AZ-104 Study Material

You have an Azure subscription.
You plan to implement four Azure virtual networks that will be peered. All virtual
machines will use a DNS suffix of contoso.com.
You need to configure name resolution for the virtual networks to ensure that all the
virtual machines can communicate by using their FQDNs. The solution must
minimize administrative effort.
What should you use?

Select only one answer.
a DNS server on an Azure virtual machine
✅
Azure-provided name resolution
an Azure Private DNS zone
an Azure public DNS zone
✅ explanation: Azure Private DNS allows for private name resolution between Azure
virtual networks. Azure public DNS provides DNS for public access, such as name
resolution for a publicly accessible website. Azure-provided name resolution does
not support user-defined domain names and only supports a single virtual network. A
DNS server on a virtual machine can also be used to achieve the goal but involves
much more administrative effort to implement and maintain than using Azure Private
DNS.
Name resolution for resources in Azure virtual networks | Microsoft Learn
Host your domain on Azure DNS - Training | Microsoft Learn
You have an Azure subscription that contains four virtual machines. Each virtual
machine is connected to a subnet on a different virtual network.
You install the DNS Server role on a virtual machine named VM1.
You configure each virtual network to use the IP address of VM1 as the DNS server.
You need to ensure that all four virtual machines can resolve IP addresses by using
VM1.
What should you do?

✅ Configure network peering.
Create and associate a route table to all four subnets.
Configure a DNS server on all four virtual machines.
Create Site-to-Site (S2S) VPNs.
✅ Explanation: By default, Azure virtual machines can communicate only with other
virtual machines that are connected to the same virtual network. If you want a virtual
machine to communicate with other virtual machines that are connected to other
virtual networks, you must configure network peering.
A route table controls how network traffic is routed. But without network peering,
network traffic is still limited to single virtual network.
Configuring a Site-to-Site (S2S) VPN is incorrect because you are not connecting
on-premises virtual machines to the cloud.
Azure virtual network service endpoints | Microsoft Learn
Configure network routing and endpoints - Training | Microsoft Learn
You have an Azure virtual network named VNet1.
You create an Azure Private DNS zone named contoso.com.
You need to ensure that the virtual machines on VNet1 register in the contoso.com
private DNS zone.
What should you do?

Configure each virtual machine to use a custom DNS server.
Add Azure DNS Private Resolver to VNet1.
Configure VNet1 to use a custom DNS server.
✅ Add a virtual network link to contoso.com.
✅
Explanation: To associate a virtual network to a private DNS zone, you add the
virtual network to the zone by creating a virtual network link.
Azure DNS Private Resolver is used to proxy DNS queries between on-premises
environments and Azure DNS.
A custom DNS server will work if you deploy a DNS server as a virtual machine or an
appliance, however, this configuration does not work with a private DNS zone.
Quickstart - Create an Azure private DNS zone using the Azure portal | Microsoft
Learn
Configure Azure DNS - Training | Microsoft Learn
You have an Azure subscription that contains the following virtual networks:
● VNet1 has an IP address range of 192.168.0.0/24.

You need configure virtual network peering.
Which two peerings can you create? Each correct answer presents complete
solution.
Select all answers that apply.
✅ VNet1 can be peered with VNet2.
VNet1 can be peered with VNet3.
✅ VNet2 can be peered with VNet3.
VNet3 can be peered with VNet1.
Explanation: VNet1 and VNet2 have non-overlapping IP addresses. For virtual
network peering, both virtual networks must have non-overlapping IP addresses.
Azure Virtual Network peering | Microsoft Learn
Configure virtual network peering - Training | Microsoft Learn
You have an Azure virtual network that contains four subnets. Each subnet contains
10 virtual machines.
You plan to configure a network security group (NSG) that will allow inbound traffic
over TCP port 8080 to two virtual machines on each subnet. The NSG will be
associated to each subnet.
You need to recommend a solution to configure the inbound access by using the
fewest number of NSG rules possible.
What should you use as the destination in the NSG?

✅ an application security group
the subnets of the virtual machines
a service tag
Explanation: Application security groups allow you to group together the network
interfaces from multiple virtual machines, and then use the group as the source or
destination in an NSG rule. The network interfaces must be in the same virtual
network.
You can use the IP address of each virtual machine as the destination, but you must
create a rule for each virtual machine.
Using the subnets will require four rules and will also allow traffic to all the virtual
machines on those subnets.
Service tags are for specific Azure services, such as Azure App Service or Azure
Backup.
Azure application security groups overview | Microsoft Learn
Configure network security groups - Training | Microsoft Learn
You have a virtual machine named VM1 that is assigned to a network security group
(NSG) named NSG1.
NSG1 has the following outbound security rules:
Rule1:
● Priority: 900
● Name: BlockInternet
● Port: 80
● Protocol: TCP
● Source: Any
● Destination: Any
● Action: Block
Rule2:
● Priority: 1000
● Name: AllowInternet
● Port: 80
● Protocol: TCP
● Source: Any
● Destination: Any
● Action: Allow
You need to ensure that internet access to VM1 on port 80 is allowed.
What should you do?

✅ Change the priority of Rule2.
Change the name of Rule1.
Change the action of Rule2.
Change the source of Rule 2.
Explanation: Rule1 has higher priority, so the action will be blocked. You can
increase the priority of Rule2, decrease the priority of Rule1, or change the action of
Rule1 to achieve the goal.
Azure network security groups overview | Microsoft Learn
You have three network security groups (NSGs) named NSG1, NSG2, and NSG3.
Port 80 is blocked in NSG3 and allowed in NSG1 and NSG2.
You have four Azure virtual machines that have the following configurations:
VM1:
● Subnet: Subnet1
● Network card: NIC1
● NIC1 is assigned to NSG2.
VM2:
● Subnet: Subnet1
VM3:
● Subnet: Subnet3
VM4:
● Subnet: Subnet2
You have the following subnets:
● Subnet1 is assigned to NSG1.

● Subnet2 is assigned to NSG3.
● Subnet 3 does not have an NSG assigned.
Which virtual machine will allow traffic from the internet on port 80?
✅ VM1
VM2
VM3
VM4
Explanation:On VM1, both NSGs assigned to Subnet1 and the NIC1 card allow
traffic on port 80. On VM2, NSG1 allows traffic, but NSG3 blocks traffic for the
network interface. On VM3 and VM4, NSG3 blocks traffic.
Network security group - how it works | Microsoft Learn
Your company plans to migrate servers from on-premises to Azure. There will be
dev, test, and production virtual machines on a single virtual network.
You need to restrict traffic between the dev, test, and production virtual machines to
specific ports.

✅ a network security group (NSG)
an Azure firewall
an Azure load balancer
an Azure VPN gateway
Explanation:Must configure network security group (NSG) rules to allow TCP or
ICMP traffic for specific ports. Azure Firewall is a managed service that protects your
Azure services across multiple virtual networks. Load balancers are used to
distribute incoming traffic to available backend servers. Azure VPN is used to have a
connection establishment between on-premises and Azure.
You deploy web servers to two virtual machines named VM1 and VM2 in an
availability set named AVSet1.
You need to configure Azure Load Balancer with a backend pool of VM1 and VM2.
The solution must minimize costs.
Which SKU should you use for the Azure Load Balancer configuration?
✅ Basic Azure Load Balancer with Basic SKU public IP
Basic Azure Load Balancer with Standard SKU public IP
Azure Standard Load Balancer with Basic SKU public IP
Azure Standard Load Balancer with Standard SKU public IP
Explanation: Basic Azure Load Balancer supports deployment in a single availability
zone. Basic Azure Load Balancer supports only Basic SKU public IP. Azure Standard
Load Balancer is zone-redundant, but has a higher cost.
Azure Load Balancer SKUs | Microsoft Learn
Configure Azure Load Balancer - Training | Microsoft Learn
You migrate a web app from on-premises to an Azure virtual machine. The web app
was configured by using load balancing in Azure.
Users experience issues when accessing the web app. You suspect an issue with
the web server and must check whether the server is listening on port 80.
Which command should you run?

Get-AzVirtualNetworkUsageList
nbtstat -c
✅
Test-NetConnection localhost
netstat -an
Explanation: Using netstat -an will list the ports that the server is listening on.
Test-NetConnection will perform a ping/ICMP test. Nbtstat -c checks the NBT
cache. Get-AzVirtualNetwork gets the virtual networks in a resource group.
Troubleshoot Azure Load Balancer | Microsoft Learn
You have an Azure subscription that contains multiple virtual machines and a public
load balancer named PLB1. PLB1 is configured to balance ports 80 and 443 on the
virtual machines.
A virtual machine named VM1 will be used to connect to all other virtual machines by
using RDP.
You need to forward all RDP requests to VM1 only.
What should you do?

✅ Configure an inbound NAT rule.
Configure a public IP address.
Add a load balancer named LB1 to VM1.
Explanation: Configuring an inbound NAT rule allows you to connect to virtual
machines on an Azure virtual network by using the Azure Load Balancer IP address
and port number.
Configure VPN NAT rules for your gateway - Azure Virtual WAN | Microsoft Learn
You have an Azure subscription that contains a resource group named RG1. RG1
contains two virtual machines named VM1 and VM2.
You need to inspect all the network traffic from VM1 to VM2.The solution must use
Azure Monitor metrics.
Which two actions should you perform? Each correct answer presents part of the
solution.
Configure Network In and Network Out.
Configure a log alert.
✅ Use packet capture.
✅ Install AzureNetworkWatcherExtension.
Explanation: Azure Network Watcher variable packet capture allows you to create
packet capture sessions to track traffic to and from a virtual machine. Packet capture
helps to diagnose network anomalies both reactively and proactively.
Tutorial: Monitor network communication between two virtual machines using the
Azure portal | Microsoft Learn
Introduction to Packet capture in Azure Network Watcher | Microsoft Learn
Configure Network Watcher - Training | Microsoft Learn
has a virtual network named VNet3, a virtual machine named VM1, and a public IP
address named PubIP1. All the resources are in the West US Azure region.
You plan to create and configure a network security group (NSG) named NSG1 for
the following types of traffic:
● Remote Desktop Management

● HTTP
NSG1 will be used on the subnets of multiple virtual networks.
Which two cmdlets should you run? Each correct answer presents part of the
solution.
✅
✅
New-AzNetworkSecurityRuleConfig
New-AzNetworkSecurityGroup
Add-AzNetworkInterfaceTapConfig
Add-AzLoadBalancerFrontendIpConfig
Explanation: New-AzNetworkSecurityRuleConfig allows you to create a rule and
provide the type, protocol, direction, and port number. New-AzNetworkSecurityGroup
creates a network security group (NSG). -SecurityRules specifies a list of network
security rule objects to create in a NSG.
New-AzNetworkSecurityRuleConfig (Az.Network) | Microsoft Learn
New-AzNetworkSecurityGroup (Az.Network) | Microsoft Learn
You plan to use the following two Azure Resource Manager (ARM) templates to
provision virtual machines:
Template.json
{
"$schema":
"https://schema.management.azure.com/schemas/2019-04-01/deploy
mentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"adminUsername": {
"type": "string",
"metadata": {
"description": "User name for the Virtual Machine."
},
"adminPassword": {
"type": "securestring",
"metadata": {
"description": "Password for the Virtual Machine."
},
"dnsLabelPrefix": {
"type": "string",
"defaultValue": "[concat('vm-',
uniqueString(resourceGroup().id))]",
"metadata": {
"description": "Unique DNS Name for the Public IP used

to access the Virtual Machine."
},
...
"apiVersion": "2019-12-01",
"type": "Microsoft.Compute/virtualMachines",
"name": "[variables('vmName')]",
"location": "[parameters('location')]",
"dependsOn": [
"[variables('storageAccountName')]",
"[variables('nicName')]"
],
"properties": {
"hardwareProfile": {
"vmSize": "[parameters('vmSize')]"
},
"osProfile": {
"computerName": "[variables('vmName')]",
"adminUsername": "[parameters('adminUsername')]",
"adminPassword": "[parameters('adminPassword')]"
},
...
Template.parameters.json
{
"$schema":
"https://schema.management.azure.com/schemas/2019-04-01/deploy
mentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"adminUsername": {
"value": ""
},
"adminPassword": {
...
Which two resources should you provision to ensure that the password can be
stored securely?
✅
✅
Azure Key Vault
Access Policy
an Azure Storage account
an Azure compliance policy
Explanation: You must create a new key vault, create the password from there, and
then specify the parameters. You must also create a Key Vault access policy to use
in the template.
ARM template documentation | Microsoft Learn
Deploy Azure infrastructure by using JSON ARM templates - Training | Microsoft
Learn
contains an Azure virtual machine named VM1.
You need to use VM1 as a template to create a new Azure virtual machine.
Which three methods can you use to complete the task? Each correct answer
presents a complete solution.
✅From RG1, select Export template, select Download, and then, from Azure Cloud
Shell, run the cmdlet.
✅From Azure Cloud Shell, run the
New-AzResourceGroupDeployment
and
Save-AzDeploymentTemplate
cmdlets.
✅From VM1, select Export template, and then select Deploy.
New-AzResourceGroupDeployment
From Azure Cloud Shell, run the Save-AzDeploymentScriptLog and

New-AzResourceGroupDeployment cmdlets.
From Azure Cloud Shell, run the Get-AzVM and New-AzVM cmdlets.
Explanation: From RG1, selecting the Download option from the Export template
page exports the Azure Resource Manager (ARM) template from the resource group
properties. You can then deploy the ARM template by running the
New-AzResourceGroupDeployment cmdlet.
By using the Save-AzDeploymentTemplate cmdlet, you can save the resource ARM
template. You can then deploy the ARM template by running the
New-AzResourceGroupDeployment cmdlet.
From VM1, selecting the Deploy option from the Export template page allows you to
deploy a new Azure virtual machine and use the configuration of VM1 as the
template.
The Save-AzDeploymentScriptLog cmdlet is used to save the log of a deployment
script execution.
The Get-AzVM cmdlet generates a list of virtual machines that are created in the
Azure subscription.
Export template in Azure portal - Azure Resource Manager | Microsoft Learn
Export template in Azure PowerShell - Azure Resource Manager | Microsoft Learn
Automate Azure tasks using scripts with PowerShell - Training | Microsoft Learn
You have an Azure Resource Manager (ARM) template named deploy.json that is
stored in an Azure Blob storage container.
You plan to deploy the template by running the New-AzDeployment cmdlet.
Which parameter should you use to reference the template?

-Tag
✅
-Templatefile
-TemplateUri
-TemplateSpecId
Explanation: The PowerShell deployment cmdlets can be used to deploy JSON
templates that are stored locally in a resources group as a template spec, or from a
web-based location. You can use the -TemplateUri parameter to specify a
web-based location, such as GitHub or an Azure Blob Storage account. You can use
-Templatefile to specify a local file. You can use -TemplateSpecId to specify a
template that was save to Azure as a template spec.
Deploy resources with PowerShell and template - Azure Resource Manager |
Microsoft Learn
Deploy Azure infrastructure by using JSON ARM templates - Training | Microsoft
Learn
Next
Your company has a set of resources deployed to an Azure subscription. The

resources are deployed to a resource group named app-grp1 by using Azure
Resource Manager (ARM) templates.
You need to verify the date and the time that the resources in app-grp1 were created.
Which blade should you review for app-grp1 in the Azure portal?
✅
Metrics
Deployments
Policy
Diagnostics setting
Explanation: Navigating to the Diagnostics settings blade provides the ability to
diagnose errors or review warnings. Navigating to the Metrics blade provides metrics
information (CPU, resources) to users. On the Deployments blade for the resource
group (app-grp1), all the details related to a deployment, such as the name, status,
date last modified, and duration, are visible. Navigating to the Policy blade only
provides information related to the policies enforced on the resource group.
Azure AD deployment checklist - Microsoft Entra | Microsoft Learn
Configure Azure resources with tools - Training | Microsoft Learn
You have an Azure virtual network that contains two subnets named Subnet1 and
Subnet2. You have a virtual machine named VM1 that is connected to Subnet1. VM1
runs Windows Server.
You need to ensure that VM1 is connected directly to both subnets.
What should you do first?

✅
From the Azure portal, create an IP group.
From the Azure portal, add a network interface.
Sign in to Windows Server and create a network bridge.
From the Azure portal, modify the IP configurations of an existing network interface.
Explanation: A network interface is used to connect a virtual machine to a subnet.
Since VM1 is connected to Subnet1, VM1 already has a network interface attached
that is connected to Subnet1. To connect VM1 directly to Subnet2, you must create a
new network interface that is connected to Subnet2. Next, you must attach the new
network interface to VM1.
An IP group is a user-defined collection of static IP addresses, ranges, and subnets.
A network bridge allows you to connect multiple existing network connection in
Windows together. Changing the IP configurations of the existing network interface
results in VM1 being connected to Subnet2 but not to Subnet1.
Virtual networks and virtual machines in Azure | Microsoft Learn
Configure virtual networks - Training | Microsoft Learn
You have an Azure subscription that contains an Azure Storage account named
vmstorageaccount1.
You create an Azure container instance named container1.
You need to configure persistent storage for container1.
What should you create in vmstorageaccount1?

a queue
a table
✅
a blob container
a file share
explanation:An Azure container instance (Docker container) can mount Azure File
Storage shares as directories and use them as persistent storage. An Azure
container instance cannot mount and use as persistent storage blob containers,
queues and tables.
Persistent Docker volumes with Azure File Storage | Azure Blog and Updates |
Microsoft Azure
Configure Azure Container Instances - Training | Microsoft Learn
Your development team plans to deploy an Azure container instance. The container
needs a persistent storage layer.
Which service should you use?

✅
Azure Blob storage
Azure Files
Azure Queue Storage
Explanation: You can persist data for Azure Container Instances with the use of
Azure Files. Azure Files offers fully managed file shares hosted in Azure Storage
that are accessible via the industry standard Server Message Block (SMB) protocol.
Mount Azure Files volume to container group - Azure Container Instances | Microsoft
Learn
Explore Azure Storage services - Training | Microsoft Learn
You have an Azure subscription that contains a Docker container image named
container1.
You create a new Azure web app named WebApp1.
You need to ensure that you can use container1 for WebApp1.
Which WebApp1 setting should you configure?
✅
Publish
Runtime stack
Pricing plan
Continuous deployment
Explanation: If you want to run a Docker container as an Azure web service, you must
configure the Publish option and select Docker container.
Runtime stack specifies the stack that you want to use for the web app. If you want
to deploy a Docker container as web app, the runtime stack option is unavailable.
Pricing plan specifies the location, features, and costs of the web app.
Continuous deployment is a strategy for software releases. This option is unavailable
when you publish a Docker container as an Azure web app.
Overview - Azure App Service | Microsoft Learn
Configure Azure Container Instances - Training | Microsoft Learn
You have an Azure subscription that contains multiple resource groups and Azure
App Service web apps. A resource group named RG1 hosts a web app named
appservice1. The App Service uses an imported SSL certificate.
You create a resource group named RG2.
You plan to move all the resources in RG1 to RG2.
solution.
✅
✅
Delete the SSL Certificate from RG1 and upload it to RG2.
Move all the resources from RG1 to RG2.
Create a new App Service plan in RG2.
Create a new web app in RG2.
Explanation: The SSL certificate must be deleted. You cannot move the load balancer
and it must be removed before you move the resources. You will have to move all
other resources to RG2.
Move Azure App Service resources across resource groups or subscriptions - Azure
Resource Manager | Microsoft Learn
Configure Azure App Service - Training | Microsoft Learn
You have a Basic Azure App Service plan that contains a web app.
You need to ensure that the web app can scale automatically when the CPU
percentage goes beyond 80 percent for a duration of 15 minutes.
solution.
✅
Scale up the App Service plan.
Configure a deployment slot.
✅
Scale out the App Service plan.
Configure a scaling condition to scale based on a metric, and then add the rules.
Configure a scaling condition to scale based on an instance count, and then set the
instance count.
Explanation: Scale up the web app by adding more CPU, memory, and disk space to
fulfill the requirement. Increase the number of virtual machine instances that run the
app. The scale settings take only seconds to apply and affect all the apps in the App
Service plan. Then, you must set up a scaling condition with the required metrics to
scale up/down and scale out/in when certain thresholds are met.
Scale up features and capacities - Azure App Service | Microsoft Learn
Configure Azure App Service - Training | Microsoft Learn
You need to create an Azure App Service web app that runs on Windows. The web
app requires scaling to five instances, 45 GB of storage, and a custom domain
name. The solution must minimize costs.
Which App Service plan should you use?

Free
✅
Basic
Standard
Premium
Ans: The Standard service plan can host unlimited web apps, up to 50 GB of disk
space, and up to 10 instances. The plan will cost approximately $0.10/hour. The
Free plan only offers 1 GB of disk size and 0 instances to host the app. The
Premium plan offers 250 GB of disk space and up to 30 instances and will cost
approximately $0.20/hour. The Basic plan offers 10 GB of disk space and up to three
virtual machines.
App Service Pricing | Microsoft Azure
Configure Azure App Service plans - Training | Microsoft Learn
You have an Azure virtual network named VNet1.
You deploy an Azure App Service web app named WebApp1.
You need to ensure that you can access WebApp1 by using an IP address from
VNet1.
What should you do?

Add a peering to VNet1.
Deploy Azure Bastion to VNet1.
✅
Add VNet integration to WebApp1.
Add a private endpoint connection to WebApp1.
Expl: A private endpoint connection will expose a web app on a virtual network and
provide the web app with an IP address on the virtual network. The web app can
then be accessed through the virtual network instead of using the public endpoint.
VNet integration provides web app outbound access to a virtual network. Azure
Bastion provides administrative RDP/SSH access to virtual machines through the
Azure portal. Peering provides connections between virtual networks.
Connect privately to an Azure Web App using Private Endpoint | Microsoft Learn
Host a web application with Azure App Service - Training | Microsoft Learn
You have an Azure AD tenant that uses Azure AD Connect to sync with an Active
Directory Domain Services (AD DS) domain.
You need to ensure that users can reset their AD DS password from the Azure
portal. The users must be able to use two methods to reset their password.
solution.
✅
✅
Run Azure AD Connect and select Password writeback.
From Password reset in the Azure portal, configure the Authentication methods
settings.
From Password reset in the Azure portal, configure the Notifications settings.
From Password reset in the Azure portal, configure the Registration settings.
Run Azure AD Connect and select Device writeback.
Exp: You must run the Azure AD Connect Wizard to enable Password writeback. You
must configure the authentication option to enable the two methods required to reset
a password.
Enable Azure Active Directory password writeback - Microsoft Entra | Microsoft
Learn
Implement Azure AD self-service password reset - Training | Microsoft Learn
You have an Azure AD tenant.
Your company has several offices in the same region. Each office has a dedicated IT
staff.
You need to ensure that the IT staff in each office can manage passwords for their
users and administrators.
solution.
✅
✅
From the Azure portal, add administrative units.
Assign the Helpdesk administrator role.
Assign the Password administrator role.
From the Azure portal, create a new custom role.
Exp: You must create an administrative unit and the Helpdesk role assignment allows
members to change password for both users and other administrators.
Administrative units in Azure Active Directory - Microsoft Entra | Microsoft Learn
Configure user and group accounts - Training | Microsoft Learn
From PowerShell, you run the Get-MgUser cmdlet for a user and receive the following
details:
● Id: 8755b347-3545-3876-3987-999999999999
● DisplayName: Ben Smith
● Mail: [email protected]
● UserPrincipalName: bsmith_contoso.com#EXT#@fabrikam.com
Which statement accurately describes the user?

The user was deleted.
✅
The user account was disabled.
The user was a guest in the tenant.
The user was assigned an administrative role.
Exp: For guest users, the user principal name (UPN) will contain the email of the
guest user (bsmith_contoso.com) followed by #EXT# followed by the domain name
of the tenant (@fabrikam.com). Regular Azure AD users appear in a format of
[email protected].
B2B collaboration overview - Azure AD - Microsoft Entra | Microsoft Learn
Create Azure users and groups in Azure Active Directory - Training | Microsoft Learn
You plan to create 100 new users by using the Bulk create users operation in the
Azure Active Directory admin center.
You need to create a CSV file that contains the user information.
Which attributes should you specify in the CSV file for each user?
displayName, givenName, surname, and department
givenName, surname, usageLocation, and department
userPrincipalName, givenName, usageLocation, and country
✅ displayName, userPrincipalName, passwordProfile, and accountEnabled
Explanation: When you use the Bulk create users operation, you must specify four
things: the display name, the UPN, the initial password, and whether the account is
enabled or disabled. All other fields are optional.
Bulk create users in the Azure Active Directory portal - Microsoft Entra | Microsoft
Learn
Configure user and group accounts - Training | Microsoft Learn
Your Azure AD tenant and on-premises Active Directory domain contain multiple
users.
You need to configure self-service password reset (SSPR) password writeback

functionality. The solution must minimize costs.
Which Azure AD edition should you use?

✅
Azure AD Free
Azure AD Premium P1
Azure AD Premium P2
Ans: Only Azure AD Premium P1 and P2 support SSPR, but Azure AD Premium P1
is the lower cost option.
Enable Azure Active Directory self-service password reset - Microsoft Entra |
Microsoft Learn
What is self-service password reset in Azure Active Directory? - Training | Microsoft
Learn
You have an Azure subscription that contains multiple users and administrators.
You are creating a new custom role by using the following JSON.
{
"Name": "Custom Role",
"Id": null,
"IsCustom": true,
"Description": "Custom Role description",
"Actions": [
"Microsoft.Compute/*/read",
“Microsoft.Compute/snapshots/write”,
“Microsoft.Compute/snapshots/read”,
"Microsoft.Support/*"
],
"NotActions": [
“Microsoft.Compute/snapshots/delete”
],
"AssignableScopes": [
"/subscriptions/00000000-0000-0000-0000-000000000000",
"/subscriptions/11111111-1111-1111-1111-111111111111"
}
Which three actions can be performed by a user that is assigned the custom role?
Each correct answer presents a complete solution.
✅
✅
Read all virtual machine settings.
✅
Call Microsoft Support.
Create and read a snapshot.
Create and delete a snapshot.
Create virtual machines.
Exp: The role can read all compute resources, call Microsoft support roles, and allow
the creation and reading of a snapshot.
Azure custom roles - Azure RBAC | Microsoft Learn
Configure role-based access control - Training | Microsoft Learn
An administrator manages access to resources at the resource group level. The

assignment process is automated by running the following PowerShell script nightly.
$rg = "RG1"
$RoleName = "CustomRole1"
$Role = Get-AzRoleDefinition -Name $RoleName
New-AzRoleAssignment -SignInName [email protected] `
-RoleDefinitionName $Role.Name `
-ResourceGroupName $rg
User1 is unable to access the RG1 resource group. You discover that the script fails
to complete for new users.
You run Get-AzRoleDefinition | Format-Table -Property Name, Id and receive the

following information:
Name: Custom Role 1, ID: 111-222-333
Name: Owner, ID: 222-333-444
Name: Contributor, ID: 333-444-555
Name: Reader, ID: 666-777-888
You need to modify the script to ensure that it does not fail in the future.
What should you change in the script?

✅$RoleName = "111-222-333"
$Role = Get-AzRoleAssignment -Name $RoleName
$Role = Add-AzRoleDefinition -Name $RoleName
$Role = Set-AzRoleAssignment -Name $RoleName
Exp: You should use the ID of the role in case the role name was changed to prevent
such a change from breaking the script.
Assign Azure roles using Azure PowerShell - Azure RBAC | Microsoft Learn
Configure role-based access control - Training | Microsoft Learn
contains a virtual machine named VM1 connected to a virtual network named
Network1.
A user named Admin1 must be able to change the settings of Network1.
You need to use PowerShell to assign Admin1 the appropriate role and permissions.
Which two PowerShell statements should you use to complete the task? Each
correct answer presents part of the solution.
✅
$User = Get-AzADServicePrinciple -DisplayName admin1
New-AzRoleAssignment -ObjectId $User.id ` -RoleDefinitionName "Network
Contributor" ` -ResourceName Network1 ` -ResourceType
Microsoft.Network/virtualNetworks ` -ResourceGroupName RG1
New-AzRoleAssignment -ObjectId $User.id ` -RoleDefinitionName "Virtual
✅
Machine Contributor" ` -ResourceGroupName RG1
$User = Get-AzADUser -DisplayName admin1
Exp: Before assigning an RBAC role to a user, you must use the Get-AzADUser
cmdlet to obtain the ID of the user. The New-AzRoleAssignment cmdlet can be used
to assign an RBAC role to any resource. If you assign the Virtual Machine
Contributor role to RG1, it will only allow changes to the virtual machine, it will not
allow Admin1 to manage the virtual network. To modify network settings, you must
assign the Network Contributor role.
Assign Azure roles using Azure PowerShell - Azure RBAC | Microsoft Learn
You have several management groups and Azure subscriptions.
You want to prevent the accidental deletion of resources.
To which three resource types can you apply delete locks? Each correct answer
✅
subscriptions
✅
storage account data
virtual machines
management groups
✅resource groups
Exp: You can use delete locks to block the deletion of virtual machines, subscriptions,
and resource groups. You cannot use delete locks on management groups or
storage account data.
Protect your Azure resources with a lock - Azure Resource Manager | Microsoft
Learn
Use Azure Resource Manager - Training | Microsoft Learn
You plan to create an Azure Policy definition named Policy1.
You need to include remediation information to indicate when users use Microsoft
Defender for Cloud Regulatory and Compliance.
To which definition section should you add remediation information for Policy1?
✅
metadata
parameters
policyRule
mode
Exp: You must use the RemediationDescription field in the metadata section from
properties to specify a custom recommendation. The remaining options are Azure
policies, but do not allow specific custom remediation information.
Create custom Azure security policies in Microsoft Defender for Cloud | Microsoft
Learn
Configure Azure Policy - Training | Microsoft Learn
You have a Log Analytics workspace that collects data from various data sources.
You create a new Azure Monitor log query.
You plan to view data pinned as a chart to a shared dashboard.
What is the maximum number of days for which data can be pinned as a chart on the
dashboard?
✅
14
30
90
180
Exp: Data pinned on a shared dashboard can only be displayed for a maximum of 14
days.
Azure Monitor workbook chart visualizations - Azure Monitor | Microsoft Learn
Configure Azure Monitor - Training | Microsoft Learn
You need to create Azure alerts based on metric values and activity log events.
The solution must meet the following requirements:
● Set a limit on how many times an alert notification is sent.

● Call an Azure function when an alert is triggered.
● Configure the alert to have a severity of warning when triggered.
Which two resources should you create? Each correct answer presents part of the
solution.
✅
a notification
an action group
✅
a secure webhook
an alert rule
Exp: You must create an action group to set up an action and create an alert rule to
set the severity of the errors. A notification is only used to send email and you do not
need to call a webhook.
Manage action groups in the Azure portal - Azure Monitor | Microsoft Learn
Configure Azure alerts - Training | Microsoft Learn
You have an Azure virtual machine that hosts a third-party application named App1.
Users report that they experience performance issues when they use the application.
You need to find the root cause of the performance issue.
✅
Azure Monitor
activity logs
Azure Advisor
Azure Cost
Exp: Azure Monitor stores metrics in a time-series database that is optimized for
analyzing time-stamped data. Activity logs detect and address issues before users
notice them proactivity. Azure Advisor analyzes configuration and usage metrics but
does not provide time-lapsed data. Azure Cost only helps to optimize and reduce
overall Azure spending.
Overview of Azure Monitor Alerts - Azure Monitor | Microsoft Learn
You have a Kusto query that returns 1,000 events from the SecurityEvent table in
Azure Monitor.
You need to configure the query to aggregate the results by the Account column.
Which operator should you use?

extend
✅
project
summarize
where
Exp: Summarize is used to group records from one or more columns of data. Where
is used to filter the rows. Project is used to rename and select columns. Extend is
used to add columns.
Get started with log queries in Azure Monitor - Azure Monitor | Microsoft Learn
You have an Azure virtual machine named VM1 that is protected by using Azure site
recovery.
You fail over VM1 from the primary region to the secondary region.
You need to reprotect VM1 after the failover so that VM1 will replicate back to the
primary region.
What is the VM1 status before the reprotection?

Starting failover
Committing failover
✅
Failover confirmed
Failover committed
Exp: Before you begin, you must ensure that the virtual machine status is Failover
committed. This will ensure replication back to the primary region.
Tutorial to fail over Azure VMs to a secondary region for disaster recovery with Azure
Site Recovery. - Azure Site Recovery | Microsoft Learn
Configure file and folder backups - Training | Microsoft Learn
You have an Azure virtual machine that you back up by using Azure Backup.
The backup policy sub type is Standard, and the backup policy has the following
configurations:
● Backup schedule frequency: Weekly

● Retain instant recovery snapshot(s) for: 5 days
● Retention of weekly backup point: On Sunday at 8:00 AM for 12 weeks
You plan to reduce the amount of storage used by Instant Restore.
You need to instance recovery snapshots to be retained for only two days.

Provision an additional blob storage container.
✅
Change Policy sub type to Enhanced.
Change the backup schedule frequency to Daily.
Change Retention of weekly backup point to 1 week.
Exp: You can choose to store between one and five instant recovery snapshots and
the default value is two. However, when the backup schedule frequency is weekly,
you must retain five instant recovery snapshots.
Azure Instant Restore Capability - Azure Backup | Microsoft Learn
Configure file and folder backups - Training | Microsoft Learn
You need to create an Azure Storage account that supports the Azure Data Lake
Storage Gen2 capabilities.
Which two types of storage accounts can you use? Each correct answer presents a
complete solution.
✅
premium block blobs
premium file shares
✅
premium page blobs
standard general-purpose v2
Exp: To support Data Lake Storage, the storage account must support blob storage,
which is available as standard general-purpose v2 and premium block blobs.
Additionally, when you create the storage account, you must enable the hierarchical
namespace.
Create a storage account for Azure Data Lake Storage Gen2 - Azure Storage |
Microsoft Learn
Determine storage account types - Training | Microsoft Learn
You have an Azure Storage account named corpimages and an on-premises shared
folder named \\server1\images.
You need to migrate all the contents from \\server1\images to corpimages.
Which two commands can you use? Each correct answer presents a complete
solution?
✅Azcopy copy \\server1\images
https://corpimages.blog.core.windows.net/public -recursive
Azcopy sync \\server1\images https://corpimages.blog.core.windows.net/public
-recursive
Set-AzStorageBlobContent -Container "ContosoUpload" -File "\\server1\images"
✅
-Blob " corporateimages "
Get-ChildItem -Path \\server1\images -Recurse | Set-AzStorageBlobContent
-Container " corpimages"
Exp: The AzCopy command allows you to copy all files to a storage account. You
then use Get-ChildItem with the path parameter, recurse to select everything, and
then use the Set-AzureStorageBlobContent cmdlet.
Copy or move data to Azure Storage by using AzCopy v10 | Microsoft Learn
Set-AzureStorageBlobContent (Azure.Storage) | Microsoft Learn
Configure Azure Storage with tools - Training | Microsoft Learn
You have an Azure Storage account.
You need to copy data to the storage account by using the AzCopy tool.
Which two types of data storage are supported by AzCopy? Each correct answer
✅
✅
blob
file
queue
table
Exp: You can provide authorization credentials by using Azure AD, or by using a
shared access signature (SAS) token. Both storage types, blob and file, are
supported in AzCopy.
Copy or move data to Azure Storage by using AzCopy v10 | Microsoft Learn
Configure Azure Storage with tools - Training | Microsoft Learn
You have an Azure Storage account named storageaccount1 with a blob container
named container1 that stores confidential information.
You need to ensure that content in container1 is not modified or deleted for six
months after the last modification date.
What should you configure?
✅
the immutability policy
a custom Azure role
lifecycle management
the change feed
Exp: A timed-based retention policy or legal hold policies can be applied to block
deletion. Immutability policies can be scoped to a blob version or to a container.
Overview of immutable storage for blob data - Azure Storage | Microsoft Learn
Configure Azure Blob Storage - Training | Microsoft Learn
You have an Azure subscription that contains multiple storage accounts.
A storage account named storage1 has a file share that stores marketing videos.
Users reported that 99 percent of the assigned storage is used.
You need to ensure that the file share can support large files and store up to 100 TiB.
Which two PowerShell commands should you run? Each correct answer presents
part of the solution.
✅Set-AzStorageAccount -ResourceGroupName RG1 -Name Storage1
✅Update-AzRmStorageShare -ResourceGroupName RG1 -Name -StorageAccountName
-EnableLargeFileShare
Storage1 -Name Share1 -QuotaGiB 102400

Set-AzStorageAccount -ResourceGroupName RG1 -Name Storage1
-Type "Standard_RAGRS"
New-AzRmStorageShare -ResourceGroupName RG1 -Name -StorageAccountName
Storage1 -Name Share1 -QuotaGiB 100GB
Exp: You must enable the storage account to support large files and update the
storage account quota to 102,400 GB. You do not need to change the type of
storage account, and you are updating the existing share.
Object replication overview - Azure Storage | Microsoft Learn
You create an Azure Storage account.
You need to create a lifecycle management rule to move blobs to Cool storage if the
blobs have not been used for 30 days.
✅
Enable access tracking.
Refresh the blob inventory.
Enable versioning for blobs.
Rotate the storage account keys.
Exp: A lifecycle management rule can be used to move or delete blobs automatically.
The rule can be based on the time the blob was last modified or the time the blob
was last accessed (read or write). To perform an action based on the access time,
access tracking must be enabled. This can incur additional storage costs.
Configure a lifecycle management policy - Azure Storage | Microsoft Learn
You have an Azure Storage account that contains a file share.
Several users work from a secure location that limits outbound traffic to the internet.
You need to ensure that the users at the secure location can access the file share in
Azure.
Which outbound port should you allow from the secure location?
80
✅
443
445
5671
Exp: For accessing the file share, port 445 must be open. Port 5671 is used to send
health information to Azure AD. It is recommended, but not required, in the latest
versions. Port 80 is used to download certificate revocation lists (CRLs) to verify
TLS/SSL certificates. Port 443 is used to sync with Azure AD.
Hybrid Identity required ports and protocols - Azure - Microsoft Entra | Microsoft
Learn
Configure Azure Storage security - Training | Microsoft Learn
You have an Azure Storage account named storage1.
You plan to store long-term backups in storage1. The solution must minimize costs.
Which storage tier should you use for the backups?
✅
Archive
Hot
Cold
Exp: Archive is an offline tier that is optimized for storing data that is rarely accessed
and has flexible latency requirements. Data in the Archive tier must be stored for a
minimum of 180 days.
Hot, cool, and archive access tiers for blob data - Azure Storage | Microsoft Learn
Assign blob access tiers - Training | Microsoft Learn
You have an Azure subscription and an on-premises Hyper-V virtual machine named
VM1. VM1 contains a single virtual disk.
You plan to use VM1 as a template to deploy 25 new Azure virtual machines.
You need to upload VM1 to Azure.
Which cmdlet should you run?

✅Add-AzVhd
New-AzVM
New-AzDisk
New-AzDataShare
Exp: Add-AzVhd: Uploads an on-premises VHD to Azure
New-AzVM: Used to create a new virtual machine
New-AzDisk: Used to create a managed disk
New-AzDataShare: Used to create an Azure data share
Create a VM from an uploaded generalized Windows VHD - Azure Virtual Machines |
Microsoft Learn
Upload a VHD to Azure or copy a disk across regions - Azure PowerShell - Azure
Virtual Machines | Microsoft Learn
Configure virtual machines - Training | Microsoft Learn
You have an Azure virtual machine that runs Linux. The virtual machine hosts a
custom application that outputs log data in the JSON format.
You need to recommend a solution to collect the logs in Azure Monitor.
What should you include in the recommendation?

the Azure VMAccess extension
the Custom Script Extension Version 2 extension
✅
the DSC extension for Linux
the Log Analytics agent for Linux
Exp: You can use the Log Analytics agent for Linux as part of a solution to collect
JSON output from the Linux virtual machines.
The Azure Custom Script Extension is used for post-deployment configuration,
software installation, or any other configuration or management task.
Desired State Configuration (DSC) is a management platform that you can use to
manage an IT and development infrastructure with configuration as code.
The Azure VMAccess extension acts as a KVM switch that allows you to access the
console to reset access to Linux or perform disk-level maintenance.
Collecting custom JSON data sources with the Log Analytics agent for Linux in
Azure Monitor - Azure Monitor | Microsoft Learn
You have 100 virtual machines deployed to Azure. You have Azure Monitor alerts
configured for CPU and memory utilization for the virtual machines.
You open Azure Monitor alerts and discover 50 closed alerts for the virtual machines.
What can cause the alert state to be Closed?

The alerts are older than 60 days.
✅
The conditions that caused the alerts are no longer present.
An administrator manually changed the state of the alerts.
The alert rule contains an action group that remediates the alert conditions.
Exp: The alert state is manually set by the user and does not have any automated
logic behind it. The alert state can be either New, Acknowledged, or Closed.
Manage Azure Monitor alerts - Training | Microsoft Learn
You have an Azure virtual machine named Server1 that runs Windows Server.
You need to configure Azure Backup to back up files and folders.
What should you install on Server1?
✅
the Microsoft Azure Recovery Services (MARS) agent
Microsoft Azure Site Recovery Provider
the Azure Connected Machine agent
Microsoft Azure Backup Server (MABS)
Exp: The Microsoft Azure Recovery Service (MARS) agent must be installed on the
servers. The MARS agent is mandatory to perform backup and recovery services for
any servers.
Manage the Azure recovery services agent - Training | Microsoft Learn
You have two Azure subscriptions named Sub1 and Sub2.
Sub1 contains a virtual network named VNet1 and a VPN gateway. Sub2 contains a
virtual network named VNet2.
You have an on-premises device named Device1 that runs Windows and has a
Point-to-Site (P2S) VPN client installed.
You configure network peering between VNet1 and VNet2.
You need to ensure that Device1 can access VNet2 when a VPN connection is
established.
What should you do?
✅
Download and reinstall the P2S VPN client on Device1.
Create a private endpoint in Sub2.
Deploy Azure Front Door to Sub2.
Run the New-SelfSignedCertificate cmdlet on Device1.
Exp: Point-to-Site (P2S) VPN clients must be downloaded and reinstalled again after
virtual network peering is successfully configured to ensure that the new routes are
downloaded to the client.
A private endpoint and Azure Front Door are not required nor used to be able to
access VNet2 from VNet1.
Device1 already has a digital certificate when you install the P2S VPN client, so you
do not need to create new certificate manually.
Create, change, or delete an Azure virtual network peering | Microsoft Learn
Configure virtual network peering - Training | Microsoft Learn
You have an Azure subscription that contains network security groups (NSGs).
Which two resources can be associated with a NSG? Each correct answer presents
a complete solution.
✅
✅
network interfaces
subnets
Azure Network Watcher
Azure Monitor
Exp: You can use a network security group (NSG) to be assigned to a network
interface. NSGs can be associated with subnets or individual virtual machine
instances within that subnet. When an NSG is associated with a subnet, the access
control list (ACL) rules apply to all virtual machine instances of that subnet.
You have an Azure subscription that contains a network security group (NSG) named
NSG1.
You plan to configure NSG1 to allow the following types of traffic:
● Remote Desktop Management

● Secured HTTPS
Which two ports should you allow in NSG1? Each correct answer presents part of
the solution.
80
✅443
25
✅3389
587
Exp: You must open port 443 to secured HTTPS traffic, port 3389 for Remote
Desktop, and 587 to send outbound email by using authenticated SMTP relay. Port
80 is used for unsecured traffic. Port 25 is used by mail traffic.
Protect your Azure resources with a lock - Azure Resource Manager | Microsoft
Learn
You have an Azure subscription that contains an ASP.NET application. The

application is hosted on four Azure virtual machines that run Windows Server 2022.
You have a load balancer named LB1 to load balances requests to the virtual
machines.
You need to ensure that site users connect to the same web server for all requests
made to the application.
solution.
✅
✅
Set Session persistence to Client IP.
Set Session persistence to Protocol.
Set Session persistence to None.
Configure an inbound NAT rule.
Exp: By setting Session persistence to Client IP and Protocol, you ensure that site
users connect to the same web server for all requests made to the application.
Setting Session persistence to None disables sticky sessions and an inbound NAT
rule is used to forward traffic from a load balancer frontend to a backend pool.
Azure Load Balancer distribution modes | Microsoft Learn
You have an Azure subscription that contains virtual machines, virtual networks,
application gateways, and load balancers.
You need to monitor the network health of the resources.
Which Azure service should you use?

Azure Resource Manager
✅Azure Network Watcher
network security groups (NSGs)
Azure Monitor
Exp: Azure Network Watcher provides tools to monitor, diagnose, view metrics, and
enable or disable logs for resources on an Azure virtual network. Azure Resource
Manager is the deployment and management service for Azure. Network security
groups (NSGs) are used only for security, not monitoring. Azure Monitor is used for
the HTTP Data Collector API to send log data to Log Analytics.
Azure Network Watcher | Microsoft Learn
Configure Network Watcher - Training | Microsoft Learn
You plan to create a storage account named storage1.
You need to ensure that storage1 provides POSIX-compliant access control lists
(ACLs).
Which option should you configure when creating storage1?
✅
hierarchical namespace
access tier
version-level immutable support
SFTP
Exp: AzureData Lake Storage Gen2 implements an access control
model that supports both Azure role-based access control (Azure
RBAC) and POSIX-like access control lists (ACLs).
To enable POSIX-compliant access control lists (ACLs), the hierarchical namespace
must be used. The remaining options are valid for a storage account, but do not
provide the POSIX-compliant feature.
Azure Data Lake Storage Gen2 Hierarchical Namespace | Microsoft Learn
Configure storage accounts - Training | Microsoft Learn
Your need to create an Azure Storage account that meets the following
requirements:
● Stores data in a minimum of two availability zones

● Provides high availability
Which type of storage redundancy should you use?

geo-redundant storage (GRS)
✅
read-access geo-redundant storage (RA-GRS)
zone-redundant storage (ZRS)
locally-redundant storage (LRS)
Exp: Zone-redundant storage (ZRS) replicates a storage account synchronously
across three Azure availability zones in the primary region. For ensuring high
availability, Microsoft recommends using ZRS in the primary region and also
replicating to a secondary region.
Data redundancy - Azure Storage | Microsoft Learn
Determine replication strategies - Training | Microsoft Learn
You have an Azure subscription that contains the following StorageV2 (general
purpose v2) storage accounts:
● store1 is a Premium account that uses geo-redundant storage (GRS)

redundancy.
● store2 is a Standard account that uses locally-redundant storage (LRS)
redundancy.
● store3 is a Premium account that uses read-access geo-redundant
storage (RA-GRS) redundancy.
● store4 is a Premium account that uses RA-GRS redundancy.
You need to identify which storage account can be converted to zone-redundant

replication (ZRS) for live migration.
Which storage account should you identify?

✅
store1
store2
store3
store4
Exp: Only zone-redundant replication (ZRS) supports StorageV2, FileStorage, and
BlockBlobStorage accounts. Live migration is not supported for read-access
geo-redundant storage (RA-GRS) and only standard storage accounts can be used.
Data redundancy - Azure Storage | Microsoft Learn
Determine replication strategies - Training | Microsoft Learn
You plan to create a storage account named storage1 to store images.
You need to replicate the images to a new storage account.

What are three requirements of storage1? Each correct answer presents part of a
complete solution.
✅
blob versioning
a container
a file share
queues
standard general-purpose v2
Exp: Versioning must be enabled for the source and target. An object type container
is needed to replicate the images. You must create a StandardV2 storage account.
File shares are not needed, and queues are unsupported for replication.
Object replication overview - Azure Storage | Microsoft Learn

AZ-104 Study Material

Uploaded by

Copyright:

Available Formats

AZ-104 Study Material

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

AZ-104 Study Material

Uploaded by

Copyright:

Available Formats

You have an Azure subscription.

What should you use?

What should you do?

You have an Azure virtual network named VNet1.

You create an Azure Private DNS zone named contoso.com.

What should you do?

● VNet1 has an IP address range of 192.168.0.0/24.

You need configure virtual network peering.

What should you use as the destination in the NSG?

NSG1 has the following outbound security rules:

You need to ensure that internet access to VM1 on port 80 is allowed.

What should you do?

You have the following subnets:

● Subnet1 is assigned to NSG1.

What should you use?

Which command should you run?

You need to forward all RDP requests to VM1 only.

What should you do?

● Remote Desktop Management

NSG1 will be used on the subnets of multiple virtual networks.

"description": "User name for the Virtual Machine."

"description": "Password for the Virtual Machine."

"description": "Unique DNS Name for the Public IP used

From Azure Cloud Shell, run the Save-AzDeploymentScriptLog and

You plan to deploy the template by running the New-AzDeployment cmdlet.

Which parameter should you use to reference the template?

Your company has a set of resources deployed to an Azure subscription. The

You need to ensure that VM1 is connected directly to both subnets.

What should you do first?

You create an Azure container instance named container1.

You need to configure persistent storage for container1.

What should you create in vmstorageaccount1?

Which service should you use?

You create a new Azure web app named WebApp1.

Which WebApp1 setting should you configure?

You create a resource group named RG2.

You plan to move all the resources in RG1 to RG2.

Which App Service plan should you use?

You have an Azure virtual network named VNet1.

You deploy an Azure App Service web app named WebApp1.

What should you do?

You have an Azure AD tenant.

You have an Azure subscription.

Which statement accurately describes the user?

You need to configure self-service password reset (SSPR) password writeback

Which Azure AD edition should you use?

"Name": "Custom Role",

"Description": "Custom Role description",

You have an Azure subscription.

An administrator manages access to resources at the resource group level. The

You run Get-AzRoleDefinition | Format-Table -Property Name, Id and receive the

Name: Custom Role 1, ID: 111-222-333

Name: Owner, ID: 222-333-444

Name: Contributor, ID: 333-444-555

Name: Reader, ID: 666-777-888

What should you change in the script?

A user named Admin1 must be able to change the settings of Network1.

You have several management groups and Azure subscriptions.

You want to prevent the accidental deletion of resources.