Free Azure Administrator Questions and Answers | AZ-104 Study Guide

Microsoft AZ-104 Certification Exam Topics

Over the past few months, I have been helping software developers, solutions architects, DevOps engineers, and even Scrum Masters who want to learn Microsoft Azure gain the skills and certifications needed to stay competitive in a rapidly evolving industry.

One of the most respected administrator-level Azure certifications available today is the Microsoft Azure Administrator Associate (AZ-104).

So how do you pass the AZ-104 certification? You practice by using AZ-104 exam simulators, going over sample AZ-104 test questions, and taking online AZ-104 practice exams like this one.

Keep practicing until you can consistently answer Microsoft Azure administration questions with confidence.

AZ-104 Administrator Practice Questions

In helping students prepare for this exam, I have identified a number of commonly misunderstood AZ-104 topics that tend to appear in practice questions, which is why this set of AZ-104 questions and answers was created. If you can answer these correctly, you are well on your way to passing the exam.

One important note: these are not AZ-104 exam dumps. There are plenty of braindump websites that focus on shortcuts, but there is no value in earning a certification without real knowledge. These questions are representative of the AZ-104 exam style and subjects but are not duplicates of real exam content.

Now here are the AZ-104 practice questions and answers. Good luck!


Certification Sample Questions

A cloud team at HarborTech has an Azure subscription that contains these resources inside a single virtual network named secure-vnet2. AppServer01 is a virtual machine. WebApp-Service1 is an App Service. example.com is configured in Azure AD Domain Services. You plan to deploy a Bastion host called Bastion-Gateway2 into secure-vnet2. Which of these resources can Bastion-Gateway2 provide secure connectivity to?

  • ❏ A. All listed resources

  • ❏ B. App Service and virtual machine instances together

  • ❏ C. Only Azure AD Domain Services for example.com

  • ❏ D. Only the virtual machines deployed in secure-vnet2

A company named Northwind has an Azure subscription with a virtual network called ProdNet. The network contains four subnets named VPNGateway, Perimeter, Firewall and AppTier. The Firewall subnet hosts two network virtual appliances that inspect traffic between the Perimeter subnet and the AppTier subnet. You must deploy an Azure load balancer for the appliances so that the appliances operate in an active-active configuration with automatic failover and the load balancer distributes traffic to two services in the AppTier subnet that use distinct IP addresses. What three actions should you perform? (Choose 3)

  • ❏ A. Add a frontend IP configuration, a single backend pool and a health probe

  • ❏ B. Deploy a Standard SKU load balancer

  • ❏ C. Add a frontend IP configuration, two backend address pools and a health probe

  • ❏ D. Create two load balancing rules with HA Ports enabled and Floating IP set to enabled

  • ❏ E. Create two load balancing rules with HA Ports enabled and Floating IP set to disabled

  • ❏ F. Deploy a Basic SKU load balancer

You manage an Azure subscription named SubscriptionAlpha that contains two virtual machines called WebVM and DataVM. Both VMs run Windows Server 2019 and WebVM is protected nightly by Azure Backup without using the Microsoft Azure Recovery Services agent. WebVM becomes infected by ransomware that encrypts its volumes. To which location can you restore the most recent backup?

  • ❏ A. Any Windows computer with Internet access

  • ❏ B. Both WebVM and DataVM

  • ❏ C. WebVM only

  • ❏ D. WebVM or a newly created Azure virtual machine

Your team at HarborTech manages an Azure subscription for a small services firm and you must define a custom role that allows assigned users to execute every operation on virtual networks while adhering to least privilege principles. What permission string should you include in the role definition to meet this requirement?

  • ❏ A. "Microsoft.Network/virtualNetworks/write"

  • ❏ B. "Microsoft.Network/virtualNetworks/*"

  • ❏ C. "Microsoft.Network/virtualNetworks/delete"

MeridianApps is configuring alerts based on log entries in Azure Monitor for its cloud services and infrastructure. Which of the following statements about log alerts and action groups are correct? (Choose 2)

  • ❏ A. Metric alerts cannot be created from log queries

  • ❏ B. Log alerts execute the configured query on a repeating schedule and fire when results satisfy the rule

  • ❏ C. Action groups specify the set of notification channels and recipients

  • ❏ D. Log alerts only operate for virtual machines

Open the Northwind Systems case study in a new tab using this link https://example.com/documents/northwind-case-study-002 and use the details to fulfill the Admin1 requirement. What action should you take?

  • ❏ A. Assign Admin1 the Global Administrator role in Microsoft Entra ID

  • ❏ B. Open the Subscriptions blade, select the subscription, and then edit the Properties

  • ❏ C. Open the Subscriptions blade, select the subscription, and then configure Access control (IAM) to grant Admin1 the necessary role

  • ❏ D. Add Admin1 to an Entra ID group and rely on group based role assignments for the subscription

Your Azure subscription contains an availability set named Web-Avail-Set that is configured with five update domains, and a team deploys twenty-seven virtual machines into that availability set. After a planned platform update, what is the minimum number of virtual machines that will remain available?

  • ❏ A. 22

  • ❏ B. 14

  • ❏ C. 26

  • ❏ D. 21

At Northwind Technologies you must improve redundancy for Azure Files NFSv4.1 shares that live in a storage account currently using Locally Redundant Storage and you plan to move the data to Zone Redundant Storage. What supported method should you use to perform this migration?

  • ❏ A. Use the storage account conversion feature in the Azure portal

  • ❏ B. Request a live conversion to be performed by Microsoft Support

  • ❏ C. Perform a manual migration to a new storage account configured for ZRS

  • ❏ D. Attempt a redundancy change using Azure CLI conversion commands

You must deploy a custom ASP.NET application that will run on Internet Information Services on five Azure virtual machines. The virtual machines will be located in the same virtual network and subnet and will only have private IP addresses. The application will use a Microsoft SQL Server database for content storage. You must implement load balancing for the web tier and ensure the application is protected from attacks such as SQL injection and cross-site scripting (XSS). What should you configure?

  • ❏ A. Azure Front Door

  • ❏ B. Azure Load Balancer (internal)

  • ❏ C. Network Security Group

  • ❏ D. Azure Application Gateway

This problem is part of a set that uses the same environment. A company named StratusWorks has three Azure subscriptions called SubA, SubB and SubC that are connected to a Microsoft Entra tenant. The tenant contains a user named Alice, a security group named Devs and a management group named MGRoot. Alice is a member of Devs. SubA and SubB are placed under MGRoot. SubA contains a resource group named AppsRG. AppsRG hosts six Azure Functions. You create these role assignments on MGRoot: Devs is assigned the Reader role and Alice is assigned the User Access Administrator role. You also assign Alice the Virtual Machine Contributor role on SubA and SubB and the Contributor role on AppsRG. Can members of Devs view the configurations of the Azure Functions?

  • ❏ A. No

  • ❏ B. Yes

A cloud operations team manages a virtual machine named AppServer01 in an Azure subscription and the VM was provisioned from a custom Resource Manager template called template-app.json. You receive an alert that AppServer01 will be impacted by host maintenance and you must move AppServer01 to another physical host immediately. You open the Redeploy blade and select Redeploy. Will that action achieve the requirement?

  • ❏ A. No

  • ❏ B. Yes

You have Prod VM 01 running in Azure and you must create six additional virtual machines that match Prod VM 01 exactly while ensuring Prod VM 01 stays online at all times. You navigate to the Prod VM 01 details page in the Azure portal. What should you do next?

  • ❏ A. Capture

  • ❏ B. Redeploy the virtual machine

  • ❏ C. Convert to a virtual machine scale set

  • ❏ D. Export template

Your operations group must relocate several blueprint package files from an on-premises server into Azure blob storage. Which method should you use to transfer these files to Azure storage?

  • ❏ A. Order an Azure Data Box to ship data to Azure

  • ❏ B. Azure Storage Explorer

  • ❏ C. Generate a storage account access key and map a network drive to copy the files with File Explorer

  • ❏ D. Use the Azure Import Export service

You manage an Azure subscription that contains an Azure Active Directory tenant named scrumtuous.com and an Azure Kubernetes Service cluster named AKSProduction. An administrator cannot grant AKSProduction access to users from the scrumtuous.com tenant. What should you do first?

  • ❏ A. Recreate the AKSProduction cluster

  • ❏ B. Create a new namespace inside the AKSProduction cluster

  • ❏ C. Register an OAuth 2.0 authorization endpoint in the scrumtuous.com tenant

  • ❏ D. Enable OpenID Connect based Azure AD authentication for the AKS cluster

Review the Northbridge Systems case study by opening the following document at https://example.com/documents/7G4f2H. You must propose a design for ServiceA that meets the technical constraints. How many subnets should be created within each virtual network for ServiceA?

  • ❏ A. Three subnets per virtual network

  • ❏ B. One subnet per virtual network

  • ❏ C. Two subnets per virtual network

A cloud engineering team at HarborTech will deploy four Azure virtual machines named WebVM1, WebVM2, WebVM3 and WebVM4 to run a web service called SiteAlpha. You need to guarantee that at least two virtual machines remain available if a single datacenter in the region fails. What should you deploy?

  • ❏ A. Distribute the virtual machines across two paired regions

  • ❏ B. Place all virtual machines in the same Availability Zone

  • ❏ C. Place each virtual machine in a different Availability Zone

  • ❏ D. Put all virtual machines into one Availability Set

A technology firm has an Azure Active Directory tenant named example.com that is configured for hybrid coexistence with its on-premises Active Directory. A server named SyncServer01 is running a DirSync synchronization service. After creating a new user in the on-premises directory you need that user to appear in Azure AD immediately. The proposed step is to use Active Directory Sites and Services to force Global Catalog replication on a domain controller. Will this accomplish the immediate synchronization to Azure AD?

  • ❏ A. Yes

  • ❏ B. No

You provision virtual machines across four Azure regions. Each region hosts a virtual network with multiple subnets and all virtual networks are peered in a full mesh arrangement. A user reports that they cannot connect to port 33250 from a virtual machine in one region to a virtual machine in another region. Which options can you use to diagnose this connectivity problem? (Choose 2)

  • ❏ A. Effective security rules

  • ❏ B. Connection troubleshoot

  • ❏ C. Azure Monitor Network Insights

  • ❏ D. IP flow verify

  • ❏ E. Network Watcher topology

While provisioning a Microsoft Storage account for a boutique payments company named Cobalt Ledger which redundancy choices does Azure Storage provide? (Choose 3)

  • ❏ A. Read-Access Geo-Redundant Storage (RA-GRS)

  • ❏ B. Object-Level Redundancy (OLR)

  • ❏ C. Read-Access Geo-Zone-Redundant Storage (RA-GZRS)

  • ❏ D. Locally Redundant Storage (LRS)

  • ❏ E. Distributed Redundancy Storage (DRS)

A subnet named NetA hosts several Azure virtual machines and an NSG named RuleSetA is attached to that subnet. The NSG only contains the default entries. You need to add a rule that stops machines in NetA from accessing the Azure portal while allowing them to reach other internet addresses. Which destination type should you configure in the NSG rule?

  • ❏ A. IP Addresses

  • ❏ B. Any

  • ❏ C. Application security group

  • ❏ D. Service Tag

A startup named Kestrel has an Azure Active Directory tenant called KestrelAD and an Azure subscription called WestSub. KestrelAD contains a security group named DevelopersTeam and WestSub contains a resource group named DevelopmentRG. You need to permit DevelopersTeam to create Azure logic apps in DevelopmentRG. Solution: On DevelopmentRG, you assign the Logic App Contributor role to the DevelopersTeam group. Does this meet the requirement?

  • ❏ A. No the role assignment does not satisfy the requirement

  • ❏ B. Yes the role assignment satisfies the requirement

You administer an Azure virtual machine named SRV01 that runs Windows Server 2022 and was created with the default disk configuration. You sign in to SRV01 as AdminUser, create files on drive C and on drive D, change the screen saver timeout and update the desktop background. You plan to redeploy SRV01. Which of these changes will be removed after the redeploy?

  • ❏ A. New desktop wallpaper

  • ❏ B. Files created on the operating system drive C

  • ❏ C. Files written to the temporary D drive

  • ❏ D. Changed screen saver timeout setting

Your organization manages an Azure subscription and operates data centers in Seattle and Miami. You are setting up the two sites as geo clustered locations for disaster resilience. You must choose an Azure storage redundancy model. Data must be replicated across multiple nodes. Data must be placed on nodes in distinct geographic regions. Data must be readable from the secondary region as well as from the primary region. Which storage redundancy option should you recommend?

  • ❏ A. Geo redundant storage

  • ❏ B. Zone redundant storage

  • ❏ C. Locally redundant storage

  • ❏ D. Read access geo redundant storage

The IT team at Northbridge Systems has enabled Microsoft Entra self service password reset for employees so they can recover forgotten credentials. Which security settings can administrators require for users when they perform a self service password reset? (Choose 2)

  • ❏ A. Apply a minimum password age policy

  • ❏ B. Require smart card authentication during reset

  • ❏ C. Require multi factor authentication as part of the reset process

  • ❏ D. Mandate a verified mobile phone number for authentication

Refer to the Northwind Solutions case study by opening the following link in a new tab and answer based on that document: https://example.com/documents/alpha123. You must configure alerts for VM-A and VM-B to meet the technical requirements. The tasks are:

1. Create a Log Analytics workspace
2. Create an Azure SQL database
3. Collect Windows performance counters from the Log Analytics agents
4. Create an alert rule
5. Configure the Diagnostic settings

Which three tasks should you perform in sequence?

  • ❏ A. 3 then 2 then 4

  • ❏ B. 5 then 2 then 1

  • ❏ C. 1 then 4 then 5

  • ❏ D. 1 then 3 then 4

  • ❏ E. 5 then 2 then 3

  • ❏ F. 2 then 4 then 1

A cloud operations team has two peered virtual networks named HubVNet and SpokeVNet in the same subscription and a network virtual appliance named NVAInspect01 is deployed in HubVNet. How can the team ensure that traffic originating in HubVNet and sent to SpokeVNet is inspected by NVAInspect01 before it arrives in SpokeVNet?

  • ❏ A. Azure Firewall

  • ❏ B. Service endpoint

  • ❏ C. Route table containing user defined routes

  • ❏ D. Local network gateway

Your team plans to move 30 virtual machines from a VMware vCenter environment into an Azure subscription and you have already provisioned a Recovery Services vault. What should you do next?

  • ❏ A. Create a replication policy for Azure Site Recovery

  • ❏ B. Create and configure an Azure virtual network for the migrated VMs

  • ❏ C. Deploy the Azure Migrate appliance OVA to the vCenter environment

  • ❏ D. Prepare a recovery plan in the Recovery Services vault

A cloud engineering team at Fabrikam needs an Azure Active Directory user named CloudAdmin to have the permissions required to enable Traffic Analytics for an Azure subscription. You grant the Reader role at the subscription scope to CloudAdmin. Does that satisfy the requirement?

  • ❏ A. Assign Log Analytics Contributor role to CloudAdmin

  • ❏ B. Assign Network Contributor role at the subscription to CloudAdmin

  • ❏ C. No this does not satisfy the requirement

  • ❏ D. Yes the Reader role is sufficient

A cloud engineering team at Contoso Labs uses a Bicep template named template.bicep to deploy resources into an Azure subscription. The team intends to create a storage account named storageacct2 inside the resource group RG2. You must update template.bicep so that it can directly deploy resources into RG2. Which file property should be changed?

  • ❏ A. sku

  • ❏ B. location

  • ❏ C. targetScope

  • ❏ D. kind

A cloud team at AzureWave has a subscription named SubscriptionA that contains a virtual network named VNetEastUS. The virtual network is in a resource group named ResourceGroupProd. SubscriptionA has a user named Carol who currently holds the Reader role, the Security Admin role and the Security Reader role. You need to make sure Carol can grant the Reader role for VNetEastUS to other users. What should you do?

  • ❏ A. Assign Carol the Network Contributor role for VNetEastUS

  • ❏ B. Remove Carol from the Security Reader role and assign her the Contributor role for ResourceGroupProd

  • ❏ C. Assign Carol the Owner role for VNetEastUS

  • ❏ D. Assign Carol the Contributor role for VNetEastUS

A small cloud team at Meridian Solutions committed an ARM template called infrav2.json to a public repository and they have a direct URL to that file. Which PowerShell cmdlet and parameter let you deploy the template directly from the remote URL to the resource group “RG02”?

A retail startup named NovaRetail has a virtual machine called webserver01 that connects to a virtual network named corpVNet. The VM resides in a subnet 10.1.5.0/24 and is part of an availability set named AVGroup. No network security group is associated. The VM has a dynamic private IP address 10.1.5.12 and a dynamic public IP 52.160.10.4. You create a Standard Internet facing load balancer named lb-external and you must modify webserver01 as you configure lb-external. Before lb-external can forward traffic to webserver01 what must you do?

  • ❏ A. Remove the public IP address from webserver01

  • ❏ B. Attach a network security group to the VM network interface or subnet

  • ❏ C. Add the VM network interface to the load balancer backend address pool

  • ❏ D. Configure the VM to use a static private IP address

Your Azure subscription named SubProd02 contains a Log Analytics workspace named OpsWorkspace and you need to show only error events from the table named Event. Which query should you run in OpsWorkspace?

  • ❏ A. search in (Event) "error"

  • ❏ B. select * from Event where EventType == "error"

  • ❏ C. Event | where EventType == "error"

  • ❏ D. Get-Event Event | where $_.EventType == "error"

Atlas Retail runs datacenters in Seattle and Chicago and it is setting up those facilities as a geo clustered pair for site resilience. The storage must reside on multiple nodes and it must be located in separate geographic regions and systems must be able to read data from the secondary site as well as from the primary site. Which Azure storage redundancy option should you choose?

  • ❏ A. ZRS

  • ❏ B. GRS

  • ❏ C. LRS

  • ❏ D. RA-GRS

What is Azure Policy mainly used for when controlling resource configurations and checking compliance across an organization?

  • ❏ A. Controlling resource spend by setting budget thresholds and alerts

  • ❏ B. Assigning roles to users and groups for resource access control

  • ❏ C. Applying and enforcing organizational standards and checking compliance across resources

  • ❏ D. Packaging resource templates role assignments and policies for consistent deployments

AZ-104 Sample Questions Answered

A cloud team at HarborTech has an Azure subscription that contains these resources inside a single virtual network named secure-vnet2. AppServer01 is a virtual machine. WebApp-Service1 is an App Service. example.com is configured in Azure AD Domain Services. You plan to deploy a Bastion host called Bastion-Gateway2 into secure-vnet2. Which of these resources can Bastion-Gateway2 provide secure connectivity to?

  • ✓ D. Only the virtual machines deployed in secure-vnet2

The correct answer is Only the virtual machines deployed in secure-vnet2.

Azure Bastion provides secure RDP and SSH access to virtual machines that are deployed inside a virtual network. It is deployed into an AzureBastionSubnet and allows administrators to connect to VMs without assigning public IP addresses to those VMs and without exposing RDP or SSH ports to the internet. This is why Only the virtual machines deployed in secure-vnet2 is the correct choice.

Bastion can also support connections to virtual machines in peered virtual networks when peering and routing are configured to allow it, but it is built specifically to provide remote desktop and shell access to VM instances. It is not a general purpose gateway for platform services or managed domain endpoints.

All listed resources is incorrect because Bastion cannot provide secure connectivity to all of the listed resource types. It supports VM RDP and SSH but it does not directly connect to App Service or act as a remote access gateway for managed domain services.

App Service and virtual machine instances together is incorrect because App Service is a platform service that is accessed through its own endpoints and features and it does not accept RDP or SSH connections via Bastion like a VM does.

Only Azure AD Domain Services for example.com is incorrect because Azure Bastion is not designed to be a direct access method for managed domain services. Bastion can help administrators manage VMs that are joined to the domain, but it does not provide a direct connectivity channel to Azure AD Domain Services as the sole target.

When you see Bastion in a question remember it is intended for secure RDP and SSH access to virtual machines inside a VNet and not for accessing PaaS offerings or managed domain endpoints.

A company named Northwind has an Azure subscription with a virtual network called ProdNet. The network contains four subnets named VPNGateway, Perimeter, Firewall and AppTier. The Firewall subnet hosts two network virtual appliances that inspect traffic between the Perimeter subnet and the AppTier subnet. You must deploy an Azure load balancer for the appliances so that the appliances operate in an active-active configuration with automatic failover and the load balancer distributes traffic to two services in the AppTier subnet that use distinct IP addresses. What three actions should you perform? (Choose 3)

  • ✓ B. Deploy a Standard SKU load balancer

  • ✓ C. Add a frontend IP configuration, two backend address pools and a health probe

  • ✓ D. Create two load balancing rules with HA Ports enabled and Floating IP set to enabled

The correct options are Deploy a Standard SKU load balancer, Add a frontend IP configuration, two backend address pools and a health probe, and Create two load balancing rules with HA Ports enabled and Floating IP set to enabled.

Deploy a Standard SKU load balancer is required because the Standard SKU provides the advanced features and predictable performance that network virtual appliances need in production. The Standard SKU supports multiple backend pools, health probes, HA Ports and the Floating IP semantics used for active-active appliance topologies.

Add a frontend IP configuration, two backend address pools and a health probe is required because you need a frontend IP to receive inbound traffic and distinct backend address pools to map traffic to the two separate AppTier service IPs. The health probe lets the load balancer detect a failed appliance and fail traffic over automatically.

Create two load balancing rules with HA Ports enabled and Floating IP set to enabled is required because there are two services with different target IP addresses, so you need a separate rule for each backend pool. Enabling HA Ports lets one rule load balance all TCP and UDP ports, which appliances performing stateful inspection need, and enabling Floating IP (direct server return) preserves the original destination IP address, which active-active NVA configurations rely on.

Add a frontend IP configuration, a single backend pool and a health probe is incorrect because a single backend pool cannot map traffic to two different target IP addresses in the AppTier. The scenario requires separate backend pools so each service can receive traffic independently.

Create two load balancing rules with HA Ports enabled and Floating IP set to disabled is incorrect because disabling Floating IP breaks the direct server return and destination IP preservation that active-active appliances commonly rely on. Floating IP must be enabled for this active-active inspection pattern.

Deploy a Basic SKU load balancer is incorrect because the Basic SKU lacks many capabilities required for NVAs in production. Basic does not support advanced features such as multiple backend pools, HA Ports and the other availability behaviors that the Standard SKU provides.

When designing active-active NVAs, choose the Standard SKU and verify support for HA Ports and Floating IP. Those features are commonly required for stateful inspection and direct server return.
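As an added example (not code from the original page), the following Azure PowerShell (Az.Network) script builds the load balancer the answer describes: Standard SKU, one internal frontend in the Firewall subnet, two backend pools, one health probe, and two HA Ports rules with Floating IP enabled. The resource group, region, frontend address, probe port and NIC names are assumptions.

```powershell
# Added example, not from the original page. Assumed names: resource group,
# region, frontend address, probe port and the two NVA NIC names.
$rg       = "rg-prodnet"
$location = "eastus"
$vnet     = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "ProdNet"
$fwSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "Firewall"

# Internal frontend in the Firewall subnet: the next hop the Perimeter side routes to.
$frontend = New-AzLoadBalancerFrontendIpConfig -Name "fe-nva" `
    -PrivateIpAddress "10.0.2.10" -SubnetId $fwSubnet.Id        # assumed address

# Two backend pools, one per AppTier target IP, so each service is addressed separately.
$poolSvc1 = New-AzLoadBalancerBackendAddressPoolConfig -Name "be-apptier-svc1"
$poolSvc2 = New-AzLoadBalancerBackendAddressPoolConfig -Name "be-apptier-svc2"

# Health probe on a port the appliances answer on; two missed probes pull an NVA
# out of rotation, which is what gives the active-active pair automatic failover.
$probe = New-AzLoadBalancerProbeConfig -Name "probe-nva" -Protocol Tcp -Port 22 `
    -IntervalInSeconds 5 -ProbeCount 2                          # assumed probe port

# HA Ports is expressed as Protocol All with port 0 on both sides. Floating IP keeps
# the original destination address on the packet so the NVA sees the real target.
$ruleSvc1 = New-AzLoadBalancerRuleConfig -Name "lbr-svc1" -FrontendIpConfiguration $frontend `
    -BackendAddressPool $poolSvc1 -Probe $probe -Protocol All -FrontendPort 0 -BackendPort 0 `
    -EnableFloatingIP
$ruleSvc2 = New-AzLoadBalancerRuleConfig -Name "lbr-svc2" -FrontendIpConfiguration $frontend `
    -BackendAddressPool $poolSvc2 -Probe $probe -Protocol All -FrontendPort 0 -BackendPort 0 `
    -EnableFloatingIP

# Standard SKU is mandatory: HA Ports rules exist only on internal Standard load balancers.
$lb = New-AzLoadBalancer -ResourceGroupName $rg -Name "lb-nva-internal" -Location $location `
    -Sku Standard -FrontendIpConfiguration $frontend -BackendAddressPool $poolSvc1, $poolSvc2 `
    -Probe $probe -LoadBalancingRule $ruleSvc1, $ruleSvc2

# Register each NVA NIC in both pools so both appliances serve both services, and
# enable IP forwarding on the NIC, without which an NVA cannot forward traffic it
# did not originate.
foreach ($nicName in "nic-nva01", "nic-nva02") {                 # assumed NIC names
    $nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name $nicName
    $nic.EnableIPForwarding = $true
    foreach ($pool in $lb.BackendAddressPools) {
        $nic.IpConfigurations[0].LoadBalancerBackendAddressPools.Add($pool)
    }
    Set-AzNetworkInterface -NetworkInterface $nic | Out-Null
}

# Verify the settings the answer hinges on: Standard SKU, two HA Ports rules, floating IP on both.
$lb.Sku.Name
$lb.LoadBalancingRules | Select-Object Name, Protocol, FrontendPort, BackendPort, EnableFloatingIP
```

Pair this with a route table on the Perimeter subnet whose next hop for the AppTier prefix is the frontend address 10.0.2.10, otherwise traffic bypasses the appliances entirely.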

You manage an Azure subscription named SubscriptionAlpha that contains two virtual machines called WebVM and DataVM. Both VMs run Windows Server 2019 and WebVM is protected nightly by Azure Backup without using the Microsoft Azure Recovery Services agent. WebVM becomes infected by ransomware that encrypts its volumes. To which location can you restore the most recent backup?

  • ✓ D. WebVM or a newly created Azure virtual machine

The correct option is WebVM or a newly created Azure virtual machine.

Because WebVM is protected nightly by Azure Backup without using the Microsoft Azure Recovery Services agent, the backup is an Azure VM level backup stored as recovery points in a Recovery Services vault. You can recover the protected VM from those recovery points back to the original VM, or you can create a new Azure virtual machine from the recovery point, which is why WebVM or a newly created Azure virtual machine is correct.

The restore process can produce a full VM or restore managed disks that you can use to build a new VM. Restores are performed inside Azure through the Recovery Services vault and they recreate resources in your subscription rather than simply transferring a backup to an arbitrary external computer.

Any Windows computer with Internet access is incorrect because Azure VM backups are stored and restored through the Recovery Services vault in Azure and you cannot perform a supported one step restore to any external Windows machine over the internet.

Both WebVM and DataVM is incorrect because only WebVM is configured and protected by Azure Backup in this scenario so there are no recovery points available for DataVM.

WebVM only is incorrect because although you can restore back to the original WebVM you also have the supported option to restore to a newly created Azure virtual machine from the available recovery points.

When answering restore questions check which backup method was used and whether recoveries are performed inside Azure. Remember that Azure VM backups can restore to the original VM or to a new VM.
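An added example (not from the original page) of the restore path described above, using Azure PowerShell (Az.RecoveryServices). It restores the newest recovery point for WebVM as managed disks in a separate resource group, which leaves the encrypted VM intact for investigation and avoids overwriting it; the vault, staging storage account and resource group names are assumptions.

```powershell
# Added example, not from the original page. Assumed names: resource group, vault,
# staging storage account and the isolated target resource group.
$rg        = "rg-subscriptionalpha"
$vault     = Get-AzRecoveryServicesVault -ResourceGroupName $rg -Name "rsv-alpha"
$stagingSA = "stalpharestore"        # staging account the restore job writes its config to
$targetRg  = "rg-webvm-restore"      # separate RG so the restored disks never touch the infected VM

# Locate the protected item for WebVM inside the vault.
$container = Get-AzRecoveryServicesBackupContainer -ContainerType AzureVM `
    -FriendlyName "WebVM" -VaultId $vault.ID
$item = Get-AzRecoveryServicesBackupItem -Container $container -WorkloadType AzureVM `
    -VaultId $vault.ID

# Take the newest recovery point from the last week. After ransomware, compare
# RecoveryPointTime with the time of infection and step back further if the newest
# point already contains encrypted volumes.
$end   = (Get-Date).ToUniversalTime()
$start = $end.AddDays(-7)
$rp = Get-AzRecoveryServicesBackupRecoveryPoint -Item $item -StartDate $start -EndDate $end `
    -VaultId $vault.ID | Sort-Object RecoveryPointTime -Descending | Select-Object -First 1
"Restoring recovery point taken at $($rp.RecoveryPointTime) (UTC)"

# Restore the disks into the target resource group. The job details list the disk
# names, which can then be attached to a fresh VM built with New-AzVM.
$job = Restore-AzRecoveryServicesBackupItem -RecoveryPoint $rp `
    -StorageAccountName $stagingSA -StorageAccountResourceGroupName $rg `
    -TargetResourceGroupName $targetRg -VaultId $vault.ID -VaultLocation $vault.Location
Wait-AzRecoveryServicesBackupJob -Job $job -VaultId $vault.ID | Out-Null
Get-AzRecoveryServicesBackupJobDetail -Job $job -VaultId $vault.ID |
    Select-Object -ExpandProperty Properties
```

Restoring as disks rather than replacing the original VM in place gives the incident responder a clean copy to bring up on an isolated network before any traffic is cut over to it.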

Your team at HarborTech manages an Azure subscription for a small services firm and you must define a custom role that allows assigned users to execute every operation on virtual networks while adhering to least privilege principles. What permission string should you include in the role definition to meet this requirement?

  • ✓ B. "Microsoft.Network/virtualNetworks/*"

"Microsoft.Network/virtualNetworks/*" is correct because it grants every operation on virtual network resources while keeping the permission scope limited to the virtualNetworks resource type.

In an Azure custom role the allowed operations are declared in the actions array, and using a trailing /* on the resource type grants all operations, such as read, write, delete and other provider operations, for that specific resource type. That matches the requirement to allow every operation on virtual networks, and it follows least privilege by not granting broader Microsoft.Network provider permissions.

"Microsoft.Network/virtualNetworks/write" is incorrect because it only allows write operations and does not permit read, delete or other actions that are required if the user must execute every operation.

"Microsoft.Network/virtualNetworks/delete" is incorrect because it only allows delete operations and it prevents other necessary actions such as read or update that the requirement includes.

When authoring custom roles prefer scoping to the exact resource type and use resourceType/* to allow all operations on that type. Test the role with a nonprivileged account to verify it grants only the intended permissions.
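As an added example (not from the original page), this Azure PowerShell (Az.Resources) script defines the custom role from the answer and then expands the wildcard with Get-AzProviderOperation so you can see exactly which operations it grants, compared with the broader Microsoft.Network/* pattern it was narrowed from. The role name, description and subscription ID are assumptions.

```powershell
# Added example, not from the original page. The role name, description and
# subscription ID are assumptions; replace the placeholder before running.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder

# Borrow a built-in role object only for its shape, then empty every permission
# list so nothing but the single action below is granted.
$role = Get-AzRoleDefinition -Name "Reader"
$role.Id = $null
$role.IsCustom = $true
$role.Name = "Virtual Network Operator (custom)"
$role.Description = "Every operation on virtual networks and nothing else."
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Network/virtualNetworks/*")
$role.NotActions.Clear()
$role.DataActions.Clear()
$role.NotDataActions.Clear()
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")

New-AzRoleDefinition -Role $role

# Least-privilege check: list the provider operations the wildcard actually covers.
# Anything that shows up here is granted, including child resources such as subnets.
$scoped = @(Get-AzProviderOperation "Microsoft.Network/virtualNetworks/*")
$scoped | Sort-Object Operation | Select-Object Operation, IsDataAction

# Contrast with the provider-wide pattern, which would also grant public IPs, NSGs,
# gateways and every other Microsoft.Network resource type.
$broad = @(Get-AzProviderOperation "Microsoft.Network/*")
"virtualNetworks/* expands to {0} operations; Microsoft.Network/* would expand to {1}" -f `
    $scoped.Count, $broad.Count
```

Run the Get-AzProviderOperation part before creating any custom role: it is the quickest way to confirm a wildcard does not reach further than the requirement, and it needs no elevated permissions.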

MeridianApps is configuring alerts based on log entries in Azure Monitor for its cloud services and infrastructure. Which of the following statements about log alerts and action groups are correct? (Choose 2)

  • ✓ B. Log alerts execute the configured query on a repeating schedule and fire when results satisfy the rule

  • ✓ C. Action groups specify the set of notification channels and recipients

The correct options are Log alerts execute the configured query on a repeating schedule and fire when results satisfy the rule and Action groups specify the set of notification channels and recipients.

Log alerts execute the configured query on a repeating schedule and fire when results satisfy the rule is correct because log alerts run their query against a Log Analytics workspace on the cadence you set and then evaluate the results to determine whether the alert condition is met. This makes them suitable for complex or content based detection where a query result or count is used to trigger an alert.

Action groups specify the set of notification channels and recipients is correct because action groups are reusable collections of notification and action settings that Azure Monitor invokes when an alert fires. They include channels such as email, SMS, webhooks and automation runbooks, and you can attach the same action group to multiple alerts.

Metric alerts cannot be created from log queries is incorrect because metric alerts are intended for numeric metric series while you can also create metrics that originate from logs and then alert on those metrics. The distinction is that metric alerts evaluate time series metrics and log alerts evaluate query results.

Log alerts only operate for virtual machines is incorrect because log alerts apply to any resource that sends logs to a Log Analytics workspace. They are not limited to virtual machines and can monitor applications and platform services when their telemetry is collected.

When deciding between alert types remember that metric alerts evaluate numeric time series and log alerts run queries, and that action groups define who to notify and how to do it.
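The two concepts above in working form, as an added example (not code from the study guide): a scheduled query rule that evaluates a KQL query every five minutes over a fifteen minute window and invokes an existing action group. The resource group, workspace and action group names are assumed, and the Az.Monitor and Az.OperationalInsights modules are assumed to be installed.

```powershell
# Added example, not part of the original page. Assumed names: resource group,
# workspace 'meridian-law' and an action group 'SecOps-Oncall' created beforehand.
$rg          = 'MeridianApps-Monitoring-RG'
$workspace   = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name 'meridian-law'
$actionGroup = Get-AzActionGroup -ResourceGroupName $rg -Name 'SecOps-Oncall'

# KQL the rule runs on every evaluation: computers with more than 20 failed
# Windows sign-ins (event 4625) inside the evaluation window.
$query = @'
SecurityEvent
| where EventID == 4625
| summarize FailedLogons = count() by Computer
| where FailedLogons > 20
'@

# Condition: fire when the query returns at least one row (row count > 0).
$condition = New-AzScheduledQueryRuleConditionObject `
    -Query $query `
    -TimeAggregation 'Count' `
    -Operator 'GreaterThan' `
    -Threshold 0 `
    -FailingPeriodNumberOfEvaluationPeriod 1 `
    -FailingPeriodMinFailingPeriodsToAlert 1

# The rule is scoped to the workspace, evaluated every 5 minutes over the last
# 15 minutes, and calls the action group; the action group decides who is told
# and how (email, SMS, webhook, runbook), not the rule itself.
New-AzScheduledQueryRule `
    -Name 'BruteForce-FailedLogons' `
    -ResourceGroupName $rg `
    -Location $workspace.Location `
    -DisplayName 'Repeated failed sign-ins' `
    -Scope $workspace.ResourceId `
    -Severity 2 `
    -WindowSize ([TimeSpan]::FromMinutes(15)) `
    -EvaluationFrequency ([TimeSpan]::FromMinutes(5)) `
    -CriterionAllOf $condition `
    -ActionGroupResourceId $actionGroup.Id `
    -Enabled
```

Because the action group is a separate resource, the same SecOps-Oncall group can be attached to metric alerts and other log alerts without redefining the recipients.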

Open the Northwind Systems case study in a new tab using this link https://example.com/documents/northwind-case-study-002 and use the details to fulfill the Admin1 requirement. What action should you take?

  • ✓ C. Open the Subscriptions blade, select the subscription, and then configure Access control (IAM) to grant Admin1 the necessary role

The correct option is Open the Subscriptions blade, select the subscription, and then configure Access control (IAM) to grant Admin1 the necessary role.

This approach uses Azure role based access control at the subscription scope so you can grant the specific permissions Admin1 needs without giving excess privileges. Configuring Access control (IAM) lets you choose an appropriate built in or custom role and assign it directly to the user at the subscription level so the requirement is met precisely.

In practice you would open the Subscriptions blade, pick the target subscription, open Access control (IAM), and create a role assignment for Admin1 with the least privilege role that fulfills the Admin1 requirement.

Assign Admin1 the Global Administrator role in Microsoft Entra ID is incorrect because that is a directory wide role and it does not grant subscription level permissions and it would give far more privileges than needed.

Open the Subscriptions blade, select the subscription, and then edit the Properties is incorrect because subscription properties do not control role based access and there is no mechanism in properties to assign RBAC roles.

Add Admin1 to an Entra ID group and rely on group based role assignments for the subscription is incorrect as written because simply adding a user to a group does not grant subscription access unless that group has already been assigned the appropriate role at the subscription via Access control (IAM). You still must configure the role assignment at the subscription scope.

When you need to grant access to an Azure subscription focus on Access control (IAM) and Azure RBAC and assign the least privilege role at the correct scope rather than using directory wide administrator roles.

Your Azure subscription contains an availability set named Web-Avail-Set that is configured with five update domains and a team deploys twenty-seven virtual machines into that availability set. After a planned platform update what is the minimum number of virtual machines that will remain available?

  • ✓ D. 21

The correct answer is 21.

An availability set with five update domains means a planned platform update will affect at most one update domain at a time. With twenty-seven virtual machines Azure distributes them as evenly as possible across the five update domains and the largest domain will contain six VMs because 27 divided by 5 rounded up equals 6. Therefore at most six VMs can be unavailable during the update and that leaves 21 VMs available.

The choice 22 is incorrect because it implies only five VMs would be unavailable. With 27 VMs and five update domains at least one domain will have six VMs so more than five could be impacted during an update.

The choice 26 is incorrect because it implies only one VM would be unavailable. Distributing 27 VMs across five update domains cannot produce a domain with only one VM when Azure balances VMs across domains.

The choice 14 is incorrect because it implies thirteen VMs would be unavailable in a single update domain. That is not possible given the even distribution which yields a maximum of six VMs in one domain for this scenario.

When asked about minimum available VMs divide the total VMs by the number of update domains and round up to find the largest possible number of VMs that could be down in one domain. Remember Azure balances VMs across update domains.

At Northwind Technologies you must improve redundancy for Azure Files NFSv4.1 shares that live in a storage account currently using Locally Redundant Storage and you plan to move the data to Zone Redundant Storage. What supported method should you use to perform this migration?

  • ✓ C. Perform a manual migration to a new storage account configured for ZRS

Perform a manual migration to a new storage account configured for ZRS is correct.

This approach is required because Azure does not support an in place redundancy conversion for Azure Files NFSv4.1 shares in a storage account that is using LRS. You must create a new storage account configured for Zone Redundant Storage and move the data into that account. The move can be done with supported copy tools such as AzCopy or other data transfer options depending on your data size and downtime tolerance.

Use the storage account conversion feature in the Azure portal is not correct because the portal does not provide a one click conversion for Azure Files NFSv4.1 shares from LRS to ZRS. That portal feature is limited in scope and does not apply to all account types and services.

Request a live conversion to be performed by Microsoft Support is not correct because Microsoft Support does not perform live conversions of replication for NFS file shares. There is no supported service where support will convert an existing NFS file share in place to ZRS.

Attempt a redundancy change using Azure CLI conversion commands is not correct because there are no Azure CLI commands that will change replication in place for Azure Files NFSv4.1 shares. The recommended and supported method is to copy the data to a new account that is provisioned with the desired redundancy.

When an exam asks about changing redundancy for Azure Files, think about resource limitations and migration. If the service does not support in place conversion then plan to create a new account with the target redundancy and copy the data.
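Provisioning the migration target described above, as an added example (not code from the study guide): a new premium FileStorage account with Premium_ZRS redundancy and an NFSv4.1 share, locked to the client subnet. Resource group, region, account, VNet and share names are assumed; the subnet is assumed to have the Microsoft.Storage service endpoint enabled.

```powershell
# Added example, not part of the original page. All names below are assumed.
$rg       = 'Northwind-Files-RG'
$location = 'westeurope'       # ZRS requires a region with availability zones
$account  = 'nwfileszrs01'     # 3-24 lowercase letters/digits, globally unique

# NFS shares require a premium FileStorage account. NFSv4.1 carries no transport
# encryption, so the account must not require secure transfer (HTTPS/SMB-encrypted
# only); with that off, network restrictions below become essential.
$sa = New-AzStorageAccount -ResourceGroupName $rg -Name $account -Location $location `
         -SkuName Premium_ZRS -Kind FileStorage `
         -EnableHttpsTrafficOnly $false

# Deny public network access by default and allow only the subnet that hosts the
# NFS clients (that subnet needs the Microsoft.Storage service endpoint).
$subnetId = (Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'nw-vnet' |
             Get-AzVirtualNetworkSubnetConfig -Name 'files-clients').Id
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account `
    -DefaultAction Deny | Out-Null
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $account `
    -VirtualNetworkResourceId $subnetId | Out-Null

# Recreate the share with the NFS protocol and the quota of the source share.
New-AzRmStorageShare -ResourceGroupName $rg -StorageAccountName $account `
    -Name 'blueprints' -EnabledProtocol NFS -RootSquash NoRootSquash -QuotaGiB 1024

# The data copy is a separate step: mount the old LRS share and this new ZRS
# share on a VM in the allowed subnet and copy with a file-level tool (for
# example rsync), then repoint clients at the new account once verified.
```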

You must deploy a custom ASP.NET application that will run on Internet Information Services on five Azure virtual machines. The virtual machines will be located in the same virtual network and subnet and will only have private IP addresses. The application will use a Microsoft SQL Server database for content storage. You must implement load balancing for the web tier and ensure the application is protected from attacks such as SQL injection and cross site scripting (XSS). What should you configure?

  • ✓ D. Azure Application Gateway

The correct option is Azure Application Gateway.

Azure Application Gateway provides layer 7 load balancing and includes an integrated Web Application Firewall that enforces OWASP rules and can block SQL injection and cross site scripting attacks. It can be deployed with an internal frontend using a private IP in the same virtual network and subnet so it can load balance the five private VMs without exposing them to the public internet.

Azure Application Gateway also supports SSL termination, cookie based session affinity, and path based routing which helps when hosting ASP.NET applications and integrating with a backend SQL Server. The WAF focuses on application payload inspection so it is the appropriate choice when you need protection against injection and XSS threats.

Azure Front Door is not appropriate because it is a global, edge optimized service intended for internet facing traffic and for accelerating and protecting public endpoints. It is not the right fit when the web tier and VMs must remain private and only have private IP addresses.

Azure Load Balancer (internal) provides internal layer 4 load balancing for TCP and UDP but it does not inspect HTTP payloads and it does not include a web application firewall. It cannot protect against SQL injection or XSS so it does not meet the application security requirement.

Network Security Group is useful for network level access control by allowing or denying traffic on ports and IP ranges but it operates at the packet level and cannot perform deep inspection of HTTP requests. It cannot provide WAF capabilities and so it cannot mitigate SQL injection or cross site scripting attacks.

When a scenario requires internal layer 7 load balancing and protection against application threats choose a service with an integrated WAF such as Application Gateway WAF rather than relying only on network level controls.

This problem is part of a set that uses the same environment. A company named StratusWorks has three Azure subscriptions called SubA, SubB and SubC that are connected to a Microsoft Entra tenant. The tenant contains a user named Alice, a security group named Devs and a management group named MGRoot. Alice is a member of Devs. SubA and SubB are placed under MGRoot. SubA contains a resource group named AppsRG. AppsRG hosts six Azure Functions. You create these role assignments on MGRoot: Devs is assigned the Reader role and Alice is assigned the User Access Administrator role. You also assign Alice the Virtual Machine Contributor role on SubA and SubB and the Contributor role on AppsRG. Can members of Devs view the configurations of the Azure Functions?

  • ✓ B. Yes

Yes is correct and members of Devs can view the configurations of the Azure Functions.

The Reader role assigned on the management group MGRoot grants read access across all subscriptions and child resources under that management group and that includes SubA and the AppsRG that hosts the functions. Role assignments at a management group scope inherit down to subscriptions resource groups and individual resources so the Reader permission on MGRoot applies to the Azure Functions.

Alice’s individual assignments do not change the fact that Devs members already have read access. The Reader role allows viewing of configuration and settings but not changes so Devs can see the function configurations without having permission to modify them.

No is incorrect because the Devs group was explicitly given the Reader role at the management group level and those read permissions flow down to the subscriptions and resources that contain the Azure Functions.

Remember that role assignments at a management group level inherit down to subscriptions and resources so check effective permissions and the Reader role when deciding if a group can view resource configurations.

A cloud operations team manages a virtual machine named AppServer01 in an Azure subscription and the VM was provisioned from a custom Resource Manager template called template-app.json. You receive an alert that AppServer01 will be impacted by host maintenance and you must move AppServer01 to another physical host immediately. You open the Redeploy blade and select Redeploy. Will that action achieve the requirement?

  • ✓ B. Yes

Yes is correct. Selecting Redeploy for AppServer01 will move the virtual machine to a different physical host immediately while keeping the VM resource and its managed disks intact.

Redeploy instructs the Azure fabric to recreate the VM on a new host node so the OS disk and any attached data disks and the VM configuration created by the Resource Manager template remain unchanged. The temporary local disk is reset during redeploy so any ephemeral data on that disk will be lost. Because the VM was provisioned from a custom Resource Manager template it is still a normal Azure VM resource and can be redeployed in this way.

No is incorrect because Redeploy is explicitly the portal action used to move a VM off a problematic host for maintenance or hardware issues and it accomplishes the requirement to move AppServer01 to another physical host.

When asked about moving a VM off its host remember that Redeploy moves the VM to a new host and preserves managed disks and VM configuration while it clears the temporary disk.

You have Prod VM 01 running in Azure and you must create six additional virtual machines that match Prod VM 01 exactly while ensuring Prod VM 01 stays online at all times. You navigate to the Prod VM 01 details page in the Azure portal. What should you do next?

  • ✓ D. Export template

The correct option is Export template.

Export template creates an Azure Resource Manager template that captures the virtual machine and its dependent resources so you can redeploy identical instances. Exporting does not require generalizing or deallocating the source VM so Prod VM 01 can remain online while you prepare six additional VMs from the template. You can parameterize names and networking settings in the template and then deploy it multiple times to produce matching virtual machines.

Capture is not correct because capturing a VM often requires generalizing the operating system and deallocating or shutting down the VM which would cause downtime. Capture is intended to create an image from a VM rather than to export a deployable ARM template while keeping the source online.

Redeploy the virtual machine is not correct because redeploy moves the VM to a new Azure host to fix infrastructure issues and does not create copies or templates for additional VMs. It is an operational action rather than a cloning or templating workflow.

Convert to a virtual machine scale set is not correct because scale sets are designed for autoscaling and their conversion workflows differ from simply cloning a single VM. Converting or creating a scale set often requires an image and extra configuration and it is not the straightforward way to produce six identical standalone VMs while keeping the original online.

Export the ARM template and parameterize VM names and network resources before deploying multiple instances so you can clone a running VM without downtime.

Your operations group must relocate several blueprint package files from an on-premises server into Azure blob storage. Which method should you use to transfer these files to Azure storage?

  • ✓ B. Azure Storage Explorer

The correct option is Azure Storage Explorer.

Azure Storage Explorer provides a simple graphical interface that lets you connect to a storage account and upload or download blobs directly from your on-premises machine. It supports drag and drop and bulk transfers, so it is the fastest and lowest overhead way to move a few blueprint package files into Azure Blob Storage without ordering hardware or reconfiguring network file shares.

Order an Azure Data Box to ship data to Azure is incorrect because Azure Data Box is intended for very large datasets and it requires ordering, shipping, and ingest procedures that are unnecessary for moving just a few files.

Generate a storage account access key and map a network drive to copy the files with File Explorer is incorrect because mapping a network drive with File Explorer applies to Azure File Shares over SMB and not to Blob storage. Copying directly to blob containers from File Explorer is not supported without additional tooling, so this approach will not work for blob uploads.

Use the Azure Import Export service is incorrect because the Import Export service is an older, disk shipment based method for bulk import and it has been largely superseded by Azure Data Box for large scale imports. It is not the practical choice for transferring a small set of files.

When the payload is small use Azure Storage Explorer or the Azure portal for direct uploads and reserve physical appliance or disk shipment solutions for very large data transfers.

You manage an Azure subscription that contains an Azure Active Directory tenant named scrumtuous.com and an Azure Kubernetes Service cluster named AKSProduction. An administrator cannot grant AKSProduction access to users from the scrumtuous.com tenant. What should you do first?

  • ✓ D. Enable OpenID Connect based Azure AD authentication for the AKS cluster

Enable OpenID Connect based Azure AD authentication for the AKS cluster is correct. This is the first step to let the AKS cluster trust identities from the scrumtuous.com Azure AD tenant and to accept Azure AD tokens for user authentication.

Enabling the cluster to use Azure AD via OpenID Connect configures the Kubernetes API server to validate tokens and to map Azure AD users and groups to Kubernetes RBAC roles. Once this authentication is enabled you can grant access to users or groups from the scrumtuous.com tenant without changing namespaces or rebuilding the cluster.

Recreate the AKSProduction cluster is incorrect because you do not need to delete and recreate the cluster just to enable Azure AD based authentication. The authentication configuration can be applied without rebuilding the entire cluster.

Create a new namespace inside the AKSProduction cluster is incorrect because namespaces control resource isolation inside Kubernetes and do not configure authentication or trust between AKS and an Azure AD tenant.

Register an OAuth 2.0 authorization endpoint in the scrumtuous.com tenant is incorrect because Azure AD already exposes the required OAuth and OpenID Connect endpoints. The proper first action is to enable OIDC based Azure AD authentication on the AKS cluster so the cluster uses those endpoints for user sign in and token validation.

When a question asks how to allow Azure AD users to access AKS think about enabling Azure AD integration or OpenID Connect first because those features establish trust and token validation between the cluster and the tenant.

Review the Northbridge Systems case study by opening the following document at https://example.com/documents/7G4f2H. You must propose a design for ServiceA that meets the technical constraints. How many subnets should be created within each virtual network for ServiceA?

  • ✓ A. Three subnets per virtual network

The correct option is Three subnets per virtual network.

This arrangement supports a common three tier architecture with separate subnets for public facing endpoints, application services, and data stores. It allows distinct firewall rules and routing per tier which improves isolation and security and it makes it easier to scale and manage each tier independently.

One subnet per virtual network is incorrect because a single subnet forces public and private workloads to share the same layer which prevents fine grained network policies and reduces security isolation.

Two subnets per virtual network is incorrect because combining two tiers into shared subnets still limits traffic segmentation and policy separation and it does not provide the clear isolation between application and data layers that a three subnet design offers.

When a question asks about number of subnets count the logical tiers you need to isolate and the distinct network policies you must enforce. Use separate subnets when you need different firewall rules, routing, or scaling for each tier.

A cloud engineering team at HarborTech will deploy four Azure virtual machines named WebVM1, WebVM2, WebVM3 and WebVM4 to run a web service called SiteAlpha. You need to guarantee that at least two virtual machines remain available if a single datacenter in the region fails. What should you deploy?

  • ✓ C. Place each virtual machine in a different Availability Zone

The correct option is Place each virtual machine in a different Availability Zone.

This choice works because Availability Zones are physically separate datacenters inside the same Azure region that provide independent power, cooling, and networking. Distributing virtual machines across Availability Zones ensures that a failure in one datacenter impacts only the resources hosted in that zone so the remaining machines in other zones stay available.

With four VMs spread across separate Availability Zones a single datacenter failure will not take down more than the VMs in that zone and at least two other VMs remain running in the other zones, which meets the requirement.

Distribute the virtual machines across two paired regions is not the best answer because paired regions span separate geographic regions and address region level outages. The question asks specifically about a datacenter failure inside the same region and cross region deployment adds complexity like replication and higher latency that is not required here.

Place all virtual machines in the same Availability Zone is incorrect because putting every VM into one zone means a single datacenter failure could take down all instances and you would not meet the availability requirement.

Put all virtual machines into one Availability Set is incorrect because availability sets protect against hardware and rack failures inside a single datacenter but they do not protect against an entire datacenter outage.

When a question mentions surviving a datacenter failure think about using Availability Zones first and compare them to Availability Sets which only provide protection within the same datacenter.

A technology firm has an Azure Active Directory tenant named example.com that is configured for hybrid coexistence with its on-premises Active Directory. A server named SyncServer01 is running a DirSync synchronization service. After creating a new user in the on-premises directory you need that user to appear in Azure AD immediately. The proposed step is to use Active Directory Sites and Services to force Global Catalog replication on a domain controller. Will this accomplish the immediate synchronization to Azure AD?

  • ✓ B. No

The correct answer is No. Forcing Global Catalog replication on a domain controller will not cause the DirSync synchronization service on SyncServer01 to run and will not immediately push the new user to Azure Active Directory.

Azure AD synchronization is handled by the DirSync or Azure AD Connect process that runs on the synchronization server and it follows its own import and export cycles. The synchronization service must detect and export the change to Azure AD before the user appears in the cloud. For an immediate update you must trigger a sync on SyncServer01 by running the synchronization service or the appropriate sync command or tool on that server to perform a delta or full synchronization.

Note that DirSync is a retired tool and has been replaced by Azure AD Connect. Newer exams are more likely to reference Azure AD Connect and its tooling, but the core point remains that AD replication alone does not invoke the cloud sync process.

Yes is wrong because forcing Global Catalog replication only makes the change available within the on premises Active Directory and does not start the DirSync or Azure AD Connect export that sends changes to Azure Active Directory.

When a question asks about immediate directory changes think about which system performs the export to Azure AD. If you need an immediate result you must trigger the sync on the synchronization server rather than relying only on AD replication.

You provision virtual machines across four Azure regions. Each region hosts a virtual network with multiple subnets and all virtual networks are peered in a full mesh arrangement. A user reports that they cannot connect to port 33250 from a virtual machine in one region to a virtual machine in another region. Which options can you use to diagnose this connectivity problem? (Choose 2)

  • ✓ B. Connection troubleshoot

  • ✓ D. IP flow verify

The correct options are Connection troubleshoot and IP flow verify.

The Connection troubleshoot tool in Azure Network Watcher performs an end to end connectivity test from a chosen source to a destination IP and port and it returns reachability results. It reports the path and any hops or network security group or route entries that block traffic and it is appropriate for testing cross region connectivity across peered virtual networks and specific ports such as 33250.

The IP flow verify feature checks whether a packet from a VM’s network interface to a specified destination IP and port would be allowed or denied by the effective Network Security Group rules and it identifies the rule that made the decision. This lets you confirm whether an NSG is blocking port 33250 without having to generate application traffic.

The Effective security rules view shows the aggregated network security group rules applied to a NIC or subnet and it helps you inspect which rules exist. It does not run an active connectivity test or simulate packet flow across regions so it cannot by itself prove end to end reachability for a specific port.

The Azure Monitor Network Insights capability provides monitoring, diagnostics and visualizations for network resources and it is useful for telemetry and long term analysis. It does not perform targeted, on demand connection tests between two VMs for a single TCP port and it is not the primary tool for immediate port reachability troubleshooting.

The Network Watcher topology feature draws a visual map of resources and their connections within a region and it helps you understand the network layout. It does not execute connectivity checks or validate per port reachability across peered VNets so it will not directly tell you why port 33250 is blocked.

When the question asks about diagnosing a blocked port prefer tools that perform active tests. Use Connection troubleshoot for end to end checks and IP flow verify to see which NSG rule allowed or denied the flow.
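The two active checks in working form, as an added example (not code from the study guide): IP flow verify run on both ends of the flow, then Connection troubleshoot end to end for port 33250. VM names, resource groups and the ephemeral source port are assumed, and the source VM is assumed to have the Network Watcher agent extension installed.

```powershell
# Added example, not part of the original page. VM and resource group names assumed.
$src = Get-AzVM -ResourceGroupName 'rg-eastus'     -Name 'vm-east-01'
$dst = Get-AzVM -ResourceGroupName 'rg-westeurope' -Name 'vm-west-01'

# Private IPs of each VM's primary NIC, needed to describe the packet.
$srcNic = Get-AzNetworkInterface -ResourceId $src.NetworkProfile.NetworkInterfaces[0].Id
$dstNic = Get-AzNetworkInterface -ResourceId $dst.NetworkProfile.NetworkInterfaces[0].Id
$srcIp  = $srcNic.IpConfigurations[0].PrivateIpAddress
$dstIp  = $dstNic.IpConfigurations[0].PrivateIpAddress

# Network Watcher is regional, so use the instance in each VM's region.
$nwSrc = Get-AzNetworkWatcher -Location $src.Location
$nwDst = Get-AzNetworkWatcher -Location $dst.Location

# IP flow verify evaluates the effective NSG rules (NIC plus subnet) of ONE VM.
# A blocked cross-region flow can be denied on either side, so check the source
# outbound and the destination inbound separately. 50000 is an assumed client port.
$out = Test-AzNetworkWatcherIPFlow -NetworkWatcher $nwSrc -TargetVirtualMachineId $src.Id `
          -Direction Outbound -Protocol TCP `
          -LocalIPAddress $srcIp -LocalPort 50000 `
          -RemoteIPAddress $dstIp -RemotePort 33250
$in  = Test-AzNetworkWatcherIPFlow -NetworkWatcher $nwDst -TargetVirtualMachineId $dst.Id `
          -Direction Inbound -Protocol TCP `
          -LocalIPAddress $dstIp -LocalPort 33250 `
          -RemoteIPAddress $srcIp -RemotePort 50000
"Source outbound:     $($out.Access) by rule $($out.RuleName)"
"Destination inbound: $($in.Access) by rule $($in.RuleName)"

# Connection troubleshoot sends a real probe from the source VM and reports the
# hops and any NSG or route issues found on the path across the peered VNets.
$result = Test-AzNetworkWatcherConnectivity -NetworkWatcher $nwSrc `
              -SourceId $src.Id -DestinationId $dst.Id -DestinationPort 33250
"End to end: $($result.ConnectionStatus)"
$result.Hops | Select-Object Type, Address, Issues
```

If IP flow verify returns Deny, the RuleName names the NSG rule to fix; if both directions are Allow but Connection troubleshoot still fails, look at the hop issues for routing or peering problems rather than at NSGs.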

While provisioning a Microsoft Storage account for a boutique payments company named Cobalt Ledger which redundancy choices does Azure Storage provide? (Choose 3)

  • ✓ A. Read-Access Geo-Redundant Storage (RA-GRS)

  • ✓ C. Read-Access Geo-Zone-Redundant Storage (RA-GZRS)

  • ✓ D. Locally Redundant Storage (LRS)

The correct answers are Read-Access Geo-Redundant Storage (RA-GRS), Read-Access Geo-Zone-Redundant Storage (RA-GZRS) and Locally Redundant Storage (LRS).

Read-Access Geo-Redundant Storage (RA-GRS) replicates your data within the primary region and asynchronously to a paired secondary region and it also provides read access to the secondary location which improves availability during a regional outage.

Read-Access Geo-Zone-Redundant Storage (RA-GZRS) adds zone redundancy in the primary region and it also geo-replicates to a secondary region while providing read access to the secondary so it protects against both zone and regional failures.

Locally Redundant Storage (LRS) keeps three copies of your data within a single region to protect against hardware failures but it does not protect against a full datacenter or regional outage.

Object-Level Redundancy (OLR) is not an Azure Storage redundancy option and it appears to be a made up term so it is not correct.

Distributed Redundancy Storage (DRS) is not an Azure Storage redundancy option and it is not recognized in Azure documentation so it is not correct.

Read the option names carefully and focus on whether the question asks for read access to the secondary region or zone level protection because those phrases map directly to RA-GRS and RA-GZRS.

A subnet named NetA hosts several Azure virtual machines and an NSG named RuleSetA is attached to that subnet. The NSG only contains the default entries. You need to add a rule that stops machines in NetA from accessing the Azure portal while allowing them to reach other internet addresses. Which destination type should you configure in the NSG rule?

  • ✓ D. Service Tag

The correct option is Service Tag.

Service Tag lets you match traffic that is destined for a Microsoft service by using a maintained tag rather than individual IP addresses. You can create a deny NSG rule that targets the service tag used by the Azure portal so machines in NetA are prevented from reaching the portal while other outbound traffic to the internet remains allowed by other rules.

IP Addresses is not the right choice because you would have to enumerate the portal IP ranges yourself and those ranges can change. Manually maintaining a long list of addresses is error prone and hard to keep up to date.

Any is not correct because it would match all destinations and that would block access to other internet addresses as well. The requirement is to block only the Azure portal so this would be too broad.

Application security group is not applicable because application security groups are for grouping virtual machines within your virtual network and they do not represent external service endpoints like the Azure portal.

When an NSG needs to target Azure services prefer using service tags because Azure maintains the underlying IP ranges and you avoid keeping long lists of addresses yourself.
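The rule described above in working form, as an added example (not code from the study guide): an outbound deny for the AzurePortal service tag added to RuleSetA, followed by a check of the effective rules on a NIC in NetA. The resource group and NIC name are assumed.

```powershell
# Added example, not part of the original page. Resource group and NIC name assumed.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName 'rg-neta' -Name 'RuleSetA'

# Priority 100 is evaluated before the default outbound rules (AllowVnetOutBound
# 65000, AllowInternetOutBound 65001, DenyAllOutBound 65500), so only portal
# destinations are denied and all other internet traffic still matches the
# default allow. Azure maintains the address ranges behind the service tag.
$nsg = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg `
          -Name 'Deny-AzurePortal-Outbound' `
          -Description 'Block VMs in NetA from reaching the Azure portal' `
          -Access Deny -Direction Outbound -Priority 100 `
          -Protocol '*' `
          -SourceAddressPrefix '*' -SourcePortRange '*' `
          -DestinationAddressPrefix 'AzurePortal' -DestinationPortRange '*'

# Rules are only applied once the NSG is written back.
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Verify on a NIC attached to a VM in NetA: the deny must sort ahead of the
# defaults in the effective (NIC + subnet) outbound rule set.
Get-AzEffectiveNetworkSecurityGroup -ResourceGroupName 'rg-neta' `
        -NetworkInterfaceName 'vm-neta-01-nic' |
    Select-Object -ExpandProperty EffectiveSecurityRules |
    Where-Object Direction -eq 'Outbound' |
    Sort-Object Priority |
    Select-Object Name, Priority, Access, DestinationAddressPrefix
```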

A startup named Kestrel has an Azure Active Directory tenant called KestrelAD and an Azure subscription called WestSub. KestrelAD contains a security group named DevelopersTeam and WestSub contains a resource group named DevelopmentRG. You need to permit DevelopersTeam to create Azure logic apps in DevelopmentRG. Solution: On DevelopmentRG you assign the Logic App Contributor role to the DevelopersTeam group. Does this meet the requirement?

  • ✓ B. Yes, the role assignment satisfies the requirement

The correct answer is Yes, the role assignment satisfies the requirement.

Assigning the built in Logic App Contributor role to the DevelopersTeam group on DevelopmentRG gives the group the permissions required to create and manage logic apps in that resource group. Azure role based access control evaluates the role at the scope it is assigned and a resource group scope allows creating resources inside that group.

Azure role assignments can target Azure Active Directory security groups so members of DevelopersTeam inherit the Logic App Contributor permissions. This assumes the DevelopersTeam group exists in the same Azure AD tenant that the subscription trusts and that no additional, tenant specific restrictions apply.

No, the role assignment does not satisfy the requirement is incorrect because the Logic App Contributor role at the DevelopmentRG scope does provide the ability to create logic apps in that resource group and there is no other built in role required just to create logic apps at that scope.

When you see RBAC questions focus on the exact role name and the scope of the assignment. If the role name clearly grants create rights and it is assigned at the resource group scope then it usually meets the requirement. Also verify the group is in the same Azure AD tenant.
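The group assignment above, plus the effective-access check that the earlier Access control (IAM) and MGRoot inheritance questions rely on, as an added example (not code from the study guide). The member's sign-in name is assumed; the Az.Resources module is assumed to be installed.

```powershell
# Added example, not part of the original page. alice@kestrel.example is assumed.
$group = Get-AzADGroup -DisplayName 'DevelopersTeam'
$rgId  = (Get-AzResourceGroup -Name 'DevelopmentRG').ResourceId

# Scope the assignment to the resource group only: members can create and manage
# logic apps inside DevelopmentRG and gain nothing at subscription or tenant level.
New-AzRoleAssignment -ObjectId $group.Id `
                     -RoleDefinitionName 'Logic App Contributor' `
                     -Scope $rgId

# Effective access for one member at that scope. -ExpandPrincipalGroups includes
# assignments inherited through group membership, and the result also lists
# assignments inherited from parent scopes (subscription, management group),
# which is how a Reader assignment on a management group reaches a resource group.
Get-AzRoleAssignment -SignInName 'alice@kestrel.example' `
                     -Scope $rgId `
                     -ExpandPrincipalGroups |
    Select-Object RoleDefinitionName, Scope, ObjectType, DisplayName
```

An assignment whose Scope is the subscription or a management group rather than DevelopmentRG is inherited, not assigned here; remove or narrow it at the scope where it was created.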

You administer an Azure virtual machine named SRV01 that runs Windows Server 2022 and it was created with the default disk configuration. You sign in to SRV01 as AdminUser and then you create files on drive C and on drive D and you change the screen saver timeout and you update the desktop background. You plan to redeploy SRV01. Which of these changes will be removed after the redeploy?

  • ✓ C. Files written to the temporary D drive

The correct answer is Files written to the temporary D drive.

The temporary D drive is ephemeral and is intended for temporary files and the page file. Redeploying the virtual machine can move it to a different host and that drive is not preserved so any files stored there are removed.

New desktop wallpaper is stored in the user profile or registry on the operating system disk and the OS disk is persistent so the wallpaper remains after a redeploy.

Files created on the operating system drive C are written to the persistent OS disk which is not cleared by a redeploy so those files are retained.

Changed screen saver timeout setting is a user or system setting that is stored on the OS disk and in the registry so a redeploy does not remove that configuration.

Remember that the Azure temporary drive is ephemeral and can be cleared when a VM is redeployed. Keep important data on the OS disk or on Azure managed storage.

Your organization manages an Azure subscription and operates data centers in Seattle and Miami. You are setting up the two sites as geo clustered locations for disaster resilience. You must choose an Azure storage redundancy model. Data must be replicated across multiple nodes. Data must be placed on nodes in distinct geographic regions. Data must be readable from the secondary region as well as from the primary region. Which storage redundancy option should you recommend?

  • ✓ D. Read access geo redundant storage

The correct option is Read access geo redundant storage.

Read access geo redundant storage asynchronously replicates your data to a secondary region and maintains multiple copies on nodes in each region so the data is placed on nodes in distinct geographic regions and is readable from both the primary and the secondary region.

Geo redundant storage does replicate data to a paired region and keeps multiple copies on nodes, but it does not provide read access from the secondary region so it does not meet the requirement for readable secondary-region data.

Zone redundant storage replicates data across availability zones inside a single region and does not place copies in distinct geographic regions, so it cannot provide the cross-region redundancy the question requires.

Locally redundant storage keeps multiple copies within a single data center or within a single region only and it does not replicate data to a secondary geographic region or provide read access from another region.

Focus on keywords like geo and read access in the scenario to distinguish between simple geo replication and read-enabled geo replication.

The IT team at Northbridge Systems has enabled Microsoft Entra self service password reset for employees so they can recover forgotten credentials. Which security settings can administrators require for users when they perform a self service password reset? (Choose 2)

  • ✓ C. Require multi factor authentication as part of the reset process

  • ✓ D. Mandate a verified mobile phone number for authentication

The correct options are Mandate a verified mobile phone number for authentication and Require multi factor authentication as part of the reset process.

Administrators can require users to register and verify authentication methods and one common option is a phone number. When you Mandate a verified mobile phone number for authentication the phone becomes a confirmed method that can be used to prove identity during the self service password reset flow.

Administrators can also enforce additional verification steps during the reset and that is why Require multi factor authentication as part of the reset process is correct. Requiring MFA increases assurance that the person resetting the password is the account owner by forcing a second factor such as an authenticator app, SMS, or phone call.

Apply a minimum password age policy is incorrect because minimum password age is part of a password policy and not a verification requirement that administrators can force users to perform during the reset process. The SSPR controls focus on verifying identity and on password complexity rules rather than enforcing a minimum age at the moment of reset.

Require smart card authentication during reset is incorrect because smart cards are a sign in method for interactive authentication and they are not offered as a verification method in the SSPR verification options. Self service password reset relies on supported verification methods like phone, authenticator apps, email, or other registered methods.

When a question asks what can be required during self service password reset focus on verification methods and MFA settings rather than on general password policy entries like minimum password age.

Refer to the Northwind Solutions case study by opening the following link in a new tab and answer based on that document: https://example.com/documents/alpha123. You must configure alerts for VM-A and VM-B to meet the technical requirements. The tasks are: 1 Create a Log Analytics workspace, 2 Create an Azure SQL database, 3 Collect Windows performance counters from the Log Analytics agents, 4 Create an alert rule, 5 Configure the Diagnostic settings. Which three tasks should you perform in sequence?

  • ✓ D. 1 then 3 then 4

The correct option is 1 then 3 then 4.

You must create the Log Analytics workspace first because it is the destination for the data that the agents and diagnostic settings will send. The workspace needs to exist before you configure collection so that the agents have a target to send performance counters to.

After the workspace exists you collect Windows performance counters from the Log Analytics agents on VM-A and VM-B. The agents must be set to collect the specific performance counters that the alert will evaluate so that the workspace receives the required telemetry.

Only after the workspace is populated with the performance counter data do you create the alert rule. The alert rule evaluates the collected data or log queries and triggers when the configured thresholds are met.

3 then 2 then 4 is wrong because collecting performance counters before the workspace exists would have no place to send data. Including the Azure SQL database is also not required for VM performance alerts.

5 then 2 then 1 is wrong because configuring diagnostic settings before creating the workspace is ineffective since diagnostics need a destination. Creating an Azure SQL database is not needed for collecting VM performance counters or for basic alerting on those counters.

1 then 4 then 5 is wrong because creating an alert before you have configured data collection or diagnostics means the alert has no data to evaluate. Alerts should be created after the data flow is established.

5 then 2 then 3 is wrong because diagnostic settings require a target workspace and should not be configured before the workspace exists. The Azure SQL database is extraneous for this VM performance monitoring scenario.

2 then 4 then 1 is wrong because creating an Azure SQL database first and then an alert before the workspace is created reverses the necessary order for collecting and evaluating VM performance data.

When ordering tasks for monitoring and alerting think about where data must go first. Create the Log Analytics workspace before configuring agents or diagnostic settings and then create alerts only after you are receiving the expected telemetry.

A cloud operations team has two peered virtual networks named HubVNet and SpokeVNet in the same subscription and a network virtual appliance named NVAInspect01 is deployed in HubVNet. How can the team ensure that traffic originating in HubVNet and sent to SpokeVNet is inspected by NVAInspect01 before it arrives in SpokeVNet?

  • ✓ C. Route table containing user defined routes

The correct answer is Route table containing user defined routes.

A route table containing user defined routes lets you create custom routes that override the Azure system routes. You add a route for the SpokeVNet address space with the next hop type set to virtual appliance and the next hop address set to the IP of NVAInspect01, and you associate the route table with the HubVNet subnets where the traffic originates. Packets are then routed to NVAInspect01 first, and the NVA forwards the inspected traffic on to the peered SpokeVNet. User defined routes take precedence over the default peering routes, so this forces inspection before the traffic reaches SpokeVNet.

The option Azure Firewall is incorrect because Azure Firewall is a separate managed firewall service and using it would require deploying and routing traffic to that service rather than to the existing NVAInspect01. The scenario asks how to ensure inspection by the deployed NVA so Azure Firewall does not meet the requirement.

The option Service endpoint is incorrect because service endpoints extend virtual network identity to specific Azure services and they do not control routing between virtual networks or direct traffic to an NVA.

The option Local network gateway is incorrect because a local network gateway represents an on premises VPN device for VPN connections and it is not used to route traffic between peered virtual networks or to an NVA.

When you need to force traffic through an NVA look for answers that mention user defined routes or route tables and remember that UDRs override system routes and can point to a virtual appliance next hop.
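The route selection that this explanation relies on, as an added Python illustration that is not part of the original article: Azure picks the most specific matching prefix and, when prefixes tie, prefers a user defined route over a BGP route and a BGP route over a system route. The VNet address spaces and the NVA address are assumed for the example.

```python
"""Effective-route selection for an Azure subnet (added illustration).

Shows how a user defined route (UDR) on the HubVNet subnets redirects traffic
bound for the peered SpokeVNet to NVAInspect01. The address spaces and the NVA
address below are constructed for the example, not taken from the scenario.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# On equal prefix length Azure prefers User > BGP > System routes.
SOURCE_PRIORITY = {"User": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str                        # address prefix, e.g. "10.2.0.0/16"
    next_hop_type: str                 # VirtualNetwork, VNetPeering, Internet, VirtualAppliance
    source: str                        # "System", "BGP" or "User"
    next_hop_ip: Optional[str] = None  # set only for VirtualAppliance next hops


def effective_route(dest: str, routes: List[Route]) -> Optional[Route]:
    """Return the route Azure would select for dest, or None if nothing matches."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in routes if addr in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    # Longest prefix wins; ties are broken by route source priority.
    return min(
        candidates,
        key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen,
                       SOURCE_PRIORITY[r.source]),
    )


def next_hop_for(dest: str, routes: List[Route]) -> Tuple[str, Optional[str]]:
    """Convenience wrapper returning (next_hop_type, next_hop_ip)."""
    route = effective_route(dest, routes)
    if route is None:
        return ("None", None)
    return (route.next_hop_type, route.next_hop_ip)


# Constructed system routes Azure creates for a HubVNet subnet peered to SpokeVNet
# (assumed address spaces: HubVNet 10.1.0.0/16, SpokeVNet 10.2.0.0/16).
HUB_SYSTEM_ROUTES = [
    Route("10.1.0.0/16", "VirtualNetwork", "System"),
    Route("10.2.0.0/16", "VNetPeering", "System"),
    Route("0.0.0.0/0", "Internet", "System"),
]

# The UDR an administrator adds to a route table associated with the HubVNet
# subnets: same prefix as the peering route, next hop the NVA (assumed 10.1.0.4).
UDR_TO_NVA = Route("10.2.0.0/16", "VirtualAppliance", "User", next_hop_ip="10.1.0.4")


if __name__ == "__main__":
    spoke_host = "10.2.1.5"   # constructed address inside SpokeVNet
    print("without UDR:", next_hop_for(spoke_host, HUB_SYSTEM_ROUTES))
    print("with UDR:   ", next_hop_for(spoke_host, HUB_SYSTEM_ROUTES + [UDR_TO_NVA]))
    # Hub-internal and Internet-bound traffic is not affected by the UDR.
    print("hub host:   ", next_hop_for("10.1.0.9", HUB_SYSTEM_ROUTES + [UDR_TO_NVA]))
    print("internet:   ", next_hop_for("203.0.113.7", HUB_SYSTEM_ROUTES + [UDR_TO_NVA]))
```

In a real deployment the NVA's network interface must also have IP forwarding enabled, otherwise Azure drops the packets the appliance is expected to relay.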

Your team plans to move 30 virtual machines from a VMware vCenter environment into an Azure subscription and you have already provisioned a Recovery Services vault. What should you do next?

  • ✓ B. Create and configure an Azure virtual network for the migrated VMs

The correct answer is Create and configure an Azure virtual network for the migrated VMs.

You must create and configure an Azure virtual network for the migrated VMs because target networking is required before you can place migrated or replicated machines in Azure. The virtual network provides subnets, IP addressing, and connectivity to other Azure resources and to on premises sites, and it is needed for test failovers and the final cutover.

Create a replication policy for Azure Site Recovery is not the immediate next step because replication policies are configured as part of enabling replication and after the target environment including networking is in place. You should prepare the network and complete any necessary discovery before tuning replication settings.

Deploy the Azure Migrate appliance OVA to the vCenter environment is not the correct next action in this scenario because the appliance is used for discovery and assessment. If discovery has already been performed or if the migration path is using the Recovery Services vault you still need a ready target network for the migrated machines.

Prepare a recovery plan in the Recovery Services vault is premature because recovery plans are used to orchestrate failover after replication has been configured and tested. You prepare recovery plans once replication is established and you know the target network and resources.

When a question mentions moving VMs think about the order of operations. First prepare the target environment and networking, then enable discovery and replication, and finally create recovery plans.

A cloud engineering team at Fabrikam needs an Azure Active Directory user named CloudAdmin to have the permissions required to enable Traffic Analytics for an Azure subscription. You grant the Reader role at the subscription scope to CloudAdmin. Does that satisfy the requirement?

  • ✓ C. No this does not satisfy the requirement

The correct answer is No this does not satisfy the requirement.

Enabling Traffic Analytics requires write permissions to configure Network Watcher flow logs and to send data to a Log Analytics workspace. The Reader role grants only read access and cannot create or modify the diagnostic settings or flow logs that Traffic Analytics depends on, so granting Reader at the subscription scope does not allow CloudAdmin to enable Traffic Analytics.

Assign Log Analytics Contributor role to CloudAdmin is incorrect because that role only provides permissions to manage the Log Analytics workspace and does not allow configuring network resources or enabling NSG flow logs which are required to capture traffic for analysis.

Assign Network Contributor role at the subscription to CloudAdmin is incorrect because that role allows creating and modifying network resources and flow logs but does not grant permission to write to or manage the Log Analytics workspace where Traffic Analytics stores its data. Both capabilities are needed to enable the feature.

Yes the Reader role is sufficient is incorrect because Reader is read only and cannot change resource configurations or enable diagnostic settings or flow logs that Traffic Analytics requires.

In practice you need permissions that cover both the network and Log Analytics sides. You can grant both the Network Contributor and Log Analytics Contributor roles together or assign a higher level role such as Contributor or Owner at the appropriate scope to allow enabling Traffic Analytics.

Verify whether the task requires write access or permissions across multiple resource types. If it does then a read only role will not be enough and you may need combined roles or a higher level role.

A cloud engineering team at Contoso Labs uses a Bicep template named template.bicep to deploy resources into an Azure subscription. The team intends to create a storage account named storageacct2 inside the resource group RG2. You must update template.bicep so that it can directly deploy resources into RG2. Which file property should be changed?

  • ✓ C. targetScope

targetScope is correct because the Bicep file must have its deployment scope set to the resource group so it can directly deploy resources into RG2.

The targetScope property in a Bicep file controls whether the template targets a resource group, a subscription, or a tenant. Setting targetScope to resourceGroup causes the template to deploy resources into the specified resource group, and that is why changing this property lets you create storageacct2 inside RG2.

sku is incorrect because that property specifies the pricing tier or performance characteristics of a resource such as a storage account and it does not control which resource group a template deploys to.

location is incorrect because location sets the Azure region for a resource and it does not determine the deployment scope or the resource group that the template targets.

kind is incorrect because that property defines a resource type variation such as a storage account kind and it does not affect whether the Bicep file deploys to RG2 or another scope.

When a question asks about where a template deploys look for properties that control scope and pay special attention to targetScope rather than resource properties like location or sku.

A cloud team at AzureWave has a subscription named SubscriptionA that contains a virtual network named VNetEastUS. The virtual network is in a resource group named ResourceGroupProd. SubscriptionA has a user named Carol who currently holds the Reader role, the Security Admin role and the Security Reader role. You need to make sure Carol can grant the Reader role for VNetEastUS to other users. What should you do?

  • ✓ C. Assign Carol the Owner role for VNetEastUS

Assign Carol the Owner role for VNetEastUS is correct.

Assign Carol the Owner role for VNetEastUS grants Carol the permissions to manage access on that virtual network including the ability to create role assignments. The Owner role includes the Microsoft.Authorization permissions required to assign the Reader role at the VNet scope so she can grant Reader to other users without needing subscription level privileges.

Assign Carol the Network Contributor role for VNetEastUS is incorrect because the Network Contributor role manages networking resources but does not include permissions to create role assignments. It cannot be used to grant the Reader role to other users.

Remove Carol from the Security Reader role and assign her the Contributor role for ResourceGroupProd is incorrect because the Contributor role at the resource group scope still does not allow managing access or creating role assignments. Removing Security Reader is unnecessary for this task and the proposed change does not give the required authorization to grant roles.

Assign Carol the Contributor role for VNetEastUS is incorrect because the Contributor role allows resource management but it does not include the authorization to create role assignments. To let Carol grant the Reader role she needs Owner or a role that includes the Microsoft.Authorization role assignment permissions.

When you need a user to grant roles at a scope check for permissions that include Microsoft.Authorization/roleAssignments and remember that the Owner or User Access Administrator role is required to create role assignments at that scope.
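The permission checks behind the Traffic Analytics question and this one, as an added Python illustration that is not part of the original article: an Azure role permits an action when the action matches one of the role's Actions patterns and none of its NotActions patterns, and role assignments are additive. The role definitions are abridged copies of the built-in roles, and the Traffic Analytics action list is an assumed representative set rather than the authoritative list.

```python
"""Azure RBAC action evaluation (added illustration).

A role permits an action when the action matches at least one Actions pattern
and no NotActions pattern. '*' matches any run of characters including '/',
and matching is case-insensitive. Multiple assignments are additive. The
definitions below are abridged from the built-in roles for illustration only.
"""
import fnmatch
from typing import List

ROLES = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Owner": {"Actions": ["*"], "NotActions": []},
    # Contributor manages resources but is explicitly barred from managing access.
    "Contributor": {"Actions": ["*"], "NotActions": [
        "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action"]},
    "User Access Administrator": {"Actions": [
        "*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"], "NotActions": []},
    "Network Contributor": {"Actions": [
        "Microsoft.Authorization/*/read", "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/*", "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Support/*"],
        "NotActions": []},
    "Log Analytics Contributor": {"Actions": [
        "*/read", "Microsoft.Insights/alertRules/*", "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.OperationalInsights/*", "Microsoft.OperationsManagement/*",
        "Microsoft.Resources/deployments/*", "Microsoft.Support/*"], "NotActions": []},
}

# Assumed representative actions for enabling Traffic Analytics: write an NSG
# flow log and write to the Log Analytics workspace that receives the data.
TRAFFIC_ANALYTICS_ACTIONS = [
    "Microsoft.Network/networkWatchers/flowLogs/write",
    "Microsoft.OperationalInsights/workspaces/write",
]
ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"


def _matches(pattern: str, action: str) -> bool:
    # fnmatch's '*' spans '/' as well, which is exactly Azure's wildcard semantics.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def role_allows(role_name: str, action: str) -> bool:
    """True when the named built-in role permits the action on its own."""
    role = ROLES[role_name]
    allowed = any(_matches(p, action) for p in role["Actions"])
    denied = any(_matches(p, action) for p in role["NotActions"])
    return allowed and not denied


def assigned_roles_allow(role_names: List[str], action: str) -> bool:
    """Assignments are additive: one permitting role at the scope is enough."""
    return any(role_allows(r, action) for r in role_names)


def missing_actions(role_names: List[str], required: List[str]) -> List[str]:
    """Required actions that none of the assigned roles permit."""
    return [a for a in required if not assigned_roles_allow(role_names, a)]


if __name__ == "__main__":
    # CloudAdmin with Reader only, then with the combined roles the explanation suggests.
    print("Reader only, missing:", missing_actions(["Reader"], TRAFFIC_ANALYTICS_ACTIONS))
    combo = ["Network Contributor", "Log Analytics Contributor"]
    print("Combined roles, missing:", missing_actions(combo, TRAFFIC_ANALYTICS_ACTIONS))
    # Carol: Contributor still cannot create role assignments, Owner can.
    for role in ("Contributor", "Owner", "User Access Administrator"):
        print(role, "can assign roles:", role_allows(role, ROLE_ASSIGNMENT_WRITE))
```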

A small cloud team at Meridian Solutions committed an ARM template called infrav2.json to a public repository and they have a direct URL to that file. Which PowerShell cmdlet and parameter let you deploy the template directly from the remote URL to the resource group “RG02”?

  • ✓ New-AzResourceGroupDeployment -ResourceGroupName "RG02" -TemplateUri https://example.com/repos/infrav2.json

The correct answer is New-AzResourceGroupDeployment -ResourceGroupName "RG02" -TemplateUri https://example.com/repos/infrav2.json.

The New-AzResourceGroupDeployment -ResourceGroupName "RG02" -TemplateUri https://example.com/repos/infrav2.json cmdlet deploys an ARM template directly to the named resource group, and the -TemplateUri parameter instructs PowerShell to fetch the template from the provided remote URL. This lets you point to a publicly accessible repository file and deploy it into RG02 without saving the template locally.

New-AzResourceGroupDeployment -ResourceGroupName "RG02" -TemplateFile C:\Templates\infrav2.json is incorrect because it uses the -TemplateFile parameter, which requires a local file path on the machine running PowerShell rather than a remote URL.

New-AzDeployment -Location "eastus" -TemplateUri https://example.com/repos/infrav2.json is incorrect because that cmdlet targets a subscription scoped deployment and it does not accept a -ResourceGroupName parameter to place resources directly into RG02.

When a template is hosted at a URL look for the -TemplateUri parameter and confirm the cmdlet scope matches the target such as resource group versus subscription.

A retail startup named NovaRetail has a virtual machine called webserver01 that connects to a virtual network named corpVNet. The VM resides in a subnet 10.1.5.0/24 and is part of an availability set named AVGroup. No network security group is associated. The VM has a dynamic private IP address 10.1.5.12 and a dynamic public IP 52.160.10.4. You create a Standard Internet facing load balancer named lb-external and you must modify webserver01 as you configure lb-external. Before lb-external can forward traffic to webserver01 what must you do?

  • ✓ B. Attach a network security group to the VM network interface or subnet

The correct answer is: Attach a network security group to the VM network interface or subnet.

You must attach a network security group so you can explicitly allow the load balancer health probes and the inbound application ports to reach the VM. For a Standard internet facing load balancer you need NSG rules that permit the load balancer probe source and the service ports. Attach the NSG to the VM network interface or to the subnet and add rules that allow the probe using the AzureLoadBalancer service tag and the required TCP or HTTP ports for your workload.

Remove the public IP address from webserver01 is not required. A VM can retain a public IP while it is a backend member and removing the public IP is not a prerequisite for traffic to be forwarded through the load balancer.

Add the VM network interface to the load balancer backend address pool is a configuration step you might perform when building the load balancer but it is not the missing action called out in this scenario. The question indicates the absence of an NSG as the blocker, so adding the NIC to a backend pool alone will not allow traffic if probes and inbound flows are blocked.

Configure the VM to use a static private IP address is unnecessary for the load balancer to forward traffic. Dynamic private IP addresses work with Azure load balancer backend pools unless you have a specific design requirement that mandates a static address.

When a load balancer scenario appears check whether network security group rules or health probes are being blocked. Allow the AzureLoadBalancer service tag in your NSG to permit probes and backend traffic.
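How the inbound rules are evaluated for the probe and client flows described above, as an added Python illustration that is not part of the original article. It models first-match evaluation in priority order with the three default inbound rules Azure always adds; the client address and the custom rules are constructed for the example, and the Internet tag is approximated as 0.0.0.0/0.

```python
"""Network security group evaluation for a load-balanced VM (added illustration).

Inbound rules are checked in ascending priority and the first match wins. The
three default rules (65000, 65001, 65500) are always present. The subnet is the
scenario's 10.1.5.0/24; client addresses and custom rules are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Service tags resolved to prefixes. AzureLoadBalancer is the health probe
# source 168.63.129.16. Internet is approximated as 0.0.0.0/0 for this example.
SERVICE_TAGS = {
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "VirtualNetwork": ["10.1.5.0/24"],
    "Internet": ["0.0.0.0/0"],
    "*": ["0.0.0.0/0"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # custom rules use 100-4096; lower numbers are evaluated first
    access: str       # "Allow" or "Deny"
    source: str       # CIDR, single IP or service tag
    dest_port: str    # "80", "1-65535" or "*"


def _source_matches(rule_source: str, src_ip: str) -> bool:
    prefixes = SERVICE_TAGS.get(rule_source, [rule_source])
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def _port_matches(port_spec: str, port: int) -> bool:
    if port_spec == "*":
        return True
    lo, _, hi = port_spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*"),
]


def evaluate_inbound(custom_rules: List[Rule], src_ip: str, dest_port: int) -> Tuple[str, str]:
    """Return (access, rule_name) for the first rule that matches the flow."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if _source_matches(rule.source, src_ip) and _port_matches(rule.dest_port, dest_port):
            return (rule.access, rule.name)
    return ("Deny", "no-match")  # unreachable while the default rules are present


# Constructed custom rules: allow the web port, allow probes explicitly, deny the rest.
ALLOW_HTTP = Rule("Allow-HTTP-In", 100, "Allow", "Internet", "80")
ALLOW_PROBE = Rule("Allow-LB-Probe", 110, "Allow", "AzureLoadBalancer", "*")
LOCKDOWN = Rule("Deny-Other-Inbound", 200, "Deny", "*", "*")

if __name__ == "__main__":
    probe, client = "168.63.129.16", "203.0.113.10"
    print("probe, defaults only:", evaluate_inbound([], probe, 80))
    print("client, defaults only:", evaluate_inbound([], client, 80))
    print("client, HTTP allowed:", evaluate_inbound([ALLOW_HTTP], client, 80))
    # A broad custom deny sits above 65001, so a probe on a port that is not
    # explicitly allowed is dropped and the backend is marked unhealthy.
    print("probe 8080, lockdown:", evaluate_inbound([ALLOW_HTTP, LOCKDOWN], probe, 8080))
    print("probe 8080, with probe rule:",
          evaluate_inbound([ALLOW_HTTP, ALLOW_PROBE, LOCKDOWN], probe, 8080))
```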

Your Azure subscription named SubProd02 contains a Log Analytics workspace named OpsWorkspace and you need to show only error events from the table named Event. Which query should you run in OpsWorkspace?

  • ✓ C. Event | where EventType == "error"

The correct answer is Event | where EventType == "error".

The Event | where EventType == "error" query uses the Kusto Query Language that Log Analytics uses. It starts with the Event table and pipes the results to a where operator that filters rows where the EventType column equals the string "error". This returns only records that match that exact column value.

search in (Event) "error" is incorrect because the search operator performs a full text search across columns and it will match any record that contains the word error anywhere rather than filtering only the EventType column.

select * from Event where EventType == "error" is incorrect because that is SQL style syntax and Log Analytics uses the Kusto Query Language, which does not use select from syntax.

Get-Event Event | where $.EventType == "error" is incorrect because that is PowerShell pipeline syntax and it is not valid in Log Analytics queries.

Remember that Log Analytics uses the Kusto Query Language and queries typically start with the table name followed by a pipe and then filters with where. Practice simple table | where patterns to gain speed on the exam.

Atlas Retail runs datacenters in Seattle and Chicago and it is setting up those facilities as a geo clustered pair for site resilience. The storage must reside on multiple nodes and it must be located in separate geographic regions and systems must be able to read data from the secondary site as well as from the primary site. Which Azure storage redundancy option should you choose?

  • ✓ D. RA-GRS

The correct option is RA-GRS.

RA-GRS stands for Read Access Geo Redundant Storage and it replicates your data to a secondary, paired geographic region while also keeping multiple copies within the primary region. This option provides read access to the replicated data in the secondary region so systems can read from both primary and secondary sites for resilience and for read scaling. That behavior matches the requirement for storage on multiple nodes in separate geographic regions with the ability to read from the secondary site.

ZRS replicates data across availability zones within a single Azure region and it does not provide cross region replication so it cannot meet the requirement to place storage in separate geographic regions.

GRS does replicate data to a secondary region but it does not provide read access to the secondary region unless a failover is initiated. It therefore does not satisfy the requirement to allow reads from both primary and secondary sites.

LRS keeps multiple copies but they are all within a single data center or within a single region. It does not provide geographic redundancy so it cannot meet the cross region resilience requirement.

When a question asks for readable replicas in another region look for keywords like read access or the initials RA in the option name since those indicate the secondary copy can be read without failover.

What is Azure Policy mainly used for when controlling resource configurations and checking compliance across an organization?

  • ✓ C. Applying and enforcing organizational standards and checking compliance across resources

The correct answer is: Applying and enforcing organizational standards and checking compliance across resources.

Azure Policy is the service that lets you define and enforce rules for resource properties so that deployments follow your organization's standards. It evaluates resources continuously and reports their compliance state, and it can enforce rules with effects such as Audit, Deny, and Modify. You can group policies into initiatives for consistent governance across subscriptions and management groups.

Controlling resource spend by setting budget thresholds and alerts is not correct because cost control and budget alerts are handled by Azure Cost Management and Budgets rather than by Azure Policy.

Assigning roles to users and groups for resource access control is not correct because access control is the responsibility of Azure role based access control and not of Azure Policy.

Packaging resource templates, role assignments and policies for consistent deployments is not correct because that describes Azure Blueprints, which is used to compose templates, role assignments and policies into a single artifact and complements Azure Policy rather than replacing it.

When the question focuses on enforcing configuration standards and checking compliance choose Azure Policy and not services that primarily manage costs or user access.

Jira, Scrum & AI Certification

Want to get certified on the most popular software development technologies of the day? These resources will help you get Jira certified, Scrum certified and even AI Practitioner certified so your resume really stands out.

You can even get certified in the latest AI, ML and DevOps technologies. Advance your career today.

Cameron McKenzie is an AWS Certified AI Practitioner, Machine Learning Engineer, Copilot Expert, Solutions Architect and author of many popular books in the software development and Cloud Computing space. His growing YouTube channel training devs in Java, Spring, AI and ML has well over 30,000 subscribers.