Lead2pass Dump1

Welcome to download the Newest 2passeasy AZ-104 dumps
https://www.2passeasy.com/dumps/AZ-104/ (413 New Questions)
Exam Questions AZ-104

Microsoft Azure Administrator
https://www.2passeasy.com/dumps/AZ-104/
Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

NEW QUESTION 1
- (Exam Topic 5)
Your network contains an on-premises Active Directory forest named contoso.com that contains two domains named contoso.com and east.contoso.com.
The forest contains the users shown in the following table.
You plan to sync east.contoso.com to an Azure Active Directory (Azure AD) tenant by using Azure AD Connect.
You need to select an account for Azure AD Connect to use to connect to the forest. Which account should you select?
A. User1
B. User2
C. User3
D. User4
Answer: D
Explanation:
It is no longer supported to use an enterprise admin or a domain admin account as the AD DS Connector account.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions
NEW QUESTION 2
- (Exam Topic 5)
You have an Azure subscription that contains a policy-based virtual network gateway named GW1 and a virtual network named VNet1.
You need to ensure that you can configure a point-to-site connection from an on-premises computer to VNet1. Which two actions should you perform? Each
correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Add a service endpoint to VNet1

B. Reset GW1
C. Create a route-based virtual network gateway
D. Add a connection to GW1
E. Delete GW1
F. Add a public IP address space to VNet1
Answer: CE
Explanation:
C: A VPN gateway is used when creating a VPN connection to your on-premises network.
Route-based VPN devices use any-to-any (wildcard) traffic selectors, and let routing/forwarding tables direct traffic to different IPsec tunnels. It is typically built on
router platforms where each IPsec tunnel is modeled as a network interface or VTI (virtual tunnel interface).
E: Policy-based VPN devices use the combinations of prefixes from both networks to define how traffic is encrypted/decrypted through IPsec tunnels. It is typically
built on firewall devices that perform packet filtering.
IPsec tunnel encryption and decryption are added to the packet filtering and processing engine. Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/create-routebased-vpn-gateway-portal https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-
connect-multiple-policybased-rm-ps
NEW QUESTION 3
- (Exam Topic 5)
You have an Azure subscription named Subscription1.
You have 5 TB of data that you need to transfer to Subscription1. You plan to use an Azure Import/Export job.
What can you use as the destination of the imported data?
A. an Azure Cosmos DB database

B. Azure File Storage
C. the Azure File Sync Storage Sync Service
D. Azure Data Factory
Answer: B
Explanation:
Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to an Azure datacenter.
The maximum size of an Azure Files Resource of a file share is 5 TB. References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-service
NEW QUESTION 4
- (Exam Topic 4)
You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:

User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com. You need to create new user accounts in
external.contoso.com.onmicrosoft.com.
Solution: You instruct User3 to create the user accounts.
A. Yes
B. No
Answer: B
Explanation:
Only a global administrator can add users to this tenant. References:
https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/add-users-to-azure-ad
NEW QUESTION 5
- (Exam Topic 4)
You have an Azure subscription that contains a resource group named Test RG. You use TestRG to validate an Azure deployment.
TestRG contains the following resources:
You need to delete TestRG. What should you do first?
A. Modify the backup configurations of VM1 and modify the resource lock type of VNET1.
B. Turn off VM1 and delete all data in Vault1.
C. Remove the resource lock from VNET1 and delete all data in Vault1.
D. Turn off VM1 and remove the resource lock from VNET1.
Answer: D
Explanation:
When you want to delete the resource, you first need to remove the lock.
References:
https://docs.microsoft.com/sv-se/azure/azure-resource-manager/management/lock-resources
NEW QUESTION 6
- (Exam Topic 4)
You have an Azure Active Directory (Azure AD) tenant named adatum.com that contains the users shown in the following table.
Adatum.com has the following configurations: Users may join devices to Azure AD is set to User1.
Additional local administrators on Azure AD joined devices is set to None.
You deploy Windows 10 to a computer named Computer. User1 joins Computer1 to adatum.com. You need to identify which users are added to the local
Administrators group on Computer1.
A. User1 only
B. User1, User2, and User3 only
C. User1 and User2 only
D. User1, User2, User3, and User4
E. User2 only
Answer: C
Explanation:
Users may join devices to Azure AD - This setting enables you to select the users who can register their devices as Azure AD joined devices. The default is All.
Additional local administrators on Azure AD joined devices - You can select the users that are granted local administrator rights on a device. Users added here are
added to the Device Administrators role in Azure AD. Global administrators, here User2, in Azure AD and device owners are granted local administrator rights by
default.
References:
https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal

NEW QUESTION 7
- (Exam Topic 4)
You have an Azure virtual machine named VM1.
You use Azure Backup to create a backup of VM1 named Backup1. After creating Backup1, you perform the following changes to VM1:
Modify the size of VM1.
Copy a file named Budget.xls to a folder named Data.
Reset the password for the built-in administrator account.
Add a data disk to VM1.
An administrator uses the Replace existing option to restore VM1 from Backup1. You need to ensure that all the changes to VM1 are restored.
Which change should you perform again?
A. Modify the size of VM1.

B. Add a data disk.
C. Reset the password for the built-in administrator account.
D. Copy Budget.xls to Data.
Answer: D
Explanation:
The scenario mentioned in the question, we are using the replace option. So in this case we would lose the existing data written to the disk after the backup was
taken. The file was copied to the disk after the backup was taken. Hence, we would need to copy the file once again.
References:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms#replace-existing-disks
NEW QUESTION 8
- (Exam Topic 4)
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the
stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions
will not appear in the review screen.
You have an Azure virtual machine named VM1 that runs Windows Server 2016.
You need to create an alert in Azure when more than two error events are logged to the System log on VM1 within an hour.
Solution: You create an Azure Log Analytics workspace and configure the data settings. You install the Microsoft Monitoring Agent on VM1. You create an alert in
Azure Monitor and specify the Log Analytics workspace as the source.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
Alerts in Azure Monitor can identify important information in your Log Analytics repository. They are created by alert rules that automatically run log searches at
regular intervals, and if results of the log search match particular criteria, then an alert record is created and it can be configured to perform an automated
response.
The Log Analytics agent collects monitoring data from the guest operating system and workloads of virtual machines in Azure, other cloud providers, and on-
premises. It collects data into a Log Analytics workspace.
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-response https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview
NEW QUESTION 9
- (Exam Topic 4)
You have a Microsoft 365 tenant and an Azure Active Directory (Azure AD) tenant named contoso.com. You plan to grant three users named User1, User2, and
User3 access to a temporary Microsoft SharePoint
document library named Library1.
You need to create groups for the users. The solution must ensure that the groups are deleted automatically after 180 days.
Which two groups should you create? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.
A. a Security group that uses the Assigned membership type

B. an Office 365 group that uses the Assigned membership type
C. an Office 365 group that uses the Dynamic User membership type
D. a Security group that uses the Dynamic User membership type
E. a Security group that uses the Dynamic Device membership type
Answer: BC
Explanation:
You can set expiration policy only for Office 365 groups in Azure Active Directory (Azure AD).
Note: With the increase in usage of Office 365 Groups, administrators and users need a way to clean up unused groups. Expiration policies can help remove
inactive groups from the system and make things cleaner.
When a group expires, all of its associated services (the mailbox, Planner, SharePoint site, etc.) are also deleted.
You can set up a rule for dynamic membership on security groups or Office 365 groups.
NEW QUESTION 10
- (Exam Topic 4)
You have an Azure subscription that contains an Azure Directory (Azure AD) tenant named contoso.com. The tenant is synced to the on-premises Active Directory
domain. The domain contains the users shown in the following table.

You enable self-service password reset (SSPR) for all users and configure SSPR to have the following authentication methods:
Number of methods required to reset: 2
Methods available to users: Mobile phone, Security questions
Number of questions required to register: 3
Number of questions required to reset: 3 You select the following security questions:
What is your favorite food?
In what city was your first job?
What was the name of your first pet?
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Box 1: No
Administrator accounts are special accounts with elevated permissions. To secure them, the following restrictions apply to changing passwords of administrators:
On-premises enterprise administrators or domain administrators cannot reset their password through
Self-service password reset (SSPR). They can only change their password in their on-premises environment. Thus, we recommend not syncing on-prem AD admin
accounts to Azure AD.
An administrator cannot use secret Questions & Answers as a method to reset password. Box 2: Yes
Self-service password reset (SSPR) is an Azure Active Directory feature that enables employees to reset their passwords without needing to contact IT staff.
Box 3: Yes References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment
NEW QUESTION 10
- (Exam Topic 4)
You have an Azure virtual machine named VM1 that runs Windows Server 2019. You sign in to VM1 as a user named User 1 and perform the following actions:
* Create files on drive C.
* Create files on drive 0.
* Modify the screen saver timeout.
* Change the desktop background. You plan to redeploy VM1.
Which changes will be lost after you redeploy VM1?
A. the modified screen saver timeout

B. the new desktop background
C. the new files on drive
D. The new files on drive C
Answer: D
NEW QUESTION 14
- (Exam Topic 4)
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription named Subscription1 that contains the resources shown in the following table.
VM1 connects to a virtual network named VNET2 by using a network interface named NIC1. You need to create a new network interface named NIC2 for VM1.
Solution: You create NIC2 in RG1 and West US. Does this meet the goal?
A. Yes
B. NO

Answer: A
Explanation:
The virtual machine you attach a network interface to and the virtual network you connect it to must exist in the same location, here West US, also referred to as a
region.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface
NEW QUESTION 19
- (Exam Topic 4)
A. Yes
B. No
Answer: A
Explanation:
NEW QUESTION 22
- (Exam Topic 4)
You have an Azure subscription that contains an Azure Availability Set named WEBPROD-AS-USE2 as shown in the following exhibit.
You add 14 virtual machines to WEBPROD-AS-USE2.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
A. Mastered
B. Not Mastered
Answer: A

Explanation:
Box 1: 2
There are 10 update domains. The 14 VMs are shared across the 10 update domains so four update domains will have two VMs and six update domains will have
one VM. Only one update domain is rebooted at a time.
Therefore, a maximum of two VMs will be offline. Box 2: 7
There are 2 fault domains. The 14 VMs are shared across the 2 fault domains, so 7 VMs in each fault domain. A rack failure will affect one fault domain so 7 VMs
will be offline.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/manage-availability
NEW QUESTION 24
- (Exam Topic 4)
You have an Azure Linux virtual machine that is protected by Azure Backup. One week ago, two files were deleted from the virtual machine.
You need to restore the deleted files to an on-premises computer as quickly as possible.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the
correct order.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
To restore files or folders from the recovery point, go to the virtual machine and choose the desired recovery point.
Step 0. In the virtual machine's menu, click Backup to open the Backup dashboard. Step 1. In the Backup dashboard menu, click File Recovery.
Step 2. From the Select recovery point drop-down menu, select the recovery point that holds the files you want. By default, the latest recovery point is already
selected.
Step 3: To download the software used to copy files from the recovery point, click Download Executable (for Windows Azure VM) or Download Script (for Linux
Azure VM, a python script is generated).
Step 4: Copy the files by using AzCopy
AzCopy is a command-line utility designed for copying data to/from Microsoft Azure Blob, File, and Table storage, using simple commands designed for optimal
performance. You can copy data between a file system and a storage account, or between storage accounts.
References:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy
NEW QUESTION 28
- (Exam Topic 4)
You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site connection uses a
self-signed certificate.
From Azure, you download and install the VPN client configuration package on a computer named Computer2.
You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2. Solution: You modify the Azure Active Directory (Azure AD)
authentication policies.
Does this meet this goal?
A. Yes
B. No
Answer: B
Explanation:
Instead export the client certificate from Computer1 and install the certificate on Computer2. Note:
Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the self-signed root
certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
NEW QUESTION 32
- (Exam Topic 4)
You have a sync group named Sync1 that has a cloud endpoint. The cloud endpoint includes a file named File1.txt.
You on-premises network contains servers that run Windows Server 2016. The servers are configured as shown in the following table.

You add Share1 as an endpoint for Sync1. One hour later, you add Share2 as an endpoint for Sync1. For each of the following statements, select Yes if the
statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Statement 1: Yes
If you add an Azure file share that has an existing set of files as a cloud endpoint to a sync group, the existing files are merged with any other files that are already
on other endpoints in the sync group.
Statement 2: No
Files present in any server endpoint will not be overwritten by the files present in cloud endpoint. Hence this statement is false.
If you add a server location with an existing set of files as a server endpoint to a sync group, those files will be merged with any other files already on other
endpoints in the sync group but not vice versa.
Statement 3: Yes
Azure File Sync has a simple architecture : cloud endpoints, which is the Azure File Sync service and server endpoints, which are the registered servers with the
service. On top of that, we have Sync Groups, which combine one cloud endpoint with one or more server endpoints. All members of this group will receive the
replicated data where the central location will be the cloud endpoint.
References:
https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-planning
http://techgenix.com/azure-file-sync-replicating-data/
NEW QUESTION 35
- (Exam Topic 4)
A. Yes
B. No
Answer: A
Explanation:
NEW QUESTION 38
- (Exam Topic 4)
You plan to deploy an Azure container instance by using the following Azure Resource Manager template.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the template.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Box 1: can connect to the container from any device
In the policy "osType": "window" refer that it will create a container in a container group that runs Windows but it won't block access depending on device type.
Box 2: the container will restart automatically
Docker provides restart policies to control whether your containers start automatically when they exit, or wh Docker restarts. Restart policies ensure that linked
containers are started in the correct order. Docker recommends that you use restart policies, and avoid using process managers to start containers.
on-failure : Restart the container if it exits due to an error, which manifests as a non-zero exit code. As the flag is mentioned as "on-failure" in the policy, so it will
restart automatically

Reference:
https://docs.microsoft.com/en-us/cli/azure/container?view=azure-cli-latest https://docs.docker.com/config/containers/start-containers-automatically/
NEW QUESTION 41
- (Exam Topic 4)
You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site connection uses a
self-signed certificate.
From Azure, you download and install the VPN client configuration package on a computer named Computer2.
You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2. Solution: On Computer2, you set the Startup type for the
IPSec Policy Agent service to Automatic. Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
Instead export the client certificate from Computer1 and install the certificate on Computer2.
Note: Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the self-signed
root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails.
References:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
NEW QUESTION 42
- (Exam Topic 4)
You have a virtual network named VNet1 that has the configuration shown in the following exhibit.
A. Mastered
B. Not Mastered

Answer: A
Explanation:
Box 1: add an address space
Your IaaS virtual machines (VMs) and PaaS role instances in a virtual network automatically receive a private IP address from a range that you specify, based on
the address space of the subnet they are connected to. We need to add the 192.168.1.0/24 address space.
Box 2: add a subnet
Address space is present but need to add subnet
References:
https://docs.microsoft.com/en-us/microsoft-365/solutions/cloud-architecture-models?view=o365-worldwide https://docs.microsoft.com/en-us/azure/virtual-
network/virtual-networks-static-private-ip-arm-pportal
NEW QUESTION 47
- (Exam Topic 4)
You have several Azure virtual machines on a virtual network named VNet1. You configure an Azure Storage account as shown in the following exhibit.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Box 1: never
For Subnet 10.2.9.0/24, endpoint (Refer to first endpoint) is not enabled into the storage account shown in th exhibit. Hence there would not be any connectivity to
the file shares in storage account. To establish this connection you must have to enable the endpoint.
Box 2: never
After you configure firewall and virtual network settings for your storage account, select Allow trusted Microsoft services to access this storage account as an
exception to enable Azure Backup service to access the network restricted storage account. As this required setting is missing , so Azure backup will not be able to
take backup of unmanaged disks.

Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-private-endpoints https://azure.microsoft.com/en-us/blog/azure-backup-now-supports-storage-
accounts-secured-with-azurestorage
NEW QUESTION 51
- (Exam Topic 4)
You have an Azure virtual machine named VM1.
The network interface for VM1 is configured as shown in the exhibit. (Click the Exhibit tab.)
You deploy a web server on VM1, and then create a secure website that is accessible by using the HTTPS protocol VM1 is used as a web server only.
You need to ensure that users can connect to the website from the Internet. What should you do?
A. Change the priority of Rule3 to 450.

B. Change the priority of Rule6 to 100
C. DeleteRule1.
D. Create a new inbound rule that allows TCP protocol 443 and configure the protocol to have a priority of 501.
E. For Rule5, change the Action to Allow and change the priority to 401
Answer: D
NEW QUESTION 54
- (Exam Topic 4)
You have Azure virtual machines that run Windows Server 2019 and are configured as shown in the following table.
You create a public Azure DNS zone named adatum.com and a private Azure DNS zone named contoso.com. For contoso.com, you create a virtual network link
named link1 as shown in the exhibit. (Click the Exhibit
tab.)

You discover that VM1 can resolve names in contoso.com but cannot resolve names in adatum.com. VM1 can resolve other hosts on the internet.
You need to ensure that VM1 can resolve host names in adatum.com. What should you do?
A. Update the DNS suffix on VM1 to be adatum.com.

B. Create an SRV record in the contoso.com zone.
C. Configure the name servers for adatum.com at the domain registrar.
D. Modify the Access control (IAM) settings for link1.
Answer: C
Explanation:
Adatum.com is a public DNS zone. The Internet top level domain DNS servers need to know which DNS servers to direct DNS queries for adatum.com to. You
configure this by configuring the name servers for adatum.com at the domain registrar.
ence:
https://docs.microsoft.com/en-us/azure/dns/dns-getstarted-portal
NEW QUESTION 56
- (Exam Topic 4)
You have an Azure Active Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named
Developers. Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Dev, you assign the Logic App Contributor role to the Developers group. Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
The Logic App Contributor role lets you manage logic app, but not access to them. It provides access to view, edit, and update a logic app.
References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app
NEW QUESTION 57
- (Exam Topic 4)
You create an Azure subscription named Subscription1 and an associated Azure Active Directory (Azure AD) tenant named Tenant1. Tenant1 contains the users
in the following table.
You need to add an Azure AD Privileged Identity Management application to Tenant1. Which account can you use?
A. [email protected]
B. [email protected]
C. [email protected]
D. [email protected]
Answer: B

Explanation:
Admin2 is not Global Administrator, so this option is incorrect. [email protected] : Incorrect Choice
Although this user is Global Administrator but referring to the least privileges principal and default domain consideration this option is incorrect.
References:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-getting-started https://docs.microsoft.com/en-us/azure/active-directory-
domain-services/tutorial-create-instance
NEW QUESTION 58
- (Exam Topic 4)
You have an azure subscription named Subscription that contains the resource groups shown in the following table.
In RG1, you create a virtual machine named VM1 in the East Asia location. You plan to create a virtual network named VNET1.
You need to create VNET, and then connect VM1 to VNET1.
What are two possible ways to achieve this goal? Each correct answer presents a complete a solution. NOTE: Each correct selection is worth one point.
A. Create VNET1 in RG2, and then set East Asia as the location.
B. Create VNET1 in a new resource group in the West US location, and then set West US as the location.
C. Create VNET1 in RG1, and then set East Asia as the location
D. Create VNET1 in RG1, and then set East US as the location.
E. Create VNET1 in RG2, and then set East US as the location.
Answer: AC
Explanation:
A network interface can exist in the same, or different resource group, than the virtual machine you attach it to, or the virtual network you connect it to.
The virtual machine you attach a network interface to and the virtual network you connect it to must exist in the same location, also referred to as a region.
Note, Resource groups can span multiple Regions, but VNets only can hold resources (VMs, Network Adapters) that exists in the same region.
So in this scenario, you need to create VNET1 in any RG and set location as East Asia. Reference:
NEW QUESTION 62
- (Exam Topic 4)
You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com and an Azure Kubernetes Service (AKS) cluster
named AKS1.
An administrator reports that she is unable to grant access to AKS1 to the users in contoso.com. You need to ensure that access to AKS1 can be granted to the
contoso.com users.
What should you do first?
A. From contoso.com, modify the Organization relationships settings.

B. From contoso.com, create an OAuth 2.0 authorization endpoint.
C. Recreate AKS1.
D. From AKS1, create a namespace.
Answer: B
Explanation:
With Azure AD-integrated AKS clusters, you can grant users or groups access to Kubernetes resources within a namespace or across the cluster. To obtain a
kubectl configuration context, a user can run the az aks get-credentials command. When a user then interacts with the AKS cluster with kubectl, they're prompted
to sign in with their Azure AD credentials. This approach provides a single source for user account management and password credentials. The user can only
access the resources as defined by the cluster administrator.
Azure AD authentication is provided to AKS clusters with OpenID Connect. OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol. For more
information on OpenID Connect, see the Open ID connect documentation. From inside of the Kubernetes cluster, Webhook Token Authentication is used to verify
authentication tokens. Webhook token authentication is configured and managed as part of the AKS cluster.
Reference:
https://kubernetes.io/docs/reference/access-authn-authz/authentication/ https://docs.microsoft.com/en-us/azure/aks/concepts-identity
NEW QUESTION 67
- (Exam Topic 4)

You have an Active Directory domain named contoso.com that contains the objects shown in the following table.
The groups have the memberships shown in the following table.
OU1 and OU2 are synced to Azure Active Directory (Azure AD).
You modify the synchronization settings and remove OU1 from synchronization. You sync Active Directory and Azure AD.
Which objects are in Azure AD?
A. User4 and Group2 only

B. User2, Group1, User4, and Group2 only
C. User1, User2, Group1, User4, and Group2 only
D. User1, User2, User3, User4, Group1, and Group2
Answer: C
NEW QUESTION 69
- (Exam Topic 4)
You create an App Service plan named App1 and an Azure web app named webapp1. You discover that the option to create a staging slot is unavailable. You
need to create a staging slot for App1.
A. From webapp1, modify the Application settings.

B. From webapp1, add a custom domain.
C. From App1, scale up the App Service plan.
D. From App1, scale out the App Service plan.
Answer: C
Explanation:
Scale up: Get more CPU, memory, disk space, and extra features like dedicated virtual machines (VMs), custom domains and certificates, staging slots,
autoscaling, and more.
You scale up by changing the pricing tier of the App Service plan that your app belongs to. Reference:
https://docs.microsoft.com/en-us/azure/app-service/manage-scale-up
NEW QUESTION 74
- (Exam Topic 4)
You have an Azure subscription that contains an Azure Storage account named storage1 and the users shown in the following table.
You plan to monitor storage1 and to configure email notifications for the signals shown in the following table.
You need to identify the minimum number of alert rules and action groups required for the planned monitoring.
How many alert rules and action groups should you identify? To answer, select the appropriate options in the answer area.

A. Mastered
B. Not Mastered
Answer: A
Explanation:
Box 1 : 4
As there are 4 distinct set of resource types (Ingress, Egress, Delete storage account, Restore blob ranges), so you need 4 alert rules. In one alert rule you can't
specify different type of resources to monitor. So you need 4 alert rules.
Box 2 : 3
There are 3 distinct set of "Users to notify" as (User 1 and User 3), (User1 only), and (User1, User2, and User3). You can't set the action group based on existing
group (Group1 and Group2) as there is no specific group for User1 only. So you need to create 3 action group.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/action-groups
NEW QUESTION 76
- (Exam Topic 4)
You have an Azure subscription that contains an Azure Storage account.
You plan to copy an on-premises virtual machine image to a container named vmimages. You need to create the container for the planned image.
Which command should you run? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Box 1: make
Here the purpose is to 'create a container". So the correct command would be azcopy make. Box 2: blob
The requirement is for storing that image, it's not used to build AKS. So blob is correct option. Reference:
https://adamtheautomator.com/azcopy-copy-files/
NEW QUESTION 80
- (Exam Topic 4)
You have an Azure Migrate project that has the following assessment properties:
Target location: East US
Storage redundancy: Locally redundant
Comfort factor: 2.0
Performance history: 1 month
Percentile utilization: 95th
Pricing tier: Standard
Offer: Pay as you go
You discover the following two virtual machines:
A virtual machine named VM1 that runs Windows Server 2016 and has 10 CPU cores at 20 percent utilization
A virtual machine named VM2 that runs Windows Server 2012 and has four CPU cores at 50 percent utilization
How many CPU cores will Azure Migrate recommend for each virtual machine? To answer, select the appropriate options in the answer area.

A. Mastered
B. Not Mastered
Answer: A
Explanation:
The equation is: ‘core usage x comfort factor’. The comfort factor is 2.0.
So VM 1 is 10 cores at 20% utilization which equals 2 cores. Multiply that the comfort factor and you get 4 cores.
VM 2 is 4 cores at 50% utilization which equals 2 cores. Multiply that the comfort factor and you get 4 cores.
NEW QUESTION 85
- (Exam Topic 4)
You plan to use the Azure Import/Export service to copy files to a storage account.
Which two files should you create before you prepare the drives for the import job? Each correct answer presents part of the solution.
A. an XML manifest file

B. a driveset CSV file
C. a dataset CSV file
D. a PowerShell PS1 file
E. a JSON configuration file
Answer: BC
Explanation:
B: Modify the driveset.csv file in the root folder where the tool resides.
C: Modify the dataset.csv file in the root folder where the tool resides. Depending on whether you want to import a file or folder or both, add entries in the
dataset.csv file
References: https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-data-to-files
NEW QUESTION 90
- (Exam Topic 4)
You have Azure subscriptions named Subscription1 and Subscription2. Subscription1 has following resource groups:
RG1 includes a web app named App1 in the West Europe location. Subscription2 contains the following resource groups:

A. Mastered
B. Not Mastered
Answer: A
Explanation:
App1 present in RG1 and in RG1 there is no lock available. So you can move App1 to other resource groups, RG2, RG3, RG4.
Note:
App Service resources can only be moved from the resource group in which they were originally created. If an App Service resource is no longer in its original
resource group, move it back to its original resource group.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-limitations/app-service-mov
NEW QUESTION 94
- (Exam Topic 4)
N NO: 26 HOTSPOT
You plan to deploy five virtual machines to a virtual network subnet.
Each virtual machine will have a public IP address and a private IP address. Each virtual machine requires the same inbound and outbound security rules.
What is the minimum number of network interfaces and network security groups that you require? To answer, select the appropriate options in the answer area.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Box 1: 5
A public and a private IP address can be assigned to a single network interface. Box 2: 1
You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. The same network security group
can be associated to as many subnets and network interfaces as you choose.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface-addresses
NEW QUESTION 97
- (Exam Topic 4)
You have an Azure subscription named Subscription1.
You have 5 TB of data that you need to transfer to Subscription1. You plan to use an Azure Import/Export job.
What can you use as the destination of the imported data?
A. Azure Data Lake Store

B. a virtual machine
C. the Azure File Sync Storage Sync Service
D. Azure Blob storage
Answer: D
Explanation:
Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to an Azure datacenter.
The maximum size of an Azure Files Resource of a file share is 5 TB. Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-service
NEW QUESTION 101

- (Exam Topic 4)
You have an Azure subscription named Subscription1 that contains the resources shown in the following table.

VM1 connects to a virtual network named VNET2 by using a network interface named NIC1. You need to create a new network interface named NIC2 for VM1.
Solution: You create NIC2 in RG2 and Central US. Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
The virtual machine you attach a network interface to and the virtual network you connect it to must exist in the same location, here West US, also referred to as a
region.
References:
NEW QUESTION 103

- (Exam Topic 4)
You have an Azure Active Directory (Azure AD) tenant named contoso.com. Multi-factor authentication (MFA) is enabled for all users.
You need to provide users with the ability to bypass MFA for 10 days on devices to which they have successfully signed in by using MFA.
What should you do?
A. From the multi-factor authentication page, configure the users’ settings.

B. From Azure AD, create a conditional access policy.
C. From the multi-factor authentication page, configure the service settings.
D. From the MFA blade in Azure AD, configure the MFA Server settings.
Answer: C
Explanation:
Enable remember Multi-Factor Authentication
Sign in to the Azure portal.
On the left, select Azure Active Directory > Users.
Select Multi-Factor Authentication.
Under Multi-Factor Authentication, select service settings.
On the Service Settings page, manage remember multi-factor authentication, select the Allow users to remember multi-factor authentication on devices they
trust option.
Select Save.
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings
NEW QUESTION 106

- (Exam Topic 4)
You have an Azure subscription that contains the resources in the following table.
VM1 and VM2 are deployed from the same template and host line-of-business applications accessed by using Remote Desktop. You configure the network
security group (NSG) shown in the exhibit. (Click the Exhibit button.)

You need to prevent users of VM1 and VM2 from accessing websites on the Internet.
What should you do?
A. Associate the NSG to Subnet1.

B. Disassociate the NSG from a network interface.
C. Change the DenyWebSites outbound security rule.
D. Change the Port_80 inbound security rule.
Answer: A
Explanation:
You can associate or dissociate a network security group from a network interface or subnet.
The NSG has the appropriate rule to block users from accessing the Internet. We just need to associate it with Subnet1.
References: https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group
NEW QUESTION 108

- (Exam Topic 4)
You have an Azure Active Directory tenant named Contoso.com that includes following users:
Contoso.com includes following Windows 10 devices:
You create following security groups in Contoso.com:

A. Mastered
B. Not Mastered
Answer: A
Explanation:
Box 1: Yes
User1 is a Cloud Device Administrator. Device2 is Azure AD joined.
Group1 has the assigned to join type. User1 is the owner of Group1.
Note: Assigned groups - Manually add users or devices into a static group.
Azure AD joined or hybrid Azure AD joined devices utilize an organizational account in Azure AD Box 2: No
User2 is a User Administrator. Device1 is Azure AD registered.
Group1 has the assigned join type, and the owner is User1.
Note: Azure AD registered devices utilize an account managed by the end user, this account is either a Microsoft account or another locally managed credential.
Box 3: Yes
User2 is a User Administrator. Device2 is Azure AD joined.
Group2 has the Dynamic Device join type, and the owner is User2. References:
https://docs.microsoft.com/en-us/azure/active-directory/devices/overview
NEW QUESTION 111

- (Exam Topic 4)
You have an Azure subscription.
Users access the resources in the subscription from either home or from customer sites. From home, users must establish a point-to-site VPN to access the Azure
resources. The users on the customer sites access the Azure resources by using site-to-site VPNs.
You have a line-of-business app named App1 that runs on several Azure virtual machine. The virtual machines run Windows Server 2016.
You need to ensure that the connections to App1 are spread across all the virtual machines.
What are two possible Azure services that you can use? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.
A. a public load balancer

B. Traffic Manager
C. an Azure Content Delivery Network (CDN)
D. an internal load balancer
E. an Azure Application Gateway
Answer: DE
Explanation:
Line-of-business apps means custom apps. Generally these are used by internal staff members of the company. Azure Application Gateway is a web traffic load
balancer that enables you to manage traffic to your web applications.
Internal Load Balancer provides a higher level of availability and scale by spreading incoming requests across virtual machines (VMs) within the virtual network.
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview https://docs.microsoft.com/en-us/azure/application-gateway/overview
NEW QUESTION 116

- (Exam Topic 4)
Solution: On Dev, you assign the Contributor role to the Developers group. Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
The Contributor role can manage all resources (and add resources) in a Resource Group. Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
NEW QUESTION 118

- (Exam Topic 4)
You have an Azure subscription named Sub1.
You plan to deploy a multi-tiered application that will contain the tiers shown in the following table.

You need to recommend a networking solution to meet the following requirements:

Ensure that communication between the web servers and the business logic tier spreads equally across the virtual machines.
Protect the web servers from SQL injection attacks.
Which Azure resource should you recommend for each requirement? To answer, select the appropriate options in the answer area.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Box 1: an internal load balancer
Azure Internal Load Balancer (ILB) provides network load balancing between virtual machines that reside inside a cloud service or a virtual network with a regional
scope.
Box 2: an application gateway that uses the WAF tier
Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common exploits and
vulnerabilities. Web applications are increasingly targeted
by malicious attacks that exploit commonly known vulnerabilities. References:
https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview
NEW QUESTION 123

- (Exam Topic 3)
You need to recommend a solution for App1. The solution must meet the technical requirements. What should you include in the recommendation? To answer,
select the appropriate options in the answer area.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
This reference architecture shows how to deploy VMs and a virtual network configured for an N-tier application, using SQL Server on Windows for the data tier.

Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers: A SQL database
A web front end
A processing middle tier
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
Technical requirements include:
Move all the virtual machines for App1 to Azure.
Minimize the number of open ports between the App1 tiers.
References: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/n-tier/n-tier-sql-server
NEW QUESTION 127

- (Exam Topic 3)
You need to move the blueprint files to Azure.
What should you do?
A. Generate a shared access signature (SAS). Map a drive, and then copy the files by using File Explorer.
B. Use the Azure Import/Export service.
C. Generate an access ke
D. Map a drive, and then copy the files by using File Explorer.
E. Use Azure Storage Explorer to copy the files.
Answer: D
Explanation:
Azure Storage Explorer is a free tool from Microsoft that allows you to work with Azure Storage data on Windows, macOS, and Linux. You can use it to upload and
download data from Azure blob storage.
Scenario:
Planned Changes include: move the existing product blueprint files to Azure Blob storage. Technical Requirements include: Copy the blueprint files to Azure over
the Internet. References:
https://docs.microsoft.com/en-us/azure/machine-learning/team-data-science-process/move-data-to-azure-blob-us
NEW QUESTION 131

- (Exam Topic 3)
You need to identify the storage requirements for Contoso.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Statement 1: Yes
Contoso is moving the existing product blueprint files to Azure Blob storage which will ensure that the blueprint files are stored in the archive storage tier.
Use unmanaged standard storage for the hard disks of the virtual machines. We use Page Blobs for these. Statement 2: No
Azure Table storage stores large amounts of structured data. The service is a NoSQL datastore which accepts authenticated calls from inside and outside the
Azure cloud. Azure tables are ideal for storing structured,
non-relational data. Common uses of Table storage include:
* 1. Storing TBs of structured data capable of serving web scale applications
* 2. Storing datasets that don't require complex joins, foreign keys, or stored procedures and can be denormalized for fast access
* 3. Quickly querying data using a clustered index
* 4. Accessing data using the OData protocol and LINQ queries with WCF Data Service .NET Libraries Statement 3: No
File Storage can be used if your business use case needs to deal mostly with standard File extensions like

*.docx, *.png and *.bak then you should probably go with this storage option.
Reference:
https://docs.microsoft.com/en-us/azure/machine-learning/team-data-science-process/move-data-to-azure-blob-us https://docs.microsoft.com/en-
us/azure/storage/tables/table-storage-overview https://www.serverless360.com/blog/azure-blob-storage-vs-file-storage
NEW QUESTION 135

- (Exam Topic 3)
You need to configure the Device settings to meet the technical requirements and the user requirements.
Which two settings should you modify? To answer, select the appropriate settings in the answer area.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Box 1: Selected
Only selected users should be able to join devices
Box 2: Yes
Require Multi-Factor Auth to join devices. From scenario:
Ensure that only users who are part of a group named Pilot can join devices to Azure AD
Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
NEW QUESTION 138

- (Exam Topic 2)
You need to define a custom domain name for Azure AD to support the planned infrastructure. Which domain name should you use?
A. ad.humongousinsurance.com
B. humongousinsurance.onmicrosoft.com
C. humongousinsurance.local
D. humongousinsurance.com
Answer: D
Explanation:
Every Azure AD directory comes with an initial domain name in the form of domainname.onmicrosoft.com. The initial domain name cannot be changed or deleted,
but you can add your corporate domain name to Azure AD as well. For example, your organization probably has other domain names used to do business and
users who sign in using your corporate domain name. Adding custom domain names to Azure AD allows you to assign user names in the directory that are familiar
to your users, such as ‘[email protected].’ instead of 'alice@domain name.onmicrosoft.com'.
Scenario:
Network Infrastructure: Each office has a local data center that contains all the servers for that office. Each office has a dedicated connection to the Internet.

Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com Planned Azure AD Infrastructure: The on-premises Active
Directory domain will be synchronized to Azure
AD.
References:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain
NEW QUESTION 142

- (Exam Topic 2)
You need to resolve the Active Directory issue. What should you do?
A. From Active Directory Users and Computers, select the user accounts, and then modify the User Principal Name value.
B. Run idfix.exe, and then use the Edit action.
C. From Active Directory Domains and Trusts, modify the list of UPN suffixes.
D. From Azure AD Connect, modify the outbound synchronization rule.
Answer: B
Explanation:
IdFix is used to perform discovery and remediation of identity objects and their attributes in an on-premises Active Directory environment in preparation for
migration to Azure Active Directory. IdFix is intended for the Active Directory administrators responsible for directory synchronization with Azure Active Directory.
Scenario: Active Directory Issue
Several users in humongousinsurance.com have UPNs that contain special characters. You suspect that some of the characters are unsupported in Azure AD.
References: https://www.microsoft.com/en-us/download/details.aspx?id=36832
NEW QUESTION 147

- (Exam Topic 2)
You need to prepare the environment to ensure that the web administrators can deploy the web apps as quickly as possible.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the
correct order.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Scenario:
* 1. Web administrators will deploy Azure web apps for the marketing department.
* 2. Each web app will be added to a separate resource group.
* 3. The initial configuration of the web apps will be identical.
* 4. The web administrators have permission to deploy web apps to resource groups. Steps:
* 1 --> Create a resource group, and then deploy a web app to the resource group.
* 2 --> From the Automation script blade of the resource group , click Add to Library.
* 3 --> From the Templates service, select the template, and then share the template to the web administrators . References:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/quickstart-create-templates-use-the-p
NEW QUESTION 149

- (Exam Topic 2)
You are evaluating the connectivity between the virtual machines after the planned implementation of the Azure networking infrastructure.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.

A. Mastered
B. Not Mastered
Answer: A
Explanation:
Once the VNets are peered, all resources on one VNet can communicate with resources on the other peered VNets. You plan to enable peering between Paris-
VNet and AllOffices-VNet. Therefore VMs on Subnet1, which is on Paris-VNet and VMs on Subnet3, which is on AllOffices-VNet will be able to connect to each
other.
All Azure resources connected to a VNet have outbound connectivity to the Internet by default. Therefore VMs on ClientSubnet, which is on ClientResources-VNet
will have access to the Internet; and VMs on Subnet3 and Subnet4, which are on AllOffices-VNet will have access to the Internet.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview https://docs.microsoft.com/en-us/azure/networking/networking-
overview#internet-connectivity
NEW QUESTION 154

- (Exam Topic 2)
You need to resolve the licensing issue before you attempt to assign the license again. What should you do?
A. From the Groups blade, invite the user accounts to a new group.
B. From the Profile blade, modify the usage location.
C. From the Directory role blade, modify the directory role.
Answer: B
Explanation:
Scenario: Licensing Issue
* 1. You attempt to assign a license in Azure to several users and receive the following error message: "Licenses not assigned. License agreement failed for one
user."
* 2. You verify that the Azure subscription has the available licenses. Solution:
License cannot be assigned to a user without a usage location specified.
Some Microsoft services aren't available in all locations because of local laws and regulations. Before you can assign a license to a user, you must specify the
Usage location property for the user. You can specify the location under the User > Profile > Settings section in the Azure portal.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-groups-resolve-problems
NEW QUESTION 159

- (Exam Topic 2)
Which blade should you instruct the finance department auditors to use?
A. invoices
B. partner information
C. cost analysis
D. External services
Answer: C
Explanation:
Cost analysis: Correct Option
In cost analysis blade of Azure, you can see all the detail for custom time span. You can use this to determine expenditure of last few day, weeks, and month.
Below options are available in Cost analysis blade for filtering information by time span:
last 7 days, last 30 days, and custom date range. Choosing the first option (last 7 days) auditors can view the costs by time span.
Cost analysis shows data for the current month by default. Use the date selector to switch to common date ranges quickly. Examples include the last seven days,
the last month, the current year, or a custom date range. Pay-as-you-go subscriptions also include date ranges based on your billing period, which isn't bound to
the calendar month, like the current billing period or last invoice. Use the <PREVIOUS andNEXT>
links at the top of the menu to jump to the previous or next period, respectively. For example, <PREVIOUS
will switch from the Last 7 days to 8-14 days ago or 15-21 days ago.
Invoice: Incorrect Option

Invoices can only be used for past billing periods not for current billing period, i.e. if your requirement is to know the last week's cost then that also not filled by
invoices because Azure generates invoice at the end of the month. Even though Invoices have custom timespan, but when you put in dates for a week, the pane

would be empty. Below is from Microsoft document:
Resource Provider: Incorrect Option

When deploying resources, you frequently need to retrieve information about the resource providers and types. For example, if you want to store keys and secrets,
you work with the Microsoft.KeyVault resource provider. This resource provider offers a resource type called vaults for creating the key vault. This is not useful for
reviewing all Azure costs from the past week which is required for audit.
Payment method: Incorrect Option
Payment methods is not useful for reviewing all Azure costs from the past week which is required for audit.
Reference:
https://docs.microsoft.com/en-us/azure/cost-management-billing/costs/quick-acm-cost-analysis https://docs.microsoft.com/en-us/azure/cost-management-
billing/manage/download-azure-invoice-daily-usage-d
NEW QUESTION 163

- (Exam Topic 1)
You need to meet the connection requirements for the New York office.
What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Box 1: Create a virtual network gateway and a local network gateway.
Azure VPN gateway. The VPN gateway service enables you to connect the VNet to the on-premises network through a VPN appliance. For more information, see
Connect an on-premises network to a Microsoft Azure virtual network. The VPN gateway includes the following elements:
Virtual network gateway. A resource that provides a virtual VPN appliance for the VNet. It is responsible for routing traffic from the on-premises network to the
VNet.
Local network gateway. An abstraction of the on-premises VPN appliance. Network traffic from the cloud application to the on-premises network is routed
through this gateway.
Connection. The connection has properties that specify the connection type (IPSec) and the key shared with the on-premises VPN appliance to encrypt traffic.
Gateway subnet. The virtual network gateway is held in its own subnet, which is subject to various requirements, described in the Recommendations section
below.
Box 2: Configure a site-to-site VPN connection
On premises create a site-to-site connection for the virtual network gateway and the local network gateway.
Scenario: Connect the New York office to VNet1 over the Internet by using an encrypted connection.

NEW QUESTION 167

- (Exam Topic 5)
You have an Azure subscription named AZPT1 that contains the resources shown in the following table:
You create a new Azure subscription named AZPT2.

You need to identify which resources can be moved to AZPT2. Which resources should you identify?
A. VM1, storage1, VNET1, and VM1Managed only

B. VM1 and VM1Managed only
C. VM1, storage1, VNET1, VM1Managed, and RVAULT1
D. RVAULT1 only
Answer: C
Explanation:
You can move a VM and its associated resources to a different subscription by using the Azure portal.
You can now move an Azure Recovery Service (ASR) Vault to either a new resource group within the current subscription or to a new subscription.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-resource-group-and-subscrip https://docs.microsoft.com/en-us/azure/key-
vault/general/keyvault-move-subscription
NEW QUESTION 172

- (Exam Topic 5)
You have an Azure subscription that contains the Azure virtual machines shown in the following table.
You add inbound security rules to a network security group (NSG) named NSG1 as shown in the following table.
You run Azure Network Watcher as shown in the following exhibit.
You run Network Watcher again as shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Box 1: No
It limits traffic to VM2, but not VM1 traffic. Box 2: Yes
Yes, the destination is VM2. Box 3: No
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
NEW QUESTION 173

- (Exam Topic 5)
You have an Azure subscription that contains a virtual machine scale set. The scale set contains four instances that have the following configurations:
Operating system: Windows Server 2016
Size: Standard_D1_v2
You run the get-azvmss cmdlet as shown in the following exhibit:

A. Mastered
B. Not Mastered
Answer: A
Explanation:
he Get-AzVmssVM cmdlet gets the model view and instance view of a Virtual Machine Scale Set (VMSS) virtual machine.
Box 1: 0
The enableAutomaticUpdates parameter is set to false. To update existing VMs, you must do a manual upgrade of each existing VM.
Box 2: 1
Below is clearly mentioned in the official Website
"The upgrade orchestrator identifies the batch of VM instances to upgrade, with any one batch having a maximum of 20% of the total instance count, subject to a
minimum batch size of one virtual machine."
So, 20% from 4 ~1
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-upgrade-scale-set https://docs.microsoft.com/en-us/azure/virtual-
machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade
NEW QUESTION 176

- (Exam Topic 5)
You have an Azure Storage account named storage1. You plan to use AzCopy to copy data to storage1.
You need to identify the storage services in storage1 to which you can copy the data. What should you identify?
A. blob, file, table, and queue

B. blob and file only
C. file and table only
D. file only
E. blob, table, and queue only
Answer: B
Explanation:
AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage account. Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10
NEW QUESTION 179

- (Exam Topic 5)
You have an on-premises network that you plan to connect to Azure by using a site-to-site VPN.
In Azure, you have an Azure virtual network named VNet1 that uses an address space of 10.0.0.0/16. VNet1 contains a subnet named Subnet1 that uses an
address space of 10.0.0.0/24.

You need to create a site-to-site VPN to Azure.

Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the
correct order.
NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel.
This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it. For more information about VPN
gateways, see About VPN gateway.
* 1. Create a virtual network

You can create a VNet with the Resource Manager deployment model and the Azure portal
* 2. Create the gateway subnet :
The virtual network gateway uses specific subnet called the gateway subnet. The gateway subnet is part of the virtual network IP address range that you specify
when configuring your virtual network. It contains the IP addresses that the virtual network gateway resources and services use.
* 3. Create the VPN gateway :
You create the virtual network gateway for your VNet. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU.
* 4. Create the local network gateway:
The local network gateway typically refers to your on-premises location. You give the site a name by which Azure can refer to it, then specify the IP address of the
on-premises VPN device to which you will create a connection. You also specify the IP address prefixes that will be routed through the VPN gateway to the VPN
device. The address prefixes you specify are the prefixes located on your on-premises network. If your
on-premises network changes or you need to change the public IP address for the VPN device, you can easily update the values later.
* 5. Configure your VPN device:
Site-to-Site connections to an on-premises network require a VPN device. In this step, you configure your VPN device. When configuring your VPN device, you
need the following:
A shared key. This is the same shared key that you specify when creating your Site-to-Site VPN connection. In our examples, we use a basic shared key. We
recommend that you generate a more complex key to use.
The Public IP address of your virtual network gateway. You can view the public IP address by using the Azure portal, PowerShell, or CLI. To find the Public IP
address of your VPN gateway using the Azure portal, navigate to Virtual network gateways, then click the name of your gateway.
* 6. Create the VPN connection:
Create the Site-to-Site VPN connection between your virtual network gateway and your on-premises VPN device.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal
NEW QUESTION 181

- (Exam Topic 5)
You have an Azure subscription that contains a virtual network named VNet1. VNet1 uses an IP address space of 10.0.0.0/16 and contains the subnets in the
following table.
Subnet1 contains a virtual appliance named VM1 that operates as a router. You create a routing table named RT1.
You need to route all inbound traffic to VNet1 through VM1.
How should you configure RT1? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

A. Mastered
B. Not Mastered
Answer: A
Explanation:
Box1 : 10.0.0.0/16
Address prefix in networking refer to the destination IP address range. In this scenario, destination is Vnet1 , hence Address prefix will be the address space of
Vnet1.
Box 2 : Virtual appliance
Next hop gets the next hop type and IP address of a packet from a specific VM and NIC. Knowing the next hop helps you determine if traffic is being directed to the
intended destination, or whether the traffic is being sent nowhere
Next Hop --> VM1 --> Virtual Appliance (You can specify IP address of VM 1 when configuring next hop as virtual appliance)
Box 3 : GatewaySubnet
In the scenario it is asked for all the inbound traffic to Vnet1. Inbound traffic is flowing through SubnetGW. You need to route all inbound traffic from the VPN
gateway to VNet1 through VM1.So its traffic from Gateway subnet only.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/manage-route-table#create-a-route-table https://docs.microsoft.com/en-us/azure/network-watcher/network-
watcher-next-hop-overview
NEW QUESTION 182

- (Exam Topic 5)
You have an Azure subscription named Subscription1 that has the following providers registered:
Authorization
Automation
Resources
Compute
KeyVault
Network
Storage
Billing
Web
Subscription1 contains an Azure virtual machine named VM1 that has the following con figurations:
* Private IP address: 10.0.0.4 (dynamic)
* Network security group (NSG): NSG1
* Public IP address: None
* Availability set: AVSet
* Subnet: 10.0.0.0/24
* Managed disks: No
* Location: East US
You need to record all the successful and failed connection attempts to VM1.
Which three actions should you perform? Each correct answer presents part of the solution.
A. Register the Microsoft.Insights resource provider

B. Add an Azure Network Watcher connection monitor
C. Register the Microsoft.LogAnalytics provider
D. Enable Azure Network Watcher in the East US Azure region
E. Create an Azure Storage account
F. Enable Azure Network Watcher flow logs
Answer: CDE
Explanation:
NSG flow log data is written to an Azure Storage account. You need to create an Azure Storage account, With an Azure Storage account NSG flow logs can be
enabled.
Enable network watcher in the East US region.
NSG flow logging requires the Microsoft.Insights provider. References:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal
NEW QUESTION 184

- (Exam Topic 5)
Your company has three offices. The offices are located in Miami, Los Angeles, and New York. Each office contains a datacenter.
You have an Azure subscription that contains resources in the East US and West US Azure regions. Each region contains a virtual network. The virtual networks
are peered.
You need to connect the datacenters to the subscription. The solution must minimize network latency between the datacenters.

What should you create?
A. three virtual WANs and one virtual hub

B. three virtual hubs and one virtual WAN
C. three On-premises data gateways and one Azure Application Gateway
D. three Azure Application Gateways and one On-premises data gateway
Answer: A
Explanation:
Azure Virtual WAN is a networking service that brings many networking, security, and routing functionalities together to provide a single operational interface.
The Virtual WAN architecture is a hub and spoke architecture with scale and performance built in for branches (VPN/SD-WAN devices), users (Azure
VPN/OpenVPN/IKEv2 clients), ExpressRoute circuits, and virtual networks.
Azure regions serve as hubs that you can choose to connect to. All hubs are connected in full mesh in a Standard Virtual WAN making it easy for the user to use
the Microsoft backbone for any-to-any (any spoke) connectivity.
Virtual WAN offers the following advantages:

Integrated connectivity solutions in hub and spoke: Automate site-to-site configuration and connectivity between on-premises sites and an Azure hub.
Automated spoke setup and configuration: Connect your virtual networks and workloads to the Azure hub seamlessly.
Intuitive troubleshooting: You can see the end-to-end flow within Azure, and then use this information to take required actions.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about
NEW QUESTION 188

- (Exam Topic 5)
You have an Azure Active Directory (Azure AD) domain that contains 5,000 user accounts. You create a new user account named AdminUser1.
You need to assign the User administrator administrative role to AdminUser1. What should you do from the user account properties?
A. From the Directory role blade, modify the directory role.

B. From the Groups blade, invite the user account to a new group.
C. From the Licenses blade, assign a new license.
Answer: A
Explanation:
Assign a role to a user
Sign in to the Azure portal with an account that's a global admin or privileged role admin for the directory.
Select Azure Active Directory, select Users, and then select a specific user from the list.
For the selected user, select Directory role, select Add role, and then pick the appropriate admin roles from the Directory roles list, such as Conditional access
administrator.
Press Select to save. References:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-p
NEW QUESTION 189

- (Exam Topic 5)
You have an Azure subscription named Subscription1. Subscription1 contains the resources in the following table.
In Azure, you create a private DNS zone named adatum.com. You set the registration virtual network to VNet2. The adatum.com zone is configured as shown in
the following exhibit.

A. Mastered
B. Not Mastered
Answer: A
Explanation:
Box 1: No
Azure DNS provides automatic registration of virtual machines from a single virtual network that's linked to a private zone as a registration virtual network. VM5
does not belong to the registration virtual network though.
Box 2: No
Forward DNS resolution is supported across virtual networks that are linked to the private zone as resolution virtual networks. VM5 does belong to a resolution
virtual network.
Box 3: Yes
VM6 belongs to registration virtual network, and an A (Host) record exists for VM9 in the DNS zone.
By default, registration virtual networks also act as resolution virtual networks, in the sense that DNS resolution against the zone works from any of the virtual
machines within the registration virtual network.
References: https://docs.microsoft.com/en-us/azure/dns/private-dns-overview
NEW QUESTION 190

- (Exam Topic 5)
You need to create an alert in Azure when more than two error events are logged to the System log on VM1 within an hour.
Solution: You create an Azure Log Analytics workspace and configure the data settings. You add an extension to VM1. You create an alert in Azure Monitor and
specify the Log Analytics workspace as the source.
A. Yes
B. No
Answer: B
Explanation:

Instead: You create an Azure Log Analytics workspace and configure the data settings. You install the Microsoft Monitoring Agent on VM1. You create an alert in
Azure Monitor and specify the Log Analytics workspace as the source.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview
NEW QUESTION 191

- (Exam Topic 5)
You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains 100 user accounts.
You purchase 10 Azure AD Premium P2 licenses for the tenant.
You need to ensure that 10 users can use all the Azure AD Premium features. What should you do?
A. From the Groups blade of each user, invite the users to a group.
B. From the Licenses blade of Azure AD, assign a license.
C. From the Directory role blade of each user, modify the directory role.
D. From the Azure AD domain, add an enterprise application.
Answer: B
Explanation:
Many Azure Active Directory (Azure AD) services require you to license each of your users or groups (and associated members) for that service. Only users with
active licenses will be able to access and use the licensed Azure AD services for which that's true. Licenses are applied per tenant and do not transfer to other
tenants.
Not all Microsoft services are available in all locations. Before a license can be assigned to a group, you must specify the Usage location for all members. You can
set this value in the Azure Active Directory > Users > Profile > Settings area in Azure AD. Any user whose usage location is not specified inherits the location of the
Azure AD organization.
You can add the licensing rights to users or to an entire group. Check the reference link for the steps. References: https://docs.microsoft.com/en-us/azure/active-
directory/fundamentals/license-users-groups
NEW QUESTION 194

- (Exam Topic 5)
You have an Azure subscription that contains the resources shown in the following table.
The Not allowed resources types Azure policy is assigned to RG1 and uses the following parameters:
In RG1, you need to create a new virtual named VM2, and then connected VM2 to VNET1. What should you do first?
A. Remove Microsoft.Network/virtualNetworks from the policy.

B. Create an Azure Resource Manager template.
C. Remove Microsoft.Compute/virtualMachines from the policy.
D. Add a subnet to VNET1.
Answer: C
Explanation:
The Not allowed resource types Azure policy prohibits the deployment of specified resource types. You specify an array of the resource types to block.
Virtual Networks and Virtual Machines are prohibited. Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/samples/not-allowed-resource-types
NEW QUESTION 199

- (Exam Topic 5)
You have an app named App1 that runs on two Azure virtual machines named VM1 and VM2.
You plan to implement an Azure Availability Set for App1. The solution must ensure that App1 is available during planned maintenance of the hardware hosting
VM1 and VM2.
What should you include in the Availability Set?
A. one update domain

B. two fault domains
C. one fault domain
D. two update domains
Answer: D
Explanation:
Microsoft updates, which Microsoft refers to as planned maintenance events, sometimes require that VMs be rebooted to complete the update. To reduce the
impact on VMs, the Azure fabric is divided into update domains to ensure that not all VMs are rebooted at the same time.
NEW QUESTION 202

- (Exam Topic 5)
You have a virtual network named VNet1 as shown in the exhibit. (Click the Exhibit tab.)

No devices are connected to VNet1.

You plan to peer VNet1 to another virtual network named VNet2 in the same region. VNet2 has an address space of 10.2.0.0/16.
You need to create the peering. What should you do first?
A. Configure a service endpoint on VNet2.

B. Modify the address space of VNet1.
C. Add a gateway subnet to VNet1.
D. Create a subnet on VNet1 and VNet2.
Answer: B
Explanation:
The virtual networks you peer must have non-overlapping IP address spaces. The exhibit indicates that VNet1 has an address space of 10.2.0.0/16, which is the
same as VNet2, and thus overlaps. We need to change the address space for VNet1.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-cons
NEW QUESTION 204

- (Exam Topic 5)
You have an Azure subscription that contains an Azure Storage account.
You plan to create an Azure container instance named container1 that will use a Docker image namedImage1.
Image1 contains a Microsoft SQL Server instance that requires persistent storage. You need to configure a storage service for Container1.
What should you use?
A. Azure Files
B. Azure Blob storage
C. Azure Queue storage
D. Azure Table storage
Answer: A
Explanation:
Microsoft have Docker Volume Plugin for Azure file storage which provides exactly this and it is used for Azure file shares.
Azure File Storage volume plugin is not limited to ease of container migration. It also allows a file share to be shared among multiple containers (even though they
are on different hosts) to collaborate on workloads, share configuration or secrets of an application running on multiple hosts. Another use case is uploading
metrics and diagnostics data such as logs from applications to a file share for further processing.
Reference:
https://azure.microsoft.com/en-gb/blog/persistent-docker-volumes-with-azure-file-storage/
NEW QUESTION 207

- (Exam Topic 5)
You have an Azure subscription that contains the resources shown in the following table:
You assign a policy to RG6 as shown in the following table:
To RG6, you apply the tag: RGroup: RG6.

You deploy a virtual network named VNET2 to RG6.
Which tags apply to VNET1 and VNET2? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

A. Mastered
B. Not Mastered
Answer: A
Explanation:
VNET1: Department: D1, and Label:Value1 only.
Tags applied to the resource group or subscription are not inherited by the resources.
Note: Azure Policy allows you to use either built-in or custom-defined policy definitions and assign them to either a specific resource group or across a whole Azure
subscription.
VNET2: Label:Value1 only. Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-policies
NEW QUESTION 211

- (Exam Topic 5)
You save VM1 as a template named Template1 to the Azure Resource Manager library. You plan to deploy a virtual machine named VM2 from Template1.
What can you configure during the deployment of VM2?
A. virtual machine size

B. operating system
C. administrator username
D. resource group
Answer: D
Explanation:
When deploying a virtual machine from a template, you must specify:
the Resource Group name and location for the VM
the administrator username and password
an unique DNS name for the public IP
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/ps-template
NEW QUESTION 216

- (Exam Topic 5)
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You configure a custom policy definition, and then you assign the policy to the subscription. Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing when the policy is enforced
and what effect to take. By defining conventions, you can control costs and more easily manage your resources.
References: https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition
NEW QUESTION 221

- (Exam Topic 5)
You have a virtual network named VNET1 that contains the subnets shown in the following table:

You have two Azure virtual machines that have the network configurations shown in the following table:
For NSG1, you create the inbound security rule shown in the following table:
For NSG2, you create the inbound security rule shown in the following table:
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Box 1: Yes
The inbound security rule for NSG1 allows TCP port 1433 from 10.10.2.0/24 (or Subnet2 where VM2 and VM3 are located) to 10.10.1.0/24 (or Subnet1 where
VM1 is located) while the inbound security rule for NSG2 blocks TCP port 1433 from 10.10.2.5 (or VM2) to 10.10.1.5 (or VM1). However, the NSG1 rule has a
higher priority (or lower value) than the NSG2 rule.
Box 2: Yes
No rule explicitly blocks communication from VM1. The default rules, which allow communication, are thus applied.
Box 3: Yes
No rule explicitly blocks communication between VM2 and VM3 which are both on Subnet2. The default rules,
which allow communication, are thus applied. Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
NEW QUESTION 223

- (Exam Topic 5)
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load
Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.

You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail. You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You create an inbound security rule that denies all traffic from the 131.107.100.50 source and has a cost of 64999.
A. Yes
B. No
Answer: A
NEW QUESTION 227

- (Exam Topic 5)
You have an Azure subscription named Subscription1. Subscription1 contains a resource group named RG1. RG1 contains resources that were deployed by using
templates.
You need to view the date and time when the resources were created in RG1. Solution: From the RG1 blade, you click Deployments.
A. Yes
B. No
Answer: A
Explanation:
* 1. Select the resource group (Here RG1) you want to examine.
* 2. Select the link under Deployments.
* 3. Select one of the deployments from the deployment history.
* 4. You will see a history of deployment for the resource group, including the correlation ID.

Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deployment-history?tabs=azure-porta
NEW QUESTION 229

- (Exam Topic 5)
You have an app named App1 that runs on an Azure web app named webapp1.
The developers at your company upload an update of App1 to a Git repository named GUI. Webapp1 has the deployment slots shown in the following table.
You need to ensure that the App1 update is tested before the update is made available to users. Which two actions should you perform? Each correct answer
presents part of the solution.
NOTE Each correct selection is worth one point.
A. Stop webapp1 prod.

B. Stop webapp1-test
C. Deploy the App1 update to webapp1-test, and then test the update.
D. Deploy the App1 update to webapp1-prod, and then test the update.
E. Swap the slots.
Answer: CE
Explanation:
You can validate web app changes in a staging deployment slot before swapping it with the production slot. Deploying an app to a slot first and swapping it into
production makes sure that all instances of the slot are
warmed up before being swapped into production. This eliminates downtime when you deploy your app. The traffic redirection is seamless, and no requests are
dropped because of swap operations. You can automate this entire workflow by configuring auto swap when pre-swap validation isn't needed.
After the swap you can deploy the App1 update to webapp1-test, and then test the update. If the changes swapped into the production slot aren't as per your
expectation then you can perform the same swap immediately to get your "last known good site" back.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots
NEW QUESTION 231

- (Exam Topic 5)
Solution: On Subscription1, you assign the Logic App Operator role to the Developers group. Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
The Logic App Operator role only lets you read, enable and disable logic app. With it you can view the logic app and run history, and enable/disable. Cannot edit or
update the definition.
You would need the Logic App Contributor role. References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app
NEW QUESTION 235

- (Exam Topic 5)
You have the App Service plan shown in the following exhibit.

The scale-in settings for the App Service plan are configured as shown in the following exhibit.
The scale out rule is configured with the same duration and cool down tile as the scale in rule.
A. Mastered
B. Not Mastered
Answer: A
Explanation:

NEW QUESTION 240

- (Exam Topic 5)
You plan to use Azure Resource Manager templates to deploy 50 Azure virtual machines that will be part of the same availability set.
You need to ensure that as many virtual machines as possible are available if the fabric fails or during servicing.
How should you configure the template? To answer, select the appropriate options in the answer area.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Box 1 = max value Box 2 = 20

Use max for platformFaultDomainCount
* 2 or 3 is max value, depending on which region you are in. Use 20 for platformUpdateDomainCount
Increasing the update domain (platformUpdateDomainCount) helps with capacity and availability planning when the platform reboots nodes. A higher number for
the pool (20 is max) means that fewer of their nodes in any given availability set would be rebooted at once.
References:
https://www.itprotoday.com/microsoft-azure/check-if-azure-region-supports-2-or-3-fault-domains-managed-disk https://github.com/Azure/acs-engine/issues/1030
NEW QUESTION 244

- (Exam Topic 5)
You have Azure virtual machines that run Windows Server 2019 and are configured as shown in the following table.
You create a private Azure DNS zone named adatum.com. You configure the adatum.com zone to allow auto registration from VNET1.
Which A records will be added to the adatum.com zone for each virtual machine? To answer, select the appropriate options in the answer area.
A. Mastered
B. Not Mastered
Answer: A
Explanation:

The virtual machines are registered (added) to the private zone as A records pointing to their private IP addresses.
Reference:
https://docs.microsoft.com/en-us/azure/dns/private-dns-overview https://docs.microsoft.com/en-us/azure/dns/private-dns-scenarios
NEW QUESTION 249

- (Exam Topic 5)
You have an Azure Active Directory (Azure AD) tenant.
You need to create a conditional access policy that requires all users to use multi-factor authentication when they access the Azure portal.
Which three settings should you configure? To answer, select the appropriate settings in the answer area.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-based-mfa
NEW QUESTION 250

- (Exam Topic 5)
You have an on-premises virtual machine named VM1. The settings for VM1 are shown in the exhibit. (Click the Exhibit button.)

You need to ensure that you can use the disks attached to VM1 as a template for Azure virtual machines. What should you modify on VM1?
A. Integration Services
B. the network adapters
C. the memory
D. the hard drive
E. the processor
Answer: D
Explanation:
From the exhibit we see that the disk is in the VHDX format.
Before you upload a Windows virtual machines (VM) from on-premises to Microsoft Azure, you must prepare the virtual hard disk (VHD or VHDX). Azure supports
only generation 1 VMs that are in the VHD file format and have a fixed sized disk. The maximum size allowed for the VHD is 1,023 GB. You can convert a
generation 1 VM from the VHDX file system to VHD and from a dynamically expanding disk to fixed-sized.
References:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/prepare-for-upload-vhd-image?toc=%2fazure
NEW QUESTION 251

- (Exam Topic 5)
You have an Azure web app named webapp1.
Users report that they often experience HTTP 500 errors when they connect to webapp1.
You need to provide the developers of webapp1 with real-time access to the connection errors. The solution must provide all the connection error details.
A. From webapp1, enable Web server logging

B. From Azure Monitor, create a workbook
C. From Azure Monitor, create a Service Health alert
D. From webapp1, turn on Application Logging
Answer: A
Explanation:
To resolve this you need to catch connection error. When the connection fails for webapp, it happens on web server, not within application. You can find out the
web server log by below steps:
Open the web application --> Go to Application Service logs --> Go to Web server logging (there are multiple switches there)
You can also see the errors live going to "Log stream" pane.
To ensure that you will get web server log, you have to enable it.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/troubleshoot-diagnostic-logs
NEW QUESTION 252

- (Exam Topic 5)
You have a Recovery Service vault that you use to test backups. The test backups contain two protected virtual machines.

You need to delete the Recovery Services vault. What should you do first?
A. From the Recovery Service vault, stop the backup of each backup item.
B. From the Recovery Service vault, delete the backup data.
C. Modify the disaster recovery properties of each virtual machine.
D. Modify the locks of each virtual machine.
Answer: A
Explanation:
You can't delete a Recovery Services vault if it is registered to a server and holds backup data. If you try to delete a vault, but can't, the vault is still configured to
receive backup data.
Remove vault dependencies and delete vault
In the vault dashboard menu, scroll down to the Protected Items section, and click Backup Items. In this menu, you can stop and delete Azure File Servers, SQL
Servers in Azure VM, and Azure virtual machines.
References: https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault
NEW QUESTION 256

- (Exam Topic 5)
You have an Azure Storage account named storage1 that uses Azure Blob storage and Azure File storage. You need to use AzCopy to copy data to the blob
storage and file storage in storage1.
Which authentication method should you use for each type of storage? To answer, select the appropriate options in the answer area.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
You can provide authorization credentials by using Azure Active Directory (AD), or by using a Shared Access Signature (SAS) token.
Box 1:
Both Azure Active Directory (AD) and Shared Access Signature (SAS) token are supported for Blob storage. Box 2:
Only Shared Access Signature (SAS) token is supported for File storage. Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10
NEW QUESTION 261

- (Exam Topic 5)
You have an on-premises file server named Server1 that runs Windows Server 2016. You have an Azure subscription that contains an Azure file share.
You deploy an Azure File Sync Storage Sync Service, and you create a sync group. You need to synchronize files from Server1 to Azure.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the
correct order.

A. Mastered
B. Not Mastered
Answer: A
Explanation:
Step 1: Install the Azure File Sync agent on Server1
The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share
Step 2: Register Server1.
Register Windows Server with Storage Sync Service
Registering your Windows Server with a Storage Sync Service establishes a trust relationship between your server (or cluster) and the Storage Sync Service.
Step 3: Add a server endpoint
Create a sync group and a cloud endpoint.
A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept in sync with each other. A sync group must contain one cloud
endpoint, which represents an Azure file share and one or more server endpoints. A server endpoint represents a path on registered server.
References: https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide
NEW QUESTION 266

- (Exam Topic 5)
You recently created a new Azure subscription that contains a user named Admin1.
Admin1 attempts to deploy an Azure Marketplace resource by using an Azure Resource Manager template.
Admin1 deploys the template by using Azure PowerShell and receives
the following error message: “User failed validation to purchase resources. Error message: “Legal terms have not been accepted for this item on this subscription.
To accept legal terms, please go to the Azure portal (http://go.microsoft.com/fwlink/?LinkI
d=534873) and configure programmatic deployment for the Marketplace item or create it there for the first time.”
You need to ensure that Admin1 can deploy the Marketplace resource successfully. What should you do?
A. From Azure PowerShell, run the Set-AzApiManagementSubscription cmdlet

B. From the Azure portal, register the Microsoft.Marketplace resource provider
C. From Azure PowerShell, run the Set-AzMarketplaceTerms cmdlet
D. From the Azure portal, assign the Billing administrator role to Admin1
Answer: C
Explanation:
The Set-AzMarketplaceTerms cmdlet saves the terms object for given publisher id(Publisher), offer id(Product) and plan id(Name) tuple.
Reference:
https://docs.microsoft.com/en-us/powershell/module/az.marketplaceordering/set-azmarketplaceterms?view=azps
NEW QUESTION 268

- (Exam Topic 5)
You create a Recovery Services vault backup policy named Policy1 as shown in the following exhibit:

A. Mastered
B. Not Mastered
Answer: A
Explanation:
Box 1: 10 years
The yearly backup point occurs to 1 March and its retention period is 10 years. Box 2: 36 months
The monthly backup point occurs on the 1st of every month and its retention period is 36 months.
NEW QUESTION 272

- (Exam Topic 5)
You have an Azure subscription named Subscription1 that contains the storage accounts shown in the following table:
You plan to use the Azure Import/Export service to export data from Subscription1. You need to identify which storage account can be used to export the data.
What should you identify?
A. storage1
B. storage2
C. storage3
D. storage4
Answer: D
Explanation:
Azure Import/Export service supports the following of storage accounts:

Standard General Purpose v2 storage accounts (recommended for most scenarios)

Blob Storage accounts
General Purpose v1 storage accounts (both Classic or Azure Resource Manager deployments), Azure Import/Export service supports the following storage
types:
Import supports Azure Blob storage and Azure File storage
Export supports Azure Blob storage
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-requirements
NEW QUESTION 277

- (Exam Topic 5)
You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource Manager
template.
You need to ensure that NGINX is available on all the virtual machines after they are deployed. What should you use?
A. Azure Active Directory (Azure AD) Application Proxy

B. Azure Application Insights
C. Azure Custom Script Extension
D. the New-AzConfigurationAssignement cmdlet
Answer: C
Explanation:
The Custom Script Extension downloads and executes scripts on Azure VMs. This extension is useful for post deployment configuration, software installation, or
any other configuration / management task. Scripts can be downloaded from Azure storage or GitHub, or provided to the Azure portal at extension run time.
The Custom Script extension integrates with Azure Resource Manager templates, and can also be run using the
Azure CLI, PowerShell, Azure portal, or the Azure Virtual Machine REST API. You can use the Custom Script Extension with both Windows and Linux VMs.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-automate-vm-deployment?toc=https%
NEW QUESTION 278

......

THANKS FOR TRYING THE DEMO OF OUR PRODUCT
Visit Our Site to Purchase the Full Set of Actual AZ-104 Exam Questions With Answers.
We Also Provide Practice Exam Software That Simulates Real Exam Environment And Has Many Self-Assessment Features. Order the
AZ-104 Product From:
https://www.2passeasy.com/dumps/AZ-104/
Money Back Guarantee
AZ-104 Practice Exam Features:
* AZ-104 Questions and Answers Updated Frequently
* AZ-104 Practice Questions Verified by Expert Senior Certified Staff
* AZ-104 Most Realistic Questions that Guarantee you a Pass on Your FirstTry
* AZ-104 Practice Test Questions in Multiple Choice Formats and Updatesfor 1 Year

Powered by TCPDF (www.tcpdf.org)

Lead2pass Dump1

Uploaded by

Copyright:

Available Formats

Lead2pass Dump1

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Lead2pass Dump1

Uploaded by

Copyright:

Available Formats

Welcome to download the Newest 2passeasy AZ-104 dumps

https://www.2passeasy.com/dumps/AZ-104/ (413 New Questions)

Exam Questions AZ-104

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

A. Add a service endpoint to VNet1

A. an Azure Cosmos DB database

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

You need to delete TestRG. What should you do first?

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

A. Modify the size of VM1.

A. a Security group that uses the Assigned membership type

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

A. the modified screen saver timeout

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

You add 14 virtual machines to WEBPROD-AS-USE2.

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

A. Change the priority of Rule3 to 450.

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

A. Update the DNS suffix on VM1 to be adatum.com.

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

A. From contoso.com, modify the Organization relationships settings.

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

The groups have the memberships shown in the following table.

A. User4 and Group2 only

A. From webapp1, modify the Application settings.

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

NOTE: Each correct selection is worth one point.

A. an XML manifest file

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

A. Azure Data Lake Store

NEW QUESTION 101

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

NEW QUESTION 103

A. From the multi-factor authentication page, configure the users’ settings.

NEW QUESTION 106

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

A. Associate the NSG to Subnet1.

NEW QUESTION 108

Contoso.com includes following Windows 10 devices:

You create following security groups in Contoso.com:

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

NEW QUESTION 111

A. a public load balancer

NEW QUESTION 116

NEW QUESTION 118

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

You need to recommend a networking solution to meet the following requirements:

NEW QUESTION 123

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

NEW QUESTION 127

NEW QUESTION 131

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

NEW QUESTION 135