AZ-104 - Practice Exam Answers

[Llulian]

Estoy tomando un examen de práctica para la certificación AZ-104 de Azure. Les voy a dejar aquí las preguntas, las respuestas y tal vez la documentación que respalda cada respuesta.

El tema estará cerrado por el momento mientras organizo todo.

 

[Llulian]

You have an Azure subscription.
From PowerShell, you run the Get-MgUser cmdlet for a user and receive the following details:

• Id: 8755b347-3545-3876-3987-999999999999
• DisplayName: Ben Smith
• Mail: [email protected]
• UserPrincipalName: bsmith_contoso.com#EXT#@fabrikam.com

Which statement accurately describes the user?
Select only one answer.

• The user account is disabled.
• The user is a guest in the tenant.
• The user is assigned an administrative role.
• The user is deleted.

Spoiler: Answer

The user is a guest in the tenant.

For guest users, the user principal name (UPN) will contain the email of the guest user (bsmith_contoso.com) followed by #EXT# followed by the domain name of the tenant (@fabrikam.com). Regular Microsoft Entra users appear in a format of [email protected].

• B2B collaboration overview - Azure AD - Microsoft Entra | Microsoft Learn
• Create Azure users and groups in Azure Active Directory - Training | Microsoft Learn

 

[Llulian]

Your Microsoft Entra tenant and on-premises Active Directory domain contain multiple users.

You need to configure self-service password reset (SSPR) password writeback functionality. The solution must minimize costs.

Which Microsoft Entra ID edition should you use?
Select only one answer.

• Microsoft Entra ID Free
• Microsoft Entra ID P1
• Microsoft Entra ID P2

Spoiler: Answer

Microsoft Entra ID P1


Only Microsoft Entra ID P1 and P2 support SSPR, but Microsoft Entra ID P1 is the lower-cost option.

• Enable Azure Active Directory self-service password reset - Microsoft Entra | Microsoft Learn
• What is self-service password reset in Azure Active Directory? - Training | Microsoft Learn

 

[Llulian]

You have an Azure subscription that contains multiple users and administrators.

You are creating a new custom role by using the following JSON.

{

  "Name": "Custom Role",
  "Id": null,
  "IsCustom": true,
  "Description": "Custom Role description",

  "Actions": [
    "Microsoft.Compute/*/read",
    “Microsoft.Compute/snapshots/write”,
    “Microsoft.Compute/snapshots/read”,
    "Microsoft.Support/*"
  ],

  "NotActions": [
  “Microsoft.Compute/snapshots/delete”
  ],

  "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000",
    "/subscriptions/11111111-1111-1111-1111-111111111111"
  ]

}

Which three actions can be performed by a user that is assigned the custom role? Each correct answer presents a complete solution.

• Call Microsoft Support.
• Create and delete a snapshot.
• Create and read a snapshot.
• Create virtual machines.
• Read all virtual machine settings.

Spoiler: Answer

• Call Microsoft Support.
• Create and read a snapshot.
• Read all virtual machine settings.

The role can read all compute resources, call Microsoft support roles, and allow the creation and reading of a snapshot.

• Azure custom roles - Azure RBAC | Microsoft Learn
• Configure role-based access control - Training | Microsoft Learn

 

[Llulian]

You have the following resource groups, management groups, and Azure subscriptions:

• Two resource groups named RG1 and RG2 that are associated with a subscription named 111-222-333 and a management group named MG1
• Two resource groups named RG3 and RG4 that are associated with a subscription named 777-888-999 and a management group named MG1
• Two resource groups named RG5 and RG6 that are associated with a subscription named 444-555-666 and a management group named MG1
• Two resource group named RG10 and RG11 that are associated with a subscription named 222-333-444 and a management group named MG2
• Two resource group named RG11 and RG12 that are associated with a subscription named 555-666-888 and a management group named MG2

You need to assign a role to a user to ensure the user can view all the resources in the subscriptions. The solution must use the principle of least privilege.

Which role should you assign?
Select only one answer.

• The Billing Reader role for all the subscriptions
• The Billing Reader role for MG1 and MG2
• The Contributor role for MG1 and MG2
• The Reader role for MG1 and MG2

Spoiler: Answer

• The Reader role for MG1 and MG2

Assigning the Reader role for MG1 and MG2 is correct because the simplest way to give user access to all resources is to assign a role at the management group level.

• Steps to assign an Azure role - Azure RBAC | Microsoft Learn
• Configure role-based access control - Training | Microsoft Learn

 

[Llulian]

You need to create an Azure Storage account that supports the Azure Data Lake Storage Gen2 capabilities.
Which two types of storage accounts can you use? Each correct answer presents a complete solution.

• premium block blobs
• premium file shares
• standard general-purpose v2
• premium page blobs

Spoiler: Answer

• premium block blobs
• standard general-purpose v2

To support Data Lake Storage, the storage account must support blob storage, which is available as standard general-purpose v2 and premium block blobs. Additionally, when you create the storage account, you must enable the hierarchical namespace.

• Create a storage account for Azure Data Lake Storage Gen2 - Azure Storage | Microsoft Learn
• Determine storage account types - Training | Microsoft Learn

 

[Llulian]

You have an Azure Storage account named corpimages and an on-premises shared folder named \\server1\images.
You need to migrate all the contents from \\server1\images to corpimages.

Which two commands can you use? Each correct answer presents a complete solution?
Select all answers that apply.

• Azcopy copy \\server1\images https://corpimages.blob.core.windows.net/public -recursive
• Azcopy sync \\server1\images https://corpimages.blob.core.windows.net/public -recursive
• Get-ChildItem -Path \\server1\images -Recurse | Set-AzStorageBlobContent -Container " corpimages"
• Set-AzStorageBlobContent -Container "ContosoUpload" -File "\\server1\images" -Blob " corporateimages"

Spoiler: Answer

• Azcopy copy \\server1\images https://corpimages.blob.core.windows.net/public -recursive
• Get-ChildItem -Path \\server1\images -Recurse | Set-AzStorageBlobContent -Container " corpimages"

The AzCopy command allows you to copy all files to a storage account. You then use Get-ChildItem with the path parameter, recurse to select everything, and then use the Set-AzureStorageBlobContent cmdlet.

• Copy or move data to Azure Storage by using AzCopy v10 | Microsoft Learn
• Set-AzureStorageBlobContent (Azure.Storage) | Microsoft Learn
• Upload, download, and manage data with Azure Storage Explorer - Training | Microsoft Learn

 

[Llulian]

You have an Azure Storage account.
You need to copy data to the storage account by using the AzCopy tool.
Which two types of data storage are supported by AzCopy? Each correct answer presents a complete solution.

• blob
• file
• queue
• table

Spoiler: Answer

• blob
• file

You can provide authorization credentials by using Microsoft Entra, or by using a shared access signature (SAS) token. Both storage types, blob and file, are supported in AzCopy.

• Copy or move data to Azure Storage by using AzCopy v10 | Microsoft Learn
• Upload, download, and manage data with Azure Storage Explorer - Training | Microsoft Learn

 

[Llulian]

You have an Azure subscription that contains multiple storage accounts.

A storage account named storage1 has a file share that stores marketing videos. Users reported that 99 percent of the assigned storage is used.

You need to ensure that the file share can support large files and store up to 100 TiB.
Which two PowerShell commands should you run? Each correct answer presents part of the solution.

• New-AzRmStorageShare -ResourceGroupName RG1 -Name -StorageAccountName storage1 -Name share1 -QuotaGiB 100GB
• Set-AzStorageAccount -ResourceGroupName RG1 -Name storage1 -EnableLargeFileShare
• Set-AzStorageAccount -ResourceGroupName RG1 -Name storage1 -Type "Standard_RAGRS"
• Update-AzRmStorageShare -ResourceGroupName RG1 -Name -StorageAccountName storage1 -Name share1 -QuotaGiB 102400

Spoiler: Answer

• Set-AzStorageAccount -ResourceGroupName RG1 -Name storage1 -EnableLargeFileShare
• Update-AzRmStorageShare -ResourceGroupName RG1 -Name -StorageAccountName storage1 -Name share1 -QuotaGiB 102400

You must enable the storage account to support large files and update the storage account quota to 102,400 GB. You do not need to change the type of storage account, and you are updating the existing share.

• Object replication overview - Azure Storage | Microsoft Learn
• Configure Azure Blob Storage - Training | Microsoft Learn

 

[Llulian]

You have an Azure subscription.

From PowerShell, you run the Get-MgUser cmdlet for a user and receive the following details:

• Id: 8755b347-3545-3876-3987-999999999999
• DisplayName: Ben Smith
• Mail: [email protected]
• UserPrincipalName: bsmith_contoso.com#EXT#@fabrikam.com

Which statement accurately describes the user?

Spoiler: Answer

• The user is a guest in the tenant.

For guest users, the user principal name (UPN) will contain the email of the guest user (bsmith_contoso.com) followed by #EXT# followed by the domain name of the tenant (@fabrikam.com). Regular Microsoft Entra users appear in a format of [email protected].

• B2B collaboration overview - Azure AD - Microsoft Entra | Microsoft Learn
• Create Azure users and groups in Azure Active Directory - Training | Microsoft Learn

 

[Llulian]

Your Microsoft Entra tenant and on-premises Active Directory domain contain multiple users.

You need to configure self-service password reset (SSPR) password writeback functionality. The solution must minimize costs.

Which Microsoft Entra ID edition should you use?
Select only one answer.

• Microsoft Entra ID Free
• Microsoft Entra ID P1
• This answer is correct.
• Microsoft Entra ID P2

Spoiler: Answer

• Microsoft Entra ID P1

Only Microsoft Entra ID P1 and P2 support SSPR, but Microsoft Entra ID P1 is the lower cost option.

• Enable Azure Active Directory self-service password reset - Microsoft Entra | Microsoft Learn
• What is self-service password reset in Azure Active Directory? - Training | Microsoft Learn

 

[Llulian]

You have an Azure subscription.

An administrator manages access to resources at the resource group level. The assignment process is automated by running the following PowerShell script nightly.

$rg = "RG1"
$RoleName = "CustomRole1"
$Role = Get-AzRoleDefinition -Name $RoleName
New-AzRoleAssignment -SignInName [email protected] `   
    -RoleDefinitionName $Role.Name `
    -ResourceGroupName $rg

User1 is unable to access the RG1 resource group. You discover that the script fails to complete for new users.

You run Get-AzRoleDefinition | Format-Table -Property Name, Id and receive the following information:

• Name: Custom Role 1, ID: 111-222-333
• Name: Owner, ID: 222-333-444
• Name: Contributor, ID: 333-444-555
• Name: Reader, ID: 666-777-888

You need to modify the script to ensure that it does not fail in the future.

What should you change in the script?

• $Role = Add-AzRoleDefinition -Name $RoleName
• `$Role = Get-AzRoleAssignment -Name $RoleName`
• $Role = Set-AzRoleAssignment -Name $RoleName
• $RoleName = "111-222-333"

Spoiler: Answer

• $RoleName = "111-222-333"

You should use the ID of the role in case the role name was changed to prevent such a change from breaking the script.

• Assign Azure roles using Azure PowerShell - Azure RBAC | Microsoft Learn
• Configure role-based access control - Training | Microsoft Learn

 

[Llulian]

You have an Azure subscription that contains multiple virtual machines.

You need to ensure that a user named User1 can view all the resources in a resource group named RG1. You must use the principle of least privilege.

Which role should you assign to User1?
Select only one answer.

• Billing Reader
• Contributor
• Reader
• Tag Contributor

Spoiler: Answer

• Reader

The Reader role allows you to view all the resources but does not allow you to make any changes. The Contributor role allows you to manage all the resources, the Billing Reader role provides read access only to billing data, and the Tag Contributor role allows you to manage entity tags without providing access to the entities themselves.

• Azure built-in roles - Azure RBAC | Microsoft Learn
• Configure role-based access control - Training | Microsoft Learn

 

[Llulian]

You have an Azure subscription that contains several storage accounts.

You need to provide a user with the ability to perform the following tasks:

• Manage containers within the storage accounts.
• View storage account access keys.

The solution must use the principle of least privilege.

Which role should you assign to the user?
Select only one answer.

• Owner
• Reader
• Storage Account Contributor
• Storage Blob Data Contributor

Spoiler: Answer

• Storage Account Contributor

Storage Account Contributor allows the management of storage accounts. It provides access to the account key, which can be used to access data via Shared Key authorization. Storage Blob Data Contributor grants permissions to read, write, and delete Azure Storage containers and blobs. Reader allows you to view all resources but does not allow you to make any changes. Owner grants full access to manage all resources, including the ability to assign roles in Azure RBAC.

• Azure built-in roles - Azure RBAC | Microsoft Learn
• Configure role-based access control - Training | Microsoft Learn

 

[Llulian]

You have an Azure subscription and a user named User1.

You need to assign User1 a role that allows the user to create and manage all types of resources in the subscription. The solution must prevent User1 from assigning roles to other users.

Which Azure role-based access control (RBAC) role should you assign to User1?
Select only one answer.

• API Management Service Contributor
• Contributor
• Owner
• Reader

Spoiler: Answer

• Contributor

Users with the Contributor role can create and manage all types of resources but cannot delegate new access to other users. Users with the Reader role can view existing Azure resources but cannot perform any action against them. Users with the API Management Service Contributor role can only manage API Management services and APIs. Users with the Owner role provides full access to all resources, including the right to delegate access to others.

• Azure built-in roles - Azure RBAC | Microsoft Learn
• Configure role-based access control - Training | Microsoft Learn

 

[Llulian]

You have an Azure subscription that contains a resource group named RG1. RG1 contains a virtual machine that runs daily reports.

You need to ensure that the virtual machine shuts down when resource group costs exceed 75 percent of the allocated budget.

Which two actions should you perform? Each correct answer presents part of the solution.
Select all answers that apply.

• Create an action group of type Runbook, and then select Scale Up VM.
• Create an action group of type Runbook, and then select **Stop VM** as an action.
• From Cost Management + Billing, create a new cost analysis.
• From Cost Management + Billing, modify the Budgets settings.

Spoiler: Answer

• Create an action group of type Runbook, and then select **Stop VM** as an action.
• From Cost Management + Billing, modify the Budgets settings.

You must go to Cost Management + Billing, and then Budgets to edit the budget associated with the resource group resources. You must also create a new action group of the Runbook type, and then choose Stop VM as an action. The cost analysis will not stop the virtual machine from running and the Scale Up VM action group is not required.

• Tutorial - Create and manage Azure budgets - Microsoft Cost Management | Microsoft Learn
• Configure subscriptions - Training | Microsoft Learn

 

[Llulian]

You have an Azure subscription that contains hundreds of virtual machines that were migrated from a local datacenter.

You need to identify which virtual machines are underutilized.

Which Azure Advisor settings should you use?
Select only one answer.

• Cost
• High Availability
• Operational Excellence
• Performance

Spoiler: Answer

The Cost blade allows you to optimize and reduce your overall Azure spending. You can use this to identify the virtual machines that are underutilized. The Performance blade allows you to improve the speed of your applications. High availability is unavailable via Azure Advisor. Operational Excellence helps you achieve process and workflow efficiency, resource manageability, and deployment best practices.

• Introduction to Azure Advisor - Training | Microsoft Learn

 

[Llulian]

You have several management groups and Azure subscriptions.

You want to prevent the accidental deletion of resources.

To which three resource types can you apply delete locks? Each correct answer presents a complete solution.
Select all answers that apply.

• management groups
• resource groups
• storage account data
• subscriptions
• virtual machines

Spoiler: Answer

• resource groups
• subscriptions
• virtual machines

You can use delete locks to block the deletion of virtual machines, subscriptions, and resource groups. You cannot use delete locks on management groups or storage account data.

• Protect your Azure resources with a lock - Azure Resource Manager | Microsoft Learn
• Use Azure Resource Manager - Training | Microsoft Learn

 

[Llulian]

You have an Azure subscription.

You plan to create an Azure Policy definition named Policy1.

You need to include remediation information to indicate when users use Microsoft Defender for Cloud Regulatory and Compliance.

To which definition section should you add remediation information for Policy1?
Select only one answer.

• metadata
• mode
• parameters
• policyRule

Spoiler: Answer

• metadata

You must use the RemediationDescription field in the metadata section from properties to specify a custom recommendation. The remaining options are Azure policies, but do not allow specific custom remediation information.

• Create custom Azure security policies in Microsoft Defender for Cloud | Microsoft Learn
• Improve incident response with alerting on Azure - Training | Microsoft Learn

 

[Llulian]

You have an Azure subscription that contains the following virtual networks:

• VNet1 has an IP address range of 192.168.0.0/24.
• VNet2 has an IP address range of 10.10.0.0/24.
• VNet3 has an IP address range of 192.168.0.0/16.

You need configure virtual network peering.

Which two peerings can you create? Each correct answer presents complete solution.
Select all answers that apply.

• VNet1 can be peered with VNet2.
• VNet1 can be peered with VNet3.
• VNet2 can be peered with VNet3.
• VNet3 can be peered with VNet1.

Spoiler: Answer

• VNet1 can be peered with VNet2.
• VNet2 can be peered with VNet3.

VNet1 and VNet2 have non-overlapping IP addresses. For virtual network peering, both virtual networks must have non-overlapping IP addresses.

• Azure Virtual Network peering | Microsoft Learn
• Configure virtual network peering - Training | Microsoft Learn