Welcome to the AZ-104 Official Practice Test – Part 8.
In this part, I have given my detailed explanations of the 10 official questions from Microsoft. Unlike on the Microsoft website, the explanations include screenshots to help you prepare for the AZ-104 exam.
That said, these tests are very simple, and they should only be used to brush up on the basics. The real exam would rarely be this easy. To get more rigorous practice and even in-depth knowledge, check out my AZ-104 practice tests.
Once done, check out the AZ-104 questions Part – 9 and an accompanying YouTube video to be published soon.
Q71] You have an Azure subscription that contains multiple resource groups and Azure App Service web apps. A resource group named RG1 hosts a web app named appservice1. The App Service uses a free App Service Managed SSL certificate.
You create a resource group named RG2.
You plan to move all the resources in RG1 to RG2.
Which two actions should you perform? Each correct answer presents part of the solution.
a. Create a new App Service plan in RG2.
b. Create a new web app in RG2.
c. Delete the SSL Certificate from RG1 and upload it to RG2.
d. Move all the resources from RG1 to RG2.
You cannot move a free App Service managed certificate. Instead, delete the managed certificate, move the web app to a new resource group, and then recreate the certificate.
Options C and D are the correct answer choices.
Q72] You have an Azure subscription.
You plan to deploy a web app in a Linux-based Docker container.
You need to recommend a solution for the deployment of the web app that meets the following requirements:
1] Supports a custom domain name
2] Provides the ability to scale out automatically based on demand.
3] Minimizes administrative effort
4] Minimizes costs
Which solution should you recommend?
a. Azure App Service
b. Azure Container Instances
c. Azure Kubernetes Service (AKS)
d. Azure Virtual Machine Scale Sets
Azure App Service supports custom domain names.
Azure App Service also provides the ability to scale out automatically based on demand.
Azure Virtual Machine Scale Sets, Azure Kubernetes Service, and Azure Container Instances are more difficult to administer and are more costly.
Option A is the correct answer.
Reference Link: https://learn.microsoft.com/en-us/azure/app-service/manage-automatic-scaling
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain
Q73] You have a Microsoft Entra tenant that uses Microsoft Entra Connect to sync with an Active Directory Domain Services (AD DS) domain.
You need to ensure that users can reset their AD DS password from the Azure portal. The users must be able to use two methods to reset their password.
Which two actions should you perform? Each correct answer presents part of the solution.
a. From Password reset in the Azure portal, configure the Authentication methods settings.
b. From Password reset in the Azure portal, configure the Notifications settings.
c. Run Microsoft Entra Connect and select Device writeback.
d. Run Microsoft Entra Connect and select Password writeback.
To configure the authentication methods that users can use to reset their passwords, go to the Authentication Methods section from Password Reset in the Azure portal.
Option A is one of the correct answers.
In a hybrid environment, if users reset their AD DS passwords in the Azure portal, the passwords will be different between the two directories.
So you need to configure password writeback in Microsoft Entra Connect to synchronize password changes in Microsoft Entra back to your on-premises AD DS.
After enabling password writeback in Microsoft Entra Connect, configure Microsoft Entra SSPR to write back through the Microsoft Entra Connect Sync agents.
After these two steps, users who reset their passwords have the updated password synchronized.
Q74] You have a Microsoft Entra tenant.
You create a new user named User1.
You need to assign a Microsoft 365 E5 license to User1. Which user attribute should be configured for User1 before you can assign the license?
a. First name
b. Last name
c. Other email address
d. Usage location
e. User type
Microsoft services are not available in all locations. So, before a license is assigned to a user, we need to assign the Usage location property to the user in Microsoft Entra ID.
Option D is the correct answer.
Reference Link: https://learn.microsoft.com/en-us/entra/fundamentals/license-users-groups#available-license-plans
Other properties like User type, email addresses, and Names are not prerequisites for assigning licenses.
Q75] You have an Azure subscription that contains multiple virtual machines.
You need to ensure that a user named User1 can view all the resources in a resource group named RG1. You must use the principle of least privilege.
Which role should you assign to User1?
a. Billing Reader
b. Contributor
c. Reader
d. Tag Contributor
Since the user only needs to view the resources in a resource group, assign the Reader role to the user.
Option C is the correct answer.
Reference Link: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/general#reader
The Contributor role provides more permissions than necessary.
Reference Link: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/general#contributor
The Billing Reader role provides read access only to billing data.
Reference Link: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/management-and-governance#billing-reader
And the Tag Contributor role allows you to manage entity tags without providing access to the entities themselves.
Reference Link: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/management-and-governance#tag-contributor
Q76] You have an Azure subscription that contains several storage accounts.
You need to provide a user with the ability to perform the following tasks:
1] Manage containers within the storage accounts.
2] View storage account access keys.
The solution must use the principle of least privilege.
Which role should you assign to the user?
a. Owner
b. Reader
c. Storage Account Contributor
d. Storage Blob Data Contributor
The Storage Account Contributor role has the action Microsoft.Storage/storageAccounts/* defined, which includes the permission to return access keys for the storage account.
The wildcard also covers permissions such as Microsoft.Storage/storageAccounts/blobServices/containers, which are needed to manage storage account containers.
Reference Link: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/storage#storage-account-contributor
The Storage Blob Data Contributor role has permissions in the Data Actions section, meaning any user assigned to the role can access the data. Per the question, the solution must use the principle of least privilege and there is no need for data access.
Reference Link: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/storage#storage-blob-data-contributor
The Owner role grants access to manage all Azure resources, which is not required.
Reference Link: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/general#owner
And the Reader role can only view resources but cannot manage them.
Reference Link: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/general#reader
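The role comparison in Q76 can be checked mechanically. The following is an added example, not part of the original practice test: it matches the control-plane operations behind the two tasks against each role's Actions wildcards. The role definitions are abridged by hand (an assumption to verify against the linked role pages), data actions are left out because both tasks are control-plane, and the ranking helper is a crude heuristic.

```python
import re

# Abridged built-in role definitions (assumption: trimmed by hand from the
# role pages linked above; unrelated actions and all DataActions omitted).
ROLES = {
    "Owner": {"actions": ["*"], "notActions": []},
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Storage Account Contributor": {
        "actions": ["Microsoft.Storage/storageAccounts/*"], "notActions": []},
    "Storage Blob Data Contributor": {
        "actions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
            "Microsoft.Storage/storageAccounts/blobServices/containers/read",
            "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        ],
        "notActions": []},
}

# Control-plane operations behind the two tasks in Q76.
REQUIRED = [
    "Microsoft.Storage/storageAccounts/listkeys/action",  # view access keys
    "Microsoft.Storage/storageAccounts/blobServices/containers/write",
    "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
]

def _matches(pattern, operation):
    """RBAC wildcard: '*' matches any run of characters, case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def allows(role, operation):
    """Granted if an Actions entry matches and no NotActions entry does."""
    granted = any(_matches(p, operation) for p in role["actions"])
    excluded = any(_matches(p, operation) for p in role["notActions"])
    return granted and not excluded

def missing_operations(role_name, required=REQUIRED):
    return [op for op in required if not allows(ROLES[role_name], op)]

def least_privileged(candidates, required=REQUIRED):
    """Crude heuristic: among sufficient roles, prefer one without a bare '*'."""
    ok = [r for r in candidates if not missing_operations(r, required)]
    return sorted(ok, key=lambda r: "*" in ROLES[r]["actions"])[0] if ok else None

if __name__ == "__main__":
    for name in ROLES:
        print(name, "-> missing:", missing_operations(name))
    print("Pick:", least_privileged(list(ROLES)))
```

Reader fails on the access keys because listing keys is a POST-style `/action` operation, which the `*/read` wildcard does not match.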
Q77] You have an Azure subscription that contains 200 virtual machines.
You plan to use Azure Advisor to provide cost recommendations when underutilized virtual machines are detected.
You need to ensure that all Azure admins are notified whenever an Advisor alert is generated. The solution must minimize administrative effort. What should you configure?
a. An action group
b. An application security group
c. An Azure Automation account
d. A capacity reservation group
To notify your Azure admins whenever an Azure Advisor alert triggers, use an action group when creating the alerts.
Option A is the correct answer.
Reference Link: https://learn.microsoft.com/en-us/azure/advisor/advisor-alerts-portal
A capacity reservation group contains multiple capacity reservations that comprise a set of one or more capacity instances, which enables you to reserve Compute capacity in an Azure region for any duration of time.
Reference Link: https://learn.microsoft.com/en-us/azure/virtual-machines/capacity-reservation-overview
Option D is incorrect.
I am sure by now you should be aware of what an application security group and an Azure Automation account are.
Q78] You have an Azure subscription that contains a resource group named RG1.
You have an Azure Resource Manager (ARM) template for an Azure virtual machine.
You need to use PowerShell to provision a virtual machine in RG1 by using the template.
Which PowerShell cmdlet should you run?
a. New-AzManagementGroupDeployment
b. New-AzResourceGroupDeployment
c. New-AzSubscriptionDeployment
d. New-AzVM
We deploy virtual machines to a resource group, so run the New-AzResourceGroupDeployment PowerShell command to deploy the template to a resource group. Option B is the correct answer.
As their names indicate, the New-AzManagementGroupDeployment and New-AzSubscriptionDeployment commands deploy the template to the management group and subscription scope, respectively. Options A and C are incorrect.
Reference Link: https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-powershell#deployment-scope
The command New-AzVM creates a new VM. Option D is incorrect.
Reference Link: https://learn.microsoft.com/en-us/powershell/module/az.compute/new-azvm
Q79] You have an Azure subscription that contains an Azure Storage account named vmstorageaccount1.
You create an Azure container instance named container1.
You need to configure persistent storage for container1.
What should you create in vmstorageaccount1?
a. A blob container
b. A file share
c. A queue
d. A table
By default, Azure container instances are stateless. If the container crashes, all its data will be lost. To persist state, mount an Azure File Share as a directory and use it as persistent storage.
Reference Link: https://learn.microsoft.com/en-us/azure/container-instances/container-instances-volume-azure-files
Option B is the correct answer.
Other options like blob containers, queues, and tables cannot be mounted.
Q80] You have an Azure subscription that contains two resource groups named RG1 and RG2.
RG1 contains the following resources:
1] A virtual network named VNet1 located in the East US Azure region
2] A network security group (NSG) named NSG1 located in the West US Azure region
RG2 contains the following resources:
1] A virtual network named VNet2 located in the East US Azure region
2] A virtual network named VNet3 located in the West US Azure region
You need to apply NSG1.
To which subnets can you apply NSG1?
a. The subnets of all the virtual networks
b. The subnets of VNet1 only
c. The subnets of VNet1 and VNet2
d. The subnets of VNet3 only
When associating an NSG with a subnet, the portal only shows VNets and subnets deployed in the same region as the NSG. So, you can apply NSG1 to the subnets of VNet3 only.
Reference Link: https://learn.microsoft.com/en-us/answers/questions/932282/virtual-network-not-part-of-the-nsg-listing