0% found this document useful (0 votes)

642 views222 pages

Az-104-Part1-New Module

az-104-part1

Uploaded by

Qwerty

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

642 views222 pages

Az-104-Part1-New Module

az-104-part1

Uploaded by

Qwerty

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 222

6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

-
Expert Verified, Online, Free.

 Custom View Settings

Topic 1 - Question Set 1

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 1/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #1 Topic 1

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:

User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.

You need to create new user accounts in external.contoso.onmicrosoft.com.

Solution: You instruct User2 to create the user accounts.

Does that meet the goal?

A.
Yes

B.
No

Correct Answer:
A

Only a global administrator can add users to this tenant.

Reference:

https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/add-users-to-azure-ad

 
Matkes
Highly Voted 
6 months, 3 weeks ago
No, as user3 is user admin in contoso.onmicrosoft.com tenant and has no rights in external.contoso.onmicrosoft.com
upvoted 35 times

 
JamesP
Highly Voted 
6 months, 3 weeks ago
From the referenced Microsoft doc: To add or delete users you must be a User administrator or Global administrator.

Answer should be A
upvoted 15 times

 
Miles19
2 months, 3 weeks ago
The user3 is the user admin, but for another tenant - contoso.onmicrosoft.com. Therefore, he can't add users to the new tenant, because he
doesn't have access to that tenant.
upvoted 6 times

 
Sandroal29
4 months ago
Incorrect, your answer would be true if we've been talking about the same tenant, but it's a new one, so user3 won't even see this new tenant.
The right answer is B.
upvoted 10 times

 
ArgiDio
6 months ago
external.contoso... is another tenant.

Since it is referring to ANOTHER tenant that only the creator has permissions (unless he assigns to others -there is no such statement) the
answer is "No".
upvoted 13 times

 
rblyellOG
Most Recent 
1 day, 13 hours ago
User 1 is the only Global Admin of the 2nd tenant, User2 us global admin of the main tenant and must be made at least a user admin of the new
tenant to create users in it. User2 can create users in the main tenant but not the new one.
upvoted 1 times

 
Exam_khan
5 days, 19 hours ago
As the User is a global admin he can defo add users global admins have lots of power lol
upvoted 2 times

 
xoe123
1 week ago
NO is the answer

If a non-administrative user of organization 'Contoso' creates a test organization 'Test,' then:

By default, the user who creates a organization is added as an external user in that new organization, and assigned the global administrator role in
that organization.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 2/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

The administrators of organization 'Contoso' have no direct administrative privileges to organization 'Test,' unless an administrator of 'Test'
specifically grants them these privileges. However, administrators of 'Contoso' can control access to organization 'Test' if they control the user
account that created 'Test.'

If you add or remove an Azure AD role for a user in one organization, the change does not affect the roles that the user is assigned in any other
Azure AD organization.

https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/licensing-directory-independence
upvoted 3 times

 
pulsartecno
1 week, 2 days ago
Tenant as no rights to that domain
upvoted 2 times

 
JoeRogersHi
1 week, 3 days ago
Bad question— you can’t create an Azure tenant with a dot in the name... I tried. Plus, this is a child domain, which is a DNS thing, not a new tenant
thing.
upvoted 1 times

 
Deevine78
1 week, 3 days ago
Answer is: No.

When User1 creates the new Azure Active Directory tenant named external.contoso.onmicrosoft.com, apart from his (Global Administrator) account
no other user account is present in this brand new AD.

Directory roles need to be assigned by User1.

upvoted 2 times

 
Ssri
2 weeks, 3 days ago
Consider contoso.onmicrosoft.com as main domain. User1 created external.contoso.onmicrosoft.com tenant and consider this as sub domain.
User1 used ‘external’ prefix for existing tenant that means, all Global Admins have access to all sub tenants (sub domains). As such, answer for this
is ‘YES’.

If User1 created new tenant which doesn’t belong to contoso.onmicrosoft.com, for example, az.onmicrosoft.com then other users don’t have access
to this tenant.
upvoted 5 times

 
RamanAgarwal
2 weeks, 5 days ago
Right answer will No. If you create a new tenant then only you have access to that. User 2 will not be able to see the new tenant when he tries to
switch his directory. Tested this on my Azure account. Created 2 tenants. Added user 2 as GA on tenant1 and logged in. Tried switching to Tenant 2
but couldnt see the tenant. So unless your added to a tenant you cant that tenant thus cant add users.
upvoted 5 times

 
matteoking14
2 weeks, 5 days ago
Answer should be no

From SkillPipe

By default, the user who creates a tenant is added as an external user in that new tenant, and assigned the global administrator role in that tenant.

The administrators of tenant ‘Contoso’ have no direct administrative privileges to tenant 'Test,' unless an administrator of ‘Test’ specifically grants
them these privileges. However, administrators of 'Contoso' can control access to tenant ‘Test’ if they control the user account that created 'Test.'
upvoted 1 times

 
shnz03
2 weeks, 3 days ago
i agree. User2 is a global administrator in the old tenant NOT in the new tenant. Only user1 is the global administrator of the new tenant.

Besides Skillpipe, from MS website

https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/licensing-directory-independence#administrative-independence
upvoted 1 times

 
VVR141
1 week, 4 days ago
all this is ok but have you considered scenario what if the new Tenant is actually created as subdomain of old one ? by the domain in
question it looks that way, if this is correct, then wont all the global admins of old domain extent their privilege scope to subdomain that is
added as external ? is this not a chance ?
upvoted 1 times

 
Tranquillo1811
3 weeks ago
The correct answer here would be B. No!

No other user than User1 has the required rights in the NEW tenant!

User1 is "Global administrator" of the NEWLY CREATED tenant, since she created it...
upvoted 2 times

 
Kanhaiya
3 weeks, 1 day ago
Global Administrator

Users with this role have access to all administrative features in Azure Active Directory, as well as services that use Azure Active Directory identities
like Microsoft 365 security center, Microsoft 365 compliance center, Exchange Online, SharePoint Online, and Skype for Business Online.
Furthermore, Global Administrators can elevate their access to manage all Azure subscriptions and management groups. This allows Global
Administrators to get full access to all Azure resources using the respective Azure AD Tenant. The person who signs up for the Azure AD
organization becomes a Global Administrator. There can be more than one Global Administrator at your company. Global Administrators can reset
the password for any user and all other administrators.

As per this user 2 should be able to access all AD resources so answer is true
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 3/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
Torvalds
3 weeks, 1 day ago
i remark that in the comments, many user talk about User3 Right, but in this question, it is User2 who evaluate. Therefore , for this question i thing
correct answer is "A" because User2 is Global administrator like User1 for this Azure AD.
upvoted 2 times

 
tera_baap
1 month ago
First of all tenant name can only be child of onmicrosoft.com not grand child like external in this case. Who wrote the question must be drunk.
Assuming it is possible, NO is the right answer.
upvoted 4 times

 
mlantonis
1 month, 1 week ago
Correct Answer: B - No

User3 doesn’t have access to the new directory. Only User1 has access to the new Tenant, because User1 created the Tenant and became GA
automatically.
upvoted 2 times

 
nfett
1 month, 3 weeks ago
B is the correct answer. verified from the provided document.
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 4/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #2 Topic 1

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:

User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.

You need to create new user accounts in external.contoso.onmicrosoft.com.

Solution: You instruct User4 to create the user accounts.

Does that meet the goal?

A.
Yes

B.
No

Correct Answer:
B

Only a global administrator can add users to this tenant.

Reference:

https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/add-users-to-azure-ad

 
fedztedz
Highly Voted 
6 months, 2 weeks ago
Answer is correct . NO

Only user admin or global admin can add users

upvoted 18 times

 
Miles19
2 months, 3 weeks ago
I think you are right. The subscription owner role doesn't have anything to do when it comes to users and groups. This role can by default
access all resources under the subscription, or give access to others to any resource, but definitely can't add users to Azure AD tenant.
upvoted 6 times

 
desmondfernando
Highly Voted 
6 months, 3 weeks ago
Came in exam 02/12/2020
upvoted 9 times

 
Exam_khan
Most Recent 
5 days, 19 hours ago
Only a Global Admin can create users
upvoted 2 times

 
Deyvessh
1 day, 20 hours ago
What about User Administrator?
upvoted 2 times

 
Tranquillo1811
3 weeks ago
The correct answer here would be B. No!

No other user than User1 has the required rights in the NEW tenant!

User1 is "Global administrator" of the NEWLY CREATED tenant, since she created it...
upvoted 2 times

 
mlantonis
1 month, 1 week ago
Correct Answer: B - No

User4 doesn’t have access to the new directory. Only User1 has access to the new Tenant, because User1 created the Tenant and became GA
automatically. Also, User4 is not a GA or User Administrator. User4 has RBAC Role permission and not Azure AD Role permission.
upvoted 1 times

 
BENISSE
1 month, 2 weeks ago
Azure Subscription doesn't have tenant permission
upvoted 2 times

 
Bedmed
3 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 5/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Anwer is No,

User2 is not global admin in external.contoso.onmicrosoft.com

upvoted 5 times

 
ZUMY
3 months, 3 weeks ago
Answer is No. Because there is no permission called 'OWNER' under Roles assignment for AD User. "Global Administrator & User Administrator can
perform this job"
upvoted 2 times

 
Sandroal29
4 months ago
No, because user 4 has RBAC permissions that is totally different from Azure AD permissions.
upvoted 2 times

 
toniiv
4 months, 1 week ago
No. Azure subscription owner doesn't have tenant permissions
upvoted 1 times

 
NickyDee
5 months, 3 weeks ago
User 1 is a GA of the Azure Active Directory Tenant which involves full permissions to manage users

User 2 is the Owner of the Azure Tenant which involves full permissions to manage virtual resources

They are both two different tenants off the root tenant of the organization and the roles do not integrate.

This is also true the other way around. If user 1 is a GA of the AAD tenant only, user 1 can only see AAD in the Azure tenant and not any of the
subscriptions and it will appear greenfield.

User 2 being an owner of the Azure tenant, but not a GA in AAD, cannot add users, only Azure resources.

In order for User 2 to add users to AAD, he would need to be a GA or user administrator of AAD

In order for User 1 to add resources to AZ, he would need to be an owner, or contributor.

any user that needs to have full access to both the AZ and AAD tenants, the user would need elevated roles in each tenant.
upvoted 5 times

 
ms70743
6 months ago
Answer is No. To add or delete users you must be a User administrator or Global administrator.
upvoted 1 times

 
JulienYork
6 months, 1 week ago
It is incorrect, because as the subscription owner, this permission can be taken over. That means if you enable, that action can be taken.
upvoted 1 times

 
JustMe84
6 months, 2 weeks ago
Test today (12/10/2020), Passed, answered No for this question in exam
upvoted 5 times

 
Matkes
6 months, 3 weeks ago
No, as user4 is a subscription owner in contoso.onmicrosoft.com tenant and has no rights in external.contoso.onmicrosoft.com
upvoted 4 times

 
asdf12345a
6 months, 3 weeks ago
Answer is correct.
upvoted 5 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 6/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #3 Topic 1

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:

User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.

You need to create new user accounts in external.contoso.onmicrosoft.com.

Solution: You instruct User3 to create the user accounts.

Does that meet the goal?

A.
Yes

B.
No

Correct Answer:
B

Only a global administrator can add users to this tenant.

Reference:

https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/add-users-to-azure-ad

 
asdf12345a
Highly Voted 
6 months, 3 weeks ago
Previous discussions were wiped from an update to the question set.

From previous discussions, answer is wrong - should be No.

upvoted 35 times

 
pravith
Highly Voted 
6 months, 3 weeks ago
No...As user 2 doesn't have access to the new directory...Ans is "no"...Same Q in Whizlabs
upvoted 18 times

 
BenStokes
Most Recent 
1 day, 10 hours ago
The Answer is NO.

Only Global administrator and User administrator inside an AD tenant are allowed to create users for the tenant. In this case the tenant is different
hence User admin cannot add users.
upvoted 2 times

 
Deyvessh
1 day, 20 hours ago
Can User2 Also Add or Delete users?
upvoted 1 times

 
JoeRogersHi
1 week, 3 days ago
Lots of folks claiming to “test” Questions 1 & 3, but no mention of the issue at hand: The new tenant is a subdomain of the original... this is a
special case. If I own contoso.com, Azure will not allow just anyone to create a subdomain of contoso.com— so, has anyone tested a new
subdomain to see which, if any, types of Azure AD accounts are given automatic permission to it? Perhaps the answer, as given, is correct.
upvoted 1 times

 
Deevine78
1 week, 3 days ago
Answer is: No.

When User1 creates the new Azure Active Directory tenant named external.contoso.onmicrosoft.com, apart from his (Global Administrator) account
no other user account is present in this brand new AD.

Directory roles need to be assigned by User1.

upvoted 2 times

 
jecaine
2 weeks, 1 day ago
Can someone explain why it's no when the first line of the article cited is:

Add new users or delete existing users from your Azure Active Directory (Azure AD) organization. To add or delete users you must be a User
administrator or Global administrator.

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory?view=azure-devops
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 7/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
jecaine
2 weeks, 1 day ago
I think I see it. It's a difference between contoso.onmicrosoft.com and external.contoso.onmicrosoft.com
upvoted 1 times

 
VaibhavGKulkarni
2 weeks, 4 days ago
As per link https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory?view=azure-devops , To add
or delete users you must be a User administrator or Global administrator. Here User 3 is User Admin so he/she can create user. Ans should be A for
this
upvoted 2 times

 
Arkadeep
2 weeks, 1 day ago
User3 is user administrator for other tenant. For the newly created tenant he doesn't have access, only user1 can see the tenant.
upvoted 2 times

 
Tranquillo1811
3 weeks ago
The correct answer here would be B. No!

No other user than User1 has the required rights in the NEW tenant!

User1 is "Global administrator" of the NEWLY CREATED tenant, since she created it...
upvoted 1 times

 
vicky007_87
4 weeks, 1 day ago
Correct Answer: No

Justification: User1 & 2 are global administrator on contoso.onmicrosoft.com but on external.contoso.onmicrosoft.com Azure AD tenant only User
1 is global administrator and hence User 2 cannot create user accounts on external.contoso.onmicrosoft.com.
upvoted 2 times

 
Zuls
1 month ago
Answer is NO https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/licensing-directory-independence
upvoted 2 times

 
jpinell
1 month ago
I have passed the exam, I have used this exam only and thanks to it I have passed, thanks to all the comments and support for improving.
upvoted 3 times

 
rblyellOG
1 month ago
did this in a lab to verify because the response here is divided. NO is the answer. User2 is GA of the original tenant but must be added to the new
tenant to have rights to add new users in the new tenant
upvoted 4 times

 
CARIOCA
1 month ago
This question is very divided in the feedback, after all what would be the answer and which justified it?

After a debate of 78 comments, is the final answer to the question the same or not?

My humble suggestion for the Exam Topics would be to have an official moderator who, depending on the debate on the issues, should be
responsible for changing the submitted template.

I think the debate is healthy, but a better organization is needed following an established pattern because in some issues they get very confused
and generate more doubts than clarifications.
upvoted 3 times

 
tera_baap
1 month ago
User1 created the new directory, so he becomes GA of new tenant not User2. Correct answer is NO.
upvoted 1 times

 
Md_Shahnawaz
1 month ago
clearly mentioned in the table, user2 has Global Administer right then why user2 can not create a new user in said domain ??

Answer is Yes
upvoted 1 times

 
mlantonis
1 month, 1 week ago
Correct Answer: B - No

User2 doesn’t have access to the new directory. Only User1 has access to the new Tenant, because User1 created the Tenant and became GA
automatically.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 8/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #4 Topic 1

HOTSPOT -

You have an Azure subscription named Subscription1 that contains a resource group named RG1.

In RG1, you create an internal load balancer named LB1 and a public load balancer named LB2.

You need to ensure that an administrator named Admin1 can manage LB1 and LB2. The solution must follow the principle of least privilege.

Which role should you assign to Admin1 for each task? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

The Network Contributor role lets you manage networks, but not access them.
Reference:

https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

 
Aghora
Highly Voted 
6 months ago
I have seen to many opinions regarding this, so I decided to test it in my azure account . with Network C on LB1 or LB2 , you can not do any of the
tasks and your get a permission error, you can not even see the Vnets to add the pool from !!!.

when using Contributor access on LB1,LB2 ...same issue . the Only option from the given choices that worked is

- Network Contributor on RG1 for LB1 to add a backend pool (vms must be in place)

- Network Contributor on RG1 for LB2 to add health probe

I hope this resolves the disagreement , all of the links about Network Contributor access on Microsoft are correct but they do not work at the LB
level, they have to be at the resource group level or at every resource that you need to get the pool in place(ie. Vnet,VMs..).
upvoted 86 times

 
Bursuc03
1 month, 2 weeks ago
Within RG1 you have the two LBs. You can have the rest of the resources (vNets, VMs) in a different RG, with different access rights. There is
nowhere stated you cannot have access to the other resources, that may be placed within other RGs, on which you have different access rights.
So the answer is YES.
upvoted 2 times

 
vince60370
5 months, 3 weeks ago
Thanks for trying it, as you said, too much divergent answers and explanations.

Clearer like this.

upvoted 5 times

 
Andersonalm
Highly Voted 
6 months, 3 weeks ago
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 9/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

On another website, the answer is Network Contributor in RG.

Explanation: To add the backend pool to the load balancer resource, the user needs to have permissions to be able to read the virtual network and
virtual machine resources that need to be associated to the backend pool. Hence permissions need to be given at the resource group level.
upvoted 25 times

 
Nickus
3 months, 1 week ago
But this doesn`t ask to add backends pools.. Only request that Admin1 CAN MANAGE LB1 and LB2 and with the leasrt privilege.
upvoted 4 times

 
SubbuTeja
3 months ago
If you look at the images it clearly questions about adding Backend pool
upvoted 1 times

 
rblyellOG
Most Recent 
1 day, 13 hours ago
I think the key here is "least priviledge", so you add the net contrib role to each load balancer. If you add role to RG the user could alter any other
net resources in RG. If it said "least administration" i would go with role to RG not load individual balancers
upvoted 1 times

 
Delanase
4 days, 18 hours ago
Correct answer should be network contributor NG-01, because when you need some write permissions like
Microsoft.Network/virtualNetworks/subnets/join/action to join the VMs to the backend pool.
upvoted 1 times

 
db12345
1 week, 4 days ago
Ans : Network Contributor on RG1 for LB1 . without this vm's are not getting listed under vnet in backendpool
upvoted 2 times

 
Gautam123
1 week, 6 days ago
Network Contributor in RG1. for both
upvoted 1 times

 
Md_Shahnawaz
2 weeks, 4 days ago
Passed the exam AZ-104 on 03/06/2021 with 850 marks.

Thanks, Examtopics.
upvoted 6 times

 
Tranquillo1811
3 weeks ago
The correct answers are: Network Contributor on LB1 and Network Contributor on LB2!

And this is why:

The loadbalancer resource type is located in the Microsoft.Network Provider (https://docs.microsoft.com/en-

us/azure/templates/microsoft.network/loadbalancers?tabs=json).

To ADD a backend pool to an LB (no matter it's public or internal) you need to change the backendpools property of the LB
(Microsoft.Network/loadBalancers/backendAddressPools).

Since the network contributor role contains the action "Microsoft.Network/*" (Create and manage networks) (https://docs.microsoft.com/en-
us/azure/role-based-access-control/built-in-roles#network-contributor), it must be sufficient to assign the Network Contributor role on scope LB1
to admin1 to add a backend pool to LB1.

The same applies for the "probes" property of a "Microsoft.Network/loadBalancers" resource.

The Network Contributor role assigned to admin1 for scope LB2 is sufficient to add a health probe to LB2, because the Network Contributor Role is
allowed to do ANYTHING within the resource provider "Microsoft.Network"...
upvoted 3 times

 
Voravut
1 month ago
Network Contributor in RG1.

I passed exam on 05/24/21.

upvoted 3 times

 
Thyfere
3 weeks, 2 days ago
Thanks. Are you sure, your answer was correct in the exam?
upvoted 1 times

 
CARIOCA
1 month ago
This question is very divided in the feedback, after all what would be the answer and which justified it?

After a debate of 60 comments, is the final answer to the question the same or not?

My humble suggestion for the Exam Topics would be to have an official moderator who, depending on the debate on the issues, should be
responsible for changing the submitted template.

 
carsa81
1 month ago
So, what on az-104 REAL EXAM is the right answer?
upvoted 1 times

 
mlantonis
1 month, 1 week ago
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 10/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer:

1: Network contributor on RG1

2: Network contributor on RG1

upvoted 3 times

 
Alim786
2 months ago
I can't see a role called "Network Contributor", only "Network Administrator" ?
upvoted 1 times

 
Bursuc03
1 month, 2 weeks ago
Try to search "azure network contributor" on Google.You will find the Azure documentation for this predefined RBAC role and details of the
rights it has: Microsoft.Network/*
upvoted 1 times

 
StefanDoh
2 months, 1 week ago
@Aghora and @director47 have the most proper explanations! Thanks for sharing and summarizing!
upvoted 3 times

 
Dizzu
1 month ago
lol but both of them chose different answers ???
upvoted 3 times

 
director47
2 months, 3 weeks ago
TEsted this in my lab. You can create an LB1 and LB2 .

If the user doesn't have any permission in the RG he wont see any resources. BUT if you assigned Network contributor ONLY to the LB1 and LB2
then that user will ONLY see and ONLY have access to the load balancers. The answer is correct since it is asking to perform this with least privilege.
If you do network contributor to RG then the user has access to all network resources in the RG apart from the load balancers.
upvoted 12 times

 
ms70743
2 months, 4 weeks ago
Network contributor in RG1 for both answer
upvoted 2 times

 
Sam_Azure
2 months, 4 weeks ago
The correct answer is Network Contributor on RG1. While creating backend pool it asks for selecting virtual network and at that time there is no
option to select the virtual network even if it is already created since the Network contributor on LB cannot read component of a RG.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 11/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #5 Topic 1

You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com and an Azure Kubernetes Service
(AKS) cluster named AKS1.

An administrator reports that she is unable to grant access to AKS1 to the users in contoso.com.

You need to ensure that access to AKS1 can be granted to the contoso.com users.

What should you do first?

A.
From contoso.com, modify the Organization relationships settings.

B.
From contoso.com, create an OAuth 2.0 authorization endpoint.

C.
Recreate AKS1.

D.
From AKS1, create a namespace.

Correct Answer:
B

Reference:

https://kubernetes.io/docs/reference/access-authn-authz/authentication/

 
ketan05
Highly Voted 
6 months, 3 weeks ago
Correct! The Azure AD client application is used by kubectl to sign in users with OAuth 2.0 device authorization grant flow.

https://docs.microsoft.com/en-us/azure/aks/concepts-identity
upvoted 20 times

 
waterzhong
Highly Voted 
4 months, 3 weeks ago
The Azure AD client application is used by kubectl to sign in users with OAuth 2.0 device authorization grant flow.

Azure AD provides an access_token, id_token, and a refresh_token.

The user makes a request to kubectl with an access_token from kubeconfig.

Kubectl sends the access_token to API Server.

The API Server is configured with the Auth WebHook Server to perform validation.

The authentication webhook server confirms the JSON Web Token signature is valid by checking the Azure AD public signing key.

The server application uses user-provided credentials to query group memberships of the logged-in user from the MS Graph API.

A response is sent to the API Server with user information such as the user principal name (UPN) claim of the access token, and the group
membership of the user based on the object ID.

The API performs an authorization decision based on the Kubernetes Role/RoleBinding.

Once authorized, the API server returns a response to kubectl.

Kubectl provides feedback to the user.

upvoted 9 times

 
BenStokes
Most Recent 
1 day, 9 hours ago
Answer is correct as per - https://docs.microsoft.com/en-us/azure/aks/concepts-identity
Excerpts from article as 1st step -

As shown in the graphic above, the API server calls the AKS webhook server and performs the following steps:

1. kubectl uses the Azure AD client application to sign in users with OAuth 2.0 device authorization grant flow.
upvoted 1 times

 
db12345
1 week, 4 days ago
Ans : B
upvoted 1 times

 
mlantonis
1 month, 1 week ago
Correct Answer: B

The Azure AD client application is used by kubectl to sign in users with OAuth 2.0 device authorization grant flow.

Reference:

https://docs.microsoft.com/en-us/azure/aks/concepts-identity
upvoted 2 times

 
Keerthana2020
2 weeks, 2 days ago
you answers are really correct, please help me for az-220 i got failed twice after reading all the materials
upvoted 1 times

 
armandolubaba
1 month, 2 weeks ago
All the answer are corrects
upvoted 1 times

 
Snownoodles
3 months ago
Is it correct to say "You have an Azure subscription that contains an Azure Active Directory ...".

According to: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory?

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 12/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

amp;clcid=0x9

subscription should be under a tenant

upvoted 2 times

 
chaudha4
1 month, 1 week ago
You are correct. Azure subscription has a trust relationship with Azure Active Directory tenant not a containment relationship.
upvoted 1 times

 
mg
3 months, 1 week ago
From contoso.com, create an OAuth 2.0 authorization endpoint.
upvoted 2 times

 
ms70743
3 months, 1 week ago
Answer B is correct
upvoted 1 times

 
fedztedz
3 months, 3 weeks ago
Answer is correct. B
upvoted 2 times

 
I
4 months, 1 week ago
The answer is correct and desplay link is also correct. Here the key words under below.

To identify the user, the authenticator uses the id_token (not the access_token) from the OAuth2 token response as a bearer token. See above for
how the token is included in a request.
upvoted 1 times

 
toniiv
4 months, 1 week ago
B. is correct
upvoted 1 times

 
DeepanAeon
4 months, 1 week ago
Answer is correct.
upvoted 1 times

 
Gigagitabanbang
4 months, 3 weeks ago
I guess the difference is whether we are talking AD legacy or the AKS-managed AD integration. Wasn’t clear in the question. Legacy would require
recreating the cluster but the new one wouldn’t.
upvoted 2 times

 
dadageer
5 months, 1 week ago
Azure AD authentication is provided to AKS clusters with OpenID Connect. OpenID Connect is an identity layer built on top of the OAuth 2.0
protocol. Answer is correct!
upvoted 1 times

 
waterzhong
5 months, 4 weeks ago
OpenID Connect Tokens

OpenID Connect is a flavor of OAuth2 supported by some OAuth2 providers, notably Azure Active Directory, Salesforce, and Google. The protocol's
main extension of OAuth2 is an additional field returned with the access token called an ID Token. This token is a JSON Web Token (JWT) with well
known fields, such as a user's email, signed by the server.

 
MadMax2021
6 months ago
came in the exam on 18-12-2020
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 13/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #6 Topic 1

You have a Microsoft 365 tenant and an Azure Active Directory (Azure AD) tenant named contoso.com.

You plan to grant three users named User1, User2, and User3 access to a temporary Microsoft SharePoint document library named Library1.

You need to create groups for the users. The solution must ensure that the groups are deleted automatically after 180 days.

Which two groups should you create? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

A.
a Microsoft 365 group that uses the Assigned membership type

B.
a Security group that uses the Assigned membership type

C.
a Microsoft 365 group that uses the Dynamic User membership type

D.
a Security group that uses the Dynamic User membership type

E.
a Security group that uses the Dynamic Device membership type

Correct Answer:
AC

You can set expiration policy only for Office 365 groups in Azure Active Directory (Azure AD).

Note: With the increase in usage of Office 365 Groups, administrators and users need a way to clean up unused groups. Expiration policies can
help remove inactive groups from the system and make things cleaner.

When a group expires, all of its associated services (the mailbox, Planner, SharePoint site, etc.) are also deleted.

You can set up a rule for dynamic membership on security groups or Office 365 groups.

Incorrect Answers:

B, D, E: You can set expiration policy only for Office 365 groups in Azure Active Directory (Azure AD).

Reference:

https://docs.microsoft.com/en-us/office365/admin/create-groups/office-365-groups-expiration-policy?view=o365-worldwide

 
asdf12345a
Highly Voted 
6 months, 3 weeks ago
Answer is correct - Only O365 groups support automatic deletion after 180 days.
upvoted 17 times

 
desmondfernando
Highly Voted 
6 months, 3 weeks ago
Came in exam 02/12/2020
upvoted 5 times

 
amanasr
6 months ago
This is BOT
upvoted 5 times

 
[Removed]
6 months, 2 weeks ago
did you pass the exam?
upvoted 2 times

 
Kiano
Most Recent 
1 month ago
Whay have they changed the question and call the groups Microsoft 365 instead of Office 365. Are they really called so nowadays? Condusing.
upvoted 2 times

 
xMilkyMan123
6 days, 13 hours ago
Yes. One internet search will confirm this to you.
upvoted 1 times

 
mlantonis
1 month, 1 week ago
Correct Answer: A and C

Only O365 groups support automatic deletion after 180 days.

You can set expiration policy only for Office 365 groups in Azure Active Directory (Azure AD). Note: With the increase in usage of Office 365
Groups, administrators and users need a way to clean up unused groups. Expiration policies can help remove inactive groups from the system and
make things cleaner. When a group expires, all of its associated services (the mailbox, Planner, SharePoint site, etc.) are also deleted. You can set up
a rule for dynamic membership on security groups or Office 365 groups. Incorrect Answers: B, D, E: You can set expiration policy only for Office 365
groups in Azure Active Directory (Azure AD).

Reference:

https://docs.microsoft.com/en-us/office365/admin/create-groups/office-365-groups-expiration-policy?view=o365-worldwide
upvoted 4 times

 
armandolubaba
1 month, 1 week ago
A & C are correct

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 14/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times

 
Huggins
1 month, 4 weeks ago
A & C are correct!
upvoted 2 times

 
xiaoyan
2 months, 3 weeks ago
what is difference between assigned group type versus dynamic group type?
upvoted 1 times

 
dcalvo
2 months, 1 week ago
Assigned groups use a list of users while dynamic groups use a query to select members
upvoted 3 times

 
mg
3 months, 2 weeks ago
A C - Only O365 groups support automatic deletion after 180 days.
upvoted 1 times

 
ZUMY
3 months, 2 weeks ago
A C

Answer is correct - Only O365 groups support automatic deletion after 180 days.
upvoted 2 times

 
toniiv
4 months, 1 week ago
Correct. A. including the three users, then B. Including the Library
upvoted 1 times

 
DeepanAeon
4 months, 1 week ago
answer is correct
upvoted 1 times

 
mikl
4 months, 2 weeks ago
Correct.

"This article tells you how to manage the lifecycle of Microsoft 365 groups by setting an expiration policy for them. You can set expiration policy
only for Microsoft 365 groups in Azure Active Directory (Azure AD)."

Source : https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-lifecycle
upvoted 1 times

 
stargodwin
5 months ago
yeah, this answer is very correct only office 365 groups support that
upvoted 1 times

 
waterzhong
5 months, 4 weeks ago
With the increase in usage of Microsoft 365 groups and Microsoft Teams, administrators and users need a way to clean up unused groups and
teams. A Microsoft 365 groups expiration policy can help remove inactive groups from the system and make things cleaner.
upvoted 2 times

 
fedztedz
6 months, 2 weeks ago
Answer is Correct. A & C
upvoted 2 times

 
ketan05
6 months, 3 weeks ago
Correct Answer! Only Office365 users have the feature.
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 15/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #7 Topic 1

HOTSPOT -

You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table:

User3 is the owner of Group1.

Group2 is a member of Group1.

You configure an access review named Review1 as shown in the following exhibit:

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 16/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review

 
asdf12345a
Highly Voted 
6 months, 3 weeks ago
Answer is correct -

The scope is set to GUEST users only. So User3 cannot perform an access review of User1 and UserA as they are Members.

Group2 is a member of Group1 so the access review is inherited.

upvoted 59 times

 
JustMe84
Highly Voted 
6 months, 2 weeks ago
Test today (12/10/2020), Passed, answered No, No, Yes for this question in exam
upvoted 16 times

 
BenStokes
Most Recent 
1 day, 9 hours ago
Answer is - No, No, Yes.

Explanation -

Box 1: No

User 3 can only review guest users, and User1 is a member user.

Box 2: No

User 3 can only review guest users, and User2 is a member user.

Box 3: Yes

Group2 is a member of Group1 and User3 is the owner of this group, therefore everyting included in Group2 can be reviewed by User3.
upvoted 2 times

 
flash007
2 weeks, 6 days ago
User 3 is not part of any groups so Box 1 is defo NO
upvoted 1 times

 
mlantonis
1 month, 1 week ago
Box 1: No

User 3 can only review guest users, and User1 is a member user.

Box 2: No

User 3 can only review guest users, and User2 is a member user.

Box 3: Yes

Group2 is a member of Group1 and User3 is the owner of this group, therefore everyting included in Group2 can be reviewed by User3.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 17/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
Didib
1 month, 2 weeks ago
Why is User 3 able to review User B, when user B belongs to Group 2, and User 3 is the owner of only Group 1. Not to mention, the policy applies
to Group 1 only?
upvoted 1 times

 
coders1234
1 month, 2 weeks ago
because group 1 contains group 2 (users) also
upvoted 1 times

 
HassanSarhan
1 month, 2 weeks ago
No No Yes Correct answers!
upvoted 1 times

 
iamkl00t
2 months, 1 week ago
typo in 'advanced' at the bottom of the screenshot
upvoted 1 times

 
mg
3 months, 2 weeks ago
NO NO YES
upvoted 2 times

 
ZUMY
3 months, 2 weeks ago
N N Y is the answer
upvoted 1 times

 
Sandroal29
4 months ago
Correct answers are, NO NO YES. User 3 can only review guest users, and User1 and User2 are member users. So NO and NO for the first two
questions. The last one is YES, group 2 is in group 1 and user 3 is the owner of this group, therefore everyting included in group 2 can be reviewed
by user 3.
upvoted 3 times

 
DeepanAeon
4 months, 1 week ago
Answer

No, No, Yes

upvoted 2 times

 
vijaysmail84
4 months, 2 weeks ago
Access review is not inherited. Tested on portal
upvoted 1 times

 
waterzhong
4 months, 3 weeks ago
Access to groups and applications for employees and guests changes over time. To reduce the risk associated with stale access assignments,
administrators can use Azure Active Directory (Azure AD) to create access reviews for group members or application access. If you need to
routinely review access, you can also create recurring access reviews. For more information about these scenarios, see Manage user access and
Manage guest access.
upvoted 1 times

 
Paulv82003
4 months, 3 weeks ago
Nested groups are not supported yet. So the answer is NO-NO-NO

https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/15718164-add-support-for-nested-groups-in-azure-ad-app-acc

ADMIN

Azure AD Team (Admin, Microsoft Azure) responded · Feb 12, 2020

We’re currently evaluating an option that will provide the functionality offered by nested groups, but removes the complexity nested groups adds.
We appreciate your patience on this ask and want to ensure we deliver a solution that benefits all of our customers. Below are use cases that we’d
like for you to stack rank, with #1 being priority for you. We thank you for the continued comments and feedback.

Use case A: nested group in a cloud security group inherits apps assignment

Use case B: nested group in a cloud security group inherits license assignment

Use case C: nesting groups under Office 365 groups

upvoted 3 times

 
Sizz
3 months, 1 week ago
Nested / child groups *are* supported in Azure AD Access reviews, just not in many other areas of Azure AD. Confirmed through testing.
upvoted 1 times

 
emv
4 months, 3 weeks ago
I tested this. Nested groups are working in AR. So it is correct no, no, yes.
upvoted 4 times

 
mikl
4 months, 3 weeks ago
Review can only be done to Guest Users - and only user B is a Guest.

So; NO, NO, YES

upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 18/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #8 Topic 1

HOTSPOT -

You have the Azure management groups shown in the following table:

You add Azure subscriptions to the management groups as shown in the following table:

You create the Azure policies shown in the following table:

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: No -

Virtual networks are not allowed at the root and is inherited. Deny overrides allowed.

Box 2: Yes -

Virtual Machines can be created on a Management Group provided the user has the required RBAC permissions.

Box 3: Yes -

Subscriptions can be moved between Management Groups provided the user has the required RBAC permissions.

Reference:

https://docs.microsoft.com/en-us/azure/governance/management-groups/overview https://docs.microsoft.com/en-
us/azure/governance/management-groups/manage#moving-management-groups-and-subscriptions
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 19/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
fedztedz
Highly Voted 
6 months, 2 weeks ago
Answer is Wrong : It should Be NO NO NO

- subscription should be moved by can't be added to 2 groups.

upvoted 32 times

 
Ikrom
6 months, 2 weeks ago
Agree.

- NO: Subscription 1: is not allowed to create a VNET.

- NO: Subscription 2: Allowed to create a VNET which restricts anything else.

- NO: Subscription 1: already in one Management group called 21, so cannot add into another. A Subscription can be assigned to 1
Management Group.
upvoted 44 times

 
azuremarco2021
2 months, 1 week ago
Im sorry but why is the 2nd false? All that was forbiden at the root level is lifted on Subscription 2
upvoted 1 times

 
jimmyli
1 month, 2 weeks ago
because subscription 2 is under management group 12. The only allowed resource type is VirtualNetworks per the table in the question,
therefore VM creation is not allowed
upvoted 3 times

 
irosh412
1 month, 1 week ago
https://docs.microsoft.com/en-us/azure/governance/policy/overview#policy-definition

This clearly states,

"Allowed Resource Type (Deny): Defines the resource types that you can deploy. Its effect is to deny all resources that aren't part of this defined
list."

Therefore, only allowed resource type is virtual nerwork.

SO the answer for the second question is NO.

but third is Yes, because adding subscrition and moving subscription is the same in MS docs. :)
upvoted 4 times

 
vamshidhara
1 month, 1 week ago
Azure Policy is an explicit deny.

So the root management group deny the virtual network resource type to the child management groups/subscriptions/resources groups
and the policy in the question does not have any thing excluded so it will deny
upvoted 2 times

 
pieronegri
6 months, 2 weeks ago
you are right, "move" is the right verb.
upvoted 1 times

 
Andersonalm
Highly Voted 
6 months, 2 weeks ago
Answer is correct. The deny policy is only for virtual networks, not for virtual machines. NO, Yes, Yes
upvoted 26 times

 
Rain521
1 month, 3 weeks ago
Agree.
upvoted 1 times

 
ArgiDio
6 months ago
The only objection that i have is that, you cannot create an Azure VM without a VNet, so second option is No too.

Final answer that i will give in case of exam, N,N,Y

upvoted 8 times

 
Penagache
5 months, 2 weeks ago
You can. You can use a vnet created by other user.
upvoted 8 times

 
uellington
1 month, 3 weeks ago
but this possibility is not informed, so you have to consider the standard creation of the VM with all the minimum resources.
upvoted 4 times

 
Ikrom
6 months, 2 weeks ago
You missed something:

- One says Restricted

- Another says Allowed

So, one restricts VNETs and the other allows VNETs.

upvoted 3 times

 
Hibs2016
6 months, 2 weeks ago
Many people have missed this. Very good catch. Answer is correct it is NO, YES, YES.
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 20/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
moni1
2 months, 2 weeks ago
but that management group is under the same tenant which has a "deny"
upvoted 1 times

 
Delanase
Most Recent 
4 days, 18 hours ago
The correct answer is NO NO YES

You can navigate to ManagementGroup11 and then select Add subscription. Subscription 1 is currently a child resource of ManagementGroup21,
so by adding Subscription 1 to ManagementGroup11, you are actually moving Subscription 1 between the two management groups.
upvoted 5 times

 
Gautam123
1 week, 6 days ago
no no yes 100% sure
upvoted 2 times

 
Mich132
2 weeks ago
Wouldn't the policy on the root tenant overrule the policy for management group 12? "Any assignment of user access or policy assignment on the
root management group applies to all resources within the directory." So no matter what you do, you cannot create a Vnet (and thus a VM) if you
don't remove that rule at the root tenant level. So No, No, don't know for the last one... :-)
upvoted 1 times

 
Ambivert
1 week ago
same thinking, since Management 12 is under the tenant azure policy. The last one seems to have some typo error. If it's "add" then it's a NO if
it's a "move" then it's a YES.
upvoted 1 times

 
CARIOCA
1 month ago
This question is very divided in the feedback, after all what would be the answer and which justified it?

After a debate of 62 comments, is the final answer to the question the same or not?

My humble suggestion for the Exam Topics would be to have an official moderator who, depending on the debate on the issues, should be
responsible for changing the submitted template.

 
mlantonis
1 month, 1 week ago
Allowed Resource Type (Deny): Defines the resource types that you can deploy. Its effect is to deny all resources that aren't part of this defined list.

Not allowed resource types (Deny): Prevents a list of resource types from being deployed.

Based on the Policies, VNETs are not allowed in the Tenant Root Group scope, so you cannot deploy VNETs. Also, VNETs only allowed in
ManagementGroup12 scope, but you cannot deploy any other resource.

Box 1: No

Subscription1 is a member of ManagementGroup21, ManagementGroup21 is a member of ManagementGroup11, ManagementGroup11 is a

member of the Tenant Root Group, The Tenant Root group has ‘Not allowed resource types for virtual network’.

Box 2: No:

You cannot create a VM, because based on the Policy you can only create VNETs in Sybscription2 (ManagementGroup12).

Box 3: No

You cannot ADD Subscription1 to ManagementGroup11, but you can MOVE Subscription1 from ManagementGroup21 to ManagmentGroup11.
Subscriptions can only be a member of ONE ManagementGroup at a time.
upvoted 6 times

 
RamanAgarwal
2 weeks, 5 days ago
Policy doesnt restrict you to create a VM anywhere. It restricts you to create VNet only which is overridden at Management12 and it will be
inherited by Subscription 2. So you can create Vnet hence VM in subscription 2
upvoted 3 times

 
creator
2 months ago
I tested it on Portal. the answers are N,Y,Y.
upvoted 9 times

 
Veronika1989
2 months, 1 week ago
I agree that the first two are "no", third definitely 'yes', the terminology 'add subscription' is used everywhere in the portal instead of 'move'
upvoted 3 times

 
vikram12345
2 months, 1 week ago
I stick onto No,Yes,No if the third sentence has "add"

or else No,Yes,Yes if the third sentence has "move"

upvoted 2 times

 
darko13
2 months, 2 weeks ago
NNY

Deny on root management trumps allow on child management group for vnet, which is required to create a vm in subscription2.

Add subscription to management group is effectively move subscription to management group, so yes.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 21/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times

 
ms70743
3 months, 1 week ago
NO, NO, YES
upvoted 4 times

 
ZUMY
3 months, 2 weeks ago
Moderator please remove my previous answer. I go for

-N-

N - can't add but can move

upvoted 2 times

 
J4U
2 months, 2 weeks ago
We can add using Add subscription option from management group. However it finally moves the subscription and doesn't duplicates it in
multiple management groups.
upvoted 1 times

 
mg
3 months, 2 weeks ago
No No Yes
upvoted 1 times

 
mg
3 months, 2 weeks ago
If its "add" subscription then answer is NO NO NO.

if its "Move" subscription answer is NO NO YES

upvoted 3 times

 
J4U
2 months, 2 weeks ago
Add vs Move does the same Move operation at the backend.
upvoted 1 times

 
ZUMY
3 months, 3 weeks ago
NO,NO,YES
upvoted 2 times

 
olayin
3 months, 4 weeks ago
Answer should be No, No and Yes.

Not allowed resource types policy blocks deployment of virtual networks in Tenant Root Group

Only allowed resource type is virtual Network. Nothing else should work not even VMs. Recreated the scenario in a sub with the MG hierarchy and
it did not deploy any other resources. Weird thing is that some validations passed but it still did not deploy the resources. The logic is the same as
allowed locations/regions.

Subscription 1 can be added to ManagementGroup11. Only issue here is syntax issue and it should have been changed to move. But this is a
scenario based question, so we should stick to what Subscription1 is
upvoted 1 times

 
immortalstrong
3 months, 4 weeks ago
This is correct.

1. This is obviously no.

2. Yes, VM can be created as long as you have an existing VNET. It's reasonable to assume a VNET already exist. You'll only be prevented to create a
VM is you try to create a new VNET while creating the VM. This is not specified so assume a VNET exists.

3. Yes. I also tried this in lab. "Add to subscription" really means move, not add it again. The "Add to subscription" is misleading but this is how it is
in the lab. It will move the subscription.
upvoted 8 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 22/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #9 Topic 1

You have an Azure policy as shown in the following exhibit:

What is the effect of the policy?

A.
You are prevented from creating Azure SQL servers anywhere in Subscription 1.

B.
You can create Azure SQL servers in ContosoRG1 only.

C.
You are prevented from creating Azure SQL Servers in ContosoRG1 only.

D.
You can create Azure SQL servers in any resource group within Subscription 1.

Correct Answer:
B

You are prevented from creating Azure SQL servers anywhere in Subscription 1 with the exception of ContosoRG1

 
Nalex9ja
Highly Voted 
6 months, 2 weeks ago
The Picked Option (B) is the correct option
upvoted 18 times

 
Ikrom
6 months, 2 weeks ago
Agree.

It says: Exclusions and RG1 is there.

upvoted 1 times

 
fedztedz
Highly Voted 
6 months, 2 weeks ago
Answer is Correct. B
upvoted 8 times

 
BenStokes
Most Recent 
10 hours, 18 minutes ago
Correct answer is B - You can create Azure SQL servers in ContosoRG1 only.

Note - View the exclusion parameter

upvoted 1 times

 
McRowdy
2 weeks, 5 days ago
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 23/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Agree. Correct answer is B. Be mindful for the exclusions

upvoted 1 times

 
mlantonis
1 month, 1 week ago
Correct Answer: B

You are prevented from creating Azure SQL servers anywhere in Subscription 1, except from ContosoRG1. There’s an Exclusion on ContosoRG1.

Not allowed resource types (Deny): Prevents a list of resource types from being deployed.

Reference:

https://docs.microsoft.com/en-us/azure/governance/policy/overview#policy-definition
upvoted 2 times

 
ms70743
3 months, 1 week ago
B is correct
upvoted 2 times

 
mg
3 months, 2 weeks ago
Answer B is correct

You are prevented from creating Azure SQL servers anywhere in Subscription 1 except ContosoRG1
upvoted 1 times

 
Jacek_
3 months, 3 weeks ago
Correct
upvoted 1 times

 
ZUMY
3 months, 3 weeks ago
B is correct!
upvoted 1 times

 
Sandroal29
4 months ago
The answer to this question is certainly clear. The policy prevents from creating SQL server resources anywhere in the subscription but exempting
those created in the resource group RG1.
upvoted 2 times

 
toniiv
4 months, 1 week ago
B. is correct
upvoted 1 times

 
kashi1983
4 months, 2 weeks ago
answer is correct
upvoted 2 times

 
Hi2ALL
4 months, 2 weeks ago
B is correct answer since its exclusion on RG1 only
upvoted 1 times

 
polpum
5 months, 1 week ago
Come in 15/01/2021
upvoted 3 times

 
rusll
5 months, 1 week ago
answer is b
upvoted 2 times

 
NickyDee
5 months, 3 weeks ago
B is correct because Subscription1/ContosoRG1 is excluded from the policy. The not allowed resource types for Microsoft.sql/servers does not
apply
upvoted 4 times

 
ms70743
6 months ago
Answer is B
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 24/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 25/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #10 Topic 1

HOTSPOT -

You have an Azure subscription that contains the resources shown in the following table:

You assign a policy to RG6 as shown in the following table:

To RG6, you apply the tag: RGroup: RG6.

You deploy a virtual network named VNET2 to RG6.

Which tags apply to VNET1 and VNET2? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

VNET1: Department: D1, and Label:Value1 only.

Tags applied to the resource group or subscription are not inherited by the resources.

Note: Azure Policy allows you to use either built-in or custom-defined policy definitions and assign them to either a specific resource group or
across a whole

Azure subscription.

VNET2: Label:Value1 only.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 26/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Incorrect Answers:

RGROUP: RG6 -

Tags applied to the resource group or subscription are not inherited by the resources.

Reference:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-policies

 
aymennn
Highly Voted 
6 months, 3 weeks ago
not correct vnet1 is created before assignng the policy so it doesn't heritate teh tag.

vnet1 : departement D tag only

upvoted 76 times

 
raph90fr
1 month, 3 weeks ago
yes, i think you are right.
upvoted 2 times

 
J4U
2 months, 2 weeks ago
The policy definition isn't clear in the question, either it's Add, Modify or Append. Only based on these definitions outcome can be defined. If
we assume it's "Add a tag" then existing resources aren't affected and new resources will have the new default tag. You are correct.
upvoted 5 times

 
JamesDC
4 months, 2 weeks ago
Absolutely!... Policy applying doesn't force already existing resources to change it's value according to the policy, it will only show and resource
is non-complient, if it doesn't meet the policy value.
upvoted 4 times

 
OmarMac
6 months, 3 weeks ago
VNET1 - Department: D1 only

VNET2 - Label: Value1 only

upvoted 120 times

 
Hibs2016
6 months, 2 weeks ago
Agreed!
upvoted 5 times

 
pazza112
Highly Voted 
6 months, 3 weeks ago
Answer is wrong. Tested in MSDN lab in the order set out in the question.

After I created the policy and assigned it to the RG the existing vnet still only had the tag of Department:D1. New vnet had the tag label:value1
only.

So the answer is Department:D1 only and Label:value1 only

upvoted 45 times

 
kavg13
6 months, 2 weeks ago
Instead of manually applying tags or searching for resources that aren't compliant, you create a policy that automatically applies the needed
tags during deployment. Tags can also now be applied to existing resources with the new Modify effect and a remediation task.

Found in link provided by question. So it would depend if they used the "Modify" option or not.
upvoted 5 times

 
Deyvessh
Most Recent 
1 day, 18 hours ago
VNET1 - Department: D1 Only

VNET2 - Label: Value1 Only

upvoted 2 times

 
Delanase
4 days, 18 hours ago
Department 1:D1 only
upvoted 1 times

 
madhavikdb
1 week ago
I deployed a policy to add tags at rg scope,rg group tags are neither inherited by newly created resources nor by existing resources.So I think vnet1
will have the tags Department: D1 only and vnet2 will get none.
upvoted 1 times

 
JoeRogersHi
1 week, 2 days ago
Answer is correct. I did this exactly and result was exactly the same.
upvoted 2 times

 
ekascloud2021
1 week ago
so, what is the correct ans ?

pls stat is here

upvoted 2 times

 
xMilkyMan123
6 days, 11 hours ago
go to Azure and test it yourself

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 27/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times

 
Ssri
2 weeks, 3 days ago
Either VNET1 & VNET2 when ever they created, the actual RG6 policy shows ‘Apply tag and its default value”

So, VNET1 already has a tag and now according to RG6 policy, default value also applies.

Then, VNET2 created newly and that doesn’t have any tags, only default value applies.

Therefore, Department and Value1 only for VNET1 & Value1 only for VNET2 is correct.
upvoted 3 times

 
Thyfere
3 weeks, 2 days ago
In my view given answer is correct because:

Policy assignments are inherited by child resources. If a policy assignment is applied to a resource group, it's applicable to all the resources in that
resource group.

https://docs.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure

Tags applied to the resource group or subscription aren't inherited by the resources. To apply tags from a subscription or resource group to the
resources, see Azure Policies - tags.

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json
upvoted 2 times

 
CARIOCA
1 month ago
This question is very divided in the feedback, after all what would be the answer and which justified it?

After a debate of 52 comments, is the final answer to the question the same or not?

My humble suggestion for the Exam Topics would be to have an official moderator who, depending on the debate on the issues, should be
responsible for changing the submitted template.

 
xMilkyMan123
6 days, 11 hours ago
Or maybe it just teaches us to do our own research...
upvoted 2 times

 
mlantonis
1 month, 1 week ago
Correct Answer:

Box 1: Department: D1 only

The Policy only affects resources that are created after the policy is enabled. There is a remediation option that can be used for resources created
before the Policy applied. Nothing mentioned about remediation task in this in the question. VNET1 will have its original tag.

Box 2: Label: Value1 only

Tags are not inherited, so VNET2 will have the tag from the Policy.

Reference:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-policies
upvoted 3 times

 
fabiolira
1 month, 1 week ago
04-10-2021 exam question

VNET1 - Department: D1 only

VNET2 - Label: Value1 only

upvoted 4 times

 
nfett
1 month, 2 weeks ago
VNET1 - Department: D1 only

VNET2 - Label: Value1 only

upvoted 1 times

 
sjhj2423
2 months ago
why making confusion , anyone know where is the actual answer
upvoted 3 times

 
sidharthwader
2 months ago
Answer is right.

For box 1 its tag which is set at resource level and other tag inherited due to azure policy. Tags are not overwritten or replaced. Azure resource can
have up to 50 tags.

Second one also right as it gets the tag due to azure policy .
upvoted 1 times

 
Aniruddha_dravyakar
2 months, 4 weeks ago
Answer is correct, thanks
upvoted 1 times

 
creator
2 months, 1 week ago
No. VNet was created before applying the policy.
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 28/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times

 
ms70743
3 months, 1 week ago
VNET1 - Department: D1 only

VNET2 - Label: Value1 only

upvoted 2 times

 
gladi
3 months ago
Agree with ms70743.
upvoted 1 times

 
mg
3 months, 2 weeks ago
why not RGroup: RG6 to VNET2
upvoted 2 times

 
deenu202
3 months ago
Simple : Tags applied to the resource group or subscription are not inherited by the resources.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 29/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #11 Topic 1

You have an Azure subscription named AZPT1 that contains the resources shown in the following table:

You create a new Azure subscription named AZPT2.

You need to identify which resources can be moved to AZPT2.

Which resources should you identify?

A.
VM1, storage1, VNET1, and VM1Managed only

B.
VM1 and VM1Managed only

C.
VM1, storage1, VNET1, VM1Managed, and RVAULT1

D.
RVAULT1 only

Correct Answer:
C

You can move a VM and its associated resources to a different subscription by using the Azure portal.

You can now move an Azure Recovery Service (ASR) Vault to either a new resource group within the current subscription or to a new
subscription.

Reference:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-resource-group-and-subscription

 
JustMe84
Highly Voted 
6 months, 2 weeks ago
Test today (12/10/2020), Passed, answered "C" for this question in exam
upvoted 25 times

 
Nicodebian
Highly Voted 
6 months, 3 weeks ago
Solution seems to be valid :

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources
upvoted 6 times

 
mlantonis
Most Recent 
1 month, 1 week ago
Correct Answer: C

All of them. Moving a resource only moves it to a new Resource Group or Subscription. It doesn't change the location of the resource.

Reference:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources#microsoftcompute

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources#microsoftnetwork

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources#microsoftstorage

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources#microsoftrecoveryservices
upvoted 5 times

 
armandolubaba
1 month, 2 weeks ago
C correct
upvoted 1 times

 
sidharthwader
2 months ago
Correct answer. But if its moving the region of the resource then i think azure vault could not be moved. Similarly few more resource's region cant
be changed
upvoted 3 times

 
shnz03
1 week, 4 days ago
Good one! Thank you.
upvoted 1 times

 
ddb116
2 months, 3 weeks ago
C is correct as long as we assume they are in the same tenant.

https://docs.microsoft.com/en-us/azure/backup/backup-azure-move-recovery-services-vault?toc=/azure/azure-resource-manager/toc.json

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 30/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 2 times

 
jam7272
3 months ago
If you are not sure about Recovery Services Vaults - https://docs.microsoft.com/en-us/azure/backup/backup-azure-move-recovery-services-vault?
toc=/azure/azure-resource-manager/toc.json - you can move them.
upvoted 2 times

 
ms70743
3 months, 1 week ago
C is correct
upvoted 2 times

 
mg
3 months, 2 weeks ago
Answer C is correct
upvoted 2 times

 
bacana
3 months, 3 weeks ago
Correct

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources#microsoftcompute

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources#microsoftnetwork

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources#microsoftstorage

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources#microsoftrecoveryservices
upvoted 2 times

 
fedztedz
3 months, 3 weeks ago
Answer is correct. C.
upvoted 3 times

 
toniiv
4 months, 1 week ago
C. is correct
upvoted 4 times

 
waterzhong
4 months, 3 weeks ago
Moving a resource only moves it to a new resource group or subscription. It doesn't change the location of the resource.
upvoted 4 times

 
Parvezazure
4 months, 3 weeks ago
C option is correct
upvoted 1 times

 
Hasi123
5 months, 1 week ago
Came in the exam 15/1/21. C
upvoted 3 times

 
polpum
5 months, 1 week ago
Come in 15/01/2021
upvoted 2 times

 
wanman
5 months, 1 week ago
Where are the correct answers, geeez.....
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 31/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #12 Topic 1

You recently created a new Azure subscription that contains a user named Admin1.

Admin1 attempts to deploy an Azure Marketplace resource by using an Azure Resource Manager template. Admin1 deploys the template by using
Azure

PowerShell and receives the following error message: ‫ג‬€User failed validation to purchase resources. Error message: ‫ג‬€Legal terms have not been
accepted for this item on this subscription. To accept legal terms, please go to the Azure portal (http://go.microsoft.com/fwlink/?LinkId=534873)
and configure programmatic deployment for the Marketplace item or create it there for the first time.‫ג‬€

You need to ensure that Admin1 can deploy the Marketplace resource successfully.

What should you do?

A.
From Azure PowerShell, run the Set-AzApiManagementSubscription cmdlet

B.
From the Azure portal, register the Microsoft.Marketplace resource provider

C.
From Azure PowerShell, run the Set-AzMarketplaceTerms cmdlet

D.
From the Azure portal, assign the Billing administrator role to Admin1

Correct Answer:
C

Reference:

https://docs.microsoft.com/en-us/powershell/module/az.marketplaceordering/set-azmarketplaceterms?view=azps-4.1.0

 
xclusivetp3
Highly Voted 
11 months ago
answer is correct
upvoted 18 times

 
ExamTopics_Yeti
Highly Voted 
11 months ago
on AZ-104 exam on 7/24/2020
upvoted 13 times

 
flash007
Most Recent 
3 weeks, 3 days ago
Right away the billing administrator is not correct as the question mentions powershell so you are left with 3 choices. It doesn't mention API so
again that one appears to be wrong too.

Leaving just 2 choices B & C. again it is mentioning Powershell so answer B mentions the azure portal which is no powershell. So that leaves C
because it does indeed mention powershell and mentions Marketplace which is used in the question too.
upvoted 3 times

 
mlantonis
1 month, 1 week ago
Correct Answer: C

Set-AzMarketplaceTerms -Publisher <String> -Product <String> -Name <String> [-Accept] [-Terms <PSAgreementTerms>] [-DefaultProfile
<IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]

Reference:

https://docs.microsoft.com/en-us/powershell/module/Az.MarketplaceOrdering/Set-AzMarketplaceTerms?view=azps-4.6.0
upvoted 2 times

 
lingxian
2 weeks ago
I found mlantonis's answers are the most credible.
upvoted 1 times

 
armandolubaba
1 month, 2 weeks ago
C is correct
upvoted 1 times

 
ms70743
3 months, 1 week ago
C. Set-AzMarketplaceTerms
upvoted 2 times

 
mg
3 months, 2 weeks ago
Answer C is correct
upvoted 1 times

 
ZUMY
3 months, 2 weeks ago
Answer is correct
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 32/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
Anil_203
3 months, 3 weeks ago
25/02/2021 exam question
upvoted 2 times

 
Sandroal29
4 months ago
the provided answer is correct.
upvoted 2 times

 
toniiv
4 months, 1 week ago
C. is correct (use Set-AzureRmMarketplaceTerms before deployment (one time for any new non-standard Azure product))
upvoted 2 times

 
mikl
4 months, 2 weeks ago
Is this question still on the exam after 27/1-2021?

C seems correct - "Accept or reject terms for a given publisher id(Publisher), offer id(Product) and plan id(Name). Please use Get-
AzMarketplaceTerms to get the agreement terms."
upvoted 2 times

 
kashi1983
4 months, 2 weeks ago
Answer is correct
upvoted 1 times

 
waterzhong
4 months, 3 weeks ago
Accept or reject terms for a given publisher id(Publisher), offer id(Product) and plan id(Name). Please use Get-AzMarketplaceTerms to get the
agreement terms.
upvoted 4 times

 
SPENDAM
5 months ago
Right answer...as we need to define the terms
upvoted 1 times

 
rusll
5 months, 1 week ago
Correct answer, the get is to see the terms, and the set is to accept or reject the terms
upvoted 1 times

 
ms70743
6 months ago
C. Set-AzMarketplaceTerms
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 33/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #13 Topic 1

You have an Azure Active Directory (Azure AD) tenant that contains 5,000 user accounts.

You create a new user account named AdminUser1.

You need to assign the User administrator administrative role to AdminUser1.

What should you do from the user account properties?

A.
From the Licenses blade, assign a new license

B.
From the Directory role blade, modify the directory role

C.
From the Groups blade, invite the user account to a new group

Correct Answer:
B

Assign a role to a user -

1. Sign in to the Azure portal with an account that's a global admin or privileged role admin for the directory.

2. Select Azure Active Directory, select Users, and then select a specific user from the list.

3. For the selected user, select Directory role, select Add role, and then pick the appropriate admin roles from the Directory roles list, such as
Conditional access administrator.

4. Press Select to save.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal

 
dan7777
Highly Voted 
11 months, 1 week ago
This is the correct answer( select Active directory --> Users--> select the username --> Assigned roles --> click on +add Assignments --> select
User administrator role
upvoted 36 times

 
examtakerAZ
Highly Voted 
10 months, 2 weeks ago
Correct Answer given. B
upvoted 9 times

 
needtopassexam
10 months, 2 weeks ago
modify the directory role? I thought we just need to add the user to a proper group?
upvoted 5 times

 
sn0rlaxxx
5 months, 2 weeks ago
AD RBAC role is different from Azure Resources RBAC role.
upvoted 1 times

 
mlantonis
Most Recent 
1 month, 1 week ago
Correct Answer: B

Active Directory -> Manage Section -> Roles and administrators-> Search for Admin and assign a user to it.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal
upvoted 1 times

 
ms70743
3 months, 1 week ago
B is correct
upvoted 1 times

 
mg
3 months, 2 weeks ago
From the Directory role blade, modify the directory role

B is correct
upvoted 2 times

 
ZUMY
3 months, 2 weeks ago
B is correct
upvoted 2 times

 
ZUMY
3 months, 2 weeks ago
B is correct
upvoted 1 times

 
Merma
4 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 34/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

B is Correct https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/AdministrativeRole/userId/

Home>Tenant>Users>AdminUser1 + Add assignments

upvoted 2 times

 
Sandroal29
4 months ago
Without discussion, the provided answer is correct.
upvoted 1 times

 
toniiv
4 months, 1 week ago
B. is correct (AD uses RBAC, role-based access control)
upvoted 1 times

 
aMiPL
4 months, 2 weeks ago
Active Directory -> Manage Section -> Roles and administrators-> Search for Admin and assign a user to it

Correct Answer is: B

upvoted 1 times

 
QiangQiang
4 months, 4 weeks ago
there is no "Directory role" blade, I guess C is the correct answer, you can add the user account to a group which has the required directory role.
upvoted 1 times

 
SScott
4 months, 2 weeks ago
B is right, the answer is incomplete and Azure Active Directory is Directory role blade, selection choice poorly worded. Only guests or vendor
accounts would be invited. Administrator assigned roles are explicit and are directly modified.

https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal

https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/add-change-subscription-administrator
upvoted 2 times

 
ms70743
6 months ago
B is correct
upvoted 1 times

 
ipindado2020
6 months, 2 weeks ago
agree with b
upvoted 1 times

 
syu31svc
7 months, 3 weeks ago
B is correct
upvoted 2 times

 
Vishbsoni
7 months, 3 weeks ago
in the AZ-104 exam on 30/10/2020
upvoted 2 times

 
Paperplane
8 months, 3 weeks ago
B is correct answer
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 35/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #14 Topic 1

You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains 100 user accounts.

You purchase 10 Azure AD Premium P2 licenses for the tenant.

You need to ensure that 10 users can use all the Azure AD Premium features.

What should you do?

A.
From the Licenses blade of Azure AD, assign a license

B.
From the Groups blade of each user, invite the users to a group

C.
From the Azure AD domain, add an enterprise application

D.
From the Directory role blade of each user, modify the directory role

Correct Answer:
A

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/license-users-groups

 
zyta
Highly Voted 
11 months ago
that's true - licences need to be assigned
upvoted 30 times

 
kentarn
10 months, 2 weeks ago
That answer made me lol
upvoted 3 times

 
mlantonis
Highly Voted 
1 month, 1 week ago
Correct Answer: A

Active Directory-> Manage Section > Choose Licenses -> All Products -> Select Azure Active Directory Premium P2 -> Then assign a user to it.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/license-users-groups
upvoted 7 times

 
BenStokes
Most Recent 
9 hours, 32 minutes ago
The answer is without doubt and quite obvious is option A.

Licence is the only way the features will be available for user.
upvoted 1 times

 
Abhi1984
3 weeks, 4 days ago
A is correct
upvoted 1 times

 
armandolubaba
1 month, 2 weeks ago
A is correct
upvoted 1 times

 
ms70743
3 months, 1 week ago
A. Licence need to be assigned
upvoted 1 times

 
mg
3 months, 2 weeks ago
assign license.

A is correct
upvoted 2 times

 
fedztedz
3 months, 3 weeks ago
Answer is correct A. Assign license
upvoted 2 times

 
ZUMY
3 months, 3 weeks ago
A is correct. Go to Azure active directory->License->All Product->Azure AD Premium P2 (Assign the user). Tested in azure (100 Trail License
available)
upvoted 2 times

 
toniiv
4 months, 1 week ago
A. is correct
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 36/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
aMiPL
4 months, 2 weeks ago
Active Directory-> Manage Section > Choose Licenses -> All Products -> Select Azure Active Directory Premium P2 -> Then assign a user to it

Correct answer is: A

upvoted 3 times

 
waterzhong
4 months, 3 weeks ago
Many Azure Active Directory (Azure AD) services require you to license each of your users or groups (and associated members) for that service.
Only users with active licenses will be able to access and use the licensed Azure AD services for which that's true. Licenses are applied per tenant
and do not transfer to other tenants.

Available license plans

There are several license plans available for the Azure AD service, including:

Azure AD Free

Azure AD Premium P1

Azure AD Premium P2
upvoted 2 times

 
Naqsh27
5 months, 2 weeks ago
Once a Azure AD Premium P2 license is purchased, it will be listed under the available Licenses in Azure AD.

Click on it and you will have the option of Assigning it to User or an M365 group.

A is the best possible solution

upvoted 1 times

 
ms70743
6 months ago
Answer is correct. Licence need to be assigned
upvoted 1 times

 
desmondfernando
6 months, 3 weeks ago
Came in exam 02/12/2020
upvoted 2 times

 
tuta
6 months, 3 weeks ago
doubt if you guys are real - seem like MS bots
upvoted 3 times

 
Vishbsoni
7 months, 3 weeks ago
in the AZ-104 exam on 30/10/2020
upvoted 2 times

 
bacana
7 months, 4 weeks ago
Correct.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 37/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #15 Topic 1

You have an Azure subscription named Subscription1 and an on-premises deployment of Microsoft System Center Service Manager.

Subscription1 contains a virtual machine named VM1.

You need to ensure that an alert is set in Service Manager when the amount of available memory on VM1 is below 10 percent.

What should you do first?

A.
Create an automation runbook

B.
Deploy a function app

C.
Deploy the IT Service Management Connector (ITSM)

D.
Create a notification

Correct Answer:
C

The IT Service Management Connector (ITSMC) allows you to connect Azure and a supported IT Service Management (ITSM) product/service,
such as the

Microsoft System Center Service Manager.

With ITSMC, you can create work items in ITSM tool, based on your Azure alerts (metric alerts, Activity Log alerts and Log Analytics alerts).

Reference:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/itsmc-overview

 
OmegaGeneral
Highly Voted 
10 months, 1 week ago
Correct, you can use the connector to bridge them together
upvoted 15 times

 
superfdawg
Highly Voted 
10 months ago
in exam, august 21st 2020
upvoted 9 times

 
mlantonis
Most Recent 
1 month, 1 week ago
Correct Answer: C

IT Service Management Connector (ITSMC) allows you to connect Azure to a supported IT Service Management (ITSM) product or service. Azure
services like Azure Log Analytics and Azure Monitor provide tools to detect, analyze, and troubleshoot problems with your Azure and non-Azure
resources. But the work items related to an issue typically reside in an ITSM product or service. ITSMC provides a bi-directional connection between
Azure and ITSM tools to help you resolve issues faster. ITSMC supports connections with the following ITSM tools: ServiceNow, System Center
Service Manager, Provance, Cherwell.

Reference:

https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/itsmc-overview
upvoted 3 times

 
armandolubaba
1 month, 2 weeks ago
C is correct
upvoted 1 times

 
londonboy
3 months, 1 week ago
C is correct
upvoted 3 times

 
mg
3 months, 2 weeks ago
C

Deploy the IT Service Management Connector (ITSM)

upvoted 3 times

 
fedztedz
3 months, 3 weeks ago
Answer is Correct C

Deploy the IT Service Management Connector

upvoted 2 times

 
Sandroal29
4 months ago
The provided answer is correct.
upvoted 1 times

 
toniiv
4 months, 1 week ago
C. is correct (ITSM connector deployment)
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 38/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
mikl
4 months, 2 weeks ago
Seems correct.

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/itsmc-overview
upvoted 1 times

 
waterzhong
4 months, 3 weeks ago
ITSMC supports connections with the following ITSM tools:

ServiceNow

System Center Service Manager

Provance

Cherwell
upvoted 1 times

 
stargodwin
5 months ago
the answer is very correct
upvoted 1 times

 
Meesaw
5 months, 3 weeks ago
Came in exam 01 Jan 2021
upvoted 1 times

 
ms70743
6 months ago
C. Deploy the IT Service Management Connector (ITSM)
upvoted 1 times

 
waterzhong
6 months, 1 week ago
IT Service Management Connector (ITSMC) allows you to connect Azure to a supported IT Service Management (ITSM) product or service.

Azure services like Azure Log Analytics and Azure Monitor provide tools to detect, analyze, and troubleshoot problems with your Azure and non-
Azure resources. But the work items related to an issue typically reside in an ITSM product or service. ITSMC provides a bi-directional connection
between Azure and ITSM tools to help you resolve issues faster.

ITSMC supports connections with the following ITSM tools:

ServiceNow

System Center Service Manager

Provance

Cherwell
upvoted 3 times

 
JustMe84
6 months, 2 weeks ago
Test today (12/10/2020), Passed, answered "C" for this question in exam
upvoted 1 times

 
ipindado2020
6 months, 2 weeks ago
c is correct
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 39/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #16 Topic 1

You sign up for Azure Active Directory (Azure AD) Premium.

You need to add a user named [email protected] as an administrator on all the computers that will be joined to the Azure AD domain.

What should you configure in Azure AD?

A.
Device settings from the Devices blade

B.
Providers from the MFA Server blade

C.
User settings from the Users blade

D.
General settings from the Groups blade

Correct Answer:
A

When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principles to the local
administrators group on the device:

✑ The Azure AD global administrator role

✑ The Azure AD device administrator role

✑ The user performing the Azure AD join

In the Azure portal, you can manage the device administrator role on the Devices page. To open the Devices page:

1. Sign in to your Azure portal as a global administrator or device administrator.

2. On the left navbar, click Azure Active Directory.

3. In the Manage section, click Devices.

4. On the Devices page, click Device settings.

5. To modify the device administrator role, configure Additional local administrators on Azure AD joined devices.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin

 
prashantjoge
Highly Voted 
6 months, 1 week ago
I studied from Microsoft learn for az-104. So far all the questions look alien to me. Dont know the answer to most of them. I wonder if its the same
with others. They say that you shouldn't use dumps. But It seems like dumps is the only way to go, if they make the exams so tough
upvoted 59 times

 
VVR141
6 days, 23 hours ago
I would say you are not alone, most of us do face this, coz these exams best suite to level of an experienced persons, and for others best way is
to gain the knowledge of the Azure and then use the dumps to crack the exam, as we all know exam is different from to be able to perform
azure jobs. So in simple, use combo for any exam.
upvoted 1 times

 
shnz03
2 weeks, 3 days ago
Please consider Github az-104 labs.
upvoted 1 times

 
Dizzu
1 month ago
this is quite true. I've been studying for the exam for weeks now without looking at dumps (per advice from a Youtube tutor), now it's 2 days to
my exam, I'm finally checking out dumps & I immediately regret wasting all that time studying. I could have done this exam weeks ago with
dumps alone, now I went through like 200 questions & can't boast of 10 correct answers from all that study. Such a waste. Absolutely hate that
I'm having to rush through these dumps now.
upvoted 12 times

 
hbadger25
3 weeks, 1 day ago
Did you pass the exam?
upvoted 2 times

 
Thanu001
1 month ago
totally agree with you. I do the same. But when I refer this site I feel more comfortable in the exam
upvoted 1 times

 
OmegaGeneral
Highly Voted 
10 months, 1 week ago
Correct you can specifically specify administrator roles on the devices through device settings in the Azure portal
upvoted 14 times

 
alisyech
Most Recent 
2 days, 18 hours ago
A is correct answer
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 40/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
mlantonis
1 month, 1 week ago
Correct Answer: A

When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principles to the local
administrators group on the device:

✑ The Azure AD global administrator role

✑ The Azure AD device administrator role

✑ The user performing the Azure AD join

In the Azure portal, you can manage the device administrator role on the Devices page. To open the Devices page:

1. Sign in to your Azure portal as a global administrator or device administrator.

2. On the left navbar, click Azure Active Directory.

3. In the Manage section, click Devices.

4. On the Devices page, click Device settings.

5. To modify the device administrator role, configure Additional local administrators on Azure AD joined devices.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin
upvoted 6 times

 
londonboy
3 months, 1 week ago
A is correct. Just tried it!
upvoted 1 times

 
mg
3 months, 2 weeks ago
A is correct. Device settings from the devices blade
upvoted 1 times

 
fedztedz
3 months, 3 weeks ago
Answer is correct A. Device Settings
upvoted 4 times

 
Richy_money
1 month, 3 weeks ago
hello fedztedz, please what material did you use to prepare. you are very knowledgeable on this. please reply
upvoted 1 times

 
ZUMY
3 months, 3 weeks ago
A is correct!
upvoted 1 times

 
StixxNSnares
4 months ago
Correct
upvoted 1 times

 
ss911
4 months ago
Correct, see in my AD
upvoted 1 times

 
toniiv
4 months, 1 week ago
A. is correct
upvoted 1 times

 
ss911
4 months, 1 week ago
Correct

Check in my Azure subscription

upvoted 1 times

 
waterzhong
4 months, 3 weeks ago
Device administrators are assigned to all Azure AD joined devices. You cannot scope device administrators to a specific set of devices. Updating the
device administrator role doesn't necessarily have an immediate impact on the affected users. On devices where a user is already signed into, the
privilege elevation takes place when both the below actions happen:

Upto 4 hours have passed for Azure AD to issue a new Primary Refresh Token with the appropriate privileges.

User signs out and signs back in, not lock/unlock, to refresh their profile.
upvoted 1 times

 
ms70743
6 months ago
Device - Device Settings
upvoted 1 times

 
waterzhong
6 months, 1 week ago
n the Azure portal, you can manage the device administrator role on the Devices page
upvoted 1 times

 
ipindado2020
6 months, 2 weeks ago
a is correct

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 41/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times

 
desmondfernando
6 months, 3 weeks ago
Came in exam 02/12/2020
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 42/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #17 Topic 1

HOTSPOT -

You have Azure Active Directory tenant named Contoso.com that includes following users:

Contoso.com includes following Windows 10 devices:

You create following security groups in Contoso.com:

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: Yes -

User1 is a Cloud Device Administrator.

Device2 is Azure AD joined.

Group1 has the assigned to join type. User1 is the owner of Group1.

Note: Assigned groups - Manually add users or devices into a static group.

Azure AD joined or hybrid Azure AD joined devices utilize an organizational account in Azure AD

Box 2: No -

User2 is a User Administrator.

Device1 is Azure AD registered.

Group1 has the assigned join type, and the owner is User1.

Note: Azure AD registered devices utilize an account managed by the end user, this account is either a Microsoft account or another locally
managed credential.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 43/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Box 3: Yes -

User2 is a User Administrator.

Device2 is Azure AD joined.

Group2 has the Dynamic Device join type, and the owner is User2.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/devices/overview

 
OmarMac
Highly Voted 
6 months, 3 weeks ago
This is totally wrong. If both groups are owned by user2 then user1 cannot add device2 to group1. User1 can only delete, disable, & enable devices.
User2 is able to create/delete and add/remove group membership. Dynamic Device: Administrators create dynamic group rules to automatically
add and remove devices.

https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#cloud-device-administrator-permissions

https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator-permissions

https://docs.microsoft.com/en-us/mem/intune/fundamentals/groups-add

Owner of all groups - User2

User1 can add Device2 to Group1 - No

User2 can add Device1 to Group1 - Yes

User2 can add Device2 to Group2 - No

Owner of groups - User1 (Group1) & User2 (Group2)

User1 can add Device2 to Group1 - Yes

User2 can add Device1 to Group1 - Yes

User2 can add Device2 to Group2 - No

upvoted 114 times

 
Alimister
1 week, 1 day ago
in the second scenario of Owner of groups - User1 (Group1) & User2 (Group2) how user 2 can add device 1 to group 1...user 2 is not the owner
of group 1
upvoted 3 times

 
ph4nt0m01
3 weeks, 1 day ago
This answer is correct.

Adding additional notes that Cloud Administrator cannot add devices to groups, unless Cloud Administrator has additional permissions through
other groups or Cloud Administrator is owner of the group.

Here is what Cloud Admin can do:

- Read all properties on audit logs, including privileged properties

- Read bitlocker metadata and key on devices

- Delete devices from Azure AD

- Disable devices in Azure AD

- Enable devices in Azure AD

- Read standard properties on device management application policies

- Update basic properties on device management application policies

- Read standard properties on device registration policies

- Update basic properties on device registration policies

- Read all properties on sign-in reports, including privileged properties

- Read and configure Azure Service Health

- Read and configure Service Health in the Microsoft 365 admin center

- Read all properties on audit logs, including privileged properties

upvoted 3 times

 
ph4nt0m01
3 weeks, 1 day ago
I meant OmarMac's answer is correct.
upvoted 2 times

 
tera_baap
1 month ago
Agree but for Dynamic Group user2 can update the query to add Device2 to Group2.
upvoted 1 times

 
Kiano
2 months, 1 week ago
Cloud Device Administrator has Full Access to manage devices in Azure AD, so he will be able to add Device 2 to Group 1, so I believe the first
one should be YES.
upvoted 2 times

 
RamanAgarwal
3 weeks ago
He is not a group owner so cant add device to group.
upvoted 1 times

 
lcdr_scl
1 month ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 44/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Hi... please take a look at this https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#cloud-device-

administrator

According the MS documentation the Cloud Adminstrator

"Users in this role can enable, disable, and delete devices in Azure AD and read Windows 10 BitLocker keys (if present) in the Azure portal.
The role does not grant permissions to manage any other properties on the device."

OmarMac answer is correct..

Regards
upvoted 2 times

 
Kiano
2 months, 1 week ago
Funny, the URL you posted describes the permissions for Cloud Device Administrator as: Limited access to manage devices in Azure AD. But
in Azure AD the description of the role is: Full access to manage devices in Azure AD. I trust Azure AD portal more.

I think the answer might be:

Yes The cloud device admin has full access to manage devices in AAD. And that might mean adding the device to a group.

No: Because device1 is only AAD registered and not joined and User 2 is only User Admin, but he may or may not be owner of Group 1.

Yes, Because User2 i again both the owner of the group and also Cloud Device Admin.
upvoted 1 times

 
r_s880
2 months ago
yes in the Azure portal has mentioned Full access to manage devices in Azure AD

But if you open the role and read the role's description it mentioned this role has limited access so OmarMac answer is valid
upvoted 3 times

 
Giannis8
Highly Voted 
6 months, 1 week ago
Correct answer is:

No (Cloud administrators can manage devices, not group membership)

Yes (User administrators can manage all aspects of security groups)

No (Dynamic membership)

Tested in lab
upvoted 48 times

 
rgullini
3 months, 1 week ago
I trust this one just because you say "Tested" in lab.
upvoted 4 times

 
yoelalan14
5 months, 4 weeks ago
If we consider that 'User 2' is the owner of Group 1, then your answer is correct; but on the explanation, it clearly states that 'User 1' is the owner
of Group 1, hence, "User 1 CAN add a device to Group 1"
upvoted 1 times

 
kantzy
6 months ago
I agree with this answer.
upvoted 1 times

 
aaa112
6 months ago
User1 (cloud device admin) can add DEVICE2 (it's a device) to Group1, hence it's YES
upvoted 2 times

 
Delanase
Most Recent 
4 days, 18 hours ago
NYN

User1 is not the owner of Group1 and the Devices can not be added in dynamic group
upvoted 2 times

 
xoe123
1 week ago
NO

Yes

Users or devices can not be added to dynamic groups only can be added to assigned group
upvoted 1 times

 
Gautam123
1 week, 6 days ago
User1 can add Device2 to Group1 - No

User2 can add Device1 to Group1 - Yes

User2 can add Device2 to Group2 - No

upvoted 2 times

 
Tranquillo1811
2 weeks, 6 days ago
The correct answers here are: No, Yes, No

1. the role "Cloud device administrator" is NOT allowed to edit any group membership (https://docs.microsoft.com/en-us/azure/active-
directory/roles/permissions-reference#cloud-device-administrator)

2. the role "User administrator" has the right on action "microsoft.directory/groups/members/update" (Update members of Security groups and
Microsoft 365 groups, excluding role-assignable groups) (https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-
reference#user-administrator)

3. "You can't manually add or remove a member of a dynamic group." (https://docs.microsoft.com/en-us/azure/active-directory/enterprise-

users/groups-dynamic-membership)
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 45/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 2 times

 
Thyfere
3 weeks, 2 days ago
Btw, as per Hotspot, it's not mentioned the User1 is the owner of Group1. I am not sure why it's mentioned in the Answer section. If we stick with
the Hotspot in the question, first one is No.
upvoted 1 times

 
Thyfere
3 weeks, 2 days ago
First answer is definitely No because it's a cloud device administrator, she has nothing to do with the users.

Second is Yes because User2 is User Administrator that add to the groups. As per hotspot, User2 is also the owner of the Group2

Third is also definitely No because you can't add or delete from the Dynamic Groups.
upvoted 1 times

 
CARIOCA
1 month ago
This question is very divided in the feedback, after all what would be the answer and which justified it?

After a debate of 70 comments, is the final answer to the question the same or not?

My humble suggestion for the Exam Topics would be to have an official moderator who, depending on the debate on the issues, should be
responsible for changing the submitted template.

 
mlantonis
1 month, 1 week ago
Correct Answer:

Box 1: No

Cloud administrators can manage devices, not group membership. Group1 is also an Assigned Group.

Box 2: Yes

User administrators can manage all aspects of Security Groups. Group1 is also an Assigned Group.

Box 3: No

Dynamic membership. You cannot add Members to Dynamic Groups. Group 2 is a Dynamic Group, so you cannot add devices or users to dynamic
groups. Dynamic groups can only add members by a defined rule.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference

https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership
upvoted 4 times

 
vamshidhara
1 month, 1 week ago
User1 (Cloud Device administrator) cannot add members to Group1 or Group 2 since he is not the owner of that groups

User 2 (User administrator) can update the membership of any assigned group, regardless of whether he is owner of the group or not because
User administrator role has the permission to update group membership. He can add users, devices, to any assigned group in Azure AD.

But User 2 can't manually add or remove a member of a dynamic group.

No Yes No
upvoted 2 times

 
Kmesa
1 month, 1 week ago
Azure Active Directory (Azure AD) groups are owned and managed by group owners. Group owners can be users or service principals, and are able
to manage the group including membership. Only existing group owners or group-managing administrators can assign group owners. Group
owners aren't required to be members of the group.

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-accessmanagement-managing-group-
owners#:~:text=Azure%20Active%20Directory%20(Azure%20AD,administrators%20can%20assign%20group%20owners.

The answer explanation does not match to the question. the Owner of Group1 is User2

The answers should be yes, yes, yes

upvoted 1 times

 
Highandry
1 month, 1 week ago
So TLDR it is

NO - Because User1 is Cloud Device Manager and not owner of group 1, User1 can add devices to the Azure tenant (If not part of any security
group, unless User1 is owner of said group

YES - User2 is owner of group she he can join.

NO - cannot add to dynamic group period, this goes even if you're owner

Am I getting this right?

upvoted 1 times

 
ashishg2105
1 month, 3 weeks ago
It should be YES, YES, NO
upvoted 2 times

 
MamaliP
1 month, 3 weeks ago
User2 is having user administrator role. How he can add device to group?SO, 3rd answer is No

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 46/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times

 
JackTT
1 month, 3 weeks ago
Thank you
upvoted 1 times

 
Nihar258255
1 month, 4 weeks ago
as per udemy its YYN
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 47/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #18 Topic 1

You have an Azure subscription that contains a resource group named RG26.

RG26 is set to the West Europe location and is used to create temporary resources for a project. RG26 contains the resources shown in the
following table.

SQLDB01 is backed up to RGV1.

When the project is complete, you attempt to delete RG26 from the Azure portal. The deletion fails.

You need to delete RG26.

What should you do first?

A.
Delete VM1

B.
Stop VM1

C.
Stop the backup of SQLDB01

D.
Delete sa001

Correct Answer:
C

 
Azurite
Highly Voted 
4 months, 2 weeks ago
Answer C is correct. But this is how I would explain. When you delete a resource group, all resources in the resource group are also deleted but the
Resource group has recovery service vault with active backup. You can’t delete recovery service vault with dependencies. So, First you have to stop
the backup. Then you have to delete the backup in recovery service vault , but backup goes into soft deleted status. The soft deleted items will be
permanently deleted only after 14 days of delete operation Only after permanent deletion, you can delete the recovery service vault or resource
group RG26.

Here are the other possible dependencies for recovery service vault before it can be deleted., which could be used to twist the question.

• You can't delete a vault that contains protected data sources (for example, IaaS VMs, SQL databases, Azure file shares).

• You can't delete a vault that contains backup data. Once backup data is deleted, it will go into the soft deleted state.

• You can't delete a vault that contains backup data in the soft deleted state.

• You can't delete a vault that has registered storage accounts.

upvoted 63 times

 
Highandry
1 month, 1 week ago
What about the storage account? Are you unable to delete because there is data stored in the storage account?
upvoted 1 times

 
fedztedz
Highly Voted 
6 months, 2 weeks ago
Stop the backup. Answer is correct
upvoted 14 times

 
Ajkeshy
4 days, 15 hours ago
I agree
upvoted 1 times

 
omhari
Most Recent 
2 weeks, 6 days ago
First of all to stop Azure SQL backup to release this dependency and be able to remove the RG.

Correct Ans -C
upvoted 1 times

 
Tranquillo1811
2 weeks, 6 days ago
no two opions here: C is correct!
upvoted 1 times

 
mlantonis
1 month, 1 week ago
Correct Answer: C
upvoted 1 times

 
alwaro
1 month, 1 week ago
C is correct
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 48/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
armandolubaba
1 month, 2 weeks ago
C is correct, stop the backup
upvoted 1 times

 
fedztedz
3 months, 3 weeks ago
Answer is correct. C. Stop the backup
upvoted 2 times

 
ZUMY
3 months, 3 weeks ago
C: is correct!
upvoted 3 times

 
toniiv
4 months, 1 week ago
C. is correct
upvoted 1 times

 
toniiv
3 months, 4 weeks ago
Although Azure Services Vault is not used for the Azure SQL backup, it will be required to stop Azure SQL backup to release this dependency
and be able to remove the RG.
upvoted 2 times

 
veponi3975
5 months, 1 week ago
: C

https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault

You can't delete a Recovery Services vault with any of the following dependencies:

• You can't delete a vault that contains protected data sources (for example, IaaS VMs, SQL databases, Azure file shares).

• You can't delete a vault that contains backup data. Once backup data is deleted, it will go into the soft deleted state.

• You can't delete a vault that contains backup data in the soft deleted state.

• You can't delete a vault that has registered storage accounts.

upvoted 5 times

 
Meesaw
5 months, 3 weeks ago
Came in exam 01 Jan 2021
upvoted 3 times

 
ms70743
6 months ago
C. Stop the Backup
upvoted 1 times

 
JustMe84
6 months, 2 weeks ago
Test today (12/10/2020), Passed, answered "C" for this question in exam
upvoted 3 times

 
Sir_blaze
6 months, 3 weeks ago
SQL DB creates backup automatically, IIRC.
upvoted 2 times

 
jankip
6 months, 3 weeks ago
There is no SQL DB01 backup running under RG6
upvoted 2 times

 
Borbz
6 months, 3 weeks ago
SQLDB01 is backed up to RGV1.

All the resources on the table belong to RG26

upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 49/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #19 Topic 1

You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1.

Subscription1 has a user named User1. User1 has the following roles:

✑ Reader

✑ Security Admin

Security Reader -

You need to ensure that User1 can assign the Reader role for VNet1 to other users.

What should you do?

A.
Remove User1 from the Security Reader role for Subscription1. Assign User1 the Contributor role for Subscription1.

B.
Assign User1 the Owner role for VNet1.

C.
Assign User1 the Network Contributor role for VNet1.

D.
Assign User1 the Network Contributor role for RG1.

Correct Answer:
B

Has full access to all resources including the right to delegate access to others.

Note:

There are several versions of this question in the exam. The question can have other incorrect answer options, including the following:

1. Name Server (NS)

2. Assign User1 the Contributor role for VNet1.

3. Remove User1 from the Security Reader and Reader roles for Subscription1. Assign User1 the Contributor role for Subscription1.

Reference:

https://docs.microsoft.com/en-us/azure/role-based-access-control/overview

 
ScreamingHand
Highly Voted 
3 weeks ago
Reader: View all resources, but does not allow you to make any changes.

Contributer: Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure
Blueprints, or share image galleries.

Owner: Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.

Scope: VNET1

So answer B must be correct

upvoted 10 times

 
Tshepuna
2 weeks, 2 days ago
thanks ScreamingHand
upvoted 2 times

 
Deyvessh
Most Recent 
17 hours, 26 minutes ago
Owner - Full Access to all resources

Contributor - Create and Manage all of types of Azure resources, Create a New tanant in Azure Active Directory but can't grant access to others

Reader - View Azure resources

User Access Administrator - Manage User access to Azure Resources

upvoted 1 times

 
lingxian
3 weeks ago
The answer is correct, B
upvoted 1 times

 
yigido
3 weeks, 1 day ago
correct
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 50/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #20 Topic 1

You have an Azure Active Directory (Azure AD) tenant named contosocloud.onmicrosoft.com.

Your company has a public DNS zone for contoso.com.

You add contoso.com as a custom domain name to Azure AD.

You need to ensure that Azure can verify the domain name.

Which type of DNS record should you create?

A.
MX

B.
NSEC

C.
PTR

D.
RRSIG

Correct Answer:
A

To verify your custom domain name (example)

1. Sign in to the Azure portal using a Global administrator account for the directory.

2. Select Azure Active Directory, and then select Custom domain names.

3. On the Fabrikam - Custom domain names page, select the custom domain name, Contoso.

4. On the Contoso page, select Verify to make sure your custom domain is properly registered and is valid for Azure AD. Use either the TXT or
the MX record type.

Note:

There are several versions of this question in the exam. The question can have two correct answer:

1. MX

2. TXT

The question can also have other incorrect answer options, including the following:

1. SRV

2. NSEC3

Reference:

https://docs.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain

 
ms70743
Highly Voted 
6 months ago
TXT and MX are valid answers.
upvoted 16 times

 
sidharthwader
Highly Voted 
1 month, 3 weeks ago
So guys i will try to give an expiation to this question.

When you add a custom domain in azure u are not allowed to use that unless u prove its your domain.So once u add the custom domain name
azure asks u to verify and you have to provide some inputs to verify that its your these inputs can be provided in TXT or MX. So its MX in this case
upvoted 8 times

 
JayBee65
1 week, 6 days ago
Thank you - the process is covered here where you can see either TXT or MX can be chosen: https://docs.microsoft.com/en-us/azure/active-
directory/fundamentals/add-custom-domain
upvoted 2 times

 
Balram7
1 month ago
Thank you
upvoted 1 times

 
Deyvessh
Most Recent 
17 hours, 19 minutes ago
Once you added your Unverified Domain (According to Azure) you need to create a TXT or MX Record to Configure DNS then you copy all the
information provided and Add your DNS Information to the Domain Registrar, Generally It takes an hour to verify domain Status, you can go ahead
in the Custom Domain Names Setting and click verify and Information will be refreshed once its Verified.
upvoted 1 times

 
Deyvessh
17 hours, 13 minutes ago
TXT - TXT Records is a type of Domain Name System that contains Text Information for Sources outside of your Domain. Generally Companies
uses it to verify Custom Domain Ownership

MX - Mail Exchanger Record specifies the Mail Server responsible for email messages on behalf of Domain Name.
upvoted 1 times

 
CARIOCA
3 weeks, 5 days ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 51/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Will the variations of these questions always fall into the TXT or MX options, or is there any variation of the question that the answer goes to both
options or between the two, will any prevail in the final answer?

In this specific debate, the answer is MX and does not even have the TXT option in the answer, so it is correct.
upvoted 2 times

 
mlantonis
1 month, 1 week ago
Correct Answer: A

TXT and MX can be both correct answers.

upvoted 1 times

 
Kmesa
1 month, 1 week ago
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain
upvoted 1 times

 
armandolubaba
1 month, 1 week ago
Mx is correct answer
upvoted 2 times

 
nikhilmehra
1 month, 4 weeks ago
TXT in exam list
upvoted 4 times

 
shnz03
2 weeks, 3 days ago
Good one! Thanks
upvoted 1 times

 
farhad090
2 months ago
In the exam there is not any answer with MX record.
upvoted 1 times

 
londonboy
3 months, 1 week ago
It should be TXT record in dns.
upvoted 1 times

 
ZUMY
3 months, 3 weeks ago
TXT or MX . In this answer list it's MX
upvoted 2 times

 
I
4 months ago
The answer is correct. And here is the right reference:

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain#add-your-custom-domain-name-to-azure-ad
upvoted 1 times

 
toniiv
4 months, 1 week ago
A. is correct (either TXT or MX record in your DNS server will be ok)
upvoted 1 times

 
Azurite
4 months, 2 weeks ago
On the custom domain name window, the record type options are TXT and MX. TXT is preferred but since it is not provided as an answer, the
closest answer is MX
upvoted 2 times

 
mikl
4 months, 2 weeks ago
I cant find anywhere it says MX - MX is for email servers.

https://docs.microsoft.com/en-us/azure/dns/dns-zones-records
upvoted 2 times

 
AZ764
5 months, 1 week ago
TXT record is the correct answer. MX record would ONLY be if you were setting up email configurations. This question does not specify email is
required, thus a TXT record is the correct answer
upvoted 2 times

 
shnz03
2 weeks, 3 days ago
I disagree. Both TXT and MX records are supported for custom domain name.
upvoted 1 times

 
PBA1211
5 months, 2 weeks ago
it is confusing:

Follwowibng the link with this question it should be A or Txt.

New-AzDnsRecordSet -ZoneName contoso.com -ResourceGroupName MyAzureResourceGroup `

-Name "@" -RecordType "txt" -Ttl 600 `

-DnsRecords (New-AzDnsRecordConfig -Value "contoso.azurewebsites.net")

When you follow the link of @4thehell, TXT and MX is correct...

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 52/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 53/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #21 Topic 1

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named
Developers.

Subscription1 contains a resource group named Dev.

You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.

Solution: On Subscription1, you assign the DevTest Labs User role to the Developers group.

Does this meet the goal?

A.
Yes

B.
No

Correct Answer:
B

DevTest Labs User role only lets you connect, start, restart, and shutdown virtual machines in your Azure DevTest Labs.

The Logic App Contributor role lets you manage logic app, but not access to them. It provides access to view, edit, and update a logic app.

Reference:

https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles https://docs.microsoft.com/en-us/azure/logic-apps/logic-
apps-securing-a-logic-app

 
asd1234asd
Highly Voted 
8 months ago
Clearly No, Azure DevTest Labs is a service that has nothing to do with Logic App
upvoted 14 times

 
chaudha4
1 month, 1 week ago
Trick question. Too much use of "dev" keyword to trick people into thinking that somehow DevTest Labs is related to all these "dev" resources !!
upvoted 2 times

 
mlantonis
Most Recent 
1 month, 1 week ago
Correct Answer: B

The Azure DevTest Labs is a role used for Azure DevTest Labs, not for Logic Apps.

DevTest Labs User role only lets you connect, start, restart, and shutdown virtual machines in your Azure DevTest Labs.

The Logic App Contributor role lets you manage logic app, but not access to them. It provides access to view, edit, and update a logic app.

Reference:

https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app

https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#devtest-labs-user
upvoted 3 times

 
Lilyli
1 week, 1 day ago
What does "let you manage logic app ,but not access to them" mean? if you can manage them ,why can't you access to them?
upvoted 1 times

 
nfett
1 month, 4 weeks ago
Its no. Verified it from the link provided.
upvoted 1 times

 
ms70743
3 months, 1 week ago
Answer is B
upvoted 2 times

 
mg
3 months, 2 weeks ago
B is correct

DevTest Labs is a role used for Azure DevTest Labs not Logic App.
upvoted 1 times

 
ZUMY
3 months, 2 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 54/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

B is correct
upvoted 1 times

 
Sandroal29
4 months ago
The provided answer is correct. AD group needs to be granted a contributor role to be able to create resources in the RG.
upvoted 1 times

 
toniiv
4 months, 1 week ago
B. is correct (DevTest Labs is an environment which provides a service, not related to Logic Apps)
upvoted 1 times

 
waterzhong
4 months, 2 weeks ago
Logic App Contributor: Lets you manage logic apps, but you can't change access to them.

Logic App Operator: Lets you read, enable, and disable logic apps, but you can't edit or update them.
upvoted 1 times

 
fedztedz
6 months, 2 weeks ago
Answer is correct . NO (B).

The Azure DevTest Labs is a role used with Azure DevTest Labs not Logic App.
upvoted 3 times

 
Raakezz
6 months, 2 weeks ago
Cum 12/05/2020
upvoted 2 times

 
SSTan
6 months, 3 weeks ago
It will need LogicApp contributor role.
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 55/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #22 Topic 1

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named
Developers.

Subscription1 contains a resource group named Dev.

You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.

Solution: On Subscription1, you assign the Logic App Operator role to the Developers group.

Does this meet the goal?

A.
Yes

B.
No

Correct Answer:
B

You would need the Logic App Contributor role.

Reference:

 
OmarMac
Highly Voted 
6 months, 3 weeks ago
Logic App Operator Role - Lets you read, enable, and disable logic apps, but not edit or update them.
upvoted 20 times

 
mlantonis
Highly Voted 
1 month, 1 week ago
Correct Answer: B

You would need the Logic App Contributor role.

Logic App Operator - Lets you read, enable, and disable logic apps, but not edit or update them.

Logic App Contributor - Lets you create, manage logic apps, but not access to them.

Reference:

https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app

https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#logic-app-operator
upvoted 5 times

 
armandolubaba
Most Recent 
1 month, 2 weeks ago
Correct answer is B
upvoted 1 times

 
nfett
1 month, 4 weeks ago
B is correct. OmarMac provided the correct properties of this user.
upvoted 1 times

 
ms70743
3 months, 1 week ago
B is correct.

To be able to create logic apps, you need Logic App Contributor

upvoted 1 times

 
mg
3 months, 2 weeks ago
B Answer is correct

Logic App Operator - Lets you read, enable, and disable logic apps, but not edit or update them.

Logic App Contributor - Lets you create, manage logic apps, but not access to them.
upvoted 1 times

 
ZUMY
3 months, 2 weeks ago
B is correct
upvoted 2 times

 
Sandroal29
4 months ago
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 56/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

The operator role is not enough. The proper role is the contributor role.
upvoted 1 times

 
toniiv
4 months, 1 week ago
B. is correct (Logic App operator has no rights to add new Logic Apps)
upvoted 1 times

 
mikl
4 months, 2 weeks ago
Answer is no.

You need to be Contributor to Create - Operator cannot do that.

Logic App Contributor Lets you manage logic apps, but not change access to them.

Logic App Operator Lets you read, enable, and disable logic apps, but not edit or update them.
upvoted 1 times

 
fedztedz
6 months, 2 weeks ago
Answer is correct . NO (B).

Logic App Operator: Lets you read, enable, and disable logic apps, but you can't edit or update them.

To be able to create logic apps, you need Logic App Contributor

upvoted 3 times

 
Raakezz
6 months, 2 weeks ago
Cum 12/05/2020
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 57/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #23 Topic 1

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named
Developers.

Subscription1 contains a resource group named Dev.

You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.

Solution: On Dev, you assign the Contributor role to the Developers group.

Does this meet the goal?

A.
Yes

B.
No

Correct Answer:
A

The Contributor role can manage all resources (and add resources) in a Resource Group.

 
fedztedz
Highly Voted 
6 months, 2 weeks ago
Answer is Correct. YES (A)

Contributor role can create logic apps

upvoted 13 times

 
mlantonis
Most Recent 
1 month, 1 week ago
Correct Answer: A

The Contributor role can manage all resources (and add resources) in a Resource Group. Contributor role can create logic apps.

Alternatively, we can use the Logic App Contributor role, which lets you manage logic app, but not access to them. It provides access to view, edit,
and update a logic app.

Reference:

https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#contributor

https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#logic-app-contributor
upvoted 1 times

 
leonmflai4exam
1 month, 2 weeks ago
Answer should be No (B). In case Contributor Role is assigned to RG => Dev. It will prompts subscription has no permission during resource
creation. We can only create the Logic Apps when Contributor role is assigned in Subsription
upvoted 1 times

 
nfett
1 month, 4 weeks ago
A is correct answer.

Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share
image galleries.
upvoted 2 times

 
MrRom25
3 months ago
I think is NO since it should be "Logic App Contributor Role" and not only "Contributor Role"
upvoted 2 times

 
ZUMY
3 months, 2 weeks ago
Sorry moderator pls rm my pre. Commt. Mistake

A is correct
upvoted 3 times

 
ZUMY
3 months, 2 weeks ago
B is correct
upvoted 2 times

 
Sandroal29
4 months ago
The contributor role set for this group is sufficient for the group to create new resources in the resource group. So, the provided answer is correct.
upvoted 4 times

 
toniiv
4 months, 1 week ago
A. is correct
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 58/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
TheOne1
4 months, 3 weeks ago
Correct. The only thing the contributor role couldn't do is change user permissions on the resource group, only the owner can do this. But all that is
required is the contributor role for this question.
upvoted 3 times

 
Raakezz
6 months, 2 weeks ago
Cum 12/05/2020
upvoted 4 times

 
KarryD
4 months, 2 weeks ago
BOT with spell mistake?
upvoted 5 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 59/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #24 Topic 1

DRAG DROP -

You have an Azure subscription that is used by four departments in your company. The subscription contains 10 resource groups. Each
department uses resources in several resource groups.

You need to send a report to the finance department. The report must detail the costs for each department.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.

Select and Place:

Correct Answer:

Box 1: Assign a tag to each resource.

You apply tags to your Azure resources giving metadata to logically organize them into a taxonomy. After you apply tags, you can retrieve all the
resources in your subscription with that tag name and value. Each resource or resource group can have a maximum of 15 tag name/value pairs.
Tags applied to the resource group are not inherited by the resources in that resource group.

Box 2: From the Cost analysis blade, filter the view by tag

After you get your services running, regularly check how much they're costing you. You can see the current spend and burn rate in Azure portal.

1. Visit the Subscriptions blade in Azure portal and select a subscription.

You should see the cost breakdown and burn rate in the popup blade.

2. Click Cost analysis in the list to the left to see the cost breakdown by resource. Wait 24 hours after you add a service for the data to
populate.

3. You can filter by different properties like tags, resource group, and timespan. Click Apply to confirm the filters and Download if you want to
export the view to a

Comma-Separated Values (.csv) file.

Box 3: Download the usage report

Reference:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags https://docs.microsoft.com/en-
us/azure/billing/billing-getting-started

 
moekyisin
Highly Voted 
6 months, 3 weeks ago
Ans is correct
upvoted 8 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 60/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
Natoc
Most Recent 
2 weeks ago
its correct
upvoted 1 times

 
Paul74
2 weeks, 2 days ago
6-Jun-21 exam question
upvoted 3 times

 
PrawinG
2 weeks ago
Paul74 - 104 dump here alone sufficient to pass the exam ? Please confirm.
upvoted 1 times

 
Paul74
2 days, 23 hours ago
It covers around 50 to 60% of the Questions. if we know the concept we can manage the remaining questions
upvoted 1 times

 
ScreamingHand
3 weeks ago
Confirmed in lab - answer is correct
upvoted 1 times

 
mlantonis
1 month, 1 week ago
Correct Answer:

Box 1: Assign a tag to each resource

Box 2: From the Cost analysis blade, filter the view by tag

Box 3: Download the usage report

Reference:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags

https://docs.microsoft.com/en-us/azure/billing/billing-getting-started
upvoted 1 times

 
londonboy
3 months, 1 week ago
answer is correct
upvoted 4 times

 
mg
3 months, 2 weeks ago
Answer is correct
upvoted 3 times

 
ZUMY
3 months, 2 weeks ago
Given answers is okay
upvoted 4 times

 
Sandroal29
4 months ago
Although the question is kind of ambiguous, the most rational option and sequence are the ones are suggested.
upvoted 1 times

 
Romancc
4 months ago
Ans is approved
upvoted 2 times

 
ciscogeek
2 months, 3 weeks ago
Thanks for your approval
upvoted 5 times

 
toniiv
4 months, 1 week ago
Answer is correct, you need to add tag to the resources, not to the resource groups since each department uses resources in different RG)
upvoted 4 times

 
mikl
4 months, 2 weeks ago
Seems ok.

Tags applied to the resource group are not inherited by the resources in that resource group.
upvoted 1 times

 
masonsam
4 months, 4 weeks ago
test to see date stamp
upvoted 1 times

 
AnandRaju
5 months, 3 weeks ago
Yes the Answer is correct
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 61/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
fedztedz
6 months, 2 weeks ago
The Answer is correct. with the right order
upvoted 4 times

 
Raakezz
6 months, 2 weeks ago
Cum 12/05/2020
upvoted 3 times

Question #25 Topic 1

You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1.

You need to view the error from a table named Event.

Which query should you run in Workspace1?

A.
Get-Event Event | where {$_.EventType == "error"}

B.
search in (Event) "error"

C.
select * from Event where EventType == "error"

D.
Get-Event Event | where {$_.EventTye ‫ג‬€"eq "error"}

Correct Answer:
B

Reference:

https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/search-queries https://docs.microsoft.com/en-us/azure/azure-monitor/log-
query/get-started-portal https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/searchoperator?pivots=azuredataexplorer

 
ScreamingHand
Highly Voted 
3 weeks ago
To work with Log Analytics data, you need to use the Kusto Query Language (KQL) eg: search in (Event) "error"
upvoted 6 times

 
yigido
Most Recent 
3 weeks, 1 day ago
Correct. https://docs.microsoft.com/en-us/azure/azure-monitor/logs/get-started-queries#search-queries
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 62/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #26 Topic 1

HOTSPOT -

You have an Azure subscription that contains a virtual network named VNET1 in the East US 2 region. A network interface named VM1-NI is
connected to

VNET1.

You successfully deploy the following resources in an Azure Resource Manager template.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 63/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 64/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Hot Area:

Correct Answer:

Box 1: Yes -

Box 2: Yes -

VM1 is in Zone1, while VM2 is on Zone2.

Box 3: No -

Reference:

https://docs.microsoft.com/en-us/azure/architecture/resiliency/recovery-loss-azure-region

 
klamar
Highly Voted 
1 month, 3 weeks ago
VM1-NI is connected to vnet1, but who says VM2-NI is as well? so why can vm2 connect to vnet1?
upvoted 21 times

 
Tranquillo1811
2 weeks, 6 days ago
Since both VMs have been deployed from the very same image, they are both supposed to be coonnected to VNET1 as the question does not
mention that the VNET has been changed on VM1... So the correct answers are Yes, Yes, No...
upvoted 4 times

 
RamanAgarwal
3 weeks ago
This is assuming VM2 is created within vnet1 as its not mentioned that vm2 is created in any other vnet
upvoted 1 times

 
itmp
4 weeks ago
1: Yes

There is nothing preventing VM1-NI & VM2-NI to connect if we want, given the details.

(and they are in the same region too)

2: Yes

Both VMs are in different Availability Zones

3: No

Region fails = Region will not be available.

upvoted 4 times

 
tera_baap
1 month ago
Option says it can connect not it will connect. Certainly there is a possibility because VM and VNET are is same region. I would go with YES.
upvoted 2 times

 
mlantonis
Highly Voted 
1 month, 1 week ago
Correct Answer:

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 65/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Box 1: Yes

VNET1 is in the same region as VM1 and VM2, so it can connect with both.

Box 2: Yes

Because both VMs are in different Availability Zone, hence either one would be available if one Data Center fails.

Box 3: No

If the Region fails then both VMs, which are present in the Region will not be available.

Reference:

https://docs.microsoft.com/en-us/azure/architecture/resiliency/recovery-loss-azure-region
upvoted 6 times

 
ScreamingHand
18 hours, 50 minutes ago
Nothing to suggest a VNET can connect to another just because it's in the same region. They must be on different VNETs as they are in different
zones. Nothing in the question states that these VNETs are connected.
upvoted 1 times

 
Shashprasad
Most Recent 
5 days, 1 hour ago
Same Vnet cant be used for 2 zones , so 1st would be no
upvoted 2 times

 
Shashprasad
5 days, 1 hour ago
should be no, yes no

1. no --> as to connect two Vnet , vnet peering is required

upvoted 2 times

 
JoeRogersHi
1 week, 2 days ago
Eh, #1 is no. There is nothing here indicating that VM2-NI ever connects to VNET1. Same region is a silly justification, as different vnet is how you
segregate VM traffic.
upvoted 2 times

 
mkoprivnj
1 week, 5 days ago
Y, Y, N
upvoted 1 times

 
Tshepuna
2 weeks, 2 days ago
confused on point 1! I think it should be a No. advice?
upvoted 2 times

 
omhari
2 weeks, 6 days ago
I also not able to decide on point 1 after seeing the below discussion. I would go with No for point 1 as VM2 can't connect to VNET1.
upvoted 1 times

 
ScreamingHand
3 weeks ago
VM2-VM2-NI is not connected to VNET1, - so I would say 1-No. 2-Yes. 3-No.
upvoted 1 times

 
SandytheBeast
3 weeks, 6 days ago
Correct Answer

1) Yes

2) Yes

3) No
upvoted 1 times

 
Slava_bcd81
4 weeks ago
the first is No as to connect two vnets we need to establish vnets peering

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
upvoted 5 times

 
Mukku2019
1 month ago
Still not able to decide on point 1 after seeing the below discussion. I would go with No for point 1 as VM2 can't connect to VNET1.
upvoted 2 times

 
Zuls
3 weeks, 2 days ago
simple answer if the VMs are in same region they can connect to each other.
upvoted 1 times

 
ScreamingHand
4 days, 13 hours ago
Not if they're on different VNETs which are not peered
upvoted 1 times

 
Cippunk
1 month ago
There is no indication that VM2 is connected to Vnet1
upvoted 3 times

 
nfett
1 month ago
I think its YYN. first paragraph provided in the solition answers this.
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 66/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times

Question #27 Topic 1

 
denccc
1 month, 3 weeks ago
Ans is correct
You have an Azure subscription named Subscription1. Subscription1 contains the resource groups in the following table.

upvoted 1 times

 
sidharthwader
1 month, 3 weeks ago
Yes Vnet1 is in the same region as VM1 and VM2 so it can connect with both.

Yes Because both vm are in different Availability zone hence either one would be available if one data center fails

No If the region fails then both Vm which are present in the region will not be available
RG1 has a web
upvoted app named WebApp1. WebApp1 is located in West Europe.

4 times

You move WebApp1 to RG2.

 
krisbla
1 month, 3 weeks ago
What is the effect of the move?

Correct.

Y. same Location vnet

Y. Different Zones

A.
The
N. sameApp Service plan for WebApp1 remains in West Europe. Policy2 applies to WebApp1.
location.
upvoted
B.
The App2 times

Service plan for WebApp1 moves to North Europe. Policy2 applies to WebApp1.

C.
The App Service plan for WebApp1 remains in West Europe. Policy1 applies to WebApp1.

D.
The App Service plan for WebApp1 moves to North Europe. Policy1 applies to WebApp1.

Correct Answer:
A

You can move an app to another App Service plan, as long as the source plan and the target plan are in the same resource group and
geographical region.

The region in which your app runs is the region of the App Service plan it's in. However, you cannot change an App Service plan's region.

Reference:

https://docs.microsoft.com/en-us/azure/app-service/app-service-plan-manage

 
Cluster007
Highly Voted 
6 months, 3 weeks ago
A is correct
upvoted 23 times

 
Veronika1989
Highly Voted 
2 months, 1 week ago
tested 4/15/2021. The answer A is correct.
upvoted 14 times

 
Rambogan12
Most Recent 
1 week ago
Answer C ? Policy1 "applies to WebApp1"
upvoted 2 times

 
VVR141
1 day, 23 hours ago
Policy is applied on RG level here, so when the app is moved to RG2 the policy of RG2 is applied.
upvoted 1 times

 
mkoprivnj
1 week, 5 days ago
A is correct!
upvoted 1 times

 
RamanAgarwal
3 weeks ago
A is correct if we refer to https://docs.microsoft.com/en-us/azure/app-service/app-service-plan-manage

The region in which your app runs is the region of the App Service plan it's in. However, you cannot change an App Service plan's region. If you
want to run your app in a different region, one alternative is app cloning. Cloning makes a copy of your app in a new or existing App Service plan
in any region.

This means we will have to clone webapp1 in new region and then copy data from current app to the new app. So for new webapp1 in new region
policy 2 will apply and the service plan specific to new region will apply.
upvoted 2 times

 
ajaz
3 weeks, 2 days ago
"A" is the correct answer.

You cannot move an App Service Plan to a different region - https://docs.microsoft.com/en-us/azure/app-service/app-service-plan-manage.

However as part of cloning of app, using the New-AzWebApp command, you can create the new app in the North Central US region, and tie it to
an existing App Service Plan. Moreover, you can use the same resource group as the source app, or define a new resource group. \

https://docs.microsoft.com/en-us/azure/app-service/app-service-web-app-cloning.
upvoted 1 times

 
CARIOCA
1 month ago
This question is very divided in the feedback, after all what would be the answer and which justified it?

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 67/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

After a debate of 33 comments, is the final answer to the question the same or not?

My humble suggestion for the Exam Topics would be to have an official moderator who, depending on the debate on the issues, should be
responsible for changing the submitted template.

 
ZN
1 month ago
Please confirm the correct answer whether it's A or C.
upvoted 1 times

 
mlantonis
1 month, 1 week ago
Correct Answer: A

You can only move a resource to a Resource Group or Subscription, but the location stays the same. When you move WebApp1 to RG2, the
resource will be restricted based on the policy of the new Resource Group (Policy2).

Reference:

https://docs.microsoft.com/en-us/azure/app-service/app-service-plan-manage
upvoted 2 times

 
samratmahe
1 month, 1 week ago
I have just tested today (16-May-2021) the same scenario. I could see C is correct

I have selected Policy "Append tag & value to the resources"

I have added a WebApp in RG1 (WestEurope) after successful deployment, could see WebApp, AppServicePlan & AppInsights.

I have tried moving of WebApp from RG1(West Europe) to RG2 (North Europe) - the movement was successful.

Result shows

> WebApp moved to RG2 still points to previous region West Europe

> RG2 policy didnt apply on WebApp (because policy applies only for the non-tag/value resources)

> App Service Plan in RG2 remains same

Concluding the above result - the answer will fit to the option C

C. The App Service plan for WebApp1 remains in West Europe. Policy1 applies to WebApp1.
upvoted 1 times

 
armandolubaba
1 month, 2 weeks ago
A is correct
upvoted 2 times

 
wuoes
2 months, 1 week ago
I find 2 docs from Microsoft regarding this topic: They differ from moving an app service to a new app service plan to moving the intire app service
with the web service plan all together!

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-limitations/app-service-move-limitations

Since the question doesn't explicitly says that only one app service should be moved to another plan, i think B is the correct answer.
upvoted 1 times

 
oshoparsi
2 months, 2 weeks ago
it doesn't show the other RG in other regions at all so you are not able to

move the app somewhere else so the policy 1 on the home Rg1 will continue to apply.

"he dropdown shows only plans that are in the same resource group and geographical region as the current App Service plan. If no such plan
exists, it lets you create a plan by default"
upvoted 1 times

 
codingsam
2 months, 4 weeks ago
As per the article, You can move an app to another App Service plan, as long as the source plan and the target plan are in the same resource group
and geographical region and as the RGs are in different regions altogether, the answer should be C.

https://docs.microsoft.com/en-us/azure/app-service/app-service-plan-
manage#:~:text=The%20region%20in%20which%20your,Service%20plan%20in%20any%20region.
upvoted 3 times

 
codingsam
2 months, 4 weeks ago
or answer should be B
upvoted 1 times

 
gladi
3 months ago
A is correct answer.
upvoted 1 times

 
mg
3 months, 2 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 68/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Answer A is correct
upvoted 1 times

 
ZUMY
3 months, 3 weeks ago
A is correct!
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 69/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #28 Topic 1

HOTSPOT -

You have an Azure subscription named Subscription1 that has a subscription ID of c276fc76-9cd4-44c9-99a7-4fd71546436e.

You need to create a custom RBAC role named CR1 that meets the following requirements:

✑ Can be assigned only to the resource groups in Subscription1

✑ Prevents the management of the access permissions for the resource groups

✑ Allows the viewing, creating, modifying, and deleting of resources within the resource groups

What should you specify in the assignable scopes and the permission elements of the definition of CR1? To answer, select the appropriate options
in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 70/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer:

Reference:

https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles https://docs.microsoft.com/en-us/azure/role-based-access-
control/resource-provider-operations#microsoftresources

 
fedztedz
Highly Voted 
6 months, 2 weeks ago
The Answer is Wrong.

First part should be "/Subscription/subcription_id" only. There is nothing called "resourceGroups" only or "resourceGroups/*" . You can specify
either a subscription, specific resource group, management group or specific resource. for example it should
"/subcription/subcription_id/resourceGroups/resource_group_name"

Check https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/role-based-access-control/role-definitions.md#role-definition-structure

For second box. It is correct but missing "*". It should be "Microsoft.Authorization/*" . if you try this on az cli without "*". you will get an error
upvoted 40 times

 
JayBee65
2 weeks ago
This link https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions gives an example of
"/subscriptions/{subscriptionId1}/resourceGroups/Network"
upvoted 4 times

 
tf444
2 weeks, 4 days ago
{

"id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}",

"name": "{resourceGroupName}",

"type":"Microsoft.Resources/resourceGroups",

"location": "{resourceGroupLocation}",

"managedBy": "{identifier-of-managing-resource}",

"tags": {

"properties": {

"provisioningState": "{status}"

}
upvoted 1 times

 
tf444
2 weeks, 4 days ago
/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{extensionResourceProviderNamespace}/{extensionResourceT
ype}/{extensionResourceName}
upvoted 1 times

 
rrobb
2 months, 2 weeks ago
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-rest#create-a-custom-role

Can /{resourceGroup1} be replaced by name or *?

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 71/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 2 times

 
JustMe84
Highly Voted 
6 months, 2 weeks ago
For the first part, its wrong. This is directly out of the Microsoft Authorized Trainer book:

* /subscriptions/[subscription id]

* /subscriptions/[subscription id]/resourceGroups/[resource group name]

* /subscriptions/[subscription id]/resourceGroups/[resource group name]/

[resource]

The second answer to the first part is incomplete, it is missing the actual resource group name.

This is an example of what it should look like when it is completed:

“/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups/Network”
upvoted 12 times

 
Delanase
Most Recent 
4 days, 18 hours ago
For the assignable scopes, there is not an option for /ResourceGroups.
upvoted 1 times

 
mkoprivnj
1 week, 5 days ago
1 st "/Subscription/subcription_id"

2 nd "Microsoft.Authorization/*"
upvoted 1 times

 
droy89
2 weeks, 3 days ago
* doesnot work. The answer is correct.
upvoted 1 times

 
omhari
2 weeks, 6 days ago
I get an error is I try to use * in assignableScopes
upvoted 1 times

 
CARIOCA
1 month ago
This question is very divided in the feedback, after all what would be the answer and which justified it?

After a debate of 27 comments, is the final answer to the question the same or not?

My humble suggestion for the Exam Topics would be to have an official moderator who, depending on the debate on the issues, should be
responsible for changing the submitted template.

 
chaudha4
1 month, 1 week ago
I was able to create the custom role as below. So answer is right except for the missing * for actions.

"id": "/subscriptions/<<myid>>/providers/Microsoft.Authorization/roleDefinitions/<<id>>",

"properties": {

"roleName": "CR1",

"description": "",

"assignableScopes": [

"/subscriptions/<<myid>>/resourceGroups/free-rg1"

"permissions": [

"notactions": [

"Microsoft.Authorization/*"

"actions": [],

"dataActions": [],

"notDataActions": []

}
upvoted 2 times

 
chaudha4
1 month, 1 week ago
I stand corrected. Ignore my previous comment. If I try to do the same at the subscription level it does not work. It seems like you cannot use *
for assignableScopes.
upvoted 1 times

 
mlantonis
1 month, 1 week ago
Correct Answer:

“/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546435e”

“Microsoft.Authorization/”

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 72/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 4 times

 
darsy2001
1 month, 1 week ago
You cannot use wildcards (*) in AssignableScopes. This wildcard restriction helps ensure a user can't potentially obtain access to a scope by
updating the role definition.

Reference: https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
upvoted 2 times

 
darko13
2 months ago
You cannot use wildcards (*) in AssignableScopes. This wildcard restriction helps ensure a user can't potentially obtain access to a scope by
updating the role definition, so it's /Subscription/subcription_id

https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/role-based-access-control/custom-roles.md#custom-role-limits
upvoted 2 times

 
kimalto452
2 months, 3 weeks ago
The answer is correct... Missing /* its obviously typo error....
upvoted 4 times

 
ms70743
3 months, 1 week ago
Correct Answer:

“/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546435e”

“Microsoft.Authorization”
upvoted 6 times

 
ZUMY
3 months, 2 weeks ago
I go for the given answer.

Event there r mistakes

upvoted 3 times

 
Sandroal29
4 months ago
I think, provided answer is correct.
upvoted 2 times

 
toniiv
4 months, 1 week ago
Replies should be correct only if both ends with /*
upvoted 2 times

 
Beitran
4 months, 3 weeks ago
Additional information: https://stackoverflow.com/questions/53290344/azure-custom-rm-role-definition-with-special-assignablescopes
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 73/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #29 Topic 1

You have an Azure subscription.

Users access the resources in the subscription from either home or from customer sites. From home, users must establish a point-to-site VPN to
access the Azure resources. The users on the customer sites access the Azure resources by using site-to-site VPNs.
You have a line-of-business-app named App1 that runs on several Azure virtual machine. The virtual machines run Windows Server 2016.

You need to ensure that the connections to App1 are spread across all the virtual machines.

What are two possible Azure services that you can use? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

A.
an internal load balancer

B.
a public load balancer

C.
an Azure Content Delivery Network (CDN)

D.
Traffic Manager

E.
an Azure Application Gateway

Correct Answer:
AE

Network traffic from the VPN gateway is routed to the cloud application through an internal load balancer. The load balancer is located in the
front-end subnet of the application.

Reference:

https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/vpn https://docs.microsoft.com/en-
us/azure/load-balancer/load-balancer-overview https://docs.microsoft.com/en-us/azure/application-gateway/overview

 
mgladh
Highly Voted 
6 months, 3 weeks ago
i would say A and E is the correct answer.
upvoted 65 times

 
Babatunde
3 months, 2 weeks ago
Agreed
upvoted 2 times

 
RithuNethra
Highly Voted 
6 months, 3 weeks ago
checked in AZ103 questions as well

Answer is A & E
upvoted 24 times

 
binhnguyen4c
6 months, 3 weeks ago
Correct!
upvoted 4 times

 
mkoprivnj
Most Recent 
1 week, 5 days ago
A & E is correct!
upvoted 1 times

 
omhari
2 weeks, 6 days ago
A and E. Both can work as an internal load balancer for web app applications.
upvoted 1 times

 
CARIOCA
1 month ago
This question is very divided in the feedback, after all what would be the answer and which justified it?

After a debate of 34 comments, is the final answer to the question the same or not?

My humble suggestion for the Exam Topics would be to have an official moderator who, depending on the debate on the issues, should be
responsible for changing the submitted template.

 
RamanAgarwal
3 weeks ago
Can you stop putting same comment on every discussion. Moderator please take note and stop approving these comments
upvoted 8 times

 
maffoo
4 weeks, 1 day ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 74/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Its not divided, you must not have even read this before posting this.
upvoted 9 times

 
xoe123
1 week ago
I think they are using a bot
upvoted 1 times

 
mlantonis
1 month, 1 week ago
Correct Answer: A and E

A: The customer sites are connected through VPNs, so an internal load balancer is enough.

B: The customer sites are connected through VPNs, so there's no need for a public load balancer, an internal load balancer is enough.

C: A CDN does not provide load balancing for applications, so it not relevant for this situation.

D: Traffic manager is a DNS based solution to direct users' requests to the nearest (typically) instance and does not provide load balancing for this
situation.

E: Azure Application Gateway is a valid option, as it provides load balancing in addition to routing and security functions
upvoted 18 times

 
viking1
3 months, 1 week ago
A and E. The customer sites are connected through VPNs, so there's no need for a public load balancer, an internal load balancer is enough.

A CDN does not provide load balancing for applications, so it not relevant for this situation.

Traffic manager is a DNS based solution to direct users' requests to the nearest (typically) instance and does not provide load balancing for this
situation.

Azure Application Gateway is a valid option, as it provides load balancing in addition to routing and security functions.
upvoted 21 times

 
BraveOkafor
2 months, 3 weeks ago
Thanks
upvoted 1 times

 
ms70743
3 months, 1 week ago
A and E
upvoted 1 times

 
Vole51
3 months, 1 week ago
Admin: this Q (question) has 2 answers as stated in Q description. Hence it highlight's just 1 answer. Please fix it, as its confusing. And I would say A
and E are correct
upvoted 2 times

 
marvinconejo
3 months, 1 week ago
This is A and E
upvoted 1 times

 
Vole51
3 months, 2 weeks ago
Answers should be 2, highlighted is just 1. I would say A and E
upvoted 1 times

 
mg
3 months, 2 weeks ago
A and E
upvoted 1 times

 
bacana
3 months, 2 weeks ago
The question is: "What are two possible Azure services that you can use?"

A and E
upvoted 1 times

 
ZUMY
3 months, 3 weeks ago
A & E are correct!
upvoted 3 times

 
Sandroal29
4 months ago
Easy question and straight answer. A and E. Both can work as an internal load balancer for web app applications.
upvoted 1 times

 
Romancc
4 months ago
can someone please explain why not Public load balancer?
upvoted 2 times

 
JoeRogersHi
1 week, 2 days ago
Public load balancer maps outbound traffic to multiple external-facing nodes. Internal load balancer maps inbound traffic to multiple internal
nodes.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 75/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
toniiv
4 months, 1 week ago
Incomplete response, it should be:

- A (since client connections are done through VPN and not public internet)

- E (since App Gateway could act as LB)

upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 76/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #30 Topic 1

You have an Azure subscription.

You have 100 Azure virtual machines.

You need to quickly identify underutilized virtual machines that can have their service tier changed to a less expensive offering.

Which blade should you use?

A.
Monitor

B.
Advisor

C.
Metrics

D.
Customer insights

Correct Answer:
B

Advisor helps you optimize and reduce your overall Azure spend by identifying idle and underutilized resources. You can get cost
recommendations from the Cost tab on the Advisor dashboard.

Reference:

https://docs.microsoft.com/en-us/azure/advisor/advisor-cost-recommendations

 
waterzhong
Highly Voted 
4 months, 2 weeks ago
The Advisor dashboard displays personalized recommendations for all your subscriptions. You can apply filters to display recommendations for
specific subscriptions and resource types. The recommendations are divided into five categories:

Reliability (formerly called High Availability): To ensure and improve the continuity of your business-critical applications. For more information, see
Advisor Reliability recommendations.

Security: To detect threats and vulnerabilities that might lead to security breaches. For more information, see Advisor Security recommendations.

Performance: To improve the speed of your applications. For more information, see Advisor Performance recommendations.

Cost: To optimize and reduce your overall Azure spending. For more information, see Advisor Cost recommendations.

Operational Excellence: To help you achieve process and workflow efficiency, resource manageability and deployment best practices. . For more
information, see Advisor Operational Excellence recommendations.
upvoted 14 times

 
RithuNethra
Highly Voted 
6 months, 3 weeks ago
correct answer
upvoted 12 times

 
Abinesh_007
3 months, 1 week ago
Yes if Rithu said it will be correct
upvoted 3 times

 
mkoprivnj
Most Recent 
1 week, 5 days ago
Advisor!
upvoted 2 times

 
mlantonis
1 month, 1 week ago
Correct Answer: B

Advisor helps you optimize and reduce your overall Azure spend by identifying idle and underutilized resources. You can get cost
recommendations from the Cost tab on the Advisor dashboard.

Reference:

https://docs.microsoft.com/en-us/azure/advisor/advisor-cost-recommendations
upvoted 3 times

 
armandolubaba
1 month, 1 week ago
B is correct answer
upvoted 1 times

 
armandolubaba
1 month, 2 weeks ago
B is correct answer
upvoted 1 times

 
whynotguru
1 month, 2 weeks ago
Advisor --Cost --select VMs--select Quick Fix (Preview) and it will change to recommended actions config
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 77/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
mg
3 months, 2 weeks ago
B is correct

Advisor helps you optimize and reduce your overall Azure spend by identifying idle and underutilized resources
upvoted 1 times

 
ZUMY
3 months, 2 weeks ago
B is correct
upvoted 2 times

 
Sandroal29
3 months, 3 weeks ago
Advisor provides recommendations to improve the management of Azure resources.

So, the correct answer is B.

upvoted 1 times

 
toniiv
4 months, 1 week ago
B. is correct
upvoted 1 times

 
ms70743
6 months ago
Answer is B Advisor
upvoted 2 times

 
jelly_baby
6 months, 1 week ago
Correct. There's a really good explanation on YT about Advisor and the benefits it has for organisations: https://www.youtube.com/watch?
v=oHg5SJYRHA0&ab_channel=cotter548
upvoted 3 times

 
SirPent
6 months ago
Indeed.
upvoted 1 times

 
JustMe84
6 months, 2 weeks ago
Test today (12/10/2020), Passed, answered "B" for this question in exam
upvoted 2 times

 
fedztedz
6 months, 2 weeks ago
Answer is correct. B Advisor
upvoted 1 times

 
SSTan
6 months, 3 weeks ago
yes Advisor feature.
upvoted 1 times

 
Malec
6 months, 3 weeks ago
correct
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 78/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #31 Topic 1

HOTSPOT -

You have an Azure Active Directory (Azure AD) tenant.

You need to create a conditional access policy that requires all users to use multi-factor authentication when they access the Azure portal.

Which three settings should you configure? To answer, select the appropriate settings in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 79/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer:

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-based-mfa

 
fedztedz
Highly Voted 
6 months, 2 weeks ago
The Answer is correct .

- Select Users & Groups : Where you have to choose all users.

- Select Cloud apps or actions: to specify the Azure portal

- Grant: to grant the MFA.

Those are the minimum requirements to create MFA policy. No conditions are required in the question.

Also check this link beside the one provided in the answer

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policies
upvoted 40 times

 
redbeardbeer
1 month, 1 week ago
Thanks for the great description. Very helpful.
upvoted 2 times

 
mkoprivnj
Most Recent 
1 week, 5 days ago
- Select Users & Groups : Where you have to choose all users.

- Select Cloud apps or actions: to specify the Azure portal

- Grant: to grant the MFA.

upvoted 2 times

 
mlantonis
1 month, 1 week ago
Correct Answer:

- Select Users & Groups : Where you have to choose all users.

- Select Cloud apps or actions: To specify the Azure portal

- Select Grant: To grant the MFA.

upvoted 4 times

 
saddamakhtar
1 month, 3 weeks ago
Answer is correct
upvoted 1 times

 
mg
3 months, 2 weeks ago
Answer is correct
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 80/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
ZUMY
3 months, 2 weeks ago
Given answer is correct

1.user or groups

2.apps

3.grant or deny
upvoted 2 times

 
taka_hawk
3 months, 2 weeks ago
The Answer is correct .Please check. "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-
cloud-apps " "Cloud apps or actions" - "Microsoft Azure Management" - "Azure portal"
upvoted 1 times

 
alessioferrario
3 months, 3 weeks ago
Just test on my MSDN subscription.

Only onwer can assign policy on root management group. A user with qlobal admin role can't
upvoted 2 times

 
toniiv
4 months, 1 week ago
Solution provided is correct
upvoted 1 times

 
mikl
4 months, 2 weeks ago
Seems correct.

New Policy.

Assignments:

Users and Groups - Select Users.

Cloud Apps - Microsoft Azure Management.

Access:

Grant - Require multi-factor authentication.

Source : https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa
upvoted 2 times

 
QiangQiang
4 months, 4 weeks ago
Simple policies

A Conditional Access policy must contain at minimum the following to be enforced:

Name of the policy.

Assignments

Users and/or groups to apply the policy to.

Cloud apps or actions to apply the policy to.

Access controls

Grant or Block controls

So the answer is correct

upvoted 1 times

 
jim85
5 months, 3 weeks ago
According to the link given by the explanation these answers seem to be correct. At the second step, Conditions, has 'Cloud apps or actions' to be
selected.
upvoted 1 times

 
waterzhong
6 months, 1 week ago
Select Cloud apps or actions. You can choose to apply the Conditional Access policy to All cloud apps or Select apps. To provide flexibility, you can
also exclude certain apps from the policy.

For this tutorial, on the Include page, choose the Select apps radio button.
upvoted 1 times

 
MapelCarrot
6 months, 2 weeks ago
In the AZ-103 answers, everyone says, Grant, Conditions, Users.
upvoted 2 times

 
MapelCarrot
6 months, 2 weeks ago
So no I re read it, everyone is agreed it is as stated correct.
upvoted 1 times

 
Nalex9ja
6 months, 2 weeks ago
The given answer is Correct. Read the referenced article for more details
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 81/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 82/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #32 Topic 1

You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.
The User administrator role is assigned to a user named Admin1.

An external partner has a Microsoft account that uses the [email protected] sign in.

Admin1 attempts to invite the external partner to sign in to the Azure AD tenant and receives the following error message: ‫ג‬€Unable to invite user
[email protected] ‫ג‬€" Generic authorization exception.‫ג‬€

You need to ensure that Admin1 can invite the external partner to sign in to the Azure AD tenant.

What should you do?

A.
From the Users blade, modify the External collaboration settings.

B.
From the Custom domain names blade, add a custom domain.

C.
From the Organizational relationships blade, add an identity provider.

D.
From the Roles and administrators blade, assign the Security administrator role to Admin1.

Correct Answer:
A

Reference:

https://techcommunity.microsoft.com/t5/Azure-Active-Directory/Generic-authorization-exception-inviting-Azure-AD-gests/td-p/274742

 
moekyisin
Highly Voted 
6 months, 3 weeks ago
correct answer checked in portal .

Go to Azure AD--users--user settings --scroll down.--External users

Manage external collaboration settings

upvoted 34 times

 
fedztedz
Highly Voted 
6 months, 2 weeks ago
Answer is correct. You can adjust the guest user settings, their access, who can invite them from "External collaboration settings"

check this link https://docs.microsoft.com/en-us/azure/active-directory/external-identities/delegate-invitations

upvoted 14 times

 
mkoprivnj
Most Recent 
1 week, 5 days ago
A is correct!
upvoted 1 times

 
ZN
4 weeks ago
I am trying to reproduce the given error in portal for Admin1 but unable to do so.

Kindly post the steps to get the given error.

upvoted 1 times

 
mlantonis
1 month, 1 week ago
Correct Answer: A

Azure AD -> User Settings -> External Users -> Manage external collaboration settings.

Azure AD -> External Identities -> External Collaboration Settings

Reference:

https://techcommunity.microsoft.com/t5/Azure-Active-Directory/Generic-authorization-exception-inviting-Azure-AD-gests/td-p/274742
upvoted 3 times

 
armandolubaba
1 month, 1 week ago
Answer is correct
upvoted 1 times

 
saddamakhtar
1 month, 3 weeks ago
Tested, Answer is Correct
upvoted 2 times

 
FemFem
3 months ago
Users>External Identities|External Collaboration settings

Good idea to always cross-check as Microsoft update and change frequently

upvoted 3 times

 
Vole51
3 months, 1 week ago
Tested, correct
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 83/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
MadMarc
3 months, 1 week ago
I'm not sure if this is because of a new update, but I went to the Azure Portal and External Collaboration Settings is under External Identities, not
under Users. AAD --> External Identities --> External Collaboration Settings.

In any case, answer A seems to be the more accurate one.

upvoted 1 times

 
mg
3 months, 2 weeks ago
Answer is correct
upvoted 1 times

 
stepient
3 months, 2 weeks ago
"User settings" blade s directly under Az AD, not under Users blade., other than that correct.
upvoted 1 times

 
ZUMY
3 months, 2 weeks ago
A is correct
upvoted 3 times

 
toniiv
4 months, 1 week ago
A. is correct
upvoted 1 times

 
aMiPL
4 months, 2 weeks ago
Answer is correct. You will get this error if Invites settings are disabled in the AD->Users->Manage External collaborations settings
upvoted 2 times

 
waterzhong
4 months, 2 weeks ago
Azure AD entitlement management utilizes Azure AD business-to-business (B2B) to collaborate with people outside your organization in another
directory. With Azure AD B2B, external users authenticate to their home directory, but have a representation in your directory. The representation
in your directory enables the user to be assigned access to your resources.
upvoted 1 times

 
DubDubDub123
5 months ago
answer is correct
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 84/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #33 Topic 1

You have an Azure subscription linked to an Azure Active Directory tenant. The tenant includes a user account named User1.

You need to ensure that User1 can assign a policy to the tenant root management group.

What should you do?

A.
Assign the Owner role for the Azure Subscription to User1, and then modify the default conditional access policies.

B.
Assign the Owner role for the Azure subscription to User1, and then instruct User1 to configure access management for Azure resources.

C.
Assign the Global administrator role to User1, and then instruct User1 to configure access management for Azure resources.

D.
Create a new management group and delegate User1 as the owner of the new management group.

Correct Answer:
B

The following chart shows the list of roles and the supported actions on management groups.

Note:

Each directory is given a single top-level management group called the "Root" management group. This root management group is built into the
hierarchy to have all management groups and subscriptions fold up to it. This root management group allows for global policies and Azure role
assignments to be applied at the directory level. The Azure AD Global Administrator needs to elevate themselves to the User Access
Administrator role of this root group initially. After elevating access, the administrator can assign any Azure role to other directory users or
groups to manage the hierarchy. As administrator, you can assign your own account as owner of the root management group.

Reference:

https://docs.microsoft.com/en-us/azure/governance/management-groups/overview

 
Rajash
Highly Voted 
1 month, 3 weeks ago
Ans C:

No one is given default access to the root management group. Azure AD Global Administrators are the only users that can elevate themselves to
gain access. Once they have access to the root management group, the global administrators can assign any Azure role to other users to manage

it.
upvoted 15 times

 
Negrinho
1 month, 3 weeks ago
No, the correctly answer is B.

C is to control Azure AD (Global Administrators), not to control Management group.

If you need to control Management group, use: Access control (IAM)> Add role assignment> Role> Owner or Contributor (in this case you will
use Owner). Don't exist "Global Administrators" inside of Access control (IAM)> Add role assignment.

The link between Azure AD and Management group will allow that you choose an user of your Azure AD, but not will inherit Azure AD role.
upvoted 19 times

 
RamanAgarwal
3 weeks ago
B cant be right because the owner access is given at subscription level only.
upvoted 2 times

 
shnz03
2 weeks, 3 days ago
I agree. Basically there are 3 RBAC methods. They are for

1) Azure AD

2) Azure resources including Management group

3) Classic (used by Subscription)

upvoted 1 times

 
mdyck
1 month ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 85/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

This is right. Check the chart in this link. Owners assign policy.

https://docs.microsoft.com/en-us/azure/governance/management-groups/overview#management-group-access
upvoted 2 times

 
mdyck
Highly Voted 
1 month, 2 weeks ago
https://docs.microsoft.com/en-us/azure/governance/management-groups/overview#important-facts-about-the-root-management-group

"No one is given default access to the root management group. Azure AD Global Administrators are the only users that can elevate themselves to
gain access. Once they have access to the root management group, the global administrators can assign any Azure role to other users to manage
it."
upvoted 7 times

 
darsy2001
1 month, 1 week ago
so answer is still B?
upvoted 1 times

 
Shashprasad
Most Recent 
5 days ago
Correct answer is C , the explanation provided to B is for RBAC which is applicable for Resource Group/Resources.
upvoted 1 times

 
JoeRogersHi
1 week, 2 days ago
C — answers A & B don’t address permissions at the root management group level, only a (lower) subscription level. C is the only answer that
satisfies this.

“No one is given default access to the root management group. Azure AD Global Administrators are the only users that can elevate themselves to
gain access. Once they have access to the root management group, the global administrators can assign any Azure role to other users to manage
it.” — Owner (or Resource Policy Contributor) would also work, but **only at the root management level** for purposes of this question .
upvoted 1 times

 
mkoprivnj
1 week, 5 days ago
I'll try B.
upvoted 1 times

 
Natoc
2 weeks ago
I believe it is C

https://docs.microsoft.com/en-us/azure/governance/management-groups/overview
upvoted 1 times

 
darsy2001
3 weeks, 2 days ago
Correct answer is C. With the Global admin role, this admin can elevate his access and assign himself the owner role at the root management group
level, so he can assign the policy at this level. Answer B is not possible because we are giving him access at the subscription level.
upvoted 3 times

 
CARIOCA
3 weeks, 3 days ago
A resposta é B ou C ?
upvoted 1 times

 
hiuzai
4 weeks, 1 day ago
Isn't Owner 1 already a global admin? By default, when a user signs up for a Microsoft cloud service, an Azure AD tenant is created and the user is
made a member of the Global Administrators role. If yes, the the answer is B, since he just need to assign the owner role to himself.
upvoted 1 times

 
CARIOCA
1 month ago
This question is very divided in the feedback, after all what would be the answer and which justified it?

After a debate of 15 comments, is the final answer to the question the same or not?

My humble suggestion for the Exam Topics would be to have an official moderator who, depending on the debate on the issues, should be
responsible for changing the submitted template.

 
mdyck
1 month ago
https://docs.microsoft.com/en-us/azure/governance/management-groups/overview#management-group-access

"Each directory is given a single top-level management group called the "Root" management group. This root management group is built into the
hierarchy to have all management groups and subscriptions fold up to it. This root management group allows for global policies and Azure role
assignments to be applied at the directory level. The Azure AD Global Administrator needs to elevate themselves to the User Access Administrator
role of this root group initially."

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 86/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 3 times

 
sheva370
1 month ago
My company is using the Azure Management group to manage subscriptions. Only the Global Administrator can access to the root management
group. So the correct answer is C
upvoted 2 times

 
Kascara
1 month ago
It is still unclear ; b or c?
upvoted 1 times

 
Kiano
1 month ago
The root management group is above the subscription layer. you can have multiple subscription below the root management group. So giving the
ownership of the subscription to the user, does not mean he/she can manage permissions/policies on the root management group. Only Global
admins can assign the right permissions to themselves or anyone else to mange the root management group.

So C is the correct answer

upvoted 1 times

 
chaudha4
1 month, 1 week ago
A and B are not even possible. If you are a global administrator and go to Auzre AD. Go to users, pick any user. Go to assigned roles. And try to
assign a role. You will not see owner/contributor etc there. You will only se Azure AD roles like User Admin, Global Admin. So you will have to make
user1 a global admin and then tell user1 to log in, elevate their access to user access admin and then apply the policy at root. Ans is C.
upvoted 2 times

 
mlantonis
1 month, 1 week ago
Correct Answer: C

Reference:

https://docs.microsoft.com/en-us/azure/governance/management-groups/overview#important-facts-about-the-root-management-group

https://docs.microsoft.com/en-us/azure/governance/management-groups/overview
upvoted 3 times

 
joseph_stone
1 month, 1 week ago
Correct Ans is C

Ref: https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 87/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #34 Topic 1

HOTSPOT -

You have an Azure Active Directory (Azure AD) tenant named adatum.com. Adatum.com contains the groups in the following table.

You create two user accounts that are configured as shown in the following table.

To which groups do User1 and User2 belong? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: Group 1 only -

First rule applies -

Box 2: Group1 and Group2 only -

Both membership rules apply.

Reference:

https://docs.microsoft.com/en-us/sccm/core/clients/manage/collections/create-collections

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 88/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
jelly_baby
Highly Voted 
6 months, 2 weeks ago
Group 3 is a statically assigned group. Unless the question states "user x has been added to group 3" then they WON'T be in group 3. Group 3 can
be removed from the equation for both users.

User 1 - Group 1 ONLY (city starts with M, but their department is excluded for group 2.

User 2 - Group 1 and 2 (city starts with M, no restrictions for group 2)

upvoted 66 times

 
ScreamingHand
3 weeks ago
Confused:

User1: I agree that it won't be in the group unless assigned, however, the question asks "which group does X user BELONG". It might not BE in
the Assigned O365 group, but it does belong there (?).

User2: User2 has NOT got a O365 licence, so theoretically, does not BELONG in Group2?
upvoted 2 times

 
hiddengem
3 months, 2 weeks ago
Fact that User 2 doesn't have Office 365 license assigned wouldn't change anything? Is that not required to be member of Group 2?
upvoted 3 times

 
vince60370
5 months, 3 weeks ago
jelly_baby, I think there is a detail you missed : the group 2 has the assigned dynamicaly criterum [notin "human resource"]. Notice the
RESOURCE whithout an S. User2 is from the "Human ResourceS" department (with an S). Does it a typo ? Based on this detail, User2 can only be
part of group 1.
upvoted 6 times

 
vince60370
5 months, 3 weeks ago
I made a mistake in my own explanation, sorry. I wanted to say that User1 CAN BE part of group 2 since there is a difference between the
Group2's criterum and the User2's department. An "-S" is distinguishing both of them. I don't know if it's a typo, but based on this detail,
User2 is in a department not excluded from the dynamic rule. Am I the only one to have seen this?
upvoted 4 times

 
Easyman
4 months, 1 week ago
you are correct, I tested this is lab and result is user1 is in group2.
upvoted 1 times

 
vikram12345
2 months, 1 week ago
it is group one if the typo is ignored
upvoted 1 times

 
vikram12345
2 months, 1 week ago
I mean if typo is considered then group 1 and group 2 or else just group 1
upvoted 1 times

 
diligent176
6 months ago
THIS. Correct.
upvoted 1 times

 
fedztedz
Highly Voted 
6 months, 1 week ago
Answer is correct:

User 1 --> Group 1

User 2 --> Group 1,2

upvoted 24 times

 
Radhaghosh
Most Recent 
4 days, 11 hours ago
Surprise to see all the wrong clarifications.

To participate in Office 365 group user required a license

User 2 doesn't have any assigned license.

So Answer would be

User 1 --> Group 1 (only)

User 2 --> Group 1 (only)

https://answers.microsoft.com/en-us/msoffice/forum/msoffice_sharepoint/licensing-requirements-for-office-365-groups/10f294f5-95d8-4603-
bd28-209ee050801b?auth=1
upvoted 3 times

 
Delanase
4 days, 18 hours ago
User2 only belongs to Group1
upvoted 2 times

 
JoeRogersHi
1 week, 1 day ago
As written, presuming O365 license is irrelevant, the answer is:

User1 > group 1 & group 2

User 2 > group 1 & group 2

Both have city that start with “m” and neither department value evaluates to true for matching a value in the list consisting of only “human
resource” (singular).
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 89/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
mkoprivnj
1 week, 5 days ago
User 1 - Group 1 ONLY (city starts with M, but their department is excluded for group 2.

User 2 - Group 1 and 2 (city starts with M, no restrictions for group 2)

upvoted 1 times

 
droy89
2 weeks, 2 days ago
User 1 has O365 assigned. So why he cannot be in Group 3? Please help.
upvoted 2 times

 
mlantonis
1 month, 1 week ago
Correct Answer:

Group 3 is a statically assigned group, so you have to manually add members. Group 3 can be removed from the equation for both users. For all
the groups features, if you have an Azure AD Premium subscription, users can join the group whether or not they have an AAD P1 license assigned
to them. Licensing isn't enforced.

-startsWith is not Case Sensitive.

-notin is Case Sensitive.

User 1: Group1 only - City starts with M, but their department is excluded for Group 2.

User 2: Group1 and Group2 only - City starts with M, no restrictions for Group 2. Also, can belong to O365 Group regardless if user has O365
assigned or not. (Note: there might be a typo in the question about “Human resources” and “human resource”. If there is no typo, then the answer
should be Group1 only)

Reference:

https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/datatypes-string-operators
upvoted 5 times

 
mlantonis
1 month ago
Sorry, it's the reverse:

User 1: Group1 only - City starts with M, but their department is excluded for Group 2. (Note: there might be a typo in the question about
“Human resources” and “human resource”. If there is no typo, then the answer should be Group1 only and Group2 only)

User 2: Group1 and Group2 only - City starts with M, no restrictions for Group 2. Also, can belong to O365 Group regardless if user has O365
assigned or not.
upvoted 1 times

 
darsy2001
1 month, 1 week ago
anyone tested this on lab? I tried and group 2 cannot be created. It says Value cannot be applied to the property. If I choose NotEqual operator,
then group is created...
upvoted 1 times

 
armandolubaba
1 month, 1 week ago
The answer is correct
upvoted 1 times

 
raph90fr
1 month, 3 weeks ago
you can add a user in Office365 groups even if it is not licensed . So basically, it's only about dynamic group processes.
upvoted 2 times

 
bacana
1 month, 3 weeks ago
It's correct.
upvoted 1 times

 
eyadman
2 months ago
https://support.microsoft.com/en-us/topic/adding-guests-to-microsoft-365-groups-bfc7a840-868f-4fd6-a390-f347bf51aff6
upvoted 1 times

 
RBV
2 months, 1 week ago
NotIn operators can be used with numeric parameters as in the example below:

user.department -in ["50001","50002","50003","50005","50006","50007","50008","50016","50020","50024","50038","50039","51100"]

see: https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership#operator-precedence
upvoted 1 times

 
Yawnnnnnnnnn
3 months ago
the tricky bit might be to do with case sensitivity. It would need testing in a lab

https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/datatypes-string-operators

this link suggestes that -startsWith is not case sensitive

and -notin is case sensitive ( i think that ! is used for not, so shows as !in)

but would be worth testing, as i dont know if this link uses the same logic as the dynamic group queries.
upvoted 1 times

 
bacana
3 months, 1 week ago
If the user has a licence or not, no matter.

For group 3. You have to add the user manually because is assigned and not dynamic. Basically, the question is about dynamic groups.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 90/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
Siblark
3 months, 1 week ago
Correct

User1 - Group1

User2 - Group 1 and 2.

I agree with jelly_baby

upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 91/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #35 Topic 1

HOTSPOT -

You have a hybrid deployment of Azure Active Directory (Azure AD) that contains the users shown in the following table.

You need to modify the JobTitle and UsageLocation attributes for the users.

For which users can you modify the attributes from Azure AD? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: User1 and User3 only -

You must use Windows Server Active Directory to update the identity, contact info, or job info for users whose source of authority is Windows
Server Active

Directory.

Box 2: User1, User2, and User3 -

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal

 
hakanbaba
Highly Voted 
6 months, 3 weeks ago
I've checked on my AAD, answer is correct
upvoted 29 times

 
Kiano
2 months, 1 week ago
I have also checked but I can see that you can change both job title and usagelacation for all type of identities. even the ones that have been
synchronized from on-prem AD.

Maybe this is an update since you published your comment, but anayways I think both answers should be User1, 2 and 3.
upvoted 3 times

 
Kiano
1 month ago
The answer is actually right. Although both usagelocation and jobtitle can directly be updated in Azure AD for all type of users, jobtitle can
probably be overwritten by the synchronization process, although usagelocation is more an Azure AD type of attribute. But the question is
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 92/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

tricky. it asks: "For which users can you modify the attributes from Azure AD? ". Both can b updated directly in Azure AD, although Jobtitle
could be overwritten by the sync.
upvoted 1 times

 
Somewhatbusy
5 months, 3 weeks ago
Yes its correct. 100% agreed
upvoted 4 times

 
Neonlight8
Highly Voted 
4 months ago
JobTitle: i think the keyword here is "...modify from Azure", you can't modify Windows Server AD (on-premise attribute) from Azure under a hybrid
deployment. Therefore User 1 and User 3 only. Job Title attribute does exist for Guest account so this covers MS Account under User 3

Usage Location: User 1, User 2, User 3. Because this attribute is an Azure AD not onpremise therefore you can modify "From Azure"
upvoted 7 times

 
codingsam
2 months, 4 weeks ago
Usage Location is there on on-prem AD under attributes.
upvoted 1 times

 
mkoprivnj
Most Recent 
1 week, 5 days ago
User1 & User 3

User1, User2 & User3

User2 - job info can't be modified via AAD. Option grayed out on edit.
upvoted 1 times

 
omhari
2 weeks, 4 days ago
Provided answer is correct as per documention.
upvoted 1 times

 
ajaz
3 weeks, 2 days ago
Provided answer is correct.
In the following link - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal under
"Note:' section it is very clearly mentioned that Windows AD users should be modified from source and wait for sync to AAD.

You must use Windows Server Active Directory to update the identity, contact info, or job info for users whose source of authority is Windows
Server Active Directory. After you complete your update, you must wait for the next synchronization cycle to complete before you'll see the
changes.
upvoted 3 times

 
CARIOCA
1 month ago
This question is very divided in the feedback, after all what would be the answer and which justified it?

After a debate of 22 comments, is the final answer to the question the same or not?

My humble suggestion for the Exam Topics would be to have an official moderator who, depending on the debate on the issues, should be
responsible for changing the submitted template.

 
Raj_Rock
2 weeks, 2 days ago
I think this is a BOT or just creating SPAM messages in the discussion forum.
upvoted 4 times

 
JayBee65
2 weeks ago
A bot or somebody very lazy
upvoted 3 times

 
mlantonis
1 month, 1 week ago
Correct Answer:

Box 1:User1 and User3 only

You must use Windows Server Active Directory to update the identity, contact info, or job info for users whose source of authority is Windows
Server Active Directory.

Box 2: User1, User2, and User3

Usage location is an Azure property that can only be modified from Azure AD (for all users including Windows Server AD users synced via Azure AD
Connect).

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal
upvoted 4 times

 
saddamakhtar
1 month, 3 weeks ago
Tested, Answer is Correct
upvoted 2 times

 
codingsam
2 months, 4 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 93/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

the answer should be User1 and User3 for both as in a hybrid environment where the user is on Windows Server AD then the synchronization is
only one way i.e. from on-prem AD to the AAD so changes to the job info or the usage location for User 2 should be done through on-prem AD
only.
upvoted 1 times

 
Kiano
2 months, 1 week ago
you actually have a point. I can see we can change both attributes for the synched identities, but I guess you are right. Both can be overwitten
by the sync progress.
upvoted 1 times

 
ZUMY
3 months, 2 weeks ago
Given answer is correct
upvoted 2 times

 
ZUMY
3 months, 2 weeks ago
AAD is answer
upvoted 1 times

 
toniiv
4 months, 1 week ago
Responses are correct:

- Job Title: for all but not Windows Server AD users

- Usage location is an Azure property that can only be modified from Azure AD (for all users including Windows Server AD users synced via Azure
AD Connect
upvoted 6 times

 
networkingcontrol
4 months, 3 weeks ago
INCORRECT! You cannot change the JobTitle attribute for a guest user.

Answer:

A. JobTittle: User1 and User2

B. UsageLocation: User1, User2, User3

Regards,
upvoted 1 times

 
stepient
3 months, 2 weeks ago
Yes, you can, tested in lab
upvoted 1 times

 
mikl
4 months, 2 weeks ago
You sure about that?

https://docs.microsoft.com/en-us/azure/active-directory/external-identities/user-properties

It sure looks like there is a property of "Job info" and the blue edit button on the screendumps here.
upvoted 2 times

 
TheOne1
4 months, 3 weeks ago
This doesn't seem correct to me, you can only modify the job title from a windows active directory server, not Azure AD, this means User 2 only. For
the second part, usage location can only be modified in Azure AD, not Windows Server active directory, this implies that the correct answer is user
1 and 3. This is very easy to test if you have access to AZ AD and a windows server......
upvoted 1 times

 
TheOne1
4 months, 3 weeks ago
My mistake, I just realized it's saying FROM Azure AD to make the change
upvoted 1 times

 
Diamondoma
5 months, 3 weeks ago
The explanation is saying something different from the answers selected. for Job title is User 1& User 2 or User1 & User 3?
upvoted 4 times

 
waterzhong
6 months, 1 week ago
You must use Windows Server Active Directory to update the identity, contact info, or job info for users whose source of authority is Windows
Server Active Directory. After you complete your update, you must wait for the next synchronization cycle to complete before you'll see the
changes.
upvoted 4 times

 
fedztedz
6 months, 1 week ago
Looks like answer is correct
upvoted 5 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 94/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #36 Topic 1

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an
Azure subscription.

Solution: You assign the Network Contributor role at the subscription level to Admin1.

Does this meet the goal?

A.
Yes

B.
No

Correct Answer:
A

Your account must meet one of the following to enable traffic analytics:

Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or network contributor.

Reference:

https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq

 
RithuNethra
Highly Voted 
6 months, 3 weeks ago
correct answer
upvoted 18 times

 
fedztedz
Highly Voted 
6 months, 1 week ago
Answer is Correct : "Yes"
upvoted 5 times

 
Radhaghosh
Most Recent 
4 days, 11 hours ago
To enable traffic analytics, your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or
network contributor.

So Answer is Correct
upvoted 1 times

 
mkoprivnj
1 week, 5 days ago
A is correct! Contributor role!
upvoted 1 times

 
Mich132
2 weeks ago
So normally a Contributor is not allowed to assign a role "Grants full access to manage all resources, but does not allow you to assign roles in
Azure RBAC, manage assignments in Azure Blueprints, or share image galleries." But this is an exception?
upvoted 1 times

 
mlantonis
1 month, 1 week ago
Correct Answer: A - Yes

Your account must have any one of the following Azure roles at the subscription scope: Owner, Contributor, Reader, or Network Contributor.

Network Contributor role - Lets you manage networks, but not access to them.

Traffic Analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Traffic analytics analyzes
Network Watcher network security group (NSG) flow logs to provide insights into traffic flow in your Azure cloud.

Reference:

https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics

https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq

https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics#user-access-requirements

https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
upvoted 4 times

 
armandolubaba
1 month, 1 week ago
Correct Answer
upvoted 1 times

 
saddamakhtar
1 month, 3 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 95/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Answer is Correct
upvoted 1 times

 
ZUMY
3 months, 3 weeks ago
A is correct!
upvoted 3 times

 
Sandroal29
3 months, 3 weeks ago
Given answer is correct.
upvoted 1 times

 
StixxNSnares
4 months ago
A!

Reference: https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-
faq#:~:text=Your%20account%20must%20meet%20one,%2C%20reader%2C%20or%20network%20contributor.
upvoted 1 times

 
toniiv
4 months, 1 week ago
A. is correct (network contributor at subscription scope)
upvoted 2 times

 
waterzhong
4 months, 2 weeks ago
Traffic Analytics requires the following prerequisites:

A Network Watcher enabled subscription.

Network Security Group (NSG) flow logs enabled for the NSGs you want to monitor.

An Azure Storage account, to store raw flow logs.

An Azure Log Analytics workspace, with read and write access.

upvoted 1 times

 
ms70743
6 months ago
Answer is Yes.

https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics
upvoted 1 times

 
waterzhong
6 months, 1 week ago
User access requirements

Your account must be a member of one of the following Azure built-in roles:

USER ACCESS REQUIREMENTS

Deployment model Role

Resource Manager Owner

Contributor

Reader

Network Contributor
upvoted 1 times

 
examWalker
6 months, 2 weeks ago
Answer should be No.

Traffic Manager Contributor <> Contributor

Your account must meet one of the following to enable traffic analytics:

Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or network contributor.

https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq
upvoted 2 times

 
lodo
6 months, 1 week ago
At the link you provided is stated:

Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or network contributor.

So answer is Yes
upvoted 7 times

 
smw2020
5 months, 4 weeks ago
Very right. The correct answer is yes.
upvoted 2 times

 
OmarMac
6 months, 2 weeks ago
It's correct - https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 96/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #37 Topic 1

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an
Azure subscription.

Solution: You assign the Owner role at the subscription level to Admin1.

Does this meet the goal?

A.
Yes

B.
No

Correct Answer:
A

Your account must meet one of the following to enable traffic analytics:

Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or network contributor.

Reference:

https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq

 
RithuNethra
Highly Voted 
6 months, 3 weeks ago
correct answer
upvoted 9 times

 
fedztedz
Highly Voted 
6 months, 1 week ago
Answer is correct "Yes"
upvoted 6 times

 
mkoprivnj
Most Recent 
1 week, 5 days ago
A is correct. Contributor or Owner role.
upvoted 1 times

 
mlantonis
1 month, 1 week ago
Correct Answer: A

Your account must have any one of the following Azure roles at the subscription scope: Owner, Contributor, Reader, or Network Contributor.

Network Contributor role - Lets you manage networks, but not access to them.

Reference:

https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics

https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq

https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics#user-access-requirements

https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
upvoted 2 times

 
saddamakhtar
1 month, 3 weeks ago
Answer is Correct
upvoted 1 times

 
ZUMY
3 months, 3 weeks ago
A is correct!
upvoted 2 times

 
Horhe
4 months ago
Answer is correct
upvoted 1 times

 
toniiv
4 months, 1 week ago
A. is correct (owner at subscription scope)
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 97/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
ar_vinoth
4 months, 1 week ago
Correct answer A
upvoted 1 times

 
kashi1983
4 months, 2 weeks ago
Answer is A
upvoted 1 times

 
ms70743
6 months ago
A is correct

https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics
upvoted 2 times

 
Nalex9ja
6 months, 1 week ago
the given answer is the correct answrer
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 98/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #38 Topic 1

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an
Azure subscription.

Solution: You assign the Reader role at the subscription level to Admin1.

Does this meet the goal?

A.
Yes

B.
No

Correct Answer:
A

Your account must meet one of the following to enable traffic analytics:

Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or network contributor.

Reference:

https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq

 
asmodeus
Highly Voted 
6 months, 3 weeks ago
Traffic Analytics requires the following prerequisites:

A Network Watcher enabled subscription.

Network Security Group (NSG) flow logs enabled for the NSGs you want to monitor.

An Azure Storage account, to store raw flow logs.

An Azure Log Analytics workspace, with read and write access.

Your account must meet one of the following to enable traffic analytics:

Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or network contributor.
upvoted 19 times

 
nNeo
1 month, 1 week ago
Although the article specified, but reader role can't change (or enable) "Traffic Analytics status" setting in NSG flow log settings. IMO, that article
should be edited.
upvoted 3 times

 
visave
6 months, 3 weeks ago
got it.

https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-
faq#:~:text=Your%20account%20must%20meet%20one,%2C%20reader%2C%20or%20network%20contributor.
upvoted 2 times

 
MountainW
2 months, 2 weeks ago
The key is to enable, not to use. The article is about to use. The answer is not correct.
upvoted 5 times

 
JayBee65
2 weeks, 2 days ago
The requirements above state..

Your account must meet one of the following to ***enable**** traffic analytics:

Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, ***reader***, or network
contributor.

So it is correct
upvoted 2 times

 
visave
6 months, 3 weeks ago
As per your description the answer is A. could you please paste the source of the information.
upvoted 1 times

 
Nicodebian
6 months, 3 weeks ago
https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq
upvoted 3 times

 
mikl
Highly Voted 
4 months, 1 week ago
Answer is A. Yes.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 99/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Source : https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq

Your account must meet one of the following to enable traffic analytics:

Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or network contributor.
upvoted 6 times

 
alisyech
Most Recent 
2 days, 15 hours ago
answer is yes (A) for sure
upvoted 1 times

 
JoeRogersHi
1 week, 1 day ago
Tested—

Reader: Can select “On” and choose Log Analytics workspace and click “Save”...but does not have rights to save (it errors due to permissions).

Network Contributor: Can select “On” but cannot choose a Log Analytics workspace, and therefore cannot “Save”.

Contributor: YES, it works.

Owner: YES it works.

upvoted 1 times

 
mkoprivnj
1 week, 5 days ago
A is correct! Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or network
contributor.
upvoted 1 times

 
CARIOCA
1 month ago
This question is very divided in the feedback, after all what would be the answer and which justified it?

After a debate of 20 comments, is the final answer to the question the same or not?

My humble suggestion for the Exam Topics would be to have an official moderator who, depending on the debate on the issues, should be
responsible for changing the submitted template.

 
JayBee65
2 weeks, 2 days ago
What do you think?
upvoted 1 times

 
Cippunk
1 month ago
Just tested and answer is no. Reader does not have authorisation to perform action Microsoft.Network/networkwatchers/flowlogs/write. This
question needs to be edited.
upvoted 3 times

 
mlantonis
1 month, 1 week ago
Correct Answer: A - Yes

Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or network contributor.

Reader role - View all resources, but does not allow you to make any changes.

Reference:

https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics

https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq

https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics#user-access-requirements

https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
upvoted 1 times

 
Acrophat
1 month, 2 weeks ago
I have attempted to enable traffic analytics for an NSG and reader role does not allow enabling traffic analytics without first having
owner/contributor role to the log analytics workspace that the logs will be sent to.
upvoted 4 times

 
Acrophat
1 month, 2 weeks ago
Edit** asmodeus explained the user needs to have read/write access to the log analytics workspace. However, even after that, it fails to enable
traffic analytics for a user with reader role only.
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 100/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
besha
2 months, 2 weeks ago
The reader role can't edit, create, enable, disable or delete any resources! The correct answer is NO. B
upvoted 3 times

 
MountainW
2 months, 2 weeks ago
B is correct. The key is to enable, not to use.
upvoted 1 times

 
ZUMY
3 months, 3 weeks ago
A is correct!
upvoted 1 times

 
toniiv
4 months, 1 week ago
A. is correct (reader at subscription scope)
upvoted 1 times

 
ar_vinoth
4 months, 1 week ago
correct answer
upvoted 1 times

 
Kiookr
5 months, 3 weeks ago
The keyword here is :

"at the subscription level"

Therefore is "A" Yes otherwise will be "B" No

upvoted 3 times

 
fedztedz
6 months, 1 week ago
Answer is correct. "Yes"
upvoted 4 times

 
Galbraj5797
6 months, 3 weeks ago
checked this with Whizlabs..........Reader role can do what is required.
upvoted 5 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 101/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #39 Topic 1

You have an Azure subscription that contains a user named User1.

You need to ensure that User1 can deploy virtual machines and manage virtual networks. The solution must use the principle of least privilege.

Which role-based access control (RBAC) role should you assign to User1?

A.
Owner

B.
Virtual Machine Contributor

C.
Contributor

D.
Virtual Machine Administrator Login

Correct Answer:
B

Virtual Machine Contributor: Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're
connected to.

Incorrect Answers:

A: Owner: Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.

C: Contributor: Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC.

D: Virtual Machine Administrator Login: View Virtual Machines in the portal and login as administrator.
Reference:

https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

 
wooyourdaddy
Highly Voted 
6 months, 3 weeks ago
Should the answer be C. Contributor? Answer B, only allows the managing of the VM's and not the Virtual Networks as stated in the question.
upvoted 81 times

 
Alim786
2 months ago
Tested in lab and "Virtual Machine Contributor" cannot manage VNET. Therefore answer is "Contributor"
upvoted 15 times

 
ciscogeek
2 months, 3 weeks ago
Whatever Manage means by Microsoft standards, as per the doc they say, VM Contributor can manage.

Virtual Machine Contributor Lets you "manage" virtual machines, but not access to them, and not the virtual network or storage account they're
connected to.

I would go for B.
upvoted 2 times

 
Miles19
2 months, 3 weeks ago
You are right, definitely, we need to assign a role of contributor, as the virtual machine contributor isn't enough - can't even manage the virtual
networks to which the VM is attached to. See details: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
upvoted 1 times

 
alessioferrario
3 months, 3 weeks ago
I agree
upvoted 1 times

 
Malec
Highly Voted 
6 months, 3 weeks ago
I think correct is C, because Virtual Machine Contributor don't have permission to manage networks
upvoted 16 times

 
karensue
Most Recent 
3 days, 21 hours ago
Answer is C - contributor.

Contributor- Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure
Blueprints, or share image galleries.

https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
upvoted 1 times

 
Radhaghosh
4 days, 11 hours ago
Virtual Machine Contributor: Lets you manage virtual machines, but not access to tthe virtual network or storage account they're connected to.

And because the requirement is to manage Virtual Machines and Virtual Networks, the unique RBAC Role satisfying the requirement is Contributor.
upvoted 1 times

 
onincasimiro
4 days, 16 hours ago
Keyword is "least privilege" so VM Contributor is correct.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 102/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
jinx9988
6 days, 16 hours ago
C is the correct answer
upvoted 3 times

 
mkoprivnj
1 week, 5 days ago
C is correct!
upvoted 1 times

 
Darkren4eveR
2 weeks ago
Answer C
upvoted 1 times

 
Ssri
2 weeks ago
Virtual Machine Contributor:

Create and manage virtual machines, manage disks and disk snapshots, install and run software, reset password of the root user of the virtual
machine using VM extensions, and manage local user accounts using VM extensions. This role does not grant you management access to the
virtual network or storage account the virtual machines are connected to. This role does not allow you to assign roles in Azure RBAC.

Contributor:

Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share
image galleries.

As per question we need to assign least privilege.

Hence the answer is B.

upvoted 2 times

 
Ssri
2 weeks ago
Sorry, answer should be C. As mentioned in Virtual Machine Contributor, this role doesn’t have access to manage virtual networks. As such,
Contributor would be the least privilege to assign in this case.
upvoted 2 times

 
CLagnuts
2 weeks ago
Answer is C Contributor.

B is wrong because a Virtual Machine Contributor can create and manage virtual machines, manage disks and disk snapshots, install and run
software, reset password of the root user of the virtual machine using VM extensions, and manage local user accounts using VM extensions. This
role does not grant you management access to the virtual network or storage account the virtual machines are connected to. This role does not
allow you to assign roles in Azure RBAC.
upvoted 1 times

 
Tranquillo1811
2 weeks, 6 days ago
C is the only correct answer to this question.

Virtual Machine Contributor role only rights for the following actions with respect to VNETs:

Microsoft.Network/virtualNetworks/read Get the virtual network definition

Microsoft.Network/virtualNetworks/subnets/join/action Joins a virtual network. Not Alertable.

(https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor)
upvoted 2 times

 
Zuls
3 weeks, 1 day ago
Virtual machine contributor: Create and manage virtual machines, manage disks and disk snapshots, install and run software, reset password of the
root user of the virtual machine using VM extensions, and manage local user accounts using VM extensions. THIS ROLE DOES NOT GRANT YOU
MANAGEMENT ACCESS TO THE VIRTUAL NETWORK or storage account the virtual machines are connected to. This role does not allow you to
assign roles in Azure RBAC.
upvoted 1 times

 
ajaz
3 weeks, 2 days ago
when they say "User1 can deploy virtual machines and manage virtual networks. The solution must use the principle of least privilege." I assume as
part of least privilege phrase - manage virtual networks would be adding a new VM to existing VNETs - if that is the case, as per following rule -
Microsoft.Network/virtualNetworks/subnets/join/action Joins a virtual network. Not Alertable (https://docs.microsoft.com/en-us/azure/role-based-
access-control/built-in-roles#virtual-machine-contributor), "B" is the right answer.

If it is about actually managing available VNETs then "C" would be right answer (where least privilege literally will be ignored). I assume and will
choose "B" as right answer.
upvoted 1 times

 
rd_dr
3 weeks, 6 days ago
the correct answer is contributor
upvoted 1 times

 
CARIOCA
1 month ago
This question is very divided in the feedback, after all what would be the answer and which justified it?

After a debate of 69 comments, is the final answer to the question the same or not?

My humble suggestion for the Exam Topics would be to have an official moderator who, depending on the debate on the issues, should be
responsible for changing the submitted template.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 103/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
shefk
1 week, 6 days ago
it is a BOT as the same comment been there on almost every answer
upvoted 1 times

 
Cippunk
1 month ago
Answer is C. Virtual Machine Contributor does not have permissions to manage a Virtual Network.
upvoted 1 times

 
mlantonis
1 month, 1 week ago
Correct Answer: C

Only Owner and Contributor can perform the actions, but we need to follow the least privilege principal, so Contributor.

A: Owner- Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.

B: Virtual Machine Contributor - Create and manage virtual machines, manage disks and disk snapshots, install and run software, reset password of
the root user of the virtual machine using VM extensions, and manage local user accounts using VM extensions. This role does not grant you
management access to the virtual network or storage account the virtual machines are connected to. This role does not allow you to assign roles in
Azure RBAC.

C: Contributor - Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure
Blueprints, or share image galleries.

D: Virtual Machine Administrator Login - View Virtual Machines in the portal and login as administrator.

Reference:

https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 104/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #40 Topic 1

HOTSPOT -

You have an Azure Active Directory (Azure AD) tenant that contains three global administrators named Admin1, Admin2, and Admin3.

The tenant is associated to an Azure subscription. Access control for the subscription is configured as shown in the Access control exhibit. (Click
the Access

Control tab.)

You sign in to the Azure portal as Admin1 and configure the tenant as shown in the Tenant exhibit. (Click the Tenant tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 105/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: No -

Only Admin3, the owner, can assign ownership.

Box 2: Yes -

Box 3: No -

Reference:

https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/add-change-subscription-administrator

 
mlantonis
Highly Voted 
1 month, 1 week ago
Correct Answer:

Azure (RBAC) and Azure AD roles are independent. AD roles do not grant access to resources and Azure roles do not grant access to Azure AD.
However, a Global Administrator in AD can elevate access to all subscriptions and will be User Access Administrator in Azure root scope.

All 3 users are GA (AD) and Admin3 is owner of the subscription (RBAC).

Admin1 has elevated access, so he is also User Access Admin (RBAC).

To assign a user the owner role at the Subscription scope, you require permissions, such as User Access Admin or Owner.

Box 1: Yes

Admin1 has elevated access, so he is User Access Admin. This is valid.

Box 2: Yes

Admi3 is Owner of the Subscription. This is valid.

Box 3: No

Admin2 is just a GA in Azure AD scope. He doesn’t have permission in the Subscription.

Reference:

https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin

https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal-subscription-admin
upvoted 23 times

 
ashish2201
Highly Voted 
4 weeks, 1 day ago
Answer is correct, tested in Lab

1. No : Admin1 is a Global Administrator at Tenant which does not give it permission on subscription therefore cannot assign Owner Roles

2. Yes : Admin 3 is Global Administrator + Owner of Subscription therefore can assign Owner role to other user.

3. NO : Admin2 is Global Administrator for Tenant and do not have any rights on Subscription thereofore cannot create resources in it.
upvoted 7 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 106/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
ashish2201
4 weeks, 1 day ago
Kindly ignore my previous comment, below is the correct one

1. Yes : Admin1 is a Global Administrator at Tenant which does not give it permission on subscription but as per exibit it has taken control to
manage access to all Azure subscriptions therefore it now has access to manage subscription therefore can assign role to other users.

2. Yes : Admin 3 is Global Administrator + Owner of Subscription therefore can assign Owner role to other user.

3. NO : Admin2 is Global Administrator for Tenant and do not have any rights on Subscription therefore cannot create resources in it.
upvoted 5 times

 
james1890
Most Recent 
2 days, 3 hours ago
By default, Azure roles and Azure AD roles do not span Azure and Azure AD. However, if a Global Administrator elevates their access by choosing
the Access management for Azure resources switch in the Azure portal, the Global Administrator will be granted the User Access Administrator role
(an Azure role) on all subscriptions for a particular tenant. The User Access Administrator role enables the user to grant other users access to Azure
resources. This switch can be helpful to regain access to a subscription. For more information, see Elevate access to manage all Azure subscriptions
and management groups.

Several Azure AD roles span Azure AD and Microsoft 365, such as the Global Administrator and User Administrator roles. For example, if you are a
member of the Global Administrator role, you have global administrator capabilities in Azure AD and Microsoft 365, such as making changes to
Microsoft Exchange and Microsoft SharePoint. However, by default, the Global Administrator doesn't have access to Azure resources.

Box 1: YES

Box 2: YES

Box 3: NO
upvoted 1 times

 
mkoprivnj
1 week, 5 days ago
Box 1: Yes

Admin1 has elevated access, so he is User Access Admin. This is valid.

Box 2: Yes

Admi3 is Owner of the Subscription. This is valid.

Box 3: No

Admin2 is just a GA in Azure AD scope. He doesn’t have permission in the Subscription.

upvoted 2 times

 
CARIOCA
1 month ago
This question is very divided in the feedback, after all what would be the answer and which justified it?

After a debate of 17 comments, is the final answer to the question the same or not?

My humble suggestion for the Exam Topics would be to have an official moderator who, depending on the debate on the issues, should be
responsible for changing the submitted template.

 
sheva370
1 month ago
Tested in my lab, the correct answer is

Box 1: Yes - Elevated access

https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin#azure-portal

Box 2: Yes - Owner

Box 3: No - Azure AD admin only.

upvoted 2 times

 
ronsav80
1 month ago
So Q1 is if Admin1 can add Admin2 as the owner of the subscription. Only the current owner can change the ownership, and in this case, Admin 3
is the owner. So based on this I think the answer is correct and it should be N/Y/N
upvoted 1 times

 
Veronika1989
1 month, 1 week ago
I have tested this and I won't be able to find a way how to assign a Subscription Owner role for Admin2. As for me, the given answer is correct.
upvoted 1 times

 
MayBe
1 month, 2 weeks ago
Azure (RBAC) and Azure AD roles are independent. AD roles do not grant access to resources and Azure roles do not grant access to AD. However,
a Global Administrator in AD can elevate access to all subscriptions and will be User Access Administrator in Azure root scope
(https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin)

All 3 Admins are GA (AD)

Admin3 (ex1) is owner of the subscription (RBAC)

Admin1 has elevated access (ex2), is also User Access Admin (RBAC)

To assign a user the owner role at the subscription scope you require permissions, such as User Access Admin or Owner

(https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal-subscription-admin)

Q1 Admin1, User Access Admin (elevated) can assign owner

Q2 Admin3, Owner can add Owner

Q3 Admin2 "as is" (not elevated), cannot create resources

But he can elevate access and then will be able to.

Is the question "as is" or "theoretically”

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 107/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

I would say "no.

yes, yes, no/yes?

upvoted 4 times

 
samratmahe
1 month, 1 week ago
Since all 3 users (Admin1, Admin2, Admin 3) are GA's - i believe all 3 will have elevated access across the tenant (AD) and they will have elevated
access (RBAC) to perform all the actions... In this case i would say answer is

Y
upvoted 3 times

 
chaudha4
1 month, 1 week ago
Agree with you. I think it is a Yes for all the cases.
upvoted 1 times

 
bacana
1 month, 3 weeks ago
Using the screen shown by the question.

1 - Admin3 is the owner of a subscription and can also add any other user as an owner.

2 - Admin1 has created a new subscription and is the owner, so he can add any other user as an owner as well.

3 - The question says nothing about before or after 1 or 2, so admin2 cannot add any resources.
upvoted 5 times

 
tera_baap
1 month ago
Admin1 Created new tenant not new subscription. Tenant is different than subscription. So 2 - NO.
upvoted 1 times

 
Kiano
1 month ago
I agree with you. First of all very confusing question. Especially the third option not mentioning if Admin1 has already assigned the ownership of
the subscription to admin2 or not. In any case, as a global Admin all users can get access to the management root group, which is above the
subscription layer, and then assign themselves the ownership of the subscription and thereby getting access to all the resources. But the
question is how does Microsoft think in the matter? Are they considering that Admin2 is not informed about how he can go about to get access
or Admin1 has not yet assigned ownership permission to him. As mentioned very condusing. My experience is that questions that tend to be
confusing dont show up on the test.
upvoted 2 times

 
raph90fr
1 month, 3 weeks ago
well, in my opinion the first one should be yes. In fact, Admin1, as a global admin has elevated it account according to the screenshot. this
elevation gave it User access administrator on all Management group and subscription. So admin1 can assign admin2 the owner role to the
subscription.

i agree on what jantonio said: i think we must deal with each point without any link. So for me, it would be no/yes/no
upvoted 1 times

 
raph90fr
1 month, 3 weeks ago
sorry it should be YES/YES/NO
upvoted 9 times

 
MrRice
1 month, 3 weeks ago
GA can have access to all resources when elevated.

https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin
upvoted 2 times

 
MrRice
1 month, 3 weeks ago
sorry. GA can have access to all subscriptions or management groups when elevated.
upvoted 1 times

 
denccc
1 month, 3 weeks ago
I would say N/Y/Y
upvoted 3 times

 
vinmiddha
1 month, 3 weeks ago
I think Admin can also provide owner access . Any comment
upvoted 1 times

 
Devgela
1 month, 3 weeks ago
Wrong

The Admin2 is able to create RG in the Subscription

upvoted 1 times

 
jantoniocesargatica
1 month, 3 weeks ago
I think you must limit the scenerio to the question. From my point of view, there is one question which does not have any relationship with the
previous question (second one), and that is the confusion.
If you take the question, according to the initial scenario:

Can Admin2 create a resource in the subscription?

The answer is No, because Admin2 does not have any role (ownner, contributor...) assigned in the subscription, according to the initial
conditions.

The problem is when you do the question 2, previous to answer question3. As Admin3 can add Admin2 as an Owner of the subscription, now
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 108/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Admin2 is owner and has control of any resources. When you go to question3, the answer would be yes, because is owner in the subscription
and can create resources, but you have to think as an unique question which does not have any relationship with previous. The solution would
have to be the same if you change the order of the questions, and the answer is NO for the third question.

I hope this help.

upvoted 7 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 109/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #41 Topic 1

You have an Azure subscription named Subscription1 that contains an Azure virtual machine named VM1. VM1 is in a resource group named RG1.

VM1 runs services that will be used to deploy resources to RG1.

You need to ensure that a service running on VM1 can manage the resources in RG1 by using the identity of VM1.

What should you do first?

A.
From the Azure portal, modify the Managed Identity settings of VM1

B.
From the Azure portal, modify the Access control (IAM) settings of RG1

C.
From the Azure portal, modify the Access control (IAM) settings of VM1

D.
From the Azure portal, modify the Policies settings of RG1

Correct Answer:
A

Managed identities for Azure resources provides Azure services with an automatically managed identity in Azure Active Directory. You can use
this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.

You can enable and disable the system-assigned managed identity for VM using the Azure portal.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm

 
ZUMY
Highly Voted 
3 months, 2 weeks ago
Managed identity setting is correct
upvoted 15 times

 
fedztedz
Highly Voted 
4 months, 3 weeks ago
Answer is correct "A" Modify Managed Identities.
upvoted 14 times

 
mkoprivnj
Most Recent 
1 week, 5 days ago
A is correct!
upvoted 1 times

 
Tranquillo1811
2 weeks, 6 days ago
Actually this is a tricky question.

However, according to this link https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-

vm-access-arm

where exactly this scenario is described, they go directly to IAM of the RG and select the VM there.

I assume the managed Identity of the VM is then automatically enabled if it is not already enabled.

So the correct answer would be actually B!

upvoted 2 times

 
Tranquillo1811
2 weeks, 6 days ago
I stand corrected: Under that link under prereqs they mention: "You also need a Windows Virtual machine that has system assigned managed
identities enabled."

Yes, answer A is correct!

upvoted 2 times

 
Kctaz
3 weeks, 1 day ago
In case anyone still has doubt : A is correct.

When you go to VM menu and Identity, you can choose to assign an identity to the VM to register it in Azure AD. Then, you can give the role you
need to this managed identity (you can choose the scope and the role).

Easy, fast, and very practical.

upvoted 2 times

 
CARIOCA
1 month ago
This question is very divided in the feedback, after all what would be the answer and which justified it?

After a debate of 12 comments, is the final answer to the question the same or not?

My humble suggestion for the Exam Topics would be to have an official moderator who, depending on the debate on the issues, should be
responsible for changing the submitted template.

 
mlantonis
1 month, 1 week ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 110/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer: A

Managed identities for Azure resources provides Azure services with an automatically managed identity in Azure Active Directory. You can use this
identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code. You can enable and disable
the system-assigned managed identity for VM using the Azure portal.

RBAC manages who has access to Azure resources, what areas they have access to and what they can do with those resources. Examples of Role
Based Access Control (RBAC) include: Allowing an app to access all resources in a resource group Policies on the other hand focus on resource
properties during deployment and for already existing resources. As an example, a policy can be issued to ensure users can only deploy DS series
VMs within a specified resource

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm
upvoted 5 times

 
mdyck
1 month, 2 weeks ago
Go to VM > Identity > System Assigned > Status On > Azure role assignments > Scope Resource group > Contributor

"Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC"

I think managed identity is the way to go.

upvoted 5 times

 
MayBe
1 month, 2 weeks ago
To answer the question you have to first understand the difference between Managed Identity (a.k.a RBAC) and Access Control policies (IAM)

Policies on the other hand focus on resource properties during deployment and for already existing resources. As an example, a policy can be
issued to ensure users can only deploy DS series VMs within a specified resource

(https://techcommunity.microsoft.com/t5/itops-talk-blog/governance-101-the-difference-between-rbac-and-policies/ba-p/1015556?
WT.mc_id=ITOPSTALK-reddit-abartolo)

So the answer is A
upvoted 3 times

 
Moley
3 months, 1 week ago
Answer A will not achieve the goal. The VM identity will not have rights to the resource group. The question implies the VM has an identity. The
correct answer is B where you use IAM to grant the identity permissions to the resource group.
upvoted 4 times

 
alexandvvvvv
2 months, 2 weeks ago
You are right that answer A will not achieve the goal but the question is not about that, it is about the first action you have to do to achieve the
goal. Also for me it does not look like it is said that VM already has an identity. I think they mean just that an identity should be used and to
achieve that you have to configure it. So I think it is A.
upvoted 3 times

 
toniiv
4 months ago
Answer seems to be correct as per URL provided ( Managed Identities )
upvoted 2 times

 
waterzhong
4 months, 3 weeks ago
A system assigned managed identity is restricted to one per resource and is tied to the lifecycle of this resource. You can grant permissions to the
managed identity by using Azure role-based access control (Azure RBAC). The managed identity is authenticated with Azure AD, so you don’t have
to store any credentials in code. Learn more about Managed identities.
upvoted 4 times

 
waterzhong
4 months, 3 weeks ago
User assigned managed identities enable Azure resources to authenticate to cloud services (e.g. Azure Key Vault) without storing credentials in
code. This type of managed identities are created as standalone Azure resources, and have their own lifecycle. A single resource (e.g. Virtual
Machine) can utilize multiple user assigned managed identities. Similarly, a single user assigned managed identity can be shared across multiple
resources (e.g. Virtual Machine). Learn more about Managed identities.
upvoted 5 times

 
vince60370
5 months, 2 weeks ago
I think the answer is good, but VM tab is misspelled. It is just called "Identity". To enable the System-assigned Managed Identity after VM creation -
> https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm#enable-system-
assigned-managed-identity-on-an-existing-vm
upvoted 3 times

 
bartw
5 months, 3 weeks ago
Answer looks strange to me (but of all the answer the only most logical one to me), It states clearly that the VM is running services, which means
it's aready active. The link states that during configuration you Can set the toggle, not after the VM is running and configured.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 111/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #42 Topic 1

You have an Azure subscription that contains a resource group named TestRG.

You use TestRG to validate an Azure deployment.

TestRG contains the following resources:

You need to delete TestRG.

What should you do first?

A.
Modify the backup configurations of VM1 and modify the resource lock type of VNET1

B.
Remove the resource lock from VNET1 and delete all data in Vault1

C.
Turn off VM1 and remove the resource lock from VNET1

D.
Turn off VM1 and delete all data in Vault1

Correct Answer:
C

When you delete a resource group, all of its resources are also deleted. Deleting a resource group deletes all of its template deployments and
currently stored operations.

Reference:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/delete-resource-group?tabs=azure-powershell

 
Dips88
Highly Voted 
1 month, 3 weeks ago
Answer should be B. A recovery service vault can not deleted unless all its backups are deleted permanently. And along with that definitely resource
lock has to be removed on vnet
upvoted 39 times

 
poplovic
1 week, 3 days ago
Tried in the lab, a lot of steps to remove the vault.

https://docs.microsoft.com/en-us/azure/backup/quick-backup-vm-portal

https://docs.microsoft.com/en-us/azure/backup/backup-azure-security-feature-cloud#permanently-deleting-soft-deleted-backup-items
upvoted 1 times

 
BabiRahul
Highly Voted 
1 month, 3 weeks ago
I will go with A
upvoted 13 times

 
Lkk51
3 weeks, 4 days ago
A is to modify the resource "lock type" of VNET1. it does not resolve the issue
upvoted 1 times

 
yoloserg
3 weeks ago
first steps, not deleting actually
upvoted 2 times

 
azlab1win
Most Recent 
1 week, 1 day ago
Tried in the lab, the corret answer is B!
upvoted 4 times

 
mkoprivnj
1 week, 5 days ago
B is correct!
upvoted 1 times

 
magdoc
2 weeks, 3 days ago
the correct answer is B.
upvoted 1 times

 
SNVVK
2 weeks, 4 days ago
The correct answer is B. You cannot delete the recovery service vault unless all it's containers have been unregistered from the vault and all private
endpoints associated with the vault have been deleted. If you don't delete you will get an error like below.

Please check audit logs for more details. (Code: ResourceGroupDeletionBlocked) Vault cannot be deleted as there are existing resources within the
vault. : ***-***-***

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 112/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Please ensure all containers have been unregistered from the vault and all private endpoints associated with the vault have been deleted, and retry
operation.
upvoted 3 times

 
Tranquillo1811
2 weeks, 6 days ago
A is the correct answer here!

You need to do both: Disable the VM backup (stored in the recovery vault and also you need to remove the delete lock before you can delete the
VNET...
upvoted 2 times

 
Tranquillo1811
2 weeks, 6 days ago
Sorry! Of course B is correct! You need to delete the data in the vault before you can delete it...
upvoted 3 times

 
ScreamingHand
3 weeks ago
"B" seems the best answer as:

"You can't delete a vault that contains backup data"

https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault

Answer "A" modifies the BU config, but does not delete the data, whereas "B", does.
upvoted 1 times

 
jpons
4 weeks ago
Modifying the lock will not do, there are just 2 options and none allows deleting:

CanNotDelete - the resource can be modified however not deleted.

ReadOnly - the resource can neither be deleted or modified.

Hence the lock must be removed = B

upvoted 1 times

 
Md_Shahnawaz
1 month ago
Answer C is correct
upvoted 1 times

 
ronsav80
1 month ago
I vote A as well... you have to stop a backup before you can delete a RS vault, and you stop the backup from the backup settings.
upvoted 5 times

 
mlantonis
1 month, 1 week ago
Correct Answer: B

When you delete a resource group, all of its resources are also deleted. Deleting a resource group deletes all of its template deployments and
currently stored operations.

As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting
or modifying critical resources. The lock overrides any permissions the user might have.

You can't delete a vault that contains backup data. Once backup data is deleted, it will go into the soft deleted state.

So you have to remove the lock on order to delete the VNET and delete the backups in order to delete the vault.

Reference:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/delete-resource-group?tabs=azure-powershell

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources

https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault#before-you-start
upvoted 10 times

 
nfett
1 month, 1 week ago
If you have the required access, but the delete request fails, it may be because there's a lock on the resource group. this is from their provided
solution document. B is correct.
upvoted 1 times

 
Ptit_filou
1 month, 1 week ago
What should you do FIRST.

I'd go for A: since we cannot delete a RG if there is an active backup, we "modify the backup configuration" by removing it, and then delete all data
as said in B.

But since the question seems to be about the first action, I'd say A.
upvoted 6 times

 
Ptit_filou
1 month, 1 week ago
Sorry, didn't see it was MODIFY the resource lock type in A, has no sense, so I agree with B :)
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 113/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
Rajbabu1983
1 month, 1 week ago
Question is what should you do first, we need to trun off before deleting backup
upvoted 6 times

 
jantoniocesargatica
1 month, 1 week ago
Let's try to get the correct answer using the Theorem of reduction to the absurd:

1. First point: Locks must be removed. If you do not remove the locks, this will make imposible to remove the TestRG resource group. Reading the
asnwers, there are only 2 of them which remove the locks ('B' and 'C'). For that reason 'A' and 'D' are eliminated from the final answer, as none of
them removes the lock. If someone is not agree, replies to this and demostrate it please. Please. do not insert comments without an argument.

2. Secondly, with the remaining possible available answers, that is 'B' and 'D', the Vault must be empty before you can remove the TestRG resource
group. To shutdown a Vm, is not going to fix the problem, as the Vault data has not been erased.

Having said this, the correct solution is B.

If someone is not convinced with the argument, please reply with your argument.
upvoted 9 times

 
mdyck
1 month, 2 weeks ago
Says it right here. "You can't delete a vault that contains backup data. Once backup data is deleted, it will go into the soft deleted state."

https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault#before-you-start
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 114/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #43 Topic 1

You have an Azure DNS zone named adatum.com.

You need to delegate a subdomain named research.adatum.com to a different DNS server in Azure.

What should you do?

A.
Create an NS record named research in the adatum.com zone.

B.
Create an PTR record named research in the adatum.com zone.

C.
Modify the SOA record of adatum.com.

D.
Create an A record named *.research in the adatum.com zone.

Correct Answer:
A

You need to create a name server (NS) record for the zone.

Reference:

https://docs.microsoft.com/en-us/azure/dns/delegate-subdomain

 
chaitu1990
Highly Voted 
4 months, 2 weeks ago
All the best for your Exam guys:))
upvoted 74 times

 
Exiri
Highly Voted 
4 months, 1 week ago
good luck!
upvoted 17 times

 
Md_Shahnawaz
Most Recent 
1 month ago
Answer A is correct
upvoted 4 times

 
mlantonis
1 month, 1 week ago
Correct Answer: A

An NS record or (name server record) tells recursive name servers which name servers are authoritative for a zone. You can have as many NS
records as you would like in your zone file. The benefit of having multiple NS records is the redundancy of your DNS service.

You need to create a name server (NS) record for the zone.

Reference:

https://docs.microsoft.com/en-us/azure/dns/delegate-subdomain
upvoted 7 times

 
saddamakhtar
1 month, 3 weeks ago
Good Luck! guys for your Exam...............
upvoted 3 times

 
6F
1 month, 3 weeks ago
45 mins to go time, good luck all!
upvoted 2 times

 
sopot
1 month, 4 weeks ago
Good luck evrybody :)
upvoted 1 times

 
luiz01
2 months ago
All the best for guys:)
upvoted 1 times

 
rishard
2 months ago
Got exam in 1h - Wish me luck ;)
upvoted 3 times

 
jc1738
1 month, 4 weeks ago
How did it go? Was the material on here enough to get you a pass? My exam is this week!
upvoted 2 times

 
RealKaiCloud34813
2 months ago
Good luck, I'm attepting tomorrow.
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 115/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 4 times

 
UmarQazi
2 months, 2 weeks ago
I'm going to attempt this exam in the afternoon.
upvoted 2 times

 
Olijames221
2 months, 1 week ago
How did it go? Was the question set in here enough to pass? I have mine tomorrow
upvoted 2 times

 
HassanSarhan
1 month, 2 weeks ago
How did it go with you? MY exam is next week! Was the question set here enough to pass ?
upvoted 1 times

 
thapp
2 months, 3 weeks ago
is there any new questions ?
upvoted 1 times

 
SScott
2 months, 3 weeks ago
Name Server is the correct Answer, not an A Record.

I am signed up for the exam today 4/4. Microsoft tag on the registration site says content changed 3/26. Probably just a few questions added
and/or removed.
upvoted 2 times

 
SScott
2 months, 2 weeks ago
New scale set questions, specific to % to minute and policy effects. Know kubectl commands and syntax reference to VM resources. New
variations of app service, web apps, and specific to ASP and .NET Core. New NSG firewall rule determinations. Several curve balls but the
current set on examtopics.com will provide the study guide results to pass with success! Research, review and test in lab to fully learn and
grow your Azure field of study.
upvoted 3 times

 
SScott
2 months, 2 weeks ago
https://microsoftlearning.github.io/AZ-104-MicrosoftAzureAdministrator/Instructions/Labs/LAB_09c-
Implement_Azure_Kubernetes_Service.html
upvoted 3 times

 
LexusNX425
2 months, 3 weeks ago
Thank You ExamTopics, and thank all of you for your support in the discussions. Best of luck to everyone on the exam!!! :)
upvoted 3 times

 
Techseeker
3 months ago
Reached here! Thanks for the amazing support and good luck on your exam ☺️
upvoted 3 times

 
ZUMY
3 months, 2 weeks ago
A:

An NS record or (name server record) tells recursive name servers which name servers are authoritative for a zone. ... You can have as many NS
records as you would like in your zone file. The benefit of having multiple NS records is the redundancy of your DNS service.
upvoted 10 times

 
randomsiht
4 months ago
A lot of effort to correct and review all the answers :) hope it will work
upvoted 8 times

 
aMiPL
4 months, 1 week ago
Well done guys! :) Was it worth it :> ??
upvoted 7 times

 
SScott
2 months, 2 weeks ago
Absolutely! Hopefully everyone did practice hands-on with lab. The only way to fully know the material.
upvoted 1 times

 
phiwanczuk
3 months, 3 weeks ago
Hopefully ;)
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 116/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #44 Topic 1

DRAG DROP -

You have an Azure Active Directory (Azure AD) tenant that has the contoso.onmicrosoft.com domain name.

You have a domain name of contoso.com registered at a third-party registrar.

You need to ensure that you can create Azure AD users that have names containing a suffix of @contoso.com.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.

Select and Place:

Correct Answer:

1. Add the custom domain name to your directory

2. Add a DNS entry for the domain name at the domain name registrar

3. Verify the custom domain name in Azure AD

Reference:

https://docs.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain

Manage Azure identities and governance

 
fene
Highly Voted 
1 month, 3 weeks ago
As I'm a smart guy I can confirm this to be the proper answer
upvoted 19 times

 
Iroshan4
Highly Voted 
1 month, 1 week ago
Answer is correct. But the source is wrong.

Here is the correct docs link.

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain
upvoted 9 times

 
Cippunk
Most Recent 
1 month ago
The question should specify if by "Add a record to the public contoso.com DNS zone" it means adding the text record to the domain registrar's
DNS zone. All that is needed is:

- Add a custom domain

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 117/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

- Create the Txt record (including hostname @, text value and TTL set to 3600 seconds) to DNS record on domain registrar.

- Verify the domain.

Having an Azure Public DNS zone is not required. Just tested this.
upvoted 4 times

 
azlab1win
1 week, 1 day ago
Agree with this statement!
upvoted 1 times

 
raulgar
1 month, 1 week ago
The internal domain name is contoso.onmicrosoft.com, the external dns is contoso.com, so the first it would be add a custom name, could be?
upvoted 2 times

 
raulgar
1 month, 2 weeks ago
I'm not sure, but with external dns you must have a custom name (contoso.onmicrosoft.com isn't), so the first is create a custom name, later add
the record and verify.I haven't test it
upvoted 1 times

 
crescha
1 month, 1 week ago
Custom domain already exists. Then you need to create DNS zone, add record and verify
upvoted 4 times

 
Cepul
1 month, 2 weeks ago
If looking at this reference: https://docs.microsoft.com/en-us/azure/dns/dns-getstarted-portal

The answer is :

Create an Azure DNS zone

Add a record to the public contoso.com DNS zone

Verify the domain

upvoted 7 times

 
bacana
1 month, 3 weeks ago
Correct.
upvoted 2 times

 
Devgela
1 month, 3 weeks ago
Create an Azure DNS zone

Add a record to the public contoso.com DNS zone

Verify the domain

My Choice
upvoted 6 times

 
jecah
1 month, 2 weeks ago
Create a DNS zone in Azure DNS, and delegate the zone in your registrar to Azure DNS. It is a prerequisite and should be the first step.

So I agree with you.

upvoted 3 times

 
mdyck
1 month, 2 weeks ago
Would the zone not already be created because they have the existing domain?
upvoted 2 times

Topic 2 - Question Set 2

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 118/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #1 Topic 2

You have an on-premises server that contains a folder named D:\Folder1.

You need to copy the contents of D:\Folder1 to the public container in an Azure Storage account named contosodata.

Which command should you run?

A.
https://contosodata.blob.core.windows.net/public

B.
azcopy sync D:\folder1 https://contosodata.blob.core.windows.net/public --snapshot

C.
azcopy copy D:\folder1 https://contosodata.blob.core.windows.net/public --recursive

D.
az storage blob copy start-batch D:\Folder1 https://contosodata.blob.core.windows.net/public

Correct Answer:
C

The azcopy copy command copies a directory (and all of the files in that directory) to a blob container. The result is a directory in the container
by the same name.

Incorrect Answers:

B: The azcopy sync command replicates the source location to the destination location. However, the file is skipped if the last modified time in
the destination is more recent.

D: The az storage blob copy start-batch command copies multiple blobs to a blob container.

Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-blobs https://docs.microsoft.com/en-
us/azure/storage/common/storage-ref-azcopy-copy

 
naveener
Highly Voted 
11 months, 2 weeks ago
copies a directory (and all of the files in that directory) to a blob container:-

azcopy copy 'C:\myDirectory' 'https://mystorageaccount.blob.core.windows.net/mycontainer' --recursive

To copy to a directory within the container :-

azcopy copy 'C:\myDirectory' 'https://mystorageaccount.blob.core.windows.net/mycontainer/myBlobDirectory' --recursive

upvoted 26 times

 
MikeHugeNerd
Highly Voted 
10 months, 1 week ago
In Exam August 17th
upvoted 10 times

 
mkoprivnj
Most Recent 
1 week, 5 days ago
Recursive!
upvoted 1 times

 
mlantonis
1 month, 1 week ago
Correct Answer: C

A: URL of the Storage Account.

B: The azcopy sync command replicates the source location to the destination location. However, the file is skipped if the last modified time in the
destination is more recent.

C: The azcopy copy command copies a directory (and all the files in that directory) to a blob container. The result is a directory in the container by
the same name.

D: The az storage blob copy start-batch command copies multiple blobs to a blob container.

Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-blobs

https://docs.microsoft.com/en-us/azure/storage/common/storage-ref-azcopy-copy
upvoted 5 times

 
mg
3 months, 1 week ago
Answer is correct

AzCopy recursive
upvoted 4 times

 
ZUMY
3 months, 2 weeks ago
C is correct
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 119/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
Wizard69
3 months, 2 weeks ago
Answer is correct.

az copy with --recursive

upvoted 2 times

 
toniiv
4 months, 1 week ago
C. is correct. Last command (az storage blob copy) is used only to copy blobs to a blob container. Azcopy should be used with the copy flag.
upvoted 2 times

 
fedztedz
6 months, 1 week ago
Answer is correct. "C"

Azcopy copy --recursive.

upvoted 6 times

 
Borbz
6 months, 1 week ago
Answer is correct!
upvoted 2 times

 
KarthikExams
8 months, 1 week ago
copy with recursive
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 120/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #2 Topic 2

You have an Azure subscription named Subscription1 that contains the storage accounts shown in the following table:

You plan to use the Azure Import/Export service to export data from Subscription1.
You need to identify which storage account can be used to export the data.

What should you identify?

A.
storage1

B.
storage2

C.
storage3

D.
storage4

Correct Answer:
D

Azure Import/Export service supports the following of storage accounts:

✑ Standard General Purpose v2 storage accounts (recommended for most scenarios)

✑ Blob Storage accounts

✑ General Purpose v1 storage accounts (both Classic or Azure Resource Manager deployments),

Azure Import/Export service supports the following storage types:

✑ Import supports Azure Blob storage and Azure File storage

✑ Export supports Azure Blob storage

Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-requirements

 
mlantonis
Highly Voted 
1 month, 1 week ago
Correct Answer: D

Azure Import/Export service supports the following of storage accounts:

✑ Standard General Purpose v2 storage accounts (recommended for most scenarios)

✑ Blob Storage accounts

✑ General Purpose v1 storage accounts (both Classic or Azure Resource Manager deployments),

Azure Import/Export service supports the following storage types:

✑ Import supports Azure Blob storage and Azure File storage

✑ Export supports Azure Blob storage. Azure Files not supported.

Only storage4 can be exported.

Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-requirements
upvoted 9 times

 
nfett
Highly Voted 
1 month, 3 weeks ago
From the provided link. I assume since they table in the question notes "Storage" its being disregarded as an invalid option. Thus the answer blob
appears to be correct.

Standard General Purpose v2 storage accounts (recommended for most scenarios)

Blob Storage accounts

upvoted 8 times

 
mkoprivnj
Most Recent 
1 week, 5 days ago
Blob is correct. #4
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 121/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #3 Topic 2

HOTSPOT -

You have Azure Storage accounts as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: storageaccount1 and storageaccount2 only

Box 2: All the storage accounts -

Note: The three different storage account options are: General-purpose v2 (GPv2) accounts, General-purpose v1 (GPv1) accounts, and Blob
storage accounts.

✑ General-purpose v2 (GPv2) accounts are storage accounts that support all of the latest features for blobs, files, queues, and tables.

✑ Blob storage accounts support all the same block blob features as GPv2, but are limited to supporting only block blobs.

✑ General-purpose v1 (GPv1) accounts provide access to all Azure Storage services, but may not have the latest features or the lowest per

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 122/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

gigabyte pricing.

Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-account-options

 
fedztedz
Highly Voted 
6 months, 1 week ago
Answer is correct.

- Storage account 1 & 2

- All storage accounts.

upvoted 28 times

 
JayBee65
2 weeks, 3 days ago
Why do you say that?
upvoted 1 times

 
Ikrom
Highly Voted 
6 months, 1 week ago
For the Box1: Storage1 and Storage2 because:

*** Storage1:

- General-purpose v1 accounts: Legacy account type for blobs, files, queues, and tables. Use general-purpose v2 accounts instead when possible.

*** Storage2:

- General-purpose v2 accounts: Basic storage account type for blobs, files, queues, and tables. Recommended for most scenarios using Azure
Storage.
upvoted 6 times

 
joydeep1
Most Recent 
1 week, 1 day ago
Exam - Asked today
upvoted 6 times

 
mkoprivnj
1 week, 5 days ago
Answer is correct.

- Storage account 1 & 2

- All storage accounts.

upvoted 3 times

 
JayBee65
2 weeks, 3 days ago
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview shows

Standard general-purpose v2 Blob (including Data Lake Storage1), Queue, and Table storage, Azure Files

Standard general-purpose v1 Blob, Queue, and Table storage, Azure Files

Standard Blob storage Blob storage (block blobs and append blobs only)

So 1 and 2
upvoted 1 times

 
modiallo
1 month ago
Box 1: storageaccount1 and storageaccount2 only

Box 2: All the storage accounts

upvoted 2 times

 
JayBee65
2 weeks, 3 days ago
Why do you say that?
upvoted 2 times

 
mlantonis
1 month, 1 week ago
Correct Answer:

Box 1: storageaccount1 and storageaccount2 only

Box 2: All the storage accounts

upvoted 3 times

 
JayBee65
2 weeks, 3 days ago
Why do you say that?
upvoted 1 times

 
mg
3 months, 1 week ago
answers are correct
upvoted 2 times

 
ZUMY
3 months, 3 weeks ago
Answer given is correct!
upvoted 2 times

 
toniiv
4 months, 1 week ago
Both answers are correct
upvoted 3 times

 
waterzhong
4 months, 2 weeks ago
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 123/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

General-purpose v2 accounts: Basic storage account type for blobs, files, queues, and tables. Recommended for most scenarios using Azure
Storage.

General-purpose v1 accounts: Legacy account type for blobs, files, queues, and tables. Use general-purpose v2 accounts instead when possible.
upvoted 2 times

 
waterzhong
6 months, 1 week ago
✑ General-purpose v2 (GPv2) accounts are storage accounts that support all of the latest features for blobs, files, queues, and tables.

✑ General-purpose v1 (GPv1) accounts provide access to all Azure Storage services, but may not have the latest features or the lowest per
gigabyte pricing.
upvoted 1 times

 
JustMe84
6 months, 2 weeks ago
Test today (12/10/2020), Passed, kept the same answers for this question in exam
upvoted 3 times

 
Raakezz
6 months, 2 weeks ago
Cum 12/05/2020
upvoted 2 times

 
moooosi
5 months, 1 week ago
Silence
upvoted 31 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 124/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #4 Topic 2

You have Azure subscription that includes data in following locations:

You plan to export data by using Azure import/export job named Export1.

You need to identify the data that can be exported by using Export1.

Which data should you identify?

A.
DB1

B.
container1

C.
Share1

D.
Table1

Correct Answer:
B

 
Anon6969
Highly Voted 
6 months, 2 weeks ago
Blobs are only type of storage which can be exported.
upvoted 32 times

 
fedztedz
Highly Voted 
6 months, 1 week ago
Answer is correct. B - Blob Container.

For Azure file share, it is tricky as it is mentioned Azure Files can be used for export and import. But I tested especially with file share and it doesn't
work. Maybe work for storage account with type file or something. but not Azure file shares.
upvoted 22 times

 
mkoprivnj
Most Recent 
1 week, 5 days ago
Container!
upvoted 1 times

 
modiallo
1 month ago
Blobs are only type of storage which can be exported using Azure Import/Export
upvoted 3 times

 
ShehuUsman
1 month ago
File share supports only import but not export. While blob supports import and export. So answer is correct
upvoted 1 times

 
mlantonis
1 month, 1 week ago
Correct Answer: B

Azure Import/Export service supports the following of storage accounts:

✑ Standard General Purpose v2 storage accounts (recommended for most scenarios)

✑ Blob Storage accounts

✑ General Purpose v1 storage accounts (both Classic or Azure Resource Manager deployments),

Azure Import/Export service supports the following storage types:

✑ Import supports Azure Blob storage and Azure File storage

✑ Export supports Azure Blob storage. Azure Files not supported.

Only container1 can be exported.

Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-requirements
upvoted 6 times

 
bacana
3 months ago
"Each app uses a managed identity" it not say what identity is using.
upvoted 1 times

 
marvinconejo
3 months, 1 week ago
The response Is B
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 125/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
mg
3 months, 1 week ago
Answer is correct.

Blob container
upvoted 1 times

 
examhater
3 months, 2 weeks ago
get rid of these false answers, this stuff is unreadable.
upvoted 3 times

 
Wizard69
3 months, 2 weeks ago
Answer is B - Container 1. You can only EXPORT blobs
upvoted 2 times

 
Twigs
3 months, 3 weeks ago
B

https://docs.microsoft.com/en-us/azure/import-export/storage-import-export-service#inside-an-export-
job:~:text=The%20service%20only%20supports%20export%20of%20Azure%20Blobs.%20Export%20of%20Azure%20files%20is%20not%20supporte
d.
upvoted 1 times

 
ZUMY
3 months, 3 weeks ago
B is correct!

Only Blob type data/Container supported Export/import for now

upvoted 1 times

 
Evette
4 months ago
B is correct
upvoted 2 times

 
toniiv
4 months, 1 week ago
B. container1 is correct (only Blob storage supports data export)
upvoted 2 times

 
mikl
4 months, 2 weeks ago
B is correct.

Source : https://docs.microsoft.com/en-us/azure/import-export/storage-import-export-requirements#supported-storage-types

The following list of storage types is supported with Azure Import/Export service.

Export Azure Blob storage

upvoted 2 times

 
psscloud
5 months, 1 week ago
The correct is B. Container 1 - see: https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-requirements#supported-
storage-types
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 126/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #5 Topic 2

HOTSPOT -

You have an Azure Storage account named storage1.

You have an Azure Service app named App1 and an app named App2 that runs in an Azure container instance. Each app uses a managed identity.

You need to ensure that App1 and App2 can read blobs from storage1. The solution must meet the following requirements:

✑ Minimize the number of secrets used.

✑ Ensure that App2 can only read from storage1 for the next 30 days.

What should you configure in storage1 for each app? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

App1: Access keys -

App2: Shared access signature (SAS)

A shared access signature (SAS) provides secure delegated access to resources in your storage account without compromising the security of
your data. With a

SAS, you have granular control over how a client can access your data. You can control what resources the client may access, what permissions
they have on those resources, and how long the SAS is valid, among other parameters.

Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview

 
Andersonalm
Highly Voted 
6 months, 2 weeks ago
I think App1 should access storage1 over IAM with managed identity. The requirement is minimize the number of secrets used...
upvoted 67 times

 
Tranquillo1811
2 weeks, 6 days ago
If you use IAM then for each access request a new token is requested by the service account. Hence for each access request a new token (a new
secret) is used.

if you use the access keys though, it is always the very same secret is used.

Hence I'd say that "Access Keys" is the correct choice for App1...
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 127/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
RamanAgarwal
2 weeks, 5 days ago
You can use managed identity to access storage so this way you dont have to create a token anytime you want to access the storage
account.
upvoted 1 times

 
diligent176
6 months ago
Yes, and especially since they say "apps can read blobs from storage1"...

So, IAM is supported in that case and requires no secrets to keep.

App1 = IAM / RBAC and App2 = SAS

https://docs.microsoft.com/en-us/azure/storage/common/storage-auth
upvoted 13 times

 
prashantjoge
6 months, 1 week ago
That's what I thought too
upvoted 3 times

 
Abhi92
6 months, 2 weeks ago
Yes Correct
upvoted 3 times

 
pieronegri
6 months, 1 week ago
that was my thought as well.
upvoted 3 times

 
fedztedz
Highly Voted 
6 months, 1 week ago
Answer is Correct.

- App1 --> Access Keys

- App2 --> SAS.

By default storage accounts has 2 Access keys. so, basically we will use one of them.

for App2, to limit the usage and maintain expiration of 30 days, we will use SAS.

Check https://docs.microsoft.com/en-us/learn/modules/connect-an-app-to-azure-storage/7-connect-to-your-azure-storage-account?source=learn
upvoted 16 times

 
sidharthwader
1 month, 3 weeks ago
Access key is a very bad option tbh. If it gets leaked the person who has it has very high permissions. I have read that we should try not to use
access keys better to use Sas than access keys. In first case it should be IAM and 2nd is SAS cause we can restrict the SAS key access and revoke
it after 30days
upvoted 2 times

 
jantoniocesargatica
1 month, 3 weeks ago
IAM. Access Keys is not due to this explanation:

Access keys provide unrestricted access to the storage resources, which is not the requirement of the escenario. You need Read access, not full
access.
upvoted 1 times

 
diligent176
6 months ago
Wrong. Access key is a super-secret, all powerful on the storage account.

Managed Identity can use RBAC to grant access, with ZERO secrets needed (App1).

App2 is SAS because of the 30 days limit.

upvoted 12 times

 
diligent176
6 months ago
There is one possibility where Access Key may be required over RBAC. Not all the storage types support RBAC (like Azure Tables in the
storage account).

So for a complete answer the question needs to specify which type of storage is used in the storage account... See:

https://docs.microsoft.com/en-us/azure/storage/common/storage-auth
upvoted 2 times

 
solarwinds123
5 months, 4 weeks ago
You are correct, but please see this line in the question text:

"You need to ensure that App1 and App2 can read blobs from storage1"

It mentions blobs specifically, which is compatible with AAD authentication. Therefore the correct answer is IAM for App1, and SAS for
App2
upvoted 27 times

 
Delanase
Most Recent 
4 days, 18 hours ago
app1-IAM
upvoted 1 times

 
Delanase
4 days, 18 hours ago
app1>>IAM
upvoted 1 times

 
mkoprivnj
1 week, 5 days ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 128/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

IAM + SAS!
upvoted 2 times

 
Gautam123
1 week, 6 days ago
IAM and SAS
upvoted 1 times

 
modiallo
1 month ago
For me

IAM/ RBAC - Due to minimize secrete keys

SAS - SAS Token only can define expiration

upvoted 2 times

 
Faizan2991
1 month ago
IAM and SAS
upvoted 1 times

 
mlantonis
1 month, 1 week ago
Correct Answer:

Box 1: Access Control (IAM)

Since the App1 uses Managed Identity, App1 can access the Storage Account via IAM. As per requirement, we need to minimize the number of
secrets used, so Access keys is not ideal.

Box 2: Shared access signatures (SAS)

We need temp access for App2, so we need to use SAS.

Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-auth
upvoted 4 times

 
umradhuma
1 month, 1 week ago
IAM for app1 seems correct.
upvoted 1 times

 
besha
2 months, 2 weeks ago
since the app 1 uses managed identity, App1 is able to access the SA via IAM

We need temp access for app2, so we need to use SAS

Correct answer should be:

App1 : IAM

App2: SAS
upvoted 6 times

 
ms70743
3 months, 1 week ago
App1 uses AIM

App2 uses SAS

upvoted 5 times

 
ms70743
3 months, 1 week ago
App1 should be IAM
upvoted 3 times

 
mg
3 months, 1 week ago
I will go with

1 - IAM/ RBAC - due to minimize secrete keys

2 - SAS - to limit the access period

upvoted 7 times

 
vraviranjan
3 months, 2 weeks ago
You can't use SAS without access keys, so anyways you will need access keys, so we are not minimizing secrets by using IAM, with this reasoning I
will go for Access Keys for App1 and SAS for App2
upvoted 3 times

 
Wizard69
3 months, 2 weeks ago
App1 has a managed identity which is granted access to the storage account with a role. App1 uses AIM and App2 uses SAS.
upvoted 1 times

 
Wizard69
3 months, 2 weeks ago
Sorry, IAM :)
upvoted 1 times

 
ZUMY
3 months, 3 weeks ago
I Think

01. IAM/ RBAC - Due to minimize secrete keys

02. SAS - SAS Token only can define expiration

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 129/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 5 times

 
Laurent_Byanjira
3 months, 4 weeks ago
App1 should be IAM, Le link from MS: Once a Managed Application is granted an identity, it can be granted access to existing Azure resources. This
process can be done through the Access control (IAM) interface in the Azure portal. The name of the Managed Application or user-assigned
identity can be searched to add a role assignment.

https://docs.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/publish-managed-identity#granting-access-to-azure-
resources
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 130/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #6 Topic 2

HOTSPOT -

You need to create an Azure Storage account that meets the following requirements:

✑ Minimizes costs

✑ Supports hot, cool, and archive blob tiers

✑ Provides fault tolerance if a disaster affects the Azure region where the account resides

How should you complete the command? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: StorageV2 -

You may only tier your object storage data to hot, cool, or archive in Blob storage and General Purpose v2 (GPv2) accounts. General Purpose v1
(GPv1) accounts do not support tiering.

General-purpose v2 accounts deliver the lowest per-gigabyte capacity prices for Azure Storage, as well as industry-competitive transaction
prices.

Box 2: Standard_GRS -

Geo-redundant storage (GRS): Cross-regional replication to protect against region-wide unavailability.

Incorrect Answers:

Locally-redundant storage (LRS): A simple, low-cost replication strategy. Data is replicated within a single storage scale unit.

Read-access geo-redundant storage (RA-GRS): Cross-regional replication with read access to the replica. RA-GRS provides read-only access to
the data in the secondary location, in addition to geo-replication across two regions, but is more expensive compared to GRS.

Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-grs https://docs.microsoft.com/en-
us/azure/storage/blobs/storage-blob-storage-tiers

 
ihavespoken
Highly Voted 
6 months, 3 weeks ago
Keep in mind the question is mentioning the minimize cost, even though Storage v2 and blob both can support the hot, cool, and archive but
Storage V2 is lowest cost. so answer is correct.
upvoted 28 times

 
sidharthwader
1 month, 3 weeks ago
Yes GPv2 gives the storage in least price with latest features.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 131/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
JayBee65
2 weeks, 3 days ago
This calculator shows the same price for Storage v2 as Blob Storage: https://azure.microsoft.com/en-gb/pricing/calculator/?service=storage
upvoted 1 times

 
Aniruddha_dravyakar
4 months ago
agreed
upvoted 1 times

 
jelly_baby
6 months, 2 weeks ago
agreed
upvoted 2 times

 
fedztedz
Highly Voted 
6 months, 1 week ago
Answer is correct.

- GPv2

- GRS
upvoted 10 times

 
mkoprivnj
Most Recent 
1 week, 5 days ago
StorageV2 + GRS
upvoted 1 times

 
mlantonis
1 month, 1 week ago
Correct Answer:

Box 1: StorageV2

Box 2: Standard_GRS

Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-grs

https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers
upvoted 2 times

 
saddamakhtar
1 month, 3 weeks ago
Answer given is correct!
upvoted 1 times

 
StefanDoh
2 months, 1 week ago
Answer is correct.
upvoted 1 times

 
mg
3 months, 1 week ago
Answer is correct.
upvoted 2 times

 
ZUMY
3 months, 2 weeks ago
Keep in mind the question is mentioning the minimize cost, even though Storage v2 and blob both can support the hot, cool, and archive but
Storage V2 is lowest cost. so answer is correct
upvoted 5 times

 
ZUMY
3 months, 3 weeks ago
Answer given is correct!
upvoted 3 times

 
toniiv
4 months, 1 week ago
Both answers are perfectly correct.
upvoted 3 times

 
waterzhong
4 months, 2 weeks ago
Azure storage offers different access tiers, allowing you to store blob object data in the most cost-effective manner. Available access tiers include:

Hot - Optimized for storing data that is accessed frequently.

Cool - Optimized for storing data that is infrequently accessed and stored for at least 30 days.

Archive - Optimized for storing data that is rarely accessed and stored for at least 180 days with flexible latency requirements, on the order of
hours.
upvoted 1 times

 
JamalB
5 months, 3 weeks ago
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers?tabs=azure-portal

"FAQ

Should I use Blob Storage or GPv2 accounts if I want to tier my data?

We recommend you use GPv2 instead of Blob Storage accounts for tiering. GPv2 support all the features that Blob Storage accounts support plus a
lot more. Pricing between Blob Storage and GPv2 is almost identical, but some new features and price cuts will only be available on GPv2 accounts.
GPv1 accounts don't support tiering."

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 132/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 5 times

 
JayBee65
2 weeks, 3 days ago
... but some new features and price cuts will only be available on GPv2 accounts...

Finally something that suggest pricing could be lower for StorageV2 :)

upvoted 1 times

 
waterzhong
6 months, 1 week ago
Storage accounts that support tiering

Object storage data tiering between hot, cool, and archive is only supported in Blob Storage and General Purpose v2 (GPv2) accounts. General
Purpose v1 (GPv1) accounts don't support tiering.
upvoted 1 times

 
JustMe84
6 months, 2 weeks ago
Test today (12/10/2020), Passed, kept the same answers for this question, in exam
upvoted 4 times

 
Raakezz
6 months, 2 weeks ago
Cum 12/05/2020
upvoted 2 times

 
Nicodebian
6 months, 3 weeks ago
Seems that you can use Blob Storage or GPV2 but Microsoft recommends GPV2, so the solution seems to be valid
upvoted 2 times

 
codingsam
2 months, 4 weeks ago
the reason is blobstorage is for legacy blobs and GPV2 is recommended over it for blobs
upvoted 1 times

 
Leandroalonso
6 months, 3 weeks ago
From the same link tha is on the solution:

https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers?tabs=azure-portal#storage-accounts-that-support-tiering

"Storage accounts that support tiering"

Object storage data tiering between hot, cool, and archive is only supported in Blob Storage and General Purpose v2 (GPv2) accounts.

Just see what happens on the "Advanced" blade after selecting Standard, BlobStorage and GRS.

Whats doesnt support tier is BlockBlobStorage.

upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 133/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #7 Topic 2

You have an Azure subscription that contains the resources in the following table.

Store1 contains a file share named data. Data contains 5,000 files.

You need to synchronize the files in the file share named data to an on-premises server named Server1.

Which three actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A.
Create a container instance

B.
Register Server1

C.
Install the Azure File Sync agent on Server1

D.
Download an automation script

E.
Create a sync group

Correct Answer:
BCE
Step 1 (C): Install the Azure File Sync agent on Server1

The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share

Step 2 (B): Register Server1.

Register Windows Server with Storage Sync Service

Registering your Windows Server with a Storage Sync Service establishes a trust relationship between your server (or cluster) and the Storage
Sync Service.

Step 3 (E): Create a sync group and a cloud endpoint.

Reference:

https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide

 
WYLC
Highly Voted 
6 months, 3 weeks ago
that's correct!
upvoted 18 times

 
mlantonis
Highly Voted 
1 month, 1 week ago
Correct Answer: B, C and E

Step 1: Install the Azure File Sync agent on Server1. The Azure File Sync agent is a downloadable package that enables Windows Server to be
synced with an Azure file share.

Step 2: Register Server1. Register Windows Server with Storage Sync Service. Registering your Windows Server with a Storage Sync Service
establishes a trust relationship between your server and the Storage Sync Service.

Step 3: Create a sync group and a cloud endpoint. A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept
in sync with each other. A sync group must contain one cloud, which represents an Azure file share and one or more server endpoints. A server
endpoint represents a path on registered server.

Reference:

https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide
upvoted 5 times

 
mkoprivnj
Most Recent 
1 week, 5 days ago
BCE is correct!
upvoted 2 times

 
modiallo
1 month ago
Correct
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 134/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
nfett
1 month, 3 weeks ago
verified answer is correct from the provided link.
upvoted 3 times

 
saddamakhtar
1 month, 3 weeks ago
Answer Correct!
upvoted 2 times

 
mg
3 months, 1 week ago
Answer sequence should be CBE

Step 1: Install the Azure File Sync agent on Server1. The Azure File Sync agent is a downloadable package that enables Windows Server to be
synced with an Azure file share.

Step 3: Create a sync group and a cloud endpoint. A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept
in sync with each other. A sync group must contain one cloud , which represents an Azure file share and one or more server endpoints. A server
endpoint represents a path on registered server.
upvoted 3 times

 
ZUMY
3 months, 3 weeks ago
Answer given is correct!
upvoted 2 times

 
toniiv
4 months, 1 week ago
C. B. E. Should be the correct sequence.
upvoted 2 times

 
mikl
4 months, 1 week ago
Agree!
upvoted 1 times

 
mag1300
4 months, 2 weeks ago
CBE IS correct.
upvoted 3 times

 
fedztedz
6 months, 1 week ago
Answer is correct
upvoted 3 times

 
Raakezz
6 months, 2 weeks ago
Cum 12/05/2020
upvoted 1 times

 
Glorious3000
5 months, 3 weeks ago
stop corrupting the discussion section bro. Have some moral etiquettes. You cannot get each and every question on 12/05/2020.
upvoted 16 times

 
TheOne1
4 months, 3 weeks ago
You didn't realize it's a bot....
upvoted 5 times

 
Malec
6 months, 3 weeks ago
correct
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 135/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #8 Topic 2

HOTSPOT -

You have an Azure subscription that contains the resources shown in the following table.

The status of VM1 is Running.

You assign an Azure policy as shown in the exhibit. (Click the Exhibit tab.)

You assign the policy by using the following parameters:

Microsoft.ClassicNetwork/virtualNetworks

Microsoft.Network/virtualNetworks

Microsoft.Compute/virtualMachines

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 136/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

 
bogdan89
Highly Voted 
6 months, 3 weeks ago
Y-N-N tested today in a LAB.
upvoted 72 times

 
Diego19
6 months, 1 week ago
Y-N-N is right. I have also tested it in LAB.
upvoted 12 times

 
prashantjoge
6 months, 1 week ago
How can the first be yes... Does not make sense
upvoted 5 times

 
Jovial
5 months, 1 week ago
at least try in azure before speaking nonsense
upvoted 9 times

 
JayBee65
2 weeks, 3 days ago
Maybe explain if you understand why, as it does sound illogical,
upvoted 2 times

 
idlir
Highly Voted 
6 months, 3 weeks ago
N-N-N

Policy will identify the VM as not compliant but will not put VM in deallocate
upvoted 37 times

 
prashantjoge
6 months, 1 week ago
I agree. Existing non-compliant resources can be remediated with a remediation task. But no action is taken against them other than to mark
them as non-compliant
upvoted 3 times

 
Somewhatbusy
5 months, 3 weeks ago
This is wrong. It is YNN. Moving VNET1 to RG is allowed. I've tested in my tenant.
upvoted 8 times

 
Anon6969
6 months, 2 weeks ago
This makes the most sense. Only one I am not sure on is how the policy would modify the change to the address space?
upvoted 3 times

 
CloudyTech
Most Recent 
1 day, 19 hours ago
Cannot Move VNET1 to RG2, got error in lab

Answer: N N N

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 137/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 3 times

 
Suvoa
5 days, 22 hours ago
N-N-N I confirmed in my lab today (18/06/2021)
upvoted 4 times

 
Thard_Vaner
6 days, 17 hours ago
Confirmed in an AZURE LIVE environment today, 17/06/2021:

a) No - When moving VNET1 I received a validation error that the move was disallowed by policy

b) No - The VM is still in a running state, even after the policy took effect

c) No - Once the policy took effect, I received an error that modification of the address space was blocked by policy
upvoted 8 times

 
azlab1win
1 week ago
N-N-N i confirmed in my LAB
upvoted 3 times

 
nikitaniks
1 week, 4 days ago
The answers are No-Yes-Yes. Tested in LAB. I don't know for the first one how some people are saying yes I got an error saying disallowed-by-the-
policy
upvoted 1 times

 
mkoprivnj
1 week, 5 days ago
Y, N, N!
upvoted 2 times

 
zinoxx90
2 weeks, 2 days ago
N, N, N - Just tested in a lab. Not sure what other people are testing tbh.

1) When I try to move it: Resource 'VNET1' was disallowed by policy. (Code: RequestDisallowedByPolicy)

2) VM not compliant but still running.

3) No ofc.
upvoted 4 times

 
SNVVK
2 weeks, 4 days ago
No, No, No

1. The resource type Microsoft.Network/virtualNetworks is notAllowed. So, we can transfer/create a vNet in RG2

2. The new policy assignment won't change the status of existing VM in RG2. Instead it will mark the compliance state as Non-compliant.

3. You cannot change the existing vNet's address space in RG2 since it was protected by disallowed policy.
upvoted 1 times

 
SNVVK
2 weeks, 4 days ago
typo mistake in 1st step. we cannot*
upvoted 2 times

 
RamanAgarwal
2 weeks, 5 days ago
Tested this in Lab. Yes-No-Yes
upvoted 3 times

 
Tranquillo1811
2 weeks, 6 days ago
I think this is why the first statement is actually TRUE:

There are several evualation triggers for Azure Policies (https://docs.microsoft.com/en-us/azure/governance/policy/how-to/get-compliance-

data#on-demand-evaluation-scan---azure-powershell).

One of them is when a resource is updated within a scope with an policy assignment.

However, since the VNET itself will not be changed in any way (the resource group is actually no attribute of the resource) when MOVNG it, the
policy is not re-evaluated and hence the VNET can be moved to RG2 and will then later be marked as non-compliant at the next Standard
compliance evaluation cycle which occurs once every 24 hours.
upvoted 3 times

 
yfee
3 weeks, 5 days ago
NO NO YES is the correct answer please

E:\Folder2 can not be added as endpoint for group 1 because "A registered server can support multiple server endpoints, however a sync group
can only have one server endpoint per registered server at any given time. Other server endpoints within the sync group must be on different
registered servers."

https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-deployment-guide?tabs=azure-portal%2Cproactive-portal
upvoted 2 times

 
JayBee65
2 weeks, 3 days ago
Wrong Q :)
upvoted 2 times

 
MDC70
4 weeks ago
Answer is N-N-N

Tested this in my tenant. For question 1, I got the following error - "Resource 'VNET1' was disallowed by policy. Reasons: 'Resource is non
compliant'." The move failed. VM1 remained running and wasn't deallocated after the policy was implemented, and remained running more than
24 hours later.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 138/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 2 times

 
Julie444
1 month ago
Yes,No,No

1. You can move existing resources to the resource group. The policy is applied only while creating or updating a resource.

2. The state of existing resources will not change, The VM will be identified as non-compliant.

3. You cannot update the existing resources since policy will restrict the update or create operations.
upvoted 2 times

 
Udoyen
1 month ago
It would be nice to know why we are able to move the vnet1 to rg2 even with the policy in place!
upvoted 1 times

 
samratmahe
1 month ago
Tested today (22-May-2021) in lab portal and here is correct answers

Pre-req: Set the policy in RG2 as mentioned in question

Y (system allowed to move VNET1 from RG1 to RG2)

Y (system allowed to STOP (Dellocated) the VM2 which was hosted in RG2)

N (system didnt allow to modify the address space but its allowing to modify the subnets) - Getting below error while modifying the "address
space"

Error Message:

Failed to save address space changes to virtual network 'RG2_VNET2'. Error: Resource 'RG2_VNET2' was disallowed by policy. Policy identifiers:
'[{"policyAssignment":{"name":"Not allowed resource types","id":"/subscriptions/xxx-xxx-
xxx/resourceGroups/RG2/providers/Microsoft.Authorization/policyAssignments/xxxxxx"},"policyDefinition":{"name":"Not allowed resource
types","id":"/providers/Microsoft.Authorization/policyDefinitions/xxxxxx"}}]'.
upvoted 2 times

 
Kiano
1 month ago
Thank you for testing this. Although the results are very different that one could expect.
upvoted 1 times

 
Kronnos
1 month ago
It is Y N N you need to read the question! It Say "The state of VM1 changed to deallocated" that dose not mean you are allowed yes or no it
mean when the policy get applied then the status are changing. In this case it means NO
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 139/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #9 Topic 2

DRAG DROP -

You have an Azure subscription that contains a storage account.

You have an on-premises server named Server1 that runs Windows Server 2016. Server1 has 2 TB of data.

You need to transfer the data to the storage account by using the Azure Import/Export service.

In which order should you perform the actions? To answer, move all actions from the list of actions to the answer area and arrange them in the
correct order.

NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.

Select and Place:

Correct Answer:

At a high level, an import job involves the following steps:

Step 1: Attach an external disk to Server1 and then run waimportexport.exe

Determine data to be imported, number of drives you need, destination blob location for your data in Azure storage.

Use the WAImportExport tool to copy data to disk drives. Encrypt the disk drives with BitLocker.

Step 2: From the Azure portal, create an import job.

Create an import job in your target storage account in Azure portal. Upload the drive journal files.

Step 3: Detach the external disks from Server1 and ship the disks to an Azure data center.

Provide the return address and carrier account number for shipping the drives back to you.

Ship the disk drives to the shipping address provided during job creation.

Step 4: From the Azure portal, update the import job

Update the delivery tracking number in the import job details and submit the import job.

The drives are received and processed at the Azure data center.

The drives are shipped using your carrier account to the return address provided in the import job.

Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-service

 
mg
Highly Voted 
3 months, 1 week ago
Answer is correct

Step 1: Attach an external disk to Server1 and then run waimportexport.exe

Determine data to be imported, number of drives you need, destination blob location for your data in Azure storage.

Use the WAImportExport tool to copy data to disk drives. Encrypt the disk drives with BitLocker.

Step 2: From the Azure portal, create an import job.

Create an import job in your target storage account in Azure portal. Upload the drive journal files.

Step 3: Detach the external disks from Server1 and ship the disks to an Azure data center.

Provide the return address and carrier account number for shipping the drives back to you.

Ship the disk drives to the shipping address provided during job creation.

Step 4: From the Azure portal, update the import job

Update the delivery tracking number in the import job details and submit the import job.
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 140/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 10 times

 
mkoprivnj
Most Recent 
1 week, 5 days ago
1. attach disk

2. create import job

3.detach disk

4. update import job

upvoted 2 times

 
Tamilarasan
2 weeks, 3 days ago
Determine data to be imported, number of drives you need, destination blob location for your data in Azure storage.

Use the WAImportExport tool to copy data to disk drives. Encrypt the disk drives with BitLocker.

Create an import job in your target storage account in Azure portal. Upload the drive journal files.

Provide the return address and carrier account number for shipping the drives back to you.

Ship the disk drives to the shipping address provided during job creation.
upvoted 1 times

 
mlantonis
1 month, 1 week ago
Correct Answer:

Step 1: Prepare the drives (Attach an external disk to Server1 and then run waimportexport.exe)

Step 2: Create an import job (From the Azure portal, create an import job)

Step 3: Ship the drives to the Azure datacenter (Detach the external disks from Server1 and ship the disks to an Azure data center)

Step 4: Update the job with tracking information (From the Azure portal, update the import job)

Reference:

https://docs.microsoft.com/en-us/azure/import-export/storage-import-export-data-to-files?tabs=azure-portal

https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-service
upvoted 3 times

 
ZUMY
3 months, 2 weeks ago
Given answer is correct
upvoted 3 times

 
toniiv
4 months, 1 week ago
Answer is correct for the Import job sequence
upvoted 1 times

 
mikl
4 months, 2 weeks ago
Correct.

Step 1: Prepare the drives

Step 2: Create an import job

Step 3: Ship the drives to the Azure datacenter

Step 4: Update the job with tracking information

Source : https://docs.microsoft.com/en-us/azure/import-export/storage-import-export-data-to-files?tabs=azure-portal
upvoted 4 times

 
waterzhong
6 months, 1 week ago
Create an import job in your target storage account in Azure portal. Upload the drive journal files.
upvoted 2 times

 
JustMe84
6 months, 2 weeks ago
its correct. see link:

https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-data-to-files?tabs=azure-portal
upvoted 2 times

 
jelly_baby
6 months, 2 weeks ago
Correct
upvoted 2 times

 
ketan05
6 months, 3 weeks ago
Correct!

https://docs.microsoft.com/en-us/azure/storage/common/media/storage-import-export-service/importjob.png
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 141/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 142/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #10 Topic 2

HOTSPOT -

You have Azure subscription that includes following Azure file shares:

You have the following on-premises servers:

You create a Storage Sync Service named Sync1 and an Azure File Sync group named Group1. Group1 uses share1 as a cloud endpoint.

You register Server1 and Server2 in Sync1. You add D:\Folder1 on Server1 as a server endpoint of Group1.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: No -

Group1 already has a cloud endpoint named Share1.

A sync group must contain one cloud endpoint, which represents an Azure file share and one or more server endpoints.

Box 2: Yes -

Yes, one or more server endpoints can be added to the sync group.

Box 3: Yes -

Yes, one or more server endpoints can be added to the sync group.

Reference:

https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide

 
boink
Highly Voted 
6 months, 2 weeks ago
NO NO YES
upvoted 73 times

 
Ikrom
6 months, 1 week ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 143/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

That's correct (NO NO YES), because to add another server endpoint from the same server you need to have another sync group...

"Multiple server endpoints can exist on the same volume if their namespaces are not overlapping (for example, F:\sync1 and F:\sync2) and each
endpoint is syncing to a unique sync group."
upvoted 8 times

 
shnz03
1 week, 4 days ago
I agree because I had tested it and sync group does not allow me to add the same registered server again in the endpoint.
upvoted 1 times

 
gitsyn
6 months, 1 week ago
Answer is correct: NO YES YES

The documentation specifies the samve volume, not server. You can't have two server endpoints on the same volume in one sync group, but
in this question, the volumes are D: and E:, so then you can have two server endpoints.
upvoted 2 times

 
JayBee65
2 weeks, 3 days ago
"A registered server can support multiple server endpoints, however a sync group can only have one server endpoint per registered server
at any given time. Other server endpoints within the sync group must be on different registered servers." - https://docs.microsoft.com/en-
us/azure/storage/file-sync/file-sync-deployment-guide?tabs=azure-portal%2Cproactive-portal. This is very specifically about servers not
volumes, so No, No, Yes
upvoted 4 times

 
aaa112
6 months ago
But you cannot extend the existing endpoint, so you need to recreate it. Question is about adding Server 2 as an endpoint, but it is
already an endpoint. "Once you add a server as an endpoint, you can’t add it again."
upvoted 3 times

 
certW1z
5 months, 3 weeks ago
Lab tested ... NO NO YES is correct

confirmation of second que: https://docs.microsoft.com/en-us/answers/questions/110822/azure-file-sync-multiple-sync-directories-for-

same.html

"Azure File Sync does not support more than one server endpoint from the same server in the same sync group."
upvoted 21 times

 
jelly_baby
Highly Voted 
6 months, 2 weeks ago
NO YES YES

Agree with the given explanation, but the reason why the second answer is YES is because you can have multiple endpoints on a single server:

"Server endpoint: The path on the Windows Server that is being synced to an Azure file share. This can be a specific folder on a volume or the root
of the volume. Multiple server endpoints can exist on the same volume if their namespaces do not overlap."

https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-
planning#:~:text=Multiple%20server%20endpoints%20can%20exist,in%20sync%20with%20each%20other.
upvoted 16 times

 
JayBee65
2 weeks, 3 days ago
"A registered server can support multiple server endpoints, however a sync group can only have one server endpoint per registered server at
any given time. Other server endpoints within the sync group must be on different registered servers." - https://docs.microsoft.com/en-
us/azure/storage/file-sync/file-sync-deployment-guide?tabs=azure-portal%2Cproactive-portal.
upvoted 1 times

 
as7dfjasdf3
6 months, 1 week ago
True, but you cannot have two endpoints on one server in one sync group.
upvoted 8 times

 
CloudyTech
Most Recent 
1 day, 18 hours ago
100% Tested N N Y
upvoted 1 times

 
xoe123
6 days, 3 hours ago
N Y N

A server endpoint represents a specific location on a registered server, such as a folder on a server volume or the root of the volume. Multiple
server endpoints can exist on the same volume if their namespaces are not overlapping (for example, F:\sync1 and F:\sync2) and each endpoint is
syncing to a unique sync group. You can configure cloud tiering policies individually for each server endpoint. If you add a server location with an
existing set of files as a server endpoint to a sync group, those files will be merged with any other files already on other endpoints in the sync
group.

So a syn group can either have D:Folder1 or D:/Data.

upvoted 1 times

 
mkoprivnj
1 week, 5 days ago
NO NO YES
upvoted 2 times

 
Zyo
2 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 144/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Definitely No no yes

https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-deployment-guide?tabs=azure-portal%2Cproactive-portal

a sync group can only have one server endpoint per registered server at any given time.
upvoted 1 times

 
omhari
2 weeks, 3 days ago
NO - Only one cloud point

NO - You can not add one more server endpoint from the same server

YES - because it's server endpoint with different server name

upvoted 2 times

 
samratmahe
1 month ago
Tested on 22-May-2021. Below are the answers

Box 1: No

A sync group can only contains one cloud endpoint

Box 2: No

Azure File Sync does not support more than one server endpoint from the same server in the same Sync Group. If we try for the same server within
the same SynchGroup - an Error Message (The specified path is already in use by another server endpoint.) will popup and the synch wont get start

Box 3: Yes

Multiple server endpoints can exist on the same volume and also in same SynchGroup however their namespaces should not overlapping (for
example, D:\smart and D:\hero) and each endpoint is syncing to a unique sync group
upvoted 7 times

 
Shivz0903
1 month ago
A registered server can support multiple server endpoints, however a sync group can only have one server endpoint per registered server at any
given time. Other server endpoints within the sync group must be on different registered servers.

https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-deployment-guide?tabs=azure-portal%2Cproactive-portal

This should help answer the 2nd and 3rd question.

upvoted 1 times

 
Faizan2991
1 month ago
N-N-Y

https://docs.microsoft.com/en-us/answers/questions/110822/azure-file-sync-multiple-sync-directories-for-same.html
upvoted 1 times

 
Faizan2991
1 month ago
N-N-Y

Azure File Sync does not support more than one server endpoint from the same server in the same sync group. That's why you don’t see the server
listed in the drop-down when you create a new server endpoint in the same sync group. We don’t allow multiple server endpoints from the same
server in the sync group because the content in those directories would be the same once sync merged the data.
upvoted 1 times

 
mlantonis
1 month, 1 week ago
Correct Answer:

Box 1: No

A sync group contains one cloud endpoint, or Azure file share, and at least one server endpoint.

Box 2: No

Azure File Sync does not support more than one server endpoint from the same server in the same Sync Group.

Box 3: Yes

Multiple server endpoints can exist on the same volume if their namespaces are not overlapping (for example, F:\sync1 and F:\sync2) and each
endpoint is syncing to a unique sync group.

Reference:

https://docs.microsoft.com/en-us/answers/questions/110822/azure-file-sync-multiple-sync-directories-for-same.html

https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide
upvoted 4 times

 
Iroshan4
1 month, 1 week ago
No_Yes_No

3rd question is the tricky one.

Read here.

"Azure File Sync does not support more than one server endpoint from the same server in the same sync group. That's why you don’t see the
server listed in the drop-down when you create a new server endpoint in the same sync group. We don’t allow multiple server endpoints from the
same server in the sync group because the content in those directories would be the same once sync merged the data."

https://docs.microsoft.com/answers/answers/111645/view.html
upvoted 2 times

 
Chief
1 month, 3 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 145/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Create a sync group and a cloud endpoint

A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept in sync with each other. A sync group must contain
one cloud endpoint, which represents an Azure file share and one or more server endpoints. A server endpoint represents a path on a registered
server. A server can have server endpoints in multiple sync groups. You can create as many sync groups as you need to appropriately describe your
desired sync topology.
upvoted 1 times

 
allray15
3 months, 1 week ago
so the bottom-line , can you or can you not add 2 SERVER endpoint in a SINGLE/SAME SYNC GROUP?
upvoted 1 times

 
alen995454
3 months ago
Multiple server endpoints can exist on the same volume if their namespaces are not overlapping (for example, F:\sync1 and F:\sync2) and each
endpoint is syncing to a unique sync group. You can configure cloud tiering policies individually for each server endpoint.

https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-server-endpoint

it seems to me that the namespaces in the question do not overlap.

upvoted 1 times

 
alen995454
3 months ago
after reflection I'm opting for the No answer because of this line: "and each endpoint is syncing to a unique sync group". While the name
spaces are different they are syncing to the same sync group
upvoted 1 times

 
ms70743
3 months, 1 week ago
NO NO YES
upvoted 2 times

 
mg
3 months, 1 week ago
NO - Only one cloud point

NO - You can not add one more server endpoint from the same server

YES - because it's server endpoint with different server name

upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 146/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #11 Topic 2

DRAG DROP -

You have an Azure subscription named Subscription1.

You create an Azure Storage account named contosostorage, and then you create a file share named data.

Which UNC path should you include in a script that references files from the data file share? To answer, drag the appropriate values to the correct
targets. Each value may be used once, more than once or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Select and Place:

Correct Answer:

Box 1: contosostorage -

The name of account -

Box 2: file.core.windows.net -

Box 3: data -

The name of the file share is data.

Example:

Reference:

https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows

 
Hibs2016
Highly Voted 
6 months, 2 weeks ago
Correct Answer - contosostorage.file.core.windows.net\data.
upvoted 19 times

 
Raakezz
Highly Voted 
6 months, 2 weeks ago
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 147/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Cum 12/05/2020
upvoted 8 times

 
hbadger25
2 weeks, 5 days ago
This is a bot
upvoted 1 times

 
VVR141
Most Recent 
15 hours, 24 minutes ago
From the docs:

Select the drive letter and enter the UNC path, the UNC path format is:

\\<storageAccountName>.file.core.windows.net\<fileShareName>.

For example: \\anexampleaccountname.file.core.windows.net\example-share-name.

upvoted 1 times

 
mkoprivnj
1 week, 5 days ago
contosostorage.file.core.windows.net\data
upvoted 1 times

 
Tamilarasan
2 weeks, 3 days ago
Tested in my subscription.

Correct Answer - contosostorage.file.core.windows.net\data

upvoted 1 times

 
omhari
2 weeks, 3 days ago
Answer is correct
upvoted 1 times

 
samratmahe
1 month ago
Answer is correct - Tested on 22-May-2021

UNC Path syntax: \\<storageaccountname>.file.core.windows.net\<filesharename>

As per example given in question: \\contostorage.file.core.windows.net\data

upvoted 1 times

 
samratmahe
1 month ago
Correct Answer: Tested (22-May-20121)

UNC Path:\\<storageaccountname>.file.core.windows.inet\<filesharename>

As per example given in question: \\contostorage.file.core.windows.net\data

upvoted 2 times

 
mlantonis
1 month, 1 week ago
Correct Answer:

[storageaccountname].file.core.windows.net/[FileShareName]

contosostorage.file.core.windows.net\data

Reference:

https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows
upvoted 1 times

 
Elavarasu
3 months, 1 week ago
Answer is correct
upvoted 3 times

 
mg
3 months, 1 week ago
Answer is correct
upvoted 2 times

 
ZUMY
3 months, 3 weeks ago
Given answer is correct!
upvoted 3 times

 
toniiv
4 months, 1 week ago
Answer is correct. [storageaccountname].file.core.windows.net/[FileShareName]
upvoted 1 times

 
kashi1983
4 months, 2 weeks ago
Answer is correct
upvoted 2 times

 
fedztedz
6 months, 1 week ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 148/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Answer is correct
upvoted 5 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 149/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #12 Topic 2

HOTSPOT -

You have an Azure subscription that contains an Azure Storage account.

You plan to copy an on-premises virtual machine image to a container named vmimages.

You need to create the container for the planned image.

Which command should you run? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

 
Tom900
Highly Voted 
6 months, 2 weeks ago
Correct Answer. Similar to OS Images, a VM Image is a collection of metadata and pointers to a set of VHDs (one VHD per disk) stored as page
blobs in Azure Storage
upvoted 22 times

 
Hibs2016
6 months, 2 weeks ago
Agree correct answer - make, blob
upvoted 8 times

 
fedztedz
Highly Voted 
6 months, 1 week ago
Answer is correct make / blob
upvoted 10 times

 
mkoprivnj
Most Recent 
1 week, 5 days ago
Agree correct answer - make, blob
upvoted 1 times

 
Tamilarasan
2 weeks, 3 days ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 150/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Answer is correct make / blob.

https://docs.microsoft.com/en-us/azure/storage/common/storage-ref-azcopy-make?toc=/azure/storage/blobs/toc.json
upvoted 1 times

 
Md_Shahnawaz
1 month ago
https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-files
upvoted 1 times

 
mlantonis
1 month, 1 week ago
Correct Answer:

azcopy make 'https://mystorageaccount.blob.core.windows.net/vmimages'

Similar to OS Images, a VM Image is a collection of metadata and pointers to a set of VHDs (one VHD per disk) stored as page blobs in Azure
Storage.

Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-ref-azcopy-make
upvoted 4 times

 
nfett
1 month, 3 weeks ago
answer is correct. Referencing the following URL https://docs.microsoft.com/en-us/azure/storage/common/storage-ref-azcopy-make provided by
miki confirmed the answer.
upvoted 2 times

 
mg
3 months, 1 week ago
Answer is correct
upvoted 1 times

 
ZUMY
3 months, 2 weeks ago
Given answer is correct
upvoted 2 times

 
Sandroal29
3 months, 2 weeks ago
Although I selected the wrong answer at first, I realized through this forum what is the correct answer. Thank you.
upvoted 2 times

 
PBA1211
3 months, 3 weeks ago
why create this share in BLOB storage ,not in File Storage..?
upvoted 2 times

 
deenu202
3 months ago
VM Image is a collection of metadata and pointers to a set of VHDs (one VHD per disk) stored as page blobs in Azure Storage.
upvoted 2 times

 
toniiv
4 months, 1 week ago
Answer is correct. Azcopy make is the first step to prepare the blog for the VM image upload
upvoted 1 times

 
mikl
4 months, 2 weeks ago
azcopy make 'https://mystorageaccount.blob.core.windows.net/vmimages'

Source : https://docs.microsoft.com/en-us/azure/storage/common/storage-ref-azcopy-make
upvoted 2 times

 
polpum
5 months, 1 week ago
came in 15/01/2021
upvoted 1 times

 
waterzhong
5 months, 2 weeks ago
azcopy make [resourceURL] [flags]

Create a container or file share represented by the given resource URL.

https://docs.microsoft.com/en-us/azure/storage/common/storage-ref-azcopy-make
upvoted 3 times

 
Meesaw
5 months, 3 weeks ago
Came in exam 01 Jan 2021.
upvoted 4 times

 
NilsAbrahamsson
4 months, 1 week ago
Would appreciate if you'd say like "Cum 01/01/2021" ;-)
upvoted 5 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 151/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
housemac
5 months, 1 week ago
Do you get any lab question in exam?
upvoted 2 times

 
JustMe84
6 months, 2 weeks ago
Test today (12/10/2020), Passed, kept the same asnwers for this question in exam
upvoted 3 times

 
walexkino
1 month, 2 weeks ago
I am just wondering if you passed the test why do you now need to come to this particular exam for revision
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 152/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #13 Topic 2

HOTSPOT -

You have an Azure File sync group that has the endpoints shown in the following table.

Cloud tiering is enabled for Endpoint3.

You add a file named File1 to Endpoint1 and a file named File2 to Endpoint2.

On which endpoints will File1 and File2 be available within 24 hours of adding the files? To answer, select the appropriate options in the answer
area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

File1: Endpoint3 only -

Cloud Tiering: A switch to enable or disable cloud tiering. When enabled, cloud tiering will tier files to your Azure file shares. This converts on-
premises file shares into a cache, rather than a complete copy of the dataset, to help you manage space efficiency on your server. With cloud
tiering, infrequently used or accessed files can be tiered to Azure Files.

File2: Endpoint1, Endpoint2, and Endpoint3

Reference:

https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-cloud-tiering

 
MLM0607
Highly Voted 
5 months, 2 weeks ago
I think the correct answer should be that the both files will be visible on both end points.

Quote from : https://docs.microsoft.com/en-us/learn/modules/extend-share-capacity-with-azure-file-sync/2-what-azure-file-sync

"How does it work?

Azure File Sync uses a software-based agent that's installed on the on-premises server that you want to replicate. This agent communicates with
the Storage Sync Service.

Azure File Sync uses Windows USN journaling on the Windows Server computer to automatically start a sync session when files change on the

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 153/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

server endpoint. So changes made to the on-premises file share are immediately detected and replicated to the Azure file share.

Azure Files doesn't yet have change notification or journaling. So Azure File Sync has a scheduled job called a change detection job. This job is
initiated every 24 hours. So if you change a file on the Azure file share, you might not see the change on the on-premises file share for at least 24
hours."
upvoted 38 times

 
vince60370
5 months, 1 week ago
Just THANK YOU. No one seemed to have noticed it: Endpoint1 and 2 are ON PREMISE. So if there is a change ON PREMISE, it is IMMEDIATELY
synchronized. Your link just perfectly explains it.
upvoted 5 times

 
JayBee65
2 weeks, 3 days ago
No, Endpoint 1 is a cloud endpoint, with tiering, so file 1 will not appear on EP2 or EP3 unless the file is requested, so File 1 is EP1 only.
upvoted 2 times

 
Shexo
5 months, 1 week ago
I am getting confused reading all of these comments, could someone be kind enough to state which are the correct answers for each of the
file...
upvoted 8 times

 
Fab10234
4 months, 2 weeks ago
According to what is saying MLM0607 the correct answer for the File1 is Endpoint1 because it is a cloud endpoint and it is scanned by the
detection job every 24 hours and for the File2 the answer is Endpoint1, Endpoint2 and Endpoint3 because with the on-premises servers
the file is scanned and synced automatically after it's being added.
upvoted 19 times

 
Skankhunt
Highly Voted 
6 months, 1 week ago
Should be File 1: Endpoint 1 only File 2: Endpoint 1, Endpoint 2 and Endpoint 3
upvoted 38 times

 
vince60370
5 months, 1 week ago
Not agree. Please read MLM0607's answer below.
upvoted 1 times

 
JayBee65
2 weeks, 3 days ago
LM0607's answer are File 1: Endpoint 1 only File 2: Endpoint 1, Endpoint 2 and Endpoint 3!
upvoted 2 times

 
prashantjoge
6 months, 1 week ago
This is correct. Confirmed it in labs
upvoted 2 times

 
janshal
6 months, 1 week ago
you waited 24 hour for the job to be sync?

I think the answer is all endpoints because the syc job run every 24 hour so even if your created the file a second after the sync jobs started it
will be sync within 24 hours
upvoted 7 times

 
ScreamingHand
Most Recent 
16 hours, 56 minutes ago
Am I right in thinking that; File2, once copied to Endpoint2 will be immediately sync'd to the Cloud endpoint, - from there it may take 24 hours for
it to be replicated to Endpoint3.

Therefore File2:

Endpoint2 and Endpoint3 only.

upvoted 1 times

 
CloudyTech
1 day, 17 hours ago
Tested

File 1- Endpoints 1

File 2 - Endpoints 1, 2, 3
upvoted 2 times

 
mkoprivnj
1 week, 5 days ago
1) E1, E2, E3

2) E1, E2, E3
upvoted 2 times

 
lockc1811
1 month ago
omg. people.

its endpoint 1 only & second question is endpoints 1, 2 & 3.

microsoft arent trying to trick you with their exam q's

upvoted 2 times

 
mlantonis
1 month, 1 week ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 154/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer:

File1: Endpoint1 only

It is a cloud endpoint, and it is scanned by the detection job every 24 hours.

File2: Endpoint1, Endpoint2 and Endpoint3

With the on-premises servers the file is scanned and synced automatically after it's being added.

Note: They changed the question in Exam from "within 24 hours" to "after 24 hours".

So, the answer is:

File1: Endpoint1, Endpoint2 and Endpoint3

File2: Endpoint1, Endpoint2 and Endpoint3

Reference:

https://docs.microsoft.com/en-us/learn/modules/extend-share-capacity-with-azure-file-sync/2-what-azure-file-sync
upvoted 24 times

 
bacana
1 month, 1 week ago
sorry.

File1 will be at endpoints 1 and 3 (cloud tearing maintains a local copy), but there is no option 1 and 3 in the response, so endpoint1 or endpont3
only.

At endpoints 1, 2 and 3 because it was added to endpoint 2.

upvoted 1 times

 
bacana
1 month, 1 week ago
"On which endpoints will File1 and File2 be available within 24 hours of adding the files?"

File1 will be at endpoints 1 and 3 (cloud tearing keeps a local copy), but there is no option 3 in the response, so server1 only.

At endpoints 1, 2 and 3 because it was added to the local server 2

upvoted 1 times

 
kawsar
1 month, 2 weeks ago
Cloud tiering is enabled for Endpoint3. Which means you need to manually download the files. That is why first answer is Endpint 1 Only, Second
question is right.
upvoted 1 times

 
Lkk51
3 weeks, 4 days ago
Disagree.

"Regardless of whether cloud tiering is enabled, your Azure file share always has a complete copy of the data in the sync group."

https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-deployment-guide?tabs=azure-portal%2Cproactive-portal#create-a-server-
endpoint
https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-cloud-tiering-overview
upvoted 2 times

 
nfett
1 month, 3 weeks ago
Agree with nilf here if the question logic has changed to after 24 hours.
upvoted 1 times

 
ZetaZeti
2 months ago
If within means less than 24 hours:

1) Endpoint 1 only

2) E1, E2, E3

If within means less than or EQUAL TO 24 hours:

1) E1, E2, E3

2) E1, E2, E3
upvoted 13 times

 
Kiano
2 months ago
I think everyone is being confused by the term within 24 hours. If withon 24 hours does not actually mean 24 hours, then there should have been
another opiton for:

File 1: only on Endpoint1 (gets replicated within 24 hours, as we do not know how many minutes have passed since the last schedule was run and
the file was copied.)

File 2: On endpoint2 and endpoint1. As it is instantly gets replicated to the cloud.

Because we do not have the option: Endpoint1 and 2 for file 2, it means that the answer should be:

File1: On all three endpoints

File2: On all three endpoints.

Please see my reasoning regarding "within 24 hours" to understand what I mean.

upvoted 1 times

 
Nilf
2 months, 3 weeks ago
They changed in Exam "within 24 hours" with "after 24 hours"

So the answer is:

- File 1 - Endpoint 1,2,3

- File 2 - Endpoint 1,2,3

upvoted 27 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 155/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
Benny4321
2 months ago
Good, because "within" is very confusing, as it leaves several scenarios open. "After" will make sure that all is synced after a period of 24 hours..
no question about that.
upvoted 1 times

 
coders1234
1 month, 3 weeks ago
within is actually quite clear, it means before or up to 24 h
upvoted 1 times

 
mc3
3 months ago
Why would File1 not be available on the drive that it was loaded on to?
upvoted 4 times

 
ms70743
3 months, 1 week ago
File 1- endpoints 1

File 2 - endpoints 1, 2, 3
upvoted 5 times

 
ZUMY
3 months, 2 weeks ago
Important here within or after 24 hours.

If we say within 24 as job already run

Then file 1 and file 2 will be avail in all end points.

If we take within 24 hours as shedular not run yet

Answers are

1. Endpoint 1 only

2. Endpoint 2 and Endpoint 1 only

So based on the answer given we have to assume schedular had alredy been run within 24 hours. Bcz we have not given answer matching shedular
had not run.

So I go for >>> all endpoints have all the files within 24 hours
upvoted 5 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 156/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #14 Topic 2

HOTSPOT -

You have several Azure virtual machines on a virtual network named VNet1.

You configure an Azure Storage account as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

NOTE: Each correct selection is worth one point.

Hot Area:

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 157/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer:

Box 1: always -

Endpoint status is enabled.

Box 2: Never -

After you configure firewall and virtual network settings for your storage account, select Allow trusted Microsoft services to access this storage
account as an exception to enable Azure Backup service to access the network restricted storage account.

Reference:

https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows https://azure.microsoft.com/en-us/blog/azure-
backup-now-supports-storage-accounts-secured-with-azure-storage-firewalls-and-virtual-networks/

 
Leandroalonso
Highly Voted 
6 months, 3 weeks ago
VMs from the 10.2.9.0/24 should NEVER access the storage!!!!!

Since wich the selection of the network is segmented by subnets, and not by virtual networks.
upvoted 62 times

 
besha
2 months, 2 weeks ago
Technically 10.2.9.0/24 subnet is part of 10.2.0.0/16 subnet which is in the allowed subnet. but should still be Never because it's Endpoint status
is not enabled
upvoted 7 times

 
RamanAgarwal
2 weeks, 5 days ago
Allowed access is at the subnet level which is 10.2.0.0/24 which includes Ip range 10.2.0.0-10.2.0.255, this means the VM on 10.2.9.0/24 will
not have access to storage account.
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 158/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 5 times

 
shnz03
1 week, 5 days ago
I disagree. Your subnet mask understanding for network id and host id is wrong.
upvoted 1 times

 
shnz03
1 week, 5 days ago
@RamanAgarwal. I apologize. I misread. Your statement is correct.
upvoted 3 times

 
Miles19
2 months, 3 weeks ago
Yes, that's true. The virtual machine attached to the following virtual network 10.2.9.0/24 will never have access to the storage account, because
of the firewall rules, so the correct answer is:

-Never

-Never
upvoted 11 times

 
boink
Highly Voted 
6 months, 2 weeks ago
Never

Never
upvoted 27 times

 
mkoprivnj
Most Recent 
1 week, 5 days ago
Never Never!
upvoted 1 times

 
JayBee65
2 weeks, 3 days ago
This link shows that Azure Backup requires "Allow Trusted Microsoft...", https://docs.microsoft.com/en-gb/azure/storage/common/storage-
network-security?tabs=azure-portal#exceptions
upvoted 1 times

 
modiallo
1 month ago
Never for both
upvoted 1 times

 
mlantonis
1 month, 1 week ago
Correct Answer:

VNet1’s address space is 10.2.0.0/16.

The VNet1 has only 1 Subnet associated: 10.2.0.0/24. The address space of a VNet is irrelevant if there isn’t a corresponding Subnet from, which
VMs can be assigned IP addresses.

Box1: Never

VMs from 10.2.9.0/24 (10.2.9.0 - 10.2.9.255) are out of Subnet.

Subnet IP range 10.2.0.0 - 10.2.0. 255.

Box2: Never

Since the checkbox to allow trusted Microsoft services is not checked. After you configure firewall and virtual network settings for your storage
account, select Allow trusted Microsoft services to access this storage account as an exception to enable Azure Backup service to access the
network restricted storage account.
upvoted 11 times

 
TinaSkilled
1 month, 3 weeks ago
If virtual machine was on subnet 10.2.0.0/24 , would it get access to storage ? I think NO because the checkbox below is not enabled for storage
account. Can someone confirm this
upvoted 1 times

 
gladi
3 months ago
1) Never

2) Never
upvoted 4 times

 
ms70743
3 months, 1 week ago
never

never
upvoted 1 times

 
ZUMY
3 months, 2 weeks ago
- Never: VMs from 10.2.9.0/24 are out of subnet. Subnet IP range 10.2.0.0 - 10.2.0. 255

- Never: Since the checkbox to allow Microsoft trusted services is not checked
upvoted 8 times

 
ZUMY
3 months, 3 weeks ago
Never , Never
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 159/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
toniiv
4 months, 1 week ago
Vnet1 10.2.0.0/16 is the Address space. The Vnet has only one subnet defined on it: 10.2.0.0/24. Answer should be:

- Never: VMs from 10.2.9.0/24

- Never: Since the checkbox to allow Microsoft trusted services is not checked
upvoted 6 times

 
polpum
5 months, 1 week ago
come in 15/01/2021
upvoted 1 times

 
ms70743
5 months, 2 weeks ago
Never, Never
upvoted 3 times

 
gekkehenkie84
5 months, 3 weeks ago
should be never/never, as it's a different subnet
upvoted 3 times

 
Meesaw
5 months, 3 weeks ago
Came in exam 01 Jan 2021
upvoted 1 times

 
diligent176
6 months ago
The answer is accurate and here is why... 10.2.0.0/16 (shown in the image) is a full class B network covering addresses from 10.2.0.0 through
10.2.255.255.

And since 10.2.9.0/24 falls within this space, it is allowed.

upvoted 2 times

 
solarwinds123
5 months, 4 weeks ago
Clearly not as diligent as your name, that virtual network has only one subnet (see the "1" under the subnet column, on the virtual network row.
The virtual network row is expanded to show its subnets, of which it only has one), which is 10.2.0.0/24, which ranges from 10.2.0.0 to 10.2.0.255.

10.2.9.0/24 falls outside of this range, and thus any virtual machine part of that subnet is not part of the vnet in question, and will have no
access to the storage account.

The address space of a vnet is irrelevant if there isnt a corresponding subnet from which virtual machines can be assigned IP addresses.
upvoted 12 times

 
Sandroal29
3 months, 2 weeks ago
Incorrect, first test it out then state something. I tested it out and only resources that are in the subnet have access to the storage account.
upvoted 2 times

 
KOSACA
6 months ago
So what about the second address 10.2.0.0/24? It will be ignored?
upvoted 1 times

 
diligent176
6 months ago
Oops, never mind I think I am wrong on this... NEVER, NEVER is the answer.

(My rambling about address space is not relevant here since the specified subnet is not selected in the image.)
upvoted 3 times

 
diligent176
6 months ago
This must be a typo in the question. They meant to say 10.2.0.0/24 when the answer states "endpoint status is enabled". 10.2.9.0/24 is a typo.
10.2.0.0/24 is the allowed subnet.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 160/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #15 Topic 2

HOTSPOT -

You have a sync group named Sync1 that has a cloud endpoint. The cloud endpoint includes a file named File1.txt.

Your on-premises network contains servers that run Windows Server 2016. The servers are configured as shown in the following table.

You add Share1 as an endpoint for Sync1. One hour later, you add Share2 as an endpoint for Sync1.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: Yes -

If you add an Azure file share that has an existing set of files as a cloud endpoint to a sync group, the existing files are merged with any other
files that are already on other endpoints in the sync group.

Box 2: No -

Box 3: Yes -

Reference:

https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-planning

 
boink
Highly Voted 
6 months, 2 weeks ago
NO NO YES
upvoted 64 times

 
allray15
3 months ago
came in exam today 3/24/21, passed 850+ score always check discussion for correct answers. answered n,n,y
upvoted 20 times

 
cdc_jr3150
1 month, 1 week ago
what else did you use to study? having a hard time passing.
upvoted 1 times

 
jjj554
3 months ago
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 161/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Did most of the questions come from this list?

upvoted 1 times

 
prashantjoge
6 months, 1 week ago
Agreed... tested it myself
upvoted 4 times

 
Constantinos
6 months, 2 weeks ago
tested on LAB and agree
upvoted 6 times

 
sprons77
Highly Voted 
6 months, 1 week ago
Agree, files are never overwritten. If the file exists, it will get a new name on the endpoint (file1(1).txt)
upvoted 28 times

 
tkt7744
Most Recent 
1 day, 2 hours ago
file1.txt overwritten by file1.txt true right?....even though they renamed the old file
upvoted 1 times

 
mkoprivnj
1 week, 5 days ago
NO NO YES
upvoted 1 times

 
JayBee65
2 weeks, 3 days ago
If the same file is changed on two servers at approximately the same time, what happens?

Azure File Sync uses a simple conflict-resolution strategy: we keep both changes to files that are changed in two endpoints at the same time. The
most recently written change keeps the original file name. The older file (determined by LastWriteTime) has the endpoint name and the conflict
number appended to the filename. For server endpoints, the endpoint name is the name of the server. For cloud endpoints, the endpoint name is
Cloud.

So we know that files WILL NOT be overwritten, so first 2 and No, No

upvoted 1 times

 
vharsh16
2 weeks, 4 days ago
Azure File Sync uses a simple conflict-resolution strategy: we keep both changes to files that are changed in two endpoints at the same time. The
most recently written change keeps the original file name. The older file (determined by LastWriteTime) has the endpoint name and the conflict
number appended to the filename. For server endpoints, the endpoint name is the name of the server. For cloud endpoints, the endpoint name is
Cloud. The name follows this taxonomy:

For example, the first conflict of CompanyReport.docx would become CompanyReport-CentralServer.docx if CentralServer is where the older write
occurred. The second conflict would be named CompanyReport-CentralServer-1.docx. Azure File Sync supports 100 conflict files per file. Once the
maximum number of conflict files has been reached, the file will fail to sync until the number of conflict files is less than 100.

I think its: NO NO Yes

upvoted 1 times

 
samratmahe
1 month ago
Tested on 22-May-2021

Correct Answer is: NO, NO, NO

NO (New file will create in share1 with the extension of File1-Cloud.txt) so there wont be any chance of owerriten

NO (on server1 also File1-Cloud.txt got added) so there is no chance of overwritten

NO (share1 & share2 both are different Fileshares) so there is no chance to replicates
upvoted 3 times

 
JayBee65
2 weeks, 3 days ago
You are wrong I think...

Sync group: The object that defines the sync relationship between a cloud endpoint, or Azure file share, and a server endpoint. Endpoints within
a sync group are kept in sync with each other. If for example, you have two distinct sets of files that you want to manage with Azure File Sync,
you would create two sync groups and add different endpoints to each sync group.
upvoted 1 times

 
Kiano
1 month ago
Thanks for testing, But regarding the last one, the question is mentioning that "you add Share2 as an endpoint for Sync1", so it is going to be
part of the sync group. So I think it will show up on the container on cloud endpoint. Unless another container is specified in cloud. So I think
the answer is No, No, Yes.
upvoted 5 times

 
hgdlyl
1 month, 2 weeks ago
I read all the discussion. I found nobody really did the test.

The answer should be NO YES YES.

The File2.txt on cloud point (File Share) is written by File2.txt from Server2 when Server2 is added to the Sync group.

What I found is there are two three files on Server1, File1.txt, File2.txt and File2-Server1.txt.

File2.txt on Server1 is the same as File2.txt on Server2.

File2-Server1.txt is the same as the original File2.txt.

Please stop guess and trying to give a reason to let you believe the "answers".
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 162/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 2 times

 
hgdlyl
1 month, 2 weeks ago
Sorry. There is a typo. NO NO YES
upvoted 4 times

 
Veronika1989
2 months ago
Tested 4/23/2021

Correct answer NO NO YES

upvoted 2 times

 
director47
2 months, 3 weeks ago
I dont know if anyone has thought about this but we honestly learn lot from these. Why, because we know that more often there will be a wrong
answer. It gets us questioning it. Then we help each other out and provide the proper documentation from Microsoft on the subject of the
question. Its literally like a classroom environment.
upvoted 14 times

 
rgullini
3 months ago
No, No, Yes

https://docs.microsoft.com/en-us/azure/storage/files/storage-files-
faq#:~:text=Azure%20File%20Sync%20supports%20100,files%20is%20less%20than%20100.
upvoted 1 times

 
sajy2k
3 months ago
why the last one is Yes ?
upvoted 1 times

 
JayBee65
2 weeks, 3 days ago
Sync group: The object that defines the sync relationship between a cloud endpoint, or Azure file share, and a server endpoint. Endpoints within
a sync group are kept in sync with each other. If for example, you have two distinct sets of files that you want to manage with Azure File Sync,
you would create two sync groups and add different endpoints to each sync group.
upvoted 1 times

 
AlexLiourtas
3 months ago
because share1 and share2 sync after 24h
upvoted 1 times

 
Seema_exam
3 months ago
The file gets appended with a new name and not overwritten.

No No Yes
upvoted 2 times

 
elbalin
3 months, 2 weeks ago
Could be right- could be wrong. It seems to depend upon the last modification date of the file. "The most recently written change keeps the
original file name. The older file (determined by LastWriteTime) has the endpoint name and the conflict number appended to the filename." Looks
like this info is missing in the question.
upvoted 1 times

 
ZUMY
3 months, 3 weeks ago
NO,NO,YES
upvoted 5 times

 
Smia
3 months, 4 weeks ago
NO, NO, YES:

<FileNameWithoutExtension>-<endpointName>[-#].<ext>
upvoted 7 times

 
Kemystery
3 months, 4 weeks ago
Should be NO NO NO. The files are in different shares so there is no conflict. Conflict will only happen within the same share.
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 163/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #16 Topic 2

You have an Azure subscription that contains the storage accounts shown in the following table.

You need to identify which storage account can be converted to zone-redundant storage (ZRS) replication by requesting a live migration from
Azure support.

What should you identify?

A.
storage1

B.
storage2

C.
storage3

D.
storage4

Correct Answer:
B

ZRS currently supports standard general-purpose v2, FileStorage and BlockBlobStorage storage account types.

Incorrect Answers:

A, not C: Live migration is supported only for storage accounts that use LRS replication. If your account uses GRS or RA-GRS, then you need to
first change your account's replication type to LRS before proceeding. This intermediary step removes the secondary endpoint provided by
GRS/RA-GRS.

Also, only standard storage account types support live migration. Premium storage accounts must be migrated manually.

D: ZRS currently supports standard general-purpose v2, FileStorage and BlockBlobStorage storage account types.

Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-zrs

 
diligent176
Highly Voted 
6 months ago
This is one of those ridiculous questions that would imply we should memorize the 50 different combinations of storage type, replication type,
versus live migration support. Useless info to keep in your head, why would they test for this. The support rules around live migration support are
horrendous. Bleh.
upvoted 42 times

 
balflearchen
5 months, 2 weeks ago
Complain here is useless. And from your point of view, all certificate exams should be ridiculous.

Back to the question, answer B is correct.

"Live migration is supported only for storage accounts that use LRS or GRS replication. If your account uses RA-GRS, then you need to first
change your account's replication type to either LRS or GRS before proceeding. This intermediary step removes the secondary read-only
endpoint provided by RA-GRS before migration."

"ZRS supports general-purpose v2 accounts only"

upvoted 16 times

 
fedztedz
Highly Voted 
6 months ago
Answer is correct. It is storage2.

The key to the answer in this question is "Live migration"

- You can do Live migration to ZRS from LRS or GRS only.

- Also this only applies on General Purpose v2 storage.

upvoted 30 times

 
mkoprivnj
Most Recent 
1 week, 5 days ago
Back to the question, answer B is correct.
upvoted 2 times

 
Tranquillo1811
2 weeks, 5 days ago
Answer B is correct!

https://docs.microsoft.com/en-us/azure/storage/common/redundancy-migration?tabs=portal#request-a-live-migration-to-zrs-gzrs-or-ra-gzrs

(see 3rd section...)

upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 164/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
modiallo
1 month ago
B is correct!

- You can do Live migration to ZRS from LRS or GRS only.

- Also this only applies on General Purpose v2 storage.

upvoted 1 times

 
vamshidhara
1 month, 1 week ago
If you need to migrate your storage account from LRS to ZRS in the primary region with no application downtime, you can request a live migration
from Microsoft. To migrate from LRS to GZRS or RA-GZRS, first switch to GRS or RA-GRS and then request a live migration. Similarly, you can
request a live migration from GRS or RA-GRS to GZRS or RA-GZRS. To migrate from GRS or RA-GRS to ZRS, first switch to LRS, then request a live
migration.
upvoted 1 times

 
mlantonis
1 month, 1 week ago
Correct Answer:

Live migration is supported only for storage accounts that use LRS or GRS replication. If your account uses RA-GRS, then you need to first change
your account's replication type to either LRS or GRS before proceeding. This intermediary step removes the secondary read-only endpoint provided
by RA-GRS before migration. ZRS supports general-purpose v2 accounts only.

A: Incorrect - General purpose v1.

B: Correct - General purpose v2 + LRS.

C: Incorrect - RA-GRS needs to be converted to LRS before Live migration request to ZRS.

D: Incorrect - Only premium blob blocks are supported by ZRS.

Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-zrs

https://docs.microsoft.com/en-us/learn/modules/provide-disaster-recovery-replicate-storage-data/2-evaluate-data-redundancy-options
upvoted 2 times

 
director47
2 months, 3 weeks ago
As explained only Standard is supported for live not premium. Those would be manual.
upvoted 4 times

 
mg
3 months, 1 week ago
Answer is correct
upvoted 1 times

 
Sandroal29
3 months, 2 weeks ago
Hands down provided answer is correct.
upvoted 1 times

 
ZUMY
3 months, 3 weeks ago
B is correct!

- You can do Live migration to ZRS from LRS or GRS only.

- Also this only applies on General Purpose v2 storage.

upvoted 3 times

 
Merma
4 months ago
Correct

"You can switch your replication strategy for any storage account. The process you use depends on the current replication strategy for your
account. For example, if you want to migrate from a storage account with LRS, you have two options:

Manually move or copy your data to a new account with GZRS.

Switch the replication type to GRS/RA-GRS first and then create a request with Azure Support for a live migration to GZRS."

https://docs.microsoft.com/en-us/learn/modules/provide-disaster-recovery-replicate-storage-data/2-evaluate-data-redundancy-options
upvoted 1 times

 
toniiv
4 months, 1 week ago
Answer is correct. Live migration to ZRS can come from LRS or GRS and only available to General Purpose v2 storage account type.
upvoted 2 times

 
waterzhong
4 months, 2 weeks ago
Locally redundant storage (LRS) copies your data synchronously three times within a single physical location in the primary region. LRS is the least
expensive replication option, but is not recommended for applications requiring high availability.

Zone-redundant storage (ZRS) copies your data synchronously across three Azure availability zones in the primary region. For applications
requiring high availability, Microsoft recommends using ZRS in the primary region, and also replicating to a secondary region.
upvoted 1 times

 
polpum
5 months, 1 week ago
come in 15/01/2021
upvoted 1 times

 
ms70743
5 months, 2 weeks ago
B. storage2 is correct
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 165/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
Somewhatbusy
5 months, 3 weeks ago
Given answer is correct.

A - Incorrect - General purpose v1

B - Correct - General purpose v1 + LRS - Refer KBA for live migration request https://docs.microsoft.com/en-
us/azure/storage/common/redundancy-migration?tabs=portal#request-a-live-migration-to-zrs-gzrs-or-ra-gzrs

C - Incorrect - RA-GRS needs to be converted to LRS before Live migration request to ZRS

D - Incorrect - Only premium blob blocks are supported by ZRS

upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 166/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #17 Topic 2

You have an Azure subscription that contains a storage account named account1.

You plan to upload the disk files of a virtual machine to account1 from your on-premises network. The on-premises network uses a public IP
address space of

131.107.1.0/24.

You plan to use the disk files to provision an Azure virtual machine named VM1. VM1 will be attached to a virtual network named VNet1. VNet1
uses an IP address space of 192.168.0.0/24.

You need to configure account1 to meet the following requirements:

✑ Ensure that you can upload the disk files to account1.

✑ Ensure that you can attach the disks to VM1.

✑ Prevent all other access to account1.

Which two actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A.
From the Firewalls and virtual networks blade of account1, select Selected networks.

B.
From the Firewalls and virtual networks blade of account1, select Allow trusted Microsoft services to access this storage account.

C.
From the Firewalls and virtual networks blade of account1, add the 131.107.1.0/24 IP address range.

D.
From the Firewalls and virtual networks blade of account1, add VNet1.

E.
From the Service endpoints blade of VNet1, add a service endpoint.

Correct Answer:
AE

A: By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change
the default action.

Azure portal -

1. Navigate to the storage account you want to secure.

2. Click on the settings menu called Firewalls and virtual networks.

3. To deny access by default, choose to allow access from 'Selected networks'. To allow traffic from all networks, choose to allow access from
'All networks'.

4. Click Save to apply your changes.

E: Grant access from a Virtual Network

Storage accounts can be configured to allow access only from specific Azure Virtual Networks.

By enabling a Service Endpoint for Azure Storage within the Virtual Network, traffic is ensured an optimal route to the Azure Storage service.
The identities of the virtual network and the subnet are also transmitted with each request.

Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security

 
z0ru1
Highly Voted 
6 months, 3 weeks ago
I would say AC
upvoted 33 times

 
vince60370
5 months, 1 week ago
Based on given answers from AZ 103 same question, I would agree :

(A (AZ104) = D (AZ103), C (AZ104) = C (AZ103))

"Chape87 - 9 months ago

Its C and D. If you do D, You don't need to do B, its enabled by default. E isn't related. A won't be necessary for the VMs, as the trusted
microsoft service can grab the drive from the storage account for the VMs in VNet1

dean1984kirsten - 9 months ago

Okay, so we saying in sequence:

D. From the Firewalls and virtual networks balde of account1, select Selected networks.

Then

C. From the Firewalls and virtual networks blade of account1, add the 131.107.1.0/24 IP address range."
upvoted 3 times

 
MahmoudJamaah
6 months ago
you will not be able to attach the Disk to VM.
upvoted 3 times

 
ceaser221
5 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 167/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

I think, its BC
upvoted 5 times

 
fedztedz
Highly Voted 
6 months ago
Answer is not correct.

This question can have 3 answers A,C,D

I will choose A & C but still D is correct

First: - You need to select "Selected Networks" otherwise C & D won't work. , so choose A

Second - you need to allow on-perm access. C

Third - you also need to allow VNET access D

For Answer E, when you enable VNET from storage account, the Endpoint could be enabled also from there automatically. check this
https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security#azure-portal-1
upvoted 21 times

 
oooMooo
6 months ago
Agree that it's A,C, and D.
upvoted 2 times

 
mkoprivnj
Most Recent 
1 week, 5 days ago
I would say AC
upvoted 1 times

 
slimjago
2 weeks, 1 day ago
I think is AE.. I can configure B,C and D from Selected Network in Networking blade from account1 (answer A). Then, I have to enable service
endpoint on VNET1 (answer E)
upvoted 1 times

 
JayBee65
2 weeks, 3 days ago
By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the
default action.

Go to the storage account you want to secure.

Select on the settings menu called Networking.

To deny access by default, choose to allow access from Selected networks. To allow traffic from all networks, choose to allow access from All
networks.

Select Save to apply your changes.

You must do A and C. The question is, do you need to do anything else
upvoted 1 times

 
vharsh16
2 weeks, 4 days ago
A and E is correct ,

A: you need to select networks( so you can add "131.107.1.0/24 IP address range" and Vnet1)

E: Storage accounts have a public endpoint that is accessible through the internet. You can also create Private Endpoints for your storage account,
which assigns a private IP address from your VNet to the storage account, and secures all traffic between your VNet and the storage account over a
private link.
upvoted 5 times

 
vharsh16
2 weeks, 4 days ago
A and E is correct ,

A: you need to select networks( so you can add "131.107.1.0/24 IP address range" and Vnet1)

 
cgmaxmax
3 weeks ago
AC - When you choose A then B is enabled by default.
upvoted 1 times

 
Lkk51
3 weeks, 3 days ago
I would go for CD

C <- To allow on-prem to upload disk

D <- To allow VNET 1 to access the disk

A<- it will just prevent other to access storage account but it won't allow access from on-prem + VNET 1 as well. This answer alone does not not
work.

E <- After taking action from D) this will automatically enable

upvoted 1 times

 
CARIOCA
3 weeks, 4 days ago
Vejo muitas discussões sobre a questão informando ter 3 respostas corretas, porém a pergunta solicita apenas 2 respostas corretas., por gentileza,
poderiam explicar melhor ?
upvoted 1 times

 
Annie1210
3 weeks, 5 days ago
AC is apt and more control restrictive, no other machine can access now.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 168/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times

 
jpons
4 weeks ago
https://docs.microsoft.com/en-gb/azure/storage/common/storage-network-security?tabs=azure-portal

Virtual machine disk traffic (including mount and unmount operations, and disk IO) is not affected by network rules. REST access to page blobs is
protected by network rules.

You can use IP network rules to allow access from specific public internet IP address ranges by creating IP network rules. Each storage account
supports up to 200 rules. These rules grant access to specific internet-based services and on-premises networks and blocks general internet traffic.

AC
upvoted 1 times

 
chaudha4
1 month ago
Answer is B and C. You need to allow MS Services(VM in this case) to access this storage (option B) and allow onprem network to access the
storage (option c)
upvoted 1 times

 
mlantonis
1 month, 1 week ago
Correct Answer: A, C and D

This question can have 3 answers A, C and D.

First: You need to select "Selected Networks", otherwise C & D won't work, so choose A.

Second: You need to allow on-perm access, so choose C.

Third: You also need to allow VNET access, so choose D

I would go for A and C.

upvoted 1 times

 
armandolubaba
1 month, 1 week ago
The correct answer C and D
upvoted 1 times

 
Bursuc03
1 month, 1 week ago
Response: AC. You need to allow VHD upload to the storage account. According to https://docs.microsoft.com/en-
us/azure/storage/common/storage-network-security "Virtual machine disk traffic (including mount and unmount operations, and disk IO) is not
affected by network rules". The objectives are met.
upvoted 3 times

 
gbx077
1 month ago
thanks for finding the correct reference
upvoted 1 times

 
raph90fr
1 month, 2 weeks ago
tested on lab today: AC. First you click on "selected network" (so you switch from All network which is the default for a storage account ). after that
you can add the public IPs.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 169/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #18 Topic 2

DRAG DROP -

You have an on-premises file server named Server1 that runs Windows Server 2016.

You have an Azure subscription that contains an Azure file share.

You deploy an Azure File Sync Storage Sync Service, and you create a sync group.

You need to synchronize files from Server1 to Azure.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.

Select and Place:

Correct Answer:

Step 1: Install the Azure File Sync agent on Server1

The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share

Step 2: Register Server1.

Register Windows Server with Storage Sync Service

Registering your Windows Server with a Storage Sync Service establishes a trust relationship between your server (or cluster) and the Storage
Sync Service.

Step 3: Add a server endpoint -

Create a sync group and a cloud endpoint.

Reference:

https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 170/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
fedztedz
Highly Voted 
6 months ago
Answer is correct
upvoted 15 times

 
Malec
Highly Voted 
6 months, 3 weeks ago
correct
upvoted 6 times

 
mkoprivnj
Most Recent 
1 week, 5 days ago
1. install

2. register

3. add
upvoted 1 times

 
mlantonis
1 month, 1 week ago
Correct Answer:

Step 1: Install the Azure File Sync agent on Server1

The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share

Step 2: Register Server1

Register Windows Server with Storage Sync Service

Registering your Windows Server with a Storage Sync Service establishes a trust relationship between your server (or cluster) and the Storage Sync
Service.

Step 3: Add a server endpoint

Create a sync group and a cloud endpoint.

Reference:

https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide
upvoted 2 times

 
oriduri
1 month, 4 weeks ago
Answer is correct
upvoted 1 times

 
Bharadhi
2 months ago
Answer is correct
upvoted 1 times

 
mg
3 months, 1 week ago
Answer is correct
upvoted 1 times

 
ZUMY
3 months, 3 weeks ago
Given Answer is correct
upvoted 1 times

 
Merma
4 months ago
Correct

1. Evaluate your on-premises system: Run the evaluation cmdlet on your on-premises server to check whether your OS and file system are
supported.

2. Create Azure resources: You need a storage account to contain a file share, a Storage Sync Service, and a sync group. Create the resources in that
order.

3. Install the Azure File Sync agent: Install the agent on each file server that's taking part in replication to the Storage Sync Service.

4. Register the Windows Server computer with the Storage Sync Service: After you install the sync agent, you're prompted to register the server
with the Storage Sync Service.

5. Create the server endpoint: After the server is registered, you add it as an endpoint in the sync group.

https://docs.microsoft.com/en-us/learn/modules/extend-share-capacity-with-azure-file-sync/2-what-azure-file-sync
upvoted 1 times

 
toniiv
4 months, 1 week ago
Answers and order is correct. First to install the Sync agent, then Server becomes available to select and register it, then last point is to create
endpoint on the server into a Sync Group.
upvoted 1 times

 
Vgopi
5 months ago
Answer is correct. Verified in UDEMY
upvoted 1 times

 
zewenwu
5 months ago
Indeed, the Windows Server needs to be first registered before you can add as server group in the sync group.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 171/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

https://docs.microsoft.com/en-us/learn/modules/extend-share-capacity-with-azure-file-sync/8-exercise-configure-file-sync-tools-windows-server
upvoted 1 times

 
samrr
5 months, 3 weeks ago
Topic 2 #13 is cloud endpoint. here is server endpoint? which one is true?
upvoted 1 times

 
Hibs2016
6 months, 2 weeks ago
Correct:

- Install the Azure File sync agent on Server1

- Register Server1

- Add a server endpoint

upvoted 4 times

 
Raakezz
6 months, 2 weeks ago
Cum 12/05/2020
upvoted 4 times

 
mark9999
5 months ago
Raakezz did you fail the exam on 12/5/2020 you little prick? Is that your major malfunction?
upvoted 7 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 172/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #19 Topic 2

HOTSPOT -

You plan to create an Azure Storage account in the Azure region of East US 2.

You need to create a storage account that meets the following requirements:

✑ Replicates synchronously.

✑ Remains available if a single data center in the region fails.

How should you configure the storage account? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: Zone-redundant storage (ZRS)

Zone-redundant storage (ZRS) replicates your data synchronously across three storage clusters in a single region.

LRS would not remain available if a data center in the region fails

GRS and RA GRS use asynchronous replication.

Box 2: StorageV2 (general purpose V2)

ZRS only support GPv2.

Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy https://docs.microsoft.com/en-
us/azure/storage/common/storage-redundancy-zrs

 
MicroJ
Highly Voted 
6 months, 3 weeks ago
Answer describes ZRS being correct but marks GRS. From reading the description is seems like ZRS is the correct answer.
upvoted 30 times

 
JohnAvlakiotis
6 months, 3 weeks ago
True. ZRS is correct.
upvoted 10 times

 
Sandroal29
3 months, 2 weeks ago
The thing is that ZRG is not Geo-redundant. it merely works within a single region.
upvoted 3 times

 
JayBee65
2 weeks, 3 days ago
...and what is your point about this?
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 173/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times

 
Sir_blaze
Highly Voted 
6 months, 3 weeks ago
GRS protects against Zone failure while ZRS protects against data center failure.

ZRS should be selected instead of GRS.

upvoted 15 times

 
mkoprivnj
Most Recent 
1 week, 5 days ago
ZRS + StoregeV2
upvoted 1 times

 
HTD
3 weeks, 3 days ago
Zone-redundant storage (ZRS) replicates your data synchronously across three storage clusters in a single region.

LRS would not remain available if a data center in the region fails

GRS and RA GRS use asynchronous replication.

ZRS only support GPv2

upvoted 2 times

 
mlantonis
1 month, 1 week ago
Correct Answer:

Box 1: Zone-redundant storage (ZRS)

Zone-redundant storage (ZRS) replicates your data synchronously across three storage clusters in a single Region.

GRS protects against Zone failure, while ZRS protects against data center failure.

LRS would not remain available if a data center in the region fails.

GRS and RA GRS use asynchronous replication.

Box 2: StorageV2 (general purpose V2)

ZRS only support GPv2.

Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy

https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-zrs
upvoted 5 times

 
armandolubaba
1 month, 1 week ago
zrs and v2
upvoted 1 times

 
Bharadhi
2 months ago
ZRS - If single data center fails we would go for it.

GRS- this is for failure

so the answer would be

ZRS

storage V2
upvoted 3 times

 
ms70743
2 months, 4 weeks ago
ZRS

V2
upvoted 6 times

 
beupy
3 months ago
Agreed that it's ZRS, but why all chose V2 since ZRS supports any of V2, BlockBlob & File ?
upvoted 1 times

 
thowell
2 months, 4 weeks ago
Yes, ZRS supports V2, BlockBlob and File storage. But it DOESN'T support Blob or V1 storage - which are the other 2 options. So StorageV2 is
the right answer.
upvoted 4 times

 
incubutus
3 months, 1 week ago
In the question, it didn't as for redundancy over geo-locations. It asked if a data centre goes down. So ZRS is ideal "Zone-redundant storage (ZRS)
copies your data synchronously across three Azure availability zones in the primary region. For applications requiring high availability, Microsoft
recommends using ZRS in the primary region, and also replicating to a secondary region." For the account type, it must be Storage V2 as it is the
only one supported on ZRS.

https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 174/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
mg
3 months, 1 week ago
ZRS

Storage v2
upvoted 3 times

 
ZUMY
3 months, 3 weeks ago
Replication : ZRS ( Same Region but data avail in different(Zones) Locations)

Account Type : Storage V2

upvoted 4 times

 
EdgardoGabriel
3 months, 3 weeks ago
I have doubts. Which's? Is Replication ZRS or GRS?
upvoted 2 times

 
alessioferrario
3 months, 3 weeks ago
ZRS

- Replicates synchronously.

- Remains available if a single data center in the region fails.

upvoted 3 times

 
toniiv
4 months, 1 week ago
Answer in the text is correct, but not the provided screenshot selection:

-ZRS

-Storage v2
upvoted 3 times

 
mikl
4 months, 1 week ago
ZRS and Storage v2.

Source : https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy
upvoted 3 times

 
mikl
4 months, 1 week ago
added :

✑ Replicates synchronously.

✑ Remains available if a single data center in the region fails.

 
aMiPL
4 months, 2 weeks ago
It's ZRS / V2. I can't be GRS because it replicated to 2nd region asynchronisly and it needs to be sychnonosuly as per question. only ZRS fulfill this
requirements.

https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy
upvoted 2 times

 
waterzhong
5 months, 1 week ago
LRS ZRS GRS/RA-GRS GZRS/RA-GZRS

General-purpose v2

General-purpose v1

Block blob storage

Blob storage

File storage General-purpose v2

Block blob storage

File storage General-purpose v2

General-purpose v1

Blob storage General-purpose v2

upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 175/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #20 Topic 2

You plan to use the Azure Import/Export service to copy files to a storage account.

Which two files should you create before you prepare the drives for the import job? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A.
an XML manifest file

B.
a dataset CSV file

C.
a JSON configuration file

D.
a PowerShell PS1 file

E.
a driveset CSV file

Correct Answer:
DE

D: Modify the dataset.csv file in the root folder where the tool resides. Depending on whether you want to import a file or folder or both, add
entries in the dataset.csv file

E: Modify the driveset.csv file in the root folder where the tool resides.

Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-data-to-files

 
Lobe
Highly Voted 
6 months, 3 weeks ago
It should be B and E. Explanation is right though
upvoted 39 times

 
kt_tk_2020
Highly Voted 
6 months, 3 weeks ago
Correct answer is B and E. prepare the dataset first, then the driveset . then create the import/export job in azure portal and ship.
upvoted 14 times

 
mkoprivnj
Most Recent 
1 week, 5 days ago
B & E.
upvoted 1 times

 
Tamilarasan
2 weeks, 3 days ago
Correct Answer is B & E

https://docs.microsoft.com/en-us/azure/import-export/storage-import-export-data-to-files?tabs=azure-portal
upvoted 1 times

 
CARIOCA
1 month ago
This question is very divided in the feedback, after all what would be the answer and which justified it?

After a debate of 25 comments, is the final answer to the question the same or not?

My humble suggestion for the Exam Topics would be to have an official moderator who, depending on the debate on the issues, should be
responsible for changing the submitted template.

 
JayBee65
2 weeks, 3 days ago
The link provides a clear explanation of the answer :)
upvoted 1 times

 
JayBee65
2 weeks, 3 days ago
Maybe you should work it out form the comments :)
upvoted 1 times

 
mlantonis
1 month, 1 week ago
Correct Answer: B and E

Modify the dataset.csv file in the root folder where the tool resides. Depending on whether you want to import a file or folder or both, add entries
in the dataset.csv file

Modify the driveset.csv file in the root folder where the tool is.

Reference:

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 176/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

https://docs.microsoft.com/en-us/azure/import-export/storage-import-export-service

https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-data-to-files
upvoted 5 times

 
armandolubaba
1 month, 1 week ago
B and E
upvoted 1 times

 
Skilled_Hawkeye
1 month, 2 weeks ago
Correct answer on exam topics AZ-103. Its B and E.
upvoted 1 times

 
oriduri
1 month, 4 weeks ago
B and E is correct
upvoted 2 times

 
Bharadhi
2 months ago
It would be B and E
upvoted 1 times

 
Nihar258255
2 months, 1 week ago
Dear God please help exam topics to correct there answers.
upvoted 8 times

 
allray15
3 months, 1 week ago
i saw few answers are highlighted wrong but text explanations are right. why cant they just correct it
upvoted 6 times

 
ms70743
3 months, 1 week ago
B & E is correct
upvoted 1 times

 
mg
3 months, 1 week ago
B E (Dataset csv file and driveset csv file)
upvoted 1 times

 
Vole51
3 months, 1 week ago
why there is no admin or anyone from examtopics.com fixing these obvious answers?
upvoted 4 times

 
Lkk51
3 weeks, 3 days ago
it's a free site, dear
upvoted 1 times

 
ZUMY
3 months, 3 weeks ago
B. Dataset.csv

E. Driveset.csv
upvoted 2 times

 
toniiv
4 months, 1 week ago
Incorrect selection but correct explanation. It should be:

-B dataset.csv

-E driveset.csv
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 177/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #21 Topic 2

You have a Recovery Service vault that you use to test backups. The test backups contain two protected virtual machines.

You need to delete the Recovery Services vault.

What should you do first?

A.
From the Recovery Service vault, delete the backup data.

B.
Modify the disaster recovery properties of each virtual machine.

C.
Modify the locks of each virtual machine.

D.
From the Recovery Service vault, stop the backup of each backup item.

Correct Answer:
D

You can't delete a Recovery Services vault if it is registered to a server and holds backup data. If you try to delete a vault, but can't, the vault is
still configured to receive backup data.

Remove vault dependencies and delete vault

In the vault dashboard menu, scroll down to the Protected Items section, and click Backup Items. In this menu, you can stop and delete Azure
File Servers, SQL

Servers in Azure VM, and Azure virtual machines.

Reference:

https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault

 
tuta
Highly Voted 
6 months, 2 weeks ago
correct
upvoted 15 times

 
Dips88
Highly Voted 
1 month, 3 weeks ago
I think it should be 'A'. To complete recovery service deletion it definitely needs to stop all back ups and then delete back ups. In the question it is
never mentioned that backup is still on and moreover it contains two back ups. So for immediate deletion back up has to be deleted.
upvoted 5 times

 
McRowdy
Most Recent 
1 week, 1 day ago
The key statement here is "what should you do FIRST?". Answer is "D". Reason why "A" is not correct is because that is the second action. (Trick
question)
upvoted 1 times

 
mkoprivnj
1 week, 5 days ago
D is correct!
upvoted 1 times

 
Mich132
2 weeks ago
In an earlier question to remove a RG with a RSV in it the Consensus was to delete the backup data instead of stopping the backup. Here it is
stopping the backup data. Confusing... I think the answer here is correct.
upvoted 1 times

 
Govindaraj
2 weeks, 4 days ago
Correct Answer - "DFrom the Recovery Service vault, stop the backup of each backup item."

You can't delete service that contains protected data sources (for example, IaaS VMs, SQL databases, Azure file shares).

Reference :

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 178/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault#before-you-start
upvoted 1 times

 
mlantonis
1 month, 1 week ago
Correct Answer: D

Reference:

https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault#delete-protected-items-in-the-cloud
upvoted 3 times

 
armandolubaba
1 month, 1 week ago
D is correct
upvoted 1 times

 
cmong2005
1 month, 2 weeks ago
correct, you need to stop the backup service 1st, then delete the backup data.after that you can delete the vault
upvoted 3 times

 
AAKC
1 month, 3 weeks ago
Little confuse on this one. It says protected VMs. So we need to modify the lock first right?
upvoted 1 times

 
AAKC
1 month, 3 weeks ago
sorry never mind. I got it
upvoted 2 times

 
briya
1 month, 4 weeks ago
why can't A and D both right answers ?
upvoted 4 times

 
JayBee65
2 weeks, 3 days ago
From the link (https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault#delete-protected-items-in-the-cloud):

Step 3: You must check all of the following three places to verify if there are any protected items:

1. Cloud protected items...

2. SQL Server instance...

3. MARS protected servers...

4. MABS or DPM management servers...

This suggests that the first item should be to stop the backup. (D)

Next you would want to delete (A)

So the first action is D

upvoted 2 times

 
JayBee65
2 weeks, 3 days ago
test 123
upvoted 1 times

 
oriduri
1 month, 4 weeks ago
correct answer
upvoted 1 times

 
Bharadhi
2 months ago
yup answer is right
upvoted 1 times

 
Hodicek
2 months, 1 week ago
D is correct answer
upvoted 1 times

 
Princy1187
2 months, 2 weeks ago
Feels good, when you see every response as Correct Answer.
upvoted 3 times

 
JayBee65
2 weeks, 3 days ago
Not really, the answer looks to be A or C but nobody has addressed this, Just saying Correct doesn't really help anyone, its just sheep
upvoted 1 times

 
mg
3 months, 1 week ago
Answer is D
upvoted 1 times

 
ZUMY
3 months, 2 weeks ago
D is correct
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 179/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 180/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #22 Topic 2

HOTSPOT -

You have an Azure subscription named Subscription1 that contains the resources shown in the following table.

In storage1, you create a blob container named blob1 and a file share named share1.

Which resources can be backed up to Vault1 and Vault2? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: VM1 only -

VM1 is in the same region as Vault1.

File1 is not in the same region as Vautl1.

SQL is not in the same region as Vault1.

Blobs cannot be backup up to service vaults.

Note: To create a vault to protect virtual machines, the vault must be in the same region as the virtual machines.

Box 2: Share1 only.

Storage1 is in the same region (West USA) as Vault2. Share1 is in Storage1.

Note: After you select Backup, the Backup pane opens and prompts you to select a storage account from a list of discovered supported storage
accounts. They're either associated with this vault or present in the same region as the vault, but not yet associated to any Recovery Services

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 181/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

vault.

Reference:

https://docs.microsoft.com/bs-cyrl-ba/azure/backup/backup-create-rs-vault https://docs.microsoft.com/en-us/azure/backup/backup-afs

 
Hibs2016
Highly Voted 
6 months, 2 weeks ago
Answer looks correct it is only share1 within storage1 that can be backed up as you can't back up blobs

See: https://feedback.azure.com/forums/217298-storage/suggestions/37096837-possibility-to-backup-blob-data-in-the-recovery-se
upvoted 20 times

 
FitObelix
1 week, 3 days ago
it says nothing about blobs, it talks about a blob container
upvoted 1 times

 
Borbz
6 months, 1 week ago
Answer is correct. Storage1 is not valid because it contains a Blob inside, so only Share1 can be backup.
upvoted 7 times

 
mlantonis
Highly Voted 
1 month ago
Correct Answer:

Box 1: VM1 only

VM1 is in the same region as Vault1. File1 is not in the same region as Vautl1. SQL is not in the same region as Vault1. Blobs cannot be backup up
to service vaults.

Note: To create a Vault to protect VMs, the Vault must be in the same Region as the VMs.

Box 2: Share1 only

Storage1 is in the same region as Vault2. Share1 is in Storage1.

Note: Only VM and Fileshare is allowed to Backup.

Reference:

https://docs.microsoft.com/bs-cyrl-ba/azure/backup/backup-create-rs-vault

https://docs.microsoft.com/en-us/azure/backup/backup-afs

https://feedback.azure.com/forums/217298-storage/suggestions/37096837-possibility-to-backup-blob-data-in-the-recovery-se
upvoted 7 times

 
mkoprivnj
Most Recent 
1 week, 5 days ago
1. VM1 only

2. share1 only
upvoted 2 times

 
longtech
1 month, 1 week ago
The second answer is wrong. The Recovery Services vault is back up in the same region, in the storage 1 (blob and share) so the answer is blob and
share only
upvoted 1 times

 
shnz03
1 week, 5 days ago
I disagree. If you go thru github az 104 lab, the option in the backup goal that is related to the question is File Share. No blob
upvoted 1 times

 
nfett
1 month, 2 weeks ago
verified from provided articles. answer is correct.
upvoted 1 times

 
Sanin
1 month, 2 weeks ago
All vaults must be with in the same Region as the Resources that are being backed up
upvoted 3 times

 
ealcober
2 months, 2 weeks ago
error in question graphic. No share one!
upvoted 1 times

 
DannyGupta
2 months, 1 week ago
Read the text
upvoted 3 times

 
Sahir
3 months ago
A. VM1 only, B. Share1 only-

only VM and fileshare is allowed to Backup

upvoted 4 times

 
incubutus
3 months, 1 week ago
The answer is correct. VM1 Only as it's the only resource in the same Region of Vault1. Share1 Only as with Recovery Services Vault you can only
backup File Shares.
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 182/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
mg
3 months, 1 week ago
VM1 And Share1
upvoted 2 times

 
Sandroal29
3 months, 2 weeks ago
The provided answer is correct.
upvoted 3 times

 
ZUMY
3 months, 2 weeks ago
Storage1 is not valid because it contains a Blob inside, so only Share1 can be backup
upvoted 3 times

 
fedztedz
3 months, 3 weeks ago
Answer is Correct. VM1 & Share1
upvoted 3 times

 
ZUMY
3 months, 3 weeks ago
VM1 Only

Share1 Only - Storage1 has blob which is unable to backup for now
upvoted 3 times

 
toniiv
4 months, 1 week ago
Answer is correct: The vault must be in the same region as the data source
upvoted 2 times

 
mikl
4 months, 1 week ago
Storage1 contains blob - which cant be backed up, therefore :

VM1 only

Share1 only
upvoted 4 times

 
waterzhong
5 months, 1 week ago
The Select Storage Account Pane opens on the right, listing a set of discovered supported storage accounts. They're either associated with this
vault or present in the same region as the vault, but not yet associated to any Recovery Services vault.

From the list of discovered storage accounts, select an account, and select OK.

The next step is to select the file shares you want to back up. Select the Add button in the FileShares to Backup section.
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 183/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #23 Topic 2

You have an Azure subscription named Subscription1.

You have 5 TB of data that you need to transfer to Subscription1.

You plan to use an Azure Import/Export job.

What can you use as the destination of the imported data?

A.
a virtual machine

B.
an Azure Cosmos DB database

C.
Azure File Storage

D.
the Azure File Sync Storage Sync Service

Correct Answer:
C

Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to
an Azure datacenter.

The maximum size of an Azure Files Resource of a file share is 5 TB.

Note:

There are several versions of this question in the exam. The question has two correct answers:

1. Azure File Storage

2. Azure Blob Storage

The question can have other incorrect answer options, including the following:

✑ Azure Data Lake Store

✑ Azure SQL Database

✑ Azure Data Factory

Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-service

 
Rodro13
Highly Voted 
6 months, 2 weeks ago
Correct
upvoted 13 times

 
fedztedz
Highly Voted 
6 months ago
Answer is correct
upvoted 10 times

 
mkoprivnj
Most Recent 
1 week, 5 days ago
C is correct!
upvoted 1 times

 
Raj_Rock
2 weeks, 1 day ago
If answer is correct then why spamming the discussion forum. This forum is to be used when there is any discrepancy or any mistake in the answer.
upvoted 1 times

 
mlantonis
1 month ago
Correct Answer: C

Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to an
Azure datacenter. This service can also be used to transfer data from Azure Blob storage to disk drives and ship to your on-premises sites. Data
from one or more disk drives can be imported either to Azure Blob storage or Azure Files. The maximum size of an Azure Files Resource of a file
share is 5 TB.

Note: There are several versions of this question in the exam. The question has two correct answers:

1. Azure File Storage

2. Azure Blob Storage

The question can have other incorrect answer options, including the following:

✑ Azure Data Lake Store

✑ Azure SQL Database

✑ Azure Data Factory

Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-service

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 184/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 4 times

 
nfett
1 month, 2 weeks ago
Confirmed from the provided url , answer is correct.
upvoted 1 times

 
marvinconejo
3 months, 1 week ago
This is Azure File Storage
upvoted 4 times

 
mg
3 months, 1 week ago
Azure file storage is the correct answer
upvoted 1 times

 
ZUMY
3 months, 3 weeks ago
C. Is correct!
upvoted 1 times

 
toniiv
4 months, 1 week ago
C. is correct
upvoted 1 times

 
waterzhong
5 months, 1 week ago
The WAImportExport tool is available in two versions, version 1 and 2. We recommend that you use:

Version 1 for import/export into Azure Blob storage.

Version 2 for importing data into Azure files.

upvoted 4 times

 
waterzhong
5 months, 1 week ago
Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to an
Azure datacenter. This service can also be used to transfer data from Azure Blob storage to disk drives and ship to your on-premises sites. Data
from one or more disk drives can be imported either to Azure Blob storage or Azure Files.
upvoted 3 times

 
sicmundus
6 months ago
Qn. came on 12/21/2020
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 185/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #24 Topic 2

HOTSPOT -

You have an Azure subscription.

You create the Azure Storage account shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

NOTE: Each correct selection is worth one point.

Hot Area:

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 186/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer:

Box 1: 3 -

Locally Redundant Storage (LRS) provides highly durable and available storage within a single location (sub region). We maintain an equivalent
of 3 copies

(replicas) of your data within the primary location as described in our SOSP paper; this ensures that we can recover from common failures
(disk, node, rack) without impacting your storage account‫ג‬€™s availability and durability.

Box 2: Access tier -

Change the access tier from Hot to Cool.

Note: Azure storage offers different access tiers, which allow you to store blob object data in the most cost-effective manner. The available
access tiers include:

Hot - Optimized for storing data that is accessed frequently.

Cool - Optimized for storing data that is infrequently accessed and stored for at least 30 days.

Archive - Optimized for storing data that is rarely accessed and stored for at least 180 days with flexible latency requirements (on the order of
hours).

Reference:

https://azure.microsoft.com/en-us/blog/data-series-introducing-locally-redundant-storage-for-windows-azure-storage/
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers

 
fedztedz
Highly Voted 
6 months ago
Answer is Correct
upvoted 20 times

 
waterzhong
Highly Voted 
6 months, 1 week ago
Locally Redundant Storage (LRS) provides highly durable and available storage within a single location (sub region). We maintain an equivalent of 3
copies (replicas) of your data within the primary location as described in our SOSP paper; this ensures that we can recover from common failures
(disk, node, rack) without impacting your storage account’s availability and durability.
upvoted 7 times

 
mkoprivnj
Most Recent 
1 week, 5 days ago
1. LRS 3 copies

2. Tier
upvoted 1 times

 
mlantonis
1 month ago
Correct Answer:

Box 1: 3

Locally Redundant Storage (LRS) provides highly durable and available storage within a single location (sub region). We maintain an equivalent of 3
copies (replicas) of your data within the primary location.

Box 2: Access tier

Change the access tier from Hot to Cool.

Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy

https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers
upvoted 2 times

 
nfett
1 month, 2 weeks ago
verified from provided url answer is correct.
upvoted 1 times

 
ddb116
2 months, 4 weeks ago
In a round about way they are asking about availability sets in this question.
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 187/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 2 times

 
mg
3 months, 1 week ago
Answer is correct

3 copy LRS and Access tier

upvoted 3 times

 
ZUMY
3 months, 2 weeks ago
3 copy, Access Tier
upvoted 3 times

 
toniiv
4 months, 1 week ago
Both answers are correct. Any type of redundancy in Azure Storage accounts will have 3 copies for data.
upvoted 4 times

 
ms70743
5 months, 2 weeks ago
LRS(3) and Access tier
upvoted 1 times

 
ms70743
5 months, 2 weeks ago
LRS and Access Tier(default)
upvoted 2 times

 
sicmundus
6 months ago
Qn. came on 12/21/2020
upvoted 1 times

 
BChani
6 months, 1 week ago
Is this the right answer?
upvoted 1 times

 
Ikrom
6 months, 1 week ago
Yes, both of them are correct.

- LRS has 3 copies of data

- Access tier has the "cool" option to store infrequently accessed data.
upvoted 5 times

 
Ankigupta
6 months, 3 weeks ago
came in exam 04/12/2020
upvoted 3 times

 
tuta
6 months, 2 weeks ago
these comments look like bots , will ignore them for now
upvoted 5 times

 
sicmundus
6 months ago
Ha ha. What's the point in posting using bots? They're already giving 70% questions for free. I have prepared for AZ900 and AZ104 within 5
days (no previous experience of Azure, only worked on AWS for an year) and passed on both (barely with around 750). My preparation was
not complete, I did not even go through half the questions from both the exam pages.
upvoted 8 times

 
greatsparta
5 months ago
Haha, so now you have two exams under your belt but will never remain in a job once they realize you don't know s%$t about Azure. I
make a point of learning the material and using this site to cement my knowledge so I'm not cheating the system and myself.
upvoted 14 times

 
oneteechi
4 months, 2 weeks ago
I do something similar. Used the Microsoft learn sites, it has sandboxed labs you can do. Then go through the questions here and do
the Plurasight course and labs in my own sub at the same time, it sinks in a bit better for me that way.
upvoted 5 times

 
Boluwatife
6 months, 1 week ago
why did you think so?
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 188/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 189/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #25 Topic 2

You have an Azure Storage account named storage1.

You plan to use AzCopy to copy data to storage1.

You need to identify the storage services in storage1 to which you can copy the data.

What should you identify?

A.
blob, file, table, and queue

B.
blob and file only

C.
file and table only

D.
file only

E.
blob, table, and queue only

Correct Answer:
B

AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage account.

Incorrect Answers:

A, C, E: AzCopy does not support table and queue storage services.

D: AzCopy supports file storage services, as well as blob storage services.

Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10

 
VijayMathru
Highly Voted 
10 months, 3 weeks ago
Answer is Correct
upvoted 23 times

 
ExamTopics_Yeti
Highly Voted 
11 months ago
on AZ-104 exam on 7/24/2020
upvoted 19 times

 
mkoprivnj
Most Recent 
1 week, 5 days ago
blob and file only!
upvoted 1 times

 
camarlengo
1 month ago
correct!!
upvoted 1 times

 
mlantonis
1 month ago
Correct Answer: B

AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage account.

You can provide authorization credentials by using Azure Active Directory (AD), or by using a Shared Access Signature (SAS) token.

- Blob storage: Azure AD & SAS

- File storage: SAS only

Incorrect Answers:

A, C, E: AzCopy does not support table and queue storage services.

D: AzCopy supports file storage services, as well as blob storage services.

Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10
upvoted 3 times

 
armandolubaba
1 month, 1 week ago
B is correct
upvoted 1 times

 
nfett
1 month, 2 weeks ago
verified from provided url answer is correct.
upvoted 1 times

 
ZUMY
3 months, 2 weeks ago
B is correct

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 190/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times

 
Sandroal29
3 months, 3 weeks ago
The provided answer is correct.
upvoted 1 times

 
toniiv
4 months, 1 week ago
B. is correct (Blobs and Files only)
upvoted 1 times

 
mikl
4 months, 1 week ago
Easy - its B.

"AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage account. This article helps you download AzCopy,
connect to your storage account, and then transfer files."

Source : https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10
upvoted 2 times

 
ar_vinoth
4 months, 1 week ago
answer is correct
upvoted 1 times

 
waterzhong
4 months, 2 weeks ago
Copies source data to a destination location. The supported directions are:

local <-> Azure Blob (SAS or OAuth authentication)

local <-> Azure Files (Share/directory SAS authentication)

local <-> Azure Data Lake Storage Gen 2 (SAS, OAuth, or shared key authentication)

Azure Blob (SAS or public) -> Azure Blob (SAS or OAuth authentication)

Azure Blob (SAS or public) -> Azure Files (SAS)

Azure Files (SAS) -> Azure Files (SAS)

Azure Files (SAS) -> Azure Blob (SAS or OAuth authentication)

Amazon Web Services (AWS) S3 (Access Key) -> Azure Block Blob (SAS or OAuth authentication)

For more information, see the examples section of this article.

upvoted 3 times

 
anisha
5 months ago
answer is correct
upvoted 1 times

 
solarwinds123
5 months, 4 weeks ago
Keep in mind the latest AzCopy version (v10) does not allow transfers to table storage, but version 7.3 does.
upvoted 2 times

 
ms70743
6 months ago
B.

AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage account
upvoted 1 times

 
waterzhong
6 months, 1 week ago
AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage account. This article helps you download AzCopy,
connect to your storage account, and then transfer files.
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 191/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #26 Topic 2

HOTSPOT -

You have an Azure Storage account named storage1 that uses Azure Blob storage and Azure File storage.

You need to use AzCopy to copy data to the blob storage and file storage in storage1.

Which authentication method should you use for each type of storage? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

You can provide authorization credentials by using Azure Active Directory (AD), or by using a Shared Access Signature (SAS) token.

Box 1:

Both Azure Active Directory (AD) and Shared Access Signature (SAS) token are supported for Blob storage.

Box 2:

Only Shared Access Signature (SAS) token is supported for File storage.

Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10

 
waterzhong
Highly Voted 
6 months, 1 week ago
Authorize AzCopy

You can provide authorization credentials by using Azure Active Directory (AD), or by using a Shared Access Signature (SAS) token.

Use this table as a guide:

AUTHORIZE AZCOPY

Storage type Currently supported method of authorization

Blob storage Azure AD & SAS

Blob storage (hierarchical namespace) Azure AD & SAS

File storage SAS only

upvoted 17 times

 
RithuNethra
Highly Voted 
6 months, 3 weeks ago
correct answer

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 192/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 13 times

 
mkoprivnj
Most Recent 
1 week, 5 days ago
AUTHORIZE AZCOPY

Storage type Currently supported method of authorization

Blob storage Azure AD & SAS

Blob storage (hierarchical namespace) Azure AD & SAS

File storage SAS only

upvoted 1 times

 
mlantonis
1 month ago
Correct Answer:

You can provide authorization credentials by using Azure Active Directory (AD), or by using a Shared Access Signature (SAS) token.

Box 1: Both Azure Active Directory (AD) and Shared Access Signature (SAS) token are supported for Blob storage.

Box 2: Only Shared Access Signature (SAS) token is supported for File storage.

Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10
upvoted 5 times

 
nfett
1 month, 2 weeks ago
Verified from provided url answer is correct
upvoted 1 times

 
Chief
1 month, 3 weeks ago
Authorize AzCopy

You can provide authorization credentials by using Azure Active Directory (AD), or by using a Shared Access Signature (SAS) token.

Use this table as a guide:

Authorize AzCopy

Storage type Currently supported method of authorization

Blob storage Azure AD & SAS

Blob storage (hierarchical namespace) Azure AD & SAS

File storage SAS only

upvoted 3 times

 
mdyck
2 months, 2 weeks ago
Correct.

https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10#authorize-azcopy
upvoted 2 times

 
Snownoodles
2 months, 3 weeks ago
Azcopy can also use access key to access storage account:

https://microsoft.github.io/AzureTipsAndTricks/blog/tip81.html
upvoted 1 times

 
Snownoodles
2 months, 3 weeks ago
why not access key? access key is at storage account level, it can grant full access to both Blob and File share

https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage
upvoted 2 times

 
ScreamingHand
1 week, 2 days ago
We're specifically discussing AZCopy here
upvoted 1 times

 
mg
3 months, 1 week ago
Answer is correct
upvoted 2 times

 
Adelate
3 months, 2 weeks ago
correct answer
upvoted 1 times

 
ZUMY
3 months, 2 weeks ago
Given answer is correct

Az Ad auth & SASig

Shared Acess Sig

upvoted 4 times

 
ZUMY
3 months, 2 weeks ago
Az Ad auth & SASig

Share Acess Key

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 193/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 2 times

 
toniiv
4 months, 1 week ago
Answers are correct from the referenced documentation https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10
upvoted 1 times

 
mikl
4 months, 1 week ago
Correct.

https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10

Blob storage Azure AD & SAS

Blob storage (hierarchical namespace) Azure AD & SAS

File storage SAS only

upvoted 1 times

 
ar_vinoth
4 months, 1 week ago
Correct answer

https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10#authorize-azcopy
upvoted 1 times

 
waterzhong
4 months, 2 weeks ago
Authorize AzCopy

You can provide authorization credentials by using Azure Active Directory (AD), or by using a Shared Access Signature (SAS) token.

Use this table as a guide:

AUTHORIZE AZCOPY

Storage type Currently supported method of authorization

Blob storage Azure AD & SAS

Blob storage (hierarchical namespace) Azure AD & SAS

File storage SAS only

upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 194/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #27 Topic 2

You have an Azure subscription that contains an Azure Storage account.

You plan to create an Azure container instance named container1 that will use a Docker image named Image1. Image1 contains a Microsoft SQL
Server instance that requires persistent storage.

You need to configure a storage service for Container1.

What should you use?

A.
Azure Files

B.
Azure Blob storage

C.
Azure Queue storage

D.
Azure Table storage

Correct Answer:
D

 
waterzhong
Highly Voted 
6 months, 3 weeks ago
Correct answer should be Azure Files
upvoted 63 times

 
abu3lia
6 months, 3 weeks ago
Correct, here is the proof: https://azure.microsoft.com/en-us/blog/persistent-docker-volumes-with-azure-file-storage/
upvoted 11 times

 
wooyourdaddy
6 months, 3 weeks ago
Where did you validate this from ?
upvoted 1 times

 
fedztedz
Highly Voted 
6 months, 1 week ago
Answer is not Correct. It should be A "Azure Files"

Azure files are used as persistent disks for docker images. It doesn't matter the type of the image or its functionality.
upvoted 26 times

 
McRowdy
Most Recent 
1 week, 1 day ago
The correct answer is "A", due to SQL being a container. "D" would be correct if the actual SQL DB was stored directly.
upvoted 1 times

 
binisho123
1 week, 4 days ago
Answer is A, tested in lab....lol
upvoted 1 times

 
mkoprivnj
1 week, 5 days ago
A is correct!
upvoted 1 times

 
mlantonis
1 month, 1 week ago
Correct Answer:

In Azure container instances, you can mount Azure File shares for persistent storage. Azure files are used as persistent disks for docker images. It
doesn't matter the type of the image or its functionality.

Persistent shared storage for containers. Easily share data between containers using NFS or SMB file shares. Azure Files is tightly integrated with
Azure Kubernetes Service (AKS) for easily storing and managing data.

Reference:

https://azure.microsoft.com/en-us/blog/persistent-docker-volumes-with-azure-file-storage

https://azure.microsoft.com/en-us/services/storage/files/#features
upvoted 8 times

 
nfett
1 month, 2 weeks ago
A is the right answer.
upvoted 2 times

 
ashishg2105
1 month, 2 weeks ago
Correct answer is A: Azure Files. 100%

Explanation:In Azure container instances, you can mount Azure File shares for persistent storage.
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 195/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics
p y p g
upvoted 1 times

 
Nihar258255
1 month, 4 weeks ago
Its azure files in udemy.
upvoted 1 times

 
seeven_kathan
3 months ago
Answer should be Azure File storage.

Persistent shared storage for containers

Easily share data between containers using NFS or SMB file shares. Azure Files is tightly integrated with Azure Kubernetes Service (AKS) for easily
storing and managing data.

https://azure.microsoft.com/en-us/services/storage/files/#features
upvoted 4 times

 
bacana
3 months, 1 week ago
"Server instance that requires persistent storage". Azure files.
upvoted 1 times

 
ms70743
3 months, 1 week ago
Answer is A. Azure Files - persistent
upvoted 1 times

 
incubutus
3 months, 1 week ago
The answer is Azure Files. Only Azure Files are persistent as Blob Storage isn't. This question is asking where to keep the image of an SQL Server as
Persistent Storage. Azure Files Are.

Reference: https://azure.microsoft.com/en-us/blog/persistent-docker-volumes-with-azure-file-storage/
upvoted 3 times

 
mg
3 months, 2 weeks ago
A Azure files
upvoted 1 times

 
ReginaldoBarreto
3 months, 2 weeks ago
https://docs.microsoft.com/pt-br/azure/container-instances/container-instances-volume-azure-files

Answer A
upvoted 1 times

 
Wizard69
3 months, 2 weeks ago
I agree, Azure Files :)
upvoted 1 times

 
Sandroal29
3 months, 3 weeks ago
I do believe the right answer is azure file share, it is based on Microsoft documentation where is stated that azure file shares can be usedd as
persistent storage for containers.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 196/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #28 Topic 2

You have an app named App1 that runs on two Azure virtual machines named VM1 and VM2.

You plan to implement an Azure Availability Set for App1. The solution must ensure that App1 is available during planned maintenance of the
hardware hosting

VM1 and VM2.

What should you include in the Availability Set?

A.
one update domain

B.
two fault domains

C.
one fault domain

D.
two update domains

Correct Answer:
D

Microsoft updates, which Microsoft refers to as planned maintenance events, sometimes require that VMs be rebooted to complete the update.
To reduce the impact on VMs, the Azure fabric is divided into update domains to ensure that not all VMs are rebooted at the same time.

Incorrect Answers:

A: An update domain is a group of VMs and underlying physical hardware that can be rebooted at the same time.

B, C: A fault domain shares common storage as well as a common power source and network switch. It is used to protect against unplanned
system failure.

References:

https://petri.com/understanding-azure-availability-sets

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-availability-sets

 
Parsec
Highly Voted 
6 months, 2 weeks ago
It's "planned maintenance of the HARDWARE" in the question, not OS or software update. Should be 2 fault domains imho.
upvoted 18 times

 
janshal
6 months, 1 week ago
Hi the answer is D:

the Q talk about the hardware hosting VM1 and VM2.

the hardware, meaning the Server containing the VMs (Called Update domain ).

During a Planed maintenance the update domains are shootdown one at a time. so D is ther right answer
upvoted 20 times

 
HuseinHasan
6 months, 1 week ago
what will happen if the fault domain crashes, thats why i would go with two fault domains
upvoted 1 times

 
Alir95
2 months, 1 week ago
The question is specific to "Planned Maint", not outages and redundancy ... D is right.
upvoted 4 times

 
balflearchen
5 months, 2 weeks ago
He asked about planned hardware maintenance, why you try to misleading everyone here? D is correct.
upvoted 4 times

 
fakhri32
Highly Voted 
6 months, 3 weeks ago
tested !
upvoted 10 times

 
JoeRogersHi
6 days, 10 hours ago
Troll.
upvoted 1 times

 
mikl
4 months, 2 weeks ago
Tested what?

Stop writing useless comments!

upvoted 37 times

 
shnz03
3 weeks, 1 day ago
I agree with you. But it is kind of funny right to claim you can test HW maintenance? ... LOL
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 197/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
az104bd
3 months, 2 weeks ago
oh man !! :D
upvoted 3 times

 
kbpn
Most Recent 
22 hours, 8 minutes ago
Two update domains can be inside one fault domain. So in this case of planned hardware Maintainance if a fault domain goes down then the app
becomes unavialble. I think the answer should be 2 fault domains.
upvoted 1 times

 
mkoprivnj
1 week, 5 days ago
i would say D!
upvoted 1 times

 
HTD
2 weeks, 1 day ago
Fault is realted to Hardware ..Update is for Pacthing....
upvoted 1 times

 
ScreamingHand
2 weeks, 6 days ago
For me, the keyword here is "planned", - so I am going for 'D' Update. Faults are not "planned". MS put the word "hardware" in the question
because they're arseholes.
upvoted 3 times

 
Voravut
1 month ago
D is correct answer.

I passed exam on 05/24.

80-90 % questions are from this exam. Please read it carefully. Also read in "discussion" in all questions of this website as sometimes they showed
the wrong answer.

Best of luck.
upvoted 5 times

 
BennyWang
3 weeks, 3 days ago
Can you share the lab operation questions?
upvoted 1 times

 
vamshidhara
1 month, 1 week ago
If maintenance requires a reboot, you're notified of the planned maintenance

So answer is right
upvoted 1 times

 
mlantonis
1 month, 1 week ago
Correct Answer: D

When you create an Availability Set, the hardware in a location is divided into multiple update domains and fault domains.

An update domain is a group of VMs and underlying physical hardware that can be rebooted at the same time.

VMs in the same fault domain share common storage as well as a common power source and network switch.

During scheduled maintenance, only one update domain is updated at any given time. Update domains aren't necessarily updated sequentially. So,
we need two update domains.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-availability-sets

https://docs.microsoft.com/en-us/azure/virtual-machines/manage-availability

https://docs.microsoft.com/en-us/azure/virtual-machines/maintenance-and-updates
upvoted 6 times

 
TJay
1 month, 1 week ago
Planned maintenance could be either for Patching or Hardware replacement. In the question it says "planned maintenance of the HARDWARE"

Therefore VMs would need to be across 2 x racks = Two fault domains.

Correct answer is B = Two fault domains

If the planned maintenance's for patching (Updates) > answer would be "Two update domains" (As only one VM's rebooted at a time)
upvoted 2 times

 
ronsav80
1 month ago
Fault domains are only if/when an entire datacenter goes down (unplanned outage). Update domains are for planned outage (ie, windows
updates)
upvoted 1 times

 
nfett
1 month, 3 weeks ago
D is right. confirmed from the provided doc.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 198/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
Davar39
2 months ago
Qs like this one is why I gladly spend my money on Exam Topic Contributor access vs paying M$ another 165$. We are expected to know that :

Microsoft updates, which Microsoft refers to as planned maintenance events, sometimes require that VMs be rebooted to complete the update.

This is useless minutia, knowing this information proves nothing.

upvoted 2 times

 
mdyck
2 months, 2 weeks ago
Answer is D
upvoted 3 times

 
Nickus
3 months, 1 week ago
App1need to be available during planned maintenance of the hardware hosting.

There is why answer is D

https://www.youtube.com/watch?v=cw5UTSfR4EM
upvoted 3 times

 
trahwija2001
3 months, 1 week ago
Fault domains define the group of virtual machines that share a common power source and network switch. By default, the virtual machines
configured within your availability set are separated across up to three fault domains for Resource Manager deployments. While placing your
virtual machines into an availability set does not protect your application from operating system or application-specific failures, it does limit the
impact of potential physical hardware failures, network outages, or power interruptions.

https://docs.microsoft.com/en-us/azure/virtual-machines/availability-set-overview
upvoted 2 times

 
mg
3 months, 1 week ago
Answer D. Update domain
upvoted 1 times

 
cicia198411
3 months, 2 weeks ago
Two fault domain, These maintenance operations that don't require a reboot are applied one fault domain at a time. They stop if they receive any
warning health signals from platform monitoring tools.

From <https://docs.microsoft.com/en-us/azure/virtual-machines/maintenance-and-updates#maintenance-that-doesnt-require-a-reboot>
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 199/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #29 Topic 2

You have an Azure subscription named Subscription1.

You have 5 TB of data that you need to transfer to Subscription1.

You plan to use an Azure Import/Export job.

What can you use as the destination of the imported data?

A.
an Azure Cosmos DB database

B.
Azure Blob storage

C.
Azure Data Lake Store

D.
the Azure File Sync Storage Sync Service

Correct Answer:
B

Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to
an Azure datacenter.

Note:

There are several versions of this question in the exam. The question has two correct answers:

1. Azure File Storage

2. Azure Blob Storage

The question can have other incorrect answer options, including the following:

✑ a virtual machine

✑ Azure SQL Database

✑ Azure Data Factory

Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-service

 
mkoprivnj
1 week, 5 days ago
B is correct!
upvoted 1 times

 
yigido
3 weeks ago
dublicated
upvoted 1 times

 
mlantonis
1 month, 1 week ago
Correct Answer:

Note: There are several versions of this question in the exam. The question has two correct answers:

1. Azure File Storage

2. Azure Blob Storage

The question can have other incorrect answer options, including the following:

✑ Azure Data Lake Store

✑ Azure SQL Database

✑ Azure Data Factory

Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-service
upvoted 2 times

 
nfett
1 month, 2 weeks ago
confirmed from provided link answer is correct.
upvoted 2 times

 
Manimegha
1 month, 3 weeks ago
Correct
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 200/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
Alses1970
1 month, 3 weeks ago
Correct

https://docs.microsoft.com/en-us/azure/import-export/storage-import-export-service
upvoted 2 times

 
Devgela
1 month, 3 weeks ago
Correct Answer: B
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 201/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #30 Topic 2

DRAG DROP -

You have an Azure subscription that contains an Azure file share.

You have an on-premises server named Server1 that runs Windows Server 2016.

You plan to set up Azure File Sync between Server1 and the Azure file share.

You need to prepare the subscription for the planned Azure File Sync.

Which two actions should you perform in the Azure subscription? To answer, drag the appropriate actions to the correct targets. Each action may
be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Select and Place:

Correct Answer:

First action: Create a Storage Sync Service

The deployment of Azure File Sync starts with placing a Storage Sync Service resource into a resource group of your selected subscription.

Second action: Install the Azure File Sync agent

The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share.

Reference:

https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide

 
gujjudesi420
Highly Voted 
1 month, 3 weeks ago
I think answer should be Create Storage Sync Service, Create a Sync Group as they are asking for "Which two actions should you perform in the
Azure subscription?"
upvoted 32 times

 
mashk19
2 weeks, 1 day ago
Agreed. The question explicitly says which two actions would you perform in the Azure Subscription. You'd install the sync agent on the on
premises server so that would not be a valid choice. And you'd register the server from the server. Which leaves you with only two choices left.
Create a Storage Sync Service. Create a sync group.
upvoted 4 times

 
Alses1970
1 month, 3 weeks ago
and the link provided in answer has teh following:

1. Deploy a Storage Sync Service.

2. Create a sync group.

3. Install Azure File Sync agent on the server with the full data set.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 202/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Agent is installed on the server not in azure so can't be the right answer
upvoted 15 times

 
MohnR
Highly Voted 
1 month, 2 weeks ago
Answer according to scenarios

Azure Subscription -> 1. Create Storage Sync Service 2. Create Sync Group

On-Prem Server -> 1. Install FS Agent 2. Register Server

General -> 1. Create Storage Sync Service 2. Install FS Agent

According to Question Answer should be from Azure Subscription Scenario

upvoted 9 times

 
mkoprivnj
Most Recent 
1 week, 5 days ago
Create Storage Sync Service, Create a Sync Group
upvoted 1 times

 
Raj_Rock
2 weeks, 1 day ago
Answer is wrong.

The recommended steps to onboard on Azure File Sync for the first time with zero downtime while preserving full file fidelity and access control list
(ACL) are as follows:

Deploy a Storage Sync Service.

Create a sync group.

Install Azure File Sync agent on the server with the full data set.

Register that server and create a server endpoint on the share.

https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-deployment-guide?tabs=azure-portal%2Cproactive-portal#onboarding-with-
azure-file-sync
upvoted 1 times

 
rrr
4 weeks ago
Install the Azure File Sync agent

Register Windows Server with Storage Sync Service

link:https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-deployment-guide?tabs=azure-portal%2Cproactive-portal
upvoted 1 times

 
mlantonis
1 month, 1 week ago
Correct Answer:

First action: Create a Storage Sync Service

The deployment of Azure File Sync starts with placing a Storage Sync Service resource into a resource group of your selected subscription.

Second action: Install the Azure File Sync agent

The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share.

1. Prepare Windows Server to use with Azure File Sync

2. Deploy the Storage Sync Service

3. Install the Azure File Sync agent

4. Register Windows Server with Storage Sync Service

5. Create a sync group and a cloud endpoint

6. Create a server endpoint

7. Configure firewall and virtual network settings

Reference:

https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide

https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-deployment-guide?tabs=azure-portal%2Cproactive-portal#deploy-the-storage-
sync-service
upvoted 3 times

 
lingxian
1 week, 6 days ago
Wrong answer, you can't "Install the Azure File Sync agent" in Azure.
upvoted 1 times

 
chaudha4
1 month ago
The question is about what you do in your Azure subscription. The second action that you suggest cannot be done on your subscription. It
needs to be done on the on-prem server.
upvoted 4 times

 
jantoniocesargatica
1 month, 1 week ago
If we do not read carefully, we will not pass the exam. The question says on Azure, it doesn't say On Premise. The answer is obvious, Create Storage
Sync Service and Create a Sync Group
upvoted 5 times

 
hgdlyl
1 month, 2 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 203/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Answer is not correct. The Azure File Synchronization Agent is installed on the on-premise server. The server registration for the storage
synchronization service is also done on-premise. Question is "Which two actions should you perform in the Azure subscription?".
upvoted 2 times

 
nfett
1 month, 2 weeks ago
per their provided doc answer appears correct.
upvoted 1 times

 
kawsar
1 month, 2 weeks ago
1. Prepare Windows Server to use with Azure File Sync

2. Deploy the Storage Sync Service

3. Install the Azure File Sync agent

4. Register Windows Server with Storage Sync Service

5. Create a sync group and a cloud endpoint

6. Create a server endpoint

7. Configure firewall and virtual network settings

https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-deployment-guide?tabs=azure-portal%2Cproactive-portal#deploy-the-storage-
sync-service
upvoted 2 times

 
ashishg2105
1 month, 2 weeks ago
Given Answer is correct.

https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-deployment-guide?tabs=azure-portal%2Cproactive-portal#deploy-the-storage-
sync-service
upvoted 1 times

 
coders1234
1 month, 3 weeks ago
1. Deploy a Storage Sync Service.

2. Create a sync group.

3. Install Azure File Sync agent on the server with the full data set.

4. Register that server and create a server endpoint on the share.

https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-deployment-guide?tabs=azure-portal%2Cproactive-portal
upvoted 2 times

 
Rajash
1 month, 3 weeks ago
Given answer is correct.
upvoted 1 times

 
jantoniocesargatica
1 month, 3 weeks ago
Not correct.
upvoted 1 times

 
cyna58
1 month, 3 weeks ago
Not true. The question is Which two actions should you perform in the Azure subscription?

So it should be

1. Deploy a Storage Sync Service.

2. Create a sync group.

The answer would correct for on-premise side.

upvoted 6 times

 
jantoniocesargatica
1 month, 3 weeks ago
1. Deploy Storage Sync Service.

2. Creat a sync group.

I really do not understand why people is wirtting things without testing. This is creating a very big confusion to everyone. Many questions
like this one.
upvoted 6 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 204/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #31 Topic 2

HOTSPOT -

You have an Azure subscription that contains the file shares shown in the following table.

You have the on-premises file shares shown in the following table.

You create an Azure file sync group named Sync1 and perform the following actions:

✑ Add share1 as the cloud endpoint for Sync1.

✑ Add data1 as a server endpoint for Sync1.

✑ Register Server1 and Server2 to Sync1.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: No -

A sync group must contain one cloud endpoint, which represents an Azure file share and one or more server endpoints.

Box 2: Yes -

Data2 is located on Server2 which is registered to Sync1.

Box 3: No -

Data3 is located on Server3 which is not registered to Sync1.

Reference:

https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide?tabs=azure-portal%2Cproactive-portal#create-a-
sync-group-and-a- cloud-endpoint
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 205/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
cyna58
Highly Voted 
1 month, 2 weeks ago
NO - only one cloud endpoint can be added to sync1

YES - Server2 has been registered to Sync1 but data2 is not added to server endpoint. So we can add data2 as additional server endpoint for Sync1

NO - We have to register Server3 first

upvoted 28 times

 
jecah
1 month, 2 weeks ago
Exactly. We cannot add an endpoint to an unregistered server:

https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-server-endpoint
upvoted 1 times

 
Meca
Highly Voted 
1 month, 3 weeks ago
I would say NYY
upvoted 10 times

 
Kiano
1 month ago
The third option i No too, because even if you register server3, you would get a conflict with the paths between server2 and server3. So the
answer is right and should be No, Yes, No
upvoted 2 times

 
jantoniocesargatica
1 month, 1 week ago
When you say NYY, why don't you give an explanation? The answer is NYN. cyna58 has explained it correctly.
upvoted 1 times

 
mkoprivnj
Most Recent 
1 week, 5 days ago
NO , YES, NO
upvoted 3 times

 
Hit_man
2 weeks, 5 days ago
NYN is correct
upvoted 1 times

 
Cippunk
1 month ago
Correct, cyna58 is right
upvoted 1 times

 
mlantonis
1 month, 1 week ago
Correct Answer:

Box 1: No

A sync group must contain one cloud endpoint, which represents an Azure file share and one or more server endpoints.

Box 2: Yes

Data2 is located on Server2 which is registered to Sync1.

Box 3: No

Data3 is located on Server3 which is not registered to Sync1.

Reference:

 
raulgar
1 month, 2 weeks ago
n - only can be 1 cloud endpoint

y - server2 is added as node and haven't any shared folder added

n - server 3 isn't added as node

upvoted 2 times

 
nfett
1 month, 2 weeks ago
verified answers are nyn
upvoted 1 times

 
est3la21
1 month, 3 weeks ago
N -already have a cloud endpoint

N - server 2 already set as endpoint

Y - server 3 can be added as additional endpoint

upvoted 2 times

 
Billabongs
1 month, 3 weeks ago
My best guess:

You can add Share3 as an additional Cloud endpoint for Sync1? = NO

- You can have only one Cloud endpoint.

https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-planning

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 206/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

You can add data2 as an additional server endpoint for Sync1? = YES

- Server1 and Server2 are register to Sync1 (Sync Group).

You can add data3 as an additional server endpoint for Sync1? = NO

- Server3, where the data3 resides, are not register in Sync1 (Sync Group)
upvoted 6 times

 
Devgela
1 month, 3 weeks ago
I would say NYN
upvoted 3 times

 
Rajash
1 month, 3 weeks ago
N - One cloud endpoint for Sync1.

Y- additional server endpoint from Server 2.

Y- additional server endpoint from Server 3

upvoted 6 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 207/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #32 Topic 2

HOTSPOT -

You have an Azure subscription named Subscription1 that contains the resources shown in the following table:

You plan to configure Azure Backup reports for Vault1.

You are configuring the Diagnostics settings for the AzureBackupReports log.

Which storage accounts and which Log Analytics workspaces can you use for the Azure Backup reports of Vault1? To answer, select the
appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: storage3 only -

Vault1 and storage3 are both in West Europe.

Box 2: Analytics3 -

Vault1 and Analytics3 are both in West Europe.

Reference:

https://docs.microsoft.com/en-us/azure/backup/backup-azure-configure-reports

 
RithuNethra
Highly Voted 
6 months, 3 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 208/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

storage 3

analytics 1,2 & 3

this is correct as analytics are independent of locations!

upvoted 91 times

 
Veronika1989
2 months ago
I agree! Tested on my tenant.
upvoted 2 times

 
Amju
2 months, 2 weeks ago
its not recommended due to different government policies in US and Europe and thats why only workspace 3 is correct answer.
upvoted 4 times

 
abu3lia
6 months, 3 weeks ago
Here is the proof: https://docs.microsoft.com/en-us/azure/backup/configure-reports#1-create-a-log-analytics-workspace-or-use-an-existing-
one
upvoted 12 times

 
Ikrom
6 months, 1 week ago
Confirmed.

Here is a snippet from the link:

"Set up one or more Log Analytics workspaces to store your Backup reporting data. The location and subscription where this Log Analytics
workspace can be created ***is independent of the location and subscription where your vaults exist***."
upvoted 14 times

 
prashantjoge
6 months, 1 week ago
Thanks for the link. That confirms it
upvoted 2 times

 
wooyourdaddy
6 months, 3 weeks ago
What did you use to verify this ?
upvoted 2 times

 
JustMe84
Highly Voted 
6 months, 2 weeks ago
Test today (12/10/2020), Passed, don't remember what I chose.
upvoted 23 times

 
JayBee65
1 week, 1 day ago
So very helpful. Today I skipped breakfast, hope this helps too,
upvoted 12 times

 
Kinon4
3 months, 2 weeks ago
Nice :D
upvoted 3 times

 
Debil
5 months, 2 weeks ago
This was very helpful information :D
upvoted 54 times

 
fazedenk
Most Recent 
10 hours, 19 minutes ago
I thought only backup vaults could back up storage accounts? Recovery services vault can do file shares i guess
upvoted 1 times

 
madhavikdb
5 days, 5 hours ago
Log Analytics1,2,3

storage 3

tried in my subscription.
upvoted 1 times

 
madhavikdb
5 days, 5 hours ago
tried in my sybscription can add workspace independent of location,while storage account from tyhe same region

Storage3

Log Analytics 1,Log Analytics 2,Log Analytics 3

upvoted 1 times

 
mkoprivnj
1 week, 5 days ago
storage 3

analytics 1,2 & 3

upvoted 2 times

 
mlantonis
1 month, 1 week ago
Correct Answer:

Storage accounts: Storage 3 only

Storage Account must be in the same Region as the Recovery Services Vault.

Log Analytics workspaces: Analytics1, Analytics2, and Analytics3

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 209/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Set up one or more Log Analytics workspaces to store your Backup reporting data. The location and subscription where this Log Analytics
workspace can be created is independent of the location and subscription where your Vaults exist.

Reference:

https://docs.microsoft.com/en-us/azure/backup/configure-reports#1-create-a-log-analytics-workspace-or-use-an-existing-one
upvoted 4 times

 
raph90fr
1 month, 1 week ago
from Microsoft documentation: "The location and subscription where this Log Analytics workspace can be created is independent of the location
and subscription where your vaults exist."

so it log analytics 1,2 and 3 the correct answer

https://docs.microsoft.com/en-us/azure/backup/configure-reports#1-create-a-log-analytics-workspace-or-use-an-existing-one
upvoted 1 times

 
KenDo
1 month, 1 week ago
Answer is incorrect:

The location and subscription where this Log Analytics workspace can be created is independent of the location and subscription where your vaults
exist.

https://docs.microsoft.com/en-us/azure/backup/configure-reports
upvoted 1 times

 
asingh94
1 month, 1 week ago
Given answers are correct.

https://www.jorgebernhardt.com/key-vault-log-analytics/

Please check this article.

Important: The Log Analytics workspace must be in the same region as your Azure Key Vault.
upvoted 1 times

 
itmp
3 weeks, 4 days ago
There is the official MS documentation and there are some blogs/articles. I think we should stick with MS:

"The location and subscription where this Log Analytics workspace can be created is independent of the location and subscription where your
vaults exist"

"https://docs.microsoft.com/en-us/azure/backup/configure-reports#1-create-a-log-analytics-workspace-or-use-an-existing-one"
upvoted 1 times

 
nfett
1 month, 2 weeks ago
answer is storage 3 and than anlytics 1, 2, 3 confirmed from https://docs.microsoft.com/en-us/azure/backup/configure-reports#1-create-a-log-
analytics-workspace-or-use-an-existing-one
upvoted 2 times

 
Chief
1 month, 3 weeks ago
1. Create a Log Analytics workspace or use an existing one

 
hehe_24
2 months, 3 weeks ago
Storage is 3

and Analytics can be all 3. Reference (https://docs.microsoft.com/en-us/azure/automation/how-to/region-mappings)

upvoted 1 times

 
Aniruddha_dravyakar
3 months ago
Confirmed. Log Analytics are location independent.
upvoted 3 times

 
gladi
3 months ago
I think:

1) Storage3 (In the same region of Vault).

2) analytics1, 2 and 3 because Microsoft documentation says: " Log Analytics workspaces to store your Backup reporting data. The location and
subscription where this Log Analytics workspace can be created is independent of the location and subscription where your vaults exist."
upvoted 4 times

 
ms70743
3 months, 1 week ago
Storage 3

Log Analytics 1,2,3

upvoted 3 times

 
mg
3 months, 2 weeks ago
Storage 3

Log Analytics 1,2,3

upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 210/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 211/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #33 Topic 2

HOTSPOT -

You have an Azure subscription that contains the storage accounts shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: contoso104 only -

Premium file shares are hosted in a special purpose storage account kind, called a FileStorage account.

Box 2: contoso101, contoso102, and contos103 only

Reference:

https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-create-premium-fileshare?tabs=azure-portal
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers

 
Rajash
Highly Voted 
1 month, 3 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 212/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Box1 - 104 only.

Box2 - 101 and 103 only ( Storage V2 and BLOB storage)

https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers

-Object storage data tiering between hot, cool, and archive is supported in Blob Storage and General Purpose v2 (GPv2) accounts. General Purpose
v1 (GPv1) accounts don't support tiering.
upvoted 32 times

 
Veronika1989
1 month ago
I agreed. Here is the article https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers
upvoted 2 times

 
mlantonis
Highly Voted 
1 month, 1 week ago
Correct Answer:

Box 1: contoso104 only

Premium file shares are hosted in a special purpose storage account kind, called a FileStorage account.

Box 2: contoso101 and contos103 only

Object storage data tiering between hot, cool, and archive is supported in Blob Storage and General Purpose v2 (GPv2) accounts. General Purpose
v1 (GPv1) accounts don't support tiering.

The archive tier supports only LRS, GRS, and RA-GRS.

Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview

https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-create-premium-fileshare?tabs=azure-portal

https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers
upvoted 9 times

 
mkoprivnj
Most Recent 
1 week, 5 days ago
Box1 - 104 only.

Box2 - 101 and 103 only ( Storage V2 and BLOB storage)

upvoted 1 times

 
Ssri
1 week, 6 days ago
https://azure.microsoft.com/en-gb/pricing/calculator/?service=storage

Box 1 - 104 only

Box 2 - 101 and 103 only.

upvoted 1 times

 
ykmoh
2 weeks, 3 days ago
Box 1 - 104 only

Box 2 - 101 and 103 only. It mentioned in this link https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers

"Object storage data tiering between hot, cool, and archive is supported in Blob Storage and General Purpose v2 (GPv2) accounts. General Purpose
v1 (GPv1) accounts don't support tiering"
upvoted 1 times

 
irosh412
1 month, 1 week ago
Azure supports multiple types of storage accounts for different storage scenarios customers may have, but there are two main types of storage
accounts for Azure Files. Which storage account type you need to create depends on whether you want to create a standard file share or a
premium file share:

General purpose version 2 (GPv2) storage accounts: GPv2 storage accounts allow you to deploy Azure file shares on standard/hard disk-based
(HDD-based) hardware. In addition to storing Azure file shares, GPv2 storage accounts can store other storage resources such as blob containers,
queues, or tables. File shares can be deployed into the transaction optimized (default), hot, or cool tiers.

FileStorage storage accounts: FileStorage storage accounts allow you to deploy Azure file shares on premium/solid-state disk-based (SSD-based)
hardware. FileStorage accounts can only be used to store Azure file shares; no other storage resources (blob containers, queues, tables, etc.) can be
deployed in a FileStorage account.

https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-create-file-share?tabs=azure-portal
upvoted 2 times

 
Ptit_filou
1 month, 1 week ago
For question 1: https://azure.microsoft.com/en-us/pricing/details/storage/files/

"Premium file shares are available through the FileStorage storage account type"

"Standard file shares are available in general purpose storage accounts"

contoso104 only.
upvoted 1 times

 
RAY2021
1 month, 1 week ago
Premium file shares are not available from this storage account type. Create a premium file storage account for those
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 213/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

 
Chief
1 month, 3 weeks ago
Storage accounts that support tiering

Object storage data tiering between hot, cool, and archive is supported in Blob Storage and General Purpose v2 (GPv2) accounts. General Purpose
v1 (GPv1) accounts don't support tiering. You can easily convert your existing GPv1 or Blob Storage accounts to GPv2 accounts through the Azure
portal. GPv2 provides new pricing and features for blobs, files, and queues. Some features and price cuts are only offered in GPv2 accounts. Some
workloads can be more expensive on GPv2 than GPv1. For more information, see Azure storage account overview.
upvoted 2 times

 
Dips88
1 month, 3 weeks ago
Answer is Box is '101 and 104' - In premium storage with page blob it creates all 4 storage types i.e. container, table, queue and file share with
storage kind as gen v2, hence that storage account can be used as file storage.

Box 2: '101 and 103' - blob storage and gen v2 storage kind includes access tier . Only storage is gen v1 which does not support access tier
upvoted 1 times

 
Devgela
1 month, 3 weeks ago
Looks correct to me
upvoted 1 times

 
raulgar
1 month, 3 weeks ago
Ther first questions looks correct.Premium file share- contoso 104 only

(Filestorage accounts (FileStorage storage accounts allow you to deploy Azure file shares on premium/solid-state disk-based (SSD-based)
hardware. FileStorage accounts can only be used to store Azure file shares; no other storage resources (blob containers, queues, tables, etc.) can be
deployed in a FileStorage account)
The second questions I'm not sure
upvoted 2 times

 
marko_s
1 month, 3 weeks ago
Answer is Wrong!

Archive is only supported in Blob and Gpv2

https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 214/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #34 Topic 2

HOTSPOT -

You have an Azure subscription named Subscription1.

In Subscription1, you create an Azure file share named share1.

You create a shared access signature (SAS) named SAS1 as shown in the following exhibit:

To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 215/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer:

Box 1: Will have no access -

The IP 193.77.134.1 does not have access on the SAS.

Box 2: Will have read, write, and list access

The net use command is used to connect to file shares.

Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1 https://docs.microsoft.com/en-
us/azure/vs-azure-tools-storage-manage-with-storage-explorer?tabs=windows

 
fedztedz
Highly Voted 
6 months, 1 week ago
The Answer is not correct.

It should be no access for both cases.

- for first case, cause the IP is not matching the SAS requirements

- for second case, since it is using "net use" where it uses SMB. The SMB (Server Message Broker) protocol does not support SAS. it still asks for
username/password. Accordingly, it will give error wrong username/pass and will not provide access.
upvoted 72 times

 
rrr
4 weeks ago
you are savior, netuse dont support SAS ..
upvoted 2 times

 
researched_answer_boi
1 month ago
Authenticating against an Azure File Share using SAS is currently not supported. Only the Storage Account Keys would work.

https://docs.microsoft.com/en-us/answers/questions/40741/sas-key-for-unc-path.html
upvoted 1 times

 
ravigupta1
2 months ago
I think the provided answer is correct because Blob Storage doesn't support SAS but File Storage support SAS and Net USE both.

Ref: https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows
upvoted 2 times

 
mikl
4 months, 1 week ago
Tend to agree here.

1. IP is out of range.

2. Share is SMB - dont know if its just me, but the "Allowed Protocols" also only states HTTPS only - that wont go for a Share as well, or am I
missing the point here?
upvoted 3 times

 
best_yunus
Highly Voted 
6 months ago
A : Will have no access

Reason : given IP is out range.

B: Will be prompted for credentials

Reason : Share will use SMB.

upvoted 27 times

 
Hathuguay
1 month, 1 week ago
How did you know it was SMB rather than REST?
upvoted 1 times

 
Borbz
5 months, 1 week ago
That's the correct Answer right here! Thanks Best_yunus
upvoted 2 times

 
Gautam123
Most Recent 
1 week, 5 days ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 216/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

no access for both

upvoted 2 times

 
mkoprivnj
1 week, 5 days ago
It should be no access for both cases.
upvoted 1 times

 
Silverpro29
2 weeks, 4 days ago
The right answer is "Will have no access" to both boxes.

Box 1: Out of the IP Address Range.

Box 2: When we use net use command. It does not support the use of Shared Access Signature. We will not have access to the file share via the
Shared Access Signature. The net use command is a command Prompt that's used to connect to, remove, and configure connections to shared
resources, like mapped drives, and network printers.

References:

https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview

https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows#prerequisites
upvoted 1 times

 
mlantonis
1 month, 1 week ago
Correct Answer:

Box 1: will have no access

The IP 193.77.134.1 does not have access on the SAS, because it is not matching the SAS requirements. IP is out of range.

Box 2: will have no access

The SAS token is not supported in mounting Azure File share currently, it just supports the Azure storage account key.

Since it is using "net use" where it uses SMB, the SMB (Server Message Broker) protocol does not support SAS. it still asks for username/password.
Accordingly, it will give error wrong username/pass and will not provide access.

Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1

https://docs.microsoft.com/en-us/azure/vs-azure-tools-storage-manage-with-storage-explorer?tabs=windows

https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows

https://docs.microsoft.com/en-us/answers/questions/40741/sas-key-for-unc-path.html
upvoted 4 times

 
3abmula
1 month, 1 week ago
Did any of you guys actually test this before suggesting different answer.

I did test it and given answer seems correct. See below snapshot.

https://i.imgur.com/sgNzrEk.png
upvoted 2 times

 
NareshNK
1 month, 1 week ago
Both Answer are correct:

1. IP is not matching the SAS requirements.

2. Will have access as describe.

How a shared access signature works

A shared access signature is a signed URI that points to one or more storage resources. The URI includes a token that contains a special set of
query parameters. The token indicates how the resources may be accessed by the client. One of the query parameters, the signature, is constructed
from the SAS parameters and signed with the key that was used to create the SAS. This signature is used by Azure Storage to authorize access to
the storage resource.
upvoted 3 times

 
nfett
1 month, 3 weeks ago
A and no access.

confirmed from here. https://stackoverflow.com/questions/65668458/need-azure-files-shares-to-be-mounted-using-sas-signatures

upvoted 1 times

 
gladi
3 months ago
I tested in my lab:

1) NO access

2) Prompted for credentials.

upvoted 7 times

 
biglebowski
1 week, 4 days ago
1. No access

2. No access

Yes, you will be prompted for credentials but when you use "SAS1 as the password" you will have "no access" on the end.
upvoted 1 times

 
bacana
3 months ago
Correct

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 217/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times

 
ms70743
3 months, 1 week ago
"No Access" for both
upvoted 2 times

 
Wizard69
3 months, 2 weeks ago
No access and

No access!

1. The IP is out of range

2. Net Use doesn't support SAS

upvoted 3 times

 
Sandroal29
3 months, 3 weeks ago
The question has several and significant details that help to determine that the provided answer is correct.
upvoted 1 times

 
ZUMY
3 months, 3 weeks ago
01.NO ACCESS - IP Address is out of range

02.NO ACCESS - SAS Token doesn't support mounting azure files shares for now.
upvoted 5 times

 
PBA1211
3 months, 3 weeks ago
both times it is "No Acces"

1. IP adres is out of range

2. The SAS token is not supported in mounting Azure File share currently

https://docs.microsoft.com/en-us/answers/questions/40741/sas-key-for-unc-path.html

Workaround: You can try Azure Files FUSE Driver: https://github.com/microsoft/AzureFilesFUSE

upvoted 3 times

 
StixxNSnares
4 months ago
No access on both. The SAS token is not supported in mounting Azure File share currently so it cannot use the Net use command.
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 218/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #35 Topic 2

You have two Azure virtual machines named VM1 and VM2. You have two Recovery Services vaults named RSV1 and RSV2.

VM2 is backed up to RSV1.

You need to back up VM2 to RSV2.

What should you do first?

A.
From the RSV1 blade, click Backup items and stop the VM2 backup

B.
From the RSV2 blade, click Backup. From the Backup blade, select the backup for the virtual machine, and then click Backup

C.
From the VM2 blade, click Disaster recovery, click Replication settings, and then select RSV2 as the Recovery Services vault

D.
From the RSV1 blade, click Backup Jobs and export the VM2 job

Correct Answer:
C

Reference:

https://docs.microsoft.com/en-us/azure/backup/backup-azure-vms-first-look-arm

 
MrRice
Highly Voted 
1 month, 3 weeks ago
Answer A.

from the provided reference: VMs can only be backed up in a single vault.
upvoted 20 times

 
mkoprivnj
Most Recent 
1 week, 5 days ago
A is correct!
upvoted 2 times

 
omhari
2 weeks, 3 days ago
What should you do first?

A. From the RSV1 blade, click Backup items and stop the VM2 backup
upvoted 2 times

 
NareshNK
2 weeks, 6 days ago
Correction from previous post- Answer A is correct, without stopping existing protection you can not change the vault. Data retention and no
retention comes to discussion after you stop the existing backup.
upvoted 1 times

 
Zuls
3 weeks ago
Questions says: VM2 is BACKED UP to RSV1. why would we stop backed up item it's not

backing up right?
upvoted 1 times

 
mlantonis
1 month, 1 week ago
Correct Answer: A

VMs can only be backed up in a single Recovery Services Vault. You have to stop the VM2 backup from the RSV1 first. Otherwise you won't able
find the VM2 in RSV2.

Reference:

https://docs.microsoft.com/en-us/azure/backup/backup-azure-move-recovery-services-vault#must-preserve-previous-backed-up-data

https://docs.microsoft.com/en-in/azure/backup/backup-azure-vms-first-look-arm
upvoted 2 times

 
sris99
1 month, 1 week ago
Answer is A

https://docs.microsoft.com/en-us/azure/backup/backup-azure-move-recovery-services-vault#must-preserve-previous-backed-up-data
upvoted 2 times

 
NareshNK
1 month, 1 week ago
Answer A is correct, if the data backed up in the RSV1 does not needs to be retain but if the data retention is needed than changing the recovery
vault directly is the appropriate answer. As an admin general practice is to retain the data until first backup from new vault is completed. Thus
answer C is correct option to choose.
upvoted 2 times

 
nfett
1 month, 2 weeks ago
answer is A from provided url.

https://docs.microsoft.com/en-in/azure/backup/backup-azure-vms-first-look-arm

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 219/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times

 
Devgela
1 month, 3 weeks ago
Is A. You have to stop the VM2 backup from the RSV1 first. Otherwise you won't able find the VM2 in RSV2
upvoted 4 times

 
Moyuihftg
1 month, 3 weeks ago
Answer B
upvoted 2 times

 
Titito
1 month, 3 weeks ago
But VM2 backup is still running on RSV1.
upvoted 1 times

 
Moyuihftg
1 month, 2 weeks ago
Yes, you are right.

Answer A
upvoted 2 times

 
Rajash
1 month, 3 weeks ago
what should you do first.
A. From the RSV1 blade, click Backup items and stop the VM2 backup
upvoted 1 times

Question #36 Topic 2

You have a general-purpose v1 Azure Storage account named storage1 that uses locally-redundant storage (LRS).

You need to ensure that the data in the storage account is protected if a zone fails. The solution must minimize costs and administrative effort.

What should you do first?

A.
Create a new storage account.

B.
Configure object replication rules.

C.
Upgrade the account to general-purpose v2.

D.
Modify the Replication setting of storage1.

Correct Answer:
C

Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy

 
klamar
Highly Voted 
3 weeks, 2 days ago
Correct.

v1 supports GRS/RA-GRS but question was about least cost. Least cost is ZRS which is only supported for v2 and premium file/block storage.

Source: https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy#supported-storage-account-types
upvoted 12 times

 
CloudyTech
Most Recent 
1 day, 5 hours ago
Answer is correct
upvoted 1 times

 
Deevine78
1 week, 2 days ago
Correct answer is C.
upvoted 1 times

 
mkoprivnj
1 week, 5 days ago
C is correct!
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 220/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #37 Topic 2

You have an Azure subscription that contains the storage accounts shown in the following table.

You plan to manage the data stored in the accounts by using lifecycle management rules.
To which storage accounts can you apply lifecycle management rules?

A.
storage1 only

B.
storage1 and storage2 only

C.
storage3 and storage4 only

D.
storage1, storage2, and storage3 only

E.
storage1, storage2, storage3, and storage4

Correct Answer:
D

Reference:

https://docs.microsoft.com/en-us/azure/storage/blobs/storage-lifecycle-management-concepts?tabs=azure-portal

Implement and manage storage

 
pelekafitinakwenu
2 days, 20 hours ago
The answer is correct

https://docs.microsoft.com/en-us/azure/storage/blobs/storage-lifecycle-management-concepts?tabs=azure-portal
upvoted 1 times

 
mkoprivnj
1 week, 5 days ago
Storage1, Storage2, Storage 3!
upvoted 1 times

 
AVVARU
2 weeks, 1 day ago
Answer is correct
upvoted 3 times

 
Tamilarasan
2 weeks, 2 days ago
Answer is correct .

The lifecycle management feature is available in all Azure regions for general purpose v2 (GPv2) accounts, blob storage accounts, premium block
blobs storage accounts, and Azure Data Lake Storage Gen2 accounts.
upvoted 2 times

 
HTD
2 weeks, 4 days ago
i think premium accounts do not support lifecycle management.
upvoted 1 times

 
Yiannisthe7th
3 weeks, 1 day ago
The lifecycle management feature is available in all Azure regions for general purpose v2 (GPv2) accounts, blob storage accounts, premium block
blobs storage accounts, and Azure Data Lake Storage Gen2 accounts
upvoted 3 times

 
CheesusCrust89
3 weeks, 2 days ago
from

https://docs.microsoft.com/en-us/azure/storage/blobs/storage-lifecycle-management-concepts?tabs=azure-portal

**Azure Blob Storage lifecycle management offers a rich, rule-based policy for GPv2 and blob storage accounts.**
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 221/222
6/24/2021 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 222/222

Microsoft - Az 400.LAB .VMay 2024.by .Ancher.126q
No ratings yet
Microsoft - Az 400.LAB .VMay 2024.by .Ancher.126q
116 pages
Az-104 7
No ratings yet
Az-104 7
40 pages
Examtopics Microsoft's AZ-104 Topic7-16 Use-Case
100% (1)
Examtopics Microsoft's AZ-104 Topic7-16 Use-Case
33 pages
AZ-104 Exam
100% (1)
AZ-104 Exam
587 pages
Exam AZ 104 Microsoft Azure Administrator Mohamed Zohdy 1723551223
No ratings yet
Exam AZ 104 Microsoft Azure Administrator Mohamed Zohdy 1723551223
105 pages
Google - Professional Cloud Security Engineer.v2023!05!10.q124
100% (1)
Google - Professional Cloud Security Engineer.v2023!05!10.q124
47 pages
Az 305
No ratings yet
Az 305
76 pages
MICROSOFT AZURE ADMINISTRATOR EXAM PREP(AZ-104) Part-1: AZ 104 EXAM STUDY GUIDE
From Everand
MICROSOFT AZURE ADMINISTRATOR EXAM PREP(AZ-104) Part-1: AZ 104 EXAM STUDY GUIDE
Devi Prasad
No ratings yet
Az 104
No ratings yet
Az 104
220 pages
AZ 305+Official+Course+Study+Guide
No ratings yet
AZ 305+Official+Course+Study+Guide
14 pages
Az-305 V5
No ratings yet
Az-305 V5
167 pages
AZ - 104 Test 1
No ratings yet
AZ - 104 Test 1
204 pages
Az 104 PDF
No ratings yet
Az 104 PDF
24 pages
Microsoft - Pre .AZ-104.by .VCEplus.59q-DEMO PDF
No ratings yet
Microsoft - Pre .AZ-104.by .VCEplus.59q-DEMO PDF
44 pages
8.AZ 104.prepaway - Premium.5130.exam.103q 2
No ratings yet
8.AZ 104.prepaway - Premium.5130.exam.103q 2
102 pages
Az 104 1
No ratings yet
Az 104 1
82 pages
AZ-104 Exam - 05
No ratings yet
AZ-104 Exam - 05
182 pages
Az-104 Et
No ratings yet
Az-104 Et
54 pages
AZ 104.prepaway - Premium.5130.exam.103q 2
No ratings yet
AZ 104.prepaway - Premium.5130.exam.103q 2
102 pages
Lead2pass Dump1
No ratings yet
Lead2pass Dump1
49 pages
Az 104 May
No ratings yet
Az 104 May
222 pages
AZ-104 - Ans
No ratings yet
AZ-104 - Ans
112 pages
Az 104 2 Nov 2020 Q198 PDF
100% (2)
Az 104 2 Nov 2020 Q198 PDF
227 pages
Microsoft AZURE® AZ-104 Administrator Practice Tests
From Everand
Microsoft AZURE® AZ-104 Administrator Practice Tests
iCertify Training
No ratings yet
Az 104
100% (1)
Az 104
258 pages
Kubernetes A Complete Guide
From Everand
Kubernetes A Complete Guide
Gerardus Blokdyk
No ratings yet
Designing Microsoft Azure Infrastructure Solution AZ 305
From Everand
Designing Microsoft Azure Infrastructure Solution AZ 305
Manish Soni
No ratings yet
Microsoft - Exambible.az 104.practice - Test.2022 Jul 04.by - Payne.322q.vce
100% (1)
Microsoft - Exambible.az 104.practice - Test.2022 Jul 04.by - Payne.322q.vce
17 pages
Az-104 2
No ratings yet
Az-104 2
55 pages
AZ-305 - Extra Questions
No ratings yet
AZ-305 - Extra Questions
32 pages
(Sep-2024) New PassLeader AZ-104 Exam Dumps
No ratings yet
(Sep-2024) New PassLeader AZ-104 Exam Dumps
9 pages
Az 104 Part1
No ratings yet
Az 104 Part1
342 pages
AZ-104 Part2
No ratings yet
AZ-104 Part2
108 pages
Az 104
No ratings yet
Az 104
12 pages
AZ-104 Part1
100% (1)
AZ-104 Part1
125 pages
AZ-104 Exam - Free Actual Q&As, Page 3-101-150
No ratings yet
AZ-104 Exam - Free Actual Q&As, Page 3-101-150
43 pages
Expert Veri Ed, Online, Free.: Microsoft AZ-104 Exam Actual Questions
No ratings yet
Expert Veri Ed, Online, Free.: Microsoft AZ-104 Exam Actual Questions
1 page
AZ-204 Microsoft Updated Practice Questions
No ratings yet
AZ-204 Microsoft Updated Practice Questions
71 pages
Microsoft AZ-104 v2024-12-30 q139
100% (1)
Microsoft AZ-104 v2024-12-30 q139
143 pages
Bramhastra2 0
No ratings yet
Bramhastra2 0
284 pages
Az 104
100% (1)
Az 104
27 pages
Az-104 4
100% (1)
Az-104 4
35 pages
AZ-104 Exam - Free Actual Q&as, Page 2 - ExamTopics-An
0% (1)
AZ-104 Exam - Free Actual Q&as, Page 2 - ExamTopics-An
8 pages
AZ-104 Microsoft Exam Updated Dumps
No ratings yet
AZ-104 Microsoft Exam Updated Dumps
57 pages
AZ-305 Exam - Free Actual Q&As
No ratings yet
AZ-305 Exam - Free Actual Q&As
6 pages
AZ-104 V14.75-Fixed
No ratings yet
AZ-104 V14.75-Fixed
231 pages
05 Microsoft - Braindump2go - Az-305.actual - Test.2023-May-15.by - Borg.140q.vce
No ratings yet
05 Microsoft - Braindump2go - Az-305.actual - Test.2023-May-15.by - Borg.140q.vce
30 pages
Examtopics Microsoft's AZ-104 Topic6
No ratings yet
Examtopics Microsoft's AZ-104 Topic6
49 pages
Aindump2go Az-305 Dumps 2023-Oct-26 by Elmer 196q Vce
No ratings yet
Aindump2go Az-305 Dumps 2023-Oct-26 by Elmer 196q Vce
22 pages
Az 104
No ratings yet
Az 104
39 pages
AZ 104 - Exam Topics Testlet 07182023
No ratings yet
AZ 104 - Exam Topics Testlet 07182023
28 pages
AZ-104 Exam - Free Actual Q&As, Page 2 - ExamTopics
No ratings yet
AZ-104 Exam - Free Actual Q&As, Page 2 - ExamTopics
8 pages
Microsoft: Question & Answers
No ratings yet
Microsoft: Question & Answers
217 pages
AZ 204 Exam Free Actual Q As Page 41 ExamTopics PDF
No ratings yet
AZ 204 Exam Free Actual Q As Page 41 ExamTopics PDF
20 pages
Microsoft - Premium.az 305
No ratings yet
Microsoft - Premium.az 305
45 pages
AZ305 Exam Short Notes
No ratings yet
AZ305 Exam Short Notes
20 pages
AZ-104 Correct
No ratings yet
AZ-104 Correct
32 pages
Microsoft (AZURE) AZ-301 Dumps PDF - Best Study Material Ever
No ratings yet
Microsoft (AZURE) AZ-301 Dumps PDF - Best Study Material Ever
8 pages
AZ-104 Exam - Free Actual Q&As, Page 3 ExamTopics
No ratings yet
AZ-104 Exam - Free Actual Q&As, Page 3 ExamTopics
7 pages
Microsoft - Selftestengine.az 104.practice - Test.2024 Apr 25.by - Kim.124q.vce
No ratings yet
Microsoft - Selftestengine.az 104.practice - Test.2024 Apr 25.by - Kim.124q.vce
16 pages
Azure AZ-104 Certification
No ratings yet
Azure AZ-104 Certification
105 pages
Identity and Data Security For Web Development Jonathan Leblanc PDF Download
No ratings yet
Identity and Data Security For Web Development Jonathan Leblanc PDF Download
61 pages
NetSuite ReleaseNotes - 2021.16
No ratings yet
NetSuite ReleaseNotes - 2021.16
178 pages
SAP Business One Road Map
No ratings yet
SAP Business One Road Map
36 pages
Overview QSS SaaS - 2021 - 2022
No ratings yet
Overview QSS SaaS - 2021 - 2022
22 pages
SAP Cloud Identity Services - Identity Authentication, Solution Overview
No ratings yet
SAP Cloud Identity Services - Identity Authentication, Solution Overview
36 pages
Project Module Name Date Created Prepared by Start Date of Testing Date of Approval
No ratings yet
Project Module Name Date Created Prepared by Start Date of Testing Date of Approval
18 pages
Hype Cycle For Open Banking 251123
No ratings yet
Hype Cycle For Open Banking 251123
46 pages
SAML Vs OAuth 2.0 Vs OpenID Connect PDF
No ratings yet
SAML Vs OAuth 2.0 Vs OpenID Connect PDF
15 pages
MVC Authorisation
No ratings yet
MVC Authorisation
14 pages
ACI Course Descriptions
No ratings yet
ACI Course Descriptions
21 pages
Ee Draindumps 2022-Nov-07 by Sam 75q Vce
No ratings yet
Ee Draindumps 2022-Nov-07 by Sam 75q Vce
8 pages
How To Configure Keycloak For SSO in The Denodo Solution Manager 20230331-1
No ratings yet
How To Configure Keycloak For SSO in The Denodo Solution Manager 20230331-1
28 pages
Smartchat Whatsapp-Cloner
No ratings yet
Smartchat Whatsapp-Cloner
17 pages
The Qlik Cloud Platform
No ratings yet
The Qlik Cloud Platform
34 pages
Contract Express v9 - API Manual
No ratings yet
Contract Express v9 - API Manual
214 pages
Top Salesforce Integration Interview Questions
No ratings yet
Top Salesforce Integration Interview Questions
16 pages
TB Qlik Cloud Platform en
No ratings yet
TB Qlik Cloud Platform en
29 pages
MuhammadShahmeerAmir Tutorial BreakingBarriers
100% (1)
MuhammadShahmeerAmir Tutorial BreakingBarriers
117 pages
Brkucc 2664
No ratings yet
Brkucc 2664
78 pages
ReleaseNotes 2021.1.0
No ratings yet
ReleaseNotes 2021.1.0
135 pages
Lab 5 - OIDC
No ratings yet
Lab 5 - OIDC
3 pages
Identity and Access Management Tutorial PDF
100% (1)
Identity and Access Management Tutorial PDF
20 pages
Unit-5 (Cloud Federation)
No ratings yet
Unit-5 (Cloud Federation)
23 pages
AWS Certified Solutions Architect Associate (SAA-C03) Exam Notes - Coding N Conc
No ratings yet
AWS Certified Solutions Architect Associate (SAA-C03) Exam Notes - Coding N Conc
73 pages
ISC2 CISSP Domain-5 Study Notes
No ratings yet
ISC2 CISSP Domain-5 Study Notes
14 pages
Keycloak 2022
No ratings yet
Keycloak 2022
4 pages
Bonus 6 - Mastering ASP - NET Core Security
100% (1)
Bonus 6 - Mastering ASP - NET Core Security
147 pages
Understanding OpenID Connect Protocol
No ratings yet
Understanding OpenID Connect Protocol
18 pages
Instant Ebooks Textbook Kubernetes Native Microservices With Quarkus and MicroProfile 1st Edition John Clingan Ken Finnigan Download All Chapters
100% (3)
Instant Ebooks Textbook Kubernetes Native Microservices With Quarkus and MicroProfile 1st Edition John Clingan Ken Finnigan Download All Chapters
50 pages