AZ-104 Questions and Answers

Statement 1: Yes

All client computers in the Paris office will be joined to an Azure AD domain.

A virtual network named Paris-VNet that will contain two subnets named Subnet1 and Subnet2.

Microsoft Windows Server Active Directory domains, can resolve DNS names between virtual networks. Automatic registration of virtual machines from a virtual network that's linked to a private zone with auto-registration enabled. Forward DNS resolution is supported across virtual networks that are linked to the private zone.

Statement 2: Yes

A virtual network named ClientResources-VNet that will contain one subnet named ClientSubnet You plan to create a private DNS zone named humongousinsurance.local and set the registration network to the ClientResources-VNet virtual network.

As this is a registration network so this will work.

Statement 3: No

Only VMs in the registration network, here the ClientResources-VNet, will be able to register hostname records. Since Subnet4 not connected to Client Resources Network thus not able to register its hostname with humongoinsurance.local

Change the Service administrator for an Azure subscription

• Sign in to Account Center as the Account administrator.
• Select a subscription.
• On the right side, select Edit subscription details.

Scenario: Designate a new user named Admin1 as the service administrator of the Azure subscription.

References: https://docs.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator

This reference architecture shows how to deploy VMs and a virtual network configured for an N-tier application, using SQL Server on Windows for the data tier.

Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers:

• A SQL database
• A web front end
• A processing middle tier

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

• Technical requirements include:
• Move all the virtual machines for App1 to Azure.
• Minimize the number of open ports between the App1 tiers.

References: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/n-tier/n-tier-sql-server

Box 1: storage3 only

Vault1 and storage3 are both in West Europe.

Box 2: Analytics1, Analytics2, Analytics3

https://docs.microsoft.com/en-us/azure/backup/backup-create-rs-va ult

https://docs.microsoft .com/de-de/azure/backup/configure-reports

Azure Storage Explorer is a free tool from Microsoft that allows you to work with Azure Storage data on Windows, macOS, and Linux. You can use it to upload and download data from Azure blob storage.

Scenario:

Planned Changes include: move the existing product blueprint files to Azure Blob storage.

Technical Requirements include: Copy the blueprint files to Azure over the Internet.

References: https://docs.micros oft.com/en-us/azure/machine-learning/team-data-science-process/move-data-to-azure-blob-using-azure-storage-explorer

Box 1: Selected

Only selected users should be able to join devices

Box 2: Yes

Require Multi-Factor Auth to join devices.

From scenario:

• Ensure that only users who are part of a group named Pilot can join devices to Azure AD
• Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.

As App1 is public-facing we need an incoming security rule, related to the access of the web servers.

Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers: a SQL database, a web front end, and a processing middle tier.

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

HTTPS uses port 443.

Rule2, with priority 500, denies HTTPS traffic.

Rule5, with priority changed from 2000 to 401, would allow HTTPS traffic.

Note: Priority is a number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same attributes as rules with higher priorities are not processed.

The scenario mentioned in the question, we are using the replace option. So in this case we would lose the existing data written to the disk after the backup was taken. The file was copied to the disk after the backup was taken. Hence, we would need to copy the file once again.

References:

https://docs.microsoft.com/en -us/azure/backup/backup-azure-arm-restore-vms#replace-existing-disks

Box 1: 5

A public and a private IP address can be assigned to a single network interface.

Box 2: 1

You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. The same network security group can be associated to as many subnets and network interfaces as you choose.

Box 1: vNET6 only

Peering status to both VNet1 and Vnet2 are disconnected.

Box 2: delete peering1

Peering to Vnet1 is Enabled but disconnected. We need to update or re-create the remote peering to get it back to Initiated state.

User3 requires a user account in Azure AD.

Note: Your Azure AD password is considered an authentication method. It is the one method that cannot be disabled.

References:

https://d ocs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods

Box 1: No

Administrator accounts are special accounts with elevated permissions. To secure them, the following restrictions apply to changing passwords of administrators:

On-premises enterprise administrators or domain administrators cannot reset their password through Self-service password reset (SSPR). They can only change their password in their on-premises environment. Thus, we recommend not syncing on-prem AD admin accounts to Azure AD.

An administrator cannot use secret Questions & Answers as a method to reset password.

Box 2: Yes

Self-service password reset (SSPR) is an Azure Active Directory feature that enables employees to reset their passwords without needing to contact IT staff.

Box 3: Yes

References:

https://docs.mi crosoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment

Explanation

Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage.

Only the Blob service is supported with the Export job feature

References:

https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-requirements

Box 1 :  4

As there are 4 distinct set of resource types (Ingress, Egress, Delete storage account, Restore blob ranges), so you need 4 alert rules. In one alert rule you can't specify different type of resources to monitor. So you need 4 alert rules.

Box 2 : 3

There are 3 distinct set of "Users to notify" as (User 1 and User 3), (User1 only), and (User1, User2, and User3). You can't set the action group based on existing group (Group1 and  Group2) as there is no specific group for User1 only. So you need to create 3 action group.

Before you can delegate your DNS zone to Azure DNS, you need to know the name servers for your zone.

The NS record set contains the names of the Azure DNS name servers assigned to the zone.

References:

https://docs.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns

There is a limit of 100 VMs that can be associated to the same backup policy from portal. We recommend that for more than 100 VMs, create multiple backup policies with same schedule or different schedule.

One policy for VMS, one for SQL databases, and one for the file shares.

References:

https://docs.microsof t.com/en-us/azure/backup/backup-azure-vm-backup-faq

To load balance with basic load balancer backend pool virtual machines has to be in a single availability set or virtual machine scale set.

A health probe is used to determine the health status of the instances in the backend pool. During load balancer creation, configure a health probe for the load balancer to use. This health probe will determine if an instance is healthy and can receive traffic.

A Load Balancer rule is used to define how incoming traffic is distributed to the all the instances within the Backend Pool. So if you delete the rule, load balancing won't happen.

Allow gateway transit: Check this box if you have a virtual network gateway attached to this virtual network and want to allow traffic from the peered virtual network to flow through the gateway.

The peered virtual network must have the Use remote gateways checkbox checked when setting up the peering from the other virtual network to this virtual network.

References:

https://docs.mic rosoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-andconstraints

Box 1: Assign a tag to each resource.

You apply tags to your Azure resources giving metadata to logically organize them into a taxonomy. After you apply tags, you can retrieve all the resources in your subscription with that tag name and value. Each resource or resource group can have a maximum of 15 tag name/value pairs. Tags applied to the resource group are not inherited by the resources in that resource group.

Box 2: From the Cost analysis blade, filter the view by tag

After you get your services running, regularly check how much they're costing you. You can see the current spend and burn rate in Azure portal.

• Visit the Subscriptions blade in Azure portal and select a subscription.
• You should see the cost breakdown and burn rate in the popup blade.
• Click Cost analysis in the list to the left to see the cost breakdown by resource. Wait 24 hours after you add a service for the data to populate.
• You can filter by different properties like tags, resource group, and timespan. Click Apply to confirm the filters and Download if you want to export the view to a Comma-Separated Values (.csv) file.

Box 3: Download the usage report

References:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags

https://docs.microsoft.com/en-us/azure/billing/billing-getting-started

A PFX file contains the public key file (SSL Certificate) and its unique private key file. This is required for HTTPS access. The web app will distribute the public key (in a CER file) to clients that connect to the web app.

The CER file is an SSL Certificate which has the public key of the external service. The external service will have the private key associated with the public key contained in the CER file.

Email will only be sent to Azure AD user members of the Monitoring Reader role. Email will not be sent to Azure AD groups or service principals.

Box 1: "*/read",

*/read lets you view everything, but not make any changes.

Box 2: " Microsoft.Support/*"

The action Microsoft.Support/* enables creating and management of support tickets.

References:

https://docs.microsoft.com/en-us/azure/ role-based-access-control/tutorial-custom-role-powershell

https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

Besides swapping, deployment slots offer another killer feature: testing in production. Just like the name suggests, using this, you can actually test in production. This means that you can route a specific percentage of user traffic to one or more of your deployment slots.

Example:

References:

https://stackify.com/azure-deployment-slots/

When moving a virtual network, you must also move its dependent resources. For example, you must move gateways with the virtual network. VM W10, which is in Vnet1, is not a dependent resource.

Statement 1 : Basic load balancer supports Virtual machine in a single Availability set or virtual machine scale set (VMSS) only . Hence this statement is correct.

Statement 2 : Basic load balancer supports Virtual machine in a single Availability set or virtual scale set only or one standalone VM. VM3 and VM4 are not part of any availability set or VMSS .Hence this statement is incorrect.

Statement 3 :  Basic load balancer supports Virtual machine in a single Availability set or virtual scale set only or one standalone VM. VM5 and VM6 are not part of any availability set or VMSS .Hence this statement is incorrect.

References:

https://docs.microsoft.com/en-us/azure/load-balancer/load -balancer-overview

From the exhibit we see that the disk is in the VHDX format.

Before you upload a Windows virtual machines (VM) from on-premises to Microsoft Azure, you must prepare the virtual hard disk (VHD or VHDX). Azure supports only generation 1 VMs that are in the VHD file format and have a fixed sized disk. The maximum size allowed for the VHD is 1,023 GB. You can convert a generation 1 VM from the VHDX file system to VHD and from a dynamically expanding disk to fixed-sized.

References:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/prepare-for-upload-vhd-image?toc=%2fazure%2fvirtual-machines%2fwindows%2ftoc.json

The Logic App Operator role only lets you read, enable and disable logic app. With it you can view the logic app and run history, and enable/disable. Cannot edit or update the definition.

You would need the Logic App Contributor role.

References:

https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app

It is no longer supported to use an enterprise admin or a domain admin account as the AD DS Connector account.

Box 1 = max value

Box 2 = 20

Explanation

Use max for platformFaultDomainCount

2 or 3 is max value, depending on which region you are in.

Use 20 for platformUpdateDomainCount

Increasing the update domain (platformUpdateDomainCount) helps with capacity and availability planning when the platform reboots nodes. A higher number for the pool (20 is max) means that fewer of their nodes in any given availability set would be rebooted at once.

References:

https://www.i tprotoday.com/microsoft-azure/check-if-azure-region-supports-2-or-3-fault-domains-managed-disks

https://github.com/Azure/acs-engine/issues/1030

1. Select the resource group (Here RG1)  you want to examine.

2. Select the link under Deployments.

3. Select one of the deployments from the deployment history.

4. You will see a history of deployment for the resource group, including the correlation ID.

How can I freeze or lock my production/critical Azure resources from accidental deletion? There is way to do this with both ASM and ARM resources using Azure resource lock.

References: https://blogs.msdn.microsoft.com/azureedu/2016/04/27/using-azure-resource-manager-policy-and-azure-lock-to-control-your-azure-resources/

Azure Virtual WAN is a networking service that brings many networking, security, and routing functionalities together to provide a single operational interface.

The Virtual WAN architecture is a hub and spoke architecture with scale and performance built in for branches (VPN/SD-WAN devices), users (Azure VPN/OpenVPN/IKEv2 clients), ExpressRoute circuits, and virtual networks.

Azure regions serve as hubs that you can choose to connect to. All hubs are connected in full mesh in a Standard Virtual WAN making it easy for the user to use the Microsoft backbone for any-to-any (any spoke) connectivity.

Virtual WAN offers the following advantages:

Integrated connectivity solutions in hub and spoke: Automate site-to-site configuration and connectivity between on-premises sites and an Azure hub.

Automated spoke setup and configuration: Connect your virtual networks and workloads to the Azure hub seamlessly.

Intuitive troubleshooting: You can see the end-to-end flow within Azure, and then use this information to take required actions.

The Connection Monitor feature in Azure Network Watcher is now generally available in all public regions. Connection Monitor provides you RTT values on a per-minute granularity. You can monitor a direct TCP connection from a virtual machine to a virtual machine, FQDN, URI, or IPv4 address.

References:

https://azure.m icrosoft.com/en-us/updates/general-availability-azure-network-watcher-connection-monitor-in-all-public-regions/

he Get-AzVmssVM cmdlet gets the model view and instance view of a Virtual Machine Scale Set (VMSS) virtual machine.

Box 1: 0

The enableAutomaticUpdates parameter is set to false. To update existing VMs, you must do a manual upgrade of each existing VM.

Box 2: 1

Below is clearly mentioned in the official Website

"The upgrade orchestrator identifies the batch of VM instances to upgrade, with any one batch having a maximum of 20% of the total instance count, subject to a minimum batch size of one virtual machine."

So, 20% from 4 ~1

With cluster auto-scaling, the actual load of your worker-nodes will be monitored actively. By adding and removing worker-nodes from the cluster, it ensures that enough resources are available to keep your application healthy and responsive. In contrast, it removes worker-nodes from the AKS cluster, to optimize resource utilization and be as cost-effective as possible

The Set-AzMarketplaceTerms cmdlet saves the terms object for given publisher id(Publisher), offer id(Product) and plan id(Name) tuple.

B: You can gradually roll out Seamless SSO to your users. You start by adding the following Azure AD URL to all or selected users' Intranet zone settings by using Group Policy in Active Directory: https://autologon.microsoftazuread-sso.com

E: Seamless SSO works with any method of cloud authentication - Password Hash Synchronization or Pass-through Authentication, and can be enabled via Azure AD Connect.

References:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start

You can opt in and configure additional recipients to receive your Azure invoice in an email. This feature may not be available for certain subscriptions such as support offers, Enterprise Agreements, or Azure in Open.

• Select your subscription from the Subscriptions page. Opt-in for each subscription you own. Click Invoices then Email my invoice.
• Click Opt in and accept the terms.

Scenario: During the testing phase, auditors in the finance department must be able to review all Azure costs from the past week.

References: https://docs.microsoft.com/en-us/azure/billing/billing-download-azure-invoice-daily-usage-date

Scenario: Litware must meet technical requirements including:

Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.

IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. While any source or destination IP can be chosen, IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.

References:

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview

Technically, The finance department needs to migrate their users from AD to AAD using AADC based on the finance OU, and need to enforce MFA use. This is conditional access policy. Employees also often get promotions and/or join other departments and when that occurs, the user's OU attribute will change when the admin puts the user in a new OU, and the dynamic group conditional access exception (OU= [Department Name Value]) will move the user to the appropriate dynamic group on next AADC delta sync.

https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership

https://docs.microsoft.com/en-us/azure/active-directory/co nditional-access/overview

https://docs.microsoft.com/en-us/az ure/active-directory/authentication/howto-mfa-userstates

Scenario: Create a workflow to send an email message when the settings of VM4 are modified.

You can start an automated logic app workflow when specific events happen in Azure resources or third-party resources. These resources can publish those events to an Azure event grid. In turn, the event grid pushes those events to subscribers that have queues, webhooks, or event hubs as endpoints. As a subscriber, your logic app can wait for those events from the event grid before running automated workflows to perform tasks - without you writing any code.

References:

https://docs.microsoft.com/en-us/azure/event-grid/monitor-virtual-machine-changes-event-grid-logic-app

https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom- role-powershell

Get-AzRoleDefinition -Name "Reader" | ConvertTo-Json

https://docs.micr osoft.com/en-us/powershell/module/az.resources/get-azroledefinition?view=azps-5.9.0

https://docs.microsoft.c om/en-us/azure/role-based-access-control/tutorial-custom-role-powershell

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/convertto-json?view=power shell-7.1

https://docs.microsoft.com/en-us/powershell/module/azuread/get-azureaddirectoryro le?view=azureadps-2.0

Box 1: Create a virtual network gateway and a local network gateway.

Azure VPN gateway. The VPN gateway service enables you to connect the VNet to the on-premises network through a VPN appliance. For more information, see Connect an on-premises network to a Microsoft Azure virtual network. The VPN gateway includes the following elements:

• Virtual network gateway. A resource that provides a virtual VPN appliance for the VNet. It is responsible for routing traffic from the on-premises network to the VNet.
• Local network gateway. An abstraction of the on-premises VPN appliance. Network traffic from the cloud application to the on-premises network is routed through this gateway.
• Connection. The connection has properties that specify the connection type (IPSec) and the key shared with the on-premises VPN appliance to encrypt traffic.
• Gateway subnet. The virtual network gateway is held in its own subnet, which is subject to various requirements, described in the Recommendations section below.

Box 2: Configure a site-to-site VPN connection

On premises create a site-to-site connection for the virtual network gateway and the local network gateway.

Scenario: Connect the New York office to VNet1 over the Internet by using an encrypted connection.

Box 1: Create a Recovery Services vault

Create a Recovery Services vault on the Azure Portal.

Box 2: Install the Azure Site Recovery Provider

Azure Site Recovery can be used to manage migration of on-premises machines to Azure.

Scenario: Migrate the virtual machines hosted on Server1 and Server2 to Azure.

Server2 has the Hyper-V host role.

References:

https://docs.microsoft.c om/en-us/azure/site-recovery/migrate-tutorial-on-premises-azure