az-104_5

Recommend!!
Get the Full AZ-104 dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/AZ-104-exam-dumps.html (232 New Questions)
Microsoft
Exam Questions AZ-104
Microsoft Azure Administrator
Passing Certification Exams Made Easy visit - https://www.surepassexam.com

Recommend!! Get the Full AZ-104 dumps in VCE and PDF From SurePassExam
NEW QUESTION 1
- (Topic 5)
You have an Azure subscription. The subscription contains virtual machines that connect to a virtual network named VNet1.
You plan to configure Azure Monitor for VM Insights.
You need to ensure that all the virtual machines only communicate with Azure Monitor through VNet1.
What should you create first?
A. an Azure Monitor Private Link Scope (AMPIS)

B. a private endpoint
C. a Log Analytics workspace
D. a data collection rule (DCR)
Answer: A
Explanation:
Azure Monitor for VM Insights is a feature of Azure Monitor that provides comprehensive monitoring and diagnostics for your Azure virtual machines and virtual
machine scale sets. It collects performance data, process information, and network dependencies from your virtual machines and displays them in interactive
charts and maps. You can use Azure Monitor for VM Insights to troubleshoot performance issues, optimize resource utilization, and identify network bottlenecks1.
To enable Azure Monitor for VM Insights, you need to install two agents on your virtual machines: the Azure Monitor agent (preview) and the Dependency agent.
The Azure Monitor agent collects performance metrics and sends them to a Log Analytics workspace. The Dependency agent collects process information and
network dependencies and sends them to the InsightsMetrics table in the same workspace2.
By default, the agents communicate with Azure Monitor over the public internet. However, if you want to ensure that all the virtual machines only communicate with
Azure Monitor through a virtual network named VNet1, you need to configure private network access for the agents.
Private network access allows the agents to communicate with Azure Monitor using a
private endpoint, which is a special network interface that connects your virtual network to
an Azure service without exposing it to the public internet. A private endpoint uses a private IP address from your virtual network address space, so you can
secure and control the network traffic between your virtual machines and Azure Monitor3.
To configure private network access for the agents, you need to create an Azure Monitor Private Link Scope (AMPIS) first. An AMPIS is a resource that groups
one or more Log Analytics workspaces together and associates them with a private endpoint. An AMPIS allows you to manage the private connectivity settings for
multiple workspaces in one place4.
After creating an AMPIS, you need to create a private endpoint in VNet1 and link it to the AMPIS. This will enable the agents on your virtual machines to send data
to the Log Analytics workspaces in the AMPIS using the private IP address of the private endpoint5.
NEW QUESTION 2
HOTSPOT - (Topic 5)
You have an Azure Storage account named storage1 that contains two containers named container 1 and container2. Blob versioning is enabled for both
containers.
You periodically take blob snapshots of critical blobs. You create the following lifecycle management policy:

For each of the following statements, select Yes If the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Answer:
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Based on the lifecycle management policy you created and the information from the web search results, here are the answers to your statements:
? A blob snapshot automatically moves to the Cool access tier after 15 days. = Yes
? A blob version in container2 automatically moves to the Archive access tier after 30 days. = No
? A rehydrated version automatically moves to the Archive access tier after 30 days.
= No

? The lifecycle management policy you created has two rules: one for container1 and one for container2. The rule for container1 has an action that moves blob
snapshots to the Cool access tier if they are older than 15 days. Therefore, a blob snapshot in container1 will automatically move to the Cool access tier after 15
days, regardless of the access tier of the base blob.
? The rule for container2 has an action that moves blob versions to the Archive
access tier if they are older than 30 days and have a prefix match of “archive/”. Therefore, a blob version in container2 will only automatically move to the Archive
access tier after 30 days if its name starts with “archive/”. Otherwise, it will remain in its current access tier.
? A rehydrated version is a blob version that was previously in the Archive access
tier and was restored to an online access tier (Hot or Cool) by using the rehydrate priority option1. A rehydrated version does not automatically move to the Archive
access tier after 30 days, unless there is a lifecycle management policy rule that explicitly specifies this action. In your case, neither of the rules applies to
rehydrated versions, so they will stay in their online access tiers until you manually change them or delete them.
NEW QUESTION 3
- (Topic 5)
You have an Azure subscription that contains the resources in the following table.
VM1 and VM2 are deployed from the same template and host line-of-business applications accessed by using Remote Desktop. You configure the network
security group (NSG) shown in the exhibit. (Click the Exhibit button.)
You need to prevent users of VM1 and VM2 from accessing websites on the Internet. What should you do?
A. Associate the NSG to Subnet1.

B. Disassociate the NSG from a network interface.
C. Change the DenyWebSites outbound security rule.
D. Change the Port_80 inbound security rule
Answer: A
Explanation:
Outbound rule “DenyWebSites” is setup correctly to block outbound internet traffic over port 80. In the screenshot it states, "Associated with: 0 subnets, 0 NIC's",
so you need to associate the NSG to Subnet1.You can associate or dissociate a network security group from a NIC or Subnet. Reference:
https://docs.microsoft.com/en-us/azure/virtual- network/manage-network-security-group
NEW QUESTION 4

- (Topic 5)
You deploy an Azure Kubernetes Service (AKS) cluster named Cluster1 that uses the IP addresses shown in the following table.
You need to provide internet users with access to the applications that run in Cluster1. Which IP address should you include in the DNS record for Ousted?
A. 172.17.7.1
B. 131.107.2.1
C. 192.168.10.2
D. 10.0.10.11
Answer: B
Explanation:
When any internet user will try to access the cluster which is behind a load balancer, traffic
will first hit to load balancer front end IP. So in the DNS configuration you have to provide the IP address of the load balancer.
Reference:
https://stackoverflow.com/questions/43660490/giving-a-dns-name-to-azure-load-balancer
NEW QUESTION 5
HOTSPOT - (Topic 5)
You have an Azure subscription that contains an Azure Storage account named storage1 and the users shown in the following table.
You plan to monitor storage1 and to configure email notifications for the signals shown in the following table.
You need to identify the minimum number of alert rules and action groups required for the planned monitoring.
How many alert rules and action groups should you identify? To answer, select the appropriate options in the answer area.
A. Mastered
B. Not Mastered
Answer: A

Explanation:
Box 1 : 4
As there are 4 distinct set of resource types (Ingress, Egress, Delete storage account, Restore blob ranges), so you need 4 alert rules. In one alert rule you can't
specify different type of resources to monitor. So you need 4 alert rules.
Box 2 : 3
There are 3 distinct set of "Users to notify" as (User 1 and User 3), (User1 only), and (User1, User2, and User3). You can't set the action group based on existing
group (Group1 and Group2) as there is no specific group for User1 only. So you need to create 3 action group.
NEW QUESTION 6
HOTSPOT - (Topic 5)
You have a virtual network named VNet1 that has the configuration shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the
graphic.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
https://learn.microsoft.com/en-us/azure/virtual-network/manage-virtual-network#add-or-remove-an-address-range
NEW QUESTION 7
HOTSPOT - (Topic 5)
You have an Azure subscription that contains the container images shown in the following table.
You plan to use the following services:

• Azure Container Instances
• Azure Container Apps
• Azure App Service
In which services can you run the images? To answer, select the options in the answer area.
NOTE: Each correct answer is worth one point.

A. Mastered
B. Not Mastered
Answer: A
Explanation:
Image 1: Azure Container Apps only.image 2: Azure Container Instances, Azure Container Apps, and App Services.
The images you have in your Azure subscription are different types of container images that can run on different Azure services. A container image is a package of
software that includes everything needed to run an application, such as code, libraries, dependencies, and configuration files. Container images are portable and
consistent across different environments, such as development, testing, and production.
Azure Container Instances is a service that allows you to run containers directly on the Azure cloud, without having to manage any infrastructure or orchestrators.
You can use Azure Container Instances to run any container image that is compatible with the Docker image format and follows the Open Container Initiative (OCI)
specification. You can also run Windows or Linux containers on Azure Container Instances.
Azure Container Apps is a service that allows you to build and deploy cloud-native applications and microservices using serverless containers. You can use Azure
Container Apps to run any container image that is compatible with the Docker image format and follows the Open Container Initiative (OCI) specification. You can
also run Windows or Linux containers on Azure Container Apps.
Azure App Service is a service that allows you to build and host web applications, mobile backends, and RESTful APIs using various languages and frameworks.
You can use Azure App Service to run custom container images that are compatible with the Docker image format and follow the App Service Docker image
contract. You can also run Windows or Linux containers on Azure App Service.
NEW QUESTION 8
DRAG DROP - (Topic 5)
You have an Azure Active Directory (Azure AD) tenant that has the initial domain name. You have a domain name of contoso.com registered at a third-party
registrar.
You need to ensure that you can create Azure AD users that have names containing a suffix of @contoso.com.
Which three actions should you perform in sequence? To answer, move the appropriate cmdlets from the list of cmdlets to the answer area and arrange them in
the correct order.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
The process is simple:
? Add the custom domain name to your directory
? Add a DNS entry for the domain name at the domain name registrar
? Verify the custom domain name in Azure AD
References: https://docs.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain
NEW QUESTION 9
- (Topic 5)
You have an Azure subscription that contains two virtual machines named VM1 and VM2 You create an Azure load balancer.
You plan to create a load balancing rule that will load balance HTTPS traffic between VM1 and VM2.
Which two additional load balance resources should you create before you can create the load balancing rule? Each correct answer presents part of the solution
MOTL Each correct selection 5 worth one point.
A. a frontend IP address
B. a backend pool

C. a health probe
D. an inbound NAT rule
E. a virtual network
Answer: AC
Explanation:
To create a load balancing rule that will load balance HTTPS traffic between VM1 and VM2, you need to create two additional load balance resources: a frontend
IP address and a health probe.
A frontend IP address is the IP address that the clients use to access the load balancer. It can be either public or private, depending on the type of load balancer. A
address is required for any load balancing rule1.
frontend
A health IP
probe is used to monitor the health and availability of the backend instances. It can be either TCP, HTTP, or HTTPS, depending on the protocol of the
load balancing rule. A health probe is required for any load balancing rule1.
A backend pool is a group of backend instances that receive the traffic from the load balancer. You already have a backend pool that contains VM1 and VM2, so
you don’t need to create another one.
An inbound NAT rule is used to forward traffic from a specific port on the frontend IP address to a specific port on a backend instance. It’s not required for a load
balancing rule, but it can be used to access individual instances for troubleshooting or maintenance purposes1.
A virtual network is a logical isolation of Azure resources within a region. It’s not a load balance resource, but it’s required for creating an internal load balancer or
connecting virtual machines to a load balancer2.
NEW QUESTION 10
HOTSPOT - (Topic 5)
Peering for VNET2 is configured as shown in the following exhibit.
Peering for VNET3 is configured as shown in the following exhibit.
How can packets be routed between the virtual networks? To answer, select the appropriate options in the answer area.
Answer:

A. Mastered
B. Not Mastered
Answer: A
Explanation:
Box 1. VNET2 and VNET3 Box 2: VNET1
Gateway transit is disabled.
NEW QUESTION 10
HOTSPOT - (Topic 5)
You have an Azure Active Directory (Azure AD) tenant named adatum.com. Adatum.com contains the groups in the following table.
You create two user accounts that are configured as shown in the following table.
To which groups do User1 and User2 belong? To answer. select the appropriate options in the answer area.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Box 1: Group 1 only First rule applies
Box 2: Group1 and Group2 only Both membership rules apply.
References: https://docs.microsoft.com/en-us/sccm/core/clients/manage/collections/create- collections

NEW QUESTION 15
HOTSPOT - (Topic 5)
You need to configure a new Azure App Service app named WebApp1. The solution must meet the following requirements:
• WebApp1 must be able to verify a custom domain name of app.contoso.com.
• WebApp1 must be able to automatically scale up to eight instances.
• Costs and administrative effort must be minimized.
Which pricing plan should you choose, and which type of record should you use to verify the domain? To answer, select the appropriate options in the answer
area.
NOTE: Each correct answer is worth one point.
Answer:
A. Mastered
B. Not Mastered
Answer: A
NEW QUESTION 18
- (Topic 5)
You have an Azure subscription that contains the resources shown in the following table.
You configure Azure Site Recovery to replicate VM1 between the East US and W«t US regions.
You perform a test failove of VM1 and specify VNET2 as the target v>riual network. When the test version of VM1 is created, to which subnet will the virtual
machine be
connected?

A. Testsubnet1
B. RecoverySubnetB
C. DemoSubnrt1
RecovetySubnelA
D.
Answer: A
Explanation:
https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-network-mapping
The subnet of the target VM is selected based on the name of the subnet of the source VM.
- If a subnet with the same name as the source VM subnet is available in the target network, that subnet is set for the target VM.
- If a subnet with the same name doesn't exist in the target network, the first subnet in the alphabetical order is set as the target subnet.
NEW QUESTION 21
HOTSPOT - (Topic 5)
You have an Azure subscription named Sub1.
You plan to deploy a multi-tiered application that will contain the tiers shown in the following table.
You need to recommend a networking solution to meet the following requirements:

• Ensure that communication between the web servers and the business logic tier spreads equally across the virtual machines.
• Protect the web servers from SQL injection attacks.
Which Azure resource should you recommend for each requirement? To answer, select the appropriate options in the answer area. NOTE: Each correct selection
is worth one point.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Box 1: an internal load balancer
Azure Internal Load Balancer (ILB) provides network load balancing between virtual machines that reside inside a cloud service or a virtual network with a regional
scope.
Box 2: an application gateway that uses the WAF tier
Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common exploits and
vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. Application gateway which uses WAF
tier.
NEW QUESTION 24
- (Topic 5)
You have an Azure App Services web app named App1. You plan to deploy App1 by using Web Deploy.
You need to ensure that the developers of App1 can use their Azure Active Directory (Azure AD) credentials to deploy content to App1. The solution must use the
principle of least privilege.
What should you do?
A. Configure app-level credentials for FTPS.

B. Assign The Website Contributor role to the developers.
C. Assign the Owner role to the developers.
D. Configure user-level credentials for FTPS.
Answer: B
Explanation:
"To secure app deployment from a local computer, Azure App Service supports two types of credentials for local Git deployment and FTP/S deployment. These
credentials are not the same as your Azure subscription credentials." https://learn.microsoft.com/en- us/azure/app-service/deploy-configure-credentials?tabs=cli

NEW QUESTION 29
- (Topic 5)
You have an Azure subscription.
You have 100 Azure virtual machines.
You need to quickly identify underutilized virtual machines that can have their service tier changed to a less expensive offering.
Which blade should you use?
A. Metrics
B. Customer insights
C. Monitor
D. Advisor
Answer: D
Explanation:
The Advisor dashboard displays personalized recommendations for all your subscriptions. You can apply filters to display recommendations for specific
subscriptions and resource types. The recommendations are divided into five categories:
Reliability (formerly called High Availability): To ensure and improve the continuity of your business-critical applications. For more information, see Advisor
Reliability recommendations.
Security: To detect threats and vulnerabilities that might lead to security breaches. For more information, see Advisor Security recommendations.
Performance: To improve the speed of your applications. For more information, see Advisor Performance recommendations.
Cost: To optimize and reduce your overall Azure spending. For more information, see Advisor Cost recommendations.
Operational Excellence: To help you achieve process and workflow efficiency, resource manageability and deployment best practices. . For more information, see
Advisor Operational Excellence recommendations.
NEW QUESTION 33
You have a windows 11 device named Device1 and an Azure subscription that contains the resources shown in the following table.
Device 1 has Azure PowerShell and Azure Command-Line Interface (CLI) installed. From Device1, you need to establish a Remote Desktop connection to VM1.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the
correct order.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
https://learn.microsoft.com/en-us/azure/bastion/connect-native-client-windows
NEW QUESTION 34
HOTSPOT - (Topic 4)
You implement the planned changes for NSG1 and NSG2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
A. Mastered

B. Not Mastered
Answer: A
Explanation:
NEW QUESTION 38
HOTSPOT - (Topic 4)
You need to ensure that User1 can create initiative definitions, and User4 can assign initiatives to RG2. The solution must meet the technical requirements.
Which role should you assign to each user? To answer, select the appropriate options in the answer area.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
NEW QUESTION 41
- (Topic 4)
You need to add VM1 and VM2 to the backend poo! of LB1. What should you do first?
A. Create a new NSG and associate the NSG to VNET1/Subnet1.

B. Connect VM2 to VNET1/Subnet1.

C. Redeploy VM1 and VM2 to the same availability zone.
D. Redeploy VM1 and VM2 to the same availability set.
Answer: B
NEW QUESTION 44
- (Topic 4)
You need to identify which storage account to use for the flow logging of IP traffic from VM5. The solution must meet the retention
requirements.
Which storage account should you identify?
A. storage4
B. storage1
C. storage2
D. storage3
Answer: D
NEW QUESTION 48
- (Topic 3)
You need to implement a backup solution for App1 after the application is moved. What should you create first?
A. a recovery plan
B. an Azure Backup Server
C. a backup policy
D. a Recovery Services vault
Answer: D
Explanation:
A Recovery Services vault is a logical container that stores the backup data for each
protected resource, such as Azure VMs. When the backup job for a protected resource runs, it creates a recovery point inside the
Recovery Services vault.
Scenario:
There are three application tiers, each with five virtual machines. Move all the virtual machines for App1 to Azure.
Ensure that all the virtual machines for App1 are protected by backups. References: https://docs.microsoft.com/en-us/azure/backup/quick-backup-vm-portal
NEW QUESTION 53
- (Topic 3)
You need to recommend an identify solution that meets the technical requirements. What should you recommend?
A. federated single-on (SSO) and Active Directory Federation Services (AD FS)
B. password hash synchronization and single sign-on (SSO)
C. cloud-only user accounts
D. Pass-through Authentication and single sign-on (SSO)
Answer: A
Explanation:
Active Directory Federation Services is a feature and web service in the Windows Server Operating System that allows sharing of identity information outside a
company’s network.
Scenario: Technical Requirements include:
Prevent user passwords or hashes of passwords from being stored in Azure. References: https://www.sherweb.com/blog/active-directory-federation-services/

NEW QUESTION 57
- (Topic 3)
You need to meet the user requirement for Admin1. What should you do?
A. From the Subscriptions blade, select the subscription, and then modify the Properties.
B. From the Subscriptions blade, select the subscription, and then modify the Access control (IAM) settings.
C. From the Azure Active Directory blade, modify the Properties.
D. From the Azure Active Directory blade, modify the Groups.
Answer: A
Explanation:
Change the Service administrator for an Azure subscription
? Sign in to Account Center as the Account administrator.
? Select a subscription.
? On the right side, select Edit subscription details.
Scenario: Designate a new user named Admin1 as the service administrator of the Azure subscription.
References: https://docs.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator
NEW QUESTION 59
- (Topic 3)
You are planning the move of App1 to Azure. You create a network security group (NSG).
You need to recommend a solution to provide users with access to App1. What should you recommend?
A. Create an outgoing security rule for port 443 from the Interne
B. Associate the NSG to all the subnets.
C. Create an incoming security rule for port 443 from the Interne
D. Associate the NSG to all the subnets.
E. Create an incoming security rule for port 443 from the Interne
F. Associate the NSG to the subnet that contains the web servers.
G. Create an outgoing security rule for port 443 from the Interne
H. Associate the NSG to the subnet that contains the web servers.
Answer: C
Explanation:
As App1 is public-facing we need an incoming security rule, related to the access of the web servers.
Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers: a SQL database, a web front end, and a processing
middle tier. Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
NEW QUESTION 61
HOTSPOT - (Topic 3)
You need to identify the storage requirements for Contoso.

A. Mastered
B. Not Mastered
Answer: A
Explanation:
Statement 1: Yes
Contoso is moving the existing product blueprint files to Azure Blob storage which will ensure that the blueprint files are stored in the archive storage tier.
Use unmanaged standard storage for the hard disks of the virtual machines. We use Page Blobs for these.
Statement 2: No
Azure Table storage stores large amounts of structured data. The service is a NoSQL datastore which accepts authenticated calls from inside and outside the
Azure cloud. Azure tables are ideal for storing structured, non-relational data. Common uses of Table storage include:
* 1. Storing TBs of structured data capable of serving web scale applications
* 2. Storing datasets that don't require complex joins, foreign keys, or stored procedures and can be denormalized for fast access
* 3. Quickly querying data using a clustered index
* 4. Accessing data using the OData protocol and LINQ queries with WCF Data Service.NET Libraries Statement 3: No
File Storage can be used if your business use case needs to deal mostly with standard File extensions like *.docx, *.png and *.bak then you should probably go
with this storage option.
NEW QUESTION 64
HOTSPOT - (Topic 3)
You need to recommend a solution for App1. The solution must meet the technical requirements. What should you include in the recommendation? To answer,
select the appropriate options in the answer area.
Answer:

A. Mastered
B. Not Mastered
Answer: A
Explanation:
This reference architecture shows how to deploy VMs and a virtual network configured for an N-tier application, using SQL Server on Windows for the data tier.
Description automatically generated with medium confidence

Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers:
? A SQL database
? A web front end
? A processing middle tier

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
? Technical requirements include:
? Move all the virtual machines for App1 to Azure.
? Minimize the number of open ports between the App1 tiers.
References: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/n- tier/n-tier-sql-server
NEW QUESTION 66
- (Topic 2)
You need to resolve the Active Directory issue. What should you do?
A. From Active Directory Users and Computers, select the user accounts, and then modify the User Principal Name value.
B. Run idfix.exe, and then use the Edit action.
C. From Active Directory Domains and Trusts, modify the list of UPN suffixes.
D. From Azure AD Connect, modify the outbound synchronization rule.
Answer: B
Explanation:
IdFix is used to perform discovery and remediation of identity objects and their attributes in an on-premises Active Directory environment in preparation for
migration to Azure Active Directory. IdFix is intended for the Active Directory administrators responsible for directory
synchronization
with Azure Active Directory.
Scenario: Active Directory Issue
Several users in humongousinsurance.com have UPNs that contain special characters. You suspect that some of the characters are unsupported in Azure AD.
References: https://www.microsoft.com/en-us/download/details.aspx?id=36832
NEW QUESTION 68
- (Topic 2)
Which blade should you instruct the finance department auditors to use?
A. invoices
B. partner information
C. cost analysis
D. External services
Answer: C
Explanation:
Cost analysis: Correct Option
In cost analysis blade of Azure, you can see all the detail for custom time span. You can use this to determine expenditure of last few day, weeks, and month.
Below options are available in Cost analysis blade for filtering information by time span: last 7 days, last 30 days, and custom date range. Choosing the first option
(last 7 days) auditors can view the costs by time span.
Cost analysis shows data for the current month by default. Use the date selector to switch to common date ranges quickly. Examples include the last seven days,
the last month, the current year, or a custom date range. Pay-as-you-go subscriptions also include date ranges based on your billing period, which isn't bound to
the calendar month, like the
current billing period or last invoice. Use the <PREVIOUS andNEXT> links at the top of the menu to jump to the previous or next period, respectively. For example,
<PREVIOUS will switch from the Last 7 days to8-14 days ago o1r 5-21 days ago.

Invoice: Incorrect Option

Invoices can only be used for past billing periods not for current billing period, i.e. if your requirement is to know the last week's cost then that also not filled by
invoices because Azure generates invoice at the end of the month. Even though Invoices have custom timespan, but when you put in dates for a week, the pane
would be empty. Below is from Microsoft document:
Resource Provider: Incorrect Option

When deploying resources, you frequently need to retrieve information about the resource providers and types. For example, if you want to store keys and secrets,
you work with the Microsoft.KeyVault resource provider. This resource provider offers a resource type called vaults for creating the key vault. This is not useful for
reviewing all Azure costs from the past week which is required for audit.
Payment method: Incorrect Option
Payment methods is not useful for reviewing all Azure costs from the past week which is required for audit.
Reference:

https://docs.microsoft.com/en-us/azure/cost-management-billing/costs/quick-acm-cost- analysis
https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/download-azure-invoice-daily-usage-date
NEW QUESTION 73
- (Topic 2)
You need to prepare the environment to meet the authentication requirements.
Which two actions should you perform? Each correct answer presents part of the solution. NOTE Each correct selection is worth one
point.
A. Azure Active Directory (AD) Identity Protection and an Azure policy

B. a Recovery Services vault and a backup policy
C. an Azure Key Vault and an access policy
D. an Azure Storage account and an access policy
Answer: C
Explanation:
D: Seamless SSO works with any method of cloud authentication - Password Hash Synchronization or Pass-through Authentication, and can be enabled via Azure
AD Connect.
B: You can gradually roll out Seamless SSO to your users. You start by adding the following Azure AD URL to all or selected users' Intranet zone settings by using
Group Policy in Active Directory: https://autologon.microsoftazuread-sso.com
NEW QUESTION 74
- (Topic 2)
You need to resolve the licensing issue before you attempt to assign the license again. What should you do?
A. From the Groups blade, invite the user accounts to a new group.
B. From the Profile blade, modify the usage location.
C. From the Directory role blade, modify the directory role.
Answer: B
Explanation:
Scenario: Licensing Issue
* 1. You attempt to assign a license in Azure to several users and receive the following error message: "Licenses not assigned. License agreement failed for one
user."
* 2. You verify that the Azure subscription has the available licenses. Solution:
License cannot be assigned to a user without a usage location specified.
Some Microsoft services aren't available in all locations because of local laws and regulations. Before you can assign a license to a user, you must specify the
Usage location property for the user. You can specify the location under the User > Profile > Settings section in the Azure portal.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-groups-resolve-problems

NEW QUESTION 75
HOTSPOT - (Topic 2)
You are evaluating the name resolution for the virtual machines after the planned implementation of the Azure networking infrastructure.
Answer:
A. Mastered
B. Not Mastered

Answer: A
Explanation:
Statement 1: Yes
All client computers in the Paris office will be joined to an Azure AD domain.
A virtual network named Paris-VNet that will contain two subnets named Subnet1 and Subnet2.
Microsoft Windows Server Active Directory domains, can resolve DNS names between virtual networks. Automatic registration of virtual machines from a virtual
network that's linked to a private zone with auto-registration enabled. Forward DNS resolution is supported across virtual networks that are linked to the private
zone.
Statement 2: Yes
A virtual network named ClientResources-VNet that will contain one subnet named ClientSubnet You plan to create a private DNS zone named
humongousinsurance.local and set the registration network to the ClientResources-VNet virtual network.
As this is a registration network so this will work.

Statement 3: No
Only VMs in the registration network, here the ClientResources-VNet, will be able to register hostname records. Since Subnet4 not connected to Client Resources
Network thus not able to register its hostname with humongoinsurance.local
NEW QUESTION 80
HOTSPOT - (Topic 1)
You need to the appropriate sizes for the Azure virtual for Server2.
What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Answer:
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Box 1: Create a Recovery Services vault
Create a Recovery Services vault on the Azure Portal.
Box 2: Install the Azure Site Recovery Provider
Azure Site Recovery can be used to manage migration of on-premises machines to Azure.
Scenario: Migrate the virtual machines hosted on Server1 and Server2 to Azure. Server2 has the Hyper-V host role.
References:
https://docs.microsoft.com/en-us/azure/site-recovery/migrate-tutorial-on-premises-azure
NEW QUESTION 83
- (Topic 2)
You need to prepare the environment to meet the authentication requirements.
Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
A. Allow inbound TCP port 8080 to the domain controllers in the Miami office.
B. Add http://autogon.microsoftazuread-sso.com to the intranet zone of each client computer in the Miami

office.
C. Join the client computers in the Miami office to Azure AD.
D. Install the Active Directory Federation Services (AD FS) role on a domain controller in the Miami office.
E. Install Azure AD Connect on a server in the Miami office and enable Pass-through Authentication.
Answer: BE
Explanation:
B: You can gradually roll out Seamless SSO to your users. You start by adding the following Azure AD URL to all or selected users' Intranet zone settings by using
Group Policy in Active Directory: https://autologon.microsoftazuread-sso.com
E: Seamless SSO works with any method of cloud authentication - Password Hash Synchronization or Pass-through Authentication, and can be enabled via Azure
AD Connect.
References:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick- start
NEW QUESTION 86
HOTSPOT - (Topic 5)
You have an Azure virtual machine named VM1 and a Recovery Services vault named Vault1.
You create a backup Policy1 as shown in the exhibit. (Click the Exhibit tab.)

You configure the backup of VM1 to use Policy1 on Thursday, January 1.

You need to identify the number of available recovery points for VM1.
How many recovery points are available on January 8 and on January 15? To answer, select the appropriate options in the answer area.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Box 1: 6
4 daily + 1 weekly + monthly
Box 2: 8
4 daily + 2 weekly + monthly + yearly

NEW QUESTION 90
HOTSPOT - (Topic 5)
You plan to create a role definition to meet the following requirements:
• Users must be able to view the configuration data of a storage account.
• Users must be able to perform all actions on a virtual network.
• The solution must use the principle of least privilege.
What should you include in the role definition for each requirement? To answer, select the appropriate options in the answer area.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Perform all actions on a virtual network: “Microsoft.Network/virtualNetworks/*”
View the configuration data of a storage account: “Microsoft.Storage/StorageAccounts/read”
To perform all actions on a virtual network, you need to use the wildcard () character in the action string, which grants access to all actions that match the string.
The action string for virtual networks is "Microsoft.Network/virtualNetworks/". To view the configuration data of a storage account, you need to use the read action
substring in the action string, which enables read actions (GET). The action string for storage accounts is “Microsoft.Storage/StorageAccounts/read”. References:
? https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions
? https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
NEW QUESTION 93
You need to create container1 and share1.
Which storage accounts should you use for each resource? To answer, select the appropriate options in t he answer area.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers https://docs.microsoft.com/en-us/azure/storage/common/storage-account-
overview
NEW QUESTION 97
- (Topic 5)
You have an Azure Kubernetes Service (AKS) cluster named AKS1. You need to configure cluster autoscaler for AKS1.
Which two tools should you use? Each correct answer presents a complete solution, NOTE: Each correct selection is worth one point
A. the set-AzAKs cmdlet

B. the Azure portal
C. The az aks command

D. the kubect1 command

E. the set Azure cmdlet
Answer: BC
Explanation:
AKS clusters can scale in one of two ways: - The cluster autoscaler watches for pods that can't be scheduled on nodes because of resource constraints. The
cluster then automatically increases the number of nodes. - The horizontal pod autoscaler uses the Metrics Server in a Kubernetes cluster to monitor the resource
demand of pods. If an application needs more resources, the number of pods is automatically increased to meet the demand. Reference:
https://docs.microsoft.com/en-us/azure/aks/cluster-autoscaler
NEW QUESTION 98
- (Topic 5)
You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1.
Subscription1 has a user named User1. User1 has the following roles;
• Reader
• Security Admin
• Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users. What should you do?
Assign User1 the Contributor role for VNet1.

A.
B. Remove User from the Security Reader and Reader roles tot Subscription1.
C. Assign User1 the Network Contributor role for VNet1.
D. Assign User1 the User Access Administrator role for VNet1
Answer: D
Explanation:
https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory- admin-
roles#:~:text=The%20User%20Access%20Administrator%20role%20enables%20the%20u
ser%20to%20grant,Azure%20subscriptions%20and%20management%20groups.
NEW QUESTION 101

HOTSPOT - (Topic 5)
You have an Azure subscription that is linked to an Azure AD tenant. The tenant contains two users named User1 and User2. The subscription contains the
resources shown in the following table.
The subscription contains the alert rules shown in the following table.
The users perform the following actions:

• User1 creates a new virtual disk and attaches the disk to VM1.
• User2 creates a new resource tag and assigns the tag to RG1 and VM1.
Which alert rules are triggered by each user? To answer, select the appropriate options in the answer area.
Answer:

A. Mastered
B. Not Mastered
Answer: A
Explanation:
In this case, you have two alert rules: Alert1 and Alert2. Alert1 has a scope of RG1, which means it applies to all the resources in the resource group named RG1.
Alert1 has a condition of All Administrative operations, which means it triggers when any administrative operation is performed on the resources in RG1. An
administrative operation is any operation that changes the configuration or state of a resource, such as creating, deleting, updating, or restarting.
Alert2 has a scope of VM1, which means it applies only to the virtual machine named VM1. Alert2 also has a condition of All Administrative operations, which
means it triggers when any administrative operation is performed on VM1.
Now, let’s see which alert rules are triggered by each user.
User1 creates a new virtual disk and attaches the disk to VM1. This is an administrative operation on VM1, so it triggers Alert2. However, it does not trigger Alert1,
because the new disk is not part of RG1. Therefore, the correct answer for User1 is C. Only Alert2 is triggered.
User2 creates a new resource tag and assigns the tag to RG1 and VM1. This is also an administrative operation on both RG1 and VM1, so it triggers both Alert1
and Alert2. Therefore, the correct answer for User2 is D. Alert1 and Alert2 are triggered.
NEW QUESTION 106

- (Topic 5)
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to Appl are managed by using an Azure Load
Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.
You discover that connections 10 Appl from 131.107.100.50 over TCP port 443 fail. You verity that the Load Balancer rules are configured correctly.
You need to ensure that connections to Appl can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You create an inbound security rule that allows any traffic from the Azureload Balancer source and has a priority of 150.
Does this meet the goal?
A. Mastered
B. Not Mastered
Answer: A
NEW QUESTION 111

- (Topic 5)
You plan to create the Azure web apps shown in the following Table.
What is the minimum number of App Service plans you should create for the web apps?
A. 1
B. 2
C. 3
D. 4
Answer: B
Explanation:
NET Core 3.0: Windows and Linux ASP .NET V4.7: Windows only PHP 7.3: Windows and Linux Ruby 2.6: Linux only Also, you can’t use Windows and Linux
Apps in the same App Service Plan, because when you create a new App Service plan you have to choose the OS type. You can't mix Windows and Linux apps in

the same App Service plan. So, you need 2 ASPs. Reference: https://docs.microsoft.com/en-us/azure/app-service/overview
NEW QUESTION 116

HOTSPOT - (Topic 5)
You have an Azure subscription that contains the virtual networks shown in the following table.
The subscription contains the subnets shown in the following table.
The subscription contains the storage accounts shown in the following table.
You create a service endpoint policy named policy1 in the South Central US Azure region to allow connectivity to all the storage accounts in the subscription.
Fow each of the following statements, select Yes if the statement is true. Otherwise, select No.
Answer:
A. Mastered
B. Not Mastered
Answer: A
Explanation:
? Policy1 can be applied to Subnet3. = YES
? Only storage1 and storage2 can be accessed from VNet2. = NO
? Only storage2 can be accessed from VNet3. = Yes
? According to the Microsoft documentation, a service endpoint policy can be applied to any subnet in a virtual network that has a service endpoint enabled for the
same service as the policy. In your scenario, Subnet3 has a service endpoint enabled for Microsoft.Storage, which is the same service as policy1. Therefore,
policy1 can be applied to Subnet3.
? According to the Microsoft documentation, when you configure network rules for a
storage account, you can limit access to your storage account to requests that come from specified IP addresses, IP ranges, subnets in an Azure virtual network,
or resource instances of some Azure services. In your scenario, storage1 and storage2 have network rules that allow access from Subnet1 and Subnet2
respectively. However, this does not mean that only these subnets can access the storage accounts. Other subnets or resources that have the same IP range or
resource ID as Subnet1 or Subnet2 can also access the storage accounts. For example, Subnet4 in VNet2 has the same IP range as Subnet1 in VNet1, so it can
also access storage1. Similarly, Subnet5 in VNet3 has the same IP range as Subnet2 in VNet1, so it can also access storage2. Therefore, only storage1 and
storage2 cannot be accessed from VNet2.
? According to the Microsoft documentation, when you create a private endpoint for
a storage account, you assign a private IP address from your virtual network to the storage account. This enables secure traffic between your virtual network and
the storage account over a private link. In your scenario, you have created a private endpoint for storage2 in Subnet6 of VNet3. This means that only Subnet6 can
access storage2 over the private link. However, this does not mean that only Subnet6 can access storage2 at all. Other subnets or resources that have the same
IP range or resource ID as Subnet6 can also access storage2 over the public endpoint of the storage account. For example, Subnet7 in VNet4 has the same IP
range as Subnet6 in VNet3, so it can also access storage2 over the public endpoint. Therefore, only storage2 cannot be accessed from VNet3.
NEW QUESTION 119

HOTSPOT - (Topic 5)
You plan to use Azure Resource Manager templates to deploy 50 Azure virtual machines
that will be part of the same availability set.
You need to ensure that as many virtual machines as possible are available if the fabric fails or during servicing.
How should you configure the template? To answer, select the appropriate options in the answer area.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Box 1 = max value Box 2 = 20
Explanation
Use max for platformFaultDomainCount
2 or 3 is max value, depending on which region you are in. Use 20 for platformUpdateDomainCount
Increasing the update domain (platformUpdateDomainCount) helps with capacity and availability planning when the platform reboots nodes. A higher number for
the pool (20 is max) means that fewer of their nodes in any given availability set would be rebooted at once.
References:
https://www.itprotoday.com/microsoft-azure/check-if-azure-region-supports-2-or-3-fault-domains-managed-disks
https://github.com/Azure/acs-engine/issues/1030
NEW QUESTION 120

- (Topic 5)
You have an Azure subscription that contains an Azure Stream Analytics job named Job1.
You need to monitor input events for Job1 to identify the number of events that were NOT processed.
Which metric should you use?
A. Output Events
B. Backlogged Input Events
C. Out-of-Order Events
D. Late Input Events
Answer: B
Explanation:
Backlogged Input Events is a metric that shows the number of input events that are waiting to be processed by the Stream Analytics job1. This metric indicates the
performance and health of the job, as well as the input data rate and latency. If the Backlogged Input Events metric is high or increasing, it means that the job is
not able to keep up with the incoming events and some events are not processed in a timely manner2.
Output Events is a metric that shows the number of output events that are emitted by the Stream Analytics job1. This metric indicates the output data rate and
throughput of the job. It does not show how many input events were not processed by the job.
Out-of-Order Events is a metric that shows the number of input events that arrive out of order based on their timestamp1. This metric indicates the quality and
consistency of the input data source. It does not show how many input events were not processed by the job. Late Input Events is a metric that shows the number
of input events that arrive after the late arrival window has expired1. This metric indicates the timeliness and reliability of the input data source. It does not show
how many input events were not processed by the job.
NEW QUESTION 121

- (Topic 5)
You have an Azure subscription that contains a storage account. The account stores website data.
You need to ensure that inbound user traffic uses the Microsoft point-of-presence (POP) closest to the user's location.
What should you configure?
A. load balancing
B. private endpoints
C. Azure Firewall rules
D. Routing preference
Answer: D

Explanation:
Routing preference is a feature that allows you to configure how network traffic is routed to your storage account from clients over the internet. By default, traffic
from the internet is routed to the public endpoint of your storage account over the Microsoft global network, which is optimized for low-latency path selection and
high reliability. Both inbound and outbound traffic are routed through the point of presence (POP) that is closest to the client. This ensures that traffic to and from
your storage account traverses over the Microsoft global network for the bulk of its path, maximizing network performance. You can also change the routing
preference to use internet routing, which minimizes the traversal of your traffic over the Microsoft global network, handing it off to the transit ISP at the earliest
opportunity. This lowers networking costs, but may compromise network performance. Therefore, to ensure that inbound user traffic uses the Microsoft POP
closest to the user’s location, you should configure routing preference to use the Microsoft global network as the default routing option for your storage account.
References:
? Network routing preference for Azure Storage
? Configure network routing preference for Azure Storage
NEW QUESTION 126

- (Topic 5)
LB1 is configured as shown in the following table.
You plan to create new inbound NAT rules that meet the following requirements: Provide Remote Desktop access to VM2 from the internet by using port 3389.
A. A frontend IP address
B. A health probe
C. A load balancing rule
D. A backend pool
Answer: A
Explanation:
To create an inbound NAT rule, you need to specify a frontend IP address and a frontend port for the load balancer to receive the traffic, and a backend IP address
and a backend port for the load balancer to forward the traffic to1. According to the first table, LB1 has only one frontend IP address, which is 40.121.183.105.
However, this frontend IP address is already used by the existing inbound NAT rule named rule1, which forwards port 80 to VM1 on port 802. Therefore, you
cannot use the same frontend IP address and port for another inbound NAT rule.
To solve this problem, you need to create a new frontend IP address for LB1 before you can create the new inbound NAT rules. You can do this by using the
Azure portal, PowerShell, or CLI3. After you create a new frontend IP address, you can use it to create the new inbound NAT rules that meet your requirements.
NEW QUESTION 131

- (Topic 5)
You have an Azure virtual machine named VM1. Azure collects events from VM1.
You are creating an alert rule in Azure Monitor to notify an administrator when an error is logged in the System event log of VM1.
You need to specify which resource type to monitor. What should you specify?
A. metric alert
B. Azure Log Analytics workspace
C. virtual machine
D. virtual machine extension
Answer: B
Explanation:
Azure Monitor can collect data directly from your Azure virtual machines into a Log Analytics workspace for analysis of details and correlations. Installing the Log
Analytics VM extension for Windows and Linux allows Azure Monitor to collect data from your Azure VMs.
Azure Log Analytics workspace is also used for on-premises computers monitored by System Center Operations Manager.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/quick-collect-azurevm
NEW QUESTION 135


You have an Azure Linux virtual machine that is protected by Azure Backup. One week ago, two files were deleted from the virtual
machine.
You need to reses clients connect n on-premises computer as quickly as possible.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the
correct order.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
To restore files or folders from the recovery point, go to the virtual machine and choose the desired recovery point.
Step 0. In the virtual machine's menu, click Backup to open the Backup dashboard. Step 1. In the Backup dashboard menu, click File Recovery.
Step 2. From the Select recovery point drop-down menu, select the recovery point that holds the files you want. By default, the latest recovery point is already
selected.
Step 3: To download the software used to copy files from the recovery point, click Download Executable (for Windows Azure VM) or Download Script (for Linux
Azure VM, a python script is generated).
Step 4: Copy the files by using AzCopy
AzCopy is a command-line utility designed for copying data to/from Microsoft Azure Blob, File, and Table storage, using simple commands designed for optimal
performance. You can copy data between a file system and a storage account, or between storage accounts.
References:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy
NEW QUESTION 140

HOTSPOT - (Topic 5)
You have an Azure subscription. The subscription contains a storage account named storage1 that has the lifecycle management rules shown in the following
table.
On June 1, you store two blobs in storage1 as shown in the following table.
A. Mastered

B. Not Mastered
Answer: A
Explanation:
NEW QUESTION 142

- (Topic 5)
You have an Azure subscription that contains a web app named webapp1. You need to add a custom domain named www.contoso.com to webapp1. What should
you do first?
A. Upload a certificate.
B. Add a connection string.
C. Stop webapp1.
D. Create a DNS record.
Answer: D
Explanation:
You can use either a CNAME record or an A record to map a custom DNS name to App Service. You should use CNAME records for all custom DNS names
except root domains (for example, contoso.com). For root domains, use A records. Reference: https://docs.microsoft.com/en-us/Azure/app-service/app-service-
web-tutorial-custom- domain
NEW QUESTION 145

HOTSPOT - (Topic 5)
You have an Azure virtual network named VNet1 that connects to your on-premises network by using a site-to-site VPN. VMet1 contains one subnet named
Subnet1.
Subnet1 is associated to a network security group (NSG) named NSG1. Subnet1 contains a basic internal load balancer named ILB1. ILB1 has three Azure virtual
machines in the backend pool.
You need to collect data about the IP addresses that connects to ILB1. You must be able to run interactive queries from the Azure portal against the collected data.
What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Box 1: An Azure Log Analytics workspace
In the Azure portal you can set up a Log Analytics workspace, which is a unique Log
Analytics environment with its own data repository, data sources, and solutions.
Box 2: NSG1
NSG flow logs allow viewing information about ingress and egress IP traffic through a Network security group. Through this, the IP addresses that connect to the
ILB can be monitored when the diagnostics are enabled on a Network Security Group.
We cannot enable diagnostics on an internal load balancer to check for the IP addresses. As for Internal LB, it is basic one. Basic can only connect to storage
account. Also, Basic LB has only activity logs, which doesn't include the connectivity workflow. So, we need to use NSG to meet the mentioned requirements.
NEW QUESTION 148

HOTSPOT - (Topic 5)
You have an Azure Active Directory (Azure AD) tenant named contoso.com.

You have two external partner organizations named fabrilcam.com and litwareinc.com. FabtAam.com is configured as a connected organization.
You create an access package as shown in the Access package exhibit. (Click the Access package lab.)
You configure the external user lifecycle settings as shown in the Lifecycle exhibit. (Click the lifecycle tab)
For each of the following statements, select Yes if the statement is true Otherwise, select No
Note: Each correct selection is worth one point.
A. Mastered
B. Not Mastered
Answer: A
Explanation:

? Litwareinc.com users can be assigned to package1. = No

? After 365 days, fabrikam.com users will be removed from Group1. = Yes
? After 395 days, fabrikam.com users will be removed from the contoso.com tenant
= No
? Litwareinc.com users cannot be assigned to package1 because they are not a connected organization in the contoso.com tenant. Only users from connected
organizations can request access packages that are configured for external users1
? Fabrikam.com users will be removed from Group1 after 365 days because the
access package has an expiration policy of 365 days for external users. This means that the access assignments for external users will end after 365 days, unless
they are renewed or extended2
? Fabrikam.com users will not be removed from the contoso.com tenant after 395
days because the external user lifecycle settings have a deletion policy of 30 days after blocking. This means that external users will be blocked from signing in
after 365 days of inactivity, and then deleted after another 30 days. Therefore, the total time before deletion is 395 days of inactivity, not 395 days from the date of
assignment3
NEW QUESTION 150

- (Topic 5)
You have two subscriptions named Subscription1 and Subscription2. Each subscription is associated to a different Azure AD tenant.
Subscription1 contains a virtual network named VNet1. VNet1 contains an Azure virtual machine named VM1 and has an IP address space of 10.0.0.0/16.
Subscription2 contains a virtual network named VNet2. VNet2 contains an Azure virtual machine named VM2 and has an IP address space of 10.10.0.0/24.
You need to connect VNet1 to VNet2. What should you do first?
A. Move VM1 to Subscription2.

B. Modify the IP address space of VNet2.
C. Provision virtual network gateways.
D. Move VNet1 to Subscription2.
Answer: C
Explanation:
https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-connect-virtual-networks-portal
NEW QUESTION 151

HOTSPOT - (Topic 5)
You have the App Service plans shown in the following table.
You plan to create the Azure web apps shown in the following table.
You need to identify which App Service plans can be used for the web apps.
What should you identify? To answer, select the appropriate options in the answer area.
A. Mastered
B. Not Mastered

Answer: A
Explanation:
Box 1: ASP1 ASP3
Asp1, ASP3: ASP.NET Core apps can be hosted both on Windows or Linux.
Not ASP2: The region in which your app runs is the region of the App Service plan it's in.
Box 2: ASP1
ASP.NET apps can be hosted on Windows only.
NEW QUESTION 154

- (Topic 5)
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the
stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You manage a virtual network named VNet1 that is hosted in the West US Azure region. VNet1 hosts two virtual machines named VM1 and VM2 that run Windows
Server.
You need to inspect all the network traffic from VM1 to VM2 for a period of three hours. Solution: From Performance Monitor, you create a Data Collector Set
(DCS).
A. Yes
B. No
Answer: B
Explanation:
Correct answer is packet capture in Azure Network Watcher. https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview
NEW QUESTION 157

- (Topic 5)
You have an Azure subscription that contains a virtual machine named VM1.
You plan to deploy an Azure Monitor alert rule that will trigger an alert when CPU usage on VM1 exceeds 80 percent.
You need to ensure that the alert rule sends an email message to two users named User1 and User2.
What should you create for Azure Monitor?
A. an action group
B. a mail-enabled security group
C. a distribution group
D. a Microsoft 365 group
Answer: A
Explanation:
An action group is a collection of notification preferences that can be used by Azure Monitor to send alerts to users or groups when an alert rule is triggered. An
action group can include email recipients, SMS recipients, voice call recipients, webhook URLs, Azure functions, Logic Apps, and more. To send an email
message to two users named User1 and User2 when CPU usage on VM1 exceeds 80 percent, you need to create an action group that contains their email
addresses and associate it with the alert rule. References:
? Create and manage action groups in the Azure portal
? Create, view, and manage Metric alerts using Azure Monitor
NEW QUESTION 159

- (Topic 5)
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the
stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure virtual machine named VM1. VM1 was deployed by using a custom
Azure Resource Manager template named ARM1.json.
You receive a notification that VM1 will be affected by maintenance. You need to move VM1 to a different host immediately.
Solution: From the Update management blade, you click Enable. Does this meet the goal?
A. Yes
B. No
Answer: B
NEW QUESTION 164

- (Topic 5)
You have an Azure subscription that has the public IP addresses shown in the following table.

You plan to deploy an instance of Azure Firewall Premium named FW1. Which IP addresses can you use?
A. IP2 Only
B. IP1 and lP2 only
C. IP1, IP2, and IP5 only
D. IP1, IP2, IP4, and IP5 only
Answer: B
Explanation:
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#at- a-glance
Azure Firewall
- Dynamic IPv4: No
- Static IPv4: Yes
Dynamic IPv6: No
-- Static IPv6: No
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/configure-public-ip- firewall
Azure Firewall is a cloud-based network security service that protects your Azure Virtual Network resources. Azure Firewall requires at least one public static IP
address to be configured. This IP or set of IPs are used as the external connection point to the firewall. Azure Firewall supports standard SKU public IP addresses.
Basic SKU public IP address and public IP prefixes aren't supported.
NEW QUESTION 169

HOTSPOT - (Topic 5)
You have an Azure subscription that contains the resources shown in the following table
In Azure Cloud Shell, you need to create a virtual machine by using an Azure Resource Manager (ARM) template.
How should you complete the command? To answer, select the appropriate options in the answer area,
A. Mastered
B. Not Mastered
Answer: A
Explanation:
NEW QUESTION 170

HOTSPOT - (Topic 5)
You have an Azure Storage account named storage1 that uses Azure Blob storage and Azure File storage.
You need to use AzCopy to copy data to the blob storage and file storage in storage1. Which authentication method should you use for each type of storage? To
answer, select
the appropriate options in the answer area.

A. Mastered
B. Not Mastered
Answer: A
Explanation:
You can provide authorization credentials by using Azure Active Directory (AD), or by using a Shared Access Signature (SAS) token.
Box 1:
Both Azure Active Directory (AD) and Shared Access Signature (SAS) token are supported for Blob storage.
Box 2:
Only Shared Access Signature (SAS) token is supported for File storage.
NEW QUESTION 175

HOTSPOT - (Topic 5)
You have an Azure subscription named Subscription1 that contains the virtual networks in the following table.
Subscripton1 contains the virtual machines in the following table.
In Subscription1, you create a load balancer that has the following configurations:
? Name: LB1
? SKU: Basic
? Type: Internal
? Subnet: Subnet12
? Virtual network: VNET1
NOTE: each correct selection is worth one point.
A. Mastered
B. Not Mastered

Answer: A
Explanation:
NEW QUESTION 177

- (Topic 5)
You plan to deploy the Azure container instances shown in the following table.
Which instances can you deploy to a container group?
A. Instance1 only
B. Instance2only
C. Instance1 and lnstance2 only
D. Instance3 and Instance4 only
Answer: D
Explanation:
instances-container-groups Multi-container groups currently
https://learn.microsoft.com/en-us/azure/container-instances/container-
support only Linux containers. For Windows containers, Azure Container Instances only supports deployment of a single container instance. While we are working
to bring all features to Windows containers, you can find current platform differences in the service
NEW QUESTION 180

HOTSPOT - (Topic 5)
You have an Azure Storage account named storage1 that stores images.
You need to create a new storage account and replicate the images in storage1 to the new account by using object replication.
How should you configure the new account? To answer, select the appropriate options in the answer area.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Graphical user interface, text, application Description automatically generated
NEW QUESTION 183

HOTSPOT - (Topic 5)
You have an Azure subscription that contains a virtual machine named VM1.
To VM1, you plan to add a 1-TB data disk that meets the following requirements:
• Provides data resiliency in the event of a datacenter outage.
• Provides the lowest latency and the highest performance.
• Ensures that no data loss occurs if a host fails.
You need to recommend which type of storage and host caching to configure for the new

data disk.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Storage Type: Premium SSD that uses zone-redundant storage (ZRS) Host Caching: Read-only
The reasons for this recommendation are:
? Premium SSD disks provide the lowest latency and the highest performance among the available disk types12.
? Zone-redundant storage (ZRS) provides data resiliency in the event of a datacenter outage by replicating the data across three availability zones in the same
region12.
? Read-only host caching can improve the read performance of the disk by using the VM’s RAM and local SSD as a cache13. This can also reduce the impact of a
host failure on the disk data, as the cached data is not lost4.
? Read/write host caching is not recommended for Premium SSD disks, as it can introduce additional latency and reduce the durability guarantees of the disk13.
NEW QUESTION 186

- (Topic 5)
You create an Azure VM named VM1 that runs Windows Server 2019. VM1 is configured as shown in the exhibit (Click the Exhibit tab.)
You need to enable Desired State Configuration for VM1. What should you do first?
A. Mastered
B. Not Mastered
Answer: A
NEW QUESTION 188

HOTSPOT - (Topic 5)
You have an Azure AD tenant that is linked to the subscriptions shown in the following table.

You have the resource groups shown In the following table.
You assign roles to users as shown in the following table.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
? User1 can resize VM1. Yes, this is correct. According to the tables, User1 is assigned the Contributor role at the subscription level for Sub1. The Contributor role
grants full access to manage all resources in the subscription, including the ability to resize virtual machines1. Therefore, User1 can resize VM1, which is a
resource in RG1 under Sub1.
? User2 can create a new storage account in RG1. No, this is not correct. According to the tables, User2 is assigned the Reader role at the resource group level for
RG1. The Reader role grants read-only access to view existing resources in the resource group, but not to create, update, or delete any resources2. Therefore,
User2 cannot create a new storage account in RG1.
? User3 can assign User1 the Owner role for RG3. No, this is not correct. According to the tables, User3 is assigned the Storage Account Contributor role at the
resource group level for RG3. The Storage Account Contributor role grants full access to manage storage accounts and their data in the resource group, but not
to assign roles to other users3. To assign roles to other users, User3 would need a role that has Microsoft.Authorization/roleAssignments/write permissions, such
as User Access Administrator or Owner4. Therefore, User3 cannot assign User1 the Owner role for RG3.
NEW QUESTION 193

HOTSPOT - (Topic 5)
The subscription contains the virtual machines shown in the following table.
The subscription contains the Azure App Service web apps shown in the following table.

A. Mastered
B. Not Mastered
Answer: A
Explanation:
? WebApp1 can communicate with VM2. No, this is not correct. According to the tables, WebApp1 is integrated with VNet1, which has a peering connection with
VNet2. Therefore, WebApp1 cannot communicate with VM2
VNet2. However,virtual
across different VM2 networks1.
is in VNet3, which is not peered with VNet1 or
? NSG1 controls inbound traffic to WebApp1. No, this is not correct. According to the tables, NSG1 is associated with Subnet1 in VNet1, which is integrated with
WebApp1. However, network security groups only control outbound traffic from App Service apps to virtual networks, not inbound traffic to App Service apps from
virtual networks2. Therefore, NSG1 does not control inbound traffic to WebApp1.
? WebApp2 can communicate with VM1. Yes, this is correct. According to the tables, WebApp2 is integrated with VNet3, which has a peering connection with
VNet2. VM1 is in Subnet2 in VNet2, which has a network security group named NSG2 that allows inbound traffic from any source on port 803. Therefore,
WebApp2 can communicate with VM1 on port 80 across peered virtual networks.
NEW QUESTION 196

- (Topic 5)
You have an Azure subscription that contains an Azure Storage account.
You plan to create an Azure container instance named container1 that will use a Docker image namedImage1. Image1 contains a Microsoft SQL Server instance
that requires persistent storage.
You need to configure a storage service for Container1. What should you use?
A. Azure Files
B. Azure Blob storage
C. Azure Queue storage
D. Azure Table storage
Answer: A
Explanation:
https://azure.microsoft.com/en-us/blog/persistent-docker-volumes-with- azure-file-storage/
NEW QUESTION 199

- (Topic 5)
You have an Azure subscription that contains 20 virtual machines, a network security group (NSG) named NSG1, and two virtual networks named VNET1 and
VNET2 that are peered.
You plan to deploy an Azure Bastion Basic SKU host named Bastion1 to VNET1. You need to configure NSG1 to allow inbound access from the internet to
Bastion1.
Which port should you configure for the inbound security rule?
A. 22
B. 443
C. 3389
D. 8080
Answer: B
Explanation:
Azure Bastion is a service that provides secure and seamless RDP/SSH connectivity to virtual machines directly over TLS from the Azure portal or via native
client. Azure Bastion uses an HTML5 based web client that is automatically streamed to your local device. Your RDP/SSH session is over TLS on port 443. This
enables the traffic to traverse firewalls more securely. To allow inbound access from the internet to Bastion1, you need to configure NSG1 to allow port 443 for the
inbound security rule. References:
? What is Azure Bastion?
? About Azure Bastion configuration settings
NEW QUESTION 203

- (Topic 5)
You plan to move a distributed on-premises app named App1 to an Azure subscription. After the planned move, App1 will be hosted on several Azure virtual
machines.
You need to ensure that App1 always runs on at least eight virtual machines during planned Azure maintenance.
What should you create?
one virtual machine scale set that has 10 virtual machines instances
A.
B. one Availability Set that has three fault domains and one update domain
C. one Availability Set that has 10 update domains and one fault domain
D. one virtual machine scale set that has 12 virtual machines instances

Answer: A
Explanation:
A virtual machine scale set is a group of identical virtual machines that are centrally managed, configured, and updated1. A virtual machine scale set can
automatically increase or decrease the number of virtual machine instances in response to demand or a defined schedule2. A virtual machine scale set also
provides high availability and fault tolerance by distributing the virtual machine instances across multiple fault domains and update domains3.
A fault domain is a logical group of underlying hardware that share a common power source and network switch. A fault domain can fail due to hardware or
software failures, power outages, or network interruptions4. A virtual machine scale set can have up to five fault domains in a region.
An update domain is a logical group of underlying hardware that can undergo maintenance or be rebooted at the same time. An update domain can be affected by
planned events, such as OS updates, application updates, or configuration changes4. A virtual machine scale set can have up to 20 update domains in a region.
By creating a virtual machine scale set that has 10 virtual machine instances, you can ensure that App1 always runs on at least eight virtual machines during
planned Azure maintenance. This is because the default configuration of a virtual machine scale set is to have five fault domains and five update domains. This
means that at any given time, only one fault domain or one update domain can be unavailable due to maintenance or failure. Therefore, at least eight out of 10
virtual machine instances will be available to run App1. An availability set is another option for providing high availability and fault tolerance for your virtual
machines. An availability set is a logical grouping of two or more virtual machines that are deployed across multiple fault domains and update domains. However,
an availability set does not provide automatic scaling of resources or load balancing of traffic. You need to manually create and manage the number of virtual
machine instances in an availability set.
Therefore, a virtual machine scale set is a better option than an availability set for your scenario. To create a virtual machine scale set, you can follow these steps:
? Sign in to the Azure portal.
? Select Create a resource > Compute > Virtual machine scale set.
? On the Basics tab, enter a name for your scale set, select your subscription and resource group, select Windows Server 2019 as the image type, and enter a
username and password for the administrator account.
? On the Instance details tab, select the region where you want to deploy your scale set, select the size of the virtual machine instances, and enter 10 as the initial
instance count.
? On the Scaling tab, configure the scaling policy for your scale set based on metrics or schedule.
? On the Load balancing tab, configure the load balancer for your scale set to
distribute traffic across the instances.
? On the Management tab, configure the diagnostics settings, automatic OS upgrades, extensions, and backup options for your scale set.
? On the Advanced tab, configure the availability zone, proximity placement group, accelerated networking, host group, and custom script extension options for
your scale set.
? On the Tags tab, optionally add tags to your scale set resources.
? On the Review + create tab, review your settings and select Create.
NEW QUESTION 207

HOTSPOT - (Topic 5)
You create the following file named Deploy.json.
You connect to the subscription and run the following commands.
A. Mastered
B. Not Mastered
Answer: A
Explanation:

NEW QUESTION 209

- (Topic 5)
You have an Azure AD tenant that is linked to 10 Azure subscriptions. You need to centrally monitor user activity across all the subscriptions. What should you
use?
A. Activity log filters

B. Log Analytics workspace
C. access reviews
D. Azure Application Insights Profiler
Answer: B
Explanation:
https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=powershell#send-to-log-analytics-workspace Send the activity log to a Log
Analytics workspace to enable the Azure Monitor Logs feature, where you: - Consolidate log entries from multiple Azure subscriptions and tenants into one location
for analysis together.
NEW QUESTION 211

- (Topic 5)
You have an Azure App Service app named App1 that contains two running instances. You have an autoscale rule configured as shown in the following exhibit.

For the Instance limits scale condition setting, you set Maximum to 5. During a 30-minute period, App1 uses 80 percent of the available memory.
What is the maximum number of instances for App1 during the 30-minute period?
A. Mastered
B. Not Mastered
Answer: A
NEW QUESTION 216

- (Topic 5)
You have an Azure Resource Manager that is used to deploy an Azure virtual machine.
Template1 contains the following text:

The variables section in Template1 contains the following text: "location": "westeurope"
The resources section in Template1 contains the following text:
You need to deploy the virtual machine to the West US location by using Template1. What should you do?
A. Modify the location in the resource section to westus

B. Select West US during the deployment
C. Modify the location in the variables section to westus
Answer: A
Explanation:
You can change the location in resources. Parameters used to define the value of some variables to be able to use in different places in the template resources.
used only for complicated expressions. In any case, RM will only deploy from resources. In case the value is not
Resources are
mentioned directly, then it will check parameters if it is specified in the resources. Based on this question, the value of location is defined directly in resources. so
you change the resources location value.
Use location parameter. To allow flexibility when deploying your template, use a parameter to specify the location for resources. Set the default value of the
parameter to resourceGroup().location.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/resource- location?tabs=azure-powershell
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template- syntax#resources
NEW QUESTION 220

HOTSPOT - (Topic 5)
You have an Azure subscription that contains the virtual machines shown in the following table.
VM1 and VM2 use public IP addresses. From Windows Server 2019 on VM1 and VM2, you allow inbound Remote Desktop connections.
Subnet1 and Subnet2 are in a virtual network named VNET1.
The subscription contains two network security groups (NSGs) named NSG1 and NSG2. NSG1 uses only the default rules.
NSG2 uses the default rules and the following custom incoming rule;
• Priority: 100
• Name: Rule1
• Port: 3389
• Protocol: TCP
• Source: Any
• Destination: Any
• Action: Allow
NSG1 is associated to Subnet! NSG2 is associated to the network interface of VM2.
Answer:
A. Mastered
B. Not Mastered
Answer: A

Explanation:
No: VM1 has default rules which denies any port open for inbound rules Yes: VM2 has custom rule allowing RDP port
Yes: VM1 and VM2 are in the same Vnet. by default, communication are allowed
NEW QUESTION 221

- (Topic 5)
You have an Azure subscription named Subscription1.
You have 5 TB of data that you need to transfer to Subscription1. You plan to use an Azure Import/Export job.
What can you use as the destination of the imported data?
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to an Azure datacenter.
The maximum size of an Azure Files Resource of a file share is 5 TB. Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-service
NEW QUESTION 225

HOTSPOT - (Topic 5)
You have an Azure subscription that contains the storage accounts shown in the following table.
You need to identify which storage accounts support lifecycle management, and which storage accounts support moving data to the Archive access tier. What
should you identify for each requirement? To answer, select the appropriate options in the answer area. NOTE: Each correct answer is worth one point.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
1) storage1, storage2, storage3
"Lifecycle management policies are supported for block blobs and append blobs in general- purpose v2, premium block blob, and Blob Storage accounts."
https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-overview
2) storage2
"The archive tier isn't supported for ZRS, GZRS, or RA-GZRS accounts." https://learn.microsoft.com/en-us/azure/storage/blobs/access-tiers-overview#archive-
access-tier
NEW QUESTION 228

HOTSPOT - (Topic 5)
You have the Azure resources shown on the following exhibit.
You plan to track resource usage and prevent the deletion of resources.
To which resources can you apply locks and tags? To answer, select the appropriate options in the answer area.

A. Mastered
B. Not Mastered
Answer: A
Explanation:
Box 1: Sub1, RG1, and VM1 only
You can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources.
Box 2: Sub1, RG1, and VM1 only
You apply tags to your Azure resources, resource groups, and subscriptions.
NEW QUESTION 232

HOTSPOT - (Topic 5)
You have an Azure subscription named Subscription1. Subscription1 contains a virtual machine named VM1.
You install and configure a web server and a DNS server on VM1.
VM1 has the effective network security rules shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
A number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have
higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same attributes as
rules with higher priorities are not processed. https://docs.microsoft.com/en-us/azure/virtual-network/network-security- groups-overview

NEW QUESTION 236

HOTSPOT - (Topic 5)
You have an Azure subscription that contains the storage accounts shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the
graphic.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Box 1: contoso104 only
Premium file shares are hosted in a special purpose storage account kind, called a FileStorage account.
Box 2: contoso101, contoso102, and contos103 only
NEW QUESTION 237

HOTSPOT - (Topic 5)
You plan to use an Azure Resource Manager template to deploy a virtual network named VNET1 that will use Azure Bastion.
How should you complete the template? To answer, select the appropriate options in the answer area.

A. Mastered
B. Not Mastered
Answer: A
Explanation:

NEW QUESTION 239

- (Topic 5)
Your on-premises network contains a VPN gateway.
You need to ensure that all the traffic from VM1 to storage! travels across the Microsoft backbone network.
What should you configure?
A. private endpoints
Azure Firewall
B.
C. Azure AD Application Proxy
D. Azure Peering Service
Answer: B
Explanation:
Per the MS documentation, private endpoint seems to be the proper choice: "You can use private endpoints for your Azure Storage accounts to allow clients on a
virtual network (VNet) to securely access data over a Private Link. The private endpoint uses a separate IP address from the VNet address space for each storage
account service. Network traffic between the clients on the VNet and the storage account traverses over the VNet and a private link on the Microsoft backbone
network, eliminating exposure from the public internet." Link: https://learn.microsoft.com/en-us/azure/storage/common/storage-private- endpoints
NEW QUESTION 240

HOTSPOT - (Topic 5)

You have the virtual machines shown in the following table.
You have the virtual network interfaces shown in the following table.
Server1 is a DNS server that contains the resources shown in the following table.
You have an Azure private DNS zone named contoso.com that has a virtual network link to VNET2 and the records shown in the following table.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
NEW QUESTION 242

- (Topic 5)
You have a Recovery Services vault named RSV1. RSV1 has a backup policy that retains instant snapshots for five days and daily backup for 14 days.
RSV1 performs daily backups of VM1. VM1 hosts a static website that was updated eight days ago.
You need to recover VM1 to a point eight days ago. The solution must minimize downtime. What should you do first?
A. Deallocate VM1.
B. Restore VM1 by using the Replace existing restore configuration option.
C. Delete VM1.
D. Restore VM1 by using the Create new restore configuration option.
Answer: D
Explanation:
https://learn.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms#restore-options
To recover VM1 to a point eight days ago, you need to use the Azure Backup service to restore the VM from a recovery point. A recovery point is a snapshot of the
VM data at a specific point in time. Azure Backup creates recovery points according to the backup policy that you configure for the Recovery Services vault1.
In this case, the Recovery Services vault named RSV1 has a backup policy that retains instant snapshots for five days and daily backup for 14 days. This means
that you can restore the VM from any point in the last 14 days, as long as there is a recovery point available. Since you need to recover VM1 to a point eight days
ago, you can use the daily backup recovery point that was created on that day2.
To restore the VM from a recovery point, you have two options: Replace existing or Create new. The Replace existing option overwrites the existing VM with the

restored data, while the Create new option creates a new VM with the restored data. The Replace existing option requires you to deallocate or delete the existing
without affecting
VM before restoring
the existing VM, whichit, which can cause
minimizes downtime
downtime andloss3.
and data data loss. The Create new option allows you to restore the VM
Therefore, the best option is to restore VM1 by using the Create new restore configuration option. This will create a new VM with the same name as VM1 and
append a suffix to it, such as -Restored. You can then verify that the new VM has the correct data and configuration, and switch over to it when you are ready. You
can also delete the original VM if you don’t need it anymore3.
NEW QUESTION 247

- (Topic 5)
You have an Azure subscription that contains the virtual machines shown in the following table.
javascript:void(0)
You deploy a load balancer that has the following configurations:

• Name: LB1
• Type internal
• SKU: Standard
• Virtual network VNET1
You need to ensure that you can add VM1 and VM2 to the backend pool of LB1.
Solution: You create a Basic SKU public IP address, associate the address to the network interface of VM1, and then start VM1.
A. Yes
No
B.
Answer: B
Explanation:
You can only attach virtual machines that are in the same location and on the same virtual network as the LB. Virtual machines must have a standard SKU public
IP or no public IP.
The LB needs to be a standard SKU to accept individual VMs outside an availability set or vmss. VMs do not need to have public IPs but if they do have them they
have to be standard SKU. Vms can only be from a single network. When they don’t have a public IP they are assigned an ephemeral IP.
Also, when adding them to a backend pool, it doesn’t matter in which status are the VMs. Note: Load balancer and the public IP address SKU must match when
you use them with public IP addresses.
NEW QUESTION 248

HOTSPOT - (Topic 5)
You have an Azure subscription named Subscription1 that contains the following resource group:
? Name: RG1
? Region: West US
? Tag: “tag1”: “value1”
You assign an Azure policy named Policy1 to Subscription1 by using the following
configurations:
? Exclusions: None
? Policy definition: Append tag and its default value
? Assignment name: Policy1
? Parameters:
- Tag name: Tag2
- Tag value: Value2
After Policy1 is assigned, you create a storage account that has the following configurations:
? Name: storage1
? Location: West US
? Resource group: RG1
? Tags: “tag3”: “value3”
You need to identify which tags are assigned to each resource.
What should you identify? To answer, select the appropriate options in the answer area.
A. Mastered
B. Not Mastered

Answer: A
Explanation:
Box 1: "tag1": "value1" only
Box 2: "tag2": "value2" and "tag3": "value3"
Tags applied to the resource group are not inherited by the resources in that resource group.
References:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using- tags
NEW QUESTION 250

- (Topic 5)
You have an Azure subscription named Subscription1 that contains the storage accounts shown in the following table:
You plan to use the Azure Import/Export service to export data from Subscription1. Which account can be used to export the data.
What should you identify?
A. storage1
B. storage2
C. storage3
D. storage4
Answer: D
Explanation:
Azure Import/Export service supports the following of storage accounts:
Standard General Purpose v2 storage accounts (recommended for most scenarios) Blob Storage accounts
General Purpose v1 storage accounts (both Classic or Azure Resource Manager deployments),
Azure Import/Export service supports the following storage types: Import supports Azure Blob storage and Azure File storage Export supports Azure Blob storage.
Azure Files not supported.
Only storage4 can be exported.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export- requirements
NEW QUESTION 252

HOTSPOT - (Topic 5)
You have an Azure Storage account named storage1 that contains a blob container. The blob container has a default access tier of Hot. Storage1 contains a
container named container!
You create lifecycle management rules in storage1 as shown in the following table.
You perform the actions shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth
one point.
A. Mastered

B. Not Mastered
Answer: A
Explanation:
File3.docx is a blob in container1 that was uploaded on October 1 and edited on October 2. According to the lifecycle management rule 2, any blob in container1
that has not been modified for 5 days will be deleted. Therefore, on October 7, File3.docx will be deleted from the storage account. Therefore, on October 10, you
cannot read File3.docx because it no longer exists.
NEW QUESTION 254

HOTSPOT - (Topic 5)
You need to deploy a virtual machine by using an Azure Resource Manager (ARM) template.
How should you complete the template? To answer, select the appropriate options in the answer area.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
- dependsON: resoureceID
- storageProfile: ImageReference Reference :
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/resource-dependency#dependson
https://learn.microsoft.com/en-us/javascript/api/@azure/arm-compute/storageprofile?view=azure-node-latest
NEW QUESTION 257

- (Topic 5)
You have two Azure subscriptions named Sub1 and Sub2.
Sub! contains a virtual machine named VM1 and a storage account named storage1.
VM1 is associated to the resources shown in the following table. You need to move VM1 to Sub2.
Which resources should you move to Sub2?
A. VM1, Disk1. and Netlnt1 only

B. VM1. Disk1. and VNet1 only
C. VM1. Disk1. and storage1 only
D. VM1. Disk1. Netlnt1, and VNet1
Answer: D
Explanation:
When you move a virtual machine to a different subscription, you need to move all the resources that are associated with the virtual machine, such as the disks,
the network interface, and the virtual network. You cannot move a virtual machine without moving its dependent resources. You also need to ensure that the target
subscription supports the same region, resource type, and API version as the source subscription. Then, References: [Move a Windows VM to another Azure
subscription or resource group]
NEW QUESTION 259

- (Topic 5)
You create an App Service plan named plan1 and an Azure web app named webapp1. You discover that the option to create a staging slot is unavailable. You
need to create a staging slot for plan1.
What should you do first?
A. From webapp1, modify the Application settings.

B. From webapp1, add a custom domain.
C. From plan1, scale up the App Service plan.
D. From plan1, scale out the App Service plan.
Answer: C
Explanation:
The app must be running in the Standard, Premium, or Isolated tier in order for you to enable multiple deployment slots. If the app isn't already in the Standard,
Isolated tier, you receive a message that indicates the supported tiers for enabling staged publishing. At this point, you
Premium, or
have the option to select Upgrade and go to the Scale tab of your app before continuing.
Scale up: Get more CPU, memory, disk space, and extra features like dedicated virtual machines (VMs), custom domains and certificates, staging slots,
autoscaling, and more.
Scale out: Increase the number of VM instances that run your app. You can scale out to as many as 30 instances
Reference:
https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots https://docs.microsoft.com/en-us/azure/app-service/manage-scale-up
NEW QUESTION 262

You have an Azure subscription that contains virtual machine named VM1.
You need to back up VM. The solution must ensure that backups are stored across three availability zones in the primary region.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the
correct order.
A. Mastered
B. Not Mastered
Answer: A
Explanation:
According to 1, Availability Zones are unique physical locations within an Azure region that provide high availability and disaster recovery for your virtual machines.
To back up your VM across three availability zones in the primary region, you need to perform the following actions in sequence:
? Create a Recovery Services vault2 that will store your backups and enable geo-
redundancy for cross-region protection.
? For VM1, create a backup policy and configure the backup2 to use the Recovery Services vault as the backup destination.
? Configure a replication policy1 that will replicate your VM1 to another availability zone in the same region.
NEW QUESTION 267

- (Topic 5)
You have an Azure subscription. The subscription contains a storage account named storage1 that has the lifecycle management rules shown in the following
table.
On June 1, you store a blob named File1 in the Hot access tier of storage1. What is the state of File1 on June 7?
stored in the Archive access tier

A.
B. stored in the Hot access tier
C. stored in the Cool access tier
D. deleted
Answer: D
Explanation:
If you define more than one action on the same blob, lifecycle management applies the least expensive action to the blob. For example, action delete is cheaper
than action tierToArchive. Action tierToArchive is cheaper than action tierToCool. https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-
overview
NEW QUESTION 268

......

Thank You for Trying Our Product
We offer two products:
1st - We have Practice Tests Software with Actual Exam Questions
2nd - Questons and Answers in PDF Format
AZ-104 Practice Exam Features:
* AZ-104 Questions and Answers Updated Frequently
* AZ-104 Practice Questions Verified by Expert Senior Certified Staff
* AZ-104 Most Realistic Questions that Guarantee you a Pass on Your FirstTry
* AZ-104 Practice Test Questions in Multiple Choice Formats and Updatesfor 1 Year
100% Actual & Verified — Instant Download, Please Click

Order The AZ-104 Practice Test Here

Powered by TCPDF (www.tcpdf.org)

az-104_5

Uploaded by

Copyright:

Available Formats

az-104_5

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

az-104_5

Uploaded by

Copyright:

Available Formats

Recommend!!

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

A. an Azure Monitor Private Link Scope (AMPIS)

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

A. Associate the NSG to Subnet1.

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

You plan to use the following services:

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

Peering for VNET3 is configured as shown in the following exhibit.

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

You need to recommend a networking solution to meet the following requirements:

A. Configure app-level credentials for FTPS.

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

A. Create a new NSG and associate the NSG to VNET1/Subnet1.

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

B. Connect VM2 to VNET1/Subnet1.

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

Description automatically generated with medium confidence

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

Invoice: Incorrect Option

Resource Provider: Incorrect Option

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

A. Azure Active Directory (AD) Identity Protection and an Azure policy

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

As this is a registration network so this will work.

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

You configure the backup of VM1 to use Policy1 on Thursday, January 1.

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

A. the set-AzAKs cmdlet

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

D. the kubect1 command

Assign User1 the Contributor role for VNet1.

NEW QUESTION 101

The users perform the following actions:

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

NEW QUESTION 106

NEW QUESTION 111

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

NEW QUESTION 116

The subscription contains the subnets shown in the following table.

NEW QUESTION 119

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

NEW QUESTION 120

NEW QUESTION 121

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

NEW QUESTION 126

LB1 is configured as shown in the following table.

NEW QUESTION 131