, you have two alert rules: Alert1 and Alert2. Alert1 has a scope of RG1, which means it applies to all the resources in the resource group named RG1. Alert1 has a condition of All Administrative operations, which means it triggers when any administrative operation is performed on the resources in RG1. An administrative operation is any operation that changes the configuration or state of a resource, such as creating, deleting, updating, or restarting.

Alert2 has a scope of VM1, which means it applies only to the virtual machine named VM1. Alert2 also has a condition of All Administrative operations, which means it triggers when any administrative operation is performed on VM1.

Now, let’s see which alert rules are triggered by each user.

User1 creates a new virtual disk and attaches the disk to VM1. This is an administrative operation on VM1, so it triggers Alert2. However, it does not trigger Alert1, because the new disk is not part of RG1. Therefore, the correct answer for User1 is C. Only Alert2 is triggered.

User2 creates a new resource tag and assigns the tag to RG1 and VM1. This is also an administrative operation on both RG1 and VM1, so it triggers both Alert1 and Alert2. Therefore, the correct answer for User2 is D. Alert1 and Alert2 are triggered.

If you define more than one action on the same blob, lifecycle management applies the least expensive action to the blob. For example, action delete is cheaper than action tierToArchive. Action tierToArchive is cheaper than action tierToCool. https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-overview

Box 1 : Containers will get the IP address from the virtual network subnet CIDr which is 10.244.0.0/16

Box 2 : Services in the AKS cluster will be assigned an IP address in the service CIDR which is 10.0.0.0/16

Box 1: 2

There are 10 update domains. The 14 VMs are shared across the 10 update domains so four update domains will have two VMs and six update domains will have one VM. Only one update domain is rebooted at a time.

Therefore, a maximum of two VMs will be offline.

Box 2: 7

There are 2 fault domains. The 14 VMs are shared across the 2 fault domains, so 7 VMs in each fault domain.

A rack failure will affect one fault domain so 7 VMs will be offline.

A white background with black text Description automatically generated

https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles#:~:text=The%20User%20Access%20Administrator%20role%20enables%20the%20user%20to%20grant,Azure%20subscriptions%20and%20management%20groups .

A virtual machine scale set is a group of identical virtual machines that are automatically distributed across fault domains and update domains in one or more placement groups1. A fault domain is a logical group of underlying hardware that share a common power source and network switch, and a failure in one fault domain will not affect virtual machines in other fault domains2. An update domain is a logical group of underlying hardware that can undergo maintenance or be rebooted at the same time3.

By creating a virtual machine scale set with 12 instances, you can ensure that App1 has high availability and scalability. You can configure the scale set to have a minimum number of instances that must always be running, and a maximum number of instances that can be scaled up or down based on demand or a schedule. You can also configure the scale set to use automatic OS image upgrades, which will apply updates to the virtual machines in batches, ensuring that at least one instance is always running during the upgrade process.

All three VMs are in VNET2. Auto registration is enabled for private Azure DNS zone named contoso.com, which is linked to VNET2. So, VM1, VM2 and VM3 will auto-register their host records to contoso.com.

None of the VM will auto-register to the public Azure DNS zone named adatum.com. You cannot register private IPs on the internet (adatum.com)

Box 1: Yes

Auto registration is enabled for private Azure DNS zone named contoso.com.

Box 2: Yes

Auto registration is enabled for private Azure DNS zone named contoso.com.

Box 3: No

None of the VM will auto-register to the public Azure DNS zone named adatum.com

Graphical user interface, text, application Description automatically generated

A screenshot of a computer Description automatically generated

Box 1: Create a virtual network gateway and a local network gateway.

Azure VPN gateway. The VPN gateway service enables you to connect the VNet to the on-premises network through a VPN appliance. For more information, see Connect an on-premises network to a Microsoft Azure virtual network. The VPN gateway includes the following elements:

• Virtual network gateway. A resource that provides a virtual VPN appliance for the VNet. It is responsible for routing traffic from the on-premises network to the VNet.
• Local network gateway. An abstraction of the on-premises VPN appliance. Network traffic from the cloud application to the on-premises network is routed through this gateway.
• Connection. The connection has properties that specify the connection type (IPSec) and the key shared with the on-premises VPN appliance to encrypt traffic.
• Gateway subnet. The virtual network gateway is held in its own subnet, which is subject to various requirements, described in the Recommendations section below.

Box 2: Configure a site-to-site VPN connection

On premises create a site-to-site connection for the virtual network gateway and the local network gateway.

A diagram of a computer network Description automatically generated

Scenario: Connect the New York office to VNet1 over the Internet by using an encrypted connection.

To ensure that User1 can deploy virtual machines and manage virtual networks, you need to assign an RBAC role that grants the necessary permissions to perform these tasks. The solution must also use the principle of least privilege, which means that you should only grant the minimum level of access required to accomplish the goal.

Based on these requirements, the best RBAC role to assign to User1 is D. Virtual Machine Contributor. This role allows User1 to create and manage virtual machines, disks, snapshots, and network interfaces. It also allows User1 to connect virtual machines to existing virtual networks and subnets. However, it does not allow User1 to create or delete virtual networks or subnets, or to access the virtual machines themselves. This role follows the principle of least privilege by limiting User1’s access to only the resources and actions that are relevant to deploying virtual machines and managing virtual networks1.

Azure DNS supports importing and exporting zone files by using the Azure command-line interface (CLI). Zone file import is not currently supported via Azure PowerShell or the Azure portal.

References: https://docs.microsoft.com/en-us/azure/dns/dns-import-export

Based on the file named Deploy.json and the cmdlet you ran, here are the answers to your statements:

• You can deploy a virtual machine to RGI. = No
• You can deploy a virtual machine to RG2. = No
• You can manually create a resource group named RG3. = Yes

Let me explain why:

• The Deploy.json file defines a template for creating a resource group and a virtual machine in Azure. The template has two parameters: resourceGroupName and vmName. The template also has two resources: one for the resource group and one for the virtual machine. The resource group resource has a property called name, which is set to the value of the resourceGroupName parameter. The virtual machine resource has a property called location, which is set to the value of the location parameter of the deployment cmdlet.
• The cmdlet you ran specifies the location as westus and the template file as Deploy.json. However, it does not specify any values for the resourceGroupName and vmName parameters. Therefore, the cmdlet will prompt you to enter those values interactively before creating the deployment.
• If you enter RGI as the value for the resourceGroupName parameter and VM1 as the value for the vmName parameter, then the cmdlet will create a resource group named RGI and a virtual machine named VM1 in the westus location. Therefore, you can deploy a virtual machine to RGI.
• However, if you enter RG2 as the value for the resourceGroupName parameter, then the cmdlet will fail with an error. This is because RG2 already exists in your subscription and you cannot create a resource group with the same name as an existing one. Therefore, you cannot deploy a virtual machine to RG2 using this template and cmdlet.
• You can manually create a resource group named RG3 by using another cmdlet: New-AzResourceGroup. This cmdlet takes two parameters: Name and Location. For example, you can run the following cmdlet to create a resource group named RG3 in westus:

New-AzResourceGroup -Name RG3 -Location westus

https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=powershell#send-to-log-analytics-workspace Send the activity log to a Log Analytics workspace to enable the Azure Monitor Logs feature, where you: - Consolidate log entries from multiple Azure subscriptions and tenants into one location for analysis together.

NET Core 3.0: Windows and Linux ASP .NET V4.7: Windows only PHP 7.3: Windows and Linux Ruby 2.6: Linux only Also, you can’t use Windows and Linux Apps in the same App Service Plan, because when you create a new App Service plan you have to choose the OS type. You can't mix Windows and Linux apps in the same App Service plan. So, you need 2 ASPs. Reference: https://docs.microsoft.com/en-us/azure/app-service/overview

Box1 = To minimize the network costs of accessing adatum22, modify the Default routing tier setting. 

Explanation: The default routing tier setting determines how network traffic is routed from the internet to the storage account. By default, the Microsoft global network routing option is selected, which means that traffic is routed over the Microsoft global network for the bulk of its path, maximizing network performance and reliability. However, this option also incurs network charges for data transfer between different Azure regions. The internet routing option, on the other hand, minimizes the traversal of traffic over the Microsoft global network, handing it off to the transit ISP at the earliest opportunity. This option lowers networking costs, but may compromise network performance and reliability. Therefore, to minimize the network costs of accessing adatum22, which is located in the East US region, from the West US region, you should modify the default routing tier setting to use internet routing instead of Microsoft global network routing. For more information, see Network routing preference for Azure Storage.

Box2 = Encryption Type

https://learn.microsoft.com/en-us/azure/storage/common/infrastructure-encryption-enable?tabs=portal

A white paper with black text Description automatically generated