Az 104 Part1

10/21/21, 5:55 PM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics
-
Expert Verified, Online, Free.
 Custom View Settings
Topic 1 - Question Set 1
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 1/342
Question #1 Topic 1
Your company has serval departments. Each department has a number of virtual machines (VMs).
The company has an Azure subscription that contains a resource group named RG1.
All VMs are located in RG1.
You want to associate each VM with its respective department.
What should you do?
A.
Create Azure Management Groups for each department.
B.
Create a resource group for each department.
C.
Assign tags to the virtual machines.
D.
Modify the settings of the virtual machines.
Correct Answer:
C
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags
 
green_arrow
Highly Voted 
3 months, 2 weeks ago
C is correct, the tags ASSOCIATE the vms to each deparment, then for example it can be charged to each department.
upvoted 20 times
 
specialdil
Most Recent 
1 day, 20 hours ago
Guys, anyone recently passed ? Whether you got the same questions from the dumps for the exam ?
upvoted 1 times
 
DevOpposite
4 days, 8 hours ago
just passed with 911 score with no previous IT experience. only 2 questions were outside of these listed questions. Many many thanks to
Examtopics. Don't go by answer listed on main page, review comments and resource links to verify and understand answers. Follow mlantonis and
fedztedz for correct answers. Good luck everyone.
upvoted 2 times
 
tbalaji2001
2 days, 22 hours ago
Congrats... contributor access required to pass the exam?
upvoted 1 times
 
Rodcr1
1 week ago
Question came in today's test 10/13/21
upvoted 1 times
 
Ask_anand
1 week, 4 days ago
Is the course good enough to pass the test?
upvoted 1 times
 
Dingaan
1 week, 6 days ago
came up in exam 08 October 2021 passes: 8XX
upvoted 1 times
 
Annjy
2 weeks, 2 days ago
Can anyone please help me understand How Contributor access work? Will I get access across all the exams or for any individual course exam
paper? Please respond.
upvoted 1 times
 
Eltooth
1 week, 5 days ago
Just for one exam.
upvoted 1 times
 
omaro
2 weeks, 5 days ago
Hi everyone, Today October 1st (2021) I passed the exam for AZ-104. Almost 90% of the questions were from examtopics.com. Thank you exam
topics. Please follow the answers of ZUMY, fedztedz and mlantonis and READ the discussions carefully. Good luck to all.
upvoted 2 times
 
azuin
2 weeks, 1 day ago
which one is ZUMY, fedztedz and mlantonis?
upvoted 1 times
 
Genshin
3 weeks, 1 day ago
Passed my exam today. got 900/1000
There were 2-3 new questions. Used this sites dump only. Follow mlantonis and fedz answers.
upvoted 4 times
 
Quantigo
3 weeks, 3 days ago
C
According to this article, tagging can be used for departmental Identification.
https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/track-costs
upvoted 2 times
 
Steve1983
Thats the signal part, missing the decision part. Its selecting the group in the user part and then choose to do "something", when its met, like
enforce MFA. The last part is missing. So NO is the answer.
upvoted 2 times
 
Vlako
Answer to wrong question.
upvoted 7 times
Question #2 Topic 1
Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result.
Establish if the solution satisfies the requirements.
Your company has an Azure Active Directory (Azure AD) subscription.
You want to implement an Azure AD conditional access policy.

The policy must be configured to require members of the Global Administrators group to use Multi-Factor Authentication and an Azure AD-joined
device when they connect to Azure AD from untrusted locations.
Solution: You access the multi-factor authentication page to alter the user settings.
Does the solution meet the goal?
A.
Yes
B.
No
Correct Answer:
B
 
rzv
Highly Voted 
1 month, 1 week ago
brooo we lost mlantonis and tedz
upvoted 18 times
 
omw2wealth
3 weeks, 1 day ago
i sit for the exam this saturday, and i really apreciate this dudes a lot!
upvoted 1 times
 
green_arrow
Highly Voted 
B is correct,
1- the best way to enforce MFA is by Conditional Access
2- the device has to be identified by azure AD as A AD joined Device.
3- the trusted ip must be configured.

upvoted 16 times
 
specialdil
Most Recent 
1 day, 20 hours ago
Guys, anyone recently passed ? Whether you got the same questions for the exam ?
upvoted 1 times
 
Omshanti
2 weeks, 3 days ago
Yesterday October 4th (2021) I passed the exam for AZ-104. Almost 95% of the questions were from examtopics.com. Thank you exam topics.
Please follow the answers of fedztedz and mlantonis. Exam includes case study as well, we can find case study at the end of the dumps.
upvoted 3 times
 
Divyanshaz
2 weeks ago
how many questions did you reffered for this dump?
upvoted 1 times
 
yogendracloudguy
2 weeks, 1 day ago
Hi Om, congrats on your certification!!!! i am about to sit for an exam could you please help me in confirming apart from the names you
mentioned above for reference can i rely on the admin answers? if the above two guys are not in the discussions for any questions? Thnk you.
upvoted 1 times
 
yogendracloudguy
2 weeks, 1 day ago
cz i am seeing minor contradictions with the admin answers. i am getting confused and worried what if i choose incorrect answers.
upvoted 2 times
 
Fonternez
2 weeks, 1 day ago
how do I find their answers? I'm new to the site. And should I study all 300 questions?
upvoted 1 times
 
villanz
2 weeks, 4 days ago
Going to attend exam's today 03/10/2021 half an hour to go
upvoted 1 times
 
villanz
2 weeks, 4 days ago
Passed on 03/10/2021 735 score I found 30% questions were new..!!
upvoted 1 times
 
sk1803
2 weeks, 3 days ago
did you purchase contributor access?
upvoted 1 times
 
villanz
2 weeks, 1 day ago
no bro..!! this is fine
upvoted 1 times
 
a4andrew
He might have said a greater percentage came from examtopics if he bought contributor access :-). 5% to spare is a kind of narrow
margin.
upvoted 1 times
 
YooOY
3 weeks, 5 days ago
Ans: No.
To achieve the goal, we need 2 policy:
Conditional Access: Require MFA for administrators
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa#create-a-conditional-
access-policy
A custom condition policy for joined device, existing common policy Conditional Access: Require compliant devices seems not working in this case
out of box.
upvoted 2 times
 
YooOY
3 weeks, 5 days ago
Hmmm, Instead of the MFA page mentioned above, you have to go the route of Conditional Access Policy-->Grant Control mentioned here for
this question. Under Grant Control you are given the option of setting MFA and requiring AD joined devices in the exact same window.
upvoted 1 times
 
Ben_CAP
1 month ago
Lools like Answer is no according to this link : https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa
I couldn't test in my free lab since I have no AZ AD.

upvoted 2 times
 
Micah7
2 months ago
The answer is B here and A on the other version of this question you will see later where it mentions under Grant Control. There is a MFA page in
Azure portal but you cant do the conditional MFA/device requirement from there......You must go the route of Conditional Access Policy--->Grant
Control
I did this in lab step by step. The settings for "MFA" and "joined devices" requirement is EXACTLY on the same subpage pop out when configuring
the Conditional Access policy. Here is the page with the walkthrough steps: https://portal.azure.com/?
quickstart=True#blade/Microsoft_AAD_IAM/PolicyBlade
upvoted 2 times
 
Micah7
2 months ago
The answer is A.
I did this in lab step by step. The settings for "MFA" and "joined devices" requirement is EXACTLY on the same subpage pop out when configuring
the policy. Here is the page with the walkthrough steps: https://portal.azure.com/?quickstart=True#blade/Microsoft_AAD_IAM/PolicyBlade
upvoted 1 times
 
Loi2525
3 months, 1 week ago
I believe it is B - NO:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa
upvoted 3 times
Question #3 Topic 1

Solution: You access the Azure portal to alter the session control of the Azure AD conditional access policy.
A.
Yes
B.
No
Correct Answer:
B
 
lyx
Highly Voted 
2 months ago
Ans: No.
You alter the grant control, not session control

upvoted 8 times
 
YooOY
3 weeks, 5 days ago
Under Access controls > Grant, select Grant access, Require multi-factor authentication, and select Select. https://docs.microsoft.com/en-
us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa
upvoted 2 times
 
epic13131
Highly Voted 
3 months ago
Was on my exam.
upvoted 5 times
 
powerpro
Most Recent 
3 months ago
No is correct bc Access Controls is how you get to mfa as stated in https://docs.microsoft.com/en-us/azure/active-directory/conditional-
access/howto-conditional-access-policy-all-users-mfa:
Under Access controls > Grant, select Grant access, Require multi-factor authentication, and select Select.
upvoted 4 times
 
BenStokes
Answer should be A
Ref # https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa
upvoted 3 times
 
BenStokes
Sorry its B - NO
We need to use Grant Control and NOT the Session Control

upvoted 9 times
Question #4 Topic 1

Solution: You access the Azure portal to alter the grant control of the Azure AD conditional access policy.
A.
Yes
B.
No
Correct Answer:
A
 
ppp131176
Highly Voted 
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant
upvoted 15 times
 
Prashant103
2 weeks, 5 days ago
Thanks for the information
upvoted 1 times
 
Loi2525
This link shows it all.
upvoted 1 times
 
Micah7
Highly Voted 
2 months ago
Answer is A. There is another copy of this question that mentions going to the MFA page in Azure Portal as the solution = incorrect. On that page
you cant make a Conditional Access Policy.
I did this in lab step by step:
- The Answer "A" is correct
- Instead of the MFA page mentioned above, you have to go the route of Conditional Access Policy-->Grant Control mentioned here for this
question. Under Grant Control you are given the option of setting MFA and requiring AD joined devices in the exact same window.
Answer is correct.
upvoted 8 times
 
Steve1983
Most Recent 
Thats not all you need to do. Missing the signal and decision part of the CA policy.
upvoted 2 times
Question #5 Topic 1
You are planning to deploy an Ubuntu Server virtual machine to your company‫ג‬€™s Azure subscription.
You are required to implement a custom deployment that includes adding a particular trusted root certification authority (CA).
Which of the following should you use to create the virtual machine?
A.
The New-AzureRmVm cmdlet.
B.
The New-AzVM cmdlet.
C.
The Create-AzVM cmdlet.
D.
The az vm create command.
Correct Answer:
C
Once Cloud-init.txt has been created, you can deploy the VM with az vm create cmdlet, using the --custom-data parameter to provide the full
path to the cloud- init.txt file.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/tutorial-automate-vm-deployment
 
theOldOne
Highly Voted 
2 weeks, 2 days ago
It specifically mentions clout-init.txt. This link
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/using-cloud-init

Seems to indicate that answer D is correct. Use Az VM create.

upvoted 5 times
 
jasontot
Most Recent 
2 days, 4 hours ago
It should be D
upvoted 1 times
 
Eltooth
5 days, 7 hours ago
D - correct answer
upvoted 2 times
 
PRM
Good if you have a place to fix the wrong question
upvoted 1 times
 
wolverinc
1 week, 1 day ago
why does the answer keeps showing C? its obvious from discussion/comments below its D.
upvoted 2 times
 
a4andrew
1 week, 5 days ago
D. There is no such cmdlet as Create-azVM (search for yourself). Not A or B only because though both are valid cmdlets (new-AzureRMvm is
legacy) there is no way to choose both options.
upvoted 1 times
 
Verdural
2 weeks, 3 days ago
Answer B could also be a good answer with some additional options.
https://docs.microsoft.com/en-us/powershell/module/az.compute/add-azvmsecret?view=azps-6.4.0
upvoted 1 times
 
JNeedsCerts
2 weeks, 5 days ago
The question is assuming that were are using PowerShell. So the answer is correct. But if we are in CLI then it would be D.
upvoted 2 times
 
angelocjs
3 weeks, 2 days ago
This should have been D.
upvoted 2 times
 
Renstar99
3 weeks, 2 days ago
Correct answer should be D. Link for help -->
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/quick-create-cli
upvoted 1 times
 
anoj_cha
3 weeks, 2 days ago
Right description but wrong answer? Should be "D: az vm ..." as per the link provided.
upvoted 1 times
 
brakonda
2 weeks, 5 days ago
admin given correct ans in description az vm create only
upvoted 1 times
 
serenity404
3 weeks, 2 days ago
The answer is "D. The az vm create command".
Using CLI, this allows you to create a VM and inject the certificate using the "--secrets" option.
The selected answer and description are wrong, but the and reference link is correct. In Powershell I think you would need to use "Add-
AzVMSecret" after "New-AzVM".
upvoted 2 times
 
ech
3 weeks, 2 days ago
Correct answer is D
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/tutorial-automate-vm-deployment
upvoted 1 times
 
js_indore
3 weeks, 2 days ago
D
Once Cloud-init.txt has been created, you can deploy the VM with az vm create cmdlet, sing the –custom-data parameter to provide the full path
to the cloud-init.txt file.
upvoted 1 times
 
rigonet
3 weeks, 2 days ago
ANSWER: D
Reference https://docs.microsoft.com/en-us/azure/virtual-machines/linux/tutorial-automate-vm-deployment
upvoted 1 times
 
zaaaaaak
3 weeks, 2 days ago
Wrong, Answer is D
upvoted 1 times
Question #6 Topic 1
Your company makes use of Multi-Factor Authentication for when users are not in the office. The Per Authentication option has been configured
as the usage model.
After the acquisition of a smaller business and the addition of the new staff to Azure Active Directory (Azure AD) obtains a different company and
adding the new employees to Azure Active Directory (Azure AD), you are informed that these employees should also make use of Multi-Factor
Authentication.
To achieve this, the Per Enabled User setting must be set for the usage model.
Solution: You reconfigure the existing usage model via the Azure portal.
A.
Yes
B.
No
Correct Answer:
B
Since it is not possible to change the usage model of an existing provider as it is right now, you have to create a new one and reactivate your
existing server with activation credentials from the new provider.
Reference:
https://365lab.net/2015/04/11/switch-usage-model-in-azure-multi-factor-authentication-server/
 
S_Steve
Highly Voted 
3 months ago
answer is correct
upvoted 8 times
 
pakman
3 weeks ago
No it is not.
"You cannot change the usage model (per enabled user or per authentication) after an MFA provider is created."
upvoted 1 times
 
pakman
Most Recent 
3 weeks, 2 days ago
You create a new Multi-Factor Authentication provider with a backup from the existing Multi-Factor Authentication provider data.
upvoted 2 times
 
Rahul72
The answer is correct
upvoted 1 times
Question #7 Topic 1
Your company‫ג‬€™s Azure solution makes use of Multi-Factor Authentication for when users are not in the office. The Per Authentication option
has been configured as the usage model.
Authentication.
Solution: You reconfigure the existing usage model via the Azure CLI.
A.
Yes
B.
No
Correct Answer:
B
Reference:
 
pakman
3 weeks, 2 days ago
You create a new Multi-Factor Authentication provider with a backup from the existing Multi-Factor Authentication provider data.
upvoted 1 times
 
rigonet
3 weeks, 2 days ago
ANSWER: B - No
You cannot change the usage model after creating the provider.
upvoted 3 times
 
Quantigo
3 weeks, 3 days ago
Answer B - No
can't find any references confirming the azure CLI method, the only CLI method found was for PowerShell.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted
upvoted 2 times
 
Mohtasham
correct
upvoted 3 times
Question #8 Topic 1
Your company‫ג‬€™s Azure solution makes use of Multi-Factor Authentication for when users are not in the office. The Per Authentication option
has been configured as the usage model.
Authentication.
Solution: You create a new Multi-Factor Authentication provider with a backup from the existing Multi-Factor Authentication provider data.
A.
Yes
B.
No
Correct Answer:
A
Reference:
 
ppp131176
Highly Voted 
Yes Is correct as explained with the given link: https://365lab.net/2015/04/11/switch-usage-model-in-azure-multi-factor-authentication-server/
upvoted 8 times
 
Snownoodles
Most Recent 
2 months ago
"You cannot change the usage model (per enabled user or per authentication) after an MFA provider is created."
Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-authprovider
upvoted 4 times
Question #9 Topic 1
Your company has an Azure Active Directory (Azure AD) tenant named weyland.com that is configured for hybrid coexistence with the on-premises
Active
Directory domain.
You have a server named DirSync1 that is configured as a DirSync server.
You create a new user account in the on-premise Active Directory. You now need to replicate the user information to Azure AD immediately.
Solution: You run the Start-ADSyncSyncCycle -PolicyType Initial PowerShell cmdlet.
A.
Yes
B.
No
Correct Answer:
A
Reference:
https://blog.kloud.com.au/2016/03/08/azure-ad-connect-manual-sync-cycle-with-powershell-start-adsyncsynccycle/
 
imartinez
Highly Voted 
Answer is B ( No )
Initial will perform a full sync and add the user account created but it will take time,
Delta, will kick off a delta sync and bring only the last change, so it will be "immediately" and will fulfill the requirements.
upvoted 12 times
 
maxmarco71
Highly Voted 
Answer is A YES
delta:synchronize changes since last full synchronization
Start-ADSyncSyncCycle -policy initial
PS C:\Users\Administrator> Start-ADSyncSyncCycle
Result
------
Success
https://geekdudes.wordpress.com/2018/06/05/office-365-configuring-ad-synchronization/
upvoted 8 times
 
SilverFox22
4 weeks ago
Yes, this technically works, but as per the question, you want the change to be immediate. If the Initial was run against a large directory, that
could take some time. Instead, run a Delta to just capture the change made and sync it immediately: Start-ADSyncSyncCycle -PolicyType Delta.
Thus answer is B, NO.
upvoted 9 times
 
Mikeyo
Most Recent 
1 week, 2 days ago
For Immediate sync use -> Start-ADSyncSyncCycle -PolicyType Delta.
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-scheduler
Full sync cycle
A full sync cycle includes the following steps:
Full Import on all Connectors
Full Sync on all Connectors
Export on all Connectors
It could be that you have an urgent change that must be synchronized immediately, which is why you need to manually run a cycle.
If you need to manually run a sync cycle, then from PowerShell run Start-ADSyncSyncCycle -PolicyType Delta.
To initiate a full sync cycle, run Start-ADSyncSyncCycle -PolicyType Initial from a PowerShell prompt.
Running a full sync cycle can be very time consuming, read the next section to read how to optimize this process.
upvoted 3 times
 
theOldOne
1 week, 5 days ago
When I read the question as "immediately" I think of it as not waiting for the automatic sync that would occur at a set interval and possibly delay
someone logging in. By running the command I am forcing an "immediate" sync of the info. Sometimes it is difficult to tell what they are looking
for as sometimes they want you to be as literal as possible and other times they expect you to understand what they are asking. In this case it does
meet the objective that we do not have to wait for the auto sync but running the delta option may have been faster. So strange a question.
upvoted 2 times
 
dupakonia
"You now need to replicate the user information to Azure AD immediately."
Based on the work "immediately" I would say the answer is NO.
If we want to make this happen asap then we should go for Delsa sync
upvoted 3 times
 
Vlako
Answer is still yes. Though only Delta is required - the initial sync still meets the Goal.
upvoted 2 times
 
BenStokes
Wrong answer. It is B.
Delta sync should be used since initial will do full sync.
To initiate a full sync cycle, run Start-ADSyncSyncCycle -PolicyType Initial from a PowerShell prompt.
Ref # https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-scheduler
upvoted 6 times
 
GabeCanada
"Initial" will force a full Sync while "Delta" just the changes since last sync. With the wording "Immediately" delta would be the correct option as the
full sync depending on directory size could take hours... and the delta sync default is every hour. I still count as correct but this is a badly
formulated question.
upvoted 3 times
 
spektrum1988
Why would you do an initial sync if it's already set up? A Delta sync is enough.
upvoted 3 times
Question #10 Topic 1
Active
Directory domain.
Solution: You use Active Directory Sites and Services to force replication of the Global Catalog on a domain controller.
A.
Yes
B.
No
Correct Answer:
B
 
j5y
Highly Voted 
Ans: NO
On a server with Azure AD Connect installed, navigate to the Start menu and select AD Connect, then Synchronization Service.
1. Go to CONNECTORS tab.
2. Select RUN on the ACTIONS pane.

upvoted 20 times
 
SilverFox22
4 weeks ago
Or, you could run
Start-ADSyncSyncCycle -PolicyType Delta

upvoted 7 times
 
Marietto76
Most Recent 
1 day, 17 hours ago
very thanks j5y for explanation
upvoted 1 times
 
Adebowale
2 months ago
Hello j5y, Thanks for the explanation
upvoted 2 times
 
green_arrow
Definitely nooo. B is the correct Answer
upvoted 3 times
Active
Directory domain.
Solution: You restart the NetLogon service on a domain controller.
A.
Yes
B.
No
Correct Answer:
B
 
Steve1983
Highly Voted 
NO
Please dont restart 'Netlogon' ever, in test or production... Rather reboot the whole DC, wich wont help for starting a sync i guess. If it does, its
kinda a retarted way to force a sync to start.
upvoted 8 times
 
green_arrow
Most Recent 
B is the correct Answ
upvoted 3 times
Your company has a Microsoft Azure subscription.
The company has datacenters in Los Angeles and New York.
You are configuring the two datacenters as geo-clustered sites for site resiliency.
You need to recommend an Azure storage redundancy option.
You have the following data storage requirements:
✑ Data must be stored on multiple nodes.
✑ Data must be stored on nodes in separate geographic locations.
✑ Data can be read from the secondary location as well as from the primary location.
Which of the following Azure stored redundancy options should you recommend?
A.
Geo-redundant storage
B.
Read-only geo-redundant storage
C.
Zone-redundant storage
D.
Locally redundant storage
Correct Answer:
B
RA-GRS allows you to have higher read availability for your storage account by providing ‫ג‬€read only‫ג‬€ access to the data replicated to the
secondary location. Once you enable this feature, the secondary location may be used to achieve higher availability in the event the data is not
available in the primary region. This is an
‫ג‬€opt-in‫ג‬€ feature which requires the storage account be geo-replicated.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy
 
Steve1983
Highly Voted 
B
(A: "data will be available to be read-only if Microsoft initiates a failure", so its not RO if its not failed-over)
Geo-redundant storage (GRS)

As I explained above it helps us in replicating our data to another region which is far away hundreds of miles away from the primary region. It
provides at least 99.99999999999999% (16 9's) durability of objects over a given year. GRS replicates our data to another region, but data will be
available to be read-only if Microsoft initiates a failure from primary to the secondary region.

Read-access geo-redundant storage (RA-GRS)
It is based on the GRS, but it also provides an option to read from the secondary region, regardless of whether Microsoft initiates a failover from
the primary to the secondary region.
upvoted 18 times
 
thesagarlee
1 week, 6 days ago
Supporting article - https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy#read-access-to-data-in-the-secondary-
region
upvoted 1 times
 
Saravana12g
Highly Voted 
1 month, 1 week ago
Answer B.
Read-access geo-redundant storage (RA-GRS)
It is based on the GRS, but it also provides an option to read from the secondary region, regardless of whether Microsoft initiates a failover from
the primary to the secondary region.
upvoted 6 times
 
Rodcr1
Most Recent 
1 week ago
upvoted 2 times
 
ghfalcon7
1 week ago
There is no storage option called read only geo redundant storage, answer should be A, you just enable the Read-access geo-redundant storage
(RA-GRS) after you select the GRS option.
upvoted 1 times
 
pkazemei
This is a trick question.
I thought A, but then the question says at the end "Data can be read from the secondary location as well as from the primary location".
This means the answer is B, because only RA-GRS can do this.

upvoted 4 times
 
maxmarco71
Answer is C
Zone-redundant storage (ZRS) copies your data synchronously across three Azure availability zones in the primary region. For applications
requiring high availability, Microsoft recommends using ZRS in the primary region, and also replicating to a secondary region.
With ZRS, your data is still accessible for both read and write operations even if a zone becomes unavailable
upvoted 2 times
 
chaudha4
Wrong Answer. availability zones will not provide geo redundancy. You need RA-GRS.
upvoted 3 times
 
WillHayes
With GRS or GZRS, the data in the secondary region isn't available for read or write access unless there is a failover to the secondary region. For
read access to the secondary region, configure your storage account to use read-access geo-redundant storage (RA-GRS) or read-access geo-
zone-redundant storage (RA-GZRS). For more information, see Read access to data in the secondary region.
upvoted 2 times
 
jackr76
A?
Data must be stored on multiple nodes.
Data must be stored on nodes in separate geographic locations.

upvoted 1 times
 
TTTTT88888
Its B because only RA-GRS allow read-only even when Primary is alive
upvoted 2 times
 
neemz
I think A too. Questions says "Data can be read" it does not say not indicated it must only be read
upvoted 1 times
 
jecawi9630
The question does not mention data should be read-only from the secondary location. Just says you should be able to read from either location. A
can also be the answer.
upvoted 1 times
 
pkazemei
The question does mention read-only.
Data can be read from the secondary location as well as from the primary location
Answer: B
upvoted 1 times
 
rawrkadia
You don't have any access to the redundant data live/without failover in GRS.
People need to stop just guessing. Either look it up or lab it.

upvoted 6 times
Your company has an azure subscription that includes a storage account, a resource group, a blob container and a file share.
A colleague named Jon Ross makes use of a solitary Azure Resource Manager (ARM) template to deploy a virtual machine and an additional
Azure Storage account.
You want to review the ARM template that was used by Jon Ross.
Solution: You access the Virtual Machine blade.

A.
Yes
B.
No
Correct Answer:
B
You should use the Resource Group blade
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-export-template
 
d0bermannn
Highly Voted 
it is so easy =B. No ))
upvoted 7 times
 
thesagarlee
Most Recent 
1 week, 6 days ago
here are two ways to export a template:
Export from resource group or resource: This option generates a new template from existing resources. The exported template is a "snapshot" of
the current state of the resource group. You can export an entire resource group or specific resources within that resource group.
Save from history: This option retrieves an exact copy of a template used for deployment. You specify the deployment from the deployment history.

https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/export-template-portal#choose-the-right-export-option
upvoted 2 times
 
Snownoodles
2 months ago
There is also an "export template" link on VM blade, why cannot we use it?
So the answer should be "Yes"

upvoted 2 times
 
khengoolman
1 month, 1 week ago
Because you want to review the template that Jon used, not export the current configuration of the VM, which will not include the template for
the storage, for example, additionally, the VM may have been changed, we don't know.
upvoted 7 times
 
d0bermannn
rg blade, as for one hundred q ago
upvoted 3 times
Solution: You access the Resource Group blade.
A.
Yes
B.
No
Correct Answer:
A
To view a template from deployment history:
1. Go to the resource group for your new resource group. Notice that the portal shows the result of the last deployment. Select this link.
2. You see a history of deployments for the group. In your case, the portal probably lists only one deployment. Select this deployment.
3. The portal displays a summary of the deployment. The summary includes the status of the deployment and its operations and the values that
you provided for parameters. To see the template that you used for the deployment, select View template.
Reference:
 
green_arrow
Highly Voted 
A is correct
upvoted 13 times
 
Omar_Aladdin
Most Recent 
3 weeks, 1 day ago
A is correct:
from Resource Group choose ----> Deployments blade

upvoted 2 times
Solution: You access the Container blade.
A.
Yes
B.
No
Correct Answer:
B
You should use the Resource Group blade
Reference:
 
d0bermannn
Highly Voted 
B. No, as all of us know)
upvoted 5 times
Your company has three virtual machines (VMs) that are included in an availability set.
You try to resize one of the VMs, which returns an allocation failure message.
It is imperative that the VM is resized.
Which of the following actions should you take?
A.
You should only stop one of the VMs.
B.
You should stop two of the VMs.
C.
You should stop all three VMs.
D.
You should remove the necessary VM from the availability set.
Correct Answer:
C
If the VM you wish to resize is part of an availability set, then you must stop all VMs in the availability set before changing the size of any VM in
the availability set.
The reason all VMs in the availability set must be stopped before performing the resize operation to a size that requires different hardware is
that all running VMs in the availability set must be using the same physical hardware cluster. Therefore, if a change of physical hardware cluster
is required to change the VM size then all VMs must be first stopped and then restarted one-by-one to a different physical hardware clusters.
Reference:
https://azure.microsoft.com/es-es/blog/resize-virtual-machines/
 
CLagnuts
Highly Voted 
C. Looks Correct
Stop all the VMs in the availability set. Click Resource groups > your resource group > Resources > your availability set > Virtual Machines > your
virtual machine > Stop.
After all the VMs stop, resize the desired VM to a larger size.
Select the resized VM and click Start, and then start each of the stopped VMs.
upvoted 14 times
 
Rodcr1
Most Recent 
1 week ago
upvoted 2 times
 
MrJR
3 weeks, 6 days ago
This question is deprecated. I tested and I was able to change the size of a VM, which is in an availability set with two other VMs, without stopping
any other VM. With the three VMs up you can resize any of them.
upvoted 4 times
 
SulSulEi
2 months ago
Answer is correct based on,
https://www.examtopics.com/discussions/microsoft/view/20714-exam-az-103-topic-3-question-11-discussion/
upvoted 1 times
 
Bloodwar
Correct, C, you need stop all VMs to change the size in your availability set.
upvoted 1 times
 
marcusaurelius124
I believe the answer, C, is correct.
"When you try to start a stopped Azure Virtual Machine (VM), or resize an existing Azure VM, the common error you encounter is an allocation
failure."
"After all the VMs stop, resize the desired VM to a larger size."
Source:
https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/restart-resize-error-troubleshooting
upvoted 3 times
 
YooOY
3 weeks, 5 days ago
Cause
The request to resize the VM has to be attempted at the original cluster that hosts the cloud service. However, the cluster does not support the
requested VM size.
upvoted 1 times
 
korben_dallas
I believe the answer is A under the assumption that the size check was already performed on the VM
If the new size for a VM in an availability set is not available on the hardware cluster currently hosting the VM, then all VMs in the availability set
will need to be deallocated to resize the VM.
You can check which sizes are available on the hardware cluster where the VM is hosted prior to resizing. If the desired size is listed , then you don't
have to deallocate all three.
If the size you want is not listed, you have to deallocate all VMs in the availability set, resize VMs, and restart them.
upvoted 2 times
 
Veerabhadra_reddy
I think the options should be rephrased, and you are correct, as per the MS DOCs -> If the new size for a VM in an availability set is not available
on the hardware cluster currently hosting the VM, then all VMs in the availability set will need to be deallocated to resize the VM. You also
might need to update the size of other VMs in the availability set after one VM has been resized
upvoted 1 times
 
jellybiscuit
1 month, 2 weeks ago
Perhaps it depends on the age of the question.
Currently, M$ is currently encouraging people to initiate a resize without first deallocating.
- if a resize is not possible in this way, the requested size isn't available in the current cluster
- if the size isn't available in the current cluster, all the servers in the AS will need to be deallocated.
upvoted 2 times
You have an Azure virtual machine (VM) that has a single data disk. You have been tasked with attaching this data disk to another Azure VM.
You need to make sure that your strategy allows for the virtual machines to be offline for the least amount of time possible.
Which of the following is the action you should take FIRST?
A.
Stop the VM that includes the data disk.
B.
Stop the VM that the data disk must be attached to.
C.
Detach the data disk.
D.
Delete the VM that includes the data disk.
Correct Answer:
A
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/detach-disk https://docs.microsoft.com/en-us/azure/lab-services/devtest-
lab-attach-detach-data-disk
 
jecawi9630
Highly Voted 
Wrong. You can simply detach a data disk from one VM and attach it to the other VM without stopping either of the VMs.
upvoted 34 times
 
imartinez
Right. the correct answer is C: detach the disk is the first action.

And Also:
You can only attach a data disk to a VM that is running-
https://docs.microsoft.com/en-us/azure/devtest-labs/devtest-lab-attach-detach-data-disk
upvoted 3 times
 
FrostyD
Correct, tested in lab
upvoted 1 times
 
jjnelo
Correct. Just tested in lab.
upvoted 1 times
 
EKTan
Correct. Just tested in lab. Didn't have to stop the VM the detach and attach to the other.
upvoted 5 times
 
Eltooth
Most Recent 
5 days, 7 hours ago
C - correct answer.
upvoted 1 times
 
SM22
1 week, 5 days ago
option c is the right answer i feel
upvoted 1 times
 
luxaflow
2 weeks, 6 days ago
Answer is C:
You can hot remove a data disk using PowerShell, but make sure nothing is actively using the disk before detaching it from the VM.
See: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/detach-disk
upvoted 1 times
 
theOldOne
3 weeks, 2 days ago
Seems like there is some confusion on what "a single data disk" is in this question. As an engineer I read that to mean the VM only has one disk as I
consider the OS to also be data. In this case I see it as a single data disk that is being used by the operating system, thus the reference to it being
offline for as short a time as possible. I can also see valid reason for someone to interpret it as it representing a disk that contains only data, which
would be an entirely different answer. For questions like this how do we know what they are looking for on the test?
upvoted 2 times
 
KFM2020
2 weeks, 4 days ago
Microsoft make a distinction between an OS disk and a data disk throughout their documentation and the portal. You will see this when you a
view the disks blade for a VM. The top will show the attached OS disk and the bottom will show the data disks attached (if any).
The offline reference is simply a trick or to see if you understand that you don't have to stop (offline) the VM first.
Therefore, the answer to this question is C.

upvoted 5 times
 
theOldOne
2 weeks, 2 days ago
Thanks for your folowup/input on this.
upvoted 1 times
 
GuyForget
1 month ago
It specifically says the VM should be offline for the least amount of time as possible. You can detach a data disk from a running VM, so the answer
should be C. I understand that best practices say that you should make sure nothing is running on the data disk, but the question specifically states
that the VM should be offline for as little time as possible. In a scenario like this, I'd say best practice would be to make sure nothing is running
from within the guest OS, then detaching the data disk while the VM continues to run.
upvoted 1 times
 
silver_bullet666
1 month ago
Just throwing this out there, you should offline the disk in windows before detaching it.
upvoted 1 times
 
asmi3342344
1 month ago
you 1st need to stop the VM, you can detach the disk which is connected to the running VM. 1st stop the VM and then detach. The question says
what you will do 1st. so 1st you need to stop the VM.
upvoted 2 times
 
fellware
1 month, 1 week ago
It should be answer C: Detach the Datadisk
Lines from docs:
Powershell: You can hot remove a data disk using PowerShell, but make sure nothing is actively using the disk before detaching it from the VM.
Portal : You can hot remove a data disk, but make sure nothing is actively using the disk before detaching it from the VM.
upvoted 3 times
 
Micah7
2 months ago
Correct answer is C based on the included articles and excerpts here:
* You can hot remove a data disk using PowerShell, but make sure nothing is actively using the disk before detaching it from the VM.
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/detach-disk
• You can only attach a data disk to a VM that is running. Make sure the VM is running before you try to attach a data disk.
From <https://docs.microsoft.com/en-us/azure/devtest-labs/devtest-lab-attach-detach-data-disk>
upvoted 2 times
 
Bloodwar
Correct answer is C, easy...
upvoted 1 times
 
annageor
A. Though you can hot detach, the VM has single hard disk, so it must be turned off so it is not actively using the disk
upvoted 2 times
 
Kopy
2 months ago
Because also it says "virtual machines to be offline for the least amount of time possible"!
upvoted 1 times
 
johanc68
3 months ago
It's a data disk, not the OS disk, that must be moved so it's safe to remove it from the VM.
upvoted 2 times
 
CloudyTech
A is correct
upvoted 4 times
 
neemz
I agree, It cannot be A because you can hot detach a data-disk. It cannot be B either because the VM must be running for you to attach a data disk.
so would be C
upvoted 2 times
 
rawrkadia
You're wrong:
You can hot remove a data disk, but make sure nothing is actively using the disk before detaching it from the VM.
upvoted 3 times
 
marcusaurelius124
Per YOUR article: "You CAN hot remove a data disk using PowerShell, but make sure nothing is actively using the disk before detaching it
from the VM."
upvoted 1 times
 
Mbom
Why not answer C ?
upvoted 1 times
 
ppp131176
I would say C is correct
You can hot remove a data disk
upvoted 4 times
 
Aresbuddy
2 weeks, 6 days ago
C is correct. The confusion is between OS Disk and Data Disk. The question is about the single data disk, which should be able to hot detach as
long as nothing is using it actively.
upvoted 2 times
 
Pascal1
I think A is correct. from that website they say:
"You can hot remove a data disk using PowerShell, but make sure nothing is actively using the disk before detaching it from the VM."
So the VM has to be stopped to make sure the disk is not in use

upvoted 1 times
Your company has an Azure subscription.
You need to deploy a number of Azure virtual machines (VMs) using Azure Resource Manager (ARM) templates. You have been informed that the
VMs will be included in a single availability set.
You are required to make sure that the ARM template you configure allows for as many VMs as possible to remain accessible in the event of fabric
failure or maintenance.
Which of the following is the value that you should configure for the platformFaultDomainCount property?
A.
10
B.
30
C.
Min Value
D.
Max Value
Correct Answer:
D
The number of fault domains for managed availability sets varies by region - either two or three per region.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/manage-availability
 
Kopy
2 months ago
https://docs.microsoft.com/en-us/azure/virtual-machines/availability-set-
overview#:~:text=Each%20availability%20set%20can%20be,domains%20and%20twenty%20update%20domains.
3 fault domains and 20 update domains.

upvoted 2 times
 
Kopy
2 months ago
So MaX
upvoted 1 times
 
Kopy
2 months ago
"up to three fault domains for Resource Manager deployments (two fault domains for Classic)."
The questions states "You plan to use Azure Resource Manager templates " Therefore if 3 fault domains are available in your region the
answer should be 3.
"“The number of fault domains for managed availability sets varies by region - either two or three per region"
upvoted 1 times
 
chaudha4
The question does not say that the max and min values are defined anywhere. Is this question missing some additional information regarding the
ARM templates ? Based on the information provided, none of the options are correct.
upvoted 2 times
 
ppp131176
D is correct. 2 or 3 is max for a region so answer should be Max.
https://stackoverflow.com/questions/49779604/how-to-find-maximum-update-domains-fault-domains-available-in-an-azure-region
upvoted 3 times
 
Kopy
2 months ago
Wrong. The link highlights Update Domain not fault domain.
upvoted 1 times
 
Rohithalkt
Correct.
Should be D
upvoted 3 times
Your company has an Azure subscription.
You need to deploy a number of Azure virtual machines (VMs) using Azure Resource Manager (ARM) templates. You have been informed that the
VMs will be included in a single availability set.
You are required to make sure that the ARM template you configure allows for as many VMs as possible to remain accessible in the event of fabric
failure or maintenance.
Which of the following is the value that you should configure for the platformUpdateDomainCount property?
A.
10
B.
20
C.
30
D.
40
Correct Answer:
D
Each virtual machine in your availability set is assigned an update domain and a fault domain by the underlying Azure platform. For a given
availability set, five non-user-configurable update domains are assigned by default (Resource Manager deployments can then be increased to
provide up to 20 update domains) to indicate groups of virtual machines and underlying physical hardware that can be rebooted at the same
time.
Reference:
 
tubby04
Highly Voted 
3 weeks, 1 day ago
Correct answer is B. 20
'Each virtual machine in your availability set is assigned an update domain and a fault domain by the underlying Azure platform. Each availability
set can be configured with up to three fault domains and twenty update domains.'
https://docs.microsoft.com/en-us/azure/virtual-machines/availability-set-overview
upvoted 12 times
 
Eltooth
Most Recent 
5 days, 7 hours ago
B - correct answer
upvoted 1 times
 
Chi1987
3 weeks, 2 days ago
Am I missing something? why not 20 ?
upvoted 2 times
 
pakman
3 weeks, 2 days ago
Incorrect.
The correct answer here is B (20)

upvoted 2 times
 
Omar_Aladdin
3 weeks, 1 day ago
Yeah 20 Update Domain is the maximum value provided by Azure for a single availability-set
upvoted 1 times
 
serenity404
3 weeks, 2 days ago
The answer is "B. 20", as this is the maximum Update domains.
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes
upvoted 2 times
 
zaaaaaak
3 weeks, 2 days ago
Wrong, Answer is B - 20
upvoted 2 times
 
Littlenoob
3 weeks, 2 days ago
why not 20?
upvoted 1 times
DRAG DROP -
You have downloaded an Azure Resource Manager (ARM) template to deploy numerous virtual machines (VMs). The ARM template is based on a
current VM, but must be adapted to reference an administrative password.
You need to make sure that the password cannot be stored in plain text.
You are preparing to create the necessary components to achieve your goal.
Which of the following should you create to achieve your goal? Answer by dragging the correct option from the list to the answer area.
Select and Place:
Correct Answer:

You can use a template that allows you to deploy a simple Windows VM by retrieving the password that is stored in a Key Vault. Therefore, the
password is never put in plain text in the template parameter file.
 
pakman
Highly Voted 
3 weeks, 2 days ago
Key vault + access policy
upvoted 5 times
 
kaloszertest
Most Recent 
1 day, 20 hours ago
Just key vault:
https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy
Access policy does not support Key Vaults

upvoted 1 times
 
ohana
4 days, 6 hours ago
Took the exam today, 17 Oct. This question came out: Key vault + access policy
upvoted 2 times
 
pakman
3 weeks, 2 days ago
You'd use a Key Vault to avoid plain text passwords
upvoted 3 times
 
ech
3 weeks, 2 days ago
Answer is correct
upvoted 3 times
Your company has an Azure Active Directory (Azure AD) tenant that is configured for hybrid coexistence with the on-premises Active Directory
domain.
The on-premise virtual environment consists of virtual machines (VMs) running on Windows Server 2012 R2 Hyper-V host servers.
You have created some PowerShell scripts to automate the configuration of newly created VMs. You plan to create several new VMs.
You need a solution that ensures the scripts are run on the new VMs.
Which of the following is the best solution?
A.
Configure a SetupComplete.cmd batch file in the %windir%\setup\scripts directory.
B.
Configure a Group Policy Object (GPO) to run the scripts as logon scripts.
C.
Configure a Group Policy Object (GPO) to run the scripts as startup scripts.
D.
Place the scripts in a new virtual hard disk (VHD).
Correct Answer:
A
After you deploy a Virtual Machine you typically need to make some changes before it‫ג‬€™s ready to use. This is something you can do manually
or you could use
Remote PowerShell to automate the configuration of your VM after deployment for example.
But now there‫ג‬€™s a third alternative available allowing you customize your VM: the CustomScriptextension.
This CustomScript extension is executed by the VM Agent and it‫ג‬€™s very straightforward: you specify which files it needs to download from
your storage account and which file it needs to execute. You can even specify arguments that need to be passed to the script. The only
requirement is that you execute a .ps1 file.
Reference:
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/add-a-custom-script-to-windows-setup
https://azure.microsoft.com/en-us/blog/automating-vm-customization-tasks-using-custom-script-extension/
 
j5y
Highly Voted 
Ans: A
After Windows is installed but before the logon screen appears, Windows Setup searches for the SetupComplete.cmd file in the
%WINDIR%\Setup\Scripts\ directory
upvoted 13 times
 
NZure
Highly Voted 
2 weeks, 4 days ago
Is this really on the AZ-104? It has nothing to do with Azure.
upvoted 7 times
 
Chi1987
1 week, 3 days ago
Dude you might get a question about how you prepare omelette using VMs and LB and still you have to answer it if u want to be MS expert
upvoted 18 times
 
1Deen
1 week, 1 day ago
brilliant answer
upvoted 2 times
 
Adebowale
Most Recent 
2 months ago
Thank you for the confirmation
upvoted 4 times
 
ppp131176
A is correct
upvoted 4 times
Your company has an Azure Active Directory (Azure AD) tenant that is configured for hybrid coexistence with the on-premises Active Directory
domain.
You plan to deploy several new virtual machines (VMs) in Azure. The VMs will have the same operating system and custom software
requirements.
You configure a reference VM in the on-premise virtual environment. You then generalize the VM to create an image.
You need to upload the image to Azure to ensure that it is available for selection when you create the new Azure VMs.
Which PowerShell cmdlets should you use?
A.
Add-AzVM
B.
Add-AzVhd
C.
Add-AzImage
D.
Add-AzImageDataDisk
Correct Answer:
B
The Add-AzVhd cmdlet uploads on-premises virtual hard disks, in .vhd file format, to a blob storage account as fixed virtual hard disks.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/upload-generalized-managed
 
Chi1987
Highly Voted 
3 weeks, 2 days ago
Correct answer.
Example for how you do this:
Add-AzVhd -ResourceGroupName $resourceGroup -Destination $urlOfUploadedImageVhd `
-LocalFilePath $localPath
upvoted 6 times
 
PRM
Most Recent 
why isn't the letter C?
upvoted 1 times
 
JohnPhan
1 week, 2 days ago
Answer: B
Add-AzVhd -ResourceGroupName $resourceGroup -Destination $urlOfUploadedImageVhd `
-LocalFilePath $localPath
https://docs.microsoft.com/en-us/previous-versions/azure/virtual-machines/scripts/virtual-machines-windows-powershell-upload-generalized-
script
upvoted 2 times
 
y_dev
1 week, 6 days ago
example command :
Add-AzVhd -Destination "http://contosoaccount.blob.core.windows.net/vhdstore/win7baseimage.vhd?st=2013-01
-09T22%3A15%3A49Z&se=2013-01-09T23%3A10%3A49Z&sr=b&sp=w&sig=13T9Ow%2FRJAMmhfO%2FaP3HhKKJ6AY093SmveO
SIV4%2FR7w%3D" -LocalFilePath "C:\vhd\win7baseimage.vhd"
https://docs.microsoft.com/en-us/powershell/module/az.compute/add-azvhd?view=azps-6.4.0
upvoted 2 times
 
sk1803
3 weeks ago
Answer: B
I would like to answer New-AzImage, but that is not an option.
In order to create the image, I do have to have my VHD uploaded to azure though. I would use Add-AzVhd for that.
https://docs.microsoft.com/en-us/powershell/module/az.compute/new-azimage
https://docs.microsoft.com/en-us/powershell/module/az.compute/add-azvhd
upvoted 4 times
 
Rocky007
3 weeks, 2 days ago
B is the correct answer
upvoted 1 times
 
serenity404
3 weeks, 2 days ago
Answer B is correct, but reference link has no mention of this command.
Look here instead: https://docs.microsoft.com/en-us/powershell/module/az.compute/add-azvhd?view=azps-6.4.0

upvoted 3 times
 
ech
3 weeks, 2 days ago
Answer is correct.
upvoted 1 times
DRAG DROP -
Your company has an Azure subscription that includes a number of Azure virtual machines (VMs), which are all part of the same virtual network.
Your company also has an on-premises Hyper-V server that hosts a VM, named VM1, which must be replicated to Azure.
Which of the following objects that must be created to achieve this goal? Answer by dragging the correct option from the list to the answer area.
Select and Place:
Correct Answer:

 
weqr23wrefs
Highly Voted 
3 weeks, 1 day ago
For physical servers
- Storage Account
- Azure Recovery Services Vault
- Replication policy
https://docs.microsoft.com/en-us/azure/site-recovery/physical-azure-disaster-recovery
For Hyper-v server
- Hyper-V site
https://docs.microsoft.com/en-nz/azure/site-recovery/hyper-v-prepare-on-premises-tutorial
upvoted 6 times
 
Omar_Aladdin
3 weeks, 1 day ago
When you create a Recovery Services Vault, a storage account is created automatically. So I think storage account is a trick, you don't need it
upvoted 2 times
 
NarenderSingh
Most Recent 
2 weeks, 5 days ago
1. Hyper-V site
2. Azure Recovery Services Vault
3. Replication policy
https://docs.microsoft.com/nl-nl/azure/site-recovery/hyper-v-azure-tutorial
upvoted 4 times
 
sk1803
3 weeks ago
A,B,D is correct since storage account is already present "Azure File share named share1."
upvoted 1 times
 
sk1803
3 weeks ago
sorry wrong question. Admin please delete this.
upvoted 1 times
 
theOldOne
2 weeks, 2 days ago
It is the same question. Its just put into a different format on this exam.
upvoted 1 times
 
pakman
3 weeks, 2 days ago
I'm not sure whether we're select multiple options here or just one; but in this case we'd need the following 3: Hyper-V site, A recovery service vault
and a replication policy.
upvoted 2 times
 
rigonet
3 weeks, 2 days ago
ANSWER:
- Storage Account
Reference:
https://docs.microsoft.com/en-us/azure/site-recovery/physical-azure-disaster-recovery
upvoted 2 times
 
Quantigo
3 weeks, 2 days ago
1. Hyper-V site
2. Azure Recovery Services Vault
3. Replication policy
https://docs.microsoft.com/nl-nl/azure/site-recovery/hyper-v-azure-tutorial
upvoted 2 times
 
Quantigo
3 weeks, 2 days ago
upvoted 1 times
 
ech
3 weeks, 2 days ago
correct
https://docs.microsoft.com/en-us/azure/site-recovery/hyper-v-azure-tutorial
upvoted 1 times
Your company‫ג‬€™s Azure subscription includes two Azure networks named VirtualNetworkA and VirtualNetworkB.
VirtualNetworkA includes a VPN gateway that is configured to make use of static routing. Also, a site-to-site VPN connection exists between your
company‫ג‬€™s on- premises network and VirtualNetworkA.
You have configured a point-to-site VPN connection to VirtualNetworkA from a workstation running Windows 10. After configuring virtual network
peering between
VirtualNetworkA and VirtualNetworkB, you confirm that you are able to access VirtualNetworkB from the company‫ג‬€™s on-premises network.
However, you find that you cannot establish a connection to VirtualNetworkB from the Windows 10 workstation.
You have to make sure that a connection to VirtualNetworkB can be established from the Windows 10 workstation.
Solution: You choose the Allow gateway transit setting on VirtualNetworkA.
A.
Yes
B.
No
Correct Answer:
B
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing
 
d0bermannn
Highly Voted 
After reconfiguring \ creating peering existing point-to-site VPN connections need to be recreated
upvoted 12 times
 
Quantigo
Highly Voted 
3 weeks, 3 days ago
Answer B - No
If you make a change to the topology of your network and have Windows VPN clients, the VPN client package for Windows clients must be
downloaded and installed again in order for the changes to be applied to the client.
Thanks for indicating Yes or NO!

upvoted 5 times
 
orion1024
Most Recent 
4 weeks, 1 day ago
After changing topology the azure vpn client must be reinstalled to include the new topology information.
upvoted 1 times
 
mdmdmdmd
1 month ago
If you **make a change to the topology** of your network and have **Windows VPN clients**, the VPN client package for Windows clients must be
**downloaded and installed again**"
upvoted 3 times
peering between
Solution: You choose the Allow gateway transit setting on VirtualNetworkB.
A.
Yes
B.
No
Correct Answer:
B
Reference:
 
Quantigo
3 weeks, 3 days ago
Answer B - No
upvoted 2 times
 
hoangton
2 months ago
NO
You download and re-install the VPN client configuration package on the Windows 10 workstation.
upvoted 3 times
 
d0bermannn
recreate point-to-site VPN
upvoted 3 times
peering between
Solution: You download and re-install the VPN client configuration package on the Windows 10 workstation.
A.
Yes
B.
No
Correct Answer:
A
Reference:
 
Quantigo
Highly Voted 
3 weeks, 3 days ago
Answer A - Yes
upvoted 6 times
 
mdmdmdmd
Highly Voted 
1 month ago
If you **make a change to the topology** of your network and have **Windows VPN clients**, the VPN client package for Windows clients must be
**downloaded and installed again**"
upvoted 5 times
 
JohnPhan
Most Recent 
1 week ago
Yes
upvoted 1 times
 
SilverFox22
4 weeks ago
Answer is correct. "Clients using Windows can access directly peered VNets, but the VPN client must be downloaded again if any changes are made
to VNet peering or the network topology."
upvoted 4 times
 
GodfreyMbizo
1 month ago
correct
upvoted 1 times
 
manojb_72
1 month, 1 week ago
Correct
upvoted 1 times
 
Kopy
2 months ago
You can configure your virtual network to use both Site-to-Site and Point-to-Site concurrently, as long as you create your Site-to-Site connection
using a route-based VPN type for your gateway. Route-based VPN types are called dynamic gateways in the classic deployment model.
upvoted 2 times
 
Rex2021
Correct
upvoted 1 times
 
Regg
incorrect - point-to-site isn't supported for static (policy-based) VPN connections
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#can-i-have-site-to-site-and-point-to-site-configurations-coexist-for-
the-same-virtual-network
upvoted 5 times
 
orion1024
4 weeks, 1 day ago
This is not relevant to this question I believe.
upvoted 1 times
 
Kopy
2 months ago
right, but where did they mentioned anything about the routing type in the question?
upvoted 1 times
 
d0bermannn
correct
upvoted 2 times
Your company has virtual machines (VMs) hosted in Microsoft Azure. The VMs are located in a single Azure virtual network named VNet1.
The company has users that work remotely. The remote workers require access to the VMs on VNet1.
You need to provide access for the remote workers.
What should you do?
A.
Configure a Site-to-Site (S2S) VPN.
B.
Configure a VNet-toVNet VPN.
C.
Configure a Point-to-Site (P2S) VPN.
D.
Configure DirectAccess on a Windows Server 2012 server VM.
E.
Configure a Multi-Site VPN
Correct Answer:
C
A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways
 
StudyNerd123
Highly Voted 
1 month ago
Answer C: is correct - https://docs.microsoft.com/en-us/azure/vpn-gateway/work-remotely-support
upvoted 8 times
 
JohnPhan
Most Recent 
1 week ago
Answer C
A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. A
P2S connection is established by starting it from the client computer. This solution is useful for telecommuters who want to connect to Azure VNets
from a remote location, such as from home or a conference. P2S VPN is also a useful solution to use instead of S2S VPN when you have only a few
clients that need to connect to a VNet
https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about
upvoted 3 times
 
lglars
Correct, S2S would be better if you know that the remote workers work from one location, but we don't know that. They could be working from
different locations(like home) that's why P2S is better.
upvoted 3 times
 
Ateeyah
i guess the S2S is better in this case , because maybe there are many users works remotly at the same time
who confirm ????
if not , please till us why ?

upvoted 1 times
 
Ateeyah
ignore my answer above
because I'm not sure

upvoted 1 times
 
MrJR
A S2S VPN also would work but they say that "the company has users that work remotely" so I guess that not all company users work remotely in
which case a S2S VPN would fit. For only some remote workers fits better a P2S VPN. But's a tricky question.
upvoted 3 times
 
Jotess
the question was on Jul 23, 2021 exam
upvoted 2 times
 
dupakonia
Looks correct to me
upvoted 4 times
 
d0bermannn
seems az900 q
upvoted 1 times
Your company has a Microsoft SQL Server Always On availability group configured on their Azure virtual machines (VMs).
You need to configure an Azure internal load balancer as a listener for the availability group.
Solution: You create an HTTP health probe on port 1433.
A.
Yes
B.
No
Correct Answer:
B
 
d0bermannn
Highly Voted 
HTTP(!) health probe on port 1433 sounds ugly, assume NO
upvoted 11 times
 
ohana
Most Recent 
4 days, 6 hours ago
Took the exam today, 17 Oct. This question came out. Ans: No
upvoted 2 times
 
JohnPhan
1 week ago
NO
Port: The port you created in the firewall for the health probe when preparing the VM. In this article, the example uses TCP port 59999.
upvoted 2 times
 
a4andrew
1 week, 5 days ago
TCP 1433 is the standard SQL port. "The availability group listener health probe port has to be different from the cluster core IP address health
probe port. In these examples, the listener port is 59999 and the cluster core IP address health probe port is 58888. Both ports require an allow
inbound firewall rule." https://docs.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/availability-group-load-balancer-portal-
configure
upvoted 2 times
 
Amonurius_Diabio
2 weeks ago
I think answer should be C
https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about
upvoted 2 times
 
Insanewhip
1 week, 1 day ago
Wrong question, hermano
upvoted 1 times
 
Mercator
2 months ago
B - No
You need to configure a TCP health probe on port 1433 to check if the SQL service responds
upvoted 3 times
 
Mercator
2 months ago
After reading more it seems the cluster service has a port of it's own for health probes which is usually configured to tcp/59999.
So a tcp health probe to tcp/59999 would be the solution.

upvoted 1 times
 
silver_bullet666
1 month ago
indeed you are correct however in the example below we create several health probes, TCP1433 is still one of them.
https://docs.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/availability-group-manually-configure-tutorial
upvoted 1 times
 
silver_bullet666
1 month ago
oh wait no this uses a LB rule on TCP1433 and a health probe on TCP59999 and TCP58888... https://docs.microsoft.com/en-
us/azure/azure-sql/virtual-machines/windows/availability-group-manually-configure-tutorial
upvoted 1 times
 
jasonoubre
What is the answer?
upvoted 1 times
 
jimmyli
Answer is No. The link provided in the explanation is valid. Under Step 3: Create a probe, you will find: "Port You can use any available port. For
example, 59999." You cannot use 1433, as maxmarco71 explained below TCP port 1433 is the port used by SQL server so it cannot be reused for
health probe
upvoted 6 times
 
ctyng
3 months ago
Yes, when setting up the load balancing rules, the SQL TCP Port is port 1433 by default.
https://docs.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/failover-cluster-instance-vnn-azure-load-balancer-configure?tabs=ilb
upvoted 1 times
 
maxmarco71
3 months ago
Answer is B NO
Health probe require TCP port 1433 is port used by SQL Server
upvoted 3 times
 
epic13131
Yes
https://docs.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/failover-cluster-instance-vnn-azure-load-balancer-configure?tabs=ilb
upvoted 1 times
Solution: You set Session persistence to Client IP.
A.
Yes
B.
No
Correct Answer:
B
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sql/virtual-machines-windows-portal-sql-alwayson-int-listener
 
pankyhun
Highly Voted 
Answer is B. Session persistence should be set to "None"
upvoted 5 times
 
Quantigo
Most Recent 
3 weeks, 3 days ago
Correct Answer: B - No
Session persistence should be none
Reference:
upvoted 2 times
Solution: You enable Floating IP.
A.
Yes
B.
No
Correct Answer:
A
 
Bloodwar
Highly Voted 
3 months ago
The load balancing rules configure how the load balancer routes traffic to the SQL Server instances. For this load balancer, you enable direct server
return because only one of the two SQL Server instances owns the availability group listener resource at a time.
>> Floating IP (direct server return) Enabled

upvoted 9 times
 
ppp131176
Highly Voted 
Yes floating ip is correct ? as discussed in: https://www.examtopics.com/discussions/microsoft/view/12295-exam-az-300-topic-2-question-11-
discussion/
upvoted 8 times
 
ohana
Most Recent 
4 days, 6 hours ago
Took the exam today, 17 Oct. This question came out. Ans: Yes! Floating IP!
upvoted 2 times
 
JohnPhan
1 week ago
Yes
Floating IP (direct server return) Enabled
https://docs.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/availability-group-load-balancer-portal-configure
upvoted 2 times
 
Quantigo
3 weeks, 3 days ago
Correct Answer A – Yes
Float IP Enabled
Reference:
upvoted 3 times
 
rdsserrao
According to the link, they're using floating IP, on the LB rule.
upvoted 4 times
 
GabeCanada
Enabling floating IP is listed in the KB but that alone does provide a full solution for it as this is just a config in a rule. But in this series that's the
correct answer.
upvoted 1 times
 
GabeCanada
Not sure how a floating IP helps with this. From the series it should be something like a TCP 1433 health probe...
upvoted 3 times
 
Neowarp
In the articule it's "... 1433. This value is ignored because this rule uses Floating IP (direct server return). ..." in Step 4: Set the load-balancing rules
...
upvoted 2 times
Your company has two on-premises servers named SRV01 and SRV02. Developers have created an application that runs on SRV01. The
application calls a service on SRV02 by IP address.
You plan to migrate the application on Azure virtual machines (VMs). You have configured two VMs on a single subnet in an Azure virtual network.
You need to configure the two VMs with static internal IP addresses.
What should you do?
A.
Run the New-AzureRMVMConfig PowerShell cmdlet.
B.
Run the Set-AzureSubnet PowerShell cmdlet.
C.
Modify the VM properties in the Azure Management Portal.
D.
Modify the IP properties in Windows Network and Sharing Center.
E.
Run the Set-AzureStaticVNetIP PowerShell cmdlet.
Correct Answer:
E
Specify a static internal IP for a previously created VM
If you want to set a static IP address for a VM that you previously created, you can do so by using the following cmdlets. If you already set an IP
address for the
VM and you want to change it to a different IP address, you‫ג‬€™ll need to remove the existing static IP address before running these cmdlets.
See the instructions below to remove a static IP.
For this procedure, you‫ג‬€™ll use the Update-AzureVM cmdlet. The Update-AzureVM cmdlet restarts the VM as part of the update process. The
DIP that you specify will be assigned after the VM restarts. In this example, we set the IP address for VM2, which is located in cloud service
StaticDemo.
Get-AzureVM -ServiceName StaticDemo -Name VM2 | Set-AzureStaticVNetIP -IPAddress 192.168.4.7 | Update-AzureVM
 
rhanielcb23
1 day, 10 hours ago
Set-AzureStaticVNetIP PowerShell cmdlet
Correct answer E.
upvoted 1 times
 
Fulforce
1 week, 6 days ago
Correct answer E.
FYI: For the new PowerShell cmdlets you would use: Set-AzNetworkInterface
upvoted 3 times
 
SanjSL
1 day, 13 hours ago
$Nic = Get-AzNetworkInterface -ResourceGroupName "ResourceGroup1" -Name "NetworkInterface1"
$Nic.IpConfigurations[0].PrivateIpAddress = "10.0.1.20"
$Nic.IpConfigurations[0].PrivateIpAllocationMethod = "Static"
$Nic.Tag = @{Name = "Name"; Value = "Value"}
Set-AzNetworkInterface -NetworkInterface $Nic
https://docs.microsoft.com/en-us/powershell/module/az.network/set-aznetworkinterface?view=azps-6.5.0
upvoted 1 times
 
Quantigo
3 weeks, 3 days ago
Correct Answer E:
Run the Set-AzureStaticVNetIP PowerShell cmdlet.
https://docs.microsoft.com/en-us/powershell/module/servicemanagement/azure.service/set-azurestaticvnetip?view=azuresmps-4.0.0
upvoted 4 times
 
Saravana12g
Test-AzureStaticVNetIP –VNetName xxx –IPAddress xxx
and then
Set-AzureStaticVNetIP
upvoted 3 times
 
Adebowale
2 months ago
What if the ip properties in the Network and Sharing center of the VM is changed
upvoted 1 times
 
jellybiscuit
1 month ago
It would work to start with.
The problem is that the network interface in Azure would still be set to DHCP. If anything ever causes that IP to change, the server will be
completely inaccessible (because you don't have console access).
upvoted 2 times
 
Kopy
why not Modify the VM properties in the Azure Management Portal?
upvoted 1 times
 
jellybiscuit
You could use the portal, but static IP settings are on the network interface, not the virtual machine.
upvoted 4 times
 
CloudyTech
E is correct
upvoted 2 times
 
rawrkadia
Are the pre AZ/ARM cmdlets and management paradigm even on the exam?
upvoted 3 times
 
ppp131176
E is correct:
https://docs.microsoft.com/bs-latn-ba/powershell/module/servicemanagement/azure.service/set-azurestaticvnetip?view=azuresmps-4.0.0
upvoted 4 times
You need to deploy five virtual machines (VMs) to your company‫ג‬€™s virtual network subnet.
The VMs will each have both a public and private IP address. Inbound and outbound security rules for all of these virtual machines must be
identical.
Which of the following is the least amount of network interfaces needed for this configuration?
A.
5
B.
10
C.
20
D.
40
Correct Answer:
A
 
CloudyTech
Highly Voted 
5 is correct
upvoted 12 times
 
samshir
Most Recent 
2 weeks, 2 days ago
5 VM so 5 NIC Cards .we have public and private ip address set to them .however they needs same inbound and outbound rule so create NSG and
attach to NIC and this req can be fulfilled 5 NIC hence 5 is right ans
upvoted 2 times
 
Quantigo
3 weeks, 3 days ago
Correct Answer: A
You can add as many private and public IPv4 addresses as necessary to a network interface, within the limits listed in the Azure limits article
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface-addresses
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-
network/toc.json#azure-resource-manager-virtual-networking-limits
upvoted 1 times
 
pakman
3 weeks, 3 days ago
shouldn't the answer be 10 since the VMs require both a private and public IP address?
upvoted 1 times
 
KFM2020
2 weeks, 3 days ago
It sounds like it should have 10 but the answer is correct, i.e. 5 interfaces—one NIC with a private IP only, per VM.
While you can assign a public IP to a VM, it is always associated with a network interface with a private IP. The guest OS within the VM never
sees a second interface configured with the public IP address. The Azure platform then performs NAT (in the background and transparent to the
user) between the public IP and the private IP address assigned to that interface.
Hope that explanation helps!

upvoted 7 times
 
Exam_khan
5 Virtual machines each need a network interface to communicate
upvoted 2 times
 
Doksy
3 months ago
network interface can have multiple ip addresses.
upvoted 3 times
 
mdmdmdmd
1 month ago
To expand on this, it they can also have pub and priv IPs on the same NIC.
upvoted 3 times
 
lazz77
Answer is correct
upvoted 2 times
You need to deploy five virtual machines (VMs) to your company‫ג‬€™s virtual network subnet.
The VMs will each have both a public and private IP address. Inbound and outbound security rules for all of these virtual machines must be
identical.
Which of the following is the least amount of security groups needed for this configuration?
A.
4
B.
3
C.
2
D.
1
Correct Answer:
D
 
Biju1
Highly Voted 
correct Answer D
upvoted 10 times
 
Exam_khan
Highly Voted 
all identical security groups so you will only require 1 security group as all the settings are the same
upvoted 7 times
 
iqlal
Most Recent 
if identic, just 1 NSG
upvoted 4 times
 
Bloodwar
3 months ago
1 NSG for all network interfaces, indentical config.
upvoted 3 times
Your company‫ג‬€™s Azure subscription includes Azure virtual machines (VMs) that run Windows Server 2016.
One of the VMs is backed up every day using Azure Backup Instant Restore.
When the VM becomes infected with data encrypting ransomware, you decide to recover the VM‫ג‬€™s files.
Which of the following is TRUE in this scenario?
A.
You can only recover the files to the infected VM.
B.
You can recover the files to any VM within the company‫ג‬€™s subscription.
C.
You can only recover the files to a new VM.
D.
You will not be able to recover the files.
Correct Answer:
A
 
rdsserrao
Highly Voted 
After reading the link provided by rawrkadia, and testing for myself, it's clear that Azure Backup Instant Restore is available for all Azure Backup
VM's.
Even the OS compatibility doesn't apply, like some links say.
Test:
- I created a Windows Server 2019 VM in Azure
- Activated Backup and did Backup Now
- Did File Recovery, downloaded the script and installed it in my Windows 10 On-Prem, Azure Windows Server 2016 and 2012.
Everything worked, the drives were mounted in every OS, no problem.
Note: The script downloaded will only work for the same OS as the original VM:
Windows - Windows
Linux - Linux
upvoted 15 times
 
rdsserrao
I forgot to give the answer.
Having said what i wrote above and considering the possible answers, i would agree with the answer given A.
Incorrect answers:
B: there could be Linux VM's in the subscription, we don't know:"Your company‫ג‬€™s Azure subscription includes Azure virtual machines (VMs)
that run Windows Server 2016"
C: Same reason as B
D: of course you can recover the files

upvoted 11 times
 
MichalGr
`B: there could be Linux VM's in the subscription, we don't know:"Your company‫ג‬€™s Azure subscription includes Azure virtual machines
(VMs) that run Windows Server 2016"` - in this scenario (all) VMs run Windows, yes?
upvoted 4 times
 
Larry23
1 week, 6 days ago
All you need to do is google the definition of Includes to understand why A is the correct answer... Includes does not mean all
encompassing. It means in short, part of a whole.
upvoted 1 times
 
lazz77
Highly Voted 
According to below, we can restore the files to an alternate VM too
https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-windows-server
Therefore the answer should be B

upvoted 10 times
 
TDS_sada
1 month ago
As I understand Here the catch is new VM,any VM, means it can be any non windows OS. So in this scenario the effected os is Windows and
only the Answer A related to the windows OS.
upvoted 2 times
 
rawrkadia
This is a different feature.
https://docs.microsoft.com/en-us/azure/backup/backup-instant-restore-capability
Backup instant restore is snapshotting. In order to be 'instant' tier you have to be restoring from a stored snapshot vs from the vault. I do not
believe you are correct.
https://docs.microsoft.com/en-us/azure/backup/about-azure-vm-restore
upvoted 1 times
 
rawrkadia
In fact, I don't even know if you *can* recover files from a snapshot. You have to convert the snapshot to a managed disk then attach that to
a VM.
upvoted 2 times
 
SanjSL
Most Recent 
1 day, 13 hours ago
Answer is B (as per link below)
https://azure.microsoft.com/en-gb/blog/instantly-restore-your-azure-virtual-machines-using-azure-backup/
upvoted 1 times
 
theOldOne
2 weeks, 2 days ago
The link here:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm#step-3-os-requirements-to-successfully-run-the-script
Has some interesting information that seems to go along with some of the other links in this discussion.
upvoted 1 times
 
theOldOne
2 weeks, 2 days ago
also I would go with option B. Any VM in the companies subscription given we are told they are Server 2016 VM's.
upvoted 1 times
 
NarenderSingh
2 weeks, 5 days ago
Should be B
upvoted 1 times
 
rigonet
3 weeks, 2 days ago
Correct Answer: B - you can recover files to any VM in subscription.
Reference:
https://docs.microsoft.com/en-us/azure/backup/about-azure-vm-restore
upvoted 1 times
 
Orel123
1 month, 1 week ago
IMO, The correct answer is A since we can only recover the file to a machine that runs the same OS and we don't know the OS on the other
machines are running the same OS.
upvoted 1 times
 
Elazari
1 month, 1 week ago
The correct answer is - B
All the virtual machines in the subscription run WIN Server 2016-
"Your company's Azure subscription includes Azure virtual machines (VMs) that run Windows Server 2016."
We can restore to every virtual machine with the same os.

upvoted 1 times
 
maylevi
1 month, 1 week ago
"Your company‫ג‬€™s Azure subscription includes Azure virtual machines (VMs) that run Windows Server 2016."
they all have the same os

upvoted 1 times
 
abs19
1 month, 1 week ago
Answer : A
With instant restore, users also get a capability to perform in-place restore, thus, overwriting the data in the original disk rather than creating a
copy of the disk at an alternate location. It is particularly useful in scenarios where there is a need to rollback a patch. Once the snapshot phase is
done, users can go ahead and use the local snapshot to restore if the patch goes bad.
From https://azure.microsoft.com/en-us/blog/instantly-restore-your-azure-virtual-machines-using-azure-backup/
upvoted 2 times
 
Saravana12g
RECOVERY:
Any Windows computer that has Internet connectivity
For files recovery, you download and run a windows executable to map a network drive. It can only run when the OS meets the requirements. Any
computer running Windows Server 2016 or Windows 10 is suitable. File recovery can be done from any machine on the Internet.
Note: There might be compatibility issues with any Windows computer, so consider VM1 and VM2 only as an answer.
RESTORE:
VM1 or a new Azure virtual machine only
For restoring a VM, you can choose 'Create new' or 'Replace existing'.
upvoted 2 times
 
jellybiscuit
Answer: B
Technically, you can recover to files to any machine, anywhere. B is the most inclusive answer.
Instant restore changes nothing about the recovery process. It only means that the data is sitting with the VM and does not have to be recovered
from the vault.
https://docs.microsoft.com/en-us/azure/backup/backup-instant-restore-capability
https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm
upvoted 1 times
 
imartinez
Correct Answer:
Same Question than:
https://www.examtopics.com/exams/microsoft/az-104/view/15/
Question #67:
upvoted 2 times
 
user789
similar question as Topic-3 Q67
upvoted 1 times
 
Mercator
2 months ago
My understanding of file restore is:
Go to the portal, download the script, copy it to the hosts where you want to do the file restore and run it there. It will mount the snapshot and you
can copy the files in the running OS.
So this should work on any VM inside your subscription => B

upvoted 3 times
 
tim_fr
Hi guys, source VM is infected with ransomware so if we restore files on it, we will have the same issue, right ? Because they don't mention that
source VM was fixed after ransomware attack. That's why I would reply "Restore to a new VM"
upvoted 2 times
 
cosine
Technically, the files can be restored in any of the VM (Infected VM, VM within subscription or new VM).
Infected VM - No. file restored here will be encrypted.
Any VM within subscription - No. Ransomware usually move laterally and would have infected other VMs as well
New VM- I would say this is the best choice.

upvoted 1 times
 
wangyun0429
which one right？？
upvoted 1 times
 
logusta
Answer is B, you can recover to any VM, presuming that they're all Windows Servers (as stated).
https://youtu.be/vR6vyU4tP9E?t=365
upvoted 5 times
 
dupakonia
Looks like this is only 1 of the options "With instant restore, users also get a capability to perform in-place restore, thus, overwriting the data in the
original disk rather than creating a copy of the disk at an alternate location."
So based on that seems A but not sure if there are any other methods to restore
upvoted 3 times
 
dupakonia
Still with that info this make us to choose between A or B
upvoted 1 times
Your company‫ג‬€™s Azure subscription includes Azure virtual machines (VMs) that run Windows Server 2016.
One of the VMs is backed up every day using Azure Backup Instant Restore.
When the VM becomes infected with data encrypting ransomware, you are required to restore the VM.
Which of the following actions should you take?
A.
You should restore the VM after deleting the infected VM.
B.
You should restore the VM to any VM within the company‫ג‬€™s subscription.
C.
You should restore the VM to a new Azure VM.
D.
You should restore the VM to an on-premise Windows device.
Correct Answer:
B
 
shamst
Highly Voted 
It should be C
upvoted 18 times
 
Zokko
Highly Voted 
I belive it is the C option
A - If you delete the VM you cannot recover to that vm it must exist
B - You do not know the other VMs
C - Creating a New VM you can recover the VM
D - You can recover from the backup
https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms
upvoted 9 times
 
J4U
Yes, VM can be restored by replacing the existing disk or in a new VM.
upvoted 2 times
 
aqslatewala
Most Recent 
1 week, 5 days ago
C right answer
upvoted 1 times
 
Karl2guru
2 weeks, 5 days ago
Answer is B... This inmplies you should restore the VM to any VM so implies even create and restore to a new one too!!
upvoted 2 times
 
NarenderSingh
2 weeks, 5 days ago
Should be C as you can either create new VM or restore the existing disks only.
upvoted 2 times
 
NarenderSingh
2 weeks, 5 days ago
Should be C as you can either create new VM or restore the existing disks only.
upvoted 1 times
 
Saravana12g
RECOVERY:
Any Windows computer that has Internet connectivity
For files recovery, you download and run a windows executable to map a network drive. It can only run when the OS meets the requirements. Any
computer running Windows Server 2016 or Windows 10 is suitable. File recovery can be done from any machine on the Internet.
Note: There might be compatibility issues with any Windows computer, so consider VM1 and VM2 only as an answer.
RESTORE:
For restoring a VM, you can choose 'Create new' or 'Replace existing'.
upvoted 1 times
 
Saravana12g
1 month, 1 week ago
Answer should be B.
For restoring a VM, you can choose 'Create new' or 'Replace existing' options. Hence the nearest answer would be B.
It can't be C. because in C, it just infers we need to use NEW VM and doesn't tell about using existing VM.
upvoted 2 times
 
jellybiscuit
Answer: C
You can restore and overwrite the existing machine, M$ calls this "replace existing" (not an option given) or restore to a new VM.
upvoted 2 times
 
Saravana12g
1 month, 1 week ago
So its B. as per your answer?
upvoted 1 times
 
jellybiscuit
1 month ago
No, I typed what I meant.
upvoted 1 times
 
user789
similar question as Topic-3 Q67
upvoted 1 times
 
anand_3555
B is wrong. you can only backup to the same VM (restore) or to a new VM. answer should be C
upvoted 4 times
 
dupakonia
B and C both looks correct but seems that it is better to restore under company subscription and not somwhere else. Stupid I know but based on
that B makes more sense than C
upvoted 1 times
 
rdsserrao
An Azure VM can be restored to the same VM or to a new one, in Azure only.
So the most correct answer should be B.

upvoted 3 times
 
shamst
B should be correct
upvoted 1 times
 
barremans
Same as Q41?
upvoted 1 times
 
MikeRodriguez
Q41 is about recovering files, not the vm
upvoted 2 times
You administer a solution in Azure that is currently having performance issues.
You need to find the cause of the performance issues pertaining to metrics on the Azure infrastructure.
Which of the following is the tool you should use?
A.
Azure Traffic Analytics
B.
Azure Monitor
C.
Azure Activity Log
D.
Azure Advisor
Correct Answer:
B
Metrics in Azure Monitor are stored in a time-series database which is optimized for analyzing time-stamped data. This makes metrics
particularly suited for alerting and fast detection of issues.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-platform
 
kerker
Highly Voted 
Yes Correct
https://docs.microsoft.com/en-us/azure/architecture/framework/scalability/monitor-infrastructure
upvoted 9 times
 
Quantigo
Most Recent 
3 weeks, 3 days ago
Correct Answer B
https://docs.microsoft.com/en-us/azure/azure-monitor/overview
upvoted 2 times
Your company has an Azure subscription that includes a Recovery Services vault.
You want to use Azure Backup to schedule a backup of your company's virtual machines (VMs) to the Recovery Services vault.
Which of the following VMs can you back up? Choose all that apply.
A.
VMs that run Windows 10.
B.
VMs that run Windows Server 2012 or higher.
C.
VMs that have NOT been shut down.
D.
VMs that run Debian 8.2+.
E.
VMs that have been shut down.
Correct Answer:
ABCDE
Azure Backup supports backup of 64-bit Windows server operating system from Windows Server 2008.
Azure Backup supports backup of 64-bit Windows 10 operating system.
Azure Backup supports backup of 64-bit Debian operating system from Debian 7.9+.
Azure Backup supports backup of VM that are shutdown or offline.
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-support-matrix-iaas https://docs.microsoft.com/en-us/azure/virtual-
machines/linux/endorsed-distros
 
CloudyTech
Highly Voted 
All..................................
upvoted 13 times
 
khengoolman
Highly Voted 
1 week, 3 days ago
Passed today with 947. This question appeared, correct Answer is All
upvoted 8 times
 
dodeen
congrats budy
is this website enough to clear the exam ?

upvoted 1 times
 
JohnPhan
1 week ago
thank you!
upvoted 1 times
 
SanjSL
Most Recent 
1 day, 13 hours ago
All..
Azure Backup doesn't support 32-bit operating systems.
For Azure VM Linux backups, Azure Backup supports the list of distributions endorsed by Azure, except Core OS Linux and 32-bit operating system.
Other bring-your-own Linux distributions might work as long as the VM agent is available on the VM, and support for Python exists.
https://docs.microsoft.com/en-us/azure/backup/backup-azure-backup-faq
upvoted 1 times
 
ohana
4 days, 6 hours ago
Took the exam today, 17 Oct. This question came out. Ans: ALL!!!!
upvoted 3 times
 
medk2021
2 weeks, 2 days ago
all true:
https://docs.microsoft.com/fr-fr/azure/backup/backup-azure-backup-faq
https://docs.microsoft.com/fr-fr/azure/virtual-machines/linux/endorsed-distros
upvoted 1 times
 
asmi3342344
1 month ago
B and E are contradictory
to each other, whats the point considering these options? ABE are the right options because VM not shut down or shut down will be backed up
anyways. correct?
upvoted 1 times
 
MrJR
I bet for ABD. Vms that has been shutdown or not is not specific enough those vms could have an incompatible OS. Not all the running or stopped
VMs can be backed up only those with a compatible OS.
upvoted 2 times
 
hosseny
answer errors
upvoted 1 times
 
lemist
3 months ago
My VM is shut down. Will an on-demand or a scheduled backup work?
Yes. Backups run when a machine is shut down. The recovery point is marked as crash consistent.
upvoted 2 times
 
Spandrop
3 months ago
Not sure about C, can't I have a VM not been shutdown running an unsupported OS version for the backup service?
upvoted 1 times
 
dupakonia
lol what is this?
upvoted 3 times
 
d0bermannn
az900 q
upvoted 1 times
Question #1 Topic 2
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:
User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.
You need to create new user accounts in external.contoso.onmicrosoft.com.
Solution: You instruct User2 to create the user accounts.
Does that meet the goal?
A.
Yes
B.
No
Correct Answer:
A
Only a global administrator can add users to this tenant.
Reference:
https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/add-users-to-azure-ad
 
Matkes
Highly Voted 
No, as user3 is user admin in contoso.onmicrosoft.com tenant and has no rights in external.contoso.onmicrosoft.com
upvoted 67 times
 
JamesP
Highly Voted 
From the referenced Microsoft doc: To add or delete users you must be a User administrator or Global administrator.
Answer should be A
upvoted 20 times
 
denislp
A resposta seria A, se ele estivesse se referindo ao tenant contoso.onmicrosoft.com. Mas ele faz referência ao tenant
external.contoso.onmicrosoft.com, ou seja, somente o USER1 que criou esse tenant que tem privilégios para realizar essa ação.
upvoted 2 times
 
ArgiDio
10 months ago
external.contoso... is another tenant.
Since it is referring to ANOTHER tenant that only the creator has permissions (unless he assigns to others -there is no such statement) the
answer is "No".
upvoted 23 times
 
Miles19
The user3 is the user admin, but for another tenant - contoso.onmicrosoft.com. Therefore, he can't add users to the new tenant, because he
doesn't have access to that tenant.
upvoted 10 times
 
Sandroal29
8 months ago
Incorrect, your answer would be true if we've been talking about the same tenant, but it's a new one, so user3 won't even see this new tenant.
The right answer is B.
upvoted 14 times
 
Eltooth
Most Recent 
1 week, 4 days ago
No no no no no
upvoted 2 times
 
Pradyumn
1 week, 5 days ago
answer is no
upvoted 1 times
 
omw2wealth
2 weeks, 5 days ago
ONLY THE CREATOR OF THE AAD TENANT: USR1.
upvoted 2 times
 
RoboRobo
2 weeks, 6 days ago
Answer > NO
Of course, they can't. If you give a user the AAD Global Administrator role in an AAD tenant, he is the global admin in the only one tenant, never
relate to other tenants
upvoted 1 times
 
tikytaka
3 weeks, 1 day ago
No, question was also 'No' in a now deleted practice paper in Udemy - only User1 has admin rights to the new tenant
upvoted 1 times
 
angelocjs
3 weeks, 2 days ago
Answer is B. User 2 did not create external.contoso.onmicrosoft.com, but User1.
upvoted 1 times
 
Mukesh_Aggarwal_07
3 weeks, 5 days ago
Answer is NO (B)
upvoted 1 times
 
muk_neha_ahana
3 weeks, 5 days ago
Answer is NO (B)
upvoted 1 times
 
Osmanly
3 weeks, 6 days ago
RBAC roles are different from the Azure AD administrative. RBAC roles are used to manage access and allow or restrict users to Azure resources,
while Azure AD administrative roles are used to allow or restrict admins to perform identity tasks, such as creating new users, resetting the users’
passwords, and so on. For example, a user who is granted Global Administrator rights in Azure AD does not have permissions to create resources in
Azure, but he or she can perform all the identity tasks for an Azure AD tenant.
upvoted 1 times
 
ShyamPV
1 month ago
The answer to this question is NO. The domain name "external.contoso.onmicrosoft.com" cannot be created as a new tenant. It can only be added
as a custom domain under contoso.onmicrosoft.com. So the user administrator on the tenant contoso.onmicrosoft.com can create user on the new
tenant external.contoso.onmicrosoft.com. BTW, I just went through the whole process on my trail subscription and the above point was proved
beyond doubt.
upvoted 1 times
 
Sadiqsanadi
Am able to access this questions till 180 or page number 18.Further if I try to access it's asking to pay some dollars. Will it be ok to prepare only
with 18 pages or 180 questions for exam? Need suggestions. Plz help I have schedule my exam on 13th September.
upvoted 1 times
 
theOldOne
2 weeks, 2 days ago
You are not required to pay money to see the questions. If someone is trying to charge you money you are not looking at the original page. Go
to the examtopics.com home page and navigate to the questions from there. The subscription is offered to allow you to configure some things
that can make it more useful to study. I paid the subscription to help offset the cost to run the site.
upvoted 1 times
 
sk1803
1 month ago
Did you clear your exam?
upvoted 1 times
 
gical
The answer is NO because according https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/licensing-directory-independence
"In Azure Active Directory (Azure AD), each Azure AD organization is fully independent: a peer that is logically independent from the other Azure
AD organizations that you manage. This independence between organizations includes resource independence, administrative independence, and
synchronization independence. There is no parent-child relationship between organizations."
Hence global or user admin in one tenant cannot manage users in another tenant
upvoted 1 times
 
piya161
2 months ago
yes ,user administrator can create and delete user accounts .
upvoted 1 times
 
piya161
1 month, 1 week ago
yes my bad the answer is no ,as there are two different tenants.
upvoted 1 times
 
rodrigueslp
It's correct, but user3 is only "user administrator' on tenant 'contoso.onmicrosoft.com'. He couldn't add an user on another tenant.
upvoted 1 times
 
ankit0506
2 months ago
Answer is A
upvoted 1 times
 
thuylevn
B, they as for external.contoso.onmicrosoft.com not for contoso.onmicrosoft.com.
upvoted 1 times
Question #2 Topic 2
A.
Yes
B.
No
Correct Answer:
B
Reference:
 
fedztedz
Highly Voted 
Answer is correct . NO
Only user admin or global admin can add users

upvoted 34 times
 
Miles19
I think you are right. The subscription owner role doesn't have anything to do when it comes to users and groups. This role can by default
access all resources under the subscription, or give access to others to any resource, but definitely can't add users to Azure AD tenant.
upvoted 7 times
 
mlantonis
Highly Voted 
5 months ago
User4 doesn’t have access to the new directory. Only User1 has access to the new Tenant, because User1 created the Tenant and became GA
automatically. Also, User4 is not a GA or User Administrator. User4 has RBAC Role permission and not Azure AD Role permission.
upvoted 15 times
 
Eltooth
Most Recent 
1 week, 4 days ago
No no no no no
upvoted 2 times
 
Mukesh_Aggarwal_07
3 weeks, 5 days ago
Answer is NO (B)
upvoted 1 times
 
muk_neha_ahana
3 weeks, 5 days ago
answer is B (NO)
upvoted 1 times
 
silver_bullet666
4 weeks ago
Thank you exam topics and most importantly everyone in the discussion! passed the AZ104 today!! 90% of questions are from this site. The others
are still based on the topics covered on this site. Exam content changes tomorrow FYI :(
upvoted 2 times
 
Tyler2021
2 weeks, 5 days ago
Congrats, hope we have the questions updated.
upvoted 1 times
 
Dingaan
passed 27 August 2021, just do your self a favor and listen to just MLANTONIS and fedztedz otherwise people will confuse here
upvoted 1 times
 
HariHaran25
1 week, 2 days ago
i can't see MLANTONIS and fedztedz in the threads
upvoted 1 times
 
thuylevn
No, so B is correct answer
upvoted 1 times
 
Exam_khan
4 months ago
Only a Global Admin can create users
upvoted 2 times
 
Deyvessh
4 months ago
What about User Administrator?
upvoted 4 times
 
Tranquillo1811
The correct answer here would be B. No!
No other user than User1 has the required rights in the NEW tenant!
User1 is "Global administrator" of the NEWLY CREATED tenant, since she created it...
upvoted 6 times
 
BENISSE
Azure Subscription doesn't have tenant permission
upvoted 2 times
 
Bedmed
7 months ago
Anwer is No,
User2 is not global admin in external.contoso.onmicrosoft.com

upvoted 5 times
 
ZUMY
Answer is No. Because there is no permission called 'OWNER' under Roles assignment for AD User. "Global Administrator & User Administrator can
perform this job"
upvoted 2 times
 
Sandroal29
8 months ago
No, because user 4 has RBAC permissions that is totally different from Azure AD permissions.
upvoted 2 times
 
toniiv
No. Azure subscription owner doesn't have tenant permissions
upvoted 1 times
 
NickyDee
User 1 is a GA of the Azure Active Directory Tenant which involves full permissions to manage users
User 2 is the Owner of the Azure Tenant which involves full permissions to manage virtual resources
They are both two different tenants off the root tenant of the organization and the roles do not integrate.
This is also true the other way around. If user 1 is a GA of the AAD tenant only, user 1 can only see AAD in the Azure tenant and not any of the
subscriptions and it will appear greenfield.
User 2 being an owner of the Azure tenant, but not a GA in AAD, cannot add users, only Azure resources.
In order for User 2 to add users to AAD, he would need to be a GA or user administrator of AAD
In order for User 1 to add resources to AZ, he would need to be an owner, or contributor.
any user that needs to have full access to both the AZ and AAD tenants, the user would need elevated roles in each tenant.
upvoted 6 times
 
ms70743
10 months ago
Answer is No. To add or delete users you must be a User administrator or Global administrator.
upvoted 1 times
Question #3 Topic 2
A.
Yes
B.
No
Correct Answer:
B
Reference:
 
asdf12345a
Highly Voted 
Previous discussions were wiped from an update to the question set.
From previous discussions, answer is wrong - should be No.

upvoted 52 times
 
wewewewewe
Testtttt
upvoted 1 times
 
pravith
Highly Voted 
No...As user 2 doesn't have access to the new directory...Ans is "no"...Same Q in Whizlabs
upvoted 21 times
 
Eltooth
Most Recent 
1 week, 4 days ago
No no no no no
upvoted 2 times
 
Mukesh_Aggarwal_07
3 weeks, 5 days ago
Correct answer is NO (B)
upvoted 1 times
 
muk_neha_ahana
3 weeks, 5 days ago
Answer is definitely NO
upvoted 1 times
 
cedie
4 weeks ago
im gonna take my exam in an hour, wish me luck
upvoted 2 times
 
cedie
3 weeks, 6 days ago
i passed a score of 748 i believe. i only studied questions from 1-180 here since im dont have contributer access and there is a case study which
is 5 questions (which is i dont know what the heck and how to answer it). I receive 44 questions overall. It felt like 20 questions from the exam is
something new to me and very difficult in my end since i only studied for 2 days.Lastly, you can go guys and give it a shot.Goodluck everyone.
Follow melantonis and fedztez, and read the discussion. They are credible.
upvoted 3 times
 
girideshi
3 weeks ago
Did 180 questions helped you to sail through, i have exam next monday only depending on these 180 questions. Lets see how it goes.
upvoted 2 times
 
JNeedsCerts
4 weeks ago
Answer is NOOOO. I tested this setup in my lab and it does not work.
upvoted 1 times
 
GataullinRN
4 weeks, 1 day ago
Please read the role description carefully.
Users with this role have access to all administrative features in Azure Active Directory, as well as services that use Azure Active Directory identities
like Microsoft 365 security center, Microsoft 365 compliance center, Exchange Online, SharePoint Online, and Skype for Business Online.
Furthermore, Global Administrators can elevate their access to manage all Azure subscriptions and management groups. This allows Global
Administrators to get full access to all Azure resources using the respective Azure AD Tenant. The person who signs up for the Azure AD
organization becomes a Global Administrator. There can be more than one Global Administrator at your company. Global Administrators can reset
the password for any user and all other administrators.
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator
upvoted 1 times
 
ShyamPV
1 month ago
The answer is YES!. The "fine detail"(trick) in the question is that the second tenant created is a custom domain and not a new tenant. The domain
name "external.contoso.onmicrosoft.com" cannot be created as a new tenant. It can only be added as a custom domain under
contoso.onmicrosoft.com. So the Global Administrators on contoso.onmicrosoft.com has full access on the custom domain
external.contoso.onmicrosoft.com
upvoted 6 times
 
fchahin
1 month ago
Global Admin who has full Power, then User 1 and User 2 can perform the work in Full,
upvoted 1 times
 
vashe
1 month, 1 week ago
Passed today 918. If you know everything that's going on in this dump, then you're good to go. There are about 4 or 5 questions I didn't find in this
dump. Nothing that should be too difficult and it shouldn't stop you from failing the test. This dump has what you need. Mlantonis, FedTedz are
the main comments to follow as mentioned.
upvoted 4 times
 
junior14371
1 month, 1 week ago
Passed the exam on Sept. 4th. This forum is awesome. Mlantonis and FedTedz provide good quality advise in the discussions. A few questions
were not in the exam, but if you study and practice these questions consistently you will have more than a fighting chance.
upvoted 1 times
 
Risto83
Ans is No.
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator
This allows Global Administrators to get full access to all Azure resources using the respective Azure AD Tenant. The person who signs up for the
Azure AD organization becomes a Global Administrator.
upvoted 1 times
 
AubinBakana
I passed my exam 2 days ago. I only completed 80% of the questions here as I discovered this site late. My main source was MSFT Learn; but upon
discovering this site and others, I soon realized that it was far, far, from what I needed to pass the test. I have used YouTube videos, this site, and
MSFT Learn. MSFT does not have enough practice for you to pass.
Important: You will notice that there's a lot of false answers here for some odd reason, which I really hope they get to correct sooner than later.
My advice: Go through the discussion and participate.
Wishing you all success.

upvoted 3 times
 
p_taya
Cleared my exam most questions were from the dumps. Thanks to all the good people who provided correct answers with explanation. I mostly
followed the answers of mlantonis and fedztedz.
upvoted 2 times
 
Dingaan
passed 27 August 2021, just do your self a favor and listen to just MLANTONIS and fedztedz otherwise people will confuse here
upvoted 1 times
 
Agoodstudent
Thanks to ZUMY, Fedtez, Mlatonis and others who helped, corrected and validated the questions which were wrong and have given reference links.
I passed the AZ-104 exam yesterday and now I am a Microsoft Administrator. This website is very good for learning and I suggest seeing the
discussions and also use this website for Cloud Exam
upvoted 1 times
 
harshitsingh04121998
Thanks examtopics websites for actual exam questions. Please contact me if need more dumps harshitsingh04121998@gmail.com
upvoted 5 times
Question #4 Topic 2
HOTSPOT -
You have an Azure subscription named Subscription1 that contains a resource group named RG1.
In RG1, you create an internal load balancer named LB1 and a public load balancer named LB2.
You need to ensure that an administrator named Admin1 can manage LB1 and LB2. The solution must follow the principle of least privilege.
Which role should you assign to Admin1 for each task? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:

The Network Contributor role lets you manage networks, but not access them.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
 
Aghora
Highly Voted 
10 months ago
I have seen to many opinions regarding this, so I decided to test it in my azure account . with Network C on LB1 or LB2 , you can not do any of the
tasks and your get a permission error, you can not even see the Vnets to add the pool from !!!.
when using Contributor access on LB1,LB2 ...same issue . the Only option from the given choices that worked is
- Network Contributor on RG1 for LB1 to add a backend pool (vms must be in place)
- Network Contributor on RG1 for LB2 to add health probe
I hope this resolves the disagreement , all of the links about Network Contributor access on Microsoft are correct but they do not work at the LB
level, they have to be at the resource group level or at every resource that you need to get the pool in place(ie. Vnet,VMs..).
upvoted 138 times
 
Bursuc03
Within RG1 you have the two LBs. You can have the rest of the resources (vNets, VMs) in a different RG, with different access rights. There is
nowhere stated you cannot have access to the other resources, that may be placed within other RGs, on which you have different access rights.
So the answer is YES.
upvoted 3 times
 
comin
Wrong. It says it has to follow the principle of least privilege to accomplish the tasks. If taken your approach then the principle is not met.
Aghora replied ok.

upvoted 2 times
 
Praveen66
I did try the same test these things, however when the NC role is assigned to the user for the resource group , you still get an error that you
don't have permission to perform does not have authorization to perform action 'Microsoft.Network/register/action' over scope
'/subscriptions/feacddd7-6e93-4445-8**** , The only way I could perform the action was to provide the NC access to subscription as well. has
anyone has any idea as to why ?
Failed to start deployment
Registering the resource providers has failed.
Additional details from the underlying API that might be helpful: The client 'Admin1@crazypavi66gmail.onmicrosoft.com' with object id
'9ebc2924-ade9-42fa-9a3c-4eae436c589b' does not have authorization to perform action 'Microsoft.Network/register/action' over scope
'/subscriptions/feacddd7-6e93-4445-8a92-e' or the scope is invalid. If access was recently granted, please refresh your credentials. (Code:
AuthorizationFailed)
upvoted 1 times
 
rsamant
1 month, 1 week ago
may be your vnet and vm were in different resource group ? hence you had to give this at subscription level ?
upvoted 1 times
 
vince60370
Thanks for trying it, as you said, too much divergent answers and explanations.
Clearer like this.

upvoted 6 times
 
Andersonalm
Highly Voted 
On another website, the answer is Network Contributor in RG.
Explanation: To add the backend pool to the load balancer resource, the user needs to have permissions to be able to read the virtual network and
virtual machine resources that need to be associated to the backend pool. Hence permissions need to be given at the resource group level.
upvoted 30 times
 
Nickus
But this doesn`t ask to add backends pools.. Only request that Admin1 CAN MANAGE LB1 and LB2 and with the leasrt privilege.
upvoted 4 times
 
SubbuTeja
7 months ago
If you look at the images it clearly questions about adding Backend pool
upvoted 4 times
 
Mukesh_Aggarwal_07
Most Recent 
3 weeks, 5 days ago
correct answer,N/W contributor on RG1 for both,
upvoted 2 times
 
Michael_ATB
3 weeks, 5 days ago
The answer is :
-Network Contributor on RG1
-Network Contributor on RG1

upvoted 3 times
 
COOLKIDZ
1 month ago
It came on Sep 17 exam.
upvoted 3 times
 
julioglez88
1 month ago
The key point of the question is:
"You need to ensure that an administrator named Admin1 can manage LB1 and LB2. The solution must follow the principle of least privilege."
Considering that and the Network contributor role which has:
Microsoft.Resources/subscriptions/resourceGroups/read -> Gets or lists resource groups.
In case is required to see the VMs, or any other resources, with this role you are allowed to see them, but this is not the scope of the question.
Correct answer is assign the Network Contributor role at the scope of each LB in both questions. We don't know which other resources are in the
RG, and within this we ensure that the least privilege is accomplish and the Admin1 can manage LB1 and LB2
upvoted 1 times
 
rt_85
1 month ago
Is there a way to have all of the wrong answers removed?
upvoted 3 times
 
khismail
2 months ago
In Exam 21/08/2021 Network Contributor on RG1 for both questions
upvoted 5 times
 
thuylevn
N.C for RG1 both case LB1 and LB2
upvoted 1 times
 
Jotess
the question was on Jul 23, 2021 exam
upvoted 2 times
 
NigHtHunter2000
3 months ago
Pls dont post answers here without testing in labs becaz logical reasoning and practical situations are different. So dont bother about people who
just give reference documents only without testing it in labs.
upvoted 3 times
 
javiersilva2344
This is a bit discouraging, not the first question I find here that is wrong, can the moderator make the necessary changes maybe so we can sleep
better at night? :)
Please
upvoted 6 times
 
ShikshaGarg
YES PLEASEE!!! PLEASE MAKE THE CHANGES AND CORRECT THE ANSWERS!!!
upvoted 4 times
 
lucky_18
came in exam on June 28 2021
upvoted 2 times
 
rblyellOG
4 months ago
I think the key here is "least priviledge", so you add the net contrib role to each load balancer. If you add role to RG the user could alter any other
net resources in RG. If it said "least administration" i would go with role to RG not load individual balancers
upvoted 2 times
 
Delanase
4 months ago
Correct answer should be network contributor NG-01, because when you need some write permissions like
Microsoft.Network/virtualNetworks/subnets/join/action to join the VMs to the backend pool.
upvoted 1 times
 
db12345
Ans : Network Contributor on RG1 for LB1 . without this vm's are not getting listed under vnet in backendpool
upvoted 2 times
 
Gautam123
Network Contributor in RG1. for both
upvoted 1 times
Question #5 Topic 2
You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com and an Azure Kubernetes Service
(AKS) cluster named AKS1.
An administrator reports that she is unable to grant access to AKS1 to the users in contoso.com.
You need to ensure that access to AKS1 can be granted to the contoso.com users.
What should you do first?
A.
From contoso.com, modify the Organization relationships settings.
B.
From contoso.com, create an OAuth 2.0 authorization endpoint.
C.
Recreate AKS1.
D.
From AKS1, create a namespace.
Correct Answer:
B
Reference:
https://kubernetes.io/docs/reference/access-authn-authz/authentication/
 
ketan05
Highly Voted 
Correct! The Azure AD client application is used by kubectl to sign in users with OAuth 2.0 device authorization grant flow.
https://docs.microsoft.com/en-us/azure/aks/concepts-identity
upvoted 27 times
 
waterzhong
Highly Voted 
The Azure AD client application is used by kubectl to sign in users with OAuth 2.0 device authorization grant flow.
Azure AD provides an access_token, id_token, and a refresh_token.
The user makes a request to kubectl with an access_token from kubeconfig.
Kubectl sends the access_token to API Server.
The API Server is configured with the Auth WebHook Server to perform validation.
The authentication webhook server confirms the JSON Web Token signature is valid by checking the Azure AD public signing key.
The server application uses user-provided credentials to query group memberships of the logged-in user from the MS Graph API.
A response is sent to the API Server with user information such as the user principal name (UPN) claim of the access token, and the group
membership of the user based on the object ID.
The API performs an authorization decision based on the Kubernetes Role/RoleBinding.
Once authorized, the API server returns a response to kubectl.
Kubectl provides feedback to the user.

upvoted 15 times
 
JohnPhan
Most Recent 
6 days, 8 hours ago
B
kubectl uses the Azure AD client application to sign in users with OAuth 2.0 device authorization grant flow.
upvoted 1 times
 
Mukesh_Aggarwal_07
3 weeks, 5 days ago
Correct Answer: B
upvoted 1 times
 
melatocaroca
1 month, 1 week ago
IMHO correct answer must be D.
Roles
Before assigning permissions to users with Kubernetes RBAC, you'll define user permissions as a Role. Grant permissions within a namespace using
roles.
Once you've defined roles to grant permissions to resources, you assign those Kubernetes RBAC permissions with a RoleBinding. RoleBindings
Assign roles to users for a given namespace using RoleBindings. With RoleBindings, you can logically segregate a single AKS cluster, only enabling
users to access the application resources in their assigned namespace.
upvoted 1 times
 
thuylevn
yes, B is correct answer
upvoted 1 times
 
Rohithalkt
This was an exam question on 4th July 2021. I pass with 904 mrks
upvoted 6 times
 
BenStokes
4 months ago
Answer is correct as per - https://docs.microsoft.com/en-us/azure/aks/concepts-identity
Excerpts from article as 1st step -
As shown in the graphic above, the API server calls the AKS webhook server and performs the following steps:
1. kubectl uses the Azure AD client application to sign in users with OAuth 2.0 device authorization grant flow.
upvoted 2 times
 
db12345
Ans : B
upvoted 1 times
 
mlantonis
5 months ago
Correct Answer: B
The Azure AD client application is used by kubectl to sign in users with OAuth 2.0 device authorization grant flow.
Reference:
upvoted 14 times
 
Keerthana2020
you answers are really correct, please help me for az-220 i got failed twice after reading all the materials
upvoted 1 times
 
armandolubaba
All the answer are corrects
upvoted 1 times
 
Snownoodles
7 months ago
Is it correct to say "You have an Azure subscription that contains an Azure Active Directory ...".
According to: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory?

amp;clcid=0x9
subscription should be under a tenant

upvoted 2 times
 
chaudha4
You are correct. Azure subscription has a trust relationship with Azure Active Directory tenant not a containment relationship.
upvoted 1 times
 
mg
From contoso.com, create an OAuth 2.0 authorization endpoint.
upvoted 2 times
 
ms70743
Answer B is correct
upvoted 1 times
 
fedztedz
Answer is correct. B
upvoted 3 times
 
I
8 months ago
The answer is correct and desplay link is also correct. Here the key words under below.
To identify the user, the authenticator uses the id_token (not the access_token) from the OAuth2 token response as a bearer token. See above for
how the token is included in a request.
upvoted 1 times
 
toniiv
B. is correct
upvoted 1 times
Question #6 Topic 2
You have a Microsoft 365 tenant and an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to grant three users named User1, User2, and User3 access to a temporary Microsoft SharePoint document library named Library1.
You need to create groups for the users. The solution must ensure that the groups are deleted automatically after 180 days.
Which two groups should you create? Each correct answer presents a complete solution.
A.
a Microsoft 365 group that uses the Assigned membership type
B.
a Security group that uses the Assigned membership type
C.
a Microsoft 365 group that uses the Dynamic User membership type
D.
a Security group that uses the Dynamic User membership type
E.
a Security group that uses the Dynamic Device membership type
Correct Answer:
AC
You can set expiration policy only for Office 365 groups in Azure Active Directory (Azure AD).
Note: With the increase in usage of Office 365 Groups, administrators and users need a way to clean up unused groups. Expiration policies can
help remove inactive groups from the system and make things cleaner.
When a group expires, all of its associated services (the mailbox, Planner, SharePoint site, etc.) are also deleted.
You can set up a rule for dynamic membership on security groups or Office 365 groups.
Incorrect Answers:
B, D, E: You can set expiration policy only for Office 365 groups in Azure Active Directory (Azure AD).
Reference:
https://docs.microsoft.com/en-us/office365/admin/create-groups/office-365-groups-expiration-policy?view=o365-worldwide
 
mlantonis
Highly Voted 
5 months ago
Correct Answer: A and C
Only O365 groups support automatic deletion after 180 days.
You can set expiration policy only for Office 365 groups in Azure Active Directory (Azure AD). Note: With the increase in usage of Office 365
Groups, administrators and users need a way to clean up unused groups. Expiration policies can help remove inactive groups from the system and
make things cleaner. When a group expires, all of its associated services (the mailbox, Planner, SharePoint site, etc.) are also deleted. You can set up
a rule for dynamic membership on security groups or Office 365 groups. Incorrect Answers: B, D, E: You can set expiration policy only for Office 365
groups in Azure Active Directory (Azure AD).
Reference:
https://docs.microsoft.com/en-us/office365/admin/create-groups/office-365-groups-expiration-policy?view=o365-worldwide
upvoted 33 times
 
asdf12345a
Highly Voted 
Answer is correct - Only O365 groups support automatic deletion after 180 days.
upvoted 29 times
 
imran_mohd
Most Recent 
4 days, 3 hours ago
In exam 16/10/21
upvoted 1 times
 
Mukesh_Aggarwal_07
3 weeks, 5 days ago
Correct Answer: A and C
upvoted 2 times
 
Jananishree
4 weeks, 1 day ago
in exam 17/9/2021. Most of the questions are in this question bank. You should have to search for correct answers for each question
upvoted 1 times
 
khismail
2 months ago
In Exam 21/08/2021, Correct Answer: A & C
upvoted 2 times
 
thuylevn
A,C are corrects
upvoted 1 times
 
Meko
3 months ago
was in exam 23/7/2021
upvoted 3 times
 
Rohithalkt
This was an exam question on 4th July 2021. I pass with 904 marks
upvoted 1 times
 
achmadirvanp
Answer is correct, Appear On Exam July 1 2021
upvoted 1 times
 
Kiano
5 months ago
Whay have they changed the question and call the groups Microsoft 365 instead of Office 365. Are they really called so nowadays? Condusing.
upvoted 2 times
 
s9p3r7
I think Microsoft officially changed the product name to Microsoft 365
upvoted 1 times
 
xMilkyMan123
4 months ago
Yes. One internet search will confirm this to you.
upvoted 1 times
 
armandolubaba
A & C are correct
upvoted 1 times
 
Huggins
A & C are correct!
upvoted 2 times
 
xiaoyan
what is difference between assigned group type versus dynamic group type?
upvoted 1 times
 
dcalvo
Assigned groups use a list of users while dynamic groups use a query to select members
upvoted 3 times
 
mg
A C - Only O365 groups support automatic deletion after 180 days.
upvoted 1 times
 
ZUMY
A C
Answer is correct - Only O365 groups support automatic deletion after 180 days.
upvoted 2 times
 
toniiv
Correct. A. including the three users, then B. Including the Library
upvoted 1 times
Question #7 Topic 2
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table:
User3 is the owner of Group1.
Group2 is a member of Group1.
You configure an access review named Review1 as shown in the following exhibit:
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review
 
asdf12345a
Highly Voted 
Answer is correct -
The scope is set to GUEST users only. So User3 cannot perform an access review of User1 and UserA as they are Members.
Group2 is a member of Group1 so the access review is inherited.

upvoted 86 times
 
mlantonis
Highly Voted 
5 months ago
Box 1: No
User 3 can only review guest users, and User1 is a member user.
Box 2: No
Box 3: Yes
Group2 is a member of Group1 and User3 is the owner of this group, therefore everyting included in Group2 can be reviewed by User3.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review
upvoted 31 times
 
LOOTF
Most Recent 
4 days, 1 hour ago
Since the user3 is the owner I think he can perform access review to all users?
May I right?
upvoted 1 times
 
Mukesh_Aggarwal_07
3 weeks, 5 days ago
No,No,Yes - correct ans
upvoted 2 times
 
julioglez88
1 month ago
I just tested in lab,
Answer is correct, No, No, Yes
The users to be reviewed are the guest accounts only based on the configuration set. Additionally the guest users from group 2 are inherited to
group 1, so by default User3 can review user2 and userB
upvoted 1 times
 
thuylevn
correct answer, Scope Guest users only
upvoted 1 times
 
CloudyTech
It should be NO NO NO , User B is in Group 2 and review is for Group 1
upvoted 1 times
 
Teing
No No Yes is correct. User B is in Group 2, while Group 2 is member of Group 1, so it is inherited.
upvoted 4 times
 
BenStokes
4 months ago
Answer is - No, No, Yes.
Explanation -
Box 1: No
Box 2: No
Box 3: Yes
Group2 is a member of Group1 and User3 is the owner of this group, therefore everyting included in Group2 can be reviewed by User3.
upvoted 11 times
 
flash007
User 3 is not part of any groups so Box 1 is defo NO
upvoted 1 times
 
Didib
Why is User 3 able to review User B, when user B belongs to Group 2, and User 3 is the owner of only Group 1. Not to mention, the policy applies
to Group 1 only?
upvoted 1 times
 
coders1234
because group 1 contains group 2 (users) also
upvoted 1 times
 
HassanSarhan
No No Yes Correct answers!
upvoted 1 times
 
iamkl00t
typo in 'advanced' at the bottom of the screenshot
upvoted 1 times
 
mg
NO NO YES
upvoted 2 times
 
ZUMY
N N Y is the answer
upvoted 1 times
 
Sandroal29
8 months ago
Correct answers are, NO NO YES. User 3 can only review guest users, and User1 and User2 are member users. So NO and NO for the first two
questions. The last one is YES, group 2 is in group 1 and user 3 is the owner of this group, therefore everyting included in group 2 can be reviewed
by user 3.
upvoted 3 times
 
DeepanAeon
Answer
No, No, Yes

upvoted 2 times
 
vijaysmail84
Access review is not inherited. Tested on portal
upvoted 2 times
Question #8 Topic 2
HOTSPOT -
You have the Azure management groups shown in the following table:
You add Azure subscriptions to the management groups as shown in the following table:
You create the Azure policies shown in the following table:
Hot Area:
Correct Answer:
Box 1: No -
Virtual networks are not allowed at the root and is inherited. Deny overrides allowed.
Box 2: Yes -
Virtual Machines can be created on a Management Group provided the user has the required RBAC permissions.
Box 3: Yes -
Subscriptions can be moved between Management Groups provided the user has the required RBAC permissions.
Reference:
https://docs.microsoft.com/en-us/azure/governance/management-groups/overview https://docs.microsoft.com/en-
us/azure/governance/management-groups/manage#moving-management-groups-and-subscriptions
 
fedztedz
Highly Voted 
Answer is Wrong : It should Be NO NO NO
- subscription should be moved by can't be added to 2 groups.

upvoted 70 times
 
Ikrom
Agree.
- NO: Subscription 1: is not allowed to create a VNET.
- NO: Subscription 2: Allowed to create a VNET which restricts anything else.
- NO: Subscription 1: already in one Management group called 21, so cannot add into another. A Subscription can be assigned to 1
Management Group.
upvoted 63 times
 
azuremarco2021
Im sorry but why is the 2nd false? All that was forbiden at the root level is lifted on Subscription 2
upvoted 1 times
 
jimmyli
because subscription 2 is under management group 12. The only allowed resource type is VirtualNetworks per the table in the question,
therefore VM creation is not allowed
upvoted 4 times
 
imartinez
2 months ago
I think this is wrong, it should be No YES NO.
The first policy only restrict to create VNets not VMs, So VMs are allowed to be created if you can attach a VNET and the 2nd policy
allows you to create the VNET, So.. yes
upvoted 2 times
 
imartinez
My bad, the whitelist will allow you to create the VNET but prevent's you to create the VM, that's the issue. second is NO, thx
upvoted 3 times
 
irosh412
https://docs.microsoft.com/en-us/azure/governance/policy/overview#policy-definition
This clearly states,
"Allowed Resource Type (Deny): Defines the resource types that you can deploy. Its effect is to deny all resources that aren't part of this defined
list."
Therefore, only allowed resource type is virtual nerwork.
SO the answer for the second question is NO.
but third is Yes, because adding subscrition and moving subscription is the same in MS docs. :)
upvoted 12 times
 
vamshidhara
Azure Policy is an explicit deny.
So the root management group deny the virtual network resource type to the child management groups/subscriptions/resources groups
and the policy in the question does not have any thing excluded so it will deny
upvoted 3 times
 
tita_tovenaar
not agreed for answer 2.
Only virtual networks are mentioned in the policy. Nothing is said about virtual machines.
Result: NO - YES - NO
upvoted 1 times
 
tita_tovenaar
sorry, my bad. answer 2 is No.By allowing metworks, you deny all the rest.
upvoted 3 times
 
pieronegri
you are right, "move" is the right verb.
upvoted 1 times
 
Andersonalm
Highly Voted 
Answer is correct. The deny policy is only for virtual networks, not for virtual machines. NO, Yes, Yes
upvoted 31 times
 
raph90fr
i agree. for the seconds question you can not create a virtual network but you can create a vm as long as a virtual network already exist .
upvoted 1 times
 
Rain521
Agree.
upvoted 1 times
 
ArgiDio
10 months ago
The only objection that i have is that, you cannot create an Azure VM without a VNet, so second option is No too.
Final answer that i will give in case of exam, N,N,Y

upvoted 9 times
 
Penagache
You can. You can use a vnet created by other user.
upvoted 9 times
 
uellington
but this possibility is not informed, so you have to consider the standard creation of the VM with all the minimum resources.
upvoted 5 times
 
habit
It doesn't matter because with "Allow resources" policy, you actually deny all remaining resources.
upvoted 2 times
 
Ikrom
You missed something:
- One says Restricted
- Another says Allowed
So, one restricts VNETs and the other allows VNETs.

upvoted 3 times
 
fabylande
Most Recent 
1 day, 18 hours ago
In exam October 16, 2021
upvoted 1 times
 
a4andrew
1 week, 5 days ago
No
YES(maybe), It will probably provision/create the vm but the policy will block the provisioning of the VNET. The creation process can allow other
resources to be created, but can/will error others.
YES..Adding sadly is the same as moving : https://docs.microsoft.com/en-us/azure/governance/management-groups/manage#moving-

management-groups-and-subscriptions
upvoted 1 times
 
a4andrew
4 days, 8 hours ago
Self correct.#2 is NO: Subscription 2: Allowed to create a VNET which restricts anything else.
upvoted 1 times
 
DevOpposite
2 weeks, 4 days ago
These questions will be a lot easier if they are represented diagrammatically like you would do in real life but MS is too lazy to do something like
that...
upvoted 3 times
 
sniper83
2 weeks, 6 days ago
Right answer and tested in my lab:
- No: because the policy on the Root Management level
-No: same above reason, because the influence of the previous policy
-Yes: Add subscription = move and yes you can move it from MG21 to MG11
upvoted 1 times
 
sniper83
2 weeks, 6 days ago
The error message from the policy says that resource "VM0123" was disallowed by policy "Allow resource type", which means that this policy is
disallowing any other resource beyond the Vnets.
upvoted 2 times
 
Michael_ATB
3 weeks, 5 days ago
the answer is :
No
No
No
upvoted 2 times
 
theOldOne
3 weeks, 6 days ago
Then question is in need of attention from a moderator. It seems there is no agreement on what is correct.
upvoted 1 times
 
vekmbeplvgihxdnxab
4 weeks, 1 day ago
I'd to look this up since there's a massive different answers.
Apparently the few people saying B should be a "NO" is correct.
Since its a explicite system it means allowing 1 resource denies everything else.
Example a easy way to test it is by - creating a policy that allows creating resources XXXX regions will cause a deny on creating outside the selected
regions.
upvoted 1 times
 
julioglez88
1 month ago
Answer is correct: NO, YES, YES
1st Network resources are not allowed under the subject subscription. So NO
2nd VM is not restricted and by default this is allowd. So YES
3rd You can have subscription with the same name, it could be confusing, but the thing that is always different is the object ID. I have currently in
the same group manager 3 subscription with the default pay-as-you-go name, if this is not allowed, then those should have a name with a number
to be adding an identifier to each subscription, but is not, so the answer is YES. Also is important to highlight that question is saying "ADD" Which
implies to create, and even if it says to move, this is also allowed, so in both cases, move or create a subscription with the same name, the answer
must be YES.
upvoted 3 times
 
Xzs29
1 month ago
Correct Answer is No, Yes, No.
upvoted 1 times
 
PoolDead
1 month ago
Saw the same question in one of the Udemy practice exams..there the answer was NO NO YES..in a real dilemma here
upvoted 1 times
 
Kamex009
This question was asked on exam taken on 08/22/2021
upvoted 4 times
 
AubinBakana
Creating a Virtual Machine alone still requires that you create a virtual network Essentially, a virtual machine is a virtual network with 1 PC.
Meaning, you cannot create a VM if this action is denied.
If however, the VM existed before the policy was created, which is stated nowhere, by the way, that'd be something entirely different. The question
doesn't state anything about there being an existing VNet.
This means the answer to question 2 should be NO.
As for question 3, Subscriptions can be moved, I am not sure what they mean by Add. So this one also isn't quite clear.
If by "add" they mean "move", then the answer is Yes.
So it should be: NO, NO, YES

upvoted 3 times
 
thuylevn
1. No
2. Yes (VM not Vnet)
3. No (add -> No if move -> YES)

upvoted 2 times
 
Acai
3 months ago
The answer is NO, NO, YES
Tenant Root Group or Root Management Group is the highest level Management Group, if you have a policy denying access to resources at that
level, all subscriptions, resource groups, management groups, and resources will be affected.
https://docs.microsoft.com/en-us/azure/governance/management-groups/overview
You guys are worrying me :(

upvoted 3 times
 
Acai
3 months ago
Forgot to add Management Group 12 which is above Sub 2 allows only Vnets which are denied by the Root Group so no VM's
upvoted 2 times
 
Teing
Agree.
1. Management Group is member of root tenant, so couldn't add VNET by policy
2. By allowing VNET only in policy2, means you couldn't add any other type of resource
3. You couldn't have 1 subscription under 2 management groups (you can move it, but in this case, the question ask about "adding")
upvoted 4 times
Question #9 Topic 2
You have an Azure policy as shown in the following exhibit:
What is the effect of the policy?
A.
You are prevented from creating Azure SQL servers anywhere in Subscription 1.
B.
You can create Azure SQL servers in ContosoRG1 only.
C.
You are prevented from creating Azure SQL Servers in ContosoRG1 only.
D.
You can create Azure SQL servers in any resource group within Subscription 1.
Correct Answer:
B
You are prevented from creating Azure SQL servers anywhere in Subscription 1 with the exception of ContosoRG1
 
Nalex9ja
Highly Voted 
The Picked Option (B) is the correct option
upvoted 39 times
 
Ikrom
Agree.
It says: Exclusions and RG1 is there.

upvoted 3 times
 
fedztedz
Highly Voted 
Answer is Correct. B
upvoted 21 times
 
bornonthird
Most Recent 
3 weeks ago
Looks B
upvoted 1 times
 
Mukesh_Aggarwal_07
3 weeks, 5 days ago
Answer is Correct. B
upvoted 2 times
 
xxxxx85xx
1 month ago
In exam 09/20/2021
upvoted 1 times
 
Fayaman
1 month, 1 week ago
Question was asked on exam taken 09/10/2021
upvoted 2 times
 
Kamex009
upvoted 2 times
 
waris010
2 months ago
A. You are prevented from creating Azure SQL servers anywhere in Subscription 1.
B. You can create Azure SQL servers in ContosoRG1 only.
answer is A from the above option right, can someone please confirm ?
upvoted 1 times
 
RazanT
2 months ago
this was in my test today 8/15/21
answered B
upvoted 3 times
 
thuylevn
yes, B. You can create Azure SQL servers in ContosoRG1 only.
upvoted 2 times
 
Acai
3 months ago
The provided answer is Correct!
upvoted 1 times
 
CloudyTech
THIS QUESTION WAS IN THE EXAM TODAY 7TH JULY 2021
upvoted 5 times
 
Shiven12
This question came in exam on 29/6/2021 - Passed the exam
upvoted 2 times
 
BenStokes
Correct answer is B - You can create Azure SQL servers in ContosoRG1 only.
Note - View the exclusion parameter

upvoted 2 times
 
McRowdy
Agree. Correct answer is B. Be mindful for the exclusions
upvoted 1 times
 
mlantonis
5 months ago
Correct Answer: B
You are prevented from creating Azure SQL servers anywhere in Subscription 1, except from ContosoRG1. There’s an Exclusion on ContosoRG1.
Not allowed resource types (Deny): Prevents a list of resource types from being deployed.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/overview#policy-definition
upvoted 12 times
 
ms70743
B is correct
upvoted 2 times
HOTSPOT -
You have an Azure subscription that contains the resources shown in the following table:
You assign a policy to RG6 as shown in the following table:
To RG6, you apply the tag: RGroup: RG6.
You deploy a virtual network named VNET2 to RG6.
Which tags apply to VNET1 and VNET2? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:

VNET1: Department: D1, and Label:Value1 only.
Tags applied to the resource group or subscription are not inherited by the resources.
Note: Azure Policy allows you to use either built-in or custom-defined policy definitions and assign them to either a specific resource group or
across a whole
Azure subscription.
VNET2: Label:Value1 only.
Incorrect Answers:
RGROUP: RG6 -
Tags applied to the resource group or subscription are not inherited by the resources.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-policies
 
aymennn
Highly Voted 
not correct vnet1 is created before assignng the policy so it doesn't heritate teh tag.
vnet1 : departement D tag only

upvoted 119 times
 
Acai
3 months ago
I agree as well
upvoted 1 times
 
itsmchina
3 months ago
Agreed. vnet1 only has tag Department: D1 only because it was created before assigning the policy.
upvoted 1 times
 
OmarMac
VNET1 - Department: D1 only
VNET2 - Label: Value1 only

upvoted 160 times
 
GataullinRN
4 weeks ago
This is the right answer. Tested.
upvoted 2 times
 
Hibs2016
Agreed!
upvoted 6 times
 
raph90fr
yes, i think you are right.
upvoted 2 times
 
pazza112
Highly Voted 
Answer is wrong. Tested in MSDN lab in the order set out in the question.
After I created the policy and assigned it to the RG the existing vnet still only had the tag of Department:D1. New vnet had the tag label:value1
only.
So the answer is Department:D1 only and Label:value1 only

upvoted 68 times
 
kavg13
Instead of manually applying tags or searching for resources that aren't compliant, you create a policy that automatically applies the needed
tags during deployment. Tags can also now be applied to existing resources with the new Modify effect and a remediation task.
Found in link provided by question. So it would depend if they used the "Modify" option or not.
upvoted 8 times
 
Gumer
Most Recent 
3 days, 2 hours ago
I dont understand where is Vnet2 getting its tag assigned since it should not inherited from RG6
upvoted 1 times
 
nsknexus478
2 weeks, 4 days ago
There are two types of policies for tags now, Require tag and append tag.
anyways answer for this question is
Box 1: Department: D1 only
Box 2: Label: Value1 only

upvoted 1 times
 
ScoutP
2 weeks, 4 days ago
This question was asked on exam taken on Sept 30, 2021
upvoted 1 times
 
sniper83
2 weeks, 6 days ago
Correct Answer(Test in my lab)
Vnet1
Department: D1
Vnet2
Label1: Value1
upvoted 2 times
 
Mukesh_Aggarwal_07
3 weeks, 5 days ago
vnet1 : departement D tag only
VNET2 - Label: Value1 only

upvoted 1 times
 
vekmbeplvgihxdnxab
4 weeks, 1 day ago
Outdated Question which makes no sense anymore with the Modify feature being added to Azure (Allowing to tag already created resources ) then
the following question is correct in both cases without more specification
upvoted 2 times
 
theOldOne
1 month ago
I could not help but notice the lively discussion on this one. The real issue here is not which answer is actually correct. The real issue is which
answer will they accept as being correct when you take the test. I have seen many times over the years where people mark answers that are actually
correct but have the system not accept it.
upvoted 2 times
 
AubinBakana
Honestly, the question is poorly worded. What they are trying to establish is if you know that the tags applied to the RG do not apply to the
resources inside. Basically, if you do not specify a label and a name for anything that's inside the RG you will be prompted with the policy
enforcement: Deny|Audit etc.
I guess this is why we prepare huh!

upvoted 2 times
 
pai1234
Came today in exam 31/07/2021. Passed the exam with 796 marks . 70% questions comes from these dumps . Follow mlantonis, fedztedz and zumy
for correct answers
upvoted 6 times
 
Mayurk
Answer is correct.
Add a tag to resources Adds the specified tag and value when any resource missing this tag is created or updated. Existing resources can be
remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. Does not modify tags on resource
groups.
upvoted 1 times
 
Leo2019
3 months ago
VNET1 was created before assigning policy and therefore it won't be tagged with Label: Value1 by default. If the remediation task is enabled while
assigning policy then it will be tagged with Value1. Here , it's not mentioned whether remediation task is enabled or not . So, the answer will be
VNET1- Department : D only and VNET2- Label: Value1 .
upvoted 3 times
 
kishore300
Wat is that on below policy Rgroup:R6 can anyone clear that??
upvoted 1 times
 
raph90fr
Resources does not inherit tags from Resource group. Moreover, policy is applied after vnet has been created. As a consequence vnet1 has
Department D tag only and Vnet2 has Label tag only.
upvoted 3 times
 
Harryboy
You use Azure Policy to enforce tagging rules and conventions. By creating a policy, you avoid the scenario of resources being deployed to your
subscription that don't have the expected tags for your organization. Instead of manually applying tags or searching for resources that aren't
compliant, you create a policy that automatically applies the needed tags during deployment. Tags can also now be applied to existing resources
with the new Modify effect and a remediation task. The following section shows example policies for tags.
upvoted 1 times
 
acmaws
VNET1 - Department: D1 only why: Assigned before deploying policy
VNET2 - Label: Value1 only why: the policy apply Value1 Tag and cannot two tags be applyed
upvoted 1 times
You have an Azure subscription named AZPT1 that contains the resources shown in the following table:
You create a new Azure subscription named AZPT2.
You need to identify which resources can be moved to AZPT2.
Which resources should you identify?
A.
VM1, storage1, VNET1, and VM1Managed only
B.
VM1 and VM1Managed only
C.
VM1, storage1, VNET1, VM1Managed, and RVAULT1
D.
RVAULT1 only
Correct Answer:
C
You can move a VM and its associated resources to a different subscription by using the Azure portal.
You can now move an Azure Recovery Service (ASR) Vault to either a new resource group within the current subscription or to a new
subscription.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-resource-group-and-subscription
 
JustMe84
Highly Voted 
Test today (12/10/2020), Passed, answered "C" for this question in exam
upvoted 43 times
 
rubas50
2 weeks, 2 days ago
my exam is scheduled tomorrow, did you find all your questions here?
upvoted 1 times
 
Fulforce
1 week, 5 days ago
How did you get on with your exam?
upvoted 1 times
 
mlantonis
Highly Voted 
5 months ago
Correct Answer: C
All of them. Moving a resource only moves it to a new Resource Group or Subscription. It doesn't change the location of the resource.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources#microsoftcompute
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources#microsoftnetwork
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources#microsoftstorage
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources#microsoftrecoveryservices
upvoted 35 times
 
Mukesh_Aggarwal_07
Most Recent 
3 weeks, 5 days ago
Correct Answer: C
upvoted 1 times
 
Omar_Aladdin
1 month ago
kind reminder
a Resource that cannot be removed is Azure Disks,
Even though it is moved as part of Azure VMs
Ref:
https://docs.microsoft.com/en-us/azure/resource-mover/common-questions#can-i-move-disks-across-regions
upvoted 2 times
 
ERV
1 month, 1 week ago
Correct C
upvoted 1 times
 
thuylevn
correct answer C
upvoted 1 times
 
Acai
3 months ago
upvoted 1 times
 
ahos
Is this still a valid answer in the exam?
upvoted 1 times
 
valente_sven1
3 months ago
Yes, why not?
upvoted 1 times
 
Rohithalkt
upvoted 3 times
 
armandolubaba
C correct
upvoted 1 times
 
sidharthwader
6 months ago
Correct answer. But if its moving the region of the resource then i think azure vault could not be moved. Similarly few more resource's region cant
be changed
upvoted 5 times
 
shnz03
Good one! Thank you.
upvoted 1 times
 
ddb116
C is correct as long as we assume they are in the same tenant.
https://docs.microsoft.com/en-us/azure/backup/backup-azure-move-recovery-services-vault?toc=/azure/azure-resource-manager/toc.json
upvoted 2 times
 
jam7272
7 months ago
If you are not sure about Recovery Services Vaults - https://docs.microsoft.com/en-us/azure/backup/backup-azure-move-recovery-services-vault?
toc=/azure/azure-resource-manager/toc.json - you can move them.
upvoted 3 times
 
ms70743
C is correct
upvoted 2 times
 
mg
Answer C is correct
upvoted 2 times
 
bacana
Correct
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources#microsoftcompute
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources#microsoftnetwork
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources#microsoftstorage
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources#microsoftrecoveryservices
upvoted 3 times
 
fedztedz
Answer is correct. C.
upvoted 3 times
You recently created a new Azure subscription that contains a user named Admin1.
Admin1 attempts to deploy an Azure Marketplace resource by using an Azure Resource Manager template. Admin1 deploys the template by using
Azure
PowerShell and receives the following error message: ‫ג‬€User failed validation to purchase resources. Error message: ‫ג‬€Legal terms have not been
accepted for this item on this subscription. To accept legal terms, please go to the Azure portal (http://go.microsoft.com/fwlink/?LinkId=534873)
and configure programmatic deployment for the Marketplace item or create it there for the first time.‫ג‬€
You need to ensure that Admin1 can deploy the Marketplace resource successfully.
What should you do?
A.
From Azure PowerShell, run the Set-AzApiManagementSubscription cmdlet
B.
From the Azure portal, register the Microsoft.Marketplace resource provider
C.
From Azure PowerShell, run the Set-AzMarketplaceTerms cmdlet
D.
From the Azure portal, assign the Billing administrator role to Admin1
Correct Answer:
C
Reference:
https://docs.microsoft.com/en-us/powershell/module/az.marketplaceordering/set-azmarketplaceterms?view=azps-4.1.0
 
mlantonis
Highly Voted 
5 months ago
Correct Answer: C
Set-AzMarketplaceTerms -Publisher <String> -Product <String> -Name <String> [-Accept] [-Terms <PSAgreementTerms>] [-DefaultProfile
<IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
Reference:
https://docs.microsoft.com/en-us/powershell/module/Az.MarketplaceOrdering/Set-AzMarketplaceTerms?view=azps-4.6.0
upvoted 40 times
 
lingxian
I found mlantonis's answers are the most credible.
upvoted 7 times
 
xclusivetp3
Highly Voted 
1 year, 2 months ago
answer is correct
upvoted 26 times
 
Mukesh_Aggarwal_07
Most Recent 
3 weeks, 5 days ago
C seems correct
upvoted 1 times
 
AubinBakana
I have been doing the Azure Learn course and many of these questions are not even covered there. I am glad I took the time to go through these
questions. The answer is correct.
upvoted 4 times
 
thuylevn
agree C
upvoted 1 times
 
Acai
3 months ago
upvoted 1 times
 
flash007
Right away the billing administrator is not correct as the question mentions powershell so you are left with 3 choices. It doesn't mention API so
again that one appears to be wrong too.
Leaving just 2 choices B & C. again it is mentioning Powershell so answer B mentions the azure portal which is no powershell. So that leaves C
because it does indeed mention powershell and mentions Marketplace which is used in the question too.
upvoted 10 times
 
subhadeep_sen
thanks
upvoted 1 times
 
NigHtHunter2000
3 months ago
Lol. This kind of answering is best when you are facing it in the exam but here i dont think its suitable becaz we want to know the process.
upvoted 5 times
 
AubinBakana
Haha! exactly what I was think :)
upvoted 1 times
 
armandolubaba
C is correct
upvoted 1 times
 
ms70743
C. Set-AzMarketplaceTerms
upvoted 2 times
 
mg
Answer C is correct
upvoted 1 times
 
ZUMY
Answer is correct
upvoted 2 times
 
Anil_203
25/02/2021 exam question
upvoted 2 times
 
Sandroal29
8 months ago
the provided answer is correct.
upvoted 2 times
 
toniiv
C. is correct (use Set-AzureRmMarketplaceTerms before deployment (one time for any new non-standard Azure product))
upvoted 2 times
 
mikl
Is this question still on the exam after 27/1-2021?
C seems correct - "Accept or reject terms for a given publisher id(Publisher), offer id(Product) and plan id(Name). Please use Get-
AzMarketplaceTerms to get the agreement terms."
upvoted 2 times
 
kashi1983
Answer is correct
upvoted 1 times
 
waterzhong
Accept or reject terms for a given publisher id(Publisher), offer id(Product) and plan id(Name). Please use Get-AzMarketplaceTerms to get the
agreement terms.
upvoted 4 times
You have an Azure Active Directory (Azure AD) tenant that contains 5,000 user accounts.
You create a new user account named AdminUser1.
You need to assign the User administrator administrative role to AdminUser1.
What should you do from the user account properties?
A.
From the Licenses blade, assign a new license
B.
From the Directory role blade, modify the directory role
C.
From the Groups blade, invite the user account to a new group
Correct Answer:
B
Assign a role to a user -
1. Sign in to the Azure portal with an account that's a global admin or privileged role admin for the directory.
2. Select Azure Active Directory, select Users, and then select a specific user from the list.
3. For the selected user, select Directory role, select Add role, and then pick the appropriate admin roles from the Directory roles list, such as
Conditional access administrator.
4. Press Select to save.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal
 
dan7777
Highly Voted 
This is the correct answer( select Active directory --> Users--> select the username --> Assigned roles --> click on +add Assignments --> select
User administrator role
upvoted 44 times
 
mlantonis
Highly Voted 
5 months ago
Correct Answer: B
Active Directory -> Manage Section -> Roles and administrators-> Search for Admin and assign a user to it.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal
upvoted 21 times
 
ik96
1 month ago
B is correct.
upvoted 2 times
 
bornonthird
Most Recent 
3 weeks ago
B is correct
upvoted 1 times
 
RazanT
2 months ago
this was in test 8/15/21
upvoted 2 times
 
thuylevn
agrees, B
upvoted 1 times
 
Jotess
answer is B.the question was on Jul 23, 2021 exam
upvoted 3 times
 
drexciya28
The formulation of the answers is confusing. Under User Properties, there's the Assigned roles blade, and that's the option to use, there you can
assign both Azure AD as well as regular RBAC roles.
upvoted 3 times
 
Shiven12
This question came in the exam on 29/6/2021 - Passed the exam
upvoted 2 times
 
ms70743
B is correct
upvoted 1 times
 
mg
From the Directory role blade, modify the directory role
B is correct
upvoted 2 times
 
ZUMY
B is correct
upvoted 2 times
 
ZUMY
B is correct
upvoted 1 times
 
Merma
8 months ago
B is Correct https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/AdministrativeRole/userId/
Home>Tenant>Users>AdminUser1 + Add assignments

upvoted 2 times
 
Sandroal29
8 months ago
Without discussion, the provided answer is correct.
upvoted 1 times
 
toniiv
B. is correct (AD uses RBAC, role-based access control)
upvoted 1 times
 
aMiPL
Active Directory -> Manage Section -> Roles and administrators-> Search for Admin and assign a user to it
Correct Answer is: B

upvoted 1 times
 
QiangQiang
there is no "Directory role" blade, I guess C is the correct answer, you can add the user account to a group which has the required directory role.
upvoted 1 times
 
SScott
B is right, the answer is incomplete and Azure Active Directory is Directory role blade, selection choice poorly worded. Only guests or vendor
accounts would be invited. Administrator assigned roles are explicit and are directly modified.
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/add-change-subscription-administrator
upvoted 3 times
You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains 100 user accounts.
You purchase 10 Azure AD Premium P2 licenses for the tenant.
You need to ensure that 10 users can use all the Azure AD Premium features.
What should you do?
A.
From the Licenses blade of Azure AD, assign a license
B.
From the Groups blade of each user, invite the users to a group
C.
From the Azure AD domain, add an enterprise application
D.
From the Directory role blade of each user, modify the directory role
Correct Answer:
A
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/license-users-groups
 
zyta
Highly Voted 
that's true - licences need to be assigned
upvoted 42 times
 
kentarn
That answer made me lol
upvoted 11 times
 
mlantonis
Highly Voted 
5 months ago
Correct Answer: A
Active Directory-> Manage Section > Choose Licenses -> All Products -> Select Azure Active Directory Premium P2 -> Then assign a user to it.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/license-users-groups
upvoted 36 times
 
sreekan
yes its true!!! apart from this we need to add location of User also
upvoted 4 times
 
Naig
Most Recent 
2 months ago
correct A
upvoted 2 times
 
mspositivityy
2 months ago
On 8/19 exam
upvoted 1 times
 
AubinBakana
Sweet. I would create a group and add all the 10 users then apply the license to the group for management. Answer A is correct
upvoted 1 times
 
MD9
that correct - need to assign license
upvoted 1 times
 
thuylevn
agree A
upvoted 1 times
 
SeanOGD
This question is stupidly formed.
Isn't best practise RBAC and therefore licences and access should be assigned to roles or groups of which users become a member via dynamic
membership rules?
So why would you assign 'a' (as in one) license via the license tab?
You assign the licenses to a group to which you need to add the required members.
None of the answers are actually 100% correct.

upvoted 2 times
 
Acai
3 months ago
B is like invite user to a group...and then what? haha

upvoted 2 times
 
BenStokes
The answer is without doubt and quite obvious is option A.
Licence is the only way the features will be available for user.
upvoted 1 times
 
Abhi1984
A is correct
upvoted 1 times
 
armandolubaba
A is correct
upvoted 1 times
 
ms70743
A. Licence need to be assigned
upvoted 1 times
 
mg
assign license.
A is correct
upvoted 2 times
 
fedztedz
Answer is correct A. Assign license
upvoted 3 times
 
ZUMY
A is correct. Go to Azure active directory->License->All Product->Azure AD Premium P2 (Assign the user). Tested in azure (100 Trail License
available)
upvoted 2 times
 
toniiv
A. is correct
upvoted 2 times
You have an Azure subscription named Subscription1 and an on-premises deployment of Microsoft System Center Service Manager.
Subscription1 contains a virtual machine named VM1.
You need to ensure that an alert is set in Service Manager when the amount of available memory on VM1 is below 10 percent.
A.
Create an automation runbook
B.
Deploy a function app
C.
Deploy the IT Service Management Connector (ITSM)
D.
Create a notification
Correct Answer:
C
The IT Service Management Connector (ITSMC) allows you to connect Azure and a supported IT Service Management (ITSM) product/service,
such as the
Microsoft System Center Service Manager.
With ITSMC, you can create work items in ITSM tool, based on your Azure alerts (metric alerts, Activity Log alerts and Log Analytics alerts).
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/itsmc-overview
 
mlantonis
Highly Voted 
5 months ago
Correct Answer: C
IT Service Management Connector (ITSMC) allows you to connect Azure to a supported IT Service Management (ITSM) product or service. Azure
services like Azure Log Analytics and Azure Monitor provide tools to detect, analyze, and troubleshoot problems with your Azure and non-Azure
resources. But the work items related to an issue typically reside in an ITSM product or service. ITSMC provides a bi-directional connection between
Azure and ITSM tools to help you resolve issues faster. ITSMC supports connections with the following ITSM tools: ServiceNow, System Center
Service Manager, Provance, Cherwell.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/itsmc-overview
upvoted 30 times
 
OmegaGeneral
Highly Voted 
Correct, you can use the connector to bridge them together
upvoted 23 times
 
tita_tovenaar
Agreed. But interesting to reflect why the rest is wrong.
A and B are technically possible too, but the question is what to do *first*. In both cases you'd need to create a trigger first (runbooks and
function apps don't run by themselves) eg. with a rule and webhook.
D is fairly obviously nonsense, that won't do anything to get you to Service Manager.
upvoted 2 times
 
imran_mohd
Most Recent 
4 days, 3 hours ago
In exam 16/10/21
upvoted 2 times
 
ohana
4 days, 6 hours ago
Took the exam today, 17 Oct. This question came out. Ans: C
upvoted 2 times
 
khengoolman
1 week, 3 days ago
Passed today with 947. This question appeared, correct Answer is C
upvoted 3 times
 
iamnivas
1 week, 2 days ago
Are these questions still relevant as exam changed recently?
upvoted 1 times
 
Insanewhip
1 week ago
Yes they are, there was a very minor change to the exam
upvoted 1 times
 
perrito_css
1 month, 1 week ago
exam 10/09/21
upvoted 2 times
 
Ashokkumarvnt
1 month, 1 week ago
correct Answer
upvoted 1 times
 
khismail
2 months ago
In Exam 21/08/2021
upvoted 1 times
 
AubinBakana
I noted that the ITSM has 2 stars. Anybody else has experience using it in the real environment? What are the problems you might have
encountered. Thank you
upvoted 1 times
 
thuylevn
agree C
upvoted 1 times
 
Acai
3 months ago
The provided answer is correct, however, I think this link provides a better clarification.
https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/itsmc-definition
upvoted 1 times
 
Rohithalkt
upvoted 3 times
 
wsscool
in exam 7/3/2021
upvoted 3 times
 
lucky_18
upvoted 4 times
 
armandolubaba
C is correct
upvoted 1 times
 
londonboy
C is correct
upvoted 3 times
 
mg
C
Deploy the IT Service Management Connector (ITSM)

upvoted 3 times
You sign up for Azure Active Directory (Azure AD) Premium.
You need to add a user named admin1@contoso.com as an administrator on all the computers that will be joined to the Azure AD domain.
What should you configure in Azure AD?
A.
Device settings from the Devices blade
B.
Providers from the MFA Server blade
C.
User settings from the Users blade
D.
General settings from the Groups blade
Correct Answer:
A
When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principles to the local
administrators group on the device:
✑ The Azure AD global administrator role
✑ The Azure AD device administrator role
✑ The user performing the Azure AD join
In the Azure portal, you can manage the device administrator role on the Devices page. To open the Devices page:
1. Sign in to your Azure portal as a global administrator or device administrator.
2. On the left navbar, click Azure Active Directory.
3. In the Manage section, click Devices.
4. On the Devices page, click Device settings.
5. To modify the device administrator role, configure Additional local administrators on Azure AD joined devices.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin
 
prashantjoge
Highly Voted 
I studied from Microsoft learn for az-104. So far all the questions look alien to me. Dont know the answer to most of them. I wonder if its the same
with others. They say that you shouldn't use dumps. But It seems like dumps is the only way to go, if they make the exams so tough
upvoted 108 times
 
barry08
1 day, 3 hours ago
Right? I got such a shock when reading these questions. I had done video course and all labs twice on udemy, then read MS learn, then whizlabs
practice tests feeling like i was prepared and now feel like i know hardly anything, its crazy.
upvoted 1 times
 
chity
you just have to grind hard.most people here do no know anything
upvoted 1 times
 
VVR141
4 months ago
I would say you are not alone, most of us do face this, coz these exams best suite to level of an experienced persons, and for others best way is
to gain the knowledge of the Azure and then use the dumps to crack the exam, as we all know exam is different from to be able to perform
azure jobs. So in simple, use combo for any exam.
upvoted 13 times
 
ajoh
1 month, 1 week ago
correct
upvoted 1 times
 
Dizzu
5 months ago
this is quite true. I've been studying for the exam for weeks now without looking at dumps (per advice from a Youtube tutor), now it's 2 days to
my exam, I'm finally checking out dumps & I immediately regret wasting all that time studying. I could have done this exam weeks ago with
dumps alone, now I went through like 200 questions & can't boast of 10 correct answers from all that study. Such a waste. Absolutely hate that
I'm having to rush through these dumps now.
upvoted 27 times
 
DevOpposite
2 weeks, 4 days ago
yes I made that mistake in AZ900, never again returning MS learning modules. study these questions, understand logic behind them, refer to
links. there will probably be 10% useful stuff from these exams in real life. dumps to pass exams. YT, Google, GIT etc. in real life . this is my
guess, never worked in IT
upvoted 3 times
 
GodfreyMbizo
1 month, 1 week ago
your situation is like mine,i am having exams in 2 days.i started studying today.Hope i will pass
upvoted 2 times
 
ik96
4 weeks, 1 day ago
did you pass
upvoted 2 times
 
rockhound
3 weeks, 6 days ago
lol if he passed he's not returning to this site anymore :) he is done :)
upvoted 8 times
 
hbadger25
Did you pass the exam?
upvoted 8 times
 
mlantonis
Highly Voted 
5 months ago
Correct Answer: A
When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principles to the local
administrators group on the device:
✑ The Azure AD global administrator role
✑ The Azure AD device administrator role
✑ The user performing the Azure AD join
In the Azure portal, you can manage the device administrator role on the Devices page. To open the Devices page:
1. Sign in to your Azure portal as a global administrator or device administrator.
2. On the left navbar, click Azure Active Directory.
3. In the Manage section, click Devices.
4. On the Devices page, click Device settings.
5. To modify the device administrator role, configure Additional local administrators on Azure AD joined devices.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin
upvoted 44 times
 
Gde360
3 months ago
Good to know the steps.
However, please be aware that the option of "Additional local administrators on Azure AD joined devices." requires an Azure AD Premium
tenant.
upvoted 2 times
 
ohana
Most Recent 
4 days, 6 hours ago
Took the exam today, 17 Oct. This question came out. Ans: A
upvoted 1 times
 
afathy
Correct, From AZ AD > Devices > Device settings > chose selected > then add member that will be administrator of all the machines also members
allowed to join devices
upvoted 2 times
 
AubinBakana
For some odd reasons, I initially thought it was Users' settings. Of course, it's device settings.
upvoted 1 times
 
thuylevn
agree A
upvoted 2 times
 
villanz
Can Anyone tell me do we have live lab sessions?
upvoted 3 times
 
Acai
3 months ago
https://microsoftlearning.github.io/AZ-104-MicrosoftAzureAdministrator/
Note: You'll need to have an Azure subscription, if this is your 1st time you can try the free trial with a Microsoft acc
upvoted 1 times
 
achmadirvanp
upvoted 3 times
 
J4U
I couldn't see this option in device settings blade now. probably it's moved to some other place although the docs have the screenshot with this
option.
upvoted 2 times
 
alisyech
4 months ago
A is correct answer
upvoted 1 times
 
londonboy
A is correct. Just tried it!
upvoted 1 times
 
mg
A is correct. Device settings from the devices blade
upvoted 1 times
 
fedztedz
Answer is correct A. Device Settings
upvoted 6 times
 
Richy_money
hello fedztedz, please what material did you use to prepare. you are very knowledgeable on this. please reply
upvoted 1 times
 
ZUMY
A is correct!
upvoted 2 times
 
StixxNSnares
Correct
upvoted 1 times
 
ss911
8 months ago
Correct, see in my AD
upvoted 1 times
 
toniiv
A. is correct
upvoted 1 times
 
ss911
Correct
Check in my Azure subscription

upvoted 1 times
HOTSPOT -
You have Azure Active Directory tenant named Contoso.com that includes following users:
Contoso.com includes following Windows 10 devices:
You create following security groups in Contoso.com:
Hot Area:
Correct Answer:
Box 1: Yes -
User1 is a Cloud Device Administrator.
Device2 is Azure AD joined.
Group1 has the assigned to join type. User1 is the owner of Group1.
Note: Assigned groups - Manually add users or devices into a static group.
Azure AD joined or hybrid Azure AD joined devices utilize an organizational account in Azure AD
Box 2: No -
User2 is a User Administrator.
Device1 is Azure AD registered.
Group1 has the assigned join type, and the owner is User1.
Note: Azure AD registered devices utilize an account managed by the end user, this account is either a Microsoft account or another locally
managed credential.
Box 3: Yes -
User2 is a User Administrator.
Device2 is Azure AD joined.
Group2 has the Dynamic Device join type, and the owner is User2.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/overview
 
OmarMac
Highly Voted 
This is totally wrong. If both groups are owned by user2 then user1 cannot add device2 to group1. User1 can only delete, disable, & enable devices.
User2 is able to create/delete and add/remove group membership. Dynamic Device: Administrators create dynamic group rules to automatically
add and remove devices.
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#cloud-device-administrator-permissions
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator-permissions
https://docs.microsoft.com/en-us/mem/intune/fundamentals/groups-add
Owner of all groups - User2
User1 can add Device2 to Group1 - No
User2 can add Device1 to Group1 - Yes
Owner of groups - User1 (Group1) & User2 (Group2)

upvoted 145 times
 
AubinBakana
2 months ago
The answer is correct:
t's No, Yes, No.
Although User2 owns the group, he is not allowed to add a registered device because that device is linked to an account that is not part of the
directory. The device is not joined, it is registered. To add that device he'd need access to the user account with which the Device is registered.
upvoted 3 times
 
AubinBakana
2 months ago
Please delete the above comment. I meant Yes, No, Yes
upvoted 1 times
 
juniorccs
Thanks for this
upvoted 2 times
 
ph4nt0m01
This answer is correct.
Adding additional notes that Cloud Administrator cannot add devices to groups, unless Cloud Administrator has additional permissions through
other groups or Cloud Administrator is owner of the group.
Here is what Cloud Admin can do:
- Read all properties on audit logs, including privileged properties
- Read bitlocker metadata and key on devices
- Delete devices from Azure AD
- Disable devices in Azure AD
- Enable devices in Azure AD
- Read standard properties on device management application policies
- Update basic properties on device management application policies
- Read standard properties on device registration policies
- Update basic properties on device registration policies
- Read all properties on sign-in reports, including privileged properties
- Read and configure Azure Service Health
- Read and configure Service Health in the Microsoft 365 admin center
- Read all properties on audit logs, including privileged properties

upvoted 8 times
 
ph4nt0m01
I meant OmarMac's answer is correct.
upvoted 6 times
 
Alimister
in the second scenario of Owner of groups - User1 (Group1) & User2 (Group2) how user 2 can add device 1 to group 1...user 2 is not the owner
of group 1
upvoted 4 times
 
YooOY
1 month ago
Although in the second scenario user2 is not the owner of group1, user2 is still user administrator who can update group members, so
adding device/user to group 1 is okay.
upvoted 1 times
 
Giannis8
Highly Voted 
Correct answer is:
No (Cloud administrators can manage devices, not group membership)
Yes (User administrators can manage all aspects of security groups)
No (Dynamic membership)
Tested in lab
upvoted 72 times
 
rgullini
I trust this one just because you say "Tested" in lab.
upvoted 6 times
 
yoelalan14
If we consider that 'User 2' is the owner of Group 1, then your answer is correct; but on the explanation, it clearly states that 'User 1' is the owner
of Group 1, hence, "User 1 CAN add a device to Group 1"
upvoted 1 times
 
kantzy
10 months ago
I agree with this answer.
upvoted 1 times
 
aaa112
10 months ago
User1 (cloud device admin) can add DEVICE2 (it's a device) to Group1, hence it's YES
upvoted 2 times
 
Eltooth
Most Recent 
5 days, 6 hours ago
No Yes No.
upvoted 1 times
 
ScoutP
2 weeks, 4 days ago
upvoted 2 times
 
omw2wealth
2 weeks, 5 days ago
NO YES NO IS SUPER CORRECT FOR THIS CASE.
upvoted 1 times
 
Mukesh_Aggarwal_07
3 weeks, 5 days ago
No, Yes, No
upvoted 2 times
 
Michael_ATB
3 weeks, 5 days ago
Answer:
No
Yes
No
upvoted 1 times
 
theOldOne
3 weeks, 6 days ago
How is it that the verified answer seems to be exactly backwards and seems to have been that way for a while now? At what point does the "Expert
answer" get checked for accuracy and updated?
upvoted 1 times
 
hoangton
2 months ago
No/yes/no
upvoted 1 times
 
AubinBakana
2 months ago
(correcting a previous post I posted - please delete the previous submission. I meant: Yes, No, Yes)
It's Yes, No, Yes.
Although User2 owns Group2, he is not allowed to add a registered device because that device is linked to an account that is not part of the
directory. The device is not joined, it is registered. To add that device he'd need access to the user account with which the device is registered;
something that has not been stated here.
upvoted 1 times
 
AubinBakana
2 months ago
t's No, Yes, No.
upvoted 1 times
 
AubinBakana
2 months ago
t's No, Yes, No.
upvoted 1 times
 
TKhan2021
it should be all 'No'. User Administrator cannot add devices.
upvoted 2 times
 
lenco
1 month ago
I agree, description of User Administrator role here: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-
administrator
upvoted 1 times
 
Srd
3 months ago
No, Yes, No
Why don’t you update the wrong answers?

upvoted 1 times
 
lemist
You can't manually add or remove a member of a dynamic group.
upvoted 2 times
 
CloudyTech
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
Cloud admin can enable and disable not add

upvoted 1 times
 
Delanase
4 months ago
NYN
User1 is not the owner of Group1 and the Devices can not be added in dynamic group
upvoted 2 times
You have an Azure subscription that contains a resource group named RG26.
RG26 is set to the West Europe location and is used to create temporary resources for a project. RG26 contains the resources shown in the
following table.
SQLDB01 is backed up to RGV1.
When the project is complete, you attempt to delete RG26 from the Azure portal. The deletion fails.
You need to delete RG26.
A.
Delete VM1
B.
Stop VM1
C.
Stop the backup of SQLDB01
D.
Delete sa001
Correct Answer:
C
 
chrisNC
Highly Voted 
Took my exam a few days ago and passed with a 925. All but about 4 or 5 question are covered in these dumps. Always check the discussion for
best answer.
upvoted 20 times
 
karan3090
hey ChrisNC...what percentage of questions we can expect from these dumps....70, 80 % plz confirm. It will be really helpful
upvoted 1 times
 
juniorccs
Thanks for that, I'll take the exam on 31st August, I hope the questions remain the same
upvoted 1 times
 
AlooyDaBoss
1 month, 1 week ago
my exam is soon and Im studying from this dump, how's ur exam went? many questions were from the dumps?
upvoted 1 times
 
thuylevn
I do that time too
upvoted 1 times
 
Vjabhishek
Hey all the questions came from dump? if not what percentage we can expect it to be come from these dumps?
upvoted 1 times
 
achmadirvanp
Highly Voted 
upvoted 5 times
 
fabylande
Most Recent 
1 day, 18 hours ago
upvoted 2 times
 
kashi1983
Answer is C
upvoted 2 times
 
Kamex009
upvoted 4 times
 
eduhazard
3 months ago
C - answer is correct
upvoted 1 times
 
BenStokes
Answer is correct - C
Ref # https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault
upvoted 5 times
 
villanz
Yes correct - c
upvoted 1 times
 
dupakonia
C is correct
upvoted 2 times
 
ahatem
answer is correct
upvoted 1 times
You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1.
Subscription1 has a user named User1. User1 has the following roles:
✑ Reader
✑ Security Admin
✑ Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users.
What should you do?
A.
Remove User1 from the Security Reader and Reader roles for Subscription1.
B.
Assign User1 the User Access Administrator role for VNet1.
C.
Assign User1 the Network Contributor role for VNet1.
D.
Assign User1 the Network Contributor role for RG1.
Correct Answer:
B
Has full access to all resources including the right to delegate access to others.
Note:
There are several versions of this question in the exam. The question can have other incorrect answer options, including the following:
1. Name Server (NS)
2. Assign User1 the Contributor role for VNet1.
3. Remove User1 from the Security Reader and Reader roles for Subscription1. Assign User1 the Contributor role for Subscription1.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
 
js_indore
3 weeks, 2 days ago
agree, its B
upvoted 4 times
 
pakman
3 weeks, 2 days ago
This answer is correct.
upvoted 2 times
 
ech
3 weeks, 2 days ago
Answer is correct.
upvoted 2 times
You have an Azure Active Directory (Azure AD) tenant named contosocloud.onmicrosoft.com.
Your company has a public DNS zone for contoso.com.
You add contoso.com as a custom domain name to Azure AD.
You need to ensure that Azure can verify the domain name.
Which type of DNS record should you create?
A.
MX
B.
NSEC
C.
PTR
D.
RRSIG
Correct Answer:
A
To verify your custom domain name (example)
1. Sign in to the Azure portal using a Global administrator account for the directory.
2. Select Azure Active Directory, and then select Custom domain names.
3. On the Fabrikam - Custom domain names page, select the custom domain name, Contoso.
4. On the Contoso page, select Verify to make sure your custom domain is properly registered and is valid for Azure AD. Use either the TXT or
the MX record type.
Note:
There are several versions of this question in the exam. The question can have two correct answers:
1. MX
2. TXT
The question can also have other incorrect answer options, including the following:
1. SRV
2. NSEC3
Reference:
https://docs.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain
 
ms70743
Highly Voted 
10 months ago
TXT and MX are valid answers.
upvoted 30 times
 
sidharthwader
Highly Voted 
So guys i will try to give an expiation to this question.
When you add a custom domain in azure u are not allowed to use that unless u prove its your domain.So once u add the custom domain name
azure asks u to verify and you have to provide some inputs to verify that its your these inputs can be provided in TXT or MX. So its MX in this case
upvoted 19 times
 
JayBee65
Thank you - the process is covered here where you can see either TXT or MX can be chosen: https://docs.microsoft.com/en-us/azure/active-
directory/fundamentals/add-custom-domain
upvoted 6 times
 
Balram7
5 months ago
Thank you
upvoted 1 times
 
Exam_khan
Most Recent 
mx is a mail exchange record for registering different domains
upvoted 1 times
 
Deyvessh
Once you added your Unverified Domain (According to Azure) you need to create a TXT or MX Record to Configure DNS then you copy all the
information provided and Add your DNS Information to the Domain Registrar, Generally It takes an hour to verify domain Status, you can go ahead
in the Custom Domain Names Setting and click verify and Information will be refreshed once its Verified.
upvoted 1 times
 
Deyvessh
TXT - TXT Records is a type of Domain Name System that contains Text Information for Sources outside of your Domain. Generally Companies
uses it to verify Custom Domain Ownership
MX - Mail Exchanger Record specifies the Mail Server responsible for email messages on behalf of Domain Name.
upvoted 3 times
 
CARIOCA
Will the variations of these questions always fall into the TXT or MX options, or is there any variation of the question that the answer goes to both
options or between the two, will any prevail in the final answer?
In this specific debate, the answer is MX and does not even have the TXT option in the answer, so it is correct.
upvoted 2 times
 
mlantonis
5 months ago
Correct Answer: A
TXT and MX can be both correct answers.

upvoted 9 times
 
Kmesa
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain
upvoted 1 times
 
armandolubaba
Mx is correct answer
upvoted 2 times
 
nikhilmehra
TXT in exam list
upvoted 5 times
 
shnz03
Good one! Thanks
upvoted 1 times
 
farhad090
6 months ago
In the exam there is not any answer with MX record.
upvoted 1 times
 
londonboy
It should be TXT record in dns.
upvoted 1 times
 
ZUMY
TXT or MX . In this answer list it's MX
upvoted 3 times
 
I
8 months ago
The answer is correct. And here is the right reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain#add-your-custom-domain-name-to-azure-ad
upvoted 2 times
 
toniiv
A. is correct (either TXT or MX record in your DNS server will be ok)
upvoted 1 times
 
Azurite
On the custom domain name window, the record type options are TXT and MX. TXT is preferred but since it is not provided as an answer, the
closest answer is MX
upvoted 2 times
 
mikl
I cant find anywhere it says MX - MX is for email servers.
https://docs.microsoft.com/en-us/azure/dns/dns-zones-records
upvoted 2 times
 
AZ764
TXT record is the correct answer. MX record would ONLY be if you were setting up email configurations. This question does not specify email is
required, thus a TXT record is the correct answer
upvoted 2 times
 
shnz03
I disagree. Both TXT and MX records are supported for custom domain name.
upvoted 1 times
You have an Azure Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named
Developers.
Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Subscription1, you assign the DevTest Labs User role to the Developers group.
Does this meet the goal?
A.
Yes
B.
No
Correct Answer:
B
DevTest Labs User role only lets you connect, start, restart, and shutdown virtual machines in your Azure DevTest Labs.
The Logic App Contributor role lets you manage logic app, but not access to them. It provides access to view, edit, and update a logic app.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles https://docs.microsoft.com/en-us/azure/logic-apps/logic-
apps-securing-a-logic-app
 
mlantonis
Highly Voted 
5 months ago
Correct Answer: B
The Azure DevTest Labs is a role used for Azure DevTest Labs, not for Logic Apps.
DevTest Labs User role only lets you connect, start, restart, and shutdown virtual machines in your Azure DevTest Labs.
The Logic App Contributor role lets you manage logic app, but not access to them. It provides access to view, edit, and update a logic app.
Reference:
https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#devtest-labs-user
upvoted 19 times
 
Lilyli
What does "let you manage logic app ,but not access to them" mean? if you can manage them ,why can't you access to them?
upvoted 3 times
 
asd1234asd
Highly Voted 
12 months ago
Clearly No, Azure DevTest Labs is a service that has nothing to do with Logic App
upvoted 18 times
 
chaudha4
Trick question. Too much use of "dev" keyword to trick people into thinking that somehow DevTest Labs is related to all these "dev" resources !!
upvoted 6 times
 
imran_mohd
Most Recent 
4 days, 3 hours ago
In exam 16/10/21
upvoted 1 times
 
wsscool
in exam 7/3/2021
upvoted 2 times
 
acmaws
The answer is B:
DevTest Labs User: Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs.
upvoted 1 times
 
inemumoren

upvoted 1 times
 
nfett
Its no. Verified it from the link provided.
upvoted 1 times
 
ms70743
Answer is B
upvoted 2 times
 
mg
B is correct
DevTest Labs is a role used for Azure DevTest Labs not Logic App.
upvoted 1 times
 
ZUMY
B is correct
upvoted 1 times
 
Sandroal29
8 months ago
The provided answer is correct. AD group needs to be granted a contributor role to be able to create resources in the RG.
upvoted 1 times
 
toniiv
B. is correct (DevTest Labs is an environment which provides a service, not related to Logic Apps)
upvoted 1 times
 
waterzhong
Logic App Contributor: Lets you manage logic apps, but you can't change access to them.
Logic App Operator: Lets you read, enable, and disable logic apps, but you can't edit or update them.
upvoted 1 times
 
fedztedz
Answer is correct . NO (B).
The Azure DevTest Labs is a role used with Azure DevTest Labs not Logic App.
upvoted 3 times
 
Raakezz
Cum 12/05/2020
upvoted 2 times
 
SSTan
It will need LogicApp contributor role.
upvoted 4 times
Developers.
Solution: On Subscription1, you assign the Logic App Operator role to the Developers group.
A.
Yes
B.
No
Correct Answer:
B
You would need the Logic App Contributor role.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles https://docs.microsoft.com/en-us/azure/logic-apps/logic-
apps-securing-a-logic-app
 
OmarMac
Highly Voted 
Logic App Operator Role - Lets you read, enable, and disable logic apps, but not edit or update them.
upvoted 27 times
 
mlantonis
Highly Voted 
5 months ago
Correct Answer: B
You would need the Logic App Contributor role.
Logic App Operator - Lets you read, enable, and disable logic apps, but not edit or update them.
Logic App Contributor - Lets you create, manage logic apps, but not access to them.
Reference:
https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#logic-app-operator
upvoted 19 times
 
eduhazard
Most Recent 
3 months ago
Operator is not Contributor
upvoted 1 times
 
wsscool
in exam 7/3/2021, solution was something different
upvoted 2 times
 
armandolubaba
Correct answer is B
upvoted 1 times
 
nfett
B is correct. OmarMac provided the correct properties of this user.
upvoted 1 times
 
ms70743
B is correct.
To be able to create logic apps, you need Logic App Contributor

upvoted 1 times
 
mg
B Answer is correct
Logic App Operator - Lets you read, enable, and disable logic apps, but not edit or update them.
Logic App Contributor - Lets you create, manage logic apps, but not access to them.
upvoted 1 times
 
ZUMY
B is correct
upvoted 2 times
 
Sandroal29
8 months ago
The operator role is not enough. The proper role is the contributor role.
upvoted 1 times
 
toniiv
B. is correct (Logic App operator has no rights to add new Logic Apps)
upvoted 1 times
 
mikl
Answer is no.
You need to be Contributor to Create - Operator cannot do that.
Logic App Contributor Lets you manage logic apps, but not change access to them.
Logic App Operator Lets you read, enable, and disable logic apps, but not edit or update them.
upvoted 1 times
 
fedztedz
Answer is correct . NO (B).
Logic App Operator: Lets you read, enable, and disable logic apps, but you can't edit or update them.
To be able to create logic apps, you need Logic App Contributor

upvoted 3 times
 
Raakezz
Cum 12/05/2020
upvoted 3 times
Developers.
Solution: On Dev, you assign the Contributor role to the Developers group.
A.
Yes
B.
No
Correct Answer:
A
The Contributor role can manage all resources (and add resources) in a Resource Group.
 
fedztedz
Highly Voted 
Answer is Correct. YES (A)
Contributor role can create logic apps

upvoted 26 times
 
mlantonis
Highly Voted 
5 months ago
Correct Answer: A
The Contributor role can manage all resources (and add resources) in a Resource Group. Contributor role can create logic apps.
Alternatively, we can use the Logic App Contributor role, which lets you manage logic app, but not access to them. It provides access to view, edit,
and update a logic app.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#contributor
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#logic-app-contributor
upvoted 16 times
 
wsscool
Most Recent 
in exam 7/3/2021
upvoted 4 times
 
leonmflai4exam
Answer should be No (B). In case Contributor Role is assigned to RG => Dev. It will prompts subscription has no permission during resource
creation. We can only create the Logic Apps when Contributor role is assigned in Subsription
upvoted 1 times
 
nfett
A is correct answer.
Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share
image galleries.
upvoted 2 times
 
MrRom25
7 months ago
I think is NO since it should be "Logic App Contributor Role" and not only "Contributor Role"
upvoted 2 times
 
ZUMY
Sorry moderator pls rm my pre. Commt. Mistake
A is correct
upvoted 4 times
 
ZUMY
B is correct
upvoted 2 times
 
Sandroal29
8 months ago
The contributor role set for this group is sufficient for the group to create new resources in the resource group. So, the provided answer is correct.
upvoted 4 times
 
toniiv
A. is correct
upvoted 1 times
 
TheOne1
Correct. The only thing the contributor role couldn't do is change user permissions on the resource group, only the owner can do this. But all that is
required is the contributor role for this question.
upvoted 3 times
 
Raakezz
Cum 12/05/2020
upvoted 4 times
 
KarryD
BOT with spell mistake?
upvoted 5 times
DRAG DROP -
You have an Azure subscription that is used by four departments in your company. The subscription contains 10 resource groups. Each
department uses resources in several resource groups.
You need to send a report to the finance department. The report must detail the costs for each department.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
Select and Place:
Correct Answer:

Box 1: Assign a tag to each resource.
You apply tags to your Azure resources giving metadata to logically organize them into a taxonomy. After you apply tags, you can retrieve all the
resources in your subscription with that tag name and value. Each resource or resource group can have a maximum of 15 tag name/value pairs.
Tags applied to the resource group are not inherited by the resources in that resource group.
Box 2: From the Cost analysis blade, filter the view by tag
After you get your services running, regularly check how much they're costing you. You can see the current spend and burn rate in Azure portal.
1. Visit the Subscriptions blade in Azure portal and select a subscription.
You should see the cost breakdown and burn rate in the popup blade.
2. Click Cost analysis in the list to the left to see the cost breakdown by resource. Wait 24 hours after you add a service for the data to
populate.
3. You can filter by different properties like tags, resource group, and timespan. Click Apply to confirm the filters and Download if you want to
export the view to a
Comma-Separated Values (.csv) file.
Box 3: Download the usage report
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags https://docs.microsoft.com/en-
us/azure/billing/billing-getting-started
 
mlantonis
Highly Voted 
5 months ago
Correct Answer:
Box 1: Assign a tag to each resource
Box 2: From the Cost analysis blade, filter the view by tag
Box 3: Download the usage report
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags
https://docs.microsoft.com/en-us/azure/billing/billing-getting-started
upvoted 24 times
 
DevOpposite
1 week, 4 days ago
thank you m'lord
upvoted 2 times
 
moekyisin
Highly Voted 
Ans is correct
upvoted 17 times
 
Kamex009
Most Recent 
upvoted 6 times
 
flash007
You tag individual resources not groups
upvoted 2 times
 
y_dev
This question came in exam Jul 30, 21. I failed the exam. My score was 675 :(
upvoted 4 times
 
Jotess
the question was on Jul 23, 2021 - passed the exam
upvoted 3 times
 
Shiven12
upvoted 6 times
 
Natoc
its correct
upvoted 1 times
 
Paul74
6-Jun-21 exam question
upvoted 11 times
 
PrawinG
Paul74 - 104 dump here alone sufficient to pass the exam ? Please confirm.
upvoted 3 times
 
Paul74
4 months ago
It covers around 50 to 60% of the Questions. if we know the concept we can manage the remaining questions
upvoted 9 times
 
ScreamingHand
Confirmed in lab - answer is correct
upvoted 2 times
 
londonboy
answer is correct
upvoted 5 times
 
mg
Answer is correct
upvoted 4 times
 
ZUMY
Given answers is okay
upvoted 5 times
 
Sandroal29
8 months ago
Although the question is kind of ambiguous, the most rational option and sequence are the ones are suggested.
upvoted 1 times
 
Romancc
8 months ago
Ans is approved
upvoted 2 times
 
ciscogeek
Thanks for your approval
upvoted 5 times
 
toniiv
Answer is correct, you need to add tag to the resources, not to the resource groups since each department uses resources in different RG)
upvoted 5 times
 
mikl
Seems ok.
Tags applied to the resource group are not inherited by the resources in that resource group.
upvoted 1 times
You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1.
You need to view the error events from a table named Event.
Which query should you run in Workspace1?
A.
Get-Event Event | where {$_.EventType == "error"}
B.
search in (Event) "error"
C.
select * from Event where EventType == "error"
D.
search in (Event) * | where EventType -eq "error"
Correct Answer:
B
To search a term in a specific table, add the table-name just after the search operator
Note:
There are several versions of this question in the exam. The question has two possible correct answers:
1. Event | search "error"
2. Event | where EventType == "error"
3. search in (Event) "error"
Other incorrect answer options you may see on the exam include the following:
1. Get-Event Event | where {$_.EventTye ‫ג‬€"eq "error"}
2. Event | where EventType is "error"
3. search in (Event) * | where EventType ‫ג‬€"eq "error"
4. select * from Event where EventType is "error"
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/search-queries https://docs.microsoft.com/en-us/azure/azure-monitor/log-
query/get-started-portal https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/searchoperator?pivots=azuredataexplorer
 
GepeNova
Highly Voted 
2 weeks, 5 days ago
Correct B
Tested in lab Home>>Monitor>>Logs
All command queries return syntax error except Search in (Event) "error"
upvoted 5 times
 
sat128
Most Recent 
3 weeks, 1 day ago
Wrong answer
upvoted 1 times
 
pakman
3 weeks, 2 days ago
Correct.
upvoted 2 times
HOTSPOT -
You have an Azure subscription that contains a virtual network named VNET1 in the East US 2 region. A network interface named VM1-NI is
connected to
VNET1.
You successfully deploy the following Azure Resource Manager template.
Hot Area:
Correct Answer:
Box 1: Yes -
Box 2: Yes -
VM1 is in Zone1, while VM2 is on Zone2.
Box 3: No -
Reference:
https://docs.microsoft.com/en-us/azure/architecture/resiliency/recovery-loss-azure-region
 
pakman
Highly Voted 
3 weeks, 2 days ago
YES
YES
NO
upvoted 7 times
 
rigonet
3 weeks, 1 day ago
How do you know VM2-NI is connected to VNET1?
upvoted 2 times
 
alex_p
2 weeks, 5 days ago
the question actualy is - "VM1 and VM2 can connect VNET1 ? - Yes, they can because both are in tha same region where VNET1 is.
upvoted 8 times
 
Philly_cheese_steak
2 days, 6 hours ago
NO YES NO
There is no mention of VM2NI connected to VNET1??

upvoted 1 times
 
aqslatewala
Most Recent 
1 week, 5 days ago
No because VM2NI is not connected to VNET1
Yes
No
upvoted 2 times
 
a4andrew
1 week, 2 days ago
There is only one VNET mentioned. By default VM2NI is connected to VNET1. According to the template there is no explicit indication that
either NIC is assigned to the VNET1, thus my conclusion is that both are assigned to VNET1. My answer for #1 is YES
upvoted 1 times
 
HoanLac
2 weeks, 6 days ago
No Yes No
upvoted 2 times
You have an Azure subscription named Subscription1. Subscription1 contains the resource groups in the following table.
RG1 has a web app named WebApp1. WebApp1 is located in West Europe.
You move WebApp1 to RG2.
What is the effect of the move?
A.
The App Service plan for WebApp1 remains in West Europe. Policy2 applies to WebApp1.
B.
The App Service plan for WebApp1 moves to North Europe. Policy2 applies to WebApp1.
C.
The App Service plan for WebApp1 remains in West Europe. Policy1 applies to WebApp1.
D.
The App Service plan for WebApp1 moves to North Europe. Policy1 applies to WebApp1.
Correct Answer:
A
You can move an app to another App Service plan, as long as the source plan and the target plan are in the same resource group and
geographical region.
The region in which your app runs is the region of the App Service plan it's in. However, you cannot change an App Service plan's region.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/app-service-plan-manage
 
Cluster007
Highly Voted 
A is correct
upvoted 36 times
 
Veronika1989
Highly Voted 
tested 4/15/2021. The answer A is correct.
upvoted 22 times
 
ohana
Most Recent 
4 days, 6 hours ago
Took the exam today, 17 Oct. This question came out. Ans: A
upvoted 1 times
 
khengoolman
1 week, 3 days ago
Passed today with 947. This question appeared, correct Answer is A
upvoted 4 times
 
YooOY
4 weeks, 1 day ago
So WebApp1 is actually not moved to another App Service Plan but only changing RG? because move app requires same RG.
https://docs.microsoft.com/en-us/azure/app-service/app-service-plan-manage#move-an-app-to-another-app-service-plan requires
upvoted 1 times
 
Snownoodles
A is correct, C is incorrect: policy applies to both newly created resources and moved resources
upvoted 2 times
 
Omar_Aladdin
3 weeks ago
well said
upvoted 1 times
 
HankYY
you cannot change an App Service plan's region
A is correct
upvoted 1 times
 
Kamex009
upvoted 3 times
 
thuylevn
A, because cannot change an App Service plan's region
upvoted 1 times
 
juniorccs
I didn't rememver that the App Service plan can't be changed, but also, I thought that answer B was correct, cause when you move a resource from
Region A to B, all their dependencies are not moved together, you must move them one by one manually, this was my first hing why A was correct!
Good to be part of the discussion, thank you guys!
upvoted 3 times
 
AubinBakana
2 months ago
I thought exactly the same thing. Ha...
upvoted 1 times
 
mousomgogoi
highly voted a
upvoted 1 times
 
korben_dallas
3 months ago
The answer is A. Delete my previous comment
upvoted 1 times
 
wsscool
in exam 7/3/2021
upvoted 4 times
 
achmadirvanp
upvoted 4 times
 
lucky_18
upvoted 4 times
 
Deyvessh
When Resource Group is changed so Regions doesn't change and Policy will be applied according to the New Resource Group.
upvoted 2 times
 
Rambogan12
Answer C ? Policy1 "applies to WebApp1"
upvoted 2 times
 
VVR141
4 months ago
Policy is applied on RG level here, so when the app is moved to RG2 the policy of RG2 is applied.
upvoted 1 times
HOTSPOT -
You have an Azure subscription named Subscription1 that has a subscription ID of c276fc76-9cd4-44c9-99a7-4fd71546436e.
You need to create a custom RBAC role named CR1 that meets the following requirements:
✑ Can be assigned only to the resource groups in Subscription1

✑ Prevents the management of the access permissions for the resource groups
✑ Allows the viewing, creating, modifying, and deleting of resources within the resource groups
What should you specify in the assignable scopes and the permission elements of the definition of CR1? To answer, select the appropriate options
in the answer area.
Hot Area:
Correct Answer:

Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles https://docs.microsoft.com/en-us/azure/role-based-access-
control/resource-provider-operations#microsoftresources
 
fedztedz
Highly Voted 
The Answer is Wrong.
First part should be "/Subscription/subcription_id" only. There is nothing called "resourceGroups" only or "resourceGroups/*" . You can specify
either a subscription, specific resource group, management group or specific resource. for example it should
"/subcription/subcription_id/resourceGroups/resource_group_name"
Check https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/role-based-access-control/role-definitions.md#role-definition-structure
For second box. It is correct but missing "*". It should be "Microsoft.Authorization/*" . if you try this on az cli without "*". you will get an error
upvoted 78 times
 
Acai
3 months ago
I don't know how you said there's no 'resourceGroups' and then put 'resourceGroups' in your example, also an asterisk/wildcard meaning
denotes "all" this could imply there are multiple other fields the could be added in place of the wildcard. Regardless, I tested it, you can go to
Subscriptions > [Your Subscription] > IAM > Custom Roles. You are correct but the explanation was quite confusing.
upvoted 4 times
 
JayBee65
This link https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions gives an example of
"/subscriptions/{subscriptionId1}/resourceGroups/Network"
upvoted 6 times
 
tf444
{
"id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}",
"name": "{resourceGroupName}",
"type":"Microsoft.Resources/resourceGroups",
"location": "{resourceGroupLocation}",
"managedBy": "{identifier-of-managing-resource}",
"tags": {
},
"properties": {
"provisioningState": "{status}"
}
upvoted 2 times
 
tf444
/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{extensionResourceProviderNamespace}/{extensionResourceTy
pe}/{extensionResourceName}
upvoted 1 times
 
mlantonis
Highly Voted 
5 months ago
Correct Answer:
“/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546435e”
“Microsoft.Authorization/”
upvoted 38 times
 
ScoutP
Most Recent 
2 weeks, 4 days ago
Note that the options listed here reflect how they are on the actual exam
upvoted 3 times
 
Kamex009
upvoted 3 times
 
AubinBakana
2 months ago
the answer is correct:
The scope is "/subscription/subcription_id/resourceGroups/resource_group_name"
Unfortunately the screenshot does not capture the name of the resource. I guess that is why many people think it's wrong. You'd have to scroll to
the right to see the name of the resource group. The top option is definitely wrong because it would reduce to scope to the Subscripton only
notActions ["Microsoft.Authorisation/*"]
upvoted 3 times
 
Krishore
/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e is the correct answer for assignable scope,.
Condition- "Can be assigned only to the resource groups in Subscription1"
In condition it was said to assign for resources groups of the subscription1 but not identified any resources groups name.
upvoted 1 times
 
CloudyTech
Wrong should be id and auth
upvoted 2 times
 
raph90fr
The answer is Wrong. Tested on a lab today. You can not specify "Subscription/Subscription_id/ResourceGroups" only
"Subscription/Subscription_id" or "Subscription/subscription_id/ResourceGroups/{resourcegroup-id}". Moreover, question says "can be assigned to
Resource Group in subscription1" which will be possible with
"Subscription/Subscription_id" . Second part, "Microsoft.Authorization/*" is okay.

upvoted 2 times
 
Deyvessh
It should be ----ResourceGroups/*
upvoted 1 times
 
Deyvessh
Sorry, Above Ans is Wrong
When you are trying to apply RBAC on ResourceGroups so why use resourceGroup/* or resourceGroup, you are directed to create an RBAC on
all Resource Groups, so keep that in mind, there is nothing in command ResourceGroup/* or ResourceGroup
Ans should be Susbcription/--your Subscriptionid
Second - I have tested it - it should be Microsoft.Authorization/* without /* giving an error.
Hope it helps.
upvoted 1 times
 
Delanase
4 months ago
For the assignable scopes, there is not an option for /ResourceGroups.
upvoted 2 times
 
mkoprivnj
1 st "/Subscription/subcription_id"
2 nd "Microsoft.Authorization/*"
upvoted 3 times
 
JayBee65
How does that limit the assignment to only Resource Groups to meet this requirement: Can be assigned only to the resource groups in
Subscription1?
upvoted 2 times
 
rawrkadia
You can infer the question is wrong, because it isn't possible to assign to ~/resourceGroups, thats not a valid scope. You have to also specify
a specific ID.
upvoted 1 times
 
droy89
* doesnot work. The answer is correct.
upvoted 1 times
 
omhari
I get an error is I try to use * in assignableScopes
upvoted 1 times
 
CARIOCA
5 months ago
This question is very divided in the feedback, after all what would be the answer and which justified it?
After a debate of 27 comments, is the final answer to the question the same or not?
My humble suggestion for the Exam Topics would be to have an official moderator who, depending on the debate on the issues, should be
responsible for changing the submitted template.
I think the debate is healthy, but a better organization is needed following an established pattern because in some issues they get very confused
and generate more doubts than clarifications.
upvoted 15 times
 
JayBee65
Bananas
upvoted 2 times
 
chaudha4
5 months ago
I was able to create the custom role as below. So answer is right except for the missing * for actions.
"id": "/subscriptions/<<myid>>/providers/Microsoft.Authorization/roleDefinitions/<<id>>",
"properties": {
"roleName": "CR1",
"description": "",
"assignableScopes": [
"/subscriptions/<<myid>>/resourceGroups/free-rg1"
],
"permissions": [
"notactions": [
"Microsoft.Authorization/*"
],
"actions": [],
"dataActions": [],
"notDataActions": []
}
upvoted 3 times
 
chaudha4
5 months ago
I stand corrected. Ignore my previous comment. If I try to do the same at the subscription level it does not work. It seems like you cannot use *
for assignableScopes.
upvoted 1 times
 
darsy2001
You cannot use wildcards (*) in AssignableScopes. This wildcard restriction helps ensure a user can't potentially obtain access to a scope by
updating the role definition.
Reference: https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
upvoted 3 times
 
zvasanth2
You cannot set AssignableScopes to the root scope ("/").
updating the role definition.
upvoted 1 times
 
darko13
6 months ago
updating the role definition, so it's /Subscription/subcription_id
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/role-based-access-control/custom-roles.md#custom-role-limits
upvoted 2 times
You have an Azure subscription.
Users access the resources in the subscription from either home or from customer sites. From home, users must establish a point-to-site VPN to
access the Azure resources. The users on the customer sites access the Azure resources by using site-to-site VPNs.
You have a line-of-business-app named App1 that runs on several Azure virtual machine. The virtual machines run Windows Server 2016.
You need to ensure that the connections to App1 are spread across all the virtual machines.
What are two possible Azure services that you can use? Each correct answer presents a complete solution.
A.
an internal load balancer
B.
a public load balancer
C.
an Azure Content Delivery Network (CDN)
D.
Traffic Manager
E.
an Azure Application Gateway
Correct Answer:
AE
Network traffic from the VPN gateway is routed to the cloud application through an internal load balancer. The load balancer is located in the
front-end subnet of the application.
Reference:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/vpn https://docs.microsoft.com/en-
us/azure/load-balancer/load-balancer-overview https://docs.microsoft.com/en-us/azure/application-gateway/overview
 
mlantonis
Highly Voted 
5 months ago
Correct Answer: A and E
A: The customer sites are connected through VPNs, so an internal load balancer is enough.
B: The customer sites are connected through VPNs, so there's no need for a public load balancer, an internal load balancer is enough.
C: A CDN does not provide load balancing for applications, so it not relevant for this situation.
D: Traffic manager is a DNS based solution to direct users' requests to the nearest (typically) instance and does not provide load balancing for this
situation.
E: Azure Application Gateway is a valid option, as it provides load balancing in addition to routing and security functions
upvoted 94 times
 
Vaish310
3 weeks ago
Thanks
upvoted 1 times
 
juniorccs
Very nice and complete explanation, thanks a lot!
upvoted 1 times
 
valente_sven1
3 months ago
I appreciate your explanation . Thanks.
upvoted 1 times
 
mgladh
Highly Voted 
i would say A and E is the correct answer.
upvoted 83 times
 
Babatunde
Agreed
upvoted 3 times
 
JohnCox
Most Recent 
Azure Application Gateway only for web apps. Question doesn’t state what type of app it is. Annoying
upvoted 3 times
 
Kamex009
upvoted 3 times
 
akirashetty
Do the exam had any Labs or any hands on questions?
upvoted 1 times
 
Insanewhip
2 weeks ago
No, the format for the exam does not have any labs or hands-on questions. You can refer to the exam format on the Microsoft website
upvoted 1 times
 
zvasanth2
The first real difference between the Azure Load Balancer and Application Gateway is that an ALB works with traffic at Layer 4, while Application
Gateway handles just Layer 7 traffic, and specifically, within that, HTTP (including HTTPS and WebSockets)
If you are developing a web application, then you need an application gateaway.
if you are developing some classic desktop/console application that involves UDP protocol you may need load balancer
upvoted 2 times
 
hosseny
Correct Answer: A and E
upvoted 1 times
 
mkoprivnj
A & E is correct!
upvoted 1 times
 
BenStokes
A and E for sure :P
upvoted 1 times
 
omhari
A and E. Both can work as an internal load balancer for web app applications.
upvoted 1 times
 
CARIOCA
5 months ago
upvoted 1 times
 
imartinez
2 months ago
i will not say stop using drogs coz you will not do that.. just Stop abusing..
upvoted 1 times
 
RamanAgarwal
Can you stop putting same comment on every discussion. Moderator please take note and stop approving these comments
upvoted 17 times
 
maffoo
Its not divided, you must not have even read this before posting this.
upvoted 11 times
 
xoe123
4 months ago
I think they are using a bot
upvoted 3 times
 
viking1
A and E. The customer sites are connected through VPNs, so there's no need for a public load balancer, an internal load balancer is enough.
A CDN does not provide load balancing for applications, so it not relevant for this situation.
Traffic manager is a DNS based solution to direct users' requests to the nearest (typically) instance and does not provide load balancing for this
situation.
Azure Application Gateway is a valid option, as it provides load balancing in addition to routing and security functions.
upvoted 21 times
 
BraveOkafor
Thanks
upvoted 1 times
 
ms70743
A and E
upvoted 1 times


Vole51
Admin: this Q (question) has 2 answers as stated in Q description. Hence it highlight's just 1 answer. Please fix it, as its confusing. And I would say A
and E are correct
upvoted 2 times
 
marvinconejo
This is A and E
upvoted 1 times
 
Vole51
Answers should be 2, highlighted is just 1. I would say A and E
upvoted 1 times
 
mg
A and E
upvoted 1 times
 
bacana
The question is: "What are two possible Azure services that you can use?"
A and E
upvoted 1 times
 
ZUMY
A & E are correct!
upvoted 3 times
You have 100 Azure virtual machines.
You need to quickly identify underutilized virtual machines that can have their service tier changed to a less expensive offering.
Which blade should you use?
A.
Monitor
B.
Advisor
C.
Metrics
D.
Customer insights
Correct Answer:
B
Advisor helps you optimize and reduce your overall Azure spend by identifying idle and underutilized resources. You can get cost
recommendations from the Cost tab on the Advisor dashboard.
Reference:
https://docs.microsoft.com/en-us/azure/advisor/advisor-cost-recommendations
 
waterzhong
Highly Voted 
The Advisor dashboard displays personalized recommendations for all your subscriptions. You can apply filters to display recommendations for
specific subscriptions and resource types. The recommendations are divided into five categories:
Reliability (formerly called High Availability): To ensure and improve the continuity of your business-critical applications. For more information, see
Advisor Reliability recommendations.
Security: To detect threats and vulnerabilities that might lead to security breaches. For more information, see Advisor Security recommendations.
Performance: To improve the speed of your applications. For more information, see Advisor Performance recommendations.
Cost: To optimize and reduce your overall Azure spending. For more information, see Advisor Cost recommendations.
Operational Excellence: To help you achieve process and workflow efficiency, resource manageability and deployment best practices. . For more
information, see Advisor Operational Excellence recommendations.
upvoted 34 times
 
mlantonis
Highly Voted 
5 months ago
Correct Answer: B
Advisor helps you optimize and reduce your overall Azure spend by identifying idle and underutilized resources. You can get cost
Reference:
upvoted 21 times
 
VKChaudhary
Most Recent 
3 weeks, 3 days ago
Correct
upvoted 1 times
 
afathy
Answer is correct
upvoted 1 times
 
khismail
2 months ago
In Exam 21/08/2021
upvoted 2 times
 
akirashetty
Do the exam had any Labs or any hands on?
upvoted 1 times
 
flash007
Advisor will be used to advise on cost savings and utiliization
upvoted 1 times
 
aman824985
Advisor is related to cost management so correct ans is advisior
upvoted 1 times
 
BenStokes
Answer is correct - B
Azure Advisor helps you optimize and reduce your overall Azure spend by identifying idle and underutilized resources. You can get cost
upvoted 1 times
 
mkoprivnj
Advisor!
upvoted 2 times
 
armandolubaba
B is correct answer
upvoted 1 times
 
armandolubaba
B is correct answer
upvoted 1 times
 
whynotguru
Advisor --Cost --select VMs--select Quick Fix (Preview) and it will change to recommended actions config
upvoted 1 times
 
mg
B is correct
Advisor helps you optimize and reduce your overall Azure spend by identifying idle and underutilized resources
upvoted 1 times
 
ZUMY
B is correct
upvoted 3 times
 
Sandroal29
Advisor provides recommendations to improve the management of Azure resources.
So, the correct answer is B.

upvoted 1 times
 
toniiv
B. is correct
upvoted 1 times
 
ms70743
10 months ago
Answer is B Advisor
upvoted 2 times
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant.
You need to create a conditional access policy that requires all users to use multi-factor authentication when they access the Azure portal.
Which three settings should you configure? To answer, select the appropriate settings in the answer area.
Hot Area:
Correct Answer:

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-based-mfa
 
fedztedz
Highly Voted 
The Answer is correct .
- Select Users & Groups : Where you have to choose all users.
- Select Cloud apps or actions: to specify the Azure portal
- Grant: to grant the MFA.
Those are the minimum requirements to create MFA policy. No conditions are required in the question.
Also check this link beside the one provided in the answer
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policies
upvoted 95 times
 
redbeardbeer
Thanks for the great description. Very helpful.
upvoted 7 times
 
mlantonis
Highly Voted 
5 months ago
Correct Answer:
- Select Cloud apps or actions: To specify the Azure portal
- Select Grant: To grant the MFA.

upvoted 26 times
 
bogard
Most Recent 
3 days, 9 hours ago
This was ask during my AZ-500 exam.
upvoted 1 times
 
JamesChan0620
The answer is correct?
upvoted 3 times
 
omw2wealth
3 weeks, 4 days ago
Yes it is correct
upvoted 1 times
 
Jotess
the question was on Jul 23, 2021 - passed the exam. I followed most of the answers given by fedztedz and mlantonis. They know this stuff.
upvoted 5 times
 
Shiven12
The question was bit modified though

upvoted 4 times
 
juniorccs
Thanks!
upvoted 1 times
 
valente_sven1
how far from the real?
upvoted 1 times
 
mkoprivnj
- Select Cloud apps or actions: to specify the Azure portal
- Grant: to grant the MFA.

upvoted 3 times
 
saddamakhtar
Answer is correct
upvoted 1 times
 
mg
Answer is correct
upvoted 1 times
 
ZUMY
Given answer is correct
1.user or groups
2.apps
3.grant or deny
upvoted 2 times
 
taka_hawk
The Answer is correct .Please check. "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-
cloud-apps " "Cloud apps or actions" - "Microsoft Azure Management" - "Azure portal"
upvoted 1 times
 
alessioferrario
Just test on my MSDN subscription.
Only onwer can assign policy on root management group. A user with qlobal admin role can't
upvoted 2 times
 
toniiv
Solution provided is correct
upvoted 1 times
 
mikl
Seems correct.
New Policy.
Assignments:
Users and Groups - Select Users.
Cloud Apps - Microsoft Azure Management.
Access:
Grant - Require multi-factor authentication.
Source : https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa
upvoted 2 times
 
QiangQiang
Simple policies
A Conditional Access policy must contain at minimum the following to be enforced:
Name of the policy.
Assignments
Users and/or groups to apply the policy to.
Cloud apps or actions to apply the policy to.
Access controls
Grant or Block controls
So the answer is correct
upvoted 1 times
 
jim85
According to the link given by the explanation these answers seem to be correct. At the second step, Conditions, has 'Cloud apps or actions' to be
selected.
upvoted 1 times
 
waterzhong
Select Cloud apps or actions. You can choose to apply the Conditional Access policy to All cloud apps or Select apps. To provide flexibility, you can
also exclude certain apps from the policy.
For this tutorial, on the Include page, choose the Select apps radio button.
upvoted 1 times
You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.
The User administrator role is assigned to a user named Admin1.
An external partner has a Microsoft account that uses the user1@outlook.com sign in.
Admin1 attempts to invite the external partner to sign in to the Azure AD tenant and receives the following error message: ‫ג‬€Unable to invite user
user1@outlook.com ‫ג‬€" Generic authorization exception.‫ג‬€
You need to ensure that Admin1 can invite the external partner to sign in to the Azure AD tenant.
What should you do?
A.
From the Users blade, modify the External collaboration settings.
B.
From the Custom domain names blade, add a custom domain.
C.
From the Organizational relationships blade, add an identity provider.
D.
From the Roles and administrators blade, assign the Security administrator role to Admin1.
Correct Answer:
A
Reference:
https://techcommunity.microsoft.com/t5/Azure-Active-Directory/Generic-authorization-exception-inviting-Azure-AD-gests/td-p/274742
 
moekyisin
Highly Voted 
correct answer checked in portal .
Go to Azure AD--users--user settings --scroll down.--External users
Manage external collaboration settings

upvoted 62 times
 
Acai
3 months ago
Yep Yep Yep
upvoted 1 times
 
Gorl12
4 weeks ago
Your excitement is awesome!
upvoted 2 times
 
fedztedz
Highly Voted 
Answer is correct. You can adjust the guest user settings, their access, who can invite them from "External collaboration settings"
check this link https://docs.microsoft.com/en-us/azure/active-directory/external-identities/delegate-invitations

upvoted 35 times
 
ScoutP
Most Recent 
2 weeks, 4 days ago
upvoted 2 times
 
Beng_ali
2 weeks, 4 days ago
Came up on my exam on 02/10/21, Answer A is correct.
upvoted 2 times
 
anonza_dumps
2 months ago
in the exam 20-08-2021
upvoted 2 times
 
flash007
Both C and D are wrong, External user is the clue here
upvoted 2 times
 
tita_tovenaar
answer is C, by deduction:
A and B don’t apply because that only solves acces s to the subscription. we need root tenant level
D doesn’t apply because a new management group can’t be at root either (only one group).
So C is the only valid option

upvoted 1 times
 
mkoprivnj
A is correct!
upvoted 2 times
 
ZN
I am trying to reproduce the given error in portal for Admin1 but unable to do so.
Kindly post the steps to get the given error.

upvoted 1 times
 
mlantonis
5 months ago
Correct Answer: A
Azure AD -> User Settings -> External Users -> Manage external collaboration settings.
Azure AD -> External Identities -> External Collaboration Settings
Reference:
https://techcommunity.microsoft.com/t5/Azure-Active-Directory/Generic-authorization-exception-inviting-Azure-AD-gests/td-p/274742
upvoted 19 times
 
armandolubaba
Answer is correct
upvoted 1 times
 
saddamakhtar
Tested, Answer is Correct
upvoted 2 times
 
FemFem
7 months ago
Users>External Identities|External Collaboration settings
Good idea to always cross-check as Microsoft update and change frequently

upvoted 3 times
 
Vole51
Tested, correct
upvoted 1 times
 
MadMarc
I'm not sure if this is because of a new update, but I went to the Azure Portal and External Collaboration Settings is under External Identities, not
under Users. AAD --> External Identities --> External Collaboration Settings.
In any case, answer A seems to be the more accurate one.

upvoted 1 times
 
mg
Answer is correct
upvoted 2 times
 
stepient
"User settings" blade s directly under Az AD, not under Users blade., other than that correct.
upvoted 2 times
You have an Azure subscription linked to an Azure Active Directory tenant. The tenant includes a user account named User1.
You need to ensure that User1 can assign a policy to the tenant root management group.
What should you do?
A.
Assign the Owner role for the Azure Subscription to User1, and then modify the default conditional access policies.
B.
Assign the Owner role for the Azure subscription to User1, and then instruct User1 to configure access management for Azure resources.
C.
Assign the Global administrator role to User1, and then instruct User1 to configure access management for Azure resources.
D.
Create a new management group and delegate User1 as the owner of the new management group.
Correct Answer:
B
The following chart shows the list of roles and the supported actions on management groups.
Note:
Each directory is given a single top-level management group called the "Root" management group. This root management group is built into the
hierarchy to have all management groups and subscriptions fold up to it. This root management group allows for global policies and Azure role
assignments to be applied at the directory level. The Azure AD Global Administrator needs to elevate themselves to the User Access
Administrator role of this root group initially. After elevating access, the administrator can assign any Azure role to other directory users or
groups to manage the hierarchy. As administrator, you can assign your own account as owner of the root management group.
Reference:
 
Rajash
Highly Voted 
Ans C:
No one is given default access to the root management group. Azure AD Global Administrators are the only users that can elevate themselves to
gain access. Once they have access to the root management group, the global administrators can assign any Azure role to other users to manage
it.
upvoted 40 times
 
brainmind
The answer is C, the user should be a GA and then elevate themselves to gain access.
upvoted 2 times
 
PersonT
True. https://docs.microsoft.com/en-us/azure/governance/management-groups/overview
upvoted 1 times
 
Negrinho
No, the correctly answer is B.
C is to control Azure AD (Global Administrators), not to control Management group.
If you need to control Management group, use: Access control (IAM)> Add role assignment> Role> Owner or Contributor (in this case you will
use Owner). Don't exist "Global Administrators" inside of Access control (IAM)> Add role assignment.
The link between Azure AD and Management group will allow that you choose an user of your Azure AD, but not will inherit Azure AD role.
upvoted 29 times
 
RamanAgarwal
B cant be right because the owner access is given at subscription level only.
upvoted 2 times
 
shnz03
I agree. Basically there are 3 RBAC methods. They are for
1) Azure AD
2) Azure resources including Management group
3) Classic (used by Subscription)

upvoted 1 times
 
mdyck
5 months ago
This is right. Check the chart in this link. Owners assign policy.
https://docs.microsoft.com/en-us/azure/governance/management-groups/overview#management-group-access
upvoted 3 times
 
rawrkadia
How can it be right when the question specifies the root management group and B specifies a child subscription? The only way to ensure
they can make changes to the root management group is to make them a GA on the tenant and then they can assign themselves the
owner permissions to that group.
upvoted 2 times
 
mlantonis
Highly Voted 
5 months ago
Correct Answer: C
No one is given default access to the root management group. Azure AD Global Administrators are the only users that can elevate themselves to
gain access. Once they have access to the root management group, the global administrators can assign any Azure role to other users to manage
it.
Reference:
https://docs.microsoft.com/en-us/azure/governance/management-groups/overview#important-facts-about-the-root-management-group
upvoted 35 times
 
ayushbisht
Most Recent 
answer B is correct ,because assign the owner role to user1 can access the root management group. Global admin can do anything, but the
question here asked is who can make changes in root management group ,owner only 👍
upvoted 1 times
 
julioglez88
1 month ago
This answer is wrong, correct answer is C.
The root management groups is the highest parent at the directory/tenant. Only a global administrator has the possibility to elevate its access to
manage the root management group.
There is no other role/account that could have this kind of permission because this could impact all the resources in azure.
In another hand, each directory has a root management group, and a GA has access in case it required to regain access to a subscription (if the
owner leaves the company) or somehow the resources are compromise.
In both cases is only the GA who can manage the root management group.
CORRECT ANSWER MUST BE OPTION C.
https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin
upvoted 1 times
 
goonking
1 month ago
Ans should be C:
Answer B is wrong since you won't have access to Root management group from the subscription level (even as owner)
answer C: Would be correct because as a global admin you have the highest admin level. Also as mentioned in the question you need to only do
this action one time and then remove this uplifted access. Since this is best practice.
For better understanding check out https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin

upvoted 1 times
 
CzRepublic1
1 month, 1 week ago
Ans: C
Root management group for each directory
assignments to be applied at the directory level. The Azure AD Global Administrator needs to elevate themselves to the User Access Administrator
role of this root group initially. After elevating access, the administrator can assign any Azure role to other directory users or groups to manage the
hierarchy. As administrator, you can assign your own account as owner of the root management group.
upvoted 1 times
 
afathy
The answer is C:
upvoted 1 times
 
prepper666
I think it has to be C. A & B are related to "Subscription level" which is below Management Group level.
upvoted 1 times
 
zvasanth2
upvoted 1 times
 
Vazza98
Answer : C
As per below article, you need to assign the Global Administrator role to User 1 who can then Edit the 'Access Management for Azure Resources'
option within Azure AD
Tested in Lab.
upvoted 2 times
 
thuylevn
I think C
https://docs.microsoft.com/en-us/azure/governance/management-groups/overview#important-facts-about-the-root-management-group
upvoted 1 times
 
chapdast
Tested with my Azure account and C is correct. You need to be a global administrator and enable "Access management for Azure resources". Then
you will get the RBAC role "User Access Administrator" assigned to your account and if you visit the "management Groups" you will be able to
access Tenant Root Group.
upvoted 1 times
 
juniorccs
Again I am confused, answer C or B ?
since everyone makes a comment, don't know which one is the right one
upvoted 8 times
 
Spandrop
"You have an Azure subscription" imo means that I'm the GA, so I don't need to make user1 another GA, I just need to give the user1 the proper
rights to do the job, which I believe making it as owner should be enough.
So, I would w/ B
upvoted 2 times
 
MrJR
Answer is C. Tested.
With my suscription owner and global administrator account I was not able to assign a role to the root managment group until I activated Access
Managment for Azure resources.
Take a look at https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin
It says: "When you set the toggle to Yes, you are assigned the User Access Administrator role in Azure RBAC at root scope (/). This grants you
permission to assign roles in all Azure subscriptions and management groups associated with this Azure AD directory. This toggle is only available
to users who are assigned the Global Administrator role in Azure AD."
upvoted 2 times
 
rdsserrao
I think it is also C.
The policy has to be given at the MG Root level.
Besides the justification for the answer also points that way.
upvoted 1 times
 
CloudyTech
B should be fine
upvoted 1 times
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant named adatum.com. Adatum.com contains the groups in the following table.
You create two user accounts that are configured as shown in the following table.
Of which groups are User1 and User2 members? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:

Box 1: Group 1 only -
First rule applies -
Box 2: Group1 and Group2 only -
Both membership rules apply.
Reference:
https://docs.microsoft.com/en-us/sccm/core/clients/manage/collections/create-collections
 
pakman
Highly Voted 
3 weeks, 2 days ago
Correct answer.
User 1: Group 1 only
User 2: Group 1 & 2

upvoted 12 times
 
DevOpposite
2 weeks, 4 days ago
why cant user 1 not be in grp 3 plz?
upvoted 1 times
 
nsknexus478
2 weeks, 3 days ago
Someone has to assign users to Group3 if they have to be part of it and there is no mention of manual assignment in the question.
upvoted 3 times
 
DevOpposite
1 week, 4 days ago
thank you
upvoted 1 times
 
Chi1987
3 weeks, 1 day ago
I dont agree, User 1 is Office licensed, he can not be in Gr1. and user 2 is not with office license
Correct answer
User1 Group 3
User2 Group 1
upvoted 1 times
 
sk1803
3 weeks ago
license has nothing to do with it.
upvoted 4 times
 
sk1803
3 weeks ago
upvoted 2 times
 
GepeNova
Highly Voted 
2 weeks, 5 days ago
Tested in lab.
User 1: Group 1 only
User 2: Group 1 & 2

upvoted 5 times
HOTSPOT -
You have a hybrid deployment of Azure Active Directory (Azure AD) that contains the users shown in the following table.
You need to modify the JobTitle and UsageLocation attributes for the users.
For which users can you modify the attributes from Azure AD? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:

Box 1: User1 and User3 only -
You must use Windows Server Active Directory to update the identity, contact info, or job info for users whose source of authority is Windows
Server Active
Directory.
Box 2: User1, User2, and User3 -
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal
 
mlantonis
Highly Voted 
5 months ago
Correct Answer:
Box 1:User1 and User3 only

Server Active Directory.
Box 2: User1, User2, and User3
Usage location is an Azure property that can only be modified from Azure AD (for all users including Windows Server AD users synced via Azure AD
Connect).
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal
upvoted 37 times
 
hakanbaba
Highly Voted 
I've checked on my AAD, answer is correct
upvoted 36 times
 
Kiano
I have also checked but I can see that you can change both job title and usagelacation for all type of identities. even the ones that have been
synchronized from on-prem AD.
Maybe this is an update since you published your comment, but anayways I think both answers should be User1, 2 and 3.
upvoted 3 times
 
Kiano
5 months ago
The answer is actually right. Although both usagelocation and jobtitle can directly be updated in Azure AD for all type of users, jobtitle can
probably be overwritten by the synchronization process, although usagelocation is more an Azure AD type of attribute. But the question is
tricky. it asks: "For which users can you modify the attributes from Azure AD? ". Both can b updated directly in Azure AD, although Jobtitle
could be overwritten by the sync.
upvoted 2 times
 
Somewhatbusy
Yes its correct. 100% agreed
upvoted 6 times
 
ayushbisht
Most Recent 
correct answer :
jobtitle :user1 and user 3
usage location : 1,2 and 3

upvoted 1 times
 
khengoolman
1 week, 3 days ago
Passed 11 Oct 2021 with 947. This question appeared, correct Answer
upvoted 1 times
 
silver_bullet666
1 month, 1 week ago
I have tested this on 14/09/2021
JobTitle can be modified in AzureAD for;
User1 (AzureAD)
User3 (Guest)
JobTitle CANNOT be modified for User2 (Windows Server AD synced account)
Usage Location can be modified for;
User1 (AzureAD)
User2 (Windows Server AD synced account)
User3 (Guest)
tldr; the answer in the image is correct.

upvoted 6 times
 
Nilz76
I've just sync'd 2 users from On-Prem AD (via AAD Connect) and I cannot amend/edit/modify the Job title attribute (it's greyed out). I can however,
modify the Usage Location (for the On-prem sync'd user)
I also created 2 Azure AD Users including one guest user, and I can edit both job title and usage location.
upvoted 3 times
 
CloudyTech
correct
upvoted 1 times
 
mkoprivnj
User1 & User 3
User1, User2 & User3
User2 - job info can't be modified via AAD. Option grayed out on edit.
upvoted 3 times
 
omhari
Provided answer is correct as per documention.
upvoted 1 times
 
ajaz
Provided answer is correct.
In the following link - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal under
"Note:' section it is very clearly mentioned that Windows AD users should be modified from source and wait for sync to AAD.
Server Active Directory. After you complete your update, you must wait for the next synchronization cycle to complete before you'll see the
changes.
upvoted 3 times
 
CARIOCA
5 months ago
upvoted 2 times
 
Raj_Rock
I think this is a BOT or just creating SPAM messages in the discussion forum.
upvoted 5 times
 
JayBee65
A bot or somebody very lazy
upvoted 5 times
 
saddamakhtar
Tested, Answer is Correct
upvoted 2 times
 
codingsam
the answer should be User1 and User3 for both as in a hybrid environment where the user is on Windows Server AD then the synchronization is
only one way i.e. from on-prem AD to the AAD so changes to the job info or the usage location for User 2 should be done through on-prem AD
only.
upvoted 1 times
 
Kiano
you actually have a point. I can see we can change both attributes for the synched identities, but I guess you are right. Both can be overwitten
by the sync progress.
upvoted 1 times
 
ZUMY
upvoted 2 times
 
ZUMY
AAD is answer
upvoted 1 times
 
Neonlight8
8 months ago
JobTitle: i think the keyword here is "...modify from Azure", you can't modify Windows Server AD (on-premise attribute) from Azure under a hybrid
deployment. Therefore User 1 and User 3 only. Job Title attribute does exist for Guest account so this covers MS Account under User 3
Usage Location: User 1, User 2, User 3. Because this attribute is an Azure AD not onpremise therefore you can modify "From Azure"
upvoted 12 times
 
codingsam
Usage Location is there on on-prem AD under attributes.
upvoted 1 times
 
toniiv
Responses are correct:
- Job Title: for all but not Windows Server AD users
- Usage location is an Azure property that can only be modified from Azure AD (for all users including Windows Server AD users synced via Azure
AD Connect
upvoted 6 times
You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an
Azure subscription.
Solution: You assign the Network Contributor role at the subscription level to Admin1.
A.
Yes
B.
No
Correct Answer:
A
Your account must meet one of the following to enable traffic analytics:
Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or network contributor.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq
 
mlantonis
Highly Voted 
5 months ago
Correct Answer: A - Yes
Your account must have any one of the following Azure roles at the subscription scope: Owner, Contributor, Reader, or Network Contributor.
Network Contributor role - Lets you manage networks, but not access to them.
Traffic Analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Traffic analytics analyzes
Network Watcher network security group (NSG) flow logs to provide insights into traffic flow in your Azure cloud.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics
https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics#user-access-requirements
upvoted 28 times
 
twambala
how can yu
upvoted 2 times
 
twambala
how can one manage something if he does not have access to it
upvoted 2 times
 
rsharma007
1 month ago
they are two different permissions- a NC role can manage the resources, but he/she can't grant access to those resources to anyone else.
That can be done by roles with 'access' permissions such as 'owner'
upvoted 1 times
 
RithuNethra
Highly Voted 
correct answer
upvoted 21 times
 
CraigB83
Most Recent 
User access requirements
Your account must be a member of one of the following Azure built-in roles:
USER ACCESS REQUIREMENTS
Deployment model Role
Resource Manager Owner
Contributor
Reader
Network Contributor
upvoted 1 times
 
jvincent
If you provide only network contributor to admin1 then try to enable Traffic Analytics, the Storage Account and Log Analytics Workspace value
required to enable it will not be present. Hence, you cannot enable with Network Contributor.
Answer is No.
upvoted 1 times
 
wsscool
in exam 7/3/2021
upvoted 2 times
 
Radhaghosh
4 months ago
To enable traffic analytics, your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or
network contributor.
So Answer is Correct
upvoted 1 times
 
mkoprivnj
A is correct! Contributor role!
upvoted 1 times
 
Mich132
So normally a Contributor is not allowed to assign a role "Grants full access to manage all resources, but does not allow you to assign roles in
Azure RBAC, manage assignments in Azure Blueprints, or share image galleries." But this is an exception?
upvoted 1 times
 
armandolubaba
Correct Answer
upvoted 1 times
 
saddamakhtar
Answer is Correct
upvoted 1 times
 
ZUMY
A is correct!
upvoted 3 times
 
Sandroal29
Given answer is correct.
upvoted 1 times
 
StixxNSnares
A!
Reference: https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-
faq#:~:text=Your%20account%20must%20meet%20one,%2C%20reader%2C%20or%20network%20contributor.
upvoted 1 times
 
toniiv
A. is correct (network contributor at subscription scope)
upvoted 2 times
 
waterzhong
Traffic Analytics requires the following prerequisites:
A Network Watcher enabled subscription.
Network Security Group (NSG) flow logs enabled for the NSGs you want to monitor.
An Azure Storage account, to store raw flow logs.
An Azure Log Analytics workspace, with read and write access.

upvoted 1 times
 
ms70743
10 months ago
Answer is Yes.
upvoted 1 times
 
waterzhong
User access requirements
Your account must be a member of one of the following Azure built-in roles:
USER ACCESS REQUIREMENTS
Deployment model Role
Resource Manager Owner
Contributor
Reader
Network Contributor
upvoted 1 times
Azure subscription.
Solution: You assign the Owner role at the subscription level to Admin1.
A.
Yes
B.
No
Correct Answer:
A
Reference:
 
mlantonis
Highly Voted 
5 months ago
Correct Answer: A
Your account must have any one of the following Azure roles at the subscription scope: Owner, Contributor, Reader, or Network Contributor.
Network Contributor role - Lets you manage networks, but not access to them.
Reference:
upvoted 17 times
 
RithuNethra
Highly Voted 
correct answer
upvoted 12 times
 
wsscool
Most Recent 
in exam 7/3/2021
upvoted 2 times
 
moota
Bad practice because not doing LAC
upvoted 1 times
 
mkoprivnj
A is correct. Contributor or Owner role.
upvoted 1 times
 
saddamakhtar
Answer is Correct
upvoted 1 times
 
ZUMY
A is correct!
upvoted 2 times
 
Horhe
8 months ago
Answer is correct
upvoted 1 times
 
toniiv
A. is correct (owner at subscription scope)
upvoted 1 times
 
ar_vinoth
Correct answer A
upvoted 1 times
 
kashi1983
Answer is A
upvoted 1 times
 
ms70743
10 months ago
A is correct
upvoted 2 times
 
fedztedz
Answer is correct "Yes"
upvoted 8 times
 
Nalex9ja
the given answer is the correct answrer
upvoted 3 times
Azure subscription.
Solution: You assign the Reader role at the subscription level to Admin1.
A.
Yes
B.
No
Correct Answer:
A
Reference:
 
asmodeus
Highly Voted 
Traffic Analytics requires the following prerequisites:
A Network Watcher enabled subscription.
Network Security Group (NSG) flow logs enabled for the NSGs you want to monitor.
An Azure Storage account, to store raw flow logs.
An Azure Log Analytics workspace, with read and write access.
upvoted 30 times
 
visave
got it.
https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-
faq#:~:text=Your%20account%20must%20meet%20one,%2C%20reader%2C%20or%20network%20contributor.
upvoted 4 times
 
MountainW
The key is to enable, not to use. The article is about to use. The answer is not correct.
upvoted 5 times
 
JayBee65
The requirements above state..
Your account must meet one of the following to ***enable**** traffic analytics:
Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, ***reader***, or network
contributor.
So it is correct
upvoted 3 times
 
xMilkyMan123
https://github.com/MicrosoftDocs/azure-docs/issues/77499 Dont believe everything you read on the internet. Go and test things for yourself.
Even Microsoft official articles can misword things sometimes
upvoted 5 times
 
juniorccs
I agree with you
upvoted 2 times
 
nNeo
Although the article specified, but reader role can't change (or enable) "Traffic Analytics status" setting in NSG flow log settings. IMO, that article
should be edited.
upvoted 3 times
 
visave
As per your description the answer is A. could you please paste the source of the information.
upvoted 1 times
 
Nicodebian
upvoted 3 times
 
mlantonis
Highly Voted 
5 months ago
Reader role - View all resources, but does not allow you to make any changes.
Reference:
upvoted 19 times
 
xupiter
"Reader role - View all resources, but does not allow you to make any changes."
So that means this role doesn't allow you to enable traffic analytics.
So it cannot be "Yes".
upvoted 2 times
 
hercu
I think the answer is correct as it's assumed that the prerequisites to use traffic analytics are already met. Refering to:
https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq#what-are-the-prerequisites-to-use-traffic-analytics-
As a result, as stated just few lines below, all following roles: Owner, Contributor, Reader, or Network Contributor are sufficient to enable Traffic
Analytics.
upvoted 1 times
 
julioglez88
Most Recent 
1 month ago
Answer must be B.
Reader role is not allowed to perform any action, and the question is clearly to enable the traffict analytics.
There is no sense to make a case question where all the options are yes, plus there is a miss conception of reader access.
Everyone could interpret this question at their own understanding, however the answer is clear.
upvoted 2 times
 
AubinBakana
2 months ago
A little counterintuitive but a reader has the right to enable traffic analytics. Hint: How are you going to read it if you can't enable it? Is there any
security hazard if you do?
upvoted 1 times
 
juniorccs
I am still confused, how come a Reader make changes ? has anybody tested it ? which is the correct ? is A or B ? can someone confirm ? thank!
upvoted 2 times
 
Spandrop
I'm seeing people justifying the answer based on the following article:
But the article is about "to use" and the question is to "enable", so I would go with a NO.
upvoted 1 times
 
Praveen66
The answer is yes. if you carefully read the faq , you would see its written as to enable traffic analytics .
****Your account must meet one of the following to enable traffic analytics:***
upvoted 1 times
 
Gyanshukla
2 months ago
Recheck the article. It clearly says and same tested in lab.
upvoted 1 times
 
Spandrop
please, disregard my comment ...
upvoted 1 times
 
wsscool
in exam 7/3/2021
upvoted 4 times
 
EderAprigio
1 month ago
tks to reply
upvoted 1 times
 
xMilkyMan123
How is this A? How can you read your way to enabling anything
upvoted 2 times
 
VRK2999
Your account must meet one of the following to enable traffic analytics: Your account must have any one of the following Azure roles at the
subscription scope: owner, contributor, reader, or network contributor.
upvoted 1 times
 
alisyech
4 months ago
answer is yes (A) for sure
upvoted 2 times
 
JoeRogersHi
Tested—
Reader: Can select “On” and choose Log Analytics workspace and click “Save”...but does not have rights to save (it errors due to permissions).

Network Contributor: Can select “On” but cannot choose a Log Analytics workspace, and therefore cannot “Save”.
Contributor: YES, it works.
Owner: YES it works.

upvoted 6 times
 
mkoprivnj
A is correct! Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or network
contributor.
upvoted 1 times
 
CARIOCA
5 months ago
upvoted 3 times
 
xMilkyMan123
Come on this is a very easy question
upvoted 1 times
 
JayBee65
What do you think?
upvoted 1 times
 
Cippunk
5 months ago
Just tested and answer is no. Reader does not have authorisation to perform action Microsoft.Network/networkwatchers/flowlogs/write. This
question needs to be edited.
upvoted 4 times
 
Acrophat
I have attempted to enable traffic analytics for an NSG and reader role does not allow enabling traffic analytics without first having
owner/contributor role to the log analytics workspace that the logs will be sent to.
upvoted 5 times
 
Acrophat
Edit** asmodeus explained the user needs to have read/write access to the log analytics workspace. However, even after that, it fails to enable
traffic analytics for a user with reader role only.
upvoted 5 times
 
moota
One of those questions where Microsoft doesn't care to re-check
upvoted 1 times
 
besha
The reader role can't edit, create, enable, disable or delete any resources! The correct answer is NO. B
upvoted 4 times
 
MountainW
B is correct. The key is to enable, not to use.
upvoted 1 times
You have an Azure subscription that contains a user named User1.
You need to ensure that User1 can deploy virtual machines and manage virtual networks. The solution must use the principle of least privilege.
Which role-based access control (RBAC) role should you assign to User1?
A.
Owner
B.
Virtual Machine Contributor
C.
Contributor
D.
Virtual Machine Administrator Login
Correct Answer:
B
Virtual Machine Contributor: Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're
connected to.
Incorrect Answers:
A: Owner: Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
C: Contributor: Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC.
D: Virtual Machine Administrator Login: View Virtual Machines in the portal and login as administrator.
Reference:
 
wooyourdaddy
Highly Voted 
Should the answer be C. Contributor? Answer B, only allows the managing of the VM's and not the Virtual Networks as stated in the question.
upvoted 117 times
 
brakonda
2 weeks, 3 days ago
Admin given answer in description is B but if yo read description carefully it says B can only manage VM and not the network
upvoted 1 times
 
Alim786
Tested in lab and "Virtual Machine Contributor" cannot manage VNET. Therefore answer is "Contributor"
upvoted 34 times
 
ciscogeek
Whatever Manage means by Microsoft standards, as per the doc they say, VM Contributor can manage.
Virtual Machine Contributor Lets you "manage" virtual machines, but not access to them, and not the virtual network or storage account they're
connected to.
I would go for B.
upvoted 2 times
 
brico
Can't be B. As you mentioned in your response, "and not the virtual network...". C is the correct answer.
upvoted 3 times
 
Miles19
You are right, definitely, we need to assign a role of contributor, as the virtual machine contributor isn't enough - can't even manage the virtual
networks to which the VM is attached to. See details: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
upvoted 1 times
 
mlantonis
Highly Voted 
5 months ago
Correct Answer: C
Only Owner and Contributor can perform the actions, but we need to follow the least privilege principal, so Contributor.
A: Owner- Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
B: Virtual Machine Contributor - Create and manage virtual machines, manage disks and disk snapshots, install and run software, reset password of
the root user of the virtual machine using VM extensions, and manage local user accounts using VM extensions. This role does not grant you
management access to the virtual network or storage account the virtual machines are connected to. This role does not allow you to assign roles in
Azure RBAC.
C: Contributor - Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure
Blueprints, or share image galleries.
D: Virtual Machine Administrator Login - View Virtual Machines in the portal and login as administrator.
Reference:
upvoted 29 times
 
ohana
Most Recent 
4 days, 6 hours ago
Took the exam today, 17 Oct. This question came out. Ans: C. Contributor
upvoted 2 times
 
ayushbisht
6 days, 2 hours ago
according to the question , which role based access control is assigned ?
soo the answer is A . OWNER , only owner can assign RBAC .Vm contributor and contributor ,dont have access to RBAC .
upvoted 1 times
 
ayushbisht
6 days, 2 hours ago
anyone tell me ,what is the right option ?
upvoted 1 times
 
khengoolman
1 week, 3 days ago
Passed 11 Oct 2021 with 947. This question appeared, correct Answer is C
upvoted 2 times
 
Mukesh_Aggarwal_07
3 weeks, 5 days ago
Answer - C is correct
upvoted 2 times
 
julioglez88
1 month ago
This is a tricky question.
In one hand "Deploy VM" in another "Manage Vnets".
The Virtual machine contributor is fulfilling the "Deploy VM", but when you deploy a VM, a VNET is also created within, so this role has by default
limited permissions to manage VNETs. But in my perspective it should not be enough to consider "Manage VNet"
Even if the question is saying: "Least privilege principle", the only possible option to fulfill both requirements is the contributor role, but the
question is still tricky.
upvoted 1 times
 
NarenderSingh
1 month ago
Answer - C
VM Contributor can "Create and manage virtual machines, manage disks and disk snapshots, install and run software, reset password of the root
user of the virtual machine using VM extensions, and manage local user accounts using VM extensions. This role does not grant you management
access to the virtual network or storage account the virtual machines are connected to. This role does not allow you to assign roles in Azure RBAC."
upvoted 1 times
 
afathy
The answer must be C:
Virtual Machine Contributor
Create and manage virtual machines, manage disks and disk snapshots, install and run software, reset password of the root user of the virtual
machine using VM extensions, and manage local user accounts using VM extensions. This role does not grant you management access to the
virtual network or storage account the virtual machines are connected to. This role does not allow you to assign roles in Azure RBAC.
But Contributor
Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share
image galleries.
upvoted 2 times
 
DarwinJ23
Correct Answer Option C : Contributor
upvoted 1 times
 
AubinBakana
2 months ago
I too thought C is the answer. It even says is in your own explanation that while a VM Contributor allows you to manage a VM, it does not allow
you to manage the network
upvoted 1 times
 
roadman25
Answer is C!
upvoted 2 times
 
Afgan007
Virtual Machine Contributor Create and manage virtual machines, manage disks and disk snapshots, install and run software, reset password of the
root user of the virtual machine using VM extensions, and manage local user accounts using VM extensions. This role does not grant you
management access to the virtual network or storage account the virtual machines are connected to. This role does not allow you to assign roles in
Azure RBAC. 9980e02c-c2be-4d73-94e8-173b1dc7cf3c
upvoted 2 times
 
MrJR
C is the correct answer. The description of the role provides that information "Create and manage virtual machines, manage disks and disk
snapshots, install and run software, reset password of the root user of the virtual machine using VM extensions, and manage local user accounts
using VM extensions. This role does not grant you management access to the virtual network or storage account the virtual machines are
connected to. This role does not allow you to assign roles in Azure RBAC."
upvoted 1 times
 
Jotess
This question was on Jul 23, 2021 - passed the exam. answer is contributor.
upvoted 5 times
 
mousomgogoi
i am still confusd for the same
upvoted 1 times
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant that contains three global administrators named Admin1, Admin2, and Admin3.
The tenant is associated to an Azure subscription. Access control for the subscription is configured as shown in the Access control exhibit. (Click
the Access
Control tab.)
You sign in to the Azure portal as Admin1 and configure the tenant as shown in the Tenant exhibit. (Click the Tenant tab.)
Hot Area:
Correct Answer:
Box 1: No -
Only Admin3, the owner, can assign ownership.
Box 2: Yes -
Box 3: No -
Reference:
https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/add-change-subscription-administrator
 
mlantonis
Highly Voted 
5 months ago
Correct Answer:
Azure (RBAC) and Azure AD roles are independent. AD roles do not grant access to resources and Azure roles do not grant access to Azure AD.
However, a Global Administrator in AD can elevate access to all subscriptions and will be User Access Administrator in Azure root scope.
All 3 users are GA (AD) and Admin3 is owner of the subscription (RBAC).
Admin1 has elevated access, so he is also User Access Admin (RBAC).
To assign a user the owner role at the Subscription scope, you require permissions, such as User Access Admin or Owner.
Box 1: Yes
Admin1 has elevated access, so he is User Access Admin. This is valid.
Box 2: Yes
Admi3 is Owner of the Subscription. This is valid.
Box 3: No
Admin2 is just a GA in Azure AD scope. He doesn’t have permission in the Subscription.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal-subscription-admin
upvoted 100 times
 
ashish2201
Highly Voted 
Answer is correct, tested in Lab
1. No : Admin1 is a Global Administrator at Tenant which does not give it permission on subscription therefore cannot assign Owner Roles
2. Yes : Admin 3 is Global Administrator + Owner of Subscription therefore can assign Owner role to other user.
3. NO : Admin2 is Global Administrator for Tenant and do not have any rights on Subscription thereofore cannot create resources in it.
upvoted 21 times
 
Praveen66
Even if your a global administrator at the Tenant level you can grant the access of owner to any other user to in tenant for the subscription.
Simple example is the default account through which you have registered is global admin, if you have created another user account you can
very well assign a owner role to him for a sub
upvoted 1 times
 
ashish2201
Kindly ignore my previous comment, below is the correct one
1. Yes : Admin1 is a Global Administrator at Tenant which does not give it permission on subscription but as per exibit it has taken control to
manage access to all Azure subscriptions therefore it now has access to manage subscription therefore can assign role to other users.
2. Yes : Admin 3 is Global Administrator + Owner of Subscription therefore can assign Owner role to other user.
3. NO : Admin2 is Global Administrator for Tenant and do not have any rights on Subscription therefore cannot create resources in it.
upvoted 35 times
 
perrito_css
Most Recent 
1 month, 1 week ago
exam 10/09/21
upvoted 2 times
 
khismail
2 months ago
In Exam 21/08/2021, answer: YYN
upvoted 3 times
 
AubinBakana
2 months ago
It's Yes, Yes, Yes
Admin3 is Owner of the subscription which means he can do anything, virtually, to the subscription
Admin1 has been set as User Access Administrator in that second screenshot. Which gives him the right to manage every single resource in the
subscription
upvoted 1 times
 
barcellos
no, yes, no is a Correct Answer! the answser is based in the in the question scope. the questions don´t make reference how to access for admin1
upvoted 1 times
 
JimBobSquare101
In exam 30 June 2021
upvoted 2 times
 
MrJR
Tested
Yes
Yes
No
upvoted 3 times
 
Meko
3 months ago
was in exam 23/07/2021
upvoted 3 times
 
CloudyTech
YNN should be
upvoted 1 times
 
rawrkadia
YYN. Admin3 is an owner on the scope as per the top, and thus can add additional owners.
upvoted 1 times
 
Rohithalkt
upvoted 4 times
 
bacana
Yes, Yes , No
because this "Elevate access to manage"

upvoted 2 times
 
james1890
4 months ago
By default, Azure roles and Azure AD roles do not span Azure and Azure AD. However, if a Global Administrator elevates their access by choosing
the Access management for Azure resources switch in the Azure portal, the Global Administrator will be granted the User Access Administrator role
(an Azure role) on all subscriptions for a particular tenant. The User Access Administrator role enables the user to grant other users access to Azure
resources. This switch can be helpful to regain access to a subscription. For more information, see Elevate access to manage all Azure subscriptions
and management groups.

Several Azure AD roles span Azure AD and Microsoft 365, such as the Global Administrator and User Administrator roles. For example, if you are a
member of the Global Administrator role, you have global administrator capabilities in Azure AD and Microsoft 365, such as making changes to
Microsoft Exchange and Microsoft SharePoint. However, by default, the Global Administrator doesn't have access to Azure resources.
Box 1: YES
Box 2: YES
Box 3: NO
upvoted 2 times
 
mkoprivnj
Box 1: Yes
Admin1 has elevated access, so he is User Access Admin. This is valid.
Box 2: Yes
Admi3 is Owner of the Subscription. This is valid.
Box 3: No
Admin2 is just a GA in Azure AD scope. He doesn’t have permission in the Subscription.

upvoted 2 times
 
CARIOCA
5 months ago
upvoted 4 times
 
prepper666
can we delete this users comments, this is a bot posting here
upvoted 1 times
 
pkazemei
I love the extra effort you put in after you copy and pasted: you edited the number of comments lol.
upvoted 1 times
 
sheva370
5 months ago
Tested in my lab, the correct answer is
Box 1: Yes - Elevated access
https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin#azure-portal
Box 2: Yes - Owner
Box 3: No - Azure AD admin only.

upvoted 2 times
 
ronsav80
5 months ago
So Q1 is if Admin1 can add Admin2 as the owner of the subscription. Only the current owner can change the ownership, and in this case, Admin 3
is the owner. So based on this I think the answer is correct and it should be N/Y/N
upvoted 1 times
You have an Azure subscription named Subscription1 that contains an Azure virtual machine named VM1. VM1 is in a resource group named RG1.
VM1 runs services that will be used to deploy resources to RG1.
You need to ensure that a service running on VM1 can manage the resources in RG1 by using the identity of VM1.
A.
From the Azure portal, modify the Managed Identity settings of VM1
B.
From the Azure portal, modify the Access control (IAM) settings of RG1
C.
From the Azure portal, modify the Access control (IAM) settings of VM1
D.
From the Azure portal, modify the Policies settings of RG1
Correct Answer:
A
Managed identities for Azure resources provides Azure services with an automatically managed identity in Azure Active Directory. You can use
this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.
You can enable and disable the system-assigned managed identity for VM using the Azure portal.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm
 
fedztedz
Highly Voted 
Answer is correct "A" Modify Managed Identities.
upvoted 32 times
 
ZUMY
Highly Voted 
Managed identity setting is correct
upvoted 25 times
 
Kamex009
Most Recent 
upvoted 4 times
 
AubinBakana
2 months ago
You could guess what the answer is. Although, in Microsoft Learn, this topic is poorly explained. The answer is A.
upvoted 1 times
 
JimBobSquare101
In exam 30 July 21
.
upvoted 3 times
 
hard2learn
how many questions came from this question bank in your exam?
upvoted 1 times
 
Jotess
This question was on Jul 23, 2021 - passed the exam.Answer A is correct
upvoted 3 times
 
deepu1982
3 months ago
Modify Managed Identities is the right answer
upvoted 3 times
 
Rohithalkt
upvoted 3 times
 
thuylevn
any labs?
upvoted 1 times
 
mkoprivnj
A is correct!
upvoted 2 times
 
Tranquillo1811
Actually this is a tricky question.
However, according to this link https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-

vm-access-arm
where exactly this scenario is described, they go directly to IAM of the RG and select the VM there.
I assume the managed Identity of the VM is then automatically enabled if it is not already enabled.
So the correct answer would be actually B!

upvoted 3 times
 
Shailen
Not correct since system managed identity is not automatically enabled until specify during VM creation through portal or arm template. This
first step is to enable it by going into identity settings so given answer is correct!
upvoted 3 times
 
Tranquillo1811
I stand corrected: Under that link under prereqs they mention: "You also need a Windows Virtual machine that has system assigned managed
identities enabled."
Yes, answer A is correct!

upvoted 4 times
 
Kctaz
In case anyone still has doubt : A is correct.
When you go to VM menu and Identity, you can choose to assign an identity to the VM to register it in Azure AD. Then, you can give the role you
need to this managed identity (you can choose the scope and the role).
Easy, fast, and very practical.

upvoted 4 times
 
CARIOCA
5 months ago
upvoted 3 times
 
mlantonis
5 months ago
Correct Answer: A
Managed identities for Azure resources provides Azure services with an automatically managed identity in Azure Active Directory. You can use this
identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code. You can enable and disable
the system-assigned managed identity for VM using the Azure portal.
RBAC manages who has access to Azure resources, what areas they have access to and what they can do with those resources. Examples of Role
Based Access Control (RBAC) include: Allowing an app to access all resources in a resource group Policies on the other hand focus on resource
properties during deployment and for already existing resources. As an example, a policy can be issued to ensure users can only deploy DS series
VMs within a specified resource
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm
upvoted 23 times
 
Biswa1989
Your answers are quiet correct.
upvoted 1 times
 
mdyck
Go to VM > Identity > System Assigned > Status On > Azure role assignments > Scope Resource group > Contributor
"Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC"
I think managed identity is the way to go.

upvoted 5 times
 
MayBe
To answer the question you have to first understand the difference between Managed Identity (a.k.a RBAC) and Access Control policies (IAM)
RBAC manages who has access to Azure resources, what areas they have access to and what they can do with those resources. Examples of Role
Based Access Control (RBAC) include: Allowing an app to access all resources in a resource group
Policies on the other hand focus on resource properties during deployment and for already existing resources. As an example, a policy can be
issued to ensure users can only deploy DS series VMs within a specified resource
(https://techcommunity.microsoft.com/t5/itops-talk-blog/governance-101-the-difference-between-rbac-and-policies/ba-p/1015556?
WT.mc_id=ITOPSTALK-reddit-abartolo)
So the answer is A
upvoted 3 times
 
Moley
7 months ago
Answer A will not achieve the goal. The VM identity will not have rights to the resource group. The question implies the VM has an identity. The
correct answer is B where you use IAM to grant the identity permissions to the resource group.
upvoted 4 times
 
alexandvvvvv
You are right that answer A will not achieve the goal but the question is not about that, it is about the first action you have to do to achieve the
goal. Also for me it does not look like it is said that VM already has an identity. I think they mean just that an identity should be used and to
achieve that you have to configure it. So I think it is A.
upvoted 4 times
 
toniiv
8 months ago
Answer seems to be correct as per URL provided ( Managed Identities )
upvoted 2 times
You have an Azure subscription that contains a resource group named TestRG.
You use TestRG to validate an Azure deployment.
TestRG contains the following resources:
You need to delete TestRG.
A.
Modify the backup configurations of VM1 and modify the resource lock type of VNET1
B.
Remove the resource lock from VNET1 and delete all data in Vault1
C.
Turn off VM1 and remove the resource lock from VNET1
D.
Turn off VM1 and delete all data in Vault1
Correct Answer:
C
When you delete a resource group, all of its resources are also deleted. Deleting a resource group deletes all of its template deployments and
currently stored operations.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/delete-resource-group?tabs=azure-powershell
 
Dips88
Highly Voted 
Answer should be B. A recovery service vault can not deleted unless all its backups are deleted permanently. And along with that definitely resource
lock has to be removed on vnet
upvoted 69 times
 
YooOY
4 weeks, 1 day ago
if backup is still active/VM is running, doing firstly B won't delete all data. Either stop the backup or the VM first must come first. C is making
sense. A could be also next to perfect 1st action.
upvoted 3 times
 
YooOY
4 weeks, 1 day ago
Cloud protected items: Go to the vault dashboard menu > Backup Items. All items listed here must be removed with Stop Backup or Delete
Backup Data along with their backup data. Follow these steps to remove those items.
it looks stop backup or delete backup data has the same effect. https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-
vault#proper-way-to-delete-a-vault
upvoted 2 times
 
imartinez
Wrong, correct answer is C.
Its asking for the first thing you should Do.
If the VM is running it will continues backing up. So that's your first move on the vault.
upvoted 3 times
 
imartinez
1 month, 1 week ago
My bad, it's B.
in the steps listed on the URL below, stop the VM is the second
URL
https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault#delete-protected-items-in-the-cloud
upvoted 1 times
 
rawrkadia
Disagree. The more I think about this, the less "delete all data" makes sense as step one. Step one is to modify the VM's backup configuration,
but A doesn't make sense either.
I actually think they're correct. Easiest first step is to shut stuff off (not strictly needed) and remove the resource lock. Then disable soft-delete if
on, remove the backup configuration for VM1 and any backups, then you can turn down the RG.
upvoted 3 times
 
poplovic
Tried in the lab, a lot of steps to remove the vault.
https://docs.microsoft.com/en-us/azure/backup/quick-backup-vm-portal
https://docs.microsoft.com/en-us/azure/backup/backup-azure-security-feature-cloud#permanently-deleting-soft-deleted-backup-items
upvoted 1 times
 
mlantonis
Highly Voted 
5 months ago
Correct Answer: B
When you delete a resource group, all of its resources are also deleted. Deleting a resource group deletes all of its template deployments and
currently stored operations.
As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting
or modifying critical resources. The lock overrides any permissions the user might have.
You can't delete a vault that contains backup data. Once backup data is deleted, it will go into the soft deleted state.
So you have to remove the lock on order to delete the VNET and delete the backups in order to delete the vault.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/delete-resource-group?tabs=azure-powershell
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources
https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault#before-you-start
upvoted 48 times
 
monus
2 weeks, 5 days ago
backup can be taken even if vm is powered off. so, I think the answer is A.
upvoted 3 times
 
AubinBakana
2 months ago
No, this is wrong. one of the reasons why resource groups were designed is to facilitate the deletion of resources in Dev environments. You
delete the RG and all its components are gone.
C is the answer.
upvoted 1 times
 
AubinBakana
2 months ago
sorry, I meant Dev/Test environment. Think CI/CD.
upvoted 1 times
 
Gyanshukla
correct
upvoted 2 times
 
rkat
Most Recent 
6 days, 2 hours ago
What is we look at this like the following?
1. We need to remove the lock (modifying would not help). Which takes A out and D is out too.
2. If we take B into consideration, it first removes lock whish is main requirement for deleting everything from RG. Secondly it loosely mentions
"Delete all data in Valut1". Before a vault is deleted its backups needs to go, which also means we will take all steps including disabling backups to
delete data from vault.
so I would go with B
upvoted 2 times
 
theOldOne
1 week, 5 days ago
Can you modify the resource lock on the Vnet without turning the machine off? If so the answer is A. Remove the lock on the Vault by modifying
(removing) the backup of VM1. Then remove the lock on the Vnet.
upvoted 1 times
 
Mukesh_Aggarwal_07
3 weeks, 5 days ago
A is 100 % correct, you will need to chnage the config of backup to disable the soft delete
https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault
upvoted 3 times
 
nsknexus478
2 weeks, 3 days ago
To properly delete a vault, you must follow the steps in this order:
Step 1: Disable the soft delete feature. See here for the steps to disable soft delete.
Step 2: After disabling soft delete, check if there are any items previously remaining in the soft deleted state. If there are items in soft deleted
state, then you need to undelete and delete them again. Follow these steps to find soft delete items and permanently delete them.
It's A.
upvoted 1 times
 
vijesh_shenoy
1 month ago
Answer is C. The question is - What should you do first?

upvoted 1 times
 
JamesChan0620
The answer is B or C?
upvoted 1 times
 
Pradyumn
1 week, 5 days ago
i dont know
upvoted 1 times
 
AubinBakana
2 months ago
The answer is C, but only because of how the question is asked.
- Turn off VM1 and remove the resource lock from VNET1 first.
- The turn off the backup
- Then delete the resource group.

upvoted 1 times
 
Vazza98
Answer B :
Mirrored in lab envrionment. Deleting TestRG to begin with fails due to delete resource lock on VNET1 - changing the resource lock type to read-
only on this has no affect and still prevents TestRG from being deleted, therefore, only way to go around this is to remove the resource lock
entirely.
Once lock has been removed if you try to delete TestRG again it deletes everything but Vault1 due to resources existing in this. Stopping the
backup and then deleting all data puts the data in to a soft deleted state for 14 days as per https://docs.microsoft.com/en-
us/azure/backup/backup-azure-security-feature-cloud
Therefore, the first steps are to " Remove the resource lock from VNET1 and delete all data in Vault1" - the next steps being to either remove the
soft deleted data or wait for it to auto delete and then TestRG can be deleted fully.
upvoted 4 times
 
imartinez
Correct answer: C
Even in your statement you are mentioning that you had to stop the VM first, and it makes sense, if the VM is running it will continues backing
up. So that's your first on the vault.
upvoted 1 times
 
orion1024
4 weeks, 1 day ago
He said stop the backup, not stop the VM.
upvoted 2 times
 
thuylevn
B. Remove the resource lock from VNET1 and delete all data in Vault1 => wrong because delete all data in Valt1 but still have Valt1 and connection
with VM.
So correct is A (if we understand modify here is remove valt1 and remove lock)
upvoted 1 times
 
J4U
I go with A with the testing I did now.
1. Remove the delete lock.
2. Disable soft delete in vault > Security configuration.
3. Stop Backup > Delete data (Don't Retain)
After step 2 and 3, the vault is deleted.
The resource group can be deleted even when VM is running, so C or D isn't an option. Also B says to delete all data, but backup has to be stopped
to delete data, also disable soft delete.
upvoted 3 times
 
J4U
"A" can be tasked because of "modify the resource lock type" which is still locked. So we can safely assume B is correct to delete all vault data
by following step 2 and 3 given above.
upvoted 2 times
 
Mingtanw
The VM is running, have to stop it first prior to remove the backup policy. Answer A is talking about modify (to make changes) not delete or
remove, which is definitely wrong. Go with Answer C.
upvoted 1 times
 
J4U
There is no need to delete the backup policy. Just stop backup and delete the data which can be done while the VM is running. Once the
backup data is deleted, the resource group can be deleted while the VM is running.
upvoted 1 times
 
MrJR
Answer is A.To delete the vault yo have to stop the backup of VM1 first and then remove the lock from the VNET. There is no other way.
upvoted 6 times
 
Mingtanw
3 months ago
The answer is correct, C. The first 3 tasks to do, 1) Stop the running VM, 2) Delete the Backup, 3) Remove the lock. The other answers are not near,
at least it has 2 out of the 3 tasks covered.
upvoted 3 times
 
deepu1982
3 months ago
100% Answer is A
upvoted 4 times
 
valente_sven1
3 months ago
Do you get this question on exam??
upvoted 1 times
 
johanc68
3 months ago
The problem here is with the backups. They must be removed first before the RG can be deleted. Backups can be taken even when VM1 is turned
off. So options C and D can be eliminated. That leaves us with options A and B. I think the correct answer is A: first stop the backups ('Modify the
backup config'). Answer B is not correct because there could be a backup ongoing so deleting the data in the vault is not enough because data
could be flowing in after you've deleted the data.
upvoted 3 times
 
NineballSeraph
You guys are missing the most important part of the question: "What should you do FIRST"
FIRST being the key word here, as in what is the very FIRST step in the process. People answering here are not looking at the bigger picture and are
just looking for upvotes.
Answer is A
Tested in lab.
upvoted 11 times
 
imartinez
Can you modify the BK configs without turning off the VM? if you can't answer is C, if not, it's A as you said.
upvoted 1 times
You have an Azure DNS zone named adatum.com.
You need to delegate a subdomain named research.adatum.com to a different DNS server in Azure.
What should you do?
A.
Create an NS record named research in the adatum.com zone.
B.
Create a PTR record named research in the adatum.com zone.
C.
Modify the SOA record of adatum.com.
D.
Create an A record named *.research in the adatum.com zone.
Correct Answer:
A
You need to create a name server (NS) record for the zone.
Reference:
https://docs.microsoft.com/en-us/azure/dns/delegate-subdomain
 
chaitu1990
Highly Voted 
All the best for your Exam guys:))
upvoted 94 times
 
omw2wealth
3 weeks, 4 days ago
Thank you i guess
upvoted 2 times
 
mlantonis
Highly Voted 
5 months ago
Correct Answer: A
An NS record or (name server record) tells recursive name servers which name servers are authoritative for a zone. You can have as many NS
records as you would like in your zone file. The benefit of having multiple NS records is the redundancy of your DNS service.
You need to create a name server (NS) record for the zone.
Reference:
https://docs.microsoft.com/en-us/azure/dns/delegate-subdomain
upvoted 39 times
 
suriyaswamy
Nice Explanation. Many Thanks
upvoted 1 times
 
GodfreyMbizo
Most Recent 
1 month ago
I have just started yesterday,i have exam i 2 days time,i dont know if i will master everything
upvoted 1 times
 
ShikshaGarg
Thanks a lot ExamTopics for the questions and also this discussion panel, helps a lot to understand different ways a question can be solved. All the
best everyone!! :)
upvoted 1 times
 
Jotess
This question was on Jul 23, 2021 - passed the exam. Answers given by fedztedz and mlantonis in the discussion are correct.
upvoted 4 times
 
Md_Shahnawaz
5 months ago
Answer A is correct
upvoted 7 times
 
saddamakhtar
Good Luck! guys for your Exam...............
upvoted 4 times
 
6F
45 mins to go time, good luck all!
upvoted 3 times
 
sopot
Good luck evrybody :)

upvoted 1 times
 
luiz01
6 months ago
All the best for guys:)
upvoted 1 times
 
rishard
6 months ago
Got exam in 1h - Wish me luck ;)
upvoted 5 times
 
jc1738
How did it go? Was the material on here enough to get you a pass? My exam is this week!
upvoted 3 times
 
RealKaiCloud34813
6 months ago
Good luck, I'm attepting tomorrow.
upvoted 4 times
 
UmarQazi
I'm going to attempt this exam in the afternoon.
upvoted 2 times
 
Olijames221
How did it go? Was the question set in here enough to pass? I have mine tomorrow
upvoted 2 times
 
HassanSarhan
How did it go with you? MY exam is next week! Was the question set here enough to pass ?
upvoted 1 times
 
thapp
is there any new questions ?
upvoted 1 times
 
SScott
Name Server is the correct Answer, not an A Record.
I am signed up for the exam today 4/4. Microsoft tag on the registration site says content changed 3/26. Probably just a few questions added
and/or removed.
upvoted 2 times
 
SScott
New scale set questions, specific to % to minute and policy effects. Know kubectl commands and syntax reference to VM resources. New
variations of app service, web apps, and specific to ASP and .NET Core. New NSG firewall rule determinations. Several curve balls but the
current set on examtopics.com will provide the study guide results to pass with success! Research, review and test in lab to fully learn and
grow your Azure field of study.
upvoted 3 times
 
SScott
https://microsoftlearning.github.io/AZ-104-MicrosoftAzureAdministrator/Instructions/Labs/LAB_09c-
Implement_Azure_Kubernetes_Service.html
upvoted 3 times
 
LexusNX425
Thank You ExamTopics, and thank all of you for your support in the discussions. Best of luck to everyone on the exam!!! :)
upvoted 4 times
 
Techseeker
Reached here! Thanks for the amazing support and good luck on your exam ☺️
upvoted 4 times
 
ZUMY
A:
An NS record or (name server record) tells recursive name servers which name servers are authoritative for a zone. ... You can have as many NS
records as you would like in your zone file. The benefit of having multiple NS records is the redundancy of your DNS service.
upvoted 11 times
DRAG DROP -
You have an Azure Active Directory (Azure AD) tenant that has the contoso.onmicrosoft.com domain name.
You have a domain name of contoso.com registered at a third-party registrar.
You need to ensure that you can create Azure AD users that have names containing a suffix of @contoso.com.
Select and Place:
Correct Answer:

1. Add the custom domain name to your directory
2. Add a DNS entry for the domain name at the domain name registrar
3. Verify the custom domain name in Azure AD
Reference:
https://docs.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain
 
fene
Highly Voted 
As I'm a smart guy I can confirm this to be the proper answer
upvoted 43 times
 
CBIBEK
Source: Dude trust me
upvoted 22 times
 
Gorl12
4 weeks ago
Lol ;)
upvoted 1 times
 
Iroshan4
Highly Voted 
Answer is correct. But the source is wrong.
Here is the correct docs link.
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain
upvoted 27 times
 
ScoutP
Most Recent 
2 weeks, 4 days ago
upvoted 2 times
 
magnoy
1 month ago
According to https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain
It should be the following order:
1.ADD AN AZURE AD TENANT
2.ADD A CUSTOM NAME
3.ADD A RECORD TO THE PUBLIC CONTOSO.COM DNS ZONE
(4.VERIFY THE DOMAIN)

upvoted 3 times
 
dumz
2 weeks ago
thank you so much for sharing!
upvoted 1 times
 
Kamex009
upvoted 2 times
 
Cippunk
5 months ago
The question should specify if by "Add a record to the public contoso.com DNS zone" it means adding the text record to the domain registrar's
DNS zone. All that is needed is:
- Add a custom domain
- Create the Txt record (including hostname @, text value and TTL set to 3600 seconds) to DNS record on domain registrar.
- Verify the domain.
Having an Azure Public DNS zone is not required. Just tested this.
upvoted 12 times
 
azlab1win
Agree with this statement!
upvoted 2 times
 
raulgar
The internal domain name is contoso.onmicrosoft.com, the external dns is contoso.com, so the first it would be add a custom name, could be?
upvoted 3 times
 
raulgar
I'm not sure, but with external dns you must have a custom name (contoso.onmicrosoft.com isn't), so the first is create a custom name, later add
the record and verify.I haven't test it
upvoted 2 times
 
crescha
Custom domain already exists. Then you need to create DNS zone, add record and verify
upvoted 4 times
 
Acai
Unfortunately, that is incorrect, onmicrosoft.com indicates there using the default domain name, and they want to change the "Suffix" from
their registered domain to Contoso.com to that domain name in azure so the provided answer is correct.
If asking for a child domain of custom domain you would be correct!

upvoted 1 times
 
Kopy
"You have a domain name of contoso.com registered at a third-party registrar."
So, they have already their own

upvoted 1 times
 
Cepul
If looking at this reference: https://docs.microsoft.com/en-us/azure/dns/dns-getstarted-portal
The answer is :
Create an Azure DNS zone
Add a record to the public contoso.com DNS zone
Verify the domain

upvoted 11 times
 
bacana
Correct.
upvoted 2 times
 
Devgela
Create an Azure DNS zone
Add a record to the public contoso.com DNS zone
Verify the domain
My Choice
upvoted 7 times
 
jecah
Create a DNS zone in Azure DNS, and delegate the zone in your registrar to Azure DNS. It is a prerequisite and should be the first step.
So I agree with you.

upvoted 3 times
 
mdyck
Would the zone not already be created because they have the existing domain?
upvoted 2 times
You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1.
You need to view the error events from a table named Event.
Which query should you run in Workspace1?
A.
Get-Event Event | where {$_.EventType == "error"}
B.
Event | search "error"
C.
select * from Event where EventType == "error"
D.
Event | where EventType is "error"
Correct Answer:
B
The search operator provides a multi-table/multi-column search experience.
The syntax is:
Table_name | search "search term"
Note:
There are several versions of this question in the exam. The question has three possible correct answers:
1. search in (Event) "error"
2. Event | search "error"
3. Event | where EventType == "error"
Other incorrect answer options you may see on the exam include the following:
1. Get-Event Event | where {$_.EventTye ‫ג‬€"eq "error"}
2. Event | where EventType is "error"
3. select * from Event where EventType is "error"
4. search in (Event) * | where EventType ‫ג‬€"eq "error"
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/search-queries https://docs.microsoft.com/en-us/azure/azure-monitor/log-
query/get-started-portal https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/searchoperator?pivots=azuredataexplorer
 
Nilz76
Highly Voted 
"B" is correct
For those who selected "D", the syntax should have been:
Correct:
Event | where EventType == "error"
Incorrect:
Event | where EventType is "error"
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-windows-events#log-queries-with-windows-events
upvoted 10 times
 
fatherofexam
B is absolutely correct. Everything else is invalid syntax.
upvoted 2 times
 
fabylande
Most Recent 
1 day, 18 hours ago
upvoted 1 times
 
GepeNova
2 weeks, 4 days ago
Tested in lab B is correct.
Monitor>>logs>>New query
Event | search "error" -->works fine others no.

upvoted 1 times
 
perrito_css
1 month, 1 week ago
exam 10/09/21
upvoted 2 times
 
Kamex009
upvoted 2 times
 
khismail
2 months ago
In Exam 21/08/2021
upvoted 4 times
 
anonza_dumps
2 months ago
upvoted 3 times
 
AubinBakana
2 months ago
B is the correct answer.
Some here are saying D is the answer but that is false - "error" is not a type. That's why D results in a syntax error.
However, Event| search "error" is more generic because it searches for the string "error" in the Event table. That's why it returns true.
KQL
upvoted 2 times
 
omaro
i think it should be C.
upvoted 2 times
 
jvincent
Answer C is an SQL syntax, Log Analytics use KQL (Kusto Query Language). B should be the Correct answer.
upvoted 2 times
 
adiii123
answer is correct
upvoted 1 times
You have a registered DNS domain named contoso.com.
You create a public Azure DNS zone named contoso.com.
You need to ensure that records created in the contoso.com zone are resolvable from the internet.
What should you do?
A.
Create NS records in contoso.com.
B.
Modify the SOA record in the DNS domain registrar.
C.
Create the SOA record in contoso.com.
D.
Modify the NS records in the DNS domain registrar.
Correct Answer:
D
Reference:
https://docs.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns
 
js_indore
Highly Voted 
3 weeks, 2 days ago
D. Modify the NS records in the DNS domain registrar.
upvoted 5 times
 
ohana
Most Recent 
4 days, 6 hours ago
Took the exam today, 17 Oct. This question came out. Ans: D
upvoted 2 times
 
Eltooth
1 week ago
Correct answer - D. Registrar “owns” the tld and will have their NS registered against the domain by default. By changing the registrar NS records
to point to your Azure DNS NS records you take ownership into your Azure DNS.
upvoted 2 times
 
rrabeya
2 weeks, 2 days ago
SOA: Start of [a zone of] authority record. Specifies authoritative information about a DNS zone, including the primary name server, the email of the
domain administrator, the domain serial number, and several timers relating to refreshing the zone.
NS: Name server record. Delegates a DNS zone to use the given authoritative name servers
which leaves A and D

upvoted 1 times
HOTSPOT -
You have an Azure subscription that contains a storage account named storage1. The subscription is linked to an Azure Active Directory (Azure
AD) tenant named contoso.com that syncs to an on-premises Active Directory domain.
The domain contains the security principals shown in the following table.
In Azure AD, you create a user named User2.
The storage1 account contains a file share named share1 and has the following configurations.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal
 
ech
Highly Voted 
3 weeks, 2 days ago
Yo cannot give share-level priviledges to a computer object. Ans is correct.
upvoted 11 times
HOTSPOT -
You have an Azure subscription named Subscription1 that contains a virtual network VNet1.
You add the users in the following table.
Which user can perform each configuration? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: User1 and User3 only.
User1: The Owner Role lets you manage everything, including access to resources.
User3: The Network Contributor role lets you manage networks, including creating subnets.
Box 2: User1 only.
The Security Admin role: In Security Center only: Can view security policies, view security states, edit security policies, view alerts and
recommendations, dismiss alerts and recommendations.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles https://docs.microsoft.com/en-us/azure/role-based-access-
control/resource-provider-operations#microsoftnetwork
 
pakman
Highly Voted 
3 weeks, 2 days ago
Correct.
Security admin can't add subnets.
Only owner can assign roles.

upvoted 9 times
 
Beng_ali
Most Recent 
2 weeks, 4 days ago
Came up on my exam today on 02/10/21, answer is correct.
upvoted 1 times
 
Tyler2021
2 weeks, 4 days ago
Thanks for sharing. Have the questions changed a lot after the exam content was updated?
upvoted 2 times
HOTSPOT -
You have the Azure resources shown on the following exhibit.
You plan to track resource usage and prevent the deletion of resources.
To which resources can you apply locks and tags? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:

Box 1: Sub1, RG1, and VM1 only -
You can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying
critical resources.
Box 2: Sub1, RG1, and VM1 only -
You apply tags to your Azure resources, resource groups, and subscriptions.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json https://docs.microsoft.com/en-
us/azure/azure-resource-manager/management/tag-resources?tabs=json
 
GepeNova
2 weeks, 4 days ago
Correct answer.
Only can assign locks and tags to subscriptions, resource groups and resources. Tested in lab
upvoted 3 times
 
Omar_Aladdin
3 weeks ago
Answer is correct, both Tags and Locks are available to Subscriptions, Resource Groups, and Resources..
See FIRST Paragraph in both Refs
Ref Locks:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json
Ref Tags:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json
Topicupvoted 2 times
Set 3
3 - Question
 
Aymenwerg
3 weeks ago
Locks are applied at subscription, resource group, or resource level to prevent users from accidentally deleting or modifying critical resources.
You can set the lock level to CanNotDelete or ReadOnly.
Also tags, the same "answer correct"

upvoted 2 times
Question #1 Topic 3
You have an Azure Storage account named storage1 that contains a blob container named container1.
You need to prevent new content added to container1 from being modified for one year.
What should you configure?
A.
the access tier
B.
an access policy
C.
the Access control (IAM) settings
D.
the access level
Correct Answer:
B
Reference:
https://docs.microsoft.com/en-us/azure/storage/blobs/immutable-storage-overview?tabs=azure-portal
 
breakerboyz09
Highly Voted 
3 weeks, 2 days ago
B is correct.
Because Access policy can set retention policy.

upvoted 8 times
Question #2 Topic 3
HOTSPOT -
You have an Azure Storage account named storage1 that contains a blob container. The blob container has a default access tier of Hot. Storage1
contains a container named conainer1.
You create lifecycle management rules in storage1 as shown in the following table.
You perform the actions shown in the following table.
Hot Area:
Correct Answer:
 
NZure
Highly Voted 
3 weeks, 1 day ago
I don't think this is correct
Rule1 archives blobs(aka files) after 2 days of inactivity and deletes after 9
Rule2 moves to cool tier after 3 days and archive tier after 9
Of the three files, Rule1 only applies to Dep1File1.docx, while the other files have Rule2 applied.
The question asks if you can read the files on the 10th, not if they still exist. Files in the archive tier CANNOT be read as documented by Microsoft:
"While a blob is in archive storage, the blob data is offline and can't be read or modified. To read or download a blob in archive, you must first
rehydrate it to an online tier."
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers
Dep1File1.docx was last updated 8 days ago, and would be in archive tier
File2.docx was last updated 5 days ago, and would be in cool tier
File3.docx was last updated 8 days ago and would be in cool tier
Dep1File1 > No cannot be read
File2 > Yes cannot be read
File3 > Yes can be read

upvoted 19 times
 
szutsattila
2 weeks, 2 days ago
Isn't it technically still readable because it still exists. You can read it, but first you have to bring it back online. I totally get your explanation, my
argument is that the question was phrased poorly. If you negate the current question with "On October 10, you can't read Dep1File1.docx" then
the answer would be No, because it implies that the file doesn't exist, thus this answer is Yes.
upvoted 3 times
 
jecaine
3 weeks ago
i'm so sick of this site and their questionable answers. Sigh. i never know who to trust, the site or the forum.
upvoted 4 times
 
omw2wealth
2 weeks, 5 days ago
Why 'sick' lol, you just should trust your logic when it comes to the website answers&the discussions.
upvoted 2 times
 
Quantigo
Highly Voted 
3 weeks, 1 day ago
Correct Answer N Y Y
Dep1File1 is hit by rule 1 which will archive the file by the 10th rendering it unreadable
File 2 and file3 are missed by the first rule and gets hit by the 2nd rule, which will make them still readable by the 10th
https://docs.microsoft.com/en-us/azure/storage/blobs/archive-rehydrate-
overview#:~:text=While%20a%20blob%20is%20in,the%20hot%20or%20cool%20tier.
upvoted 8 times
 
Maggie121
Most Recent 
Answer N,Y,Y
While a blob is in the archive tier, it can't be read or modified. To read or download a blob in the archive tier, you must first rehydrate it to an
online tier, either hot or cool. Data in the archive tier can take up to 15 hours to rehydrate. For more information about blob rehydration, see
Overview of blob rehydration from the archive tier.
An archived blob's metadata remains available for read access, so that you can list the blob and its properties, metadata, and index tags. Metadata
for a blob in the archive tier is read-only, while blob index tags can be read or written. Snapshots are not supported for archived blobs.
Link: https://docs.microsoft.com/en-us/azure/storage/blobs/access-tiers-overview
upvoted 1 times
 
Invisired
Correct. Yes, Yes and Yes.
Dep1File1 - 8 Days - Archive (can read)
File 3 - 8 Days - Cool (can read)
File 2 - 5 Days - Cool (can read)
https://docs.microsoft.com/en-us/learn/modules/configure-blob-storage/4-create-blob-access-tiers?ns-enrollment-type=LearningPath&ns-
enrollment-id=learn.az-104-manage-storage
upvoted 2 times
 
alex_p
ARHIVE TIER - While a blob is in the archive tier, it can't be read or modified. To read or download a blob in the archive tier, you must first
rehydrate it to an online tier, either hot or
cool. Data in the archive tier can take up to 15 hours to rehydrate. https://docs.microsoft.com/en-us/azure/storage/blobs/access-tiers-overview
upvoted 1 times
 
theOldOne
1 week, 5 days ago
Dep1File1.docx was last modified on Oct 2. It matches Rule 1. On Oct 4 it gets archived and is unavailable for read unless it gets re-hydrated which
is not in the question. It cannot be read.
File2.docx is edited on Oct 5. It matches Rule2. On Oct 8 it is moved to Cool storage and is still there on Oct 10. It can be read.
File3.docx is edited on Oct 2. It matches Rule2. On Oct 5th it gets moved to Cool storage and is still there on Oct 10. It can be read.
N-Y-Y
upvoted 2 times
 
asdfgh1_qwerty
1 week, 5 days ago
Answer is correct.
On Oct 10th you can read Dep1File1.docx. Answer is Yes.
 Reason, on Oct 1st file was uploaded, Rule 1 & Rule 2 will not get applied, because on Oct 2nd, file was edited. Dep1File1.docx is available to
read as on 10th Oct.
On Oct 10th you can read File2.docx. Answer is Yes.
 Reason, on Oct 1st file was uploaded, Rule 2 gets applied. On Oct 5th, file was edited. File2.docx is available to read as on 10th Oct.
On Oct 10th you can read File3.docx. Answer is Yes.
 Reason, on Oct 1st file was uploaded, Rule 1 & Rule 2 will not get applied, because on Oct 2nd, file was edited. File3.docx is available to read as
on 10th Oct.
upvoted 1 times
 
GepeNova
2 weeks, 4 days ago
Correct answer I tried the scenario.
Rules conditions never applied to those files so were not moved and blob never deleted.
upvoted 4 times
 
js_indore
3 weeks ago
While a blob is in archive storage, the blob data is offline and can't be read or modified. To read or download a blob in archive, you must first
rehydrate it to an online tier. You can't take snapshots of a blob in archive storage.
upvoted 3 times
 
Omar_Aladdin
3 weeks ago
The correct Answer should be:
(First, everything affected by Rule2 is STILL accessible/readable but with a high cost per read
Ref: https://docs.microsoft.com/en-us/learn/modules/configure-blob-storage/4-create-blob-access-tiers?ns-enrollment-type=LearningPath&ns-
enrollment-id=learn.az-104-manage-storage)
YES: Both Dep1File.docx and File3.docx aren't affected by Both Rule1/Rule2 because they're modified on October 2... makes it 8 days on October 10

YES:
File2.docx is edited on October 5, it will escape "Rule1-Deletion" also then it is Accessible/Readable, "Cool/Archive tiers are Readable but with High
Cost"
Yes:
File3.docx isn't affected by Rule1-Deletetion; then regardless of the tier, it is STILL Readable/Accessible
Plz reply if I was wrong, so that others will know

upvoted 2 times
 
alex_p
2 weeks, 3 days ago
Dep1File1 is affected by Rule1. By October 10 it will be in the Archive tier and will not be accessible normally.
upvoted 1 times
 
NZure
3 weeks, 1 day ago
I don't think this is correct
Rule1 archives blobs(aka files) after 2 days of inactivity and deletes after 9
Rule2 moves to cool tier after 3 days and archive tier after 9
Of the three files, Rule1 only applies to Dep1File1.docx, while the other files have Rule2 applied.
The question asks if you can read the files on the 10th, not if they still exist. Files in the archive tier CANNOT be read as documented by Microsoft:
"While a blob is in archive storage, the blob data is offline and can't be read or modified. To read or download a blob in archive, you must first
rehydrate it to an online tier."
Dep1File1.docx was last updated 8 days ago, and would be in archive tier
File2.docx was last updated 9 days ago, and would be in archive tier
File3.docx was last updated 8 days ago and would be in cool tier
Dep1File1 > No cannot be read
File2 > No cannot be read
File3 > Yes can be read

upvoted 3 times
 
jecaine
3 weeks, 2 days ago
crap. this is a new question, and from reading it, I think it should be N.N.N since the rule says if the files aren't edited for 2 days after being
uploaded they should go into the archive tier where they are kept offline and aren't accessible. why is it Y.Y.Y?
upvoted 2 times
 
Omar_Aladdin
3 weeks ago
Archive tier objects are accessible:
Ref:
https://docs.microsoft.com/en-us/learn/modules/configure-blob-storage/4-create-blob-access-tiers?ns-enrollment-type=LearningPath&ns-
But whoever sees this plz see my independent reply

upvoted 1 times
Question #3 Topic 3
You have an on-premises server that contains a folder named D:\Folder1.
You need to copy the contents of D:\Folder1 to the public container in an Azure Storage account named contosodata.
Which command should you run?
A.
https://contosodata.blob.core.windows.net/public
B.
azcopy sync D:\folder1 https://contosodata.blob.core.windows.net/public --snapshot
C.
azcopy copy D:\folder1 https://contosodata.blob.core.windows.net/public --recursive
D.
az storage blob copy start-batch D:\Folder1 https://contosodata.blob.core.windows.net/public
Correct Answer:
C
The azcopy copy command copies a directory (and all of the files in that directory) to a blob container. The result is a directory in the container
by the same name.
Incorrect Answers:
B: The azcopy sync command replicates the source location to the destination location. However, the file is skipped if the last modified time in
the destination is more recent.
D: The az storage blob copy start-batch command copies multiple blobs to a blob container.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-blobs https://docs.microsoft.com/en-
us/azure/storage/common/storage-ref-azcopy-copy
 
naveener
Highly Voted 
copies a directory (and all of the files in that directory) to a blob container:-
azcopy copy 'C:\myDirectory' 'https://mystorageaccount.blob.core.windows.net/mycontainer' --recursive
To copy to a directory within the container :-
azcopy copy 'C:\myDirectory' 'https://mystorageaccount.blob.core.windows.net/mycontainer/myBlobDirectory' --recursive

upvoted 33 times
 
Shailen
Basically given answer is correct.
upvoted 3 times
 
mlantonis
Highly Voted 
5 months ago
Correct Answer: C
A: URL of the Storage Account.

B: The azcopy sync command replicates the source location to the destination location. However, the file is skipped if the last modified time in the
destination is more recent.
C: The azcopy copy command copies a directory (and all the files in that directory) to a blob container. The result is a directory in the container by
the same name.
D: The az storage blob copy start-batch command copies multiple blobs to a blob container.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-blobs
https://docs.microsoft.com/en-us/azure/storage/common/storage-ref-azcopy-copy
upvoted 28 times
 
silver_bullet666
Most Recent 
1 month, 1 week ago
C is correct and --snapshot is NOT even a valid switch, version AzCopy 10.12.1
upvoted 1 times
 
kevin9988
azcopy cp instead of azcopy copy
upvoted 2 times
 
Jotess
This question was on Jul 23, 2021 - passed the exam. Answers given by fedztedz and mlantonis are correct.
upvoted 6 times
 
mkoprivnj
Recursive!
upvoted 2 times
 
mg
Answer is correct
AzCopy recursive
upvoted 5 times
 
ZUMY
C is correct
upvoted 5 times
 
Wizard69
Answer is correct.
az copy with --recursive

upvoted 2 times
 
toniiv
C. is correct. Last command (az storage blob copy) is used only to copy blobs to a blob container. Azcopy should be used with the copy flag.
upvoted 2 times
 
fedztedz
Answer is correct. "C"
Azcopy copy --recursive.

upvoted 7 times
 
Borbz
Answer is correct!
upvoted 2 times
 
KarthikExams
1 year ago
copy with recursive
upvoted 4 times
 
MikeHugeNerd
In Exam August 17th
upvoted 12 times
Question #4 Topic 3
In the Azure portal, you plan to create a storage account named storage1 that will have the following settings:
✑ Performance: Standard
✑ Replication: Zone-redundant storage (ZRS)
✑ Access tier (default): Cool
✑ Hierarchical namespace: Disabled
You need to ensure that you can set Account kind for storage1 to BlockBlobStorage.
Which setting should you modify first?
A.
Performance
B.
Replication
C.
Access tier (default)
D.
Hierarchical namespace
Correct Answer:
A
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview https://docs.microsoft.com/en-
us/azure/storage/blobs/storage-blob-performance-tiers
 
sk1803
Highly Voted 
3 weeks ago
Answer is correct
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-create?tabs=azure-portal
Select Standard performance for general-purpose v2 storage accounts (default). This type of account is recommended by Microsoft for most
scenarios. For more information, see Types of storage accounts.
Select Premium for scenarios requiring low latency. After selecting Premium, select the type of premium storage account to create. The following
types of premium storage accounts are available:
Block blobs
File shares
Page blobs
upvoted 6 times
 
rrabeya
Most Recent 
2 weeks, 2 days ago
Answer A - Performance
upvoted 1 times
Question #5 Topic 3
You have an Azure subscription named Subscription1 that contains the storage accounts shown in the following table:
You plan to use the Azure Import/Export service to export data from Subscription1.
You need to identify which storage account can be used to export the data.
What should you identify?
A.
storage1
B.
storage2
C.
storage3
D.
storage4
Correct Answer:
D
Azure Import/Export service supports the following of storage accounts:

✑ Standard General Purpose v2 storage accounts (recommended for most scenarios)
✑ Blob Storage accounts
✑ General Purpose v1 storage accounts (both Classic or Azure Resource Manager deployments),
Azure Import/Export service supports the following storage types:
✑ Import supports Azure Blob storage and Azure File storage
✑ Export supports Azure Blob storage
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-requirements
 
mlantonis
Highly Voted 
5 months ago
Correct Answer: D
✑ Export supports Azure Blob storage. Azure Files not supported.
Only storage4 can be exported.
Reference:
upvoted 45 times
 
suriyaswamy
Very useful Info
upvoted 1 times
 
nfett
Highly Voted 
From the provided link. I assume since they table in the question notes "Storage" its being disregarded as an invalid option. Thus the answer blob
appears to be correct.
Standard General Purpose v2 storage accounts (recommended for most scenarios)
Blob Storage accounts

upvoted 8 times
 
ohana
Most Recent 
4 days, 6 hours ago
Took the exam today, 17 Oct. This question came out. Ans: D
upvoted 1 times
 
khengoolman
1 week, 3 days ago
Passed 11 Oct 2021 with 947. This question appeared, correct Answer is D
q pp
upvoted 1 times
 
iamnivas
1 week, 1 day ago
are these questions in the dump still relevant?
upvoted 1 times
 
Kamex009
upvoted 2 times
 
anonza_dumps
2 months ago
upvoted 3 times
 
AubinBakana
2 months ago
Easy, this one. Think Hard Disk. The files don't have to be in a particular order. It has to BLOB
upvoted 1 times
 
wsscool
in exam 7/3/2021
upvoted 2 times
 
Shiven12
upvoted 2 times
 
mkoprivnj
Blob is correct. #4
upvoted 1 times
Question #6 Topic 3
HOTSPOT -
You have Azure Storage accounts as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
Hot Area:
Correct Answer:
Box 1: storageaccount1 and storageaccount2 only
Box 2: All the storage accounts -
Note: The three different storage account options are: General-purpose v2 (GPv2) accounts, General-purpose v1 (GPv1) accounts, and Blob
storage accounts.
✑ General-purpose v2 (GPv2) accounts are storage accounts that support all of the latest features for blobs, files, queues, and tables.
✑ Blob storage accounts support all the same block blob features as GPv2, but are limited to supporting only block blobs.
✑ General-purpose v1 (GPv1) accounts provide access to all Azure Storage services, but may not have the latest features or the lowest per
gigabyte pricing.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-options
 
fedztedz
Highly Voted 
Answer is correct.
- Storage account 1 & 2
- All storage accounts.

upvoted 48 times
 
JayBee65
Why do you say that?
upvoted 1 times
 
Shailen
Since question 1 is to store table storage which can't be done in blob storage account (blob storage is the premium storage which is either
block blob, append blob or page blob). refer https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction#blob-
storage-resources
upvoted 4 times
 
Saravana12g
1 month ago
Why do you ask that?
It's correct...
upvoted 1 times
 
Omar_Aladdin
1 month ago
Hey, What's the problem with asking. That's not acceptable
upvoted 6 times
 
joydeep1
Highly Voted 
Exam - Asked today
upvoted 14 times
 
ScoutP
Most Recent 
2 weeks, 4 days ago
upvoted 1 times
 
Beng_ali
2 weeks, 4 days ago
Came up on my exam today 02/10/21. Answer is correct.
upvoted 1 times
 
Kamex009
upvoted 2 times
 
AubinBakana
2 months ago
Easy - The whole point of creating a storage account of type BlobStorage is so you maximize on blob service, not Queue, Table or File. Storage type
is a cheaper more basic version of Storage V2.
upvoted 1 times
 
org_sam
Answer Correct.
Standard general-purpose v2 Blob (including Data Lake Storage1), Queue, and Table storage, Azure Files
Standard general-purpose v1 Blob, Queue, and Table storage, Azure Files
Standard Blob storage Blob storage (block blobs and append blobs only)
upvoted 2 times
 
mkoprivnj
Answer is correct.
- Storage account 1 & 2
- All storage accounts.

upvoted 3 times
 
JayBee65
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview shows
Standard general-purpose v2 Blob (including Data Lake Storage1), Queue, and Table storage, Azure Files
Standard general-purpose v1 Blob, Queue, and Table storage, Azure Files
Standard Blob storage Blob storage (block blobs and append blobs only)
So 1 and 2
upvoted 1 times
 
modiallo
Box 2: All the storage accounts
upvoted 2 times
 
JayBee65
upvoted 2 times
 
mlantonis
5 months ago
Correct Answer:
Box 2: All the storage accounts

upvoted 10 times
 
JayBee65
upvoted 1 times
 
mg
answers are correct
upvoted 2 times
 
ZUMY
Answer given is correct!
upvoted 2 times
 
toniiv
Both answers are correct
upvoted 3 times
 
waterzhong
General-purpose v2 accounts: Basic storage account type for blobs, files, queues, and tables. Recommended for most scenarios using Azure
Storage.
General-purpose v1 accounts: Legacy account type for blobs, files, queues, and tables. Use general-purpose v2 accounts instead when possible.
upvoted 3 times
 
waterzhong
✑ General-purpose v2 (GPv2) accounts are storage accounts that support all of the latest features for blobs, files, queues, and tables.
✑ General-purpose v1 (GPv1) accounts provide access to all Azure Storage services, but may not have the latest features or the lowest per
gigabyte pricing.
upvoted 1 times
 
Ikrom
For the Box1: Storage1 and Storage2 because:
*** Storage1:
- General-purpose v1 accounts: Legacy account type for blobs, files, queues, and tables. Use general-purpose v2 accounts instead when possible.
*** Storage2:
- General-purpose v2 accounts: Basic storage account type for blobs, files, queues, and tables. Recommended for most scenarios using Azure
Storage.
upvoted 6 times
Question #7 Topic 3
You have Azure subscription that includes data in following locations:
You plan to export data by using Azure import/export job named Export1.
You need to identify the data that can be exported by using Export1.
Which data should you identify?
A.
DB1
B.
container1
C.
share1
D.
Table1
Correct Answer:
B
 
Anon6969
Highly Voted 
Blobs are only type of storage which can be exported.
upvoted 46 times
 
fedztedz
Highly Voted 
Answer is correct. B - Blob Container.
For Azure file share, it is tricky as it is mentioned Azure Files can be used for export and import. But I tested especially with file share and it doesn't
work. Maybe work for storage account with type file or something. but not Azure file shares.
upvoted 42 times
 
Kamex009
Most Recent 
upvoted 2 times
 
AubinBakana
2 months ago
Binary Large Objects are the simplest for unstructured data. That's why they are the choice for Import/Export
upvoted 1 times
 
Jotess
upvoted 4 times
 
Shiven12
upvoted 3 times
 
mkoprivnj
Container!
upvoted 1 times
 
modiallo
Blobs are only type of storage which can be exported using Azure Import/Export
upvoted 3 times
 
Bon_
Yes, this is right!!
Blobs == import/export
Files == import only

upvoted 2 times
 
ShehuUsman
5 months ago
File share supports only import but not export. While blob supports import and export. So answer is correct
upvoted 4 times
 
mlantonis
5 months ago
Correct Answer: B
✑ Export supports Azure Blob storage. Azure Files not supported.
Only container1 can be exported.
Reference:
upvoted 22 times
 
bacana
7 months ago
"Each app uses a managed identity" it not say what identity is using.
upvoted 1 times
 
marvinconejo
The response Is B
upvoted 1 times
 
mg
Answer is correct.
Blob container
upvoted 1 times
 
examhater
get rid of these false answers, this stuff is unreadable.
upvoted 3 times
 
Wizard69
Answer is B - Container 1. You can only EXPORT blobs
upvoted 2 times
 
Twigs
B
https://docs.microsoft.com/en-us/azure/import-export/storage-import-export-service#inside-an-export-
job:~:text=The%20service%20only%20supports%20export%20of%20Azure%20Blobs.%20Export%20of%20Azure%20files%20is%20not%20supporte
d.
upvoted 1 times
 
ZUMY
B is correct!
Only Blob type data/Container supported Export/import for now

upvoted 1 times
Question #8 Topic 3
HOTSPOT -
You have an Azure Storage account named storage1.
You have an Azure App Service app named App1 and an app named App2 that runs in an Azure container instance. Each app uses a managed
identity.
You need to ensure that App1 and App2 can read blobs from storage1. The solution must meet the following requirements:
✑ Minimize the number of secrets used.
✑ Ensure that App2 can only read from storage1 for the next 30 days.
What should you configure in storage1 for each app? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:

App1: Access keys -
App2: Shared access signature (SAS)
A shared access signature (SAS) provides secure delegated access to resources in your storage account without compromising the security of
your data. With a
SAS, you have granular control over how a client can access your data. You can control what resources the client may access, what permissions
they have on those resources, and how long the SAS is valid, among other parameters.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview
 
Andersonalm
Highly Voted 
I think App1 should access storage1 over IAM with managed identity. The requirement is minimize the number of secrets used...
upvoted 86 times
 
Micah7
2 months ago
In reference to the first part of this question (App1):
I found this page under "Identity and access management" to be spot on: https://docs.microsoft.com/en-us/azure/storage/blobs/security-
recommendations#identity-and-access-management
App1 answer: IAM
App2 answer: SAS (only way you can implement a time limit)
upvoted 5 times
 
diligent176
Yes, and especially since they say "apps can read blobs from storage1"...
So, IAM is supported in that case and requires no secrets to keep.
App1 = IAM / RBAC and App2 = SAS
https://docs.microsoft.com/en-us/azure/storage/common/storage-auth
upvoted 17 times
 
Tranquillo1811
If you use IAM then for each access request a new token is requested by the service account. Hence for each access request a new token (a new
secret) is used.
if you use the access keys though, it is always the very same secret is used.
Hence I'd say that "Access Keys" is the correct choice for App1...
upvoted 6 times
 
RamanAgarwal
You can use managed identity to access storage so this way you dont have to create a token anytime you want to access the storage
account.
upvoted 4 times
 
prashantjoge
That's what I thought too
upvoted 3 times
 
mlantonis
Highly Voted 
5 months ago
Correct Answer:
Box 1: Access Control (IAM)
Since the App1 uses Managed Identity, App1 can access the Storage Account via IAM. As per requirement, we need to minimize the number of
secrets used, so Access keys is not ideal.
Box 2: Shared access signatures (SAS)
We need temp access for App2, so we need to use SAS.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-auth
upvoted 47 times
 
Gyanshukla
2 months ago
mlantonis - Your answers are awesome :)
upvoted 1 times
 
sreekan
this is absolute!!!
upvoted 3 times
 
ohana
Most Recent 
4 days, 6 hours ago
Took the exam today, 17 Oct. This question came out.
Ans:
App1: IAM,
App2: SAS
upvoted 4 times
 
khengoolman
1 week, 3 days ago
Passed 11 Oct 2021 with 947. This question appeared, correct Answer is IAM, next is SAS
upvoted 1 times
 
ttakase
2 weeks, 3 days ago
You want to add access to the Azure data plane (Azure Storage, Azure SQL Database, Azure Key Vault, or other services) from your web app. You
could use a shared key, but then you have to worry about operational security of who can create, deploy, and manage the secret. It's also possible
that the key could be checked into GitHub, which hackers know how to scan for. A safer way to give your web app access to data is to use
managed identities.
https：//docs.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-storage?tabs=azure-portal％2Ccommand-line
upvoted 1 times
 
Mukesh_Aggarwal_07
3 weeks, 4 days ago
IAM for App 1
SAS for App2

upvoted 3 times
 
Test1105
Passed this exam by referring these questions. Just read comment section for correct answers.
upvoted 2 times
 
avdevops
was asked in 26/06/2021
upvoted 1 times
 
Kamex009
upvoted 2 times
 
JeeBee
great help !
upvoted 1 times
 
AubinBakana
2 months ago
You use Access Keys & set RBAC for Web App1
SAS token and Access Policy for Web App2.
Answer is correct.
upvoted 3 times
 
barcellos
✑ Minimize the number of secrets used.
✑ Ensure that App2 can only read from storage1 for the next 30 days.
Note
Microsoft recommends that you use Azure AD credentials when possible as a security best practice, rather than using the account key, which can
be more easily compromised. When your application design requires shared access signatures for access to Blob storage, use Azure AD credentials
to create a user delegation SAS when possible for superior security. For more information, see Authorize access to data in Azure Storage.
IAM and SAS
upvoted 2 times
 
ctux
Agree. The key in the question is "Each app uses a managed identity."
upvoted 3 times
 
barcellos
Note
Microsoft recommends that you use Azure AD credentials when possible as a security best practice, rather than using the account key, which can
be more easily compromised. When your application design requires shared access signatures for access to Blob storage, use Azure AD credentials
to create a user delegation SAS when possible for superior security. For more information, see Authorize access to data in Azure Storage.
IAM and SAS the correct Answer

upvoted 1 times
 
Parry11
Access keys is the wrong answer. Should be IAM for App 1 because we have to minimize the number of secrets being used
upvoted 1 times
 
wsscool
in exam 7/3/2021, answered IAM for app1 and SAS for app2. passed with 906
upvoted 7 times
 
Delanase
4 months ago
app1-IAM
upvoted 1 times
 
Delanase
4 months ago
app1>>IAM
upvoted 1 times
 
mkoprivnj
IAM + SAS!
upvoted 2 times
Question #9 Topic 3
HOTSPOT -
You need to create an Azure Storage account that meets the following requirements:
✑ Minimizes costs
✑ Supports hot, cool, and archive blob tiers
✑ Provides fault tolerance if a disaster affects the Azure region where the account resides
How should you complete the command? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:

Box 1: StorageV2 -
You may only tier your object storage data to hot, cool, or archive in Blob storage and General Purpose v2 (GPv2) accounts. General Purpose v1
(GPv1) accounts do not support tiering.
General-purpose v2 accounts deliver the lowest per-gigabyte capacity prices for Azure Storage, as well as industry-competitive transaction
prices.
Box 2: Standard_GRS -
Geo-redundant storage (GRS): Cross-regional replication to protect against region-wide unavailability.
Incorrect Answers:
Locally-redundant storage (LRS): A simple, low-cost replication strategy. Data is replicated within a single storage scale unit.
Read-access geo-redundant storage (RA-GRS): Cross-regional replication with read access to the replica. RA-GRS provides read-only access to
the data in the secondary location, in addition to geo-replication across two regions, but is more expensive compared to GRS.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-grs https://docs.microsoft.com/en-
us/azure/storage/blobs/storage-blob-storage-tiers
 
ihavespoken
Highly Voted 
Keep in mind the question is mentioning the minimize cost, even though Storage v2 and blob both can support the hot, cool, and archive but
Storage V2 is lowest cost. so answer is correct.
upvoted 42 times
 
sidharthwader
Yes GPv2 gives the storage in least price with latest features.
upvoted 1 times
 
JayBee65
This calculator shows the same price for Storage v2 as Blob Storage: https://azure.microsoft.com/en-gb/pricing/calculator/?service=storage
upvoted 1 times
 
Aniruddha_dravyakar
8 months ago
agreed
upvoted 1 times
 
jelly_baby
agreed
upvoted 2 times
 
mlantonis
Highly Voted 
5 months ago
Correct Answer:
Box 1: StorageV2
Box 2: Standard_GRS
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-grs
upvoted 22 times
 
fabylande
Most Recent 
1 day, 18 hours ago
upvoted 1 times
 
orion1024
4 weeks, 1 day ago
Wouldn't RAGRS be cheaper than GRS, while still providing the requested redundancy ?
upvoted 1 times
 
AubinBakana
2 months ago
I think this question is outdated because Azure does not allow for no other than Storage V2 now. The answer is correct though: Storage V2,
Standard_GRS.
upvoted 3 times
 
Kp9696
StorageV2 and GRS are the correct answers.
upvoted 1 times
 
y_dev
Answers are correct for both questions.
upvoted 1 times
 
achmadirvanp
upvoted 3 times
 
achmadirvanp
upvoted 2 times
 
BenStokes
The question mentioned about minimizing cost, even though Storage v2 and blob both can support the hot, cool, and archive but Storage V2 is at
lower cost.
Also, GPv2 gives the storage in least price with latest features.
upvoted 1 times
 
mkoprivnj
StorageV2 + GRS
upvoted 1 times
 
saddamakhtar
upvoted 1 times
 
StefanDoh
Answer is correct.
upvoted 1 times
 
mg
Answer is correct.
upvoted 2 times
 
ZUMY
Keep in mind the question is mentioning the minimize cost, even though Storage v2 and blob both can support the hot, cool, and archive but
Storage V2 is lowest cost. so answer is correct
upvoted 6 times
 
ZUMY
upvoted 3 times
 
toniiv
Both answers are perfectly correct.
upvoted 3 times
You have an Azure subscription that contains the resources in the following table.
Store1 contains a file share named data. Data contains 5,000 files.
You need to synchronize the files in the file share named data to an on-premises server named Server1.
Which three actions should you perform? Each correct answer presents part of the solution.
A.
Create a container instance
B.
Register Server1
C.
Install the Azure File Sync agent on Server1
D.
Download an automation script
E.
Create a sync group
Correct Answer:
BCE
Step 1 (C): Install the Azure File Sync agent on Server1
The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share
Step 2 (B): Register Server1.
Register Windows Server with Storage Sync Service
Registering your Windows Server with a Storage Sync Service establishes a trust relationship between your server (or cluster) and the Storage
Sync Service.
Step 3 (E): Create a sync group and a cloud endpoint.
A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept in sync with each other. A sync group must
contain one cloud endpoint, which represents an Azure file share and one or more server endpoints. A server endpoint represents a path on
registered server.
Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide
 
mlantonis
Highly Voted 
5 months ago
Correct Answer: B, C and E
Step 1: Install the Azure File Sync agent on Server1. The Azure File Sync agent is a downloadable package that enables Windows Server to be
synced with an Azure file share.
Step 2: Register Server1. Register Windows Server with Storage Sync Service. Registering your Windows Server with a Storage Sync Service
establishes a trust relationship between your server and the Storage Sync Service.
Step 3: Create a sync group and a cloud endpoint. A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept
in sync with each other. A sync group must contain one cloud, which represents an Azure file share and one or more server endpoints. A server
endpoint represents a path on registered server.
Reference:
upvoted 55 times
 
WYLC
Highly Voted 
that's correct!
upvoted 22 times
 
Beng_ali
Most Recent 
2 weeks, 4 days ago
Came up on my exam today 02/10/21, answer is correct.
upvoted 1 times
 
myself222
2 weeks, 5 days ago
all hail mlantonis
upvoted 1 times
 
swapmaverick
1 month, 1 week ago
Correct Answer is B, C and E
To all Azure knowledge seeker - Kindly follow mlantonis user's answer in discussion board, he has nailed all the answers correctly. Thanks
mlantonis.
upvoted 1 times
 
AubinBakana
2 months ago
The answer is a little simplified as you've got to add endpoints, create sync groups, etc., but that's not what they wish to know. I guess they're just
trying to establish if you know the fundamentals of Azure File Sync. The answer is correct.
upvoted 1 times
 
wsscool
in exam 7/3/2021, I think the third choice was to add server1
upvoted 5 times
 
EderAprigio
1 month ago
tks for share
upvoted 1 times
 
mkoprivnj
BCE is correct!
upvoted 2 times
 
modiallo
Correct
upvoted 1 times
 
nfett
verified answer is correct from the provided link.
upvoted 3 times
 
saddamakhtar
Answer Correct!
upvoted 2 times
 
mg
Answer sequence should be CBE
Step 1: Install the Azure File Sync agent on Server1. The Azure File Sync agent is a downloadable package that enables Windows Server to be
synced with an Azure file share.
Step 2: Register Server1. Register Windows Server with Storage Sync Service. Registering your Windows Server with a Storage Sync Service
establishes a trust relationship between your server and the Storage Sync Service.
Step 3: Create a sync group and a cloud endpoint. A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept
in sync with each other. A sync group must contain one cloud , which represents an Azure file share and one or more server endpoints. A server
endpoint represents a path on registered server.
upvoted 4 times
 
ZUMY
upvoted 2 times
 
toniiv
C. B. E. Should be the correct sequence.
upvoted 2 times
 
mikl
Agree!
upvoted 1 times
 
mag1300
CBE IS correct.
upvoted 3 times
 
fedztedz
Answer is correct
upvoted 4 times
HOTSPOT -
You have an Azure subscription that contains the resources shown in the following table.
The status of VM1 is Running.
You assign an Azure policy as shown in the exhibit. (Click the Exhibit tab.)
You assign the policy by using the following parameters:
Microsoft.ClassicNetwork/virtualNetworks
Microsoft.Network/virtualNetworks
Microsoft.Compute/virtualMachines
Hot Area:
Correct Answer:

 
bogdan89
Highly Voted 
Y-N-N tested today in a LAB.
upvoted 102 times
 
rawrkadia
Labbed just b/c so many people disagreed, you're right.
Y - Can freely change address space and subnets
N - Does not deallocate, is marked noncompliant
N - Cannot move, fails during validation due to policy restriction

upvoted 7 times
 
rawrkadia
Woof ignore this. I started to second guess on this run through the questions and labbed it.
"Cloud lag" on policies is very high. Tested this at the 15m mark, same results. Tested again at the 1hr mark and can confirm its NNN
N - Once policy fully applies, changes to the address space (addition, deletion, modification) fail. Changes to subnets seem to succeed.
N - Again, VM just marked noncompliant.
N - Movement still fails.

upvoted 15 times
 
signalincode
Lab tested, mother approved. N-N-N
upvoted 5 times
 
zzzzzz12345
Makes sense - thanks
upvoted 1 times
 
zzzzzz12345
Notice this built-in policy has effect "deny", so policy is checked at resource-creation or resource-update (for resources within scope,
RG2). But will never *change* existing resources (that would be remediation probably, not this case)
upvoted 1 times
 
Diego19
Y-N-N is right. I have also tested it in LAB.
upvoted 16 times
 
GDMalled
3 weeks, 2 days ago
Hi,
could you please tell me how to select parameters to assign a policy at subscription/RG scope??
Thank you
upvoted 1 times
 
Acai
You didn't test it right....I mean no offense, my guess is you choose the wrong parameters.
You can not move a virtual network into the another vnet if you apply the policy with the correct parameters.
{"code":"ResourceMovePolicyValidationFailed","message":"Resource move policy validation failed. Please see details. Diagnostic information:
subscription id '1134d0949e-63f2-7b877-8f40b-e445bc202bd6e', request correlation id '8008780447c-6995-4f21-8715-
78164c23454b'.","details":
Change some numbers around because of you cheeky ba...

upvoted 3 times
 
prashantjoge
How can the first be yes... Does not make sense
upvoted 6 times
 
Jovial
at least try in azure before speaking nonsense
upvoted 12 times
 
JayBee65
Maybe explain if you understand why, as it does sound illogical,
upvoted 5 times
 
comin
The answer is wrong.
Just did the test following the same structure as in the question and the answer they give is correct.
Answer: N Y N
Why wouldn't the VM state change to deallocated? You just can't make changes in the Settings section.
upvoted 3 times
 
cnhampule86
For the second point os NO. Tested and the machine is still running and the policy status is Non-compliant.
upvoted 3 times
 
idlir
Highly Voted 
N-N-N
Policy will identify the VM as not compliant but will not put VM in deallocate
upvoted 61 times
 
prashantjoge
I agree. Existing non-compliant resources can be remediated with a remediation task. But no action is taken against them other than to mark
them as non-compliant
upvoted 4 times
 
Somewhatbusy
This is wrong. It is YNN. Moving VNET1 to RG is allowed. I've tested in my tenant.
upvoted 9 times
 
Anon6969
This makes the most sense. Only one I am not sure on is how the policy would modify the change to the address space?
upvoted 3 times
 
Paulohsvieira
Most Recent 
1 week, 1 day ago
Tested now.
N - You can't change address space and subnets
N - VM still UP. Does not deallocate, is marked noncompliant

N - Cannot move, fails during validation due to policy restriction
upvoted 2 times
 
DevOpposite
2 weeks, 3 days ago
I am very new to all this, but when I tested this I got.
N N Y
Created resources as per the table, applied policy as listed.
1. I was not able to move the RG2, it told me policy is in effect
2. State of VM does not change after applying policy
3. I was able to modify the address space of VNET2
I don't know if I have done this correctly or not, please correct me if I am wrong but I will answer N N Y in exam
upvoted 2 times
 
Mukesh_Aggarwal_07
3 weeks, 4 days ago
NO, NO, NO
upvoted 4 times
 
vekmbeplvgihxdnxab
4 weeks, 1 day ago
Resource Manager validates your move request before attempting the move. This validation includes checking policies defined on the resources
involved in the move. For example, if you're attempting to move a key vault but your organization has a policy to deny the creation of a key vault in
the target resource group, validation fails and the move is blocked. The returned error code is RequestDisallowedByPolicy.
upvoted 2 times
 
theOldOne
1 month ago
Regardless of all the back and forth about what really happens in the real world, which answers are they looking for on the test? Everyone should
know by now that the test answer and the real world answer are sometimes not the same thing.
upvoted 1 times
 
julioglez88
1 month ago
Considering the policy created.
Tested on lab, short answer: NO, NO, YES
NO: You should not be able to the VNET1 to RG2, due to policy restriction. You can do it but you must remove the policy first.
NO: The policy will mark the VM as non-compliant but will not change it state, it will not deallocated the VM.
YES: Even if the VNET is in non-compliant state you can still work with the resource.
In the first answer: There was an error moving resources. Resource move policy validation failed. Please see details. Diagnostic information:
Resource 'Vnet1' was disallowed by policy.
upvoted 2 times
 
Saravana12g
1 month, 1 week ago
Box1: No
Question: What does the error code "RequestDisallowedByPolicy" mean?
Resource Manager validates your move request before attempting the move. This validation includes checking policies defined on the resources
involved in the move.
For example, if you're attempting to move a key vault but your organization has a policy to deny the creation of a key vault in the target resource
group, validation fails and the move is blocked. The returned error code is RequestDisallowedByPolicy.
Ref: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-resource-group-and-subscription
upvoted 1 times
 
anoj_cha
N-N-N. Lab-tested today. Have provided actual errors/messages on attempt:
1. Administrator can’t move VNET to RG2. Error message : “Resource 'VNET1' was disallowed by policy. Reasons: 'AJ Policy non compliant.'. “
2. VM simply gets marked as non compliant. I think everyone gets this right.
3. Administrator can’t modify the address space. Error message: “Failed to save address space changes to virtual network 'VNET2'. Error: Resource
'VNET2' was disallowed by policy. Reasons: 'AJ Policy non compliant.'. “
Note: It's important to choose the correct parameters. There're multiple virtual networks and multiple virtual machine options while setting up the
policy.
upvoted 7 times
 
habit
Tested today in Lab.
N - You cannot move VNET1 to RG2 (disallowed by policy).
N - VM1 state doesn't change.
Y - Can can freely change existing address space, add additional address space, add subnet etc.
upvoted 3 times
 
Kafura
yes, this is correct too, i tested it in the Lab.
upvoted 1 times
 
Ateeyah
are you sure bro ??
upvoted 1 times
 
zvasanth2
2 months ago
The answer will be NO, NO, NO
Resources are evaluated at specific times during the resource lifecycle, the policy assignment life cycle, and for regular ongoing compliance
evaluation. The following are the times or events that cause a resource to be evaluated:
A resource is created, updated, or deleted in a scope with a policy assignment.
A policy or initiative is newly assigned to a scope.
A policy or initiative already assigned to a scope is updated.
During the standard compliance evaluation cycle, which occurs once every 24 hours.
https://docs.microsoft.com/en-us/azure/governance/policy/overview
>> All the three statements will be affected by policy because policy will apply all the situations - A resource is created, updated, or deleted in a
scope with a policy assignment.
upvoted 7 times
 
zvasanth2
2 months ago
Resources are evaluated at specific times during the resource lifecycle, the policy assignment lifecycle, and for regular ongoing compliance
evaluation. The following are the times or events that cause a resource to be evaluated:
A resource is created, updated, or deleted in a scope with a policy assignment.
A policy or initiative is newly assigned to a scope.
A policy or initiative already assigned to a scope is updated.
During the standard compliance evaluation cycle, which occurs once every 24 hours.
https://docs.microsoft.com/en-us/azure/governance/policy/overview
>> All the three statements will be affected by policy because policy will apply all the situations - A resource is created, updated, or deleted in a
scope with a policy assignment.
upvoted 1 times
 
AubinBakana
2 months ago
The answer: is No, No, No.
Policy is: No VNet, No VM in resource RG2.
This policy applies to the existing VNet & VM as follows:
-VM1 will be marked as non-compliant.
- VNet2 being in RG2 will also be affected, which will prevent from doing any further actions on it
upvoted 1 times
 
thuylevn
N,N,N
Cannot move Vnet1 to RG2. error
{"code":"ResourceMovePolicyValidationFailed","message":"Resource move policy validation failed. Please see details. .... }

upvoted 2 times
 
J4U
1. Can't move VNET1 from RG1 to RG2 - Request Disallowed by policy
2. VM is running as usual, but the VM and VNET2 is showing as non complaint in policy.
3. Can't edit or add address space in VNET2

upvoted 2 times
 
J4U
Answer is N N N
upvoted 2 times
 
raph90fr
tested on lab today (i wait 30 minutes to be sure policy is applied) :
- can not change address space of vnet2 (deny by the policy)
- VM is not deallocated.
- can not move VNET 1 to RG2 (deny by the policy)
so for me N-N-N
upvoted 5 times
DRAG DROP -
You have an Azure subscription that contains a storage account.
You have an on-premises server named Server1 that runs Windows Server 2016. Server1 has 2 TB of data.
You need to transfer the data to the storage account by using the Azure Import/Export service.
In which order should you perform the actions? To answer, move all actions from the list of actions to the answer area and arrange them in the
correct order.
NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.
Select and Place:
Correct Answer:

At a high level, an import job involves the following steps:
Step 1: Attach an external disk to Server1 and then run waimportexport.exe
Determine data to be imported, number of drives you need, destination blob location for your data in Azure storage.
Use the WAImportExport tool to copy data to disk drives. Encrypt the disk drives with BitLocker.
Step 2: From the Azure portal, create an import job.
Create an import job in your target storage account in Azure portal. Upload the drive journal files.
Step 3: Detach the external disks from Server1 and ship the disks to an Azure data center.
Provide the return address and carrier account number for shipping the drives back to you.
Ship the disk drives to the shipping address provided during job creation.
Step 4: From the Azure portal, update the import job
Update the delivery tracking number in the import job details and submit the import job.
The drives are received and processed at the Azure data center.
The drives are shipped using your carrier account to the return address provided in the import job.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-service
 
inemumoren
Highly Voted 
i just realised i don't know shit!
upvoted 64 times
 
AubinBakana
2 months ago
Haha... I guess you've been on an MS Learn scheme huh!
I felt the samestart. The MS Learn isn't very practical, it's too much theory and not enough practice.
Going through these questions do put you in a work type of environment and therefore gives you more practical experience. It will settle, don't
give up.
Best wishes
upvoted 11 times
 
GodfreyMbizo
1 month ago
Ms Learn has lots of theory which helps in a way but their knowledge check is not refrective of the actual exam.With Ms learn only you will
fail
upvoted 2 times
 
AubinBakana
2 months ago
correction: *WAimportexport.exe
upvoted 1 times
 
imartinez
Congrats for you.. I realized that in question 1
upvoted 15 times
 
omw2wealth
3 weeks, 3 days ago
Congratz for you , i first realized that in q1 of az-900 !
but u know what that's how we progress, admitting that u know nothing is they way to know much and much more :) best of luck learners
around the globe ♥
upvoted 1 times
 
Ajoelives
hey me too
upvoted 5 times
 
mg
Highly Voted 
Answer is correct
Step 1: Attach an external disk to Server1 and then run waimportexport.exe
Step 2: From the Azure portal, create an import job.
Step 3: Detach the external disks from Server1 and ship the disks to an Azure data center.
Step 4: From the Azure portal, update the import job
Update the delivery tracking number in the import job details and submit the import job.
upvoted 19 times
 
DevOpposite
Most Recent 
4 weeks ago
this is correct. For export job, it's similar process but you ship them empty drives. only for blobs
upvoted 1 times
 
khismail
2 months ago
In Exam 21/08/2021
upvoted 4 times
 
AubinBakana
2 months ago
Correct.
Hint: When you are creating the Import/Export job you're going to need details from WAimport/Export.exe experience. Hence, that comes first.
The same applies after the disc has been sent.
Answer is correct.
upvoted 2 times
 
JimBobSquare101
in exam 30 July 2021
upvoted 3 times
 
BenStokes
Answer is correct. Below is the order -
1. Prepare the drive - Attach an external disk to Server1 and then run waimportexport.exe
2. Create an import job - From the Azure portal, create an import job.
3. Ship the drives to the Azure datacenter - Detach the external disks from Server1 and ship the disks to an Azure data center.
4. From the Azure portal, update the import job
Ref # https://docs.microsoft.com/en-us/azure/import-export/storage-import-export-data-to-files?tabs=azure-portal
upvoted 1 times
 
mkoprivnj
1. attach disk
2. create import job
3.detach disk
4. update import job

upvoted 2 times
 
Tamilarasan
upvoted 1 times
 
mlantonis
5 months ago
Correct Answer:
Step 1: Prepare the drives (Attach an external disk to Server1 and then run waimportexport.exe)
Step 2: Create an import job (From the Azure portal, create an import job)
Step 3: Ship the drives to the Azure datacenter (Detach the external disks from Server1 and ship the disks to an Azure data center)
Step 4: Update the job with tracking information (From the Azure portal, update the import job)
Reference:
https://docs.microsoft.com/en-us/azure/import-export/storage-import-export-data-to-files?tabs=azure-portal
upvoted 18 times
 
ZUMY
upvoted 3 times
 
toniiv
Answer is correct for the Import job sequence
upvoted 1 times
 
mikl
Correct.
Step 1: Prepare the drives
Step 2: Create an import job
Step 3: Ship the drives to the Azure datacenter
Step 4: Update the job with tracking information
Source : https://docs.microsoft.com/en-us/azure/import-export/storage-import-export-data-to-files?tabs=azure-portal
upvoted 4 times
 
waterzhong
upvoted 2 times
 
JustMe84
its correct. see link:
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-data-to-files?tabs=azure-portal
upvoted 2 times
 
jelly_baby
Correct
upvoted 2 times
 
ketan05
Correct!
https://docs.microsoft.com/en-us/azure/storage/common/media/storage-import-export-service/importjob.png
upvoted 3 times
HOTSPOT -
You have Azure subscription that includes following Azure file shares:
You have the following on-premises servers:
You create a Storage Sync Service named Sync1 and an Azure File Sync group named Group1. Group1 uses share1 as a cloud endpoint.
You register Server1 and Server2 in Sync1. You add D:\Folder1 on Server1 as a server endpoint of Group1.
Hot Area:
Correct Answer:
Box 1: No -
Group1 already has a cloud endpoint named Share1.
A sync group must contain one cloud endpoint, which represents an Azure file share and one or more server endpoints.
Box 2: Yes -
Yes, one or more server endpoints can be added to the sync group.
Box 3: Yes -
Yes, one or more server endpoints can be added to the sync group.
Reference:
 
boink
Highly Voted 
NO NO YES
upvoted 104 times
 
Ikrom
That's correct (NO NO YES), because to add another server endpoint from the same server you need to have another sync group...
"Multiple server endpoints can exist on the same volume if their namespaces are not overlapping (for example, F:\sync1 and F:\sync2) and each
endpoint is syncing to a unique sync group."
upvoted 15 times
 
shnz03
I agree because I had tested it and sync group does not allow me to add the same registered server again in the endpoint.
upvoted 3 times
 
gitsyn
Answer is correct: NO YES YES
The documentation specifies the samve volume, not server. You can't have two server endpoints on the same volume in one sync group, but
in this question, the volumes are D: and E:, so then you can have two server endpoints.
upvoted 5 times
 
JayBee65
"A registered server can support multiple server endpoints, however a sync group can only have one server endpoint per registered server
at any given time. Other server endpoints within the sync group must be on different registered servers." - https://docs.microsoft.com/en-
us/azure/storage/file-sync/file-sync-deployment-guide?tabs=azure-portal%2Cproactive-portal. This is very specifically about servers not
volumes, so No, No, Yes
upvoted 11 times
 
aaa112
10 months ago
But you cannot extend the existing endpoint, so you need to recreate it. Question is about adding Server 2 as an endpoint, but it is
already an endpoint. "Once you add a server as an endpoint, you can’t add it again."
upvoted 3 times
 
certW1z
Lab tested ... NO NO YES is correct
confirmation of second que: https://docs.microsoft.com/en-us/answers/questions/110822/azure-file-sync-multiple-sync-directories-for-

same.html
"Azure File Sync does not support more than one server endpoint from the same server in the same sync group."
upvoted 22 times
 
mlantonis
Highly Voted 
5 months ago
Correct Answer:
Box 1: No
A sync group contains one cloud endpoint, or Azure file share, and at least one server endpoint.
Box 2: No
Azure File Sync does not support more than one server endpoint from the same server in the same Sync Group.
Box 3: Yes
Multiple server endpoints can exist on the same volume if their namespaces are not overlapping (for example, F:\sync1 and F:\sync2) and each
endpoint is syncing to a unique sync group.
Reference:
https://docs.microsoft.com/en-us/answers/questions/110822/azure-file-sync-multiple-sync-directories-for-same.html
upvoted 42 times
 
fabylande
Most Recent 
1 day, 18 hours ago
upvoted 1 times
 
Mukesh_Aggarwal_07
3 weeks, 4 days ago
NO NO YES
upvoted 1 times
 
raydel92
1 month ago
https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-deployment-guide?tabs=azure-portal%2Cproactive-portal#create-a-server-
endpoint
The second statement is false because:
"A registered server can support multiple server endpoints, however a sync group can only have one server endpoint per registered server at any
given time. Other server endpoints within the sync group must be on different registered servers."
upvoted 1 times
 
signalincode
2 months ago
Lab'd this one myself. No - No - Yes is the correct answer.
Please, do everyone a favor, and only post answers if you have tested and verified them yourself.
upvoted 4 times
 
AubinBakana
2 months ago
Answer is correct:
(An update to my previous post that was a little unclear)

Hint: You can add many different servers and enpoint to a single Sync Group; however, you can not add 2 different shares to the same synch group.
A cloud endpoint is an Azure file share that is part of a sync group. The entire Azure file share syncs, and an Azure file share can be a member of
only one cloud endpoint. Different shares, different endpoints.
That's the whole reason why they had to implement the concept of endpoint and sync groups - to sync files from different
locations/services/servers to the same share.
So, 1 cloud File Share -> 1 cloud endpoint.
And if you wish to separate the share contents, you create another File Share and assign it to a different endpoint.
upvoted 1 times
 
AubinBakana
2 months ago
Additional: An Azure file share can be a member of only one sync group.
upvoted 1 times
 
AubinBakana
2 months ago
Answer is correct:
Hint: You can add many different servers and enpoint to a single Sync Group; however, you can not add 2 different shares to the same synch group.
A cloud endpoint is an Azure file share that is part of a sync group. The entire Azure file share syncs, and an Azure file share can be a member of
only one cloud endpoint. Different shares, different endpoints.
That's the whole reason why they had to implement the concept of endpoint and sync groups - to sync files from different
locations/services/servers to the same share. So 1 share - 1 endpoint.
And if you wish to separate the share contents, you create a another File Share and assign it to a different endpoint.
upvoted 1 times
 
AubinBakana
2 months ago
Update: 1 Cloud file share -> 1 cloud endpoint.
upvoted 1 times
 
faysal1612
I lost brain cells while reading this question
upvoted 9 times
 
chamy
A registered server can support multiple server endpoints, however a sync group can only have one server endpoint per registered server at any
given time. Other server endpoints within the sync group must be on different registered servers.
upvoted 1 times
 
BenStokes
That's correct (NO NO YES)
NO - Because to add another server endpoint from the same server you need to have another sync group
NO - Because Azure File Sync does not support more than one server endpoint from the same server in the same sync group
YES - Because Azure File Sync does support more than one server endpoint from the different server in the same sync group
upvoted 6 times
 
zvasanth2
2 months ago
2- A registered server can support multiple server endpoints, however a sync group can only have one server endpoint per registered server at
any given time. Other server endpoints within the sync group must be on different registered servers.
upvoted 1 times
 
bgi
lot of confusion on this Question, but this is what i found;
1.https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-planning
Server endpoint: The path on the Windows Server that is being synced to an Azure file share. This can be a specific folder on a volume or the root
of the volume. Multiple server endpoints can exist on the same volume if their namespaces do not overlap.
2.https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-deployment-guide?tabs=azure-portal%2Cproactive-portal
A registered server can support multiple server endpoints, however a sync group can only have one server endpoint per registered server at any
given time. Other server endpoints within the sync group must be on different registered servers.
so I believe, N,N,Y
upvoted 4 times
 
Anshul174
NO NO YES
upvoted 2 times
 
CloudyTech
4 months ago
100% Tested N N Y
upvoted 3 times
 
xoe123
4 months ago
N Y N
A server endpoint represents a specific location on a registered server, such as a folder on a server volume or the root of the volume. Multiple
server endpoints can exist on the same volume if their namespaces are not overlapping (for example, F:\sync1 and F:\sync2) and each endpoint is
syncing to a unique sync group. You can configure cloud tiering policies individually for each server endpoint. If you add a server location with an
existing set of files as a server endpoint to a sync group, those files will be merged with any other files already on other endpoints in the sync
group.
So a syn group can either have D:Folder1 or D:/Data.

upvoted 1 times
 
CloudyTech
How can you get Y in second one, thts wrong, i did a test u can have only 1 server endpoint from one server, you can other from other server.
upvoted 1 times
 
mkoprivnj
NO NO YES
upvoted 2 times
 
Zyo
Definitely No no yes
https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-deployment-guide?tabs=azure-portal%2Cproactive-portal
a sync group can only have one server endpoint per registered server at any given time.
upvoted 1 times
DRAG DROP -
You have an Azure subscription named Subscription1.
You create an Azure Storage account named contosostorage, and then you create a file share named data.
Which UNC path should you include in a script that references files from the data file share? To answer, drag the appropriate values to the correct
targets. Each value may be used once, more than once or not at all. You may need to drag the split bar between panes or scroll to view content.
Select and Place:
Correct Answer:
Box 1: contosostorage -
The name of account -
Box 2: file.core.windows.net -
Box 3: data -
The name of the file share is data.
Example:
Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows
 
Hibs2016
Highly Voted 
Correct Answer - contosostorage.file.core.windows.net\data.
upvoted 26 times
 
mlantonis
Highly Voted 
5 months ago
Correct Answer:
[storageaccountname].file.core.windows.net/[FileShareName]
contosostorage.file.core.windows.net\data
Reference:
upvoted 18 times
 
ohana
Most Recent 
4 days, 6 hours ago
Took the exam today, 17 Oct. This question came out. Ans: contosostorage.file.core.windows.net\data
upvoted 1 times
 
khengoolman
1 week, 3 days ago
upvoted 1 times
 
Nickmeharshi
1 month, 1 week ago
Correct answer
upvoted 1 times
 
Kamex009
upvoted 2 times
 
AubinBakana
2 months ago
I always confuse / and \ for some reason. They look the same to me; haha...
\\contosostorage.file.windows.net\data
Something good to commit to memory. I feel like I'm dwarfing a doctor with memory with the amount of stuff I've been committing to memory.
Answer is correct
upvoted 1 times
 
mdmdmdmd
1 month, 1 week ago
Your needless comments are tiresome. I know you're probably long gone but having a bunch of wrong comments or duplicate comments on
every page is super annoying and I don't have enough time to report every one.
upvoted 1 times
 
wsscool
in exam 7/3/2021
upvoted 4 times
 
VVR141
From the docs:
Select the drive letter and enter the UNC path, the UNC path format is:
\\<storageAccountName>.file.core.windows.net\<fileShareName>.
For example: \\anexampleaccountname.file.core.windows.net\example-share-name.

upvoted 2 times
 
mkoprivnj
contosostorage.file.core.windows.net\data
upvoted 1 times
 
Tamilarasan
Tested in my subscription.
Correct Answer - contosostorage.file.core.windows.net\data

upvoted 1 times
 
omhari
Answer is correct
upvoted 1 times
 
samratmahe
5 months ago
Answer is correct - Tested on 22-May-2021
UNC Path syntax: \\<storageaccountname>.file.core.windows.net\<filesharename>
As per example given in question: \\contostorage.file.core.windows.net\data

upvoted 2 times
 
samratmahe
5 months ago
Correct Answer: Tested (22-May-20121)
UNC Path:\\<storageaccountname>.file.core.windows.inet\<filesharename>
As per example given in question: \\contostorage.file.core.windows.net\data

upvoted 2 times
 
Elavarasu
Answer is correct
upvoted 3 times
 
mg
Answer is correct
upvoted 2 times
 
ZUMY
Given answer is correct!
upvoted 3 times
HOTSPOT -
You have an Azure subscription that contains an Azure Storage account.
You plan to copy an on-premises virtual machine image to a container named vmimages.
You need to create the container for the planned image.
Which command should you run? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:

 
Tom900
Highly Voted 
Correct Answer. Similar to OS Images, a VM Image is a collection of metadata and pointers to a set of VHDs (one VHD per disk) stored as page
blobs in Azure Storage
upvoted 30 times
 
Hibs2016
Agree correct answer - make, blob
upvoted 11 times
 
mlantonis
Highly Voted 
5 months ago
Correct Answer:
azcopy make 'https://mystorageaccount.blob.core.windows.net/vmimages'
Similar to OS Images, a VM Image is a collection of metadata and pointers to a set of VHDs (one VHD per disk) stored as page blobs in Azure
Storage.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-ref-azcopy-make
upvoted 28 times
 
ohana
Most Recent 
4 days, 6 hours ago
Took the exam today on 17 Oct. This question came out. Ans: make, blob
upvoted 1 times
 
khengoolman
1 week, 3 days ago
upvoted 1 times
 
[Removed]
in exam 7/26/2021
upvoted 5 times
 
wsscool
in exam 7/3/2021
upvoted 5 times
 
lucky_18
upvoted 6 times
 
lucky_18
upvoted 5 times
 
mkoprivnj
Agree correct answer - make, blob
upvoted 3 times
 
Tamilarasan
Answer is correct make / blob.
https://docs.microsoft.com/en-us/azure/storage/common/storage-ref-azcopy-make?toc=/azure/storage/blobs/toc.json
upvoted 2 times
 
Md_Shahnawaz
5 months ago
https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-files
upvoted 1 times
 
nfett
answer is correct. Referencing the following URL https://docs.microsoft.com/en-us/azure/storage/common/storage-ref-azcopy-make provided by
miki confirmed the answer.
upvoted 2 times
 
mg
Answer is correct
upvoted 1 times
 
ZUMY
upvoted 2 times
 
Sandroal29
Although I selected the wrong answer at first, I realized through this forum what is the correct answer. Thank you.
upvoted 2 times
 
PBA1211
why create this share in BLOB storage ,not in File Storage..?
upvoted 2 times
 
deenu202
7 months ago
VM Image is a collection of metadata and pointers to a set of VHDs (one VHD per disk) stored as page blobs in Azure Storage.
upvoted 2 times
 
toniiv
Answer is correct. Azcopy make is the first step to prepare the blog for the VM image upload
upvoted 1 times
HOTSPOT -
You have an Azure File sync group that has the endpoints shown in the following table.
Cloud tiering is enabled for Endpoint3.
You add a file named File1 to Endpoint1 and a file named File2 to Endpoint2.
On which endpoints will File1 and File2 be available within 24 hours of adding the files? To answer, select the appropriate options in the answer
area.
Hot Area:
Correct Answer:

File1: Endpoint3 only -
Cloud Tiering: A switch to enable or disable cloud tiering. When enabled, cloud tiering will tier files to your Azure file shares. This converts on-
premises file shares into a cache, rather than a complete copy of the dataset, to help you manage space efficiency on your server. With cloud
tiering, infrequently used or accessed files can be tiered to Azure Files.
File2: Endpoint1, Endpoint2, and Endpoint3
Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-cloud-tiering
 
mlantonis
Highly Voted 
5 months ago
Correct Answer:
File1: Endpoint1 only
It is a cloud endpoint, and it is scanned by the detection job every 24 hours.
File2: Endpoint1, Endpoint2 and Endpoint3
With the on-premises servers the file is scanned and synced automatically after it's being added.
Note: They changed the question in Exam from "within 24 hours" to "after 24 hours".
So, the answer is:
Reference:
https://docs.microsoft.com/en-us/learn/modules/extend-share-capacity-with-azure-file-sync/2-what-azure-file-sync
upvoted 115 times
 
AubinBakana
2 months ago
Thank you so much. That's something I thought was a little confusing as it would make their revealed answer wrong.
upvoted 2 times
 
Altera2k
1 month ago
In exam 09/20/2021 - As mlantonis mentioned, the question was changed to „After 24 hours“
upvoted 5 times
 
suriyaswamy
Good Info
upvoted 1 times
 
Harshul
Excellent Explaination!
upvoted 3 times
 
juniorccs
Thanks a lot!
upvoted 1 times
 
Skankhunt
Highly Voted 
Should be File 1: Endpoint 1 only File 2: Endpoint 1, Endpoint 2 and Endpoint 3
upvoted 46 times
 
vince60370
Not agree. Please read MLM0607's answer below.
upvoted 1 times
 
JayBee65
LM0607's answer are File 1: Endpoint 1 only File 2: Endpoint 1, Endpoint 2 and Endpoint 3!
upvoted 5 times
 
prashantjoge
This is correct. Confirmed it in labs
upvoted 3 times
 
xMilkyMan123
Tell me what exactly you did in your Lab
upvoted 1 times
 
janshal
you waited 24 hour for the job to be sync?
I think the answer is all endpoints because the syc job run every 24 hour so even if your created the file a second after the sync jobs started it
will be sync within 24 hours
upvoted 9 times
 
ScoutP
Most Recent 
2 weeks, 4 days ago
upvoted 1 times
 
Mercator
3 weeks, 1 day ago
What I got wrong here as non native english speaker:
What does it mean within 1 hour?
Google: Within an hour" means "within 60 minutes." " Within the hour" means "before the next hour is reached."
So within 24 hours means the time period before (!) the 24 hours have passed.
upvoted 1 times
 
Mukesh_Aggarwal_07
3 weeks, 4 days ago
Within 24hours:
File1: Endpoint 1 only

File2: Endpoints 1, 2 & 3
After 24hour
File1: Endpoint 1, 2 & 3
upvoted 1 times
 
Mukesh_Aggarwal_07
3 weeks, 4 days ago

upvoted 1 times
 
AubinBakana
2 months ago
The answer is wrong.
How can file 1 be in Endpoint3 only when it is already in Endpoint1?
What they are trying to establish is if you know that the online file will not be synchronized until after 24h. The only files that are sync within that
period are the On-Prem files in the sync group.
Since File1 is already in Endpoint 1, within 24 it will only be in Endpoint 1
File 2 is an on-prem file - replicate to the cloud and across all endpoints connected to the sync group
Within 24hours:
File1: Endpoint 1 only

After 24hour
Unfortunately cloud tiering has nothing to do with the answer here. It's just there to confuse you.
Thank You
upvoted 6 times
 
Parry11
In this case the answer is-
1. Endpoints 1,2,3
2. Endpoints 1,2,3
upvoted 3 times
 
RoastChicken
Correct answer:
File 1: Endpoint 2 and Endpoint 3 - When you add a file to the Cloud endpoint it takes 24 hours to be sync with the server endpoints
https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-deployment-guide?tabs=azure-portal%2Cproactive-portal#deploy-the-storage-
sync-service and https://docs.microsoft.com/en-us/azure/storage/files/storage-files-faq?toc=/azure/storage/filesync/toc.json#afs-change-
detection
File 2: Endpoint 1, 2 and 3

upvoted 1 times
 
tzaroon
Answers are for file1 will be endpoint 1 and 3 because file 1 is already at endpoint 1 and within 24 hours which is the file sync limit. The file will be
available within 24 at endpoint 3 only because of the enabled cloud tier.
upvoted 1 times
 
Shiven12
upvoted 3 times
 
Anshul174
Answer is File1: Enpoint3 and File2: all Endpoints. When you enable cloud teiring you get a cached copy of file1 on Ep3
upvoted 3 times
 
ScreamingHand
Am I right in thinking that; File2, once copied to Endpoint2 will be immediately sync'd to the Cloud endpoint, - from there it may take 24 hours for
it to be replicated to Endpoint3.
Therefore File2:
Endpoint2 and Endpoint3 only.

upvoted 1 times
 
CloudyTech
4 months ago
Tested
File 1- Endpoints 1
File 2 - Endpoints 1, 2, 3
upvoted 4 times
 
mkoprivnj
1) E1, E2, E3
2) E1, E2, E3
upvoted 3 times
 
lockc1811
5 months ago
omg. people.
its endpoint 1 only & second question is endpoints 1, 2 & 3.
microsoft arent trying to trick you with their exam q's

upvoted 6 times
 
PersonT
hahahaha
upvoted 2 times
 
bacana
sorry.
File1 will be at endpoints 1 and 3 (cloud tearing maintains a local copy), but there is no option 1 and 3 in the response, so endpoint1 or endpont3
only.
At endpoints 1, 2 and 3 because it was added to endpoint 2.

upvoted 1 times
HOTSPOT -
You have several Azure virtual machines on a virtual network named VNet1.
You configure an Azure Storage account as shown in the following exhibit.
Hot Area:
Correct Answer:
Box 1: never -
The 10.2.9.0/24 subnet is not whitelisted.
Box 2: never -
After you configure firewall and virtual network settings for your storage account, select Allow trusted Microsoft services to access this storage
account as an exception to enable Azure Backup service to access the network restricted storage account.
Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows https://azure.microsoft.com/en-us/blog/azure-
backup-now-supports-storage-accounts-secured-with-azure-storage-firewalls-and-virtual-networks/
 
Leandroalonso
Highly Voted 
VMs from the 10.2.9.0/24 should NEVER access the storage!!!!!
Since wich the selection of the network is segmented by subnets, and not by virtual networks.
upvoted 65 times
 
besha
Technically 10.2.9.0/24 subnet is part of 10.2.0.0/16 subnet which is in the allowed subnet. but should still be Never because it's Endpoint status
is not enabled
upvoted 10 times
 
RamanAgarwal
Allowed access is at the subnet level which is 10.2.0.0/24 which includes Ip range 10.2.0.0-10.2.0.255, this means the VM on 10.2.9.0/24 will
not have access to storage account.
upvoted 8 times
 
shnz03
I disagree. Your subnet mask understanding for network id and host id is wrong.
upvoted 2 times
 
shnz03
@RamanAgarwal. I apologize. I misread. Your statement is correct.
upvoted 5 times
 
Miles19
Yes, that's true. The virtual machine attached to the following virtual network 10.2.9.0/24 will never have access to the storage account, because
of the firewall rules, so the correct answer is:
-Never
-Never
upvoted 13 times
 
mlantonis
Highly Voted 
5 months ago
Correct Answer:
VNet1’s address space is 10.2.0.0/16.
The VNet1 has only 1 Subnet associated: 10.2.0.0/24. The address space of a VNet is irrelevant if there isn’t a corresponding Subnet from, which
VMs can be assigned IP addresses.
Box1: Never
VMs from 10.2.9.0/24 (10.2.9.0 - 10.2.9.255) are out of Subnet.
Subnet IP range 10.2.0.0 - 10.2.0. 255.
Box2: Never
Since the checkbox to allow trusted Microsoft services is not checked. After you configure firewall and virtual network settings for your storage
account, select Allow trusted Microsoft services to access this storage account as an exception to enable Azure Backup service to access the
network restricted storage account.
upvoted 59 times
 
ScoutP
Most Recent 
2 weeks, 4 days ago
upvoted 1 times
 
Beng_ali
2 weeks, 4 days ago
Came up on my exam today 02/10/21. Correct answer.
upvoted 1 times
 
mojtabaeshkevar
1 month ago
Only one subnet (prod=10.2.0.0/24) of Vnet (range=10.2.0.0/16) has access to the storage and no any other subnets can access to the storage,
including 10.2.9.0/24 (dont be confused with Subnet and net in the picture)- So Never Never
upvoted 1 times
 
AubinBakana
2 months ago
The answer is correct.
upvoted 1 times
 
hosseny
Correct Answer:
VNet1’s address space is 10.2.0.0/16.
The VNet1 has only 1 Subnet associated: 10.2.0.0/24. The address space of a VNet is irrelevant if there isn’t a corresponding Subnet from, which
VMs can be assigned IP addresses.
Box1: Never
VMs from 10.2.9.0/24 (10.2.9.0 - 10.2.9.255) are out of Subnet.
Subnet IP range 10.2.0.0 - 10.2.0. 255.
Box2: Never
Since the checkbox to allow trusted Microsoft services is not checked. After you configure firewall and virtual network settings for your storage
account, select Allow trusted Microsoft services to access this storage account as an exception to enable Azure Backup service to access the
network restricted storage account
upvoted 2 times
 
mkoprivnj
Never Never!
upvoted 1 times
 
JayBee65
This link shows that Azure Backup requires "Allow Trusted Microsoft...", https://docs.microsoft.com/en-gb/azure/storage/common/storage-
network-security?tabs=azure-portal#exceptions
upvoted 1 times
 
modiallo
Never for both
upvoted 1 times
 
TinaSkilled
If virtual machine was on subnet 10.2.0.0/24 , would it get access to storage ? I think NO because the checkbox below is not enabled for storage
account. Can someone confirm this
upvoted 2 times
 
gladi
7 months ago
1) Never
2) Never
upvoted 4 times
 
ms70743
never
never
upvoted 1 times
 
ZUMY
- Never: VMs from 10.2.9.0/24 are out of subnet. Subnet IP range 10.2.0.0 - 10.2.0. 255
- Never: Since the checkbox to allow Microsoft trusted services is not checked
upvoted 9 times
 
ZUMY
Never , Never
upvoted 2 times
 
toniiv
Vnet1 10.2.0.0/16 is the Address space. The Vnet has only one subnet defined on it: 10.2.0.0/24. Answer should be:
- Never: VMs from 10.2.9.0/24
- Never: Since the checkbox to allow Microsoft trusted services is not checked
upvoted 6 times
 
polpum
come in 15/01/2021
upvoted 2 times
HOTSPOT -
You have a sync group named Sync1 that has a cloud endpoint. The cloud endpoint includes a file named File1.txt.
Your on-premises network contains servers that run Windows Server 2016. The servers are configured as shown in the following table.
You add Share1 as an endpoint for Sync1. One hour later, you add Share2 as an endpoint for Sync1.
Hot Area:
Correct Answer:
Box 1: Yes -
If you add an Azure file share that has an existing set of files as a cloud endpoint to a sync group, the existing files are merged with any other
files that are already on other endpoints in the sync group.
Box 2: No -
Box 3: Yes -
Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-planning
 
boink
Highly Voted 
NO NO YES
upvoted 79 times
 
allray15
7 months ago
came in exam today 3/24/21, passed 850+ score always check discussion for correct answers. answered n,n,y
upvoted 32 times
 
cdc_jr3150
5 months ago
what else did you use to study? having a hard time passing.
upvoted 2 times
 
jjj554
Did most of the questions come from this list?

upvoted 2 times
 
prashantjoge
Agreed... tested it myself
upvoted 4 times
 
Constantinos
tested on LAB and agree
upvoted 7 times
 
sprons77
Highly Voted 
Agree, files are never overwritten. If the file exists, it will get a new name on the endpoint (file1(1).txt)
upvoted 38 times
 
imartinez
ok then, if your statement is correct, the 3rd is ambiguous, since you will have file1.txt and file1(1).txt on the cloud endpoint and after 24 hours,
you will have both on Share2, true, but the one named file1.txt it's the original one we had on the cloud endpoint
upvoted 1 times
 
Mukesh_Aggarwal_07
Most Recent 
3 weeks, 4 days ago
NO NO YES
upvoted 2 times
 
AubinBakana
2 months ago
Files are not overwritten. So No, No.
For the last one, I think it's No. Why? because when you connect the second share as an endpoint to the same file after an hour, that file is
essentially seen as a cloud file for the Share. This means it will be sync after 24 hours.
I have not done the lab on this but I've seen a lot of people respond: No, No, Yes. So my question is: Did you wait an hour before you connect the
second share(Share2) to an endpoint in the Sync Group? Because if you didn't, of course, it would replicate to Share2. Anyone who does a lab is
encouraged to help out here. I will look to test this if I have time.
The lesson is: be very careful with naming files when using File Shares. Because you end up with many copies of the same documents.
upvoted 2 times
 
barcellos
NO NO YES - ( we consider the time line "1 hour", it should be NO.)
The question is " if to replicate or no" else Correct Answer is N N Y
upvoted 2 times
 
Jotess
This question was on Jul 23, 2021 - passed the exam. Answers given by zumy is correct
upvoted 2 times
 
rdsserrao
First 2 boxes are NO. There is no file overwriting. Azure keeps both files, but with different names.
Box 3, if we consider the time line "1 hour", it should be NO.
Even though syncing from Share 1 to Sync1 is very quick, files from Azure to On-prem take 24 hours to sync. So syncing from Sync1 to Share2 will
happen 24 hours later.
upvoted 5 times
 
Shiven12
upvoted 4 times
 
juniorccs
what was the right answer?
upvoted 1 times
 
tkt7744
4 months ago
file1.txt overwritten by file1.txt true right?....even though they renamed the old file
upvoted 1 times
 
mkoprivnj
NO NO YES
upvoted 2 times
 
JayBee65
If the same file is changed on two servers at approximately the same time, what happens?
Azure File Sync uses a simple conflict-resolution strategy: we keep both changes to files that are changed in two endpoints at the same time. The
most recently written change keeps the original file name. The older file (determined by LastWriteTime) has the endpoint name and the conflict
number appended to the filename. For server endpoints, the endpoint name is the name of the server. For cloud endpoints, the endpoint name is
Cloud.
So we know that files WILL NOT be overwritten, so first 2 and No, No

upvoted 1 times
 
vharsh16
Azure File Sync uses a simple conflict-resolution strategy: we keep both changes to files that are changed in two endpoints at the same time. The
most recently written change keeps the original file name. The older file (determined by LastWriteTime) has the endpoint name and the conflict
number appended to the filename. For server endpoints, the endpoint name is the name of the server. For cloud endpoints, the endpoint name is
Cloud. The name follows this taxonomy:
<FileNameWithoutExtension>-<endpointName>[-#].<ext>
For example, the first conflict of CompanyReport.docx would become CompanyReport-CentralServer.docx if CentralServer is where the older write
occurred. The second conflict would be named CompanyReport-CentralServer-1.docx. Azure File Sync supports 100 conflict files per file. Once the
maximum number of conflict files has been reached, the file will fail to sync until the number of conflict files is less than 100.
I think its: NO NO Yes

upvoted 1 times
 
samratmahe
5 months ago
Tested on 22-May-2021
Correct Answer is: NO, NO, NO
NO (New file will create in share1 with the extension of File1-Cloud.txt) so there wont be any chance of owerriten
NO (on server1 also File1-Cloud.txt got added) so there is no chance of overwritten
NO (share1 & share2 both are different Fileshares) so there is no chance to replicates
upvoted 3 times
 
JayBee65
You are wrong I think...
Sync group: The object that defines the sync relationship between a cloud endpoint, or Azure file share, and a server endpoint. Endpoints within
a sync group are kept in sync with each other. If for example, you have two distinct sets of files that you want to manage with Azure File Sync,
you would create two sync groups and add different endpoints to each sync group.
upvoted 2 times
 
Kiano
5 months ago
Thanks for testing, But regarding the last one, the question is mentioning that "you add Share2 as an endpoint for Sync1", so it is going to be
part of the sync group. So I think it will show up on the container on cloud endpoint. Unless another container is specified in cloud. So I think
the answer is No, No, Yes.
upvoted 5 times
 
hgdlyl
I read all the discussion. I found nobody really did the test.
The answer should be NO YES YES.
The File2.txt on cloud point (File Share) is written by File2.txt from Server2 when Server2 is added to the Sync group.
What I found is there are two three files on Server1, File1.txt, File2.txt and File2-Server1.txt.
File2.txt on Server1 is the same as File2.txt on Server2.
File2-Server1.txt is the same as the original File2.txt.
Please stop guess and trying to give a reason to let you believe the "answers".
upvoted 6 times
 
hgdlyl
Sorry. There is a typo. NO NO YES
upvoted 7 times
 
Veronika1989
6 months ago
Tested 4/23/2021
Correct answer NO NO YES

upvoted 4 times
 
director47
I dont know if anyone has thought about this but we honestly learn lot from these. Why, because we know that more often there will be a wrong
answer. It gets us questioning it. Then we help each other out and provide the proper documentation from Microsoft on the subject of the
question. Its literally like a classroom environment.
upvoted 20 times
 
rgullini
7 months ago
No, No, Yes
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-
faq#:~:text=Azure%20File%20Sync%20supports%20100,files%20is%20less%20than%20100.
upvoted 1 times
You have an Azure subscription that contains the storage accounts shown in the following table.
You need to identify which storage account can be converted to zone-redundant storage (ZRS) replication by requesting a live migration from
Azure support.
What should you identify?
A.
storage1
B.
storage2
C.
storage3
D.
storage4
Correct Answer:
B
ZRS currently supports standard general-purpose v2, FileStorage and BlockBlobStorage storage account types.
Incorrect Answers:
A, not C: Live migration is supported only for storage accounts that use LRS replication. If your account uses GRS or RA-GRS, then you need to
first change your account's replication type to LRS before proceeding. This intermediary step removes the secondary endpoint provided by
GRS/RA-GRS.
Also, only standard storage account types support live migration. Premium storage accounts must be migrated manually.
D: ZRS currently supports standard general-purpose v2, FileStorage and BlockBlobStorage storage account types.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-zrs
 
diligent176
Highly Voted 
This is one of those ridiculous questions that would imply we should memorize the 50 different combinations of storage type, replication type,
versus live migration support. Useless info to keep in your head, why would they test for this. The support rules around live migration support are
horrendous. Bleh.
upvoted 76 times
 
AubinBakana
2 months ago
Exactly. It's like a memory exercise. Totally pointless. Because you easily google it in a work environment. Even the expert will have to google this
stuff.
upvoted 4 times
 
Omar_Aladdin
4 weeks, 1 day ago
That's what I hate the most, I'm not studying literature for god sake!!
upvoted 2 times
 
juniorccs
100% agree
upvoted 1 times
 
moota
I agree. Most Azure certification exams are ridiculous.
upvoted 6 times
 
balflearchen
Complain here is useless. And from your point of view, all certificate exams should be ridiculous.
Back to the question, answer B is correct.
"Live migration is supported only for storage accounts that use LRS or GRS replication. If your account uses RA-GRS, then you need to first
change your account's replication type to either LRS or GRS before proceeding. This intermediary step removes the secondary read-only
endpoint provided by RA-GRS before migration."
"ZRS supports general-purpose v2 accounts only"
upvoted 30 times
 
rawrkadia
Most certificate exams *are* ridiculous. Hardly an extreme take.
upvoted 7 times
 
fedztedz
Highly Voted 
10 months ago
Answer is correct. It is storage2.
The key to the answer in this question is "Live migration"
- You can do Live migration to ZRS from LRS or GRS only.
- Also this only applies on General Purpose v2 storage.

upvoted 53 times
 
Kamex009
Most Recent 
upvoted 5 times
 
AubinBakana
2 months ago
I'm glad I've had to get to see this in practice as it prepares not just for the exam but also helps refresh the memory, putting me in a work
environment mode. Although, it's just a memory exercise. You can just Google. But if you know it, it makes you a little more of an expert. Let's go
upvoted 2 times
 
Jotess
This question was on Jul 23, 2021 - passed the exam. Answer is B
upvoted 1 times
 
Shiven12
upvoted 2 times
 
CLagnuts
What did you put for the answer ?
upvoted 1 times
 
mkoprivnj
Back to the question, answer B is correct.
upvoted 2 times
 
Tranquillo1811
Answer B is correct!
https://docs.microsoft.com/en-us/azure/storage/common/redundancy-migration?tabs=portal#request-a-live-migration-to-zrs-gzrs-or-ra-gzrs
(see 3rd section...)

upvoted 1 times
 
modiallo
B is correct!

upvoted 2 times
 
vamshidhara
5 months ago
If you need to migrate your storage account from LRS to ZRS in the primary region with no application downtime, you can request a live migration
from Microsoft. To migrate from LRS to GZRS or RA-GZRS, first switch to GRS or RA-GRS and then request a live migration. Similarly, you can
request a live migration from GRS or RA-GRS to GZRS or RA-GZRS. To migrate from GRS or RA-GRS to ZRS, first switch to LRS, then request a live
migration.
upvoted 1 times
 
mlantonis
5 months ago
Correct Answer:
Live migration is supported only for storage accounts that use LRS or GRS replication. If your account uses RA-GRS, then you need to first change
your account's replication type to either LRS or GRS before proceeding. This intermediary step removes the secondary read-only endpoint provided
by RA-GRS before migration. ZRS supports general-purpose v2 accounts only.
A: Incorrect - General purpose v1.
B: Correct - General purpose v2 + LRS.
C: Incorrect - RA-GRS needs to be converted to LRS before Live migration request to ZRS.
D: Incorrect - Only premium blob blocks are supported by ZRS.
Reference:
https://docs.microsoft.com/en-us/learn/modules/provide-disaster-recovery-replicate-storage-data/2-evaluate-data-redundancy-options
upvoted 18 times
 
director47
As explained only Standard is supported for live not premium. Those would be manual.
upvoted 5 times
 
mg
Answer is correct
upvoted 1 times
 
Sandroal29
Hands down provided answer is correct.
upvoted 1 times
 
ZUMY
B is correct!

upvoted 3 times
 
Merma
Correct
"You can switch your replication strategy for any storage account. The process you use depends on the current replication strategy for your
account. For example, if you want to migrate from a storage account with LRS, you have two options:
Manually move or copy your data to a new account with GZRS.
Switch the replication type to GRS/RA-GRS first and then create a request with Azure Support for a live migration to GZRS."
https://docs.microsoft.com/en-us/learn/modules/provide-disaster-recovery-replicate-storage-data/2-evaluate-data-redundancy-options
upvoted 1 times
 
toniiv
Answer is correct. Live migration to ZRS can come from LRS or GRS and only available to General Purpose v2 storage account type.
upvoted 2 times
You have an Azure subscription that contains a storage account named account1.
You plan to upload the disk files of a virtual machine to account1 from your on-premises network. The on-premises network uses a public IP
address space of
131.107.1.0/24.
You plan to use the disk files to provision an Azure virtual machine named VM1. VM1 will be attached to a virtual network named VNet1. VNet1
uses an IP address space of 192.168.0.0/24.
You need to configure account1 to meet the following requirements:
✑ Ensure that you can upload the disk files to account1.
✑ Ensure that you can attach the disks to VM1.
✑ Prevent all other access to account1.
Which two actions should you perform? Each correct answer presents part of the solution.
A.
From the Firewalls and virtual networks blade of account1, select Selected networks.
B.
From the Firewalls and virtual networks blade of account1, select Allow trusted Microsoft services to access this storage account.
C.
From the Firewalls and virtual networks blade of account1, add the 131.107.1.0/24 IP address range.
D.
From the Firewalls and virtual networks blade of account1, add VNet1.
E.
From the Service endpoints blade of VNet1, add a service endpoint.
Correct Answer:
AE
A: By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change
the default action.
Azure portal -
1. Navigate to the storage account you want to secure.
2. Click on the settings menu called Firewalls and virtual networks.
3. To deny access by default, choose to allow access from 'Selected networks'. To allow traffic from all networks, choose to allow access from
'All networks'.
4. Click Save to apply your changes.
E: Grant access from a Virtual Network
Storage accounts can be configured to allow access only from specific Azure Virtual Networks.
By enabling a Service Endpoint for Azure Storage within the Virtual Network, traffic is ensured an optimal route to the Azure Storage service.
The identities of the virtual network and the subnet are also transmitted with each request.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security
 
z0ru1
Highly Voted 
I would say AC
upvoted 47 times
 
vince60370
Based on given answers from AZ 103 same question, I would agree :
(A (AZ104) = D (AZ103), C (AZ104) = C (AZ103))
"Chape87 - 9 months ago

Its C and D. If you do D, You don't need to do B, its enabled by default. E isn't related. A won't be necessary for the VMs, as the trusted microsoft
service can grab the drive from the storage account for the VMs in VNet1
dean1984kirsten - 9 months ago
Okay, so we saying in sequence:
D. From the Firewalls and virtual networks balde of account1, select Selected networks.
Then
C. From the Firewalls and virtual networks blade of account1, add the 131.107.1.0/24 IP address range."
upvoted 4 times
 
Shailen
Yes correct answer is A and C, details as follows:
As per question, You need to configure account1 to meet the following requirements:
✑ Ensure that you can upload the disk files to account1. > Access is now restricted due to below mentioned 3rd requirement so we now need
to open firewall for on premise network range added into allowed list as per option C.
✑ Ensure that you can attach the disks to VM1. > If same VNET is selected using option A below, then SA and file will be accessible from VM1.
✑ Prevent all other access to account1. > Restrict the access by selecting selected network option which is option A.
upvoted 1 times
 
MahmoudJamaah
10 months ago
you will not be able to attach the Disk to VM.
upvoted 3 times
 
ceaser221
9 months ago
I think, its BC
upvoted 8 times
 
fedztedz
Highly Voted 
10 months ago
Answer is not correct.
This question can have 3 answers A,C,D
I will choose A & C but still D is correct
First: - You need to select "Selected Networks" otherwise C & D won't work. , so choose A
Second - you need to allow on-perm access. C
Third - you also need to allow VNET access D
For Answer E, when you enable VNET from storage account, the Endpoint could be enabled also from there automatically. check this
https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security#azure-portal-1
upvoted 45 times
 
oooMooo
10 months ago
Agree that it's A,C, and D.
upvoted 2 times
 
Mukesh_Aggarwal_07
Most Recent 
3 weeks, 4 days ago
Correct answer should be A,C
upvoted 2 times
 
theOldOne
3 weeks, 6 days ago
Did anyone ever confirm what answer they are looking for on the test?
upvoted 1 times
 
mwhooo
A+C 100% Sure, answer E makes no sense, you have nothing todo with the VNET, that not related to the storage account by any means. Hope this
helps
upvoted 1 times
 
AubinBakana
2 months ago
To understand the question you need to understand what they are trying to establish. And the answer to that is: They want to know if you
understand the concept of Service Endpoint.
You add a Service Endpoint on the VNet that contains the device you wish to connect so that you connect to the Storage account is done via
Microsoft backbone.
Then you select the network in the storage account. You do this by selecting the Selected Network etc.
Thank You.
upvoted 2 times
 
AubinBakana
2 months ago
so that *your connection to the Storage account is done via Microsoft backbone
upvoted 1 times
 
ngamabe
AC answer
upvoted 1 times
 
barcellos
A and E
By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the
default action.
Go to the storage account you want to secure.
Select on the settings menu called Networking.

To deny access by default, choose to allow access from Selected networks. To allow traffic from all networks, choose to allow access from All
networks.
Select Save to apply your changes.
c incorrect = already exist an subnet spaces 192.168.x.x

upvoted 2 times
 
PersonT
3 months ago
B,C on prem access and allow trusted services to use the disks in the stg
upvoted 1 times
 
Spandrop
The question asks about 2 actions:
(1) you change to "selected network" and then (2) you must inform which is the "selected network", so it should be A and C
upvoted 1 times
 
Parry11
Correct answer should be A,C
upvoted 2 times
 
rdsserrao
Looking at the answers it should be ACDE, however since we can only choose 2, it should be AE.
Because when we do A that's when we do C and D.
And E is a must, we need to add the service endpoint.

upvoted 1 times
 
nayte
A - Selected Networks (then add VNET)
E - Add secure endpoint (for on-prem to connect to)

upvoted 1 times
 
rawrkadia
On-prem range is public IP, do you necessarily need E? This will gate access on the public endpoint as well.
upvoted 1 times
 
CloudyTech
A and C is the correct answer folks
upvoted 1 times
 
mkoprivnj
I would say AC
upvoted 1 times
 
slimjago
I think is AE.. I can configure B,C and D from Selected Network in Networking blade from account1 (answer A). Then, I have to enable service
endpoint on VNET1 (answer E)
upvoted 1 times
 
JayBee65
By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the
default action.
Go to the storage account you want to secure.
Select on the settings menu called Networking.

To deny access by default, choose to allow access from Selected networks. To allow traffic from all networks, choose to allow access from All
networks.
Select Save to apply your changes.
You must do A and C. The question is, do you need to do anything else
upvoted 1 times
DRAG DROP -
You have an on-premises file server named Server1 that runs Windows Server 2016.
You have an Azure subscription that contains an Azure file share.
You deploy an Azure File Sync Storage Sync Service, and you create a sync group.
You need to synchronize files from Server1 to Azure.
Select and Place:
Correct Answer:

Step 1: Install the Azure File Sync agent on Server1
Step 2: Register Server1.
Registering your Windows Server with a Storage Sync Service establishes a trust relationship between your server (or cluster) and the Storage
Sync Service.
Step 3: Add a server endpoint -
Create a sync group and a cloud endpoint.
A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept in sync with each other. A sync group must
contain one cloud endpoint, which represents an Azure file share and one or more server endpoints. A server endpoint represents a path on
registered server.
Reference:
 
mlantonis
Highly Voted 
5 months ago
Correct Answer:
Step 1: Install the Azure File Sync agent on Server1
Step 2: Register Server1
Registering your Windows Server with a Storage Sync Service establishes a trust relationship between your server (or cluster) and the Storage Sync
Service.
Step 3: Add a server endpoint
Create a sync group and a cloud endpoint.
A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept in sync with each other. A sync group must contain
one cloud endpoint, which represents an Azure file share and one or more server endpoints. A server endpoint represents a path on registered
server.
Reference:
upvoted 35 times
 
fedztedz
Highly Voted 
10 months ago
Answer is correct
upvoted 27 times
 
khengoolman
Most Recent 
1 week, 3 days ago
upvoted 1 times
 
afathy
upvoted 1 times
 
Kamex009
upvoted 3 times
 
khismail
2 months ago
In Exam 21/08/2021
upvoted 1 times
 
AubinBakana
2 months ago
It's a poorly designed question. What they are trying to establish here is if you are familiar with Azure File Sync service. Answer is correct
upvoted 2 times
 
thuylevn
correct, https://docs.microsoft.com/en-us/learn/modules/extend-share-capacity-with-azure-file-sync/7-set-up-azure-file-sync-windows-server
upvoted 1 times
 
Jotess
upvoted 5 times
 
juniorccs
Thanks for help us out
upvoted 1 times
 
lucky_18
upvoted 3 times
 
mkoprivnj
1. install
2. register
3. add
upvoted 2 times
 
oriduri
Answer is correct
upvoted 1 times
 
Bharadhi
6 months ago
Answer is correct
upvoted 1 times
 
mg
Answer is correct
upvoted 1 times
 
ZUMY
Given Answer is correct
upvoted 1 times
 
Merma
Correct
1. Evaluate your on-premises system: Run the evaluation cmdlet on your on-premises server to check whether your OS and file system are
supported.
2. Create Azure resources: You need a storage account to contain a file share, a Storage Sync Service, and a sync group. Create the resources in that
order.
3. Install the Azure File Sync agent: Install the agent on each file server that's taking part in replication to the Storage Sync Service.
4. Register the Windows Server computer with the Storage Sync Service: After you install the sync agent, you're prompted to register the server
with the Storage Sync Service.
5. Create the server endpoint: After the server is registered, you add it as an endpoint in the sync group.
https://docs.microsoft.com/en-us/learn/modules/extend-share-capacity-with-azure-file-sync/2-what-azure-file-sync
upvoted 1 times
 
toniiv
Answers and order is correct. First to install the Sync agent, then Server becomes available to select and register it, then last point is to create
endpoint on the server into a Sync Group.
upvoted 1 times
HOTSPOT -
You plan to create an Azure Storage account in the Azure region of East US 2.
You need to create a storage account that meets the following requirements:
✑ Replicates synchronously.
✑ Remains available if a single data center in the region fails.
How should you configure the storage account? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:

Box 1: Zone-redundant storage (ZRS)
Zone-redundant storage (ZRS) replicates your data synchronously across three storage clusters in a single region.
LRS would not remain available if a data center in the region fails
GRS and RA GRS use asynchronous replication.
Box 2: StorageV2 (general purpose V2)
ZRS only support GPv2.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy https://docs.microsoft.com/en-
us/azure/storage/common/storage-redundancy-zrs
 
MicroJ
Highly Voted 
Answer describes ZRS being correct but marks GRS. From reading the description is seems like ZRS is the correct answer.
upvoted 34 times
 
Shailen
Seems rectified now. It is showing ZRS selected as well in answer description below.
upvoted 3 times
 
JohnAvlakiotis
True. ZRS is correct.
upvoted 12 times
 
Sandroal29
The thing is that ZRG is not Geo-redundant. it merely works within a single region.
upvoted 3 times
 
JayBee65
...and what is your point about this?
upvoted 2 times
 
Omar_Aladdin
3 weeks ago
ZRS means Zone Redundant, the only think to Introduce a G here, is if was asked about "Region Failover"
Whenever you hear a "Datacenter"; It is Z over there

upvoted 1 times
 
mlantonis
Highly Voted 
5 months ago
Correct Answer:
Box 1: Zone-redundant storage (ZRS)
Zone-redundant storage (ZRS) replicates your data synchronously across three storage clusters in a single Region.
GRS protects against Zone failure, while ZRS protects against data center failure.
LRS would not remain available if a data center in the region fails.
Box 2: StorageV2 (general purpose V2)
ZRS only support GPv2.
Reference:
upvoted 28 times
 
Kamex009
Most Recent 
upvoted 3 times
 
khismail
2 months ago
In Exam 21/08/2021
upvoted 1 times
 
AubinBakana
2 months ago
Obvious answer. Although, Microsoft doesn't use the other Storage types anymore from what I know.
StorageV2_LRS had to be the only option

upvoted 1 times
 
AubinBakana
2 months ago
Typo correction. Answer is StorageV2_ZRS
upvoted 1 times
 
JimBobSquare101
in exam 30 July
21
upvoted 4 times
 
raph90fr
Correct.
Just remind that ZRS is started to be available on prenium block blobs also
upvoted 1 times
 
achmadirvanp
upvoted 5 times
 
mkoprivnj
ZRS + StoregeV2
upvoted 3 times
 
HTD
Zone-redundant storage (ZRS) replicates your data synchronously across three storage clusters in a single region.
LRS would not remain available if a data center in the region fails
ZRS only support GPv2

upvoted 3 times
 
armandolubaba
zrs and v2
upvoted 1 times
 
Bharadhi
6 months ago
ZRS - If single data center fails we would go for it.
GRS- this is for failure
so the answer would be
ZRS
storage V2
upvoted 3 times
 
ms70743
ZRS
V2
upvoted 6 times
 
beupy
7 months ago
Agreed that it's ZRS, but why all chose V2 since ZRS supports any of V2, BlockBlob & File ?
upvoted 1 times
 
thowell
Yes, ZRS supports V2, BlockBlob and File storage. But it DOESN'T support Blob or V1 storage - which are the other 2 options. So StorageV2 is
the right answer.
upvoted 4 times
 
incubutus
In the question, it didn't as for redundancy over geo-locations. It asked if a data centre goes down. So ZRS is ideal "Zone-redundant storage (ZRS)
copies your data synchronously across three Azure availability zones in the primary region. For applications requiring high availability, Microsoft
recommends using ZRS in the primary region, and also replicating to a secondary region." For the account type, it must be Storage V2 as it is the
only one supported on ZRS.
upvoted 3 times
 
mg
ZRS
Storage v2
upvoted 3 times
 
ZUMY
Replication : ZRS ( Same Region but data avail in different(Zones) Locations)
Account Type : Storage V2

upvoted 4 times
You plan to use the Azure Import/Export service to copy files to a storage account.
Which two files should you create before you prepare the drives for the import job? Each correct answer presents part of the solution.
A.
an XML manifest file
B.
a dataset CSV file
C.
a JSON configuration file
D.
a PowerShell PS1 file
E.
a driveset CSV file
Correct Answer:
BE
B: Modify the dataset.csv file in the root folder where the tool resides. Depending on whether you want to import a file or folder or both, add
entries in the dataset.csv file
E: Modify the driveset.csv file in the root folder where the tool resides.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-data-to-files
 
Lobe
Highly Voted 
It should be B and E. Explanation is right though
upvoted 48 times
 
mlantonis
Highly Voted 
5 months ago
Correct Answer: B and E
Modify the dataset.csv file in the root folder where the tool resides. Depending on whether you want to import a file or folder or both, add entries
in the dataset.csv file
Modify the driveset.csv file in the root folder where the tool is.
Reference:
https://docs.microsoft.com/en-us/azure/import-export/storage-import-export-service
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-data-to-files
upvoted 32 times
 
suriyaswamy
Good Info
upvoted 2 times
 
PPSHREE_123
I find mlantonis's answers are correct and most reliable
upvoted 5 times
 
ScoutP
Most Recent 
2 weeks, 4 days ago
upvoted 1 times
 
Kamex009
upvoted 3 times
 
AubinBakana
2 months ago
Answer is correct.
"Dataset CSV file is the value of /dataset flag is a CSV file that contains a list of directories and/or a list of files to be copied to target drives."
"Dataset CSV file is the value of /dataset flag is a CSV file that contains a list of directories and/or a list of files to be copied to target drives."
Microsoft Doc
https://docs.microsoft.com/en-us/previous-versions/azure/storage/common/storage-import-export-tool-preparing-hard-drives-import
upvoted 2 times
 
mkoprivnj
B & E.
upvoted 1 times
 
Tamilarasan
Correct Answer is B & E
https://docs.microsoft.com/en-us/azure/import-export/storage-import-export-data-to-files?tabs=azure-portal
upvoted 3 times
 
CARIOCA
5 months ago
upvoted 3 times
 
JayBee65
The link provides a clear explanation of the answer :)
upvoted 1 times
 
JayBee65
Maybe you should work it out form the comments :)
upvoted 1 times
 
armandolubaba
B and E
upvoted 2 times
 
Skilled_Hawkeye
Correct answer on exam topics AZ-103. Its B and E.
upvoted 1 times
 
oriduri
B and E is correct
upvoted 2 times
 
Bharadhi
6 months ago
It would be B and E
upvoted 1 times
 
Nihar258255
Dear God please help exam topics to correct there answers.
upvoted 14 times
 
allray15
i saw few answers are highlighted wrong but text explanations are right. why cant they just correct it
upvoted 6 times
 
ms70743
B & E is correct
upvoted 1 times
 
mg
B E (Dataset csv file and driveset csv file)
upvoted 1 times
 
Vole51
why there is no admin or anyone from examtopics.com fixing these obvious answers?
upvoted 4 times
 
Lkk51
it's a free site, dear
upvoted 1 times
You have a Recovery Service vault that you use to test backups. The test backups contain two protected virtual machines.
You need to delete the Recovery Services vault.
A.
From the Recovery Service vault, delete the backup data.
B.
Modify the disaster recovery properties of each virtual machine.
C.
Modify the locks of each virtual machine.
D.
From the Recovery Service vault, stop the backup of each backup item.
Correct Answer:
D
You can't delete a Recovery Services vault if it is registered to a server and holds backup data. If you try to delete a vault, but can't, the vault is
still configured to receive backup data.
Remove vault dependencies and delete vault
In the vault dashboard menu, scroll down to the Protected Items section, and click Backup Items. In this menu, you can stop and delete Azure
File Servers, SQL
Servers in Azure VM, and Azure virtual machines.
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault
 
tuta
Highly Voted 
correct
upvoted 23 times
 
mlantonis
Highly Voted 
5 months ago
Correct Answer: D
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault#delete-protected-items-in-the-cloud
upvoted 22 times
 
fabylande
Most Recent 
1 day, 18 hours ago
upvoted 1 times
 
ohana
4 days, 6 hours ago
Took the exam today on 17 Oct. This question came out. Ans: D
upvoted 2 times
 
AubinBakana
2 months ago
First, you have to stop the backup
Then unlock & shut down/deallocate the machine.
Then delete the Group
Think: CI/CD & training environment.
One of the purposes of grouping resources is to facilitate the deletion of resources.
Answer is correct.
upvoted 4 times
 
thorppp
correct
upvoted 1 times
 
rdsserrao
First action is D, only then you can do A.
upvoted 4 times
 
McRowdy
The key statement here is "what should you do FIRST?". Answer is "D". Reason why "A" is not correct is because that is the second action. (Trick
question)
upvoted 2 times
 
mkoprivnj
D is correct!
upvoted 2 times
 
Mich132
In an earlier question to remove a RG with a RSV in it the Consensus was to delete the backup data instead of stopping the backup. Here it is
stopping the backup data. Confusing... I think the answer here is correct.
upvoted 3 times
 
theOldOne
1 week, 5 days ago
This answer is correct. This was also the correct answer on the other question. See the comment I posted there.
upvoted 1 times
 
Govindaraj
Correct Answer - "DFrom the Recovery Service vault, stop the backup of each backup item."
You can't delete service that contains protected data sources (for example, IaaS VMs, SQL databases, Azure file shares).
Reference :
https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault#before-you-start
upvoted 2 times
 
armandolubaba
D is correct
upvoted 1 times
 
cmong2005
correct, you need to stop the backup service 1st, then delete the backup data.after that you can delete the vault
upvoted 3 times
 
Dips88
I think it should be 'A'. To complete recovery service deletion it definitely needs to stop all back ups and then delete back ups. In the question it is
never mentioned that backup is still on and moreover it contains two back ups. So for immediate deletion back up has to be deleted.
upvoted 5 times
 
xMilkyMan123
Its useless to delete backup data if data is continously being backed up. Think about it
upvoted 6 times
 
AAKC
Little confuse on this one. It says protected VMs. So we need to modify the lock first right?
upvoted 1 times
 
AAKC
sorry never mind. I got it
upvoted 2 times
 
briya
why can't A and D both right answers ?
upvoted 4 times
 
JayBee65
From the link (https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault#delete-protected-items-in-the-cloud):
Step 3: You must check all of the following three places to verify if there are any protected items:
1. Cloud protected items...
2. SQL Server instance...
3. MARS protected servers...
4. MABS or DPM management servers...
This suggests that the first item should be to stop the backup. (D)
Next you would want to delete (A)
So the first action is D

upvoted 3 times
 
JayBee65
test 123
upvoted 1 times
 
oriduri
correct answer
upvoted 1 times
HOTSPOT -
You have an Azure subscription named Subscription1 that contains the resources shown in the following table.
In storage1, you create a blob container named blob1 and a file share named share1.
Which resources can be backed up to Vault1 and Vault2? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:

Box 1: VM1 only -
VM1 is in the same region as Vault1.
File1 is not in the same region as Vautl1.
SQL is not in the same region as Vault1.
Blobs cannot be backup up to service vaults.
Note: To create a vault to protect virtual machines, the vault must be in the same region as the virtual machines.
Box 2: Share1 only.
Storage1 is in the same region (West USA) as Vault2. Share1 is in Storage1.
Note: After you select Backup, the Backup pane opens and prompts you to select a storage account from a list of discovered supported storage
accounts. They're either associated with this vault or present in the same region as the vault, but not yet associated to any Recovery Services
vault.
Reference:
https://docs.microsoft.com/bs-cyrl-ba/azure/backup/backup-create-rs-vault https://docs.microsoft.com/en-us/azure/backup/backup-afs
 
mlantonis
Highly Voted 
5 months ago
Correct Answer:
Box 1: VM1 only
VM1 is in the same region as Vault1. File1 is not in the same region as Vautl1. SQL is not in the same region as Vault1. Blobs cannot be backup up
to service vaults.
Note: To create a Vault to protect VMs, the Vault must be in the same Region as the VMs.
Box 2: Share1 only
Storage1 is in the same region as Vault2. Share1 is in Storage1.
Note: Only VM and Fileshare is allowed to Backup.
Reference:
https://docs.microsoft.com/bs-cyrl-ba/azure/backup/backup-create-rs-vault
https://docs.microsoft.com/en-us/azure/backup/backup-afs
https://feedback.azure.com/forums/217298-storage/suggestions/37096837-possibility-to-backup-blob-data-in-the-recovery-se
upvoted 47 times
 
Omar_Aladdin
4 weeks ago
good talk
upvoted 1 times
 
Hibs2016
Highly Voted 
Answer looks correct it is only share1 within storage1 that can be backed up as you can't back up blobs
See: https://feedback.azure.com/forums/217298-storage/suggestions/37096837-possibility-to-backup-blob-data-in-the-recovery-se
upvoted 29 times
 
FitObelix
it says nothing about blobs, it talks about a blob container
upvoted 1 times
 
Borbz
Answer is correct. Storage1 is not valid because it contains a Blob inside, so only Share1 can be backup.
upvoted 9 times
 
ohana
Most Recent 
4 days, 6 hours ago
Took the exam today on 17 Oct. This question came out. Ans:
Box 1: VM1 only
Box 2: Share 1 only

upvoted 1 times
 
zvasanth2
2 months ago
the first difference between an Azure Recovery Services Vault (ARSV) and an Azure Backup Vault (ABV) is are the available data sources of each
vault.
Blob backup is supported by Azure Backup not a Recovery service vault
https://docs.microsoft.com/en-us/answers/questions/405915/what-is-difference-between-recovery-services-
vault.html#:~:text=the%20first%20difference%20between%20an,available%20datasources%20of%20each%20vault.&text=The%20second%20differ
ence%20is%3A%20In,for%20Azure%20Backup%20data%20only.
upvoted 3 times
 
AubinBakana
2 months ago
Think like Microsoft: Why back up to a different region if they can offer you (RA-/)GRS? or (RA-)ZRS.
That leaves you to only remember that Azure does not back up blobs - Use snapshots instead.
Now it's no longer a memory exercise, you have a strategy to get to the answer.
Answer is correct
upvoted 1 times
 
barcellos
Answer Vm1 only and share only - Storage1 is not valid because it contains a Blob inside, so only Share1 can be backup.
upvoted 1 times
 
Jotess
This question was on Jul 23, 2021 - passed the exam. Answers given by mlantonis in this dump are correct.
upvoted 2 times
 
Shiven12
upvoted 2 times
 
mkoprivnj
1. VM1 only
2. share1 only
upvoted 2 times
 
longtech
The second answer is wrong. The Recovery Services vault is back up in the same region, in the storage 1 (blob and share) so the answer is blob and
share only
upvoted 1 times
 
shnz03
I disagree. If you go thru github az 104 lab, the option in the backup goal that is related to the question is File Share. No blob
upvoted 1 times
 
nfett
verified from provided articles. answer is correct.
upvoted 1 times
 
Sanin
All vaults must be with in the same Region as the Resources that are being backed up
upvoted 3 times
 
ealcober
error in question graphic. No share one!
upvoted 1 times
 
DannyGupta
Read the text
upvoted 3 times
 
Sahir
7 months ago
A. VM1 only, B. Share1 only-
only VM and fileshare is allowed to Backup

upvoted 4 times
 
incubutus
The answer is correct. VM1 Only as it's the only resource in the same Region of Vault1. Share1 Only as with Recovery Services Vault you can only
backup File Shares.
upvoted 4 times
 
mg
VM1 And Share1
upvoted 2 times
 
Sandroal29
The provided answer is correct.
upvoted 3 times
You have 5 TB of data that you need to transfer to Subscription1.
You plan to use an Azure Import/Export job.
What can you use as the destination of the imported data?
A.
a virtual machine
B.
an Azure Cosmos DB database
C.
Azure File Storage
D.
the Azure File Sync Storage Sync Service
Correct Answer:
C
Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to
an Azure datacenter.
The maximum size of an Azure Files Resource of a file share is 5 TB.
Note:
There are several versions of this question in the exam. The question has two correct answers:
1. Azure File Storage
2. Azure Blob Storage
The question can have other incorrect answer options, including the following:
✑ Azure Data Lake Store
✑ Azure SQL Database
✑ Azure Data Factory
Reference:
 
mlantonis
Highly Voted 
5 months ago
Correct Answer: C
Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to an
Azure datacenter. This service can also be used to transfer data from Azure Blob storage to disk drives and ship to your on-premises sites. Data
from one or more disk drives can be imported either to Azure Blob storage or Azure Files. The maximum size of an Azure Files Resource of a file
share is 5 TB.
Note: There are several versions of this question in the exam. The question has two correct answers:
or
Reference:
upvoted 32 times
 
Rodro13
Highly Voted 
Correct
upvoted 17 times
 
AubinBakana
Most Recent 
2 months ago
- Definitely not to a VM.
- Cosmos DB is a database for big data so it's not that either.
- What is Azure file Sync Storage Sync Svce? Never heard of it
Only 2 services supported are Azure File & Blobs.
Answer is correct. You can import the files to Azure File.
Note: Did you notice how Azure considers "importing" your exporting to them? It should be called exporting, shouldn't it?
Thank you
upvoted 1 times
 
mkoprivnj
C is correct!
upvoted 2 times
 
Raj_Rock
If answer is correct then why spamming the discussion forum. This forum is to be used when there is any discrepancy or any mistake in the answer.
upvoted 5 times
 
V1980
2 months ago
Also, it is pretty common for the given answer to be incorrect so the comments are affirmation.
upvoted 1 times
 
V1980
2 months ago
You haven't been here long, have you? If it wasn't necessary to say it is correct, the only comments you would see are 'this is wrong!' so then
you must feel the answer is indeed wrong because nobody says it is correct.
These comments are a LIFESAVER, pls don't abuse their generosity to you.
upvoted 1 times
 
nfett
Confirmed from the provided url , answer is correct.
upvoted 1 times
 
marvinconejo
This is Azure File Storage
upvoted 4 times
 
mg
Azure file storage is the correct answer
upvoted 1 times
 
ZUMY
C. Is correct!
upvoted 1 times
 
toniiv
C. is correct
upvoted 1 times
 
waterzhong
The WAImportExport tool is available in two versions, version 1 and 2. We recommend that you use:
Version 1 for import/export into Azure Blob storage.
Version 2 for importing data into Azure files.

upvoted 4 times
 
waterzhong
from one or more disk drives can be imported either to Azure Blob storage or Azure Files.
upvoted 3 times
 
sicmundus
10 months ago
Qn. came on 12/21/2020
upvoted 4 times
 
fedztedz
10 months ago
Answer is correct
upvoted 13 times
HOTSPOT -
You create the Azure Storage account shown in the following exhibit.
Hot Area:
Correct Answer:

Box 1: 3 -
Locally Redundant Storage (LRS) provides highly durable and available storage within a single location (sub region). We maintain an equivalent
of 3 copies
(replicas) of your data within the primary location as described in our SOSP paper; this ensures that we can recover from common failures
(disk, node, rack) without impacting your storage account‫ג‬€™s availability and durability.
Box 2: Access tier -
Change the access tier from Hot to Cool.
Note: Azure storage offers different access tiers, which allow you to store blob object data in the most cost-effective manner. The available
access tiers include:
Hot - Optimized for storing data that is accessed frequently.
Cool - Optimized for storing data that is infrequently accessed and stored for at least 30 days.
Archive - Optimized for storing data that is rarely accessed and stored for at least 180 days with flexible latency requirements (on the order of
hours).
Reference:
https://azure.microsoft.com/en-us/blog/data-series-introducing-locally-redundant-storage-for-windows-azure-storage/
 
sk1803
3 weeks ago
Both of them are correct.
- LRS has 3 copies of data
- Access tier has the "cool" option to store infrequently accessed data.
upvoted 3 times
 
Omar_Aladdin
3 weeks ago
Answer is Correct:
in LRS: "Three" Copies in "Three" Racks in a "Single" Datacenter
in ZRS: "Three" Copies in "Three" Datacenters in a "Single" Region
Ref:
ttps://docs.microsoft.com/en-us/learn/modules/configure-blob-storage/4-create-blob-access-tiers?ns-enrollment-type=LearningPath&ns-
upvoted 2 times
You have an Azure Storage account named storage1.
You plan to use AzCopy to copy data to storage1.
You need to identify the storage services in storage1 to which you can copy the data.
Which storage services should you identify?
A.
blob, file, table, and queue
B.
blob and file only
C.
file and table only
D.
file only
E.
blob, table, and queue only
Correct Answer:
B
AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage account.
Incorrect Answers:
A, C, E: AzCopy does not support table and queue storage services.
D: AzCopy supports file storage services, as well as blob storage services.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10
 
rrabeya
2 weeks, 2 days ago
Correct Answer B - blob and file only
Azure Import job supports: Azure Blob Storage, and Azure Files storage
Azure Export job supports: Azure Blob Storage
https://docs.microsoft.com/en-us/azure/import-export/storage-import-export-requirements
upvoted 3 times
 
boom666
2 weeks ago
Why do you refer to Import/Export here? I would refer to documentation about azcopy copy command instead - https://docs.microsoft.com/en-
us/azure/storage/common/storage-ref-azcopy-copy
upvoted 1 times
 
sk1803
3 weeks ago
B. is correct (Blobs and Files only)
upvoted 4 times
HOTSPOT -
You have an Azure Storage account named storage1 that uses Azure Blob storage and Azure File storage.
You need to use AzCopy to copy data to the blob storage and file storage in storage1.
Which authentication method should you use for each type of storage? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
You can provide authorization credentials by using Azure Active Directory (AD), or by using a Shared Access Signature (SAS) token.
Box 1:
Both Azure Active Directory (AD) and Shared Access Signature (SAS) token are supported for Blob storage.
Box 2:
Only Shared Access Signature (SAS) token is supported for File storage.
Reference:
 
mlantonis
Highly Voted 
5 months ago
Correct Answer:
Box 1: Both Azure Active Directory (AD) and Shared Access Signature (SAS) token are supported for Blob storage.
Box 2: Only Shared Access Signature (SAS) token is supported for File storage.
Reference:
upvoted 31 times
 
waterzhong
Highly Voted 
Authorize AzCopy
Use this table as a guide:
AUTHORIZE AZCOPY
Storage type Currently supported method of authorization
Blob storage Azure AD & SAS
Blob storage (hierarchical namespace) Azure AD & SAS
File storage SAS only

upvoted 30 times
 
khengoolman
Most Recent 
1 week, 3 days ago
upvoted 3 times
 
tbalaji2001
5 days, 5 hours ago
How you get access to last topic questions? whether contributor access required to clear the exam?
upvoted 1 times
 
AubinBakana
2 months ago
Here's my way of thinking to help me remember this:
If you are already syncing files, you do not really need to use AzCopy. And thus, the restrictions.
However, for Blob, because you do not have the same privilege as File Sync, there are less restrictions. As long as you have any of the secrets,
you're good.
Training my memory.
Answer is correct
upvoted 3 times
 
AubinBakana
2 months ago
azcopy copy '<local-file-path>' 'https://<storage-account-name>.file.core.windows.net/<file-share-name>/<file-name><SAS-token>'
replace file with blob where appropriate.

upvoted 1 times
 
thuylevn
Answers are correct but
conflict with answers question 6, topic 2 (https://www.examtopics.com/exams/microsoft/az-104/view/6/)

upvoted 1 times
 
Jotess
upvoted 1 times
 
anurag4516
3 months ago
Why not access key
upvoted 2 times
 
achmadirvanp
upvoted 3 times
 
mkoprivnj
AUTHORIZE AZCOPY

upvoted 2 times
 
nfett
Verified from provided url answer is correct
upvoted 1 times
 
Chief
Authorize AzCopy
Use this table as a guide:
Authorize AzCopy

upvoted 3 times
 
mdyck
Correct.
https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10#authorize-azcopy
upvoted 2 times
 
Snownoodles
Azcopy can also use access key to access storage account:
https://microsoft.github.io/AzureTipsAndTricks/blog/tip81.html
upvoted 1 times
 
Snownoodles
why not access key? access key is at storage account level, it can grant full access to both Blob and File share
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage
upvoted 2 times
 
ScreamingHand
We're specifically discussing AZCopy here
upvoted 1 times
 
mg
Answer is correct
upvoted 2 times
 
Adelate
correct answer
upvoted 1 times
 
ZUMY
Az Ad auth & SASig
Shared Acess Sig

upvoted 4 times
You have an Azure subscription that contains an Azure Storage account.
You plan to create an Azure container instance named container1 that will use a Docker image named Image1. Image1 contains a Microsoft SQL
Server instance that requires persistent storage.
You need to configure a storage service for Container1.
What should you use?
A.
Azure Files
B.
Azure Blob storage
C.
Azure Queue storage
D.
Azure Table storage
Correct Answer:
D
 
waterzhong
Highly Voted 
Correct answer should be Azure Files
upvoted 88 times
 
abu3lia
Correct, here is the proof: https://azure.microsoft.com/en-us/blog/persistent-docker-volumes-with-azure-file-storage/
upvoted 14 times
 
Acai
I agree, Here's another link if you're still skeptical
https://docs.microsoft.com/en-us/azure/aks/concepts-storage#persistent-volumes
upvoted 2 times
 
wooyourdaddy
Where did you validate this from ?
upvoted 1 times
 
RoastChicken
3 months ago
Azure table is unstructured data. Answer should be Azure Files.
upvoted 1 times
 
ngamabe
I agree
upvoted 1 times
 
JimBobSquare101
3 months ago
I would also consider the answer to be A: Files
Reason being the word persistent in the question....

upvoted 1 times
 
fedztedz
Highly Voted 
Answer is not Correct. It should be A "Azure Files"
Azure files are used as persistent disks for docker images. It doesn't matter the type of the image or its functionality.
upvoted 44 times
 
Mukesh_Aggarwal_07
Most Recent 
3 weeks, 4 days ago
Azure Files option A is correct
upvoted 1 times
 
Rkelly141
Any way answers can be changed be confusing if people relied on answers and not viewed discussions
upvoted 1 times
 
khismail
2 months ago
In Exam 21/08/2021
upvoted 1 times
 
sandipk91
2 months ago
Answer should be option A
upvoted 1 times
 
AubinBakana
2 months ago
The suggested answer is complete, totally wrong. It couldn't be more ridiculous. (Clarifying my previous post)
To persist state beyond the lifetime of the container, you must mount a volume from an external store. As shown in this article, Azure Container
Instances can mount an Azure file share created with Azure Files. Azure Container Instances can mount an Azure file share created with Azure Files.
ref:
https://docs.microsoft.com/en-us/azure/container-instances/container-instances-volume-azure-files.
Answer is A.
upvoted 1 times
 
AubinBakana
2 months ago
The answer is complete, totally wrong. It couldn't be more ridiculous.
Azure Container Instances can mount an Azure file share created with Azure Files.
ref:
https://docs.microsoft.com/en-us/azure/container-instances/container-instances-volume-azure-files.
Answer is A.
upvoted 1 times
 
JustCzechin
This is an example of a question where you should not take the number of one specific answer in the discussion or the number of upvotes as a sign
of correctness. Do your own research on storage accounts and containers. The exam question is trying to trick you into considering Docker images
and SQL table data when it is actually very simple, all storage containers are blob storage. Period.
upvoted 1 times
 
NigHtHunter2000
Its really hard to find an answer where everyone agrees when the given answer is wrong...lol
upvoted 3 times
 
Junpeng
Stop struggling, Choose A.
upvoted 1 times
 
CloudyTech
Azure File
upvoted 1 times
 
onincasimiro
Answer:
A. Azure Files
upvoted 1 times
 
ianto14
Answer is wrong. Will admin correct it please?
upvoted 1 times
 
ASIMIS
You're very funny. What admin...Hahahaha
upvoted 7 times
 
McRowdy
The correct answer is "A", due to SQL being a container. "D" would be correct if the actual SQL DB was stored directly.
upvoted 1 times
 
binisho123
Answer is A, tested in lab....lol
upvoted 3 times
 
mkoprivnj
A is correct!
upvoted 2 times
 
mlantonis
5 months ago
Correct Answer:
In Azure container instances, you can mount Azure File shares for persistent storage. Azure files are used as persistent disks for docker images. It
doesn't matter the type of the image or its functionality.
Persistent shared storage for containers. Easily share data between containers using NFS or SMB file shares. Azure Files is tightly integrated with
Azure Kubernetes Service (AKS) for easily storing and managing data.
Reference:
https://azure.microsoft.com/en-us/blog/persistent-docker-volumes-with-azure-file-storage
https://azure.microsoft.com/en-us/services/storage/files/#features
upvoted 32 times
 
Jsaon
absolutely Azure Files, we have persistent volume claims using storageclass: azurefile in our existing AKS environment. Azure files, not blob
storage. This is confirmed when going to Azure Storage Explorer and viewing File Shares
upvoted 2 times
You have an app named App1 that runs on two Azure virtual machines named VM1 and VM2.
You plan to implement an Azure Availability Set for App1. The solution must ensure that App1 is available during planned maintenance of the
hardware hosting
VM1 and VM2.
What should you include in the Availability Set?
A.
one update domain
B.
two fault domains
C.
one fault domain
D.
two update domains
Correct Answer:
D
Microsoft updates, which Microsoft refers to as planned maintenance events, sometimes require that VMs be rebooted to complete the update.
To reduce the impact on VMs, the Azure fabric is divided into update domains to ensure that not all VMs are rebooted at the same time.
Incorrect Answers:
A: An update domain is a group of VMs and underlying physical hardware that can be rebooted at the same time.
B, C: A fault domain shares common storage as well as a common power source and network switch. It is used to protect against unplanned
system failure.
References:
https://petri.com/understanding-azure-availability-sets
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-availability-sets
 
mlantonis
Highly Voted 
5 months ago
Correct Answer: D
When you create an Availability Set, the hardware in a location is divided into multiple update domains and fault domains.
An update domain is a group of VMs and underlying physical hardware that can be rebooted at the same time.
VMs in the same fault domain share common storage as well as a common power source and network switch.
During scheduled maintenance, only one update domain is updated at any given time. Update domains aren't necessarily updated sequentially. So,
we need two update domains.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-availability-sets
https://docs.microsoft.com/en-us/azure/virtual-machines/manage-availability
https://docs.microsoft.com/en-us/azure/virtual-machines/maintenance-and-updates
upvoted 40 times
 
Omar_Aladdin
4 weeks ago
Planned Maintenance "FOR THE HARDWARE ((HOSTING))"
I'm SURE "two fault domains" is the correct answer

upvoted 1 times
 
SilverFox22
2 weeks, 3 days ago
"Microsoft updates, which Microsoft refers to as planned maintenance events, sometimes require that VMs be rebooted to complete the
update." Planned maintenance refers to update domains, not fault domains. We need two update domains, answer is D.
upvoted 1 times
 
Parsec
Highly Voted 
It's "planned maintenance of the HARDWARE" in the question, not OS or software update. Should be 2 fault domains imho.
upvoted 26 times
 
janshal
Hi the answer is D:
the Q talk about the hardware hosting VM1 and VM2.
the hardware, meaning the Server containing the VMs (Called Update domain ).
During a Planed maintenance the update domains are shootdown one at a time. so D is ther right answer
upvoted 33 times
 
HuseinHasan
what will happen if the fault domain crashes, thats why i would go with two fault domains
upvoted 1 times
 
sandipk91
2 months ago
your assumption is wrong as they are talkin about planned maintenance
upvoted 1 times
 
Alir95
The question is specific to "Planned Maint", not outages and redundancy ... D is right.
upvoted 6 times
 
afathy
Most Recent 
Correct Answer: D
upvoted 1 times
 
Kamex009
upvoted 4 times
 
itsimranmalik
D. 2 Update domain is correct
The order of update domains being rebooted may not proceed sequentially during planned maintenance, but only one update domain is rebooted
at a time. A rebooted update domain is given 30 minutes to recover before maintenance is initiated on a different update domain.
Ref: https://docs.microsoft.com/en-us/azure/virtual-machines/availability-set-overview
upvoted 2 times
 
khismail
2 months ago
In Exam 21/08/2021, thanks to Mlantonis & Fedztedz
upvoted 2 times
 
CloudyTech
DDDDDDDDDDDDD
upvoted 2 times
 
kbpn
4 months ago
Two update domains can be inside one fault domain. So in this case of planned hardware Maintainance if a fault domain goes down then the app
becomes unavialble. I think the answer should be 2 fault domains.
upvoted 2 times
 
mkoprivnj
i would say D!
upvoted 1 times
 
HTD
Fault is realted to Hardware ..Update is for Pacthing....
upvoted 1 times
 
ScreamingHand
For me, the keyword here is "planned", - so I am going for 'D' Update. Faults are not "planned". MS put the word "hardware" in the question
because they're arseholes.
upvoted 9 times
 
moota
Agree with the A label ;)
upvoted 1 times
 
Voravut
D is correct answer.
I passed exam on 05/24.
80-90 % questions are from this exam. Please read it carefully. Also read in "discussion" in all questions of this website as sometimes they showed
the wrong answer.
Best of luck.
upvoted 9 times
 
BennyWang
Can you share the lab operation questions?
upvoted 1 times
 
msidy2020
I am learning for exam. Do they ask to do practical lab during exam ?
upvoted 1 times
 
vamshidhara
5 months ago
If maintenance requires a reboot, you're notified of the planned maintenance
So answer is right
upvoted 1 times
 
TJay
Planned maintenance could be either for Patching or Hardware replacement. In the question it says "planned maintenance of the HARDWARE"
Therefore VMs would need to be across 2 x racks = Two fault domains.
Correct answer is B = Two fault domains
If the planned maintenance's for patching (Updates) > answer would be "Two update domains" (As only one VM's rebooted at a time)
upvoted 2 times
 
ronsav80
5 months ago
Fault domains are only if/when an entire datacenter goes down (unplanned outage). Update domains are for planned outage (ie, windows
updates)
upvoted 3 times
 
nfett
D is right. confirmed from the provided doc.
upvoted 2 times
 
Davar39
Qs like this one is why I gladly spend my money on Exam Topic Contributor access vs paying M$ another 165$. We are expected to know that :
Microsoft updates, which Microsoft refers to as planned maintenance events, sometimes require that VMs be rebooted to complete the update.
This is useless minutia, knowing this information proves nothing.

upvoted 2 times
 
mdyck
Answer is D
upvoted 3 times
You have 5 TB of data that you need to transfer to Subscription1.
You plan to use an Azure Import/Export job.
What can you use as the destination of the imported data?
A.
an Azure Cosmos DB database
B.
Azure Blob storage
C.
Azure Data Lake Store
D.
the Azure File Sync Storage Sync Service
Correct Answer:
B
Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to
an Azure datacenter.
Note:
There are several versions of this question in the exam. The question has two correct answers:
✑ a virtual machine
Reference:
 
mlantonis
Highly Voted 
5 months ago
Correct Answer:
from one or more disk drives can be imported either to Azure Blob storage or Azure Files. The maximum size of an Azure Files Resource of a file
share is 5 TB.
Note: There are several versions of this question in the exam. The question has two correct answers:
or
Reference:
upvoted 17 times
 
mkoprivnj
Highly Voted 
B is correct!
upvoted 5 times
 
khengoolman
Most Recent 
1 week, 3 days ago
upvoted 1 times
 
Kamex009
upvoted 2 times
 
Adebowale
Correct one
upvoted 1 times
 
yigido
dublicated
upvoted 1 times
 
Gromble_ziz
Not duplicated. Just a different version.
2 correct answer possible:

upvoted 3 times
 
nfett
confirmed from provided link answer is correct.
upvoted 2 times
 
Manimegha
Correct
upvoted 1 times
 
Alses1970
Correct
https://docs.microsoft.com/en-us/azure/import-export/storage-import-export-service
upvoted 2 times
 
Devgela
Correct Answer: B
upvoted 2 times
DRAG DROP -
You have an Azure subscription that contains an Azure file share.
You have an on-premises server named Server1 that runs Windows Server 2016.
You plan to set up Azure File Sync between Server1 and the Azure file share.
You need to prepare the subscription for the planned Azure File Sync.
Which two actions should you perform in the Azure subscription? To answer, drag the appropriate actions to the correct targets. Each action may
be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Select and Place:
Correct Answer:

First action: Create a Storage Sync Service
The deployment of Azure File Sync starts with placing a Storage Sync Service resource into a resource group of your selected subscription.
Second action: Install the Azure File Sync agent
The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share.
Reference:
 
gujjudesi420
Highly Voted 
I think answer should be Create Storage Sync Service, Create a Sync Group as they are asking for "Which two actions should you perform in the
Azure subscription?"
upvoted 82 times
 
Praveen66
Agree with you, its actions on the subscription/azure portal and does not ask for actions on the server
upvoted 2 times
 
J4U
Yes, that is correct. The steps are given in the URL mlantonis shared.
upvoted 1 times
 
mashk19
Agreed. The question explicitly says which two actions would you perform in the Azure Subscription. You'd install the sync agent on the on
premises server so that would not be a valid choice. And you'd register the server from the server. Which leaves you with only two choices left.
Create a Storage Sync Service. Create a sync group.
upvoted 7 times
 
xupiter
Correct.
Link: https://docs.microsoft.com/en-us/learn/modules/extend-share-capacity-with-azure-file-sync/5-set-up-azure-file-sync
upvoted 3 times
 
mlantonis
Highly Voted 
5 months ago
Correct Answer:
The deployment of Azure File Sync starts with placing a Storage Sync Service resource into a resource group of your selected subscription.
Second action: Install the Azure File Sync agent
The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share.
1. Prepare Windows Server to use with Azure File Sync
2. Deploy the Storage Sync Service
3. Install the Azure File Sync agent
4. Register Windows Server with Storage Sync Service
5. Create a sync group and a cloud endpoint
6. Create a server endpoint
7. Configure firewall and virtual network settings
Reference:

https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-deployment-guide?tabs=azure-portal%2Cproactive-portal#deploy-the-storage-
sync-service
upvoted 24 times
 
Praveen66
But the question talks about actions on the subscription and not on the servers.
so it should be
Second action:Create a sync group

upvoted 5 times
 
Gyanshukla
2 months ago
steps are listed correctly but they are asking action at Azure side. That should be creating/deploying sync service followed by creation of sync
group.
upvoted 1 times
 
suriyaswamy
Nice explanation
upvoted 1 times
 
J4U
Maybe the link you shared got updated with these steps under Onboarding with Azure File Sync. So answer is as below.
Deploy a Storage Sync Service.
Create a sync group.
Install Azure File Sync agent on the server.
Register that server and create a server endpoint on the share

upvoted 2 times
 
fabylande
Most Recent 
1 day, 18 hours ago
upvoted 1 times
 
vimi003
1 day, 18 hours ago
Which two actions should you perform in the Azure subscription?
Correct Answer : Create a Storage Sync Service and Create a Sync Group
upvoted 2 times
 
theOldOne
3 weeks, 5 days ago
Seems like a lot of people are getting "On the Subscription" and "On the On Premise Server" mixed up. You do not have an on premise server kept
in your Azure subscription
upvoted 2 times
 
azure_104
1 month, 1 week ago
The first step you do is crate storage sync service and then download agent. Notice that you need to download the agent to add a server before
you create a sync group.
Have a look here:
https://youtu.be/nfWLO7F52-s?t=708
upvoted 2 times
 
theOldOne
3 weeks, 5 days ago
Except it does not ask for actions on the Server side. The question ask for steps on the Subscription side.
upvoted 4 times
 
AubinBakana
2 months ago
Totally, completely wrong.
(correcting an error from my previous post)
In Azure:
- You install the File Sync service.
On-prem
- You download and install the File Sync Agent
- You register the Server(s)
In the cloud:
- Then Create a Sync group. This syncs only to 1 single share. (this process also creates a cloud endpoint)
- Then Add a Server Endpoint. At this stage, you can add as many server endpoints to the Sync group as possible. All these files sync to the 1 file
share in the syn group.
So the answer is:
Create a sync service
Create a sync group
100% sure
upvoted 1 times
 
AubinBakana
2 months ago
Totally, completely wrong.
In Azure:
- You install the File Sync Agent.
On-prem
- You download and install the File Sync Agent
- You register the Server(s)
In the cloud:
- Then Create a Sync group. This syncs only to 1 single share. (this process also creates a cloud endpoint)
- Then Add a Server Endpoint. At this stage, you can add as many server endpoints to the Sync group as possible. All these files sync to the 1 file
share in the syn group.
So the answer is:
Create a sync service
Create a sync group
100% sure
upvoted 1 times
 
AubinBakana
2 months ago
Please read :
In Azure:
- You install the File Sync *Service.

upvoted 1 times
 
Micah7
2 months ago
To help everyone out there is confusion on the 2nd step:
- Azure File Syn Agent can be installed on a physical server or a "virtual" server
- The server in this question is on premises = physical
The question clearly ask what 2 steps we would take on the "Azure Subscription"-->cloud side. Therefore, the answer is:
1. Create a Storage Sync Service
2. Install the Azure File Sync agent (However, this server is not virtual/cloud so this is not 2nd step!)
3. Create a sync group (This is the 2nd step)
This is a great page under "Windows file server considerations" section that tells you Azure File Sync agent can be installed on either physical or
virtual server......scroll further down to "Minimum system resources".......read the first line under that title.
upvoted 2 times
 
Micah7
2 months ago
Sorry here is the page: https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-planning
upvoted 1 times
 
achmadirvanp
upvoted 3 times
 
mkoprivnj
Create Storage Sync Service, Create a Sync Group
upvoted 1 times
 
Raj_Rock
Answer is wrong.
The recommended steps to onboard on Azure File Sync for the first time with zero downtime while preserving full file fidelity and access control list
(ACL) are as follows:
Deploy a Storage Sync Service.
Create a sync group.
Install Azure File Sync agent on the server with the full data set.
Register that server and create a server endpoint on the share.
https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-deployment-guide?tabs=azure-portal%2Cproactive-portal#onboarding-with-
azure-file-sync
upvoted 2 times
 
rrr
Install the Azure File Sync agent
link:https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-deployment-guide?tabs=azure-portal%2Cproactive-portal
upvoted 1 times
 
jantoniocesargatica
If we do not read carefully, we will not pass the exam. The question says on Azure, it doesn't say On Premise. The answer is obvious, Create Storage
Sync Service and Create a Sync Group
upvoted 8 times
 
hgdlyl
Answer is not correct. The Azure File Synchronization Agent is installed on the on-premise server. The server registration for the storage
synchronization service is also done on-premise. Question is "Which two actions should you perform in the Azure subscription?".
upvoted 2 times
 
MohnR
Answer according to scenarios
Azure Subscription -> 1. Create Storage Sync Service 2. Create Sync Group
On-Prem Server -> 1. Install FS Agent 2. Register Server
General -> 1. Create Storage Sync Service 2. Install FS Agent
According to Question Answer should be from Azure Subscription Scenario

upvoted 22 times
 
nfett
per their provided doc answer appears correct.
upvoted 1 times
HOTSPOT -
You have an Azure subscription that contains the file shares shown in the following table.
You have the on-premises file shares shown in the following table.
You create an Azure file sync group named Sync1 and perform the following actions:
✑ Add share1 as the cloud endpoint for Sync1.
✑ Add data1 as a server endpoint for Sync1.
✑ Register Server1 and Server2 to Sync1.
Hot Area:
Correct Answer:
Box 1: No -
Box 2: Yes -
Data2 is located on Server2 which is registered to Sync1.
Box 3: No -
Data3 is located on Server3 which is not registered to Sync1.
Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide?tabs=azure-portal%2Cproactive-portal#create-a-
sync-group-and-a- cloud-endpoint
 
cyna58
Highly Voted 
NO - only one cloud endpoint can be added to sync1
YES - Server2 has been registered to Sync1 but data2 is not added to server endpoint. So we can add data2 as additional server endpoint for Sync1
NO - We have to register Server3 first

upvoted 57 times
 
jecah
Exactly. We cannot add an endpoint to an unregistered server:
https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-server-endpoint
upvoted 1 times
 
tita_tovenaar
wrong, server registration is a required step *during* end[oint creation:
https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-server-endpoint
so answer is yes
upvoted 2 times
 
mlantonis
Highly Voted 
5 months ago
Correct Answer:
Box 1: No
Box 2: Yes
Data2 is located on Server2 which is registered to Sync1.
Box 3: No
Data3 is located on Server3 which is not registered to Sync1.
Reference:
https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-deployment-guide?tabs=azure-portal%2Cproactive-portal#create-a-sync-
group-and-a-%20cloud-endpoint
upvoted 29 times
 
suriyaswamy
Accurate Info, Thanks
upvoted 1 times
 
silver_bullet666
Most Recent 
1 month ago
Oh I misread the question, Server2 is not on Data1;
No
Yes
No
!
upvoted 2 times
 
silver_bullet666
1 month ago
No - only one cloud endpoint can be added to sync1
No - A registered server can support multiple server endpoints, however a sync group can only have one server endpoint per registered server at
any given time. Other server endpoints within the sync group must be on different registered servers.. REF: https://docs.microsoft.com/en-
us/azure/storage/file-sync/file-sync-deployment-guide?tabs=azure-portal%2Cproactive-portal#create-a-server-endpoint
No - Data3 is located on Server3 which is not registered to Sync1
:D
upvoted 1 times
 
YooOY
4 weeks ago
Other server endpoints within the sync group must be on different registered servers which means you can not have two endpoints both from
server1, if you have another endpoint from server2 is fine. it's Yes.
upvoted 1 times
 
AubinBakana
2 months ago
(Updating my 2 previous comments - we an edit option)
What they are trying to establish is that you know that before you may a file from a server to a syn group, that sync group, that server must first be
registered.
They're also trying to establish that to 1 file share you can only associate 1 cloud point you and 1 sync group. Where a sync group can contain
multiple server endpoints
All the regions, share3 is just there to get us confused. I guess that helps them to see how well we can remain focus too!
Answer is correct
upvoted 1 times
 
AubinBakana
2 months ago
correction: they also trying to establish that *you know that to 1 file share
upvoted 1 times
 
AubinBakana
2 months ago
*before you may add a file
upvoted 1 times
 
AubinBakana
2 months ago
registered.
They're also trying to establish that to 1 file share you can only associate 1 cloud point you and 1 sync group. Where a sync group can contain
multiple server endpoints
All the regions, share3 is just there to get us confused. I guess that helps them to see how well we can remain focus too!
Answer is correct
upvoted 1 times
 
AubinBakana
2 months ago
registered.
All the regions, share3 is just there to get su confused. I guess that helps them to see how well we can remain focus too!
Answer is correct
upvoted 1 times
 
Jotess
upvoted 1 times
 
tita_tovenaar
Answer should be N/N/Y in my opinion. Critical to read https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-server-endpoint
carefully.
- a server registration is indeed required, but that is done while creating the endpoint. It is not a separate step upfront, hence answer 3 is Y
- there are no registered servers without an endpoint, hence server 1 already has an endpoint. We also know that a server can only have one
endpoint to a sync service. So answer 2 should be N
upvoted 1 times
 
raph90fr
you register servers to sync service and not to the sync group isn't it ? i am confused with the order of tasks described in the question
upvoted 2 times
 
mkoprivnj
NO , YES, NO
upvoted 3 times
 
Hit_man
NYN is correct
upvoted 1 times
 
Cippunk
5 months ago
Correct, cyna58 is right
upvoted 1 times
 
raulgar
n - only can be 1 cloud endpoint
y - server2 is added as node and haven't any shared folder added
n - server 3 isn't added as node

upvoted 2 times
 
nfett
verified answers are nyn
upvoted 1 times
 
est3la21
N -already have a cloud endpoint
N - server 2 already set as endpoint
Y - server 3 can be added as additional endpoint

upvoted 2 times
 
Billabongs
My best guess:
You can add Share3 as an additional Cloud endpoint for Sync1? = NO
- You can have only one Cloud endpoint.
https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-planning
You can add data2 as an additional server endpoint for Sync1? = YES
- Server1 and Server2 are register to Sync1 (Sync Group).
You can add data3 as an additional server endpoint for Sync1? = NO
- Server3, where the data3 resides, are not register in Sync1 (Sync Group)
upvoted 6 times
HOTSPOT -
You have an Azure subscription named Subscription1 that contains the resources shown in the following table:
You plan to configure Azure Backup reports for Vault1.
You are configuring the Diagnostics settings for the AzureBackupReports log.
Which storage accounts and which Log Analytics workspaces can you use for the Azure Backup reports of Vault1? To answer, select the
appropriate options in the answer area.
Hot Area:
Correct Answer:

Box 1: storage1, storage2, and storage3
The location and subscription where this Log Analytics workspace can be created is independent of the location and subscription where your
vaults exist.
Box 2: Analytics3 -
Vault1 and Analytics3 are both in West Europe.
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-configure-reports
 
RithuNethra
Highly Voted 
storage 3
analytics 1,2 & 3
this is correct as analytics are independent of locations!

upvoted 135 times
 
Bapan
1 month ago
This is the correct one.
upvoted 1 times
 
Veronika1989
6 months ago
I agree! Tested on my tenant.
upvoted 8 times
 
Amju
its not recommended due to different government policies in US and Europe and thats why only workspace 3 is correct answer.
upvoted 5 times
 
abu3lia
Here is the proof: https://docs.microsoft.com/en-us/azure/backup/configure-reports#1-create-a-log-analytics-workspace-or-use-an-existing-
one
upvoted 14 times
 
Ikrom
Confirmed.
Here is a snippet from the link:
"Set up one or more Log Analytics workspaces to store your Backup reporting data. The location and subscription where this Log Analytics
workspace can be created ***is independent of the location and subscription where your vaults exist***."
upvoted 18 times
 
prashantjoge
Thanks for the link. That confirms it
upvoted 2 times
 
ngamabe
Yes, very helpful
upvoted 1 times
 
mlantonis
Highly Voted 
5 months ago
Correct Answer:
Storage accounts: Storage 3 only
Storage Account must be in the same Region as the Recovery Services Vault.
Log Analytics workspaces: Analytics1, Analytics2, and Analytics3
Set up one or more Log Analytics workspaces to store your Backup reporting data. The location and subscription where this Log Analytics
workspace can be created is independent of the location and subscription where your Vaults exist.
Reference:
https://docs.microsoft.com/en-us/azure/backup/configure-reports#1-create-a-log-analytics-workspace-or-use-an-existing-one
upvoted 35 times
 
fabylande
Most Recent 
1 day, 17 hours ago
upvoted 1 times
 
KFM2020
1 week, 4 days ago
What do storage accounts have to do with this question? Is this an old question that refers to soon-to-be-deprecated Power BI or V1 schema
functionality which require a storage account?
Reference: https://docs.microsoft.com/en-us/azure/backup/configure-reports#what-happened-to-the-power-bi-reports
upvoted 1 times
 
Mukesh_Aggarwal_07
3 weeks, 4 days ago
storage 3
analytics 1,2 & 3

upvoted 2 times
 
YooOY
4 weeks ago
to config AzureBackupReports only needs log analytics workspaces, why it needs storage ?
upvoted 1 times
 
NarenderSingh
1 month ago
Tested in Lab -
Storage3 Only dispite of subscription
Any Log Analytics dispite of region/subscription

upvoted 2 times
 
Kamex009
upvoted 3 times
 
AubinBakana
2 months ago
Revealed answer is partly false:

storage 3 only
Log analytics 1, 2, & 3.
Hint: Think like Microsoft.
Why would they offer back to a different region when they have ZRs & GRS solutions? The logs analytics have a read-only effect on the data, so
they let you create them in different regions.
upvoted 2 times
 
AubinBakana
2 months ago
*back up...
upvoted 1 times
 
rdsserrao
That's right. Just reverse the justifications given.
upvoted 2 times
 
CloudyTech
Storage 3
LA1,2,3
upvoted 1 times
 
achmadirvanp
Appear On Exam July 1 2021
upvoted 4 times
 
fazedenk
I thought only backup vaults could back up storage accounts? Recovery services vault can do file shares i guess
upvoted 1 times
 
madhavikdb
4 months ago
Log Analytics1,2,3
storage 3
tried in my subscription.
upvoted 1 times
 
madhavikdb
4 months ago
tried in my sybscription can add workspace independent of location,while storage account from tyhe same region
Storage3
Log Analytics 1,Log Analytics 2,Log Analytics 3

upvoted 3 times
 
mkoprivnj
storage 3
analytics 1,2 & 3

upvoted 2 times
 
raph90fr
from Microsoft documentation: "The location and subscription where this Log Analytics workspace can be created is independent of the location
and subscription where your vaults exist."
so it log analytics 1,2 and 3 the correct answer
https://docs.microsoft.com/en-us/azure/backup/configure-reports#1-create-a-log-analytics-workspace-or-use-an-existing-one
upvoted 1 times
HOTSPOT -
You have an Azure subscription that contains the storage accounts shown in the following exhibit.
Hot Area:
Correct Answer:

Box 1: contoso104 only -
Premium file shares are hosted in a special purpose storage account kind, called a FileStorage account.
Box 2: contoso101, contoso102, and contos103 only
Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-create-premium-fileshare?tabs=azure-portal
 
Rajash
Highly Voted 
Box1 - 104 only.
Box2 - 101 and 103 only ( Storage V2 and BLOB storage)
-Object storage data tiering between hot, cool, and archive is supported in Blob Storage and General Purpose v2 (GPv2) accounts. General Purpose
v1 (GPv1) accounts don't support tiering.
upvoted 62 times
 
Veronika1989
5 months ago
I agreed. Here is the article https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers
upvoted 4 times
 
mlantonis
Highly Voted 
5 months ago
Correct Answer:
Box 1: contoso104 only
Premium file shares are hosted in a special purpose storage account kind, called a FileStorage account.
Box 2: contoso101 and contos103 only
Object storage data tiering between hot, cool, and archive is supported in Blob Storage and General Purpose v2 (GPv2) accounts. General Purpose
v1 (GPv1) accounts don't support tiering.
The archive tier supports only LRS, GRS, and RA-GRS.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview
https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-create-premium-fileshare?tabs=azure-portal
upvoted 46 times
 
photon99
Most Recent 
2 weeks, 4 days ago
Standard general-purpose v2 ==> Blob (including Data Lake Storage1), Queue, and Table storage, Azure Files
Premium block blobs ==> Premium BLOCK Blob Store only (v1)
Premium page blobs ==> Premium PAGE Blob Store only (v1)
Premium file shares ==> Premium FILE SAHRES (v1)

upvoted 1 times
 
AubinBakana
2 months ago
Answer is correct
upvoted 1 times
 
aquarian999
104 only
101 and 103 only
v1 (GPv1) accounts don't support tiering. You can easily convert your existing GPv1 or Blob Storage accounts to GPv2 accounts through the Azure
portal.
upvoted 1 times
 
Shiven12
upvoted 1 times
 
mkoprivnj
Box1 - 104 only.
Box2 - 101 and 103 only ( Storage V2 and BLOB storage)

upvoted 2 times
 
Ssri
https://azure.microsoft.com/en-gb/pricing/calculator/?service=storage
Box 1 - 104 only
Box 2 - 101 and 103 only.

upvoted 1 times
 
ykmoh
Box 1 - 104 only
Box 2 - 101 and 103 only. It mentioned in this link https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers
"Object storage data tiering between hot, cool, and archive is supported in Blob Storage and General Purpose v2 (GPv2) accounts. General Purpose
v1 (GPv1) accounts don't support tiering"
upvoted 1 times
 
irosh412
Azure supports multiple types of storage accounts for different storage scenarios customers may have, but there are two main types of storage
accounts for Azure Files. Which storage account type you need to create depends on whether you want to create a standard file share or a
premium file share:
General purpose version 2 (GPv2) storage accounts: GPv2 storage accounts allow you to deploy Azure file shares on standard/hard disk-based
(HDD-based) hardware. In addition to storing Azure file shares, GPv2 storage accounts can store other storage resources such as blob containers,
queues, or tables. File shares can be deployed into the transaction optimized (default), hot, or cool tiers.
FileStorage storage accounts: FileStorage storage accounts allow you to deploy Azure file shares on premium/solid-state disk-based (SSD-based)
hardware. FileStorage accounts can only be used to store Azure file shares; no other storage resources (blob containers, queues, tables, etc.) can be
deployed in a FileStorage account.
https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-create-file-share?tabs=azure-portal
upvoted 2 times
 
Ptit_filou
For question 1: https://azure.microsoft.com/en-us/pricing/details/storage/files/
"Premium file shares are available through the FileStorage storage account type"
vs
"Standard file shares are available in general purpose storage accounts"
contoso104 only.
upvoted 1 times
 
RAY2021
Premium file shares are not available from this storage account type. Create a premium file storage account for those
upvoted 1 times
 
Chief
Storage accounts that support tiering
v1 (GPv1) accounts don't support tiering. You can easily convert your existing GPv1 or Blob Storage accounts to GPv2 accounts through the Azure
portal. GPv2 provides new pricing and features for blobs, files, and queues. Some features and price cuts are only offered in GPv2 accounts. Some
workloads can be more expensive on GPv2 than GPv1. For more information, see Azure storage account overview.
upvoted 2 times
 
Dips88
Answer is Box is '101 and 104' - In premium storage with page blob it creates all 4 storage types i.e. container, table, queue and file share with
storage kind as gen v2, hence that storage account can be used as file storage.
Box 2: '101 and 103' - blob storage and gen v2 storage kind includes access tier . Only storage is gen v1 which does not support access tier
upvoted 1 times
 
Devgela
Looks correct to me
upvoted 1 times
 
raulgar
Ther first questions looks correct.Premium file share- contoso 104 only
(Filestorage accounts (FileStorage storage accounts allow you to deploy Azure file shares on premium/solid-state disk-based (SSD-based)
hardware. FileStorage accounts can only be used to store Azure file shares; no other storage resources (blob containers, queues, tables, etc.) can be
deployed in a FileStorage account)
The second questions I'm not sure

upvoted 2 times
 
marko_s
Answer is Wrong!
Archive is only supported in Blob and Gpv2
upvoted 2 times
 
osmantaskiran
https://azure4you.com/2017/12/26/features-of-storage-accountsgeneral-purpose-gpv2-gpv1-and-blob-storage/
upvoted 1 times
 
pkazemei
Is that a link from 2017? lol
upvoted 1 times
HOTSPOT -
In Subscription1, you create an Azure file share named share1.
You create a shared access signature (SAS) named SAS1 as shown in the following exhibit:
To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: Will have no access -
The IP 193.77.134.1 does not have access on the SAS.
Box 2: Will have read, write, and list access
The net use command is used to connect to file shares.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1 https://docs.microsoft.com/en-
us/azure/vs-azure-tools-storage-manage-with-storage-explorer?tabs=windows
 
fedztedz
Highly Voted 
The Answer is not correct.
It should be no access for both cases.
- for first case, cause the IP is not matching the SAS requirements
- for second case, since it is using "net use" where it uses SMB. The SMB (Server Message Broker) protocol does not support SAS. it still asks for
username/password. Accordingly, it will give error wrong username/pass and will not provide access.
upvoted 109 times
 
J4U
Yes, the file share can be mounted using the storage access key as given in https://docs.microsoft.com/en-us/azure/storage/files/storage-how-
to-use-files-windows, however when using SAS key in place of storage access key, it fails. So I agree that file share doesn't support SAS for SMB.
upvoted 1 times
 
rrr
you are savior, netuse dont support SAS ..
upvoted 4 times
 
researched_answer_boi
Authenticating against an Azure File Share using SAS is currently not supported. Only the Storage Account Keys would work.
https://docs.microsoft.com/en-us/answers/questions/40741/sas-key-for-unc-path.html
upvoted 1 times
 
ravigupta1
6 months ago
I think the provided answer is correct because Blob Storage doesn't support SAS but File Storage support SAS and Net USE both.
Ref: https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows
upvoted 4 times
 
best_yunus
Highly Voted 
A : Will have no access
Reason : given IP is out range.
B: Will be prompted for credentials
Reason : Share will use SMB.

upvoted 37 times
 
Genshin
3 weeks, 5 days ago
It says it used SAS1 as the password, therefore it already tried providing credentials. It should be No access for both
upvoted 2 times
 
ngamabe
Thank you
upvoted 1 times
 
Hathuguay
How did you know it was SMB rather than REST?
How did you know it was SMB rather than REST?
upvoted 1 times
 
rawrkadia
net use will mount it as smb, it does not support REST.
upvoted 1 times
 
Borbz
That's the correct Answer right here! Thanks Best_yunus
upvoted 2 times
 
ohana
Most Recent 
4 days, 6 hours ago
Took the exam today on 17 Oct. This question came out. Ans:
No access for both

upvoted 1 times
 
khengoolman
1 week, 3 days ago
Passed 11 Oct 2021 with 947. This question appeared, correct Answer is no access both cases.
upvoted 1 times
 
Mukesh_Aggarwal_07
3 weeks, 4 days ago
no access for both cases
upvoted 1 times
 
afathy
Shared access signatures should be performed only over an HTTPS connection!
upvoted 1 times
 
afathy
The answer might be: No access for both;
Shared access signature are keys that grant permissions to storage resources, and should be protected in the same manner as an account key. It's
important to protect a SAS from malicious or unintended use. Use discretion in distributing a SAS, and have a plan in place for revoking a
compromised SAS. Operations that use shared access signatures should be performed only over an HTTPS connection, and shared access signature
URIs should only be distributed on a secure connection such as HTTPS.
upvoted 1 times
 
AubinBakana
2 months ago
(Amending my previous comment)
IP range 193.77.134.(10-50) only.
- 193.77.134.1 does not belong to that range.
The expiry date for SAS1 is 14th Sept and 193.77.134.50 is in the 193.77.134.(10-50) range. The scope is inclusive.
Access will be allowed.

upvoted 1 times
 
AubinBakana
2 months ago
Answer is correct.
II range 193.77.134.(10-50) only.
this IP is outside the allowed range: Access will be denied.
The revealed answer is correct.
II range 193.77.134.(10-50) only.

upvoted 1 times
 
AubinBakana
2 months ago
Sorry about the copy/paste and typo error. I meant *IP range
The revealed answer is correct.
IP range 193.77.134.(10-50) only.

upvoted 1 times
 
Gromble_ziz
Answer is correct: (box 1: no access; box2: access read write list)
TESTED in Lab!
Box 1: IP is not matching the SAS requirements (obvious)
Box 2: Net use CAN mount the share with SAS (even with HTTPS protocol selected)
net use <drive-letter>: \\<storage-account-name>.file.core.windows.net\<share-name> /u:AZURE\<storage-account-name> <storage-account-

key>
example :
net use z: \\samples.file.core.windows.net\logs /u:AZURE\samples <storage-account-key>
Source: https://stackoverflow.com/questions/43218050/map-network-drive-to-azure-blob-storage-using-sas
upvoted 5 times
 
rawrkadia
The link talks about using Access Keys which are different from SAS. Don't believe you actually labbed this :)
upvoted 2 times
 
wsscool
in exam 7/3/2021, answered will have no access for both. passed with 906
upvoted 9 times
 
lucky_18
upvoted 2 times
 
Gautam123
no access for both
upvoted 2 times
 
mkoprivnj
It should be no access for both cases.
upvoted 1 times
 
Silverpro29
The right answer is "Will have no access" to both boxes.
Box 1: Out of the IP Address Range.
Box 2: When we use net use command. It does not support the use of Shared Access Signature. We will not have access to the file share via the
Shared Access Signature. The net use command is a command Prompt that's used to connect to, remove, and configure connections to shared
resources, like mapped drives, and network printers.
References:
https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows#prerequisites
upvoted 1 times
 
mlantonis
5 months ago
Correct Answer:
Box 1: will have no access
The IP 193.77.134.1 does not have access on the SAS, because it is not matching the SAS requirements. IP is out of range.
Box 2: will have no access
The SAS token is not supported in mounting Azure File share currently, it just supports the Azure storage account key.
Since it is using "net use" where it uses SMB, the SMB (Server Message Broker) protocol does not support SAS. it still asks for username/password.
Accordingly, it will give error wrong username/pass and will not provide access.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1
https://docs.microsoft.com/en-us/azure/vs-azure-tools-storage-manage-with-storage-explorer?tabs=windows
https://docs.microsoft.com/en-us/answers/questions/40741/sas-key-for-unc-path.html
upvoted 24 times
 
3abmula
Did any of you guys actually test this before suggesting different answer.
I did test it and given answer seems correct. See below snapshot.
https://i.imgur.com/sgNzrEk.png
upvoted 2 times
 
xupiter
Your snapshot seems to be from another question. Not applicable.
upvoted 1 times
You have two Azure virtual machines named VM1 and VM2. You have two Recovery Services vaults named RSV1 and RSV2.
VM2 is backed up to RSV1.
You need to back up VM2 to RSV2.
A.
From the RSV1 blade, click Backup items and stop the VM2 backup
B.
From the RSV2 blade, click Backup. From the Backup blade, select the backup for the virtual machine, and then click Backup
C.
From the VM2 blade, click Disaster recovery, click Replication settings, and then select RSV2 as the Recovery Services vault
D.
From the RSV1 blade, click Backup Jobs and export the VM2 job
Correct Answer:
C
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-vms-first-look-arm
 
MrRice
Highly Voted 
Answer A.
from the provided reference: VMs can only be backed up in a single vault.
upvoted 32 times
 
mlantonis
Highly Voted 
5 months ago
Correct Answer: A
VMs can only be backed up in a single Recovery Services Vault. You have to stop the VM2 backup from the RSV1 first. Otherwise you won't able
find the VM2 in RSV2.
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-move-recovery-services-vault#must-preserve-previous-backed-up-data
https://docs.microsoft.com/en-in/azure/backup/backup-azure-vms-first-look-arm
upvoted 31 times
 
vimi003
Most Recent 
1 day, 17 hours ago
A is the Correct Answer
upvoted 1 times
 
khengoolman
1 week, 3 days ago
Passed 11 Oct 2021 with 947. This question appeared, correct Answer is A
upvoted 1 times
 
Mukesh_Aggarwal_07
3 weeks, 4 days ago
Answer A
upvoted 1 times
 
wallythebos
1 month ago
Question was in the exam 9/15/2021
upvoted 2 times
 
asmi3342344
1 month ago
A is correct
upvoted 1 times
 
zvasanth2
2 months ago
In Recovery Services vault, do the following:
If you already have a vault, select Select existing, and select a vault.
If you don't have a vault, select Create new. Specify a name for the vault. It's created in the same region and resource group as the VM. You can't
modify these settings when you enable backup directly from the VM settings
https://docs.microsoft.com/en-us/azure/backup/backup-azure-vms-first-look-arm
The answer may not be C because the ms dpc says "You can't modify these settings when you enable backup directly from the VM settings" so the
answer must be A
upvoted 1 times
 
AubinBakana
2 months ago
What they are trying to establish is if you know that you can only back up a VM to a single recovery service.
Revealed answer appears to be wrong.
Corrected answer is A
upvoted 1 times
 
AubinBakana
2 months ago
"A VM can be protected in only one vault at a time. "
https://docs.microsoft.com/en-us/azure/backup/backup-azure-move-recovery-services-vault
upvoted 1 times
 
JimBobSquare101
3 months ago
A - You need to stop current backup before commencing the change.
upvoted 1 times
 
wsscool
in exam 7/3/2021, answered A
upvoted 2 times
 
CloudyTech
given answer is correct
upvoted 1 times
 
mkoprivnj
A is correct!
upvoted 2 times
 
omhari
A. From the RSV1 blade, click Backup items and stop the VM2 backup
upvoted 2 times
 
NareshNK
Correction from previous post- Answer A is correct, without stopping existing protection you can not change the vault. Data retention and no
retention comes to discussion after you stop the existing backup.
upvoted 2 times
 
Zuls
Questions says: VM2 is BACKED UP to RSV1. why would we stop backed up item it's not
backing up right?
upvoted 1 times
 
tita_tovenaar
the point is not if the actual backup is actively going on. VM2 is tied to be backed up to RSV1. That job has to be stopped first, so answer is A.
upvoted 2 times
 
sris99
Answer is A
https://docs.microsoft.com/en-us/azure/backup/backup-azure-move-recovery-services-vault#must-preserve-previous-backed-up-data
upvoted 2 times
You have a general-purpose v1 Azure Storage account named storage1 that uses locally-redundant storage (LRS).
You need to ensure that the data in the storage account is protected if a zone fails. The solution must minimize costs and administrative effort.
A.
Create a new storage account.
B.
Configure object replication rules.
C.
Upgrade the account to general-purpose v2.
D.
Modify the Replication setting of storage1.
Correct Answer:
C
Reference:
 
klamar
Highly Voted 
Correct.
v1 supports GRS/RA-GRS but question was about least cost. Least cost is ZRS which is only supported for v2 and premium file/block storage.
Source: https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy#supported-storage-account-types
upvoted 29 times
 
mwhooo
Highly Voted 
Answer is correct, and this is why :
General-purpose v2 storage accounts support the latest Azure Storage features and incorporate all of the functionality of general-purpose v1 and
Blob storage accounts. General-purpose v2 accounts are recommended for most storage scenarios. General-purpose v2 accounts deliver the lowest
per-gigabyte capacity prices for Azure Storage, as well as industry-competitive transaction prices. General-purpose v2 accounts support default
account access tiers of hot or cool and blob level tiering between hot, cool, or archive.
Upgrading to a general-purpose v2 storage account from your general-purpose v1 or Blob storage accounts is straightforward. You can upgrade
using the Azure portal, PowerShell, or Azure CLI. There is no downtime or risk of data loss associated with upgrading to a general-purpose v2
storage account. The account upgrade happens via a simple Azure Resource Manager operation that changes the account type.
Hope this helps

upvoted 5 times
 
Kronnos
Most Recent 
Honestly I wonder if ZRS is the ask here as it clearly says „when a zone fails“. In this case shouldn‘t we look into GRS which can still be provided
with v1 storage?
upvoted 1 times
 
GepeNova
2 weeks, 1 day ago
For your records I tried to test this.
1. Create a kind v1 account is not possible at least from my tenant.
2. Fortunately I had an old storage account v1 under SA blade 》settings 》 you can find upgrade button.
So, for me correct answer is C, because you can upgrade the account to V2 and change it to zrs.
upvoted 1 times
 
AubinBakana
2 months ago
Modifying the replication policy in the storage account ensures you have RA-GRS. Although this is an option, StorageV2 offers ZRS, which is a
much cheaper option. Besides, Microsoft recommends to only use StorageV1 only if you have to. I think they've even discontinued now, it does not
longer appear when you add it with the portal.
Answer is correct
upvoted 1 times
 
kashi1983
Answer is C
upvoted 1 times
 
choskar90
I got 694. The correct is answer.
upvoted 1 times
 
pkazemei
There's no explanation as to why this is correct, just hearing the same response.
Answer is correct.
OK!
upvoted 2 times
 
Jotess
This question was on Jul 23, 2021 - passed the exam. answer is correct
upvoted 2 times
 
xMilkyMan123
ZRS is only supported in GPv2 correct?
upvoted 2 times
 
mooncricket
correct
upvoted 2 times
 
CloudyTech
4 months ago
Answer is correct
upvoted 1 times
 
Deevine78
Correct answer is C.
upvoted 1 times
 
mkoprivnj
C is correct!
upvoted 1 times
You have an Azure subscription that contains the storage accounts shown in the following table.
You plan to manage the data stored in the accounts by using lifecycle management rules.
To which storage accounts can you apply lifecycle management rules?
A.
storage1 only
B.
storage1 and storage2 only
C.
storage3 and storage4 only
D.
storage1, storage2, and storage3 only
E.
storage1, storage2, storage3, and storage4
Correct Answer:
D
Reference:
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-lifecycle-management-concepts?tabs=azure-portal
 
Tamilarasan
Highly Voted 
Answer is correct .
The lifecycle management feature is available in all Azure regions for general purpose v2 (GPv2) accounts, blob storage accounts, premium block
blobs storage accounts, and Azure Data Lake Storage Gen2 accounts.
upvoted 18 times
 
GD01
Most Recent 
1 week, 3 days ago
C is correct...
Lifecycle management policies are supported for block blobs and append blobs in general-purpose v2, premium block blob, and Blob Storage
accounts.
https://docs.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-overview
upvoted 1 times
 
AubinBakana
2 months ago
Lifecycle management are rules that you set to move files/folders from between tears or even delete them when they meet certain conditions, like
for example: if the file hasn't been used in 30 days move it to cool. After 365days move it to archive.
It applies to all blob types except premium file storage. I am not entirely sure if lifecycle management applies to standard files because Azure files
storage uses tiering and does not have a life cycle management like blob storage. But for all blob storage, you have the Hot, Cold and Archive
options.
The answer provided is correct.

upvoted 3 times
 
Junpeng
A is correct: The lifecycle management feature is available in all Azure regions for general purpose v2 (GPv2) accounts, blob storage accounts,
premium block blobs storage accounts, and Azure Data Lake Storage Gen2 accounts.
upvoted 3 times
 
Junpeng
D is correct, sorry for my typo
upvoted 2 times
 
BenStokes
Correct Answer.
blobs storage accounts, and Azure Data Lake Storage Gen2 accounts
Ref # https://docs.microsoft.com/en-us/azure/storage/blobs/storage-lifecycle-management-
concepts#:~:text=The%20lifecycle%20management%20feature%20is,account%20to%20a%20GPv2%20account.
upvoted 2 times
 
BenStokes
Sorry. The correct answer is B - Storage 1 and Storage 2 only.
Reason is as mentioned above - The lifecycle management feature is available in all Azure regions for general purpose v2 (GPv2) accounts, blob
storage accounts, premium block blobs storage accounts, and Azure Data Lake Storage Gen2 accounts
upvoted 2 times
 
hercu
Your post-comment does not make sense. The statement clearly says "premium block blobs storage accounts" so these are also supported.
The original answer D is correct. Only Premium FileStorage accounts are not suported by lifecycle management rules.
upvoted 3 times
 
xMilkyMan123
Exactly D is correct as stated in MS documentation https://docs.microsoft.com/en-us/azure/storage/blobs/storage-lifecycle-
management-concepts#:~:text=The%20lifecycle%20management%20feature%20is,account%20to%20a%20GPv2%20account.
upvoted 1 times
 
pelekafitinakwenu
4 months ago
upvoted 1 times
 
mkoprivnj
Storage1, Storage2, Storage 3!
upvoted 1 times
 
JayBee65
This is what I thought but its wrong, and here is why...
Storage 2 uses a Standard Page Blob legacy storage account, and the link above specifically mentions 'blob storage accounts' not premium blob
storage accounts, so the assumption must be that this includes standard blob storage accounts too. This is backed up by the statement at the
end that states 'you can upgrade an existing general purpose (GPv1) account' the only account that does not support Lifecycle Management,
further suggesting that this type of storage account is the only type not to support LM.
upvoted 1 times
 
AVVARU
Answer is correct
upvoted 3 times
 
HTD
i think premium accounts do not support lifecycle management.
upvoted 2 times
 
Kotinga
and also this link says otherwise: https://azure.microsoft.com/en-us/blog/azure-premium-block-blob-storage-is-now-generally-available/
upvoted 1 times
 
anurag4516
3 months ago
Block Blob Storage account ... Not Blob Storage account
upvoted 1 times
 
JayBee65
4 months ago
This link says otherwise https://docs.microsoft.com/en-us/azure/storage/blobs/storage-lifecycle-management-concepts?tabs=azure-portal
upvoted 1 times
 
Yiannisthe7th
blobs storage accounts, and Azure Data Lake Storage Gen2 accounts
upvoted 4 times
 
CheesusCrust89
from
**Azure Blob Storage lifecycle management offers a rich, rule-based policy for GPv2 and blob storage accounts.**
upvoted 2 times
You create an Azure Storage account named contosostorage.
You plan to create a file share named data.
Users need to map a drive to the data file share from home computers that run Windows 10.
Which outbound port should you open between the home computers and the data file share?
A.
80
B.
443
C.
445
D.
3389
Correct Answer:
C
Server Message Block (SMB) is used to connect to an Azure file share over the internet. The SMB protocol requires TCP port 445 to be open.
Incorrect Answers:
A: Port 80 is required for HTTP to a web server
B: Port 443 is required for HTTPS to a web server
D: Port 3389443 is required for Remote desktop protocol (RDP) connections
Reference:
 
sk1803
Highly Voted 
3 weeks ago
Correct answer is port 445, as this is port for SMB protocol to share files
Incorrect:
Port 80: HTTP, this is for web
Port 443: HTTPS, for web too
Port 3389: Remote desktop protocol (RDP)

upvoted 9 times
 
ohana
Most Recent 
4 days, 6 hours ago
Took the exam today on 17 Oct. Similar question came out. Know the usage for all your ports! Ans:445
upvoted 1 times
Question #1 Topic 4
You have an Azure virtual machine named VM1 that runs Windows Server 2016.
You need to create an alert in Azure when more than two error events are logged to the System event log on VM1 within an hour.
Solution: You create an Azure Log Analytics workspace and configure the data settings. You add the Microsoft Monitoring Agent VM extension to
VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.
A.
Yes
B.
No
Correct Answer:
B
You must install the Microsoft Monitoring Agent on VM1, and not the Microsoft Monitoring Agent VM extension.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview
 
mlantonis
Highly Voted 
5 months ago
Correct Answer:
You add the Microsoft Monitoring Agent VM extension to VM1 > This is WRONG
You Install the Microsoft Monitoring Agent VM agent to VM1 > This is Correct
1. Log analytics agent - Install in VM.
2. Log analytics workspace - collect the log files from Log Analytics Agent.
3. Azure Monitor - Create alert based on logs read from Log Analytics Workspace.
Reference:
upvoted 27 times
 
Lapiduse
Highly Voted 
I think the Answer should be - Yes.
You need to click the Add button on Portal-> Settings-> Extensions to Install the Extension on VM.
Azure Monitor currently has multiple agents because of recent consolidation of Azure Monitor and Log Analytics. The Azure Monitor Agent is
implemented as an Azure VM extension.
Windows/Linux name: Microsoft.Azure.Monitor
Windows type: AzureMonitorWindowsAgent
Linix type: AzureMonitorLinuxAgent
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/azure-monitor-agent-install?
tabs=ARMAgentPowerShell%2CPowerShellWindows%2CPowerShellWindowsArc%2CCLIWindows%2CCLIWindowsArc
upvoted 23 times
 
YooOY
4 weeks ago
The Azure Monitor agent is only available as a virtual machine extension. The Log Analytics extension for Windows and Linux install the Log
Analytics agent on Azure virtual machines. The Azure Monitor Dependency extension for Windows and Linux install the Dependency agent on
Azure virtual machines. These are the same agents described above but allow you to manage them through virtual machine extensions. You
should use extensions to install and manage the agents whenever possible.
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview#virtual-machine-extensions
upvoted 1 times
 
YooOY
4 weeks ago
so add extension does not mean the agent is installed, agent can still be missing.
upvoted 1 times
 
QiangQiang
agreed, should be yes
upvoted 3 times
 
silver_bullet666
Most Recent 
1 month ago
I would like to note that adding the MicrosoftMonitoringAgent Extension via the VM > Extensions panel is not a thing afaik, I have done this
recently and it should be done from the LAWS, "Workspace Data Sources" heading "Virtual Machines", then you click the VM where it's not
connected and click Connect... This installs the Extension and software inside the VM.
upvoted 1 times
 
PtOlOmY
the link supplied clearly states use Extensions to manage agents
Yes !! is the correct answer
Azure virtual machines. These are the same agents described above but allow you to manage them through virtual machine extensions. You should
use extensions to install and manage the agents whenever possible.
upvoted 1 times
 
YooOY
4 weeks ago
so add extension does not mean the agent is installed, agent can still be missing, extenstion gives a way to manage agents ?
upvoted 1 times
 
AubinBakana
2 months ago
Answer is correct.
Microsoft tries not to have everything installed for memory, storage, and performance. Installing and adding are 2 different things. This question is
important because if you're in a work environment and try to add and it's not there, you might not know what to do unless you know that the
extension need to be installed first before it appears
It's not a trick.

upvoted 2 times
 
AubinBakana
2 months ago
Such a tricky question to test our attention to details.
To add an extension, you first need to install it. But in real life, attempting to add an extension will lead to a promt for you to add. So you will still
get the job done. But if you answer yes her, they will mark you down. Silly huh!
Answer is correct. You need to install the extension, then add it.
upvoted 2 times
 
AubinBakana
2 months ago
Such a tricky question to test our attention to details.
To add an extension, you first need to install it. But in real life, attempting to add an extension will lead to a *prompt for you to *install it first. So
you will still get the job done.
But if you answer yes *here, they will mark you down. Silly huh!
Answer is correct. You need to install the extension, then add it.
upvoted 1 times
 
AubinBakana
2 months ago
(Update)
Answer is correct.
Microsoft tries not to have everything installed for memory, storage, and performance. Installing and adding are 2 different things. This
question is important because if you're in a work environment and try to add and it's not there, you might not know what to do unless you
know that the extension need to be installed first before it appears
It's not a trick.

upvoted 2 times
 
hoangton
2 months ago
YES
The Azure Monitor agent is only available as a virtual machine extension.
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview
upvoted 1 times
 
s1inkan
I would think yes because of the following paragraph in the REF below:
"Virtual machine extensions
Azure virtual machines. These are the same agents described above but allow you to manage them through virtual machine extensions. You should
use extensions to install and manage the agents whenever possible."
REF:https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview
upvoted 1 times
 
s1inkan
Furthermore, not that I can find when but I believe they have rebranded the Microsoft Monitoring Agent to be the Azure Monitor agent.
"Virtual machine extension details
The Azure Monitor Agent is implemented as an Azure VM extension with the details in the following table. It can be installed using any of the
methods to install virtual machine extensions including those described in this article."
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-install?
tabs=ARMAgentPowerShell%2CPowerShellWindows%2CPowerShellWindowsArc%2CCLIWindows%2CCLIWindowsArc
upvoted 1 times
 
MrJR
I also think answer should be yes. You might install the agent or add the extension both methods fulfil the objective.
"The Log Analytics agent virtual machine extension for Windows is published and supported by Microsoft. The extension installs the Log Analytics
agent on Azure virtual machines, and enrolls virtual machines into an existing Log Analytics workspace"
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/oms-windows
"The Azure Monitor agent is only available as a virtual machine extension. The Log Analytics extension for Windows and Linux install the Log
Analytics agent on Azure virtual machines."
"For Windows and Linux virtual machines already deployed in Azure, you install the Log Analytics agent with the Log Analytics VM Extension. Using
the extension simplifies the installation process and automatically configures the agent to send data to the Log Analytics workspace that you
specify."
https://docs.microsoft.com/en-us/azure/azure-monitor/vm/quick-collect-azurevm
upvoted 1 times
 
BenStokes
Answer is correct - NO
Pay attention to bold words in the action- You ADD the Microsoft Monitoring Agent VM EXTENSION to VM1.
Here is the explanation - It should be INSTALL and no mention of EXTENSION respectively.

upvoted 4 times
 
eduhazard
Agree, but why MS do that? Why these tricks? This is only to catch guys without attention but if you are doing an exam, nervous, anxiety could
easily make a mistake and what it proves?
upvoted 6 times
 
Shubham_KP
4 months ago
Tricky One.
When you go and try to add Extension is says in next page that.
Install Extension.
You Install an extension in the VM>Extentions>(+)Add> Install Extension (Shown in Page).

upvoted 3 times
 
JoeRogersHi
4 months ago
I’m guessing this was version 1 of this question and they have since updated it. No way is this in the test.
upvoted 1 times
 
JoeRogersHi
4 months ago
What in the actual uckf. I’m an industry professional, I don’t have time to nitpick over add vs install, or agent vs.extension. Come on, Microsoft.
upvoted 14 times
 
moota
Oh!! I know what you mean https://www.examtopics.com/discussions/microsoft/view/38267-exam-az-104-topic-3-question-2-discussion/. This
is just ridiculous.
upvoted 2 times
 
mkoprivnj
Yes is correct!
upvoted 1 times
 
omhari
upvoted 6 times
 
marcusaurelius124
"The Log Analytics agent for Windows is often referred to as Microsoft Monitoring Agent (MMA)."
So "Microsoft Monitoring Agent" and "Log Analytics agent" are interchangeable.
"The Log Analytics agent collects monitoring data from the guest operating system and workloads of virtual machines in Azure, other cloud
providers, and on-premises machines. It sends data to a Log Analytics workspace."
"The Log Analytics extension for Windows and Linux install the Log Analytics agent on Azure virtual machines."
By adding the extension, you install the agent.
Read it for yourself. Source:
The answer should be A. Yes

upvoted 1 times
 
Bursuc03
Answer B is correct. There is no "Microsoft Monitoring Agent extension" to add to the VM through Azure. There is the Microsoft Monitoring Agent
that you download and install inside the Windows OS.
upvoted 5 times
 
PersonT
There is an extension. Did it yesterday. You can add an extension to the VM or install an agent. .
upvoted 1 times
Question #2 Topic 4
Solution: You create an Azure Log Analytics workspace and configure the data settings. You install the Microsoft Monitoring Agent on VM1. You
create an alert in
Azure Monitor and specify the Log Analytics workspace as the source.
A.
Yes
B.
No
Correct Answer:
A
Alerts in Azure Monitor can identify important information in your Log Analytics repository. They are created by alert rules that automatically
run log searches at regular intervals, and if results of the log search match particular criteria, then an alert record is created and it can be
configured to perform an automated response.
The Log Analytics agent collects monitoring data from the guest operating system and workloads of virtual machines in Azure, other cloud
providers, and on- premises. It collects data into a Log Analytics workspace.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-response https://docs.microsoft.com/en-us/azure/azure-
monitor/platform/agents-overview
 
JohnAvlakiotis
Highly Voted 
I mean what's the difference with the above? The words "add" versus "install"? That would be ridiculous...
upvoted 28 times
 
AubinBakana
2 months ago
Microsoft tries not to have everything installed for memory, storage, and performance. Installing and adding are 2 different things. This question
is important because if you're in a work environment and try to add and it's not there, you might not know what to do unless you know that the
extension need to be installed first, before it appears
It's not a trick.

upvoted 2 times
 
Dizzu
5 months ago
outrageously ridiculous. I won't expect Microsoft to test me for English instead of technical knowledge. In a broad sense, it can even be used
interchangeably. why the confusion?
upvoted 6 times
 
besha
This one is an agent, the previous one is an extension. It should be agent
upvoted 12 times
 
marcusaurelius124
"The Log Analytics agent for Windows is often referred to as Microsoft Monitoring Agent (MMA)."
So "Microsoft Monitoring Agent" and "Log Analytics agent" are interchangeable.
"The Log Analytics extension for Windows and Linux install the Log Analytics agent on Azure virtual machines."
By adding the extension, you install the agent.
Read it for yourself. Source:
upvoted 1 times
 
Davar39
Nice one besha. Thanks for your input.
upvoted 1 times
 
jimmyli
Great catch! However, still it is insane they are testing such subtle stuff..
upvoted 1 times
 
JohnAvlakiotis
I saw the difference in the extension name. Anyway, it's correct.
upvoted 8 times
 
QiangQiang
it's still ridiculous
upvoted 7 times
 
mlantonis
Highly Voted 
5 months ago
1. Log analytics agent - Install in VM.
2. Log analytics workspace - collect the log files from Log Analytics Agent.
3. Azure Monitor - Create alert based on logs read from Log Analytics Workspace.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-response
upvoted 20 times
 
ohana
Most Recent 
4 days, 6 hours ago
Took the exam today on 17 Oct. This question came out. Ans: Yes
upvoted 1 times
 
orion1024
1 month ago
I'm confused. As per https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview
"The Azure Monitor agent is only available as a virtual machine extension."
So it should be B right ? Or does Microsoft considers that adding an extension is the same as installing the agent ? They shouldn't since they clearly
differentiate between this question and the previous one.
upvoted 1 times
 
AubinBakana
2 months ago
Answer is correct.
Microsoft tries not to have everything installed for memory, storage, and performance. Installing and adding are 2 different things. This question is
important because if you're in a work environment and try to add and it's not there, you might not know what to do unless you know that the
extension need to be installed first before it appears
It's not a trick.

upvoted 1 times
 
AubinBakana
2 months ago
If you got the previous answer wrong, you definitely have a chance to get this one right because this question brings to your attention that the
extension is to be installed first.
Answer is correct
upvoted 1 times
 
Jotess
This question was on Jul 23, 2021 - passed the exam. Answers given by fedztedz and mlantonis are correct. Correct answer is Yes
upvoted 2 times
 
mkoprivnj
A is correct!
upvoted 1 times
 
omhari
upvoted 2 times
 
denccc
Is only this one correct or also the previous one?
upvoted 3 times
 
ZUMY
YES is the answer.
First u need to install azure monitor agent in vm(each) to collect logs and log analytics workspace will access it where alert also created later
upvoted 3 times
 
toniiv
8 months ago
I would say yes, Although previous one and this one are very dirty and silly worded. https://docs.microsoft.com/en-us/azure/azure-
monitor/platform/azure-monitor-agent-install?
tabs=ARMAgentPowerShell%2CPowerShellWindows%2CPowerShellWindowsArc%2CCLIWindows%2CCLIWindowsArc#virtual-machine-extension-
details
upvoted 1 times
 
waterzhong
Log Analytics agent
The Log Analytics agent collects monitoring data from the guest operating system and workloads of virtual machines in Azure, other cloud
providers, and on-premises machines. It sends data to a Log Analytics workspace. The Log Analytics agent is the same agent used by System
Center Operations Manager, and you can multihome agent computers to communicate with your management group and Azure Monitor
simultaneously. This agent is also required by certain insights in Azure Monitor and other services in Azure.
Note
The Log Analytics agent for Windows is often referred to as Microsoft Monitoring Agent (MMA). The Log Analytics agent for Linux is often referred
to as OMS agent.
upvoted 2 times
 
diligent176
Microsoft has changed the name again... to "Log Analytics agent for Windows".
"The Log Analytics agent for Windows is often referred to as Microsoft Monitoring Agent (MMA). The Log Analytics agent for Linux is often referred
to as OMS agent."
upvoted 5 times
 
SSTan
one said VM extension and the correct should be Microsoft monitoring agent to be specific.
upvoted 2 times
 
fedztedz
Correct. Answer is yes. You must first install the monitor agent on the VM to collect logs. the logs can be accessed by the log analytics workspace
later where alert can be created.
upvoted 14 times
Question #3 Topic 4
You have an Azure subscription that contains the resources shown in the following table.
All virtual machines run Windows Server 2016.
On VM1, you back up a folder named Folder1 as shown in the following exhibit.
You plan to restore the backup to a different virtual machine.
You need to restore the backup to VM2.
A.
From VM1, install the Windows Server Backup feature.
B.
From VM2, install the Microsoft Azure Recovery Services Agent.
C.
From VM1, install the Microsoft Azure Recovery Services Agent.
D.
From VM2, install the Windows Server Backup feature.
Correct Answer:
B
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-windows-server
 
Harryboy
Highly Voted 
MARS has to be installed destination machine, in this case it will be VM2. Answer is B
upvoted 12 times
 
JimBobSquare101
Highly Voted 
In exam 30 July 2021
upvoted 5 times
 
Nikhilsr
Most Recent 
1 week ago
Correct Answer is B - From VM2, install the Microsoft Azure Recovery Services Agent.
upvoted 1 times
 
davidworner
1 month, 1 week ago
Correct Answer: C - From VM2, install the Microsoft Azure Recovery Services Agent.
To pass the Microsoft AZ-104 exam you are required to get help from reliable and trusted platform such as JustCerts where you will get AZ-104
exam practice test questions. The JustCerts AZ-104 questions will not only prepare you for the final exam but also ensure your success in the final
exam
upvoted 1 times
 
orion1024
1 month ago
If you're going to grift, at least get something right.
You didn't even referenced an available answer.

upvoted 7 times
 
Rajveers0505
1 month, 1 week ago
The answer is correct, The image is not of Windows Server Backup instead its of MS Azure Backup https://docs.microsoft.com/en-
us/azure/backup/backup-windows-with-mars-agent
upvoted 2 times
 
Kamex009
Took the test on 8/22/2021, I had a much larger Scenario question that had to do with backups and retention policies and how many retention
points/instances or however they are called, would be in a specific amount of time.
upvoted 3 times
 
khismail
2 months ago
In Exam 21/08/2021
upvoted 3 times
 
AubinBakana
2 months ago
correct answer,
upvoted 3 times
 
mousomgogoi
i agree, but did any one get it in exam
upvoted 2 times
 
ppp131176
When install MARS, VM2 is still in a different region. shouldn't that be an issue for a restore?
upvoted 1 times
 
d0bermannn
yes, we can restore from vault to different PAIRED second region (westUS<->eastUS,centralUS<->eastUS2,westCentralUS<->westUS2) It is so
called Cross Region Restore
upvoted 4 times
 
amf
Correct Answer: C - From VM2, install the Microsoft Azure Recovery Services Agent.
VM2 need also to be register in the same Vault as VM1. So the first step is to install MARS agent on VM2.
upvoted 1 times
 
amf
Sorry Correct Answer is B - From VM2, install the Microsoft Azure Recovery Services Agent.
VM2 need also to be register in the same Vault as VM1. So the first step is to install MARS agent on VM2.
upvoted 8 times
 
ahatem
answer is correct
upvoted 4 times
 
GabeCanada
Question is using Windows Native backup not Azure backup. Answer is C install Windows Back from Features (not installed by default).
upvoted 5 times
 
Spandrop
I agree, I think that the question is talking about the Windows backup tool, not Azure backup.
upvoted 1 times
 
AlexBLN
answer is D
upvoted 4 times
 
orion1024
1 month ago
Agreed, answer is D
upvoted 1 times
Question #4 Topic 4
HOTSPOT -
You need to use an Azure Resource Manager (ARM) template to create a virtual machine that will have multiple data disks.
How should you complete the template? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
 
ppp131176
Highly Voted 
Is correct: https://docs.microsoft.com/nl-nl/azure/azure-resource-manager/templates/copy-properties
upvoted 12 times
 
chaudha4
2 months ago
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/copy-properties
upvoted 2 times
 
achmadirvanp
Highly Voted 
upvoted 9 times
 
VVR141
came across any LABS ?
upvoted 2 times
 
ohana
Most Recent 
4 days, 6 hours ago
Took the exam today on 17 Oct. This question came out. Ans: copy, copyIndex
upvoted 1 times
 
ScoutP
2 weeks, 4 days ago
upvoted 1 times
 
NarenderSingh
1 month ago
Correct - https://docs.microsoft.com/nl-nl/azure/azure-resource-manager/templates/copy-properties
upvoted 1 times
 
Kamex009
upvoted 3 times
 
hoangton
2 months ago
copy
copyindex
Add the copy element to the resources section of your template to set the number of items for a property.
Notice that when using copyIndex inside a property iteration, you must provide the name of the iteration.
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/copy-properties
upvoted 3 times
Question #5 Topic 4
 
Jotess
This question was on Jul 23, 2021 - passed the exam. answer is correct
Note: upvoted
This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
2 times
 
villanz
3 months ago
Is there live lab session?

upvoted 1 times
 
theOldOne
1 week, 5 days ago
No. You have to know this off the top of your head. All Memorization.
upvoted 1 times
VM1 connects to a virtual network named VNET2 by using a network interface named NIC1.
You need to create a new network interface named NIC2 for VM1.
Solution: You create NIC2 in RG1 and West US.
A.
Yes
B.
No
Correct Answer:
A
The virtual machine you attach a network interface to and the virtual network you connect it to must exist in the same location, here West US,
also referred to as a region.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface
 
jojorabbit2021
Highly Voted 
Answer is correct, it's trying to throw you off by bringing the resource group into equation which is in different region, however it is clearly
mentioned the new NIC is created in the same region as VM.
upvoted 14 times
 
Gde360
3 months ago
Each NIC attached to a VM must exist in the same location and subscription as the VM. Each NIC must be connected to a VNet that exists in the
same Azure location and subscription as the NIC. You can change the subnet a VM is connected to after it's created, but you cannot change the
VNet.
Meaning that VM <--> VNET <---> NIC. All the three resources MUST be in the same location
https://docs.microsoft.com/en-us/azure/virtual-machines/network-
overview#:~:text=Each%20NIC%20attached%20to%20a,you%20cannot%20change%20the%20VNet.
According to the description....
VM1 (West US) connects to VNET2 with NIC1 ===> VM1 --- VNET2 ---NIC1 all are in West US.
when creating NIC2 to be used for VM1, NIC2 needs to be same location as VM1, which is West US.
(RG1 or RG2 is not mandatory).
So, the answer is A. Yes.

upvoted 4 times
 
ohana
Most Recent 
4 days, 6 hours ago
Took the exam today on 17 Oct. This question came out. Ans: Must be in the same region, doesn't matter if different resource group
upvoted 1 times
 
khengoolman
1 week, 3 days ago
upvoted 1 times
 
DevOpposite
2 weeks, 2 days ago
where is VNET2 located?
upvoted 1 times
 
Bapan
1 month ago
Answer is correct here.
"A network interface can exist in the same, or different resource group, than the virtual machine you attach it to, or the virtual network you connect
it to."
upvoted 2 times
 
zvasanth2
2 months ago
A network interface (NIC) is the interconnection between a VM and a virtual network (VNet). A VM must have at least one NIC, but can have more
than one, depending on the size of the VM you create. Learn about how many NICs each VM size supports for Windows or Linux.
You can create a VM with multiple NICs and add or remove NICs through the lifecycle of a VM. Multiple NICs allow a VM to connect to different
subnets and send or receive traffic over the most appropriate interface.
If the VM is added to an availability set, all VMs within the availability set must have one or multiple NICs. VMs with more than one NIC aren’t
required to have the same number of NICs, but they must all have at least two.
VNet. Each NIC attached to a VM is assigned a MAC address that doesn’t change until the VM is deleted.
https://social.msdn.microsoft.com/Forums/en-US/c4a1410c-ca52-4acb-bb1d-d1e0ed90c82a/understanding-azure-nic?
forum=WAVirtualMachinesVirtualNetwork
upvoted 2 times
 
AubinBakana
2 months ago
Answer is correct. However, without checking the next set of questions it's hard to see why they even asked this one.
upvoted 1 times
 
wsscool
in exam 7/3/2021
upvoted 4 times
 
pbf4444
NO
*Resource group - Select an existing resource group or create one. A network interface can exist in the same, or different resource group, than the
virtual machine you attach it to, or the virtual network you connect it to.
*Location - The virtual machine you attach a network interface to and the virtual network you connect it to must exist in the same location, also
referred to as a region.
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface#create-a-network-interface
upvoted 2 times
 
Steve1983
"You create NIC2 in RG1 and West US.", the same location as the VM, whats your point? The RG location does not matter, its only metadata.
upvoted 8 times
Question #6 Topic 4
Solution: You create NIC2 in RG2 and Central US.
A.
Yes
B.
No
Correct Answer:
B
Reference:
 
khengoolman
1 week, 3 days ago
upvoted 2 times
 
raj_tandon
1 week, 2 days ago
Great! What percentages of question you saw from here ?
upvoted 1 times
 
Bapan
1 month ago
it to."
upvoted 1 times
 
zvasanth2
2 months ago
A network interface (NIC) is the interconnection between a VM and a virtual network (VNet). A VM must have at least one NIC, but can have more
than one, depending on the size of the VM you create. Learn about how many NICs each VM size supports for Windows or Linux.
You can create a VM with multiple NICs and add or remove NICs through the lifecycle of a VM. Multiple NICs allow a VM to connect to different
subnets and send or receive traffic over the most appropriate interface.
If the VM is added to an availability set, all VMs within the availability set must have one or multiple NICs. VMs with more than one NIC aren’t
required to have the same number of NICs, but they must all have at least two.
VNet. Each NIC attached to a VM is assigned a MAC address that doesn’t change until the VM is deleted.
https://social.msdn.microsoft.com/Forums/en-US/c4a1410c-ca52-4acb-bb1d-d1e0ed90c82a/understanding-azure-nic?
forum=WAVirtualMachinesVirtualNetwork
upvoted 3 times
 
DevOpposite
3 weeks, 5 days ago
thank you for this explanation. can the NIC attached to VM exist in different resource group in same location?
upvoted 1 times
 
AubinBakana
2 months ago
This question clarifies why they asked the previous question. Basically, they're trying to establish that you know that the NIC can only be created in
the same region as the machine to which it is attached.
Answer is correct
upvoted 3 times
 
wsscool
in exam 7/3/2021
upvoted 2 times
 
Steve1983
Correct, VM and NIC are in the same location
upvoted 2 times
 
Steve1983
NOT in the same location.. sorry
upvoted 2 times
Question #7 Topic 4
Solution: You create NIC2 in RG2 and West US.
A.
Yes
B.
No
Correct Answer:
A
Reference:
 
khengoolman
1 week, 3 days ago
upvoted 1 times
 
Bapan
1 month ago
it to."
upvoted 2 times
 
AubinBakana
2 months ago
Here they want to establish that you know that it doesn't matter what region the RG is in for the resources inside. Think like Microsoft. :)
upvoted 3 times
 
wsscool
in exam 7/3/2021
upvoted 2 times
 
rawrkadia
Duplicate of #5
upvoted 2 times
 
dupakonia
Not duplicate, here you have different RG. But RG do not matter and the answer is correct, YES
upvoted 6 times
 
AdiW
No, #5 is "You create NIC2 in RG1 and West US"
upvoted 2 times
Question #8 Topic 4
You deploy an Azure Kubernetes Service (AKS) cluster named AKS1.
You need to deploy a YAML file to AKS1.
Solution: From Azure CLI, you run az aks.
A.
Yes
B.
No
Correct Answer:
B
Reference:
https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough
 
Quantigo
Highly Voted 
3 weeks ago
Correct Answer B - No
To deploy the YAML file you need to runs kubectl apply -f file_name.yaml
upvoted 6 times
 
ohana
Most Recent 
4 days, 6 hours ago
Took the exam today on 17 Oct. This question came out. Ans: kubectl
upvoted 1 times
 
khengoolman
1 week, 3 days ago
upvoted 1 times
 
kunalv9768
1 week, 6 days ago
B-No is the correct answer.
Reason:To deploy the YAML file you need to runs kubectl apply -f file_name.yaml
Refrence: https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough
upvoted 2 times
Question #9 Topic 4
Solution: From Azure CLI, you run the kubectl client.
A.
Yes
B.
No
Correct Answer:
A
Reference:
 
fabylande
1 day, 17 hours ago
upvoted 1 times
 
ohana
4 days, 6 hours ago
upvoted 1 times
 
sand5234
1 week, 2 days ago
It should be No .
kubectl apply -f azure-vote.yaml

upvoted 1 times
 
khengoolman
1 week, 3 days ago
upvoted 2 times
 
kunalv9768
1 week, 6 days ago
Reference:
upvoted 1 times
 
Quantigo
3 weeks ago
Correction:
Correct Answer A - Yes
upvoted 3 times
 
oganepa
6 days, 7 hours ago
you're confused....A YES! B YES!
upvoted 1 times
 
Quantigo
3 weeks ago
Correct Answer B - Yes
upvoted 1 times
Solution: From Azure CLI, you run azcopy.
A.
Yes
B.
No
Correct Answer:
B
Reference:
 
j5y
Highly Voted 
Answer: NO
To deploy a YAML file, the command is:
kubectl apply -f example.yaml
Src: https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough
upvoted 10 times
 
fabylande
Most Recent 
1 day, 17 hours ago
upvoted 1 times
 
ohana
4 days, 6 hours ago
upvoted 1 times
 
khengoolman
1 week, 3 days ago
upvoted 1 times
 
kunalv9768
1 week, 6 days ago
To deploy a YAML file, the command is:
kubectl apply -f example.yaml
Reference:
upvoted 1 times
 
Quantigo
3 weeks ago
Correct Answer B - No
upvoted 1 times
 
AubinBakana
2 months ago
Hahahahahahaha... this cracked me up bad! azcopy? you get this wrong you are in the wrong place :D
upvoted 2 times
 
Khatun
Thank you very much for efforts.
upvoted 2 times
 
achmadirvanp
upvoted 2 times
 
omaro
i think you are a bot
upvoted 5 times
Solution: You create an Azure storage account and configure shared access signatures (SASs). You install the Microsoft Monitoring Agent on
VM1. You create an alert in Azure Monitor and specify the storage account as the source.
A.
Yes
B.
No
Correct Answer:
B
Instead: You create an Azure Log Analytics workspace and configure the data settings. You install the Microsoft Monitoring Agent on VM1. You
create an alert in
Reference:
 
pakman
Highly Voted 
3 weeks, 1 day ago
Exam tomorrow. Really hope I pass. Pray for me y'all!
upvoted 8 times
 
ayasalah
1 week, 2 days ago
I hope that you passed
upvoted 1 times
 
plove
1 week, 3 days ago
hi pakman i hope that you pass this exam and please tell us that howmuch questions comes feom here in exam.
upvoted 1 times
 
sk1803
3 weeks ago
Hopefully you passed the exam. If not, Can you please advise how many questions came from this dump and do we have to purchase
contributor access?
upvoted 2 times
 
Gorl12
3 weeks ago
Did you pass?
upvoted 1 times
 
ohana
Most Recent 
4 days, 6 hours ago
Took the exam today on 17 Oct. This question came out. Ans: Yes
upvoted 1 times
 
breakerboyz09
3 weeks, 1 day ago
Answer is correct.
You don't need SAS.

upvoted 3 times
HOTSPOT -
You have an Azure subscription named Subscription1. Subscription1 contains the resources in the following table.
VNet1 is in RG1. VNet2 is in RG2. There is no connectivity between VNet1 and VNet2.
An administrator named Admin1 creates an Azure virtual machine named VM1 in RG1. VM1 uses a disk named Disk1 and connects to VNet1.
Admin1 then installs a custom application in VM1.
You need to move the custom application to VNet2. The solution must minimize administrative effort.
Which two actions should you perform? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:

We cannot just move a virtual machine between networks. What we need to do is identify the disk used by the VM, delete the VM itself while
retaining the disk, and recreate the VM in the target virtual network and then attach the original disk to it.
Reference:
https://blogs.technet.microsoft.com/canitpro/2014/06/16/step-by-step-move-a-vm-to-a-different-vnet-on-azure/
https://4sysops.com/archives/move-an-azure-vm-to-another-virtual-network-vnet/#migrate-an-azure-vm-between-vnets
 
fedztedz
Highly Voted 
Correct , not possible to migrate from vnet to another vnet. Must delete VM while keeping the disk. then create a new vm using the saved virtual
hard disk
upvoted 52 times
 
tom999
True. "You can change the subnet a VM is connected to after it's created, but you cannot change the VNet." (https://docs.microsoft.com/en-
us/azure/virtual-machines/network-overview)
upvoted 9 times
 
mlantonis
Highly Voted 
5 months ago
Correct Answer:
We cannot just move a virtual machine between networks. What we need to do is identify the disk used by the VM, delete the VM itself while
retaining the disk, and recreate the VM in the target virtual network and then attach the original disk to it.
Note: You can change the Subnet a VM is connected to after it's created, but you cannot change the VNet.
Reference:
https://blogs.technet.microsoft.com/canitpro/2014/06/16/step-by-step-move-a-vm-to-a-different-vnet-on-azure/
https://4sysops.com/archives/move-an-azure-vm-to-another-virtual-network-vnet/#migrate-an-azure-vm-between-vnets
https://docs.microsoft.com/en-us/azure/virtual-machines/network-overview
upvoted 21 times
 
Kamex009
Most Recent 
upvoted 2 times
 
khismail
2 months ago
In Exam 21/08/2021, thanks to Mlantonis & Fedztedz
upvoted 2 times
 
AubinBakana
2 months ago
I haven't come across this situation before. So thank you.
But the truth is, whether it's a custom app or not, think of it like you would on any application on your PC. How would you move MS Word from
your PC to your laptop? The answer, you can't, not without a great deal of hacking anyway. You keep the data and reinstall MS Word on your new
device using App image. Copy or attach that data to your new device.
I imagine that here the sole purpose of this VM is that Application; otherwise, deleting the VM would bit of an overkill. So this answer for me is a
little unsatistactory.
upvoted 1 times
 
AubinBakana
2 months ago
*unsatisfactory
upvoted 1 times
 
JimBobSquare101
In exam 30 July 2021
upvoted 1 times
 
BenStokes
Answer is correct.
You can change the subnet a VM is connected to after it's created, but you cannot change the VNet. "Each NIC attached to a VM is assigned a MAC
address that doesn't change until the VM is deleted."
Ref - https://docs.microsoft.com/en-us/azure/virtual-machines/network-overview
upvoted 1 times
 
mkoprivnj
Delete + create
upvoted 3 times
 
ms70743
7 months ago
both answer correct
1. delete the VM itself while retaining the disk,
2. recreate the VM and then attach the disk to it.

upvoted 2 times
 
mg
Answer is correct. Delete the vm, keep the attached disk, create new vm in vnet2 attaché the disk
upvoted 2 times
 
ZUMY
upvoted 3 times
 
toniiv
8 months ago
Both answers are correct. You keep the VM disk and re-create a new VM in the new RG with target Vnet
upvoted 2 times
 
QiangQiang
t's not possible to switch a VM between subnets/vnets without deallocating/deleting-recreating.
Easiest way:
Delete the VM but keep the OS Disk.
Deploy a new VM in the new subnet and use the still existing OS Disk.
upvoted 14 times
 
waterzhong
Delete the existing Virtual Machine
4- while the virtual machine is still selected in the portal, select Delete in the action bar at the bottom of the screen. ensure that you select “Keep
the attached disks”
upvoted 3 times
 
waterzhong
Delete the existing Virtual Machine
4- while the virtual machine is still selected in the portal, select Delete in the action bar at the bottom of the screen. ensure that you select “Keep
the attached disks”
upvoted 3 times
 
prashantjoge
you cannot do this using the portal (Verified). U have to use the azcli or pwsh to accomplish this.
upvoted 2 times
 
sjccde
Given anwser is correct: Delete VM in VNet1, keep the Disk, Create a VM in VNet2 (and reattach the Disk).
Also all other answers are about the Resourcegroups - changing/moving the vNIC to another RG doesn't meet the requirement of moving into
another VNet!
upvoted 3 times
You download an Azure Resource Manager template based on an existing virtual machine. The template will be used to deploy 100 virtual
machines.
You need to modify the template to reference an administrative password. You must prevent the password from being stored in plain text.
What should you create to store the password?
A.
an Azure Key Vault and an access policy
B.
an Azure Storage account and an access policy
C.
a Recovery Services vault and a backup policy
D.
Azure Active Directory (AD) Identity Protection and an Azure policy
Correct Answer:
A
Reference:
https://azure.microsoft.com/en-us/resources/templates/101-vm-secure-password/
 
fedztedz
Highly Voted 
Correct. Answer is A using Azure Vault
upvoted 47 times
 
waterzhong
Highly Voted 
"adminPassword": {
"reference": {
"keyVault": {
"id": "GEN-KEYVAULT-RESOURCE-ID"
},
"secretName": "GEN-KEYVAULT-PASSWORD-SECRET-NAME"
}
upvoted 25 times
 
fabylande
Most Recent 
1 day, 17 hours ago
upvoted 1 times
 
fabylande
1 day, 17 hours ago
upvoted 1 times
 
khengoolman
1 week, 3 days ago
Passed today with 947. This question appeared, correct Answer
upvoted 1 times
 
DevOpposite
3 weeks, 5 days ago
everytime I jump to comment section, in the back of my mind...let us see what the experts have to say about this..lol
upvoted 2 times
 
Kamex009
upvoted 2 times
 
AubinBakana
2 months ago
Easy :)
upvoted 1 times
 
atrax
Correct. In exam August 2021
upvoted 5 times
 
wsscool
in exam 7/3/2021
upvoted 3 times
 
villanz
3 months ago
Was there any Labs
upvoted 1 times
 
lucky_18
upvoted 5 times
 
mkoprivnj
A is correct!
upvoted 1 times
 
AVVARU
Correct Answer: A
upvoted 1 times
 
mlantonis
5 months ago
Correct Answer: A
"adminPassword": {
"reference": {
"keyVault": {
"id": "GEN-KEYVAULT-RESOURCE-ID"
},
"secretName": "GEN-KEYVAULT-PASSWORD-SECRET-NAME"
Reference:
https://azure.microsoft.com/en-us/resources/templates/101-vm-secure-password
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli%2Cjson
https://docs.microsoft.com/en-us/azure/key-vault/secrets/quick-create-template?tabs=CLI
upvoted 16 times
 
marcellov
Finally a straightforward and uncontroversial question.
upvoted 8 times
 
ms70743
7 months ago
Answer is A.
"GEN-KEYVAULT-RESOURCE-ID"
upvoted 1 times
 
mg
Answer is correct. Azure key vault
upvoted 1 times
HOTSPOT -
You have the App Service plans shown in the following table.
You plan to create the Azure web apps shown in the following table.
You need to identify which App Service plans can be used for the web apps.
What should you identify? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:

Box 1: ASP1 ASP3 -
Asp1, ASP3: ASP.NET Core apps can be hosted both on Windows or Linux.
Not ASP2: The region in which your app runs is the region of the App Service plan it's in.
Box 2: ASP1 -
ASP.NET apps can be hosted on Windows only.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/quickstart-dotnetcore?pivots=platform-linux https://docs.microsoft.com/en-
us/azure/app-service/app-service-plan-manage#
 
fedztedz
Highly Voted 
Answer Correct. Web App can only created and identified in App Service plan in same region and resource group.
For ASP.NET, it only can be created with Windows App Service Plan
upvoted 52 times
 
mlantonis
Highly Voted 
5 months ago
Correct Answer:
Box 1: ASP1 and ASP3 only
ASP.NET Core apps can be hosted both on Windows or Linux.
The region in which your app runs is the region of the App Service Plan is in.
ASP2 is in Central US, not the same as WebApp1. Different locations.
Box 2: ASP1 only
ASP.NET apps can be hosted on Windows only. Only ASP1 is in the same Location as the WebApp2 (West US).
Reference:
https://docs.microsoft.com/en-us/azure/app-service/quickstart-dotnetcore?pivots=platform-linux
https://docs.microsoft.com/en-us/azure/app-service/app-service-plan-manage
upvoted 27 times
 
fabylande
Most Recent 
1 day, 17 hours ago
upvoted 1 times
 
Kamex009
upvoted 4 times
 
AubinBakana
2 months ago
Answer is correct
upvoted 2 times
 
eduhazard
ASP .NET is Windows Only
https://docs.microsoft.com/en-us/dotnet/framework/get-started/system-requirements
upvoted 2 times
 
raph90fr
well... the question is more about basic .NET knowledge that Azure skills. Answer correct. Justification can be found here:
https://docs.microsoft.com/en-us/aspnet/core/fundamentals/choose-aspnet-framework?view=aspnetcore-5.0
upvoted 1 times
 
achmadirvanp
upvoted 2 times
 
mkoprivnj
4+1 is correct!
upvoted 2 times
 
armandolubaba
Answer correct
upvoted 1 times
 
Bckz
6 months ago
4.18.21 exam*
upvoted 2 times
 
KTrout
6 months ago
Did you pass? What answer did you pick?
upvoted 1 times
 
maffoo
I often wonder why someone would come back if they did pass...
upvoted 12 times
 
GodfreyMbizo
1 month ago
sure am also surprised as well
upvoted 1 times
 
CristianoM
Seems the right answer in both cases is ASP1 and ASP 3, ASP.NET can run in both Windws and Linux:
In this quickstart, you'll learn how to create and deploy your first ASP.NET web app to Azure App Service. App Service supports various versions of
.NET apps, and provides a highly scalable, self-patching web hosting service. ASP.NET web apps are cross-platform and can be hosted on Linux or
Windows. When you're finished, you'll have an Azure resource group consisting of an App Service hosting plan and an App Service with a deployed
web application.
In this quickstart, you'll learn how to create and deploy your first ASP.NET web app to Azure App Service. App Service supports various versions of
.NET apps, and provides a highly scalable, self-patching web hosting service. ASP.NET web apps are cross-platform and can be hosted on Linux or
Windows. When you're finished, you'll have an Azure resource group consisting of an App Service hosting plan and an App Service with a deployed
web application.
https://docs.microsoft.com/en-us/azure/app-service/quickstart-dotnetcore?pivots=development-environment-vs&tabs=netframework48
upvoted 3 times
 
mg
Answer is correct.
.Net core is for both Windows and Linux
ASP.Net is available for Windows only

upvoted 6 times
 
d0bermannn
yes for .net 4.7 win only, but .net 4.8 on win&lin
upvoted 1 times
 
ZUMY
upvoted 2 times
 
toniiv
8 months ago
Both answers are correct. .Net core is available in both linux and windows, and ASP .NET only windows.
upvoted 3 times
 
macross
9 months ago
Oh man... Had to go through the doc to understand this. Not discussed in Whizlab and Udemy. Thank goodness for this forum
upvoted 10 times
 
Loi2525
It was discussed by Scott Duffy, im enrolled in his AZ104 course.
upvoted 1 times
 
mbravo
Also, it is discussed on Udemy (Alan Rodrigues courses). As per my knowledge, his courses are the only ones worth studying on Udemy (at least
when it comes to AZ track).
upvoted 2 times
 
StixxNSnares
It is included in the az-104 Whizlab questions
upvoted 2 times
 
kaotik169
10 months ago
.net Core is cross-OS (Nix and Windows)
Framework is Windows specific

upvoted 3 times
HOTSPOT -
You create a virtual machine scale set named Scale1. Scale1 is configured as shown in the following exhibit.
Hot Area:
Correct Answer:
Box 1: 6 virtual machines -

The Autoscale scale out rule increases the number of VMs by 2 if the CPU threshold is 80% or higher. The initial instance count is 4 and rises to
6 when the 2 extra instances of VMs are added.
Box 2: 2 virtual machnes -
The Autoscale scale in rule decreases the number of VMs by 4 if the CPU threshold is 30% or lower. The initial instance count is 4 and thus
cannot be reduced to
0 as the minimum instances is set to 2. Instances are only added when the CPU threshold reaches 80%.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-overview https://docs.microsoft.com/en-us/azure/azure-
monitor/platform/autoscale-best-practices https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-common-scale-patterns
 
sjccde
Highly Voted 
Scale-out to 6 is correct.
Scale-in to 2 is also correct:
Starting with 4VMs.
Usage (25%) is below threshold, so scale-in happens to the min. of 2 machines.
(Calculate: If 4 VMs have 25%, then 2 VMs will have 50%; this does not trigger the Scale-out, so scale in will be done!)
Then for the next time it stays at 50%, so no changes are made an the set still consists 2 VMs
upvoted 65 times
 
Borbz
correct answer and justification.
upvoted 8 times
 
mlantonis
Highly Voted 
5 months ago
Correct Answer:
Box 1: 6 virtual machines
The Autoscale scale out rule increases the number of VMs by 2 if the CPU threshold is 80% or higher. The initial instance count is 4 and rises to 6
when the 2 extra instances of VMs are added.
Box 2: 2 virtual machnes
The Autoscale scale in rule decreases the number of VMs by 4 if the CPU threshold is 30% or lower. The initial instance count is 4 and thus cannot
be reduced to 0 as the minimum instances is set to 2. Instances are only added when the CPU threshold reaches 80%.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-overview
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-best-practices
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-common-scale-patterns
upvoted 34 times
 
GodfreyMbizo
1 month ago
Powerful and very clear explanation
upvoted 2 times
 
McRowdy
Clearest explanation so far.
upvoted 4 times
 
ohana
Most Recent 
4 days, 6 hours ago
Took the exam today on 17 Oct. This question came out. Ans: 6, 2
upvoted 1 times
 
khengoolman
1 week, 3 days ago
upvoted 1 times
 
AubinBakana
3 weeks, 2 days ago
Correct.
When the VMSS kicks in at 25 it will be running at minimum capacity, which is 2.

upvoted 1 times
 
NarenderSingh
1 month ago
Scale-out to 6 is correct.
Scale-in to 2 is also correct:

upvoted 1 times
 
Olaf187
one of the questions, that everyone who passed school should get :'D
upvoted 1 times
 
Kamex009
upvoted 1 times
 
AubinBakana
2 months ago
And is correct.
It scales up above 80% and then, add 2 machines to the existing 4
Deallocate all the machines at 25%performance if performance if it lasts 6 minutes. Then add 2 machines when the demand increases to 50%.
My only worry is: if all the machines are shut down, isn't that a way to ensure that you can't cope? if no machine is running, how then are you going
to 50% performance. I would leave to at least 1 VM
upvoted 1 times
 
AubinBakana
3 weeks, 2 days ago
Correction.
When the VMSS kicks in at 25 it will be running at minimum capacity, which is 2.

upvoted 1 times
 
Olaf187
simple math
2
upvoted 2 times
 
wsscool
in exam 7/3/2021
upvoted 2 times
 
lucky_18
came in exam on June 28 2021, with different figures
upvoted 1 times
 
d0bermannn
nice, ms check our calc abilities)
upvoted 1 times
 
mkoprivnj
1. 6
2. 2
upvoted 1 times
 
xayay74894
5 months ago
it's 4 and 4, you are missing cool down, which by default, and as it's not mentioned, it's running with default values is 10 minutes, which means, no
actions (in-out) are taken before 10 min from deployment or last scale in-out action taken.
upvoted 3 times


Veronika1989
5 months ago
Cool down time is 1 minute by default.
upvoted 3 times
 
mdyck
Starting with 4VMs. If usage is above 80% for more than 5 minutes it scales out in an increment of 2, result 6. Starting with 4VMs. If usage is below
30% for more than 5 minutes it scales in at an increment of 2, result 2.
upvoted 1 times
 
ms70743
7 months ago
6 and 2
upvoted 2 times
 
hwathan
Answer is 4 and 4. Auto Scale are based on a 10 minute count
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-autoscale-portal
upvoted 3 times
 
airfrog
7 months ago
10 minutes is the duration that article happens to use an an example. It is not a minimum duration.
upvoted 5 times
You plan to automate the deployment of a virtual machine scale set that uses the Windows Server 2016 Datacenter image.
You need to ensure that when the scale set virtual machines are provisioned, they have web server components installed.
Which two actions should you perform? Each correct answer presents part of the solution.
A.
Upload a configuration script
B.
Create an automation account
C.
Create an Azure policy
D.
Modify the extensionProfile section of the Azure Resource Manager template
E.
Create a new virtual machine scale set in the Azure portal
Correct Answer:
DE
Virtual Machine Scale Sets can be used with the Azure Desired State Configuration (DSC) extension handler. Virtual machine scale sets provide
a way to deploy and manage large numbers of virtual machines, and can elastically scale in and out in response to load. DSC is used to
configure the VMs as they come online so they are running the production software.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-dsc
 
MisterNobody
Highly Voted 
1 year ago
A and D?
upvoted 46 times
 
marcellov
Yes, because of the word "automate" you can't use the portal. So A and D should be the right answer.
upvoted 10 times
 
juandsanchez666
Agree, the correct answer are A and D.
upvoted 7 times
 
somenick
1 year ago
Agree. Here is the step by step guide how to do that: https://adamtheautomator.com/azure-dsc-arm-template/
upvoted 6 times
 
Dady9
1 year ago
yes, AD works better here
upvoted 8 times
 
mlantonis
Highly Voted 
5 months ago
Correct Answer: A and D
The Custom Script Extension downloads and executes scripts on Azure VMs. This extension is useful for post deployment configuration, software
installation, or any other configuration / management task. Scripts can be downloaded from Azure storage or GitHub, or provided to the Azure
portal at extension run-time.
The Custom Script extension integrates with Azure Resource Manager templates, and can also be used with the Azure CLI, Azure PowerShell, Azure
portal, or the REST API
The following Custom Script Extension definition downloads a sample script from GitHub, installs the required packages, then writes the VM
instance hostname to a basic HTML page.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/tutorial-install-apps-template
upvoted 32 times
 
SilverFox22
1 month ago
For the first time, I disagree with @mlantonis answer, but not the explanation. The reference link is spot on, and it has you 1. Create Custom
Script Extension definition, which is editing the extensionProfile section So, D. Then 2. you create the Scale Set. That is E. So answer is D and E.
upvoted 1 times
 
GD01
1 week, 3 days ago
As per question : "You plan to automate the deployment of a virtual machine scale".... so cannot be E and you require configuration script for
post deployment installation of web server components...
upvoted 2 times
 
AubinBakana
2 months ago
I know this is 3 months ago & I gather you must have figured out this is not the correct answer.
You're talking about a custom script extension, NOT a configuration. And you have to actually create the VMSS - your choice misses that part
completely. This option appears to be false
upvoted 2 times
 
boom666
2 weeks ago
Actually I can't see "you have to to actually create the VMSS" in the question. I see "you plan to automate the deployment of the VMSS" and
"you have to ensure..." So if we plan to automate the deployment we need to upload a configuration script and update Resource Manager
Template. Then we can deploy the VMSS using those things today, tomorrow or someday else.
upvoted 1 times
 
plove
Most Recent 
1 week, 3 days ago
hi, please tell me anyone if i purchase Contributor Access then howmany exam i can access?
upvoted 1 times
 
Ad2yy
only 1 (the one you have purchased).
upvoted 1 times
 
TheUltimateHac
thanks for the answer bro, i was planning on getting the contributor access as well.
upvoted 1 times
 
Kamex009
upvoted 3 times
 
AubinBakana
2 months ago
The answer has to be correct. I am not entirely sure how you modify the extensionProfile or what they mean by it, but what I know for certain is
that to add a custom extension to your file you do need to add an extension script at VMSS creation. This I believe is what modifies the
extensionProfile.
You create the machine and you add an extension script. Not a configuration script.
D & E make more sense & the other options aren't very convincing to me.
The answer got to be E, D as revealed.
Need to look into this a little more.

upvoted 2 times
 
YooOY
4 weeks ago
E create a NEW vmss, why need an extra one since the question is already given there's VMSS exists. E does not make sense.
upvoted 1 times
 
AubinBakana
3 weeks, 2 days ago
It does not say that the VMSS is created unfortunately. The question is a little unclear I must admit. I'm still trying to figure out what the
answer is, even though I know perfectly what steps to take to actually do the job.
upvoted 1 times
 
hercu
I would say that the aswer is correct:
D. Modify the extensionProfile section of the Azure Resource Manager template
E. Create a new virtual machine scale set in the Azure portal
When you deploy a scale set, VM extensions can provide post-deployment configuration and automation tasks, such as installing an app. Scripts
can be downloaded from Azure storage or GitHub, or provided to the Azure portal at extension run-time. To apply an extension to your scale set,
you add the extensionProfile section to the ARM template.
Note: Configuration script alone is useless without the ARM template. Thus, you need to create the virtual machine scale set in Azure which
provides you with the ARM template. You can then modify its extensionProfile section to add custom adds/features via reference to scripts (i.e.
Powershell code in GitHub to install some features).
Reference: https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/quick-create-template-windows
upvoted 4 times
 
Shiven12
A and D are correct
Verified with other exam sources

upvoted 2 times
 
Shiven12
APOLOGIES TYPO - D & E are correct
Verified with other exam sources

upvoted 4 times
 
imartinez
Could you mention which ones?
upvoted 1 times
 
onincasimiro
Answer:
A. Upload a configuration script
D. Modify the extensionProfile section of the Azure Resource Manager template

upvoted 1 times
 
Delanase
4 months ago
DE is correct
upvoted 1 times
 
Delanase
4 months ago
DE is correct
upvoted 1 times
 
mkoprivnj
A & D!
upvoted 1 times
 
cmong2005
Question asking plan to deploy automate vm scale set, those select A/D, where is your vm scale set?
upvoted 3 times
 
Bharadhi
6 months ago
A and D
upvoted 1 times
 
bacana
I agree with Skankhunt. D and E
upvoted 1 times
 
glen101
From Udemy :
Virtual Machine Scale Sets can be used with the Azure Desired State Configuration (DSC) extension handler. Virtual machine scale sets provide a
way to deploy and manage large numbers of virtual machines, and can elastically scale in and out in response to load. DSC is used to configure the
VMs as they come online so they are running the production software.
upvoted 4 times
 
ms70743
7 months ago
Answer is A and D
A - Upload a configuration script
D - Modify the extensionProfile section of the Azure Resource Manager template

upvoted 3 times
 
mg
A and D
A - Upload a configuration script
D - Modify the extensionProfile section of the Azure Resource Manager template

upvoted 4 times
HOTSPOT -
You have an Azure Kubernetes Service (AKS) cluster named AKS1 and a computer named Computer1 that runs Windows 10. Computer1 that has
the Azure CLI installed.
You need to install the kubectl client on Computer1.
Which command should you run? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:

To install kubectl locally, use the az aks install-cli command: az aks install-cli
Reference:
 
mlantonis
Highly Voted 
5 months ago
Correct Answer:
To install kubectl locally, use the az aks install-cli command.
Note: Azure cli commands start with az. We use Install-Module to install a Powershell module.
Reference:
https://docs.microsoft.com/en-us/cli/azure/reference-index?view=azure-cli-latest
upvoted 24 times
 
fedztedz
Highly Voted 
Answer correct
upvoted 19 times
 
ohana
Most Recent 
4 days, 6 hours ago
Took the exam today on 17 Oct. This question came out. Ans: az ask
upvoted 1 times
 
AubinBakana
2 months ago
For some reason, it took me a while to notice they did say CLI, not Command prompt or Powershell :)
upvoted 1 times
 
AubinBakana
2 months ago
Thank you.
upvoted 1 times
 
Jotess
upvoted 2 times
 
Shiven12
upvoted 5 times
 
ranajoy97
az aks install-cli
https://docs.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az_aks_install_cli
upvoted 2 times
 
mkoprivnj
az + aks
upvoted 3 times
 
sidharthwader
6 months ago
this is using cli to install and as far as i know all cli commands in azure starts with az
https://docs.microsoft.com/en-us/cli/azure/reference-index?view=azure-cli-latest
upvoted 1 times
 
marvinconejo
AZ AKS INSTLL-CLI
upvoted 2 times
 
mg
answer is correct
az aks install-cli
upvoted 2 times
 
ZUMY
Answer Correct
az aks install-cli
upvoted 2 times
 
toniiv
8 months ago
Answer is correct: az aks install-cli
upvoted 1 times
 
ar_vinoth
https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough#connect-to-the-cluster
answer is correct
upvoted 2 times
 
DubDubDub123
9 months ago
correct answer
https://docs.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az_aks_install_cli
upvoted 2 times
 
macross
9 months ago
yes- agree
upvoted 2 times
DRAG DROP -
You onboard 10 Azure virtual machines to Azure Automation State Configuration.
You need to use Azure Automation State Configuration to manage the ongoing consistency of the virtual machine configurations.
NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.
Select and Place:
Correct Answer:

Step 1: Upload a configuration to Azure Automation State Configuration.
Import the configuration into the Automation account.
Step 2: Compile a configuration into a node configuration.
A DSC configuration defining that state must be compiled into one or more node configurations (MOF document), and placed on the Automation
DSC Pull Server.
Step 3: Assign the node configuration
Then: Check the compliance status of the node
Each time Azure Automation State Configuration performs a consistency check on a managed node, the node sends a status report back to the
pull server. You can view these reports on the page for that node.
On the blade for an individual report, you can see the following status information for the corresponding consistency check:
The report status ‫ג‬€" whether the node is "Compliant", the configuration "Failed", or the node is "Not Compliant"
Reference:
https://docs.microsoft.com/en-us/azure/automation/automation-dsc-getting-started
 
fedztedz
Highly Voted 
Not correct. The right order is:
1. Upload a configuration to Azure Automation State Configuration
2. Compile a configuration into a node configuration
3. Check the compliance status of the node.

upvoted 105 times
 
cloudasdfghjkl
Highly Voted 
Correct answer:
Step 2: Compiling a configuration into a node configuration
Step 3: Onboard the virtual machines to Azure State Configuration
Step 4: Assign the node configuration.
Step 5: Check the compliance status of the node.
See Question #19 Topic 3: https://www.examtopics.com/exams/microsoft/az-400/view/13/

upvoted 38 times
 
vikki
Thank you for the pithy comment.
upvoted 2 times
 
wacky
Most Recent 
1 week, 3 days ago
Just curious, what if you got all the right answer in the wrong order? how was the pointing system for that?
upvoted 2 times
 
Mukesh_Aggarwal_07
3 weeks, 4 days ago

upvoted 1 times
 
Kamex009
upvoted 3 times
 
AubinBakana
Tags? really? common, is this to mislead people or something? Yes we need to apply tags to every resource but for this question, I don't see why
tags will precede any of the Automation operations. It seems to me like this question is about Automation Account!
The revealed answer is not correct. Most people in the comment section have the correct answer.
upvoted 1 times
 
hosseny
please correct the wrong answer :
Upload a configuration to Azure Automation
Compile a configuration into a node configuration
Assign a node configuration to a managed node

upvoted 1 times
 
jecawi9630
Is this even a topic covered in AZ-104?
upvoted 6 times
 
AubinBakana
Yes! Azure Automation, DSC is absolutely covered
upvoted 1 times
 
mkoprivnj
1. Upload a configuration to Azure Automation State Configuration
2. Compile a configuration into a node configuration
3. Check the compliance status of the node.

upvoted 3 times
 
Raj_Rock
Azure Automation State Configuration allows you to specify configurations for your servers and ensure that those servers are in the specified state
over time.
Onboard a VM to be managed by Azure Automation DSC
Upload a configuration to Azure Automation
Compile a configuration into a node configuration
Assign a node configuration to a managed node
Check the compliance status of a managed node
https://docs.microsoft.com/en-us/azure/automation/tutorial-configure-servers-desired-state
upvoted 2 times
 
ravindu123123
is this question under the syllabus. I m sure this is another question which is out of the scope of AZ104
upvoted 2 times
 
mlantonis
5 months ago
Correct Answer:
1: Upload a configuration to Azure Automation State Configuration
2: Compile a configuration into a node configuration
3: Check the compliance status of the node.
Step 1: Create and upload a configuration to Azure Automation
Step 2: Compile a configuration into a node configuration
Step 3: Register a VM to be managed by State Configuration
Step 4: Specify configuration mode settings
Step 5: Assign a node configuration to a managed node
Step 6: Check the compliance status of a managed node
Reference:
https://docs.microsoft.com/en-us/azure/automation/automation-dsc-getting-started
upvoted 21 times
 
nfett
https://docs.microsoft.com/en-us/azure/automation/tutorial-configure-servers-desired-state has the right answer.
upvoted 1 times
 
rkuifje
It is clearly document in the followin Micorsoft article, the text behind the arrows correpsonds with the headers in the article,
Upload a configuration to Azure Automation-> zie header Create and upload a configuration to Azure Automation
Compile a configuration into a node configuration->Compile a configuration into a node configuration
Onboard a VM to be managed by Azure Automation DSC->Register a VM to be managed by State Configuration
(In this topic, we cover how to register only Azure Resource Manager VMs.
For information about registering other types of machines,
see Onboarding machines for management by Azure Automation State Configuration.)
Assign a node configuration to a managed node->Assign a node configuration to a managed node
Check the compliance status of a managed node->Check the compliance status of a managed node
upvoted 1 times
 
ealcober
6 months ago
it seems totally blind people works on examtopics.com
upvoted 3 times
 
saddamakhtar
its a great platform to learn mistakes are every ware
upvoted 5 times
 
krisbla
everywhere*
upvoted 1 times
 
Oliver7
He already told, mistakes are everywere..
upvoted 3 times
 
ms70743
7 months ago

upvoted 1 times
 
mg
Step 2: Compile a configuration into a node configuration.
Step 3: Assign the node configuration

upvoted 1 times
You have an Azure Resource Manager template named Template1 that is used to deploy an Azure virtual machine.
Template1 contains the following text:
The variables section in Template1 contains the following text:
"location": "westeurope"
The resources section in Template1 contains the following text:
You need to deploy the virtual machine to the West US location by using Template1.
What should you do?
A.
Modify the location in the resources section to westus
B.
Select West US during the deployment
C.
Modify the location in the variables section to westus
Correct Answer:
A
 
fedztedz
Highly Voted 
Correct Answer A: You can change the location in resources. Parameters used to define the value of some variables to be able to use in different
places in the template resources.
Resources are used only for complicated expressions. In any case, RM will only deploy from resources. In case the value is not mentioned directly,
then it will check parameters if it is specified in the resources.
Based on this question, the value of location is defined directly in resources. so you change the resources location value
upvoted 49 times
 
mlantonis
Highly Voted 
5 months ago
Correct Answer: A
You can change the location in resources. Parameters used to define the value of some variables to be able to use in different places in the
template resources. Resources are used only for complicated expressions. In any case, RM will only deploy from resources. In case the value is not
mentioned directly, then it will check parameters if it is specified in the resources. Based on this question, the value of location is defined directly in
resources. so you change the resources location value.
Use location parameter. To allow flexibility when deploying your template, use a parameter to specify the location for resources. Set the default
value of the parameter to resourceGroup().location.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/resource-location?tabs=azure-powershell
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-syntax#resources
upvoted 19 times
 
ohana
Most Recent 
4 days, 6 hours ago
Took the exam today on 17 Oct. This question came out. Ans: A
upvoted 1 times
 
khengoolman
1 week, 3 days ago
upvoted 1 times
 
Kamex009
upvoted 3 times
 
AubinBakana
Correct answer. Reads like a book.
upvoted 1 times
 
s_aoi
i mean you can change it to B during deployment what kind of question is this?
upvoted 1 times
 
s_aoi
you can change it to west us during deployment so B should also be a valid answer???
upvoted 1 times
 
Spandrop
I believe that the point is that although you have a variable for the location w/ few options, in the template the "location" is hard coded, it is
not using that variable.
upvoted 3 times
 
wsscool
in exam 7/3/2021
upvoted 2 times
 
lucky_18
upvoted 3 times
 
moota
Why would you ask this question :)
upvoted 1 times
 
mkoprivnj
A is correct!
upvoted 1 times
 
tera_baap
5 months ago
Everyone is saying A but we can change it during deployment as well.
upvoted 4 times
 
d0bermannn
indeed we can, particularly deploying by az cli or az posh with parameters
upvoted 1 times
 
xayay74894
5 months ago
it's C, if you have an ARM template and you have also the variable section where you define which values has, this define what it will used at
deployment time, so the change must be done at the variable section
upvoted 2 times
 
Lkk51
At the resource section, location is hardcoed to Westeurope. I guess the only option is to change it there. otherwise it won't work
upvoted 2 times
 
armandolubaba
A is correct answer
upvoted 1 times
 
mg
A - Modify the location in resource section to westus
upvoted 3 times
 
ZUMY
A is correct!
You can change the location in resources. Parameters used to define the value of some variables to be able to use in different places in the
template resources.
Resources are used only for complicated expressions. In any case, RM will only deploy from resources. In case the value is not mentioned directly,
then it will check parameters if it is specified in the resources.
Based on this question, the value of location is defined directly in resources. so you change the resources location value
upvoted 3 times
 
Merma
A is Correct
"Use location parameter
To allow for flexibility when deploying your template, use a parameter to specify the location for resources. Set the default value of the parameter
to resourceGroup().location."
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/resource-location?tabs=azure-powershell
upvoted 2 times
You create an App Service plan named Plan1 and an Azure web app named webapp1.
You discover that the option to create a staging slot is unavailable.
You need to create a staging slot for Plan1.
A.
From Plan1, scale up the App Service plan
B.
From webapp1, modify the Application settings
C.
From webapp1, add a custom domain
D.
From Plan1, scale out the App Service plan
Correct Answer:
A
The app must be running in the Standard, Premium, or Isolated tier in order for you to enable multiple deployment slots.
If the app isn't already in the Standard, Premium, or Isolated tier, you receive a message that indicates the supported tiers for enabling staged
publishing. At this point, you have the option to select Upgrade and go to the Scale tab of your app before continuing.
Scale up: Get more CPU, memory, disk space, and extra features like dedicated virtual machines (VMs), custom domains and certificates,
staging slots, autoscaling, and more.
Incorrect:
Scale out: Increase the number of VM instances that run your app. You can scale out to as many as 30 instances
Reference:
https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots https://docs.microsoft.com/en-us/azure/app-service/manage-scale-
up
 
mlantonis
Highly Voted 
5 months ago
Correct Answer: A
The app must be running in the Standard, Premium, or Isolated tier in order for you to enable multiple deployment slots. If the app isn't already in
the Standard, Premium, or Isolated tier, you receive a message that indicates the supported tiers for enabling staged publishing. At this point, you
have the option to select Upgrade and go to the Scale tab of your app before continuing.
Scale up: Get more CPU, memory, disk space, and extra features like dedicated virtual machines (VMs), custom domains and certificates, staging
slots, autoscaling, and more.
Scale out: Increase the number of VM instances that run your app. You can scale out to as many as 30 instances
Reference:
https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots
https://docs.microsoft.com/en-us/azure/app-service/manage-scale-up
upvoted 30 times
 
DA0410
Highly Voted 
1 year ago
correct . For more read https://docs.microsoft.com/en-us/azure/app-service/manage-scale-up
upvoted 19 times
 
JayBee65
Yes A, and this is a better link: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-
limits#app-service-limits
upvoted 4 times
 
AubinBakana
Most Recent 
They don't cover this section much in Az 104 Module for Apps. I struggled to understand this particular section. Still do but it's a little clearer now
that I've had to look it up. Answer is correct
upvoted 1 times
 
achmadirvanp
upvoted 2 times
 
kkranthi
whats the percentage of questions from the list appeared in your exam?
upvoted 1 times
 
mkoprivnj
A is correct!
upvoted 1 times
 
armandolubaba
A is correct answer .
Scale up your pricing tier

upvoted 1 times
 
nfett
answer is correct according to https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots
upvoted 1 times
 
mg
A is correct
from plan 1 scale up the service plan

upvoted 3 times
 
ZUMY
A is correct
You can create slots with Standard, Premium or isolated plans tier. However, with Free tier, you can't create other slots.
upvoted 5 times
 
toniiv
8 months ago
Answer A. is correct. Scale-up the Service Plan to get the Staging Slots available. They should use UPGRADE the Service Plan but not Scale-Up the
Service Plan anyway
upvoted 3 times
 
waterzhong
The app must be running in the Standard, Premium, or Isolated tier in order for you to enable multiple deployment slots.
upvoted 4 times
 
waterzhong
Scale up your pricing tier
Note
To scale up to PremiumV3 tier, see Configure PremiumV3 tier for App Service.
In your browser, open the Azure portal.
In your App Service app page, from the left menu, select Scale Up (App Service plan).
Choose your tier, and then select Apply. Select the different categories (for example, Production) and also See additional options to show more
tiers.
upvoted 4 times
 
DodgyD
Honestly this is so badly worded by MS. What the customer must in fact do is UPGRADE the service offering...scale up is is just misnaming.....and
misleading....but for the purposes of this, scale up is the answer....
upvoted 4 times
 
waterzhong
When you deploy your web app, web app on Linux, mobile back end, or API app to Azure App Service, you can use a separate deployment slot
instead of the default production slot when you're running in the Standard, Premium, or Isolated App Service plan tier.
upvoted 3 times
 
abu3lia
What is the difference between A and D? 'scale-out' vs 'scale-up'. Moving to a different plan would be considered as scale-out not scale-up.
upvoted 7 times
 
solarwinds123
See: https://docs.microsoft.com/en-us/azure/app-service/manage-scale-up
Scale up: Get more CPU, memory, disk space, and extra features like dedicated virtual machines (VMs), custom domains and certificates, staging
slots, autoscaling, and more. You scale up by changing the pricing tier of the App Service plan that your app belongs to.
Scale out: Increase the number of VM instances that run your app. You can scale out to as many as 30 instances, depending on your pricing tier.
App Service Environments in Isolated tier further increases your scale-out count to 100 instances. For more information about scaling out, see
Scale instance count manually or automatically. There, you find out how to use autoscaling, which is to scale instance count automatically based
on predefined rules and schedules.
upvoted 16 times
 
patricpotter1992
solarwinds123 thank so much for the explanation.
upvoted 1 times
 
Ankigupta
in exam 04/12/2020
upvoted 3 times
 
fedztedz
Answer is correct : A.
You can create slots with Standard, Premium or isolated plans tier. However, with Free tier, you can't create other slots.
upvoted 6 times
You plan to move a distributed on-premises app named App1 to an Azure subscription.
After the planned move, App1 will be hosted on several Azure virtual machines.
You need to ensure that App1 always runs on at least eight virtual machines during planned Azure maintenance.
What should you create?
A.
one virtual machine scale set that has 10 virtual machines instances
B.
one Availability Set that has three fault domains and one update domain
C.
one Availability Set that has 10 update domains and one fault domain
D.
one virtual machine scale set that has 12 virtual machines instances
Correct Answer:
C
An update domain is a logical group of underlying hardware that can undergo maintenance or be rebooted at the same time. As you create VMs
within an availability set, the Azure platform automatically distributes your VMs across these update domains. This approach ensures that at
least one instance of your application always remains running as the Azure platform undergoes periodic maintenance.
Reference:
http://www.thatlazyadmin.com/azure-fault-update-domains/
 
fedztedz
Highly Voted 
Answer is wrong. The correct Answer is A.
First: in case you created on fault domain, you are limited with one update domain. You can test this.
Second: By default, Azure uses 5 update domains and up to 3 fault domains. So, In case you created 10 vm in scale set. then you will have 2 vm in
each update domain. So once one update domain is not available, then you get 4 domains with 8 vms as required.
upvoted 81 times
 
jsexamprep
fedztedz's answer of A is correct. I wasn't sure at first because A talks about virtual machine scale sets and C talks about availability sets (the
community answer people are referring to is about availability sets). Virtual machine scale sets and availability sets are different, so I wasn't
convinced. However, MS docs (https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-faq#do-scale-
sets-work-with-azure-availability-sets-) say the following about scale sets working with Azure availability sets:
A regional (non-zonal) scale set uses placement groups, which act as an implicit availability set with five fault domains and five update domains.
Scale sets of more than 100 VMs span multiple placement groups. For more information about placement groups, see Working with large
virtual machine scale sets. An availability set of VMs can exist in the same virtual network as a scale set of VMs. A common configuration is to
put control node VMs (which often require unique configuration) in an availability set and put data nodes in the scale set.
This backs up fedztedz's answer as the correct answer.

upvoted 4 times
 
agupt
Answer: C is correct.
By Default 5 update domain but can have up to 20 update domain.
"Within an availability set, individual VMs are spread across up to 20 update domains. During scheduled maintenance, only one update domain
is updated at any given time. Update domains aren't necessarily updated sequentially."
https://docs.microsoft.com/en-us/azure/virtual-machines/maintenance-and-updates?bc=https%3A%2F%2Fdocs.microsoft.com%2Fen-
us%2Fazure%2Fbread%2Ftoc.json&toc=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-machine-scale-sets%2Ftoc.json
upvoted 7 times
 
Shailen
Yes C is correct as per senior member of Microsoft community forum, URL below:
https://techcommunity.microsoft.com/t5/azure/please-could-you-explain-why-the-c-option-is-the-correct-answer/m-p/2097168
upvoted 3 times
 
MicroHead
His explanation essentially says that A is correct though. Azure has 5 update domains per each scale set by default. If one is down for
maintenance, you will have 8 VMs available, given you have 2 VMs per update domain.
upvoted 1 times
 
J4U
Yes, we can have only one update domain if the fault domain is 1. So this negates C and A is correct.
upvoted 3 times
 
valente_sven1
Thank you, now i know why.
upvoted 1 times
 
mlantonis
Highly Voted 
5 months ago
Correct Answer: A
VM Scale Set consists of a set of identically configured VMs.
Availability Set consists of a set of discrete VMs.
No more than 20% of the Scale Set upgrading at any time, then 2 machines out of 10 will have maintenance, the 8 remaining VMs will be up.
Virtual machine scale sets are created with five fault domains by default in Azure regions with no zones. For the regions that support zonal
deployment of virtual machine scale sets and this option is selected, the default value of the fault domain count is 1 for each of the zones. FD=1 in
this case implies that the VM instances belonging to the scale set will be spread across many racks on a best effort basis.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/manage-availability
https://docs.microsoft.com/en-us/learn/modules/build-app-with-scale-sets/2-features-benefits-virtual-machine-scale-sets
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade
upvoted 26 times
 
mwhooo
Most Recent 
Its A, C is incorrect because you cannot configure an availability set with 1 FD and 10 UD, the minimum allowed of FD is 2, just checked it in Azure.
Answer C is WRONG!
upvoted 3 times
 
AubinBakana
The most reasonable answer is C.
However, either the choice is terrible or they formulated this answer very bad.
Your VMs are placed in different racks for fault tolerance to avoid downtime due to an entire rack failing as a result of a power drop or anything
that might affect the whole rack. Update Domains are to protect machines against planned maintenance. Update domain protects against routined
scheduled maintenance; meaning, the VMs will be on a different server but on the same rack. VMs in the same Update domain will be restarted
together
upvoted 1 times
 
AubinBakana
3 weeks, 1 day ago
I'm just come back to revise this in preparation for my job interview after I passed the test; it seems like they changed this question or
something. None of the options are a fit. Not even C. 1 fault domain is not an option for availability. It doubt it's even allowed.
upvoted 1 times
 
zvasanth2
2 months ago
The main difference is that Scale Sets have Identical VMs where in Availability Sets does not require them to be identical.
Availability set, in concept, are for enhancing application availability in case one primary VM fails/needs update another VM from Fault/Update
domain can be provisioned
Scale sets on another hand, in concept, are designed for automatic scaling (horizontal) in application where load can vary extensively to fulfill more
compute needs.
Provisioning new VM in Azure when needed is easier for Scale sets as all other VMs are same in all aspects & replica of one golden copy.
https://stackoverflow.com/questions/38112816/difference-in-azure-availability-sets-and-scale-sets
upvoted 1 times
 
zvasanth2
2 months ago
The question are more oriented towards availability, so the closest choice will be C
upvoted 1 times
 
zvasanth2
2 months ago
My previous comments are wrong, fedztedz is correct. The answer will be A. if it is one fault domain then we will get only one update
domain.
upvoted 1 times
 
JimBobSquare101
In exam 30 July 21
upvoted 2 times
 
rdsserrao
Just tested this, it has to be A.
When you try to select just 1 fault domain Azure gives an error:
"The update domain count must be 1 when fault domain count is 1."
upvoted 4 times
 
Gromble_ziz
A is correct IMHO
C is incorrect - one fault domain limit update domain to one also.

upvoted 1 times
 
tf444
4 months ago
https://techcommunity.microsoft.com/t5/azure/please-could-you-explain-why-the-c-option-is-the-correct-answer/m-p/2097168
upvoted 4 times
 
T____T
4 months ago
How can this be "A"
Per https://docs.microsoft.com/en-us/azure/virtual-machines/availability-set-overview
When more than five virtual machines are configured within a single availability set, the sixth virtual machine is placed into the same update
domain as the first virtual machine, the seventh in the same update domain as the second virtual machine, and so on.
You would have only 2 update domains. When one of them is is maintenance you would not have 8 available.
upvoted 1 times
 
tita_tovenaar
you have five update domains, leaving 8 machines available if one domain reboots. A is correct
upvoted 1 times
 
Delanase
4 months ago
one Availability Set that has 10 update domains and 2 fault domain
upvoted 1 times
 
tita_tovenaar
not possible. 2 fault domains limits your update domains to 2
upvoted 1 times
 
sjoerdstefma
Correct Answer is C: In a planned maintenance when you have 5 update domains 4 are accessible while the 5th is updated and rebooted . So if you
have 10 UD 2 vms will be rebooted while 8 will be accessible .
0 1 2 3 4 5 --> 5 is Off
0 1 2 3 4 5 --> 5 is Off
upvoted 2 times
 
mkoprivnj
A is correct!
upvoted 1 times
 
Tranquillo1811
definitely A is correct answer.
A new VM scale set is deployed with a default of 5 fault domains.
10 -10/5 = 8
upvoted 2 times
 
Cippunk
5 months ago
Fedztedz is right, you cannot have 10 updated domains and just 1 fault domain. Azure sets the update domain automatically to 1 when fault
domain is 1.
upvoted 5 times
 
xayay74894
5 months ago
planned maintenance ---> update domain, so all fault domain answers are out
upvoted 5 times
 
Tranquillo1811
nope! Azure maintanance = Hardware Maintenance. So fault domains are what actually matters here...
upvoted 1 times
 
dupakonia
not true, xayay74894 is correct
upvoted 4 times
 
nfett
reference this for answer being A. https://docs.microsoft.com/en-us/learn/modules/build-app-with-scale-sets/2-features-benefits-virtual-machine-
scale-sets
upvoted 1 times
Solution: You create an event subscription on VM1. You create an alert in Azure Monitor and specify VM1 as the source
A.
Yes
B.
No
Correct Answer:
B
Instead: You create an Azure Log Analytics workspace and configure the data settings. You install the Microsoft Monitoring Agent on VM1. You
create an alert in
Reference:
 
mlantonis
Highly Voted 
5 months ago
You need to specify Log Analytics as the source for this alert, and not the VM as source for the alert.
1. You create an Azure Log Analytics workspace and configure the data settings.
2. You install the Microsoft Monitoring Agent on VM1.
3. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.
Reference:
upvoted 23 times
 
Pniaq
Highly Voted 
I can confirm, answer is correct.
upvoted 13 times
 
ohana
Most Recent 
4 days, 6 hours ago
Took the exam today on 17 Oct. This question came out. Ans: No
upvoted 1 times
 
AubinBakana
3 weeks, 1 day ago
What's an event subscription? :)
upvoted 1 times
 
AubinBakana
Haha... They should have kept these questions together.
upvoted 1 times
 
mkoprivnj
No is correct!
upvoted 2 times
 
nfett
per https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview answer is correct.
upvoted 1 times
 
ms70743
7 months ago
Answer is correct.
Need to specify the Log Analytics workspace as the source, not VM.
upvoted 2 times
 
ZUMY
No :
You create an Azure Log Analytics workspace and configure the data settings. You install the Microsoft Monitoring Agent on VM1. You create an
alert in
Azure Monitor and specify the Log Analytics workspace as the source
upvoted 1 times
 
toniiv
8 months ago
Answer B. is correct. You need to specify Log Analytics as the source for this alert, and not the VM as source for the alert.
upvoted 1 times
 
TheOne1
Correct - you need log analytics workspace
upvoted 2 times
You have an Azure virtual machine named VM1. VM1 was deployed by using a custom Azure Resource Manager template named ARM1.json.
You receive a notification that VM1 will be affected by maintenance.
You need to move VM1 to a different host immediately.
Solution: From the Overview blade, you move the virtual machine to a different subscription.
A.
Yes
B.
No
Correct Answer:
B
You would need to redeploy the VM.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/redeploy-to-new-node
 
mlantonis
Highly Voted 
5 months ago
Changing Subscription won't affect the downtime, it will just you change the billing. You would need to redeploy the VM. After you redeploy a VM,
the temporary disk is lost, and dynamic IP addresses associated with virtual network interface are updated.
From Overview there is no option to move the VM to another hardware to skip the maintenance.
Ideally you need an Availability Set and defining the Update Domains.
Reference:
upvoted 30 times
 
fedztedz
Highly Voted 
Answer is correct . NO (B)
Changing Subscription won't change any change for the downtime, Just you change the billing
upvoted 21 times
 
AubinBakana
Most Recent 
You redeploy the machine. Azure fundamental question
upvoted 1 times
 
mkoprivnj
No is correct!
upvoted 1 times
 
mg
No! changing the subscription is not the solution you need to redeploy the vm
upvoted 2 times
 
ZUMY
No is correct :
Can Redeploy
upvoted 2 times
 
waterzhong
Set-AzVM -Redeploy -ResourceGroupName "myResourceGroup" -Name "myVM"
upvoted 2 times
 
toniiv
8 months ago
Answer B. is correct. From Overview there is no option to move the VM to another hardware to skip the maintenance. Also Re-deploying a new VM
doesnt guaranty you that new VM will be placed in different Update Domain, you can only set this by creating an Availability Set and defining the
Update Domains.
upvoted 3 times
 
toniiv
8 months ago
Sorry, re-deploying the VM will also change the HW host as I am reading on: https://docs.microsoft.com/en-us/azure/virtual-
machines/windows/redeploy-to-new-node
upvoted 2 times
 
prashantjoge
redeploying does not make sense because 1) its a custom template 2) if the notification came from azure, isnt that why we have update domains
upvoted 2 times
 
vikki
According to the question: "You need to move VM1 to a different host immediately."
So the solution will be redeploy the VM.
After you redeploy a VM, the temporary disk is lost and dynamic IP addresses associated with virtual network interface are updated.
upvoted 4 times
 
gekkehenkie84
you actually do a redeploy from the blade, which changes hardware. Happened to me once on our staging environment, works like a charm.
upvoted 4 times
 
prashantjoge
the answer makes no sense. We need to redeploy but the answer is B?
upvoted 2 times
 
aaa112
10 months ago
I do not get what you don't get. "Solution: From the Overview blade, you move the virtual machine to a different subscription." as the real
solution is to redeploy the machine, then the provided solution is false, hence B. Does it make sense?
upvoted 2 times
 
_Jue_13
11 months ago
Exam on 18 nov 2020.
upvoted 3 times
 
DA0410
1 year ago
I mean correct answer is B.
upvoted 8 times
 
DA0410
1 year ago
correct. we need toredeply vm
upvoted 6 times

Az 104 Part1

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Az 104 Part1

Uploaded by

Copyright:

Available Formats

10/21/21, 5:55 PM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 Custom View Settings

Topic 1 - Question Set 1

All VMs are located in RG1.

You want to associate each VM with its respective department.

What should you do?

Passed my exam today. got 900/1000

According to this article, tagging can be used for departmental Identification.

Your company has an Azure Active Directory (Azure AD) subscription.

You want to implement an Azure AD conditional access policy.

Does the solution meet the goal?

1- the best way to enforce MFA is by Conditional Access

2- the device has to be identified by azure AD as A AD joined Device.

3- the trusted ip must be configured.

To achieve the goal, we need 2 policy:

Conditional Access: Require MFA for administrators

I couldn't test in my free lab since I have no AZ AD.

Your company has an Azure Active Directory (Azure AD) subscription.

You want to implement an Azure AD conditional access policy.

Does the solution meet the goal?

You alter the grant control, not session control

We need to use Grant Control and NOT the Session Control

Your company has an Azure Active Directory (Azure AD) subscription.

You want to implement an Azure AD conditional access policy.

Does the solution meet the goal?

I did this in lab step by step:

- The Answer "A" is correct

Seems to indicate that answer D is correct. Use Az VM create.

Does the solution meet the goal?

Does the solution meet the goal?

Does the solution meet the goal?

You have a server named DirSync1 that is configured as a DirSync server.

Solution: You run the Start-ADSyncSyncCycle -PolicyType Initial PowerShell cmdlet.

Does the solution meet the goal?

delta:synchronize changes since last full synchronization

Start-ADSyncSyncCycle -policy initial

Full sync cycle

A full sync cycle includes the following steps:

Full Import on all Connectors

Full Sync on all Connectors

Export on all Connectors

Based on the work "immediately" I would say the answer is NO.

Delta sync should be used since initial will do full sync.

Question #10 Topic 1

You have a server named DirSync1 that is configured as a DirSync server.

Does the solution meet the goal?

2. Select RUN on the ACTIONS pane.

Start-ADSyncSyncCycle -PolicyType Delta

Question #11 Topic 1

You have a server named DirSync1 that is configured as a DirSync server.

Solution: You restart the NetLogon service on a domain controller.

Does the solution meet the goal?

Question #12 Topic 1

Your company has a Microsoft Azure subscription.

The company has datacenters in Los Angeles and New York.

You need to recommend an Azure storage redundancy option.

You have the following data storage requirements:

✑ Data must be stored on multiple nodes.

✑ Data must be stored on nodes in separate geographic locations.

‫ג‬€opt-in‫ג‬€ feature which requires the storage account be geo-replicated.

Geo-redundant storage (GRS)

Read-access geo-redundant storage (RA-GRS)

Read-access geo-redundant storage (RA-GRS)