You have an Azure virtual machine named VM1.
Azure collects events from VM1.
You are creating an alert rule in Azure Monitor to notify an administrator when an error is logged in the System event log of VM1.
You need to specify which resource type to monitor.
What should you specify?
Answer : B
Azure Monitor can collect data directly from your Azure virtual machines into a Log Analytics workspace for analysis of details and correlations. Installing the Log Analytics VM extension for Windows and Linux allows Azure Monitor to collect data from your Azure VMs.
Azure Log Analytics workspace is also used for on-premises computers monitored by System Center Operations Manager.
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/quick-collect-azurevm
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Owner role at the subscription level to Admin1.
Does this meet the goal?
Answer : A
To enable Traffic Analytics for an Azure subscription, the user must have sufficient privileges to configure Network Watcher, NSG flow logs, and the associated Log Analytics workspace.
As per Microsoft Azure documentation, the following built-in roles can enable Traffic Analytics:
* Owner
* Contributor
* Reader
* Network Contributor
The Owner role provides full access to all resources, including the right to delegate permissions and modify configurations. Since the Owner role includes complete management capabilities for all Azure resources at the subscription level, this role absolutely meets the requirements for enabling Traffic Analytics.
The Azure Network Watcher documentation clearly states:
"To enable Traffic Analytics, your account must have any one of the following roles at the subscription scope: Owner, Contributor, Reader, or Network Contributor."
Therefore, assigning the Owner role to Admin1 at the subscription level ensures Admin1 has the required permissions to enable Traffic Analytics.
You have an Azure Active Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named Developers. Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Subscription1, you assign the Logic App Operator role to the Developers group.
Does this meet the goal?
Answer : B
The Logic App Operator role only grants the ability to read, enable, disable, and run logic apps. It does not grant the ability to create logic apps. To create logic apps, you need to assign the Logic App Contributor role or a higher-level role such as Owner or Contributor.
Reference: [Built-in roles for Azure resources] [Azure Logic Apps permissions and access control]
You have two subscriptions named Subscription1 and Subscription2. Each subscription is associated to a different Azure AD tenant.
Subscription1 contains a virtual network named VNet1. VNet1 contains an Azure virtual machine named VM1 and has an IP address space of 10.0.0.0/16.
Subscription2 contains a virtual network named VNet2. VNet2 contains an Azure virtual machine named VM2 and has an IP address space of 10.10.0.0/24.
You need to connect VNet1 to VNet2.
What should you do first?
Answer : C
Azure VNet peering is the most common way to connect virtual networks, but in this scenario, VNet1 and VNet2 exist in different Azure AD tenants. Global or cross-tenant peering requires that both VNets be within the same Azure Active Directory tenant.
Because the question specifies that each subscription is associated with a different Azure AD tenant, VNet peering is not supported across tenants.
To establish connectivity between VNets in different tenants, the correct solution is to configure VPN gateways in both virtual networks and create a VNet-to-VNet VPN connection.
This type of connection uses the Azure VPN Gateway service to securely tunnel traffic between the VNets using IPsec/IKE protocols over the Internet.
Changing IP address spaces or moving VNets/subscriptions does not solve the cross-tenant issue securely or efficiently.
Hence, before connecting VNet1 and VNet2, you must provision virtual network gateways in both VNets.
You have an Azure subscription that contains two virtual machines named VM1 and VM2.
You create an Azure load balancer.
You plan to create a load balancing rule that will load balance HTTPS traffic between VM1 and VM2.
Which two additional load balance resources should you create before you can create the load balancing rule? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
Answer : A, C
To create a load balancing rule that will load balance HTTPS traffic between VM1 and VM2, you need to create two additional load balance resources: a frontend IP address and a health probe.
A frontend IP address is the IP address that the clients use to access the load balancer. It can be either public or private, depending on the type of load balancer. A frontend IP address is required for any load balancing rule.
A health probe is used to monitor the health and availability of the backend instances. It can be either TCP, HTTP, or HTTPS, depending on the protocol of the load balancing rule. A health probe is required for any load balancing rule.
A backend pool is a group of backend instances that receive the traffic from the load balancer. You already have a backend pool that contains VM1 and VM2, so you don't need to create another one.
An inbound NAT rule is used to forward traffic from a specific port on the frontend IP address to a specific port on a backend instance. It's not required for a load balancing rule, but it can be used to access individual instances for troubleshooting or maintenance purposes.
A virtual network is a logical isolation of Azure resources within a region. It's not a load balance resource, but it's required for creating an internal load balancer or connecting virtual machines to a load balancer.
You have an Azure subscription that contains a storage account named storage1.
You need to ensure that the access keys for storage1 rotate automatically.
What should you configure?
Answer : D
In Azure, a storage account access key provides full access to all data within the account. To reduce risk and follow security best practices, these keys should be rotated (regenerated) periodically.
According to the Microsoft Azure Storage and Security documentation, Azure Key Vault can be used to automate access key rotation for storage accounts.
Azure Key Vault allows you to:
* Store and manage secrets, keys, and certificates securely.
* Integrate directly with Azure Storage to manage account keys and Shared Access Signatures (SAS).
* Enable automated key rotation when using Azure Key Vault managed storage account keys.
Here's how it works:
* In Azure Key Vault, add the storage account (storage1) as a managed storage account.
* Key Vault periodically regenerates (rotates) the storage access keys automatically.
* Applications can retrieve updated keys via Key Vault APIs or managed identities without manual key updates.
This process ensures consistent security and reduces the administrative effort required for key rotation.
Other options such as backup vaults, redundancy, or lifecycle management do not handle access key rotation; they serve data protection or retention purposes, not key management.
Final Verified Answer: D. an Azure key vault
You have an Azure subscription that has Traffic Analytics configured.
You deploy a new virtual machine named VM1 that has the following settings:
* Region: East US
* Virtual network: VNet1
* NIC network security group: NSG1
You need to monitor VM1 traffic by using Traffic Analytics.
Which settings should you configure?
Answer : C
Traffic Analytics analyzes the network security group (NSG) flow logs to provide insights into traffic flow in your Azure cloud. NSG flow logs are a feature of Network Watcher that allows you to view information about ingress and egress IP traffic through an NSG. To use Traffic Analytics, you need to enable NSG flow logs for the network security groups you want to monitor.
Diagnostic settings for VM1 or NSG1 are not required for Traffic Analytics. Diagnostic settings are used to stream log data from an Azure resource to different destinations such as Log Analytics workspace, Event Hubs, or Storage account. Insights for VM1 are also not required for Traffic Analytics. Insights are a feature of Azure Monitor that provide analysis of the performance and health of an Azure resource.