AZ-104 Exam Dumps and Azure Administrator Associate Braindumps
All Azure questions are from my AZ-104 Udemy Course and certificationexams.pro
Microsoft AZ-104 Certification Exam Topics
Despite the title of this article, this is not an AZ-104 exam braindump in the traditional sense.
I do not believe in cheating.
Traditionally, the term braindump referred to someone taking an exam, memorizing the questions, and sharing them online for others to use.
That practice is unethical and violates the certification agreement. It offers no genuine learning or professional development.
This is not an Azure certification exam dump.
All of these questions come from my AZ-104 study materials and from the certificationexams.pro website, which offers hundreds of free AZ-104 practice questions.
Real AZ-104 Sample Questions
Each question has been carefully written to align with the official Microsoft Azure Administrator exam objectives. They reflect the tone, logic, and practical scenarios of real Azure administration tasks, but none are copied from the actual test.
Every question is designed to help you learn, reason, and study AZ-104 certification concepts such as identity management, RBAC, virtual networking, storage, compute, governance, and monitoring.
AZ-104 Administrator Practice Questions
If you can answer these questions and understand why the incorrect options are wrong, you will not only pass the real AZ-104 exam but also gain the foundational knowledge needed to work confidently as a Microsoft Azure administrator.
So if you want to call this your AZ-104 exam dump, that is up to you, but remember that every question here is built to teach the AZ-104 exam objectives, not to cheat.
AZ-104 Certification Sample Questions
Certification Exam Dump
Your NovaTech subscription contains an availability set named Core-AS-02 that is configured with 6 update domains and you place 33 virtual machines into Core-AS-02. After a scheduled platform update one update domain is rebooted at a time. What is the minimum number of virtual machines that will remain available?
❏ A. 30 virtual machines
❏ B. 27 virtual machines
❏ C. 22 virtual machines
❏ D. 28 virtual machines
An IT team at a mid sized retailer manages an Active Directory forest named example.com. They installed Azure AD Connect and configured password hash synchronization as the sign-in method while staging mode was turned on. When they inspect the Synchronization Service Manager no synchronization jobs are listed. What action will enable imports, exports and synchronization to run and ensure the synchronization completes successfully?
❏ A. Start a full synchronization from Azure PowerShell using Start-ADSyncSyncCycle with PolicyType Initial
❏ B. Disable staging mode in Azure AD Connect and rerun the configuration
❏ C. Reconfigure Azure AD Connect to use pass through authentication instead of password hash synchronization
Refer to the BreezySoft Inc case study by opening this link in a new tab and answer based on that document https://docs.google.com/document/d/1aBcD3FgHijkLmnOPqRstUvWxYz9876543210/edit?usp=sharing For the statement below choose Yes if the statement is true otherwise choose No “From VMB you can ping VMC”?
❏ A. No
❏ B. Yes
You manage file resiliency for a collection of files stored on an Azure file share for a design firm named Nimbus Technologies. A team member accidentally deleted a critical document and you need to restore it. Which Azure capability most directly enables recovery of the deleted file?
❏ A. Azure File Sync
❏ B. Azure Files snapshots
❏ C. Azure File share backup
❏ D. Soft delete for Azure Files
Which role assignments would allow Alice to read storage data in any storage account and allow Ben to grant the Contributor role to storage accounts while adhering to the principle of least privilege?
❏ A. Storage Account Contributor to Alice and Owner to Ben
❏ B. Storage Blob Data Reader to Alice and User Access Administrator to Ben
❏ C. Reader to Alice and Owner to Ben
Your Azure subscription contains virtual machines that connect to a virtual network named ProdVNet. You plan to enable Azure Monitor for VM Insights and you must ensure that the virtual machines communicate with Azure Monitor only through ProdVNet. What should you create first?
❏ A. a data collection rule (DCR)
❏ B. a private endpoint
❏ C. an Azure Monitor Private Link scope resource (AMPLS)
❏ D. a Log Analytics workspace
A cloud operations team manages an Azure virtual machine named AppServer3 that runs Windows Server 2022 and was created with the default disk layout. You sign in as Admin1 and do these tasks. You save files to the C drive. You save files to the D drive. You change the screen saver timeout. You change the desktop wallpaper. You plan to redeploy AppServer3. Which of these changes will be removed when the VM is redeployed?
❏ A. New files placed on the C drive
❏ B. The updated desktop wallpaper
❏ C. Files created on the D drive
❏ D. The modified screen saver timeout
A company named example.com maintains a Microsoft Entra tenant and a subscription named DevSubscription. The tenant contains a security group named AppDevelopers and the subscription contains a resource group named DevRG. You must enable the AppDevelopers group to create Azure Logic Apps inside the DevRG resource group. The proposed solution is to assign the Logic App Contributor role to the AppDevelopers group at the DevRG scope. Does this meet the requirement?
❏ A. No
❏ B. Yes
Which Network Watcher feature permits technicians to measure round trip latency between an Azure virtual network and an on site corporate data center?
❏ A. IP Flow Verify
❏ B. VPN Troubleshoot
❏ C. Connection Monitor
Which Azure storage service provides persistent mountable file storage for a container instance running a SQL Server image?
❏ A. Azure Disks
❏ B. Azure Files
❏ C. Azure Blob storage
Northwind Technologies runs an Azure Kubernetes Service cluster called cluster-02 and they must enable the cluster autoscaler for cluster-02. Which tools can be used to configure the cluster autoscaler? (Choose 2)
❏ A. kubectl command
❏ B. Set-AzAks PowerShell cmdlet
❏ C. Azure Resource Manager template
❏ D. az aks command
❏ E. Azure portal
Summit Dynamics operates an Azure Active Directory tenant and needs a conditional access rule that forces members of the Global Administrators role to sign in with multi factor authentication and from Azure AD joined devices when they connect from unfamiliar networks. The proposed change is to open the Azure portal and adjust the policy session controls. Will that approach satisfy the requirement?
❏ A. Modify the conditional access policy session controls in the Azure portal
❏ B. Require device compliance through Microsoft Intune policies only
❏ C. Edit the policy grant controls to require multi factor authentication and Azure AD joined devices
❏ D. Use Azure AD Identity Protection sign in risk policies to enforce additional verification
An infrastructure engineer at CloudHarbor is investigating why two Linux virtual machines in the same virtual network cannot communicate while using Azure Network Watcher. Which Network Watcher feature should the engineer use to determine whether user defined routes or network security groups are preventing the traffic?
❏ A. Packet Capture
❏ B. Network Performance Monitor
❏ C. IP Flow Verify
❏ D. Connection Troubleshoot
Your Azure subscription contains a storage account named datastore2. You plan to use conditional rules when you assign role based access control roles to datastore2. Which of the storage services support conditional role assignments?
❏ A. Azure Files only
❏ B. Azure Data Lake Storage Gen2 only
❏ C. Blob containers only
❏ D. File shares and Table storage only
❏ E. Table storage only
❏ F. Blob containers and queue storage only
What methods can you use to connect two Azure virtual networks that are in different subscriptions and belong to different Azure Active Directory tenants?
❏ A. Azure Virtual WAN hub
❏ B. Virtual network peering across tenants
❏ C. VNet to VNet VPN using virtual network gateways
A regional retailer named Northfield Logistics registered the domain example.com and created a public Azure DNS zone called example.com. You need the entries you add to the Azure DNS zone to be reachable from the public internet. What action should you take?
❏ A. Create the SOA record inside the example.com Azure DNS zone
❏ B. Add NS records to the example.com zone within Azure DNS
❏ C. Update the name server records at the domain registrar to point to the Azure DNS name servers
❏ D. Edit the SOA record at the domain registrar to reference Azure
Your cloud platform team at Everleaf Technologies must build a container deployment pipeline and ensure the service can scale automatically on Microsoft Azure. What steps are necessary to deploy and scale a containerized application in Azure? (Choose 3)
❏ A. Enable autoscaling and configure scaling rules in Azure Container Apps
❏ B. Use Azure Container Instances for quick single container deployments
❏ C. Deploy the application to Azure Kubernetes Service for orchestration and cluster management
❏ D. Create an Azure Container Registry and push your Docker images there
A cloud engineering team at Meridian Cloud Services uses Azure and needs to grant permissions at different organizational boundaries. Which of the following are valid scopes for assigning roles in Azure? (Choose 3)
❏ A. Subscription
❏ B. Azure region
❏ C. Management group
❏ D. Resource group
A cloud team at Meridian Finance wants to tighten who can reach its Azure storage accounts. What methods can the team apply to restrict access to those storage accounts? (Choose 3)
❏ A. Require Entra ID authentication for Azure Files
❏ B. Configure the storage account firewall to allow requests only from specific IP ranges
❏ C. Use a virtual network with private endpoints so only traffic from the VNet can reach the storage
❏ D. Move the storage account to a different subscription
Which feature of Azure Network Watcher identifies the security rule that is blocking traffic to a virtual machine?
❏ A. Packet capture
❏ B. IP flow verify
❏ C. Next hop
You manage a subscription that contains eight virtual machines, a key vault named CredStore, and a network security group named SecGroupA. All resources are deployed to the West US Azure region. The virtual machines are associated with SecGroupA. SecGroupA currently blocks all outbound internet traffic. You need to allow the virtual machines to reach CredStore while following least privilege and reducing administrative overhead. What should you set as the destination for the outbound rule on SecGroupA?
❏ A. a specific IP address range
❏ B. an application security group
❏ C. a service tag
A boutique software company plans to use an ARM template to provision eight instances of a web application in West Europe and they must meet the deployment prerequisites while minimizing Azure costs. What must they provision before executing the template?
❏ A. Deploy Azure Front Door
❏ B. Create separate App Service Plans for each web app instance
❏ C. Provision a single App Service Plan to host all eight web app instances
❏ D. Set up an Application Gateway
This item is part of a scenario set that uses the same baseline. Your organization has a Microsoft Entra tenant named northwind.example.com and an Azure subscription named SubscriptionAlpha. The tenant contains a group named AppBuilders and the subscription contains a resource group named DevelopmentRG. You need to give the AppBuilders group the ability to create Azure Logic Apps in DevelopmentRG. The proposed solution assigns the Logic App Operator role to the AppBuilders group on DevelopmentRG. Does this achieve the requirement?
❏ A. Yes assigning the Logic App Operator role to AppBuilders on DevelopmentRG grants the required permissions
❏ B. No assigning the Logic App Operator role to AppBuilders on DevelopmentRG does not provide creation rights
A logistics startup named Harbor Analytics must create an Azure storage account called dataplane02. The design must support Azure Data Lake Storage and keep costs low for data that is rarely accessed. The storage must also automatically replicate data to a secondary Azure region. Which configuration settings should be applied to dataplane02? (Choose 3)
❏ A. Cool access tier
❏ B. Zone-redundant storage (ZRS)
❏ C. Geo-redundant storage (GRS)
❏ D. Hierarchical namespace
❏ E. Hot access tier
If you enable Update settings on an Azure virtual machine, will the VM be moved to a different physical host to avoid scheduled host maintenance?
❏ A. No enabling Update settings will not move the VM
❏ B. Yes enabling Update settings will move the VM
A regional retailer named Apex Retail plans to bulk upload new employee accounts and they want each imported account to be automatically placed into the correct department group based on the user department attribute while reducing manual work. What steps should they take? (Choose 2)
❏ A. Microsoft Graph API
❏ B. Create a CSV file containing user details and the required attribute columns
❏ C. Create groups that use Assigned membership
❏ D. Create groups configured for Dynamic User membership
❏ E. Write a PowerShell script to parse the import and set group membership
❏ F. Generate an XML file with the user records and attributes
A regional tech studio named RiverStone is assigning a custom host name to its Azure App Service and it will manage the domain using Azure DNS. Which DNS record type should RiverStone create in Azure DNS so the record points to the App Service default hostname?
❏ A. A Record
❏ B. TXT Record
❏ C. CNAME Record
❏ D. Alias record
The ContosoTech subscription contains multiple virtual machines that run Windows Server and it includes a data collection rule named DataCollectorA. You plan to use the Azure Monitor Agent to collect entries from the Windows System event log and you only need events with an event ID of 1201. Which type of query should you configure for the data source in DataCollectorA?
❏ A. KQL
❏ B. XPath
❏ C. SQL
Acme Cloud Services recently hired a new cloud engineer who must also be able to manage other engineers access while the team follows the principle of least privilege and subscription governance. Which role should you assign to the new engineer?
❏ A. Owner
❏ B. Privileged Role Administrator
❏ C. Contributor
❏ D. User Access Administrator
Which Azure storage resource types in the storageSecondary account can an encryption scope encrypt?
❏ A. Containers blobs and file shares in storageSecondary
❏ B. Containers and blobs in storageSecondary only
❏ C. Containers and blobs in storagePrimary and storageSecondary
After moving our on premises web service to an Azure App Service named live-finapp the site at https://www.accountingdashboard.scrumtuous.com no longer resolves using the original domain. You must update DNS so the custom hostname points to the new App Service. Which DNS records will allow the domain to resolve to the Azure App Service? (Choose 2)
❏ A. Create a CNAME record that points to live-finapp.azurewebsites.net
❏ B. Create a TXT record to verify domain ownership with the registrar
❏ C. Create an A record that maps the root domain to the public IPv4 address used by the App Service
❏ D. Create an ALIAS record that points the apex domain to live-finapp.azurewebsites.net
A regional retailer named Northwind Systems operates a Microsoft SQL Server Always On availability group across Azure virtual machines. You need to set up an internal Azure load balancer to serve as the availability group listener. The proposed change is to enable the load balancer’s floating IP. Does this configuration meet the requirement?
❏ A. No
❏ B. Yes
An operations group at MapleTech is creating a new Azure Policy definition for their environment and they must pick a mode that governs how resources are evaluated. Which of the following entries is not a supported mode for Azure Policy definitions?
❏ A. Microsoft.KeyVault.Data
❏ B. DoNotAllow
❏ C. Indexed
❏ D. All
When you create a static threshold metric alert for a monitoring service what is the name of the lookback interval over which the metric values are evaluated?
❏ A. Cloud Monitoring alignment period
❏ B. Timeslice
❏ C. Evaluation period
❏ D. Aggregation window
How can developers publish to an App Service using Web Deploy with their Azure AD accounts while ensuring least privilege access?
❏ A. Use App Service publish profile credentials
❏ B. Assign Website Contributor role
❏ C. Assign Contributor role
AZ-104 Certification Exam Questions Answered
Your NovaTech subscription contains an availability set named Core-AS-02 that is configured with 6 update domains and you place 33 virtual machines into Core-AS-02. After a scheduled platform update one update domain is rebooted at a time. What is the minimum number of virtual machines that will remain available?
✓ B. 27 virtual machines
The correct answer is 27 virtual machines.
With an availability set that has 6 update domains the platform reboots one update domain at a time. If you place 33 virtual machines into those 6 update domains the VMs will be distributed so that some domains hold 6 VMs and others hold 5 VMs. When the largest update domain is rebooted the number of VMs unavailable will be 6, which leaves 27 virtual machines available.
30 virtual machines is incorrect because that answer assumes only 3 VMs would be affected by the rebooted update domain which does not represent the worst case distribution across 6 update domains.
22 virtual machines is incorrect because that implies 11 VMs are taken down in a single update domain and that cannot occur when 33 VMs are spread across 6 update domains.
28 virtual machines is incorrect because it uses the lower per-domain count of 5 VMs rather than the correct worst case of 6 VMs in a single update domain, and the exam asks for the minimum number that remain available.
When a question asks for the minimum number of VMs available during update domains divide the total VMs by the number of update domains and use the ceiling of that result to find how many can be down in one domain, then subtract from the total.
An IT team at a mid sized retailer manages an Active Directory forest named example.com. They installed Azure AD Connect and configured password hash synchronization as the single sign on method while staging mode was turned on. When they inspect the Synchronization Service Manager no synchronization jobs are listed. What action will enable imports exports and synchronization to run and ensure the synchronization completes successfully?
✓ B. Disable staging mode in Azure AD Connect and rerun the configuration
The correct answer is Disable staging mode in Azure AD Connect and rerun the configuration.
Staging mode keeps the Azure AD Connect server active for import and synchronization but blocks every export to Entra ID, and it also disables password hash synchronization and password writeback. A server in staging mode therefore never changes anything in the cloud, no matter how many cycles it runs locally. Disabling staging mode in the wizard returns the server to active operation, and rerunning the configuration re-enables the scheduler and connectors so import, synchronization and export runs appear in the Synchronization Service Manager and complete end to end.
Start a full synchronization from Azure PowerShell using Start-ADSyncSyncCycle with PolicyType Initial is incorrect because the cmdlet only starts a cycle under whatever mode the server is in. In staging mode the import and synchronization steps may run, but the export step is skipped, so nothing reaches Entra ID and password hashes are not synchronized.
Reconfigure Azure AD Connect to use pass through authentication instead of password hash synchronization is incorrect because the sign-in method does not control whether the sync engine exports. Staging mode is what prevents synchronization from completing, and changing the authentication option leaves it in place.
Check whether Azure AD Connect is in staging mode before proposing sync commands or configuration changes. Get-ADSyncScheduler reports StagingModeEnabled and SyncCycleEnabled, and staging mode must be turned off before exports and password hash synchronization can run.
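As an added example (this script is not from the article and not Microsoft's own code), here is the check a practitioner runs on the sync server before touching the scheduler. It uses the ADSync module that ships with Azure AD Connect and assumes an elevated PowerShell session on the sync server itself; there is no cmdlet to leave staging mode, which is why the script stops and points at the wizard when staging is on.

```powershell
# Added example: diagnose "no sync runs" on an Azure AD Connect server.
# Assumes an elevated session on the sync server where the ADSync module is installed.
Import-Module ADSync

$scheduler = Get-ADSyncScheduler

# Staging mode still imports and synchronizes locally but never exports to Entra ID,
# and password hash sync is off. A cycle started from here would look healthy and
# still change nothing in the cloud, so bail out before anyone "fixes" it with cmdlets.
if ($scheduler.StagingModeEnabled) {
    Write-Warning "Staging mode is ON: exports and password hash sync are disabled."
    Write-Warning "Turn it off in the Azure AD Connect wizard (Configure > Configure staging mode) and re-run this check."
    return
}

# A paused scheduler is the other common reason nothing appears in Synchronization Service Manager.
if (-not $scheduler.SyncCycleEnabled) {
    Write-Warning "Scheduler is disabled; re-enabling it."
    Set-ADSyncScheduler -SyncCycleEnabled $true
}

if ($scheduler.SyncCycleInProgress) {
    Write-Output "A sync cycle is already running; not starting another one."
    return
}

# Initial = full import, full sync and export on every connector. Use Delta for routine runs.
Start-ADSyncSyncCycle -PolicyType Initial

# Get-ADSyncConnectorRunStatus returns one object per busy connector and nothing when all are idle.
do {
    Start-Sleep -Seconds 15
    $busy = Get-ADSyncConnectorRunStatus
} while ($busy)

# Final state worth pasting into the ticket.
Get-ADSyncScheduler |
    Select-Object StagingModeEnabled, SyncCycleEnabled, NextSyncCyclePolicyType, NextSyncCycleStartTimeInUTC
```

If StagingModeEnabled is true on the server you expected to be active, confirm that no other server in the forest is already exporting before switching: two active servers writing to the same tenant is the failure mode staging mode exists to prevent.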
Refer to the BreezySoft Inc case study by opening this link in a new tab and answer based on that document https://docs.google.com/document/d/1aBcD3FgHijkLmnOPqRstUvWxYz9876543210/edit?usp=sharing For the statement below choose Yes if the statement is true otherwise choose No “From VMB you can ping VMC”?
✓ B. Yes
The correct answer is Yes. According to the case study VMB can ping VMC.
Yes is correct because the two virtual machines are reachable from each other and nothing in the network configuration blocks ICMP between them. In Azure that means the VMs sit in the same virtual network or in peered or otherwise connected virtual networks, the effective routes deliver the traffic, and no network security group rule on either NIC or subnet denies ICMP.
No is incorrect because the case study describes a configuration in which inter-VM connectivity is possible and there is no NSG rule or routing restriction that would block ICMP between VMB and VMC.
When a question asks about connectivity check both the network topology and the NSG rules and confirm that ICMP is permitted in both directions; Network Watcher IP flow verify names the rule that would deny it.
You manage file resiliency for a collection of files stored on an Azure file share for a design firm named Nimbus Technologies. A team member accidentally deleted a critical document and you need to restore it. Which Azure capability most directly enables recovery of the deleted file?
✓ B. Azure Files snapshots
The correct option is Azure Files snapshots.
A share snapshot is a read-only point-in-time copy of the whole file share. If a snapshot exists from before the deletion, the file can be copied back out of it, or restored with Previous Versions in Windows Explorer on an SMB mount, which is the most direct way to recover a single deleted file. Azure Backup for Azure Files is built on the same mechanism: the snapshots it schedules are what make item-level restore possible.
Azure File Sync is incorrect because it synchronizes and tiers files between on-premises servers and Azure and is not a recovery mechanism; a deletion on one endpoint is replicated to the others.
Azure File share backup is incorrect as the most direct answer because it is a separate Azure Backup offering with vaults and policies, and it restores individual files only by reading the share snapshots it takes, so snapshots are the underlying capability.
Soft delete for Azure Files is incorrect because it operates at the share level only. It retains a deleted file share for the configured retention period so the whole share can be undeleted, but an individual file deleted inside a live share is permanently removed and soft delete cannot bring it back. Blob soft delete, by contrast, does protect individual blobs, which is the usual source of this confusion.
If the question asks about recovering a single deleted file on an Azure file share look for share snapshots or Azure Backup; reserve soft delete for the case where the whole share was deleted, and check that the snapshot or retention window you rely on actually predates the deletion.
Which role assignments would allow Alice to read storage data in any storage account and allow Ben to grant the Contributor role to storage accounts while adhering to the principle of least privilege?
✓ B. Storage Blob Data Reader to Alice and User Access Administrator to Ben
The correct answer is Storage Blob Data Reader to Alice and User Access Administrator to Ben.
The Storage Blob Data Reader role grants data plane read access to containers and blobs, so assigning it to Alice at subscription or management group scope lets her read blob data in every storage account under that scope. It covers blobs only: reading Azure Files, queue or table data needs the matching data-plane role for that service, and a management plane role such as Reader never grants access to the data itself. The User Access Administrator role lets Ben create role assignments, so he can grant Contributor on storage accounts without holding Owner, which is the least-privilege pairing this question is after.
The caveat a practitioner should know is that User Access Administrator can assign any role, including Owner, at its scope. Where the delegation really should be limited to one role, assign the built-in Role Based Access Control Administrator role instead and attach a condition that only permits assignments of Contributor.
Storage Account Contributor to Alice and Owner to Ben is incorrect because Storage Account Contributor is a management plane role for administering storage accounts (it can list the account keys, which is its own risk) and does not grant data plane blob reads through Azure RBAC, while Owner gives Ben far more than the ability to assign Contributor.
Reader to Alice and Owner to Ben is incorrect because Reader only grants management plane read access to resource properties, not to blob contents, and Owner again grants Ben excessive permissions.
When a question involves reading storage objects look for data plane roles such as Storage Blob Data Reader, and delegate role assignment with User Access Administrator (or, better, Role Based Access Control Administrator with a condition) rather than Owner.
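The following added example is my code, not the article's, and it goes one step beyond the question: Alice gets Storage Blob Data Reader at subscription scope, and instead of User Access Administrator Ben gets Role Based Access Control Administrator with an ABAC condition so that the only role he can assign or remove is Contributor. The subscription ID and the two group object IDs are placeholders; the Contributor role definition ID is the real built-in one.

```powershell
# Added example: least-privilege delegation with Az PowerShell (Az.Resources).
# Placeholder values: subscription ID and group object IDs are hypothetical.
$subscriptionId = "00000000-0000-0000-0000-000000000000"
$scope          = "/subscriptions/$subscriptionId"
$aliceGroupId   = "11111111-1111-1111-1111-111111111111"   # security group containing Alice
$benGroupId     = "22222222-2222-2222-2222-222222222222"   # security group containing Ben

# Alice: data-plane read on blobs in every storage account under the subscription.
# Management-plane Reader would not let her read blob contents.
New-AzRoleAssignment -ObjectId $aliceGroupId `
    -RoleDefinitionName "Storage Blob Data Reader" `
    -Scope $scope

# Ben: "Role Based Access Control Administrator" can write role assignments like User Access
# Administrator, but unlike UAA it is meant to be constrained. The condition below allows him
# to create or delete role assignments ONLY when the role involved is Contributor (built-in
# role definition ID b24988ac-6180-42a0-ab88-20f7382dd24c). Owner or anything else is denied.
$contributorRoleId = "b24988ac-6180-42a0-ab88-20f7382dd24c"
$condition = @"
(
 (
  !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
 )
 OR
 (
  @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {$contributorRoleId}
 )
)
AND
(
 (
  !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
 )
 OR
 (
  @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {$contributorRoleId}
 )
)
"@

New-AzRoleAssignment -ObjectId $benGroupId `
    -RoleDefinitionName "Role Based Access Control Administrator" `
    -Scope $scope `
    -Condition $condition `
    -ConditionVersion "2.0" `
    -Description "Ben may only assign or remove Contributor"

# Verify the condition landed. A test from Ben's session of
#   New-AzRoleAssignment -RoleDefinitionName Owner ...
# should now fail with an authorization error, while Contributor succeeds.
Get-AzRoleAssignment -ObjectId $benGroupId -Scope $scope |
    Select-Object RoleDefinitionName, Scope, Condition, ConditionVersion
```

Narrow the scope of Ben's assignment to the resource group that holds the storage accounts if he should not be able to hand out Contributor on anything else; the condition limits which role he assigns, the scope limits where.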
Your Azure subscription contains virtual machines that connect to a virtual network named ProdVNet. You plan to enable Azure Monitor for VM Insights and you must ensure that the virtual machines communicate with Azure Monitor only through ProdVNet. What should you create first?
✓ C. an Azure Monitor Private Link scope resource (AMPLS)
The correct option is an Azure Monitor Private Link scope resource (AMPLS).
An Azure Monitor Private Link Scope (AMPLS) is the resource that exposes Azure Monitor endpoints over Private Link. After creating the AMPLS you link Log Analytics workspaces and other monitoring resources to it and create a private endpoint in ProdVNet that targets the scope, so VM telemetry travels over the VNet and Private Link instead of the public internet. To actually meet the "only through ProdVNet" requirement you also set the scope's ingestion and query access modes to private only and disable public network access on the workspace; otherwise an agent can still reach the public ingestion endpoint.
a data collection rule (DCR) is incorrect because data collection rules define what the agent collects and which workspace receives it. They provide neither the Private Link boundary nor the private endpoint that forces traffic through a specific virtual network.
a private endpoint is incorrect as the first step because a private endpoint must target an existing Private Link resource. You must first create the AMPLS that publishes Azure Monitor over Private Link and then provision a private endpoint in ProdVNet that connects to that scope.
a Log Analytics workspace is incorrect because a workspace receives the telemetry but by itself does not restrict the path the data takes. Workspaces are linked to a Private Link scope, so the AMPLS has to exist first to enable the private connectivity model.
When a question asks about forcing Azure Monitor traffic through a virtual network look for creating a Private Link scope first. After the scope exists you add private endpoints in the target VNet and map workspaces or resources to that scope.
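As an added example (my code, not the article's), the full sequence in Az PowerShell: create the AMPLS first, link the workspace, add the private endpoint in ProdVNet, and then close the public path on the workspace, which the question's "only through ProdVNet" wording requires but the first step alone does not deliver. Resource group, workspace, subnet and resource names are placeholders; the group ID "azuremonitor" and the private DNS zone names are the real ones Azure Monitor uses.

```powershell
# Added example: Azure Monitor over Private Link, end to end (Az.Monitor, Az.Network,
# Az.OperationalInsights). All resource names below are hypothetical placeholders.
$rg       = "rg-monitoring"
$location = "westeurope"
$wsName   = "law-prod"
$vnetName = "ProdVNet"
$snetName = "snet-privatelink"

# 1. The AMPLS comes first. Its location is always Global. PrivateOnly on both modes means
#    the scope rejects ingestion and queries that did not arrive through a private endpoint.
$ampls = New-AzInsightsPrivateLinkScope -ResourceGroupName $rg -Name "ampls-prod" -Location "Global" `
    -IngestionAccessMode "PrivateOnly" -QueryAccessMode "PrivateOnly"

# 2. Link the Log Analytics workspace that VM Insights (via its DCR) writes to.
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName
New-AzInsightsPrivateLinkScopedResource -ResourceGroupName $rg -ScopeName "ampls-prod" `
    -Name "$wsName-link" -LinkedResourceId $ws.ResourceId

# 3. Private endpoint inside ProdVNet that targets the scope. The group ID for AMPLS is "azuremonitor".
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $snetName
$conn   = New-AzPrivateLinkServiceConnection -Name "ampls-conn" -PrivateLinkServiceId $ampls.Id -GroupId "azuremonitor"
New-AzPrivateEndpoint -ResourceGroupName $rg -Name "pe-ampls" -Location $location `
    -Subnet $subnet -PrivateLinkServiceConnection $conn

# 4. Close the other door: the workspace itself must refuse public ingestion and queries,
#    otherwise an agent that still resolves the public endpoint gets through.
Set-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName `
    -PublicNetworkAccessForIngestion "Disabled" -PublicNetworkAccessForQuery "Disabled"

# 5. DNS. The VMs must resolve these zones to the endpoint's private IPs:
#    privatelink.monitor.azure.com, privatelink.oms.opinsights.azure.com,
#    privatelink.ods.opinsights.azure.com, privatelink.agentsvc.azure-automation.net,
#    privatelink.blob.core.windows.net. Link them to ProdVNet and attach a zone group to the
#    endpoint with New-AzPrivateDnsZoneGroup so the records are maintained for you.

# Check from a VM in ProdVNet: the ingestion hostname must resolve to an address in $snetName.
#   Resolve-DnsName "$($ws.CustomerId).ods.opinsights.azure.com"
```

Step 4 is the one most often skipped. With the AMPLS in PrivateOnly mode but the workspace still accepting public traffic, a misconfigured agent (or an attacker holding the workspace ID and key) can still post data to the public ingestion endpoint.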
A cloud operations team manages an Azure virtual machine named AppServer3 that runs Windows Server 2022 and was created with the default disk layout. You sign in as Admin1 and do these tasks. You save files to the C drive. You save files to the D drive. You change the screen saver timeout. You change the desktop wallpaper. You plan to redeploy AppServer3. Which of these changes will be removed when the VM is redeployed?
✓ C. Files created on the D drive
Files created on the D drive is the correct choice.
When you redeploy an Azure virtual machine the OS disk and any attached managed data disks are preserved and the temporary disk is reset. In the default Windows Server layout Azure exposes the temporary disk as D drive and its contents are ephemeral and will be lost when the VM is redeployed.
New files placed on the C drive are not removed because the C drive is the OS disk which remains intact across redeploy operations and stores the operating system and user profiles.
The updated desktop wallpaper is not removed because desktop and user settings are stored on the OS disk or in the user profile and they persist when the VM is redeployed.
The modified screen saver timeout is not removed because this setting lives in the user profile or registry which resides on the OS disk and survives a redeploy of the VM.
When you decide what will be lost on redeploy think about whether data lives on the persistent OS or data disks or on the temporary disk. Files on the temporary disk will be cleared when a VM is redeployed.
A company named example.com maintains a Microsoft Entra tenant and a subscription named DevSubscription. The tenant contains a security group named AppDevelopers and the subscription contains a resource group named DevRG. You must enable the AppDevelopers group to create Azure Logic Apps inside the DevRG resource group. The proposed solution is to assign the Logic App Contributor role to the AppDevelopers group at the DevRG scope. Does this meet the requirement?
✓ B. Yes
The correct option is Yes.
Assigning the Logic App Contributor role to the AppDevelopers group at the DevRG scope meets the requirement because that built in role grants the permissions needed to create and manage Azure Logic Apps within the assigned scope.
Granting the role at the resource group level limits the permissions to DevRG so members of the AppDevelopers group can create Logic Apps only inside that resource group and Azure role based access control supports assigning roles to Azure Active Directory groups so the assignment is valid.
Ensure that AppDevelopers is an Azure AD group in the same tenant and that members sign in with identities from that tenant otherwise the assignment will not take effect. Also note that the Logic App Contributor role does not allow granting role assignments or managing unrelated resource types.
No is incorrect because assigning the Logic App Contributor role at the resource group scope does satisfy the requirement to allow the group to create Logic Apps inside DevRG.
When you are asked about enabling resource creation check the specific Azure built in role and the assignment scope because granting a role at the resource group level is often sufficient and it is more secure than assigning at subscription or management group levels.
Which Network Watcher feature permits technicians to measure round trip latency between an Azure virtual network and an on site corporate data center?
✓ C. Connection Monitor
The correct answer is Connection Monitor.
The Connection Monitor feature in Network Watcher measures end to end network connectivity and reports metrics such as round trip latency and packet loss between Azure resources and an on site corporate data center. It can run tests from virtual machines or other endpoints in the virtual network to on site endpoints so technicians can see round trip time graphs and configure alerts.
The IP Flow Verify tool checks whether a specific packet to or from a VM is allowed or denied by the network security group rules that apply to its NIC, and it names the rule responsible. It evaluates security rules only; routing is checked separately with the Next hop tool, and neither performs continuous connectivity tests or measures round trip latency.
The VPN Troubleshoot feature helps diagnose VPN gateway and tunnel configuration problems and shows tunnel health and negotiation details. It is useful for tunnel diagnostics but it does not provide the ongoing latency measurements that Connection Monitor provides.
When a question asks about measuring latency or packet loss between Azure and an on site data center think Connection Monitor. Use IP Flow Verify for rule level checks and VPN Troubleshoot for tunnel diagnostics.
Which Azure storage service provides persistent mountable file storage for a container instance running a SQL Server image?
✓ B. Azure Files
The correct option is Azure Files.
Azure Files provides fully managed file shares over SMB and NFS, and Azure Container Instances can mount an Azure file share into a container so the SQL Server data directory survives restarts and redeployments of the container group. Two caveats matter in practice: the ACI mount uses SMB with the storage account key, so treat that key as a secret in the container group definition, and the mount is supported only for Linux container groups, so the SQL Server image must be the Linux one.
Azure Disks are block level managed disks intended to attach to virtual machines and they are not supported as a directly mountable persistent volume for Azure Container Instances.
Azure Blob storage is object storage optimized for unstructured data and it is not a native POSIX file share so it cannot be mounted as a regular persistent filesystem by containers without additional drivers or tools.
When a question asks about mountable file storage for containers think Azure Files and remember that managed disks attach to VMs while blob storage is object storage.
Northwind Technologies runs an Azure Kubernetes Service cluster called cluster-02 and they must enable the cluster autoscaler for cluster-02. Which tools can be used to configure the cluster autoscaler? (Choose 2)
-
✓ B. Set-AzAks PowerShell cmdlet
-
✓ D. az aks command
The correct options are Set-AzAks PowerShell cmdlet and az aks command.
Both the Set-AzAks PowerShell cmdlet and the az aks command operate in the Azure management plane and allow you to enable and configure the AKS cluster autoscaler by updating the managed cluster or node pool settings. These tools provide parameters to turn on the autoscaler and to set the minimum and maximum node counts so you can control scaling behavior.
For example, the az aks command exposes parameters such as --enable-cluster-autoscaler together with minimum and maximum count parameters when updating a node pool or cluster, and the PowerShell cmdlet provides equivalent options for scripting and automation.
The option kubectl command is incorrect because kubectl manages Kubernetes resources inside the cluster and it does not change Azure managed node pool autoscaling settings that are controlled through the Azure management plane.
The option Azure Resource Manager template is incorrect because templates declare and deploy Azure resources but enabling the AKS cluster autoscaler is typically performed by updating the managed cluster or node pool properties with CLI or PowerShell rather than by a template alone.
The option Azure portal is incorrect because the portal does not always expose the full set of autoscaler configuration options and the recommended and precise method for enabling and tuning the autoscaler is to use the CLI or PowerShell.
When you see questions about enabling AKS autoscaling look for answers that mention the Azure management plane tools and remember parameters like --enable-cluster-autoscaler or equivalent PowerShell options.
Summit Dynamics operates an Azure Active Directory tenant and needs a conditional access rule that forces members of the Global Administrators role to sign in with multi factor authentication and from Azure AD joined devices when they connect from unfamiliar networks. The proposed change is to open the Azure portal and adjust the policy session controls. Will that approach satisfy the requirement?
-
✓ C. Edit the policy grant controls to require multi factor authentication and Azure AD joined devices
Edit the policy grant controls to require multi factor authentication and Azure AD joined devices is correct.
Editing the Conditional Access policy grant controls lets you require multi factor authentication at sign in and require that the device be Azure AD joined as a grant condition. You can scope the policy to the Global Administrators role and add a location condition that represents unfamiliar networks, so the combined grant controls block access unless the user completes MFA and uses an Azure AD joined device.
Modify the conditional access policy session controls in the Azure portal is incorrect because session controls apply after access is granted and they control session behavior such as sign in frequency or app enforced restrictions. Session controls do not enforce initial grant requirements like MFA and device join at authentication.
Require device compliance through Microsoft Intune policies only is incorrect because Intune compliance settings mark devices as compliant but they do not on their own enforce MFA at sign in. You still need Conditional Access grant controls to require MFA and to block access from non compliant or non joined devices based on location.
Use Azure AD Identity Protection sign in risk policies to enforce additional verification is incorrect because Identity Protection focuses on risk based signals and can prompt for additional verification on risky sign ins. It does not provide a direct way to require Azure AD joined devices for sign ins from unfamiliar networks and it is not the primary mechanism for combining MFA and device join requirements targeted at an administrative role.
When a question asks about enforcing MFA and device state at sign in remember that these are set under Conditional Access grant controls rather than session controls. Also check whether the policy can be scoped to administrative roles and to location conditions for unfamiliar networks.
An infrastructure engineer at CloudHarbor is investigating why two Linux virtual machines in the same virtual network cannot communicate while using Azure Network Watcher. Which Network Watcher feature should the engineer use to determine whether user defined routes or network security groups are preventing the traffic?
-
✓ D. Connection Troubleshoot
Connection Troubleshoot is correct because it performs an end to end connectivity check between the two endpoints and reports whether user defined routes or network security groups are preventing the traffic.
The Connection Troubleshoot feature initiates a simulated connection from the source to the destination and traces the network path. It returns the result and indicates the hop where traffic is dropped and whether an NSG rule or a user defined route is the cause. This direct path analysis is why Connection Troubleshoot is the right choice to diagnose why two Linux virtual machines in the same virtual network cannot communicate.
Packet Capture is incorrect because it only captures packets on a VM for later analysis and it does not perform an end to end connectivity test that will explicitly show which route or security rule blocked the traffic.
Network Performance Monitor is incorrect because it focuses on ongoing performance and latency monitoring across networks and it is not the interactive diagnostic that shows the path and the specific rule or route that denies a connection.
IP Flow Verify is incorrect because it checks whether a specific flow is allowed or denied on a VM network interface based on NSG rules. While IP Flow Verify is useful for validating NSG rule effects at the NIC level it does not perform the broader multi-hop path trace that reveals route table impacts across the path in the same way as Connection Troubleshoot.
When you must determine whether a route or a security rule is blocking communication choose the tool that runs an end to end path check rather than a packet capture or a performance monitor.
Your Azure subscription contains a storage account named datastore2. You plan to use conditional rules when you assign role based access control roles to datastore2. Which of the storage services support conditional role assignments?
-
✓ F. Blob containers and queue storage only
The correct option is Blob containers and queue storage only.
This answer is correct because Azure role assignments with conditions currently support scoping to the storage resource types that represent containers and queues. The Blob containers and queue storage only option reflects that conditional role assignments can be applied to the resource types Microsoft.Storage/storageAccounts/blobServices/containers and Microsoft.Storage/storageAccounts/queueServices/queues so you can grant fine grained access at the container and queue level.
Azure Files only is incorrect because file shares are not among the storage resource types that support conditional role assignments at this time. Conditional assignments do not target file share resources in the storage resource provider.
Azure Data Lake Storage Gen2 only is incorrect because although ADLS Gen2 builds on Blob Storage, conditional role assignments are expressed against blob container and queue resource types rather than a separate ADLS Gen2 resource type. The ADLS Gen2 interface is not listed as a distinct conditional target.
Blob containers only is incorrect because it omits queue storage which is also supported. Conditional assignments cover both containers and queues so selecting only containers is not complete.
File shares and Table storage only is incorrect because neither file shares nor Table storage are supported targets for conditional role assignments. Those endpoints are not listed as resource types that accept RBAC conditions.
Table storage only is incorrect because Table storage is not supported for conditional role assignments and the correct answer must include queues rather than tables.
When a question asks about conditional role assignments look for the specific resource types named in Azure documentation and remember that support is often expressed at the resource provider path such as the blob container and queue paths.
What methods can you use to connect two Azure virtual networks that are in different subscriptions and belong to different Azure Active Directory tenants?
-
✓ C. VNet to VNet VPN using virtual network gateways
VNet to VNet VPN using virtual network gateways is the correct option.
The VNet to VNet VPN using virtual network gateways establishes an IPsec/IKE tunnel between two virtual network gateways so you can connect virtual networks that reside in different subscriptions and different Azure AD tenants. This approach operates at the network layer and does not require the VNets to share the same directory or subscription, so it is a reliable and widely supported way to connect VNets across tenant boundaries.
The VNet to VNet VPN using virtual network gateways also supports cross region and hybrid scenarios and it lets you control routing and security at the gateway level which makes it suitable when direct peering is not possible or not desired.
Azure Virtual WAN hub is not the chosen answer because Virtual WAN is a managed hub and spoke service that introduces a centralized architecture and additional deployment and administrative requirements. It can provide cross subscription connectivity but it is a different pattern and is not the simple VNet to VNet gateway tunnel the question targets.
Virtual network peering across tenants is not selected because peering typically depends on establishing a direct peering relationship which can require tenant level permissions and extra consent and configuration. While some cross subscription and cross tenant peering scenarios exist they are not as universally applicable as a gateway based VPN when tenants are separate.
When you see a question about connecting VNets in different subscriptions and different Azure AD tenants think about network layer solutions such as VNet to VNet VPN that work independently of directory boundaries.
A regional retailer named Northfield Logistics registered the domain example.com and created a public Azure DNS zone called example.com. You need the entries you add to the Azure DNS zone to be reachable from the public internet. What action should you take?
-
✓ C. Update the name server records at the domain registrar to point to the Azure DNS name servers
Update the name server records at the domain registrar to point to the Azure DNS name servers is correct.
When you create a public DNS zone in Azure you are given a set of Azure DNS name servers that must be registered at the domain registrar so that the parent zone delegates the domain to Azure. Updating the registrar name server records delegates the domain to Azure and makes the records you add in the Azure zone reachable from the public internet.
Create the SOA record inside the example.com Azure DNS zone is incorrect. The SOA record is part of the zone data and Azure creates a valid SOA for the hosted zone, but adding or editing an SOA inside the hosted zone does not cause the parent zone to delegate the domain to Azure.
Add NS records to the example.com zone within Azure DNS is incorrect. NS records inside the hosted zone describe the authoritative servers but they do not perform the delegation at the parent registrar. The registrar must be updated so that the parent zone points to the Azure name servers.
Edit the SOA record at the domain registrar to reference Azure is incorrect. Delegation is performed by updating name server records at the registrar and not by changing an SOA at the registrar, and registrars generally publish NS records rather than using an SOA for delegation.
For public DNS questions focus on delegation and whether the parent registrar needs to be updated. If the hosted zone is not reachable from the internet the registrar name servers are usually the place to check.
Your cloud platform team at Everleaf Technologies must build a container deployment pipeline and ensure the service can scale automatically on Microsoft Azure. What steps are necessary to deploy and scale a containerized application in Azure? (Choose 3)
-
✓ A. Enable autoscaling and configure scaling rules in Azure Container Apps
-
✓ C. Deploy the application to Azure Kubernetes Service for orchestration and cluster management
-
✓ D. Create an Azure Container Registry and push your Docker images there
The correct options are Create an Azure Container Registry and push your Docker images there, Deploy the application to Azure Kubernetes Service for orchestration and cluster management, and Enable autoscaling and configure scaling rules in Azure Container Apps.
Create an Azure Container Registry and push your Docker images there is required because a private registry stores the built images so deployment targets can pull them reliably and securely. Using a registry also allows integration with CI and CD pipelines and access control through Azure RBAC.
Deploy the application to Azure Kubernetes Service for orchestration and cluster management is correct when you need advanced orchestration features such as rolling updates, service discovery, persistent volumes, and fine grained control over pods and nodes. AKS provides the cluster management and Kubernetes APIs that production grade container workloads typically require.
Enable autoscaling and configure scaling rules in Azure Container Apps is correct for platform managed container scaling when you want a simpler serverless container model that supports automatic scaling based on HTTP traffic, CPU or custom metrics through KEDA. Container Apps gives a managed way to define scaling rules without operating the underlying cluster.
Use Azure Container Instances for quick single container deployments is incorrect because Azure Container Instances are intended for simple or short lived single container scenarios and they do not provide the same orchestration, replica management, or advanced autoscaling controls that AKS or Container Apps offer.
When an exam question mentions a registry, orchestration, and autoscaling, first identify whether you need full cluster orchestration or a managed serverless container model. Pick AKS for comprehensive orchestration and Container Apps for platform managed autoscaling. Use a registry like ACR to store and deploy images.
A cloud engineering team at Meridian Cloud Services uses Azure and needs to grant permissions at different organizational boundaries. Which of the following are valid scopes for assigning roles in Azure? (Choose 3)
-
✓ A. Subscription
-
✓ C. Management group
-
✓ D. Resource group
The correct options are Subscription, Management group, and Resource group.
Subscription is a primary billing and access boundary in Azure and you can assign roles at the subscription level to grant permissions across all resources within that subscription.
Management group lets you group subscriptions together and assign roles at that higher level so policies and access can be applied consistently across multiple subscriptions.
Resource group is a logical container for related resources and assigning roles at the resource group level scopes permissions to only the resources in that group.
Azure region is not a valid scope for role assignments because regions denote physical locations and Azure RBAC does not operate at the region level. Roles are assigned at the Management group, Subscription, Resource group, or individual resource level instead.
When answering scope questions remember that Azure RBAC supports assignment at the management group, subscription, resource group, and resource levels and not at the region level.
A cloud team at Meridian Finance wants to tighten who can reach its Azure storage accounts. What methods can the team apply to restrict access to those storage accounts? (Choose 3)
-
✓ A. Require Entra ID authentication for Azure Files
-
✓ B. Configure the storage account firewall to allow requests only from specific IP ranges
-
✓ C. Use a virtual network with private endpoints so only traffic from the VNet can reach the storage
The correct options are Require Entra ID authentication for Azure Files, Configure the storage account firewall to allow requests only from specific IP ranges, and Use a virtual network with private endpoints so only traffic from the VNet can reach the storage.
Require Entra ID authentication for Azure Files enforces identity based access so users and services must present Azure AD credentials and you can apply Azure RBAC and directory based controls to limit who can mount or access file shares.
Configure the storage account firewall to allow requests only from specific IP ranges lets you create network rules that permit only trusted client IP addresses or service tags and you can block public network access to reduce exposure.
Use a virtual network with private endpoints so only traffic from the VNet can reach the storage assigns a private IP in your VNet for the storage account so traffic flows over the Azure backbone and you can combine this with firewall and identity controls for strong isolation.
Move the storage account to a different subscription will not by itself restrict network or identity access because subscription boundaries govern management and billing scope and do not change the storage account network or authentication configuration.
When you evaluate access control questions focus on both network restrictions and identity based controls and remember that moving a resource between subscriptions does not change its network or authentication settings.
Which feature of Azure Network Watcher identifies the security rule that is blocking traffic to a virtual machine?
-
✓ B. IP flow verify
IP flow verify is the correct feature for identifying the security rule that is blocking traffic to a virtual machine.
IP flow verify validates a specified packet flow and reports whether the traffic is allowed or denied and which network security group rule or other element caused the denial. It examines source and destination IPs and ports against effective security rules so you can see the exact rule that blocked the traffic.
Packet capture is incorrect because packet capture captures packet data for analysis and troubleshooting but it does not determine or report which security rule blocked a flow.
Next hop is incorrect because next hop identifies the routing hop that traffic will take from a virtual machine and helps with route troubleshooting but it does not show which security rule denied the traffic.
When a question asks which Network Watcher tool identifies the blocking rule choose IP flow verify and remember that packet capture is for capturing traffic and next hop is for routing.
You manage a subscription that contains eight virtual machines, a key vault named CredStore, and a network security group named SecGroupA. All resources are deployed to the West US Azure region. The virtual machines are associated with SecGroupA. SecGroupA currently blocks all outbound internet traffic. You need to allow the virtual machines to reach CredStore while following least privilege and reducing administrative overhead. What should you set as the destination for the outbound rule on SecGroupA?
-
✓ C. a service tag
The correct option is a service tag.
A service tag lets you target the Azure Key Vault service itself rather than opening general internet access. This meets the requirement for least privilege because you grant outbound access only to the service and not to arbitrary addresses, and it reduces administrative overhead because Azure maintains the underlying IP ranges for the service tag.
In practice you would use a service tag such as the Key Vault service tag as the destination in the outbound rule so the virtual machines can reach CredStore without exposing other endpoints. Azure updates the tag as the service scales so you do not need to update rules manually.
A specific IP address range is not ideal because Key Vault is a managed PaaS service and its addresses can change. Relying on fixed IP ranges requires frequent manual updates and increases the chance of accidentally blocking access, so it does not minimize administrative overhead.
An application security group is designed to group NICs within your virtual network and it cannot represent an external Azure platform service like Key Vault. ASGs are not suitable as a destination to allow access to CredStore from your VMs.
When the exam scenario asks to allow outbound access to an Azure platform service choose a service tag when it is available because it gives least privilege and avoids manual IP management.
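To make the service tag reasoning concrete, here is an added Python model of how an NSG evaluates an outbound flow (first match in ascending priority order decides), in the spirit of what IP flow verify reports. It is example code written for this page, not Network Watcher's implementation; the prefixes behind the AzureKeyVault and VirtualNetwork tags are constructed placeholders, and "Internet" is simplified to "anything outside the VNet address space".

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# CONSTRUCTED prefixes standing in for the ranges Azure maintains behind each service tag.
# The real AzureKeyVault ranges are published by Azure and change over time, which is
# exactly why the rule should reference the tag rather than these numbers.
SERVICE_TAG_PREFIXES = {
    "AzureKeyVault": ["203.0.113.0/24", "198.51.100.64/26"],
    "VirtualNetwork": ["10.0.0.0/16"],   # constructed: the VNet's own address space
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first
    direction: str     # "Outbound" or "Inbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    destination: str   # CIDR/IP, "*", or a service tag name
    dest_ports: str    # "443", "1000-2000" or "*"


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port


def _in_any(ip: str, prefixes: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)


def _destination_matches(spec: str, ip: str) -> bool:
    if spec == "*":
        return True
    if spec == "Internet":
        # Simplification: Internet is every address outside the VNet address space.
        return not _in_any(ip, SERVICE_TAG_PREFIXES["VirtualNetwork"])
    if spec in SERVICE_TAG_PREFIXES:
        return _in_any(ip, SERVICE_TAG_PREFIXES[spec])
    return _in_any(ip, [spec])            # plain CIDR or single IP


def ip_flow_verify(rules: Sequence[Rule], direction: str, protocol: str,
                   dest_ip: str, dest_port: int) -> Tuple[str, Optional[str]]:
    """Return (access, rule_name) of the first matching rule, as IP flow verify reports it."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if rule.protocol != "*" and rule.protocol.lower() != protocol.lower():
            continue
        if not _port_matches(rule.dest_ports, dest_port):
            continue
        if not _destination_matches(rule.destination, dest_ip):
            continue
        return rule.access, rule.name
    return "Deny", None                   # unreachable with the default rules present


# Azure's default outbound rules (priorities 65000 to 65500), which every NSG carries.
DEFAULT_OUTBOUND_RULES = [
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*"),
]

# SecGroupA as the question describes it: a custom rule blocks all outbound internet,
# and the added least privilege rule opens only the Key Vault service tag on HTTPS.
SECGROUP_A = [
    Rule("AllowKeyVaultHttps", 100, "Outbound", "Allow", "Tcp", "AzureKeyVault", "443"),
    Rule("DenyInternetOutbound", 4000, "Outbound", "Deny", "*", "Internet", "*"),
] + DEFAULT_OUTBOUND_RULES


if __name__ == "__main__":
    for ip, port, proto in [("203.0.113.10", 443, "Tcp"), ("203.0.113.10", 80, "Tcp"),
                            ("10.0.1.4", 443, "Tcp")]:
        print(ip, port, proto, "->", ip_flow_verify(SECGROUP_A, "Outbound", proto, ip, port))
```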
A boutique software company plans to use an ARM template to provision eight instances of a web application in West Europe and they must meet the deployment prerequisites while minimizing Azure costs. What must they provision before executing the template?
-
✓ C. Provision a single App Service Plan to host all eight web app instances
The correct answer is Provision a single App Service Plan to host all eight web app instances.
You should provision a single App Service Plan in West Europe because an App Service Plan defines the compute resources and pricing and it can host multiple web apps. Using one App Service Plan lets you scale the compute at the plan level and minimizes cost compared with creating separate plans for each app.
Deploy Azure Front Door is incorrect because Azure Front Door is a global application delivery and load balancing service and it is not required to provide the App Service compute resources for the web apps. It is an optional networking component and it would add cost rather than satisfy the deployment prerequisite.
Create separate App Service Plans for each web app instance is incorrect because provisioning eight separate plans increases compute and licensing costs and is unnecessary when a single App Service Plan can host multiple web apps and handle scale.
Set up an Application Gateway is incorrect because Application Gateway is a regional traffic manager and web application firewall and it is not a prerequisite for deploying App Service instances. It is a networking option that adds features and cost but does not replace the need for an App Service Plan.
When a question asks about minimizing cost for multiple web apps remember that an App Service Plan defines compute and pricing and can host several apps so using one plan is usually the most cost effective choice.
This item is part of a scenario set that uses the same baseline. Your organization has a Microsoft Entra tenant named northwind.example.com and an Azure subscription named SubscriptionAlpha. The tenant contains a group named AppBuilders and the subscription contains a resource group named DevelopmentRG. You need to give the AppBuilders group the ability to create Azure Logic Apps in DevelopmentRG. The proposed solution assigns the Logic App Operator role to the AppBuilders group on DevelopmentRG. Does this achieve the requirement?
-
✓ B. No, assigning the Logic App Operator role to AppBuilders on DevelopmentRG does not provide creation rights
No, assigning the Logic App Operator role to AppBuilders on DevelopmentRG does not provide creation rights is correct.
The Logic App Operator role is intended for operational and monitoring tasks and it does not include the permissions required to create new Logic App workflows. Creating Logic Apps requires write level permissions on Microsoft.Logic resources which are provided by roles that include the write action such as Contributor or the Logic App Contributor role.
Yes, assigning the Logic App Operator role to AppBuilders on DevelopmentRG grants the required permissions is incorrect because the operator role lacks the write permission on Logic App resources and so cannot create or update workflows. To grant creation rights assign a role that includes Microsoft.Logic/workflows/write or use a custom role that adds that action.
When a question focuses on resource creation look specifically for roles that include the write action and check the role definition in the documentation to confirm which operations are allowed.
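As an added example (written for this page, not Microsoft's code), the Python model below shows the two checks Azure RBAC performs for this scenario: an operation is allowed when a pattern in the role's Actions matches it and none in NotActions excludes it (the `*` wildcard spans any characters, including `/`), and the assignment's scope must contain the target resource. The role definitions here are constructed subsets carrying only the actions relevant to the question, not the authoritative built-in definitions.

```python
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class RoleDefinition:
    name: str
    actions: List[str]
    not_actions: List[str] = field(default_factory=list)


# Constructed subsets of the roles discussed on the page (check the documentation for the
# full Actions/NotActions lists before relying on them).
LOGIC_APP_OPERATOR = RoleDefinition(
    "Logic App Operator (constructed subset)",
    actions=[
        "Microsoft.Logic/*/read",               # read workflows, runs, triggers, history
        "Microsoft.Logic/workflows/*/action",   # run, enable, disable an existing workflow
    ],
)
LOGIC_APP_CONTRIBUTOR = RoleDefinition(
    "Logic App Contributor (constructed subset)",
    actions=["Microsoft.Logic/*"],              # covers Microsoft.Logic/workflows/write
)
CONTRIBUTOR = RoleDefinition(
    "Contributor (constructed subset)",
    actions=["*"],
    not_actions=[                               # Contributor cannot manage access itself
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/*/Delete",
    ],
)


def _pattern_matches(pattern: str, operation: str) -> bool:
    """RBAC wildcard match: '*' matches any run of characters; names are case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def role_allows(role: RoleDefinition, operation: str) -> bool:
    """Effective permission = Actions minus NotActions."""
    if not any(_pattern_matches(p, operation) for p in role.actions):
        return False
    return not any(_pattern_matches(p, operation) for p in role.not_actions)


def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """An assignment applies at its scope and is inherited by everything beneath it."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def is_permitted(role: RoleDefinition, assignment_scope: str,
                 resource_id: str, operation: str) -> bool:
    return scope_covers(assignment_scope, resource_id) and role_allows(role, operation)


def can_create_logic_app(role: RoleDefinition) -> bool:
    """Creating a workflow needs the write action on Microsoft.Logic/workflows."""
    return role_allows(role, "Microsoft.Logic/workflows/write")


# Placeholder subscription id and the resource group from the question.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
DEVELOPMENT_RG = SUB + "/resourceGroups/DevelopmentRG"
NEW_WORKFLOW = DEVELOPMENT_RG + "/providers/Microsoft.Logic/workflows/order-intake"

if __name__ == "__main__":
    for role in (LOGIC_APP_OPERATOR, LOGIC_APP_CONTRIBUTOR, CONTRIBUTOR):
        print(f"{role.name}: can create Logic Apps in DevelopmentRG ->",
              is_permitted(role, DEVELOPMENT_RG, NEW_WORKFLOW, "Microsoft.Logic/workflows/write"))
```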
A logistics startup named Harbor Analytics must create an Azure storage account called dataplane02. The design must support Azure Data Lake Storage and keep costs low for data that is rarely accessed. The storage must also automatically replicate data to a secondary Azure region. Which configuration settings should be applied to dataplane02? (Choose 3)
-
✓ A. Cool access tier
-
✓ C. Geo-redundant storage (GRS)
-
✓ D. Hierarchical namespace
The correct options are Cool access tier, Geo-redundant storage (GRS), and Hierarchical namespace.
Cool access tier is intended for data that is infrequently accessed and it offers lower storage costs while trading off slightly higher access charges, so it keeps costs low for rarely accessed data.
Geo-redundant storage (GRS) asynchronously replicates data to a secondary Azure region and it therefore satisfies the requirement to automatically replicate data to a geographically separate region.
Hierarchical namespace enables Azure Data Lake Storage Gen2 capabilities on the storage account and it provides filesystem semantics and performance characteristics needed for Data Lake workloads.
Zone-redundant storage (ZRS) is incorrect because it replicates data across availability zones within a single region and it does not provide automatic replication to a secondary geographic region.
Hot access tier is incorrect because it is optimized for frequently accessed data and it would increase storage costs for data that is rarely accessed.
Look for keywords in the question such as rarely accessed to choose the Cool tier and look for replicate to a secondary region to choose a geo redundant option like GRS. Also watch for the phrase Data Lake or filesystem semantics to know you need the Hierarchical namespace.
If you enable Update settings on an Azure virtual machine, will the VM be moved to a different physical host to avoid scheduled host maintenance?
-
✓ A. No, enabling Update settings will not move the VM
No, enabling Update settings will not move the VM is correct.
Enabling the Update settings on an Azure virtual machine controls how the platform applies OS and host updates and whether those updates are applied automatically or require manual approval. It does not cause the platform to relocate the VM to a different physical host as part of normal update configuration. Azure will attempt live migration or will reboot a VM when required by platform maintenance but changing the Update settings alone does not perform a host move.
Yes, enabling Update settings will move the VM is incorrect because there is no automatic host relocation triggered simply by turning on or off update preferences. Moving a VM to another physical host is an explicit operation such as using the Redeploy action or other migration tools, and it is not the same as adjusting maintenance or update settings.
When you see questions about moving a VM look for actions named Redeploy or migration tools. Settings about updates usually control maintenance behavior and not host relocation.
A regional retailer named Apex Retail plans to bulk upload new employee accounts and they want each imported account to be automatically placed into the correct department group based on the user department attribute while reducing manual work. What steps should they take? (Choose 2)
-
✓ B. Create a CSV file containing user details and the required attribute columns
-
✓ D. Create groups configured for Dynamic User membership
The correct answers are Create a CSV file containing user details and the required attribute columns and Create groups configured for Dynamic User membership.
For the bulk import step, Create a CSV file containing user details and the required attribute columns is correct because Azure Active Directory supports CSV bulk creation and the file lets you include the department attribute for each user. Including the department attribute in the import ensures the data that drives automation is present from the start.
For group automation, Create groups configured for Dynamic User membership is correct because dynamic membership rules can evaluate a user attribute such as department and automatically add imported accounts to the appropriate group. This approach reduces manual assignment work and keeps group membership in sync with user attributes.
Microsoft Graph API is not the best choice here because it is an API approach that requires custom development and is more complex than using the built in CSV bulk import and dynamic groups for this use case.
Create groups that use Assigned membership is incorrect because assigned membership requires manually adding users to groups and does not automatically place new accounts into groups based on attributes.
Write a PowerShell script to parse the import and set group membership is incorrect for this scenario because scripting can accomplish the goal but it is an unnecessary manual solution when dynamic groups can apply rules automatically without custom code.
Generate an XML file with the user records and attributes is incorrect because Azure AD bulk user creation expects CSV format and does not use a generic XML import as the supported bulk upload method.
When preparing for the exam or a real deployment make sure to include the exact attribute names such as department in your CSV and test dynamic group rules with a small batch before importing a large number of users.
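The "test dynamic group rules with a small batch" advice above can be rehearsed offline. The added Python below (example code for this page, not Microsoft's) parses a bulk-create CSV and evaluates simple-property dynamic membership rules such as `(user.department -eq "Finance")` to preview which group each imported account would land in. The CSV header mimics the portal's bulk create template (an assumption; download the real template from the portal), the rows are constructed, and the evaluator supports only the single-clause rule forms shown.

```python
import csv
import io
import re
from typing import Dict, List

# CONSTRUCTED CSV in the shape of the bulk create template: a version row, then headers
# whose bracketed part is the user attribute name, then one row per user.
BULK_USERS_CSV = """version:v1.0
Name [displayName] Required,User name [userPrincipalName] Required,Initial password [passwordProfile] Required,Block sign in (Yes/No) [accountEnabled] Required,Department [department],Job title [jobTitle]
Ada Example,ada@apexretail.example,<placeholder>,No,Finance,Analyst
Bo Example,bo@apexretail.example,<placeholder>,No,Logistics,Planner
Cy Example,cy@apexretail.example,<placeholder>,No,finance,Controller
Di Example,di@apexretail.example,<placeholder>,No,,Intern
"""

# Dynamic membership rules keyed by group name, written in the Entra rule syntax.
DYNAMIC_GROUPS = {
    "Dept-Finance": '(user.department -eq "Finance")',
    "Dept-Logistics": '(user.department -eq "Logistics")',
    "Has-Department": '(user.department -ne null)',
}


def parse_bulk_csv(text: str) -> List[Dict[str, str]]:
    """Return one dict per user keyed by attribute name (displayName, department, ...)."""
    lines = text.splitlines()
    if lines and lines[0].startswith("version:"):
        lines = lines[1:]                          # drop the template version row
    reader = csv.reader(io.StringIO("\n".join(lines)))
    header = next(reader)
    attrs = [re.search(r"\[(\w+)\]", h).group(1) for h in header]
    return [dict(zip(attrs, row)) for row in reader if row]


# Single clause: optional parentheses, user.<attr> <operator> "literal" | null
_RULE = re.compile(
    r'^\(?\s*user\.(\w+)\s+(-eq|-ne|-startsWith|-contains)\s+("([^"]*)"|null)\s*\)?$')


def rule_matches(rule: str, user: Dict[str, str]) -> bool:
    """Evaluate one simple-property rule against a user record.

    String comparisons are treated as case-insensitive here (an assumption to verify
    against the Entra rule documentation); an empty CSV cell counts as null."""
    m = _RULE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax in this example: {rule}")
    attr, op, literal, quoted = m.groups()
    value = user.get(attr) or None
    if literal == "null":
        if op == "-eq":
            return value is None
        if op == "-ne":
            return value is not None
        raise ValueError("null may only be compared with -eq or -ne")
    if value is None:
        return op == "-ne"                        # a missing attribute never equals a literal
    v, lit = value.lower(), quoted.lower()
    return {"-eq": v == lit, "-ne": v != lit,
            "-startsWith": v.startswith(lit), "-contains": lit in v}[op]


def preview_membership(csv_text: str = BULK_USERS_CSV,
                       groups: Dict[str, str] = DYNAMIC_GROUPS) -> Dict[str, List[str]]:
    """Map each group name to the sorted UPNs its rule would admit after import."""
    users = parse_bulk_csv(csv_text)
    return {name: sorted(u["userPrincipalName"] for u in users if rule_matches(rule, u))
            for name, rule in groups.items()}


if __name__ == "__main__":
    for group, members in preview_membership().items():
        print(f"{group}: {members}")
```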
A regional tech studio named RiverStone is assigning a custom host name to its Azure App Service and it will manage the domain using Azure DNS. Which DNS record type should RiverStone create in Azure DNS so the record points to the App Service default hostname?
-
✓ C. CNAME Record
The correct answer is CNAME Record.
CNAME Record is correct because a CNAME maps an alias name to a canonical host name and it is the standard way to point a custom host name or subdomain to the App Service default host name such as myapp.azurewebsites.net. App Service verifies the mapping to the platform provided host name so using a CNAME ensures the DNS name resolves to that canonical name.
A Record is incorrect because an A record maps a name to an IP address and does not point to another host name. Using an A record would require an IP address which is not the same as pointing to the App Service default host name.
TXT Record is incorrect because TXT records are used for carrying arbitrary text and verification data and they do not create an alias to the App Service hostname.
Alias record is incorrect for this question because although Azure DNS supports alias records for mapping apex domains to Azure resources, the standard and expected method to point a custom host name to the App Service default host name is to use a CNAME. Alias records are more commonly used when you must map a root domain and cannot create a CNAME at the apex.
When you need to point a subdomain to an Azure App Service remember to use a CNAME to map to the service default host name and reserve A or Alias records for situations where you must map the root domain.
The ContosoTech subscription contains multiple virtual machines that run Windows Server and it includes a data collection rule named DataCollectorA. You plan to use the Azure Monitor Agent to collect entries from the Windows System event log and you only need events with an event ID of 1201. Which type of query should you configure for the data source in DataCollectorA?
- ✓ B. XPath
The correct option is XPath.
You should configure an XPath query because Windows event logs are filtered at collection time using XPath expressions and the Azure Monitor Agent data collection rule for event logs accepts an XPath filter to select specific event IDs. Using an XPath filter lets you target the System event log and return only events where the event ID equals 1201 so less data is collected and sent to the workspace.
KQL is incorrect because Kusto Query Language is used to query data after it has been ingested into Log Analytics and it is not used as the collection time filter for Windows event logs in a data collection rule.
SQL is incorrect because SQL is not supported for filtering Windows event logs in Azure Monitor Agent data collection rules and it is not the mechanism used to select events by event ID.
When a question asks how to filter Windows event logs at collection time remember to choose XPath for event ID based filters and use KQL only for queries after ingestion.
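As an added example (not part of the original course material), the block below builds the `windowsEventLogs` data source entry for a data collection rule with an XPath query in the documented `<Channel>!*[System[EventID=<id>]]` form, and then applies that query to a few constructed Windows event XML records to show how collection-time filtering keeps only event 1201. The `Microsoft-Event` stream name and the `dataSources.windowsEventLogs` shape follow the DCR schema; the sample events and the small matcher (which understands only the EventID predicate subset used here) are assumptions of this example.

```python
"""Build a DCR Windows event log data source and test its XPath filter.

Added illustration, not Microsoft code. The events are constructed XML in
the Windows event schema namespace, not real log exports.
"""
import json
import re
import xml.etree.ElementTree as ET

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}


def windows_event_source(name: str, channel: str, event_ids: list) -> dict:
    """One entry for dataSources.windowsEventLogs selecting the given IDs."""
    ids = " or ".join(f"EventID={i}" for i in event_ids)
    predicate = f"({ids})" if len(event_ids) > 1 else ids
    return {
        "name": name,
        "streams": ["Microsoft-Event"],
        "xPathQueries": [f"{channel}!*[System[{predicate}]]"],
    }


def dcr_data_sources(sources: list) -> dict:
    """Wrap data source entries in the dataSources fragment of a DCR."""
    return {"dataSources": {"windowsEventLogs": sources}}


# Channel name, then the EventID predicate (with or without parentheses).
QUERY_RE = re.compile(r"^(?P<channel>[^!]+)!\*\[System\[\(?(?P<ids>.+?)\)?\]\]$")


def parse_query(xpath_query: str):
    """Return (channel, set of event IDs) for the EventID-only query subset."""
    match = QUERY_RE.match(xpath_query)
    if not match:
        raise ValueError(f"unsupported query: {xpath_query!r}")
    ids = {int(x) for x in re.findall(r"EventID=(\d+)", match.group("ids"))}
    return match.group("channel"), ids


def _event(channel: str, event_id: int, message: str) -> str:
    """Constructed sample event in the Windows event XML layout."""
    return (
        f'<Event xmlns="{EVENT_NS}"><System><Provider Name="Sample"/>'
        f"<EventID>{event_id}</EventID><Channel>{channel}</Channel></System>"
        f"<EventData><Data>{message}</Data></EventData></Event>"
    )


SAMPLE_EVENTS = [
    _event("System", 1201, "constructed: matching event"),
    _event("System", 7036, "constructed: service state change"),
    _event("Application", 1201, "constructed: same ID, wrong channel"),
]


def collect(xpath_query: str, events_xml: list) -> list:
    """Return (channel, event_id, message) for events the query would keep."""
    channel, ids = parse_query(xpath_query)
    kept = []
    for raw in events_xml:
        root = ET.fromstring(raw)
        ev_channel = root.findtext("e:System/e:Channel", namespaces=NS)
        ev_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
        if ev_channel == channel and ev_id in ids:
            kept.append((ev_channel, ev_id, root.findtext("e:EventData/e:Data", namespaces=NS)))
    return kept


if __name__ == "__main__":
    source = windows_event_source("systemEvent1201", "System", [1201])
    print(json.dumps(dcr_data_sources([source]), indent=2))
    print(collect(source["xPathQueries"][0], SAMPLE_EVENTS))
```

The point of the matcher is the data-volume story from the answer: of three sample events only the System-channel event 1201 survives, so that is all the agent would send; the KQL work against the `Event` table happens only after ingestion.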
Acme Cloud Services recently hired a new cloud engineer who must also be able to manage other engineers' access while the team follows the principle of least privilege and subscription governance. Which role should you assign to the new engineer?
- ✓ D. User Access Administrator
The correct answer is User Access Administrator.
User Access Administrator allows the engineer to create and manage role assignments at the subscription and resource scopes so they can grant or revoke access without being given broad resource management permissions. This supports the principle of least privilege and fits subscription governance because the engineer can control who has access while not being able to change the actual resources.
Owner is incorrect because that role grants full control of resources and access and it is far more permissive than needed for managing other engineers' access.
Privileged Role Administrator is incorrect because it is an Azure Active Directory privileged role for managing directory elevated roles and it does not provide the scoped ability to assign subscription level RBAC roles for resource access.
Contributor is incorrect because it allows managing resources but it cannot manage role assignments so the engineer could not use it to control other engineers' access.
When a question focuses on managing permissions rather than resources look for role names that include Access or mention role assignments.
Which Azure storage resource types in the storageSecondary account can an encryption scope encrypt?
- ✓ B. Containers and blobs in storageSecondary only
The correct option is Containers and blobs in storageSecondary only.
Encryption scopes are a Blob service feature that let you select which encryption key is used for a container or for an individual blob. They are created and applied within a single storage account so when you configure an encryption scope on storageSecondary it affects the containers and blobs that belong to that account.
Containers blobs and file shares in storageSecondary is incorrect because encryption scopes do not apply to Azure file shares. File shares use a different encryption mechanism and are not covered by blob encryption scopes.
Containers and blobs in storagePrimary and storageSecondary is incorrect because encryption scopes are scoped to a single storage account and they do not automatically span multiple accounts.
When answering questions about encryption scopes remember they apply to the Blob service and are set at the storage account level for containers and blobs rather than for file shares or across multiple accounts.
After moving our on premises web service to an Azure App Service named live-finapp the site at https://www.accountingdashboard.scrumtuous.com no longer resolves using the original domain. You must update DNS so the custom hostname points to the new App Service. Which DNS records will allow the domain to resolve to the Azure App Service? (Choose 2)
- ✓ A. Create a CNAME record that points to live-finapp.azurewebsites.net
- ✓ C. Create an A record that maps the root domain to the public IPv4 address used by the App Service
The correct options are Create a CNAME record that points to live-finapp.azurewebsites.net and Create an A record that maps the root domain to the public IPv4 address used by the App Service.
Create a CNAME record that points to live-finapp.azurewebsites.net is correct because a CNAME maps a subdomain such as www to the App Service default host name and it causes DNS to resolve the alias to the Azure hosted app name rather than to a static IP. This is the usual approach for non-apex host names because it keeps the DNS entry pointing at the service name, which can change.
Create an A record that maps the root domain to the public IPv4 address used by the App Service is correct because DNS does not allow a CNAME on the apex or root domain and the root must point to an IP address. Azure provides the App Service IP to use for the apex and you must create the A record to map the naked domain to that IP and then add the hostname binding in the App Service.
Create a TXT record to verify domain ownership with the registrar is incorrect because a TXT record only proves ownership or provides metadata and it does not cause the domain to resolve to the App Service by itself. Verification may be required during setup but the TXT does not replace the A or CNAME records needed for resolution.
Create an ALIAS record that points the apex domain to live-finapp.azurewebsites.net is incorrect in the context of standard Azure DNS configuration because the common and supported method is an A record for the apex. Some DNS providers offer ALIAS or ANAME flattening but that is not the standard Azure App Service workflow and the exam expects the A record approach for the root.
When mapping a custom domain use CNAME for subdomains like www and use an A record for the apex after you add the custom hostname in App Service and complete any required verification.
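The two DNS questions above (the RiverStone CNAME question and the live-finapp question) apply the same rules, so here is one added example (not part of the original course material) that checks a proposed record set against them: a subdomain maps with a CNAME to the app's `<app>.azurewebsites.net` default host name, the apex must not carry a CNAME and maps with an A record to an IPv4 address, and a TXT record never makes a name resolve on its own. The zone and app name are taken from the question; the IP address, the record-set layout (`name`, `type`, `value`, with `@` for the apex) and the `resolution_plan` function are constructed for this example.

```python
"""Check DNS records proposed for an App Service custom hostname.

Added illustration, not Azure code. Records are dicts with a relative name
("@" for the apex), a type and a value; the zone and app name are the ones
from the question, the IP address is a constructed sample.
"""
import ipaddress


def resolution_plan(zone: str, app_name: str, records: list, wanted: list):
    """Return (resolved, errors).

    resolved maps each FQDN that would reach the App Service to the record
    type that does it; errors lists records that break the rules and any
    hostname in `wanted` (relative names, "@" for apex) left unmapped.
    """
    default_host = f"{app_name}.azurewebsites.net"
    resolved, errors = {}, []

    def fqdn_of(name):
        return zone if name == "@" else f"{name}.{zone}"

    for rec in records:
        name, rtype, value = rec["name"], rec["type"].upper(), rec["value"]
        fqdn = fqdn_of(name)
        if rtype == "CNAME":
            if name == "@":
                # DNS does not allow a CNAME at the zone apex.
                errors.append(f"{fqdn}: CNAME is not allowed at the apex; use an A record")
            elif value.rstrip(".").lower() != default_host:
                errors.append(f"{fqdn}: CNAME must target {default_host}, got {value}")
            else:
                resolved[fqdn] = "CNAME"
        elif rtype == "A":
            try:
                ip = ipaddress.ip_address(value)
            except ValueError:
                ip = None
            if ip is None or ip.version != 4:
                errors.append(f"{fqdn}: A record needs an IPv4 address, got {value!r}")
            else:
                resolved[fqdn] = "A"
        elif rtype == "TXT":
            # Ownership verification data only; it does not resolve the name.
            continue
        else:
            errors.append(f"{fqdn}: {rtype} record does not map the name to the App Service")

    for name in wanted:
        if fqdn_of(name) not in resolved:
            errors.append(f"{fqdn_of(name)}: no A or CNAME record maps this name")
    return resolved, errors


# Constructed sample record sets for the zone used in the question.
ZONE = "accountingdashboard.scrumtuous.com"
GOOD_RECORDS = [
    {"name": "www", "type": "CNAME", "value": "live-finapp.azurewebsites.net"},
    {"name": "@", "type": "A", "value": "203.0.113.10"},          # sample IP
    {"name": "@", "type": "TXT", "value": "constructed-verification-token"},
]
BAD_RECORDS = [
    {"name": "@", "type": "CNAME", "value": "live-finapp.azurewebsites.net"},
    {"name": "www", "type": "A", "value": "2001:db8::1"},
]

if __name__ == "__main__":
    for label, recs in (("good", GOOD_RECORDS), ("bad", BAD_RECORDS)):
        resolved, errors = resolution_plan(ZONE, "live-finapp", recs, ["www", "@"])
        print(label, resolved, errors)
```

The TXT record is accepted silently but counts toward nothing, which mirrors why it is a wrong answer in the question: it may be needed during verification, yet only the CNAME and the A record make the two host names resolve.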
A regional retailer named Northwind Systems operates a Microsoft SQL Server Always On availability group across Azure virtual machines. You need to set up an internal Azure load balancer to serve as the availability group listener. The proposed change is to enable the load balancer’s floating IP. Does this configuration meet the requirement?
- ✓ B. Yes
The correct answer is Yes. Enabling the internal load balancer’s floating IP is the required configuration to present an Always On availability group listener behind an Azure internal load balancer.
When you use an internal Azure Load Balancer for an Always On listener the load balancer must allow direct server return so that the replica owning the listener IP can reply using the listener address. Enabling the load balancer’s floating IP achieves this behavior. You also need a frontend IP that matches the listener address, a health probe that targets the listener port, and a load balancing rule with Floating IP enabled so traffic is directed to the primary replica while the health probe determines the active node.
No is incorrect because leaving the floating IP disabled prevents the backend SQL Server instance from responding with the listener IP. Without Floating IP the return traffic would not preserve the listener address and the Always On listener would not function correctly behind the internal load balancer.
When a question mentions an Always On listener behind an internal load balancer remember to check that Floating IP is enabled and that a proper health probe and load balancing rule are configured.
An operations group at MapleTech is creating a new Azure Policy definition for their environment and they must pick a mode that governs how resources are evaluated. Which of the following entries is not a supported mode for Azure Policy definitions?
- ✓ B. DoNotAllow
The correct option is DoNotAllow.
DoNotAllow is not a valid Azure Policy mode. Policy modes determine how resources and types are evaluated during policy enforcement and the documented modes are All, Indexed, and Microsoft.KeyVault.Data. Since DoNotAllow is not one of the supported modes it is the correct choice for this question.
Microsoft.KeyVault.Data is an actual policy mode that targets Key Vault data plane operations and it is used when policies must evaluate secrets and keys at the data layer. That is why this option is not the correct answer to the question.
Indexed is a supported mode that evaluates resource properties that are indexed by the resource manager and it is commonly used for standard ARM resource policies. That makes this option a valid mode and therefore not the right answer here.
All is a supported mode that allows evaluation across a broader set of resource types including those that are not indexed. This option is valid as a mode so it is also not the correct choice for this question.
When a question asks about Azure Policy modes remember the documented modes are All Indexed and Microsoft.KeyVault.Data and any other term is likely not a mode but an effect or a distractor.
When you create a static threshold metric alert for a monitoring service what is the name of the lookback interval over which the metric values are evaluated?
- ✓ C. Evaluation period
The correct option is Evaluation period.
The Evaluation period is the lookback window that a static threshold alert uses to examine past metric values and decide whether the threshold condition has been satisfied for long enough to open an incident. When you configure a threshold alert you set how long the metric must remain above or below the threshold and that duration is the evaluation period.
The Cloud Monitoring alignment period refers to the interval used when raw metric points are aligned or resampled into fixed time buckets and it governs how individual data points are produced rather than how long an alert looks back.
The Timeslice concept usually denotes an individual aligned interval or a single slice of data within a larger series and it is not the total lookback duration used by the alert policy.
The Aggregation window describes how metric data is aggregated or reduced over time for visualization or processing and it does not represent the alert evaluation duration that determines when an incident is triggered.
When a question asks about the alert lookback duration focus on terms that describe how long a condition must hold. The UI and docs use the phrase evaluation period for that duration.
How can developers publish to an App Service using Web Deploy with their Azure AD accounts while ensuring least privilege access?
- ✓ B. Assign Website Contributor role
Assign Website Contributor role is correct.
The Website Contributor role grants permissions scoped to App Service resources so developers can publish with Web Deploy while using their Azure AD accounts. This role allows management and deployment operations for web apps without giving full subscription level access which supports the principle of least privilege.
Use App Service publish profile credentials is incorrect because publish profile credentials are static deployment secrets that are not tied to Azure AD and they do not enforce RBAC or centralized access control. They are harder to audit and rotate and so do not meet the requirement to use Azure AD accounts while enforcing least privilege.
Assign Contributor role is incorrect because Contributor grants broad permissions across many resource types and it is more permissive than needed for publishing web apps. Assigning Contributor would violate least privilege when a narrower built in role such as the Website Contributor role is available.
When you see “least privilege” on the exam think about assigning the narrowest built in role that is scoped to the resource. Avoid broad roles such as Contributor when a role that targets App Service exists.
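Both RBAC questions above (User Access Administrator for managing access, Website Contributor for Web Deploy publishing) come down to the same evaluation rule, so here is one added example (not part of the original course material) that applies it: an operation is allowed by a role when it matches one of the role's `Actions` and none of its `NotActions`, with `*` matching any characters including `/`. The role definitions are abbreviated excerpts of the built-in roles limited to the actions relevant here (an assumption of this example; compare against the live definitions with `Get-AzRoleDefinition` before relying on them), and the operation catalogue used to rank roles by how much they permit is constructed.

```python
"""Pick the least-privileged built-in role that still allows a task.

Added illustration, not Microsoft code. ROLES holds abbreviated excerpts of
built-in role definitions (assumption: verify against the live definitions).
"""
from fnmatch import fnmatchcase

ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "User Access Administrator": {
        "Actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "NotActions": [],
    },
    "Website Contributor": {
        "Actions": [
            "Microsoft.Authorization/*/read",
            "Microsoft.Resources/deployments/*",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
            "Microsoft.Support/*",
            "Microsoft.Web/certificates/*",
            "Microsoft.Web/serverFarms/join/action",
            "Microsoft.Web/serverFarms/read",
            "Microsoft.Web/sites/*",
        ],
        "NotActions": [],
    },
}

# Constructed catalogue of operations used to rank how broad each role is.
SAMPLE_OPERATIONS = [
    "Microsoft.Web/sites/read",
    "Microsoft.Web/sites/write",
    "Microsoft.Web/sites/publishxml/action",
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Storage/storageAccounts/write",
]


def _matches(patterns: list, operation: str) -> bool:
    # Action strings are compared case-insensitively; '*' spans '/' as well.
    return any(fnmatchcase(operation.lower(), p.lower()) for p in patterns)


def role_allows(role_name: str, operation: str) -> bool:
    """Allowed when some Action matches and no NotAction matches."""
    role = ROLES[role_name]
    return _matches(role["Actions"], operation) and not _matches(role["NotActions"], operation)


def permitted_count(role_name: str, catalogue: list = SAMPLE_OPERATIONS) -> int:
    """How many catalogue operations the role permits (a breadth score)."""
    return sum(role_allows(role_name, op) for op in catalogue)


def least_privilege_role(required_ops: list, catalogue: list = SAMPLE_OPERATIONS) -> str:
    """Among roles allowing every required operation, return the narrowest."""
    candidates = [r for r in ROLES if all(role_allows(r, op) for op in required_ops)]
    if not candidates:
        raise LookupError("no role in the table allows all required operations")
    return min(candidates, key=lambda r: permitted_count(r, catalogue))


if __name__ == "__main__":
    manage_access = ["Microsoft.Authorization/roleAssignments/write",
                     "Microsoft.Authorization/roleAssignments/delete"]
    publish = ["Microsoft.Web/sites/publishxml/action", "Microsoft.Web/sites/write"]
    print("manage access ->", least_privilege_role(manage_access))
    print("web deploy    ->", least_privilege_role(publish))
```

The Contributor case is the instructive one: its `Actions` list is `*`, so it looks like it can do anything, but `Microsoft.Authorization/*/Write` in `NotActions` is what removes role-assignment writes and makes it the wrong answer for the access-management question.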
Cameron McKenzie is an AWS Certified AI Practitioner, Machine Learning Engineer, Copilot Expert, Solutions Architect and author of many popular books in the software development and Cloud Computing space. His growing YouTube channel training devs in Java, Spring, AI and ML has well over 30,000 subscribers.
