Free Microsoft AZ-104 Exam Questions (page: 9)

You have 15 Azure subscriptions.
You have a Microsoft Entra tenant that contains a security group named Group1. You plan to purchase additional Azure subscriptions.
You need to ensure that Group1 can manage role assignments for the existing subscriptions and the planned subscriptions. The solution must meet the following requirements:
Use the principle of least privilege. Minimize administrative effort.
What should you do?

  1. Assign Group1 the Owner role for the root management group.
  2. Assign Group1 the User Access Administrator role for the root management group.
  3. Create a new management group and assign Group1 the User Access Administrator role for the group.
  4. Create a new management group and assign Group1 the Owner role for the group.

Answer(s): B

Explanation:

The User Access Administrator role enables the user to grant other users access to Azure resources. This switch can be helpful to regain access to a subscription.
Management groups give you enterprise-grade management at scale no matter what type of subscriptions you might have.
Each directory is given a single top-level management group called the "Root" management group. This root management group is built into the hierarchy to have all management groups and subscriptions fold up to it. This root management group allows for global policies and Azure role assignments to be applied at the directory level.
Incorrect:
Not C: A few directories that started using management groups early in the preview before June 25 2018 could see an issue where not all the subscriptions were within the hierarchy. The process to have all subscriptions in the hierarchy was put in place after a role or policy assignment was done on the root management group in the directory.


Reference:

https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles
https://docs.microsoft.com/en-us/azure/governance/management-groups/overview
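Why answer B rather than A satisfies least privilege can be checked by evaluating each role's Actions and NotActions against the operations the task needs. The following is an added example, not part of the original question set; the role permissions are the ones Microsoft publishes for the two built-in roles, and the probe operations and helper names are chosen here for illustration.

```python
import re

# Permissions of the two built-in roles named in the answer options.
OWNER = {"Actions": ["*"], "NotActions": []}
USER_ACCESS_ADMINISTRATOR = {
    "Actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
    "NotActions": [],
}

# What Group1 needs in order to manage role assignments.
REQUIRED = [
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
]

# Illustrative write/delete probes (assumption: picked for this example).
# Read operations are left out because both roles grant */read.
PROBES = REQUIRED + [
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Storage/storageAccounts/write",
    "Microsoft.Resources/subscriptions/resourceGroups/delete",
]


def _matches(pattern, operation):
    # '*' in a role definition matches any run of characters; case-insensitive.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def allows(role, operation):
    """An operation is allowed if it matches Actions and no NotActions entry."""
    granted = any(_matches(p, operation) for p in role["Actions"])
    excluded = any(_matches(p, operation) for p in role["NotActions"])
    return granted and not excluded


def excess_operations(role, required, probes):
    """Probe operations the role allows beyond what the task requires."""
    return [op for op in probes if allows(role, op) and op not in required]


if __name__ == "__main__":
    for name, role in (("Owner", OWNER),
                       ("User Access Administrator", USER_ACCESS_ADMINISTRATOR)):
        covered = all(allows(role, op) for op in REQUIRED)
        print(name, "covers task:", covered,
              "excess:", excess_operations(role, REQUIRED, PROBES))
```

Both roles cover the task, but only Owner also allows the resource write and delete probes.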



HOTSPOT (Drag and Drop is not supported)
You have an Azure subscription that contains the hierarchy shown in the following exhibit.


You create an Azure Policy definition named Policy1.
To which Azure resources can you assign Policy1 and which Azure resources can you specify as exclusions from Policy1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: Tenant Root Group, ManagementGroup1, Subscription1, RG1, and VM1
Once your business rules have been formed, the policy definition or initiative is assigned to any scope of resources that Azure supports, such as management groups, subscriptions, resource groups, or individual resources.
Note: Azure provides four levels of scope: management groups, subscriptions, resource groups, and resources. The following image shows an example of these layers.


Box 2: ManagementGroup1, Subscription1, RG1, and VM1
You can exclude a subscope from the assignment.


Reference:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview



Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following users in a Microsoft Entra tenant named contoso.onmicrosoft.com:


User1 creates a new Microsoft Entra tenant named external.contoso.onmicrosoft.com. You need to create new user accounts in external.contoso.onmicrosoft.com.
Solution: You instruct User2 to create the user accounts. Does that meet the goal?

  1. Yes
  2. No

Answer(s): B



Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following users in a Microsoft Entra tenant named contoso.onmicrosoft.com:


User1 creates a new Microsoft Entra tenant named external.contoso.onmicrosoft.com. You need to create new user accounts in external.contoso.onmicrosoft.com.
Solution: You instruct User4 to create the user accounts. Does that meet the goal?

  1. Yes
  2. No

Answer(s): B

Explanation:

Only a global administrator can add users to this tenant.


Reference:

https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/add-users-to-azure-ad



Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following users in a Microsoft Entra tenant named contoso.onmicrosoft.com:


User1 creates a new Microsoft Entra tenant named external.contoso.onmicrosoft.com. You need to create new user accounts in external.contoso.onmicrosoft.com.
Solution: You instruct User3 to create the user accounts. Does that meet the goal?

  1. Yes
  2. No

Answer(s): B

Explanation:

Only a global administrator can add users to this tenant.


Reference:

https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/add-users-to-azure-ad



You have two Azure subscriptions named Sub1 and Sub2 that are linked to the same Microsoft Entra tenant.
An administrator creates a custom role that has an assignable scope to a resource group named RG1 in Sub1.
You need to ensure that you can apply the custom role to any resource group in Sub1 and Sub2. The solution must minimize administrative effort.
What should you do?

  1. Select the custom role and add Sub1 and Sub2 to the assignable scopes. Remove RG1 from the assignable scopes.
  2. Create a new custom role for Sub1. Create a new custom role for Sub2. Remove the role from RG1.
  3. Create a new custom role for Sub1 and add Sub2 to the assignable scopes. Remove the role from RG1.
  4. Select the custom role and add Sub1 to the assignable scopes. Remove RG1 from the assignable scopes. Create a new custom role for Sub2.

Answer(s): A

Explanation:

Can be used as:
"AssignableScopes": [ "/subscriptions/{Sub1}", "/subscriptions/{Sub2}" ]
Note: Custom role example:
The following shows what a custom role looks like as displayed using Azure PowerShell in JSON format. This custom role can be used for monitoring and restarting virtual machines.
{
  "Name": "Virtual Machine Operator",
  "Id": "88888888-8888-8888-8888-888888888888",
  "IsCustom": true,
  "Description": "Can monitor and restart virtual machines.",
  "Actions": [
    "Microsoft.Storage/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Authorization/*/read",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Insights/diagnosticSettings/*",
    "Microsoft.Support/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId1}",
    "/subscriptions/{subscriptionId2}",
    "/providers/Microsoft.Management/managementGroups/{groupId1}"
  ]
}


Reference:

https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
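The effect of option A can be checked by testing candidate assignment scopes against the role's AssignableScopes before and after the change. This is an added example, not part of the original question set; the subscription IDs are constructed placeholders, RG2 and RG9 are hypothetical resource groups, and management-group scopes are not modelled.

```python
# Constructed placeholder IDs: the page names the subscriptions only as Sub1 and Sub2.
SUB1 = "/subscriptions/11111111-1111-1111-1111-111111111111"
SUB2 = "/subscriptions/22222222-2222-2222-2222-222222222222"

# The role as the administrator created it: assignable only at RG1 in Sub1.
ROLE_BEFORE = {
    "Name": "Virtual Machine Operator",
    "IsCustom": True,
    "AssignableScopes": [SUB1 + "/resourceGroups/RG1"],
}


def segments(scope):
    """Split a scope ID into lower-cased path segments (scope IDs are case-insensitive)."""
    return [part.lower() for part in scope.strip("/").split("/")]


def is_assignable(role, scope):
    """True if `scope` equals, or sits beneath, one of the role's AssignableScopes."""
    target = segments(scope)
    for allowed in role["AssignableScopes"]:
        prefix = segments(allowed)
        # Compare whole segments so a look-alike subscription ID cannot
        # match by plain string prefix.
        if target[:len(prefix)] == prefix:
            return True
    return False


def widen_to_subscriptions(role, subscription_scopes):
    """Option A: same role definition, RG1 replaced by the subscription scopes."""
    updated = dict(role)
    updated["AssignableScopes"] = list(subscription_scopes)
    return updated


ROLE_AFTER = widen_to_subscriptions(ROLE_BEFORE, [SUB1, SUB2])

if __name__ == "__main__":
    # RG2 and RG9 are hypothetical resource groups used only for this check.
    for rg in (SUB1 + "/resourceGroups/RG1", SUB1 + "/resourceGroups/RG2",
               SUB2 + "/resourceGroups/RG9"):
        print(rg, is_assignable(ROLE_BEFORE, rg), is_assignable(ROLE_AFTER, rg))
```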



You have an Azure Subscription that contains a storage account named storageacct1234 and two users named User1 and User2.
You assign User1 the roles shown in the following exhibit.


Which two actions can User1 perform? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

  1. Assign roles to User2 for storageacct1234.
  2. Upload blob data to storageacct1234.
  3. Modify the firewall of storageacct1234.
  4. View blob data in storageacct1234.
  5. List files in file shares in storageacct1234.

Answer(s): B,D



You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1.
You need to view the error events from a table named Event.
Which query should you run in Workspace1?

  1. select * from Event where EventType == "error"
  2. Event | search "error"
  3. Event | where EventType is "error"
  4. Get-Event Event | where {$_.EventType == "error"}

Answer(s): B

Explanation:

The search operator provides a multi-table/multi-column search experience.
The syntax is:
Table_name | search "search term"
Note:
There are several versions of this question in the exam. The question has three possible correct answers:
1. search in (Event) "error"
2. Event | search "error"
3. Event | where EventType == "error"
Other incorrect answer options you may see on the exam include the following:
1. Get-Event Event | where {$_.EventType -eq "error"}
2. Event | where EventType is "error"
3. select * from Event where EventType is "error"
4. search in (Event) * | where EventType -eq "error"


Reference:

https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/search-queries





