Microsoft Azure Administrator AZ-104 Exam Questions

Answer : A

When using Azure Container Instances (ACI) that require persistent storage, the recommended and supported storage solution is Azure Files. Azure Files provides a fully managed Server Message Block (SMB) or Network File System (NFS) file share that can be mounted by container instances at runtime.

According to Microsoft Azure Administrator documentation, Azure Files is designed for workloads that require shared, durable storage accessible by multiple compute nodes, including containers. It supports read/write persistence and maintains data durability across restarts of containers.

In this question, since the Docker image contains a Microsoft SQL Server instance, persistent and shared storage is necessary to store the database files (.mdf, .ldf). Blob, Queue, or Table storage cannot provide this functionality because:

Blob storage is for object storage (no file system mount capability).

Queue storage is for message-based communication.

Table storage is for NoSQL key-value structured data.

Azure Files allows containerized SQL Server instances to store their database files securely and persistently between container restarts or failures.

Answer : D

Before creating a network interface, you must have an existing virtual network in the same location and subscription you create a network interface in.

If you try to create a NIC on a location that does not have any Vnets you will get the following error: 'The currently selected subscription and location lack any existing virtual networks. Create a virtual network first.'

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface

Answer : D

When configuring a custom domain for an Azure Web App (App Service) such as webapp1, the first prerequisite is to create and configure a corresponding DNS record that maps your custom domain name (www.contoso.com) to the Azure App Service's default domain (webapp1.azurewebsites.net).

According to Microsoft Azure App Service documentation:

''Before you can assign a custom domain name to your web app, you must first create a CNAME record in your DNS provider that maps your custom domain (for example, www.contoso.com) to your app's default domain name (webappname.azurewebsites.net).''

This DNS record ensures that requests to the custom domain are routed correctly to Azure's front-end load balancer hosting your web app. Only after the DNS record has propagated can you validate and bind the domain to the web app in the Azure portal.

Uploading an SSL certificate is only required for HTTPS bindings after the domain is added. Stopping the app or adding connection strings is unrelated to domain configuration.

Therefore, the first step is to create a DNS record at your domain registrar that points to your web app.

Answer : A

You can't delete a Recovery Services vault if it is registered to a server and holds backup data. If you try to delete a vault, but can't, the vault is still configured to receive backup data.

Remove vault dependencies and delete vault

In the vault dashboard menu, scroll down to the Protected Items section, and click Backup Items. In this menu, you can stop and delete Azure File Servers, SQL Servers in Azure VM, and Azure virtual machines.

Answer : A

When a public Azure DNS zone is created, Azure automatically assigns a set of authoritative name servers (NS records) to the zone. However, simply creating the DNS zone in Azure does not make it resolvable from the internet. For external resolution to work, the domain registrar must delegate authority to Azure DNS.

Microsoft Azure documentation clearly states that to make DNS records resolvable publicly, you must update the domain registrar's NS records to point to the Azure-assigned name servers. This action establishes Azure DNS as the authoritative DNS provider for the domain.

Creating NS or SOA records within the Azure DNS zone itself does not affect external resolution unless the registrar delegation is completed. The SOA record is automatically created and managed by Azure DNS and must not be modified at the registrar.

Answer : E

Azure role-based access control (RBAC) now supports role assignment conditions for finer-grained access management. Conditions are written using the Azure Resource Manager (ARM) condition language and allow you to enforce specific rules (for example, limit access to particular blobs or queues).

However, conditional access in RBAC is currently available only for data actions in Azure Storage accounts and Azure Key Vault. According to the Microsoft Learn documentation for Azure Storage RBAC with conditions, the following services support conditional role assignments:

Blob storage (containers and blobs)

Queue storage

This means that you can apply conditions on containers (for blobs) and queues, but not on file shares or tables.

Conditions can restrict access to:

Specific container names or blob prefixes.

Specific queue names or messages.

For example, you could allow a user to read blobs only under a given prefix or queue, enhancing least-privilege control.

Supported: Containers (Blob storage), Queues Not supported: File shares, Tables

Microsoft Azure Reference (Conceptual Summary):

'You can add conditions to Azure role assignments for blob and queue data actions. Conditions are not yet supported for Azure Files or Tables.' (Source: Microsoft Learn -- Azure role assignment conditions for storage data actions)

Answer : B

Moving the virtual machine to a different resource group does not change the host that the virtual machine runs on. It only changes the logical grouping of the resources. To move the virtual machine to a different host, you need to redeploy it or use Azure Site Recovery. Then, Reference: [Move resources to new resource group or subscription] [Redeploy Windows VM to new Azure node] [Use Azure Site Recovery to migrate Azure VMs between Azure regions]