Improve AZ-104 Study Guides 2021

NEW QUESTION 1

You have an Azure subscription that contains an Azure Directory (Azure AD) tenant named contoso.com. The tenant is synced to the on-premises Active Directory domain. The domain contains the users shown in the following table.

You enable self-service password reset (SSPR) for all users and configure SSPR to have the following authentication methods:
Number of methods required to reset: 2
Methods available to users: Mobile phone, Security questions
Number of questions required to register: 3
Number of questions required to reset: 3 You select the following security questions:
What is your favorite food?
In what city was your first job?
What was the name of your first pet?
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Box 1: No
Administrator accounts are special accounts with elevated permissions. To secure them, the following restrictions apply to changing passwords of administrators:
On-premises enterprise administrators or domain administrators cannot reset their password through
Self-service password reset (SSPR). They can only change their password in their on-premises environment. Thus, we recommend not syncing on-prem AD admin accounts to Azure AD.
An administrator cannot use secret Questions & Answers as a method to reset password. Box 2: Yes
Self-service password reset (SSPR) is an Azure Active Directory feature that enables employees to reset their passwords without needing to contact IT staff.
Box 3: Yes References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment

NEW QUESTION 2

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site connection uses a self-signed certificate.
From Azure, you download and install the VPN client configuration package on a computer named Computer2.
You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2. Solution: On Computer2, you set the Startup type for the IPSec Policy Agent service to Automatic.
Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation:
Instead export the client certificate from Computer1 and install the certificate on Computer2.
Note: Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails.
References:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site

NEW QUESTION 3

You need to meet the technical requirement for VM4. What should you create and configure?

• A. an Azure Notification Hub
• B. an Azure Event Hub
• C. an Azure Logic App
• D. an Azure services Bus

Answer: B

Explanation:
Scenario: Create a workflow to send an email message when the settings of VM4 are modified.
You can start an automated logic app workflow when specific events happen in Azure resources or third-party resources. These resources can publish those events to an Azure event grid. In turn, the event grid pushes those events to subscribers that have queues, webhooks, or event hubs as endpoints. As a subscriber, your logic app can wait for those events from the event grid before running automated workflows to perform tasks - without you writing any code.
References:
https://docs.microsoft.com/en-us/azure/event-grid/monitor-virtual-machine-changes-event-grid-logic-app

NEW QUESTION 4

You have an Azure subscription that contains a storage account named account1.
You plan to upload the disk files of a virtual machine to account1 from your on-premises network. The on-premises network uses a public IP address space of 131.107.1.0/24.
You plan to use the disk files to provision an Azure virtual machine named VM1. VM1 will be attached to a virtual network named VNet1. VNet1 uses an IP address space of 192.168.0.0/24.
You need to configure account1 to meet the following requirements:
Ensure that you can upload the disk files to account1.
Ensure that you can attach the disks to VM1.
Prevent all other access to account1.
Which two actions should you perform? Each correct selection presents part of the solution.
NOTE: Each correct selection is worth one point.

• A. From the Firewalls and virtual networks blade of account1, add the 131.107.1.0/24 IP address range.
• B. From the Firewalls and virtual networks blade of account1, select Selected networks.
• C. From the Firewalls and virtual networks blade of acount1, add VNet1.
• D. From the Firewalls and virtual networks blade of account1, select Allow trusted Microsoft services to access this storage account.
• E. From the Service endpoints blade of VNet1, add a service endpoint.

Answer: BE

Explanation:
B: By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action.
Azure portal
Navigate to the storage account you want to secure.
Click on the settings menu called Firewalls and virtual networks.
To deny access by default, choose to allow access from 'Selected networks'. To allow traffic from all networks, choose to allow access from 'All networks'.
Click Save to apply your changes. E: Grant access from a Virtual Network
Storage accounts can be configured to allow access only from specific Azure Virtual Networks.
By enabling a Service Endpoint for Azure Storage within the Virtual Network, traffic is ensured an optimal route to the Azure Storage service. The identities of the virtual network and the subnet are also transmitted with each request.
References: https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security

NEW QUESTION 5

You have an Azure subscription named Sub1.
You plan to deploy a multi-tiered application that will contain the tiers shown in the following table.

You need to recommend a networking solution to meet the following requirements:
Ensure that communication between the web servers and the business logic tier spreads equally across the virtual machines.
Protect the web servers from SQL injection attacks.
Which Azure resource should you recommend for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Box 1: an internal load balancer
Azure Internal Load Balancer (ILB) provides network load balancing between virtual machines that reside inside a cloud service or a virtual network with a regional scope.
Box 2: an application gateway that uses the WAF tier
Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted
by malicious attacks that exploit commonly known vulnerabilities. References:
https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview

NEW QUESTION 6

You need to use Azure Automation State Configuration to manage the ongoing consistency of virtual machine configurations.
Which five actions should you perform in sequence? To answer, move the appropriate action from the list of actions to the answer area and arrange them in the correct order.
NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Step 1: Upload a configuration to Azure Automation State Configuration. Import the configuration into the Automation account.
Step 2: Compile a configuration into a node configuration.
A DSC configuration defining that state must be compiled into one or more node configurations (MOF document), and placed on the Automation DSC Pull Server.
Step 3: Onboard the virtual machines to Azure Automation State Configuration. Onboard the Azure VM for management with Azure Automation State Configuration Step 4: Assign the node configuration
Step 5: Check the compliance status of the node
Each time Azure Automation State Configuration performs a consistency check on a managed node, the node sends a status report back to the pull server. You can view these reports on the page for that node.
On the blade for an individual report, you can see the following status information for the corresponding consistency check:
The report status — whether the node is "Compliant", the configuration "Failed", or the node is "Not Compliant"
References:
https://docs.microsoft.com/en-us/azure/automation/automation-dsc-getting-started

NEW QUESTION 7

You have an Azure subscription named Subscription1 that contains the resources in the following table.
You install the Web Server server role (IIS) on WM1 and VM2, and then add VM1 and VM2 to LB1. LB1 is configured as shown in the LB1 exhibit. (Click the Exhibit button.)

Rule1 is configured as shown in the Rule1 exhibit. (Click the Exhibit button.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:

NEW QUESTION 8

You need to implement Role1.
Which command should you run before you create Role1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:

NEW QUESTION 9

You have Azure virtual machines that run Windows Server 2021 and are configured as shown in the following table.

You create a public Azure DNS zone named adatum.com and a private Azure DNS zone named contoso.com.
For contoso.com, you create a virtual network link named link1 as shown in the exhibit. (Click the Exhibit tab.)

You discover that VM1 can resolve names in contoso.com but cannot resolve names in adatum.com.
VM1 can resolve other hosts on the internet.
You need to ensure that VM1 can resolve host names in adatum.com. What should you do?

• A. Update the DNS suffix on VM1 to be adatum.com.
• B. Create an SRV record in the contoso.com zone.
• C. Configure the name servers for adatum.com at the domain registrar.
• D. Modify the Access control (IAM) settings for link1.

Answer: D

NEW QUESTION 10

You discover that VM3 does NOT meet the technical requirements. You need to verify whether the issue relates to the NSGs.
What should you use?

• A. Diagram in VNet1
• B. the security recommendations in Azure Advisor
• C. Diagnostic settings in Azure Monitor
• D. Diagnose and solve problems in Traffic Manager Profiles
• E. IP flow verify in Azure Network Watcher

Answer: E

Explanation:
Scenario: Litware must meet technical requirements including:
Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.
IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. While any source or destination IP can be chosen, IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.
References:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview

NEW QUESTION 11

You plan to use the Azure Import/Export service to copy files to a storage account.
Which two files should you create before you prepare the drives for the import job? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

• A. an XML manifest file
• B. a driveset CSV file
• C. a dataset CSV file
• D. a PowerShell PS1 file
• E. a JSON configuration file

Answer: BC

Explanation:
B: Modify the driveset.csv file in the root folder where the tool resides.
C: Modify the dataset.csv file in the root folder where the tool resides. Depending on whether you want to import a file or folder or both, add entries in the dataset.csv file
References: https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-data-to-files

NEW QUESTION 12

You have an Azure virtual machine named VM1.
You use Azure Backup to create a backup of VM1 named Backup1. After creating Backup1, you perform the following changes to VM1:
Modify the size of VM1.
Copy a file named Budget.xls to a folder named Data.
Reset the password for the built-in administrator account.
Add a data disk to VM1.
An administrator uses the Replace existing option to restore VM1 from Backup1. You need to ensure that all the changes to VM1 are restored.
Which change should you perform again?

• A. Modify the size of VM1.
• B. Add a data disk.
• C. Reset the password for the built-in administrator account.
• D. Copy Budget.xls to Data.

Answer: D

Explanation:
References:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms#replace-existing-disks

NEW QUESTION 13

You have an Azure subscription that contains the virtual machines shown in the following table.

VM1 and VM2 use public IP addresses. From Windows Server 2021 on VM1 and VM2, you allow inbound Remote Desktop connections.
Subnet1 and Subnet2 are in a virtual network named VNET1.
The subscription contains two network security groups (NSGs) named NSG1 and NSG2. NSG1 uses only the default rules.
NSG2 uses the default and the following custom incoming rule:
Priority: 100
Name: Rule1
Port: 3389
Protocol: TCP
Source: Any
Destination: Any
Action: Allow
NSG1 connects to Subnet1. NSG2 connects to the network interface of VM2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Box 1: No
The default port for RDP is TCP port 3389. A rule to permit RDP traffic must be created automatically when you create your VM.
Box 2: Yes
NSG2 will allow this. Box 3: Yes
NSG2 will allow this.
Note on NSG-Subnet1: Azure routes network traffic between all subnets in a virtual network, by default. References:
https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdp-connection

NEW QUESTION 14

Your network contains an on-premises Active Directory domain named adatum.com. The domain contains an organizational unit (OU) named OU1. OU1 contains the objects shown in the following table.

You sync OU1 to Azure Active Directory (Azure AD) by using Azure AD Connect. You need to identify which objects are synced to Azure AD.
Which objects should you identify?

• A. User1 and Group1 only
• B. User1, Group1, and Group2 only
• C. User1, Group1, Group2, and Computer1
• D. Computer1 only

Answer: B

Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/synchronization

NEW QUESTION 15

You have an Azure virtual machine named VM1 that runs Windows Server 2021. You sign in to VM1 as a user named User 1 and perform the following actions:
* Create files on drive C.
* Create files on drive 0.
* Modify the screen saver timeout.
* Change the desktop background. You plan to redeploy VM1.
Which changes will be lost after you redeploy VM1?

• A. the modified screen saver timeout
• B. the new desktop background
• C. the new files on drive
• D. The new files on drive C

Answer: D

NEW QUESTION 16

You have peering configured as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Box 1: vNET6 only
Box 2: Modify the address space
The virtual networks you peer must have non-overlapping IP address spaces. References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-cons

NEW QUESTION 17

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure virtual machine named VM1 that runs Windows Server 2021.
You need to create an alert in Azure when more than two error events are logged to the System log on VM1 within an hour.
Solution: You create an Azure Log Analytics workspace and configure the data settings. You install the Microsoft Monitoring Agent on VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.
Does this meet the goal?

• A. Yes
• B. No

Answer: A

Explanation:
Alerts in Azure Monitor can identify important information in your Log Analytics repository. They are created by alert rules that automatically run log searches at regular intervals, and if results of the log search match particular criteria, then an alert record is created and it can be configured to perform an automated response.
The Log Analytics agent collects monitoring data from the guest operating system and workloads of virtual machines in Azure, other cloud providers, and on-premises. It collects data into a Log Analytics workspace.
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-response https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview

NEW QUESTION 18

You have a sync group that has the endpoints shown in the following table.

Cloud tiering is enabled for Endpoint3.
You add a file named File1 to Endpoint1 and a file named File2 to Endpoint2.
You need to identify on which endpoints File1 and File2 will be available within 24 hours of adding the files. What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
File1: Endpoint3 only
Cloud Tiering: A switch to enable or disable cloud tiering. When enabled, cloud tiering will tier files to your Azure file shares. This converts on-premises file shares into a cache, rather than a complete copy of the dataset, to help you manage space efficiency on your server. With cloud tiering, infrequently used or accessed files can be tiered to Azure Files.
File2: Endpoint1, Endpoint2, and Endpoint3 References:
https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-cloud-tiering

NEW QUESTION 19

You have two Azure virtual machines named VM1 and VM2. You have two Recovery Services vaults named RSV1 and RSV2.
VM2 is protected by RSV1.
You need to use RSV2 to protect VM2. What should you do first?

• A. From the RSV1 blade, click Backup items and stop the VM2 backup.
• B. From the RSV1 blade, click Backup Jobs and export the VM2 backup.
• C. From the RSV1 blade, click Backu
• D. From the Backup blade, select the backup for the virtual machine, and then click Backup.
• E. From the VM2 blade, click Disaster recovery, click Replication settings, and then select RSV2 as the Recovery Services vault.

Answer: D

Explanation:
References:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-vms-first-look-arm

NEW QUESTION 20

You have an Azure Active Directory (Azure AD) tenant named adatum.com that contains the users shown in the following table.

Adatum.com has the following configurations: Users may join devices to Azure AD is set to User1.
Additional local administrators on Azure AD joined devices is set to None.
You deploy Windows 10 to a computer named Computer. User1 joins Computer1 to adatum.com. You need to identify which users are added to the local Administrators group on Computer1.

• A. User1 only
• B. User1, User2, and User3 only
• C. User1 and User2 only
• D. User1, User2, User3, and User4
• E. User2 only

Answer: C

Explanation:
Users may join devices to Azure AD - This setting enables you to select the users who can register their devices as Azure AD joined devices. The default is All.
Additional local administrators on Azure AD joined devices - You can select the users that are granted local administrator rights on a device. Users added here are added to the Device Administrators role in Azure AD. Global administrators, here User2, in Azure AD and device owners are granted local administrator rights by default.
References:
https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal

NEW QUESTION 21

You have an Azure virtual machine named VM1.
The network interface for VM1 is configured as shown in the exhibit. (Click the Exhibit tab.) You deploy a web server on VM1, and then create a secure website that is accessible by using the
HTTPS protocol VM1 is used as a web server only.
You need to ensure that users can connect to the website from the Internet.
What should you do?

• A. Change the priority of Rule3 to 450.
• B. Change the priority of Rule6 to 100
• C. DeleteRule1.
• D. Create a new inbound rule that allows TCP protocol 443 and configure the protocol to have a priority of 501.

Answer: D

NEW QUESTION 22

You have an Azure subscription that contains the resources in the following table.

VM1 and VM2 are deployed from the same template and host line-of-business applications accessed by using Remote Desktop. You configure the network security group (NSG) shown in the exhibit. (Click the Exhibit button.)

You need to prevent users of VM1 and VM2 from accessing websites on the Internet.
What should you do?

• A. Associate the NSG to Subnet1.
• B. Disassociate the NSG from a network interface.
• C. Change the DenyWebSites outbound security rule.
• D. Change the Port_80 inbound security rule.

Answer: A

Explanation:
You can associate or dissociate a network security group from a network interface or subnet.
The NSG has the appropriate rule to block users from accessing the Internet. We just need to associate it with Subnet1.
References: https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group

NEW QUESTION 23

You have an Azure subscription that contains an Azure Storage account.
You plan to copy an on-premises virtual machine image to a container named vmimages. You need to create the container for the planned image.
Which command should you run? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
azcopy make 'https://<storage-account-name>.file.core.windows.net/<file-share-name><SAS-token>'

NEW QUESTION 24
......