Free Microsoft AZ-104 Exam Questions

You have an Azure App Services web app named App1. You plan to deploy App1 by using Web Deploy.
You need to ensure that the developers of App1 can use their Microsoft Entra credentials to deploy content to App1. The solution must use the principle of least privilege.
What should you do?

  A. Assign the Owner role to the developers
  B. Configure app-level credentials for FTPS
  C. Assign the Website Contributor role to the developers
  D. Configure user-level credentials for FTPS

Answer(s): C



Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a Microsoft Entra tenant named contoso.com.
You have a CSV file that contains the names and email addresses of 500 external users. You need to create a guest user account in contoso.com for each of the 500 external users.
Solution: From Microsoft Entra ID in the Azure portal, you use the Bulk invite users operation.
Does this meet the goal?

  A. Yes
  B. No

Answer(s): B

Explanation:

Use the New-AzureADMSInvitation cmdlet, which is used to invite a new external user to your directory.
Reference:
https://docs.microsoft.com/en-us/powershell/module/azuread/new-azureadmsinvitation



HOTSPOT (Drag and Drop is not supported)
You have an Azure subscription that is linked to a Microsoft Entra tenant. The tenant contains the custom role-based access control (RBAC) roles shown in the following table.


From the Azure portal, you need to create two custom roles named Role3 and Role4. Role3 will be an Azure subscription role. Role4 will be a Microsoft Entra role.
Which roles can you clone to create the new roles? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

  A. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: Role1 and built-in Azure subscription roles only. Role3 will be an Azure subscription role.
Note: Clone a role
If an existing role does not quite have the permissions you need, you can clone it and then modify the permissions. Follow these steps to start cloning a role.
1. In the Azure portal, open a subscription or resource group where you want the custom role to be assignable and then open Access control (IAM).
The following screenshot shows the Access control (IAM) page opened for a subscription.
2. Click the Roles tab to see a list of all the built-in and custom roles.
3. Search for a role you want to clone such as the Billing Reader role.
4. At the end of the row, click the ellipsis (...) and then click Clone.
This opens the custom roles editor with the Clone a role option selected.

Box 2: Built-in Microsoft Entra roles only
Role4 will be a Microsoft Entra role.


Reference:

https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles-portal



DRAG DROP (Drag and Drop is not supported)
You have an Azure subscription named Sub1 that contains two users named User1 and User2.
You need to assign role-based access control (RBAC) roles to User1 and User2. The users must be able to perform the following tasks in Sub1:
• User1 must view the data in any storage account.
• User2 must assign users the Contributor role for storage accounts.
The solution must use the principle of least privilege.
Which RBAC role should you assign to each user? To answer, drag the appropriate roles to the correct users. Each role may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:

  A. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: Reader and Data Access
User1 must view the data in any storage account.
RBAC Reader and Data Access
Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys.
Box 2: Owner
User2 must assign users the Contributor role for storage accounts.
Owner - Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
Incorrect:
Contributor
Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.
Storage Account Contributor
Permits management of storage accounts. Provides access to the account key, which can be used to access data via Shared Key authorization.


Reference:

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#storage-account-contributor



You have an Azure subscription that contains 10 virtual machines, a key vault named Vault1, and a network security group (NSG) named NSG1. All the resources are deployed to the East US Azure region.
The virtual machines are protected by using NSG1. NSG1 is configured to block all outbound traffic to the internet.
You need to ensure that the virtual machines can access Vault1. The solution must use the principle of least privilege and minimize administrative effort.
What should you configure as the destination of the outbound security rule for NSG1?

  A. an application security group
  B. a service tag
  C. an IP address range

Answer(s): B

Explanation:

Virtual network service tags
A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules.
Available service tags
The following table includes all the service tags available for use in network security group rules. The columns indicate whether the tag:
• Is suitable for rules that cover inbound or outbound traffic.
• Supports regional scope.
• Is usable in Azure Firewall rules as a destination rule only for inbound or outbound traffic.
Service Tag: AzureKeyVault
• Purpose: Azure Key Vault.
• Suitable for: Outbound traffic
• Can be regional
• Can use Azure Firewall
Etc.
Reference:
https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview



You have a Microsoft Entra tenant named adatum.com that contains the groups shown in the following table.


Adatum.com contains the users shown in the following table.


You assign the Microsoft Entra ID P2 license to Group1 and User4. Which users are assigned the Microsoft Entra ID P2 license?

  A. User4 only
  B. User1 and User4 only
  C. User1, User2, and User4 only
  D. User1, User2, User3, and User4

Answer(s): B

Explanation:

* User1 is a member of Group1, which has the Microsoft Entra ID P2 license directly assigned to it.
* User4 has the license directly assigned to it.
Note: Assign licenses to users or groups
Make sure that anyone needing to use a licensed Microsoft Entra service has the appropriate license. You can add the licensing rights to users or to an entire group.


Reference:

https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/license-users-groups



HOTSPOT (Drag and Drop is not supported)
You have a Microsoft Entra tenant named contoso.com.
You have two external partner organizations named fabrikam.com and litwareinc.com. Fabrikam.com is configured as a connected organization.
You create an access package as shown in the Access package exhibit. (Click the Access package tab.)


You configure the external user lifecycle settings as shown in the Lifecycle exhibit. (Click the Lifecycle tab.)


For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

  A. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: Yes
The access package includes the setting: Users who can request access: All configured connected organizations. This allows users in connected organizations (other directories and domains) to request this access package.
Box 2: No
From the first exhibit we see that access package assignments expire after 365 days.
From the second exhibit, however, we see that there is a further delay of 30 days before users are removed from Group1.
Box 3: Yes
365+30 days is 395 days. Users will be removed after 395 days.


Reference:

https://learn.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-access-package-first



You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1.
Subscription1 has a user named User1. User1 has the following roles:
• Reader
• Security Admin
• Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users. What should you do?

  A. Assign User1 the Network Contributor role for VNet1.
  B. Remove User1 from the Security Reader role for Subscription1. Assign User1 the Contributor role for RG1.
  C. Assign User1 the Owner role for VNet1.
  D. Assign User1 the Network Contributor role for RG1.

Answer(s): C

Explanation:

Owner role - Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
Incorrect:
Not A, Not D:
Network Contributor
Lets you manage networks, but not access to them.
Actions:
• Microsoft.Authorization/*/read - Read roles and role assignments
• Microsoft.Insights/alertRules/* - Create and manage a classic metric alert
• Microsoft.Network/* - Create and manage networks
• Microsoft.ResourceHealth/availabilityStatuses/read - Gets the availability statuses for all resources in the specified scope
• Microsoft.Resources/deployments/* - Create and manage a deployment
• Microsoft.Resources/subscriptions/resourceGroups/read - Gets or lists resource groups.
• Microsoft.Support/* - Create and update a support ticket
Not B:
Contributor role - Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.


Reference:

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles


