az-104 practice-001

Question 1 of 50

You have a Microsoft Entra tenant named contoso.com. Microsoft Entra Connect is configured to sync users to the tenant.

You need to assign licenses to the users based on Microsoft Entra ID attributes. The attribute values will be set by the HR department.

Which two actions should you perform? Each correct answer presents part of the solution.

To assign licenses to users based on Microsoft Entra ID attributes, you must create a dynamic security group and configure rules based on custom attributes. The dynamic group must be added to a license group for automatic synchronization. All users in the groups will get the license automatically. Microsoft Entra evaluates the users in the organization that are in scope for an assignment policy rule and creates assignments for the users who don't have assignments to an access package; automatic assignment policies are not used for licensing.

Assign licenses to a group - Azure Active Directory - Microsoft Entra | Microsoft Learn

Configure user and group accounts - Training | Microsoft Learn

 

Question 2 of 50

UserPrincipalName: bsmith_contoso.com#EXT#@fabrikam.com

For guest users, the user principal name (UPN) will contain the email of the guest user (bsmith_contoso.com) followed by #EXT# followed by the domain name of the tenant (@fabrikam.com). Regular Microsoft Entra users appear in a format of user@fabrikam.com.

B2B collaboration overview - Azure AD - Microsoft Entra | Microsoft Learn

Create Azure users and groups in Azure Active Directory - Training | Microsoft Learn

 

Question 4 of 50

You have an Azure subscription that contains a resource group named RG1. RG1 contains a virtual machine named VM1 connected to a virtual network named Network1.

A user named Admin1 must be able to change the settings of Network1.

You need to use PowerShell to assign Admin1 the appropriate role and permissions.

Which two PowerShell statements should you use to complete the task? Each correct answer presents part of the solution.

Before assigning an RBAC role to a user, you must use the Get-AzADUser cmdlet to obtain the ID of the user. The New-AzRoleAssignment cmdlet can be used to assign an RBAC role to any resource. If you assign the Virtual Machine Contributor role to RG1, it will only allow changes to the virtual machine; it will not allow Admin1 to manage the virtual network. To modify network settings, you must assign the Network Contributor role.

Automate Azure tasks using scripts with PowerShell - Training | Microsoft Learn

Assign Azure roles using Azure PowerShell - Azure RBAC | Microsoft Learn

For a service principal, the ObjectId identifies the application or service that the service principal represents.

For an Azure AD user, the ObjectId identifies the person who the user represents.
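The two cmdlets from Question 4 used together, as an added example that is not part of the original notes. The sign-in name `admin1@contoso.com` is an assumption (the question gives only the name Admin1), and scoping the assignment to Network1 rather than to all of RG1 is a least-privilege choice made here, not something the question specifies.

```powershell
# Added example. Assumes an authenticated session (Connect-AzAccount) and the Az module.
# The UPN is an assumption; the question names the user only as Admin1.
$upn = 'admin1@contoso.com'

# Step 1: resolve the user to its object ID. Stop if the lookup returns nothing,
# otherwise New-AzRoleAssignment would be called with an empty ObjectId.
$user = Get-AzADUser -UserPrincipalName $upn
if (-not $user) { throw "User $upn not found in the tenant" }

# Step 2: pick the narrowest scope that satisfies the requirement.
# Network Contributor on Network1 alone lets Admin1 change that virtual network
# without granting rights over other network resources in RG1.
$vnet = Get-AzVirtualNetwork -Name 'Network1' -ResourceGroupName 'RG1'
$role = 'Network Contributor'

# Step 3: create the assignment only if it is not already present at this exact
# scope, so the script can be re-run without raising a conflict error.
$existing = Get-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName $role -Scope $vnet.Id |
    Where-Object { $_.Scope -eq $vnet.Id }
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName $role -Scope $vnet.Id
}

# Step 4: review everything Admin1 holds at this scope, including assignments
# inherited from the resource group or subscription.
Get-AzRoleAssignment -ObjectId $user.Id -Scope $vnet.Id |
    Select-Object RoleDefinitionName, Scope
```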

 

Question 7 of 50

You have several management groups and Azure subscriptions.

You want to prevent the accidental deletion of resources.

To which three resource types can you apply delete locks? Each correct answer presents a complete solution.

You can use delete locks to block the deletion of virtual machines, subscriptions, and resource groups. You cannot use delete locks on management groups or storage account data.

Protect your Azure resources with a lock - Azure Resource Manager | Microsoft Learn

Use Azure Resource Manager - Training | Microsoft Learn

As an administrator, you can lock an Azure subscription, resource group, or resource to protect them from accidental user deletions and modifications. The lock overrides any user permissions.

Virtual machines are a resource.

 

Question 8 of 50

You have an Azure subscription that contains 25 virtual machines.

You need to ensure that each virtual machine is associated to a specific department for reporting purposes.

What should you use?

Tags are metadata elements that can be applied to Azure resources. Tags can be used for tracking resources such as virtual machines and associating each resource to a department for billing and reporting purposes.

Administrative units are containers used for delegating administrative roles to manage a specific portion of Microsoft Entra. Administrative units cannot contain Azure virtual machines.

Management groups are containers that can be used to manage access, policy, and compliance across multiple Azure subscriptions.

Azure Storage accounts contain Azure Storage data objects, including blobs, file shares, queues, tables, and disks. A storage account cannot contain virtual machines.

Tag resources, resource groups, and subscriptions for logical organization - Azure Resource Manager | Microsoft Learn

Configure virtual machines - Training | Microsoft Learn

 

Question 9 of 50

You have an Azure subscription that contains 200 virtual machines.

You plan to use Azure Advisor to provide cost recommendations when underutilized virtual machines are detected.

You need to ensure that all Azure admins are notified whenever an Advisor alert is generated. The solution must minimize administrative effort.

What should you configure?

Whenever Azure Advisor detects a new recommendation for resources, an event is stored in the Azure Activity log. You can set up alerts for these events from Azure Advisor. You can select a subscription and optionally a resource group to specify the resources for which you want to receive alerts. You also need to create an action group that will contain all the users to be notified.

Create action groups - Training | Microsoft Learn

Create Azure Advisor alerts for new recommendations using Azure portal - Azure Advisor | Microsoft Learn

 

Question 10 of 50

You have an Azure subscription that contains a tenant named contoso.com.

All users in contoso.com are currently able to invite external users to B2B collaboration.

You need to ensure that only members of the Guest Inviter, User Administrator, and Global Administrator roles can invite guest users.

What should you configure?

 

External collaboration settings let you specify which roles in your organization can invite external users for B2B collaboration. These settings also include options for allowing or blocking specific domains and options for restricting what external guest users can see in your Microsoft Entra directory.

Conditional Access allows you to apply rules to strengthen authentication and block access to resources from unknown locations.

Cross-tenant access settings are used to configure collaboration with a specific Microsoft Entra organization.

Access reviews are not used to control who can invite guest users.

Create Azure users and groups in Azure Active Directory - Training | Microsoft Learn

Enable B2B external collaboration settings - Microsoft Entra | Microsoft Learn

 

Question 11 of 50

Your company has a main office in Seattle and a branch office in New York.

You have an Azure subscription that contains an application named App1 and a user named User1 located in the Seattle office.

User1 travels to the New York office and receives the following error message when attempting to sign in to App1: “Your sign-in was blocked.”

When located in the Seattle office, the access of User1 functions properly, and no other users report issues with accessing App1.

You need to ensure that User1 can sign in to App1.

What should you do from the Microsoft Azure portal?

Identity Protection provides organizations with three reports that they can use to investigate identity risks in their environment. These reports are Risky users, Risky sign-ins, and Risk detections. Investigation of events is key to better understanding and identifying any weak points in your security strategy. When users sign in to Azure from a remote location, Identity Protection may identify these users as risky users. Unless the user risk is remediated, they will not be able to sign in. You can dismiss a user risk from the Risky users report in Identity Protection.

Remediate risks and unblock users in Azure AD Identity Protection - Microsoft Entra | Microsoft Learn

 

Question 13 of 50

You have an Azure subscription that contains a resource group named RG1. RG1 contains an Azure virtual machine named VM1.

You need to use VM1 as a template to create a new Azure virtual machine.

Which three methods can you use to complete the task? Each correct answer presents a complete solution.

From RG1, selecting the Download option from the Export template page exports the Azure Resource Manager (ARM) template from the resource group properties. You can then deploy the ARM template by running the New-AzResourceGroupDeployment cmdlet.

By using the Save-AzDeploymentTemplate cmdlet, you can save the resource ARM template. You can then deploy the ARM template by running the New-AzResourceGroupDeployment cmdlet.

From VM1, selecting the Deploy option from the Export template page allows you to deploy a new Azure virtual machine and use the configuration of VM1 as the template.

The Save-AzDeploymentScriptLog cmdlet is used to save the log of a deployment script execution.

The Get-AzVM cmdlet generates a list of virtual machines that are created in the Azure subscription.

Export template in Azure portal - Azure Resource Manager | Microsoft Learn

Export template in Azure PowerShell - Azure Resource Manager | Microsoft Learn

Automate Azure tasks using scripts with PowerShell - Training | Microsoft Learn

 

Question 14 of 50

You are creating an Azure virtual machine that will run Windows Server.

You need to ensure that VM1 will be part of a virtual machine scale set.

Which setting should you configure during the creation of the virtual machine?

You must configure the virtual machine scale set from the availability options. Azure spot instance is used to add virtual machines with a discounted price. Region will not affect the configuration of the availability options. The management setting allows you to configure the monitoring and management options for the virtual machine.

Availability options for Azure Virtual Machines - Azure Virtual Machines | Microsoft Learn

Configure virtual machine availability - Training | Microsoft Learn

 

Question 15 of 50

You have an Azure virtual network that contains two subnets named Subnet1 and Subnet2. You have a virtual machine named VM1 that is connected to Subnet1. VM1 runs Windows Server.

You need to ensure that VM1 is connected directly to both subnets.

What should you do first?

 

A network interface is used to connect a virtual machine to a subnet. Since VM1 is connected to Subnet1, VM1 already has a network interface attached that is connected to Subnet1. To connect VM1 directly to Subnet2, you must create a new network interface that is connected to Subnet2. Next, you must attach the new network interface to VM1.

An IP group is a user-defined collection of static IP addresses, ranges, and subnets. A network bridge allows you to connect multiple existing network connections in Windows together. Changing the IP configurations of the existing network interface results in VM1 being connected to Subnet2 but not to Subnet1.

Virtual networks and virtual machines in Azure | Microsoft Learn

Configure virtual networks - Training | Microsoft Learn

 

Question 16 of 50

Your company plans to host an application on four Azure virtual machines.

You need to ensure that at least two virtual machines are available if a single Azure datacenter fails.

Which availability option should you select for the virtual machine?

To protect against datacenter-level failures, and if you want connectivity to multiple machines, you must ensure that the virtual machines are deployed across various availability zones.

What are Azure regions and availability zones? | Microsoft Learn

Configure virtual machine availability - Training | Microsoft Learn

 

Question 17 of 50

You are deploying a virtual machine by using an availability set in the East US Azure region.

You have deployed 18 virtual machines in two fault domains and 10 update domains.

Microsoft performed planned physical hardware maintenance in the East US region.

What is the maximum number of virtual machines that will be unavailable?

 

18 virtual machines are shared across 10 update domains. The first 10 virtual machines go to 10 update domains, so eight update domains will have two virtual machines. When there is physical hardware maintenance, some virtual machines will be unavailable based on their configuration. If there was a rack failure, then 18 virtual machines will be distributed to two fault domains with nine virtual machines each.

Availability sets overview - Azure Virtual Machines | Microsoft Learn

Configure virtual machine availability - Training | Microsoft Learn

Review update domains and fault domains - Training | Microsoft Learn

It feels like the question and the answer don't match; the minimum should be 2 and the maximum should be 9.

 

Question 18 of 50

Your development team plans to deploy an Azure container instance. The container needs a persistent storage layer.

Which service should you use?

You can persist data for Azure Container Instances with the use of Azure Files. Azure Files offers fully managed file shares hosted in Azure Storage that are accessible via the industry standard Server Message Block (SMB) protocol.

Mount Azure Files volume to container group - Azure Container Instances | Microsoft Learn

Explore Azure Storage services - Training | Microsoft Learn

 

Question 19 of 50

You have an Azure subscription that contains a Docker container image named container1.

You create a new Azure web app named WebApp1.

You need to ensure that you can use container1 for WebApp1.

Which WebApp1 setting should you configure?

If you want to run a Docker container as an Azure web service, you must configure the Publish option and select Docker container.

Runtime stack specifies the stack that you want to use for the web app. If you want to deploy a Docker container as a web app, the runtime stack option is unavailable.

Pricing plan specifies the location, features, and costs of the web app.

Continuous deployment is a strategy for software releases. This option is unavailable when you publish a Docker container as an Azure web app.

Overview - Azure App Service | Microsoft Learn

Configure Azure Container Instances - Training | Microsoft Learn

 

Question 21 of 50

You have an Azure subscription that contains multiple resource groups and Azure App Service web apps. A resource group named RG1 hosts a web app named appservice1. The App Service uses an imported SSL certificate.

You create a resource group named RG2.

You plan to move all the resources in RG1 to RG2.

Which two actions should you perform? Each correct answer presents part of the solution.

The SSL certificate must be deleted. You will have to move all other resources to RG2.

Move Azure App Service resources across resource groups or subscriptions - Azure Resource Manager | Microsoft Learn

Configure Azure App Service - Training | Microsoft Learn

 

Question 23 of 50

You have an Azure subscription.

You plan to deploy a web app in a Linux-based Docker container.

You need to recommend a solution for the deployment of the web app that meets the following requirements:

  • Supports a custom domain name
  • Provides the ability to scale out automatically based on demand
  • Minimizes administrative effort
  • Minimizes costs

Which solution should you recommend?

Azure App Service fulfills all the stated requirements. Azure Virtual Machine Scale Sets, Azure Kubernetes Service (AKS), and Azure Container Instances are more difficult to administer and more costly.

Overview - Azure App Service | Microsoft Learn

Configure Azure App Service plans - Training | Microsoft Learn

 

Question 24 of 50

You have a Log Analytics workspace that collects data from various data sources.

You create a new Azure Monitor log query.

You plan to view data pinned as a chart to a shared dashboard.

What is the maximum number of days for which data can be pinned as a chart on the dashboard?

Data pinned on a shared dashboard can only be displayed for a maximum of 14 days.

Azure Monitor workbook chart visualizations - Azure Monitor | Microsoft Learn

Configure Azure Monitor - Training | Microsoft Learn

posted @ 2023-11-28 10:50  ChuckLu