Welcome to the AZ-104 Official Practice Test – Part 2.
In this part, I have given my detailed explanations of the 10 official questions from Microsoft. Unlike on the Microsoft website, the explanations include screenshots to help you prepare for the AZ-104 exam.
That said, these tests are very simple, and they should only be used to brush up on the basics. The real exam is rarely this easy. For more rigorous practice and in-depth coverage, check out my AZ-104 practice tests.
Once done, check out the AZ-104 questions Part 3 and the accompanying AZ-104 Practice Test video.
Q11] You have a Microsoft Entra tenant named contoso.com. Microsoft Entra Connect is configured to sync users to the tenant.
You need to assign licenses to the users based on Microsoft Entra ID attributes. The solution must minimize administrative effort. Which two actions should you perform? Each correct answer presents part of the solution.
a. Assign the licenses to the dynamic groups.
b. Assign the licenses to the security groups.
c. Create an automatic assignment policy.
d. Create dynamic groups.
e. Create security groups.
Dynamic groups allow you to define membership based on the properties of the user in Microsoft Entra ID.
Suppose we need to assign product licenses only to the managers of a company and the license assignment must be dynamically added/removed to the users based on changes in their designation.
While creating a new group in Microsoft Entra ID, set the group membership type as a dynamic user.
To define dynamic user members, add a dynamic query that selects all users with the job title of Managers.
So, creating dynamic groups is one of the correct answers.
After the dynamic group is created, go to the licenses page, and assign the product licenses to the dynamic group.
All current users in the group determined by the dynamic membership rules will get the license automatically.
So, assigning the licenses to the dynamic groups is the other correct answer.
Note: You need to have at least Microsoft Entra P1 to be able to use dynamic groups.
Reference Link: https://learn.microsoft.com/en-us/entra/identity/users/groups-create-rule
Q12] You have an Azure subscription.
From PowerShell, you run the Get-MgUser cmdlet for a user and receive the following details:
1] Id: 8755b347-3545-3876-3987-999999999999
2] DisplayName: Ben Smith
3] Mail: [email protected]
4] UserPrincipalName: bsmith_contoso.com#EXT#@fabrikam.com
Which statement accurately describes the user?
a. The user account is disabled.
b. The user is a guest in the tenant.
c. The user is assigned an administrative role.
d. The user is deleted.
Let’s add a guest user in the Microsoft Entra ID tenant, which will also send an invitation to the user to join the tenant.
Similar to the User Principal Name (UPN) given in the question, the UPN of a guest user is built from the guest's email address (with the @ replaced by an underscore), followed by #EXT#, and then @ plus the inviting tenant's domain.
This shows that the user is a guest user. Option B is the correct answer.
Q13] You have an Azure subscription that contains multiple users and administrators.
You are creating a new custom role by using the following JSON.
{
  "Name": "Custom Role",
  "Id": null,
  "IsCustom": true,
  "Description": "Custom Role description",
  "Actions": [
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/snapshots/write",
    "Microsoft.Compute/snapshots/read",
    "Microsoft.Support/*"
  ],
  "NotActions": [
    "Microsoft.Compute/snapshots/delete"
  ],
  "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000",
    "/subscriptions/11111111-1111-1111-1111-111111111111"
  ]
}
Which three actions can be performed by a user that is assigned the custom role? Each correct answer presents a complete solution.
a. Call Microsoft Support.
b. Create and delete a snapshot.
c. Create and read a snapshot.
d. Create virtual machines.
e. Read all virtual machine settings.
Microsoft.Support/* includes all operations listed under the Microsoft.Support resource provider, so a user assigned the custom role can call Microsoft Support. Option A is one of the correct answers.
Reference Link: https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/general#microsoftsupport
The write permission for the snapshot allows a user to create a new snapshot. The read permission for the snapshot allows a user to read a snapshot.
Option C is the other correct answer.
The delete permission in the NotActions section ensures the user cannot delete a snapshot. So, option B is incorrect.
Finally, Microsoft.Compute/*/read grants only read permission on all resource types under the Microsoft.Compute resource provider. So, the user can read all virtual machine settings but cannot create a VM. Option D is incorrect. Option E is the other correct answer.
Reference Link: https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/compute#microsoftcompute
Q14] You have the following resource groups, management groups, and Azure subscriptions:
1] Two resource groups named RG1 and RG2 that are associated with a subscription named 111-222-333 and a management group named MG1
2] Two resource groups named RG3 and RG4 that are associated with a subscription named 777-888-999 and a management group named MG1
3] Two resource groups named RG5 and RG6 that are associated with a subscription named 444-555-666 and a management group named MG1
4] Two resource groups named RG10 and RG11 that are associated with a subscription named 222-333-444 and a management group named MG2
5] Two resource groups named RG11 and RG12 that are associated with a subscription named 555-666-888 and a management group named MG2
You need to assign a role to a user to ensure the user can view all the resources in the subscriptions. The solution must use the principle of least privilege.
Which role should you assign?
a. The Billing Reader role for all the subscriptions
b. The Billing Reader role for MG1 and MG2
c. The Contributor role for MG1 and MG2
d. The Reader role for MG1 and MG2
Well, this is a very simple question, and you don’t need to map out the hierarchy of the given artifacts. But do understand the hierarchy in general. Each directory has a single top-level management group called the root management group.
Under the root management group, you can have several management groups or directly create subscriptions. Each management group can further have many subscriptions. And, multiple resource groups can be created in a subscription.
In the given question, we have two management groups MG1 and MG2, and all subscriptions are created in these two management groups only as there is no mention of a tenant root group. The resource groups are created in these subscriptions.
So, to ensure that the user can view all the resources in the subscriptions, assign the Reader role at the management groups MG1 and MG2; the assignment is inherited by every subscription and resource group beneath them. Option D is the correct answer.
The Contributor role assigns more than read permissions. Option C is incorrect.
Reference Link: https://learn.microsoft.com/en-us/azure/governance/management-groups/overview#hierarchy-of-management-groups-and-subscriptions
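To make the two evaluation rules from Q13 and Q14 concrete (a role grants an action only when an Actions entry matches and no NotActions entry does; an assignment applies to the assigned scope and everything beneath it), here is an added example that models them in Python. It is not code from the post or from Azure; the role table, the subscription-to-management-group map and the user names are constructed, and built-in Reader is trimmed to its */read action.

```python
import fnmatch

# Constructed sample data: the Q13 custom role, a trimmed Reader, and the Q14
# hierarchy (subscription -> management group). AssignableScopes is not modelled.
ROLES = {
    "Custom Role": {
        "Actions": ["Microsoft.Compute/*/read", "Microsoft.Compute/snapshots/write",
                    "Microsoft.Compute/snapshots/read", "Microsoft.Support/*"],
        "NotActions": ["Microsoft.Compute/snapshots/delete"],
    },
    "Reader": {"Actions": ["*/read"], "NotActions": []},
}
MG = "/providers/Microsoft.Management/managementGroups/"
MG_PARENT = {
    "/subscriptions/111-222-333": MG + "MG1", "/subscriptions/777-888-999": MG + "MG1",
    "/subscriptions/444-555-666": MG + "MG1", "/subscriptions/222-333-444": MG + "MG2",
    "/subscriptions/555-666-888": MG + "MG2",
}

def action_matches(pattern, action):
    """RBAC wildcard: '*' matches any run of characters, '/' included."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def role_permits(role, action):
    """Granted when some Actions entry matches and no NotActions entry does."""
    allowed = any(action_matches(p, action) for p in role["Actions"])
    denied = any(action_matches(p, action) for p in role["NotActions"])
    return allowed and not denied

def ancestors(scope):
    """Yield the scope and everything above it: RG -> subscription -> MG chain."""
    while scope:
        yield scope
        if "/resourceGroups/" in scope:
            scope = scope.split("/resourceGroups/")[0]
        else:
            scope = MG_PARENT.get(scope)

def is_allowed(assignments, principal, action, scope):
    """assignments: list of (principal, role name, assignment scope) tuples."""
    return any(
        p == principal and s in ancestors(scope) and role_permits(ROLES[role], action)
        for p, role, s in assignments
    )

if __name__ == "__main__":
    a = [("user1", "Custom Role", "/subscriptions/111-222-333"),
         ("user2", "Reader", MG + "MG1"), ("user2", "Reader", MG + "MG2")]
    print(is_allowed(a, "user1", "Microsoft.Compute/snapshots/delete", "/subscriptions/111-222-333"))
    print(is_allowed(a, "user2", "Microsoft.Compute/virtualMachines/read",
                     "/subscriptions/555-666-888/resourceGroups/RG12"))
```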
Q15] You have an Azure subscription and a user named User1.
You need to assign User1 a role that allows the user to create and manage all types of resources in the subscription. The solution must prevent User1 from assigning roles to other users.
Which Azure role-based access control (RBAC) role should you assign to User1?
a. API Management Service Contributor
b. Contributor
c. Owner
d. Reader
The Contributor role grants access to manage all resources in the subscription, but it does not allow the user to assign roles, manage blueprints, and so on.
Option B is the correct answer.
Reference Link: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/general#contributor
The owner role grants access to manage all resources, including the ability to assign roles. Option C is incorrect.
Reference Link: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/general#owner
The Reader role allows the user to view all resources, but it does not allow him to make any changes.
Reference Link: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/general#reader
The other specific roles are generally not important for the exam, and you can make an educated guess to eliminate those options. For example, the API Management Service Contributor role seems like a contributor role for a specific Azure service. So it definitely cannot manage all types of resources.
Q16] You have an Azure subscription that contains hundreds of virtual machines that were migrated from a local data center.
You need to identify which virtual machines are underutilized.
Which Azure Advisor settings should you use?
a. Cost
b. High Availability
c. Operational Excellence
d. Performance
Azure Advisor groups its recommendations into categories such as Cost, Operational Excellence, Performance, and others.
High availability is not one of these Azure Advisor categories. Option B is incorrect.
The Cost blade in Azure Advisor gives recommendations about optimizing costs, which include identifying underutilized virtual machines. Option A is the correct answer.
Reference Link: https://learn.microsoft.com/en-us/azure/advisor/advisor-reference-cost-recommendations
The Performance blade helps improve the speed and responsiveness of your apps. Option D is incorrect.
Reference Link: https://learn.microsoft.com/en-us/azure/advisor/advisor-reference-performance-recommendations
The operational excellence blade helps you with following deployment best practices and achieving efficiency. Option C is incorrect.
Reference Link: https://learn.microsoft.com/en-us/azure/advisor/advisor-reference-operational-excellence-recommendations
Q17] You have several management groups and Azure subscriptions.
You want to prevent the accidental deletion of resources.
To which three resource types can you apply delete locks? Each correct answer presents a complete solution.
a. Management groups
b. Resource groups
c. Storage account data
d. Subscriptions
e. Virtual machines
Azure resource locks apply only to control plane operations, not to data plane operations. This means a Delete lock on a storage account will prevent the storage account resource from deletion. However, it will not prevent the blob data in the storage account from deletion. Option C is incorrect.
Reference Link: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json#understand-scope-of-locks
As the portal shows, you can apply a resource lock to an individual resource, a resource group, or a subscription.
Options B, D, and E are correct answer choices.
You cannot apply a lock to the management group.
Option A is incorrect.
Q18] You have an Azure subscription.
You plan to create an Azure Policy definition named Policy1.
You need to include remediation information to indicate when users use Microsoft Defender for Cloud Regulatory and Compliance.
To which definition section should you add remediation information for Policy1?
a. Metadata
b. Mode
c. Parameters
d. policyRule
Use the RemediationDescription field in the metadata section under properties to add remediation information for the Azure policy.
Option A is the correct answer.
The policyRule section consists of if and then blocks. In the if block, you define one or more conditions that specify when the policy is enforced. Option D is incorrect.
Reference Link: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure-policy-rule
The mode section defines which resource types are evaluated for a policy definition. Option B is incorrect.
Reference Link: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure-basics#mode
The parameters section simplifies policy definitions by allowing you to reuse fields for different scenarios. Option C is incorrect too.
Reference Link: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure-parameters
Q19] You have an Azure subscription that contains a tenant named contoso.com.
All users in contoso.com are currently able to invite external users to B2B collaboration.
You need to ensure that only members of the Guest Inviter, User Administrator, and Global Administrator roles can invite guest users.
What should you configure?
a. Access reviews
b. Conditional Access
c. Cross-tenant access settings
d. External collaboration settings
External collaboration settings let you specify what roles in your organization can invite external users for B2B collaboration, in addition to managing the access of guest users, and cross-tenant invitations.
To ensure that only the Guest Inviter, User Administrator, and Global Administrator roles can invite guest users, select the option "Only users assigned to specific admin roles can invite guest users".
Option D is the correct answer.
Reference Link: https://learn.microsoft.com/en-us/entra/external-id/external-collaboration-settings-configure#configure-settings-in-the-portal
Cross-tenant access settings are a part of External collaboration settings, which are used to configure collaboration with other Microsoft Entra organizations.
Option C is incorrect.
Reference Link: https://learn.microsoft.com/en-us/entra/external-id/cross-tenant-access-settings-b2b-collaboration
Conditional Access enforces policies at sign-in, such as requiring multifactor authentication when a user accesses a resource; it does not control who can send guest invitations. Option B is incorrect.
Reference Link: https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
Access reviews in Microsoft Entra ID enable you to review user access periodically to ensure that only the right people have continued access. Option A is incorrect.
Reference Link: https://learn.microsoft.com/en-us/entra/id-governance/access-reviews-overview
Q20] You are responsible for managing user identities and governance within your Azure environment.
You need to ensure that a new employee can create and manage user accounts and groups, manage support tickets, and monitor service health.
You need to use the principle of least privilege.
Which Microsoft Entra role should you assign to the new employee?
a. User Administrator
b. Billing Administrator
c. Global Administrator
d. Service Administrator
The user administrator role provides permissions to create and manage users and groups, manage support tickets, and monitor service health. Option A is the correct answer.
A Global administrator can manage all aspects of Microsoft Entra ID and services that use Microsoft Entra identities. It provides way more privileges than required for the given tasks. Option C is incorrect.
A billing administrator is focused on only the financial aspects. Option B is incorrect.
Reference Link: https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles#microsoft-entra-roles
A Service administrator is not a Microsoft Entra role. It is a classic subscription administrator role that is retired.
Reference Link: https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles#classic-subscription-administrator-roles
Check out my AZ-104 practice tests (with discount code).