AZ-104 : Microsoft Azure Administrator : Part 13

  1. DRAG DROP

    You have an Azure subscription that contains the resources shown in the following table.

    AZ-104 Part 13 Q01 262

    You need to load balance HTTPS connections to vm1 and vm2 by using lb1.

    Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

    AZ-104 Part 13 Q01 263 Question
    AZ-104 Part 13 Q01 263 Answer
  2. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

    After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

    You manage a virtual network named VNet1 that is hosted in the West US Azure region.

    VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.

    You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.

    Solution: From Azure Monitor, you create a metric on Network In and Network Out.

    Does this meet the goal?

    • Yes
    • No
  3. Case study

    This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

    To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

    At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

    To start the case study
    To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.

    Overview

    Litware, Inc. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.

    The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York office has 200 employees.

    All the resources used by Litware are hosted on-premises.

    Litware creates a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain named litware.onmicrosoft.com. The tenant uses the Premium P1 pricing tier.

    Existing Environment

    The network contains an Active Directory forest named litware.com. All domain controllers are configured as DNS servers and host the litware.com DNS zone.

    Litware has finance, human resources, sales, research, and information technology departments. Each department has an organizational unit (OU) that contains all the accounts of that respective department. All the user accounts have the department attribute set to their respective department. New users are added frequently.

    Litware.com contains a user named User1.

    All the offices connect by using private connections.

    Litware has data centers in the Montreal and Seattle offices. Each office has a firewall that can be configured as a VPN device.

    All infrastructure servers are virtualized. The virtualization environment contains the servers in the following table.

    AZ-104 Part 13 Q03 264

    Litware uses two web applications named App1 and App2. Each instance on each web application requires 1 GB of memory.

    The Azure subscription contains the resources in the following table.

    AZ-104 Part 13 Q03 265

    The network security team implements several network security groups (NSGs).

    Requirements

    Planned Changes

    Litware plans to implement the following changes:

    – Deploy Azure ExpressRoute to the Montreal office.
    – Migrate the virtual machines hosted on Server1 and Server2 to Azure.
    – Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
    – Migrate App1 and App2 to two Azure web apps named WebApp1 and WebApp2.

    Technical Requirements

    Litware must meet the following technical requirements:

    – Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instances.
    – Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.
    – Ensure that routing information is exchanged automatically between Azure and the routers in the Montreal office.
    – Enable Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
    – Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.litware.com.
    – Connect the New York office to VNet1 over the Internet by using an encrypted connection.
    – Create a workflow to send an email message when the settings of VM4 are modified.
    – Create a custom Azure role named Role1 that is based on the Reader role.
    – Minimize costs whenever possible.

    1. HOTSPOT

      You need to meet the connection requirements for the New York office.

      What should you do? To answer, select the appropriate options in the answer area.

      NOTE: Each correct selection is worth one point.

      AZ-104 Part 13 Q03 266 Question
      AZ-104 Part 13 Q03 266 Answer

      Explanation:

      Box 1: Create a virtual network gateway and a local network gateway.
      Azure VPN gateway. The VPN gateway service enables you to connect the VNet to the on-premises network through a VPN appliance. For more information, see Connect an on-premises network to a Microsoft Azure virtual network. The VPN gateway includes the following elements:
      – Virtual network gateway. A resource that provides a virtual VPN appliance for the VNet. It is responsible for routing traffic from the on-premises network to the VNet.
      – Local network gateway. An abstraction of the on-premises VPN appliance. Network traffic from the cloud application to the on-premises network is routed through this gateway.
      – Connection. The connection has properties that specify the connection type (IPSec) and the key shared with the on-premises VPN appliance to encrypt traffic.
      – Gateway subnet. The virtual network gateway is held in its own subnet, which is subject to various requirements, described in the Recommendations section below.

      Box 2: Configure a site-to-site VPN connection
      On-premises, create a site-to-site connection for the virtual network gateway and the local network gateway.

      AZ-104 Part 13 Q03 267

      Scenario: Connect the New York office to VNet1 over the Internet by using an encrypted connection.

      Incorrect Answers:
      Azure ExpressRoute: Established between your network and Azure, through an ExpressRoute partner. This connection is private. Traffic does not go over the internet.

  4. Case study

    This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

    To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

    At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

    To start the case study
    To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.

    Overview

    Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market.

    Contoso products are manufactured by using blueprint files that the company authors and maintains.

    Existing Environment

    Currently, Contoso uses multiple types of servers for business operations, including the following:

    – File servers
    – Domain controllers
    – Microsoft SQL Server servers

    Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.

    You have a public-facing application named App1. App1 is comprised of the following three tiers:

    – A SQL database
    – A web front end
    – A processing middle tier

    Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

    Requirements

    Planned Changes

    Contoso plans to implement the following changes to the infrastructure:

    – Move all the tiers of App1 to Azure.
    – Move the existing product blueprint files to Azure Blob storage.
    – Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.

    Technical Requirements

    Contoso must meet the following technical requirements:

    – Move all the virtual machines for App1 to Azure.
    – Minimize the number of open ports between the App1 tiers.
    – Ensure that all the virtual machines for App1 are protected by backups.
    – Copy the blueprint files to Azure over the Internet.
    – Ensure that the blueprint files are stored in the archive storage tier.
    – Ensure that partner access to the blueprint files is secured and temporary.
    – Prevent user passwords or hashes of passwords from being stored in Azure.
    – Use unmanaged standard storage for the hard disks of the virtual machines.
    – Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
    – Minimize administrative effort whenever possible.

    User Requirements

    Contoso identifies the following requirements for users:

    – Ensure that only users who are part of a group named Pilot can join devices to Azure AD.
    – Designate a new user named Admin1 as the service admin for the Azure subscription.
    – Admin1 must receive email alerts regarding service outages.
    – Ensure that a new user named User3 can create network objects for the Azure subscription.

    1. HOTSPOT

      You need to recommend a solution for App1. The solution must meet the technical requirements.

      What should you include in the recommendation? To answer, select the appropriate options in the answer area.

      NOTE: Each correct selection is worth one point.

      AZ-104 Part 13 Q04 268 Question
      AZ-104 Part 13 Q04 268 Answer

      Explanation:

      This reference architecture shows how to deploy VMs and a virtual network configured for an N-tier application, using SQL Server on Windows for the data tier.

      AZ-104 Part 13 Q04 269

      Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers:

      – A SQL database
      – A web front end
      – A processing middle tier

      Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

      Technical requirements include:
      – Move all the virtual machines for App1 to Azure.
      – Minimize the number of open ports between the App1 tiers.

    2. You are planning the move of App1 to Azure.

      You create a network security group (NSG).

      You need to recommend a solution to provide users with access to App1.

      What should you recommend?

      • Create an incoming security rule for port 443 from the Internet. Associate the NSG to the subnet that contains the web servers.
      • Create an outgoing security rule for port 443 from the Internet. Associate the NSG to the subnet that contains the web servers.
      • Create an incoming security rule for port 443 from the Internet. Associate the NSG to all the subnets.
      • Create an outgoing security rule for port 443 from the Internet. Associate the NSG to all the subnets.
      Explanation:
      Incoming and the web server subnet only, as users access the web front end by using HTTPS only.

      Note Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers:
      – A SQL database
      – A web front end
      – A processing middle tier

      Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

  5. HOTSPOT

    You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains the users shown in the following table.

    AZ-104 Part 13 Q05 270

    You enable password reset for contoso.onmicrosoft.com as shown in the Password Reset exhibit. (Click the Password Reset tab.)

    AZ-104 Part 13 Q05 271

    You configure the authentication methods for password reset as shown in the Authentication Methods exhibit. (Click the Authentication Methods tab.)

    AZ-104 Part 13 Q05 272

    For each of the following statements, select Yes if the statement is true. Otherwise, select No.

    NOTE: Each correct selection is worth one point.

    AZ-104 Part 13 Q05 273 Question
    AZ-104 Part 13 Q05 273 Answer

    Explanation:

    Box 1: No
    Two methods are required.

    Box 2: No
    Self-service password reset is only enabled for Group2, and User1 is not a member of Group2.

    Box 3: Yes
    As a User Administrator, User3 can add security questions to the reset process.

  6. Your company has a main office in London that contains 100 client computers.

    Three years ago, you migrated to Azure Active Directory (Azure AD).

    The company’s security policy states that all personal devices and corporate-owned devices must be registered or joined to Azure AD.

    A remote user named User1 is unable to join a personal device to Azure AD from a home network.

    You verify that User1 was able to join devices to Azure AD in the past.

    You need to ensure that User1 can join the device to Azure AD.

    What should you do?

    • Assign the User administrator role to User1.
    • From the Device settings blade, modify the Maximum number of devices per user setting.
    • Create a point-to-site VPN from the home network of User1 to Azure.
    • From the Device settings blade, modify the Users may join devices to Azure AD setting.
    Explanation:
    The Maximum number of devices setting enables you to select the maximum number of devices that a user can have in Azure AD. If a user reaches this quota, they will not be able to add additional devices until one or more of the existing devices are removed.

    Incorrect Answers:
    C: Azure AD Join enables users to join their devices to Active Directory from anywhere as long as they have connectivity with the Internet.

    D: The Users may join devices to Azure AD setting enables you to select the users who can join devices to Azure AD. Options are All, Selected and None. The default is All.

  7. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

    After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

    You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:

    AZ-104 Part 13 Q07 274

    User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.

    You need to create new user accounts in external.contoso.onmicrosoft.com.

    Solution: You instruct User1 to create the user accounts.

    Does that meet the goal?

    •  Yes
    • No
    Explanation:

    Only a global administrator can add users to this tenant.

  8. You have an existing Azure subscription that contains 10 virtual machines.

    You need to monitor the latency between your on-premises network and the virtual machines.

    What should you use?

    • Service Map
    • Connection troubleshoot
    • Network Performance Monitor
    • Effective routes
    Explanation:
    Network Performance Monitor is a cloud-based hybrid network monitoring solution that helps you monitor network performance between various points in your network infrastructure. It also helps you monitor network connectivity to service and application endpoints and monitor the performance of Azure ExpressRoute.

    You can monitor network connectivity across cloud deployments and on-premises locations, multiple data centers, and branch offices and mission-critical multitier applications or microservices. With Performance Monitor, you can detect network issues before users complain.

  9. DRAG DROP

    You have an Azure Linux virtual machine that is protected by Azure Backup.

    One week ago, two files were deleted from the virtual machine.

    You need to restore the deleted files to an on-premises Windows Server 2016 computer as quickly as possible.

    Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

    AZ-104 Part 13 Q09 275 Question
    AZ-104 Part 13 Q09 275 Answer

    Explanation:

    Step 1: From the Azure portal, click File Recovery from the vault

    Step 2: Select a restore point that contains the deleted files

    Step 3: Download and run the script to mount a drive on the local computer
    Generate and download script to browse and recover files:

    Step 4: Copy the files using File Explorer
    After the disks are attached, use Windows File Explorer to browse the new volumes and files. The restore files functionality provides access to all files in a recovery point. Manage the files via File Explorer as you would for normal files.

    Step 1-3 below:
    To restore files or folders from the recovery point, go to the virtual machine and perform the following steps:
    1. Sign in to the Azure portal and in the left pane, select Virtual machines. From the list of virtual machines, select the virtual machine to open that virtual machine’s dashboard.
    2. In the virtual machine’s menu, select Backup to open the Backup dashboard.
    3. In the Backup dashboard menu, select File Recovery.

    AZ-104 Part 13 Q09 276

    The File Recovery menu opens.

    AZ-104 Part 13 Q09 277

    4. From the Select recovery point drop-down menu, select the recovery point that holds the files you want. By default, the latest recovery point is already selected.
    5. Select Download Executable (for Windows Azure VMs) or Download Script (for Linux Azure VMs, a Python script is generated) to download the software used to copy files from the recovery point.

    Running the script and identifying volumes:
    For Linux machines, a Python script is generated. Download the script and copy it to the relevant/compatible Linux server.

  10. HOTSPOT

    You purchase a new Azure subscription named Subscription1.

    You create a virtual machine named VM1 in Subscription1. VM1 is not protected by Azure Backup.

    You need to protect VM1 by using Azure Backup. Backups must be created at 01:00 and stored for 30 days.

    What should you do? To answer, select the appropriate options in the answer area.

    NOTE: Each correct selection is worth one point.

    AZ-104 Part 13 Q10 278 Question
    AZ-104 Part 13 Q10 278 Answer

    Explanation:

    Box 1: A Recovery Services vault
    You can set up a Recovery Services vault and configure backup for multiple Azure VMs.

    Box 2: A backup policy
    In Choose backup policy, do one of the following:
    – Leave the default policy. This backs up the VM once a day at the time specified, and retains backups in the vault for 30 days.
    – Select an existing backup policy if you have one.
    – Create a new policy, and define the policy settings.

  11. You have an Azure virtual machine named VM1.

    Azure collects events from VM1.

    You are creating an alert rule in Azure Monitor to notify an administrator when an error is logged in the System event log of VM1.

    Which target resource should you monitor in the alert rule?

    • virtual machine extension
    • virtual machine
    • metric alert
    • Azure Log Analytics workspace
    Explanation:

    For the first step to create the new alert rule, under the Create Alert section, you are going to select your Log Analytics workspace as the resource, since this is a log-based alert signal.

  12. You have an Azure subscription that contains 100 virtual machines.

    You regularly create and delete virtual machines.

    You need to identify unattached disks that can be deleted.

    What should you do?

    • From Azure Cost Management, view Cost Analysis
    • From Azure Advisor, modify the Advisor configuration
    • From Microsoft Azure Storage Explorer, view the Account Management properties
    • From Azure Cost Management, view Advisor Recommendations
    Explanation:
    From Home –> Cost Management + Billing –> Cost Management, scroll down on the options and select View Recommendations:
    AZ-104 Part 13 Q12 279

    Azure Cost Management / Advisor
    From here you will see the recommendations for your subscription; if you have orphaned disks, they will be listed.

  13. You have an Azure web app named webapp1.

    Users report that they often experience HTTP 500 errors when they connect to webapp1.

    You need to provide the developers of webapp1 with real-time access to the connection errors. The solution must provide all the connection error details.

    What should you do first?

    • From webapp1, enable Web server logging
    • From Azure Monitor, create a workbook
    • From Azure Monitor, create a Service Health alert
    • From webapp1, turn on Application Logging
  14. You have an Azure subscription that has a Recovery Services vault named Vault1. The subscription contains the virtual machines shown in the following table:

    AZ-104 Part 13 Q14 280

    You plan to schedule backups to occur every night at 23:00.

    Which virtual machines can you back up by using Azure Backup?

    • VM1 and VM3 only
    • VM1, VM2, VM3 and VM4
    • VM1 and VM2 only
    • VM1 only
    Explanation:
    Azure Backup supports backup of 64-bit Windows server operating system from Windows Server 2008.
    Azure Backup supports backup of 64-bit Windows 10 operating system.
    Azure Backup supports backup of 64-bit Ubuntu Server operating system from Ubuntu 12.04.

    Azure Backup supports backup of VMs that are shut down or offline.

  15. HOTSPOT

    You create a Recovery Services vault backup policy named Policy1 as shown in the following exhibit:

    AZ-104 Part 13 Q15 281

    Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

    NOTE: Each correct selection is worth one point.

    AZ-104 Part 13 Q15 282 Question

    Explanation:

    Box 1: 10 years
    The yearly backup point occurs on 1 March and its retention period is 10 years.

    Box 2: 36 months
    The monthly backup point occurs on the 1st of every month and its retention period is 36 months.

  16. You have the Azure virtual machines shown in the following table:

    AZ-104 Part 13 Q16 283

    You have a Recovery Services vault that protects VM1 and VM2.

    You need to protect VM3 and VM4 by using Recovery Services.

    What should you do first?

    •  Create a new Recovery Services vault
    • Create a storage account
    • Configure the extensions for VM3 and VM4
    • Create a new backup policy
    Explanation:

    A Recovery Services vault is a storage entity in Azure that houses data. The data is typically copies of data, or configuration information for virtual machines (VMs), workloads, servers, or workstations. You can use Recovery Services vaults to hold backup data for various Azure services.

  17. HOTSPOT

    You have an Azure subscription that contains an Azure Storage account named storage1 and the users shown in the following table.

    AZ-104 Part 13 Q17 284

    You plan to monitor storage1 and to configure email notifications for the signals shown in the following table.

    AZ-104 Part 13 Q17 285

    You need to identify the minimum number of alert rules and action groups required for the planned monitoring.

    How many alert rules and action groups should you identify? To answer, select the appropriate options in the answer area.

    NOTE: Each correct selection is worth one point.

    AZ-104 Part 13 Q17 286 Question
    AZ-104 Part 13 Q17 286 Answer
  18. You have an Azure subscription that contains the identities shown in the following table.

    AZ-104 Part 13 Q18 287

    User1, Principal1, and Group1 are assigned the Monitoring Reader role.

    An action group named AG1 has the Email Azure Resource Manager Role notification type and is configured to email the Monitoring Reader role.

    You create an alert rule named Alert1 that uses AG1.

    You need to identify who will receive an email notification when Alert1 is triggered.

    Who should you identify?

    • User1 and Principal1 only
    • User1, User2, Principal1, and Principal2
    • User1 only
    • User1 and User2 only
    Explanation:

    Email will only be sent to Azure AD user members of the Monitoring Reader role. Email will not be sent to Azure AD groups or service principals.

  19. HOTSPOT

    You have an Azure virtual machine named VM1 and a Recovery Services vault named Vault1.

    You create a backup policy named Policy1 as shown in the exhibit. (Click the Exhibit tab.)

    AZ-104 Part 13 Q19 288

    You configure the backup of VM1 to use Policy1 on Thursday, January 1 at 1:00 AM.

    You need to identify the number of available recovery points for VM1.

    How many recovery points are available on January 8 and January 15? To answer, select the appropriate options in the answer area.

    NOTE: Each correct selection is worth one point.

    AZ-104 Part 13 Q19 289 Question
    AZ-104 Part 13 Q19 289 Answer

    Explanation:

    Box 1: 6
    5 latest daily recovery points, which includes the weekly backup from the previous Sunday, plus the monthly recovery point.

    Box 2: 8
    5 latest daily recovery points, plus two weekly backups, plus the monthly recovery point.

  20. Case study

    This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

    To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

    At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

    To start the case study
    To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.

    Overview

    Litware, Inc. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.

    The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York office has 200 employees.

    All the resources used by Litware are hosted on-premises.

    Litware creates a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain named litware.onmicrosoft.com. The tenant uses the Premium P1 pricing tier.

    Existing Environment

    The network contains an Active Directory forest named litware.com. All domain controllers are configured as DNS servers and host the litware.com DNS zone.

    Litware has finance, human resources, sales, research, and information technology departments. Each department has an organizational unit (OU) that contains all the accounts of that respective department. All the user accounts have the department attribute set to their respective department. New users are added frequently.

    Litware.com contains a user named User1.

    All the offices connect by using private connections.

    Litware has data centers in the Montreal and Seattle offices. Each office has a firewall that can be configured as a VPN device.

    All infrastructure servers are virtualized. The virtualization environment contains the servers in the following table.

    AZ-104 Part 13 Q20 290

    Litware uses two web applications named App1 and App2. Each instance on each web application requires 1 GB of memory.

    The Azure subscription contains the resources in the following table.

    AZ-104 Part 13 Q20 291

    The network security team implements several network security groups (NSGs).

    Requirements

    Planned Changes

    Litware plans to implement the following changes:

    – Deploy Azure ExpressRoute to the Montreal office.
    – Migrate the virtual machines hosted on Server1 and Server2 to Azure.
    – Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
    – Migrate App1 and App2 to two Azure web apps named WebApp1 and WebApp2.

    Technical Requirements

    Litware must meet the following technical requirements:

    – Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instances.
    – Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.
    – Ensure that routing information is exchanged automatically between Azure and the routers in the Montreal office.
    – Enable Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
    – Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.litware.com.
    – Connect the New York office to VNet1 over the Internet by using an encrypted connection.
    – Create a workflow to send an email message when the settings of VM4 are modified.
    – Create a custom Azure role named Role1 that is based on the Reader role.
    – Minimize costs whenever possible.

    1. HOTSPOT

      You need to implement Role1.

      Which command should you run before you create Role1? To answer, select the appropriate options in the answer area.

      NOTE: Each correct selection is worth one point.

      AZ-104 Part 13 Q20 292 Question
      AZ-104 Part 13 Q20 292 Answer
    2. You need to recommend a solution to automate the configuration for the finance department users. The solution must meet the technical requirements.

      What should you include in the recommendation?

      • Azure AD B2C
      • dynamic groups and conditional access policies
      • Azure AD Identity Protection
      • an Azure logic app and the Microsoft Identity Management (MIM) client
      Explanation:
      Scenario: Ensure Azure Multi-Factor Authentication (MFA) for the users in the finance department only.

      The recommendation is to use conditional access policies that can then be targeted to groups of users, specific applications, or other conditions.
