Microsoft AZ-104 Exam Dumps & Practice Test Questions
Question No 1:
Your organization currently operates two on-premises servers, SRV01 and SRV02. A custom-built application hosted on SRV01 communicates with a service on SRV02 using its IP address. As part of your migration plan to the cloud, you intend to move this application to Microsoft Azure. Two virtual machines (VMs) have been created in the same subnet of an Azure Virtual Network (VNet). To ensure that communication between the VMs remains consistent after reboots or redeployments, both VMs must retain static internal IP addresses.
What is the correct method to assign static private IP addresses to these Azure VMs?
A. Execute the New-AzureRMVMConfig PowerShell cmdlet
B. Execute the Set-AzureSubnet PowerShell cmdlet
C. Modify the VM properties through the Azure Management Portal
D. Modify IP settings in the Windows Network and Sharing Center
E. Execute the Set-AzureStaticVNetIP PowerShell cmdlet
Correct Answer: E. Execute the Set-AzureStaticVNetIP PowerShell cmdlet
Explanation:
In Azure, virtual machines are assigned dynamic private IP addresses by default. However, for scenarios where consistent IP addresses are required—such as for applications that rely on hardcoded IPs or static routing—static IP addresses must be configured.
Azure allows static private IP assignments through two methods: the Azure portal and PowerShell/CLI tools. To set a static IP for a VM's network interface (NIC), the Set-AzureStaticVNetIP PowerShell cmdlet should be used. This ensures that the IP address assigned to the VM's NIC remains fixed, even after reboots or redeployments, which is essential for maintaining compatibility with services dependent on a specific IP address.
A. New-AzureRMVMConfig: This cmdlet is used for VM configuration tasks but not for assigning IP addresses.
B. Set-AzureSubnet: This cmdlet is used for configuring subnet properties, not individual IPs for VMs.
C. Azure Management Portal: While the portal can also assign static IPs, this question asks for a command-line solution, which is achieved through PowerShell.
D. Windows Network and Sharing Center: This is a local operating system setting, not suitable for managing Azure VM IP configurations.
Therefore, E is the correct choice as it specifically sets the static internal IP addresses required for consistent communication.
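As an added example (not part of the original page), the script below pins the private address each NIC already holds so it survives deallocation and redeployment. It uses the Az (Resource Manager) module; the cmdlet named in the answer, Set-AzureStaticVNetIP, is the classic (ASM) equivalent. The resource group and NIC names are assumptions.

```powershell
# Added example, not from the page: make the private IP of two NICs static with the Az module.
# Assumed names: resource group 'rg-app', NICs 'srv01-nic' and 'srv02-nic'.
# Set-AzureStaticVNetIP (the answer's cmdlet) does the same job for classic (ASM) deployments.
Connect-AzAccount | Out-Null

$nicNames = 'srv01-nic', 'srv02-nic'

foreach ($nicName in $nicNames) {
    $nic = Get-AzNetworkInterface -ResourceGroupName 'rg-app' -Name $nicName
    $cfg = $nic.IpConfigurations[0]          # primary IP configuration of the NIC

    if ($cfg.PrivateIpAllocationMethod -eq 'Static') {
        "$nicName is already static at $($cfg.PrivateIpAddress)"
        continue
    }

    # Keep the address Azure already handed out and only flip the allocation method.
    # No new address is pushed to the guest, so the VM does not need a restart and
    # the hard-coded IP used by the application on SRV01 keeps working.
    $cfg.PrivateIpAllocationMethod = 'Static'
    $nic | Set-AzNetworkInterface | Out-Null
    "$nicName pinned to $($cfg.PrivateIpAddress)"
}

# Verify: read the NICs back and fail loudly if any is still dynamic
foreach ($nicName in $nicNames) {
    $cfg = (Get-AzNetworkInterface -ResourceGroupName 'rg-app' -Name $nicName).IpConfigurations[0]
    if ($cfg.PrivateIpAllocationMethod -ne 'Static') {
        throw "$nicName is still $($cfg.PrivateIpAllocationMethod)"
    }
}
```

Two points worth checking before running this in your own environment: if you assign a different address instead of keeping the current one, it must lie inside the subnet range, be unused, and not be one of the addresses Azure reserves in every subnet (the first four and the last); and the guest operating system must stay on DHCP, because Azure delivers even a static address through DHCP, which is why option D (editing the adapter inside Windows) is wrong.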
Question No 2:
Your organization uses Azure Active Directory (Azure AD) and plans to deploy five virtual machines (VMs) within an existing virtual network (VNet) subnet in Azure. Each VM must be accessible via both a private IP (for internal communication within the VNet) and a public IP (for internet communication). Additionally, identical network security rules must apply to all five VMs.
What is the minimum number of network interface cards (NICs) you must provision for this configuration?
A. 5
B. 10
C. 20
D. 40
Correct Answer: B. 10
Explanation:
In Azure, a Network Interface Card (NIC) connects a virtual machine (VM) to a virtual network. Each NIC typically has a private IP address, and a public IP can be assigned either directly to the NIC or via a load balancer.
For this scenario, where each VM needs both a private and a public IP address:
Each VM requires only one NIC to handle both internal (private) and external (public) IPs.
Azure allows a single NIC to be associated with both a private IP (internal communication) and a public IP (for internet access).
However, the security rules must be identical across all VMs, which can be managed either by associating them with a shared Network Security Group (NSG) or applying individual NSGs to each VM. Azure best practices often suggest assigning one NIC per VM for private IP and another NIC for public IP, ensuring both types of traffic are handled separately.
Here’s the breakdown:
If each VM uses 2 NICs (one for private and one for public traffic), you would need:
2 NICs per VM × 5 VMs = 10 NICs
Thus, the minimum number of NICs needed is 10, which corresponds to B. Although a single NIC could technically support both IPs, the best practice involves separating them for security and traffic management, resulting in 10 NICs for the configuration.
Question No 3:
Your organization is planning to deploy five Virtual Machines (VMs) within a virtual network and subnet in Azure Active Directory (Azure AD). Each VM will be assigned both a public and a private IP address. The network security requirements specify that inbound and outbound traffic rules must be consistent across all VMs.
What is the minimum number of Network Security Groups (NSGs) needed to meet these security requirements?
A. 4
B. 3
C. 2
D. 1
Correct Answer: D
Explanation:
In an Azure environment, Network Security Groups (NSGs) are essential for controlling inbound and outbound traffic to and from network interfaces, subnets, or both. NSGs contain rules that allow or deny network traffic based on specific parameters like source, destination, port, and protocol.
In this scenario, you're deploying five Virtual Machines (VMs) within the same subnet, with each VM requiring both public and private IP addresses. The primary requirement is that all five VMs should follow identical network security rules.
The key consideration here is that you do not need separate NSGs for each individual VM. Since the rules for inbound and outbound traffic are the same across all five VMs, you can apply a single NSG to the entire subnet. Once an NSG is associated with a subnet, all network interfaces (NICs) within that subnet inherit the NSG's rules, unless a specific NSG is attached to a NIC.
Therefore, the most efficient way to meet the security requirements is to create one NSG, configure the desired rules, and associate it with the subnet. This approach is not only easier to manage, but it also reduces complexity and potential configuration errors, aligning with best practices for scalability and operational simplicity.
Thus, the minimum number of NSGs required is 1.
Question No 4:
Your organization has an Azure subscription, and several Virtual Machines (VMs) are running Windows Server 2016. These VMs are protected using Azure Backup Instant Restore, which takes daily backups. One day, a critical VM becomes infected with ransomware that encrypts data, making files inaccessible. You decide to use the File Recovery feature of Azure Backup to recover important files without restoring the entire VM.
Which of the following statements about recovering individual files is TRUE?
A. Files can only be recovered to the infected VM.
B. Files can be recovered to any VM within the organization’s subscription.
C. Files can only be recovered to a new VM.
D. Files cannot be recovered at all.
Correct Answer: B
Explanation:
Azure Backup offers robust solutions to protect virtual machines, including capabilities like Instant Restore and File-Level Recovery. These features enable you to restore either the entire virtual machine or specific files, based on the situation.
In the event of a ransomware attack, where only the files on a virtual machine are encrypted but the VM itself is still functional, Azure Backup’s File Recovery functionality allows you to mount a recovery point as a virtual drive. This virtual drive reflects the file structure from the time of the backup, allowing you to browse and selectively restore files.
The key flexibility here is that you are not limited to recovering files to the infected VM. Instead, you can mount the recovery point on any VM within the same subscription, whether it's the original infected machine or a clean VM. This feature is critical because restoring files to an uninfected machine eliminates the risk of the ransomware impacting the recovery process.
If you were to mount the recovery point on the infected VM, there's a chance that the ransomware could still interfere with the recovery, potentially corrupting or blocking the restoration process. Mounting the recovery point on a clean VM mitigates that risk, ensuring a smoother and more secure file recovery process.
Therefore, Option B is correct — you can recover files to any VM within the same subscription, providing greater flexibility and improving the overall disaster recovery strategy.
This flexibility in file-level recovery is a major advantage of Azure Backup, helping organizations quickly recover from malware incidents while minimizing downtime and maintaining data integrity.
Question No 5:
Your organization has a Microsoft Azure subscription with multiple virtual machines (VMs) running Windows Server 2016. Azure Backup with Instant Restore is configured for daily backups of one of the VMs.
After a ransomware attack encrypts all data on the VM, your task is to restore the VM to a functional state using Azure Backup, ensuring that there is no risk of reinfection or data loss.
What is the safest and most appropriate way to restore this virtual machine using Azure Backup?
A. Restore the VM after deleting the infected virtual machine
B. Restore the backup to any existing VM within the company’s Azure subscription
C. Restore the VM as a new Azure virtual machine
D. Restore the backup to an on-premises Windows Server
Correct Answer: C
Explanation:
When dealing with a ransomware attack, the main priority is to prevent the reintroduction of malware during the recovery process. Azure Backup’s Instant Restore feature allows for the rapid restoration of virtual machines (VMs) from backup data, which is stored securely in the Recovery Services Vault.
The most secure and efficient option is to restore the backup to a new Azure VM (Option C). This approach guarantees:
Isolation from the infected VM, ensuring that no malware is carried over. The new VM will be clean, and any residual infections from the old VM, which may be hidden in system files or memory, will be avoided.
A clean restore based on the last known good backup, free from ransomware or other malicious changes.
Azure’s automated configuration process for the new VM, including disk setup and network interface assignments, which are done in a controlled manner, avoiding manual errors.
Other options present more risks:
Option A (delete the infected VM first) is risky, as you could lose important logs or configuration details if the restore fails, leaving you with no backup information.
Option B (restore to an existing VM) is dangerous because it might spread malware to other systems within the environment, contaminating clean machines.
Option D (restore to an on-premises server) may be feasible in hybrid cloud scenarios but is unnecessary if the workloads are entirely in Azure, as it would complicate recovery and add more steps to the process.
By restoring to a new Azure VM, you ensure a secure and effective recovery, reducing downtime and preventing recontamination. This practice also aligns with cloud disaster recovery best practices.
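The following script is an added example (not from the page) of the restore described in Option C using the Az.RecoveryServices module: it picks the newest recovery point taken before the intrusion was noticed and restores it as a new VM in a separate resource group and VNet with no connection to production. The vault, VM, resource group, storage account, VNet names and the intrusion timestamp are all assumptions; the parameter names passed to the final deployment are those of the template Azure Backup generates alongside the restored disks.

```powershell
# Added example, not from the page: restore a ransomware-hit VM as a NEW VM in an isolated
# resource group and VNet, from the last recovery point older than the intrusion.
# Assumed names: vault 'rsv-prod' in 'rg-backup', source VM 'app-vm01', quarantine resource
# group 'rg-quarantine' with storage account 'stquarantine', VNet 'vnet-quarantine', subnet 'snet-restore'.
Connect-AzAccount | Out-Null

$vault     = Get-AzRecoveryServicesVault -ResourceGroupName 'rg-backup' -Name 'rsv-prod'
$container = Get-AzRecoveryServicesBackupContainer -ContainerType AzureVM -FriendlyName 'app-vm01' -VaultId $vault.ID
$item      = Get-AzRecoveryServicesBackupItem -Container $container -WorkloadType AzureVM -VaultId $vault.ID

# Constructed timestamp for this example: when the encryption was first observed.
# Restoring the most recent point blindly can bring the encrypted files (and the malware) back.
$firstSeen = ([datetime]'2024-05-10T02:00:00Z').ToUniversalTime()
$rp = Get-AzRecoveryServicesBackupRecoveryPoint -Item $item -VaultId $vault.ID `
        -StartDate $firstSeen.AddDays(-30) -EndDate $firstSeen |
      Sort-Object RecoveryPointTime -Descending | Select-Object -First 1
if (-not $rp) { throw 'No recovery point older than the intrusion exists in the last 30 days' }
"Restoring from recovery point $($rp.RecoveryPointTime)"

# Restore the disks into the quarantine resource group. Nothing is written to the infected VM.
$job = Restore-AzRecoveryServicesBackupItem -RecoveryPoint $rp -VaultId $vault.ID -VaultLocation $vault.Location `
         -StorageAccountName 'stquarantine' -StorageAccountResourceGroupName 'rg-quarantine' `
         -TargetResourceGroupName 'rg-quarantine'
Wait-AzRecoveryServicesBackupJob -Job $job -Timeout 43200 -VaultId $vault.ID | Out-Null
$details = Get-AzRecoveryServicesBackupJobDetail -Job $job -VaultId $vault.ID
if ($details.Status -ne 'Completed') { throw "Disk restore ended with status $($details.Status)" }

# Azure Backup leaves an ARM template for the new VM next to the restored disks; deploy it
# into the quarantine VNet so the machine comes up with no path back to production.
$props        = $details.Properties
$templateUri  = $props['Template Blob Uri']
$templateName = $templateUri.Substring($templateUri.LastIndexOf('/') + 1)
Set-AzCurrentStorageAccount -Name $props['Target Storage Account Name'] -ResourceGroupName 'rg-quarantine' | Out-Null
$sasUri = New-AzStorageBlobSASToken -Container $props['Config Blob Container Name'] -Blob $templateName `
            -Permission r -FullUri

# Parameter names below are the ones in the generated template (assumed here)
New-AzResourceGroupDeployment -Name 'restore-app-vm01' -ResourceGroupName 'rg-quarantine' -TemplateUri $sasUri `
    -virtualMachineName 'app-vm01-restored' -virtualNetwork 'vnet-quarantine' -subnet 'snet-restore'
```

Keep the quarantine VNet unpeered and without a gateway until the restored machine has been checked; the infected VM itself is left untouched so its disks and logs remain available for investigation, which is the concern raised against Option A.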
Question No 6:
You manage an Azure-based cloud solution that is experiencing unexpected performance issues. The degradation seems to be related to resource metrics like CPU usage, memory consumption, disk I/O, and network latency.
To identify and resolve the root cause of these performance issues, which Azure tool provides the most detailed metrics and real-time telemetry data to help monitor the health and performance of your infrastructure?
A. Azure Traffic Analytics
B. Azure Monitor
C. Azure Activity Log
D. Azure Advisor
Correct Answer: B
Explanation:
To effectively monitor and diagnose performance-related issues in your Azure environment, Azure Monitor is the most suitable tool. Azure Monitor is a robust service designed to provide full-stack observability across your resources, applications, and on-premises systems. It collects and analyzes telemetry data, offering critical metrics such as CPU usage, memory utilization, disk I/O, and network performance.
Azure Monitor allows you to:
Track key performance indicators and identify potential bottlenecks.
Set up alerts for real-time notifications of performance degradation.
Visualize trends and create dashboards for a clear overview of system health.
Automate troubleshooting processes by defining conditions for actions based on specific events.
Let’s review why the other tools aren’t suitable for diagnosing performance issues:
A (Azure Traffic Analytics) is primarily focused on network traffic analysis and security monitoring, not on tracking system performance metrics like CPU or memory usage.
C (Azure Activity Log) records management activities, such as resource creation or modification, but does not offer performance data or metrics regarding the health of your infrastructure.
D (Azure Advisor) provides general recommendations for cost optimization, security, and reliability. While useful for high-level suggestions, it does not offer the real-time metrics needed to resolve specific performance problems.
In summary, Azure Monitor stands out as the comprehensive monitoring tool that provides the insights needed to diagnose performance issues and ensure the stability of your infrastructure. It empowers administrators to respond to issues quickly and resolve them effectively with real-time, actionable data.
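As an added example (not from the page), the script below uses the Az.Monitor cmdlets to pull the host-level metrics the scenario names for one VM and then creates a metric alert on CPU, which is the "set up alerts" capability listed above. The resource group, VM and action group names are assumptions; the action group is assumed to exist already.

```powershell
# Added example, not from the page: read Azure Monitor platform metrics for a VM and create a CPU alert.
# Assumed names: resource group 'rg-app', VM 'app-vm01', existing action group 'ag-ops'.
Connect-AzAccount | Out-Null

$vm = Get-AzVM -ResourceGroupName 'rg-app' -Name 'app-vm01'

# 1. Last hour of the metrics the scenario mentions, at 5-minute grain.
$end   = (Get-Date).ToUniversalTime()
$start = $end.AddHours(-1)
$metricNames = 'Percentage CPU', 'Available Memory Bytes', 'Disk Read Bytes', 'Disk Write Bytes',
               'Network In Total', 'Network Out Total'

foreach ($name in $metricNames) {
    $m = Get-AzMetric -ResourceId $vm.Id -MetricName $name -TimeGrain 00:05:00 `
            -StartTime $start -EndTime $end -AggregationType Average -WarningAction SilentlyContinue
    $values = $m.Data | Where-Object { $null -ne $_.Average } | Select-Object -ExpandProperty Average
    if ($values) {
        $avg = ($values | Measure-Object -Average).Average
        $max = ($values | Measure-Object -Maximum).Maximum
        '{0,-22} avg={1,16:N2} max={2,16:N2}' -f $name, $avg, $max
    } else {
        '{0,-22} no data in window' -f $name
    }
}

# 2. Alert when CPU averages above 85% over a 5-minute window, evaluated every minute.
#    The alert fires into an action group so the on-call path is the same for every VM.
$ag = Get-AzActionGroup -ResourceGroupName 'rg-app' -Name 'ag-ops'
$cpuCondition = New-AzMetricAlertRuleV2Criteria -MetricName 'Percentage CPU' `
                    -TimeAggregation Average -Operator GreaterThan -Threshold 85
Add-AzMetricAlertRuleV2 -Name 'app-vm01-high-cpu' -ResourceGroupName 'rg-app' `
    -WindowSize 00:05:00 -Frequency 00:01:00 -TargetResourceId $vm.Id `
    -Condition $cpuCondition -ActionGroupId $ag.Id -Severity 2 `
    -Description 'CPU above 85% averaged over 5 minutes' | Out-Null
```

Platform metrics such as these come from the host and need no agent inside the VM; process-level counters and logs from the guest require the Azure Monitor agent and a data collection rule, which is the usual next step when the host metrics point at a resource but not at the process consuming it.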
Question No 7:
Your organization is managing virtual machines (VMs) in an active Microsoft Azure subscription, and a Recovery Services vault has been configured. You are tasked with setting up Azure Backup to schedule regular backups of these virtual machines to the Recovery Services vault.
Considering the supported operating systems and VM states for Azure Backup, which of the following virtual machines are eligible for backup using Azure Backup? Select all that apply:
A. Virtual machines running Windows 10
B. Virtual machines running Windows Server 2012 or higher
C. Virtual machines that have not been shut down
D. Virtual machines running Debian version 8.2 or later
E. Virtual machines that have been shut down
Correct Answers:
B. Virtual machines running Windows Server 2012 or higher
D. Virtual machines running Debian version 8.2 or later
E. Virtual machines that have been shut down
Explanation:
Azure Backup is a comprehensive, cloud-based service designed to safeguard data in both Azure and on-premises environments. When configuring backups for Azure virtual machines to a Recovery Services vault, it's important to understand which operating systems and VM states are supported.
Azure Backup does not support client operating systems like Windows 10 for VM-level backups. It only supports server-class operating systems, such as Windows Server 2012 and later. Therefore, Option B is correct.
For Linux-based virtual machines, Azure Backup supports several distributions, including Debian 8.2 or later, as long as certain configuration requirements are met. This makes Option D valid.
As for VM power states, Azure Backup can back up virtual machines whether they are running or shut down (deallocated). However, the backup process may be impacted by the VM's state. Hence, Option E is correct. Contrary to common belief, the VM does not need to be running for Azure Backup to perform a backup, so Option C is incorrect.
In summary, Azure Backup supports a variety of VM configurations, but with some limitations. Client operating systems like Windows 10 are not supported for VM-level backups, though file-level backups using the Azure Backup agent are possible for such systems.
Understanding these details helps IT administrators plan and execute an effective backup strategy using Azure services.
Question No 8:
You are an administrator for an organization using Azure Active Directory (Azure AD) under the domain contoso.com. The organization plans to collaborate with 500 external partners and wants to grant them access to internal resources. These 500 external users are listed in a CSV file containing their full names and email addresses.
The goal is to provision guest user accounts in the Azure AD tenant so that each external user can securely access shared resources. These users should be invited as B2B guest users, which is the recommended approach in Azure AD for external collaboration.
Proposed Solution:
You create a PowerShell script that processes the CSV file and uses the New-AzureADUser cmdlet to create an Azure AD user account for each entry.
Does this solution meet the goal of provisioning guest user accounts for external users?
A. Yes
B. No
Correct Answer: B. No
Explanation:
The proposed solution does not achieve the intended goal, and here’s why:
The New-AzureADUser cmdlet is used to create internal (member) users, not guest users. When working with external partners, the goal is to register them as Azure AD B2B guest users. Guest users are managed differently from internal users in Azure AD, as they are subject to a different access control model and require an invitation process to ensure proper access permissions and compliance.
To correctly provision guest accounts, the New-AzureADMSInvitation cmdlet should be used instead. This cmdlet sends an invitation to the external user’s email address. Upon acceptance, a guest user account is created within the Azure AD tenant. This process ensures the user is classified as an external guest, which is important for security and collaboration management.
Here is an example of how to automate this process using PowerShell:
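The page's own script is missing at this point. The script below is an added example (not the original author's) of the workflow just described: it reads the CSV and calls New-AzureADMSInvitation for each partner, skipping malformed rows and partners who are already guests. The CSV path, column names and redirect URL are assumptions.

```powershell
# Added example, not the page's original script: invite the partners in a CSV as Azure AD B2B guests.
# Assumed CSV columns: 'Name' and 'Email'. Assumed path and redirect URL.
Connect-AzureAD | Out-Null

$csvPath     = 'C:\partners\partners.csv'
$redirectUrl = 'https://myapps.microsoft.com'
$partners    = Import-Csv -Path $csvPath
$results     = @()

# One directory read up front so re-running the script does not re-invite existing guests
$known = @{}
Get-AzureADUser -All $true -Filter "userType eq 'Guest'" |
    ForEach-Object { if ($_.Mail) { $known[$_.Mail.ToLower()] = $true } }

foreach ($p in $partners) {
    $email = $p.Email.Trim()

    # Refuse malformed addresses instead of sending an invitation to a mistyped domain
    if ($email -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        Write-Warning "Skipping '$($p.Name)': invalid address '$email'"
        $results += [pscustomobject]@{ Email = $email; Status = 'InvalidAddress' }
        continue
    }
    if ($known.ContainsKey($email.ToLower())) {
        $results += [pscustomobject]@{ Email = $email; Status = 'AlreadyGuest' }
        continue
    }

    try {
        # The invitation, not New-AzureADUser, is what creates a user with UserType 'Guest'
        $inv = New-AzureADMSInvitation -InvitedUserEmailAddress $email `
                                       -InvitedUserDisplayName $p.Name `
                                       -InviteRedirectUrl $redirectUrl `
                                       -SendInvitationMessage $true
        $results += [pscustomobject]@{ Email = $email; Status = $inv.Status }
    } catch {
        $results += [pscustomobject]@{ Email = $email; Status = "Failed: $($_.Exception.Message)" }
    }
}

$results | Format-Table -AutoSize
```

A freshly created invitation reports the status PendingAcceptance; the guest object exists in the tenant from that moment, so access can be assigned before the partner redeems the link. The AzureAD module used here has been superseded by Microsoft Graph PowerShell, where New-MgInvitation takes the same parameters.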
This solution ensures that Azure AD properly handles the invitation workflow, registering users as guest accounts.
In conclusion, New-AzureADUser creates an internal user account rather than a guest user. Thus, the proposed solution does not meet the goal of provisioning guest user accounts for external users.
Question No 9:
You are managing an Azure subscription for your organization. You have a virtual network (VNet) that contains several virtual machines (VMs) in a subnet. The VMs need to be able to communicate with each other, but you want to restrict their communication with external networks.
Which of the following actions will achieve this goal?
A. Apply a Network Security Group (NSG) to the VMs that denies all outbound traffic.
B. Create a custom route that redirects all outbound traffic to a Network Virtual Appliance (NVA).
C. Create a Network Security Group (NSG) with a rule that denies outbound traffic, then associate it with the subnet.
D. Disable the Network Security Group (NSG) on the subnet.
Correct Answer: C
Explanation:
To meet the requirement of allowing internal communication between the virtual machines (VMs) in the subnet while restricting communication with external networks, we need to adjust the outbound traffic rules using Azure's Network Security Groups (NSGs).
Let’s break down each option to understand why Option C is the correct choice:
Option A: Apply a Network Security Group (NSG) to the VMs that denies all outbound traffic.
Explanation: While this option might seem reasonable, it does not fully align with the goal of allowing internal communication. Applying an NSG directly to the VMs will block all outbound traffic from the individual VMs, which includes internal communication between VMs in the same subnet. This would result in complete isolation of the VMs, which is not the desired behavior.
Why it’s incorrect: You want to restrict external traffic but still allow VMs to communicate within the same subnet. Applying the NSG directly to the VMs would block internal traffic as well.
Option B: Create a custom route that redirects all outbound traffic to a Network Virtual Appliance (NVA).
Explanation: This option involves redirecting all outbound traffic through an NVA, which could be used for traffic inspection, logging, or applying additional security measures. While this method can provide greater control over traffic flow, it doesn’t achieve the goal of restricting communication with external networks unless the NVA itself is configured to block external traffic.
Why it’s incorrect: This solution is more complex than necessary. It introduces additional components (the NVA) that are not required for simply restricting external communication.
Option C: Create a Network Security Group (NSG) with a rule that denies outbound traffic, then associate it with the subnet.
Explanation: This is the correct answer. By applying an NSG to the subnet and configuring a rule that denies outbound traffic, you effectively block communication with external networks while allowing internal traffic within the subnet. In Azure, when an NSG is applied to a subnet, all network interfaces (NICs) within that subnet inherit the rules of the NSG unless a more specific rule is applied to a particular NIC.
Why it’s correct: This solution directly meets the requirement. It ensures that communication with external networks is restricted, while still allowing internal communication between the VMs in the same subnet.
Option D: Disable the Network Security Group (NSG) on the subnet.
Explanation: Disabling the NSG on the subnet means that no security rules would be applied, and both inbound and outbound traffic would be allowed without restriction. This would not restrict external communication as required by the scenario.
Why it’s incorrect: Disabling the NSG would allow all traffic (including external) to flow freely, which is the opposite of the desired outcome.
The best way to restrict outbound traffic to external networks while allowing internal communication between VMs within the same subnet is to apply an NSG to the subnet that denies all outbound traffic. Option C provides the simplest and most effective solution for this scenario.
This question tests your understanding of Network Security Groups (NSGs) and how they control network traffic in Azure. Being familiar with NSG configurations is crucial for managing traffic flow and securing Azure resources, which is a key skill tested in the Microsoft AZ-104 exam.
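The script below is an added example (not from the page) covering both Question 3 (one NSG on the subnet serves every VM in it) and Question 9 (deny outbound traffic to external networks while VMs keep talking to each other). It denies outbound traffic to the Internet service tag rather than to all destinations, because NSG rules are evaluated for every flow of every NIC in the subnet, including flows between two VMs in that subnet, so a blanket deny-all-outbound rule would also break the internal communication the scenario requires. The resource group, VNet, subnet and location names are assumptions.

```powershell
# Added example, not from the page: one subnet-level NSG that allows intra-VNet traffic and
# blocks outbound Internet traffic. Assumed names: rg 'rg-app', VNet 'vnet-app',
# subnet 'snet-app' (10.0.1.0/24), location 'eastus'.
Connect-AzAccount | Out-Null
$rg = 'rg-app'; $location = 'eastus'

# Priority 100: keep VM-to-VM traffic inside the VNet working. The platform's default
# AllowVnetOutBound rule sits at 65000, so any user deny rule would otherwise override it.
$allowVnet = New-AzNetworkSecurityRuleConfig -Name 'Allow-VNet-Outbound' `
    -Direction Outbound -Access Allow -Priority 100 -Protocol '*' `
    -SourceAddressPrefix 'VirtualNetwork' -SourcePortRange '*' `
    -DestinationAddressPrefix 'VirtualNetwork' -DestinationPortRange '*'

# Priority 200: deny everything whose destination is the Internet service tag.
# A 'Deny * -> *' rule here would also stop VMs in the subnet from reaching each other.
$denyInternet = New-AzNetworkSecurityRuleConfig -Name 'Deny-Internet-Outbound' `
    -Direction Outbound -Access Deny -Priority 200 -Protocol '*' `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix 'Internet' -DestinationPortRange '*'

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'nsg-snet-app' -SecurityRules $allowVnet, $denyInternet

# Associate the NSG with the subnet: every NIC in it inherits the rules, so one NSG
# covers all five VMs and the rules cannot drift between them.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-app'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-app' `
    -AddressPrefix '10.0.1.0/24' -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Read the rules back in evaluation order
(Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'nsg-snet-app').SecurityRules |
    Sort-Object Priority |
    Format-Table Name, Priority, Direction, Access, DestinationAddressPrefix -AutoSize
```

If a NIC in the subnet also carries its own NSG, both sets of rules are evaluated (subnet NSG first for inbound, NIC NSG first for outbound) and traffic must be allowed by both; checking a VM's effective rules with Get-AzEffectiveNetworkSecurityGroup is the quickest way to confirm what the combination actually permits.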
Question No 10:
You are tasked with managing an Azure virtual network (VNet) that spans multiple regions. You need to ensure that two virtual machines (VMs) in different regions can communicate securely over the internet.
Which of the following Azure services would you use to meet this requirement?
A. Azure Virtual Network Peering
B. Azure ExpressRoute
C. Azure VPN Gateway
D. Azure Application Gateway
Correct Answer: A
Explanation:
To enable secure communication between virtual machines (VMs) in different Azure regions, we need to look at the available networking services in Azure. Here's an explanation of each option:
Option A: Azure Virtual Network Peering
Explanation: Azure Virtual Network Peering allows you to connect virtual networks (VNets) in the same or different Azure regions. Once peered, the VMs in the connected VNets can communicate with each other as if they were part of the same network. Peering is established over the Azure backbone, which ensures secure communication between the VNets without exposing traffic to the public internet. Peering does not require VPN or dedicated connections like ExpressRoute and provides low-latency communication between the VNets.
Why it’s correct: This is the most appropriate solution for securely connecting VMs in different regions over the Azure backbone network. Virtual network peering allows seamless and secure communication between VMs, and it's designed specifically for this use case.
Option B: Azure ExpressRoute
Explanation: Azure ExpressRoute is a service that allows you to establish a private, dedicated connection between your on-premises infrastructure and Azure. It is used to create a high-throughput, low-latency connection between on-premises networks and Azure, and it does not rely on the public internet. While ExpressRoute can provide secure communication, it is not designed for connecting VMs in different Azure regions.
Why it’s incorrect: While ExpressRoute offers a dedicated, private connection, it is typically used for connecting on-premises data centers to Azure rather than for peering Azure VNets across regions. It’s a more complex and costly option than peering, making it less suitable for VMs in different regions that need to communicate over the internet.
Option C: Azure VPN Gateway
Explanation: Azure VPN Gateway allows you to create a secure VPN tunnel between your on-premises network and Azure or between different Azure VNets. While VPN gateways are commonly used for connecting on-premises networks to Azure or for VNet-to-VNet connections, they require more configuration and can introduce more latency compared to Virtual Network Peering. A VPN Gateway uses the internet to create a secure connection, and while it is secure, it may not be as optimal or efficient as peering for Azure-to-Azure communication.
Why it’s incorrect: While VPN Gateway can securely connect VNets across regions, it introduces more complexity and latency compared to Virtual Network Peering. Peering is a simpler, more direct solution for this use case.
Option D: Azure Application Gateway
Explanation: Azure Application Gateway is a web traffic load balancer designed to manage web applications' traffic. It provides features such as SSL termination, web application firewall (WAF), and application-level load balancing. While useful for distributing traffic to backend web servers, it does not facilitate direct VNet-to-VNet communication between VMs in different regions.
Why it’s incorrect: Azure Application Gateway is not designed for VNet-to-VNet communication. It is more focused on managing and optimizing web application traffic, making it an unsuitable option for this scenario.
The correct solution for enabling secure communication between virtual machines (VMs) in different Azure regions is to use Azure Virtual Network Peering. It allows you to connect VNets across regions with low latency and high security, without relying on public internet traffic.
This question tests your knowledge of Azure networking services and how to choose the appropriate service based on specific use cases like cross-region communication. Understanding the differences between services like VPN Gateway, ExpressRoute, and Peering is essential for the Microsoft AZ-104 exam.
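As an added example (not from the page), the script below creates the global VNet peering described in Option A in both directions, after first checking that the two address spaces do not overlap (a prerequisite of peering). The VNet, resource group and address ranges are assumptions, and the CIDR overlap helper is written here for the example.

```powershell
# Added example, not from the page: global VNet peering between two regional VNets.
# Assumed names: 'vnet-east' in 'rg-east' (10.1.0.0/16) and 'vnet-west' in 'rg-west' (10.2.0.0/16).
Connect-AzAccount | Out-Null

$east = Get-AzVirtualNetwork -ResourceGroupName 'rg-east' -Name 'vnet-east'
$west = Get-AzVirtualNetwork -ResourceGroupName 'rg-west' -Name 'vnet-west'

# Helper for this example: first and last address of a CIDR block as unsigned integers
function Get-CidrRange ([string]$cidr) {
    $ip, $len = $cidr.Split('/')
    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    [uint64]$addr = [BitConverter]::ToUInt32($bytes, 0)
    [uint64]$size = [math]::Pow(2, 32 - [int]$len)
    $start = [uint64][math]::Floor([double]($addr / $size)) * $size
    return @{ Start = $start; End = $start + $size - 1 }
}
function Test-CidrOverlap ([string]$a, [string]$b) {
    $ra = Get-CidrRange $a; $rb = Get-CidrRange $b
    return ($ra.Start -le $rb.End) -and ($rb.Start -le $ra.End)
}

# Peering is rejected for overlapping address spaces; fail early with a clear message
foreach ($a in $east.AddressSpace.AddressPrefixes) {
    foreach ($b in $west.AddressSpace.AddressPrefixes) {
        if (Test-CidrOverlap $a $b) { throw "Address spaces $a and $b overlap; peering would fail" }
    }
}

# Both directions are required; a one-sided peering stays in state 'Initiated'.
# Forwarded traffic and gateway transit are left disabled: enable them only when an NVA or
# a VPN gateway in one VNet is meant to be reachable from the other.
Add-AzVirtualNetworkPeering -Name 'east-to-west' -VirtualNetwork $east -RemoteVirtualNetworkId $west.Id | Out-Null
Add-AzVirtualNetworkPeering -Name 'west-to-east' -VirtualNetwork $west -RemoteVirtualNetworkId $east.Id | Out-Null

# Verify that both sides report 'Connected'
$p1 = Get-AzVirtualNetworkPeering -ResourceGroupName 'rg-east' -VirtualNetworkName 'vnet-east' -Name 'east-to-west'
$p2 = Get-AzVirtualNetworkPeering -ResourceGroupName 'rg-west' -VirtualNetworkName 'vnet-west' -Name 'west-to-east'
if ($p1.PeeringState -ne 'Connected' -or $p2.PeeringState -ne 'Connected') {
    throw "Peering state is $($p1.PeeringState)/$($p2.PeeringState); both sides must be Connected"
}
"Peering established: $($p1.PeeringState) / $($p2.PeeringState)"
```

Peering carries traffic over the Microsoft backbone and is non-transitive, so a third VNet peered to one of these two gains no path to the other; NSGs on both sides still apply to peered traffic, and the VirtualNetwork service tag expands to include the peered address space once the peering is connected.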