Certified Microsoft AZ-104 Pdf Exam Online

NEW QUESTION 1
HOTSPOT
You manage two Azure subscriptions named Subscription 1 and Subscription2. Subscription! has following virtual networks:

The virtual networks contain the following subnets:

Subscnption2 contains the following virtual network:
- Name: VNETA
• Address space: 10.10.128.0/17
• Region: Canada Central
VNETA contains the following subnets:

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Answer:

• A. Yes
• B. Not Mastered

Answer: A

NEW QUESTION 2

Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Traffic Manager Contributor role at the subscription level to Admin1

• A. Yes
• B. NO

Answer: B

Explanation:
The Traffic Manager Contributor role is not related to Traffic Analytics. Traffic Manager is a service that provides DNS-based load balancing and traffic routing across different regions and endpoints. Traffic Manager Contributor is a role that allows you to create and manage Traffic Manager profiles, endpoints, and geographies1.
Traffic Analytics is a service that provides visibility into user and application activity in your cloud networks. Traffic Analytics analyzes Azure Network Watcher network security group (NSG) flow logs to provide insights into traffic flow in your Azure cloud. With Traffic Analytics, you can visualize network activity, identify hot spots, secure your network, optimize your network deployment, and pinpoint network misconfigurations2.
To enable Traffic Analytics for an Azure subscription, you need to have a role that grants you the following permissions at the subscription level:
✑ Microsoft.Network/applicationGateways/read
✑ Microsoft.Network/connections/read
✑ Microsoft.Network/loadBalancers/read
✑ Microsoft.Network/localNetworkGateways/read
✑ Microsoft.Network/networkInterfaces/read
✑ Microsoft.Network/networkSecurityGroups/read
✑ Microsoft.Network/publicIPAddresses/read
✑ Microsoft.Network/routeTables/read
✑ Microsoft.Network/virtualNetworkGateways/read
✑ Microsoft.Network/virtualNetworks/read
✑ Microsoft.OperationalInsights/workspaces/*
Some of the built-in roles that have these permissions are Owner, Contributor, or Network Contributor3. However, these roles also grant other permissions that may not be necessary or desirable for enabling Traffic Analytics. Therefore, the best practice is to use the principle of least privilege and create a custom role that only has the required permissionsfor enabling Traffic Analytics4.
Therefore, to meet the goal of ensuring that an Azure AD user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription, you should create a custom role with the required permissions and assign it to Admin1 at the subscription level.

NEW QUESTION 3

You have an Azure subscription.
Users access the resources in the subscription from either home or from customer sites. From home, users must establish a point-to-site VPN to access the Azure resources. The users on the customer sites access the Azure resources by using site-to-site VPNs.
You have a line-of-business app named App1 that runs on several Azure virtual machine. The virtual machines run Windows Server 2016.
You need to ensure that the connections to App1 are spread across all the virtual machines.
What are two possible Azure services that you can use? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

• A. a public load balancer
• B. Traffic Manager
• C. an Azure Content Delivery Network (CDN)
• D. an internal load balancer
• E. an Azure Application Gateway

Answer: DE

Explanation:
Line of Business WebAPP works on VMs need internal load balancer. So D is needed. Then deploy WebAPP on VMs, check the link. https://docs.microsoft.com/en-us/azure/application-gateway/quick-create-portal So B is needed as well. The orignal answer is not accomplished.

NEW QUESTION 4
HOTSPOT
You need to meet the connection requirements for the New York office.
What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Answer:

• A. Yes
• B. Not Mastered

Answer: A

NEW QUESTION 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the virtual machines shown in the following table.
You deploy a load balancer that has the following configurations:
•Name: LB1
•Type: Internal
•SKU: Standard
•Virtual network: VNET1
You need to ensure that you can add VM1 and VM2 to the backend pool of LB1. Solution: You create two Standard public IP addresses and associate a Standard SKU
public IP address to the network interface of each virtual machine. Does this meet the goal?

• A. Yes
• B. No

Answer: A

NEW QUESTION 6

You need to move the blueprint files to Azure. What should you do?

• A. Generate a shared access signature (SAS). Map a drive, and then copy the files by using File Explorer.
• B. Use the Azure Import/Export service.
• C. Generate an access ke
• D. Map a drive, and then copy the files by using File Explorer.
• E. Use Azure Storage Explorer to copy the files.

Answer: D

Explanation:
Azure Storage Explorer is a free tool from Microsoft that allows you to work with Azure Storage data on Windows, macOS, and Linux. You can use it to upload and download data from Azure blob storage.
Scenario:
Planned Changes include: move the existing product blueprint files to Azure Blob storage. Technical Requirements include: Copy the blueprint files to Azure over the Internet.
References: https://docs.microsoft.com/en-us/azure/machine-learning/team-data-science- process/move-data-to-azure-blob-using-azure-storage-explorer

NEW QUESTION 7

You have an Azure App Service app named App1 that contains two running instances. You have an autoscale rule configured as shown in the following exhibit.


For the Instance limits scale condition setting, you set Maximum to 5. During a 30-minute period, App1 uses 80 percent of the available memory.
What is the maximum number of instances for App1 during the 30-minute period?

• A. Yes
• B. Not Mastered

Answer: A

NEW QUESTION 8

Your on-premises network contains an SMB share named Share1. You have an Azure subscription that contains the following resources: A web app named webapp1
A virtual network named VNET1
You need to ensure that webapp1 can connect to Share1. What should you deploy?

• A. an Azure Application Gateway
• B. an Azure Active Directory (Azure AD) Application Proxy
• C. an Azure Virtual Network Gateway

Answer: C

Explanation:
A Site-to-Site VPN gateway connection can be used to connect your on- premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device, a VPN gateway, located on- premises that has an externally facing public IP address assigned to it.
A: Application Gateway is for http, https and Websocket - Not SMB
B: Application Proxy is also for accessing web applications on-prem - Not SMB. Application Proxy is a feature of Azure AD that enables users to access on-premises web applicationsfrom a remote client.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

NEW QUESTION 9
HOTSPOT
You have an Azure subscription.
You deploy a virtual machine scale set that is configure as shown in the following exhibit.


Use the drop-down menus to select the answer choice that answers each questions based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.

• A. Yes
• B. Not Mastered

Answer: A

NEW QUESTION 10

You have an Azure subscription named Subscription1.
You have 5 TB of data that you need to transfer to Subscription1. You plan to use an Azure Import/Export job.
What can you use as the destination of the imported data?

• A. Yes
• B. Not Mastered

Answer: A

NEW QUESTION 11

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named Developers. Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Dev, you assign the Contributor role to the Developers group. Does this meet the goal?

• A. Yes
• B. No

Answer: A

Explanation:
The Contributor role grants the ability to create and manage all types of Azure resources, including logic apps. Assigning this role to the Developers group on the Dev resource group will allow them to create logic apps in that scope. Then, References: [Built-in roles for Azure resources] [Azure Logic Apps permissions and access control]

NEW QUESTION 12

You have an Azure subscription that contains a storage account named storage. You have the devices shown in the following table.

From which devices can you use AzCopy to copy data to storage1?

• A. Device1 and Device2 only
• B. Device1, Device2 and Device3
• C. Device’ only
• D. Device and Device3 only

Answer: B

Explanation:
https://learn.microsoft.com/en-us/azure/storage/common/storage-use-azcopy- v10#download-azcopy

NEW QUESTION 13

You are configuring Azure AD authentication for an Azure Storage account named storage1.
You need to ensure that the members of a group named Group1 can upload files by using the Azure portal. The solution must use the principle of least privilege.
Which two roles should you assign to Group1? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

• A. Storage Blob Data Contributor
• B. Reader
• C. Storage Blob Data Reader
• D. Contributor
• E. Storage Account Contributor

Answer: AB

Explanation:
To ensure that the members of Group1 can upload files by using the Azure portal, they need to have both data access and management access to the storage account. Data access refers to the ability to read, write, or delete blob data in the storage account. Management access refers to the ability to view the storage account resources in the Azure portal, but not modify them. The Azure role-based access control (Azure RBAC) system provides built-in roles that encompass common sets of permissions for data access and management access. The Storage Blob Data Contributor role grants read, write, and delete access to blob data in the storage account. The Reader role grants view access to the storage account resources in the Azure portal. Therefore, by assigning both roles to Group1, the members of the group can upload files by using the Azure portal. This solution also follows the principle of least privilege, as the group members are only granted the minimum permissions required to perform the task. References:
✑ Assign an Azure role for access to blob data
✑ Data access from the Azure portal

NEW QUESTION 14

You need to implement a backup solution for App1 after the application is moved. What should you create first?

• A. a recovery plan
• B. an Azure Backup Server
• C. a backup policy
• D. a Recovery Services vault

Answer: D

Explanation:
A Recovery Services vault is a logical container that stores the backup data for each
protected resource, such as Azure VMs. When the backup job for a protected resource runs, it creates a recovery point inside the Recovery Services vault.
Scenario:
There are three application tiers, each with five virtual machines. Move all the virtual machines for App1 to Azure.
Ensure that all the virtual machines for App1 are protected by backups. References: https://docs.microsoft.com/en-us/azure/backup/quick-backup-vm-portal

NEW QUESTION 15

You have two Azure virtual networks named VNet1 and VNet2. VNet1 contains an Azure virtual machine named VM1. VNet2 contains an Azure virtual machine named VM2.
VM1 hosts a frontend application that connects to VM2 to retrieve data.
Users report that the frontend application is slower than usual.
You need to view the average round-trip time (RTT) of the packets from VM1 to VM2. Which Azure Network Watcher feature should you use?

• A. NSG flow logs
• B. Connection troubleshoot
• C. IP flow verify
• D. Connection monitor

Answer: D

Explanation:
https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview#monitoring
The connection monitor capability monitors communication at a regular interval and informs you of reachability, latency, and network topology changes between the VM and the endpoint.
Connection monitor also provides the minimum, average, and maximum latency observed over time. After learning the latency for a connection, you may find that you can decrease the latency by moving your Azure resources to different Azure regions.

NEW QUESTION 16

You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com. The User administrator role is assigned to a user named Admin1.
An external partner has a Microsoft account that uses the user1@outlook.com sign in.
Admin1 attempts to invite the external partner to sign in to the Azure AD tenant and receives the following error message: “Unable to invite user user1@outlook.com – Generic authorization exception.” You need to ensure that Admin1 can invite the external partner to sign in to the Azure AD tenant.
What should you do?

• A. From the Roles and administrators blade, assign the Security administrator role to Admin1.
• B. From the Organizational relationships blade, add an identity provider.
• C. From the Custom domain names blade, add a custom domain.
• D. From the Users settings blade, modify the External collaboration settings.

Answer: D

Explanation:
You can adjust the guest user settings, their access, who can invite them from "External collaboration settings" check this link https://docs.microsoft.com/en-us/azure/active-directory/external-identities/delegate-invitations

NEW QUESTION 17

You have an Azure subscription that contains a storage account named storage1. The storage 1 account contains a container named container! You need to configure access to container 1. The solution must meet the following requirements:
• Only allow read access
• Allow both HTTP and HTTPS protocols.
• Apply access permissions to all the content in the container What should you use?

• A. an access policy
• B. a shared access signature (SAS)
• C. Azure Content Delivery Network (CDN)
• D. access keys

Answer: B

Explanation:
✑ According to the Microsoft documentation, a shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. You can provide a SAS to clients who don’t otherwise have access to your storage account, and delegate access to them for a specified time period and with a specified set of permissions.
✑ A SAS can be used to grant read-only access to a container and its blobs, as well as specify the allowed protocols (HTTP or HTTPS) and the start and expiry time of the access. For more information about creating and using SAS, see Using shared access signatures (SAS).
✑ An access policy is not the correct answer because it is used to define a set of permissions and a time period for a container or a queue, but it does not grant access by itself. An access policy must be associated with a SAS to take effect.
For more information about access policies, see Manage stored access policies for containers and queues.
✑ Azure Content Delivery Network (CDN) is not the correct answer because it is used to cache and deliver content from Azure Storage or other sources, but it does not control the access permissions to the content. For more information about Azure CDN, see [What is Azure Content Delivery Network?].
✑ Access keys are not the correct answer because they are used to authenticate
requests to Azure Storage from any client, but they do not limit the access permissions or the protocols. Using access keys also exposes your storage account to potential unauthorized access if the keys are compromised. For more information about access keys, see [Manage storage account access keys].

NEW QUESTION 18
......