AZ-104 : Microsoft Azure Administrator : Part 03
-
You have an Azure subscription named Subscription1 that contains an Azure virtual machine named VM1. VM1 is in a resource group named RG1.
VM1 runs services that will be used to deploy resources to RG1.
You need to ensure that a service running on VM1 can manage the resources in RG1 by using the identity of VM1.
What should you do first?
- From the Azure portal, modify the Managed Identity settings of VM1
- From the Azure portal, modify the Access control (IAM) settings of RG1
- From the Azure portal, modify the Access control (IAM) settings of VM1
- From the Azure portal, modify the Policies settings of RG1
Explanation:
Managed identities for Azure resources provides Azure services with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.
You can enable and disable the system-assigned managed identity for a VM using the Azure portal.
-
You have an Azure subscription that contains a resource group named TestRG.
You use TestRG to validate an Azure deployment.
TestRG contains the following resources:
You need to delete TestRG.
What should you do first?
- Modify the backup configurations of VM1 and modify the resource lock type of VNET1
- Remove the resource lock from VNET1 and delete all data in Vault1
- Turn off VM1 and remove the resource lock from VNET1
- Turn off VM1 and delete all data in Vault1
Explanation:
When you delete a resource group, all of its resources are also deleted. Deleting a resource group deletes all of its template deployments and currently stored operations.
-
You have an Azure DNS zone named adatum.com.
You need to delegate a subdomain named research.adatum.com to a different DNS server in Azure.
What should you do?
- Create an NS record named research in the adatum.com zone.
- Create a PTR record named research in the adatum.com zone.
- Modify the SOA record of adatum.com.
- Create an A record named *.research in the adatum.com zone.
Explanation:
You need to create a name server (NS) record for the zone.
-
DRAG DROP
You have an Azure Active Directory (Azure AD) tenant that has the contoso.onmicrosoft.com domain name.
You have a domain name of contoso.com registered at a third-party registrar.
You need to ensure that you can create Azure AD users that have names containing a suffix of @contoso.com.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
1. Add the custom domain name to your directory
2. Add a DNS entry for the domain name at the domain name registrar
3. Verify the custom domain name in Azure AD
-
You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1.
You need to view the error event from a table named Event.
Which query should you run in Workspace1?
- Get-Event Event | where {$_.EventType == "error"}
- Event | search "error"
- select * from Event where EventType == "error"
- Event | where EventType is "error"
Explanation:
The search operator provides a multi-table/multi-column search experience.
The syntax is:
Table_name | search "search term"
Note:
There are several versions of this question in the exam. The question has three possible correct answers:
1. search in (Event) "error"
2. Event | search "error"
3. Event | where EventType == "error"
Other incorrect answer options you may see on the exam include the following:
1. Get-Event Event | where {$_.EventTye –eq "error"}
2. select * from Event where EventType is "error"
3. search in (Event) * | where EventType –eq "error"
-
You have a registered DNS domain named contoso.com.
You create a public Azure DNS zone named contoso.com.
You need to ensure that records created in the contoso.com zone are resolvable from the internet.
What should you do?
- Create NS records in contoso.com.
- Modify the SOA record in the DNS domain registrar.
- Create the SOA record in contoso.com.
- Modify the NS records in the DNS domain registrar.
-
Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.
Overview
Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market.
Contoso products are manufactured by using blueprint files that the company authors and maintains.
Existing Environment
Currently, Contoso uses multiple types of servers for business operations, including the following:
– File servers
– Domain controllers
– Microsoft SQL Server servers
Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.
You have a public-facing application named App1. App1 is comprised of the following three tiers:
– A SQL database
– A web front end
– A processing middle tier
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
Requirements
Planned Changes
Contoso plans to implement the following changes to the infrastructure:
– Move all the tiers of App1 to Azure.
– Move the existing product blueprint files to Azure Blob storage.
– Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.
Technical Requirements
Contoso must meet the following technical requirements:
– Move all the virtual machines for App1 to Azure.
– Minimize the number of open ports between the App1 tiers.
– Ensure that all the virtual machines for App1 are protected by backups.
– Copy the blueprint files to Azure over the Internet.
– Ensure that the blueprint files are stored in the archive storage tier.
– Ensure that partner access to the blueprint files is secured and temporary.
– Prevent user passwords or hashes of passwords from being stored in Azure.
– Use unmanaged standard storage for the hard disks of the virtual machines.
– Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
– Minimize administrative effort whenever possible.
User Requirements
Contoso identifies the following requirements for users:
– Ensure that only users who are part of a group named Pilot can join devices to Azure AD.
– Designate a new user named Admin1 as the service admin for the Azure subscription.
– Admin1 must receive email alerts regarding service outages.
– Ensure that a new user named User3 can create network objects for the Azure subscription.
-
HOTSPOT
You need to configure the Device settings to meet the technical requirements and the user requirements.
Which two settings should you modify? To answer, select the appropriate settings in the answer area.
Explanation:
Box 1: Selected
Only selected users should be able to join devices
Box 2: Yes
Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
-
You need to meet the user requirement for Admin1.
What should you do?
- From the Azure Active Directory blade, modify the Groups
- From the Azure Active Directory blade, modify the Properties
- From the Subscriptions blade, select the subscription, and then modify the Access control (IAM) settings
- From the Subscriptions blade, select the subscription, and then modify the Properties
Explanation:
Scenario:
– Designate a new user named Admin1 as the service admin for the Azure subscription.
– Admin1 must receive email alerts regarding service outages.
Follow these steps to change the Service Administrator in the Azure portal.
1. Make sure your scenario is supported by checking the limitations for changing the Service Administrator.
2. Sign in to the Azure portal as the Account Administrator.
3. Open Cost Management + Billing and select a subscription.
4. In the left navigation, click Properties.
5. Click Service Admin.
-
You have an on-premises server that contains a folder named D:\Folder1.
You need to copy the contents of D:\Folder1 to the public container in an Azure Storage account named contosodata.
Which command should you run?
- https://contosodata.blob.core.windows.net/public
- azcopy sync D:\folder1 https://contosodata.blob.core.windows.net/public --snapshot
- azcopy copy D:\folder1 https://contosodata.blob.core.windows.net/public --recursive
- az storage blob copy start-batch D:\Folder1 https://contosodata.blob.core.windows.net/public
Explanation:
The azcopy copy command copies a directory (and all of the files in that directory) to a blob container. The result is a directory in the container by the same name.
Incorrect Answers:
B: The azcopy sync command replicates the source location to the destination location. However, the file is skipped if the last modified time in the destination is more recent.
D: The az storage blob copy start-batch command copies multiple blobs to a blob container.
-
You have an Azure subscription.
In the Azure portal, you plan to create a storage account named storage1 that will have the following settings:
– Performance: Standard
– Replication: Zone-redundant storage (ZRS)
– Access tier (default): Cool
– Hierarchical namespace: Disabled
You need to ensure that you can set Account kind for storage1 to BlockBlobStorage.
Which setting should you modify first?
- Performance
- Replication
- Access tier (default)
- Hierarchical namespace
-
You have an Azure subscription named Subscription1 that contains the storage accounts shown in the following table:
You plan to use the Azure Import/Export service to export data from Subscription1.
You need to identify which storage account can be used to export the data.
What should you identify?
- storage1
- storage2
- storage3
- storage4
Explanation:
Azure Import/Export service supports the following types of storage accounts:
– Standard General Purpose v2 storage accounts (recommended for most scenarios)
– Blob Storage accounts
– General Purpose v1 storage accounts (both Classic or Azure Resource Manager deployments)
Azure Import/Export service supports the following storage types:
– Import supports Azure Blob storage and Azure File storage
– Export supports Azure Blob storage
-
HOTSPOT
You have Azure Storage accounts as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Explanation:
Box 1: storageaccount1 and storageaccount2 only
Box 2: All the storage accounts
Note: The three different storage account options are: General-purpose v2 (GPv2) accounts, General-purpose v1 (GPv1) accounts, and Blob storage accounts.
General-purpose v2 (GPv2) accounts are storage accounts that support all of the latest features for blobs, files, queues, and tables.
Blob storage accounts support all the same block blob features as GPv2, but are limited to supporting only block blobs.
General-purpose v1 (GPv1) accounts provide access to all Azure Storage services, but may not have the latest features or the lowest per gigabyte pricing.
-
You have an Azure subscription that includes data in the following locations:
You plan to export data by using an Azure Import/Export job named Export1.
You need to identify the data that can be exported by using Export1.
Which data should you identify?
- DB1
- container1
- Share1
- Table1
-
HOTSPOT
You have an Azure Storage account named storage1.
You have an Azure App Service app named App1 and an app named App2 that runs in an Azure container instance. Each app uses a managed identity.
You need to ensure that App1 and App2 can read blobs from storage1. The solution must meet the following requirements:
– Minimize the number of secrets used.
– Ensure that App2 can only read from storage1 for the next 30 days.
What should you configure in storage1 for each app? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Explanation:
App1: Access keys
App2: Shared access signature (SAS)
A shared access signature (SAS) provides secure delegated access to resources in your storage account without compromising the security of your data. With a SAS, you have granular control over how a client can access your data. You can control what resources the client may access, what permissions they have on those resources, and how long the SAS is valid, among other parameters.
-
HOTSPOT
You need to create an Azure Storage account that meets the following requirements:
– Minimizes costs
– Supports hot, cool, and archive blob tiers
– Provides fault tolerance if a disaster affects the Azure region where the account resides
How should you complete the command? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Explanation:
Box 1: StorageV2
You may only tier your object storage data to hot, cool, or archive in Blob storage and General Purpose v2 (GPv2) accounts. General Purpose v1 (GPv1) accounts do not support tiering.
General-purpose v2 accounts deliver the lowest per-gigabyte capacity prices for Azure Storage, as well as industry-competitive transaction prices.
Box 2: Standard_GRS
Geo-redundant storage (GRS): Cross-regional replication to protect against region-wide unavailability.
Incorrect Answers:
Locally-redundant storage (LRS): A simple, low-cost replication strategy. Data is replicated within a single storage scale unit.
Read-access geo-redundant storage (RA-GRS): Cross-regional replication with read access to the replica. RA-GRS provides read-only access to the data in the secondary location, in addition to geo-replication across two regions, but is more expensive compared to GRS.
-
You have an Azure subscription that contains the resources in the following table.
Store1 contains a file share named data. Data contains 5,000 files.
You need to synchronize the files in the file share named data to an on-premises server named Server1.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
- Create a container instance
- Register Server1
- Install the Azure File Sync agent on Server1
- Download an automation script
- Create a sync group
Explanation:
Step 1 (C): Install the Azure File Sync agent on Server1
The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share.
Step 2 (B): Register Server1.
Register Windows Server with Storage Sync Service
Registering your Windows Server with a Storage Sync Service establishes a trust relationship between your server (or cluster) and the Storage Sync Service.
Step 3 (E): Create a sync group and a cloud endpoint.
A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept in sync with each other. A sync group must contain one cloud endpoint, which represents an Azure file share, and one or more server endpoints. A server endpoint represents a path on a registered server.
-
HOTSPOT
You have an Azure subscription that contains the resources shown in the following table.
The status of VM1 is Running.
You assign an Azure policy as shown in the exhibit. (Click the Exhibit tab.)
You assign the policy by using the following parameters:
– Microsoft.ClassicNetwork/virtualNetworks
– Microsoft.Network/virtualNetworks
– Microsoft.Compute/virtualMachines
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
-
DRAG DROP
You have an Azure subscription that contains a storage account.
You have an on-premises server named Server1 that runs Windows Server 2016. Server1 has 2 TB of data.
You need to transfer the data to the storage account by using the Azure Import/Export service.
In which order should you perform the actions? To answer, move all actions from the list of actions to the answer area and arrange them in the correct order.
NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.
Explanation:
At a high level, an import job involves the following steps:
Step 1: Attach an external disk to Server1 and then run waimportexport.exe
Determine data to be imported, number of drives you need, destination blob location for your data in Azure storage.
Use the WAImportExport tool to copy data to disk drives. Encrypt the disk drives with BitLocker.
Step 2: From the Azure portal, create an import job.
Create an import job in your target storage account in Azure portal. Upload the drive journal files.
Step 3: Detach the external disks from Server1 and ship the disks to an Azure data center.
Provide the return address and carrier account number for shipping the drives back to you.
Ship the disk drives to the shipping address provided during job creation.
Step 4: From the Azure portal, update the import job
Update the delivery tracking number in the import job details and submit the import job.
The drives are received and processed at the Azure data center.
The drives are shipped using your carrier account to the return address provided in the import job.
-
HOTSPOT
You have an Azure subscription that includes the following Azure file shares:
You have the following on-premises servers:
You create a Storage Sync Service named Sync1 and an Azure File Sync group named Group1. Group1 uses share1 as a cloud endpoint.
You register Server1 and Server2 in Sync1. You add D:\Folder1 on Server1 as a server endpoint of Group1.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Explanation:
Box 1: No
Group1 already has a cloud endpoint named Share1.
A sync group must contain one cloud endpoint, which represents an Azure file share, and one or more server endpoints.
Box 2: Yes
Yes, one or more server endpoints can be added to the sync group.
Box 3: Yes
Yes, one or more server endpoints can be added to the sync group.
-
DRAG DROP
You have an Azure subscription named Subscription1.
You create an Azure Storage account named contosostorage, and then you create a file share named data.
Which UNC path should you include in a script that references files from the data file share? To answer, drag the appropriate values to the correct targets. Each value may be used once, more than once or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Explanation:
Box 1: contosostorage
The name of the account
Box 2: file.core.windows.net
Box 3: data
The name of the file share is data.
Example:
-
HOTSPOT
You have an Azure subscription that contains an Azure Storage account.
You plan to copy an on-premises virtual machine image to a container named vmimages.
You need to create the container for the planned image.
Which command should you run? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.