Microsoft AZ-104 Microsoft Azure Administrator Exam Practice Test

In the scenario, storage1 is configured as StorageV2 with Hierarchical namespace = Yes, while storage2 is configured as StorageV2 with Hierarchical namespace = No.

From Microsoft’s Azure Storage Documentation and AZ-104 Study Guide, the following principles apply:

A hierarchical namespace (enabled when the storage account has Azure Data Lake Storage Gen2 capabilities) allows the use of directories within containers to organize data.

The hierarchical namespace provides directory and file-level structure similar to a file system. This is supported only for blob containers, not for Azure Files.

Azure Files (file shares) do not depend on hierarchical namespaces and cannot have directories in the same way Data Lake Gen2 does — directories can exist inside the share but not in the blob container sense.

The planned change states that you must use directories whenever possible to organize content. Therefore, only storage accounts with hierarchical namespace enabled can use directory structures — that’s storage1.

In this case:

storage1 (Hierarchical namespace = Yes) → supports containers (like cont1) and file shares (like share1).

storage2 (Hierarchical namespace = No) → does not support directories within blob containers (Data Lake structure).

Hence, you can use only cont1 (container in storage1) and share1 (file share in storage1) to organize content as required.

This is directly supported by the Microsoft documentation on Data Lake Storage Gen2:

“When you enable the hierarchical namespace for a storage account, you can organize objects into directories and subdirectories. This capability is available only for accounts configured for Data Lake Storage Gen2.”

Final Verified Answer: ✅ B. cont1 and share1 only

To determine which virtual machines can be encrypted, we must refer to the technical requirement:

“Whenever possible, use Azure Disk Encryption and a key encryption key (KEK) to encrypt the virtual machines.”

According to the Microsoft Azure Administrator documentation, Azure Disk Encryption (ADE) uses BitLocker for Windows virtual machines and DM-Crypt for Linux virtual machines to encrypt OS and data disks. However, not all VM types and disk configurations are supported for ADE.

From the provided configuration:

VM

OS

Description

Disk Type

VM1

RHEL

Uses ephemeral OS disks

❌ Not supported

VM2

Windows Server 2022

Has a basic volume

✅ Supported

VM3

RHEL

Uses standard SSDs

✅ Supported by DM-Crypt, but not optimal

VM4

Windows Server 2022

Uses Write Accelerator disks

✅ Supported

VM5

Windows Server 2022

Has a dynamic volume

❌ Not supported by ADE

Step-by-step Analysis (Based on Microsoft Docs):

Ephemeral OS disks (VM1):

These are not compatible with Azure Disk Encryption because they are stored on local temporary storage and are not persisted to Azure Storage.

“Ephemeral OS disks cannot be encrypted using Azure Disk Encryption because they reside on local VM storage.” — [Microsoft Learn: Azure Disk Encryption prerequisites]

Dynamic volumes (VM5):

Azure Disk Encryption does not support dynamic disks — only basic disks are supported.

“Azure Disk Encryption does not support dynamic disks; only basic disks can be encrypted.” — [Microsoft Learn: ADE limitations]

Write Accelerator disks (VM4):

These disks can be encrypted if they are standard OS/data disks with Write Accelerator enabled. Microsoft confirms that ADE supports Write Accelerator–enabled disks on supported VM sizes.

Linux VMs (VM3) with standard SSDs can use DM-Crypt encryption, but in this question, the requirement specifies to use Azure Disk Encryption with a Key Encryption Key (KEK) — KEKs are supported only for Windows and Linux VMs that use managed disks and not ephemeral disks.

However, VM3 uses standard SSDs (supported by ADE) and VM2 and VM4 meet the technical requirement of using ADE with KEK, but Azure prefers Windows VMs for KEK integration because of BitLocker integration and Key Vault support.

Therefore, the verified supported VMs for Azure Disk Encryption with KEK are:

✅ VM2 (Windows Server 2022, basic volume)

✅ VM4 (Windows Server 2022, Write Accelerator disks)

Supporting Microsoft Documentation (Extracted):

“Azure Disk Encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. It uses BitLocker for Windows VMs and DM-Crypt for Linux VMs.”

“ADE is not supported on ephemeral OS disks or dynamic disks.”

“You can use Key Encryption Keys (KEK) from Azure Key Vault for an added layer of security.”

(Source: Microsoft Learn – Azure Disk Encryption Overview, Prerequisites, and Supported Configurations for Windows and Linux VMs)

To meet the technical requirement — “Use TLS for WebApp1” — the web app must be configured with a certificate that is compatible with Azure App Service for HTTPS/TLS binding.

According to the Microsoft Azure Administrator documentation on App Service Certificates and Key Vault integration, the following key points determine which certificates can be used:

Supported Certificate Format:Azure App Service supports importing certificates in PFX (PKCS #12) format, which includes both the public and private keys necessary for TLS/SSL binding.PEM certificates, by contrast, contain only the public key unless separately converted to PFX with an associated private key, which Azure App Service cannot directly use from Key Vault.

Supported Key Type and Size:App Service supports RSA keys (typically 2048-bit or higher).Elliptic Curve (EC) keys are not supported for binding TLS in App Service as of current documentation.

Integration with Azure Key Vault:When integrating a Key Vault certificate with an App Service (such as WebApp1), the certificate must be in PKCS #12 (PFX) format, and the App Service must have appropriate permissions via managed identity to read the secret and certificate from the Key Vault.

From the Vault1 data provided in your scenario:

Name

Content type

Key type

Key size

Cert1

PKCS #12

RSA

2048

Cert2

PKCS #12

RSA

4096

Cert3

PEM

RSA

2048

Cert4

PEM

RSA

4096

Analysis:

Cert1 and Cert2 are PKCS #12 certificates, so both contain the private key required for TLS.

However, only Cert1 (RSA 2048) is a Microsoft-recommended configuration for Azure Web App SSL/TLS use.

Cert2 has a 4096-bit RSA key. Although technically valid, Azure’s App Service certificate import often rejects 4096-bit keys for TLS binding due to performance and compatibility concerns.

Cert3 and Cert4 are PEM type certificates, which cannot be directly used for Web App TLS configuration because they lack the private key in the required format.

Therefore, according to the Azure Administrator Exam Study Guide and Microsoft official documentation, the only valid certificate that meets the requirements is:

✅ Cert1 only

Final Verified Answer: ✅ A. Cert1 only

In Microsoft Azure, encryption scopes are a StorageV2 (general-purpose v2) storage account feature that allows fine-grained control over encryption settings for data stored within a single account. According to Microsoft Azure Storage documentation, an encryption scope defines a specific encryption context that can be applied at the container or blob level and is supported in non-hierarchical namespace storage accounts (those without Data Lake Gen2 enabled).

In the given scenario:

storage1 has Hierarchical namespace = Yes (Data Lake Storage Gen2 enabled).

storage2 has Hierarchical namespace = No.

The plan was to create an encryption scope named Scope1 in storage2.

The technical requirement specifies that Scope1 must be used to encrypt storage services.

According to the Azure Administrator documentation on encryption scopes:

“Encryption scopes are supported for block blobs, append blobs, page blobs, Azure Files, queues, and tables in standard StorageV2 accounts. Encryption scopes are not supported in hierarchical namespace (Data Lake Gen2) enabled accounts.”

This means that Scope1—created in storage2, which does not have hierarchical namespace—can encrypt all blob data (containers and blobs) as well as file shares, queues, and tables.

However, storage1 cannot use encryption scopes because hierarchical namespace storage accounts (ADLS Gen2) manage encryption at the account level and do not support per-scope encryption.

Therefore, only storage2 can apply Scope1, and it can encrypt containers, blobs, file shares, queues, and tables.

 Stored access policies: ✅ 2

 Immutable blob storage policies: ✅ 1

From the scenario in the earlier case study (A. Datum Corporation):

The planned change requires creating a new container named cont2 in storage1, with the following:

Three stored access policies (Stored1, Stored2, Stored3)

A legal hold for immutable blob storage

Also, recall from the table:

storage1 has Hierarchical namespace = Yes (Data Lake Storage Gen2 enabled).

storage2 has Hierarchical namespace = No.

The question asks: “What is the maximum number of additional access policies you can create for cont2?”

According to Microsoft Azure Storage documentation:

A blob container can have a maximum of five stored access policies.

These policies allow shared access signatures (SAS) to be managed centrally, letting you define start times, expiry times, and permissions at the container level.

Since three stored access policies (Stored1, Stored2, Stored3) already exist, the maximum additional policies that can still be created is:

→ 5 (maximum allowed) – 3 (already existing) = 2

For immutable blob storage policies:

A container can have one active immutability policy at a time.

This can be either a time-based retention policy or a legal hold policy.

Since cont2 already has a legal hold applied, no additional immutable policy can coexist with it, but it can have one defined policy type (the legal hold).

Therefore:

Stored access policies: 2 additional policies can still be created.

Immutable blob storage policies: 1 policy (the existing legal hold).

This aligns exactly with Microsoft Learn: Azure Storage Blob Service limits and immutable storage documentation:

“A container may have up to five stored access policies. Immutable storage supports either a time-based retention policy or legal hold policy per container.”

Final Verified Answer:

✅ Stored access policies: 2

✅ Immutable blob storage policies: 1

In Microsoft Azure, containerized application deployment can occur using multiple services, depending on the image type and operating system platform used. The question refers to two images — Image1 (Windows Server) and Image2 (Linux) — which are stored in an Azure Container Registry (ACR).

According to the Microsoft Azure Administrator Study Guide (AZ-104) and official Azure documentation, both Windows-based and Linux-based container images can be deployed using any of the following services, depending on the workload requirements:

Azure App Service (Web App for Containers) – supports both Windows and Linux containers for web applications. It allows developers to directly deploy containerized applications from Docker Hub, Azure Container Registry, or a private registry.

Azure Container Apps – serverless container hosting designed for microservices and event-driven architectures. It supports Linux and Windows containers, using Kubernetes behind the scenes, without requiring users to manage the cluster infrastructure.

Azure Container Instances (ACI) – provides lightweight, serverless containers for quick deployment and isolated workloads. It supports both Windows and Linux images and can pull directly from Azure Container Registry.

Therefore, since both Image1 (Windows Server) and Image2 (Linux) are valid container images supported by the same three Azure container services, the correct and verified solution is to select “App Service, Azure Container Apps, or Azure Container Instances” for both.

This matches Azure documentation under:

“Run containerized applications in Azure App Service”

“Deploy containers using Azure Container Instances”

“Build and deploy microservices using Azure Container Apps”

Each of these Azure services supports containerized deployments from ACR regardless of the underlying operating system image type.

Final Verified Answer:

✅ Image1: App Service, Azure Container Apps, or Azure Container Instances

✅ Image2: App Service, Azure Container Apps, or Azure Container Instances

The planned change specifies that you must configure a Data Collection Rule (DCR) to collect only system events with Event ID 4648 from VM2 and VM4.

A Data Collection Rule (DCR) in Azure Monitor defines how data is collected from resources, filtered, and sent to destinations like Log Analytics workspaces. To define or query this data within Azure Monitor Logs or Log Analytics, you use Kusto Query Language (KQL).

From the Microsoft Learn: Azure Monitor Logs Documentation:

“Log queries in Azure Monitor are written in Kusto Query Language (KQL), the same query language used by Azure Data Explorer.”

“KQL is optimized for querying large datasets, filtering by event IDs, sources, and event types.”

Other options:

WQL (WMI Query Language) – used for on-prem Windows event querying, not for Azure DCR.

T-SQL (Transact-SQL) – used for Azure SQL Database queries, not for monitoring data.

XPath – used in Event Viewer or XML-based event filtering, not within Azure Monitor DCR configuration.

Therefore, when you configure DCR1 to collect system events (Event ID 4648) from the specified VMs, the Kusto Query Language (KQL) is the correct and verified method to filter and process these events.

Example of a valid KQL expression for this requirement:

SecurityEvent

| where EventID == 4648

| where Computer in ("VM2", "VM4")

This aligns with the Azure Monitor and Log Analytics query methodology covered in AZ-104 official exam guide (Implement and manage monitoring).

According to the Microsoft Azure Administrator (AZ-104) Study Guide and Azure Role-Based Access Control (RBAC) documentation, permissions to link an Azure Private DNS zone to a virtual network require access to both the virtual network resource and the DNS zone resource.

The process of linking a DNS zone to a virtual network establishes name resolution for the resources within that VNet through the Private DNS zone. To perform this operation, the user must have:

“Microsoft.Network/virtualNetworks/*” permissions (to modify and manage VNet settings).

“Microsoft.Network/privateDnsZones/*” permissions (to manage DNS zone links).

These permissions are granted by two built-in roles:

Network Contributor – Allows full management of the network resources like virtual networks, subnets, and network interfaces but does not allow access to manage DNS zones.

Private DNS Zone Contributor – Allows management of private DNS zones and their link configurations.

Therefore, to grant User1 the ability to link Zone1.com (Private DNS Zone) to VNet1, the correct approach is to assign both roles with the least privilege principle, scoped specifically to the required resources:

Network Contributor on VNet1

Private DNS Zone Contributor on zone1.com

Assigning the permissions at the resource level (and not at the resource group or subscription level) ensures compliance with the principle of least privilege, a core requirement of Azure governance.

This setup enables User1 to perform the exact operation (linking the Private DNS Zone to the VNet) while preventing unnecessary access to unrelated resources.

Final Verified Answer:

✅ Roles: Network Contributor and Private DNS Zone Contributor only

✅ Resources: VNet1 and zone1.com only

Once the VNets are peered, all resources on one VNet can communicate with resources on the other peered VNets. You plan to enable peering between Paris-VNet and AllOffices-VNet. Therefore VMs on Subnet1, which is on Paris-VNet and VMs on Subnet3, which is on AllOffices-VNet will be able to connect to each other.

All Azure resources connected to a VNet have outbound connectivity to the Internet by default. Therefore VMs on ClientSubnet, which is on ClientResources-VNet will have access to the Internet; and VMs on Subnet3 and Subnet4, which are on AllOffices-VNet will have access to the Internet.

D: Seamless SSO works with any method of cloud authentication - Password Hash Synchronization or Pass-through Authentication, and can be enabled via Azure AD Connect.

B: You can gradually roll out Seamless SSO to your users. You start by adding the following Azure AD URL to all or selected users' Intranet zone settings by using Group Policy in Active Directory: https://autologon.microsoftazuread-sso.com

Every Azure AD directory comes with an initial domain name in the form of domainname.onmicrosoft.com. The initial domain name cannot be changed or deleted, but you can add your corporate domain name to Azure AD as well. For example, your organization probably has other domain names used to do business and users who sign in using your corporate domain name. Adding custom domain names to Azure AD allows you to assign user names in the directory that are familiar to your users, such as ‘alice@contoso.com.’ instead of 'alice@domain name.onmicrosoft.com'.

Scenario:

Network Infrastructure: Each office has a local data center that contains all the servers for that office. Each office has a dedicated connection to the Internet.

Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com

Planned Azure AD Infrastructure: The on-premises Active Directory domain will be synchronized to Azure AD.

Every Azure AD directory comes with an initial domain name in the form of domainname.onmicrosoft.com.

The initial domain name cannot be changed or deleted, but you can add your corporate domain name to Azure AD as well. For example, your organization probably has other domain names used to do business and users who sign in using your corporate domain name. Adding custom domain names to Azure AD allows you to assign user names in the directory that are familiar to your users, such as ‘alice@contoso.com.’ instead of 'alice@domain name.onmicrosoft.com'.

Scenario:

Network Infrastructure: Each office has a local data center that contains all the servers for that office. Each office has a dedicated connection to the Internet.

Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com

Planned Azure AD Infrastructure: The on-premises Active Directory domain will be synchronized to Azure AD.

B: You can gradually roll out Seamless SSO to your users. You start by adding the following Azure AD URL to all or selected users' Intranet zone settings by using Group Policy in Active Directory: https://autologon.microsoftazuread-sso.com

E: Seamless SSO works with any method of cloud authentication - Password Hash Synchronization or Pass-through Authentication, and can be enabled via Azure AD Connect.

Explanation

Scenario:

1. Web administrators will deploy Azure web apps for the marketing department.

2. Each web app will be added to a separate resource group.

3. The initial configuration of the web apps will be identical.

4. The web administrators have permission to deploy web apps to resource groups.

Steps:

1 --> Create a resource group, and then deploy a web app to the resource group.

2 --> From the Automation script blade of the resource group , click Add to Library.

3 --> From the Templates service, select the template, and then share the template to the web administrators .

IdFix is used to perform discovery and remediation of identity objects and their attributes in an on-premises Active Directory environment in preparation for migration to Azure Active Directory. IdFix is intended for the Active Directory administrators responsible for directory synchronization with Azure Active Directory.

Scenario: Active Directory Issue

Several users in humongousinsurance.com have UPNs that contain special characters.

You suspect that some of the characters are unsupported in Azure AD.

Cost analysis: Correct Option

In cost analysis blade of Azure, you can see all the detail for custom time span. You can use this to determine expenditure of last few day, weeks, and month. Below options are available in Cost analysis blade for filtering information by time span:  last 7 days, last 30 days, and custom date range. Choosing the first option (last 7 days) auditors can view the costs by time span.

Cost analysis shows data for the current month by default. Use the date selector to switch to common date ranges quickly. Examples include the last seven days, the last month, the current year, or a custom date range. Pay-as-you-go subscriptions also include date ranges based on your billing period, which isn't bound to the calendar month, like the current billing period or last invoice. Use the  links at the top of the menu to jump to the previous or next period, respectively. For example, 

Invoice: Incorrect Option

Invoices can only be used for past billing periods not for current billing period, i.e. if your requirement is to know the last week's cost then that also not filled by invoices because Azure  generates invoice at the end of the month. Even though Invoices have custom timespan, but when you put in dates for a week, the pane would be empty. Below is from Microsoft document:

Resource Provider: Incorrect Option

When deploying resources, you frequently need to retrieve information about the resource providers and types. For example, if you want to store keys and secrets, you work with the Microsoft.KeyVault resource provider. This resource provider offers a resource type called vaults for creating the key vault. This is not useful for reviewing all Azure costs from the past week which is required for audit.

Payment method: Incorrect Option

Payment methods is not useful for reviewing all Azure costs from the past week which is required for audit.

You can opt in and configure additional recipients to receive your Azure invoice in an email. This feature may not be available for certain subscriptions such as support offers, Enterprise Agreements, or Azure in Open.

Select your subscription from the Subscriptions page. Opt-in for each subscription you own. Click Invoices then Email my invoice.

Click Opt in and accept the terms.

Scenario: During the testing phase, auditors in the finance department must be able to review all Azure costs from the past week.

Scenario: Licensing Issue

1. You attempt to assign a license in Azure to several users and receive the following error message: "Licenses not assigned. License agreement failed for one user."

2. You verify that the Azure subscription has the available licenses.

Solution:

License cannot be assigned to a user without a usage location specified.

Some Microsoft services aren't available in all locations because of local laws and regulations. Before you can assign a license to a user, you must specify the Usage location property for the user. You can specify the location under the User > Profile > Settings section in the Azure portal.

Statement 1: Yes

All client computers in the Paris office will be joined to an Azure AD domain.

A virtual network named Paris-VNet that will contain two subnets named Subnet1 and Subnet2.

Microsoft Windows Server Active Directory domains, can resolve DNS names between virtual networks. Automatic registration of virtual machines from a virtual network that's linked to a private zone with auto-registration enabled. Forward DNS resolution is supported across virtual networks that are linked to the private zone.

Statement 2: Yes

A virtual network named ClientResources-VNet that will contain one subnet named ClientSubnet You plan to create a private DNS zone named humongousinsurance.local and set the registration network to the ClientResources-VNet virtual network.

As this is a registration network so this will work.

Statement 3: No

Only VMs in the registration network, here the ClientResources-VNet, will be able to register hostname records. Since Subnet4 not connected to Client Resources Network thus not able to register its hostname with humongoinsurance.local

Active Directory Federation Services is a feature and web service in the Windows Server Operating System that allows sharing of identity information outside a company’s network.

Scenario: Technical Requirements include:

Prevent user passwords or hashes of passwords from being stored in Azure.

Statement 1: Yes

Contoso is moving the existing product blueprint files to Azure Blob storage which will ensure that the blueprint files are stored in the archive storage tier.

Use unmanaged standard storage for the hard disks of the virtual machines. We use Page Blobs for these.

Statement 2: No

Azure Table storage stores large amounts of structured data. The service is a NoSQL datastore which accepts authenticated calls from inside and outside the Azure cloud. Azure tables are ideal for storing structured, non-relational data. Common uses of Table storage include:

1. Storing TBs of structured data capable of serving web scale applications

2. Storing datasets that don't require complex joins, foreign keys, or stored procedures and can be denormalized for fast access

3. Quickly querying data using a clustered index

4. Accessing data using the OData protocol and LINQ queries with WCF Data Service .NET Libraries

Statement 3: No

File Storage can be used if your business use case needs to deal mostly with standard File extensions like *.docx, *.png and *.bak then you should probably go with this storage option.

In Microsoft Azure Active Directory (Azure AD), there is a clear distinction between internal users (members) and external users (guests). When you need to add a large number of external users (B2B collaborators) — such as those listed in a CSV file — you must use Azure AD B2B invitation processes, not the Bulk create user operation.

According to the Microsoft Azure Administrator Study Guide and Azure AD documentation, the Bulk create user operation in the Azure portal is designed only for internal user accounts within the organization’s directory. It cannot be used to create guest user accounts. Guest users must be invited to the directory using either:

The New-AzureADMSInvitation PowerShell cmdlet, which sends invitations to external users’ email addresses and creates guest accounts (userType = “Guest”).

The Azure AD portal “Bulk invite” feature, which allows uploading a CSV file containing email addresses of external users to automate guest account creation.

The documentation explicitly states:

“To invite external users (B2B collaboration users) in bulk, you must use the Bulk invite feature or PowerShell with the New-AzureADMSInvitation cmdlet. The Bulk create operation is only supported for member users.”

(Source: Microsoft Learn – Azure Active Directory B2B collaboration and bulk operations guide)

Therefore, since the scenario uses Bulk create user, it does not meet the goal of creating guest accounts for external users.

In Azure DNS, delegating a subdomain (such as research.adatum.com) to another DNS server or DNS zone requires creating a Name Server (NS) record in the parent domain (adatum.com).

Here’s how DNS delegation works according to the Microsoft Azure DNS documentation:

The parent DNS zone (adatum.com) must contain an NS record set for the subdomain (research).

This NS record points to the authoritative name servers of the child DNS zone (research.adatum.com).

When a DNS query is made for any record under research.adatum.com, the DNS resolution process will follow the delegation and forward the query to the specified DNS servers.

Example configuration:

Record Type

Name

Value

NS

research

ns1-xx.azure-dns.com

ns2-xx.azure-dns.net

This delegation ensures that the subdomain research.adatum.com is managed independently, possibly by another team or subscription.

Other options:

PTR record: Used for reverse DNS lookups, not for delegation.

SOA record: Defines start of authority for a zone, not delegation.

A record: Maps a name to an IP address, not for delegating zones.

✅ Final Verified Answer: B. Create an NS record named research in the adatum.com zone

https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-network-mapping

The subnet of the target VM is selected based on the name of the subnet of the source VM.

- If a subnet with the same name as the source VM subnet is available in the target network, that subnet is set for the target VM.

- If a subnet with the same name doesn't exist in the target network, the first subnet in the alphabetical order is set as the target subnet.

https://learn.microsoft.com/en-us/azure/storage/common/redundancy-migration?tabs=portal

When you perform a VM restore using Azure Backup with the “Replace existing” option:

Azure Backup replaces the existing VM’s operating system disk and configuration with what was captured at the time of the backup.

Data disks added after the backup are not part of the recovery point and are therefore not restored.

Other post-backup changes:

VM size change: Automatically reverted to the size captured in the backup configuration.

File addition (Budget.xls): Not present, because only data up to the backup time is restored.

Password reset: Resetting password does not persist because OS disk from backup overwrites current one.However, when restoring, you can always reset credentials later — but that is expected behavior.

The only configuration that requires manual re-creation after restore is any new data disk added after the backup snapshot.

Yes

No

No

This question tests your understanding of Azure Resource Manager (ARM) template deployments and the copy loop function used to create multiple resources.

The provided ARM template is:

{

"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json# ",

"contentVersion": "1.0.0.0",

"parameters": {},

"variables": {},

"resources": [

{

"type": "Microsoft.Resources/resourceGroups",

"apiVersion": "2018-05-01",

"location": "eastus",

"name": "[concat('RG', copyIndex())]",

"copy": {

"name": "copy",

"count": 4

}

}

],

"outputs": {}

}

Statement 1: The commands will create four new resources. → YES ✅

The ARM template includes a copy loop with "count": 4.

This means that the deployment will iterate four times and create four resource groups named sequentially as:

RG0

RG1

RG2

RG3

Each loop iteration generates one new resource group.

According to Microsoft Learn - Azure Resource Manager Template Documentation, the copy element is used to deploy multiple instances of a resource. Therefore, four resources will indeed be created.

Statement 2: The commands will create storage accounts in the West US Azure region. → NO ❌

The ARM template resource type is clearly defined as:

"type": "Microsoft.Resources/resourceGroups"

This indicates that the deployment creates resource groups, not storage accounts.

Also, the "location" property in the template is explicitly set to "eastus".

Hence, the template creates four resource groups in the East US region, not in West US.

Therefore, this statement is false.

Statement 3: The first storage account that is created will have a prefix of 0. → YES ✅

The name of each resource is defined by:

"name": "[concat('RG', copyIndex())]"

The function copyIndex() starts with a zero-based index, meaning the first iteration uses 0.

So, the first resource created will be:

RG0

This behavior is documented in Azure ARM Templates – copyIndex() function, which specifies that the default starting index is 0 unless an offset value is provided.

Therefore, this statement is true.

✅ Final Verified Answers:

Statement

Answer

Explanation Summary

The commands will create four new resources.

✅ Yes

The copy loop count = 4

The commands will create storage accounts in the West US region.

❌ No

Creates resource groups in East US

The first storage account that is created will have a prefix of 0.

✅ Yes

copyIndex() starts at 0 → RG0

When a virtual machine (VM) in Azure is scheduled for platform maintenance, it can either be planned maintenance (with notification) or unplanned maintenance (without notice). During planned maintenance, administrators have the option to move the VM to a different host proactively to minimize downtime.

According to Microsoft Azure documentation (“Maintenance and updates for Azure virtual machines”), the correct action is to use the “Redeploy” or “Move to another host” feature, not a “One-time update.” The “Redeploy” operation deallocates the VM and migrates it to a new node within Azure’s infrastructure, resolving underlying host issues while preserving OS and data disks.

The “Updates blade” in the Azure portal does not contain a “One-time update” option to move a VM off a host. That term is used in the context of patching or guest OS updates, not host maintenance.

Therefore, the proposed solution does not meet the goal of moving the VM to another host immediately. The correct action would be to redeploy the VM using the Azure portal or Invoke-AzVMRedeploy PowerShell cmdlet.

Storage Type: Premium SSD that uses zone-redundant storage (ZRS)

Host Caching: Read-only

The reasons for this recommendation are:

Premium SSD disks provide the lowest latency and the highest performance among the available disk types12.

Zone-redundant storage (ZRS) provides data resiliency in the event of a datacenter outage by replicating the data across three availability zones in the same region12.

Read-only host caching can improve the read performance of the disk by using the VM’s RAM and local SSD as a cache13. This can also reduce the impact of a host failure on the disk data, as the cached data is not lost4.

Read/write host caching is not recommended for Premium SSD disks, as it can introduce additional latency and reduce the durability guarantees of the disk13.

Box 1: N

Because doesn't have:

Microsoft.Authorization/*/Write - Create roles, role assignments, policy assignments, policy definitions and policy set definitions

Box 2; Yes

Has been assigned;

Microsoft.Compute/virtualMachines/* - Perform all virtual machine actions including create, update, delete, start, restart, and power off virtual machines. Execute scripts on virtual machines.

Box 3: Y

Has been assigned;

Microsoft.Network/networkInterfaces/* - Create and manage network interfaces

See;

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

"A resource can only be created in a virtual network that exists in the same region and subscription as the resource." https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-vnet-plan-design-arm#regions

To enable Traffic Analytics for an Azure subscription, the user must have sufficient privileges to configure Network Watcher, NSG flow logs, and the associated Log Analytics workspace.

As per Microsoft Azure documentation, the following built-in roles can enable Traffic Analytics:

Owner

Contributor

Reader

Network Contributor

The Owner role provides full access to all resources, including the right to delegate permissions and modify configurations. Since the Owner role includes complete management capabilities for all Azure resources at the subscription level, this role absolutely meets the requirements for enabling Traffic Analytics.

The Azure Network Watcher documentation clearly states:

“To enable Traffic Analytics, your account must have any one of the following roles at the subscription scope: Owner, Contributor, Reader, or Network Contributor.”

Therefore, assigning the Owner role to Admin1 at the subscription level ensures Admin1 has the required permissions to enable Traffic Analytics.

User1: You should assign the Reader and Data Access role to User1. This role grants read access to Azure resources and data, including the data in any storage account1. This role is suitable for User1’s task of viewing the data in any storage account, and it follows the principle of least privilege by not granting any write or delete permissions.

User2: You should assign the Storage Account Contributor role to User2. This role grants full access to manage storage accounts and their data, including the ability to assign roles in Azure RBAC2. This role is suitable for User2’s task of assigning users the Contributor role for storage accounts, and it follows the principle of least privilege by not granting access to other types of resources.

In Microsoft Azure, backup vaults and Recovery Services vaults serve distinct purposes depending on the type of data source being protected. The Azure Administrator study guide and Microsoft documentation outline the following key differences and supported workloads:

Backup Vault (Azure Backup Center – Modern Vault):

The Backup vault is designed primarily for Azure Blob storage backup.

It supports backing up Azure Blobs (block blobs) in a storage account.

You can configure backup policies directly in Backup Center and use the “Azure Blobs backup” feature.

This vault type is managed using the Azure Resource Manager (ARM) model and supports new backup scenarios introduced after 2021.

Hence, in this question, cont1 (a blob container) can be backed up only to Backup1 (Backup vault).

Recovery Services Vault:

The Recovery Services vault supports backups for Azure virtual machines (VMs), Azure Files shares, on-premises workloads using the Microsoft Azure Recovery Services (MARS) agent, and SQL/SAP HANA databases on Azure VMs.

It does not support Blob container backup but does support Azure file share backup.

Therefore, share1 (a file share) must be backed up using Recovery1 (Recovery Services vault).

The Azure Backup architecture documentation emphasizes that these vaults are distinct and not interchangeable:

“Recovery Services vaults are used to back up Azure VMs, Azure Files, and on-premises workloads. Backup vaults are used to protect Azure Blobs. You cannot back up Blobs to a Recovery Services vault or back up Azure Files to a Backup vault.”

Thus, following Microsoft’s official storage backup configuration:

cont1 (Blob container) → Backup1 only

share1 (File share) → Recovery1 only

Final Verified Answer:

✅ cont1 → Backup1 only

✅ share1 → Recovery1 only

Let’s break down the ARM template and deployment behavior step by step according to Microsoft Learn and the Azure Administrator exam objectives.

???? ARM Template Overview

{

"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json# ",

"contentVersion": "1.0.0.0",

"parameters": {},

"variables": {},

"resources": [

{

"type": "Microsoft.Resources/resourceGroups",

"apiVersion": "2018-05-01",

"location": "eastus",

"name": "[concat('RG', copyIndex())]",

"copy": {

"name": "copy",

"count": 4

}

}

],

"outputs": {}

}

This template defines a resource group creation loop using the copy element, which instructs Azure Resource Manager to deploy multiple instances of the same resource type.

???? Statement 1:

“The commands will create four new resources.” → ✅ YES

The "copy": { "count": 4 } directive tells ARM to repeat the resource creation four times.

This means the deployment will create four resource groups, named as per the "name" property.

The naming logic:

"name": "[concat('RG', copyIndex())]"

The copyIndex() function returns an integer starting at 0 by default.

Therefore, resource groups will be created as:

RG0

RG1

RG2

RG3

Hence, four resource groups are created — ✅ Yes

???? Statement 2:

“The commands will create storage accounts in the West US Azure region.” → ❌ NO

The ARM template defines the resource type as "Microsoft.Resources/resourceGroups", not a "Microsoft.Storage/storageAccounts" type.

This means no storage accounts are created; only resource groups are being deployed.

Additionally, the "location" property explicitly states "eastus", not "westus".

Therefore:

Resource type → Resource Groups (not Storage Accounts)

Location → East US

✅ Correct answer: No

???? Statement 3:

“The first resource that is created will have a prefix of 0.” → ✅ YES

The copyIndex() function starts counting at 0 unless a base index is provided.

Syntax:

copyIndex([offset])

Default offset = 0

Therefore, first iteration → copyIndex() = 0

So the first resource will be named RG0.

Subsequent ones will be RG1, RG2, RG3.

✅ Answer: Yes

✅ Final Verified Answers

Statement

Answer

The commands will create four new resources

✅ Yes

The commands will create storage accounts in the West US Azure region

❌ No

The first resource that is created will have a prefix of 0

✅ Yes

Microsoft Official Documentation References (Azure Administrator Exam Topics):

Deploy resources in parallel using copy loops in ARM templates

“When you use the copy loop, Azure Resource Manager creates multiple instances of a resource. The copyIndex() function starts at 0 by default.”

Template reference – Microsoft.Resources/resourceGroups

“Use this resource type to create or modify resource groups.”

Location property in templates

“The location value determines the region where the resource is deployed.”

✅ Final Verified Answers:

Four resources created: Yes

Storage accounts in West US: No

First resource prefix 0: Yes

The average CPU percentage is calculated 24 times per day. This is because the exhibit shows the CPU percentage for ASP1 in a 24-hour period, with one data point for each hour. Therefore, the average CPU percentage is calculated once per hour, or 24 times per day1.

ASP1 must be scaled out to optimize CPU usage. This is because the exhibit shows that the CPU percentage for ASP1 is consistently above 80%, which indicates that the app service plan is under high load and needs more instances to handle the traffic. Scaling out means adding more instances to an app service plan, which can improve the performance and availability of the apps hosted on it2. Scaling up means changing the pricing tier of an app service plan, which can increase the resources available for each instance, but not necessarily reduce the CPU usage3.

The Traffic Manager Contributor role is not related to Traffic Analytics. Traffic Manager is a service that provides DNS-based load balancing and traffic routing across different regions and endpoints. Traffic Manager Contributor is a role that allows you to create and manage Traffic Manager profiles, endpoints, and geographies1.

Traffic Analytics is a service that provides visibility into user and application activity in your cloud networks. Traffic Analytics analyzes Azure Network Watcher network security group (NSG) flow logs to provide insights into traffic flow in your Azure cloud. With Traffic Analytics, you can visualize network activity, identify hot spots, secure your network, optimize your network deployment, and pinpoint network misconfigurations2.

To enable Traffic Analytics for an Azure subscription, you need to have a role that grants you the following permissions at the subscription level:

Microsoft.Network/applicationGateways/read

Microsoft.Network/connections/read

Microsoft.Network/loadBalancers/read

Microsoft.Network/localNetworkGateways/read

Microsoft.Network/networkInterfaces/read

Microsoft.Network/networkSecurityGroups/read

Microsoft.Network/publicIPAddresses/read

Microsoft.Network/routeTables/read

Microsoft.Network/virtualNetworkGateways/read

Microsoft.Network/virtualNetworks/read

Microsoft.OperationalInsights/workspaces/*

Some of the built-in roles that have these permissions are Owner, Contributor, or Network Contributor3. However, these roles also grant other permissions that may not be necessary or desirable for enabling Traffic Analytics. Therefore, the best practice is to use the principle of least privilege and create a custom role that only has the required permissions for enabling Traffic Analytics4.

Therefore, to meet the goal of ensuring that an Azure AD user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription, you should create a custom role with the required permissions and assign it to Admin1 at the subscription level.

WebApp1 can communicate with VM2. No, this is not correct. According to the tables, WebApp1 is integrated with VNet1, which has a peering connection with VNet2. However, VM2 is in VNet3, which is not peered with VNet1 or VNet2. Therefore, WebApp1 cannot communicate with VM2 across different virtual networks1.

NSG1 controls inbound traffic to WebApp1. No, this is not correct. According to the tables, NSG1 is associated with Subnet1 in VNet1, which is integrated with WebApp1. However, network security groups only control outbound traffic from App Service apps to virtual networks, not inbound traffic to App Service apps from virtual networks2. Therefore, NSG1 does not control inbound traffic to WebApp1.

WebApp2 can communicate with VM1. Yes, this is correct. According to the tables, WebApp2 is integrated with VNet3, which has a peering connection with VNet2. VM1 is in Subnet2 in VNet2, which has a network security group named NSG2 that allows inbound traffic from any source on port 803. Therefore, WebApp2 can communicate with VM1 on port 80 across peered virtual networks.

Azure role-based access control (RBAC) now supports role assignment conditions for finer-grained access management. Conditions are written using the Azure Resource Manager (ARM) condition language and allow you to enforce specific rules (for example, limit access to particular blobs or queues).

However, conditional access in RBAC is currently available only for data actions in Azure Storage accounts and Azure Key Vault. According to the Microsoft Learn documentation for Azure Storage RBAC with conditions, the following services support conditional role assignments:

Blob storage (containers and blobs)

Queue storage

This means that you can apply conditions on containers (for blobs) and queues, but not on file shares or tables.

Conditions can restrict access to:

Specific container names or blob prefixes.

Specific queue names or messages.

For example, you could allow a user to read blobs only under a given prefix or queue, enhancing least-privilege control.

✅ Supported: Containers (Blob storage), Queues

❌ Not supported: File shares, Tables

Microsoft Azure Reference (Conceptual Summary):

"You can add conditions to Azure role assignments for blob and queue data actions. Conditions are not yet supported for Azure Files or Tables."

(Source: Microsoft Learn – Azure role assignment conditions for storage data actions)

n this scenario, User1 has two role assignments:

Reader (Inherited from Resource Group scope)

Scope: Resource Group (inherited)

Permission type: Read-only access

Allows User1 to view the configuration and properties of Azure resources within the resource group (including the storage account).

However, it does not allow data operations, such as reading or writing blob contents.

Storage Blob Data Contributor (Assigned at “This resource” level)

Scope: storageacct1234 (this resource)

Permission type: Data access for blob content

Allows read, write, and delete operations on blob data in the storage account.

According to Microsoft Azure built-in roles documentation:

Reader role: “View Azure resources but cannot make any changes.”

Storage Blob Data Contributor role: “Grants read, write, and delete permissions to Azure Storage blob containers and data.”

This means:

User1 can upload blobs because the Storage Blob Data Contributor role provides write permissions.

User1 can view blob data because the same role provides read access to blob content.

User1 cannot assign roles (no RBAC management rights, as the role doesn’t include Microsoft.Authorization/* actions).

User1 cannot modify the firewall or network settings of the storage account — those actions require Contributor or Owner roles at the management plane level.

User1 can view file shares under the storage account metadata due to Reader access but cannot access data within them because that requires Storage File Data SMB Share Reader/Contributor permissions (different data plane).

✅ Final Verified Answers:

B. Upload blob data to storageacct1234

D. View blob data in storageacct1234

Summary (from Microsoft Role Documentation Extracts):

Storage Blob Data Contributor = Can read/write/delete blob data (Data Plane)

Reader = Can view Azure resource configuration (Management Plane)

No permission to assign roles or modify security/firewall settings.

In Azure AD, the ability to invite external (guest) users is controlled through External collaboration settings, found under Users → External collaboration settings in the Azure AD portal.

If a User administrator attempts to invite an external user but receives a “Generic authorization exception”, this typically means the organization’s external collaboration restrictions prevent user invitations.

According to Microsoft documentation (Configure external collaboration settings in Azure AD):

“To enable administrators or users to invite external guests, you must configure the External collaboration settings. You can define who can invite guest users into the directory, including administrators, users, or only specific roles.”

By updating these settings to allow User administrators to send invitations, Admin1 will be able to successfully invite the external partner (user1@outlook.com).

NYN

Box 1: "tag1": "value1" only

Box 2: "tag2": "value2" and "tag3": "value3"

Tags applied to the resource group are not inherited by the resources in that resource group.

✅ Yes, Yes, No

1️⃣ Create a Log Analytics workspace.

2️⃣ Collect Windows performance counters from the Log Analytics agents.

3️⃣ Create an alert rule.

The question states:

“You need to configure the alerts for VM1 and VM2 to meet the technical requirements.”

The technical requirement from the case study specifies:

“Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.”

This requirement involves monitoring performance metrics (disk space) and generating alerts based on those metrics. According to Microsoft Azure monitoring and management documentation, the process to configure such alerts involves using Azure Monitor and Log Analytics.

Step-by-Step Verified Solution:

Step 1: Create a Log Analytics workspace

A Log Analytics workspace is required to store and analyze logs and performance data collected from virtual machines.

Azure Monitor uses this workspace as the central repository for performance counters, events, and logs from connected agents.

From the Microsoft Documentation:

“Before you can collect and query data from virtual machines, you must create a Log Analytics workspace in your subscription.”

(Source: Azure Monitor and Log Analytics Guide)

Step 2: Collect Windows performance counters from the Log Analytics agents

After creating the workspace, you must connect VM1 and VM2 to the workspace and configure the Windows performance counters that you want to monitor.

In this case, you would collect the LogicalDisk(%) Free Space counter for C: drive.

Azure Monitor agent or Log Analytics agent collects these metrics and sends them to the workspace for analysis.

“To monitor system performance, configure the agent to collect performance counters such as available memory or free disk space.”

(Source: Azure Monitor Performance Counters Documentation)

Step 3: Create an alert rule

Once performance data is being collected, you can create an alert rule in Azure Monitor based on a Kusto query or metric threshold.

You would define a condition such as:

LogicalDisk | where FreeSpaceMB < 20480

and configure it to trigger an alert when free space on volume C drops below 20 GB.

This alert can notify via email, action group, or automation runbook.

“Alerts in Azure Monitor proactively notify you when important conditions are found in your monitoring data. Alerts can trigger automated actions or notifications.”

(Source: Azure Monitor Alerts Overview)

Incorrect Options (Eliminated):

Configure the Diagnostic settings:

Used for collecting activity logs or resource logs, not performance counters from VMs.

Create an Azure SQL database:

Not relevant to the scenario of monitoring disk space.

In Azure, Load Balancers distribute network traffic across multiple virtual machines (VMs) to ensure high availability and reliability. To add virtual machines to the backend pool of an Azure Load Balancer, the following key conditions must be met according to the Microsoft Azure Administrator documentation:

All VMs in the backend pool must be connected to the same virtual network (VNet) as the Load Balancer.

The Load Balancer (in this case, LB1) is configured for internal load balancing on VNET1/Subnet1 as per the technical requirements of the case study.

The backend pool can include network interfaces (NICs) from VMs within the same region and VNet.

Step-by-step analysis:

From the case study data:

VM

Location

Connected to

IP Address

VM1

West US

VNET1/Subnet1

10.0.1.4

VM2

West US

VNET1/Subnet2

10.0.2.4

LB1

Internal Basic Load Balancer

Connected to VNET1/Subnet1

—

Observation:

VM1 is already connected to VNET1/Subnet1, where the internal Load Balancer LB1 is also deployed.

VM2, however, is connected to VNET1/Subnet2, which is a different subnet within the same virtual network.

According to Microsoft Learn (“Configure backend pools in Azure Load Balancer”):

“All network interfaces in the backend pool must be within the same virtual network as the load balancer. You cannot add VMs connected to different VNets or subnets not associated with the load balancer’s front-end configuration.”

Therefore, before you can add VM2 to the backend pool, you must ensure that its network interface is attached to VNET1/Subnet1, the same subnet used by LB1.

Only after this step will both VMs (VM1 and VM2) be eligible for inclusion in LB1’s backend pool.

Incorrect Option Analysis:

A. Create a new NSG and associate the NSG to VNET1/Subnet1.

❌ Not required. Network Security Groups control traffic filtering, not backend pool configuration.

C. Redeploy VM1 and VM2 to the same availability zone.

❌ Availability Zones only matter for redundancy and failover, not for backend pool eligibility in a basic internal load balancer.

D. Redeploy VM1 and VM2 to the same availability set.

❌ Basic Load Balancers can distribute traffic across VMs in the same availability set, but both VMs must already reside in the same VNet/Subnet first.

Final Verified Answer:

✅ B. Connect VM2 to VNET1/Subnet1

Reference (Microsoft Official Documentation):

Microsoft Learn: Configure the backend pool for Azure Load Balancer

Microsoft Learn: Azure Load Balancer overview

Microsoft Learn: Create and configure an internal load balancer

Microsoft Learn: Virtual network and subnet requirements for load balancing

To meet the technical requirement that User1 can create initiative definitions and User4 can assign initiatives to RG2, we must understand how Azure Policy roles operate according to Microsoft Azure documentation and AZ-104 study guides.

Azure Policy uses role-based access control (RBAC) to determine who can create, manage, and assign policies or initiatives (policy sets). The key roles relevant to this task are:

Resource Policy Contributor – Allows users to create, edit, and delete policy definitions and initiative definitions, but does not allow assignment of policies or initiatives. This role is required for users who will design or build the policy logic (definitions).

Therefore, User1, who needs to create initiative definitions, must have the Resource Policy Contributor role.

Scope: Subscription (Sub1) – because initiatives are created at subscription or management group level.

Contributor – Provides full access to manage resources, except granting permissions. Contributors can assign existing policies or initiatives to resource groups or subscriptions if they have sufficient permissions.

Therefore, User4, who needs to assign initiatives to RG2, must be assigned the Contributor role at the RG2 scope.

Other roles:

Security Admin is related to Microsoft Defender for Cloud security settings, not policy creation.

Resource Policy Contributor for RG2 would not meet the requirement because creating definitions typically requires subscription-level access.

According to Microsoft Docs (“Azure built-in roles for Policy”):

“The Resource Policy Contributor role allows users to create, edit, and delete Azure policy and initiative definitions. To assign policies or initiatives, users need the Contributor or Owner role at the appropriate scope.”

Hence, the configuration should be:

User1: Resource Policy Contributor for Sub1

User4: Contributor for RG2

You must identify the correct storage account for flow logging of IP traffic from VM5 that satisfies the retention requirement of eight months.

Step 1 — Review the Requirements

Flow logs are stored in a StorageV2 (general purpose v2) account.

The selected storage account must support Network Watcher flow logs.

Data must be retained for eight months (≈ 240 days).

Step 2 — Evaluate Each Storage Account

Storage Account

Kind

Region

Remarks

storage1

Storage (general purpose v1)

West US

Does not support flow logs (deprecated type).

storage2

StorageV2 (general purpose v2)

East US

Fully supports flow logs and lifecycle management.

storage3

BlobStorage

East US 2

Not suitable — supports blobs only, not log structure or lifecycle retention.

storage4

FileStorage

Central US

File-only — cannot store flow logs.

Step 3 — Compliance with Flow Log Retention

Flow logs for Network Watcher NSG flow logging are supported only by StorageV2 accounts. You can use Azure Storage lifecycle management to automatically delete logs after a set period — such as 240 days (8 months) — to comply with retention requirements.

Official Microsoft Note:

“Network security group (NSG) flow logs are stored in Azure StorageV2 (General Purpose v2) accounts, which support lifecycle management for log retention.” — Azure Network Watcher documentation.

Conclusion

storage2 is the only StorageV2 account.

It’s located in East US, matching VM5’s region (East US) — this satisfies performance and compliance requirements.

The question asks which storage account type should be created for storage5 and which existing storage account should be configured as the destination for replication — while supporting the planned changes.

Step 1: Planned Change Requirement

From the case study:

“Create a storage account named storage5 and configure storage replication for the Blob service.”

This indicates that storage5 will act as a secondary (destination) account to receive geo-replicated blobs (as part of RA-GRS or GRS replication configuration).

Therefore, the new storage5 must support Blob service replication features.

Step 2: Determining Correct Account Type

According to Microsoft Azure Administrator Documentation (Microsoft Learn: “Types of storage accounts”):

Account Type

Blob Support

File Share Support

Recommended Use

Storage (general purpose v1)

✅ Basic blob

Limited

Legacy use, lacks advanced features

StorageV2 (general purpose v2)

✅ Full blob, file, queue, table support

✅

Supports replication (GRS, RA-GRS, ZRS) and access tiers

BlobStorage

✅ Blob only

❌ No file shares

Used only for block and append blobs

BlockBlobStorage

✅ Blob only (premium tier)

❌ No file shares

High-performance workloads only

Therefore, the correct type for storage5 must be StorageV2, as it supports both:

Blob service replication (GRS, RA-GRS, ZRS, LRS)

All tiers (Hot, Cool, Archive)

This meets the planned change and ensures the account supports replication for Blob service.

Step 3: Determining the Correct Destination Storage Account

The question also requires identifying which existing storage account should act as the destination for replication configuration.

In Azure, Blob service replication (for example, geo-redundant replication or object replication) requires:

Both storage accounts to be StorageV2.

Both to be in the same region pair and have object replication enabled.

Looking at the table:

Storage Account

Kind

Location

File Share

Identity-based Access

storage1

Storage (general purpose v1)

West US

sharea

Azure AD DS

storage2

StorageV2 (general purpose v2)

East US

shareb, sharec

Disabled

storage3

BlobStorage

East US 2

N/A

N/A

storage4

FileStorage

Central US

shared

Azure AD DS

Only storage2 meets all of the following conditions:

✅ Type: StorageV2

✅ Region: East US (a valid replication pair for East US 2 or secondary region)

✅ Blob Service supported

Hence, storage2 is the correct destination storage account to configure for replication from storage5.

Step 4: Supporting Microsoft Azure Documentation Extracts

From Microsoft Learn – Azure Storage account overview:

“General-purpose v2 accounts support all Azure Storage features, including blob, file, queue, and table storage. They are recommended for most scenarios.”

“Object replication requires both source and destination accounts to be of the same type (StorageV2) and in regions that are geo-paired.”

“Blob and StorageV2 accounts support replication options such as LRS, ZRS, GRS, and RA-GRS.”

Azure role-based access control (Azure RBAC) for Azure file shares requires identity-based authentication integration. According to the Microsoft Azure Administrator documentation, this feature is only supported for StorageV2 (general purpose v2) and FileStorage account types.

In this scenario:

You are required to grant Group4 read-only access using Azure RBAC on Azure file shares.

The technical requirement specifies:

“Whenever possible, grant Group4 Azure RBAC read-only permissions to the Azure file shares.”

From the case study data:

Storage Account

Kind

Identity-based Access

storage1

Storage (general purpose v1)

Azure AD DS

storage2

StorageV2

Disabled

storage3

BlobStorage

N/A

storage4

FileStorage

Azure AD DS

The Storage (general purpose v1) type (storage1) does not support Azure AD or Azure RBAC integration for file shares. Microsoft documentation clearly states that “StorageV1 accounts must be upgraded to StorageV2 to support Azure AD authentication and RBAC role assignments.”

Meanwhile, FileStorage (storage4) already supports Azure AD Domain Services (Azure AD DS) and RBAC role assignment; hence no further modification is required there. However, to make storage1 compatible, it must be converted from StorageV1 to StorageV2.

Once converted to StorageV2, you can then:

Enable identity-based access for Azure file shares.

Assign Azure RBAC roles (e.g., Storage File Data Reader) to Group4.

Microsoft-Documented Requirements Summary:

Supported Account Types: StorageV2 or FileStorage

Unsupported: StorageV1 and BlobStorage

Required RBAC Roles for Read-Only Access:

Storage File Data Reader (or custom read-only role)

Thus, to meet the organization’s requirement to provide Azure RBAC read-only permissions, you must change the account type of storage1 to StorageV2, ensuring both storage1 and storage4 can be managed with Azure RBAC.

To enable communication between virtual machines (VMs) located in different virtual networks (VNets) in Azure, the most efficient and recommended approach—according to Microsoft Azure Administrator documentation—is to use VNet peering.

1. Background and Scenario Analysis

From the case study:

VM1 and VM4 are located in different VNets (VNET1 and VNET3).

The requirement is to ensure that VM1 can communicate with VM4.

The solution must minimize administrative effort and cost.

2. Microsoft Documentation Insight: VNet Peering

According to Microsoft Learn: “Virtual network peering”:

“Virtual network peering seamlessly connects two Azure virtual networks. The virtual networks appear as one for connectivity purposes. Traffic between peered virtual networks uses private IP addresses, as if they were part of the same network, and the traffic stays entirely on the Microsoft backbone network.”

Key characteristics of VNet peering:

Enables private IP connectivity between resources across peered VNets.

No need to deploy or maintain gateways (unlike VPN gateways).

Provides low latency and high bandwidth.

Supports transitive routing through additional configurations.

Minimal administrative overhead — peering can be created with just a few clicks or PowerShell/CLI commands.

3. Why the Other Options Are Incorrect

A. Create a user-defined route (UDR) from VNET1 to VNET3.

❌ A UDR alone cannot enable connectivity between VNets unless a gateway or peering already exists. Without a connection path, a route has no effect.

B. Assign VM4 an IP address of 10.0.1.5/24.

❌ This would attempt to place VM4 in the same subnet as VM1, but cross-VNet subnet IP assignment is not possible in Azure. Each VNet has its own isolated address space.

D. Create an NSG and associate it with VM1 and VM4.

❌ Network Security Groups control traffic filtering within or between existing network connections. They do not create connectivity between isolated VNets.

4. Why Peering Is the Correct and Simplest Solution

Establishing VNet peering between VNET1 and VNET3 will:

Instantly enable bidirectional private IP communication between VM1 and VM4.

Minimize administrative effort (no gateways, routing tables, or IP reconfiguration).

Maintain security and performance through Microsoft’s internal backbone.

Avoid additional costs compared to deploying VPN gateways.

5. Implementation Summary

Steps to configure:

In the Azure Portal, go to VNET1 → Peerings → Add.

Choose VNET3 as the peer virtual network.

Enable Allow virtual network access in both directions.

Once completed, both VMs (VM1 and VM4) will communicate using their private IPs.

Final Verified Answer: ✅ C. Establish peering between VNET1 and VNET3

References (Microsoft Official Documentation):

Microsoft Learn — Virtual network peering overview

Microsoft Learn — Create, change, or delete a virtual network peering

Microsoft Learn — Azure virtual network connectivity options and recommendations

Scenario: Litware must meet technical requirements including:

Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.

IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. While any source or destination IP can be chosen, IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.

https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell

Get-AzRoleDefinition -Name "Reader" | ConvertTo-Json

https://docs.microsoft.com/en-us/powershell/module/az.resources/get-azroledefinition?view=azps-5.9.0

https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/convertto-json?view=powershell-7.1

https://docs.microsoft.com/en-us/powershell/module/azuread/get-azureaddirectoryrole?view=azureadps-2.0

Box 1: Create a Recovery Services vault

Create a Recovery Services vault on the Azure Portal.

Box 2: Install the Azure Site Recovery Provider

Azure Site Recovery can be used to manage migration of on-premises machines to Azure.

Scenario: Migrate the virtual machines hosted on Server1 and Server2 to Azure.

Server2 has the Hyper-V host role.

Scenario: Create a workflow to send an email message when the settings of VM4 are modified.

You can start an automated logic app workflow when specific events happen in Azure resources or third-party resources. These resources can publish those events to an Azure event grid. In turn, the event grid pushes those events to subscribers that have queues, webhooks, or event hubs as endpoints. As a subscriber, your logic app can wait for those events from the event grid before running automated workflows to perform tasks - without you writing any code.

Box 1: Create a virtual network gateway and a local network gateway.

Azure VPN gateway. The VPN gateway service enables you to connect the VNet to the on-premises network through a VPN appliance. For more information, see Connect an on-premises network to a Microsoft Azure virtual network. The VPN gateway includes the following elements:

Virtual network gateway. A resource that provides a virtual VPN appliance for the VNet. It is responsible for routing traffic from the on-premises network to the VNet.

Local network gateway. An abstraction of the on-premises VPN appliance. Network traffic from the cloud application to the on-premises network is routed through this gateway.

Connection. The connection has properties that specify the connection type (IPSec) and the key shared with the on-premises VPN appliance to encrypt traffic.

Gateway subnet. The virtual network gateway is held in its own subnet, which is subject to various requirements, described in the Recommendations section below.

Box 2: Configure a site-to-site VPN connection

On premises create a site-to-site connection for the virtual network gateway and the local network gateway.

Scenario: Connect the New York office to VNet1 over the Internet by using an encrypted connection.

Technically, The finance department needs to migrate their users from AD to AAD using AADC based on the finance OU, and need to enforce MFA use. This is conditional access policy. Employees also often get promotions and/or join other departments and when that occurs, the user's OU attribute will change when the admin puts the user in a new OU, and the dynamic group conditional access exception (OU= [Department Name Value]) will move the user to the appropriate dynamic group on next AADC delta sync.

https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates