AZ-104 Practice Tests on Azure Administrator Exam Topics

Microsoft AZ-104 Certification Exam Topics

Want to pass the AZ-104 certification exam on your first try? Then you are in the right place, because we have put together a collection of sample AZ-104 exam questions that will help you learn key concepts and prepare for the real AZ-104 test.

All of these AZ-104 practice questions come from my training courses and the certificationexams.pro website, two resources that have helped many students pass the AZ-104 exam. If you are interested in even more AZ-104 practice tests, using exam simulators with realistic question styles is highly recommended.

AZ-104 Administrator Practice Questions

These are not AZ-104 exam dumps or braindumps. They are carefully developed questions that resemble what you will experience on the real AZ-104 certification exam. They will help you prepare honestly and build real knowledge of Azure administration.

So get ready to test your skills. Good luck on these practice questions, and even better luck when you take the official AZ-104 exam.

AZ-104 Azure Exam Simulator Questions

You have an on-premises Windows server that contains a directory named D:\DataArchive and you must transfer all of its files to the public container in an Azure Storage account called mcnzdata. Which command should you run?

An account appears in your Azure AD directory as john_marketing_com#EXT#@example.com. Which statement best describes this account?

  • ❏ A. The user account has been removed from the directory

  • ❏ B. The account represents a guest or external user in the directory

  • ❏ C. The account is a regular member of the tenant

  • ❏ D. The account has been disabled to prevent sign in

A software vendor called Meridian Freight hosts a SQL Server Always On availability group on Azure virtual machines and they want to use an internal Azure load balancer as the listener for the availability group. If they configure session persistence to Client IP does this meet the deployment requirement?

  • ❏ A. Yes the Client IP session persistence meets the requirement

  • ❏ B. No the Client IP session persistence does not meet the requirement

Your organization manages an Azure Active Directory tenant that contains 6,400 user accounts and you create a new account named SupportAdmin2. You need to grant the User Administrator administrative role to SupportAdmin2. Which action should you perform within the user account settings?

  • ❏ A. Assign a role to the account in the Subscription access control IAM pane

  • ❏ B. Modify the user’s Directory role setting on the Directory role blade

  • ❏ C. Place the account into an administrative group from the Groups pane

Aurora Systems maintains an Azure Resource Manager template that will provision eight virtual machines and the operations team wants to automate the rollout using both Azure CLI and PowerShell. Which two commands should they run to deploy the ARM template? (Choose 2)

  • ❏ A. az vm list

  • ❏ B. New-AzResourceGroupDeployment

  • ❏ C. New-AzVM

  • ❏ D. az deployment group create

A retail firm named Meridian Systems maintains an Azure virtual machine called AppServer02. The operations team created an Azure Backup recovery point named SnapshotA. After SnapshotA was created they changed the VM size, copied a file named Report.xlsx into a Docs folder, reset the built-in administrator password and attached a new data disk. An engineer restored the VM by choosing the Replace existing option and used SnapshotA. Which change needs to be performed again after the restore?

  • ❏ A. Reattach the added data disk

  • ❏ B. Reapply the new VM size

  • ❏ C. Recopy Report.xlsx into the Docs folder

  • ❏ D. Reset the built in administrator password

A technology startup named CloudMart runs twelve virtual machines in its Azure tenant and the operations crew needs notifications if any virtual machine restarts, stops or becomes deallocated by Azure. Notifications must be sent to three administrators by email and by Azure mobile app push messages. You plan to configure alert rules, action groups and notification actions in the Azure portal. What is the minimum number of alert rules, action groups and actions you must create?

  • ❏ A. Two alert rules three action groups and one action

  • ❏ B. One alert rule one action group and one action

  • ❏ C. Three alert rules one action group and three actions

  • ❏ D. Three alert rules one action group and one action

A cloud team at Aurora Tech uses Azure Active Directory and they need a conditional access rule that forces members of the Global Administrators group to use multi factor authentication and to sign in from an Azure AD joined device when they connect from untrusted networks. The suggested change is to open the multi factor authentication user settings page and modify per user options. Will this approach satisfy the requirement?

  • ❏ A. Yes

  • ❏ B. No

Open the Fabrikam Inc. scenario at https://example.com/doc/2aBcdEfG in a new tab and answer using that scenario. For the statement below select Yes if it is true otherwise select No. “From AppVM you can establish a Remote Desktop session to DBVM”?

  • ❏ A. No

  • ❏ B. Yes

Review the NovaTech case study in the exam materials and implement the planned container updates for the new deployment images. Which Azure services can host Image2?

  • ❏ A. Azure Container Apps only

  • ❏ B. Azure App Service or Azure Container Instances only

  • ❏ C. Azure App Service, Azure Container Apps, or Azure Container Instances

  • ❏ D. Azure Kubernetes Service only

  • ❏ E. Azure Container Instances only

  • ❏ F. Azure App Service or Azure Container Apps only

Your cloud operations team needs to configure a storage account firewall to limit which clients can reach storage resources for a retail application at HarborTech. Which methods can you use to permit only specific sources to access the storage account? (Choose 2)

  • ❏ A. Whitelist resource group names

  • ❏ B. Permit traffic from designated public IP addresses or IP ranges

  • ❏ C. Set the firewall to allow all networks

  • ❏ D. Grant access to selected Azure virtual networks and subnets

Your organization has an Azure subscription and an Entra ID P1 plan. You must enable self service password reset for every user and require users to provide five security questions when they enroll for SSPR. Which settings should you configure? (Choose 2)

  • ❏ A. Registration

  • ❏ B. Cloud Identity

  • ❏ C. Authentication methods

  • ❏ D. Notifications

  • ❏ E. Customization

  • ❏ F. Properties

Your team manages an Azure subscription that hosts several Windows Server virtual machines. You created a data collection rule named DataRuleA to use with the Azure Monitor Agent, and you want to gather only System log entries that have an event ID of 1007. Which query type should you specify for the data source in DataRuleA?

  • ❏ A. Kusto Query Language

  • ❏ B. SQL

  • ❏ C. XPath

Review the case study for Meridian Tech by opening the linked document in a new tab at https://example.com/docs/meridian-network-design. What initial action should you take in order to add VM01 and VM02 to the backend pool of LBFront?

  • ❏ A. Redeploy VM01 and VM02 into the same availability zone

  • ❏ B. Migrate VM01 and VM02 into a virtual machine scale set

  • ❏ C. Redeploy VM01 and VM02 into the same availability set

  • ❏ D. Create a new network security group and associate it to VNetProd/SubnetApp

A regional fintech firm named Meridian Analytics plans to tag its Azure resources to improve organization and billing. Which statements about Azure resource tags are accurate? (Choose 3)

  • ❏ A. Tags can be used to allocate costs and generate billing reports

  • ❏ B. Tags applied at a resource group level automatically propagate to each resource in that group

  • ❏ C. All Azure resource types accept tags

  • ❏ D. Not every Azure resource type supports tagging

  • ❏ E. Tag values are treated as case sensitive when stored

  • ❏ F. Tag values are compared without regard to letter case

Your organization NovaApps has an Azure subscription and you created an Azure Container Registry named novaacr and a local container image. You have already authenticated to the registry with the Azure CLI. What step should you perform next to upload the image to the registry?

  • ❏ A. Deploy a container group with Azure Container Instances

  • ❏ B. List the images stored in the container registry

  • ❏ C. Tag the local container image with the registry login server and repository name

  • ❏ D. Enable the registry administrator account on the registry

Your team at Meridian Logistics relies on Azure Blob Storage for archival data. You must ensure that data which is seldom accessed is moved automatically to a lower cost storage tier, that prior blob versions are retained for up to 90 days, and that deleted blobs can be restored within 45 days. Which Azure Blob Storage features should you enable to satisfy these requirements? (Choose 3)

  • ❏ A. Blob lifecycle management policy

  • ❏ B. Immutable blob storage

  • ❏ C. Blob versioning

  • ❏ D. Soft delete for blobs

AlderTech LLC manages an Azure Active Directory tenant and the help desk plans to remove a batch of user accounts by using the Bulk delete feature in the Azure Active Directory admin center, and you must prepare the file that will be uploaded for the bulk deletion. Which user attributes does the upload file need to contain?

  • ❏ A. Display name and usage location only

  • ❏ B. User principal name for each account only

  • ❏ C. Display name only

  • ❏ D. User principal name and usage location only

  • ❏ E. Display name and user principal name only

Your organization has an Azure subscription that contains a storage account, a resource group, a blob container and a file share. An engineer named Maya Chen used a single Azure Resource Manager template to deploy a virtual machine and an additional storage account. You want to examine the ARM template that Maya used. If you open the Virtual Machines pane, can you view the original ARM template?

  • ❏ A. Yes

  • ❏ B. No

Refer to the BlueWave Systems case study at https://example.com/bluewave-case and answer based on that document. From VM-B2 can you initiate a Remote Desktop session to VM-B3?

  • ❏ A. Yes

  • ❏ B. No

A small technology firm named NimbusCloud maintains a subscription called SubAlpha. The subscription contains two Azure virtual machines named AppServerA and AppServerB. Both virtual machines are running Windows Server 2019. AppServerA is backed up every 12 hours by Azure Backup using snapshot-based backups and the Azure Backup agent was not installed. AppServerA has been hit by ransomware that encrypted files. You must restore files from the most recent backup of AppServerA. To which target can you perform a file level recovery?

  • ❏ A. Any other existing Azure virtual machine in the subscription

  • ❏ B. An Azure Files share mounted to a Windows server

  • ❏ C. The original virtual machine or a newly created Azure virtual machine

  • ❏ D. The original virtual machine only

  • ❏ E. Any Windows computer that has Internet connectivity

Open the Northbridge Systems case study at docs.example.com and base your response on that document. You must enable disk encryption for the virtual machines while meeting the stated technical constraints. Which virtual machines are eligible for encryption?

  • ❏ A. VM4 and VM5

  • ❏ B. VM1 and VM3

  • ❏ C. VM2 and VM3

  • ❏ D. VM2 and VM4

Your organization has an Azure subscription named DevSub45 and you provisioned a Linux virtual machine named vm-web02 in that subscription. You must collect performance metrics and diagnostic logs from vm-web02. Which extension or agent should you install on the virtual machine?

  • ❏ A. Azure Monitor agent

  • ❏ B. Linux Diagnostic Extension (LAD) 3.0

  • ❏ C. Azure Performance Diagnostics extension

  • ❏ D. Azure HDInsight

A regional retailer called HarborPoint must deploy a fleet of Azure virtual machines by using an ARM template and place them in a single availability set. You need to set the template so that during platform maintenance or hardware faults the greatest possible number of virtual machines stays available. What value should be assigned to the platformUpdateDomainCount property?

  • ❏ A. 12

  • ❏ B. 40

  • ❏ C. 20

  • ❏ D. 30

A regional IT services firm called HarborTech has an Azure subscription named Subscription Alpha that contains two users named Alice and Ben. You must assign role based access control roles so Alice can view the actual data inside any storage account and Ben can grant other users the Contributor role on storage accounts while following the principle of least privilege. Which RBAC role should you assign to Alice?

  • ❏ A. Contributor

  • ❏ B. Reader and Data Access

  • ❏ C. User Access Administrator

  • ❏ D. Owner

  • ❏ E. Storage Account Contributor

Your Azure subscription contains eight virtual machines, a Key Vault called KeyStoreA and a network security group named NSG-App. All resources are deployed to the West US 2 region and the virtual machines are protected by NSG-App, which currently blocks all outbound internet traffic. You must allow the virtual machines to reach KeyStoreA while applying least privilege and keeping administrative effort minimal. What destination should you configure for the outbound rule on NSG-App?

  • ❏ A. Azure Private Endpoint

  • ❏ B. An application security group

  • ❏ C. An IP address range

  • ❏ D. A service tag

Refer to the Fabrikam Technologies case study by opening the following link in a new tab (https://example.com/document/d/2yca6F7b9X/edit?usp=sharing). You must provision a storage account named storage7, and the design must accommodate the planned expansions and future feature additions. Which storage account type should you provision?

  • ❏ A. BlockBlobStorage

  • ❏ B. StorageV2 (general purpose v2)

  • ❏ C. BlobStorage

Your organization manages a Microsoft Entra tenant named northwind.onmicrosoft.com. A User administrator called AdminA tries to invite an external collaborator with the address [email protected] but receives the message “Unable to invite user [email protected]. Generic authorization exception”. You must ensure that AdminA can send the guest invitation. What change should you make?

  • ❏ A. Create an external identity provider in the Organizational relationships area

  • ❏ B. Modify the External collaboration settings on the Users page

  • ❏ C. Register a custom domain for the directory from the Custom domain names page

  • ❏ D. Assign the Security administrator role to AdminA from Roles and administrators

Your team at NovaSystems recently created a fresh Azure subscription that contains a user named Admin1. Admin1 attempts to deploy a Marketplace item with an Azure Resource Manager template by using Azure PowerShell and receives an error that states legal terms have not been accepted for the item on the subscription and that programmatic deployment must be configured in the Azure portal at http://example.com or the item must be created there first. What should you do to allow Admin1 to deploy the Marketplace item successfully?

  • ❏ A. Enable programmatic deployment for the Marketplace item in the Azure portal

  • ❏ B. Register the Microsoft.Marketplace resource provider in the Azure portal

  • ❏ C. Run the Set-AzMarketplaceTerms cmdlet in Azure PowerShell

  • ❏ D. Assign the Billing administrator role to Admin1 at the subscription scope

A fintech startup called Meridian Labs monitors its cloud resources. What is the default interval at which platform metrics are collected?

  • ❏ A. 2 minutes

  • ❏ B. 60 seconds

  • ❏ C. 5 minutes

  • ❏ D. 30 seconds

You manage an Azure storage account named archiveacct2 that contains a blob container named monthlybackups. You need to ensure that any new blobs added to monthlybackups cannot be changed or deleted for 12 months. What should you configure?

  • ❏ A. A stored access policy for SAS tokens

  • ❏ B. Access tier

  • ❏ C. A time based immutability policy on the container

  • ❏ D. Access control and role assignments (IAM)

You migrated services from one subscription to another by using PowerShell and afterwards you observed that role assignments applied directly to virtual machines are now orphaned while the assignments at the resource group level remain intact. What should you identify as the root cause?

  • ❏ A. You used the classic deployment model rather than Azure Resource Manager for the migration

  • ❏ B. Your user account did not have Microsoft.Authorization permissions required to migrate role assignments

  • ❏ C. When a resource that has a role assigned directly to it or to a nested resource is moved the role assignment does not transfer and becomes orphaned

Your organization manages two Azure subscriptions named SubA and SubB and each subscription is associated with a separate Microsoft Entra tenant. SubA has a virtual network named CorporateVNet that contains an Azure virtual machine named AppServer and the network uses the address range 10.20.0.0/16. SubB has a virtual network named PartnerVNet that contains an Azure virtual machine named DBServer and the network uses the address range 10.120.0.0/24. You need to enable network connectivity between CorporateVNet and PartnerVNet. What should you do first?

  • ❏ A. Move CorporateVNet into SubB

  • ❏ B. Provision virtual network gateways

  • ❏ C. Migrate AppServer virtual machine to SubB

  • ❏ D. Change the address space of PartnerVNet

Your organization, called Solvex, maintains an Azure subscription that includes a storage account, a resource group, a blob container and a file share. A coworker named Maya Singh used a single Azure Resource Manager template to deploy a virtual machine and an extra storage account. You need to inspect the ARM template that Maya deployed. The proposed solution is to open the Containers blade. Does this solution meet the requirement?

  • ❏ A. Yes

  • ❏ B. No

A nonprofit named Meridian Solutions manages an Azure Active Directory tenant. They must create a conditional access rule that forces members of the Tenant Administrators group to use multi factor authentication and to sign in from an Azure AD joined device when they connect from unknown networks. A network engineer updates the per user multi factor authentication settings on the MFA page to change user properties. Does this method satisfy the requirement?

  • ❏ A. It meets the requirement

  • ❏ B. It does not meet the requirement

Certification Exam Simulator Answers

You have an on-premises Windows server that contains a directory named D:\DataArchive and you must transfer all of its files to the public container in an Azure Storage account called mcnzdata. Which command should you run?

The correct option is azcopy copy D:\DataArchive https://mcnzdata.blob.core.windows.net/public --recursive.

azcopy copy is the right choice because AzCopy is the high performance tool designed for moving large sets of files from a local path to Azure Storage and the --recursive flag instructs it to transfer all files and subfolders under D:\DataArchive. The command accepts a local directory as the source and a container URL as the destination which matches the requirement to upload everything to the public container.

az storage blob upload-batch D:\DataArchive https://mcnzdata.blob.core.windows.net/public is incorrect because the Azure CLI batch upload command expects parameters like --source and --destination or a container name and account details rather than a bare URL in that position. The shown syntax would not be valid and the Azure CLI upload-batch is generally less optimized for very large high performance transfers than AzCopy.

az storage blob copy start https://mcnzdata.blob.core.windows.net/public D:\DataArchive is incorrect because the copy start command performs a server side copy from a source URL to a specific blob in storage and it cannot read directly from a local file path. The command also expects a destination blob name rather than a local directory.

azcopy sync D:\DataArchive https://mcnzdata.blob.core.windows.net/public --snapshot is incorrect because sync is intended to mirror differences between source and destination and the presented flag is not appropriate for a simple full upload. To copy an entire local directory tree the recommended and explicit command is the AzCopy copy form with the recursive option.

When the question involves moving an entire local directory to a blob container look for AzCopy commands and the --recursive flag as strong indicators of the correct choice.

An account appears in your Azure AD directory as john_marketing_com#EXT#@example.com. Which statement best describes this account?

  • ✓ B. The account represents a guest or external user in the directory

The account represents a guest or external user in the directory.

Azure Active Directory appends EXT in the user principal name when an external or B2B user is invited into a tenant. The sample UPN john_marketing_com#EXT#@example.com shows that the original external address was transformed and the account was created as a guest or external user in the directory.

The user account has been removed from the directory is incorrect because a removed or deleted account is represented by a deletion state and not by the EXT marker in the UPN.

The account is a regular member of the tenant is incorrect because regular member accounts do not contain the EXT string and they have the userType set to Member rather than Guest.

The account has been disabled to prevent sign in is incorrect because disabled accounts are indicated by the accountEnabled property being false and not by including EXT in the UPN. The EXT marker only denotes an invited external guest identity.

When you see EXT in a user principal name think guest or B2B and verify the userType attribute to confirm the account type.
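As an added example that is not part of the practice test, the following Python audit applies the tip above to a directory export: it recognises the #EXT# guest UPN form and cross-checks it against the userType and accountEnabled properties so that mismatches (such as a converted guest or a disabled guest) are surfaced for review. The user records are constructed sample data.

```python
"""Audit user records for guest (#EXT#) identities.

Added example, not part of the practice test. The records in SAMPLE_USERS
are constructed; userPrincipalName, userType and accountEnabled are the
Microsoft Graph user property names.
"""

EXT_MARKER = "#EXT#@"

# Constructed sample directory export (not real accounts).
SAMPLE_USERS = [
    {"userPrincipalName": "john_marketing_com#EXT#@example.com",
     "userType": "Guest", "accountEnabled": True},
    {"userPrincipalName": "alice@example.com",
     "userType": "Member", "accountEnabled": True},
    {"userPrincipalName": "vendor_partner_com#EXT#@example.com",
     "userType": "Member", "accountEnabled": True},
    {"userPrincipalName": "contractor_old_com#EXT#@example.com",
     "userType": "Guest", "accountEnabled": False},
]


def parse_upn(upn):
    """Split a UPN into (is_guest, external_part, tenant_domain).

    Invited external users get a UPN of the form
    <external address with @ replaced>#EXT#@<tenant domain>;
    member UPNs are plain alias@domain.
    """
    if EXT_MARKER in upn:
        external, tenant = upn.split(EXT_MARKER, 1)
        return True, external, tenant
    _alias, _sep, domain = upn.partition("@")
    return False, None, domain


def classify(user):
    """Return ('guest' | 'member', [review notes]) for one user record."""
    is_guest, _external, _tenant = parse_upn(user["userPrincipalName"])
    user_type = user.get("userType")
    notes = []
    if is_guest and user_type != "Guest":
        # Occurs when a guest has been converted to Member; worth a review.
        notes.append("UPN has #EXT# but userType is %r" % user_type)
    if not is_guest and user_type == "Guest":
        notes.append("userType is Guest without #EXT# in the UPN")
    if not user.get("accountEnabled", True):
        notes.append("account disabled (accountEnabled is false)")
    return ("guest" if is_guest else "member"), notes


def audit(users):
    """Summarise a list of user records: counts plus per-user findings."""
    summary = {"guest": 0, "member": 0, "findings": {}}
    for user in users:
        kind, notes = classify(user)
        summary[kind] += 1
        if notes:
            summary["findings"][user["userPrincipalName"]] = notes
    return summary


if __name__ == "__main__":
    result = audit(SAMPLE_USERS)
    print("guests: %d, members: %d" % (result["guest"], result["member"]))
    for upn, notes in result["findings"].items():
        print(upn, "->", "; ".join(notes))
```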

A software vendor called Meridian Freight hosts a SQL Server Always On availability group on Azure virtual machines and they want to use an internal Azure load balancer as the listener for the availability group. If they configure session persistence to Client IP does this meet the deployment requirement?

  • ✓ B. No the Client IP session persistence does not meet the requirement

The correct answer is No the Client IP session persistence does not meet the requirement.

Client IP session persistence causes the internal load balancer to maintain affinity based on the client IP and that can send a client to the same backend even after the primary role has moved. For SQL Server Always On availability groups the listener must direct client connections to the current primary replica and connections must reach the primary after failover. Using client IP affinity can prevent clients from being routed to the new primary which breaks connectivity. Azure best practice for an ILB used as an AG listener is to avoid session affinity and rely on the ILB health probe and floating IP configuration so that flows are forwarded to the current primary.

Yes the Client IP session persistence meets the requirement is incorrect because enabling client IP affinity creates sticky sessions that can map a client to a replica that is no longer primary after failover. That sticky mapping can cause both new and existing connections to fail to reach the primary and so it does not meet the deployment requirement.

When questions mention load balancer persistence or affinity for Always On listeners favor settings that avoid client stickiness. Verify the ILB health probe and prefer None session persistence when configuring an internal load balancer for an AG listener.

Your organization manages an Azure Active Directory tenant that contains 6,400 user accounts and you create a new account named SupportAdmin2. You need to grant the User Administrator administrative role to SupportAdmin2. Which action should you perform within the user account settings?

  • ✓ B. Modify the user’s Directory role setting on the Directory role blade

The correct answer is Modify the user’s Directory role setting on the Directory role blade.

This is correct because the User Administrator is an Azure Active Directory administrative role and Azure AD roles are assigned on the user’s Directory role settings in the Azure Active Directory user profile rather than at the subscription level.

To grant the role you open the Azure portal, go to Azure Active Directory, open Users, select the SupportAdmin2 account, choose the Directory role option on that user’s page and then add the User Administrator role to the account.

Assign a role to the account in the Subscription access control IAM pane is incorrect because the IAM pane manages Azure RBAC for subscriptions and resources and it does not assign Azure Active Directory administrative roles.

Place the account into an administrative group from the Groups pane is not the right action in this context because the question asks you to change the individual user’s administrative role setting and group membership alone does not modify the user’s Directory role there. Group based role assignments are a separate configuration and are not the action described by the user account Directory role blade.

When asked to grant an Azure AD administrative role to a user focus on the user’s Directory role setting in their Azure Active Directory profile and do not confuse that with subscription Azure RBAC permissions in IAM.

Aurora Systems maintains an Azure Resource Manager template that will provision eight virtual machines and the operations team wants to automate the rollout using both Azure CLI and PowerShell. Which two commands should they run to deploy the ARM template? (Choose 2)

  • ✓ B. New-AzResourceGroupDeployment

  • ✓ D. az deployment group create

The correct answers are az deployment group create and New-AzResourceGroupDeployment.

az deployment group create is the Azure CLI command that deploys an ARM template at the resource group scope. It is the CLI way to perform a template based deployment and it accepts parameters such as --resource-group and --template-file so you can provision eight virtual machines from the ARM template.

New-AzResourceGroupDeployment is the PowerShell cmdlet that performs a resource group scoped ARM template deployment. You run it with parameters like -ResourceGroupName and -TemplateFile to automate the rollout from PowerShell and to pass parameter values for multiple VM instances.

az vm list is incorrect because it only lists existing virtual machines and does not deploy an ARM template. It is a read operation and cannot create resources.

New-AzVM is incorrect because it creates a single VM directly with PowerShell and is not the cmdlet used to deploy an ARM template that provisions multiple VMs from a template. For template driven rollouts use the resource group deployment cmdlet instead.

When a question asks for both a CLI and a PowerShell solution look for the commands that explicitly perform ARM template deployments. Remember that az deployment group create is the CLI deployment command and New-AzResourceGroupDeployment is the PowerShell equivalent.

A retail firm named Meridian Systems maintains an Azure virtual machine called AppServer02. The operations team created an Azure Backup recovery point named SnapshotA. After SnapshotA was created they changed the VM size, copied a file named Report.xlsx into a Docs folder, reset the built-in administrator password and attached a new data disk. An engineer restored the VM by choosing the Replace existing option and used SnapshotA. Which change needs to be performed again after the restore?

  • ✓ C. Recopy Report.xlsx into the Docs folder

Recopy Report.xlsx into the Docs folder is correct.

A recovery point captures the VM disks as they existed when the snapshot was taken. When the engineer used the Replace existing option with SnapshotA the VM’s disks were reverted to that snapshot state. Any files copied after the snapshot are not part of the recovery point and therefore will not be present after the restore, so Report.xlsx must be recopied into the Docs folder.

Reattach the added data disk is incorrect because the additional disk is a separate managed disk resource and a Replace existing restore does not remove or destroy unrelated disk resources. The extra disk remains available in the subscription and does not normally need to be reattached as part of this restore flow.

Reapply the new VM size is incorrect because the VM size is a configuration property of the VM rather than a file on the disk. Restoring disks from a recovery point does not inherently revert the VM SKU that was set after the snapshot and the size change is preserved or can be managed independently during restore.

Reset the built in administrator password is incorrect because VM configuration and credentials managed through the VM agent or Azure extensions are preserved or can be applied during the restore process. The common impact of a disk-level snapshot is missing file data rather than losing Azure level configuration that is managed outside the disk image.

When you see a question about a recovery point think about what it captures. Disk contents at the time of the snapshot are restored and files added later will not be present after a replace existing restore.

A technology startup named CloudMart runs twelve virtual machines in its Azure tenant and the operations crew needs notifications if any virtual machine restarts, stops or becomes deallocated by Azure. Notifications must be sent to three administrators by email and by Azure mobile app push messages. You plan to configure alert rules, action groups and notification actions in the Azure portal. What is the minimum number of alert rules, action groups and actions you must create?

  • ✓ C. Three alert rules one action group and three actions

The correct answer is Three alert rules one action group and three actions.

You need Three alert rules one action group and three actions because there are three distinct VM states to detect when Azure restarts, stops, or deallocates a virtual machine, and each condition requires its own alert rule. A single action group can be reused by all rules, and the action group must include separate notification actions so each administrator receives both email and an Azure mobile app push message.

Two alert rules three action groups and one action is incorrect because two alert rules do not cover the three separate conditions, multiple action groups are unnecessary since one group can be shared, and one action cannot reliably deliver push notifications to three different administrators.

One alert rule one action group and one action is incorrect because a single alert rule cannot monitor three distinct signal types at the required granularity, and one action cannot provide individual push notifications to each administrator.

Three alert rules one action group and one action is incorrect because although three rules are correct, a single action cannot send Azure mobile app push messages to three separate administrators so you need three actions in the action group.

Remember that push notifications are user specific so plan for one notification action per user when the Azure mobile app must receive the alert, and reuse a single action group across multiple alert rules.

A cloud team at Aurora Tech uses Azure Active Directory and they need a conditional access rule that forces members of the Global Administrators group to use multi factor authentication and to sign in from an Azure AD joined device when they connect from untrusted networks. The suggested change is to open the multi factor authentication user settings page and modify per user options. Will this approach satisfy the requirement?

  • ✓ B. No

The correct option is No.

The suggested change to open the Multi Factor Authentication user settings page and modify per user options will not satisfy the requirement because per-user MFA cannot enforce device state or be combined with network location conditions in the way Conditional Access can. To require Global Administrators to use MFA and to sign in from an Azure AD joined device when they connect from untrusted networks you must create a Conditional Access policy that targets the Global Administrators group and that requires multi factor authentication and device join or compliance under the appropriate location conditions.

Per-user MFA settings are a legacy method that does not support granular conditions such as named locations or device state checks. Conditional Access is the Azure AD feature designed to evaluate group membership, network location, and device state together and to enforce requirements like MFA plus Azure AD joined devices.

The option Yes is incorrect because changing per-user MFA options alone cannot require sign-ins from an Azure AD joined device, nor can it apply the combination of controls only when users connect from untrusted networks. Per-user settings do not provide the conditional logic needed for this scenario, so the correct approach is a Conditional Access policy.

When a question involves requiring MFA plus a device property or network condition, think of Conditional Access first and treat per-user MFA as a legacy setting that will not meet combined conditional requirements.

Open the Fabrikam Inc. scenario at https://example.com/doc/2aBcdEfG in a new tab and answer using that scenario. For the statement below, select Yes if it is true; otherwise select No. “From AppVM you can establish a Remote Desktop session to DBVM”?

  • ✓ B. Yes

The correct answer is Yes.

In the Fabrikam scenario AppVM and DBVM are placed on the same virtual network, and DBVM is configured to accept Remote Desktop connections, so AppVM can establish an RDP session over the internal network. The network and VM firewall settings in the scenario allow RDP on port 3389, and the appropriate credentials are available to initiate the session.

No is incorrect because the scenario shows that network connectivity and RDP access exist between AppVM and DBVM. Choosing No would contradict the scenario configuration that permits Remote Desktop from AppVM to DBVM.

When you evaluate VM-to-VM connectivity, verify the network path and the firewall rules, and confirm that the target VM has the RDP service enabled and that RDP port 3389 is allowed.

Review the NovaTech case study in the exam materials and implement the planned container updates for the new deployment images. Which Azure services can host Image2?

  • ✓ C. Azure App Service, Azure Container Apps, or Azure Container Instances

Azure App Service, Azure Container Apps, or Azure Container Instances is the correct option.

Azure App Service, Azure Container Apps, and Azure Container Instances all support deploying and running container images from registries, so any of them can host Image2 for the planned container updates. App Service can run single- or multi-container web apps from a registry. Container Apps provides a serverless container hosting environment that pulls images from registries. Container Instances runs containers directly without provisioning VMs and can also pull images from registries.

Azure Container Apps only is incorrect because it excludes the other services that can also host container images.

Azure App Service or Azure Container Instances only is incorrect because that choice omits Azure Container Apps which is also capable of hosting container images.

Azure Kubernetes Service only is incorrect because AKS can host containers but it is not the only option and the correct answer includes additional managed container hosting services.

Azure Container Instances only is incorrect because ACI is not the only service that can run container images for deployments like Image2.

Azure App Service or Azure Container Apps only is incorrect because that option leaves out Azure Container Instances which can also host container images.

Read each option and focus on which services explicitly support running container images. Note that App Service, Container Apps, and Container Instances are all valid hosting choices for container images.

Your cloud operations team needs to configure a storage account firewall to limit which clients can reach storage resources for a retail application at HarborTech. Which methods can you use to permit only specific sources to access the storage account? (Choose 2)

  • ✓ B. Permit traffic from designated public IP addresses or IP ranges

  • ✓ D. Grant access to selected Azure virtual networks and subnets

The correct options are Permit traffic from designated public IP addresses or IP ranges and Grant access to selected Azure virtual networks and subnets.

The Permit traffic from designated public IP addresses or IP ranges choice is valid because Azure Storage firewalls support IP network rules. You can list specific public IP addresses or CIDR ranges to allow only those sources to reach the storage account while blocking other public traffic.

The Grant access to selected Azure virtual networks and subnets choice is valid because you can create virtual network rules or use private endpoints to allow traffic from particular virtual networks and subnets. This lets you restrict access to resources that reside inside specified VNets and subnets rather than allowing broad public access.

Whitelist resource group names is incorrect because resource groups are a management construct and are not a network source. Firewall rules for storage evaluate network addresses and virtual network identities, not the name of a resource group.

Set the firewall to allow all networks is incorrect because that setting removes network restrictions and does not limit access to specific sources. Allowing all networks is the opposite of restricting access to particular IPs or virtual networks.

When deciding between options think about whether the control applies at the network level. Focus on IP network rules and virtual network rules as the mechanisms that limit which clients can reach a storage account.

Your organization has an Azure subscription and an Entra ID P1 plan. You must enable self-service password reset for every user and require users to provide five security questions when they enroll for SSPR. Which settings should you configure? (Choose 2)

  • ✓ C. Authentication methods

  • ✓ F. Properties

The correct answers are Properties and Authentication methods.

Properties is the place in the Azure AD password reset settings where you enable self service password reset for users and you choose whether the feature applies to all users or only selected groups. Enabling SSPR for every user is done by configuring Properties and setting the scope to all users.

Authentication methods is where you control which verification methods are allowed and how many are required during password reset enrollment. The setting to require security questions and to specify the number of questions is part of the Authentication methods configuration, which is why this option is needed to require five security questions.

Registration is incorrect because it governs how and when users register their authentication methods and related registration behavior, and it does not enable SSPR for all users nor set the number of security questions.

Cloud Identity is incorrect because it is not an Azure AD setting for SSPR and is not relevant to configuring password reset in an Entra ID environment.

Notifications is incorrect because it only controls email notifications related to password resets and alerts, and it does not enable SSPR or configure the number of security questions.

Customization is incorrect because it deals with the branding and helpdesk information shown on the password reset pages, and it does not enable SSPR or enforce how many security questions users must set.

When a question asks you to enable SSPR for all users, look under Properties, and when it asks about the number or type of verification methods, check Authentication methods.

Your team manages an Azure subscription that hosts several Windows Server virtual machines. You created a data collection rule named DataRuleA for use with the Azure Monitor Agent, and you want to gather only System log entries that have an event ID of 1007. Which query type should you specify for the data source in DataRuleA?

  • ✓ C. XPath

The correct option is XPath.

When you configure a Windows event log data source in a data collection rule, you use XPath to filter which events are collected. An XPath filter can target the System log and match a specific event ID. For example, XPath queries commonly use expressions like *[System/EventID=1007] to collect only events with ID 1007.

Kusto Query Language is incorrect because Kusto is the query language used to analyze logs after they are ingested into a Log Analytics workspace and it is not the filter syntax used inside a data collection rule for Windows event logs.

SQL is incorrect because data collection rules do not accept SQL for filtering Windows event logs and SQL is not used for event selection in the Azure Monitor Agent configuration.

Remember that event log selection in a data collection rule uses XPath expressions to match EventIDs and other XML fields and that Kusto is for post ingestion queries in Log Analytics.
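As an added example that is not part of the practice question, this Bicep template defines DataRuleA with its XPath filter written in the channel!query form that data collection rules expect, so the agent drops every event other than System ID 1007 before anything is ingested. The workspace name and the rule location are assumptions.

```bicep
// Added example, not the practice question's own material.
param location string = resourceGroup().location
param workspaceName string = 'law-example' // assumed existing Log Analytics workspace

// Reference the destination workspace without redeploying it.
resource law 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

resource dcr 'Microsoft.Insights/dataCollectionRules@2022-06-01' = {
  name: 'DataRuleA'
  location: location
  kind: 'Windows'
  properties: {
    dataSources: {
      windowsEventLogs: [
        {
          name: 'systemEvent1007'
          streams: [ 'Microsoft-Event' ]
          // DCR XPath takes the form <channel>!<query>. Only the System
          // channel is read, and only events whose EventID equals 1007 are
          // forwarded; a broader query such as
          // 'System!*[System[(Level=1 or Level=2)]]' would select by severity instead.
          xPathQueries: [
            'System!*[System[EventID=1007]]'
          ]
        }
      ]
    }
    destinations: {
      logAnalytics: [
        {
          name: 'laDest'
          workspaceResourceId: law.id
        }
      ]
    }
    // Route the filtered Event stream to the workspace (the Event table).
    dataFlows: [
      {
        streams: [ 'Microsoft-Event' ]
        destinations: [ 'laDest' ]
      }
    ]
  }
}

output dataCollectionRuleId string = dcr.id
```

Associating the rule with a VM is a separate dataCollectionRuleAssociations resource; the filtering itself lives entirely in the xPathQueries above, and Kusto only comes into play once the events are in the workspace.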

Review the case study for Meridian Tech by opening the linked document in a new tab at https://example.com/docs/meridian-network-design. What initial action should you take in order to add VM01 and VM02 to the backend pool of LBFront?

  • ✓ C. Redeploy VM01 and VM02 into the same availability set

Redeploy VM01 and VM02 into the same availability set is correct.

This is the appropriate initial action because Azure Load Balancer backend pools that target individual virtual machines require the VMs to be in the same availability set or to be part of a virtual machine scale set so that the load balancer can manage probes and distribute traffic across fault and update domains. Redeploying the two VMs into the same availability set ensures they can be added to LBFront with proper health probes and predictable fault domain placement.

Redeploy VM01 and VM02 into the same availability zone is incorrect because availability zones describe physical locations and do not satisfy the load balancer requirement for grouping individual VMs into a single backend set in this scenario. Zone placement is not the same as an availability set for backend pool membership.

Migrate VM01 and VM02 into a virtual machine scale set is incorrect as the best initial action because while a scale set can serve as a backend, migrating existing standalone VMs into a VM scale set is a larger change and is not the minimal step to allow LBFront to include the VMs. The question asks for the initial action and redeploying into an availability set is the simpler solution.

Create a new network security group and associate it to VNetProd/SubnetApp is incorrect because network security groups control traffic flow and may affect health probes, but they do not determine load balancer backend pool membership. Backend membership is based on the VMs' placement and configuration rather than on attaching an NSG to the subnet.

When a question involves adding VMs to an Azure Load Balancer backend pool check VM placement first. Confirm whether the VMs need to be in the same availability set or in a VM scale set before making network or security changes.

A regional fintech firm named Meridian Analytics plans to tag its Azure resources to improve organization and billing. Which statements about Azure resource tags are accurate? (Choose 3)

  • ✓ A. Tags can be used to allocate costs and generate billing reports

  • ✓ D. Not every Azure resource type supports tagging

  • ✓ E. Tag values are treated as case sensitive when stored

Tags can be used to allocate costs and generate billing reports, Not every Azure resource type supports tagging, and Tag values are treated as case sensitive when stored are correct.

Tags can be used to allocate costs and generate billing reports is correct because Azure Cost Management and billing tools let you filter and group costs by tags, so you can attribute spending to teams, projects, or cost centers. Using tags consistently enables more accurate cost reporting and automated chargeback or showback workflows.

Not every Azure resource type supports tagging is correct because some resource providers and specific resource types do not implement tag support. Tags are widely supported for most resource types but you must verify support for particular services and child resources before relying on tags for organization.

Tag values are treated as case sensitive when stored is correct because Azure preserves the letter case you provide for tag values in the resource metadata. That means stored values retain their case and can be distinct when case differs.

Tags applied at a resource group level automatically propagate to each resource in that group is incorrect because tags do not automatically inherit from a resource group to its contained resources. You can apply tags at the resource group level for convenience, but propagation requires manual application, automation, or an Azure Policy that copies tags to resources.

All Azure resource types accept tags is incorrect because not every resource type accepts tags. Some services or older resource types do not support tagging and you should consult the documentation for each resource provider.

Tag values are compared without regard to letter case is incorrect because comparisons can be affected by case since Azure stores tag values with their original letter case. You should not assume case insensitive comparison for tag values when you build filtering or automation logic.

Define a clear tagging taxonomy and enforce it with Azure Policy or automation so that tags remain consistent for reliable cost allocation and reporting.

Your organization NovaApps has an Azure subscription and you created an Azure Container Registry named novaacr and a local container image. You have already authenticated to the registry with the Azure CLI. What step should you perform next to upload the image to the registry?

  • ✓ C. Tag the local container image with the registry login server and repository name

Tag the local container image with the registry login server and repository name is the correct step to perform next when you have authenticated to the registry and want to upload a local image.

Tagging the image assigns it a name that includes your registry login server and the repository so the push command knows the destination. After you tag the image you can run the push command using Docker or the Azure CLI to upload the image into the registry. Authentication alone does not specify the target repository so tagging is the required next step.

Deploy a container group with Azure Container Instances is incorrect because deploying a container group runs a container and does not upload your local image to the registry.

List the images stored in the container registry is incorrect because listing only shows what is already in the registry and does not perform an upload. You would list images after pushing to verify the image is present.

Enable the registry administrator account on the registry is incorrect because enabling the admin account is not required when you authenticate with the Azure CLI and it is less secure to rely on the admin account. It is not the necessary next step after logging in.

Remember the sequence when pushing an image: first log in, then tag, and finally push. Make sure the tag includes the registry login server and the repository name so the push targets the correct registry.

Your team at Meridian Logistics relies on Azure Blob Storage for archival data. You must ensure that data which is seldom accessed is moved automatically to a lower cost storage tier, that prior blob versions are retained for up to 90 days, and that deleted blobs can be restored within 45 days. Which Azure Blob Storage features should you enable to satisfy these requirements? (Choose 3)

  • ✓ A. Blob lifecycle management policy

  • ✓ C. Blob versioning

  • ✓ D. Soft delete for blobs

The correct options are Blob lifecycle management policy, Blob versioning, and Soft delete for blobs.

The Blob lifecycle management policy lets you define rules that automatically transition blobs to lower cost tiers such as Cool or Archive based on age or access patterns and it can also clean up older snapshots or versions. Using lifecycle rules is the mechanism to move seldom accessed archival data to a cheaper tier automatically.

The Blob versioning feature preserves prior versions of blobs when they are overwritten or changed so that historical copies are available. To retain prior versions for up to 90 days you enable versioning and then combine it with a lifecycle rule that expires versions after the desired retention period.

The Soft delete for blobs feature retains deleted blobs for a configurable retention window so they can be restored if needed. Set the soft delete retention to 45 days to ensure deleted blobs can be recovered within that timeframe.

The Immutable blob storage option is used to enforce write once and read many retention for compliance and legal holds and it prevents modification or deletion during the retention period. It does not provide automatic tiering or the recoverable deletion and version retention workflow required in this scenario and so it is not the right choice.

When requirements mention tiering, retention, and recoverability, map each need to a specific feature and then combine them. For example, use lifecycle management for automatic tiering and expiry, versioning for historical copies, and soft delete for recovery.
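As an added example that is not part of the practice question, this Bicep template combines the three features on one storage account: versioning and soft delete are blob service settings, while tiering and version expiry are lifecycle rules. The account name, container prefix, and tiering thresholds are assumptions; the 90-day version retention and the 45-day soft delete window come from the scenario.

```bicep
// Added example, not the practice question's own material.
param location string = resourceGroup().location
param storageAccountName string = 'stmeridianarchive01' // assumed, must be globally unique

resource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    accessTier: 'Hot'
    allowBlobPublicAccess: false
    minimumTlsVersion: 'TLS1_2'
  }
}

// Versioning and soft delete are configured on the blob service, not in a lifecycle rule.
resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' = {
  parent: sa
  name: 'default'
  properties: {
    isVersioningEnabled: true // every overwrite keeps the previous version
    deleteRetentionPolicy: {
      enabled: true
      days: 45 // deleted blobs can be undeleted for 45 days
    }
  }
}

// Lifecycle management: move cold data to cheaper tiers and expire old versions.
resource lifecycle 'Microsoft.Storage/storageAccounts/managementPolicies@2023-01-01' = {
  parent: sa
  name: 'default'
  dependsOn: [ blobService ] // version actions require versioning to be enabled first
  properties: {
    policy: {
      rules: [
        {
          name: 'archive-tiering-and-version-retention'
          enabled: true
          type: 'Lifecycle'
          definition: {
            filters: {
              blobTypes: [ 'blockBlob' ]
              prefixMatch: [ 'archive/' ] // assumed container holding the archival data
            }
            actions: {
              baseBlob: {
                // Assumed thresholds: Cool after 30 days, Archive after 180 days
                // without modification.
                tierToCool: { daysAfterModificationGreaterThan: 30 }
                tierToArchive: { daysAfterModificationGreaterThan: 180 }
              }
              version: {
                // Prior versions are retained for 90 days and then deleted.
                delete: { daysAfterCreationGreaterThan: 90 }
              }
            }
          }
        }
      ]
    }
  }
}
```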

AlderTech LLC manages an Azure Active Directory tenant, and the help desk plans to remove a batch of user accounts by using the Bulk delete feature in the Azure Active Directory admin center. You must prepare the file that will be uploaded for the bulk deletion. Which user attributes does the upload file need to contain?

  • ✓ B. User principal name for each account only

The correct option is User principal name for each account only.

Azure Active Directory matches and removes accounts in a bulk delete operation by using the user principal name. The upload file only needs that unique identifier so the admin center can locate each account and perform the deletion.

Display name and usage location only is incorrect because display names are not guaranteed to be unique and usage location is not used to identify accounts for deletion.

Display name only is incorrect because a display name cannot uniquely identify which account to delete.

User principal name and usage location only is incorrect because usage location is unnecessary for deleting accounts and the presence of user principal name alone is sufficient.

Display name and user principal name only is incorrect because including the display name is redundant and the bulk delete process requires only the unique user principal name to identify accounts.

When a question asks about bulk operations look for the attribute that uniquely identifies existing resources. In Azure AD that is often the user principal name.

Your organization has an Azure subscription that contains a storage account, a resource group, a blob container, and a file share. An engineer named Maya Chen used a single Azure Resource Manager template to deploy a virtual machine and an additional storage account. You want to examine the ARM template that Maya used. If you open the Virtual Machines pane, can you view the original ARM template?

  • ✓ B. No

No is correct because the Virtual Machines pane does not show the original Azure Resource Manager template that was used to deploy the VM and the additional resources.

To examine the template that Maya used you must view the deployment record for the resource group. Open the Resource groups pane, select the specific resource group, then open Deployments and select the deployment that created the VM to view the template. You can also use the Export template feature on the resource group to get a template that represents the deployed resources.

Yes is incorrect because the VM blade only shows the VM configuration and management actions and it does not surface the original ARM template. The template is stored with the deployment metadata in the resource group and is accessible from Deployments or Export template rather than from the Virtual Machines pane.

When a question asks where to find the original deployment template think of the resource group and its Deployments or the Export template option rather than individual resource blades.

Refer to the BlueWave Systems case study at https://example.com/bluewave-case and answer based on that document. From VM-B2 can you initiate a Remote Desktop session to VM-B3?

  • ✓ B. No

No is correct according to the BlueWave Systems case study because the document shows that VM-B2 cannot establish a Remote Desktop connection to VM-B3.

The case study indicates that network isolation and firewall rules prevent RDP traffic between the two instances. Remote Desktop uses TCP port 3389 and the topology described in the case study does not include an allowed ingress rule or route that would permit VM-B2 to reach VM-B3 on that port, so a session cannot be initiated.

Yes is incorrect because it assumes direct network connectivity and permissive firewall settings between VM-B2 and VM-B3. The case study does not show those conditions, so the answer Yes is not supported by the provided document.

When an exam question hinges on connectivity, refer to the case study for the network topology and firewall rules, and check the specific port used by the protocol, such as TCP 3389 for Remote Desktop.

A small technology firm named NimbusCloud maintains a subscription called SubAlpha. The subscription contains two Azure virtual machines named AppServerA and AppServerB. Both virtual machines are running Windows Server 2019. AppServerA is backed up every 12 hours by Azure Backup using snapshot-based backups and the Azure Backup agent was not installed. AppServerA has been hit by ransomware that encrypted files. You must restore files from the most recent backup of AppServerA. To which target can you perform a file level recovery?

  • ✓ E. Any Windows computer that has Internet connectivity

The correct answer is Any Windows computer that has Internet connectivity.

You can restore files from the snapshot based backup by using Azure Backup file recovery features and by mounting the recovery point to a client. This lets you download files over the network to Any Windows computer that has Internet connectivity without requiring the Azure Backup agent to be installed on the backed up VM.

Any other existing Azure virtual machine in the subscription is incorrect because file level recovery is not limited to other VMs in the same subscription. You can restore files to external Windows clients using the file recovery tool instead of restoring only to another existing VM.

An Azure Files share mounted to a Windows server is incorrect because the built in file recovery process provides a mount or download to a Windows client and not a direct push to an Azure Files share. You can copy files to Azure Files after you restore them to a client but the Files share is not a direct restore target.

The original virtual machine or a newly created Azure virtual machine is incorrect because although you can restore entire disks or create a new VM from a recovery point you are not limited to those targets for file level recoveries. The file recovery tool supports downloading files to external Windows machines as well.

The original virtual machine only is incorrect because file level restore does not require restoring back only to the original VM. Azure Backup supports extracting individual files and placing them on other Windows machines with network access.

When you see a question about file level restore from Azure VM snapshots remember that the file recovery feature can mount a recovery point and allow downloads to any Windows client that has Internet access.

Open the Northbridge Systems case study at docs.example.com and base your response on that document. You must enable disk encryption for the virtual machines while meeting the stated technical constraints. Which virtual machines are eligible for encryption?

  • ✓ C. VM2 and VM3

The correct option is VM2 and VM3.

VM2 and VM3 are eligible because they meet the case study constraints for disk encryption. Both VMs use persistent OS and data disks that can be protected with platform-managed or customer-managed keys, and they do not rely on ephemeral local disks or other disk types that block the standard disk encryption workflow.

VM4 and VM5 is incorrect because those machines do not meet the technical constraints for enabling disk encryption in the case study. One or both of those VMs use disk types or configurations that are not eligible for the required encryption method.

VM1 and VM3 is incorrect because VM1 and VM3 includes VM1 which does not satisfy the encryption prerequisites even though VM3 does. The pair therefore fails the requirement to have both VMs eligible.

VM2 and VM4 is incorrect because VM4 is not eligible under the stated constraints while VM2 is. The combination fails because one member does not support the required disk encryption configuration.

When you must identify which VMs can be encrypted, check the disk type and whether the OS disk is persistent, verify that the required encryption keys and permissions are available, and exclude VMs that use ephemeral local disks or unsupported images, as those are commonly ineligible.

Your organization has an Azure subscription named DevSub45 and you provisioned a Linux virtual machine named vm-web02 in that subscription. You must collect performance metrics and diagnostic logs from vm-web02. Which extension or agent should you install on the virtual machine?

  • ✓ B. Linux Diagnostic Extension (LAD) 3.0

The correct answer is Linux Diagnostic Extension (LAD) 3.0.

Linux Diagnostic Extension (LAD) 3.0 is the VM extension designed to collect performance metrics and diagnostic logs from Linux virtual machines. It can gather metrics, syslog entries, and performance counters and deliver those diagnostics to configured storage or monitoring endpoints when it is installed on the VM.

Note that Microsoft is moving to a newer unified agent and tooling. The legacy extension may still be the expected answer for scenarios that specifically name the extension, but customers are being encouraged to migrate to modern agents for long term use.

Azure Monitor agent is incorrect for this question because it is the newer unified agent that Microsoft recommends for collecting telemetry across resources. The exam scenario specifically expects the Linux diagnostic extension and older course material and labs often reference LAD instead of the newer agent.

Azure Performance Diagnostics extension is incorrect because it is not the standard VM extension used to collect general performance metrics and diagnostic logs from Linux virtual machines. It is not the agent that configures continuous metric and log collection in the way that the diagnostics extension does.

Azure HDInsight is incorrect because it is a managed big data service and not an extension or agent for collecting VM performance metrics or diagnostic logs.

When a question asks about collecting metrics and diagnostics from a Linux VM confirm whether the exam expects the legacy Linux Diagnostic Extension or the newer Azure Monitor agent. The newer agent is preferred in practice so pay attention to wording and exam objectives.

A regional retailer called HarborPoint must deploy a fleet of Azure virtual machines by using an ARM template and place them in a single availability set. You need to set the template so that during platform maintenance or hardware faults the greatest possible number of virtual machines stays available. What value should be assigned to the platformUpdateDomainCount property?

  • ✓ C. 20

The correct option is 20.

Update domains determine which virtual machines are rebooted together during planned platform maintenance and they reduce the blast radius of updates by ensuring that not all VMs are updated at once. Setting the platformUpdateDomainCount to 20 uses the largest number of update domains that Azure supports and therefore maximizes the number of virtual machines that can remain available during maintenance or hardware faults.

12 is not correct because it configures fewer update domains than the platform maximum and it therefore groups more VMs per update domain which reduces availability during updates.

40 is not correct because Azure does not support 40 update domains and a value that high would be invalid for the platformUpdateDomainCount property.

30 is not correct because it also exceeds the supported limit and it cannot increase availability beyond the supported maximum of 20 update domains.

When a question asks to maximize uptime choose the highest supported configuration and remember that Azure availability sets allow up to 20 update domains.

A regional IT services firm called HarborTech has an Azure subscription named Subscription Alpha that contains two users named Alice and Ben. You must assign role based access control roles so Alice can view the actual data inside any storage account and Ben can grant other users the Contributor role on storage accounts while following the principle of least privilege. Which RBAC role should you assign to Alice?

  • ✓ B. Reader and Data Access

The correct option is Reader and Data Access.

The Reader and Data Access role combines read only management permissions with data plane read permissions so Alice can view the actual contents of blobs and files inside storage accounts. It grants the ability to read resource configuration as well as the stored data without giving write or role assignment rights so it aligns with the principle of least privilege for a user who only needs to view data.

The Contributor role provides broad management write permissions on resources but it does not include storage data plane read rights and it grants more privileges than required for simply viewing stored data.

The User Access Administrator role allows assigning and managing role assignments but it does not grant access to storage data so it cannot be used to let Alice view blobs or files.

The Owner role grants full control including management and role assignment permissions so it is excessively privileged for a user who only needs read access to storage data.

The Storage Account Contributor role lets a user manage storage account settings and configuration but it does not include data plane read permissions for blob or file contents so it will not allow Alice to view the actual data.

When a question distinguishes resource management from actual data access look for roles that explicitly include data access for reading blobs or files and choose the smallest role that provides the needed data plane permissions.

Your Azure subscription contains eight virtual machines, a Key Vault called KeyStoreA, and a network security group named NSG-App. All resources are deployed to the West US 2 region, and the virtual machines are protected by NSG-App, which currently blocks all outbound internet traffic. You must allow the virtual machines to reach KeyStoreA while applying least privilege and keeping administrative effort minimal. What destination should you configure for the outbound rule on NSG-App?

  • ✓ D. A service tag

The correct option is A service tag.

A service tag lets you create an outbound NSG rule that targets the Azure Key Vault service without enumerating IP addresses. Microsoft maintains the underlying IP ranges for the service tag so the rule enforces least privilege while keeping administrative effort minimal.

Azure Private Endpoint is incorrect because a private endpoint requires provisioning and different network configuration to bring the service into your virtual network and it is not the simple NSG destination the question asks for.

An application security group is incorrect because application security groups group virtual machine network interfaces and they do not represent external platform services like Key Vault as a destination.

An IP address range is incorrect because Key Vault uses many IP ranges that change over time, so maintaining explicit IP blocks would be high effort and would not be least privilege when a service tag already represents the service.

When a question asks for least privilege and low management overhead, prefer using service tags for Azure PaaS services. Use private endpoints when you need full VNet isolation and are prepared for extra configuration.
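The outbound rule described above, written as an added Azure PowerShell example (not from the original page); the resource group name and the name and priority of the existing deny rule are assumptions:

```powershell
# Added example: allow the VMs behind NSG-App to reach Azure Key Vault by
# service tag while the deny-all outbound rule stays in place.
# Resource group name and the deny rule's name/priority are assumptions.
$rgName = 'rg-app'   # assumed resource group
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rgName -Name 'NSG-App'

# Least privilege: only HTTPS (443) from the VNet to the AzureKeyVault tag.
# Microsoft maintains the IP ranges behind the tag, so nothing to update by hand.
# The regional form 'AzureKeyVault.WestUS2' narrows it further to one region.
$nsg | Add-AzNetworkSecurityRuleConfig `
    -Name 'Allow-KeyVault-Outbound' `
    -Description 'Allow VMs to reach Key Vault (KeyStoreA) over HTTPS' `
    -Direction Outbound -Access Allow -Protocol Tcp `
    -Priority 100 `
    -SourceAddressPrefix 'VirtualNetwork' -SourcePortRange '*' `
    -DestinationAddressPrefix 'AzureKeyVault' -DestinationPortRange 443 | Out-Null

# The rule that blocks everything else keeps a higher priority number (evaluated later).
# If NSG-App does not already carry such a rule, this is the shape it would have.
if (-not ($nsg.SecurityRules | Where-Object Name -eq 'Deny-Internet-Outbound')) {
    $nsg | Add-AzNetworkSecurityRuleConfig `
        -Name 'Deny-Internet-Outbound' `
        -Direction Outbound -Access Deny -Protocol '*' `
        -Priority 4000 `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix 'Internet' -DestinationPortRange '*' | Out-Null
}

# Commit both rules to the NSG.
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Verify: outbound rules ordered by priority (lowest number wins).
Get-AzNetworkSecurityGroup -ResourceGroupName $rgName -Name 'NSG-App' |
    Get-AzNetworkSecurityRuleConfig |
    Where-Object Direction -eq 'Outbound' |
    Sort-Object Priority |
    Format-Table Name, Priority, Access, DestinationAddressPrefix, DestinationPortRange
```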

Refer to the Fabrikam Technologies case study by opening the following link in a new tab: https://example.com/document/d/2yca6F7b9X/edit?usp=sharing. You must provision a storage account named storage7, and the design must accommodate the planned expansions and future feature additions. Which storage account type should you provision?

  • ✓ B. StorageV2 (general purpose v2)

The correct option is StorageV2 (general purpose v2).

The StorageV2 (general purpose v2) account type provides the broadest feature set and the most flexibility for planned expansions and future feature additions. It supports blobs, files, queues, and tables while also providing access tiers, lifecycle management, advanced replication options, and the latest storage features that new workloads often require.

The BlobStorage option is a legacy blob only account and it lacks many general purpose features that support future extensions and additional services. This legacy status also makes BlobStorage less likely to be the correct choice on newer exams.

The BlockBlobStorage option is a premium block blob account that is optimized for high performance block blob workloads and it does not provide the full set of general purpose features. It is not appropriate when you need a flexible account to support multiple storage services and future features.

When a question highlights future expansions or new features favor the general purpose v2 account type. Look for clues like the need for multiple services or the newest feature set and prioritize flexibility and feature support.

Your organization manages a Microsoft Entra tenant named northwind.onmicrosoft.com, and a User administrator called AdminA tries to invite an external collaborator with the address [email protected] but receives the message “Unable to invite user [email protected]. Generic authorization exception”. You must ensure that AdminA can send the guest invitation. What change should you make?

  • ✓ B. Modify the External collaboration settings on the Users page

The correct option is Modify the External collaboration settings on the Users page.

When an administrator sees a “Generic authorization exception” while inviting a guest, it usually means the tenant’s guest invitation policy is blocking the action. Changing the External collaboration settings on the Users page lets you allow the appropriate roles or users to invite external collaborators and resolves that authorization error.

You can also use the Guest Inviter role or adjust who is allowed to invite guests in those collaboration settings if you want to limit invitations to specific users rather than broad admin roles. The External collaboration settings on the Users page is the correct place to change that behavior.

Create an external identity provider in the Organizational relationships area is incorrect because external identity providers are for letting external users sign in with federated or social identities and they do not control who in your tenant can send guest invitations.

Register a custom domain for the directory from the Custom domain names page is incorrect because adding a custom domain affects identity and email verification for your organization and it does not grant permission to invite guests or override external collaboration policies.

Assign the Security administrator role to AdminA from Roles and administrators is incorrect because the Security administrator role does not inherently grant guest invitation rights. The ability to invite guests is governed by external collaboration settings and specific guest invitation roles rather than the Security administrator role.

When guest invitations fail first check the External collaboration settings to see who is allowed to invite guests before changing user roles.

Your team at NovaSystems recently created a fresh Azure subscription that contains a user named Admin1. Admin1 attempts to deploy a Marketplace item with an Azure Resource Manager template by using Azure PowerShell and receives an error that states legal terms have not been accepted for the item on the subscription and that programmatic deployment must be configured in the Azure portal at http://example.com or the item must be created there first. What should you do to allow Admin1 to deploy the Marketplace item successfully?

  • ✓ C. Run the Set-AzMarketplaceTerms cmdlet in Azure PowerShell

Run the Set-AzMarketplaceTerms cmdlet in Azure PowerShell is the correct action.

The error indicates that the Marketplace offer legal terms have not been accepted for the subscription and Set-AzMarketplaceTerms accepts those publisher terms programmatically so that ARM template and PowerShell deployments can proceed. Running the cmdlet records acceptance for the subscription and removes the need to create the item first in the portal.

Enable programmatic deployment for the Marketplace item in the Azure portal is not the best choice because while you can accept terms or enable programmatic deployment through the portal, the question describes a PowerShell deployment and the appropriate programmatic way to accept the legal terms is to run the cmdlet.

Register the Microsoft.Marketplace resource provider in the Azure portal is incorrect because registering a resource provider addresses resource registration issues and does not accept Marketplace legal terms. The acceptance of offer terms is handled through the Marketplace ordering APIs and the marketplace terms cmdlet.

Assign the Billing administrator role to Admin1 at the subscription scope is incorrect because the billing administrator role does not grant the specific permission to accept Marketplace terms. Accepting terms requires the appropriate Marketplace ordering permission which is typically handled by Owner or Contributor roles or by running the marketplace terms acceptance cmdlet.

When you encounter errors about Marketplace legal terms during scripted deployments remember that you can accept offers programmatically with Set-AzMarketplaceTerms so deployments from PowerShell or templates succeed without manual portal interaction.
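The programmatic acceptance described above, as an added Azure PowerShell example (not from the original page): it reads the Marketplace plan from the template Admin1 is deploying, accepts the terms with Set-AzMarketplaceTerms, then runs the deployment. The template path, resource group and the literal plan values inside the template are assumptions.

```powershell
# Added example: accept Marketplace legal terms for the plan referenced in an
# ARM template, then deploy. Template path and resource group are placeholders.
$templateFile = '.\marketplace-vm.json'   # assumed template path
$rgName       = 'rg-nova'                 # assumed resource group

# Marketplace VM templates carry a "plan" object on the virtual machine resource.
# Assumes the plan fields are literal values, not template expressions.
$template = Get-Content -Path $templateFile -Raw | ConvertFrom-Json
$plan = $template.resources |
    Where-Object { $_.type -eq 'Microsoft.Compute/virtualMachines' -and $_.plan } |
    Select-Object -First 1 -ExpandProperty plan

if (-not $plan) { throw "No Marketplace plan found in $templateFile" }

# Get-AzMarketplaceTerms reports the acceptance state for the current subscription.
$terms = Get-AzMarketplaceTerms -Publisher $plan.publisher -Product $plan.product -Name $plan.name
if (-not $terms.Accepted) {
    # Accepting records the publisher terms for this subscription, which is the
    # same state the portal's programmatic deployment toggle sets.
    $terms | Set-AzMarketplaceTerms -Accept | Out-Null
    Write-Host "Accepted terms for $($plan.publisher)/$($plan.product)/$($plan.name)"
}
else {
    Write-Host 'Terms already accepted for this subscription'
}

# The deployment that previously failed with the legal terms error.
New-AzResourceGroupDeployment -ResourceGroupName $rgName -TemplateFile $templateFile
```

Acceptance is per subscription, so the same offer must be accepted again in any other subscription that deploys it.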

A fintech startup called Meridian Labs monitors its cloud resources. What is the default interval at which platform metrics are collected?

  • ✓ B. 60 seconds

60 seconds is correct.

Google Cloud Monitoring collects most platform metrics at a default interval of 60 seconds. This one minute granularity is the standard for built in service and system metrics so you get timely data without excessive ingestion rates.

There are exceptions where collection frequency can differ, for example metrics created by agents or custom metrics can be configured to report at different intervals. Those cases are configurable and do not change the default platform metric resolution of 60 seconds.

2 minutes is incorrect because the default interval is shorter at one minute. A two minute default would reduce the temporal resolution that Cloud Monitoring provides by default for platform metrics.

5 minutes is incorrect because that interval is much longer than the default. Five minute sampling is not the standard for Google Cloud platform metrics and would miss finer changes in resource behavior.

30 seconds is incorrect because the default is not that frequent. Some agents or custom setups can collect faster, but the platform default for built in metrics is one minute.

When a question asks about default metric granularity remember that Google Cloud platform metrics use a default of 1 minute unless an agent or custom metric explicitly changes it.

You manage an Azure storage account named archiveacct2 that contains a blob container named monthlybackups. You need to ensure that any new blobs added to monthlybackups cannot be changed or deleted for 12 months. What should you configure?

  • ✓ C. A time based immutability policy on the container

The correct option is A time based immutability policy on the container.

A time based immutability policy on the container enforces a retention period at the container level and prevents blobs from being modified or deleted for the configured time. You can set the policy to 12 months and lock it so that any new blobs added to the container remain immutable for that retention window.

A stored access policy for SAS tokens is used to manage and revoke SAS tokens and to control delegated access windows and permissions but it does not make blobs immutable or prevent deletion for a set retention period.

Access tier only affects storage performance and cost by classifying blobs as hot, cool, or archive, and it does not provide any mechanism to lock blobs against modification or deletion.

Access control and role assignments (IAM) control who has permissions to perform actions but they do not enforce a time based retention that prevents changes or deletions regardless of identity and they cannot replace an immutability policy.

When a question asks to prevent changes or deletion for a specific time frame think of immutable storage and time based immutability policies rather than SAS or IAM controls.
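The container level policy described above, as an added Azure PowerShell example (not from the original page): the resource group name is an assumption, and because the cmdlet takes the retention period in days, 12 months is expressed as 365.

```powershell
# Added example: time-based retention on the monthlybackups container, locked so
# it cannot be shortened or removed. Resource group name is an assumption.
$rgName        = 'rg-archive'      # assumed resource group
$account       = 'archiveacct2'
$container     = 'monthlybackups'
$retentionDays = 365               # 12 months, expressed in days for the cmdlet

# Create (or update) the policy. It starts in the Unlocked state.
$policy = Set-AzRmStorageContainerImmutabilityPolicy `
    -ResourceGroupName $rgName -StorageAccountName $account `
    -ContainerName $container -ImmutabilityPeriod $retentionDays

# An unlocked policy can still be reduced or deleted by an administrator, so on
# its own it does not guarantee the 12 months. Locking is irreversible: the
# period can only be extended afterwards and the policy can no longer be removed.
Lock-AzRmStorageContainerImmutabilityPolicy `
    -ResourceGroupName $rgName -StorageAccountName $account `
    -ContainerName $container -Etag $policy.Etag -Force

# Verify that the container reports a locked policy with the expected period.
Get-AzRmStorageContainerImmutabilityPolicy `
    -ResourceGroupName $rgName -StorageAccountName $account -ContainerName $container |
    Format-List ImmutabilityPeriodSinceCreationInDays, State
```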

You migrated services from one subscription to another by using PowerShell and afterwards you observed that role assignments applied directly to virtual machines are now orphaned while the assignments at the resource group level remain intact. What should you identify as the root cause?

  • ✓ C. When a resource that has a role assigned directly to it or to a nested resource is moved the role assignment does not transfer and becomes orphaned

When a resource that has a role assigned directly to it or to a nested resource is moved the role assignment does not transfer and becomes orphaned is the correct answer.

When a resource that has a role assigned directly to it or to a nested resource is moved the role assignment does not transfer and becomes orphaned describes a known behavior of Azure role based access control and resource moves. Role assignments that are scoped at the resource or nested resource level do not automatically get remapped when the resource is moved between subscriptions. Resource group level assignments remain intact because they are applied at a different scope and those bindings move with the group or subscription in supported move operations.

You used the classic deployment model rather than Azure Resource Manager for the migration is incorrect because the issue described is about scoped role assignments and how they behave during moves in the Azure Resource Manager model. The classic deployment model relates to an older platform and would not explain why resource scoped role assignments became orphaned after a supported move.

Your user account did not have Microsoft.Authorization permissions required to migrate role assignments is incorrect because insufficient permissions would typically block the move or return explicit authorization errors. The fact that resource group level assignments remained intact indicates that the migration proceeded and that the observed orphaning matches the documented behavior of role assignments at resource scope rather than a permissions failure.

When a question asks about moving resources remember that role assignments scoped directly to a resource often do not move. It helps to think in terms of scope and to plan to reassign roles on moved resources if needed.
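A way to find the orphaned assignments after such a move, as an added Azure PowerShell example (not from the original page): it lists role assignments in the source subscription whose resource scope no longer resolves. The subscription ID is a placeholder.

```powershell
# Added example: detect role assignments left behind at resource scope after a
# cross-subscription move. Subscription ID is a placeholder.
$sourceSubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
Set-AzContext -SubscriptionId $sourceSubscriptionId | Out-Null

# Only assignments scoped to a resource (or nested resource) are affected by a
# move; subscription and resource group scopes have no "/providers/" segment
# under the resource group.
$resourceScope = '^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/'

$orphaned = foreach ($ra in Get-AzRoleAssignment) {
    if ($ra.Scope -notmatch $resourceScope) { continue }

    # Resource-scoped assignment: check whether its target still exists here.
    $res = Get-AzResource -ResourceId $ra.Scope -ErrorAction SilentlyContinue
    if (-not $res) { $ra }
}

$orphaned | Format-Table DisplayName, RoleDefinitionName, Scope -AutoSize

# After review, each orphaned entry is removed from the old scope with
# Remove-AzRoleAssignment and re-created against the moved resource in the
# destination subscription with New-AzRoleAssignment, using the same
# ObjectId and RoleDefinitionName and the resource's new ID as -Scope.
```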

Your organization manages two Azure subscriptions named SubA and SubB and each subscription is associated with a separate Microsoft Entra tenant. SubA has a virtual network named CorporateVNet that contains an Azure virtual machine named AppServer and the network uses the address range 10.20.0.0/16. SubB has a virtual network named PartnerVNet that contains an Azure virtual machine named DBServer and the network uses the address range 10.120.0.0/24. You need to enable network connectivity between CorporateVNet and PartnerVNet. What should you do first?

  • ✓ B. Provision virtual network gateways

Provision virtual network gateways is correct.

Provision virtual network gateways is required to create a VNet to VNet VPN connection that can span separate subscriptions and Microsoft Entra tenants. A virtual network gateway is deployed in each virtual network to terminate the VPN tunnels and to provide encrypted connectivity between CorporateVNet and PartnerVNet without moving resources.

Move CorporateVNet into SubB is unnecessary and often not possible across tenants. Moving a virtual network between subscriptions that belong to different Microsoft Entra tenants is not a simple operation and it is not required to enable network connectivity.

Migrate AppServer virtual machine to SubB is not required because network connectivity is established at the virtual network level and you can connect the VNets without migrating the virtual machine.

Change the address space of PartnerVNet is not needed because the address ranges 10.20.0.0/16 and 10.120.0.0/24 do not overlap so there is no IP conflict preventing connectivity.

When you are asked to connect VNets across subscriptions or tenants first check for overlapping IP address ranges and then decide if virtual network peering is possible or if a virtual network gateway based VPN is required.

Your organization, called Solvex, maintains an Azure subscription that includes a storage account, a resource group, a blob container, and a file share. A coworker named Maya Singh used a single Azure Resource Manager template to deploy a virtual machine and an extra storage account. You need to inspect the ARM template that Maya deployed. The proposed solution is to open the Containers blade. Does this solution meet the requirement?

  • ✓ B. No

No is correct.

The Containers blade in a storage account shows blob containers and file shares and it does not provide access to the ARM template that was used to deploy resources. ARM templates are part of deployment metadata managed by Azure Resource Manager and are not stored where you browse storage data.

To inspect the template that Maya deployed you would open the Resource Group or the subscription in the Azure portal and view the Deployments or open the Template for the specific deployment. You can also retrieve the template with the Azure CLI or PowerShell by querying resource group deployments and downloading the JSON template.

Yes is incorrect because opening the Containers blade only lets you view storage objects and it will not show the deployment template or deployment history.

When asked where to find an ARM template open the resource group or subscription Deployments and view the Template for the deployment. You can also use the Azure CLI or PowerShell to export the template.

A nonprofit named Meridian Solutions manages an Azure Active Directory tenant. They must create a conditional access rule that forces members of the Tenant Administrators group to use multi factor authentication and to sign in from an Azure AD joined device when they connect from unknown networks. A network engineer updates the per user multi factor authentication settings on the MFA page to change user properties. Does this method satisfy the requirement?

  • ✓ B. It does not meet the requirement

It does not meet the requirement is the correct answer.

Changing per user multi factor authentication settings on the MFA page only sets a user level MFA state and it does not create conditional rules that depend on network location or on device join state. Per user MFA cannot require sign in from an Azure AD joined device and it cannot evaluate whether the connection is coming from an unknown network.

You need an Azure AD Conditional Access policy that targets the Tenant Administrators group, applies a location condition for unknown networks and a device state condition for Azure AD joined devices, and requires multi factor authentication as a grant control. Conditional Access can evaluate group membership, device state, and network conditions together and enforce both MFA and device requirements at sign in.

The per user MFA control is considered a legacy mechanism and Microsoft recommends Conditional Access for these scenarios so per user MFA is less likely to be the correct solution on newer exams.

It meets the requirement is incorrect because toggling per user MFA does not enforce device join state or conditional behavior based on unknown networks and therefore cannot satisfy the stated requirement.

When a question combines group membership, device state, and network location, think Conditional Access rather than per user MFA, because Conditional Access can enforce both MFA and device requirements together.

Jira, Scrum & AI Certification

Want to get certified on the most popular software development technologies of the day? These resources will help you get Jira certified, Scrum certified and even AI Practitioner certified so your resume really stands out.

You can even get certified in the latest AI, ML and DevOps technologies. Advance your career today.

Cameron McKenzie is an AWS Certified AI Practitioner, Machine Learning Engineer, Copilot Expert, Solutions Architect and author of many popular books in the software development and Cloud Computing space. His growing YouTube channel training devs in Java, Spring, AI and ML has well over 30,000 subscribers.