Microsoft AZ-104 Microsoft Azure Administrator Exam Practice Test

Box 1: Create a Recovery Services vault

Create a Recovery Services vault on the Azure Portal.

Box 2: Install the Azure Site Recovery Provider

Azure Site Recovery can be used to manage migration of on-premises machines to Azure.

Scenario: Migrate the virtual machines hosted on Server1 and Server2 to Azure.

Server2 has the Hyper-V host role.

References:

https://docs.microsoft.com/en-us/azure/site-recovery/migrate-tutorial-on-premises-azure

A screenshot of a computer Description automatically generated

Box 1: Create a virtual network gateway and a local network gateway.

Azure VPN gateway. The VPN gateway service enables you to connect the VNet to the on-premises network through a VPN appliance. For more information, see Connect an on-premises network to a Microsoft Azure virtual network. The VPN gateway includes the following elements:

• Virtual network gateway. A resource that provides a virtual VPN appliance for the VNet. It is responsible for routing traffic from the on-premises network to the VNet.
• Local network gateway. An abstraction of the on-premises VPN appliance. Network traffic from the cloud application to the on-premises network is routed through this gateway.
• Connection. The connection has properties that specify the connection type (IPSec) and the key shared with the on-premises VPN appliance to encrypt traffic.
• Gateway subnet. The virtual network gateway is held in its own subnet, which is subject to various requirements, described in the Recommendations section below.

Box 2: Configure a site-to-site VPN connection

On premises create a site-to-site connection for the virtual network gateway and the local network gateway.

A diagram of a computer network Description automatically generated

Scenario: Connect the New York office to VNet1 over the Internet by using an encrypted connection.

Scenario: Litware must meet technical requirements including:

Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.

IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. While any source or destination IP can be chosen, IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.

References:

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview

Technically, The finance department needs to migrate their users from AD to AAD using AADC based on the finance OU, and need to enforce MFA use. This is conditional access policy. Employees also often get promotions and/or join other departments and when that occurs, the user's OU attribute will change when the admin puts the user in a new OU, and the dynamic group conditional access exception (OU= [Department Name Value]) will move the user to the appropriate dynamic group on next AADC delta sync.

https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership

https://docs.microsoft.com/en-us/azure/active-directory/co nditional-access/overview

https://docs.microsoft.com/en-us/az ure/active-directory/authentication/howto-mfa-userstates

A close-up of a book Description automatically generated

https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom- role-powershell

Get-AzRoleDefinition -Name "Reader" | ConvertTo-Json

https://docs.micr osoft.com/en-us/powershell/module/az.resources/get-azroledefinition?view=azps-5.9.0

https://docs.microsoft.c om/en-us/azure/role-based-access-control/tutorial-custom-role-powershell

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/c onvertto-json?view=powershell-7.1

https://docs.microsoft.com/en-u s/powershell/module/azuread/get-azureaddirectoryrole?view=azureadps-2.0

Scenario: Create a workflow to send an email message when the settings of VM4 are modified.

You can start an automated logic app workflow when specific events happen in Azure resources or third-party resources. These resources can publish those events to an Azure event grid. In turn, the event grid pushes those events to subscribers that have queues, webhooks, or event hubs as endpoints. As a subscriber, your logic app can wait for those events from the event grid before running automated workflows to perform tasks - without you writing any code.

References:

https://docs.microsoft.com/en-us/azure/event-grid/monitor-virtual-machine-changes-event-grid-logic-app

A white paper with black text Description automatically generated

https://learn.microsoft.com/en-us/azure/backup/backup-azure-files?tabs=backup-center

https://learn.microsoft.com/en-us/azure/backup/backup-azure-vms-first-look-arm#back-up-from-azure-vm-settings

Table Description automatically generated

Graphical user interface, text, application Description automatically generated

Graphical user interface, text, application, email Description automatically generated

A white background with black text Description automatically generated

Statement 1: Yes

All client computers in the Paris office will be joined to an Azure AD domain.

A virtual network named Paris-VNet that will contain two subnets named Subnet1 and Subnet2.

Microsoft Windows Server Active Directory domains, can resolve DNS names between virtual networks. Automatic registration of virtual machines from a virtual network that's linked to a private zone with auto-registration enabled. Forward DNS resolution is supported across virtual networks that are linked to the private zone.

Statement 2: Yes

A virtual network named ClientResources-VNet that will contain one subnet named ClientSubnet You plan to create a private DNS zone named humongousinsurance.local and set the registration network to the ClientResources-VNet virtual network.

As this is a registration network so this will work.

Statement 3: No

Only VMs in the registration network, here the ClientResources-VNet, will be able to register hostname records. Since Subnet4 not connected to Client Resources Network thus not able to register its hostname with humongoinsurance.local

You can opt in and configure additional recipients to receive your Azure invoice in an email. This feature may not be available for certain subscriptions such as support offers, Enterprise Agreements, or Azure in Open.

• Select your subscription from the Subscriptions page. Opt-in for each subscription you own. Click Invoices then Email my invoice.A screenshot of a computer Description automatically generated
• Click Opt in and accept the terms.

Scenario: During the testing phase, auditors in the finance department must be able to review all Azure costs from the past week.

References: https://docs.microsoft.com/en-us/azure/billing/billing-download-azure-invoice-daily-usage-date

D: Seamless SSO works with any method of cloud authentication - Password Hash Synchronization or Pass-through Authentication, and can be enabled via Azure AD Connect.

B: You can gradually roll out Seamless SSO to your users. You start by adding the following Azure AD URL to all or selected users' Intranet zone settings by using Group Policy in Active Directory: https://autologon.microsoftazuread-sso.com

Once the VNets are peered, all resources on one VNet can communicate with resources on the other peered VNets. You plan to enable peering between Paris-VNet and AllOffices-VNet. Therefore VMs on Subnet1, which is on Paris-VNet and VMs on Subnet3, which is on AllOffices-VNet will be able to connect to each other.

All Azure resources connected to a VNet have outbound connectivity to the Internet by default. Therefore VMs on ClientSubnet, which is on ClientResources-VNet will have access to the Internet; and VMs on Subnet3 and Subnet4, which are on AllOffices-VNet will have access to the Internet.

Moving the virtual machine to a different subscription does not change the host that the virtual machine runs on. It only changes the billing and management of the resources. To move the virtual machine to a different host, you need to redeploy it or use Azure Site Recovery. Then, References: [Move resources to new resource group or subscription] [Redeploy Windows VM to new Azure node] [Use Azure Site Recovery to migrate Azure VMs between Azure regions]

https://learn.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms#restore-options

To recover VM1 to a point eight days ago, you need to use the Azure Backup service to restore the VM from a recovery point. A recovery point is a snapshot of the VM data at a specific point in time. Azure Backup creates recovery points according to the backup policy that you configure for the Recovery Services vault1.

In this case, the Recovery Services vault named RSV1 has a backup policy that retains instant snapshots for five days and daily backup for 14 days. This means that you can restore the VM from any point in the last 14 days, as long as there is a recovery point available. Since you need to recover VM1 to a point eight days ago, you can use the daily backup recovery point that was created on that day2.

To restore the VM from a recovery point, you have two options: Replace existing or Create new. The Replace existing option overwrites the existing VM with the restored data, while the Create new option creates a new VM with the restored data. The Replace existing option requires you to deallocate or delete the existing VM before restoring it, which can cause downtime and data loss. The Create new option allows you to restore the VM without affecting the existing VM, which minimizes downtime and data loss3.

Therefore, the best option is to restore VM1 by using the Create new restore configuration option. This will create a new VM with the same name as VM1 and append a suffix to it, such as -Restored. You can then verify that the new VM has the correct data and configuration, and switch over to it when you are ready. You can also delete the original VM if you don’t need it anymore3.

1. daysAfterModificationGreaterThan

2. Blockblob

https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-overview#rule-actions

daysAfterModificationGreaterThan

• Litwareinc.com users can be assigned to package1. = No
• After 365 days, fabrikam.com users will be removed from Group1. = Yes
• After 395 days, fabrikam.com users will be removed from the contoso.com tenant = No

• Litwareinc.com users cannot be assigned to package1 because they are not a connected organization in the contoso.com tenant. Only users from connected organizations can request access packages that are configured for external users1
• Fabrikam.com users will be removed from Group1 after 365 days because the access package has an expiration policy of 365 days for external users. This means that the access assignments for external users will end after 365 days, unless they are renewed or extended2
• Fabrikam.com users will not be removed from the contoso.com tenant after 395 days because the external user lifecycle settings have a deletion policy of 30 days after blocking. This means that external users will be blocked from signing in after 365 days of inactivity, and then deleted after another 30 days. Therefore, the total time before deletion is 395 days of inactivity, not 395 days from the date of assignment3

The Traffic Manager Contributor role is not related to Traffic Analytics. Traffic Manager is a service that provides DNS-based load balancing and traffic routing across different regions and endpoints. Traffic Manager Contributor is a role that allows you to create and manage Traffic Manager profiles, endpoints, and geographies1.

Traffic Analytics is a service that provides visibility into user and application activity in your cloud networks. Traffic Analytics analyzes Azure Network Watcher network security group (NSG) flow logs to provide insights into traffic flow in your Azure cloud. With Traffic Analytics, you can visualize network activity, identify hot spots, secure your network, optimize your network deployment, and pinpoint network misconfigurations2.

To enable Traffic Analytics for an Azure subscription, you need to have a role that grants you the following permissions at the subscription level:

• Microsoft.Network/applicationGateways/read
• Microsoft.Network/connections/read
• Microsoft.Network/loadBalancers/read
• Microsoft.Network/localNetworkGateways/read
• Microsoft.Network/networkInterfaces/read
• Microsoft.Network/networkSecurityGroups/read
• Microsoft.Network/publicIPAddresses/read
• Microsoft.Network/routeTables/read
• Microsoft.Network/virtualNetworkGateways/read
• Microsoft.Network/virtualNetworks/read
• Microsoft.OperationalInsights/workspaces/*

Some of the built-in roles that have these permissions are Owner, Contributor, or Network Contributor3. However, these roles also grant other permissions that may not be necessary or desirable for enabling Traffic Analytics. Therefore, the best practice is to use the principle of least privilege and create a custom role that only has the required permissions for enabling Traffic Analytics4.

Therefore, to meet the goal of ensuring that an Azure AD user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription, you should create a custom role with the required permissions and assign it to Admin1 at the subscription level.

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview

Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to an Azure datacenter.

The maximum size of an Azure Files Resource of a file share is 5 TB.

The exhibit shows that you have an autoscale rule configured for your App Service app named App1. The rule is based on the memory percentage metric, which measures the average amount of memory used by all the instances of your app. The rule has the following settings:

• Scale out action: Add 1 instance when the memory percentage is greater than or equal to 80% for a duration of 10 minutes.
• Scale in action: Remove 1 instance when the memory percentage is less than or equal to 60% for a duration of 10 minutes.
• Instance limits: The minimum number of instances is 2, and the maximum number of instances is 5.

According to the question, during a 30-minute period, App1 uses 60% of the available memory. This means that the scale in action is triggered, but not the scale out action. Therefore, one instance is removed from App1 every 10 minutes, until the minimum number of instances is reached.

Since App1 initially has two running instances, after the first 10 minutes, one instance is removed and App1 has one instance left. However, since the minimum number of instances is set to 2, another instance is added back to App1 to meet the minimum requirement. Therefore, after the first 10 minutes, App1 still has two instances.

After the second 10 minutes, the same process repeats. One instance is removed due to the scale in action, and another instance is added back due to the minimum requirement. Therefore, after the second 10 minutes, App1 still has two instances.

After the third 10 minutes, there is no change in the number of instances, because App1 already has the minimum number of instances. Therefore, after the third 10 minutes, App1 still has two instances.

Therefore, during the 30-minute period, App1 never has more than two instances running at any given time. However, since one instance is removed and added back every 10 minutes, there are four different instances that are used by App1 during the period. Hence, the maximum number of instances for App1 during the period is four.

No, this does not meet the goal. Assigning a built-in policy definition to the subscription is not enough to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks. This is because there is no built-in policy definition that matches this requirement. The closest built-in policy definition is “Network security groups should not allow unrestricted inbound traffic on well-known ports”, but this policy only blocks TCP port 80 and 443, not 80801.

To meet the goal, you need to create a custom policy definition that enforces a default security rule for NSGs. A policy definition is a set of rules and actions that Azure performs when evaluating your resources2. You can use a policy definition to specify the required properties and values for NSGs, such as the direction, protocol, source, destination, and port of the security rule. You can then assign the policy definition to the subscription scope, so that it applies to all the resource groups and virtual networks in the subscription.

According to 1, Availability Zones are unique physical locations within an Azure region that provide high availability and disaster recovery for your virtual machines. To back up your VM across three availability zones in the primary region, you need to perform the following actions in sequence:

• Create a Recovery Services vault2 that will store your backups and enable geo-redundancy for cross-region protection.
• For VM1, create a backup policy and configure the backup2 to use the Recovery Services vault as the backup destination.
• Configure a replication policy1 that will replicate your VM1 to another availability zone in the same region.

https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots

Statement 1: Yes

Contoso is moving the existing product blueprint files to Azure Blob storage which will ensure that the blueprint files are stored in the archive storage tier.

Use unmanaged standard storage for the hard disks of the virtual machines. We use Page Blobs for these.

Statement 2: No

Azure Table storage stores large amounts of structured data. The service is a NoSQL datastore which accepts authenticated calls from inside and outside the Azure cloud. Azure tables are ideal for storing structured, non-relational data. Common uses of Table storage include:

1. Storing TBs of structured data capable of serving web scale applications

2. Storing datasets that don't require complex joins, foreign keys, or stored procedures and can be denormalized for fast access

3. Quickly querying data using a clustered index

4. Accessing data using the OData protocol and LINQ queries with WCF Data Service .NET Libraries

Statement 3: No

File Storage can be used if your business use case needs to deal mostly with standard File extensions like *.docx, *.png and *.bak then you should probably go with this storage option.

Active Directory Federation Services is a feature and web service in the Windows Server Operating System that allows sharing of identity information outside a company’s network.

Scenario: Technical Requirements include:

Prevent user passwords or hashes of passwords from being stored in Azure.

References: https://www.sherweb.com/bl og/active-directory-federation-services/

A screenshot of a computer Description automatically generated

This reference architecture shows how to deploy VMs and a virtual network configured for an N-tier application, using SQL Server on Windows for the data tier.

A diagram of a computer network Description automatically generated with medium confidence

Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers:

• A SQL database
• A web front end
• A processing middle tier

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

• Technical requirements include:
• Move all the virtual machines for App1 to Azure.
• Minimize the number of open ports between the App1 tiers.

References: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/n-tier/n-tier-sql-server

Change the Service administrator for an Azure subscription

• Sign in to Account Center as the Account administrator.
• Select a subscription.
• On the right side, select Edit subscription details.

Scenario: Designate a new user named Admin1 as the service administrator of the Azure subscription.

References: https://docs.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator

A screenshot of a computer Description automatically generated

Box 1: Selected

Only selected users should be able to join devices

Box 2: Yes

Require Multi-Factor Auth to join devices.

From scenario:

• Ensure that only users who are part of a group named Pilot can join devices to Azure AD
• Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.

A Recovery Services vault is a logical container that stores the backup data for each protected resource, such as Azure VMs. When the backup job for a protected resource runs, it creates a recovery point inside the Recovery Services vault.

Scenario:

There are three application tiers, each with five virtual machines.

Move all the virtual machines for App1 to Azure.

Ensure that all the virtual machines for App1 are protected by backups.

References: https://docs.microsoft.com/en-us/azure/backup/quick-backup-vm-portal

Azure Storage Explorer is a free tool from Microsoft that allows you to work with Azure Storage data on Windows, macOS, and Linux. You can use it to upload and download data from Azure blob storage.

Scenario:

Planned Changes include: move the existing product blueprint files to Azure Blob storage.

Technical Requirements include: Copy the blueprint files to Azure over the Internet.

References: https://docs.microsoft.com/en-us/azure/machine-learning/team-data-science-process/move-data-to-azure-blob-using-azure-storage-explorer

As App1 is public-facing we need an incoming security rule, related to the access of the web servers.

Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers: a SQL database, a web front end, and a processing middle tier.

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.