Accurate AZ-104 Practice 2021

NEW QUESTION 1

You download an Azure Resource Manager template based on an existing virtual machine. The template will be used to deploy 100 virtual machines.
You need to modify the template to reference an administrative password. You must prevent the password from being stored in plain text.
What should you create to store the password?

• A. Azure Active Directory (AD) Identity Protection and an Azure policy
• B. a Recovery Services vault and a backup policy
• C. an Azure Key Vault and an access policy
• D. an Azure Storage account and an access policy

Answer: C

Explanation:
You can use a template that allows you to deploy a simple Windows VM by retrieving the password that is stored in a Key Vault. Therefore the password is never put in plain text in the template parameter file.
References: https://azure.microsoft.com/en-us/resources/templates/101-vm-secure-password/

NEW QUESTION 2

You create a virtual machine scale set named Scale1. Scale1 is configured as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Box 1:
The Autoscale scale out rule increases the number of VMs by 2 if the CPU threshold is 80% or higher. The initial instance count is 4 and rises to 6 when the 2 extra instances of VMs are added.
Box 2:
The Autoscale scale in rule decreases the number of VMs by 4 if the CPU threshold is 30% or lower. The initial instance count is 4 and thus cannot be reduced to 0 as the minimum instances is set to 2. Instances are only added when the CPU threshold reaches 80%.
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-overview https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-best-practices https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-common-scale-patterns

NEW QUESTION 3

Your on-premises network contains an Active Directory domain named adatum.com that is synced to Azure Active Directory (Azure AD). Password writeback is disabled.
In adatum.com, you create the users shown in the following table.

Which users must sign in from a computer joined to adatum.com?

• A. User2 only
• B. User1 and User3 only
• C. User1, User2, and User3
• D. User2 and User3 only
• E. User1 only

Answer: E

Explanation:
Password writeback is a feature enabled with Azure AD Connect that allows password changes in the cloud to be written back to an existing on-premises directory in real time.
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-writeback

NEW QUESTION 4

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named Developers. Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Dev, you assign the Contributor role to the Developers group. Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation:
The Logic App Contributor role lets you manage logic app, but not access to them. It provides access to view, edit, and update a logic app.
References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app

NEW QUESTION 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following resources:
A virtual network that has a subnet named Subnet1
Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1
A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections
NSG-Subnet1 has the default inbound security rules only.
NSG-VM1 has the default inbound security rules and the following custom inbound security rule:
Priority: 100
Source: Any
Source port range: *
Destination: *
Destination port range: 3389
Protocol: UDP
Action: Allow
VM1 connects to Subnet1. NSG1-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to Subnet1.
You need to be able to establish Remote Desktop connections from the internet to VM1.
Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the Internet source to the VirtualNetwork destination for port range 3389 and uses the UDP protocol.
Does this meet the goal?

• A. Yes
• B. No

Answer: B

NEW QUESTION 6

You have an Azure Active Directory (Azure AD) tenant named adatum.com. Adatum.com contains the groups in the following table.

You create two user accounts that are configured as shown in the following table.

To which groups do User1 and User2 belong? To answer. select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Box 1: Group 1 only First rule applies
Box 2: Group1 and Group2 only Both membership rules apply.
References: https://docs.microsoft.com/en-us/sccm/core/clients/manage/collections/create-collections

NEW QUESTION 7

You have an Azure subscription.
Users access the resources in the subscription from either home or from customer sites. From home, users must establish a point-to-site VPN to access the Azure resources. The users on the customer sites access the Azure resources by using site-to-site VPNs.
You have a line-of-business app named App1 that runs on several Azure virtual machine. The virtual machines run Windows Server 2021.
You need to ensure that the connections to App1 are spread across all the virtual machines.
What are two possible Azure services that you can use? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

• A. a public load balancer
• B. Traffic Manager
• C. an Azure Content Delivery Network (CDN)
• D. an internal load balancer
• E. an Azure Application Gateway

Answer: DE

NEW QUESTION 8

You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:

User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com. You need to create new user accounts in external.contoso.com.onmicrosoft.com.
Solution: You instruct User3 to create the user accounts.

• A. Yes
• B. No

Answer: B

Explanation:
Only a global administrator can add users to this tenant.
References:
https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/add-users-to-azure-ad

NEW QUESTION 9

You have an Azure subscription named Sub1.
You plan to deploy a multi-tiered application that will contain the tiers shown in the following table.

You need to recommend a networking solution to meet the following requirements:
Ensure that communication between the web servers and the business logic tier spreads equally across the virtual machines.
Protect the web servers from SQL injection attacks.
Which Azure resource should you recommend for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Box 1: an internal load balancer
Azure Internal Load Balancer (ILB) provides network load balancing between virtual machines that reside inside a cloud service or a virtual network with a regional scope.
Box 2: an application gateway that uses the WAF tier
Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted
by malicious attacks that exploit commonly known vulnerabilities. References:
https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview

NEW QUESTION 10

You have an Azure subscription named Subscription1.
You have 5 TB of data that you need to transfer to Subscription1. You plan to use an Azure Import/Export job.
What can you use as the destination of the imported data?

• A. Azure Data Lake Store
• B. a virtual machine
• C. the Azure File Sync Storage Sync Service
• D. Azure Blob storage

Answer: D

Explanation:
Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to an Azure datacenter.
The maximum size of an Azure Files Resource of a file share is 5 TB. Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-service

NEW QUESTION 11

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following resources:
A virtual network that has a subnet named Subnet1
Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1
A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections
NSG-Subnet1 has the default inbound security rules only.
NSG-VM1 has the default inbound security rules and the following custom inbound security rule:
Priority: 100
Source: Any
Source port range: *
Destination: *
Destination port range: 3389
Protocol: UDP
Action: Allow
VM1 connects to Subnet1. NSG1-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to Subnet1.
You need to be able to establish Remote Desktop connections from the internet to VM1.
Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the Any source to the VirtualNetwork destination for port range 3389 and uses the TCP protocol. You remove NSG-VM1 from the network interface of VM1.
Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation:
The default port for RDP is TCP port 3389. A rule to permit RDP traffic must be created automatically when you create your VM.
Note on NSG-Subnet1: Azure routes network traffic between all subnets in a virtual network, by default. References:
https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdp-connection

NEW QUESTION 12

You have an Azure subscription that contains the resource groups shown in the following table.

RG1 contains the resources shown in the following table.

RG2 contains the resources shown in the following table.

You need to identify which resources you can move from RG1 to RG2, and which resources you can move from RG2 to RG1.
Which resources should you identify? To answer, select the appropriate options in the answer area.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/governance/blueprints/concepts/resource-locking

NEW QUESTION 13

You have an Azure subscription that contains the storage accounts shown in the following table.

You need to identify which storage account can be converted to zone-redundant storage (ZRS) replication by requesting a live migration from Azure support.
What should you identify?

• A. Storage1
• B. Storage2
• C. Storage3
• D. Storage4

Answer: B

Explanation:
ZRS currently supports standard general-purpose v2, FileStorage and BlockBlobStorage storage account types.

NEW QUESTION 14

You deploy an Azure Kubernetes Service (AKS) cluster that has the network profile shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:

NEW QUESTION 15

You have an Azure subscription named Subcription1 that contains a resource group named RG1. In RG1. you create an internal load balancer named LB1 and a public load balancer named 162.
You need to ensure that an administrator named Admin 1 can manage LB1 and LB2. The solution must follow the principle of least privilege.
Which role should you assign to Admin1 for each task? To answer, select the appropriate options in the answer area.
NOTE: Caen correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:

NEW QUESTION 16

You have an Azure subscription that contains an Azure Directory (Azure AD) tenant named contoso.com. The tenant is synced to the on-premises Active Directory domain. The domain contains the users shown in the following table.

You enable self-service password reset (SSPR) for all users and configure SSPR to have the following authentication methods:
Number of methods required to reset: 2
Methods available to users: Mobile phone, Security questions
Number of questions required to register: 3
Number of questions required to reset: 3 You select the following security questions:
What is your favorite food?
In what city was your first job?
What was the name of your first pet?
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Box 1: No
Administrator accounts are special accounts with elevated permissions. To secure them, the following restrictions apply to changing passwords of administrators:
On-premises enterprise administrators or domain administrators cannot reset their password through
Self-service password reset (SSPR). They can only change their password in their on-premises environment. Thus, we recommend not syncing on-prem AD admin accounts to Azure AD.
An administrator cannot use secret Questions & Answers as a method to reset password. Box 2: Yes
Self-service password reset (SSPR) is an Azure Active Directory feature that enables employees to reset their passwords without needing to contact IT staff.
Box 3: Yes References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment

NEW QUESTION 17

You have an Azure subscription that contains the resources shown in the following table.

You need to create a network interface named NIC1. In which location can you create NIC1?

• A. East US and North Europe only.
• B. East US and West Europe only.
• C. East US, West Europe, and North Europe.
• D. East US only.

Answer: D

Explanation:
A virtual network is required when you create a NIC. Select the virtual network for the network interface. You can only assign a network interface to a virtual network that exists in the same subscription and location as the network interface. Once a network interface is created, you cannot change the virtual network it is assigned to. The virtual machine you add the network interface to must also exist in the same location and subscription as the network interface.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface

NEW QUESTION 18

You have a sync group that has the endpoints shown in the following table.

Cloud tiering is enabled for Endpoint3.
You add a file named File1 to Endpoint1 and a file named File2 to Endpoint2.
You need to identify on which endpoints File1 and File2 will be available within 24 hours of adding the files. What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
File1: Endpoint3 only
Cloud Tiering: A switch to enable or disable cloud tiering. When enabled, cloud tiering will tier files to your Azure file shares. This converts on-premises file shares into a cache, rather than a complete copy of the dataset, to help you manage space efficiency on your server. With cloud tiering, infrequently used or accessed files can be tiered to Azure Files.
File2: Endpoint1, Endpoint2, and Endpoint3 References:
https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-cloud-tiering

NEW QUESTION 19

You need to implement Role1.
Which command should you run before you create Role1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:

NEW QUESTION 20

You need to meet the technical requirement for VM4. What should you create and configure?

• A. an Azure Notification Hub
• B. an Azure Event Hub
• C. an Azure Logic App
• D. an Azure services Bus

Answer: B

Explanation:
Scenario: Create a workflow to send an email message when the settings of VM4 are modified.
You can start an automated logic app workflow when specific events happen in Azure resources or third-party resources. These resources can publish those events to an Azure event grid. In turn, the event grid pushes those events to subscribers that have queues, webhooks, or event hubs as endpoints. As a subscriber, your logic app can wait for those events from the event grid before running automated workflows to perform tasks - without you writing any code.
References:
https://docs.microsoft.com/en-us/azure/event-grid/monitor-virtual-machine-changes-event-grid-logic-app

NEW QUESTION 21
......