You need to define a custom domain name for Azure AD to support the planned infrastructure. Which
domain name should you use?
A. ad.humongousinsurance.com
B. humongousinsurance.onmicrosoft.com
C. humongousinsurance.local
D. humongousinsurance.com
Answer: D
Every Azure AD directory comes with an initial domain name in the form of domainname.onmicrosoft.com.
The initial domain name cannot be changed or deleted, but you can add your corporate domain name to AAD
as well. Adding custom domain names to Azure AD allows you to assign user names in the directory that are
familiar to your users, such as '[email protected].' instead of 'alice@domain name.onmicrosoft.com'.
Questions & Answers PDF P-16 www.dumpskey.com
You need to prepare the environment to meet the authentication requirements. Which two actions should
you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one
point.
A. Allow inbound TCP port 8080 to the domain controllers in the Miami office.
B. Add http://autologon.microsoftazuread-sso.com to the intranet zone of each client computer in the Miami
office.
C. Join the client computers in the Miami office to Azure AD.
D. Install the Active Directory Federation Services (AD FS) role on a domain controller in the Miami office.
E. Install Azure AD Connect on a server in the Miami office and enable Pass-through Authentication.
Answer: BE
B: You can gradually roll out Seamless SSO to your users. You start by adding the following Azure AD URL to
all or selected users' Intranet zone settings by using Group Policy in Active Directory:
https://autologon.microsoftazuread-sso.com
E: Seamless SSO works with any method of cloud authentication - Password Hash Synchronization or
Pass-through Authentication, and can be enabled via Azure AD Connect.
Scenario: Licensing Issue
1. You attempt to assign a license in Azure to several users and receive the following error message: "Licenses
not assigned. License agreement failed for one user."
2. You verify that the Azure subscription has the available licenses.
You need to resolve the licensing issue before you attempt to assign the license again. What should you do?
A. From the Groups blade, invite the user accounts to a new group.
B. From the Profile blade, modify the usage location.
C. From the Directory role blade, modify the directory role.
Answer: B
Explanation: Some Microsoft services aren't available in all locations because of local laws and regulations.
Before you can assign a license to a user, you must specify the Usage location property for the user. You can
specify the location under the User > Profile > Settings section in the Azure portal.
You have an Azure subscription named Subscription that contains the resource groups shown in the following
table.
RG1 - East Asia
RG2 - East US
In RG1, you create a virtual machine named VM1 in the East Asia location. You plan to create a virtual
network named VNET1. You need to create VNET1, and then connect VM1 to VNET1. What are two possible
ways to achieve this goal? Each correct answer presents a complete solution. NOTE: Each correct selection
is worth one point.
A. Create VNET1 in RG2, and then set East Asia as the location.
B. Create VNET1 in a new resource group in the West US location, and then set West US as the location.
C. Create VNET1 in RG1, and then set East Asia as the location.
D. Create VNET1 in RG1, and then set East US as the location.
E. Create VNET1 in RG2, and then set East US as the location.
Answer: AC
A network interface can exist in the same resource group as, or a different resource group from, the virtual
machine you attach it to or the virtual network you connect it to. The virtual machine you attach a network
interface to and the virtual network you connect it to must exist in the same location, also referred to as a
region. Note: resource groups can span multiple regions, but VNets can only hold resources (VMs, network
adapters) that exist in the same region. So in this scenario, you need to create VNET1 in any RG and set
location as East Asia.
You have an Azure subscription that contains a storage account named account1. You plan to upload the disk
files of a virtual machine to account1 from your on-premises network. The on-premises network uses a public
IP address space of 131.107.1.0/24. You plan to use the disk files to provision an Azure virtual machine
named VM1. VM1 will be attached to a virtual network named VNet1. VNet1 uses an IP address space of
192.168.0.0/24. You need to configure account1 to meet the following requirements: Ensure that you can
upload the disk files to account1. Ensure that you can attach the disks to VM1. Prevent all other access to
account1. Which two actions should you perform? Each correct selection presents part of the solution. NOTE:
Each correct selection is worth one point.
A. From the Firewalls and virtual networks blade of account1, add the 131.107.1.0/24 IP address range.
B. From the Firewalls and virtual networks blade of account1, select Selected networks.
C. From the Firewalls and virtual networks blade of account1, add VNet1.
D. From the Firewalls and virtual networks blade of account1, select Allow trusted Microsoft services to
access this storage account.
E. From the Service endpoints blade of VNet1, add a service endpoint.
Answer: AB
By default, storage accounts accept connections from clients on any network. To limit access to selected
networks, you must first change the default action.
Azure portal
1. Navigate to the storage account you want to secure.
2. Click on the settings menu called Firewalls and virtual networks.
3. To deny access by default, choose to allow access from 'Selected networks'. To allow traffic from all
networks, choose to allow access from 'All networks'.
4. Click Save to apply your changes.
Grant access from a Virtual Network
Storage accounts can be configured to allow access only from specific Azure Virtual Networks. By enabling a
Service Endpoint for Azure Storage within the Virtual Network, traffic is ensured an optimal route to the Azure
Storage service. The identities of the virtual network and the subnet are also transmitted with each request.
You have an Azure Active Directory (Azure AD) tenant named contosocloud.onmicrosoft.com. Your company
has a public DNS zone for contoso.com. You add contoso.com as a custom domain name to Azure AD. You
need to ensure that Azure can verify the domain name. Which type of DNS record should you create?
A. PTR
B. MX
C. NSEC3
D. RRSIG
Answer: B
TXT or MX: Correct. You can use either a TXT or MX record to verify the custom domain in the Azure AD. MX
records can serve the purpose of TXT records.
SRV: Incorrect. SRV records are used by various services to specify server locations. When specifying an SRV
record in Azure DNS
DNSKEY: Incorrect choice. This will verify that the records are originating from an authorized sender.
NSEC: Incorrect choice. This is part of DNSSEC. This is used for explicit denial-of-existence of a DNS record.
It is used to prove a name does not exist.
You have an Azure virtual machine named VM1. Azure collects events from VM1. You are creating an alert
rule in Azure Monitor to notify an administrator when an error is logged in the System event log of VM1. You
need to specify which resource type to monitor. What should you specify?
A. metric alert
B. Azure Log Analytics workspace
C. virtual machine
D. virtual machine extension
Answer: B
Explanation: Azure Monitor can collect data directly from your Azure virtual machines into a Log Analytics
workspace for analysis of details and correlations. Installing the Log Analytics VM extension for Windows and
Linux allows Azure Monitor to collect data from your Azure VMs. Azure Log Analytics workspace is also used
for on-premises computers monitored by System Center Operations Manager.
You have two Azure virtual machines named VM1 and VM2. You have two Recovery Services vaults named
RSV1 and RSV2. VM2 is protected by RSV1. You need to use RSV2 to protect VM2. What should you do first?
A. From the RSV1 blade, click Backup items and stop the VM2 backup.
B. From the RSV1 blade, click Backup Jobs and export the VM2 backup.
C. From the RSV1 blade, click Backup. From the Backup blade, select the backup for the virtual machine, and
then click Backup.
D. From the VM2 blade, click Disaster recovery, click Replication settings, and then select RSV2 as the
Recovery Services vault.
Answer: D
The Azure Site Recovery service contributes to your disaster recovery strategy by managing and orchestrating
replication, failover, and failback of on-premises machines and Azure virtual machines (VMs).
You have an Azure subscription that contains a web app named webapp1. You need to add a custom domain
named www.contoso.com to webapp1. What should you do first?
A. Upload a certificate.
B. Add a connection string.
C. Stop webapp1.
D. Create a DNS record.
Answer: B
You create an App Service plan named App1 and an Azure web app named webapp1. You discover that the
option to create a staging slot is unavailable. You need to create a staging slot for App1. What should you do
first?
A. From webapp1, modify the Application settings.
B. From webapp1, add a custom domain.
C. From App1, scale up the App Service plan.
D. From App1, scale out the App Service plan.
Answer: C
Scale up: Get more CPU, memory, disk space, and extra features like dedicated virtual machines (VMs),
custom domains and certificates, staging slots, autoscaling, and more. You scale up by changing the pricing
tier of the App Service plan that your app belongs to.
You download an Azure Resource Manager template based on an existing virtual machine. The template will
be used to deploy 100 virtual machines. You need to modify the template to reference an administrative
password. You must prevent the password from being stored in plain text. What should you create to store
the password?
A. Azure Active Directory (AD) Identity Protection and an Azure policy
B. a Recovery Services vault and a backup policy
C. an Azure Key Vault and an access policy
D. an Azure Storage account and an access policy
Answer: C
Explanation: You can use a template that allows you to deploy a simple Windows VM by retrieving the
password that is stored in a Key Vault. Therefore the password is never put in plain text in the template
parameter file.
You plan to use the Azure Import/Export service to copy files to a storage account. Which two files should
you create before you prepare the drives for the import job? Each correct answer presents part of the
solution. NOTE: Each correct selection is worth one point.
A. an XML manifest file
B. a driveset CSV file
C. a dataset CSV file
D. a PowerShell PS1 file
E. a JSON configuration file
Answer: BC
Explanation: B: Modify the driveset.csv file in the roo