Microsoft AZ-104 Dumps

A screenshot of a computer Description automatically generated

Box 1: Selected

Only selected users should be able to join devices

Box 2: Yes

Require Multi-Factor Auth to join devices.

From scenario:

• Ensure that only users who are part of a group named Pilot can join devices to Azure AD
• Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.

As App1 is public-facing we need an incoming security rule, related to the access of the web servers.

Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers: a SQL database, a web front end, and a processing middle tier.

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

Change the Service administrator for an Azure subscription

• Sign in to Account Center as the Account administrator.
• Select a subscription.
• On the right side, select Edit subscription details.

Scenario: Designate a new user named Admin1 as the service administrator of the Azure subscription.

References:

A screenshot of a computer Description automatically generated

This reference architecture shows how to deploy VMs and a virtual network configured for an N-tier application, using SQL Server on Windows for the data tier.

A diagram of a computer network Description automatically generated with medium confidence

Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers:

• A SQL database
• A web front end
• A processing middle tier

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

• Technical requirements include:
• Move all the virtual machines for App1 to Azure.
• Minimize the number of open ports between the App1 tiers.

References:

Azure Storage Explorer is a free tool from Microsoft that allows you to work with Azure Storage data on Windows, macOS, and Linux. You can use it to upload and download data from Azure blob storage.

Scenario:

Planned Changes include: move the existing product blueprint files to Azure Blob storage.

Technical Requirements include: Copy the blueprint files to Azure over the Internet.

References:

Statement 1: Yes

Contoso is moving the existing product blueprint files to Azure Blob storage which will ensure that the blueprint files are stored in the archive storage tier.

Use unmanaged standard storage for the hard disks of the virtual machines. We use Page Blobs for these.

Statement 2: No

Azure Table storage stores large amounts of structured data. The service is a NoSQL datastore which accepts authenticated calls from inside and outside the Azure cloud. Azure tables are ideal for storing structured, non-relational data. Common uses of Table storage include:

1. Storing TBs of structured data capable of serving web scale applications

2. Storing datasets that don't require complex joins, foreign keys, or stored procedures and can be denormalized for fast access

3. Quickly querying data using a clustered index

4. Accessing data using the OData protocol and LINQ queries with WCF Data Service .NET Libraries

Statement 3: No

File Storage can be used if your business use case needs to deal mostly with standard File extensions like *.docx, *.png and *.bak then you should probably go with this storage option.

A Recovery Services vault is a logical container that stores the backup data for each protected resource, such as Azure VMs. When the backup job for a protected resource runs, it creates a recovery point inside the Recovery Services vault.

Scenario:

There are three application tiers, each with five virtual machines.

Move all the virtual machines for App1 to Azure.

Ensure that all the virtual machines for App1 are protected by backups.

References:

Active Directory Federation Services is a feature and web service in the Windows Server Operating System that allows sharing of identity information outside a company’s network.

Scenario: Technical Requirements include:

Prevent user passwords or hashes of passwords from being stored in Azure.

References: h og/active-directory-federation-services/

Routing preference is a feature that allows you to configure how network traffic is routed to your storage account from clients over the internet. By default, traffic from the internet is routed to the public endpoint of your storage account over the Microsoft global network, which is optimized for low-latency path selection and high reliability. Both inbound and outbound traffic are routed through the point of presence (POP) that is closest to the client. This ensures that traffic to and from your storage account traverses over the Microsoft global network for the bulk of its path, maximizing network performance. You can also change the routing preference to use internet routing, which minimizes the traversal of your traffic over the Microsoft global network, handing it off to the transit ISP at the earliest opportunity. This lowers networking costs, but may compromise network performance. Therefore, to ensure that inbound user traffic uses the Microsoft POP closest to the user’s location, you should configure routing preference to use the Microsoft global network as the default routing option for your storage account.

References:

• Network routing preference for Azure Storage
• Configure network routing preference for Azure Storage

Azure Monitor can collect data directly from your Azure virtual machines into a Log Analytics workspace for analysis of details and correlations. Installing the Log Analytics VM extension for Windows and Linux allows Azure Monitor to collect data from your Azure VMs.

Azure Log Analytics workspace is also used for on-premises computers monitored by System Center Operations Manager.

A virtual machine scale set is a group of identical virtual machines that are automatically distributed across fault domains and update domains in one or more placement groups1. A fault domain is a logical group of underlying hardware that share a common power source and network switch, and a failure in one fault domain will not affect virtual machines in other fault domains2. An update domain is a logical group of underlying hardware that can undergo maintenance or be rebooted at the same time3.

By creating a virtual machine scale set with 12 instances, you can ensure that App1 has high availability and scalability. You can configure the scale set to have a minimum number of instances that must always be running, and a maximum number of instances that can be scaled up or down based on demand or a schedule. You can also configure the scale set to use automatic OS image upgrades, which will apply updates to the virtual machines in batches, ensuring that at least one instance is always running during the upgrade process.

• Option A (Create an Azure Resource Manager template): This wouldn't circumvent the policy enforcement. Even with a template, you cannot create resources that the policy explicitly denies.
• Option B (Add a subnet to VNET1): Adding a subnet does not address the policy restriction on creating virtual machines. Also, the existing VNET1 can already have multiple subnets.
• Option C (Remove Microsoft.Network/virtualNetworks from the policy): This isn't necessary because you're not trying to create a new virtual network; you are connecting to an existing one, VNET1.
• Option D (Remove Microsoft.Compute/virtualMachines from the policy): This is the correct action because it directly addresses the restriction that is preventing you from creating a new virtual machine in RG1. Removing the virtual machine resource type from the not allowed list in the policy will enable you to create VM2.

Remember, changes to policies might take a few minutes to propagate. After updating the policy, you should be able to create the new virtual machine VM2 and connect it to VNET1.

NET Core 3.0: Windows and Linux ASP .NET V4.7: Windows only PHP 7.3: Windows and Linux Ruby 2.6: Linux only Also, you can’t use Windows and Linux Apps in the same App Service Plan, because when you create a new App Service plan you have to choose the OS type. You can't mix Windows and Linux apps in the same App Service plan. So, you need 2 ASPs. Reference:

"Group nesting isn't supported. A group can't be added as a member of a role-assignable group."

For the second question:

"We currently don't support:

Adding Microsoft 365 groups to Security groups or other Microsoft 365 groups.

"

For the third question, although it appears truncated in the screenshot (ending with "for...") there is a reference about Microsoft 365 groups support for roles assignment here:

"To assign a role to a group, you must create a new security or Microsoft 365 group with the isAssignableToRole property set to true. "

Redeploying the virtual machine moves it to a new host within the same region and availability set. This can help resolve any underlying issues with the current host. Redeploying the virtual machine does not affect the configuration or data on the virtual machine. Then, References: [Redeploy Windows VM to new Azure node]

Based on the lifecycle management policy you created and the information from the web search results, here are the answers to your statements:

• A blob snapshot automatically moves to the Cool access tier after 15 days. = Yes
• A blob version in container2 automatically moves to the Archive access tier after 30 days. = No
• A rehydrated version automatically moves to the Archive access tier after 30 days. = No

• The lifecycle management policy you created has two rules: one for container1 and one for container2. The rule for container1 has an action that moves blob snapshots to the Cool access tier if they are older than 15 days. Therefore, a blob snapshot in container1 will automatically move to the Cool access tier after 15 days, regardless of the access tier of the base blob.
• The rule for container2 has an action that moves blob versions to the Archive access tier if they are older than 30 days and have a prefix match of “archive/”. Therefore, a blob version in container2 will only automatically move to the Archive access tier after 30 days if its name starts with “archive/”. Otherwise, it will remain in its current access tier.
• A rehydrated version is a blob version that was previously in the Archive access tier and was restored to an online access tier (Hot or Cool) by using the rehydrate priority option1. A rehydrated version does not automatically move to the Archive access tier after 30 days, unless there is a lifecycle management policy rule that explicitly specifies this action. In your case, neither of the rules applies to rehydrated versions, so they will stay in their online access tiers until you manually change them or delete them.

Box 1: Create a Recovery Services vault

Create a Recovery Services vault on the Azure Portal.

Box 2: Install the Azure Site Recovery Provider

Azure Site Recovery can be used to manage migration of on-premises machines to Azure.

Scenario: Migrate the virtual machines hosted on Server1 and Server2 to Azure.

Server2 has the Hyper-V host role.

References:

https://docs.microsoft.com/en-us/azure/site-recovery/migrate-tutorial-on-premises-azure

A white paper with black text Description automatically generated

A screenshot of a computer Description automatically generated

Box 1: Create a virtual network gateway and a local network gateway.

Azure VPN gateway. The VPN gateway service enables you to connect the VNet to the on-premises network through a VPN appliance. For more information, see Connect an on-premises network to a Microsoft Azure virtual network. The VPN gateway includes the following elements:

• Virtual network gateway. A resource that provides a virtual VPN appliance for the VNet. It is responsible for routing traffic from the on-premises network to the VNet.
• Local network gateway. An abstraction of the on-premises VPN appliance. Network traffic from the cloud application to the on-premises network is routed through this gateway.
• Connection. The connection has properties that specify the connection type (IPSec) and the key shared with the on-premises VPN appliance to encrypt traffic.
• Gateway subnet. The virtual network gateway is held in its own subnet, which is subject to various requirements, described in the Recommendations section below.

Box 2: Configure a site-to-site VPN connection

On premises create a site-to-site connection for the virtual network gateway and the local network gateway.

A diagram of a computer network Description automatically generated

Scenario: Connect the New York office to VNet1 over the Internet by using an encrypted connection.

Scenario: Create a workflow to send an email message when the settings of VM4 are modified.

You can start an automated logic app workflow when specific events happen in Azure resources or third-party resources. These resources can publish those events to an Azure event grid. In turn, the event grid pushes those events to subscribers that have queues, webhooks, or event hubs as endpoints. As a subscriber, your logic app can wait for those events from the event grid before running automated workflows to perform tasks - without you writing any code.

References:

Technically, The finance department needs to migrate their users from AD to AAD using AADC based on the finance OU, and need to enforce MFA use. This is conditional access policy. Employees also often get promotions and/or join other departments and when that occurs, the user's OU attribute will change when the admin puts the user in a new OU, and the dynamic group conditional access exception (OU= [Department Name Value]) will move the user to the appropriate dynamic group on next AADC delta sync.

https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership

nditional-access/overview

ure/active-directory/authentication/howto-mfa-userstates

Scenario: Litware must meet technical requirements including:

Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.

IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. While any source or destination IP can be chosen, IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.

References:

A close-up of a book Description automatically generated

role-powershell

Get-AzRoleDefinition -Name "Reader" | ConvertTo-Json

osoft.com/en-us/powershell/module/az.resources/get-azroledefinition?view=azps-5.9.0

om/en-us/azure/role-based-access-control/tutorial-custom-role-powershell

onvertto-json?view=powershell-7.1

s/powershell/module/azuread/get-azureaddirectoryrole?view=azureadps-2.0

Graphical user interface, text, application Description automatically generated

Graphical user interface, text, application, email Description automatically generated

Table Description automatically generated

D: Seamless SSO works with any method of cloud authentication - Password Hash Synchronization or Pass-through Authentication, and can be enabled via Azure AD Connect.

B: You can gradually roll out Seamless SSO to your users. You start by adding the following Azure AD URL to all or selected users' Intranet zone settings by using Group Policy in Active Directory:

Cost analysis: Correct Option

In cost analysis blade of Azure, you can see all the detail for custom time span. You can use this to determine expenditure of last few day, weeks, and month. Below options are available in Cost analysis blade for filtering information by time span:  last 7 days, last 30 days, and custom date range. Choosing the first option (last 7 days) auditors can view the costs by time span.

Cost analysis shows data for the current month by default. Use the date selector to switch to common date ranges quickly. Examples include the last seven days, the last month, the current year, or a custom date range. Pay-as-you-go subscriptions also include date ranges based on your billing period, which isn't bound to the calendar month, like the current billing period or last invoice. Use the <PREVIOUS and NEXT> links at the top of the menu to jump to the previous or next period, respectively. For example, <PREVIOUS will switch from the Last 7 days to 8-14 days ago or 15-21 days ago.

A screenshot of a calendar Description automatically generated

Invoice: Incorrect Option

Invoices can only be used for past billing periods not for current billing period, i.e. if your requirement is to know the last week's cost then that also not filled by invoices because Azure  generates invoice at the end of the month. Even though Invoices have custom timespan, but when you put in dates for a week, the pane would be empty. Below is from Microsoft document:

A screenshot of a computer screen Description automatically generated

Resource Provider: Incorrect Option

When deploying resources, you frequently need to retrieve information about the resource providers and types. For example, if you want to store keys and secrets, you work with the Microsoft.KeyVault resource provider. This resource provider offers a resource type called vaults for creating the key vault. This is not useful for reviewing all Azure costs from the past week which is required for audit.

Payment method: Incorrect Option

Payment methods is not useful for reviewing all Azure costs from the past week which is required for audit.

Every Azure AD directory comes with an initial domain name in the form of domainname.onmicrosoft.com. The initial domain name cannot be changed or deleted, but you can add your corporate domain name to Azure AD as well. For example, your organization probably has other domain names used to do business and users who sign in using your corporate domain name. Adding custom domain names to Azure AD allows you to assign user names in the directory that are familiar to your users, such as ‘alice@contoso.com.’ instead of 'alice@domain name.onmicrosoft.com'.

Scenario:

Network Infrastructure: Each office has a local data center that contains all the servers for that office. Each office has a dedicated connection to the Internet.

Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com

Planned Azure AD Infrastructure: The on-premises Active Directory domain will be synchronized to Azure AD.

References:

B: You can gradually roll out Seamless SSO to your users. You start by adding the following Azure AD URL to all or selected users' Intranet zone settings by using Group Policy in Active Directory:

E: Seamless SSO works with any method of cloud authentication - Password Hash Synchronization or Pass-through Authentication, and can be enabled via Azure AD Connect.

References: