AZ104 微软云认证备考题库

SCQA结构

情境(Situation)

在当前云计算快速发展的时代，Azure作为全球领先的云平台之一，其管理员认证(AZ104)已成为DevOps、SRE和云工程师必备的专业资质。持有AZ104认证不仅能证明个人的Azure技术能力，还能提升职业竞争力和薪资水平。

冲突(Conflict)

然而，AZ104考试涵盖内容广泛，包括Azure资源管理、安全、网络、存储等多个领域，考生往往面临知识点分散、难以系统复习的挑战。传统的学习方式效率低下，缺乏针对性的练习和反馈。

问题(Question)

如何高效备考AZ104认证考试？如何系统掌握考试知识点并通过大量练习巩固记忆？

答案(Answer)

本博客提供一份结构化的AZ104备考题库，包含精选题目、详细解析和正确答案，帮助考生系统复习、针对性练习，提高备考效率和考试通过率。

题库结构

本题库按照AZ104考试的主要知识点进行分类，便于考生根据学习进度选择相应部分进行练习。每个题目包含题目描述、选项、正确答案和详细解析。

题目模板

题目分类

资源管理
安全与合规
网络
存储
计算
监控与故障排除

题目格式示例

You want to associate each VM with its respective department – Assign tags to the virtual machines.
You access the multi-factor authentication page to alter the user settings – No
You access the Azure portal to alter the session control of the Azure AD conditional access policy. – No
You access the Azure portal to alter the grant control of the Azure AD conditional access policy. – Yes
You are required to implement a custom deployment that includes adding a particular trusted root certification authority (CA). Which of the following should you use to create the virtual machine? – The az vm create command.
You reconfigure the existing usage model via the Azure portal – No
You reconfigure the existing usage model via the Azure CLI – No
You create a new Multi-Factor Authentication provider with a backup from the existing Multi-Factor Authentication provider data – No
You run the Start-ADSyncSyncCycle -PolicyType Initial PowerShell cmdlet. – No
You use Active Directory Sites and Services to force replication of the Global Catalog on a domain controller. – No
You restart the NetLogon service on a domain controller. – No
Which of the following Azure stored redundancy options should you recommend – Read-only geo-redundant storage
You want to review the ARM template that was used by Jon Ross. You access the Virtual Machine blade – No
You want to review the ARM template that was used by Jon Ross. You access the Resource Group blade - Yes
You want to review the ARM template that was used by Jon Ross. You access the Container blade. – No
You try to resize one of the VMs, which returns an allocation failure message.It is imperative that the VM is resized – You should stop all three VMs.
You need to make sure that your strategy allows for the virtual machines to be offline for the least amount of time possible. Which of the following is the action you should take FIRST? – Detach the data disk.
You are required to make sure that the ARM template you configure allows for as many VMs as possible to remain accessible in the event of fabric failure or maintenance. Which of the following is the value that you should configure for the platformFaultDomainCount property? – Max Value
You are required to make sure that the ARM template you configure allows for as many VMs as possible to remain accessible in the event of fabric failure or maintenance. Which of the following is the value that you should configure for the platformUpdateDomainCount property? – 20
You need to make sure that the password cannot be stored in plain text. You are preparing to create the necessary components to achieve your goal. Which of the following should you create to achieve your goal? – An Azure Key Vault, An Access key
You have created some PowerShell scripts to automate the configuration of newly created VMs. You plan to create several new VMs. You need a solution that ensures the scripts are run on the new VMs – Configure a SetupComplete.cmd batch file in the %windir%\setup\scripts directory.
You configure a reference VM in the on-premise virtual environment. You then generalize the VM to create an image. You need to upload the image to Azure to ensure that it is available for selection when you create the new Azure VMs. Which PowerShell cmdlets should you use? – Add-AzVhd
Your company has an Azure subscription that includes a number of Azure virtual machines (VMs), which are all part of the same virtual network. Your company also has an on-premises Hyper-V server that hosts a VM, named VM1, which must be replicated to Azure – Hyper-V site, Azure Recovery Services Vault, Replication policy
You choose the Allow gateway transit setting on VirtualNetworkA. – No
You choose the Allow gateway transit setting on VirtualNetworkB. – No
You download and re-install the VPN client configuration package on the Windows 10 workstation. – Yes
The company has users that work remotely. The remote workers require access to the VMs on VNet1. You need to provide access for the remote workers. – Configure a Point-to-Site (P2S) VPN.
You create an HTTP health probe on port 1433. – No
You set Session persistence to Client IP – No
You enable Floating IP. – Yes
You need to configure the two VMs with static internal IP addresses. – Modify the VM properties in the Azure Management Portal
Which of the following is the least amount of network interfaces needed for this configuration? – 5
Which of the following is the least amount of security groups needed for this configuration? – 1
When the VM becomes infected with data encrypting ransomware, you decide to recover the VM’s files. – You can recover the files to any VM within the company’s subscription.
When the VM becomes infected with data encrypting ransomware, you are required to restore the VM. – You should restore the VM to a new Azure VM
You need to find the cause of the performance issues pertaining to metrics on the Azure infrastructure. – Azure Monitor

You want to use Azure Backup to schedule a backup of your company’s virtual machines (VMs) to the Recovery Services vault. Which of the following VMs can you back up? – ABCDE

A. VMs that run Windows 10. 
B. VMs that run Windows Server 2012 or higher. 
C. VMs that have NOT been shut down.
D. VMs that run Debian 8.2+.
E. VMs that have been shut down.

You create a PowerShell script that runs the New-AzureADUser cmdlet for each user – No
From Azure AD in the Azure portal, you use the Bulk create user operation. – No
You create a PowerShell script that runs the New-AzureADMSInvitation cmdlet for each external user. – Yes
You need to ensure that an administrator named Admin1 can manage LB1 and LB2. The solution must follow the principle of least privilege. Which role should you assign to Admin1 for each task? – Box 1. Network Contributor on RG1 , Box 2. Network Contributor on RG1
An administrator reports that she is unable to grant access to AKS1 to the users in contoso.com. You need to ensure that access to AKS1 can be granted to the contoso.com users. – From contoso.com, create an OAuth 2.0 authorization endpoint.
You need to create groups for the users. The solution must ensure that the groups are deleted automatically after 180 days. – a Microsoft 365 group that uses the Assigned membership type, a Microsoft 365 group that uses the Dynamic User membership type
User3 can perform an access review of User1 = No User3 can perform an access review of UserA = No User3 can perform an access review of UserB = No
What is the effect of the policy? – You can create Azure SQL servers in ContosoRG1 only
VNET1 will only have Department: D1 tag & VNET 2 will only have Label : Value1 tag
You need to identify which resources can be moved to AZPT2 – VM1, storage1, VNET1, VM1Managed, and RVAULT1
You need to ensure that Admin1 can deploy the Marketplace resource successfully – From Azure PowerShell, run the Set-AzMarketplaceTerms cmdlet
You need to assign the User administrator administrative role to AdminUser1 – From the Directory role blade, modify the directory role
You need to ensure that 10 users can use all the Azure AD Premium features – From the Licenses blade of Azure AD, assign a license
You need to ensure that an alert is set in Service Manager when the amount of available memory on VM1 is below 10 percent – Deploy the IT Service Management Connector (ITSM)
You need to add a user named admin1@contoso.com as an administrator on all the computers that will be joined to the Azure AD domain – Device settings from the Devices blade
User1 can add Device2 to Group1: No User2 can add Device1 to Group1: Yes User2 can add Device2 to Group2: No
When the project is complete, you attempt to delete RG26 from the Azure portal. The deletion fails. You need to delete RG26. – Stop the backup of SQLDB01
You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1. Subscription1 has a user named User1. User1 has the following roles: ? Reader ? Security Admin ? Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users. – Assign User1 the User Access Administrator role for VNet1.
You need to ensure that Azure can verify the domain name, Which type of DNS record should you create? – MX
On Subscription1, you assign the DevTest Labs User role to the Developers group – No
On Subscription1, you assign the Logic App Operator role to the Developers group – No
On Dev, you assign the Contributor role to the Developers group. – YES
You need to send a report to the finance department. The report must detail the costs for each department. Which three actions should you perform in sequence?
```
Box 1: Assign a tag to each resource
Box 2: From the Cost analysis blade, filter the view by tag
Box 3: Download the usage report
```
You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1， You need to view the error events from a table named Event – search in (Event) “error”
RG1 has a web app named WebApp1. WebApp1 is located in West Europe. You move WebApp1 to RG2. What is the effect of the move? – The App Service plan for WebApp1 remains in West Europe. Policy2 applies to WebApp1
You need to ensure that the connections to App1 are spread across all the virtual machines – an internal load balancer，an Azure Application Gateway
You need to quickly identify underutilized virtual machines that can have their service tier changed to a less expensive offering. Which blade should you use? – Advisor
The Answer is correct .
- Select Users & Groups : Where you have to choose all users.
- Select Cloud apps or actions: to specify the Azure portal
- Grant: to grant the MFA
You need to ensure that Admin1 can invite the external partner to sign in to the Azure AD tenant – From the Users settings blade, modify the External collaboration settings
You need to ensure that User1 can assign a policy to the tenant root management group – Assign the Global administrator role to User1, and then instruct User1 to configure access management for Azure resources
User 1: Group 1 only User 2: Group 1 & 2
Box 1:User1 and User3 only You must use Windows Server Active Directory to update the identity, contact info, or job info for users whose source of authority is Windows Server Active Directory. Box 2: User1, User2, and User3 Usage location is an Azure property that can only be modified from Azure AD (for all users including Windows Server AD users synced via Azure AD Connect)
You assign the Network Contributor role at the subscription level to Admin1 – Yes
You assign the Owner role at the subscription level to Admin1 – Yes
You assign the Reader role at the subscription level to Admin1 – No
Which role-based access control (RBAC) role should you assign to User1 – Contributor
You need to ensure that a service running on VM1 can manage the resources in RG1 by using the identity of VM1. What should you do first? – From the Azure portal, modify the Managed Identity settings of VM1
You need to delete TestRG – Remove the resource lock from VNET1 and delete all data in Vault1
You need to delegate a subdomain named research.adatum.com to a different DNS server in Azure – Create an NS record named research in the adatum.com zone
Add the custom domain name to your directory，Add a DNS entry for the domain name at the domain name registrar，Verify the custom domain name in Azure AD
You need to ensure that records created in the contoso.com zone are resolvable from the internet – Modify the NS records in the DNS domain registrar

Box 1: User1 and User3 only. User1: The Owner Role lets you manage everything, including access to resources. User3: The Network Contributor role lets you manage networks, including creating subnets. Box 2: User1 only. The Security Admin role: In Security Center only: Can view security policies, view security states, edit security policies, view alerts and recommendations, dismiss alerts and recommendations

Box 1: Sub1, RG1, and VM1 only - You can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. Box 2: Sub1, RG1, and VM1 only - You apply tags to your Azure resources, resource groups, and subscriptions

You need to create and upload a file for the bulk delete – The user principal name of each user only

Box 1: No - The Azure Policy will add Tag4 to RG1. Box 2: No - Tags applied to the resource group or subscription aren’t inherited by the resources although you can enable inheritance with Azure Policy. Storage1 has Tag3: Value1 and the Azure Policy will add Tag4. Box 3: No - Tags applied to the resource group or subscription aren’t inherited by the resources so VNET1 does not have Tag2. VNET1 has Tag3:value2. VNET1 is excluded from the Azure Policy so Tag4 will not be added to VNET1

You assign the Traffic Manager Contributor role at the subscription level to Admin1 – No
You need to grant user management permissions to a local administrator in each office – administrative units
you assign the Logic App Contributor role to the Developers group – YES

1) User1 can “assign access to other users for” LB1. 2) User1 can “delete a virtual machine from” the resource group

You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1. Subscription1 has a user named User1. User1 has the following roles: ? Reader ? Security Admin ? Security Reader You need to ensure that User1 can assign the Reader role for VNet1 to other users. What should you do?

-- **Assign User1 the Owner role for VNet1**  or **Assign User1 the User Access Administrator role for VNet1** or **Assign User1 the Access Administrator role for VNet1**

correct answer is dataActions and assignableScopes

You need to grant Group1 the Storage File Data SMB Share Elevated Contributor role for share1 – Enable Active Directory Domain Service (AD DS) authentication for storage1
You need to ensure that Group1 can manage role assignments for the existing subscriptions and the planned subscriptions – Assign Group1 the User Access Administrator role for the root management group
You need to create new user accounts in external.contoso.onmicrosoft.com ，You instruct User2 to create the user accounts – No
You need to create new user accounts in external.contoso.onmicrosoft.com. Solution: You instruct User4 to create the user accounts – No
You need to create new user accounts in external.contoso.onmicrosoft.com. Solution: You instruct User3 to create the user accounts. – No
You need to ensure that you can apply the custom role to any resource group in Sub1 and Sub2. The solution must minimize administrative effort – Select the custom role and add Sub1 and Sub2 to the assignable scopes. Remove RG1 from the assignable scopes.

Upload blob data to storageacct1234， View blob data in storageacct1234

You need to ensure that the developers of App1 can use their Azure AD credentials to deploy content to App1 – Assign the Website Contributor role to the developers
From Azure AD in the Azure portal, you use the Bulk invite users operation – No

Role3: Role1 and built-in Azure subscription roles only Role4: Role2 only

Answer is correct. “Reader and Data Access”: “Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys

You need to ensure that the virtual machines can access Vault1 – a service tag
Which users are assigned the Azure Active Directory Premium Plan 2 license – User1 and User4 only

N - Because not Connected Y - Because when it expires it is removed from the group. Proof to follow Y - Because..math

You need to ensure that all the traffic from VM1 to storage1 travels across the Microsoft backbone network. – private endpoints or service endpoints

Correct Answers. YES, No, Yes (YES)User1 can create a storage account in RG1, since User1 has Storage Account Contribute Role inherited from Resource Group. (NO) User1 can modify the DNS settings of networkinterface1, since it requires Network Contribute role referring to the following link. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface?tabs=network-interface- portal#permissions (YES) User1 can create an inbound security rule to filter inbound traffic to networkinterface1, since User1 has Contributor role for NSG1

You need to assign User1 the Storage File Data SMB Share Contributor role for share1 – Configure Access control (IAM) for share1
You create a PowerShell script that runs the New-MgUser cmdlet for each external user – No
You create a PowerShell script that runs the New-MgInvitation cmdlet for each external user – Yes
You need to assign Workspace1 a role to allow read, write, and delete operations for the data stored in the containers of storage1. – Storage Blob Data Contributor
You purchase Azure Active Directory Premium P2 licenses. To which groups can you assign a license? – Group1 and Group3 only

1- User 1 can read Blob2 - No, because he is reading, then the condition a. applies, and he is not reading cont1 2- User 1 can read Blob3 - No, because he is reading, then the condition a. applies, and he is not reading cont1 3- User 2 can read blob 1 - Yes. He is not writing, so the condition b. does not apply. He has permissions granted by the role on the scope he is reading - Storage Blob Data Owner on storage1, which contains blob

You create a PowerShell script that runs the New-MgUser cmdlet for each user – No
To what can you add Admin1 as a co-administrator – Sub1
You need to ensure that imported user objects are added automatically as the members of a specific group based on each user’s department. The solution must minimize administrative effort – Create groups that use the Dynamic User membership type， Create a CSV file that contains user information and the appropriate attributes
You need to ensure that the access keys for storage1 rotate automatically – an Azure key vault
You need to enable self-service password reset (SSPR) – Group1 and Group2 only
You need to ensure that invitations can be sent only to fabrikam.com users – From External collaboration settings, configure the Collaboration restrictions settings
You need to assign a role to a user named User1 to ensure that the user can access the blob data in storage1. The role assignment must support conditions – Storage Blob Data Contributor，Storage Blob Data Owner
You purchase a Microsoft Fabric license，To which identities can you assign the license? --User1 only
You need to ensure that users receive a warning message when they generate a SAS that exceeds a seven-day time period. What should you do for storage? – Set Allow recommended upper limit for shared access signature (SAS) expiry interval to Enabled
You plan to use the Azure Import/Export service to export data from Subscription1 –storage4
You plan to export data by using Azure import/export job named Export1 –container1
You need to synchronize the files in the file share named data to an on-premises server named Server1 –Register Server1 ，Install the Azure File Sync agent on Server1，Create a sync group
You need to identify which storage account can be converted to zone-redundant storage (ZRS) replication by requesting a live migration from Azure support — storage2
You plan to use the disk files to provision an Azure virtual machine named VM1 – From the Networking blade of account1, select Selected networks.，From the Networking blade of account1, add the 131.107.1.0/24 IP address range.
Which two files should you create before you prepare the drives for the import job – a dataset CSV file，a driveset CSV file
You need to delete the Recovery Services vault – From the Recovery Service vault, stop the backup of each backup item.
You have an Azure subscription named Subscription1. You have 5 TB of data that you need to transfer to Subscription1. You plan to use an Azure Import/Export job. What can you use as the destination of the imported data? – *Azure File Storage，Azure Blob storage
You plan to use AzCopy to copy data to storage1 – blob and file only
You need to configure a storage service for Container1 – Azure Files
What should you include in the Availability Set – two update domains
You need to back up VM2 to RSV2 – From the RSV1 blade, click Backup items and stop the VM2 backup
You need to ensure that the data in the storage account is protected if a zone fails – Upgrade the account to general-purpose v2
You plan to manage the data stored in the accounts by using lifecycle management rules. – storage1, storage2, and storage3 only
Which outbound port should you open between the home computers and the data file share –445
From which devices can you use AzCopy to copy data to storage1 – Device1, Device2 and Device3
You need to prevent new content added to container1 from being modified for one year – an access policy
You need to ensure that the members of a group named Group1 can upload files by using the Azure portal. The solution must use the principle of least privilege – Storage Blob Data Contributor，Reader
You need to copy the contents of D:\Folder1 to the public container in an Azure Storage account named contosodata – azcopy copy D:\folder1 https://contosodata.blob.core.windows.net/public –recursive
You need to ensure that you can set Account kind for storage1 to BlockBlobStorage – Performance
For one of the containers, you need to use a different key to encrypt data at rest – Create an encryption scope
Which tasks can you perform by using Azure Storage Explorer – Task2, Task3, and Task4 only
You need to use customer-managed key encryption for container1 –an RSA key type with a key size of 2048, 3072, or 4096 only
What is the state of File1 on June 7 – deleted
You need to ensure that share1 can support SMB Multichannel，The solution must minimize costs. – Premium performance with locally-redundant storage (LRS)
You plan to use conditions when assigning role-based access control (RBAC) roles to storage1 – containers and queues only
You assign the Storage Account Encryption Scope Contributor Role to User1 – No
You need to ensure that the users can view only specific blobs based on blob index tags – a role assignment condition
Which storage types can you encrypt by using Scope – containers only
You need to prepare Vault1 for Azure Disk Encryption – Create a new key.， Select Azure Disk Encryption for volume encryption
Store and use the encryption key in KV1. – Azure Disk Encryption
Apply access permissions to all the content in the container – a shared access signature (SAS)
Automatically replicate data to a secondary Azure region – the Cool access tire，geo-redundant storage (GRS)，hierarchical namespace
Which storage account can be converted to zone-redundant storage (ZRS) replication

– Storage2

On which devices can you install Azure Storage Explorer
Device1, Device2, and Device3 only
You assign the Storage Account Key Operator Service Role to User1 – Yes
You assign the Reader and Data Access role to User1 – No
What should you do first for ContReg1 – Upgrade the SKU
You need to configure encryption for the virtual machines. – VM2 and VM3
You need to implement the planned changes for the storage account content – cont1, share1, and share2 only
From Azure CLI, you run az aks – No
From Azure CLI, you run the kubectl client – Yes
From Azure CLI, you run azcopy – No
You create an Azure storage account and configure shared access signatures (SASs) – No
What should you create to store the password –an Azure Key Vault and an access policy
You plan to automate the deployment of a virtual machine scale set that uses the Windows Server 2016 Datacenter image. – Upload a configuration script，Modify the extensionProfile section of the Azure Resource Manager template
You need to deploy the virtual machine to the West US location by using Template1 – Modify the location in the resources section to westus
You need to create a staging slot for Plan1 – From Plan1, scale up the App Service plan
You need to ensure that App1 always runs on at least eight virtual machines during planned Azure maintenance. – one virtual machine scale set that has 10 virtual machines instances
You create an event subscription on VM1. You create an alert in Azure Monitor and specify VM1 as the source Does this meet the goal –No
From the Overview blade, you move the virtual machine to a different subscription – No
From the Redeploy blade, you click Redeploy – Yes
From the Update management blade, you click Enable – No
You need to add a custom domain named www.contoso.com to webapp1 – Create a DNS record
You move VM1 to RG2, and then you add a new network interface to VM1 –No
You delete VM1. You recreate VM1, and then you create a new network interface for VM1 and connect it to VNET2. Does this meet the goal? – Yes
You turn off VM1, and then you add a new network interface to VM1 – No
You need to provide internet users with access to the applications that run in Cluster1. Which IP address should you include in the DNS record for Cluster1?

– 131.107.2.1

You need to identify what to deploy before you deploy Template1 – one App Service plan
Which change will cause downtime for VM1 – Change the size to D8s v3
You need to ensure that the App1 update is tested before the update is made available to users – Swap the slots， Deploy the App1 update to webapp1-test, and then test the update
You need to record all the successful and failed connection attempts to VM1 – Create an Azure Storage account，Register the Microsoft.Insights resource provider.Enable Azure Network Watcher flow logs.
You need to deploy an Azure virtual machine scale set that contains five instances as quickly as possible – Deploy one virtual machine scale set that is set to ScaleSetVM orchestration mode
What is the minimum number of App Service plans you should create for the web apps? – 2
From the Subscriptions blade, you select the subscription, and then click Programmatic deployment – No
You create a new network interface, and then you add the network interface to VM1 – No
Which users are members of the local Administrators group?

– User1 and User2 only

You plan to use Vault1 for the backup of as many virtual machines as possible – VM1, VM3, VMA, and VMC only
You need to configure cluster autoscaler for AKS1 – the az aks command，the Azure portal
You create a container image named App1 on your administrative workstation – Run the docker push command.
Which proximity placement groups should you use? –Proximity2 only
From the Subscriptions blade, you select the subscription, and then click Resource providers. – No
From the RG1 blade, you click Automation script. – No
From the RG1 blade, you click Deployments. – yes
You need to monitor the metrics and the logs of VM1 – Linux Diagnostic Extension (LAD) 3.0
You need to ensure that at least two virtual machines are available if a single Azure datacenter becomes unavailable – each virtual machine in a separate Availability Zone
You plan to deploy a virtual machine named VM2 from Template1. – resource group
What task should you include in the runbook? – Modify the VM size property of VM1
You need to ensure that NGINX is available on all the virtual machines after they are deployed – A Desired State Configuration (DSC) extension， Azure Custom Script Extension
Which changes will be lost after you redeploy VM1 – the new files on drive D
You need to ensure that you can use the disks attached to VM1 as a template for Azure virtual machines. What should you modify on VM1? – the hard drive
From which blade can you view the template that was used for the deployment – RG1
You swap webapp1-test for webapp1-prod and discover that App1 is experiencing performance issues. You need to revert to the previous version of App1 as quickly as possible. –Swap the slots
What is a possible cause of the Warning status – VM1 does not have the latest version of the Azure VM Agent (WaAppAgent.exe) installed
From the Overview blade, you move the virtual machine to a different resource group. – No
You create an Azure Log Analytics workspace and configure the Agent configuration settings. You install the Microsoft Monitoring Agent on VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source. –Yes
You need to identify in which of the currently used locations you can deploy ASP5. – West US, Central US, or East US
From Azure Cloud Shell, you run az aks. – No
You create an Azure Log Analytics workspace and configure the Agent configuration settings. You install the Microsoft Monitoring Agent on VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.– No
You create an Azure Log Analytics workspace and configure the Agent configuration settings. You install the Microsoft Monitoring Agent on VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.
– Yes
You create an Azure Log Analytics workspace and configure the data settings. You add the Microsoft Monitoring Agent VM extension to VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.
– No
You create an Azure Log Analytics workspace and configure the data settings. You install the Microsoft Monitoring Agent on VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.
–Yes
You plan to restore the backup to a different virtual machine. – From VM2, install the Microsoft Azure Recovery Services Agent
You create NIC2 in RG1 and West US. – Yes
You create NIC2 in RG2 and Central US. – No
You create NIC2 in RG2 and West US. – Yes
You develop the following Azure Resource Manager (ARM) template to create a resource group and deploy an Azure Storage account to the resource group – New-AzDeployment
You need to scale up VM1 to a new virtual machine size, but the intended size is unavailable. –Deallocate VM1
You set Admin user to Enable for Registry1. – No
You create a private endpoint connection for Registry1– No
You need to ensure that Plan1 will scale automatically when the CPU usage of the web app exceeds 80 percent – Rules Based in the Scale out method settings
Which certificate can you use from Vault1 – Cert1 or Cert2 only
From the resource group blade, move VM1 to another subscription –No
From the VM1 Redeploy + reapply blade, you select Redeploy –yes
From the VM1 Updates blade, select One-time update.–No
You need to meet the technical requirements for the KEK –Set-AzVMDiskEncryptionExtension and Key1.
You need to connect the datacenters to the subscription. The solution must minimize network latency between the datacenters. – three virtual hubs and one virtual WAN
What should you create on LB1 before you can create the new inbound NAT rules – a frontend IP address
To which virtual networks can you establish a peering connection from VNet1
–VNet3 and VNet4 only

327.You need to implement an Azure load balancer for the NVAs. The solution must meet the following requirements: ? The NVAs must run in an active-active configuration that uses automatic failover. ? The load balancer must load balance traffic to two services on the Production subnet. The services have different IP addresses. Which three actions should you perform —Deploy a standard load balancer，Add two load balancing rules that have HA Ports and Floating IP enabled，Add a frontend IP configuration, two backend pools, and a health probe

328.You need to ensure that you can connect Client1 to VNet2. –Download and re-install the VPN client configuration package on Client1

To which subnets can you apply NSG1?

– the subnets on VNet3 only

You need to ensure that webapp1 can access the data hosted on VM1 – Connect webapp1 to VNET1
You need to enable Desired State Configuration for VM1 – Start VM1
You need to ensure that visitors are serviced by the same web server for each request – Session persistence to Client IP and protocol ** or **Session persistence to Client IP
You add an inbound security rule to NSG-Subnet1 that allows connections from the Any source to the *destination for port range 3389 and uses the TCP protocol. You remove NSG-VM1 from the network interface of VM1.
–yes You add an inbound security rule to NSG-Subnet1 that allows connections from the internet source to the VirtualNetwork destination for port range 3389 and uses the UDP protocol.
– no
You add an inbound security rule to NSG-Subnet1 and NSG-VM1 that allows connections from the internet source to the VirtualNetwork destination for port range 3389 and uses the TCP protocol. –yes
What is the minimum number of NSGs you should create? – 1
in RG1, you need to create a new virtual machine named VM2, and then connect VM2 to VNET1 –Remove Microsoft.Compute/virtualMachines from the policy
You need to move the adatum.com zone to an Azure DNS zone in Subscription1 – Azure CLI
You need to direct all the Remote Desktop Protocol (RDP) connections to VM3 only – an inbound NAT rule
You need to prevent users of VM1 and VM2 from accessing websites on the Internet over TCP port 80 –Associate the NSG to Subnet1
You need to connect VNet1 to VNet2 – Provision virtual network gateways
You need to ensure that VM1 can be created in an Availability Zone. – Use managed disks，Availability options
You modify the Azure Active Directory (Azure AD) authentication policies – No
You join Computer2 to Azure Active Directory (Azure AD) – No
You create a resource lock, and then you assign the lock to the subscription – No
You need to ensure that all the virtual machines can resolve DNS names by using the DNS service on VM1 – Configure peering between VNET1, VNET2, and VNET3
You need to prevent RDP access to the virtual machines from the Internet, unless the RDP connection is established from the on-premises network – Create a deny rule in a network security group (NSG) that is linked to Subnet1
Subnet1 is associated to VNet1. NIC1 attaches VM1 to Subnet1. – Associate NIC1 to ASG1
You need to connect VNet1 to the on-premises network by using a site-to-site VPN – Create a connection， Create a local site VPN gateway，Create a VPN gateway that uses the VpnGw1 SKU
You need to create a network interface named NIC1 – East US only
You need to ensure that VM1 can resolve host names in adatum.com –Configure the name servers for adatum.com at the domain registrar
You create a Basic SKU public IP address, associate the address to the network interface of VM1 –No
You create a Standard SKU public IP address, associate the address to the network interface of VM1, and then stop VM2.–No
You create two Standard SKU public IP addresses and associate a Standard SKU public IP address to the network interface of each virtual machine –yes
You export the client certificate from Computer1 and install the certificate on Computer2 –yes
You need to ensure that users can connect to the website from the Internet. –For Rule5, change the Action to Allow and change the priority to 401
From the Resource providers blade, you unregister the Microsoft.ClassicNetwork provider. –No
You create an inbound security rule that denies all traffic from the 131.107.100.50 source and has a cost of 64999. –No
You delete the BlockAllOther443 inbound security rule –No
You modify the priority of the Allow_131.107.100.50 inbound security rule. –No
You assign a built-in policy definition to the subscription. –No
For the AKS cluster, you need to choose a network type that will support App1 – Azure Container Networking Interface (CNI)
You disassociate the public IP address from the network interface of VM2. – Yes
You configure a custom policy definition, and then you assign the policy to the subscription.– Yes
You need to view the average round-trip time (RTT) of the packets from VM1 to VM2 –Connection monitor
You perform a reverse DNS lookup for 10.0.0.4 from VM2. Which FQDN will be returned? – vm1.internal.cloudapp.net
You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a cost of 150. –No
You need to ensure that you can configure a point-to-site connection from an on-premises computer to VNet1. – Create a route-based virtual network gateway，Delete GW1
From Azure Network Watcher, you create a packet capture. –Yes
From Azure Network Watcher, you create a connection monitor. –No
From Performance Monitor, you create a Data Collector Set (DCS). –No
From Azure Monitor, you create a metric on Network In and Network Out –No
You create an inbound security rule that denies all traffic from the 131.107.100.50 source and has a priority of 64999. –No
You plan to peer VNet1 to another virtual network named VNet2. VNet2 has an address space of 10.2.0.0/16. –Modify the address space of VNet1
Which DNS names can you use to ping VM2? – comp2.contoso.com only
On Computer2, you set the Startup type for the IPSec Policy Agent service to Automatic. --No
Which public IP addresses can you use

-- IP3 only

You need to restrict network traffic between the pods – the Calico network policy
You plan to create a load balancing rule that will load balance HTTPS traffic between VM1 and VM2 –a backend pool，a health probe
Which type of public IP address SKU and assignment should you use for the gateway – a standard SKU and a static IP address assignment
Which SKU should you deploy – ErGw3AZ
You need to ensure that webapp1 can connect to Share1. –an Azure Virtual Network Gateway
Which two resources can you associate to IP1? Each correct answer presents a complete solution. – LB1，NIC1
You need to allow access to storage1 from selected networks and your home office. The solution must minimize administrative effort. –Modify the Public network access settings.
Which tunneling protocol should you use – IKEv2
You perform a test failover of VM1 and specify VNET2 as the target virtual network. –DemoSubnet1
You need to configure NSG1 to allow inbound access to the virtual machines via Bastion1. – 443
You need to deploy an Azure firewall named AF1 to RG1 in the West US Azure region. – VNET1 only
You need to monitor connectivity between the virtual machines and the on-premises network by using Connection Monitor.

What is the minimum number of connection monitors you should deploy?

– 2

You need to ensure that inbound user traffic uses the Microsoft point-of-presence (POP) closest to the user’s location. – Routing preference
You need to prevent VM1 from accessing VM2 on port 3389 – Create a network security group (NSG) that has an outbound security rule to deny destination port 3389 and apply the NSG to the network interface of VM1
You need to manage outbound traffic from VNET1 by using Firewall1 –Create a route table
You plan to deploy an Azure Bastion host named Bastion1 to VNet1 – VM1 only
You need to ensure that Bastion1 can support 100 concurrent SSH users. –Upgrade Bastion1 to the Standard SKU
You plan to deploy an Azure Bastion Basic SKU host named Bastion1
– IP1 only
You need to move VM1 to Sub2. – VM1, Disk1, NetInt1, and VNet1
You need to add a route to RT1 that specifies the next hop IP address –Virtual appliance
You have the virtual networks shown in the following table,Which virtual networks can you peer with VNet1
– VNet2, VNet3, VNet4, and VNet5
You need to enable multi-user authorization (MAU) for Vault1 – a resource guard
You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a priority of 150
– Yes You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a cost of 150. – No
You create a route table named RT1 in the East US Azure region – Subnet1 only
You need to configure secure RDP connections to the virtual machines by using Azure Bastion
What is the minimum number of Bastion hosts required? – 1
What is the maximum number of virtual machines that can connect to Subnet1 – 123
What should you configure for container1 – the public networking type
You need to ensure that cont1 can be configured to use private networking – Networking type
To which virtual machines can you connect through Bastion1 – VM1 and VM2 only
Which virtual networks can you peer with VNet1
–VNet3 and VNet4 only
You create a Recovery Services vault – Configure a virtual network.
You need to ensure that all the traffic between VNet1 and VNet2 traverses the Microsoft backbone network. –peering
You need to configure access for users on the on-premises network to connect to a virtual machine on VNet2. The solution must minimize costs. –service chaining and user-defined routes (UDRs)
You need to ensure that the traffic from VNet1 to VNet2 is inspected by using NetVA1 –a route table that has custom routes
You plan to schedule backups to occur every night at 23:00

–VM1, VM2, VM3 and VM4

What should you create for Azure Monitor –an action group
You need to protect VM3 and VM4 by using Recovery Services –Create a new Recovery Services vault
You need to identity who will receive an email notification when Alert1 is triggered –User1 and User2 only
You need to ensure that all the changes to VM1 are restored –Copy Budget.xls to Data
You need to ensure that User1 can join the device to Azure AD –From the Device settings blade, modify the Maximum number of devices per user setting
You instruct User1 to create the user accounts. – Yes
You need to monitor the latency between your on-premises network and the virtual machines – Network Performance Monitor
Which target resource should you monitor in the alert rule – Azure Log Analytics workspace
You need to identify unattached disks that can be deleted –From Azure Cost Management, view Advisor Recommendations
You need to provide the developers of webapp1 with real-time access to the connection errors. The solution must provide all the connection error details – From webapp1, enable Web server logging
You need to monitor the availability of App1 by using a multi-step web test – Azure Application Insights
You need to recover VM1 to a point eight days ago. The solution must minimize downtime. –Restore VM1 by using the Create new restore configuration option
You need to centrally monitor user activity across all the subscriptions – a Log Analytics workspace
To what should you set Destination in the rule –Service Tag
You need to collect performance traces for App1 –Azure Application Insights Profiler
You need to back up App1. The solution must minimize costs. –storage2
You need to use Traffic Analytics in Azure Network Watcher to monitor virtual machine traffic. –a Log Analytics workspace,a storage account
What is the minimum number of service endpoints you should add to VNET1 –2
You need to configure an Azure web app named contoso.azurewebsites.net to host www.contoso.com. – Create a TXT record named asuid that contains the domain verification ID.
You need to configure an Azure Monitor Network Insights alert that will be triggered when suspicious network traffic is detected. – Configure NSG flow logs.
You need to ensure that when blob data is added to storage1, a secondary copy is created in the East US region. The solution must minimize administrative effort. – object replication
You need to collect performance data and events from the virtual machines. The solution must meet the following requirements: • Logs must be sent to Workspace1 and Workspace 2. • All Windows events must be captured. • All security events must be captured. What should you install and configure on each virtual machine?

– the Azure Monitor agent

You need to create an alert rule that will run App1 if VM1 stops –an action group
You need to create a dashboard to display detailed metrics and a visual representation of the network topology – Azure Monitor Network Insights
A user reports that he cannot use port 33000 to connect from a virtual machine in one region to a virtual machine in another region. Which two options can you use to diagnose the issue? –IP flow verify,Connection troubleshoot
You need to receive an email alert when a resource lock is removed from any resource in the subscription. --a resource, a condition, and an action group
You need to ensure that all the virtual machines only communicate with Azure Monitor through VNet1 –an Azure Monitor Private Link Scope (AMPLS)
You need to monitor input events for Job1 to identify the number of events that were NOT processed –Backlogged Input Events
You plan to use Azure Monitor to monitor the performance of DB1. You must be able to run queries to analyze log data – Send to a Log Analytics workspace
You plan to use the Azure Monitor Agent to collect events from Windows System event logs. You only need to collect system events that have an ID of 1001. Which type of query should you use for the data source in Rule1?

– XPath

You need to use Connection Monitor to identify network latency between VM1 and DC1. What should you install on DC1? – an Azure Monitor agent extension
You need to monitor VM1 traffic by using Traffic Analytics. –NSG flow logs for NSG1
You need to collect the IIS logs from each virtual machine and store them in a Log Analytics workspace. –Diagnostic settings
You need to meet the user requirement for Admin1 – From the Subscriptions blade, select the subscription, and then modify the Properties
You need to ensure that you can grant Group4 Azure RBAC read only permissions to all the Azure file shares. What should you do? –On storage2, enable identity-based access for the file shares.
You need to implement a backup solution for App1 after the application is moved. What should you create first? –a Recovery Services vault
You need to move the blueprint files to Azure –Use Azure Storage Explorer to copy the files.
You need to identify which storage account to use for the flow logging of IP traffic from VM5. The solution must meet the retention requirements. Which storage account should you identify? –storage2
You discover that VM3 does NOT meet the technical requirements. You need to verify whether the issue relates to the NSGs. What should you use? –IP flow verify in Azure Network Watcher
You need to ensure that VM1 can communicate with VM4. The solution must minimize the administrative effort. What should you do? –Establish peering between VNET1 and VNET3.
You are planning the move of App1 to Azure. You create a network security group (NSG). You need to recommend a solution to provide users with access to App1. What should you recommend? –Create an incoming security rule for port 443 from the Internet. Associate the NSG to the subnet that contains the web servers.
You need to add VM1 and VM2 to the backend pool of LB1 –Redeploy VM1 and VM2 to the same availability set.
You need to ensure that VM1 can communicate with VM4. The solution must minimize administrative effort –Establish peering between VNET1 and VNET3.
You need to recommend a solution to automate the configuration for the finance department users. The solution must meet the technical requirements. What should you include in the recommendation? –dynamic groups and conditional access policies