Az-104 Preguntas y Respuestas

18/2/22, 17:50 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics
- Expert Verified, Online, Free.
 Custom View Settings
Topic 1 - Question Set 1
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 1/394
Question #1 Topic 1
Your company has serval departments. Each department has a number of virtual machines (VMs).
The company has an Azure subscription that contains a resource group named RG1.
All VMs are located in RG1.
You want to associate each VM with its respective department.
What should you do?
A. Create Azure Management Groups for each department.
B. Create a resource group for each department.
C. Assign tags to the virtual machines.
D. Modify the settings of the virtual machines.
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags
Community vote distribution

C (100%)
  Briian Highly Voted  1 month, 3 weeks ago

I took the exam on 12/22/2021 with 959 points, so I can confirm this dump is valid. 95% of the questions were from here.
Your should just check the comments and not blindly accept the main soulution given below the questions.
upvoted 40 times
  examinee22 1 month, 1 week ago

Much appreciated
upvoted 2 times
  shravan101 1 month, 2 weeks ago

appreciate it
upvoted 1 times
  Ab198817 1 month, 2 weeks ago

Great job mate
upvoted 1 times
  green_arrow Highly Voted  7 months, 2 weeks ago

C is correct, the tags ASSOCIATE the vms to each deparment, then for example it can be charged to each department.
upvoted 36 times
  Shakar Most Recent  6 days, 16 hours ago

Hi, I took exam on 11/02/22 passed with 830. Around 80-85% Qs came from this practice test. As previously mentioned by others, please
go through the discussions/comments and try to understand the topics (and decide the answer for yourself after reading comments) the
exam questions are not always in the same format as these Qs, if you understand the topics well you have more chances of answering any
questions that you haven't seen here.
Finally, thank you to everyone for their contribution to the comments, honestly I have really enjoyed studying on here last few days,
reading through the discussion and learnt so much more than I did on 2 courses I have attended for AZ-104.
Good luck to everyone who is preparing for AZ-104 :)
upvoted 1 times
  nqthien041292 1 week, 1 day ago

Selected Answer: C
Vote C
upvoted 2 times
  Happiman 2 weeks ago

If your answer is NOT C, then you're wrong.
upvoted 1 times
  Veerus_67 2 weeks, 5 days ago

Hey guys, can anyone please explain my why creating a RG for each department would be a bad idea? Thanks
upvoted 1 times
  yakko83 2 weeks, 3 days ago

too much afford. Tag are simple to aply and they do what's needed.
upvoted 2 times
  al608 2 weeks, 5 days ago

Selected Answer: C
C is the right answer
upvoted 1 times
  PassForSure007 3 weeks, 4 days ago

C using tags
upvoted 1 times
  Shabbow 4 weeks, 1 day ago

C is the correct choice.
upvoted 1 times
  Salu007 4 weeks, 1 day ago

Those giving the exams in Jan 2022 are there live labs as part of the exam?
upvoted 1 times
  pthind 1 month ago

I took the exam on 01/15/2022. I prepared using this dump. Not kidding, 95% questions were from this dump. I passed the exam with 760
marks. I didn't have any experience in Azure before. I used other materials as well and did some hands on labs.
upvoted 1 times
  jersey732 1 month ago

Passed today with 878 thank you for the info ^_^
upvoted 1 times
  cloudAzureIS 1 month, 1 week ago

can someone give us the new dumps please ?
upvoted 1 times
  kippp 1 month, 2 weeks ago

i took the exam on 2/1/2021.. overal 59 question..failed the exam 652.. not even 10 question come from this dump.. they change to new
set
upvoted 2 times
  robertparker 1 month, 1 week ago

I went through the first 190 question in this dump a couple of times and studied the discussions - scored 852 on 2nd Jan 2022. I reckon
I wouldn't have passed without study of the discussions.
Note the exam was 59 questions which includes 2 sets of case study questions, 4 in each set. The case studies are much more involved
than the 190 shown here. I ran out of time to complete the second set because I was working on the "N out of 51" shown on the
pearsonvue, that was my fault - but on the flip side side I only got 100 minutes for the exam (unlike the 120 mins shown elsewhere).
This was my second attempt at the exam, the first attempt was a disaster because I took it on a MacOS 10.13 (intel) - the personvue app
was so flaky at accepting my mouse clicks that I was only able to get through a couple of questions before I had to abandon the exam (I
got my money back). For the second attempt I ran the pearsonvue app using Windows 10, same wifi - and there were no technical
issues.
upvoted 1 times
  Sah1Rj 1 month, 1 week ago

I agree with Cisco112. Took exam January 8, 2022. I recognized most of the questions from here. Passed.
upvoted 1 times
  cisco112 1 month, 1 week ago

i had a different experience. Passed exam 1/6/22, about 75-80% of questions of this dump are still valid (enough to pass). Highly
recommend contributor access so you can see all 300+ questions
And kippp, just want to say that 652 is close to passing score of 700, so don't be discouraged! You got this!
upvoted 2 times
  cloudAzureIS 1 month, 1 week ago

Hello ,do you confirm that it's still
valid please ?
upvoted 1 times
  Bhavin_1998 1 month, 1 week ago

Really :(
upvoted 1 times
  carty 1 month, 3 weeks ago

can anyone give me full dumps, please
upvoted 2 times
  NishKum 2 months, 1 week ago

Selected Answer: C
tags gives a way to do cost based on their names

upvoted 1 times
  Iclectic 2 months, 1 week ago

Answer is definitely C
upvoted 1 times
Question #2 Topic 1
Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result.
Establish if the solution satisfies the requirements.
Your company has an Azure Active Directory (Azure AD) subscription.
You want to implement an Azure AD conditional access policy.
The policy must be configured to require members of the Global Administrators group to use Multi-Factor Authentication and an Azure AD-joined
device when they connect to Azure AD from untrusted locations.
Solution: You access the multi-factor authentication page to alter the user settings.
Does the solution meet the goal?
A. Yes
B. No
Correct Answer: B

B (100%)

B is correct,
1- the best way to enforce MFA is by Conditional Access
2- the device has to be identified by azure AD as A AD joined Device.
3- the trusted ip must be configured.
upvoted 42 times
  rzv Highly Voted  5 months, 1 week ago

brooo we lost mlantonis and tedz
upvoted 22 times
  Pamban 3 months, 1 week ago

what happened to them? mlantonis's answers are spot on!!!
upvoted 1 times
  omw2wealth 4 months, 3 weeks ago

i sit for the exam this saturday, and i really apreciate this dudes a lot!
upvoted 1 times
  PeterHu Most Recent  3 days, 19 hours ago

B is the correct choice
upvoted 1 times
  MilkGod 1 week, 1 day ago

passed the exam yesterday! Thank you examtopics!!!
upvoted 1 times

Selected Answer: B
Vote B
upvoted 2 times

Selected Answer: B
Correct answer is B
upvoted 1 times
  Shabbow 4 weeks ago

B is the correct choice.
upvoted 1 times
  elishlomo 1 month, 1 week ago

Correct answer - B. To enforce MFA from an untrusted location, you need to create a conditional access rule that requires MFA.
upvoted 2 times
  leoiq91 1 month, 2 weeks ago

yes, this is correct
B
upvoted 1 times
  hanyahmed 1 month, 3 weeks ago

Selected Answer: B
B is correct
upvoted 1 times
  Prano 2 months, 1 week ago

Ans : B
To alter the user settings, you should use Grant access policy
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa#create-a-
conditional-access-policy
upvoted 4 times
  azure_learner1329 2 months, 2 weeks ago

Selected Answer: B
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa
upvoted 4 times
  John117 2 months, 3 weeks ago

B is correct,
It should be in the the grant control of the Azure AD conditional access policy.
upvoted 3 times
  Roger95 2 months, 3 weeks ago

Selected Answer: B
In order to implement Conditional Access, use below path
Home > Your Directory > Security > Conditional Access
upvoted 4 times
  poojamh4 2 months, 4 weeks ago

how to get free access for all 300 questions
upvoted 2 times
  Swathi_Devi 3 months, 3 weeks ago

Are you in the thought of learning cloud computing, especially Azure?
Are you Preparing for the Az-104 exam?
Glad you reading this!

Practice Microsoft Azure Administrator Exam Az-104 for FREE!!
WHAT IS SPECIAL? 400+ realistic Exam questions for practice with correct answers.
wHAT IS NEW? The 400+ questions are grouped "MODULE-wise". You can be prepared for one module and practice the test for that one
module before moving to the next module.
ANYTHING MORE? Each question comes with a correct answer and also the reason why the remaining answers are not correct.
ANY BONUS? Almost every question has a link to Microsoft's official pages for you to know more information.
Why wait, all the above @FREE of cost, HURRY UP!! Just click the link https://www.udemy.com/course/microsoft-azure-administrator-
practice-test/?couponCode=AZ104OFFER
Share it with your friends, Offer ends soon!!
Note: This is @FREE of cost to get your valuable feedback which is costly. Please drop in your feedback.
upvoted 2 times
  Yogarajan 2 months, 3 weeks ago

It's not free
upvoted 2 times
  nherrerab 3 months, 3 weeks ago

B is correct.
upvoted 2 times
Question #3 Topic 1
Solution: You access the Azure portal to alter the session control of the Azure AD conditional access policy.
A. Yes
B. No
Correct Answer: B

B (100%)
  lyx Highly Voted  6 months ago

Ans: No.
You alter the grant control, not session control

upvoted 19 times
  YooOY 4 months, 3 weeks ago

Under Access controls > Grant, select Grant access, Require multi-factor authentication, and select Select.
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa
upvoted 11 times
  epic13131 Highly Voted  7 months ago

Was on my exam.
upvoted 11 times
  nqthien041292 Most Recent  1 week, 1 day ago

Selected Answer: B
Vote B
upvoted 1 times
  LG2240 1 week, 5 days ago

Selected Answer: B
Security > Conditional Access --> Access controls --> Grant -->
upvoted 1 times
  edengoforit 3 weeks ago

Sign in to the Azure portal as a global administrator, security administrator, or Conditional Access administrator.
Browse to Azure Active Directory > Security > Conditional Access.
Select New policy.
Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
Under Assignments, select Users and groups
Under Include, select All users
Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
Select Done.
Under Cloud apps or actions > Include, select All cloud apps.
Under Exclude, select any applications that don't require multi-factor authentication.
Confirm your settings and set Enable policy to Report-only.
Select Create to create to enable your policy.
upvoted 1 times

upvoted 1 times

Selected Answer: B
Correct answer - B. To enforce MFA from an untrusted location, you need to create a conditional access rule that requires MFA with Grant
control.
upvoted 1 times

Ans : B
You can alter the grant control and not the session control
upvoted 2 times


upvoted 1 times
  Balucl 6 days, 6 hours ago

AZ104OFFER not working and offer limit exceeded. Anyhow Thanks for contributing to community. Great job.
upvoted 1 times
  HarryKishore 3 months, 1 week ago

HI Swathi,
Thanks for sharing Link, the couponCode no longer valide. Can you please share the latest coupon please.
upvoted 2 times
  G0su 3 months, 1 week ago

reported for spam F*** off
upvoted 9 times

B is correct.
upvoted 1 times
  powerpro 7 months ago

No is correct bc Access Controls is how you get to mfa as stated in https://docs.microsoft.com/en-us/azure/active-directory/conditional-
access/howto-conditional-access-policy-all-users-mfa:
upvoted 4 times
  BenStokes 7 months, 2 weeks ago

Answer should be A
Ref # https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa
upvoted 3 times

Sorry its B - NO
We need to use Grant Control and NOT the Session Control
upvoted 10 times
Question #4 Topic 1
Solution: You access the Azure portal to alter the grant control of the Azure AD conditional access policy.
A. Yes
B. No
Correct Answer: A

A (100%)
  ppp131176 Highly Voted  7 months, 2 weeks ago

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant
upvoted 22 times
  Prashant103 4 months, 2 weeks ago

Thanks for the information
upvoted 1 times
  Loi2525 7 months, 1 week ago

This link shows it all.
upvoted 1 times
  Micah7 Highly Voted  6 months ago

Answer is A. There is another copy of this question that mentions going to the MFA page in Azure Portal as the solution = incorrect. On
that page you cant make a Conditional Access Policy.
I did this in lab step by step:
- The Answer "A" is correct
- Instead of the MFA page mentioned above, you have to go the route of Conditional Access Policy-->Grant Control mentioned here for this
question. Under Grant Control you are given the option of setting MFA and requiring AD joined devices in the exact same window.
Answer is correct.
upvoted 16 times

Selected Answer: A
Vote A
upvoted 1 times
  RavindraDevkhile 3 weeks, 1 day ago

Selected Answer: A
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant
upvoted 1 times

upvoted 1 times
  timmytimtimo 1 month ago

thank you for the information
upvoted 1 times
  Sara_Mo 1 month ago

answer is no
Conditional Access Policy-->Grant Control
there is hybrid AD joined devices and not AD joined devices
upvoted 1 times
Ans : A
Access policy>Grant control
upvoted 1 times

A is correct.
upvoted 1 times
  Steve1983 7 months, 3 weeks ago

Thats not all you need to do. Missing the signal and decision part of the CA policy.
upvoted 3 times
Question #5 Topic 1
You are planning to deploy an Ubuntu Server virtual machine to your company's Azure subscription.
You are required to implement a custom deployment that includes adding a particular trusted root certification authority (CA).
Which of the following should you use to create the virtual machine?
A. The New-AzureRmVm cmdlet.
B. The New-AzVM cmdlet.
C. The Create-AzVM cmdlet.
D. The az vm create command.
Correct Answer: C
Once Cloud-init.txt has been created, you can deploy the VM with az vm create cmdlet, using the --custom-data parameter to provide the full
path to the cloud- init.txt file.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/tutorial-automate-vm-deployment

D (100%)
  theOldOne Highly Voted  4 months, 2 weeks ago

It specifically mentions clout-init.txt. This link
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/using-cloud-init
Seems to indicate that answer D is correct. Use Az VM create.

upvoted 29 times
  elishlomo Highly Voted  1 month, 1 week ago

Selected Answer: D
The az vm create command. you need to create an Ubuntu Linux VM using a cloud-init script for configuration.
For example, az vm create -g MyResourceGroup -n MyVm --image debian --custom-data MyCloudInitScript.yml
https://docs.microsoft.com/en-us/cli/azure/vm?view=azure-cli-latest
https://cloudinit.readthedocs.io/en/latest/topics/examples.html
upvoted 7 times
  arunet Most Recent  1 day, 10 hours ago

Answer D.
upvoted 1 times
  9InchPianist 6 days, 5 hours ago

Selected Answer: D
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/tutorial-automate-vm-deployment specificly states using 'az vm create'
upvoted 1 times

Selected Answer: D
Vote D
upvoted 1 times
  faeem 1 week, 3 days ago

D is correct - https://docs.microsoft.com/en-us/cli/azure/vm?view=azure-cli-latest#az-vm-create
upvoted 1 times
  pavan_rao 1 week, 5 days ago

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/quick-create-cli
Answer: D
upvoted 1 times
  Fede90 2 weeks ago

Selected Answer: D
The answer C is non correct
upvoted 1 times
  SKNAZRUL 2 weeks, 1 day ago

Why wrong answers are not being updated and corrected. Hello Examtopics, I am your another premium subscriber, please make the
changes.
upvoted 2 times

cloud-init is a widely used approach to customize a Linux VM as it boots for the first time. You can use cloud-init to install packages and
write files, or to configure users and security.
upvoted 1 times
  RavindraDevkhile 3 weeks, 1 day ago

Selected Answer: D
upvoted 2 times
  Neftali 3 weeks, 1 day ago

Selected Answer: D
Selected Answer: D
upvoted 2 times
  Ds80 3 weeks, 2 days ago

D is correct answer! Have to use cloud-init.
upvoted 1 times
  Ali526 3 weeks, 2 days ago

'Cloud-init.txt' is not a part of the original question. It is mentioned in the answer ONLY, so any argument should not be based upon
'Cloud-init.txt'.
upvoted 1 times
  rohit_khandelwal 1 month ago

Selected Answer: D
upvoted 1 times
  GiJoe1987 1 month ago

Guys, why is it not B: all my research points to New-AzVM is the command used to create the VM
upvoted 1 times
  atilla 2 weeks, 3 days ago

you cannot use cloud-init with new-AzVM I think, with D you can
upvoted 3 times
  peymani 1 month ago

https://docs.microsoft.com/en-us/cli/azure/vm?view=azure-cli-latest
az vm create Create an Azure Virtual Machine.
upvoted 2 times
Question #6 Topic 1
Your company makes use of Multi-Factor Authentication for when users are not in the office. The Per Authentication option has been configured
as the usage model.
After the acquisition of a smaller business and the addition of the new staff to Azure Active Directory (Azure AD) obtains a different company and
adding the new employees to Azure Active Directory (Azure AD), you are informed that these employees should also make use of Multi-Factor
Authentication.
To achieve this, the Per Enabled User setting must be set for the usage model.
Solution: You reconfigure the existing usage model via the Azure portal.
A. Yes
B. No
Correct Answer: B
Since it is not possible to change the usage model of an existing provider as it is right now, you have to create a new one and reactivate your
existing server with activation credentials from the new provider.
Reference:
https://365lab.net/2015/04/11/switch-usage-model-in-azure-multi-factor-authentication-server/

B (100%)
  S_Steve Highly Voted  7 months ago

answer is correct
upvoted 14 times
  pakman 4 months, 3 weeks ago

No it is not.
"You cannot change the usage model (per enabled user or per authentication) after an MFA provider is created."
upvoted 3 times
  Takloy 3 months, 1 week ago

When S_Steve said answer is correct, it means the Answer is No.
upvoted 6 times
  Mozbius_ Highly Voted  1 month ago

Is it me or the grammar / text of the whole question is very poor?
upvoted 12 times

Selected Answer: B
Vote B
upvoted 1 times

Answer is B(NO): you cannot alter a per enabled user mfa after it has been created
upvoted 1 times
  Neftali 3 weeks, 1 day ago

Selected Answer: B
Ans: B
upvoted 1 times
  Alexw 1 month ago

Selected Answer: B
you cannot alter a per enabled user mfa after it has been created
upvoted 2 times
  azure_learner1329 2 months ago

Ans: B
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-authprovider#manage-your-mfa-provider
upvoted 3 times
  Marski 2 months ago

MS Documentation for this.
upvoted 1 times

Ans : B
You cannot change the usage model after an MFA provider is created
upvoted 1 times
  zankuko_tenshi 3 months, 1 week ago

B. You can't change the usage model after an MFA provider is created.
upvoted 4 times
  Timock 3 months, 1 week ago

Answer is Correct:
Manage your MFA Provider
You cannot change the usage model (per enabled user or per authentication) after an MFA provider is created.
If you purchased enough licenses to cover all users that are enabled for MFA, you can delete the MFA provider altogether.
If your MFA provider is not linked to an Azure AD tenant, or you link the new MFA provider to a different Azure AD tenant, user settings
and configuration options are not transferred. Also, existing Azure MFA Servers need to be reactivated using activation credentials
generated through the MFA Provider.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-authprovider
upvoted 3 times

You create a new Multi-Factor Authentication provider with a backup from the existing Multi-Factor Authentication provider data.
upvoted 3 times
  GD01 3 months, 3 weeks ago

You cannot do that either.. " Effective September 1st, 2018 new auth providers may no longer be created. Existing auth providers may
continue to be used and updated, but migration is no longer possible. Multi-factor authentication will continue to be available as a
feature in Azure AD Premium licenses."
upvoted 1 times
  Rahul72 7 months, 1 week ago

The answer is correct
upvoted 1 times
Question #7 Topic 1
Your company's Azure solution makes use of Multi-Factor Authentication for when users are not in the office. The Per Authentication option has
been configured as the usage model.
Authentication.
Solution: You reconfigure the existing usage model via the Azure CLI.
A. Yes
B. No
Correct Answer: B
Reference:

B (100%)
  rigonet Highly Voted  4 months, 3 weeks ago

ANSWER: B - No
You cannot change the usage model after creating the provider.
upvoted 8 times

Selected Answer: B
Vote B
upvoted 1 times

No - is correct because you cannot alter in any way an already created per enable user MFA
upvoted 1 times

B. You can't change the usage model after an MFA provider is created.
upvoted 2 times

You create a new Multi-Factor Authentication provider with a backup from the existing Multi-Factor Authentication provider data.
upvoted 1 times
  Quantigo 4 months, 3 weeks ago

Answer B - No
can't find any references confirming the azure CLI method, the only CLI method found was for PowerShell.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted
upvoted 2 times
  Mohtasham 6 months, 2 weeks ago

correct
upvoted 3 times
Question #8 Topic 1
Your company's Azure solution makes use of Multi-Factor Authentication for when users are not in the office. The Per Authentication option has
been configured as the usage model.
Authentication.
Solution: You create a new Multi-Factor Authentication provider with a backup from the existing Multi-Factor Authentication provider data.
A. Yes
B. No
Correct Answer: A
Reference:

A (100%)

Yes Is correct as explained with the given link: https://365lab.net/2015/04/11/switch-usage-model-in-azure-multi-factor-authentication-
server/
upvoted 12 times
  VeiN Highly Voted  2 months ago

For me this question is outdated and won`t show up on exam but if it showed up it would be B (No), here is why:
Effective September 1st, 2018 new auth providers may no longer be created. Existing auth providers may continue to be used and
updated, but migration is no longer possible. Multi-factor authentication will continue to be available as a feature in Azure AD Premium
licenses.
upvoted 7 times

Selected Answer: A
Vote A
upvoted 1 times
  MSExpert 1 month, 3 weeks ago

I'll go with B.
upvoted 1 times
  ant_man 2 months ago

Selected Answer: A
You can't change the usage model after an MFA provider is created
upvoted 1 times

Ans : A
You cannot change the usage model after an MFA provider is created
upvoted 1 times
  DonationKing 2 months, 3 weeks ago

That's a good answer
upvoted 1 times
  Osmoziz 2 months, 3 weeks ago

upvoted 1 times

Isn't there official Microsoft docs guide on this? Like on the other questions. Just a thought.
upvoted 2 times
  AltHexMax 1 month, 2 weeks ago

upvoted 2 times
  Snownoodles 6 months ago

"You cannot change the usage model (per enabled user or per authentication) after an MFA provider is created."
Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-authprovider
upvoted 6 times
Question #9 Topic 1
Your company has an Azure Active Directory (Azure AD) tenant named weyland.com that is configured for hybrid coexistence with the on-premises
Active
Directory domain.
You have a server named DirSync1 that is configured as a DirSync server.
You create a new user account in the on-premise Active Directory. You now need to replicate the user information to Azure AD immediately.
Solution: You run the Start-ADSyncSyncCycle -PolicyType Initial PowerShell cmdlet.
A. Yes
B. No
Correct Answer: A
Reference:
https://blog.kloud.com.au/2016/03/08/azure-ad-connect-manual-sync-cycle-with-powershell-start-adsyncsynccycle/

B (76%) A (24%)
  imartinez Highly Voted  7 months, 1 week ago

Answer is B ( No )
Initial will perform a full sync and add the user account created but it will take time,
Delta, will kick off a delta sync and bring only the last change, so it will be "immediately" and will fulfill the requirements.
upvoted 37 times
  arunet 1 week, 1 day ago

B is the answer. https://techcommunity.microsoft.com/t5/itops-talk-blog/powershell-basics-how-to-force-azuread-connect-to-sync/ba-
p/887043
upvoted 2 times
  juniorccs 1 month ago

if the delta will be bring the last changes, so it's okay here, isn't it ? the answer should be then "YES" , correct ? where am I lost here ?
upvoted 2 times
  maxmarco71 Highly Voted  6 months, 3 weeks ago

Answer is A YES
delta:synchronize changes since last full synchronization
Start-ADSyncSyncCycle -policy initial
PS C:\Users\Administrator> Start-ADSyncSyncCycle
Result
------
Success
https://geekdudes.wordpress.com/2018/06/05/office-365-configuring-ad-synchronization/
upvoted 12 times
  SilverFox22 4 months, 4 weeks ago

Yes, this technically works, but as per the question, you want the change to be immediate. If the Initial was run against a large
directory, that could take some time. Instead, run a Delta to just capture the change made and sync it immediately: Start-
ADSyncSyncCycle -PolicyType Delta. Thus answer is B, NO.
upvoted 21 times
  mitya 2 months, 2 weeks ago

Immediate in this case can just mean that you don't need to wait of scheduled Sync, so to run the Initial sync should work also
upvoted 1 times
  Phlex Most Recent  21 hours, 4 minutes ago

the correct choice would be Start-ADSyncSyncCycle -PolicyType Delta.
Start-ADSyncSyncCycle -PolicyType Initial takes way to long and would defeat the purpose of trying to speed this up.
upvoted 1 times
  CaptainChunk 2 days, 1 hour ago

Selected Answer: B
initial sync is a full sync, takes longer
upvoted 1 times
  Hari2017 5 days, 21 hours ago

Common Guys: Answer is B - NO. Why?
The question is clear with PolicyType Initial. Please note: The DirSyncServer connection is already established with Azure AD. That means
Full sync was already run automatically for the first time when the connection is up. Here, the user was added later and needs to be
synced ASAP. Therefore,
Type Initial - Will run Full scan & Full Sync (From On-Prem)
Type Delta - Will run the sync on Newly created objects (Delta) which is True.
upvoted 2 times
  9InchPianist 6 days, 4 hours ago

Selected Answer: B
As stated by other users, delta would meet the requirements of the question better because it will be quicker. Initial would sync
everything.
upvoted 1 times

Selected Answer: A
Vote A
upvoted 1 times
  007Ali 1 week, 2 days ago

Selected Answer: A
In addition to the comments below in favour of A, looking at the other proposed solutions in the series of questions, this is the one that
would achive the desired result.
upvoted 1 times
  BeamerV 3 weeks ago

Selected Answer: A
the question is very tricky.
It wants us to start the sync ASAP. so both cmdlets will start the sync right away once entered.. It does not mention that you need the
synced account ASAP
upvoted 3 times
  Marski 3 weeks, 2 days ago

AD Connect is the synchronizer. Nice that there are solutions suggested in comments.
upvoted 1 times

Selected Answer: B
The answer is B: No
Explanation:
It could be that you have an urgent change that must be synchronized immediately, which is why you need to manually run a cycle.
If you need to manually run a sync cycle, then from PowerShell run Start-ADSyncSyncCycle -PolicyType Delta.
To initiate a full sync cycle, run Start-ADSyncSyncCycle -PolicyType Initial from a PowerShell prompt.
Running a full sync cycle can be very time consuming, read the next section to read how to optimize this process.
Source:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-
scheduler#:~:text=It%20could%20be%20that%20you%20have%20an%20urgent%20change%20that%20must%20be%20synchronized%20i
mmediately,%20which%20is%20why%20you%20need%20to%20manually%20run%20a%20cycle.
upvoted 3 times

Answer : A
To initiate a Delta Sync, open Windows PowerShell and run:
Start-ADSyncSyncCycle -PolicyType Delta
To initiate a Full Sync, open Windows PowerShell and run:

Start-ADSyncSyncCycle -PolicyType Initial
As user is created new and no changes are made in existing to updated to replicate with Azure AD it should be Answer : A
upvoted 2 times
  Mozbius_ 1 month ago

Not sure what to think here... I am preparing for az-104 and followed Microsoft Delivered course in December and beginning of the month
to solidify and NEVER did the instructors mentioned anything about Star-ADSyncSyncCycle. It was basically not part of the syllabus nor in
the standards labs. They talked about CSV imports though when talking about bulk imports and also AD Connect that's it. So I am not sure
what to think. Perhaps the students are expected to expand on what was taught on their own for the exam? Who got this question the
latest?
upvoted 3 times
  peymani 1 month ago
As described here:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-scheduler
Running a full sync cycle can be very time consuming, so if you need to replicate the user information to Azure AD immediately then run
Start-ADSyncSyncCycle -PolicyType Delta.
upvoted 1 times

Hi, the answers here are very diverse, could someone test this and check? I've seen answers supporting that the answer is correct, other
that is not correct.... Confusing as hell
upvoted 1 times

Selected Answer: B
The answer is NO. You need to make sure you're on the preferred domain controller in the real world. It would be best if you worked with
what Start-ADSyncSyncCycle -PolicyType Delta.
upvoted 1 times
  kevinirl 1 month, 1 week ago

NO- As that will trigger full Sync
upvoted 1 times
Question #10 Topic 1
Active
Directory domain.
Solution: You use Active Directory Sites and Services to force replication of the Global Catalog on a domain controller.
A. Yes
B. No
Correct Answer: B
  j5y Highly Voted  7 months, 2 weeks ago

Ans: NO
On a server with Azure AD Connect installed, navigate to the Start menu and select AD Connect, then Synchronization Service.
1. Go to CONNECTORS tab.
2. Select RUN on the ACTIONS pane.
upvoted 39 times

Or, you could run
Start-ADSyncSyncCycle -PolicyType Delta
upvoted 16 times

thanks for this!
upvoted 1 times
  tm25 Most Recent  3 weeks, 5 days ago

It could be that you have an urgent change that must be synchronized immediately, which is why you need to manually run a cycle.
upvoted 1 times

Ans : B
AD Connect > Sychronization service > Connectors >Run on the actions pane
upvoted 2 times
  Marietto76 4 months ago

very thanks j5y for explanation
upvoted 2 times
  Adebowale 6 months ago

Hello j5y, Thanks for the explanation
upvoted 3 times
  green_arrow 7 months, 2 weeks ago

Definitely nooo. B is the correct Answer
upvoted 3 times
Active
Directory domain.
Solution: You restart the NetLogon service on a domain controller.
A. Yes
B. No
Correct Answer: B
  Steve1983 Highly Voted  7 months, 3 weeks ago

NO
Please dont restart 'Netlogon' ever, in test or production... Rather reboot the whole DC, wich wont help for starting a sync i guess. If it
does, its kinda a retarted way to force a sync to start.
upvoted 17 times
  Bere Highly Voted  3 months, 1 week ago

As described here:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-scheduler
Running a full sync cycle can be very time consuming, so if you need to replicate the user information to Azure AD immediately then run
Start-ADSyncSyncCycle -PolicyType Delta.
Answer is B. No
upvoted 6 times

very important explanation
upvoted 1 times
  Jaybee22 Most Recent  2 weeks, 2 days ago

NO
you need to manually run a sync cycle on the server where you install your AAD connect, using window PowerShell to run Start-
ADSyncSyncCycle -PolicyType Delta.
upvoted 2 times

Ans : B
Netlogon will not help
upvoted 4 times

B. Turning of NetLogOn will prevent the AuthN mechanism to function properly on a server.
NetLogOn tech info: https://www.windowstechno.com/what-is-netlogon/
upvoted 2 times


upvoted 1 times
  mrjeet 3 months ago

this fool is SPAMMMMM
upvoted 5 times
  RAJETHA 3 months, 1 week ago

does not work when i applied coupon
upvoted 1 times
  muhammadiq 3 months, 2 weeks ago

AZ104OFFER
does not work when i applied coupon
upvoted 2 times
  Eltooth 3 months, 4 weeks ago

Correct answer - No
upvoted 1 times
  Teab91 4 months ago

No-Is correct
upvoted 1 times

B is the correct Answ
upvoted 3 times
Your company has a Microsoft Azure subscription.

The company has datacenters in Los Angeles and New York.
You are configuring the two datacenters as geo-clustered sites for site resiliency.
You need to recommend an Azure storage redundancy option.
You have the following data storage requirements:
✑ Data must be stored on multiple nodes.
✑ Data must be stored on nodes in separate geographic locations.
✑ Data can be read from the secondary location as well as from the primary location.
Which of the following Azure stored redundancy options should you recommend?
A. Geo-redundant storage
B. Read-only geo-redundant storage
C. Zone-redundant storage
D. Locally redundant storage
Correct Answer: B
RA-GRS allows you to have higher read availability for your storage account by providing ‫ג‬€read only‫ג‬€ access to the data replicated to the
secondary location. Once you enable this feature, the secondary location may be used to achieve higher availability in the event the data is not
available in the primary region. This is an
‫ג‬€opt-in‫ג‬€ feature which requires the storage account be geo-replicated.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy

B (100%)
  Steve1983 Highly Voted  7 months, 3 weeks ago

B
(A: "data will be available to be read-only if Microsoft initiates a failure", so its not RO if its not failed-over)
Geo-redundant storage (GRS)

As I explained above it helps us in replicating our data to another region which is far away hundreds of miles away from the primary
region. It provides at least 99.99999999999999% (16 9's) durability of objects over a given year. GRS replicates our data to another region,
but data will be available to be read-only if Microsoft initiates a failure from primary to the secondary region.
Read-access geo-redundant storage (RA-GRS)

It is based on the GRS, but it also provides an option to read from the secondary region, regardless of whether Microsoft initiates a failover
from the primary to the secondary region.
upvoted 38 times
  thesagarlee 4 months, 1 week ago

Supporting article - https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy#read-access-to-data-in-the-
secondary-region
upvoted 2 times
  Saravana12g Highly Voted  5 months, 1 week ago

Answer B.
upvoted 11 times

Selected Answer: B
Vote B
upvoted 1 times
  Macko1 1 month, 3 weeks ago

Passed today. This was one of the questions
upvoted 1 times
  Vkom 1 month, 3 weeks ago
Selected Answer: B
B is correct
upvoted 1 times

Selected Answer: B
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy#read-access-to-data-in-the-secondary-region
upvoted 1 times
  arkadius 2 months, 1 week ago

Selected Answer: B
upvoted 1 times

Ans : B
Regardless of Microsoft initiates failover to secondary region. Hence RA-GRS provides option to read from the secondary
upvoted 1 times
  MavDro 2 months, 3 weeks ago

Selected Answer: B
Answer B should be correct
upvoted 1 times
  AVINASHSIN 2 months, 3 weeks ago

Selected Answer: B
B is the option
upvoted 2 times
  sboy 3 months ago

My beef is that there is nothing called (Read-Only Geo-Redundant Storage). It's called RA-GRS, not RO-GRS. I'm going with A on my test
today.
Read access to data in the secondary region

Geo-redundant storage (with GRS or GZRS) replicates your data to another physical location in the secondary region to protect against
regional outages. However, that data is available to be read only if the customer or Microsoft initiates a failover from the primary to
secondary region. When you enable read access to the secondary region, your data is available to be read at all times, including in a
situation where the primary region becomes unavailable. For read access to the secondary region, enable read-access geo-redundant
storage (RA-GRS) or read-access geo-zone-redundant storage (RA-GZRS).
upvoted 6 times
  Rodcr1 4 months, 1 week ago

Question came in today's test 10/13/21
upvoted 5 times
  ghfalcon7 4 months, 1 week ago

There is no storage option called read only geo redundant storage, answer should be A, you just enable the Read-access geo-redundant
storage (RA-GRS) after you select the GRS option.
upvoted 4 times
  pkazemei 6 months, 1 week ago

This is a trick question.
I thought A, but then the question says at the end "Data can be read from the secondary location as well as from the primary location".
This means the answer is B, because only RA-GRS can do this.

upvoted 4 times
  maxmarco71 6 months, 3 weeks ago

Answer is C
Zone-redundant storage (ZRS) copies your data synchronously across three Azure availability zones in the primary region. For applications
requiring high availability, Microsoft recommends using ZRS in the primary region, and also replicating to a secondary region.
With ZRS, your data is still accessible for both read and write operations even if a zone becomes unavailable
upvoted 2 times
  chaudha4 6 months, 2 weeks ago

Wrong Answer. availability zones will not provide geo redundancy. You need RA-GRS.
upvoted 3 times
  WillHayes 7 months, 2 weeks ago
With GRS or GZRS, the data in the secondary region isn't available for read or write access unless there is a failover to the secondary
region. For read access to the secondary region, configure your storage account to use read-access geo-redundant storage (RA-GRS) or
read-access geo-zone-redundant storage (RA-GZRS). For more information, see Read access to data in the secondary region.
upvoted 3 times
  jackr76 7 months, 3 weeks ago

A?
Data must be stored on multiple nodes.

Data must be stored on nodes in separate geographic locations.
upvoted 1 times
  TTTTT88888 6 months, 3 weeks ago

Its B because only RA-GRS allow read-only even when Primary is alive
upvoted 2 times
  neemz 7 months, 3 weeks ago

I think A too. Questions says "Data can be read" it does not say not indicated it must only be read
upvoted 1 times
Your company has an azure subscription that includes a storage account, a resource group, a blob container and a file share.
A colleague named Jon Ross makes use of a solitary Azure Resource Manager (ARM) template to deploy a virtual machine and an additional
Azure Storage account.
You want to review the ARM template that was used by Jon Ross.
Solution: You access the Virtual Machine blade.
A. Yes
B. No
Correct Answer: B
You should use the Resource Group blade
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-export-template

B (100%)
  d0bermannn Highly Voted  7 months, 2 weeks ago

it is so easy =B. No ))
upvoted 9 times
  Abhinav1503 Highly Voted  2 months, 3 weeks ago

Answer must be No, as questions talk about VM and storage account both which can only be reviewed at RG level.
upvoted 7 times

Selected Answer: B
Vote B
upvoted 1 times
  edengoforit 2 weeks, 5 days ago

Answer is No: go to Resource Group Pane -> Deployment -> Check whatever required -> View Template
upvoted 1 times
  TRT007 1 month, 1 week ago

ANS is B
upvoted 1 times
  Hunk_cn 1 month, 2 weeks ago

The answer is B.
upvoted 1 times

Selected Answer: B
You can view deployments history on
- single resource level
- resource group level
- subscription level
- management group level
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deployment-history
upvoted 3 times

Ans : B
RG blade
upvoted 2 times
  tyleractivate 2 months, 1 week ago

Selected Answer: B
To export one or more resources from a resource group:
1. Select the resource group that contains the resources you want to export.
2. Select one or more resources by selecting the checkboxes. To select all, select the checkbox on the left of Name. The Export template
menu item only becomes enabled after you've selected at least one resource.
3. Select Export template.

upvoted 1 times
  thesagarlee 4 months, 1 week ago

here are two ways to export a template:
Export from resource group or resource: This option generates a new template from existing resources. The exported template is a
"snapshot" of the current state of the resource group. You can export an entire resource group or specific resources within that resource
group.
Save from history: This option retrieves an exact copy of a template used for deployment. You specify the deployment from the
deployment history.
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/export-template-portal#choose-the-right-export-option
upvoted 6 times

There is also an "export template" link on VM blade, why cannot we use it?
So the answer should be "Yes"
upvoted 2 times
  khengoolman 5 months, 1 week ago

Because you want to review the template that Jon used, not export the current configuration of the VM, which will not include the
template for the storage, for example, additionally, the VM may have been changed, we don't know.
upvoted 13 times
  d0bermannn 7 months, 1 week ago

rg blade, as for one hundred q ago
upvoted 4 times
Solution: You access the Resource Group blade.
A. Yes
B. No
Correct Answer: A
To view a template from deployment history:
1. Go to the resource group for your new resource group. Notice that the portal shows the result of the last deployment. Select this link.
2. You see a history of deployments for the group. In your case, the portal probably lists only one deployment. Select this deployment.
3. The portal displays a summary of the deployment. The summary includes the status of the deployment and its operations and the values that
you provided for parameters. To see the template that you used for the deployment, select View template.
Reference:

A (100%)

A is correct
upvoted 15 times
  GaryJohnson Most Recent  1 week, 1 day ago

A - Yes Azure Portal -> Resource Groups -> Resource Group Name (that contains the template) -> Resource Group
Blade/Settings/Deployments -> Deployments Blade/Deployment Name (for template) -> Deployment Blade/Overview/Template
upvoted 2 times

Selected Answer: A
Vote A
upvoted 1 times

Answer: A
upvoted 1 times

Selected Answer: A
THat the correct answer
upvoted 1 times

Selected Answer: A

upvoted 2 times
  Teab91 4 months ago

Yes. Because he provisioned storage as well
upvoted 2 times
  Omar_Aladdin 4 months, 3 weeks ago

A is correct:
from Resource Group choose ----> Deployments blade
upvoted 4 times
Solution: You access the Container blade.
A. Yes
B. No
Correct Answer: B
You should use the Resource Group blade
Reference:

B (100%)

B. No, as all of us know)
upvoted 10 times

Selected Answer: B
Vote B
upvoted 2 times

Selected Answer: B

upvoted 1 times
  rrabeya 3 months, 2 weeks ago

B. No
you should go to Resource Group then --> Deployments blade
upvoted 2 times
Your company has three virtual machines (VMs) that are included in an availability set.
You try to resize one of the VMs, which returns an allocation failure message.
It is imperative that the VM is resized.
Which of the following actions should you take?
A. You should only stop one of the VMs.
B. You should stop two of the VMs.
C. You should stop all three VMs.
D. You should remove the necessary VM from the availability set.
Correct Answer: C
If the VM you wish to resize is part of an availability set, then you must stop all VMs in the availability set before changing the size of any VM in
the availability set.
The reason all VMs in the availability set must be stopped before performing the resize operation to a size that requires different hardware is
that all running VMs in the availability set must be using the same physical hardware cluster. Therefore, if a change of physical hardware cluster
is required to change the VM size then all VMs must be first stopped and then restarted one-by-one to a different physical hardware clusters.
Reference:
https://azure.microsoft.com/es-es/blog/resize-virtual-machines/

C (100%)
  CLagnuts Highly Voted  7 months, 3 weeks ago

C. Looks Correct
Stop all the VMs in the availability set. Click Resource groups > your resource group > Resources > your availability set > Virtual Machines >
your virtual machine > Stop.
After all the VMs stop, resize the desired VM to a larger size.
Select the resized VM and click Start, and then start each of the stopped VMs.
upvoted 22 times
  MrJR Highly Voted  4 months, 4 weeks ago

This question is deprecated. I tested and I was able to change the size of a VM, which is in an availability set with two other VMs, without
stopping any other VM. With the three VMs up you can resize any of them.
upvoted 10 times
  drainuzzo 2 months, 4 weeks ago

But the question reported: "You try to resize one of the VMs, which returns an allocation failure message." so you can only stop all the 3
vms
upvoted 2 times

c ,should Stop all the VMs in the availability set
upvoted 1 times

Selected Answer: C
Vote C
upvoted 1 times
  wondinv 2 weeks ago

After testing in lab, it's possible to change the size of a VM which is included in a Availability Set without turning it off. The restriction
comes when the physical cluster does not have anymore resources left. On this situation an error message will be showed as stated on
the question. In this case, you need to turn all the VMs down and resize the desired on. (In the background AWS will replace the VMs to a
different hardware cluster if needed).
upvoted 1 times
  RRupesh 1 month, 2 weeks ago

in exam 22/12/21 . C is correct
upvoted 1 times

C is the correct answer
Only one VM in same availability set can be resized if upgrading to same VM family.
In the question you see "allocation error" which happens if you are upgrading one VM which is not part of same VM family, or the VM is
not available. The resolution is to stop all the VMs and resize each VM. Please check troubleshooting guide for better explanation:
https://docs.microsoft.com/bs-latn-ba/troubleshoot/azure/virtual-machines/restart-resize-error-troubleshooting
upvoted 4 times

Ans : C
Stop all the VM's for deallocation then increase the size
upvoted 1 times
  verifedtomic 2 months, 3 weeks ago

Selected Answer: C
Since the VM is in an availability SET, all three VMs have to be identical. You can't resize one, but all three. To resize a VM(s), VM(s) have to
be shutdown - deallocated
upvoted 3 times

C. All VM's must be deallocated
Check it here: https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/allocation-failure#resize-a-vm-or-add-vms-to-an-
existing-availability-set
upvoted 1 times
  Marciojsilva 3 months, 1 week ago

look here
https://azure.microsoft.com/es-es/blog/resize-virtual-machines/
"Resize Resource Manager (ARM) virtual machine to size not available in current hardware cluster
If your VM(s) are deployed using the Resource Manager (ARM) deployment model and you need to change to a size which requires
different hardware then you can resize VMs by first stopping your VM, selecting a new VM size and then restarting the VM. If the VM you
wish to resize is part of an availability set, then you must stop all VMs in the availability set before changing the size of any VM in the
availability set"
upvoted 3 times
  Rodcr1 4 months, 1 week ago

Question came in today's test 10/13/21
upvoted 5 times
  SulSulEi 6 months ago

Answer is correct based on,
https://www.examtopics.com/discussions/microsoft/view/20714-exam-az-103-topic-3-question-11-discussion/
upvoted 1 times
  Bloodwar 7 months, 1 week ago

Correct, C, you need stop all VMs to change the size in your availability set.
upvoted 1 times
  marcusaurelius124 7 months, 1 week ago

I believe the answer, C, is correct.
"When you try to start a stopped Azure Virtual Machine (VM), or resize an existing Azure VM, the common error you encounter is an
allocation failure."
"After all the VMs stop, resize the desired VM to a larger size."
Source:
https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/restart-resize-error-troubleshooting
upvoted 3 times

Cause
The request to resize the VM has to be attempted at the original cluster that hosts the cloud service. However, the cluster does not
support the requested VM size.
upvoted 1 times
  korben_dallas 7 months, 2 weeks ago

I believe the answer is A under the assumption that the size check was already performed on the VM
If the new size for a VM in an availability set is not available on the hardware cluster currently hosting the VM, then all VMs in the
availability set will need to be deallocated to resize the VM.
You can check which sizes are available on the hardware cluster where the VM is hosted prior to resizing. If the desired size is listed , then
you don't have to deallocate all three.
If the size you want is not listed, you have to deallocate all VMs in the availability set, resize VMs, and restart them.
upvoted 2 times
  Veerabhadra_reddy 4 months ago

I think the options should be rephrased, and you are correct, as per the MS DOCs -> If the new size for a VM in an availability set is not
available on the hardware cluster currently hosting the VM, then all VMs in the availability set will need to be deallocated to resize the
VM. You also might need to update the size of other VMs in the availability set after one VM has been resized
upvoted 1 times
  jellybiscuit 5 months, 2 weeks ago

Perhaps it depends on the age of the question.
Currently, M$ is currently encouraging people to initiate a resize without first deallocating.

- if a resize is not possible in this way, the requested size isn't available in the current cluster
- if the size isn't available in the current cluster, all the servers in the AS will need to be deallocated.
upvoted 4 times
You have an Azure virtual machine (VM) that has a single data disk. You have been tasked with attaching this data disk to another Azure VM.
You need to make sure that your strategy allows for the virtual machines to be offline for the least amount of time possible.
Which of the following is the action you should take FIRST?
A. Stop the VM that includes the data disk.
B. Stop the VM that the data disk must be attached to.
C. Detach the data disk.
D. Delete the VM that includes the data disk.
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/detach-disk https://docs.microsoft.com/en-us/azure/lab-services/devtest-
lab-attach-detach-data-disk

C (100%)
  jecawi9630 Highly Voted  7 months, 3 weeks ago

Wrong. You can simply detach a data disk from one VM and attach it to the other VM without stopping either of the VMs.
upvoted 69 times
  imartinez 5 months, 2 weeks ago

Right. the correct answer is C: detach the disk is the first action.
And Also:
You can only attach a data disk to a VM that is running-
https://docs.microsoft.com/en-us/azure/devtest-labs/devtest-lab-attach-detach-data-disk
upvoted 10 times
  FrostyD 6 months, 1 week ago

Correct, tested in lab
upvoted 3 times
  jjnelo 6 months, 3 weeks ago

Correct. Just tested in lab.
upvoted 2 times
  EKTan 7 months, 2 weeks ago

Correct. Just tested in lab. Didn't have to stop the VM the detach and attach to the other.
upvoted 10 times
  theorut Most Recent  1 day, 20 hours ago

VM has a single disk (so this will be an OS disk) and therefore VM needs to be stopped first. No detach available for OS disk.
upvoted 2 times
  pawel_ski 1 day, 3 hours ago

No. It is written "data disk" no "a disk". There is a distinction between a OS disk and a Data disk.
upvoted 1 times
  Pasmo 1 day, 23 hours ago

Detach the data disk
upvoted 1 times
  raoeh 1 week, 1 day ago

tested in my machine answer c
upvoted 2 times

Selected Answer: C
Vote C
upvoted 1 times
  wondinv 2 weeks ago

Just tested in lab. You don't need to turn the VMs off. Just detach the disk and attach it to the secondary VM.
upvoted 1 times
  atilla 2 weeks, 3 days ago

second links says no need to stop a VM
upvoted 1 times
  Salu007 1 month ago

Selected Answer: C
Answer is C
upvoted 1 times

I think the answer is A.
Disks can be HOT removed yes, but before doing so you should prevent the disk from being used while doing so to avoid data corruption
and based on available answers A addresses that. Also the question implies that a minimum of downtime is ok. And from a logical point of
view who in their right mind would HOT disconnect a disk without making sure that nothing is running on the disk?!?
upvoted 2 times
  AbleApe 2 weeks, 5 days ago

A does address the data corruption but you can also just stop an app from running on the VM to prevent use of the disk. You will still
have app downtime but perhaps not VM downtime. IMO that's faster and safer than just shutting down the VM depending on how the
app is written.
upvoted 2 times
  LiMburu 1 month ago

The best practice should always assuming there are services writing to the disk, so always stop it first before detaching.
upvoted 1 times
  LeomHD 1 month ago

no es necesario apagar la máquina
upvoted 1 times
  vihanga93 1 month, 1 week ago

Selected Answer: C
correct answer is C
upvoted 1 times
  graige2 1 month, 2 weeks ago

Selected Answer: C
Ans : C
You can detach a data disk from running VM, no need stop the VM
upvoted 3 times

I'm confused...because @CellCS has a good point reflected here:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/detach-disk#detach-a-data-disk-using-powershell -->
"You can hot remove a data disk using PowerShell, but make sure nothing is actively using the disk before detaching it from the VM."
Ok you can detach and attach without taking VM off but question says: "You need to make sure that your strategy ALLOWS for the virtual
machines to be offline for the least amount of time possible."
And if the VM has an App actively using the data disk... data can get corrupt... It's not just about how technically possible it is, but how we
as administrators must manage infrastructure effectively... right?
upvoted 3 times
  CellCS 1 month, 2 weeks ago

A answer is right. The VM has only one data disk. to detach this disk, need to make sure nothing is actively using the disk before detaching
it from the VM (https://docs.microsoft.com/en-us/azure/virtual-machines/windows/detach-disk).
upvoted 1 times

Sounds fair... as the question tells you can take the machines offline but for the minimum amount of time... As the actual VM can be
reading/writing to data disk it could represent a risk to detach it with the VM up... but I'm still confused.
upvoted 1 times

only one disk, So I think we should stop the VM server
upvoted 3 times

Data disk != OS Disk
upvoted 2 times
  ninjia 1 month, 3 weeks ago

Selected Answer: C
I think the correct answer is C.
You can detach a data disk without stopping the VM. Tested in Azure as below:
Preparation
1. Create a Windows VM with OS disk and one data disk.
2. Make sure the VM is running.
Detach
1. Select the virtual machine that has the data disk you want to detach.
2. Under Settings, select Disks.
3. In the Disks pane, to the far right of the data disk that you would like to detach, select the X button to detach.
4. Select Save on the top of the page to save your changes.
Now the disk has been detached from the VM.
Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/detach-disk
upvoted 1 times
Your company has an Azure subscription.

You need to deploy a number of Azure virtual machines (VMs) using Azure Resource Manager (ARM) templates. You have been informed that the
VMs will be included in a single availability set.
You are required to make sure that the ARM template you configure allows for as many VMs as possible to remain accessible in the event of fabric
failure or maintenance.
Which of the following is the value that you should configure for the platformFaultDomainCount property?
A. 10
B. 30
C. Min Value
D. Max Value
Correct Answer: D
The number of fault domains for managed availability sets varies by region - either two or three per region.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/manage-availability

D (100%)

D is correct. 2 or 3 is max for a region so answer should be Max.
https://stackoverflow.com/questions/49779604/how-to-find-maximum-update-domains-fault-domains-available-in-an-azure-region
upvoted 10 times
  Kopy 6 months, 1 week ago

Wrong. The link highlights Update Domain not fault domain.
upvoted 1 times
  Phlex Most Recent  20 hours, 46 minutes ago

Selected Answer: D
Correct is D
upvoted 1 times
  Balucl 5 days, 9 hours ago

Selected Answer: D
CORRECT ANSWER IS D
upvoted 1 times

Selected Answer: D
D is correct
upvoted 2 times
  Nichols 2 months ago

Selected Answer: D
D is correct
upvoted 1 times
  Bere 3 months, 1 week ago

As described here:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-manage-fault-domains
You can set the parameter --platform-fault-domain-count to 1, 2, or 3 (default of 3 if not specified).
And as described here:

https://docs.microsoft.com/en-us/azure/virtual-machines/availability-set-overview
Each virtual machine in your availability set is assigned an update domain and a fault domain by the underlying Azure platform. Each
availability set can be configured with up to three fault domains and twenty update domains.
So answer is D Max Value

upvoted 3 times
Each virtual machine in your availability set is assigned an update domain and a fault domain by the underlying Azure platform. Each
availability set can be configured with up to three fault domains and twenty update domains.
With CLI the platform fault domain count will default to 5 whenever a value has not been specified.
Now if they are stating the parameter accepts MAX or MIN this appears incorrect. The maximum according to the listings below are 3 and
there are no MAX/MIN parameters as an option. But if they mean choose the max amount after you find out.... then yes the answer is Max
Value. Seems best to just not to put a number and it should default to 5.
upvoted 3 times

https://docs.microsoft.com/en-us/azure/virtual-machines/availability-set-
overview#:~:text=Each%20availability%20set%20can%20be,domains%20and%20twenty%20update%20domains.
3 fault domains and 20 update domains.
upvoted 3 times

So MaX
upvoted 1 times
  Kopy 6 months ago

"up to three fault domains for Resource Manager deployments (two fault domains for Classic)."
The questions states "You plan to use Azure Resource Manager templates " Therefore if 3 fault domains are available in your region
the answer should be 3.
"“The number of fault domains for managed availability sets varies by region - either two or three per region"
upvoted 1 times

The question does not say that the max and min values are defined anywhere. Is this question missing some additional information
regarding the ARM templates ? Based on the information provided, none of the options are correct.
upvoted 2 times
  SushilJinder 1 month, 3 weeks ago

this implies that they are asking for max value .."as many VMs as possible......"
upvoted 1 times
  Rohithalkt 7 months, 2 weeks ago

Correct.
Should be D
upvoted 3 times
Your company has an Azure subscription.

You need to deploy a number of Azure virtual machines (VMs) using Azure Resource Manager (ARM) templates. You have been informed that the
VMs will be included in a single availability set.
You are required to make sure that the ARM template you configure allows for as many VMs as possible to remain accessible in the event of fabric
failure or maintenance.
Which of the following is the value that you should configure for the platformUpdateDomainCount property?
A. 10
B. 20
C. 30
D. 40
Correct Answer: D
Each virtual machine in your availability set is assigned an update domain and a fault domain by the underlying Azure platform. For a given
availability set, five non-user-configurable update domains are assigned by default (Resource Manager deployments can then be increased to
provide up to 20 update domains) to indicate groups of virtual machines and underlying physical hardware that can be rebooted at the same
time.
Reference:

B (100%)
  tubby04 Highly Voted  4 months, 3 weeks ago

Correct answer is B. 20
'Each virtual machine in your availability set is assigned an update domain and a fault domain by the underlying Azure platform. Each
availability set can be configured with up to three fault domains and twenty update domains.'
upvoted 52 times
  Pradh Highly Voted  3 months, 3 weeks ago

Admin of this Website ... Please Update the answer to "B" .
its giving negative impact on people who think of buying Contributor Access seeing such mistakes .
upvoted 32 times
  Sjardi 3 months, 1 week ago

About 50% of the questions have a wrong answer to it.
upvoted 10 times
  ruterjunior Most Recent  2 weeks, 4 days ago

Set to 20
upvoted 1 times
  ddon1999 3 weeks, 1 day ago

40!!! omg. who is answering these??
upvoted 1 times
  Marski 3 weeks, 2 days ago

There is right answer 20. The text given says it but not indicated choice. Update?
upvoted 1 times
  Foow 3 weeks, 4 days ago

Selected Answer: B
It also says so in the answer reference
upvoted 1 times
  Salu007 1 month ago

Selected Answer: B
Each availability set can be configured with up to three fault domains and twenty update domains
upvoted 2 times
  elishlomo 1 month, 2 weeks ago

Selected Answer: B
The platformUpdateDomainCount is a property that defines how many update domains there are in the availability set. The upper limit is
20.
Suppose the platformUpdateDomainCount is set to 3, and you have 15 virtual machines in the availability set. In that case, it means that 5
VMs can be updated and unavailable, but the remaining 10 VMs are always available.
upvoted 2 times
  MSExpert 1 month, 2 weeks ago

Correct answer is B. 20
Admin or Moderator please change this answer to 20. Why it is still showing 40 ?
upvoted 4 times
  JIGT 1 month, 3 weeks ago

20. Each availability set can be configured with up to three fault domains and twenty update domains.
upvoted 2 times

Selected Answer: B
20 is the max value available to choose
upvoted 3 times
  Sara_Mo 1 month, 3 weeks ago

Selected Answer: B
The correct answer is B
upvoted 3 times
  rehan_k 1 month, 3 weeks ago

Selected Answer: B
Maximum update domain in Azure is 20
upvoted 3 times
  Linkjap 2 months ago

Selected Answer: B
Answer is B
upvoted 2 times
  hosseny 2 months, 1 week ago

correct answer is B 20
https://www.c-sharpcorner.com/article/availability-set-fault-domains-and-update-domains-in-azure-virtual-machie/
upvoted 2 times

Ans : B
Update domains : 20
Fault domains : 3
upvoted 2 times
  pkerley 2 months, 1 week ago

Selected Answer: B
Limit is 20
upvoted 1 times
DRAG DROP -
You have downloaded an Azure Resource Manager (ARM) template to deploy numerous virtual machines (VMs). The ARM template is based on a
current VM, but must be adapted to reference an administrative password.
You need to make sure that the password cannot be stored in plain text.
You are preparing to create the necessary components to achieve your goal.
Which of the following should you create to achieve your goal? Answer by dragging the correct option from the list to the answer area.
Select and Place:
Correct Answer:
You can use a template that allows you to deploy a simple Windows VM by retrieving the password that is stored in a Key Vault. Therefore, the
password is never put in plain text in the template parameter file.
  pakman Highly Voted  4 months, 3 weeks ago

Key vault + access policy
upvoted 18 times
  Incredible99 Highly Voted  3 months, 2 weeks ago

This was in my exam at 10/31/2021
upvoted 12 times
  Prano Most Recent  2 months, 1 week ago

Ans : Access policy and Azure Key vault
upvoted 2 times
  LukeAldred 2 months, 3 weeks ago

Seems as though Key Vault and Access Policy would make most sense although I guessed at only Key Vault. See
https://docs.microsoft.com/en-us/azure/key-vault/general/assign-access-policy
upvoted 3 times
  yooi 3 months, 2 weeks ago

Why access policy? Just a key vault is enough?
You wouldn't need any of these:
Access policies only support these storage resources:
Blob containers
File shares
Queues
Tables
https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy
upvoted 1 times

Key Vault will store your KV pairs but you still need to configure the access policy to determine the level of access that a service
principal (ARM template will use) can perform against the key vault.
https://docs.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal
upvoted 14 times
  kkkb 3 months, 2 weeks ago

Took exam 30 Oct. This question came out
upvoted 4 times
  bcristella 4 months ago

Key vault+ Access Policy

upvoted 2 times
  kaloszertest 4 months ago

Just key vault:
Access policy does not support Key Vaults

upvoted 2 times

Kindly check https://docs.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal for Key Vault reference
of access policy.
upvoted 2 times
  ohana 4 months ago

Took the exam today, 17 Oct. This question came out: Key vault + access policy
upvoted 5 times

You'd use a Key Vault to avoid plain text passwords
upvoted 4 times

And access policy to make sure that the service principal has the right level of access. https://docs.microsoft.com/en-us/azure/key-
vault/general/assign-access-policy?tabs=azure-portal
upvoted 2 times
  ech 4 months, 3 weeks ago

Answer is correct
upvoted 3 times
Your company has an Azure Active Directory (Azure AD) tenant that is configured for hybrid coexistence with the on-premises Active Directory
domain.
The on-premise virtual environment consists of virtual machines (VMs) running on Windows Server 2012 R2 Hyper-V host servers.
You have created some PowerShell scripts to automate the configuration of newly created VMs. You plan to create several new VMs.
You need a solution that ensures the scripts are run on the new VMs.
Which of the following is the best solution?
A. Configure a SetupComplete.cmd batch file in the %windir%\setup\scripts directory.
B. Configure a Group Policy Object (GPO) to run the scripts as logon scripts.
C. Configure a Group Policy Object (GPO) to run the scripts as startup scripts.
D. Place the scripts in a new virtual hard disk (VHD).
Correct Answer: A
After you deploy a Virtual Machine you typically need to make some changes before it‫ג‬€™s ready to use. This is something you can do manually
or you could use
Remote PowerShell to automate the configuration of your VM after deployment for example.
But now there‫ג‬€™s a third alternative available allowing you customize your VM: the CustomScriptextension.
This CustomScript extension is executed by the VM Agent and it‫ג‬€™s very straightforward: you specify which files it needs to download from
your storage account and which file it needs to execute. You can even specify arguments that need to be passed to the script. The only
requirement is that you execute a .ps1 file.
Reference:
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/add-a-custom-script-to-windows-setup
https://azure.microsoft.com/en-us/blog/automating-vm-customization-tasks-using-custom-script-extension/

A (100%)

Ans: A
After Windows is installed but before the logon screen appears, Windows Setup searches for the SetupComplete.cmd file in the
%WINDIR%\Setup\Scripts\ directory
upvoted 24 times
  NZure Highly Voted  4 months, 2 weeks ago

Is this really on the AZ-104? It has nothing to do with Azure.
upvoted 21 times
  Chi1987 4 months, 1 week ago

Dude you might get a question about how you prepare omelette using VMs and LB and still you have to answer it if u want to be MS
expert
upvoted 101 times

That was funny! I had the exact same thought as NZure.
upvoted 1 times

damn right
upvoted 1 times
  d0bermannn 1 month ago

it is obvious, use
get\set\new\add\update\remove -AzRMOmlette
))
upvoted 5 times

Selected Answer: A
Vote A
upvoted 1 times

Anyone actually got that question if so when?
upvoted 2 times

Selected Answer: A
A.
Setupcomplete.cmd is a custom script that runs during or after the Windows Setup process. They can install apps or run other tasks using
cscript/wscript scripts.
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/add-a-custom-script-to-windows-setup?view=windows-11
upvoted 2 times
  LukeAldred 2 months, 3 weeks ago

Like NZure said "Is this really on the AZ-104? It has nothing to do with Azure". Plus the answer describes CustomScriptExtension which is
none of the options?
upvoted 3 times

Answer: SetupComplete.cmd
After Windows is installed but before the logon screen appears, Windows Setup searches for the SetupComplete.cmd file in the
%WINDIR%\Setup\Scripts\ directory.
If a SetupComplete.cmd file is found, Windows Setup runs the script. Windows Setup logs the action in the
C:\Windows\Panther\UnattendGC\Setupact.log file.
Setup does not verify any exit codes or error levels in the script after it executes SetupComplete.cmd.
If the computer joins a domain during installation, the Group Policy that is defined in the domain is not applied to the computer until
Setupcomplete.cmd is finished. This is to make sure that the Group Policy configuration activity does not interfere with the script.
Note:
You can't reboot the system and resume running SetupComplete.cmd. You should not reboot the system by adding a command such as
shutdown -r. This will put the system in a bad state.
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/add-a-custom-script-to-windows-setup?view=windows-11
upvoted 7 times
  Adebowale 6 months ago

Thank you for the confirmation
upvoted 4 times
  ppp131176 7 months, 2 weeks ago

A is correct
upvoted 4 times
Your company has an Azure Active Directory (Azure AD) tenant that is configured for hybrid coexistence with the on-premises Active Directory
domain.
You plan to deploy several new virtual machines (VMs) in Azure. The VMs will have the same operating system and custom software
requirements.
You configure a reference VM in the on-premise virtual environment. You then generalize the VM to create an image.
You need to upload the image to Azure to ensure that it is available for selection when you create the new Azure VMs.
Which PowerShell cmdlets should you use?
A. Add-AzVM
B. Add-AzVhd
C. Add-AzImage
D. Add-AzImageDataDisk
Correct Answer: B
The Add-AzVhd cmdlet uploads on-premises virtual hard disks, in .vhd file format, to a blob storage account as fixed virtual hard disks.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/upload-generalized-managed

B (100%)
  Chi1987 Highly Voted  4 months, 3 weeks ago

Correct answer.
Example for how you do this:
Add-AzVhd -ResourceGroupName $resourceGroup -Destination $urlOfUploadedImageVhd `

-LocalFilePath $localPath
upvoted 16 times
  serenity404 Highly Voted  4 months, 3 weeks ago

Answer B is correct, but reference link has no mention of this command.
Look here instead: https://docs.microsoft.com/en-us/powershell/module/az.compute/add-azvhd?view=azps-6.4.0
upvoted 5 times
  pappkarcsiii Most Recent  2 weeks ago

Selected Answer: B
Correct answer.
Example for how you do this:

Add-AzVhd -ResourceGroupName $resourceGroup -Destination $urlOfUploadedImageVhd ` -LocalFilePath $localPath
upvoted 1 times
  fahadiqbal 3 weeks ago

Selected Answer: B
B is correct
upvoted 1 times
  mufflon 1 month ago

upvoted 1 times

Selected Answer: B
B. The Add-AzVhd cmdlet uploads an on-premise virtual hard disk to a managed disk or a blob storage account.
https://docs.microsoft.com/en-us/powershell/module/az.compute/add-azvhd?view=azps-7.0.0
upvoted 2 times
  Snownoodles 1 month, 3 weeks ago

Selected Answer: B
Microsoft doesn't recommend to use 'add-advhd' anymore, use azcopy:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disks-upload-vhd-to-managed-disk-powershell
upvoted 3 times
  Empel 1 week, 4 days ago

From your own link "Generally, you should use Add-AzVHD. However, if you need to upload a VHD that is larger than 50 GiB, consider
uploading the VHD manually with AzCopy"
upvoted 2 times

Selected Answer: B
VHD stands for 'Virtual Hard Disk' - Add-AzVhd
upvoted 3 times
  hanahjane13 2 months ago

B. add-azvhd
upvoted 1 times

Selected Answer: B
$vhdSizeBytes = (Get-Item "<fullFilePathHere>").length
.
$diskconfig = New-AzDiskConfig -SkuName 'Standard_LRS' -OsType 'Windows' -UploadSizeInBytes $vhdSizeBytes -Location '<yourregion>' -
CreateOption 'Upload'
.
New-AzDisk -ResourceGroupName '<yourresourcegroupname>' -DiskName '<yourdiskname>' -Disk $diskconfig
.
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disks-upload-vhd-to-managed-disk-powershell
upvoted 2 times
  J511 3 months ago

Answer is B. VHD stands for 'Virtual Hard Disk' - when you get asked to deploy and image to a VM think: Add-AzVhd
Reference: https://docs.microsoft.com/en-us/powershell/module/az.compute/add-azvhd?view=azps-6.6.0
upvoted 1 times

B is correct answer.
This article walks you through using PowerShell to upload a VHD of a generalized VM to Azure, create an image from the VHD, and create
a new VM from that image. You can upload a VHD exported from an on-premises virtualization tool or from another cloud. Using
Managed Disks for the new VM simplifies the VM management and provides better availability when the VM is placed in an availability set.
upvoted 4 times
  PRM 4 months ago

why isn't the letter C?
upvoted 1 times
  754a 3 months, 3 weeks ago

Because add-azimage isn't a command, new-azimage is to create an image and isn't an option, but the question asks about "upload"
image. Answer is B: https://docs.microsoft.com/en-us/powershell/module/az.compute/add-azvhd?view=azps-6.5.0
upvoted 3 times
  JohnPhan 4 months, 1 week ago

Answer: B
Add-AzVhd -ResourceGroupName $resourceGroup -Destination $urlOfUploadedImageVhd `
-LocalFilePath $localPath
https://docs.microsoft.com/en-us/previous-versions/azure/virtual-machines/scripts/virtual-machines-windows-powershell-upload-
generalized-script
upvoted 2 times
  y_dev 4 months, 1 week ago

example command :
Add-AzVhd -Destination "http://contosoaccount.blob.core.windows.net/vhdstore/win7baseimage.vhd?st=2013-01
-09T22%3A15%3A49Z&se=2013-01-09T23%3A10%3A49Z&sr=b&sp=w&sig=13T9Ow%2FRJAMmhfO%2FaP3HhKKJ6AY093SmveO
SIV4%2FR7w%3D" -LocalFilePath "C:\vhd\win7baseimage.vhd"
https://docs.microsoft.com/en-us/powershell/module/az.compute/add-azvhd?view=azps-6.4.0
upvoted 2 times
  sk1803 4 months, 3 weeks ago

Answer: B
I would like to answer New-AzImage, but that is not an option.
In order to create the image, I do have to have my VHD uploaded to azure though. I would use Add-AzVhd for that.
https://docs.microsoft.com/en-us/powershell/module/az.compute/new-azimage
https://docs.microsoft.com/en-us/powershell/module/az.compute/add-azvhd
upvoted 4 times
  Rocky007 4 months, 3 weeks ago

B is the correct answer
upvoted 1 times
DRAG DROP -
Your company has an Azure subscription that includes a number of Azure virtual machines (VMs), which are all part of the same virtual network.
Your company also has an on-premises Hyper-V server that hosts a VM, named VM1, which must be replicated to Azure.
Which of the following objects that must be created to achieve this goal? Answer by dragging the correct option from the list to the answer area.
Select and Place:
Correct Answer:
  weqr23wrefs Highly Voted  4 months, 3 weeks ago

For physical servers
- Storage Account
- Azure Recovery Services Vault
- Replication policy
https://docs.microsoft.com/en-us/azure/site-recovery/physical-azure-disaster-recovery
For Hyper-v server

- Hyper-V site
https://docs.microsoft.com/en-nz/azure/site-recovery/hyper-v-prepare-on-premises-tutorial
upvoted 57 times

A Recovery Services vault is a storage entity in Azure that houses data. The data is typically copies of data, or configuration information
for virtual machines (VMs), workloads, servers, or workstations. You can use Recovery Services vaults to hold backup data for various
Azure services such as IaaS VMs (Linux or Windows) and Azure SQL databases.
A replication policy defines the retention history of recovery points, and the frequency of app-consistent snapshots. Site Recovery
creates a default replication policy as follows:
Retain recovery points for 24 hours.

Take app-consistent snapshots every four hours.
upvoted 2 times

So the answer is
- Hyper-V site
upvoted 2 times

When you create a Recovery Services Vault, a storage account is created automatically. So I think storage account is a trick, you don't
need it
upvoted 5 times
  Snownoodles 2 months, 3 weeks ago

According to this doc, both storage account and Recovery Services Vault are required:
https://docs.microsoft.com/en-us/azure/site-recovery/tutorial-prepare-azure-for-hyperv
upvoted 2 times
  NarenderSingh Highly Voted  4 months, 2 weeks ago

1. Hyper-V site
2. Azure Recovery Services Vault
3. Replication policy
https://docs.microsoft.com/nl-nl/azure/site-recovery/hyper-v-azure-tutorial
upvoted 13 times
  Mozbius_ Most Recent  4 weeks, 1 day ago

It is almost criminal for this question to be asked with those choices of answers when recovery of on-premise server is not even described
in Microsoft own instructor-led online training for az-104!!
upvoted 6 times
  RRupesh 1 month, 2 weeks ago

in exam 22/12/21 .
upvoted 4 times

It looks like a storage account is required for on-premise hyper-v site recovery:
https://docs.microsoft.com/en-us/azure/site-recovery/tutorial-prepare-azure-for-hyperv
*Verify that your Azure account has replication permissions.
*Create an Azure storage account, which stores images of replicated machines.
*Create a Recovery Services vault, which stores metadata and configuration information for VMs and other replication components.
*Set up an Azure network. When Azure VMs are created after failover, they're joined to this network.
any suggestions?
upvoted 4 times
  gregigitty 2 months, 3 weeks ago

I can't see anything in Azure called 'Hyper-V Site'. Is this a real thing?
upvoted 1 times

Ok, I found that it's something you create when setting up the site recovery settings within the recovery services vault
upvoted 2 times

How to set up disaster recovery of on-premises physical Windows and Linux servers to Azure. These are the steps:
Set up Azure and on-premises prerequisites
Create a Recovery Services vault for Site Recovery
Set up the source and target replication environments
Create a replication policy
Enable replication for a server
Link: https://docs.microsoft.com/en-us/azure/site-recovery/physical-azure-disaster-recovery
How to set up disaster recovery to Azure for on-premises Hyper-V VMs
There are the steps:
Review Hyper-V requirements, and VMM requirements if your Hyper-V hosts are managed by System Center VMM.
Prepare VMM if applicable.
Verify internet access to Azure locations.
Prepare VMs so that you can access them after failover to Azure.
Link: https://docs.microsoft.com/en-nz/azure/site-recovery/hyper-v-prepare-on-premises-tutorial
upvoted 2 times

A,B,D is correct since storage account is already present "Azure File share named share1."
upvoted 1 times

sorry wrong question. Admin please delete this.
upvoted 1 times
  theOldOne 4 months, 2 weeks ago

It is the same question. Its just put into a different format on this exam.
upvoted 1 times

I'm not sure whether we're select multiple options here or just one; but in this case we'd need the following 3: Hyper-V site, A recovery
service vault and a replication policy.
upvoted 2 times
  rigonet 4 months, 3 weeks ago

ANSWER:
- Storage Account
Reference:
https://docs.microsoft.com/en-us/azure/site-recovery/physical-azure-disaster-recovery
upvoted 3 times
  MSFT 1 month, 2 weeks ago

This scenario is for hyper-v though. The answer is correct as is.
upvoted 1 times

1. Hyper-V site
2. Azure Recovery Services Vault
3. Replication policy
https://docs.microsoft.com/nl-nl/azure/site-recovery/hyper-v-azure-tutorial
upvoted 3 times

upvoted 1 times

correct
https://docs.microsoft.com/en-us/azure/site-recovery/hyper-v-azure-tutorial
upvoted 1 times
Your company's Azure subscription includes two Azure networks named VirtualNetworkA and VirtualNetworkB.
VirtualNetworkA includes a VPN gateway that is configured to make use of static routing. Also, a site-to-site VPN connection exists between your
company's on- premises network and VirtualNetworkA.
You have configured a point-to-site VPN connection to VirtualNetworkA from a workstation running Windows 10. After configuring virtual network
peering between
VirtualNetworkA and VirtualNetworkB, you confirm that you are able to access VirtualNetworkB from the company's on-premises network.
However, you find that you cannot establish a connection to VirtualNetworkB from the Windows 10 workstation.
You have to make sure that a connection to VirtualNetworkB can be established from the Windows 10 workstation.
Solution: You choose the Allow gateway transit setting on VirtualNetworkA.
A. Yes
B. No
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing

B (100%)
  Quantigo Highly Voted  4 months, 3 weeks ago

Answer B - No
If you make a change to the topology of your network and have Windows VPN clients, the VPN client package for Windows clients must be
downloaded and installed again in order for the changes to be applied to the client.
upvoted 10 times
  DesiShahrukhKhan Most Recent  1 week, 5 days ago

Correct answer is B
upvoted 1 times

DIfference between point to site and site to site. They explain a bit about why we need to install a client package for site to site
communication
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#what-is-the-difference-between-a-site-to-site-connection-and-
point-to-site
upvoted 1 times

i dont understand your answers here, my answer would be VNet1 needs to have “Allow gateway transit” and VNet2 must have “Use
remote gateways” enabled so answer is No.
upvoted 2 times
  MaxLily 4 weeks ago

"After configuring virtual network peering between
VirtualNetworkA and VirtualNetworkB, you confirm that you are able to access VirtualNetworkB from the company's on-premises
network." This indicates the Allow/Use gateway transit is set up working.
upvoted 3 times

ok, yes, since If you make a change to the topology of your network and have Windows VPN clients, the VPN client package for
Windows clients must be downloaded and installed again in order for the changes to be applied to the client.
upvoted 2 times

Selected Answer: B
Download and re-install the VPN client configuration package workstation.
upvoted 3 times


upvoted 2 times
  MAKINENI 2 months ago

it is not free as u mentioned.
upvoted 1 times
  cutlerwater 3 months, 1 week ago

You don't go into a bank and start recommending another bank to the customers in there so why would you do this all over the place
in here? Uncool and it makes me NOT want to use your site.
upvoted 12 times
  Sjardi 3 months, 1 week ago

idk man I really don't care about banks so if one is less corrupt or bad for the world I wouldn't mind if someone recommended it to
me though
upvoted 1 times
  hoangton 6 months ago

NO
You download and re-install the VPN client configuration package on the Windows 10 workstation.
upvoted 4 times
  d0bermannn 7 months, 2 weeks ago

recreate point-to-site VPN
upvoted 3 times
peering between
Solution: You choose the Allow gateway transit setting on VirtualNetworkB.
A. Yes
B. No
Correct Answer: B
Reference:

After reconfiguring \ creating peering existing point-to-site VPN connections need to be recreated
upvoted 21 times
  Takloy 3 months, 2 weeks ago

You're right. almost forgot about this. whenever you made some changes on the azure network, you basically need to download the
P2S client again for the client devices.
upvoted 2 times

Answer B - No
Thanks for indicating Yes or NO!
upvoted 13 times
  edengoforit Most Recent  2 weeks, 4 days ago

Site-to-Site (IPsec/IKE VPN tunnel) configurations are between your on-premises location and Azure. This means that you can connect
from any of your computers located on your premises to any virtual machine or role instance within your virtual network, depending on
how you choose to configure routing and permissions. It's a great option for an always-available cross-premises connection and is well
suited for hybrid configurations.
upvoted 2 times
  orion1024 4 months, 4 weeks ago

After changing topology the azure vpn client must be reinstalled to include the new topology information.
upvoted 2 times
  mdmdmdmd 5 months ago

If you **make a change to the topology** of your network and have **Windows VPN clients**, the VPN client package for Windows
clients must be **downloaded and installed again**"
upvoted 4 times
peering between
Solution: You download and re-install the VPN client configuration package on the Windows 10 workstation.
A. Yes
B. No
Correct Answer: A
Reference:

A (100%)

Answer A - Yes
upvoted 15 times
  mdmdmdmd Highly Voted  5 months ago

If you **make a change to the topology** of your network and have **Windows VPN clients**, the VPN client package for Windows
clients must be **downloaded and installed again**"
upvoted 9 times
  ddon1999 3 weeks, 1 day ago

because the vpn is set to use static route . i believe this is reason
upvoted 1 times
  toycar69 Most Recent  2 weeks, 4 days ago

its a site to site VPN, not a client VPN. Answer is still NO, as you would need to update the static routes on the site to site VPN to include
the new subnet.
upvoted 2 times
  Mozbius_ 4 weeks, 1 day ago

Another scenario/topic NOT covered during Microsoft instructor-led training...
Makes you wonder what is the point of paying for courses that don't cover everything that can be seen in the exam.
upvoted 3 times

Selected Answer: A
If you make a change to the P2S topology the VPN client package for Windows clients must be downloaded and reinstalled
upvoted 1 times

Yes
upvoted 1 times

Answer is correct. "Clients using Windows can access directly peered VNets, but the VPN client must be downloaded again if any changes
are made to VNet peering or the network topology."
upvoted 5 times
  GodfreyMbizo 5 months ago

correct
upvoted 1 times
  manojb_72 5 months, 1 week ago

Correct
upvoted 1 times

You can configure your virtual network to use both Site-to-Site and Point-to-Site concurrently, as long as you create your Site-to-Site
connection using a route-based VPN type for your gateway. Route-based VPN types are called dynamic gateways in the classic deployment
model.
upvoted 2 times
  Rex2021 6 months, 2 weeks ago

Correct
upvoted 1 times
  Regg 6 months, 2 weeks ago

incorrect - point-to-site isn't supported for static (policy-based) VPN connections
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#can-i-have-site-to-site-and-point-to-site-configurations-
coexist-for-the-same-virtual-network
upvoted 5 times

This is not relevant to this question I believe.
upvoted 1 times

right, but where did they mentioned anything about the routing type in the question?
upvoted 1 times

correct
upvoted 2 times
Your company has virtual machines (VMs) hosted in Microsoft Azure. The VMs are located in a single Azure virtual network named VNet1.
The company has users that work remotely. The remote workers require access to the VMs on VNet1.
You need to provide access for the remote workers.
What should you do?
A. Configure a Site-to-Site (S2S) VPN.
B. Configure a VNet-toVNet VPN.
C. Configure a Point-to-Site (P2S) VPN.
D. Configure DirectAccess on a Windows Server 2012 server VM.
E. Configure a Multi-Site VPN
Correct Answer: C
A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways

C (100%)
  StudyNerd123 Highly Voted  5 months ago

Answer C: is correct - https://docs.microsoft.com/en-us/azure/vpn-gateway/work-remotely-support
upvoted 20 times
  lglars Highly Voted  5 months, 2 weeks ago

Correct, S2S would be better if you know that the remote workers work from one location, but we don't know that. They could be working
from different locations(like home) that's why P2S is better.
upvoted 9 times

Selected Answer: C
edengoforit Most Recent 4 days, 21 hours ago
Answer is C:
A Point-to-Site (P2S) VPN
upvoted 1 times

Answer is C:
A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client
computer. A P2S connection is established by starting it from the client computer.
upvoted 1 times
  Blackpanther2255 2 weeks, 6 days ago

Correct Ans C
upvoted 1 times
  mrjeet 1 month, 3 weeks ago

had this question on 12/28/21 exam
upvoted 5 times
  You_can_call_me_X 1 month, 3 weeks ago

Bro, I am planning to appear for this exam this week. Are the questions from this site enough? please help
upvoted 2 times
  ITprof99 1 month, 2 weeks ago

Taking it tomorrow
upvoted 1 times

Ans : C
upvoted 1 times
  Quetzalcoatl 2 months, 1 week ago

I think is S2S
upvoted 1 times
  ping 1 month ago

No, s2s is between offices etc. not from end/remote users
upvoted 1 times

Selected Answer: C
C is correct. Point to Site (P2S) VPN is intended to be used by remote workers.
upvoted 4 times

Answer C
computer. A P2S connection is established by starting it from the client computer. This solution is useful for telecommuters who want to
connect to Azure VNets from a remote location, such as from home or a conference. P2S VPN is also a useful solution to use instead of S2S
VPN when you have only a few clients that need to connect to a VNet
https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about
upvoted 7 times
  Ateeyah 5 months, 3 weeks ago

i guess the S2S is better in this case , because maybe there are many users works remotly at the same time
who confirm ????
if not , please till us why ?
upvoted 2 times
  byuq 1 month, 1 week ago

Please note: "The company has users that work remotely" is this case they probably work from different locations. For them to connect
to the VMs you can't configure S2S for all, it's P2S. "C" is very correct.
upvoted 1 times
  Ateeyah 5 months, 3 weeks ago

ignore my answer above
because I'm not sure
upvoted 1 times
  MrJR 6 months, 2 weeks ago

A S2S VPN also would work but they say that "the company has users that work remotely" so I guess that not all company users work
remotely in which case a S2S VPN would fit. For only some remote workers fits better a P2S VPN. But's a tricky question.
upvoted 3 times
  Jotess 6 months, 4 weeks ago

the question was on Jul 23, 2021 exam
upvoted 5 times
  dupakonia 7 months, 2 weeks ago

Looks correct to me
upvoted 4 times

seems az900 q
upvoted 1 times
Your company has a Microsoft SQL Server Always On availability group configured on their Azure virtual machines (VMs).
You need to configure an Azure internal load balancer as a listener for the availability group.
Solution: You create an HTTP health probe on port 1433.
A. Yes
B. No
Correct Answer: B

B (100%)
  d0bermannn Highly Voted  7 months, 1 week ago

HTTP(!) health probe on port 1433 sounds ugly, assume NO
upvoted 17 times
  ohana Highly Voted  4 months ago

Took the exam today, 17 Oct. This question came out. Ans: No
upvoted 13 times
  athreya_rcs Most Recent  2 weeks ago

1433 is TCP port not http
upvoted 2 times

Each availability group uses a separate listener. Each listener has its own IP address. Use the same load balancer to hold the IP address for
additional listeners.
upvoted 1 times

Another scenario never heard about in Microsoft instructor-led training.
upvoted 4 times

Selected Answer: B
You need to configure a load-balancing rule to allow/route traffic to the SQL Server instances.
Health probe - is for monitoring the health status of the backend servers or instances.
https://docs.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/availability-group-load-balancer-portal-configure#step-4-set-
the-load-balancing-rules
upvoted 2 times

Selected Answer: B
Health probe require TCP port 1433 is port used by SQL Server
upvoted 2 times
  EleChie 1 month, 3 weeks ago

Answer B
You need to configure a load-balancing rule to allow/route traffic to the SQL Server instances.
Health probe - is for monitoring the health status of the backend servers or instances.
https://docs.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/availability-group-load-balancer-portal-configure#step-4-set-
the-load-balancing-rules
upvoted 2 times
  Zadi87 2 months, 1 week ago

How many labs in the 104 exam ?
upvoted 1 times
  becmade 2 months, 1 week ago

help me understand you tipically want to check if a vm got the sql service up to avoid balance to a vm that is not responding on sql 1433
port, so why you need to create a healt probe on a different port? maybe I'm missing something, thanks
upvoted 1 times

Health probing of SQL Always On availability set uses TCP on port 1433 (not HTTP even though the Health Probe works with HTTP SQL
Alway On doesn't). As seen at :
https://docs.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/availability-group-load-balancer-portal-configure
upvoted 1 times
  becmade 2 months, 1 week ago

because probably in the question say http probe? :O
upvoted 2 times

Answer is correct - B
see below:
https://docs.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/availability-group-load-balancer-portal-configure#step-3-
create-a-probe
upvoted 1 times

Again, no www-reference to Microsoft documentation. Why? Potsemu? Miksi? Warum? Varför?
upvoted 1 times

NO
Port: The port you created in the firewall for the health probe when preparing the VM. In this article, the example uses TCP port 59999.
upvoted 5 times
  a4andrew 4 months, 1 week ago

TCP 1433 is the standard SQL port. "The availability group listener health probe port has to be different from the cluster core IP address
health probe port. In these examples, the listener port is 59999 and the cluster core IP address health probe port is 58888. Both ports
require an allow inbound firewall rule." https://docs.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/availability-group-
load-balancer-portal-configure
upvoted 6 times
  Amonurius_Diabio 4 months, 2 weeks ago

I think answer should be C
upvoted 2 times
  Insanewhip 4 months, 1 week ago

Wrong question, hermano
upvoted 3 times
  Mercator 6 months ago

B - No
You need to configure a TCP health probe on port 1433 to check if the SQL service responds
upvoted 4 times
  Mercator 6 months ago

After reading more it seems the cluster service has a port of it's own for health probes which is usually configured to tcp/59999.
So a tcp health probe to tcp/59999 would be the solution.
upvoted 1 times
  silver_bullet666 5 months ago

indeed you are correct however in the example below we create several health probes, TCP1433 is still one of them.
https://docs.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/availability-group-manually-configure-tutorial
upvoted 1 times

oh wait no this uses a LB rule on TCP1433 and a health probe on TCP59999 and TCP58888... https://docs.microsoft.com/en-
us/azure/azure-sql/virtual-machines/windows/availability-group-manually-configure-tutorial
upvoted 1 times
  jasonoubre 6 months, 4 weeks ago

What is the answer?
upvoted 1 times
  jimmyli 6 months, 3 weeks ago

Answer is No. The link provided in the explanation is valid. Under Step 3: Create a probe, you will find: "Port You can use any available
port. For example, 59999." You cannot use 1433, as maxmarco71 explained below TCP port 1433 is the port used by SQL server so it
cannot be reused for health probe
upvoted 6 times
Solution: You set Session persistence to Client IP.
A. Yes
B. No
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sql/virtual-machines-windows-portal-sql-alwayson-int-listener
  pankyhun Highly Voted  6 months, 1 week ago

Answer is B. Session persistence should be set to "None"
upvoted 7 times
  J511 Highly Voted  3 months ago

Answer is B. "None"
FYI: Session persistence ensures that a client will remain connected to the same server throughout a session or period of time. Because
load balancing may, by default, send users to unique servers each time they connect, this can mean that complicated or repeated requests
are slowed down.
upvoted 6 times
  edengoforit Most Recent  2 weeks, 4 days ago

Before you create virtual machines, you need to create availability sets. Availability sets reduce the downtime for planned or unplanned
maintenance events. An Azure availability set is a logical group of resources that Azure places on physical fault domains and update
domains. A fault domain ensures that the members of the availability set have separate power and network resources. An update domain
ensures that members of the availability set aren't brought down for maintenance at the same time.
upvoted 3 times

The load balancing rules configure how the load balancer routes traffic to the SQL Server instances. For this load balancer, you enable
direct server return because only one of the two SQL Server instances owns the availability group listener resource at a time.
Therefore Floating IP (direct server return) is Enabled.
TCP 1433 is the standard SQL port. The availability group listener health probe port has to be different from the cluster core IP address
health probe port.
The ports on a health probe are TCP59999 and TCP58888.
upvoted 3 times
  santhosh007 3 months, 2 weeks ago

answer is B No. session persistence is not required since data will be same on all db vms, and there is no user affinity
upvoted 1 times

Correct Answer: B - No
Session persistence should be none
Reference:
upvoted 2 times
Solution: You enable Floating IP.
A. Yes
B. No
Correct Answer: A

A (100%)
  Bloodwar Highly Voted  7 months ago

The load balancing rules configure how the load balancer routes traffic to the SQL Server instances. For this load balancer, you enable
direct server return because only one of the two SQL Server instances owns the availability group listener resource at a time.
>> Floating IP (direct server return) Enabled
upvoted 21 times

Yes floating ip is correct ? as discussed in: https://www.examtopics.com/discussions/microsoft/view/12295-exam-az-300-topic-2-question-
11-discussion/
upvoted 10 times
  Surinam Most Recent  3 days, 4 hours ago

At a platform level, Azure Load Balancer always operates in a DSR flow topology regardless of whether Floating IP is enabled
upvoted 1 times

If you want to reuse the backend port across multiple rules, you must enable Floating IP in the rule definition.
When Floating IP is enabled, Azure changes the IP address mapping to the Frontend IP address of the Load Balancer frontend instead of
backend instance's IP.
Without Floating IP, Azure exposes the VM instances' IP. Enabling Floating IP changes the IP address mapping to the Frontend IP of the
load Balancer to allow for additional flexibility.
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-floating-ip
upvoted 2 times

I went to the links trying to understand it better, but gosh! only the exercise takes hours to be completed, I may try it later, but for the
exam, the knowledge in the links share is just too much! Thanks for the short explanation
upvoted 1 times

Selected Answer: A
A. If you want to use the backend port across multiple rules, you must enable Floating IP in the rule definition.
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-multivip-overview
https://docs.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/availability-group-listener-powershell-configure
upvoted 2 times

Where is the www-reference??? It is not at the bottom. Microsoft documentation.
upvoted 1 times

This is the why: Some application scenarios prefer or require the same port to be used by multiple application instances on a single VM in
the backend pool. Common examples of port reuse include: clustering for high availability/network virtual appliances/exposing multiple
TLS endpoints without re-encryption.
The is the how: The link below is a step by step guide for creating an Azure internal load blancer as a listener for an availability group...
"Backend Port 1433. This value is ignored because this rule uses Floating IP (direct server return)."
upvoted 6 times

Took the exam today, 17 Oct. This question came out. Ans: Yes! Floating IP!
upvoted 8 times

Yes
Floating IP (direct server return) Enabled

upvoted 2 times

Correct Answer A – Yes
Float IP Enabled
Reference:
upvoted 3 times
  rdsserrao 7 months, 2 weeks ago

According to the link, they're using floating IP, on the LB rule.
upvoted 4 times
  GabeCanada 7 months, 2 weeks ago

Enabling floating IP is listed in the KB but that alone does provide a full solution for it as this is just a config in a rule. But in this series
that's the correct answer.
upvoted 2 times

Not sure how a floating IP helps with this. From the series it should be something like a TCP 1433 health probe...
upvoted 3 times
  Neowarp 6 months, 3 weeks ago

In the articule it's "... 1433. This value is ignored because this rule uses Floating IP (direct server return). ..." in Step 4: Set the load-
balancing rules ...
upvoted 2 times
Your company has two on-premises servers named SRV01 and SRV02. Developers have created an application that runs on SRV01. The
application calls a service on SRV02 by IP address.
You plan to migrate the application on Azure virtual machines (VMs). You have configured two VMs on a single subnet in an Azure virtual network.
You need to configure the two VMs with static internal IP addresses.
What should you do?
A. Run the New-AzureRMVMConfig PowerShell cmdlet.
B. Run the Set-AzureSubnet PowerShell cmdlet.
C. Modify the VM properties in the Azure Management Portal.
D. Modify the IP properties in Windows Network and Sharing Center.
E. Run the Set-AzureStaticVNetIP PowerShell cmdlet.
Correct Answer: E
Specify a static internal IP for a previously created VM
If you want to set a static IP address for a VM that you previously created, you can do so by using the following cmdlets. If you already set an IP
address for the
VM and you want to change it to a different IP address, you‫ג‬€™ll need to remove the existing static IP address before running these cmdlets.
See the instructions below to remove a static IP.
For this procedure, you‫ג‬€™ll use the Update-AzureVM cmdlet. The Update-AzureVM cmdlet restarts the VM as part of the update process. The
DIP that you specify will be assigned after the VM restarts. In this example, we set the IP address for VM2, which is located in cloud service
StaticDemo.
Get-AzureVM -ServiceName StaticDemo -Name VM2 | Set-AzureStaticVNetIP -IPAddress 192.168.4.7 | Update-AzureVM

C (57%) E (43%)
  Fulforce Highly Voted  4 months, 1 week ago

Correct answer E.
FYI: For the new PowerShell cmdlets you would use: Set-AzNetworkInterface
upvoted 18 times
  SanjSL 4 months ago

$Nic = Get-AzNetworkInterface -ResourceGroupName "ResourceGroup1" -Name "NetworkInterface1"
$Nic.IpConfigurations[0].PrivateIpAddress = "10.0.1.20"
$Nic.IpConfigurations[0].PrivateIpAllocationMethod = "Static"
$Nic.Tag = @{Name = "Name"; Value = "Value"}
Set-AzNetworkInterface -NetworkInterface $Nic
https://docs.microsoft.com/en-us/powershell/module/az.network/set-aznetworkinterface?view=azps-6.5.0
upvoted 7 times

Correct Answer E:
Run the Set-AzureStaticVNetIP PowerShell cmdlet.
https://docs.microsoft.com/en-us/powershell/module/servicemanagement/azure.service/set-azurestaticvnetip?view=azuresmps-4.0.0
upvoted 11 times
  MYJ Most Recent  1 day, 5 hours ago

Selected Answer: E
upvoted 1 times
  JayJay22215 4 days, 4 hours ago

Selected Answer: E
Dunno, why so many ppl vote for C, because you cant edit stuff under "properties". You can under "settings", but it specifically states
"properties"
upvoted 1 times
  beelee6973 5 days, 7 hours ago

Correct answer E.
upvoted 1 times
  fml1996 1 week, 1 day ago
The Set-AzureStaticVNetIP cmdlet sets the static virtual network (VNet) IP address information for a virtual machine object.
upvoted 2 times
  arxxas 1 week, 2 days ago

Selected Answer: E
Run the Set-AzureStaticVNetIP PowerShell cmdlet.
upvoted 2 times
  Tom34 1 month ago

Correct answer E. But this method Set-AzNetworkInterface is obsolete. It should be like this. $vm = Get-AzVM -ResourceGroupName
$vmInfo.ResourceGroupName -Name $vmInfo.Name
$nic = Get-AzNetworkInterface -ResourceGroupName $vm.ResourceGroupName
$nic.IpConfigurations[0].PrivateIpAddress = "10.0.1.20"
$nic.IpConfigurations[0].PrivateIpAllocationMethod = "Static"
$nic.Tag = @{Name = "Name"; Value = "Value"}
Set-AzNetworkInterface -NetworkInterface $nic
upvoted 2 times
  timmytimtimo 1 month ago

Correct answer is E
upvoted 1 times
  Irishtk 1 month ago

Correct Answer is E. see
upvoted 2 times
  googlearch 1 month ago

Set-NetIPAddress in the newer version
upvoted 1 times
  adrien_m59 1 month, 1 week ago

Selected Answer: C
https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/virtual-networks-static-private-ip-arm-pportal
upvoted 1 times
  Allfreen 1 week ago

This is wrong, VM1->Networking->NIC to change under VM properties where as in answer section this is not described
upvoted 1 times
  Axial30z 1 month ago

Adrien, in this case, I believe the correct answer is E
I also thought C initially but when you read the option, it says 'Modify the VM properties'. You can't configure the static ip from the
properties blade of the VM. Also following your link ref https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/virtual-
networks-static-private-ip-arm-pportal
To use the portal means going through the following steps which is not the VM properties
VM>Settings.Networking
Select NIC>Settings.IP Configuration
Select NIC and change assignment
upvoted 3 times

Set-AzureStaticVNetIP is for 'legacy resource"
Correct method:Portal->VM->Networking->Network interface->IP configuration
upvoted 4 times
  londonboy 1 month, 3 weeks ago

E sounds correct to me.
upvoted 1 times

Selected Answer: C
C
You should modify VM network interface IP in Azure portal
upvoted 3 times
  LeomHD 1 month, 2 weeks ago

I agree, in Azure Portal is possible to set static IP, the both option are valid?
upvoted 1 times
  JayJay22215 4 days, 4 hours ago

Wrong, because you cant edit within the properties menu. Its specifically called "properties"!
upvoted 1 times
  rhanielcb23 4 months ago

Set-AzureStaticVNetIP PowerShell cmdlet
Correct answer E.
upvoted 5 times
  Saravana12g 5 months, 2 weeks ago

Test-AzureStaticVNetIP –VNetName xxx –IPAddress xxx
and then
Set-AzureStaticVNetIP
upvoted 3 times

You need to deploy five virtual machines (VMs) to your company's virtual network subnet.
The VMs will each have both a public and private IP address. Inbound and outbound security rules for all of these virtual machines must be
identical.
Which of the following is the least amount of network interfaces needed for this configuration?
A. 5
B. 10
C. 20
D. 40
Correct Answer: A

A (100%)
  CloudyTech Highly Voted  7 months, 2 weeks ago

5 is correct
upvoted 16 times
  samshir Highly Voted  4 months, 2 weeks ago

5 VM so 5 NIC Cards .we have public and private ip address set to them .however they needs same inbound and outbound rule so create
NSG and attach to NIC and this req can be fulfilled 5 NIC hence 5 is right ans
upvoted 15 times
  roy_ Most Recent  1 week, 4 days ago

E. 5 network interfaces
upvoted 1 times
  Tom34 1 month ago

You can assign to one network interface inbound and outbound SG, public and private IP. So answer is A.
upvoted 1 times

upvoted 6 times
  ABhi101 1 month, 3 weeks ago

5 is correct, We can assign 1 NIC to each of these VMs from a single subnet and we can apply NSG rule there.
upvoted 1 times

A
5 VM = 5 NIC - each NIC can have many IPs
upvoted 2 times
  tmub47 2 months, 1 week ago

Even if there will be ip4 and ip6 to be assigned, still one NIC per VM
upvoted 1 times
  Harssh 2 months, 2 weeks ago

Usually when we create a VM the overview sections shows both private IP as well as public IP assigned to the NIC of VM. So, 5 VMs should
require one network interface each.
upvoted 2 times

Selected Answer: A
Answer is correct. One NIC have private and public IP address. Five VMs need five NICs.
upvoted 3 times

Maybe 112 or 911 will do the trick for somebody with mental issues in big apples.
upvoted 2 times

I really thought it's 10. So I assume on the same NIC I can assign both Private and Public IPs.
upvoted 3 times

Correct Answer: A
You can add as many private and public IPv4 addresses as necessary to a network interface, within the limits listed in the Azure limits
article
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface-addresses
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-
network/toc.json#azure-resource-manager-virtual-networking-limits
upvoted 6 times

shouldn't the answer be 10 since the VMs require both a private and public IP address?
upvoted 2 times
  KFM2020 4 months, 2 weeks ago

It sounds like it should have 10 but the answer is correct, i.e. 5 interfaces—one NIC with a private IP only, per VM.
While you can assign a public IP to a VM, it is always associated with a network interface with a private IP. The guest OS within the VM
never sees a second interface configured with the public IP address. The Azure platform then performs NAT (in the background and
transparent to the user) between the public IP and the private IP address assigned to that interface.
Hope that explanation helps!

upvoted 22 times
  robertohyena 2 months ago

thanks.. looking for this kind of explanation
upvoted 3 times
  Exam_khan 6 months, 2 weeks ago

5 Virtual machines each need a network interface to communicate
upvoted 2 times
  Doksy 7 months ago

network interface can have multiple ip addresses.
upvoted 4 times

To expand on this, it they can also have pub and priv IPs on the same NIC.
upvoted 4 times
  lazz77 7 months, 2 weeks ago

Answer is correct
upvoted 2 times

You need to deploy five virtual machines (VMs) to your company's virtual network subnet.
The VMs will each have both a public and private IP address. Inbound and outbound security rules for all of these virtual machines must be
identical.
Which of the following is the least amount of security groups needed for this configuration?
A. 4
B. 3
C. 2
D. 1
Correct Answer: D

D (100%)
  Biju1 Highly Voted  7 months, 2 weeks ago

correct Answer D
upvoted 20 times
  Exam_khan Highly Voted  6 months, 2 weeks ago

all identical security groups so you will only require 1 security group as all the settings are the same
upvoted 15 times
  mrjeet Most Recent  1 month, 3 weeks ago

upvoted 7 times

Correct..one is enough
upvoted 1 times
  tmub47 2 months, 1 week ago

One NSG will take both Inbound and outbound rule. So, same rule for all will require just one
upvoted 4 times

Ans : D
One NSG is enough as inbound and outbound rules are same
upvoted 1 times
  asixto 2 months, 1 week ago

wouldnt this be C - 2 rules. 1NSG inbound and 1NSG outbound??
upvoted 1 times
  hirenrpatel1610 3 weeks, 4 days ago

One NSG will have both inbound and outbound rules.
upvoted 1 times
  zankuko_tenshi 1 month, 2 weeks ago

Can set both inbound and outbound rules in 1 NSG.
upvoted 1 times

D should be the answer since we can attach a NSG to subnet to fulfill the security requirement.
upvoted 1 times

Selected Answer: D
Answer is correct. Since inbound and outbound rules are the same for all VMs, one NSG is enough, since you'll associate all VMs with that
particular NSG.
upvoted 2 times
Answer: 1
All require identical access so you will only require 1 security group as all the settings are the same. You can only have either 0 or 1 per
Subnet or NIC
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
upvoted 2 times

All are identical security groups so you will only require 1 security group as all the settings are the same. You can only have either 0 or 1
per Subnet or NIC
upvoted 1 times
  iqlal 6 months, 2 weeks ago

if identic, just 1 NSG
upvoted 4 times
  Bloodwar 7 months ago

1 NSG for all network interfaces, indentical config.
upvoted 4 times
Your company's Azure subscription includes Azure virtual machines (VMs) that run Windows Server 2016.
One of the VMs is backed up every day using Azure Backup Instant Restore.
When the VM becomes infected with data encrypting ransomware, you decide to recover the VM's files.
Which of the following is TRUE in this scenario?
A. You can only recover the files to the infected VM.
B. You can recover the files to any VM within the company‫ג‬€™s subscription.
C. You can only recover the files to a new VM.
D. You will not be able to recover the files.
Correct Answer: A

B (77%) A (23%)
  rdsserrao Highly Voted  7 months, 2 weeks ago

After reading the link provided by rawrkadia, and testing for myself, it's clear that Azure Backup Instant Restore is available for all Azure
Backup VM's.
Even the OS compatibility doesn't apply, like some links say.
Test:
- I created a Windows Server 2019 VM in Azure
- Activated Backup and did Backup Now
- Did File Recovery, downloaded the script and installed it in my Windows 10 On-Prem, Azure Windows Server 2016 and 2012.
Everything worked, the drives were mounted in every OS, no problem.
Note: The script downloaded will only work for the same OS as the original VM:
Windows - Windows
Linux - Linux
upvoted 32 times

I forgot to give the answer.
Having said what i wrote above and considering the possible answers, i would agree with the answer given A.
Incorrect answers:
B: there could be Linux VM's in the subscription, we don't know:"Your company‫ג‬€™s Azure subscription includes Azure virtual machines
(VMs) that run Windows Server 2016"
C: Same reason as B
D: of course you can recover the files
upvoted 23 times

The question says that "Your company's Azure subscription includes Azure virtual machines (VMs) that run Windows Server 2016." it
doesn't say that you have Linux machines. The answer A says that "You can ONLY recover the files to the infected VM". that is
definitely WRONG as you have other VMs to recovery your files. So the answer should be B." You can recover the files to any VM
within the company's subscription"
upvoted 13 times

For the same reason answer C is wrong also because it limits our choice with New VM ONLY while we have other Windows VM in
our subscription that can be used for files restoration
upvoted 2 times
  el_chulo 1 month, 3 weeks ago

A is the correct answer for the simple fact that Azure Backup Instant Restore capability for Azure Virtual Machines has in-place
restore that will completely overwrite the affected data. This provides for a cheap and fastest recovery..
https://azure.microsoft.com/en-us/blog/instantly-restore-your-azure-virtual-machines-using-azure-backup/
upvoted 2 times

Comment; I believe this question is not correctly phrased.
upvoted 1 times
  awssecuritynewbie 2 weeks, 4 days ago

i agree with mitya! because it states recovering files to the infected machine really means you are just tied down to that machine
it self, which is not true. you are reading too much into the question.
upvoted 2 times
  HypeMan_crew 2 months, 1 week ago
the answer is B because it clearly said that all VMs are running Microsoft server 2016
upvoted 4 times
  Netspud 1 month ago

Your company's Azure subscription includes Azure virtual machines (VMs) that run Windows Server 2016. Unfortunately it
doesn't, it is possibly implied. But it basically says the subscription has some VMs running Server 2016. A is the safest answer. I
wish MS would write questions more precisely.
upvoted 2 times
  Paimon 1 week, 4 days ago

Using the same logic, you can't assume it was a Windows 2016 that was infected.
upvoted 1 times
  MichalGr 6 months, 3 weeks ago

`B: there could be Linux VM's in the subscription, we don't know:"Your company‫ג‬€™s Azure subscription includes Azure virtual
machines (VMs) that run Windows Server 2016"` - in this scenario (all) VMs run Windows, yes?
upvoted 5 times
  Larry23 4 months, 1 week ago

All you need to do is google the definition of Includes to understand why A is the correct answer... Includes does not mean all
encompassing. It means in short, part of a whole.
upvoted 3 times
  novac1111 3 months, 2 weeks ago

Answer is A: Due to the requisites to perform a file recovery from a Windows server instance the only viable choice is A. If the
machine was infected by a ransomware, there is a clean up procedure prior the file recovery. Check this page:
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/recover-from-ransomware?view=o365-worldwide
upvoted 1 times
  lazz77 Highly Voted  7 months, 2 weeks ago

According to below, we can restore the files to an alternate VM too
https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-windows-server
Therefore the answer should be B

upvoted 25 times
  rawrkadia 7 months, 2 weeks ago

This is a different feature.
https://docs.microsoft.com/en-us/azure/backup/backup-instant-restore-capability
Backup instant restore is snapshotting. In order to be 'instant' tier you have to be restoring from a stored snapshot vs from the vault. I
do not believe you are correct.
https://docs.microsoft.com/en-us/azure/backup/about-azure-vm-restore
upvoted 3 times

In fact, I don't even know if you *can* recover files from a snapshot. You have to convert the snapshot to a managed disk then
attach that to a VM.
upvoted 3 times
  TDS_sada 5 months ago

As I understand Here the catch is new VM,any VM, means it can be any non windows OS. So in this scenario the effected os is Windows
and only the Answer A related to the windows OS.
upvoted 2 times
  momongachan Most Recent  20 hours, 44 minutes ago

i think the answer B.. Files can be deployed to any VM
upvoted 1 times
  Dingess 1 day, 23 hours ago

Snapshots taken as a part of instant restore capability are incremental snapshots. So A is correct
upvoted 1 times
  Melnur 3 days, 1 hour ago

Selected Answer: B
Correct is B
upvoted 1 times

Selected Answer: B
It states you are backing up files! no the whole VM so you can restore the files to any VM you like within the subscription.
upvoted 1 times
  Mozbius_ 4 weeks ago

I think the keyword as to why B is wrong is "INCLUDES". Including doesn't mean "all" and therefore it is unknown if ALL servers are 2016 in
the subscription. That being said to say that the backup can ONLY be restored to the same server is misleading and to be honest
somewhat of a shameful answer formulation as it is NOT true.
upvoted 1 times

I take that back. "A" is just too wrong with the word ONLY to be a valid answer. B it is.
upvoted 1 times
  celetas 4 weeks, 1 day ago

Correct Answer Option D;
Encrypted VMs can only be restored by restoring the VM disk and creating a virtual machine instance as explained below. Replace existing
disk on the existing VM, creating a VM from restore points and files or folder level restore are currently not supported."
https://docs.microsoft.com/en-us/azure/backup/restore-azure-encrypted-virtual-machines
upvoted 1 times
  miskosvk80 1 day, 1 hour ago

that link is about Azure Drive Encryption (ADE) encrypted disks, what is a wholly different thing than 'ransomware encrypted files'
upvoted 1 times

If the VM is corrupted wouldnt you just restore the entire VM? I think the Answer is B due to the fact that the VM in answer A is infected
(no one would do this)
upvoted 1 times

The In-place restore capability feature allows for instant overwrite of data that has been infected by ransonware or to restore from a bad
patch. Shttps://azure.microsoft.com/en-us/blog/instantly-restore-your-azure-virtual-machines-using-azure-backup
upvoted 1 times

Answer A
upvoted 1 times
  shumin_00 1 month, 2 weeks ago

Selected Answer: A
recovery-A:only recover the files to the infected VM
upvoted 1 times
  Zetty 1 month, 2 weeks ago

Selected Answer: B
The restore is for VM Files (not the entire VM) and since all machines in the subscription run 2016 (OS requirements met)
https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm then answer is B. You'd mount the disk and extract
the files required
upvoted 1 times
  matt_dns 1 month, 3 weeks ago

Whilst you can restore to a different VM using instant restore, see here:
The answer I believe is still A because the OS must be compatible (see above link), this is a cruel and slightly silly question IMO as we can't
be sure if there are incompatible VMs in the sub.
upvoted 1 times

if we stick to the question, the answer is 'A' as its only stating about single infected VM files which we can restore it(only infected), if it
would have been asked in general the answer should go "B".
upvoted 1 times
  El_gatux 1 month, 3 weeks ago

The right answer is A and here is why. Focus on the main topic that the virtual machine is backed up everyday using Azure Instant restore.
Now I think the key is in the word "recovery". You only need at this point to recovery the file of the infected VM. It does said anything
about "Restore" the data at that point. Also you will focus on recover the infected VM you don't need to recover from any VM within the
company subscription only the infected one.
upvoted 1 times

Forgot to mention. It said "One of the VMs" is backed up every day using Azure Backup Instant Restore.
upvoted 1 times
  Cantero75 1 month, 3 weeks ago

Is A
In-place restore capability: With instant restore, users also get a capability to perform in-place restore, thus, overwriting the data in the
original disk rather than creating a copy of the disk at an alternate location. It is particularly useful in scenarios where there is a need to
rollback a patch. Once the snapshot phase is done, users can go ahead and use the local snapshot to restore if the patch goes bad.
upvoted 1 times
  Jonangar 1 month, 3 weeks ago

Selected Answer: B
Recover any combination of files to any target - Since Azure Backup provides the entire snapshot of the recovery point and relies on copy
of items for recovery, you can restore multiple files from multiple folders to a local server or even to a network-share of your choice.
upvoted 1 times
Your company's Azure subscription includes Azure virtual machines (VMs) that run Windows Server 2016.
One of the VMs is backed up every day using Azure Backup Instant Restore.
When the VM becomes infected with data encrypting ransomware, you are required to restore the VM.
Which of the following actions should you take?
A. You should restore the VM after deleting the infected VM.
B. You should restore the VM to any VM within the company‫ג‬€™s subscription.
C. You should restore the VM to a new Azure VM.
D. You should restore the VM to an on-premise Windows device.
Correct Answer: B

C (92%) 8%
  shamst Highly Voted  7 months, 2 weeks ago

It should be C
upvoted 29 times
  Zokko Highly Voted  7 months, 1 week ago

I belive it is the C option
A - If you delete the VM you cannot recover to that vm it must exist
B - You do not know the other VMs
C - Creating a New VM you can recover the VM
D - You can recover from the backup
https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms
upvoted 14 times
  J4U 5 months, 3 weeks ago

Yes, VM can be restored by replacing the existing disk or in a new VM.
upvoted 5 times
  Tukarammane Most Recent  5 days, 22 hours ago

Selected Answer: C
ANS C ==
upvoted 2 times
  j777 2 weeks ago

I want to give an analogy that maybe some would better understand. when you change the oil in your car you simply dn't reuse the same
oil. You want to make sure you use brand new oil.
In this case why would you want to use the same VM? that would not make sense one should ALWAYS use a new VM after ransomeware
attack.
upvoted 2 times

Answer should be C - Create new vm from the backups
upvoted 2 times
  Jonangar 1 month, 1 week ago

https://azure.microsoft.com/en-us/blog/an-easy-way-to-bring-back-your-azure-vm-with-in-place-restore/
This feature helps roll back or fix corrupted virtual machines through in-place restore without the needs of spinning up a new VM. With
the introduction of this feature, customers have multiple choices for IaaS VM restore like create new VM, Restore Disks and Replace disks.
upvoted 1 times

But since that specific scenario is not provided as an answer and since deleting and restoring is not possible as referenced by Zokko the
next best thing is to create a new VM : "C"
upvoted 2 times

restore-C: restore the VM to a new Azure VM
upvoted 1 times
  Cantero75 1 month, 3 weeks ago
Is B, you should restore the vm into a machine in the subscription, that means, that you can create a new vm, into the subscription and
recover the vm there, you cannot do it, in a new vm that don't belong to that subscription.
upvoted 1 times

Selected Answer: C
the correct answer is C
upvoted 1 times
  kidacad 1 month, 3 weeks ago

Selected Answer: C
Answer is "C"
Here, we talk about "VM recover" ( not Files recover )
So, we need to recover all the VM ( "create new VM" Functionality ), as this docs :
https://azure.microsoft.com/en-us/blog/an-easy-way-to-bring-back-your-azure-vm-with-in-place-restore/
Compare to the "Files recover", where the IN-PLACE limitation is "on the original VM" as this docs :
https://azure.microsoft.com/en-us/blog/instantly-restore-your-azure-virtual-machines-using-azure-backup/
upvoted 2 times

A.. https://azure.microsoft.com/en-us/blog/instantly-restore-your-azure-virtual-machines-using-azure-backup/
upvoted 1 times

.. correction - B: with In-place restore capability any VM including the infected one can be used
upvoted 1 times
  Shanti 2 months ago

I think this is C - Company,s Azure subscription includes VMs that run Win 2016 and needs to be a new VM
upvoted 1 times

Ans : C
Create a new VM and recover the backup
upvoted 1 times
  BjornC 2 months, 1 week ago

Selected Answer: C
I feel this is C due to question above being only to similar VM. Windows - Windows restore. You could have linux machines in the company
subscription.
upvoted 1 times
  DMouser 2 months, 1 week ago

Selected Answer: C
Only valid provided option.
upvoted 1 times
  Andhus 2 months, 2 weeks ago

Selected Answer: C
It should be C
upvoted 1 times
  Bere 2 months, 2 weeks ago

The answer is C.
As described here:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms#choose-a-vm-restore-configuration
You can Restore Virtual Machine to a new VM or replace disks on existing VM.
A => you don’t need to delete the infected VM

B => you cannot restore to any VM (Linux or Windows), but you can restore to a new Windows VM or to the existing Windows VM
C => this option is valid
D => you cannot restore to an on-premise VM
upvoted 1 times
You administer a solution in Azure that is currently having performance issues.

You need to find the cause of the performance issues pertaining to metrics on the Azure infrastructure.
Which of the following is the tool you should use?
A. Azure Traffic Analytics
B. Azure Monitor
C. Azure Activity Log
D. Azure Advisor
Correct Answer: B
Metrics in Azure Monitor are stored in a time-series database which is optimized for analyzing time-stamped data. This makes metrics
particularly suited for alerting and fast detection of issues.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-platform

B (100%)
  kerker Highly Voted  7 months, 2 weeks ago

Yes Correct
https://docs.microsoft.com/en-us/azure/architecture/framework/scalability/monitor-infrastructure
upvoted 11 times
  Dhrayco Most Recent  2 weeks, 5 days ago

Why is it not A - Traffic Analytics?
upvoted 1 times

Answer is correct.
Some information about Azure Traffic Analytics: Traffic Analytics is a cloud-based solution that provides visibility into user and application
activity in cloud networks. Traffic analytics analyzes Network Watcher network security group (NSG) flow logs to provide insights into
traffic flow in your Azure cloud. With traffic analytics, you can:
* Visualize network activity across your Azure subscriptions and identify hot spots.
* Identify security threats to, and secure your network, with information such as open-ports, applications attempting internet access, and
virtual machines (VM) connecting to rogue networks.
* Understand traffic flow patterns across Azure regions and the internet to optimize your network deployment for performance and
capacity.
*Pinpoint network misconfigurations leading to failed connections in your network.
upvoted 1 times

https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics
upvoted 1 times

Azure Monitor Metrics is one half of the data platform that supports Azure Monitor. The other is Azure Monitor Logs, which collects and
organizes log and performance data and allows that data to be analyzed with a rich query language.
upvoted 2 times

Selected Answer: B
Answer is correct. Azure Monitor is collecting Logs and Metrics.
upvoted 4 times

Metrics in Azure Monitor are stored in a time-series database which is optimized for analyzing time-stamped data. This makes metrics
particularly suited for alerting and fast detection of issues.
https://docs.microsoft.com/en-us/azure/azure-monitor/overview
upvoted 2 times

Correct Answer B
https://docs.microsoft.com/en-us/azure/azure-monitor/overview
upvoted 3 times
Your company has an Azure subscription that includes a Recovery Services vault.
You want to use Azure Backup to schedule a backup of your company's virtual machines (VMs) to the Recovery Services vault.
Which of the following VMs can you back up? Choose all that apply.
A. VMs that run Windows 10.
B. VMs that run Windows Server 2012 or higher.
C. VMs that have NOT been shut down.
D. VMs that run Debian 8.2+.
E. VMs that have been shut down.
Correct Answer: ABCDE

Azure Backup supports backup of 64-bit Windows server operating system from Windows Server 2008.
Azure Backup supports backup of 64-bit Windows 10 operating system.
Azure Backup supports backup of 64-bit Debian operating system from Debian 7.9+.
Azure Backup supports backup of VM that are shutdown or offline.
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-support-matrix-iaas https://docs.microsoft.com/en-us/azure/virtual-
machines/linux/endorsed-distros

ABCDE (100%)
  khengoolman Highly Voted  4 months, 1 week ago

Passed today with 947. This question appeared, correct Answer is All
upvoted 31 times
  dodeen 4 months ago

congrats budy
is this website enough to clear the exam ?
upvoted 4 times
  practical_93 2 months, 3 weeks ago

is this website enough to clear the exam ?
upvoted 2 times

thank you!
upvoted 1 times
  CloudyTech Highly Voted  7 months, 2 weeks ago

All..................................
upvoted 18 times
  Shanti Most Recent  2 months ago

Answer - All ( Win10 64Bit), All VMs that are shutdown or not can still be backed up
Regarding Linux Debian and other flavours of Linux, see
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/endorsed-distros
upvoted 1 times

AB ONLY
D- WRONG - ONLY DEBIAN 8.X and above
CE- wrong , their are some VM with OS not supported which is not
see link : https://docs.microsoft.com/en-us/azure/backup/backup-support-matrix-iaas
upvoted 1 times

sorry the correct answer - ABD
lol apologies
upvoted 2 times
CE - wrong
https://docs.microsoft.com/en-us/azure/backup/backup-support-matrix-iaas#operating-system-support-linux
upvoted 1 times

Selected Answer: ABCDE
ARS can backup everything.
upvoted 1 times
  ulranmal 2 months, 4 weeks ago

Correct Answer is All ( ABCDE)
upvoted 3 times
  pmartin 3 months, 4 weeks ago

My VM is shut down. Will an on-demand or a scheduled backup work?
Yes. Backups run when a machine is shut down. The recovery point is marked as crash consistent.
https://docs.microsoft.com/en-us/azure/backup/backup-azure-vm-backup-faq#my-vm-is-shut-down--will-an-on-demand-or-a-scheduled-
backup-work
upvoted 2 times
  SanjSL 4 months ago

All..
Azure Backup doesn't support 32-bit operating systems.
For Azure VM Linux backups, Azure Backup supports the list of distributions endorsed by Azure, except Core OS Linux and 32-bit operating
system. Other bring-your-own Linux distributions might work as long as the VM agent is available on the VM, and support for Python
exists.
https://docs.microsoft.com/en-us/azure/backup/backup-azure-backup-faq
upvoted 1 times

Took the exam today, 17 Oct. This question came out. Ans: ALL!!!!
upvoted 5 times
  medk2021 4 months, 2 weeks ago

all true:
https://docs.microsoft.com/fr-fr/azure/backup/backup-azure-backup-faq
https://docs.microsoft.com/fr-fr/azure/virtual-machines/linux/endorsed-distros
upvoted 1 times
  asmi3342344 5 months ago

B and E are contradictory
to each other, whats the point considering these options? ABE are the right options because VM not shut down or shut down will be
backed up anyways. correct?
upvoted 1 times

I bet for ABD. Vms that has been shutdown or not is not specific enough those vms could have an incompatible OS. Not all the running or
stopped VMs can be backed up only those with a compatible OS.
upvoted 2 times
  hosseny 6 months, 3 weeks ago

answer errors
upvoted 1 times
  lemist 7 months ago

My VM is shut down. Will an on-demand or a scheduled backup work?
Yes. Backups run when a machine is shut down. The recovery point is marked as crash consistent.
upvoted 2 times
  Spandrop 7 months ago

Not sure about C, can't I have a VM not been shutdown running an unsupported OS version for the backup service?
upvoted 2 times

lol what is this?
upvoted 3 times

az900 q
upvoted 1 times
Question #1 Topic 2
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:
User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.

You need to create new user accounts in external.contoso.onmicrosoft.com.
Solution: You instruct User2 to create the user accounts.
Does that meet the goal?
A. Yes
B. No
Correct Answer: A
Only a global administrator can add users to this tenant.
Reference:
https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/add-users-to-azure-ad

B (83%) A (17%)
  asdf12345a Highly Voted  1 year, 2 months ago

Previous discussions were wiped from an update to the question set.
From previous discussions, answer is wrong - should be No.
upvoted 60 times
  itgg11 2 months, 1 week ago

Answer is NO.
Since the answers are divided, I tested it by creating a new tenant using a subdomain of the original tenant.
Only a user who created the new tenant was available. Other users from the original domain tenant need to be added manually as GA
or UA. Then and only then, they will be able to manage users.
upvoted 18 times

I did the same here and the answer should be "NO"
upvoted 1 times
  wewewewewe 7 months, 1 week ago

Testtttt
upvoted 2 times
  pravith Highly Voted  1 year, 2 months ago

No...As user 2 doesn't have access to the new directory...Ans is "no"...Same Q in Whizlabs
upvoted 26 times
  practical_93 Most Recent  5 days, 12 hours ago

Selected Answer: B
Answer should be NO. when User1 create new tenant, he will be the only user available on that tenant. Therefore, User1 is the only user
that have access to create users.
upvoted 2 times
  N4d114 1 week, 1 day ago

Correct answer is NO.
Only user1 do it, cause external.contoso.onmicrosoft.com created by User1.
upvoted 1 times
  LG2240 1 week, 4 days ago
https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/licensing-directory-independence
upvoted 1 times
  787huasheng 1 week, 5 days ago

I think the answer should be 'yes'. Because even the tenant 'test' is not created by user2, since user2 is also global administrator, she/he
should have access to sign in as user1 and manage.
"However, administrators of 'Contoso' can control access to organization 'Test' if they sign in to the user account that created 'Test.'"
from link - https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/licensing-directory-independence
upvoted 1 times
  oyetd 2 weeks ago

Selected Answer: B
No... know that it is no.
upvoted 1 times
  TtotheA2021 2 weeks ago

it is NO (B)!
i can understand the misunderstanding as this has been changed when they moved from classic to new view modus.
It is now:
What can azure global administrator do?
Azure AD roles are used to manage Azure AD resources in a directory such as create or edit users, assign administrative roles to others,
reset user passwords, manage user licenses, and manage domains. (update:7 days ago)
Conclusion:
A - Yes > can only manage not create user
B - No > because global admiistrator cannot create users
link = https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles
upvoted 1 times
  Ds80 2 weeks, 4 days ago

Selected Answer: B
Only global admins can create new users (when permissions are not assigned to other users). User2 can only create new users in the top
level tenant.
upvoted 1 times
  FTAZIT 2 weeks, 6 days ago

I say that the answer is no based on this text I found "Administrative independence
If a non-administrative user of organization 'Contoso' creates a test organization 'Test,' then:
By default, the user who creates a organization is added as an external user in that new organization, and assigned the global
administrator role in that organization.
The administrators of organization 'Contoso' have no direct administrative privileges to organization 'Test,' unless an administrator of
'Test' specifically grants them these privileges. However, administrators of 'Contoso' can control access to organization 'Test' if they sign in
to the user account that created 'Test.' " https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/licensing-directory-
independence
upvoted 1 times
  glady 3 weeks ago

Selected Answer: B
Global Administrator can only manage devices, not users
upvoted 2 times
  balys_rutkauskas 3 weeks ago

not true at all.
upvoted 3 times
  Rawatvs 4 weeks, 1 day ago

Selected Answer: B
Post creating the tenant, if you switch user from User1 to User 2, you won't able to find new tenant under manage tenant properties of
User2 which would not let User2 to create any user in new tenant. Hence Answer is B (No)
upvoted 5 times
  WardJojy 1 month ago

In Azure Active Directory (Azure AD), if another administrator or non-administrator needs to manage Azure AD resources, you assign them
an Azure AD role that provides the permissions they need. For example, you can assign roles to allow adding or changing users, resetting
user passwords, managing user licenses, or managing domain names.
upvoted 1 times

https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
upvoted 1 times
Answer is NO, User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.
User2 doesnt exist in thet tenant unless it is created. So by default NO.
Key word is NEW in "creates a new Azure Active Directory tenant"
upvoted 1 times
  Gadzee 1 month ago

To add or delete users you must be a User administrator or Global administrator.
upvoted 1 times
  scottims 1 month, 1 week ago

Tested in my lab. The GA that creates the new tenant has full access however no other users exist. Other GA's would need to be invited as
a guest
upvoted 1 times
  madshark 1 month, 1 week ago

Has anyone recently seen this question in the exam? I am pretty sure the answer is B. No as User2 would need to be setup on the new
tenant
upvoted 1 times
Question #2 Topic 2

A. Yes
B. No
Correct Answer: B
Reference:

B (86%) 14%
  fedztedz Highly Voted  1 year, 2 months ago

Answer is correct . NO
Only user admin or global admin can add users
upvoted 48 times
  Miles19 10 months, 3 weeks ago

I think you are right. The subscription owner role doesn't have anything to do when it comes to users and groups. This role can by
default access all resources under the subscription, or give access to others to any resource, but definitely can't add users to Azure AD
tenant.
upvoted 9 times
  mlantonis Highly Voted  9 months, 1 week ago

User4 doesn’t have access to the new directory. Only User1 has access to the new Tenant, because User1 created the Tenant and became
GA automatically. Also, User4 is not a GA or User Administrator. User4 has RBAC Role permission and not Azure AD Role permission.
upvoted 39 times

perfect
upvoted 1 times
  awssecuritynewbie Most Recent  2 weeks, 4 days ago

Remember guys! "owner" is for a subscription not AD to create users in.
you need to be a User ADministrator or Global Admin to create users within the AD.
upvoted 1 times

Selected Answer: B
This expression that only User Admin and Global admin can add users is more confusing that helpful here. The problem is that you
created a new domain and in this new domain only User1 exists and it's the Only User and Global Administrator on the new domain,
therefore, none of the answers will work, for the other user to be able to create a user, they would have to be been added on the new
domain.
upvoted 4 times
  mirzakadric 1 month ago

Selected Answer: B
Answer is NO because the Global Admin 1 created the tenant is therefore the only one in that tenant
upvoted 1 times
  JessicaK 2 months, 3 weeks ago

Selected Answer: B
This is a new tenant, therefore the other tenants roles do not apply.
upvoted 1 times

Selected Answer: A
No. Subscription Owners can't create new users in AAD tenants.
upvoted 1 times

Fat fingers. Correct answer is B.
upvoted 2 times
  Eltooth 4 months, 1 week ago

No no no no no
upvoted 2 times
  Mukesh_Aggarwal_07 4 months, 3 weeks ago

Answer is NO (B)
upvoted 1 times
  muk_neha_ahana 4 months, 3 weeks ago

answer is B (NO)
upvoted 1 times
  silver_bullet666 4 months, 4 weeks ago

Thank you exam topics and most importantly everyone in the discussion! passed the AZ104 today!! 90% of questions are from this site.
The others are still based on the topics covered on this site. Exam content changes tomorrow FYI :(
upvoted 3 times
  Tyler2021 4 months, 2 weeks ago

Congrats, hope we have the questions updated.
upvoted 1 times
  Dingaan 5 months, 3 weeks ago

passed 27 August 2021, just do your self a favor and listen to just MLANTONIS and fedztedz otherwise people will confuse here
upvoted 2 times
  HariHaran25 4 months, 1 week ago

i can't see MLANTONIS and fedztedz in the threads
upvoted 2 times
  thuylevn 6 months, 1 week ago

No, so B is correct answer
upvoted 1 times
  Exam_khan 8 months ago

Only a Global Admin can create users
upvoted 2 times
  Deyvessh 8 months ago

What about User Administrator?
upvoted 4 times
  Tranquillo1811 8 months, 3 weeks ago

The correct answer here would be B. No!
No other user than User1 has the required rights in the NEW tenant!
User1 is "Global administrator" of the NEWLY CREATED tenant, since she created it...
upvoted 6 times
  BENISSE 9 months, 2 weeks ago

Azure Subscription doesn't have tenant permission
upvoted 2 times
  Bedmed 11 months ago

Anwer is No,
User2 is not global admin in external.contoso.onmicrosoft.com
upvoted 5 times
Question #3 Topic 2

A. Yes
B. No
Correct Answer: B
Reference:

B (89%) 11%
  Matkes Highly Voted  1 year, 2 months ago

No, as user3 is user admin in contoso.onmicrosoft.com tenant and has no rights in external.contoso.onmicrosoft.com
upvoted 77 times
  raoeh 1 week ago

exactly
upvoted 1 times
  AzurePrince 3 months, 1 week ago

what has user3 got to do with this question?!
upvoted 13 times
  breakerboyz09 2 months, 2 weeks ago

Maybe question got changed during this 11 months
upvoted 2 times
  JamesP Highly Voted  1 year, 2 months ago

From the referenced Microsoft doc: To add or delete users you must be a User administrator or Global administrator.
Answer should be A
upvoted 31 times

When you create a new Azure AD tenant, you become the first user of that tenant. As the first user, you're automatically assigned the
Global Admin role. And there is a warning in the docs "Ensure your directory has at least two accounts with global administrator
privileges assigned to them. This will help in the case that one global administrator is locked out." that means that Global Admins from
contoso.onmicrosoft.com tenant has no access to the new tenant by default.
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-access-create-new-tenant
upvoted 1 times
  denislp 5 months, 3 weeks ago

A resposta seria A, se ele estivesse se referindo ao tenant contoso.onmicrosoft.com. Mas ele faz referência ao tenant
external.contoso.onmicrosoft.com, ou seja, somente o USER1 que criou esse tenant que tem privilégios para realizar essa ação.
upvoted 3 times
  ArgiDio 1 year, 1 month ago

external.contoso... is another tenant.
Since it is referring to ANOTHER tenant that only the creator has permissions (unless he assigns to others -there is no such statement)
the answer is "No".

upvoted 27 times

The user3 is the user admin, but for another tenant - contoso.onmicrosoft.com. Therefore, he can't add users to the new tenant,
because he doesn't have access to that tenant.
upvoted 11 times
  juniorccs Most Recent  1 month ago

This comment "Only a global administrator can add users to this tenant." doesn't help much on this scenario! This comment is perfect
"No, as user3 is user admin in contoso.onmicrosoft.com tenant and has no rights in external.contoso.onmicrosoft.com" from @matkes
upvoted 1 times
  NathanS 1 month, 3 weeks ago

I am a little lost with the answer to this question, you can not create a new tenant using the **anything**.contoso.onmicrosoft.com as the
primary domain already exists.. so they only option would be to create a custom domain which I believe that root level users
(contoso.onmicrosoft.com) would be able to manage users if they are Global Administrators or User Administrators. Can someone please
help or explain I have my exam on the 7th Jan 2022
upvoted 2 times

Selected Answer: B
User2 is not a member yet, and has no privileges on the second tenant (external.contoso.onmicrosoft.com)
upvoted 1 times
  Josty 2 months, 2 weeks ago

Selected Answer: B
B is right User 2 has no rights in the external contoso.onmicrosoft.com
upvoted 1 times
  SShamz 2 months, 3 weeks ago

Selected Answer: A
User2 is a Global Administrator.
Global Administrator Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities.
upvoted 1 times

Selected Answer: B
Only user2 has permission to create user in the new tenant
upvoted 1 times

I meant only user1 has permissoin
upvoted 1 times

Selected Answer: B
No. User2 is Global Administrator only in contoso.microsoft.com tenant. Currently, only User1 is Global Administrator in
external.contoso.microsoft.com tenant.
upvoted 5 times
  MrAzureGuru 3 months, 1 week ago

Further to this, User1 is the OWNER of the new tenant as they created it.
upvoted 1 times
  santhosh007 3 months, 2 weeks ago

global admins can access all the tenants, so the answer is yes
upvoted 2 times
  Pradh 3 months, 2 weeks ago

BIG NOOOOOOOOOOOOOOOOOOOOO !!!!
When USER1 creates a new AAD tenant, USER1 becomes the first user of that tenant. As the first user, USER1 automatically assigned the
Global Admin role. USER2 is not even existing in newly created AAD tenant by USER1.
upvoted 7 times
  Eltooth 4 months, 1 week ago

No no no no no
upvoted 2 times
  Pradyumn 4 months, 1 week ago

answer is no
upvoted 1 times

ONLY THE CREATOR OF THE AAD TENANT: USR1.
upvoted 2 times
  RoboRobo 4 months, 2 weeks ago

Answer > NO
Of course, they can't. If you give a user the AAD Global Administrator role in an AAD tenant, he is the global admin in the only one tenant,
never relate to other tenants
upvoted 1 times
  tikytaka 4 months, 3 weeks ago

No, question was also 'No' in a now deleted practice paper in Udemy - only User1 has admin rights to the new tenant
upvoted 1 times
Question #4 Topic 2
HOTSPOT -
You have an Azure subscription named Subscription1 that contains a resource group named RG1.
In RG1, you create an internal load balancer named LB1 and a public load balancer named LB2.
You need to ensure that an administrator named Admin1 can manage LB1 and LB2. The solution must follow the principle of least privilege.
Which role should you assign to Admin1 for each task? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
The Network Contributor role lets you manage networks, but not access them.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
  Aghora Highly Voted  1 year, 1 month ago

I have seen to many opinions regarding this, so I decided to test it in my azure account . with Network C on LB1 or LB2 , you can not do
any of the tasks and your get a permission error, you can not even see the Vnets to add the pool from !!!.
when using Contributor access on LB1,LB2 ...same issue . the Only option from the given choices that worked is
- Network Contributor on RG1 for LB1 to add a backend pool (vms must be in place)
- Network Contributor on RG1 for LB2 to add health probe
I hope this resolves the disagreement , all of the links about Network Contributor access on Microsoft are correct but they do not work at
the LB level, they have to be at the resource group level or at every resource that you need to get the pool in place(ie. Vnet,VMs..).
upvoted 186 times
  Bursuc03 9 months, 2 weeks ago

Within RG1 you have the two LBs. You can have the rest of the resources (vNets, VMs) in a different RG, with different access rights.
There is nowhere stated you cannot have access to the other resources, that may be placed within other RGs, on which you have
different access rights. So the answer is YES.
upvoted 3 times
  comin 7 months, 4 weeks ago

Wrong. It says it has to follow the principle of least privilege to accomplish the tasks. If taken your approach then the principle is not
met.
Aghora replied ok.
upvoted 5 times
  Praveen66 5 months, 4 weeks ago

I did try the same test these things, however when the NC role is assigned to the user for the resource group , you still get an error that
you don't have permission to perform does not have authorization to perform action 'Microsoft.Network/register/action' over scope
'/subscriptions/feacddd7-6e93-4445-8**** , The only way I could perform the action was to provide the NC access to subscription as
well. has anyone has any idea as to why ?
Failed to start deployment

Registering the resource providers has failed.
Additional details from the underlying API that might be helpful: The client '[email protected]' with object id
'9ebc2924-ade9-42fa-9a3c-4eae436c589b' does not have authorization to perform action 'Microsoft.Network/register/action' over
scope '/subscriptions/feacddd7-6e93-4445-8a92-e' or the scope is invalid. If access was recently granted, please refresh your
credentials. (Code: AuthorizationFailed)
upvoted 1 times
  rsamant 5 months, 1 week ago

may be your vnet and vm were in different resource group ? hence you had to give this at subscription level ?
upvoted 2 times
  vince60370 1 year, 1 month ago

Thanks for trying it, as you said, too much divergent answers and explanations.
Clearer like this.
upvoted 6 times

Correct Answer:
1: Network contributor on RG1
upvoted 79 times
  fzn73 1 day, 4 hours ago

good answer!
upvoted 1 times
  brainysaki 4 months ago

Finally, I found you mlantonis.
upvoted 19 times
  H3adcap Most Recent  11 hours, 2 minutes ago

Was in the exam today 17/02/2022
upvoted 1 times
  AnguSummer 1 week, 6 days ago

had this question on 05/Feb/22 exam
upvoted 5 times
  hm67 1 day, 2 hours ago

got this one too
upvoted 2 times
  SkyRender21 1 week, 4 days ago

got this one too. 06/Feb/22
upvoted 4 times
  anshad666 1 week, 1 day ago

which is the correct answer ?
upvoted 2 times
  crisalwaysmusic 4 weeks, 1 day ago

Date: 20/january/2022. I have tried this in the lab, and with the Network Contribute role, you can manage LB1 and LB2 on each of them.
So It´ll be: Network contributor on LB1 /Network contributor on LB2
upvoted 3 times

I've tested this my lab and Network Contributor for RG1 is the only way for both. If Admin1 does not have access to the resource they
cannot see anything inside the RG. This role is then inherited for LB1 and LB2.
Contributor allows management of all items in the RG including assigning permissions.
upvoted 1 times
  Rohanrishi 1 month, 2 weeks ago

My prediction goes for network Contributor for LB; if we set permission at RG level it doesn't meet the principle of least privilage and the
usr will privilage for all the resources under that RG
upvoted 1 times

upvoted 2 times

upvoted 4 times

It was a picture answer:
Network Contributor on RG1 for LB1 to add a backend pool
Network Contributor on RG1 for LB2 to add health probe
upvoted 3 times
  Sara_Mo 2 months, 2 weeks ago

Network Contributor on RG1 for LB1 to add a backend pool
Network Contributor on RG1 for LB2 to add health probe
upvoted 8 times

funny scenario
https://docs.marklogic.com/cloudservices/azure/network/assign-network-contributor-role-azure.html
the vnet access also lol
upvoted 1 times

correct answer,N/W contributor on RG1 for both,
upvoted 8 times
  Michael_ATB 4 months, 3 weeks ago

The answer is :
-Network Contributor on RG1
-Network Contributor on RG1
upvoted 12 times
  COOLKIDZ 5 months ago

It came on Sep 17 exam.
upvoted 5 times
  julioglez88 5 months ago

The key point of the question is:
"You need to ensure that an administrator named Admin1 can manage LB1 and LB2. The solution must follow the principle of least
privilege."
Considering that and the Network contributor role which has:
Microsoft.Resources/subscriptions/resourceGroups/read -> Gets or lists resource groups.
In case is required to see the VMs, or any other resources, with this role you are allowed to see them, but this is not the scope of the
question.
Correct answer is assign the Network Contributor role at the scope of each LB in both questions. We don't know which other resources are
in the RG, and within this we ensure that the least privilege is accomplish and the Admin1 can manage LB1 and LB2
upvoted 4 times
  Pamban 3 months, 1 week ago

Exactly. key point is least privilege. Hence network contributor role on LB1 and LB2.
upvoted 3 times
  rt_85 5 months ago

Is there a way to have all of the wrong answers removed?
upvoted 3 times
  Dave108 3 months, 3 weeks ago

Had the exam last week, failed with 6XX/1000 so doing it again. Had not enough time to prepare so its rather my fault, questions are
still valid.I am a bit frustrated with admins not updating the right answers as it takes too much time to figure out the right answer
every time when practicing. I am planning to put all the questions to a vce/simulator file and DIY with the right answers. Its a bit time
consuming..is anyone up for it to cooperate? Like 3 people 100questions each. I can share how to do it plus a vce designer.
upvoted 4 times
Question #5 Topic 2
You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com and an Azure Kubernetes Service
(AKS) cluster named AKS1.
An administrator reports that she is unable to grant access to AKS1 to the users in contoso.com.
You need to ensure that access to AKS1 can be granted to the contoso.com users.
What should you do first?
A. From contoso.com, modify the Organization relationships settings.
B. From contoso.com, create an OAuth 2.0 authorization endpoint.
C. Recreate AKS1.
D. From AKS1, create a namespace.
Correct Answer: B
Reference:
https://kubernetes.io/docs/reference/access-authn-authz/authentication/

B (60%) C (40%)
  ketan05 Highly Voted  1 year, 2 months ago

Correct! The Azure AD client application is used by kubectl to sign in users with OAuth 2.0 device authorization grant flow.
https://docs.microsoft.com/en-us/azure/aks/concepts-identity
upvoted 38 times

Correct Answer: B
The Azure AD client application is used by kubectl to sign in users with OAuth 2.0 device authorization grant flow.
Reference:
upvoted 31 times
  Keerthana2020 8 months, 2 weeks ago

you answers are really correct, please help me for az-220 i got failed twice after reading all the materials
upvoted 1 times
  pappkarcsiii Most Recent  1 week, 6 days ago

Selected Answer: B
The Azure AD client application is used by kubectl to sign in users with OAuth 2.0 device authorization grant flow.
upvoted 2 times
  saleta 2 weeks ago

Selected Answer: B
oauth must be used
upvoted 3 times
  byuq 2 weeks, 2 days ago

Selected Answer: B
B is correct
upvoted 4 times
  mmNYC 1 month ago

azure updated no more this question valid
upvoted 1 times

Answer: B
upvoted 2 times

Selected Answer: C
Assuming that this question was written only when the (now legacy) AAD integration with AKS was an option, the integration could have
been enabled only during the cluster creation - this implies answer C.
However, the new AKS-managed AAD integration can be enabled on both existing and new cluster using (via CLI) the --enable-aad
parameter. Once this parameter is used, the App Registration is automatically created and the OAuth 2.0 authorization endpoint therefore
becomes available via that App Registration - there's literally nothing necessary from the user's side other than run àz aks update`.
Thankfully, this question was removed from the exam.
upvoted 6 times
  JohnPhan 4 months ago

B
kubectl uses the Azure AD client application to sign in users with OAuth 2.0 device authorization grant flow.
upvoted 1 times

Correct Answer: B
upvoted 1 times
  melatocaroca 5 months, 1 week ago

IMHO correct answer must be D.
Roles
Before assigning permissions to users with Kubernetes RBAC, you'll define user permissions as a Role. Grant permissions within a
namespace using roles.
Once you've defined roles to grant permissions to resources, you assign those Kubernetes RBAC permissions with a RoleBinding.
RoleBindings
Assign roles to users for a given namespace using RoleBindings. With RoleBindings, you can logically segregate a single AKS cluster, only
enabling users to access the application resources in their assigned namespace.
upvoted 1 times

yes, B is correct answer
upvoted 2 times

This was an exam question on 4th July 2021. I pass with 904 mrks
upvoted 8 times
  BenStokes 8 months ago

Answer is correct as per - https://docs.microsoft.com/en-us/azure/aks/concepts-identity
Excerpts from article as 1st step -
As shown in the graphic above, the API server calls the AKS webhook server and performs the following steps:
1. kubectl uses the Azure AD client application to sign in users with OAuth 2.0 device authorization grant flow.
upvoted 3 times
  db12345 8 months, 1 week ago

Ans : B
upvoted 1 times
  armandolubaba 9 months, 1 week ago

All the answer are corrects
upvoted 1 times

Is it correct to say "You have an Azure subscription that contains an Azure Active Directory ...".
According to: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-
directory?amp;clcid=0x9
subscription should be under a tenant
upvoted 3 times
  chaudha4 9 months, 1 week ago

You are correct. Azure subscription has a trust relationship with Azure Active Directory tenant not a containment relationship.
upvoted 1 times
Question #6 Topic 2
You have a Microsoft 365 tenant and an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to grant three users named User1, User2, and User3 access to a temporary Microsoft SharePoint document library named Library1.
You need to create groups for the users. The solution must ensure that the groups are deleted automatically after 180 days.
Which two groups should you create? Each correct answer presents a complete solution.
A. a Microsoft 365 group that uses the Assigned membership type
B. a Security group that uses the Assigned membership type
C. a Microsoft 365 group that uses the Dynamic User membership type
D. a Security group that uses the Dynamic User membership type
E. a Security group that uses the Dynamic Device membership type
Correct Answer: AC
You can set expiration policy only for Office 365 groups in Azure Active Directory (Azure AD).
Note: With the increase in usage of Office 365 Groups, administrators and users need a way to clean up unused groups. Expiration policies can
help remove inactive groups from the system and make things cleaner.
When a group expires, all of its associated services (the mailbox, Planner, SharePoint site, etc.) are also deleted.
You can set up a rule for dynamic membership on security groups or Office 365 groups.
Incorrect Answers:
B, D, E: You can set expiration policy only for Office 365 groups in Azure Active Directory (Azure AD).
Reference:
https://docs.microsoft.com/en-us/office365/admin/create-groups/office-365-groups-expiration-policy?view=o365-worldwide

AC (100%)

Correct Answer: A and C
Only O365 groups support automatic deletion after 180 days.
You can set expiration policy only for Office 365 groups in Azure Active Directory (Azure AD). Note: With the increase in usage of Office 365
Groups, administrators and users need a way to clean up unused groups. Expiration policies can help remove inactive groups from the
system and make things cleaner. When a group expires, all of its associated services (the mailbox, Planner, SharePoint site, etc.) are also
deleted. You can set up a rule for dynamic membership on security groups or Office 365 groups. Incorrect Answers: B, D, E: You can set
expiration policy only for Office 365 groups in Azure Active Directory (Azure AD).
Reference:
https://docs.microsoft.com/en-us/office365/admin/create-groups/office-365-groups-expiration-policy?view=o365-worldwide
upvoted 58 times

Answer is correct - Only O365 groups support automatic deletion after 180 days.
upvoted 31 times

Was in exam today 17/02/2022
upvoted 1 times

Why Create both when 1 will do the job?
upvoted 4 times
  fonfi 1 month, 1 week ago

Selected Answer: AC
A and C
upvoted 2 times

In exam 01.02.22
upvoted 7 times
  njain453 1 month, 3 weeks ago
o365 provides access to a shared mailbox, calendar files, SharePoint, as well as other services that are available in Office 365.
only O365 groups support automatic deletion after 180 days.
upvoted 1 times

Sorry, why 2 groups?
I think one group(MS365 assigned) is sufficient. why do we need dynamic group?
upvoted 4 times
  Incredible99 3 months, 2 weeks ago

This question was in my 10/31/2021 Exam.
upvoted 4 times
  imran_mohd 4 months ago

In exam 16/10/21
upvoted 5 times

upvoted 2 times
  Jananishree 4 months, 4 weeks ago

in exam 17/9/2021. Most of the questions are in this question bank. You should have to search for correct answers for each question
upvoted 1 times
  khismail 6 months ago

In Exam 21/08/2021, Correct Answer: A & C
upvoted 3 times

A,C are corrects
upvoted 1 times
  Meko 7 months ago

was in exam 23/7/2021
upvoted 4 times

This was an exam question on 4th July 2021. I pass with 904 marks
upvoted 2 times
  achmadirvanp 7 months, 3 weeks ago

Answer is correct, Appear On Exam July 1 2021
upvoted 2 times
Question #7 Topic 2
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table:
User3 is the owner of Group1.

Group2 is a member of Group1.
You configure an access review named Review1 as shown in the following exhibit:
For each of the following statements, select Yes if the statement is true. Otherwise, select No.

Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review

Answer is correct -
The scope is set to GUEST users only. So User3 cannot perform an access review of User1 and UserA as they are Members.
Group2 is a member of Group1 so the access review is inherited.
upvoted 103 times

Box 1: No
User 3 can only review guest users, and User1 is a member user.
Box 2: No
Box 3: Yes
Group2 is a member of Group1 and User3 is the owner of this group, therefore everyting included in Group2 can be reviewed by User3.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review
upvoted 56 times

Think you meant for Box2: UserA not User2. But correct in all points.
upvoted 1 times
  Koba Most Recent  2 weeks, 6 days ago

3rd question answer is no.
see source below.
https://docs.microsoft.com/en-us/azure/active-directory/governance/complete-access-review
Some denied users are unable to have results applied to them. Scenarios where this could happen include:
*Reviewing members of a synced on-premises Windows AD group: If the group is synced from on-premises Windows AD, the group
cannot be managed in Azure AD and therefore membership cannot be changed.
*Reviewing a resource (role, group, application) with nested groups assigned: For users who have membership through a nested group,
we will not remove their membership to the nested group and therefore they will retain access to the resource being reviewed.
*User not found / other errors can also result in an apply result not being supported.
upvoted 2 times
  reiny09 1 week, 2 days ago

I'm a bit on the fence for this answer for this same reason.
I believe the determining factor is that the question asks if the access review can be performed, to which the answer is yes. However,
the end result is that the access review will not yield any changes to the group access for UserB.
upvoted 1 times
  Mozbius_ 3 weeks, 5 days ago

"Access Review" is not part of Microsoft Instructor-led AZ-104 course!!! So much for spending so much money just to not have ALL the info
needed to fully cover the exam.
I would hope that Group 2 inherits from Group 1 so No, No, Yes.
upvoted 1 times
  arkadius 2 months ago

Ans. 3 is NO
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-perform-azure-ad-roles-and-resource-roles-
review
.
Reviewing a role with nested groups assigned: For users who have membership through a nested group, the access review will not
remove their membership to the nested group and therefore they will retain access to the role being reviewed.
.
upvoted 2 times
  LOOTF 4 months ago

Since the user3 is the owner I think he can perform access review to all users?
May I right?
upvoted 3 times

No,No,Yes - correct ans
upvoted 2 times

I just tested in lab,
Answer is correct, No, No, Yes
The users to be reviewed are the guest accounts only based on the configuration set. Additionally the guest users from group 2 are
inherited to group 1, so by default User3 can review user2 and userB
upvoted 1 times
  Shikher 2 months, 2 weeks ago

Are you implementing in Azure?? or some other service which can be used to try out
upvoted 1 times

correct answer, Scope Guest users only
upvoted 1 times
  CloudyTech 7 months, 2 weeks ago

It should be NO NO NO , User B is in Group 2 and review is for Group 1
upvoted 1 times
  Teing 7 months, 1 week ago

No No Yes is correct. User B is in Group 2, while Group 2 is member of Group 1, so it is inherited.
upvoted 4 times
  BenStokes 8 months ago

Answer is - No, No, Yes.
Explanation -
Box 1: No
Box 2: No
Box 3: Yes
Group2 is a member of Group1 and User3 is the owner of this group, therefore everyting included in Group2 can be reviewed by User3.
upvoted 11 times
  flash007 8 months, 2 weeks ago

User 3 is not part of any groups so Box 1 is defo NO
upvoted 1 times
  Didib 9 months, 2 weeks ago

Why is User 3 able to review User B, when user B belongs to Group 2, and User 3 is the owner of only Group 1. Not to mention, the policy
applies to Group 1 only?
upvoted 1 times
  coders1234 9 months, 2 weeks ago

because group 1 contains group 2 (users) also
upvoted 1 times
  HassanSarhan 9 months, 2 weeks ago

No No Yes Correct answers!
upvoted 1 times
  iamkl00t 10 months, 1 week ago

typo in 'advanced' at the bottom of the screenshot
upvoted 1 times
  mg 11 months, 2 weeks ago

NO NO YES
upvoted 2 times
  ZUMY 11 months, 2 weeks ago

N N Y is the answer
upvoted 1 times
Question #8 Topic 2
HOTSPOT -
You have the Azure management groups shown in the following table:
You add Azure subscriptions to the management groups as shown in the following table:
You create the Azure policies shown in the following table:
Hot Area:
Correct Answer:
Box 1: No -
Virtual networks are not allowed at the root and is inherited. Deny overrides allowed.
Box 2: Yes -
Virtual Machines can be created on a Management Group provided the user has the required RBAC permissions.
Box 3: Yes -
Subscriptions can be moved between Management Groups provided the user has the required RBAC permissions.
Reference:
https://docs.microsoft.com/en-us/azure/governance/management-groups/overview https://docs.microsoft.com/en-
us/azure/governance/management-groups/manage#moving-management-groups-and-subscriptions

Answer is Wrong : It should Be NO NO NO
- subscription should be moved by can't be added to 2 groups.
upvoted 98 times
  Ikrom 1 year, 2 months ago

Agree.
- NO: Subscription 1: is not allowed to create a VNET.
- NO: Subscription 2: Allowed to create a VNET which restricts anything else.
- NO: Subscription 1: already in one Management group called 21, so cannot add into another. A Subscription can be assigned to 1
Management Group.
upvoted 72 times
  azuremarco2021 10 months, 1 week ago

Im sorry but why is the 2nd false? All that was forbiden at the root level is lifted on Subscription 2
upvoted 2 times

because subscription 2 is under management group 12. The only allowed resource type is VirtualNetworks per the table in the
question, therefore VM creation is not allowed
upvoted 8 times
  imartinez 6 months ago

I think this is wrong, it should be No YES NO.
The first policy only restrict to create VNets not VMs, So VMs are allowed to be created if you can attach a VNET and the 2nd
policy allows you to create the VNET, So.. yes
upvoted 6 times

My bad, the whitelist will allow you to create the VNET but prevent's you to create the VM, that's the issue. second is NO, thx
upvoted 7 times
  irosh412 9 months, 1 week ago

https://docs.microsoft.com/en-us/azure/governance/policy/overview#policy-definition
This clearly states,

"Allowed Resource Type (Deny): Defines the resource types that you can deploy. Its effect is to deny all resources that aren't part of this
defined list."
Therefore, only allowed resource type is virtual nerwork.
SO the answer for the second question is NO.
but third is Yes, because adding subscrition and moving subscription is the same in MS docs. :)
upvoted 13 times
  vamshidhara 9 months, 1 week ago

Azure Policy is an explicit deny.
So the root management group deny the virtual network resource type to the child management groups/subscriptions/resources
groups and the policy in the question does not have any thing excluded so it will deny
upvoted 5 times
  tita_tovenaar 7 months, 2 weeks ago

not agreed for answer 2.
Only virtual networks are mentioned in the policy. Nothing is said about virtual machines.
Result: NO - YES - NO
upvoted 4 times

sorry, my bad. answer 2 is No.By allowing metworks, you deny all the rest.
upvoted 4 times
  pieronegri 1 year, 2 months ago

you are right, "move" is the right verb.
upvoted 2 times

Allowed Resource Type (Deny): Defines the resource types that you can deploy. Its effect is to deny all resources that aren't part of this
defined list.
Not allowed resource types (Deny): Prevents a list of resource types from being deployed.
Based on the Policies, VNETs are not allowed in the Tenant Root Group scope, so you cannot deploy VNETs. Also, VNETs only allowed in
ManagementGroup12 scope, but you cannot deploy any other resource.
Box 1: No
Subscription1 is a member of ManagementGroup21, ManagementGroup21 is a member of ManagementGroup11, ManagementGroup11
is a member of the Tenant Root Group, The Tenant Root group has ‘Not allowed resource types for virtual network’.
Box 2: No:
You cannot create a VM, because based on the Policy you can only create VNETs in Sybscription2 (ManagementGroup12).
Box 3: No
You cannot ADD Subscription1 to ManagementGroup11, but you can MOVE Subscription1 from ManagementGroup21 to
ManagmentGroup11. Subscriptions can only be a member of ONE ManagementGroup at a time.
upvoted 51 times
  joergsi 1 month, 2 weeks ago

Your reply for box 2 makes no sense because the question is: You can create a VM in Sun 2?
And you are saying: Box 2: No:
But then the answer needs to be yes based on your argument, correct?
upvoted 1 times

Box 1 and Box 2 are ok; however, I have a doubt that when all management groups here are under management group Tenant Root
Group which has a policy barring Virtual Networks, so how come ManagementGroup12 can allow Virtual network creation in the first
place? Do'nt member management groups inherit policies from host management group?
upvoted 1 times

My question is can a nested management group override policy defined at its parent management group level by creating its own
contradictory policy?
upvoted 1 times
  RamanAgarwal 8 months, 2 weeks ago

Policy doesnt restrict you to create a VM anywhere. It restricts you to create VNet only which is overridden at Management12 and it will
be inherited by Subscription 2. So you can create Vnet hence VM in subscription 2
upvoted 4 times
  edengoforit Most Recent  2 weeks, 1 day ago

One reason to create a management group is to bundle subscriptions together. Only management groups and subscriptions can be made
children of another management group. A subscription that moves to a management group inherits all user access and policies from the
parent management group
When moving a management group or subscription to be a child of another management group, three rules need to be evaluated as true.
https://docs.microsoft.com/en-us/azure/governance/management-groups/manage#moving-management-groups-and-subscriptions
upvoted 1 times
  fxliang 1 month, 1 week ago

No, Yes, Yes
1. NO, because policy states no vnet is allowed - so basically the new policy created states no *NEW * vNet can be created on ALL
Management groups. including Management Group 12 because it is nested under Tenant Root Group.
2. YES, you can create VM. because any vNET created before this no vNet policy is created are unaffected.
3. YES, because that is how you would do it. to MOVE a subscription, you would use the *Add subscription" option on the portal. this will in
turn add the subscription to new management group and remove it from old management group.
upvoted 2 times
  reiny09 1 week, 2 days ago

Question 2 is asking if a VM can be created. Since the policy is already in place, the answer to the question is No. If the question were
asking if a vNet could be created, the answer would be Yes, since vNets are the only resource type allowed in
ManagementGroup12/Subscription2.
upvoted 1 times

Option 2 is no (https://docs.microsoft.com/en-us/azure/governance/policy/overview#policy-definition):
Allowed Resource Type (Deny): Defines the resource types that you can deploy. *Its effect is to deny all resources that aren't part of this
defined list*.
upvoted 1 times

NO
NO
NO
upvoted 1 times

Box 1: No
Subscription1 is a member of ManagementGroup21, ManagementGroup21 is a member of ManagementGroup11, ManagementGroup11
is a member of the Tenant Root Group, The Tenant Root group has ‘Not allowed resource types for virtual network’.
Box 2: No:
Box 3: No
You cannot ADD Subscription1 to ManagementGroup11, but you can MOVE Subscription1 from ManagementGroup21 to
ManagmentGroup11. Subscriptions can only be a member of ONE ManagementGroup at a time.
upvoted 3 times

Ans. 3 YES - as it was written - MS mixes Adding and moving in DOCS
.
Move subscriptions:
Add an existing Subscription to a management group in the portal
Log into the Azure portal.
Select All services > Management groups.
Select the management group you're planning to be the parent.
At the top of the page, select Add subscription.
Select the subscription in the list with the correct ID.
Screenshot of the 'Add subscription' options for selecting an existing subscription to add to a management group.
Select "Save".
.
upvoted 1 times

answer 2 is No.By allowing metworks, you deny all the rest. NO NO NO
upvoted 1 times

NO yes NO
upvoted 1 times
  marco_aimi 2 months, 3 weeks ago

It is not possible to create an Azure VM without a vnet,
An Azure resource group cannot contain subscriptions. A subscription contains resource groups.
NO, NO, NO
upvoted 1 times
  J511 2 months, 4 weeks ago

Answers are correct as shown - see the 3x 'Box 1-2-3' explanations and comments.
upvoted 1 times
  hitmk5 3 months, 1 week ago

Tested. No, No, No.
- deny policy overrides allow policy regardless of order in which policies are applied
- trying to create vm ends with error creating a network interface
- you can only MOVE, not ADD subscription
upvoted 2 times

Box 1: No -
Virtual networks are not allowed at the Tenant Root Group. Management Group11 inherits the Deny Policy from the Tenant Root
Group. ManagementGroup21 inherits the Deny Policy from ManagementGroup11. The question states Subscription1 which includes
ManagementGroup21 and therefore ManagementGroup11.
Box 2: No -
ManagementGroup12 is in Subscription2 and in the Scope of the 2nd policy. Allowed resource types are virtualNetworks. This means all
other resources are denied by default.
Box 3: No -
Subscriptions can be moved between Management Groups provided the user has the required RBAC permissions, however, the question
states ADD to Management Group11 and not move it. Thefore, the answer is no. A subscription can only exist in one Management Group
at a time.
https://docs.microsoft.com/en-us/azure/governance/management-groups/overview
upvoted 1 times

This question was in my 10/31/2021 Exam
upvoted 2 times
  fabylande 4 months ago

In exam October 16, 2021
upvoted 2 times
  hello2022 3 months, 3 weeks ago

so what was the correct answer?
upvoted 3 times

No
YES(maybe), It will probably provision/create the vm but the policy will block the provisioning of the VNET. The creation process can allow
other resources to be created, but can/will error others.
YES..Adding sadly is the same as moving : https://docs.microsoft.com/en-us/azure/governance/management-groups/manage#moving-
management-groups-and-subscriptions
upvoted 1 times
  a4andrew 4 months ago

Self correct.#2 is NO: Subscription 2: Allowed to create a VNET which restricts anything else.
upvoted 2 times
Question #9 Topic 2
You have an Azure policy as shown in the following exhibit:
What is the effect of the policy?
A. You are prevented from creating Azure SQL servers anywhere in Subscription 1.
B. You can create Azure SQL servers in ContosoRG1 only.
C. You are prevented from creating Azure SQL Servers in ContosoRG1 only.
D. You can create Azure SQL servers in any resource group within Subscription 1.
Correct Answer: B
You are prevented from creating Azure SQL servers anywhere in Subscription 1 with the exception of ContosoRG1

B (100%)
  Nalex9ja Highly Voted  1 year, 2 months ago

The Picked Option (B) is the correct option
upvoted 53 times

Agree.
It says: Exclusions and RG1 is there.
upvoted 5 times

Answer is Correct. B
upvoted 28 times
  N4d114 Most Recent  1 week, 1 day ago

Agree with the answer, as mention in policy it appear exclusion.
upvoted 1 times
  Dipendraaaaa 3 weeks, 5 days ago

This question came today 01-22-22 and answer is B
upvoted 3 times
  hm67 1 day, 2 hours ago

got this one too
upvoted 1 times

upvoted 1 times

Selected Answer: B
B is correct
upvoted 1 times
  Jimmy_27 2 months, 3 weeks ago

Option B is correct
upvoted 1 times

Selected Answer: B
B is correct. You can't create SQL Servers anywhere in Subscription1, excluding RG1. Thereby, you can only create SQL Servers in RG1.
upvoted 4 times
  im82 3 months ago

Was on exam today 19.11.2021
Answer: B
upvoted 4 times

It states in Exclusions: Subscription 1/ContosoRG1. The rule states you cannot create Microsoft Sql/servers with the Scope of
Subscription1. So therefore, you are prevented from creating Azure SQL servers anywhere in Subscription 1 with the excception of
Subscription 1/ContosoRG1.
https://docs.microsoft.com/en-us/azure/governance/policy/overview#policy-definition
upvoted 2 times

This too obvious by just looking at the exclusions.
upvoted 1 times
  Pirulou 3 months, 4 weeks ago

Question to the first Azure exam, long time ago... B.
upvoted 1 times
  bornonthird 4 months, 3 weeks ago

Looks B
upvoted 1 times

Answer is Correct. B
upvoted 2 times
  xxxxx85xx 5 months ago

In exam 09/20/2021
upvoted 2 times
  Fayaman 5 months, 1 week ago

Question was asked on exam taken 09/10/2021
upvoted 4 times
  Kamex009 5 months, 4 weeks ago

This question was asked on exam taken on 08/22/2021
upvoted 4 times
HOTSPOT -
You have an Azure subscription that contains the resources shown in the following table:
You assign a policy to RG6 as shown in the following table:
To RG6, you apply the tag: RGroup: RG6.

You deploy a virtual network named VNET2 to RG6.
Which tags apply to VNET1 and VNET2? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
VNET1: Department: D1, and Label:Value1 only.

Tags applied to the resource group or subscription are not inherited by the resources.
Note: Azure Policy allows you to use either built-in or custom-defined policy definitions and assign them to either a specific resource group or
across a whole
Azure subscription.
VNET2: Label:Value1 only.
Incorrect Answers:
RGROUP: RG6 -
Tags applied to the resource group or subscription are not inherited by the resources.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-policies
  aymennn Highly Voted  1 year, 2 months ago

not correct vnet1 is created before assignng the policy so it doesn't heritate teh tag.
vnet1 : departement D tag only
upvoted 148 times
  OmarMac 1 year, 2 months ago

VNET1 - Department: D1 only
VNET2 - Label: Value1 only
upvoted 192 times
  GataullinRN 4 months, 4 weeks ago

This is the right answer. Tested.
upvoted 3 times
  Hibs2016 1 year, 2 months ago

Agreed!
upvoted 7 times
  itsmchina 7 months ago

Agreed. vnet1 only has tag Department: D1 only because it was created before assigning the policy.
upvoted 6 times
  Acai 7 months ago

I agree as well
upvoted 1 times
  raph90fr 9 months, 3 weeks ago

yes, i think you are right.
upvoted 2 times
  pazza112 Highly Voted  1 year, 2 months ago

Answer is wrong. Tested in MSDN lab in the order set out in the question.
After I created the policy and assigned it to the RG the existing vnet still only had the tag of Department:D1. New vnet had the tag
label:value1 only.
So the answer is Department:D1 only and Label:value1 only
upvoted 76 times
  kavg13 1 year, 2 months ago

Instead of manually applying tags or searching for resources that aren't compliant, you create a policy that automatically applies the
needed tags during deployment. Tags can also now be applied to existing resources with the new Modify effect and a remediation task.
Found in link provided by question. So it would depend if they used the "Modify" option or not.
upvoted 9 times
  N4d114 Most Recent  1 week, 1 day ago

A bit confuse, what I understand is tag are not inherited expect for policy.
The correct answer should be
Vnet1 : Department : D1 only
Vnet2 : label : Value1 Only.
Am I right?
upvoted 1 times
  Marutain 2 weeks, 3 days ago

wouldn't it be: as it said to apply the tag: RGroup: RG6 to RG6
which defines the newly made vmnet 2 as already having the tag RGroup : RG6
because the policy gets made would it also get the tag name and its value since it was just made?
wouldn't it be Vmnet2: Rgroup: RG6 and Label: Value1?
since the actual question is :

To RG6, you apply the tag: RGroup: RG6.
You deploy a virtual network named VNET2 to RG6.
Which tags apply to VNET1 and VNET2? To answer, select the appropriate options in the answer area.
upvoted 2 times

 Aliss28 3 weeks, 6 days ago

This question dumps are very useful, whoever is preparing for Az-104 go through the discussions.
upvoted 4 times
  _punky_ 4 weeks, 1 day ago

Tags that are applied on certain service are mentioned only for the service.
upvoted 1 times

upvoted 4 times

Answer :
upvoted 1 times

The correct answers are
upvoted 2 times

VNET2: - Label: Value1
Tags applied to the resource group or subscription aren't inherited by the resources inside them nor are they applied after the fact. Policy
is only applied to newly created resources which in this example is VNET2 created within the Scope of Subscription 1/RG6. Department: D1
is applied at the Resource level directly to VNET1 and has nothing to do with RG6 itself.
upvoted 2 times

VNET1 - Department: D1 only (Because it was created before assigning the policy)
upvoted 2 times
  bcristella 3 months, 4 weeks ago

In my opinion:
Tag VNET1 - Department: D1 only
Tag VNET2 - Label: Value1 only
upvoted 2 times
  Gumer 4 months ago

I dont understand where is Vnet2 getting its tag assigned since it should not inherited from RG6
upvoted 2 times

The policy which is applied to RG has a default tag assignment mentioned, hence it VNET2 is getting that tag.
upvoted 1 times
  nsknexus478 4 months, 2 weeks ago

There are two types of policies for tags now, Require tag and append tag.
anyways answer for this question is
Box 1: Department: D1 only
Box 2: Label: Value1 only
upvoted 1 times
  ScoutP 4 months, 2 weeks ago

This question was asked on exam taken on Sept 30, 2021
upvoted 2 times
  sniper83 4 months, 3 weeks ago

Correct Answer(Test in my lab)
Vnet1
Department: D1
Vnet2
Label1: Value1
upvoted 2 times

vnet1 : departement D tag only
upvoted 1 times
You have an Azure subscription named AZPT1 that contains the resources shown in the following table:
You create a new Azure subscription named AZPT2.

You need to identify which resources can be moved to AZPT2.
Which resources should you identify?
A. VM1, storage1, VNET1, and VM1Managed only
B. VM1 and VM1Managed only
C. VM1, storage1, VNET1, VM1Managed, and RVAULT1
D. RVAULT1 only
Correct Answer: C
You can move a VM and its associated resources to a different subscription by using the Azure portal.
You can now move an Azure Recovery Service (ASR) Vault to either a new resource group within the current subscription or to a new
subscription.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-resource-group-and-subscription

C (100%)

Correct Answer: C
All of them. Moving a resource only moves it to a new Resource Group or Subscription. It doesn't change the location of the resource.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources#microsoftcompute
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources#microsoftnetwork
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources#microsoftstorage
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources#microsoftrecoveryservices
upvoted 62 times
  JustMe84 Highly Voted  1 year, 2 months ago

Test today (12/10/2020), Passed, answered "C" for this question in exam
upvoted 51 times
  rubas50 4 months, 2 weeks ago

my exam is scheduled tomorrow, did you find all your questions here?
upvoted 1 times
  Fulforce 4 months, 1 week ago

How did you get on with your exam?
upvoted 3 times
  AnguSummer Most Recent  1 week, 6 days ago

had similar question on 05/Feb/22 exam
upvoted 2 times
  deltarj 3 weeks, 3 days ago

ALL! :)
upvoted 1 times
  NiltonCFC 1 month, 2 weeks ago

Selected Answer: C
Correct Answer: C
upvoted 1 times

Correct Answer: C
upvoted 1 times
  Omar_Aladdin 5 months ago

kind reminder
a Resource that cannot be removed is Azure Disks,
Even though it is moved as part of Azure VMs
Ref:
https://docs.microsoft.com/en-us/azure/resource-mover/common-questions#can-i-move-disks-across-regions
upvoted 4 times
  ERV 5 months, 1 week ago

Correct C
upvoted 1 times

correct answer C
upvoted 1 times

The provided answer is Correct!
upvoted 1 times
  ahos 7 months, 1 week ago

Is this still a valid answer in the exam?
upvoted 1 times
  valente_sven1 7 months ago

Yes, why not?
upvoted 1 times

upvoted 5 times

C correct
upvoted 1 times
  sidharthwader 10 months ago

Correct answer. But if its moving the region of the resource then i think azure vault could not be moved. Similarly few more resource's
region cant be changed
upvoted 5 times

Moving Recovery Services vaults for Azure Backup across Azure regions isn't supported.
In Recovery Services vaults for Azure Site Recovery, you can disable and recreate the vault in the target region.
upvoted 1 times
  shnz03 8 months, 1 week ago

Good one! Thank you.
upvoted 1 times
  ddb116 10 months, 3 weeks ago

C is correct as long as we assume they are in the same tenant.
https://docs.microsoft.com/en-us/azure/backup/backup-azure-move-recovery-services-vault?toc=/azure/azure-resource-manager/toc.json
upvoted 2 times
  jam7272 11 months ago

If you are not sure about Recovery Services Vaults - https://docs.microsoft.com/en-us/azure/backup/backup-azure-move-recovery-
services-vault?toc=/azure/azure-resource-manager/toc.json - you can move them.
upvoted 3 times
  ms70743 11 months, 1 week ago

C is correct
upvoted 2 times
You recently created a new Azure subscription that contains a user named Admin1.
Admin1 attempts to deploy an Azure Marketplace resource by using an Azure Resource Manager template. Admin1 deploys the template by using
Azure
PowerShell and receives the following error message: Ùser failed validation to purchase resources. Error message: `Legal terms have not been
accepted for this item on this subscription. To accept legal terms, please go to the Azure portal (http://go.microsoft.com/fwlink/?LinkId=534873)
and configure programmatic deployment for the Marketplace item or create it there for the first time.`
You need to ensure that Admin1 can deploy the Marketplace resource successfully.
What should you do?
A. From Azure PowerShell, run the Set-AzApiManagementSubscription cmdlet
B. From the Azure portal, register the Microsoft.Marketplace resource provider
C. From Azure PowerShell, run the Set-AzMarketplaceTerms cmdlet
D. From the Azure portal, assign the Billing administrator role to Admin1
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/powershell/module/az.marketplaceordering/set-azmarketplaceterms?view=azps-4.1.0

C (100%)

Correct Answer: C
Set-AzMarketplaceTerms -Publisher <String> -Product <String> -Name <String> [-Accept] [-Terms <PSAgreementTerms>] [-DefaultProfile
<IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
Reference:
https://docs.microsoft.com/en-us/powershell/module/Az.MarketplaceOrdering/Set-AzMarketplaceTerms?view=azps-4.6.0
upvoted 85 times
  lingxian 8 months, 1 week ago

I found mlantonis's answers are the most credible.
upvoted 25 times
  xclusivetp3 Highly Voted  1 year, 6 months ago

answer is correct
upvoted 26 times
  Marski Most Recent  3 weeks, 1 day ago

There is the best MS docs how-to-do there. All MS docs should be like this, copy-paste the graphical printscreen shots MS ! Thanks. YEAH.
upvoted 2 times

Again another question/topic NOT covered in Microsoft instructor-led Az-104 course!!! I can't believe that money got spent TWICE (I went
twice to make sure that I understood everything) on that course just to see question not even covered in the online course!!!! Freakin'
annoying!!! And then they have the audacity of saying to not visit "Brain dumps"...
upvoted 3 times
  StaxJaxson 1 week, 3 days ago

You will never get enough preparation from UDEMY, or Microsoft ILT, or Whizlabs. They are a joke compared to the real exam.
upvoted 1 times
  DeepMoon 3 weeks ago

Mozbius Stop complaining. Course only have 40 hours. Exam covers the whole domain. There is no book or course that covers
everything.
upvoted 2 times
  yanhongtest 1 month, 2 weeks ago

Selected Answer: C
C is correct
upvoted 1 times

C is correct
upvoted 1 times

Ans : C
upvoted 1 times

Correct answer: C
Set-AzMarketplaceTerms
Accept or reject terms for a given publisher id(Publisher), offer id(Product) and plan id(Name). Please use Get-AzMarketplaceTerms to get
the agreement terms.
upvoted 2 times

C seems correct
upvoted 1 times
  AubinBakana 6 months, 1 week ago

I have been doing the Azure Learn course and many of these questions are not even covered there. I am glad I took the time to go
through these questions. The answer is correct.
upvoted 7 times

agree C
upvoted 1 times

upvoted 1 times

Right away the billing administrator is not correct as the question mentions powershell so you are left with 3 choices. It doesn't mention
API so again that one appears to be wrong too.
Leaving just 2 choices B & C. again it is mentioning Powershell so answer B mentions the azure portal which is no powershell. So that
leaves C because it does indeed mention powershell and mentions Marketplace which is used in the question too.
upvoted 10 times
  subhadeep_sen 5 months, 4 weeks ago

thanks
upvoted 1 times
  NigHtHunter2000 7 months ago

Lol. This kind of answering is best when you are facing it in the exam but here i dont think its suitable becaz we want to know the
process.
upvoted 6 times

Haha! exactly what I was think :)
upvoted 1 times

C is correct
upvoted 1 times

C. Set-AzMarketplaceTerms
upvoted 2 times

Answer C is correct
upvoted 1 times

Answer is correct
upvoted 2 times
You have an Azure Active Directory (Azure AD) tenant that contains 5,000 user accounts.
You create a new user account named AdminUser1.
You need to assign the User administrator administrative role to AdminUser1.
What should you do from the user account properties?
A. From the Licenses blade, assign a new license
B. From the Directory role blade, modify the directory role
C. From the Groups blade, invite the user account to a new group
Correct Answer: B
Assign a role to a user -
1. Sign in to the Azure portal with an account that's a global admin or privileged role admin for the directory.
2. Select Azure Active Directory, select Users, and then select a specific user from the list.
3. For the selected user, select Directory role, select Add role, and then pick the appropriate admin roles from the Directory roles list, such as
Conditional access administrator.
4. Press Select to save.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal
  dan7777 Highly Voted  1 year, 7 months ago

This is the correct answer( select Active directory --> Users--> select the username --> Assigned roles --> click on +add Assignments -->
select User administrator role
upvoted 53 times

Correct Answer: B
Active Directory -> Manage Section -> Roles and administrators-> Search for Admin and assign a user to it.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal
upvoted 47 times
  ik96 5 months ago

B is correct.
upvoted 3 times
  hm67 Most Recent  1 day, 2 hours ago

got this one in exam
upvoted 1 times
  Marski 3 weeks, 1 day ago

There is the best MS docs how-to-do there. All MS docs should be like this, copy-paste the graphical printscreen shots MS ! Thanks. YEAH.
upvoted 1 times

upvoted 2 times

Ans : B
From directory role blade, modify the directory role
upvoted 2 times

Was on exam today 19.11.2021
Correct answer: B
upvoted 4 times

Tested the flow Active Directory -> Users -> pick a user -> Assigned Roles -> Add Assignments -> pick User Administrator role and it is
working as designed.
upvoted 1 times
  bornonthird 4 months, 3 weeks ago

B is correct
upvoted 1 times
  RazanT 6 months ago

this was in test 8/15/21
upvoted 2 times

agrees, B
upvoted 1 times

answer is B.the question was on Jul 23, 2021 exam
upvoted 3 times
  drexciya28 7 months, 2 weeks ago

The formulation of the answers is confusing. Under User Properties, there's the Assigned roles blade, and that's the option to use, there
you can assign both Azure AD as well as regular RBAC roles.
upvoted 3 times
  Shiven12 7 months, 3 weeks ago

This question came in the exam on 29/6/2021 - Passed the exam
upvoted 2 times

B is correct
upvoted 1 times

From the Directory role blade, modify the directory role
B is correct
upvoted 2 times

B is correct
upvoted 2 times
You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains 100 user accounts.
You purchase 10 Azure AD Premium P2 licenses for the tenant.
You need to ensure that 10 users can use all the Azure AD Premium features.
What should you do?
A. From the Licenses blade of Azure AD, assign a license
B. From the Groups blade of each user, invite the users to a group
C. From the Azure AD domain, add an enterprise application
D. From the Directory role blade of each user, modify the directory role
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/license-users-groups

Correct Answer: A
Active Directory-> Manage Section > Choose Licenses -> All Products -> Select Azure Active Directory Premium P2 -> Then assign a user to
it.
Reference:
upvoted 69 times
  sreekan 6 months, 2 weeks ago

yes its true!!! apart from this we need to add location of User also
upvoted 6 times
  zyta Highly Voted  1 year, 6 months ago

that's true - licences need to be assigned
upvoted 46 times
  kentarn 1 year, 6 months ago

That answer made me lol
upvoted 13 times
  timmytimtimo Most Recent  1 month ago

A is correct
upvoted 1 times

Ans : A
License blade
upvoted 1 times

Correct Answer: A
Perhaps better wording for Answer A might be: On the Assign page, select Users and groups, and
then search for and select the user you're assigning the license.
Reference:
upvoted 2 times
  JeanK 3 months, 2 weeks ago

You can also create a group then assign this group a license, create a dynamic rule to move this users automatically and therefore inherit
the P2 license, though A is correct, going more techincal and experienced it could be B.
upvoted 4 times
  Naig 6 months ago

correct A
upvoted 3 times
  mspositivityy 6 months ago

On 8/19 exam
upvoted 1 times

Sweet. I would create a group and add all the 10 users then apply the license to the group for management. Answer A is correct
upvoted 1 times
  MD9 6 months, 1 week ago

that correct - need to assign license
upvoted 1 times

agree A
upvoted 1 times
  SeanOGD 6 months, 3 weeks ago

This question is stupidly formed.
Isn't best practise RBAC and therefore licences and access should be assigned to roles or groups of which users become a member via
dynamic membership rules?
So why would you assign 'a' (as in one) license via the license tab?
You assign the licenses to a group to which you need to add the required members.
None of the answers are actually 100% correct.
upvoted 3 times

B is like invite user to a group...and then what? haha

upvoted 2 times

The answer is without doubt and quite obvious is option A.
Licence is the only way the features will be available for user.
upvoted 1 times
  Abhi1984 8 months, 3 weeks ago

A is correct
upvoted 1 times

A is correct
upvoted 1 times

A. Licence need to be assigned
upvoted 1 times
You have an Azure subscription named Subscription1 and an on-premises deployment of Microsoft System Center Service Manager.
Subscription1 contains a virtual machine named VM1.
You need to ensure that an alert is set in Service Manager when the amount of available memory on VM1 is below 10 percent.
A. Create an automation runbook
B. Deploy a function app
C. Deploy the IT Service Management Connector (ITSM)
D. Create a notification
Correct Answer: C
The IT Service Management Connector (ITSMC) allows you to connect Azure and a supported IT Service Management (ITSM) product/service,
such as the
Microsoft System Center Service Manager.
With ITSMC, you can create work items in ITSM tool, based on your Azure alerts (metric alerts, Activity Log alerts and Log Analytics alerts).
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/itsmc-overview

C (100%)

Correct Answer: C
IT Service Management Connector (ITSMC) allows you to connect Azure to a supported IT Service Management (ITSM) product or service.
Azure services like Azure Log Analytics and Azure Monitor provide tools to detect, analyze, and troubleshoot problems with your Azure and
non-Azure resources. But the work items related to an issue typically reside in an ITSM product or service. ITSMC provides a bi-directional
connection between Azure and ITSM tools to help you resolve issues faster. ITSMC supports connections with the following ITSM tools:
ServiceNow, System Center Service Manager, Provance, Cherwell.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/itsmc-overview
upvoted 55 times
  OmegaGeneral Highly Voted  1 year, 6 months ago

Correct, you can use the connector to bridge them together
upvoted 25 times

Agreed. But interesting to reflect why the rest is wrong.
A and B are technically possible too, but the question is what to do *first*. In both cases you'd need to create a trigger first (runbooks
and function apps don't run by themselves) eg. with a rule and webhook.
D is fairly obviously nonsense, that won't do anything to get you to Service Manager.
upvoted 5 times
  d0bermannn 1 month ago

hi! for a&b as asways ms need the simplest way to go, technically a&b may be implemented
upvoted 1 times
  H3adcap Most Recent  11 hours, 1 minute ago

upvoted 1 times

had this question on 05/Feb/22 exam ITSC as correct answer
upvoted 1 times

had this question on 05/Feb/22 exam ITMC as correct answer
upvoted 1 times
  pappkarcsiii 3 weeks, 2 days ago

Selected Answer: C
ITSMC is the goog answ
upvoted 1 times

Not covered in paid for January 2022 Microsoft Instructor-led training for az-104 exam. What is covered though is Azure Monitor (through
"Logs Analytics"). The more I go through those questions the more I get disappointed by Microsoft own training for az-104 certification
and the more I understand that Microsoft paid courses are not enough to be actually ready for the exam unless you ace everything
covered during the training which would likely get you just about passing grades.
upvoted 1 times
  atilla 1 month ago

The more you study, the more you are doubting...because there are >1 roads to Rome
upvoted 1 times

Ans : C
ITSM connector helps here
upvoted 1 times

In exam 16/10/21
upvoted 4 times

Took the exam today, 17 Oct. This question came out. Ans: C
upvoted 3 times

Passed today with 947. This question appeared, correct Answer is C
upvoted 4 times
  iamnivas 4 months, 1 week ago

Are these questions still relevant as exam changed recently?
upvoted 1 times
  Insanewhip 4 months, 1 week ago

Yes they are, there was a very minor change to the exam
upvoted 1 times
  perrito_css 5 months, 1 week ago

exam 10/09/21
upvoted 3 times
  Ashokkumarvnt 5 months, 1 week ago

correct Answer
upvoted 1 times

In Exam 21/08/2021
upvoted 2 times

I noted that the ITSM has 2 stars. Anybody else has experience using it in the real environment? What are the problems you might have
encountered. Thank you
upvoted 1 times

agree C
upvoted 1 times

The provided answer is correct, however, I think this link provides a better clarification.
https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/itsmc-definition
upvoted 1 times
You sign up for Azure Active Directory (Azure AD) Premium P2.
You need to add a user named [email protected] as an administrator on all the computers that will be joined to the Azure AD domain.
What should you configure in Azure AD?
A. Device settings from the Devices blade
B. Providers from the MFA Server blade
C. User settings from the Users blade
D. General settings from the Groups blade
Correct Answer: A
When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principles to the local
administrators group on the device:
✑ The Azure AD global administrator role
✑ The Azure AD device administrator role
✑ The user performing the Azure AD join
In the Azure portal, you can manage the device administrator role on the Devices page. To open the Devices page:
1. Sign in to your Azure portal as a global administrator or device administrator.
2. On the left navbar, click Azure Active Directory.
3. In the Manage section, click Devices.
4. On the Devices page, click Device settings.
5. To modify the device administrator role, configure Additional local administrators on Azure AD joined devices.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin
  prashantjoge Highly Voted  1 year, 2 months ago

I studied from Microsoft learn for az-104. So far all the questions look alien to me. Dont know the answer to most of them. I wonder if its
the same with others. They say that you shouldn't use dumps. But It seems like dumps is the only way to go, if they make the exams so
tough
upvoted 163 times
  barry08 4 months ago

Right? I got such a shock when reading these questions. I had done video course and all labs twice on udemy, then read MS learn, then
whizlabs practice tests feeling like i was prepared and now feel like i know hardly anything, its crazy.
upvoted 17 times

you're not alone, this is what we all have to go through. I had the same shock first time I took an exam (AZ-900), but cleared it in the
end. Did two more exams OK. Tip for you or anyone else studying:
- go through Microsoft Learn and do the exercises. It may not help to answer the questions directly, but it's a true pain to memorize
dumps without any hands on to relate to
- contrary to what you read here, the exact questions are 80% different from the dumps. No point memorizing the right answer
anyway. BUT, the exams are similar, and mix and match the same topics so it is hyper important to run through dumps to get used to
the format.
- it is *critical* to understand why one answer is correct -in other words, make sure you understand why the rest is wrong *in this
particular case*. In the exam they might change the question a bit and all of a sudden another alternative is correct.
upvoted 9 times
  aelmsieh 1 month, 2 weeks ago

same for me
upvoted 1 times
  VeiN 3 months, 3 weeks ago

It depends on your purpose. If you want to only pass exam - first read dumps and study those questions as independend topics but
probably you wont get much more than a pass from it but you`ll be ready in 1-2 weeks.
If you want to get most of it first get some basic knowledge to get around the topics, then read dumps to see on what to focus on ,
write the problematic questions and then go deep into reading, watching and DOING LABS. Overall you`ll get that you need to study
independend questions but you`ll remember much more than just few cut from reality questions but it can take 4-8 weeks depending
on the complexity of labs.
Also to ppl who are new to those type of questions - you need to get familiar with the syntax first. mostly 75% of question text can be
skipped. Please don`t compare it to AZ-900- I`ve got around 850+ just by reading MS materials and doing dumps few times, the whole
study took me 4-5 days.
upvoted 3 times

Correct Answer: A
When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principles to the local
✑ The Azure AD global administrator role
✑ The Azure AD device administrator role
✑ The user performing the Azure AD join
In the Azure portal, you can manage the device administrator role on the Devices page. To open the Devices page:
1. Sign in to your Azure portal as a global administrator or device administrator.
2. On the left navbar, click Azure Active Directory.
3. In the Manage section, click Devices.
4. On the Devices page, click Device settings.
5. To modify the device administrator role, configure Additional local administrators on Azure AD joined devices.
Reference:
upvoted 80 times
  Gde360 7 months ago

Good to know the steps.
However, please be aware that the option of "Additional local administrators on Azure AD joined devices." requires an Azure AD
Premium tenant.
upvoted 2 times
  Cervezerg Most Recent  1 week ago

you are right. Vote A by the way
upvoted 1 times
  abbas19 3 weeks ago

Note: This option requires an Azure AD Premium tenant.
upvoted 1 times

I went to user in AAD, and then assigned roles from left, and there it is, why not C ?
upvoted 1 times
  niberlungen 3 weeks, 4 days ago

I agree. The question is to add a user as administrator on all the computers that WILL be joined to the AAD domain. If a user is device
administrator, it's added as local administrator to all AAD joined devices. If 'A' is correct, how can you edit a device that doesn't exist yet?
upvoted 1 times
  AZJPK 2 months, 1 week ago

I have gone through UDEMY course most things covered there except Azure AD part is few
upvoted 1 times

AAD > Devices > Device settings > Manage Additional local administrator on all AAD Joined devices.
upvoted 1 times
  rob3rrt 3 months, 2 weeks ago

Correct answer. You can find the answer also on MD-101 materials
upvoted 1 times

Took the exam today, 17 Oct. This question came out. Ans: A
upvoted 2 times
  afathy 5 months, 2 weeks ago

Correct, From AZ AD > Devices > Device settings > chose selected > then add member that will be administrator of all the machines also
members allowed to join devices
upvoted 3 times

For some odd reasons, I initially thought it was Users' settings. Of course, it's device settings.
upvoted 1 times

agree A
upvoted 2 times
  villanz 7 months, 3 weeks ago

Can Anyone tell me do we have live lab sessions?

upvoted 3 times

https://microsoftlearning.github.io/AZ-104-MicrosoftAzureAdministrator/
Note: You'll need to have an Azure subscription, if this is your 1st time you can try the free trial with a Microsoft acc
upvoted 1 times

upvoted 4 times

I couldn't see this option in device settings blade now. probably it's moved to some other place although the docs have the screenshot
with this option.
upvoted 2 times
  alisyech 8 months ago

A is correct answer
upvoted 1 times
  londonboy 11 months, 1 week ago

A is correct. Just tried it!
upvoted 1 times

A is correct. Device settings from the devices blade
upvoted 1 times
HOTSPOT -
You have Azure Active Directory tenant named Contoso.com that includes following users:
Contoso.com includes following Windows 10 devices:
You create following security groups in Contoso.com:
Hot Area:
Correct Answer:
Box 1: Yes -
User1 is a Cloud Device Administrator.
Device2 is Azure AD joined.
Group1 has the assigned to join type. User1 is the owner of Group1.
Note: Assigned groups - Manually add users or devices into a static group.
Azure AD joined or hybrid Azure AD joined devices utilize an organizational account in Azure AD
Box 2: No -
User2 is a User Administrator.
Device1 is Azure AD registered.
Group1 has the assigned join type, and the owner is User1.
Note: Azure AD registered devices utilize an account managed by the end user, this account is either a Microsoft account or another locally
managed credential.
Box 3: Yes -
User2 is a User Administrator.
Device2 is Azure AD joined.
Group2 has the Dynamic Device join type, and the owner is User2.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/overview
  OmarMac Highly Voted  1 year, 2 months ago

This is totally wrong. If both groups are owned by user2 then user1 cannot add device2 to group1. User1 can only delete, disable, & enable
devices. User2 is able to create/delete and add/remove group membership. Dynamic Device: Administrators create dynamic group rules to
automatically add and remove devices.
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#cloud-device-administrator-permissions
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator-permissions
https://docs.microsoft.com/en-us/mem/intune/fundamentals/groups-add
Owner of all groups - User2
User1 can add Device2 to Group1 - No

User2 can add Device1 to Group1 - Yes
Owner of groups - User1 (Group1) & User2 (Group2)

upvoted 172 times

OmarMac is correct.
* Cloud Device Administrator doesn't give the permission to add to groups UNLESS that user is also an owner
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#cloud-device-administrator
*User Administrator can create and manage all groups.

https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator
* Group owner can manage group membership of his owned group.

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions
* Group Dynamic assignment dont allow manual removal/addition

https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership
upvoted 4 times

The answer is correct:
t's No, Yes, No.
Although User2 owns the group, he is not allowed to add a registered device because that device is linked to an account that is not part
of the directory. The device is not joined, it is registered. To add that device he'd need access to the user account with which the Device
is registered.
upvoted 4 times

Please delete the above comment. I meant Yes, No, Yes
upvoted 3 times
  juniorccs 6 months, 3 weeks ago

Thanks for this
upvoted 2 times
  ph4nt0m01 8 months, 3 weeks ago

This answer is correct.
Adding additional notes that Cloud Administrator cannot add devices to groups, unless Cloud Administrator has additional permissions
through other groups or Cloud Administrator is owner of the group.
Here is what Cloud Admin can do:

- Read all properties on audit logs, including privileged properties
- Read bitlocker metadata and key on devices
- Delete devices from Azure AD
- Disable devices in Azure AD
- Enable devices in Azure AD

- Read standard properties on device management application policies
- Update basic properties on device management application policies
- Read standard properties on device registration policies
- Update basic properties on device registration policies
- Read all properties on sign-in reports, including privileged properties
- Read and configure Azure Service Health
- Read and configure Service Health in the Microsoft 365 admin center
- Read all properties on audit logs, including privileged properties
upvoted 8 times
  ph4nt0m01 8 months, 3 weeks ago

I meant OmarMac's answer is correct.
upvoted 7 times
  Giannis8 Highly Voted  1 year, 2 months ago

Correct answer is:
No (Cloud administrators can manage devices, not group membership)
Yes (User administrators can manage all aspects of security groups)
No (Dynamic membership)
Tested in lab
upvoted 90 times
  rgullini 11 months, 1 week ago

I trust this one just because you say "Tested" in lab.
upvoted 10 times
  yoelalan14 1 year, 1 month ago

If we consider that 'User 2' is the owner of Group 1, then your answer is correct; but on the explanation, it clearly states that 'User 1' is
the owner of Group 1, hence, "User 1 CAN add a device to Group 1"
upvoted 3 times

I see what the explanation says but how in the world can user1 be the owner of anything when the table clearly states that User2 is
owner of Group1 & Group2 ?!?! Care to explain?
upvoted 1 times
  kantzy 1 year, 1 month ago

I agree with this answer.
upvoted 1 times
  aaa112 1 year, 2 months ago

User1 (cloud device admin) can add DEVICE2 (it's a device) to Group1, hence it's YES
upvoted 2 times
  Az_dasappan Most Recent  1 week, 3 days ago

User2 can add Device2 to Group2 – yes . because -Owners of dynamic groups must have a global administrator, group administrator,
Intune administrator, or user administrator role to edit group membership rules .user2 is the owner of group2 and also assigned " user
administrator" role, which means user2 can modify the rule and add device2 if required
upvoted 2 times

Answers are No, Yes, No. Regarding dynamic device group (Question 3), you can't manually add a device to a dynamic group. See
https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership
upvoted 2 times
  263Jongaldo 1 month, 1 week ago

N
Y
N
Cloud Device Administrator
Users in this role can enable, disable, and delete devices in Azure AD and read Windows 10. The role does not grant permissions to
manage any other properties on the device.
upvoted 1 times
  edengoforit 1 month, 2 weeks ago

The answer is Y/Y/N. The same question appears in Whizlabs.
upvoted 1 times

This question is deserve to be discussed more in details: (Tested in LAB)
Solution 1: if User2 is owner of both groups
Answers: NO, YES, NO
Solution 2: if owners are (User1=Group1) & (User2=group2)
Answers: YES, YES, NO
User 2 (User administrator) can update the membership of both the groups, regardless of whether he is owner of the group or not
because User administrator role has the permission to update group membership. He can add users, devices, other groups to any group
in Azure AD. Below is the permission that user administrator role has:
microsoft.directory/groups/members/update - Update groups.members property in Azure Active Directory.
On the other hand User1 (Cloud Device administrator) can add members to only Group1 as he is the owner of that group and he can add
users, devices and other groups only to Group1.
upvoted 1 times

How is user1 owner of any group when the table shows that user2 is owner of group1 & group2?
upvoted 1 times

NO
YES
NO
upvoted 1 times

upvoted 4 times

Correct Answer:
Box 1: No Cloud administrators can manage devices, not group membership. Group1 is also an Assigned Group.
Box 2: Yes User administrators can manage all aspects of Security Groups. Group1 is also an Assigned Group.
Box 3: No Dynamic membership. You cannot add Members to Dynamic Groups. Group 2 is a Dynamic Group, so you cannot add devices or
users to dynamic groups. Dynamic groups can only add members by a defined rule.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference https://docs.microsoft.com/en-
us/azure/active-directory/enterprise-users/groups-dynamic-membership
upvoted 1 times

1) Users in this role (Cloud device admin) can enable, disable, and delete devices in Azure AD and read Windows 10 BitLocker keys (if
present) in the Azure portal. The role does not grant permissions to manage any other properties on the device. User1 is not a group
owner so NO
2) User2 owns Group1, so they can add a device manually = YES
3) User2 owns Group2, however this is a dynamic group and the group rules must match device2. As such, the device cannot be added
manually = NO (the option does not mention User2 modifying the group rules).
NO
YES
NO
This is a trick question - the use of "device manager" in the situation descrition is to test to see if you understand what that role can do.
User2 being a user admin is also designed to trick you.
upvoted 10 times
  Johnpower 3 months, 2 weeks ago

A) cloud administrator is not able to add devices in groups generally
B) user 2 is a user administrator this means that can manage user and group. That means that is able to add any device in every assigned
group either is owner or not.
C) neither global admin can add devices in dynamic group cause it is dynamic …. :)
upvoted 5 times
  Eltooth 4 months ago

No Yes No.
upvoted 2 times

upvoted 3 times

so what was the correct answer?
upvoted 4 times
  miskosvk80 23 hours, 52 minutes ago

I don't understand these types of questions. The exam does not give you correct answers.
upvoted 1 times

NO YES NO IS SUPER CORRECT FOR THIS CASE.
upvoted 1 times

No, Yes, No
upvoted 2 times
  Michael_ATB 4 months, 3 weeks ago

Answer:
No
Yes
No
upvoted 1 times
You have an Azure subscription that contains a resource group named RG26.
RG26 is set to the West Europe location and is used to create temporary resources for a project. RG26 contains the resources shown in the
following table.
SQLDB01 is backed up to RGV1.

When the project is complete, you attempt to delete RG26 from the Azure portal. The deletion fails.
You need to delete RG26.
A. Delete VM1
B. Stop VM1
C. Stop the backup of SQLDB01
D. Delete sa001
Correct Answer: C

C (100%)
  chrisNC Highly Voted  7 months, 2 weeks ago

Took my exam a few days ago and passed with a 925. All but about 4 or 5 question are covered in these dumps. Always check the
discussion for best answer.
upvoted 29 times
  karan3090 6 months, 2 weeks ago

hey ChrisNC...what percentage of questions we can expect from these dumps....70, 80 % plz confirm. It will be really helpful
upvoted 1 times

Thanks for that, I'll take the exam on 31st August, I hope the questions remain the same
upvoted 1 times
  AlooyDaBoss 5 months, 1 week ago

my exam is soon and Im studying from this dump, how's ur exam went? many questions were from the dumps?
upvoted 1 times

I do that time too
upvoted 1 times
  Vjabhishek 6 months, 3 weeks ago

Hey all the questions came from dump? if not what percentage we can expect it to be come from these dumps?
upvoted 1 times
  achmadirvanp Highly Voted  7 months, 3 weeks ago

upvoted 9 times
  Az_dasappan Most Recent  1 week, 3 days ago

Owners of dynamic groups must have a global administrator, group administrator, Intune administrator, or user administrator role to edit
group membership rules
user2 is the owner of group2 and also assigned " user administrator" role, which means user2 can modify the rule and add device2 if
required
upvoted 1 times

This answer is for another question
upvoted 1 times
  Neftali 2 weeks ago

Selected Answer: C
C - Correct answer
upvoted 1 times
  drae2210 3 weeks, 4 days ago

The name of the resource is SQLD01, not SQLDB01. Does that not affect the answer to this question? Could it just be a typo?
upvoted 1 times
  FTAZIT 1 month ago

Stop the SQL backup, delete the backup data, delete the soft delete backup date then the vault can be deleted
upvoted 2 times

Interesting how one can delete a VM - and it's disks - whilst a backup is running.
upvoted 1 times

upvoted 2 times

upvoted 3 times
  kashi1983 5 months, 3 weeks ago

Answer is C
upvoted 2 times

upvoted 4 times
  eduhazard 7 months ago

C - answer is correct
upvoted 1 times

Answer is correct - C
Ref # https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault
upvoted 8 times
  villanz 7 months, 3 weeks ago

Yes correct - c
upvoted 1 times

C is correct
upvoted 2 times
  ahatem 7 months, 3 weeks ago

answer is correct
upvoted 1 times
You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1.
Subscription1 has a user named User1. User1 has the following roles:
✑ Reader
✑ Security Admin
✑ Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users.
What should you do?
A. Remove User1 from the Security Reader and Reader roles for Subscription1.
B. Assign User1 the User Access Administrator role for VNet1.
C. Assign User1 the Network Contributor role for VNet1.
D. Assign User1 the Network Contributor role for RG1.
Correct Answer: B
Has full access to all resources including the right to delegate access to others.
Note:
There are several versions of this question in the exam. The question can have other incorrect answer options, including the following:
1. Name Server (NS)
2. Assign User1 the Contributor role for VNet1.
3. Remove User1 from the Security Reader and Reader roles for Subscription1. Assign User1 the Contributor role for Subscription1.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/overview

B (100%)
  js_indore Highly Voted  4 months, 3 weeks ago

agree, its B
upvoted 8 times

got this one, answer is B
upvoted 2 times
  Rockstar_97 1 day, 6 hours ago

Selected Answer: B
B is correct
upvoted 1 times
  PeterHu 2 days, 21 hours ago

B is correct
upvoted 1 times

Tested in lab, answer is correct.
upvoted 1 times

Selected Answer: B
Agree. it is B
upvoted 1 times
  estornudo 1 month, 4 weeks ago

Selected Answer: B
It is B
upvoted 1 times
  Prano 2 months ago

Ans : B
upvoted 1 times
  Zubaer 2 months, 3 weeks ago

Selected Answer: B
Correct answer is B.
upvoted 1 times

answer is B is correct
upvoted 1 times
  RbWaraich 3 months, 1 week ago

B is correct answer
upvoted 1 times
  benit 3 months, 3 weeks ago

why C is incorrect, as least privilege?
upvoted 2 times
  GD01 3 months, 3 weeks ago

Network Contributor role lets you manage networks, but not access to them.
Ref: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#network-contributor
upvoted 4 times
  jessemac 3 months, 3 weeks ago

contributor manage resources, user admin manage role policy
upvoted 2 times

becouse it doeesn`t give abiliti to give authorization to other users:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#network-contributor
while UAA gives: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#user-access-administrator
upvoted 1 times

This answer is correct.
upvoted 2 times

Answer is correct.
upvoted 2 times
You have an Azure Active Directory (Azure AD) tenant named contosocloud.onmicrosoft.com.
Your company has a public DNS zone for contoso.com.
You add contoso.com as a custom domain name to Azure AD.
You need to ensure that Azure can verify the domain name.
Which type of DNS record should you create?
A. MX
B. NSEC
C. PTR
D. RRSIG
Correct Answer: A
To verify your custom domain name (example)
1. Sign in to the Azure portal using a Global administrator account for the directory.
2. Select Azure Active Directory, and then select Custom domain names.
3. On the Fabrikam - Custom domain names page, select the custom domain name, Contoso.
4. On the Contoso page, select Verify to make sure your custom domain is properly registered and is valid for Azure AD. Use either the TXT or
the MX record type.
Note:
There are several versions of this question in the exam. The question can have two correct answers:
1. MX
2. TXT
The question can also have other incorrect answer options, including the following:
1. SRV
2. NSEC3
Reference:
https://docs.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain
  ms70743 Highly Voted  1 year, 1 month ago

TXT and MX are valid answers.
upvoted 47 times
  sidharthwader Highly Voted  9 months, 3 weeks ago

So guys i will try to give an expiation to this question.
When you add a custom domain in azure u are not allowed to use that unless u prove its your domain.So once u add the custom domain
name azure asks u to verify and you have to provide some inputs to verify that its your these inputs can be provided in TXT or MX. So its
MX in this case
upvoted 29 times
  e_karma 2 months, 3 weeks ago

I didn't know mx was there usually it is txt record ..thanks for this
upvoted 1 times
  JayBee65 8 months, 1 week ago

Thank you - the process is covered here where you can see either TXT or MX can be chosen: https://docs.microsoft.com/en-
us/azure/active-directory/fundamentals/add-custom-domain
upvoted 8 times
  Lamini 3 months, 2 weeks ago

Hopefully they update the reference; its not valid. The reference above by JayBee65 is correct as there is no mention of MX in current
reference.
upvoted 1 times
  Balram7 9 months ago

Thank you
upvoted 1 times
  GiJoe1987 Most Recent  1 month ago

This should 100% be just a txt record - MX is solely for mail flow
upvoted 1 times
  AZ_Guru_Wannabe 6 days, 5 hours ago

MX OR TXT WORKS
upvoted 1 times
  SegaUSMC 1 month ago

On number three what is "Fabrikam"?
upvoted 1 times

A "MX" is the correct answers. However TXT and MX can be both correct answers if they are mentioned in the options.
upvoted 1 times

imagine if you used MX. would choose TXT over MX first. though this depends on the scenario.
upvoted 1 times

mx is a mail exchange record for registering different domains
upvoted 1 times

Once you added your Unverified Domain (According to Azure) you need to create a TXT or MX Record to Configure DNS then you copy all
the information provided and Add your DNS Information to the Domain Registrar, Generally It takes an hour to verify domain Status, you
can go ahead in the Custom Domain Names Setting and click verify and Information will be refreshed once its Verified.
upvoted 1 times

TXT - TXT Records is a type of Domain Name System that contains Text Information for Sources outside of your Domain. Generally
Companies uses it to verify Custom Domain Ownership
MX - Mail Exchanger Record specifies the Mail Server responsible for email messages on behalf of Domain Name.
upvoted 4 times
  CARIOCA 8 months, 3 weeks ago

Will the variations of these questions always fall into the TXT or MX options, or is there any variation of the question that the answer goes
to both options or between the two, will any prevail in the final answer?
In this specific debate, the answer is MX and does not even have the TXT option in the answer, so it is correct.
upvoted 2 times
  mlantonis 9 months, 1 week ago

Correct Answer: A
TXT and MX can be both correct answers.

upvoted 23 times
  Kmesa 9 months, 1 week ago

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain
upvoted 2 times

Mx is correct answer
upvoted 2 times
  nikhilmehra 9 months, 4 weeks ago

TXT in exam list
upvoted 5 times
  shnz03 8 months, 2 weeks ago

Good one! Thanks
upvoted 1 times
  farhad090 10 months ago

In the exam there is not any answer with MX record.
upvoted 1 times

It should be TXT record in dns.
upvoted 1 times

TXT or MX . In this answer list it's MX
upvoted 3 times
  I 12 months ago
The answer is correct. And here is the right reference:

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain#add-your-custom-domain-name-to-azure-ad
upvoted 3 times
You have an Azure Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named
Developers.
Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Subscription1, you assign the DevTest Labs User role to the Developers group.
Does this meet the goal?
A. Yes
B. No
Correct Answer: B
DevTest Labs User role only lets you connect, start, restart, and shutdown virtual machines in your Azure DevTest Labs.
The Logic App Contributor role lets you manage logic app, but not access to them. It provides access to view, edit, and update a logic app.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles https://docs.microsoft.com/en-us/azure/logic-apps/logic-
apps-securing-a-logic-app

B (100%)

Correct Answer: B
The Azure DevTest Labs is a role used for Azure DevTest Labs, not for Logic Apps.
Reference:
https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#devtest-labs-user
upvoted 29 times
  Lilyli 8 months, 1 week ago

What does "let you manage logic app ,but not access to them" mean? if you can manage them ,why can't you access to them?
upvoted 4 times
  asd1234asd Highly Voted  1 year, 3 months ago

Clearly No, Azure DevTest Labs is a service that has nothing to do with Logic App
upvoted 19 times
  chaudha4 9 months, 1 week ago

Trick question. Too much use of "dev" keyword to trick people into thinking that somehow DevTest Labs is related to all these "dev"
resources !!
upvoted 7 times

upvoted 1 times
  Casperkz 1 month, 3 weeks ago

Selected Answer: B
The Azure DevTest Labs is a role used for Azure DevTest Labs, not for Logic Apps.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#devtest-labs-user
upvoted 1 times
  Plextor 2 months ago

On exam Today 17 Dec 21
upvoted 4 times

Ans : B
Azure DevTest Labs is a role used for Azure DevTest Labs, not for Logic Apps
upvoted 1 times

Correct Answer is B. You can manage logic apps with Logic App Contributor role. DevTest Labs User role is to connect, start, restart and
shutdown virtual machines.
upvoted 1 times

In exam 16/10/21
upvoted 2 times
  wsscool 7 months, 2 weeks ago

in exam 7/3/2021
upvoted 3 times
  acmaws 7 months, 4 weeks ago

The answer is B:
DevTest Labs User: Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs.
upvoted 1 times
  inemumoren 7 months, 4 weeks ago

upvoted 1 times
  nfett 9 months, 4 weeks ago

Its no. Verified it from the link provided.
upvoted 2 times

Answer is B
upvoted 2 times
  mg 11 months, 1 week ago

B is correct
DevTest Labs is a role used for Azure DevTest Labs not Logic App.
upvoted 1 times

B is correct
upvoted 1 times
  Sandroal29 12 months ago

The provided answer is correct. AD group needs to be granted a contributor role to be able to create resources in the RG.
upvoted 1 times
  toniiv 1 year ago

B. is correct (DevTest Labs is an environment which provides a service, not related to Logic Apps)
upvoted 1 times
Developers.
Solution: On Subscription1, you assign the Logic App Operator role to the Developers group.
A. Yes
B. No
Correct Answer: B
You would need the Logic App Contributor role.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles https://docs.microsoft.com/en-us/azure/logic-apps/logic-
apps-securing-a-logic-app

Correct Answer: B
You would need the Logic App Contributor role.
Logic App Operator - Lets you read, enable, and disable logic apps, but not edit or update them.
Logic App Contributor - Lets you create, manage logic apps, but not access to them.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#logic-app-operator
upvoted 31 times
  OmarMac Highly Voted  1 year, 2 months ago

Logic App Operator Role - Lets you read, enable, and disable logic apps, but not edit or update them.
upvoted 31 times

upvoted 1 times

The answer is correct, but the explanation is not correct.
You need resource group contributor role to create a logic app in it.
Logic apps contributor role can only allow you to manage the logic app, doesn't grant you permission to create a resource in a resource
group.
So you need a resource group contributor role to create a resource in a group.
upvoted 1 times

On exam Today 17 Dec 21 (all the series of the azure logic apps appeared on this exam )
upvoted 2 times
  eduhazard 7 months ago

Operator is not Contributor
upvoted 1 times

in exam 7/3/2021, solution was something different
upvoted 2 times

Correct answer is B
upvoted 1 times

B is correct. OmarMac provided the correct properties of this user.
upvoted 1 times

B is correct.
To be able to create logic apps, you need Logic App Contributor
upvoted 1 times

B Answer is correct
Logic App Operator - Lets you read, enable, and disable logic apps, but not edit or update them.
Logic App Contributor - Lets you create, manage logic apps, but not access to them.
upvoted 1 times

B is correct
upvoted 2 times

The operator role is not enough. The proper role is the contributor role.
upvoted 1 times

B. is correct (Logic App operator has no rights to add new Logic Apps)
upvoted 1 times
  mikl 1 year ago

Answer is no.
You need to be Contributor to Create - Operator cannot do that.
Logic App Contributor Lets you manage logic apps, but not change access to them.
Logic App Operator Lets you read, enable, and disable logic apps, but not edit or update them.
upvoted 1 times
  fedztedz 1 year, 2 months ago

Answer is correct . NO (B).
Logic App Operator: Lets you read, enable, and disable logic apps, but you can't edit or update them.
To be able to create logic apps, you need Logic App Contributor
upvoted 3 times
  Raakezz 1 year, 2 months ago

Cum 12/05/2020
upvoted 3 times
Developers.
Solution: On Dev, you assign the Contributor role to the Developers group.
A. Yes
B. No
Correct Answer: A
The Contributor role can manage all resources (and add resources) in a Resource Group.

Answer is Correct. YES (A)
Contributor role can create logic apps
upvoted 35 times

Correct Answer: A
The Contributor role can manage all resources (and add resources) in a Resource Group. Contributor role can create logic apps.
Alternatively, we can use the Logic App Contributor role, which lets you manage logic app, but not access to them. It provides access to
view, edit, and update a logic app.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#contributor
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#logic-app-contributor
upvoted 29 times

upvoted 3 times

Ans : A
Contributor can create logic apps
upvoted 1 times
  mse89 2 months, 1 week ago

answer is correct, the role contributor is applied to the resource group
upvoted 1 times

in exam 7/3/2021
upvoted 5 times
  leonmflai4exam 9 months, 2 weeks ago

Answer should be No (B). In case Contributor Role is assigned to RG => Dev. It will prompts subscription has no permission during
resource creation. We can only create the Logic Apps when Contributor role is assigned in Subsription
upvoted 1 times

A is correct answer.
Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints,
or share image galleries.
upvoted 2 times
  MrRom25 11 months ago

I think is NO since it should be "Logic App Contributor Role" and not only "Contributor Role"
upvoted 2 times

Sorry moderator pls rm my pre. Commt. Mistake
A is correct
upvoted 4 times

B is correct
upvoted 2 times

The contributor role set for this group is sufficient for the group to create new resources in the resource group. So, the provided answer is
correct.
upvoted 4 times

A. is correct
upvoted 1 times
  TheOne1 1 year ago

Correct. The only thing the contributor role couldn't do is change user permissions on the resource group, only the owner can do this. But
all that is required is the contributor role for this question.
upvoted 3 times
  Raakezz 1 year, 2 months ago

Cum 12/05/2020
upvoted 6 times
  KarryD 1 year ago

BOT with spell mistake?
upvoted 7 times
DRAG DROP -
You have an Azure subscription that is used by four departments in your company. The subscription contains 10 resource groups. Each
department uses resources in several resource groups.
You need to send a report to the finance department. The report must detail the costs for each department.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
Select and Place:
Correct Answer:
Box 1: Assign a tag to each resource.

You apply tags to your Azure resources giving metadata to logically organize them into a taxonomy. After you apply tags, you can retrieve all the
resources in your subscription with that tag name and value. Each resource or resource group can have a maximum of 15 tag name/value pairs.
Tags applied to the resource group are not inherited by the resources in that resource group.
Box 2: From the Cost analysis blade, filter the view by tag
After you get your services running, regularly check how much they're costing you. You can see the current spend and burn rate in Azure portal.
1. Visit the Subscriptions blade in Azure portal and select a subscription.
You should see the cost breakdown and burn rate in the popup blade.
2. Click Cost analysis in the list to the left to see the cost breakdown by resource. Wait 24 hours after you add a service for the data to
populate.
3. You can filter by different properties like tags, resource group, and timespan. Click Apply to confirm the filters and Download if you want to
export the view to a
Comma-Separated Values (.csv) file.
Box 3: Download the usage report
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags https://docs.microsoft.com/en-
us/azure/billing/billing-getting-started

Correct Answer:
Box 1: Assign a tag to each resource
Box 2: From the Cost analysis blade, filter the view by tag
Box 3: Download the usage report
Reference:
https://docs.microsoft.com/en-us/azure/billing/billing-getting-started
upvoted 62 times

Yup! also tested it.
upvoted 4 times
  DevOpposite 4 months, 1 week ago

thank you m'lord
upvoted 5 times
  moekyisin Highly Voted  1 year, 2 months ago

Ans is correct
upvoted 17 times

Was on exam recently.
my answer:
Assign a tag to each resource

From the Cost analysis blade, filter the view by tag
Download the usage report
upvoted 1 times

Correct Answer
upvoted 1 times

Correct Answer
upvoted 1 times
  sbade 2 months, 3 weeks ago

Don't go this dump only few questions comes from this. I have gone through all questions but still didn't cleared.. took contributor access
but it's fully waste of money
upvoted 2 times

Was on exam today 19.11.2021. Passed with 920
Correct answer:
Assign a tag to each resource

From the Cost analysis blade, filter the view by tag
Download the usage report
upvoted 2 times

was the dump questions here sufficient ? what percentage would you give on how many questions came on your exam from this
dump?
upvoted 1 times

upvoted 7 times

You tag individual resources not groups
upvoted 3 times

that is wrong you can tag resource groups https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-
resources?tabs=json
upvoted 1 times
  y_dev 6 months, 3 weeks ago

This question came in exam Jul 30, 21. I failed the exam. My score was 675 :(
upvoted 5 times

That's close. you probably only missed 2 to 3 questions.
upvoted 1 times

don't lose hope, keep going!!!
upvoted 2 times

the question was on Jul 23, 2021 - passed the exam
upvoted 3 times

upvoted 7 times
  Natoc 8 months, 2 weeks ago

its correct
upvoted 1 times
  Paul74 8 months, 2 weeks ago

6-Jun-21 exam question
upvoted 12 times
  PrawinG 8 months, 2 weeks ago

Paul74 - 104 dump here alone sufficient to pass the exam ? Please confirm.
upvoted 3 times
  Paul74 8 months ago

It covers around 50 to 60% of the Questions. if we know the concept we can manage the remaining questions
upvoted 10 times
  ScreamingHand 8 months, 3 weeks ago

Confirmed in lab - answer is correct
upvoted 2 times

answer is correct
upvoted 5 times

Answer is correct
upvoted 4 times
You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1.
You need to view the error events from a table named Event.
Which query should you run in Workspace1?
A. Get-Event Event | where {$_.EventType == "error"}
B. search in (Event) "error"
C. select * from Event where EventType == "error"
D. search in (Event) * | where EventType -eq "error"
Correct Answer: B
To search a term in a specific table, add the table-name just after the search operator
Note:
There are several versions of this question in the exam. The question has two possible correct answers:
1. Event | search "error"
2. Event | where EventType == "error"
3. search in (Event) "error"
Other incorrect answer options you may see on the exam include the following:
1. Get-Event Event | where {$_.EventTye ‫ג‬€"eq "error"}
2. Event | where EventType is "error"
3. search in (Event) * | where EventType ‫ג‬€"eq "error"
4. select * from Event where EventType is "error"
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/search-queries https://docs.microsoft.com/en-us/azure/azure-monitor/log-
query/get-started-portal https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/searchoperator?pivots=azuredataexplorer

B (100%)
  GepeNova Highly Voted  4 months, 2 weeks ago

Correct B
Tested in lab Home>>Monitor>>Logs
All command queries return syntax error except Search in (Event) "error"
upvoted 16 times
  byuq Most Recent  2 weeks, 1 day ago

Selected Answer: B
B correct
upvoted 1 times

On exam 01.02.22.
Answer: B
upvoted 1 times
  techie_11 1 month, 1 week ago

Were the choices for this question the same?
upvoted 1 times

Ans : B
Search in (Event) "error"
upvoted 1 times

upvoted 4 times
  mcc 3 months, 3 weeks ago

Correct B
// 1. Simple term search over all unrestricted tables and views of the database in scope
search "billg"
// 2. Like (1), but looking only for records that match both terms
search "billg" and ("steveb" or "satyan")
// 3. Like (1), but looking only in the TraceEvent table

search in (TraceEvent) and "billg"
// 4. Like (2), but performing a case-sensitive match of all terms

search "BillB" and ("SteveB" or "SatyaN")
// 5. Like (1), but restricting the match to some columns

search CEO:"billg" or CSA:"billg"
// 6. Like (1), but only for some specific time limit

search "billg" and Timestamp >= datetime(1981-01-01)
// 7. Searches over all the higher-ups

search in (C*, TF) "billg" or "davec" or "steveb"
// 8. A different way to say (7). Prefer to use (7) when possible

union C*, TF | search "billg" or "davec" or "steveb"
upvoted 1 times
  sat128 4 months, 3 weeks ago

Wrong answer
upvoted 1 times
  ShockWaveSix 3 months, 1 week ago

You can't just say "wrong" with no explanation or justification. Wasting all the rest of our time.
upvoted 18 times

maybe try providing the right answer? otherwise don't bother commenting
upvoted 5 times
  nimeshabhinav 2 months, 1 week ago

if wrong, then share the right answer with explanation.
upvoted 3 times

Correct.
upvoted 2 times
HOTSPOT -
You have an Azure subscription that contains a virtual network named VNET1 in the East US 2 region. A network interface named VM1-NI is
connected to VNET1.
You successfully deploy the following Azure Resource Manager template.

Hot Area:
Correct Answer:
Box 1: Yes -
Box 2: Yes -
VM1 is in Zone1, while VM2 is on Zone2.
Box 3: No -
Reference:
https://docs.microsoft.com/en-us/azure/architecture/resiliency/recovery-loss-azure-region

YES
YES
NO
upvoted 26 times

How do you know VM2-NI is connected to VNET1?
upvoted 7 times
  alex_p 4 months, 2 weeks ago

the question actualy is - "VM1 and VM2 can connect VNET1 ? - Yes, they can because both are in tha same region where VNET1 is.
upvoted 21 times
  Philly_cheese_steak 4 months ago

NO YES NO
There is no mention of VM2NI connected to VNET1??
upvoted 16 times
  awssecuritynewbie 2 weeks, 1 day ago

You have an Azure subscription that contains a virtual network named VNET1 in the East US 2 region. A network interface
named VM1-NI is connected to VNET1.
You successfully deploy the following Azure Resource Manager template.
nothing about the VM2 being connected to VNET1.. don't chat shit
upvoted 1 times
  aqslatewala Highly Voted  4 months, 1 week ago
No because VM2NI is not connected to VNET1

Yes
No
upvoted 16 times

There is only one VNET mentioned. By default VM2NI is connected to VNET1. According to the template there is no explicit indication
that either NIC is assigned to the VNET1, thus my conclusion is that both are assigned to VNET1. My answer for #1 is YES
upvoted 3 times

1NI belongs to VNet1, the template mentions no other Vnet, thus it defaults VM2 to VNet1.
The question is primarily testing if you understand default routing between zones, plus availability of VM's if they exist in separate
zones.
upvoted 2 times
  Darkeh Most Recent  1 week, 5 days ago

Yes yes no. The key word is "can" vm2nic be connected to the vnet
upvoted 2 times

how can you connect to VM1 and VM2 if the Azure data center is down? They are in different Zone... that does not qualify them to be
redundant does it?
upvoted 1 times
  nidhogg 2 weeks, 2 days ago

On the exam today, 1.feb.2022
Just 761/1000, but OK! :D
Thanks to ExamTopics and to you all!
upvoted 5 times
  Allfreen 6 days, 23 hours ago

Which one you selected
upvoted 1 times

I would go for YYN but not because the VMs are in the same Region. Please correct me if I am wrong. From my understanding what would
prevent two resources from being able to connect to each other is if, by default (no peering), they share a same VNet (VNets can spread
over regions) or not. The template doesn't specify a VNet for VM2 so VM2 defaults to VM1 setup which depends on VM1-NI which is in
VNet1.
upvoted 1 times

Nevermind. Still is YYN though and indeed because of regions (VNet but Subnets can not spread over regions).
upvoted 1 times

same region means not same VNET by default, I still dont see why first is YES
upvoted 5 times
  Redimido 1 month ago

1. No - because it's not stated the VM2-NI is connected to the VNET1 in the description - the question is can they both connect to VNET1 -
so you don't know for VM2-NI
2. Yes - because the question embraces both the machines - and VM2 is spread over 2 zones, not being in the same DC.
3. No - being both machines in EastUS2 - when the region goes down - both of them sink too.
upvoted 4 times

Yes
Yes
No
VM1 and VM2 can connect to VNET1, because both are in EastUS2 region.
upvoted 3 times

answer is correct _
yes , yes, no
see : https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-connect-virtual-networks-portal#communicate-between-vms
upvoted 2 times

It took me a while to look at it but I think I get it. In the arm template neither stipulate the VLAN and are identical in format. The leading
statement states that vm1-ni is connected to VNET1 which being VM2 in the arm template is identical it would also be connected to VNET1.
upvoted 2 times
  kaloszertest 2 months, 1 week ago

Its NOT the SAME! VM-NI2 =/= VM-NI1 !

upvoted 3 times
  subhuman 2 months, 4 weeks ago

Correct,
YES, YES , NO
upvoted 1 times
  HadiKhan 3 months, 2 weeks ago

The answer is YES YES NO, question is if the VM1 and VM2 connect to VNET1 so answer is yes because these are in the same region.
upvoted 2 times

Q1 is tricky... hard to answer based on assumptions. but if you look at the template, VNET1 is not mention on both VMs. Except from the
question itself mentioning that VM1 is connected to VNET1. So, is it safe to say Yes to Q1?
upvoted 3 times
  gcpbrig01 3 months, 3 weeks ago

Question 1. Yes
I can't see why VM2 cannot connect to Vnet1, being in the same region would be a strong case for allowing connectivity.
Question 2: Yes
In the event of a datacenter down, VM2 will be available. As for the VM1, it can still be up if the datacenter in question would be the other
one in that region.
Question 3: No,
When the whole region goes down, no AZ will be able to support. hence both VMs will be unavailable.
upvoted 5 times
  jackAttew_1 2 months ago

What about availability zones which has own cooler, power etc? Also VM1 has zone1 and VM2 has zone2. Any Idea?
upvoted 1 times
  SSJunk 1 month, 2 weeks ago

The zone property is referring to the availability zone in the region - not to be confused with an availability set (within same
datacenter). Availability zones are separate datacenters in the same region.
upvoted 1 times
  HoanLac 4 months, 2 weeks ago

No Yes No
upvoted 6 times
You have an Azure subscription named Subscription1. Subscription1 contains the resource groups in the following table.
RG1 has a web app named WebApp1. WebApp1 is located in West Europe.
You move WebApp1 to RG2.
What is the effect of the move?
A. The App Service plan for WebApp1 remains in West Europe. Policy2 applies to WebApp1.
B. The App Service plan for WebApp1 moves to North Europe. Policy2 applies to WebApp1.
C. The App Service plan for WebApp1 remains in West Europe. Policy1 applies to WebApp1.
D. The App Service plan for WebApp1 moves to North Europe. Policy1 applies to WebApp1.
Correct Answer: A
You can move an app to another App Service plan, as long as the source plan and the target plan are in the same resource group and
geographical region.
The region in which your app runs is the region of the App Service plan it's in. However, you cannot change an App Service plan's region.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/app-service-plan-manage

A (80%) C (20%)
  Cluster007 Highly Voted  1 year, 2 months ago

A is correct
upvoted 41 times

Correct Answer: A
You can only move a resource to a Resource Group or Subscription, but the location stays the same. When you move WebApp1 to RG2, the
resource will be restricted based on the policy of the new Resource Group (Policy2).
Reference:
upvoted 27 times
  H3adcap Most Recent  11 hours ago

upvoted 1 times
  edengoforit 1 week, 2 days ago

The region in which your app runs is the region of the App Service plan it's in. However, you cannot change an App Service plan's region. If
you want to run your app in a different region, one alternative is app cloning. Cloning makes a copy of your app in a new or existing App
Service plan in any region.
upvoted 1 times

had this question on 05/Feb/22 exam but answer of contents have a little differ
upvoted 3 times
  JJoh 2 weeks ago

Selected Answer: C
C is more reasonable
upvoted 1 times

the question talks about the web app and the policy.. regarding the policy this is from the MS website
Move an app to another App Service plan

You can move an app to another App Service plan, as long as the source plan and the target plan are in the same resource group and
geographical region.
upvoted 1 times
  olloczky 1 month, 1 week ago

Answer states: You can move an app to another App Service plan, as long as the source plan and the target plan are in the same resource
group and geographical region.
But in this case the App Service plan is in different RG and different region. Or the catch is that the app is not moved to an App Service
plan? Is that even possible?
upvoted 2 times

On exam 01.02.22.
Answer: A
upvoted 4 times
  johnrip84 1 month, 2 weeks ago

Selected Answer: A
This question was asked on exam taken on 26DIC2021
upvoted 2 times
  FabioVi 1 month, 3 weeks ago

Tested in a lab.
I moved an App Service Plan to a RG that was in a different region. The move went OK, and the App Service Plan retained its original
region.
So, A is correct.
upvoted 7 times
  Jay0401 2 months ago

In exam 17/12/2021.
upvoted 2 times

Selected Answer: A
A.
WebApp can be moved between RG and Subscriptions but NOT between Regions
Check here. Resource Class Microsoft.Web
Resource Type: Sites
upvoted 2 times

Ans : A
Webapp remains in west europe and only RG2 policy, ie, policy 2 will be assigning to it
upvoted 1 times

Took the exam today, 17 Oct. This question came out. Ans: A
upvoted 4 times

Passed today with 947. This question appeared, correct Answer is A
upvoted 9 times
  YooOY 5 months ago

So WebApp1 is actually not moved to another App Service Plan but only changing RG? because move app requires same RG.
https://docs.microsoft.com/en-us/azure/app-service/app-service-plan-manage#move-an-app-to-another-app-service-plan requires
upvoted 1 times
HOTSPOT -
You have an Azure subscription named Subscription1 that has a subscription ID of c276fc76-9cd4-44c9-99a7-4fd71546436e.
You need to create a custom RBAC role named CR1 that meets the following requirements:
✑ Can be assigned only to the resource groups in Subscription1
✑ Prevents the management of the access permissions for the resource groups
✑ Allows the viewing, creating, modifying, and deleting of resources within the resource groups
What should you specify in the assignable scopes and the permission elements of the definition of CR1? To answer, select the appropriate options
in the answer area.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles https://docs.microsoft.com/en-us/azure/role-based-access-
control/resource-provider-operations#microsoftresources

The Answer is Wrong.
First part should be "/Subscription/subcription_id" only. There is nothing called "resourceGroups" only or "resourceGroups/*" . You can
specify either a subscription, specific resource group, management group or specific resource. for example it should
"/subcription/subcription_id/resourceGroups/resource_group_name"
Check https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/role-based-access-control/role-definitions.md#role-definition-
structure
For second box. It is correct but missing "*". It should be "Microsoft.Authorization/*" . if you try this on az cli without "*". you will get an
error
upvoted 111 times

I don't know how you said there's no 'resourceGroups' and then put 'resourceGroups' in your example, also an asterisk/wildcard
meaning denotes "all" this could imply there are multiple other fields the could be added in place of the wildcard. Regardless, I tested
it, you can go to Subscriptions > [Your Subscription] > IAM > Custom Roles. You are correct but the explanation was quite confusing.
upvoted 5 times

You can specify either a subscription, specific resource group, management group or specific resource. for example it should
"/subcription/subcription_id/resourceGroups/resource_group_name"
So it you use "/subcription/subcription_id/resourceGroups/resource_group_name" then you need the resource_group_name

upvoted 1 times
  JayBee65 8 months, 2 weeks ago

This link https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions gives an example of
"/subscriptions/{subscriptionId1}/resourceGroups/Network"
upvoted 7 times
  tf444 8 months, 2 weeks ago

{
"id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}",
"name": "{resourceGroupName}",
"type":"Microsoft.Resources/resourceGroups",
"location": "{resourceGroupLocation}",
"managedBy": "{identifier-of-managing-resource}",
"tags": {
},
"properties": {
"provisioningState": "{status}"
}
}
upvoted 2 times
  tf444 8 months, 2 weeks ago

/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{extensionResourceProviderNamespace}/{extension
ResourceType}/{extensionResourceName}
upvoted 1 times

Correct Answer:
“/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546435e”
“Microsoft.Authorization/”
upvoted 84 times
  edengoforit Most Recent  1 week ago

The second answer why authorization is that we want to exclude the authorization from the user
The AssignableScopes property specifies the scopes (management groups, subscriptions, or resource groups) where this role definition
can be assigned. You can make the role available for assignment in only the management groups, subscriptions, or resource groups that
require it. You must use at least one management group, subscription, or resource group.
Not Actions: An array of strings that specifies the control plane actions that are excluded from the allowed Actions.
upvoted 1 times
  Az_dasappan 1 week, 2 days ago

First part should be "/Subscription/subcription_id" only
Validation error: Invalid scope : /subscriptions/112cd52b-64b8-44bf-92f4-26931c25ac49/resourceGroups

The scope consists of a series of identifiers separated by the slash (/) character. You can think of this string as expressing the following
hierarchy, where text without placeholders ({}) are fixed identifiers:
/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers
/{providerName}/{resourceType}/{resourceSubType1}/{resourceSubType2}/{resourceName}
upvoted 1 times
  Amunix 1 month ago

tested and confiirmed
/subscriptions/{sub-ID}/resourcegroups/{RG-Name}/
upvoted 2 times

Doc page for valid assignable scopes which are 1+ subscriptions, a single resource group or a management group (in Preview). The first
part of the stated answer is incorrect, should be just the sub + its ID.
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions#assignablescopes
upvoted 2 times

upvoted 1 times

upvoted 1 times

Correct Answer:
upvoted 1 times

To assign a policy to resource group only, you need:
1) assign the policy to subscription level
2) in policy rule, check if resource type is Microsoft.Resources/subscriptions/resourceGroups", then apply the rule
upvoted 2 times

Correct Answer:
upvoted 4 times

1st Box is correct with "subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436/resourceGroups"
2nd Box has no correct choice. It should look like this: Microsoft.Authorization/roleDefinitions/write
EXAMPLE:
"actions": [
"Microsoft.Authorization/roleDefinitions/write",
“AssignableScopes”: [
"subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups",
Microsoft.Authorization/roleDefinitions/write - Users that are granted this action on all the AssignableScopes of the custom role can create
(or delete) custom roles for use in those scopes. For example, Owners and User Access Administrators of management groups,
subscriptions, and resource groups.
The "notActions: [" reverses this into prevents management access permissions.
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
https://docs.cloudaware.com/DOCS/Creating-a-Custom-Role-in-Microsoft-Azure.1831272449.html
upvoted 1 times
  HadiKhan 3 months, 2 weeks ago

/subscriptions/Subscription-id/resourceGroups/Test this is the format which allows , /subscriptions/Subscription-id/resourceGroups/ this
returns error
upvoted 2 times

Note that the options listed here reflect how they are on the actual exam
upvoted 5 times

upvoted 4 times
  AubinBakana 6 months ago

the answer is correct:
The scope is "/subscription/subcription_id/resourceGroups/resource_group_name"
Unfortunately the screenshot does not capture the name of the resource. I guess that is why many people think it's wrong. You'd have to
scroll to the right to see the name of the resource group. The top option is definitely wrong because it would reduce to scope to the
Subscripton only
notActions ["Microsoft.Authorisation/*"]
upvoted 4 times
  Kizz 3 months, 1 week ago

if the path is missing because of screenshot not capture full path, then the mark " should not be at the end likes in the question
upvoted 2 times
  Krishore 6 months, 3 weeks ago

/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e is the correct answer for assignable scope,.
Condition- "Can be assigned only to the resource groups in Subscription1"
In condition it was said to assign for resources groups of the subscription1 but not identified any resources groups name.
upvoted 1 times
You have an Azure subscription.

Users access the resources in the subscription from either home or from customer sites. From home, users must establish a point-to-site VPN to
access the Azure resources. The users on the customer sites access the Azure resources by using site-to-site VPNs.
You have a line-of-business-app named App1 that runs on several Azure virtual machine. The virtual machines run Windows Server 2016.
You need to ensure that the connections to App1 are spread across all the virtual machines.
What are two possible Azure services that you can use? Each correct answer presents a complete solution.
A. an internal load balancer
B. a public load balancer
C. an Azure Content Delivery Network (CDN)
D. Traffic Manager
E. an Azure Application Gateway
Correct Answer: AE
Network traffic from the VPN gateway is routed to the cloud application through an internal load balancer. The load balancer is located in the
front-end subnet of the application.
Reference:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/vpn https://docs.microsoft.com/en-
us/azure/load-balancer/load-balancer-overview https://docs.microsoft.com/en-us/azure/application-gateway/overview

AE (100%)

Correct Answer: A and E
A: The customer sites are connected through VPNs, so an internal load balancer is enough.
B: The customer sites are connected through VPNs, so there's no need for a public load balancer, an internal load balancer is enough.
C: A CDN does not provide load balancing for applications, so it not relevant for this situation.
D: Traffic manager is a DNS based solution to direct users' requests to the nearest (typically) instance and does not provide load balancing
for this situation.
E: Azure Application Gateway is a valid option, as it provides load balancing in addition to routing and security functions
upvoted 155 times
  Sh4kE 1 month ago

But isn't answer B also an option which would suffice the requirements? It only states to load balance traffic to all VMs. It does not
restrict how to access the services, even though we are already connected via vpn...
upvoted 2 times
  ShaulS 3 months, 1 week ago

A: what do you mean by "internal LB is enough"?
upvoted 1 times

It means that nobody is accessing the resources through public ip ..So no need of a public load balancer.
upvoted 5 times
  Vaish310 4 months, 3 weeks ago

Thanks
upvoted 2 times

Very nice and complete explanation, thanks a lot!
upvoted 2 times
  mgladh Highly Voted  1 year, 2 months ago

i would say A and E is the correct answer.
upvoted 84 times
  Babatunde 11 months, 2 weeks ago

Agreed
upvoted 3 times

AE is the right answer
upvoted 1 times
  byuq 1 week, 3 days ago

Selected Answer: AE
A and E
upvoted 1 times
  263Jongaldo 1 month ago

A & E correct
Configuring the gateway with an ILB is useful for internal line-of-business applications that are not exposed to the Internet.
https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-ilb-
arm#:~:text=Azure%20Application%20Gateway%20can%20be,not%20exposed%20to%20the%20Internet.
upvoted 1 times

On exam 01.02.22.
Answer: A and E
upvoted 1 times

Ans : A & E
Internal load balancer is enough as the customers are connecting through VPN's, Hence no need to Public load balancer.
Application gateway will allow load balancing and in other terms it might a web app.
upvoted 1 times
  Edward2021 2 months, 1 week ago

A and E for sure.
VPN - internal load balancer seems good to me

Gateway valid option also, as it has already a load balancer.
So one of them is enough.

upvoted 1 times

Selected Answer: AE
In exam I would select A & E
But in reality, we need need more info - this question mentioned nothing about WEB application for app1, but application gateway is for
web application only.
upvoted 5 times

i agree with you dude!
upvoted 1 times

As connections are via VPN, you would not use a public LB.
upvoted 1 times
  JohnCox 5 months, 2 weeks ago

Azure Application Gateway only for web apps. Question doesn’t state what type of app it is. Annoying
upvoted 3 times

upvoted 5 times
  akirashetty 5 months, 3 weeks ago

Do the exam had any Labs or any hands on questions?
upvoted 1 times
  Insanewhip 4 months, 2 weeks ago

No, the format for the exam does not have any labs or hands-on questions. You can refer to the exam format on the Microsoft
website
upvoted 1 times
  zvasanth2 6 months, 1 week ago

The first real difference between the Azure Load Balancer and Application Gateway is that an ALB works with traffic at Layer 4, while
Application Gateway handles just Layer 7 traffic, and specifically, within that, HTTP (including HTTPS and WebSockets)
If you are developing a web application, then you need an application gateaway.
if you are developing some classic desktop/console application that involves UDP protocol you may need load balancer
upvoted 5 times

Correct Answer: A and E
upvoted 1 times
  mkoprivnj 8 months, 1 week ago

A & E is correct!
upvoted 1 times

A and E for sure :P
upvoted 1 times
  omhari 8 months, 2 weeks ago

A and E. Both can work as an internal load balancer for web app applications.
upvoted 1 times
  CARIOCA 9 months ago

This question is very divided in the feedback, after all what would be the answer and which justified it?
After a debate of 34 comments, is the final answer to the question the same or not?
My humble suggestion for the Exam Topics would be to have an official moderator who, depending on the debate on the issues, should
be responsible for changing the submitted template.
I think the debate is healthy, but a better organization is needed following an established pattern because in some issues they get very
confused and generate more doubts than clarifications.
upvoted 1 times
  imartinez 6 months ago

i will not say stop using drogs coz you will not do that.. just Stop abusing..
upvoted 1 times

Can you stop putting same comment on every discussion. Moderator please take note and stop approving these comments
upvoted 17 times
  maffoo 8 months, 4 weeks ago

Its not divided, you must not have even read this before posting this.
upvoted 11 times
  xoe123 8 months ago

I think they are using a bot
upvoted 3 times

You have 100 Azure virtual machines.
You need to quickly identify underutilized virtual machines that can have their service tier changed to a less expensive offering.
Which blade should you use?
A. Monitor
B. Advisor
C. Metrics
D. Customer insights
Correct Answer: B
Advisor helps you optimize and reduce your overall Azure spend by identifying idle and underutilized resources. You can get cost
recommendations from the Cost tab on the Advisor dashboard.
Reference:
https://docs.microsoft.com/en-us/azure/advisor/advisor-cost-recommendations

B (100%)
  waterzhong Highly Voted  1 year ago

The Advisor dashboard displays personalized recommendations for all your subscriptions. You can apply filters to display
recommendations for specific subscriptions and resource types. The recommendations are divided into five categories:
Reliability (formerly called High Availability): To ensure and improve the continuity of your business-critical applications. For more
information, see Advisor Reliability recommendations.
Security: To detect threats and vulnerabilities that might lead to security breaches. For more information, see Advisor Security
recommendations.
Performance: To improve the speed of your applications. For more information, see Advisor Performance recommendations.
Cost: To optimize and reduce your overall Azure spending. For more information, see Advisor Cost recommendations.
Operational Excellence: To help you achieve process and workflow efficiency, resource manageability and deployment best practices. . For
more information, see Advisor Operational Excellence recommendations.
upvoted 51 times

Correct Answer: B
Reference:
upvoted 43 times

cost management, so B is right
upvoted 1 times
  pappkarcsiii 1 week, 6 days ago

Selected Answer: B
Correct Answer: B
Reference:
upvoted 2 times

Ans : B
Azure advisor helps to reduce and optimize the cost
upvoted 2 times

The trick here is Customer Insights, which is a service for analyzing your client's/customers business data, trends (not your own Azure
resources costs).
upvoted 1 times
  VKChaudhary 4 months, 3 weeks ago

Correct
upvoted 2 times

Answer is correct
upvoted 1 times

In Exam 21/08/2021
upvoted 4 times
  akirashetty 5 months, 3 weeks ago

Do the exam had any Labs or any hands on?
upvoted 1 times

Advisor will be used to advise on cost savings and utiliization
upvoted 2 times
  aman824985 7 months, 1 week ago

Advisor is related to cost management so correct ans is advisior
upvoted 1 times

Azure Advisor helps you optimize and reduce your overall Azure spend by identifying idle and underutilized resources. You can get cost
upvoted 1 times

Advisor!
upvoted 2 times

B is correct answer
upvoted 1 times

B is correct answer
upvoted 1 times
  whynotguru 9 months, 2 weeks ago

Advisor --Cost --select VMs--select Quick Fix (Preview) and it will change to recommended actions config
upvoted 1 times

B is correct
Advisor helps you optimize and reduce your overall Azure spend by identifying idle and underutilized resources
upvoted 2 times
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant.
You need to create a conditional access policy that requires all users to use multi-factor authentication when they access the Azure portal.
Which three settings should you configure? To answer, select the appropriate settings in the answer area.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-based-mfa

The Answer is correct .
- Select Users & Groups : Where you have to choose all users.
- Select Cloud apps or actions: to specify the Azure portal
- Grant: to grant the MFA.
Those are the minimum requirements to create MFA policy. No conditions are required in the question.
Also check this link beside the one provided in the answer
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policies
upvoted 134 times
  redbeardbeer 9 months, 1 week ago

Thanks for the great description. Very helpful.
upvoted 8 times
  mlantonis Highly Voted  9 months ago

Correct Answer:
- Select Cloud apps or actions: To specify the Azure portal
- Select Grant: To grant the MFA.
upvoted 49 times
  Jvp21 Most Recent  1 week, 3 days ago

- Select Users & Groups : To choose all users.
- Select Cloud apps or actions: To specify the Azure portal
- Select Grant: To grant IF only pass the MFA authentication.
upvoted 1 times

Can you believe that "Conditional Access" is barely mentioned in the paid Microsoft training for az104 and yet students are expected to
know about it in the exam!?!? Sooo frustrating!!!!
upvoted 2 times
  Empel 1 week, 1 day ago
If the official course had to cover everything it will be a 3 month course at least. There is just no time to cover everything in 4 days. I
took the course as well but the instructor told us that it was not enough.
upvoted 1 times

I literally have to GOOGLE many of the topics covered here because of how weak MS courses are toward az104 certification damn it.
upvoted 2 times
  StaxJaxson 1 week, 3 days ago

You need to let it go bro. I've been taking Microsoft tests since NT 4.0 and this is how it is.
If you download every Azure documentation PDF link at the bottom of the page, you will have over 100,000 PDF pages of material
memorize. No one can do it. I stupidly paid for $100 for Mindhub AZ-104 test. None of their questions come close to what's on the
exam.
upvoted 1 times
  bogard 4 months ago

This was ask during my AZ-500 exam.
upvoted 2 times
  JamesChan0620 5 months, 2 weeks ago

The answer is correct?
upvoted 3 times

Yes it is correct
upvoted 1 times

the question was on Jul 23, 2021 - passed the exam. I followed most of the answers given by fedztedz and mlantonis. They know this stuff.
upvoted 8 times

The question was bit modified though
upvoted 6 times

Thanks!
upvoted 1 times
  valente_sven1 7 months ago

how far from the real?
upvoted 1 times

- Select Cloud apps or actions: to specify the Azure portal
- Grant: to grant the MFA.
upvoted 3 times
  saddamakhtar 9 months, 3 weeks ago

Answer is correct
upvoted 1 times

Answer is correct
upvoted 1 times

Given answer is correct
1.user or groups
2.apps
3.grant or deny
upvoted 3 times
  taka_hawk 11 months, 2 weeks ago

The Answer is correct .Please check. "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-
access-cloud-apps " "Cloud apps or actions" - "Microsoft Azure Management" - "Azure portal"
upvoted 1 times
  alessioferrario 11 months, 3 weeks ago

Just test on my MSDN subscription.
Only onwer can assign policy on root management group. A user with qlobal admin role can't
upvoted 2 times
Solution provided is correct

upvoted 1 times

Seems correct.
New Policy.
Assignments:
Users and Groups - Select Users.
Cloud Apps - Microsoft Azure Management.
Access:
Grant - Require multi-factor authentication.
Source : https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa
upvoted 2 times
  QiangQiang 1 year ago

Simple policies
A Conditional Access policy must contain at minimum the following to be enforced:
Name of the policy.

Assignments
Users and/or groups to apply the policy to.
Cloud apps or actions to apply the policy to.
Access controls
Grant or Block controls
So the answer is correct
upvoted 1 times
You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.
The User administrator role is assigned to a user named Admin1.
An external partner has a Microsoft account that uses the [email protected] sign in.
Admin1 attempts to invite the external partner to sign in to the Azure AD tenant and receives the following error message: Ùnable to invite user
[email protected] `" Generic authorization exception.`
You need to ensure that Admin1 can invite the external partner to sign in to the Azure AD tenant.
What should you do?
A. From the Users settings blade, modify the External collaboration settings.
B. From the Custom domain names blade, add a custom domain.
C. From the Organizational relationships blade, add an identity provider.
D. From the Roles and administrators blade, assign the Security administrator role to Admin1.
Correct Answer: A
Reference:
https://techcommunity.microsoft.com/t5/Azure-Active-Directory/Generic-authorization-exception-inviting-Azure-AD-gests/td-p/274742
  moekyisin Highly Voted  1 year, 2 months ago

correct answer checked in portal .
Go to Azure AD--users--user settings --scroll down.--External users
Manage external collaboration settings
upvoted 80 times

Yep Yep Yep
upvoted 3 times
  Gorl12 4 months, 4 weeks ago

Your excitement is awesome!
upvoted 6 times

Answer is correct. You can adjust the guest user settings, their access, who can invite them from "External collaboration settings"
check this link https://docs.microsoft.com/en-us/azure/active-directory/external-identities/delegate-invitations
upvoted 51 times
  Rawatvs Most Recent  4 weeks ago

Trying to reproduce it but getting error like this below
"User's properties could not be updated after invitation

Guest invitations not allowed for your company. Contact your company administrator for more details."
but not exactly the same given in question.. so not sure of the answer in that case..
upvoted 1 times

Correct: A - External Collaboration Settings
This is a generic error: You will get this error if Invites settings are disabled in the External Collaborations settings.
By default, all users and guests in your directory can invite guests even if they're not assigned to an admin role. External collaboration
settings let you turn guest invitations on or off for different types of users in your organization. You can also delegate invitations to
individual users by assigning roles that allow them to invite guests.
Azure AD -> User Settings -> External Users -> Manage external collaboration settings. Azure AD -> External Identities -> External
Collaboration Settings
https://docs.microsoft.com/en-us/azure/active-directory/external-identities/delegate-invitations
https://techcommunity.microsoft.com/t5/azure-active-directory-identity/generic-authorization-exception-inviting-azure-ad-gests/m-
p/274742
upvoted 9 times

Correct is D from Roles and administrators
In AAD\Roles and administrators there is a role : guest inviter
description: Users in this role can manage Azure Active Directory B2B guest user invitations when the "Members can invite" user setting is
set to No. It does not include any other permissions.
This way you can grant invitation only to that one admin not to everyone in whole tenant.
upvoted 1 times

Which planet are you from?
upvoted 6 times
  Gravysand 3 months, 1 week ago

It's A, not D. It clearly already states another role so your answer is wrong.
upvoted 1 times
  albertozgz 3 months, 4 weeks ago

(A open to every body in send external invitations, bad idea . . .)
D: give this permissions to ONE user
upvoted 2 times

upvoted 5 times
  Beng_ali 4 months, 2 weeks ago

Came up on my exam on 02/10/21, Answer A is correct.
upvoted 4 times
  anonza_dumps 6 months ago

in the exam 20-08-2021
upvoted 3 times

Both C and D are wrong, External user is the clue here
upvoted 2 times

answer is C, by deduction:
A and B don’t apply because that only solves acces s to the subscription. we need root tenant level
D doesn’t apply because a new management group can’t be at root either (only one group).
So C is the only valid option
upvoted 1 times

A is correct!
upvoted 2 times
  ZN 8 months, 4 weeks ago

I am trying to reproduce the given error in portal for Admin1 but unable to do so.
Kindly post the steps to get the given error.
upvoted 1 times
  mlantonis 9 months ago

Correct Answer: A
Azure AD -> User Settings -> External Users -> Manage external collaboration settings.
Azure AD -> External Identities -> External Collaboration Settings
Reference:
https://techcommunity.microsoft.com/t5/Azure-Active-Directory/Generic-authorization-exception-inviting-Azure-AD-gests/td-p/274742
upvoted 33 times

Answer is correct
upvoted 1 times

Tested, Answer is Correct
upvoted 3 times
  FemFem 11 months ago

Users>External Identities|External Collaboration settings
Good idea to always cross-check as Microsoft update and change frequently
upvoted 4 times
You have an Azure subscription linked to an Azure Active Directory tenant. The tenant includes a user account named User1.
You need to ensure that User1 can assign a policy to the tenant root management group.
What should you do?
A. Assign the Owner role for the Azure Subscription to User1, and then modify the default conditional access policies.
B. Assign the Owner role for the Azure subscription to User1, and then instruct User1 to configure access management for Azure resources.
C. Assign the Global administrator role to User1, and then instruct User1 to configure access management for Azure resources.
D. Create a new management group and delegate User1 as the owner of the new management group.
Correct Answer: B
The following chart shows the list of roles and the supported actions on management groups.
Note:
Each directory is given a single top-level management group called the "Root" management group. This root management group is built into the
hierarchy to have all management groups and subscriptions fold up to it. This root management group allows for global policies and Azure role
assignments to be applied at the directory level. The Azure AD Global Administrator needs to elevate themselves to the User Access
Administrator role of this root group initially. After elevating access, the administrator can assign any Azure role to other directory users or
groups to manage the hierarchy. As administrator, you can assign your own account as owner of the root management group.
Reference:

C (93%) 7%

Correct Answer: C
No one is given default access to the root management group. Azure AD Global Administrators are the only users that can elevate
themselves to gain access. Once they have access to the root management group, the global administrators can assign any Azure role to
other users to manage it.
Reference:
https://docs.microsoft.com/en-us/azure/governance/management-groups/overview#important-facts-about-the-root-management-group
upvoted 85 times

After looking at this for a while (cos it was doing my head in), the important bit would be for B we are assigning Owner for the
Subscription, It needs to be Owner for the Tenant Root. (which is said but was not instantly clear to me). So it has to be (C) Global
Admin which will the elevate it's self to Root owner. Another of those questions you really have to pick apart. So C is the correct answer.
upvoted 1 times

Answer is C. Just tested in the lab.
upvoted 1 times
  mumu_myk 2 months, 1 week ago

mlantonis is correct - the answer here should be C. Assign the Global administrator...
Assigning the owner role to the "tenant root" (not the subscription) or the resource policy contributor role wouldve been enough
access for user1 but that is not one of the options in the choices. so the only choice that works is C.
upvoted 1 times
  Rajash Highly Voted  9 months, 3 weeks ago

Ans C:
other users to manage
it.
upvoted 47 times
  Negrinho 9 months, 3 weeks ago

No, the correctly answer is B.
C is to control Azure AD (Global Administrators), not to control Management group.
If you need to control Management group, use: Access control (IAM)> Add role assignment> Role> Owner or Contributor (in this case
you will use Owner). Don't exist "Global Administrators" inside of Access control (IAM)> Add role assignment.
The link between Azure AD and Management group will allow that you choose an user of your Azure AD, but not will inherit Azure AD
role.
upvoted 35 times
  mdyck 9 months ago

This is right. Check the chart in this link. Owners assign policy.
https://docs.microsoft.com/en-us/azure/governance/management-groups/overview#management-group-access
upvoted 5 times

How can it be right when the question specifies the root management group and B specifies a child subscription? The only way to
ensure they can make changes to the root management group is to make them a GA on the tenant and then they can assign
themselves the owner permissions to that group.
upvoted 2 times

B cant be right because the owner access is given at subscription level only.
upvoted 2 times

I agree. Basically there are 3 RBAC methods. They are for
1) Azure AD
2) Azure resources including Management group
3) Classic (used by Subscription)
upvoted 1 times
  brainmind 7 months, 2 weeks ago

The answer is C, the user should be a GA and then elevate themselves to gain access.
upvoted 3 times
  PersonT 7 months, 1 week ago

True. https://docs.microsoft.com/en-us/azure/governance/management-groups/overview
upvoted 1 times
  practical_93 Most Recent  2 weeks ago

Selected Answer: C
Should be C
upvoted 1 times
  Bahubali1988 1 month ago

ALL WRONG ANSERS IN THIS DUMP!
upvoted 1 times
  Kyniska 2 weeks, 3 days ago

thats why you read the comments
upvoted 3 times

Selected Answer: C
Correct Answer: C
upvoted 2 times

Selected Answer: B
You only need to assign to user1 to the linked AD. Global administrator has a board permission within Azure.
upvoted 1 times
  sam_core 1 month, 3 weeks ago

Selected Answer: C
global admin has right in root management group
upvoted 1 times

Selected Answer: C
Correct Answer: C
upvoted 1 times

Question #33Topic 2
You have an Azure subsc
upvoted 1 times

Selected Answer: C
Reference:
upvoted 2 times
  Shanti 2 months ago

I will go with B - as you never give Global Admin roles to a user account, based on Microsoft best practices, you would always delegate
using RBAC
upvoted 3 times

C
"How does elevated access work?
However, if you are a Global Administrator in Azure AD, you can assign yourself access to all Azure subscriptions and management groups
in your directory. "
So You need Global Administrator
https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin
upvoted 1 times
  Sue04 2 months, 1 week ago

Selected Answer: C
Correct Answer: C
upvoted 2 times
  Greg_M 2 months, 2 weeks ago

Selected Answer: C
From mlantonis:
Correct Answer: C
Reference:
upvoted 2 times
  balakadyan 2 months, 3 weeks ago

Selected Answer: C
Check comment by mlantonis
upvoted 2 times

Correct Answer: B Never give out Global Admin rights. Owner role can perform all functions/roles.
upvoted 5 times
  xmrcdvr 1 month, 2 weeks ago

Agree.. Principle of Least Privilege
upvoted 1 times
  stevhas 3 months ago

I think in the question we have to assume that the "you" already has GA access so therefore the "you" would need to assign owner to
user1 so that user1 can assign/apply policies
upvoted 4 times
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant named adatum.com. Adatum.com contains the groups in the following table.
You create two user accounts that are configured as shown in the following table.
Of which groups are User1 and User2 members? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: Group 1 only -
First rule applies -
Box 2: Group1 and Group2 only -
Both membership rules apply.

Reference:
https://docs.microsoft.com/en-us/sccm/core/clients/manage/collections/create-collections

Correct answer.
User 1: Group 1 only
User 2: Group 1 & 2
upvoted 27 times
  Lizisawhiz 1 month ago

Its wrong! User 2 doesn't have O365 license. Both users can be assigned to only Group1
upvoted 3 times
  BABRUISKWARRIOR 4 days, 11 hours ago

No, you are wrong. I just created a Microsoft 365 Group and added a user into it with no O365 license. Since it's a dynamic group,
the answer above is correct.

User 2: Group 1 & 2
upvoted 1 times
  DevOpposite 4 months, 2 weeks ago

why cant user 1 not be in grp 3 plz?
upvoted 2 times

Someone has to assign users to Group3 if they have to be part of it and there is no mention of manual assignment in the question.
upvoted 12 times

Thank you for the clarification.
upvoted 1 times

thank you
upvoted 1 times
  Chi1987 4 months, 3 weeks ago

I dont agree, User 1 is Office licensed, he can not be in Gr1. and user 2 is not with office license
Correct answer
User1 Group 3
User2 Group 1
upvoted 1 times

license has nothing to do with it.
upvoted 11 times

upvoted 3 times

Tested in lab.
User 2: Group 1 & 2
upvoted 13 times

Got this one on exam recently. my answer:
User 2: Group 1 & 2
upvoted 1 times
  anshad666 1 week ago

why Group type not considering here?
upvoted 1 times

upvoted 2 times
  drae2210 3 weeks, 4 days ago

It states that user1 was assigned an O365 license, so why doesn't user1 qualify for group 3?
upvoted 1 times

Technically user1 could be added to group 3 no problem but the question vaguely implied that the question is based on automatic
membership.
upvoted 2 times
  LCC92 1 month, 1 week ago

The answer is correct.
Dynamic user: Users which match the rule will be automatically added to the group.
Assigned: Users can only be added to the group manually.
upvoted 1 times
  Barrie 2 months ago

This answer is not case-sensitive?
upvoted 2 times

user 1: group 1
user 2: 1 & 2
upvoted 1 times
  azsan 2 months, 2 weeks ago

User1 : Group3
Reason : as user1 has office 365 license and department is Human Resource so Group2 is not applied as membership rule is not in
"Human Resources"
User2 : Group1
Reason: as this user2 is not havin office 365 and city starts with "m" as city name is Melborne
upvoted 1 times

Correct answer.
User 2: Group 1 + 2
upvoted 10 times

It's a trick question - Microsoft expects those that don't understand licensing to pick just group 1 for the 2nd answer.
upvoted 1 times

User1 - Group1 only: City starts with an "M." User1 is part of Human resources so is not allowed into Group2.
User2 - Group1 and Group2: City starts with an "M." User2 without an Office 365 license will be allowed into the group but the license will
not be assigned to it "unless that option is configured for assigning licenses to users assigned to that group" The error happens in the
background while the Azure AD service is assigning licenses. For this reason, the errors can't be communicated to you immediately.
Instead, they're recorded on the user object and then reported via the administrative portal.
Someone has to assign users to Group3 and there is no mention of manual assignment in the question.
And as far as the Group type: There is really no difference between a Security Group and an Office 365 Group.
https://www.bdo.com/digital/insights/cloud/demystifying-office-365-groups
https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-tutorial
upvoted 10 times

Thank you for the detailed explanation. This is not covered on the az104 courses provided by Microsoft.
upvoted 2 times
HOTSPOT -
You have a hybrid deployment of Azure Active Directory (Azure AD) that contains the users shown in the following table.
You need to modify the JobTitle and UsageLocation attributes for the users.
For which users can you modify the attributes from Azure AD? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: User1 and User3 only -

You must use Windows Server Active Directory to update the identity, contact info, or job info for users whose source of authority is Windows
Server Active
Directory.
Box 2: User1, User2, and User3 -

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal

Correct Answer:
Box 1:User1 and User3 only

You must use Windows Server Active Directory to update the identity, contact info, or job info for users whose source of authority is
Windows Server Active Directory.
Box 2: User1, User2, and User3
Usage location is an Azure property that can only be modified from Azure AD (for all users including Windows Server AD users synced via
Azure AD Connect).
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal
upvoted 77 times

Thank you for the clarification. I am shocked to see how little I know. I swear after following Microsoft’s course I feel like the goal wasn’t
really to prepare me for the exam at all.
upvoted 3 times
  hakanbaba Highly Voted  1 year, 2 months ago

I've checked on my AAD, answer is correct
upvoted 40 times
  Kiano 10 months, 1 week ago

I have also checked but I can see that you can change both job title and usagelacation for all type of identities. even the ones that have
been synchronized from on-prem AD.
Maybe this is an update since you published your comment, but anayways I think both answers should be User1, 2 and 3.
upvoted 4 times
  Kiano 9 months ago

The answer is actually right. Although both usagelocation and jobtitle can directly be updated in Azure AD for all type of users,
jobtitle can probably be overwritten by the synchronization process, although usagelocation is more an Azure AD type of attribute.
But the question is tricky. it asks: "For which users can you modify the attributes from Azure AD? ". Both can b updated directly in
Azure AD, although Jobtitle could be overwritten by the sync.
upvoted 2 times

Thank you for the info.
upvoted 1 times
  Somewhatbusy 1 year, 1 month ago

Yes its correct. 100% agreed
upvoted 6 times
  ayushbisht Most Recent  4 months ago

correct answer :
jobtitle :user1 and user 3
usage location : 1,2 and 3
upvoted 1 times

Passed 11 Oct 2021 with 947. This question appeared, correct Answer
upvoted 5 times
  silver_bullet666 5 months, 1 week ago

I have tested this on 14/09/2021
JobTitle can be modified in AzureAD for;
User1 (AzureAD)
User3 (Guest)
JobTitle CANNOT be modified for User2 (Windows Server AD synced account)
Usage Location can be modified for;

User1 (AzureAD)
User2 (Windows Server AD synced account)
User3 (Guest)
tldr; the answer in the image is correct.

upvoted 6 times
  Nilz76 7 months, 3 weeks ago

I've just sync'd 2 users from On-Prem AD (via AAD Connect) and I cannot amend/edit/modify the Job title attribute (it's greyed out). I can
however, modify the Usage Location (for the On-prem sync'd user)
I also created 2 Azure AD Users including one guest user, and I can edit both job title and usage location.
upvoted 3 times
  hajurbau 3 months ago

Is the write back enabled from AAD to Ad?
upvoted 1 times

correct
upvoted 1 times

User1 & User 3
User1, User2 & User3
User2 - job info can't be modified via AAD. Option grayed out on edit.
upvoted 3 times

Provided answer is correct as per documention.

upvoted 1 times
  ajaz 8 months, 3 weeks ago

Provided answer is correct.
In the following link - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal
under "Note:' section it is very clearly mentioned that Windows AD users should be modified from source and wait for sync to AAD.
You must use Windows Server Active Directory to update the identity, contact info, or job info for users whose source of authority is
Windows Server Active Directory. After you complete your update, you must wait for the next synchronization cycle to complete before
you'll see the changes.
upvoted 3 times

upvoted 2 times
  Raj_Rock 8 months, 2 weeks ago

I think this is a BOT or just creating SPAM messages in the discussion forum.
upvoted 5 times

A bot or somebody very lazy
upvoted 5 times

Tested, Answer is Correct
upvoted 2 times
  codingsam 10 months, 4 weeks ago

the answer should be User1 and User3 for both as in a hybrid environment where the user is on Windows Server AD then the
synchronization is only one way i.e. from on-prem AD to the AAD so changes to the job info or the usage location for User 2 should be
done through on-prem AD only.
upvoted 1 times

you actually have a point. I can see we can change both attributes for the synched identities, but I guess you are right. Both can be
overwitten by the sync progress.
upvoted 1 times

upvoted 2 times

AAD is answer
upvoted 1 times
  Neonlight8 1 year ago

JobTitle: i think the keyword here is "...modify from Azure", you can't modify Windows Server AD (on-premise attribute) from Azure under a
hybrid deployment. Therefore User 1 and User 3 only. Job Title attribute does exist for Guest account so this covers MS Account under
User 3
Usage Location: User 1, User 2, User 3. Because this attribute is an Azure AD not onpremise therefore you can modify "From Azure"
upvoted 13 times
  codingsam 10 months, 4 weeks ago

Usage Location is there on on-prem AD under attributes.
upvoted 1 times

Responses are correct:
- Job Title: for all but not Windows Server AD users
- Usage location is an Azure property that can only be modified from Azure AD (for all users including Windows Server AD users synced via
Azure AD Connect
upvoted 6 times
You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an
Azure subscription.
Solution: You assign the Network Contributor role at the subscription level to Admin1.
A. Yes
B. No
Correct Answer: A
Your account must meet one of the following to enable traffic analytics:
Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or network contributor.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq

Correct Answer: A - Yes
Your account must have any one of the following Azure roles at the subscription scope: Owner, Contributor, Reader, or Network
Contributor.
Network Contributor role - Lets you manage networks, but not access to them.
Traffic Analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Traffic analytics
analyzes Network Watcher network security group (NSG) flow logs to provide insights into traffic flow in your Azure cloud.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics#user-access-requirements
upvoted 50 times
  twambala 5 months, 2 weeks ago

how can yu
upvoted 3 times
  twambala 5 months, 2 weeks ago

how can one manage something if he does not have access to it
upvoted 2 times
  rsharma007 5 months ago

they are two different permissions- a NC role can manage the resources, but he/she can't grant access to those resources to
anyone else. That can be done by roles with 'access' permissions such as 'owner'
upvoted 2 times

Thank you for clarifying! Much appreciated.
upvoted 1 times
  RithuNethra Highly Voted  1 year, 2 months ago

correct answer
upvoted 21 times

A is right
upvoted 1 times
  CraigB83 5 months, 2 weeks ago
User access requirements

Your account must be a member of one of the following Azure built-in roles:
USER ACCESS REQUIREMENTS

Deployment model Role
Resource Manager Owner
Contributor
Reader
Network Contributor
upvoted 1 times
  jvincent 5 months, 3 weeks ago

If you provide only network contributor to admin1 then try to enable Traffic Analytics, the Storage Account and Log Analytics Workspace
value required to enable it will not be present. Hence, you cannot enable with Network Contributor.
Answer is No.
upvoted 2 times

in exam 7/3/2021
upvoted 3 times
  Radhaghosh 8 months ago

To enable traffic analytics, your account must have any one of the following Azure roles at the subscription scope: owner, contributor,
reader, or network contributor.
So Answer is Correct
upvoted 1 times

A is correct! Contributor role!
upvoted 1 times
  Mich132 8 months, 2 weeks ago

So normally a Contributor is not allowed to assign a role "Grants full access to manage all resources, but does not allow you to assign roles
in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries." But this is an exception?
upvoted 1 times

Correct Answer
upvoted 1 times

Answer is Correct
upvoted 1 times

A is correct!
upvoted 3 times
  Sandroal29 11 months, 3 weeks ago

Given answer is correct.
upvoted 1 times
  StixxNSnares 11 months, 4 weeks ago

A!
Reference: https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-
faq#:~:text=Your%20account%20must%20meet%20one,%2C%20reader%2C%20or%20network%20contributor.
upvoted 1 times

A. is correct (network contributor at subscription scope)
upvoted 2 times
  waterzhong 1 year ago

Traffic Analytics requires the following prerequisites:
A Network Watcher enabled subscription.

Network Security Group (NSG) flow logs enabled for the NSGs you want to monitor.
An Azure Storage account, to store raw flow logs.
An Azure Log Analytics workspace, with read and write access.
upvoted 1 times
  ms70743 1 year, 1 month ago

Answer is Yes.
upvoted 1 times
Azure subscription.
Solution: You assign the Owner role at the subscription level to Admin1.
A. Yes
B. No
Correct Answer: A
Reference:

A (100%)

Correct Answer: A
Your account must have any one of the following Azure roles at the subscription scope: Owner, Contributor, Reader, or Network
Contributor.
Network Contributor role - Lets you manage networks, but not access to them.
Reference:
upvoted 28 times

correct answer
upvoted 12 times
  Tukarammane Most Recent  1 week, 4 days ago

Selected Answer: A
correct answer is A
upvoted 1 times

correct answer is A
upvoted 1 times
  JohnPhan 3 months, 3 weeks ago

Answer is A:
upvoted 1 times

in exam 7/3/2021
upvoted 3 times
  moota 7 months, 3 weeks ago

Bad practice because not doing LAC
upvoted 1 times

A is correct. Contributor or Owner role.
upvoted 1 times

Answer is Correct
upvoted 1 times

A is correct!
upvoted 2 times
  Horhe 12 months ago

Answer is correct
upvoted 1 times

A. is correct (owner at subscription scope)
upvoted 1 times
  ar_vinoth 1 year ago

Correct answer A
upvoted 1 times
  kashi1983 1 year ago

Answer is A
upvoted 1 times
  ms70743 1 year, 1 month ago

A is correct
upvoted 2 times

Answer is correct "Yes"
upvoted 8 times
  Nalex9ja 1 year, 2 months ago

the given answer is the correct answrer
upvoted 3 times
Azure subscription.
Solution: You assign the Reader role at the subscription level to Admin1.
A. Yes
B. No
Correct Answer: A
Reference:

B (100%)
  asmodeus Highly Voted  1 year, 2 months ago

Traffic Analytics requires the following prerequisites:
A Network Watcher enabled subscription.

Network Security Group (NSG) flow logs enabled for the NSGs you want to monitor.
An Azure Storage account, to store raw flow logs.
An Azure Log Analytics workspace, with read and write access.
upvoted 35 times
  xMilkyMan123 7 months, 3 weeks ago

https://github.com/MicrosoftDocs/azure-docs/issues/77499 Dont believe everything you read on the internet. Go and test things for
yourself. Even Microsoft official articles can misword things sometimes
upvoted 9 times

I agree with you
upvoted 2 times
  visave 1 year, 2 months ago

got it.
https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-
faq#:~:text=Your%20account%20must%20meet%20one,%2C%20reader%2C%20or%20network%20contributor.
upvoted 4 times
  MountainW 10 months, 2 weeks ago

The key is to enable, not to use. The article is about to use. The answer is not correct.
upvoted 6 times

The requirements above state..
Your account must meet one of the following to ***enable**** traffic analytics:
Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, ***reader***, or
network contributor.
So it is correct
upvoted 5 times
  jot2 1 month, 2 weeks ago

The article is wrong in this case. I tried it out. A user with Reader role can't enable Traffic Analytics.
upvoted 3 times
  nNeo 9 months, 1 week ago

Although the article specified, but reader role can't change (or enable) "Traffic Analytics status" setting in NSG flow log settings. IMO,
that article should be edited.
upvoted 6 times
  visave 1 year, 2 months ago

As per your description the answer is A. could you please paste the source of the information.
upvoted 1 times
  Nicodebian 1 year, 2 months ago

upvoted 3 times

Reader role - View all resources, but does not allow you to make any changes.
Reference:
upvoted 29 times
  xupiter 7 months, 3 weeks ago

"Reader role - View all resources, but does not allow you to make any changes."
So that means this role doesn't allow you to enable traffic analytics.
So it cannot be "Yes".
upvoted 6 times

Yet it is "Yes". You can blame Microsoft for the confusion.
upvoted 1 times
  hercu 7 months, 3 weeks ago

I think the answer is correct as it's assumed that the prerequisites to use traffic analytics are already met. Refering to:
https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq#what-are-the-prerequisites-to-use-traffic-analytics-
As a result, as stated just few lines below, all following roles: Owner, Contributor, Reader, or Network Contributor are sufficient to
enable Traffic Analytics.
upvoted 1 times
  byuq Most Recent  1 week, 2 days ago

Selected Answer: B
B is the correct answer. You can't enable or disable anything with a reader role.
upvoted 4 times

Correct answer is NO. A reader role cant change settings in this question.
upvoted 2 times

Are there other network related services (other than "Traffic Analytics") that can be "changed / enabled" by a Reader account?
upvoted 1 times
  sureshGuntha 2 months ago

Answer is B for this. As in the questions its clearly asks below You need to ensure that an Azure Active Directory (Azure AD) user named
Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription. Reader can only read the things and he cannot
enable oe modify so correct answer for this is B
upvoted 3 times
  ShanYuen 2 months, 3 weeks ago

Correct.
What MS mean by "enable" is to Use, not to Create.
Traffic analytics cannot "disable" isn't ? it just a feature to view netflow log.
If you force that mean is to Create, you need to create Log Analytics workspace and storage account which even network contributor
cannot do.
Than the previous question is wrong too, because even network contributor cannot enable/create it.
upvoted 2 times

This is another Microsoft gotcha - they are testing if you understand Subscription level access; remember most sandbox environments do
not allow playing above the provided resource group, as such Microsoft love to test concepts that can only be learnt with a full tenant level
account.
upvoted 1 times
  Jungelgutten 3 months, 2 weeks ago

Enable or use? Same, same, but different...according Microsoft. Microsoft's wording is actually "Your account must meet one of the
following to enable traffic analytics:
Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or network
contributor."
So A is definitely the answer.
upvoted 1 times

Answer: A
https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq#what-are-the-prerequisites-to-use-traffic-analytics-
upvoted 1 times

Answer must be B.
Reader role is not allowed to perform any action, and the question is clearly to enable the traffict analytics.
There is no sense to make a case question where all the options are yes, plus there is a miss conception of reader access.
Everyone could interpret this question at their own understanding, however the answer is clear.
upvoted 3 times

A little counterintuitive but a reader has the right to enable traffic analytics. Hint: How are you going to read it if you can't enable it? Is
there any security hazard if you do?
upvoted 2 times

I am still confused, how come a Reader make changes ? has anybody tested it ? which is the correct ? is A or B ? can someone confirm ?
thank!
upvoted 2 times
  Spandrop 6 months, 3 weeks ago

I'm seeing people justifying the answer based on the following article:
But the article is about "to use" and the question is to "enable", so I would go with a NO.
upvoted 1 times
  Gyanshukla 6 months ago

Recheck the article. It clearly says and same tested in lab.
contributor.
upvoted 2 times

The answer is yes. if you carefully read the faq , you would see its written as to enable traffic analytics .
****Your account must meet one of the following to enable traffic analytics:***
contributor.
upvoted 2 times

please, disregard my comment ...
upvoted 1 times

in exam 7/3/2021
upvoted 6 times
  EderAprigio 5 months ago

tks to reply
upvoted 1 times

How is this A? How can you read your way to enabling anything
upvoted 2 times
  VRK2999 7 months, 3 weeks ago

Your account must meet one of the following to enable traffic analytics: Your account must have any one of the following Azure roles at
the subscription scope: owner, contributor, reader, or network contributor.
upvoted 1 times
You have an Azure subscription that contains a user named User1.

You need to ensure that User1 can deploy virtual machines and manage virtual networks. The solution must use the principle of least privilege.
Which role-based access control (RBAC) role should you assign to User1?
A. Owner
B. Virtual Machine Contributor
C. Contributor
D. Virtual Machine Administrator Login
Correct Answer: B
Virtual Machine Contributor: Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're
connected to.
Incorrect Answers:
A: Owner: Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
C: Contributor: Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC.
D: Virtual Machine Administrator Login: View Virtual Machines in the portal and login as administrator.
Reference:

C (93%) 7%
  wooyourdaddy Highly Voted  1 year, 2 months ago

Should the answer be C. Contributor? Answer B, only allows the managing of the VM's and not the Virtual Networks as stated in the
question.
upvoted 145 times
  Alim786 9 months, 4 weeks ago

Tested in lab and "Virtual Machine Contributor" cannot manage VNET. Therefore answer is "Contributor"
upvoted 56 times
  brakonda 4 months, 2 weeks ago

Admin given answer in description is B but if yo read description carefully it says B can only manage VM and not the network
upvoted 4 times
  ciscogeek 10 months, 3 weeks ago

Whatever Manage means by Microsoft standards, as per the doc they say, VM Contributor can manage.
Virtual Machine Contributor Lets you "manage" virtual machines, but not access to them, and not the virtual network or storage
account they're connected to.
I would go for B.
upvoted 2 times
  Gadzee 1 month ago

I would go for B taking into account that they say "least privilege"
upvoted 1 times
  brico 7 months, 3 weeks ago

Can't be B. As you mentioned in your response, "and not the virtual network...". C is the correct answer.
upvoted 6 times
  Hari2017 12 hours, 27 minutes ago

Answer is C because though the question says least privilege it should meet both the conditions of managing VMs & VNets.
upvoted 1 times

You are right, definitely, we need to assign a role of contributor, as the virtual machine contributor isn't enough - can't even manage
the virtual networks to which the VM is attached to. See details: https://docs.microsoft.com/en-us/azure/role-based-access-
control/built-in-roles
upvoted 1 times

Correct Answer: C
Only Owner and Contributor can perform the actions, but we need to follow the least privilege principal, so Contributor.
A: Owner- Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
B: Virtual Machine Contributor - Create and manage virtual machines, manage disks and disk snapshots, install and run software, reset
password of the root user of the virtual machine using VM extensions, and manage local user accounts using VM extensions. This role
does not grant you management access to the virtual network or storage account the virtual machines are connected to. This role does
not allow you to assign roles in Azure RBAC.
C: Contributor - Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in
Azure Blueprints, or share image galleries.
D: Virtual Machine Administrator Login - View Virtual Machines in the portal and login as administrator.
Reference:
upvoted 66 times

upvoted 1 times
  PeterHu 2 days, 18 hours ago

should manage VNET ,not just VM
answer shoukd be C
upvoted 1 times
  Mostwanted_Momentum 1 week, 1 day ago

Virtual Machine Contributor -Create and manage virtual machines, manage disks, install and run software, reset password of the root user
of the virtual machine using VM extensions, and manage local user accounts using VM extensions. This role does not grant you
management access to the virtual network or storage account the virtual machines are connected to
Hence answer is Contributor role

upvoted 2 times
  Mostwanted_Momentum 1 week, 1 day ago

Virtual Machine Contributor - This role does not grant you management access to the virtual network or storage account the virtual
machines are connected to.
upvoted 1 times

Virtual Machine Contributor Create and manage virtual machines, manage disks and disk snapshots, install and run software, reset
password of the root user of the virtual machine using VM extensions, and manage local user accounts using VM extensions. This role
does NOT GRANT YOU management access to the virtual network or storage account the virtual machines are connected to. This role does
not allow you to assign roles in Azure RBAC.
upvoted 2 times
  supernan 1 month ago

I think B is right. please refer to: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-
contributor.
Virtual machine contributor role include the create VM permission.
Microsoft.Compute/virtualMachines/* || Perform all virtual machine actions including create, update, delete, start, restart, and power off
virtual machines. Execute scripts on virtual machines.
upvoted 1 times

But the it doesn't allow management of virtual network. The question asking what is the lowest role that can be used in the list of
answers to do both creating VM but also manage VNets.
A "VM" contributor cannot manage a VNet. Therefore B is most definitely wrong.

upvoted 1 times
  madshark 1 month, 1 week ago

Selected Answer: C
I have seen this on another test exam as C. Contributor as the Virtual Machine Contributor role doesn't have permission to management
Networks. This makes sense
upvoted 1 times
  only_juans 1 month, 2 weeks ago

Selected Answer: C
You need Contributor Role to have permissions to manage VNETs and VMs with a single role.
upvoted 1 times

Selected Answer: B
There is a virtual machine contributor in role assignment.
Ref.
https://docs.microsoft.com/en-us/azure/role-based-access-control/quickstart-assign-role-user-portal
upvoted 1 times

Selected Answer: C
the answer is C
upvoted 2 times

Selected Answer: C
C: Contributor: Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC.
upvoted 1 times
  din_sub077 2 months ago

Selected Answer: C
C is correct
upvoted 2 times
  merlot78 2 months ago

Selected Answer: C
Virtual machine contributor does not allow managing of virtual networks
upvoted 2 times

Ans : C
Its contributor and not VM contributor
upvoted 1 times

Contributor
upvoted 1 times
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant that contains three global administrators named Admin1, Admin2, and Admin3.
The tenant is associated to an Azure subscription. Access control for the subscription is configured as shown in the Access control exhibit. (Click
the Access
Control tab.)
You sign in to the Azure portal as Admin1 and configure the tenant as shown in the Tenant exhibit. (Click the Tenant tab.)

Hot Area:
Correct Answer:
Box 1: No -
Only Admin3, the owner, can assign ownership.
Box 2: Yes -
Box 3: No -
Reference:
https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/add-change-subscription-administrator

Correct Answer:
Azure (RBAC) and Azure AD roles are independent. AD roles do not grant access to resources and Azure roles do not grant access to Azure
AD. However, a Global Administrator in AD can elevate access to all subscriptions and will be User Access Administrator in Azure root
scope.
All 3 users are GA (AD) and Admin3 is owner of the subscription (RBAC).
Admin1 has elevated access, so he is also User Access Admin (RBAC).
To assign a user the owner role at the Subscription scope, you require permissions, such as User Access Admin or Owner.
Box 1: Yes
Admin1 has elevated access, so he is User Access Admin. This is valid.
Box 2: Yes
Admi3 is Owner of the Subscription. This is valid.
Box 3: No
Admin2 is just a GA in Azure AD scope. He doesn’t have permission in the Subscription.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal-subscription-admin
upvoted 150 times

Correct answer: Yes, Yes, No
Tested in lab after lots if time spent switching back and forward.
Initially I thought Yes/No/Yes but I was wrong
upvoted 2 times

Unless configure the elevated access for Admin 2 right? making admin2 user access administrator.
upvoted 1 times
  ashish2201 Highly Voted  8 months, 4 weeks ago

Answer is correct, tested in Lab
1. No : Admin1 is a Global Administrator at Tenant which does not give it permission on subscription therefore cannot assign Owner Roles
2. Yes : Admin 3 is Global Administrator + Owner of Subscription therefore can assign Owner role to other user.
3. NO : Admin2 is Global Administrator for Tenant and do not have any rights on Subscription thereofore cannot create resources in it.
upvoted 31 times
  ashish2201 8 months, 4 weeks ago

Kindly ignore my previous comment, below is the correct one
1. Yes : Admin1 is a Global Administrator at Tenant which does not give it permission on subscription but as per exibit it has taken
control to manage access to all Azure subscriptions therefore it now has access to manage subscription therefore can assign role to
other users.
2. Yes : Admin 3 is Global Administrator + Owner of Subscription therefore can assign Owner role to other user.
3. NO : Admin2 is Global Administrator for Tenant and do not have any rights on Subscription therefore cannot create resources in it.
upvoted 43 times

Even if your a global administrator at the Tenant level you can grant the access of owner to any other user to in tenant for the
subscription. Simple example is the default account through which you have registered is global admin, if you have created another
user account you can very well assign a owner role to him for a sub
upvoted 1 times
  FTAZIT Most Recent  3 weeks, 5 days ago

Where does it say that Admin 3 is owner at the scope subscription level? It just says owner at "this resource". What is this resource?
upvoted 1 times
  yolap31172 2 weeks, 4 days ago

"Access control for the *subscription* is configured as shown in the Access control exhibit"
upvoted 1 times
  Pradh 1 month, 1 week ago

Dont even bother to check what others say in discussion.
No
Yes
NO
upvoted 1 times

It is correct since only owner can assign ownership.
upvoted 1 times

YES
YES
NO
upvoted 1 times
  deadhead82 1 month, 4 weeks ago

On the solution page please change the Box1 to Yes. User1 has the "user access administrator" role per exhibit screenshot. Which means
User1 can assign new roles to other users on Azure subscription and/or individual resources.
upvoted 1 times

No, Yes, No
For Admin1, if you look at the exhibit, the elevation is select 'Yes' for admin1 but haven't hit 'save' yet('save' is highlighted), so admin1 still
have no permission to the subscription.
Hence the first questions is 'no'
upvoted 3 times
  yoelalan14 3 months ago

Okay, so I kept thinking that the right answer was N, Y, N until I read carefully that Admin1 is a global admin of the subscription... a-ha!
upvoted 1 times
  leotoronto123 3 months ago

no, yes, no is the correct anwser
upvoted 1 times

interesting as it clearly states in the exhibit that admin1 can manage everything
upvoted 1 times

Interesting! I always forget that Azure AD and Azure resources are secured independently from one another. Anyway, answer is Yes, Yes,
No!
upvoted 1 times

exam 10/09/21
upvoted 4 times

In Exam 21/08/2021, answer: YYN
upvoted 8 times

It's Yes, Yes, Yes
Admin3 is Owner of the subscription which means he can do anything, virtually, to the subscription
Admin1 has been set as User Access Administrator in that second screenshot. Which gives him the right to manage every single resource
in the subscription
upvoted 1 times
  barcellos 6 months, 2 weeks ago

no, yes, no is a Correct Answer! the answser is based in the in the question scope. the questions don´t make reference how to access for
admin1
upvoted 1 times
  JimBobSquare101 6 months, 3 weeks ago

In exam 30 June 2021
upvoted 4 times
You have an Azure subscription named Subscription1 that contains an Azure virtual machine named VM1. VM1 is in a resource group named RG1.
VM1 runs services that will be used to deploy resources to RG1.
You need to ensure that a service running on VM1 can manage the resources in RG1 by using the identity of VM1.
A. From the Azure portal, modify the Managed Identity settings of VM1
B. From the Azure portal, modify the Access control (IAM) settings of RG1
C. From the Azure portal, modify the Access control (IAM) settings of VM1
D. From the Azure portal, modify the Policies settings of RG1
Correct Answer: A
Managed identities for Azure resources provides Azure services with an automatically managed identity in Azure Active Directory. You can use
this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.
You can enable and disable the system-assigned managed identity for VM using the Azure portal.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm

A (100%)

Correct Answer: A
Managed identities for Azure resources provides Azure services with an automatically managed identity in Azure Active Directory. You can
use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code. You can
enable and disable the system-assigned managed identity for VM using the Azure portal.
RBAC manages who has access to Azure resources, what areas they have access to and what they can do with those resources. Examples
of Role Based Access Control (RBAC) include: Allowing an app to access all resources in a resource group Policies on the other hand focus
on resource properties during deployment and for already existing resources. As an example, a policy can be issued to ensure users can
only deploy DS series VMs within a specified resource
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm
upvoted 50 times
  Biswa1989 6 months, 1 week ago

Your answers are quiet correct.
upvoted 2 times
  fedztedz Highly Voted  1 year ago

Answer is correct "A" Modify Managed Identities.
upvoted 44 times

got this one on exam recently. my answer is A.
upvoted 1 times
  homer2563 2 weeks ago

Selected Answer: A
100 % a
upvoted 2 times

upvoted 9 times

You could guess what the answer is. Although, in Microsoft Learn, this topic is poorly explained. The answer is A.
upvoted 1 times
In exam 30 July 21
.
upvoted 5 times
  hard2learn 6 months, 3 weeks ago

how many questions came from this question bank in your exam?
upvoted 1 times

This question was on Jul 23, 2021 - passed the exam.Answer A is correct
upvoted 5 times
  deepu1982 7 months ago

Modify Managed Identities is the right answer
upvoted 3 times

upvoted 4 times

any labs?
upvoted 1 times

A is correct!
upvoted 2 times

Actually this is a tricky question.
However, according to this link https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-
windows-vm-access-arm
where exactly this scenario is described, they go directly to IAM of the RG and select the VM there.
I assume the managed Identity of the VM is then automatically enabled if it is not already enabled.
So the correct answer would be actually B!

upvoted 3 times
  Shailen 7 months, 3 weeks ago

Not correct since system managed identity is not automatically enabled until specify during VM creation through portal or arm
template. This first step is to enable it by going into identity settings so given answer is correct!
upvoted 3 times

I stand corrected: Under that link under prereqs they mention: "You also need a Windows Virtual machine that has system assigned
managed identities enabled."
Yes, answer A is correct!
upvoted 4 times
  Kctaz 8 months, 3 weeks ago

In case anyone still has doubt : A is correct.
When you go to VM menu and Identity, you can choose to assign an identity to the VM to register it in Azure AD. Then, you can give the
role you need to this managed identity (you can choose the scope and the role).
Easy, fast, and very practical.
upvoted 4 times

upvoted 4 times
  mdyck 9 months, 2 weeks ago

Go to VM > Identity > System Assigned > Status On > Azure role assignments > Scope Resource group > Contributor
"Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC"
I think managed identity is the way to go.

upvoted 5 times
  MayBe 9 months, 2 weeks ago
To answer the question you have to first understand the difference between Managed Identity (a.k.a RBAC) and Access Control policies
(IAM)
RBAC manages who has access to Azure resources, what areas they have access to and what they can do with those resources. Examples
of Role Based Access Control (RBAC) include: Allowing an app to access all resources in a resource group
Policies on the other hand focus on resource properties during deployment and for already existing resources. As an example, a policy can
be issued to ensure users can only deploy DS series VMs within a specified resource
(https://techcommunity.microsoft.com/t5/itops-talk-blog/governance-101-the-difference-between-rbac-and-policies/ba-p/1015556?
WT.mc_id=ITOPSTALK-reddit-abartolo)
So the answer is A
upvoted 3 times
  Moley 11 months ago

Answer A will not achieve the goal. The VM identity will not have rights to the resource group. The question implies the VM has an identity.
The correct answer is B where you use IAM to grant the identity permissions to the resource group.
upvoted 4 times
  alexandvvvvv 10 months, 2 weeks ago

You are right that answer A will not achieve the goal but the question is not about that, it is about the first action you have to do to
achieve the goal. Also for me it does not look like it is said that VM already has an identity. I think they mean just that an identity should
be used and to achieve that you have to configure it. So I think it is A.
upvoted 4 times
You have an Azure subscription that contains a resource group named TestRG.
You use TestRG to validate an Azure deployment.
TestRG contains the following resources:
You need to delete TestRG.

A. Modify the backup configurations of VM1 and modify the resource lock type of VNET1
B. Remove the resource lock from VNET1 and delete all data in Vault1
C. Turn off VM1 and remove the resource lock from VNET1
D. Turn off VM1 and delete all data in Vault1
Correct Answer: C
When you delete a resource group, all of its resources are also deleted. Deleting a resource group deletes all of its template deployments and
currently stored operations.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/delete-resource-group?tabs=azure-powershell

B (70%) C (30%)
  Dips88 Highly Voted  9 months, 3 weeks ago

Answer should be B. A recovery service vault can not deleted unless all its backups are deleted permanently. And along with that definitely
resource lock has to be removed on vnet
upvoted 98 times
  mmtechsolutionsinc 1 day, 19 hours ago

true but q is what is first, vm off, delete off, then go to recovery service emty it, then remove RG
upvoted 2 times
  Allfreen 6 days, 6 hours ago

Why not answer ' A '
upvoted 2 times

https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault?tabs=portal
vault manuall deleted because it stays there 14 days.. B , is corect unswer, if it was sql you need to shutdown sql instances for backup
upvoted 1 times

Disagree. The more I think about this, the less "delete all data" makes sense as step one. Step one is to modify the VM's backup
configuration, but A doesn't make sense either.
I actually think they're correct. Easiest first step is to shut stuff off (not strictly needed) and remove the resource lock. Then disable soft-
delete if on, remove the backup configuration for VM1 and any backups, then you can turn down the RG.
upvoted 4 times

Correct Answer: B
When you delete a resource group, all of its resources are also deleted. Deleting a resource group deletes all of its template deployments
and currently stored operations.
As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally
deleting or modifying critical resources. The lock overrides any permissions the user might have.
You can't delete a vault that contains backup data. Once backup data is deleted, it will go into the soft deleted state.
So you have to remove the lock on order to delete the VNET and delete the backups in order to delete the vault.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources
https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault#before-you-start
upvoted 85 times
  monus 4 months, 2 weeks ago

backup can be taken even if vm is powered off. so, I think the answer is A.
upvoted 6 times

No, this is wrong. one of the reasons why resource groups were designed is to facilitate the deletion of resources in Dev environments.
You delete the RG and all its components are gone.
C is the answer.
upvoted 1 times

sorry, I meant Dev/Test environment. Think CI/CD.
upvoted 1 times
  Gyanshukla 6 months, 1 week ago

correct
upvoted 2 times

Remove the resource lock ,then delete all data in Vault1.B
upvoted 1 times
  practical_93 5 days, 12 hours ago

Selected Answer: B
Answer should be B. turning off the VM doesnt really matter. you need to delete all the data from the vault, and remove the locks in order
to delete the resource group.
upvoted 1 times
  SrChinaky 1 week, 4 days ago

Selected Answer: C
tells you what you should do first, and the first thing is what option c says
upvoted 1 times
  SrChinaky 1 week, 4 days ago

es la c
upvoted 1 times

B is correct. Here is going to delete a resource group. so there are two things to do: 1. remove the lock 2. turn off because you can't delete
a virtual network with subnets that are still in use by a virtual machine. "If you have the required access, but the delete request fails, it may
be because there's a lock on the resources or resource group. Even if you didn't manually lock a resource group, it may have been
automatically locked by a related service. Or, the deletion can fail if the resources are connected to resources in other resource groups
that aren't being deleted. For example, you can't delete a virtual network with subnets that are still in use by a virtual machine."
upvoted 1 times

Sorry, C is correct choice. my fault at the first comment, thanks.
upvoted 1 times

b, https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault?tabs=portal
upvoted 1 times

Selected Answer: C
You need to remove the lock from the VNET1, you will need to check that no devices are connected to the virtual network. B. it is incorrect
since you don't need to delete all data in Vault1. Data will delete when you delete TestRG
upvoted 2 times

no b, u need to delete data first manually, tested removing RG while backup vm happen ones with snap , and azure said that u have to
delete soft archive invault1
upvoted 1 times
  VeiN 1 month, 3 weeks ago

Why isn`t it A ? The lock part is obvious.
But you need to modify the backup first to stop backup procedure to be able to soft delete backups ect.
In answer B if you try to delete everything you won`t be able to do it for the backup
upvoted 3 times

In order to unlock the resources you need to turn off the virtual machine. So C seem to be correct.
upvoted 1 times
  ant_man 1 month, 3 weeks ago

Selected Answer: B
Recovery service vault can not be deleted until all backups are deleted permanently.
upvoted 2 times

tht is correct, without manually deleting all data in Vault1 u cant delete testrg and deleting all data in cault1 stops all backup already.
upvoted 1 times

answer:B. Remove the resource lock from VNET1 and delete all data in Vault1
upvoted 1 times
  Sab0tage 1 week, 1 day ago

Why do you wanna delete the data before stopping VM1 which is backup up? I can't see any other choice that first stop VM1 so there is
no active link for backup up to the vault.
upvoted 1 times
  helpaws 1 month, 3 weeks ago

Selected Answer: B
Answer should be B
upvoted 1 times
  HenriKI2 1 month, 4 weeks ago

Selected Answer: B
B.
If you don't remove the lock you can't delete the resource.
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json
If you don't stop all backups (and delete the data permanently), you can't delete the Vault.
Vault cannot be deleted as there are existing resources within the vault. Please ensure there are no backup items, protected servers, or
backup management servers associated with this vault. Unregister the following containers associated with this vault before proceeding
for deletion.
Recovery Services vault cannot be deleted as there are backup items in soft deleted state in the vault. The soft deleted items are
permanently deleted after 14 days of delete operation. Please try vault deletion after the backup items are permanently deleted and there
is no item in soft deleted state left in the vault. For more information, see Soft delete for Azure Backup.
Turning off a VM is NOT a requirement before deleting a RG. Just try it and you will see !
upvoted 1 times
  Cynite 1 month, 4 weeks ago

Selected Answer: B
B is correct.
upvoted 2 times

Answer is B…. you do not need to power off a VM to delete it, and unless the back ups are protected which it does not state that, you do
not need to modify the back up jobs. Simply remove the lock on the vnet and delete the data in the vault. Then you can delete the RG
without any other steps.
https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault#delete-protected-items-in-the-cloud
upvoted 2 times

Worth mentioning on that link it stipulates the below:
If the Delete Backup Data pane appears, enter the name of the backup item (this field is case-sensitive), and then select a reason from
the drop-down menu. Enter your comments, if you have any. Then, select Delete.
….
This option deletes scheduled backups, also deletes on-demand backups.
upvoted 1 times

Has to be C as A states "modify" the resources type, you could modify it to read. C states to remove the resource lock which needs to
happen in order to delete the vnet
upvoted 1 times
You have an Azure DNS zone named adatum.com.

You need to delegate a subdomain named research.adatum.com to a different DNS server in Azure.
What should you do?
A. Create an NS record named research in the adatum.com zone.
B. Create a PTR record named research in the adatum.com zone.
C. Modify the SOA record of adatum.com.
D. Create an A record named *.research in the adatum.com zone.
Correct Answer: A
You need to create a name server (NS) record for the zone.
Reference:
https://docs.microsoft.com/en-us/azure/dns/delegate-subdomain
  chaitu1990 Highly Voted  1 year ago

All the best for your Exam guys:))
upvoted 112 times

Thank you i guess
upvoted 4 times

Correct Answer: A
An NS record or (name server record) tells recursive name servers which name servers are authoritative for a zone. You can have as many
NS records as you would like in your zone file. The benefit of having multiple NS records is the redundancy of your DNS service.
You need to create a name server (NS) record for the zone.
Reference:
https://docs.microsoft.com/en-us/azure/dns/delegate-subdomain
upvoted 75 times
  Tom34 2 weeks, 6 days ago

Answer A correct.
It should be "Create or edit an NS record .."
Because this record is already created after DNS zone creation.
upvoted 1 times
  suriyaswamy 6 months, 1 week ago

Nice Explanation. Many Thanks
upvoted 1 times
  im82 Most Recent  3 months ago

Correct answer: A
upvoted 9 times
  K_loves 2 months, 3 weeks ago

Was this Site and Discussion a Panel sufficient to clear the AZ-104 Exam?? Could you please tell?
upvoted 1 times
  shoaibs789 2 months, 2 weeks ago

Hi on 1 Dec im going to appear the exam so please help me some Exam trick as i l already tried and get 650 so now im trying again and
thank you
upvoted 1 times
  shujaatmcse 1 month, 3 weeks ago

Hi Shoaib, were you able to clear it this time? Any tips
upvoted 1 times
  mathurjaini 2 months, 2 weeks ago

Hi, were you able to clear the exam?
upvoted 1 times

I have just started yesterday,i have exam i 2 days time,i dont know if i will master everything
upvoted 2 times
  ShikshaGarg 6 months, 3 weeks ago

Thanks a lot ExamTopics for the questions and also this discussion panel, helps a lot to understand different ways a question can be
solved. All the best everyone!! :)
upvoted 1 times

This question was on Jul 23, 2021 - passed the exam. Answers given by fedztedz and mlantonis in the discussion are correct.
upvoted 5 times
  Md_Shahnawaz 9 months ago

Answer A is correct
upvoted 7 times

Good Luck! guys for your Exam...............
upvoted 4 times
  6F 9 months, 3 weeks ago

45 mins to go time, good luck all!
upvoted 3 times
  sopot 9 months, 4 weeks ago

Good luck evrybody :)
upvoted 1 times
  luiz01 10 months ago

All the best for guys:)
upvoted 1 times
  rishard 10 months ago

Got exam in 1h - Wish me luck ;)
upvoted 5 times
  jc1738 9 months, 3 weeks ago

How did it go? Was the material on here enough to get you a pass? My exam is this week!
upvoted 3 times
  RealKaiCloud34813 10 months ago

Good luck, I'm attepting tomorrow.
upvoted 4 times
  UmarQazi 10 months, 2 weeks ago

I'm going to attempt this exam in the afternoon.
upvoted 2 times
  Olijames221 10 months, 1 week ago

How did it go? Was the question set in here enough to pass? I have mine tomorrow
upvoted 2 times
  HassanSarhan 9 months, 2 weeks ago

How did it go with you? MY exam is next week! Was the question set here enough to pass ?
upvoted 1 times
  thapp 10 months, 3 weeks ago

is there any new questions ?
upvoted 1 times
  SScott 10 months, 2 weeks ago

Name Server is the correct Answer, not an A Record.
I am signed up for the exam today 4/4. Microsoft tag on the registration site says content changed 3/26. Probably just a few questions
added and/or removed.
upvoted 2 times

New scale set questions, specific to % to minute and policy effects. Know kubectl commands and syntax reference to VM resources.
New variations of app service, web apps, and specific to ASP and .NET Core. New NSG firewall rule determinations. Several curve
balls but the current set on examtopics.com will provide the study guide results to pass with success! Research, review and test in
lab to fully learn and grow your Azure field of study.
upvoted 3 times

https://microsoftlearning.github.io/AZ-104-MicrosoftAzureAdministrator/Instructions/Labs/LAB_09c-
Implement_Azure_Kubernetes_Service.html
upvoted 3 times
  LexusNX425 10 months, 3 weeks ago

Thank You ExamTopics, and thank all of you for your support in the discussions. Best of luck to everyone on the exam!!! :)
upvoted 4 times
  Techseeker 10 months, 4 weeks ago

Reached here! Thanks for the amazing support and good luck on your exam ☺️
upvoted 4 times
DRAG DROP -
You have an Azure Active Directory (Azure AD) tenant that has the contoso.onmicrosoft.com domain name.
You have a domain name of contoso.com registered at a third-party registrar.
You need to ensure that you can create Azure AD users that have names containing a suffix of @contoso.com.
Select and Place:
Correct Answer:
1. Add the custom domain name to your directory

2. Add a DNS entry for the domain name at the domain name registrar
3. Verify the custom domain name in Azure AD
Reference:
https://docs.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain
  fene Highly Voted  9 months, 3 weeks ago

As I'm a smart guy I can confirm this to be the proper answer
upvoted 71 times
  CBIBEK 6 months, 3 weeks ago

Source: Dude trust me
upvoted 51 times
  Gorl12 4 months, 4 weeks ago

Lol ;)
upvoted 2 times
  mumu_myk Highly Voted  2 months, 2 weeks ago

I bought a domain just to test this. The answer is correct. Please like me.
upvoted 62 times

upvoted 1 times
  754a 3 months, 3 weeks ago

Add a custom name (wasn't stated you have one)-> add a record to the public contoso.com DNS zone (this will allow the requirements of
connection with 3rd party registrar) -> verify the domain based on your step 2. You already have an azure AD tenant so that's not an
option. Configuring company branding has no relationship to the question asks. You already have the DNS zone you don't need to create
one.
upvoted 4 times

upvoted 5 times
  magnoy 5 months ago

According to https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain
It should be the following order:
1.ADD AN AZURE AD TENANT
2.ADD A CUSTOM NAME
3.ADD A RECORD TO THE PUBLIC CONTOSO.COM DNS ZONE
(4.VERIFY THE DOMAIN)
upvoted 7 times
  Iringahn 2 months, 1 week ago

You already have a tenant in this question however so step 1 is already done.
upvoted 3 times
  dumz 4 months, 2 weeks ago

thank you so much for sharing!
upvoted 1 times

upvoted 3 times
  Cippunk 9 months ago

The question should specify if by "Add a record to the public contoso.com DNS zone" it means adding the text record to the domain
registrar's DNS zone. All that is needed is:
- Add a custom domain
- Create the Txt record (including hostname @, text value and TTL set to 3600 seconds) to DNS record on domain registrar.
- Verify the domain.
Having an Azure Public DNS zone is not required. Just tested this.
upvoted 19 times
  azlab1win 8 months, 1 week ago

Agree with this statement!
upvoted 2 times
  raulgar 9 months, 1 week ago

The internal domain name is contoso.onmicrosoft.com, the external dns is contoso.com, so the first it would be add a custom name, could
be?
upvoted 3 times
  Iroshan4 9 months, 1 week ago

Answer is correct. But the source is wrong.
Here is the correct docs link.
upvoted 34 times
  raulgar 9 months, 2 weeks ago

I'm not sure, but with external dns you must have a custom name (contoso.onmicrosoft.com isn't), so the first is create a custom name,
later add the record and verify.I haven't test it
upvoted 2 times
  crescha 9 months, 1 week ago

Custom domain already exists. Then you need to create DNS zone, add record and verify
upvoted 4 times
  Acai 6 months, 4 weeks ago

Unfortunately, that is incorrect, onmicrosoft.com indicates there using the default domain name, and they want to change the
"Suffix" from their registered domain to Contoso.com to that domain name in azure so the provided answer is correct.
If asking for a child domain of custom domain you would be correct!
upvoted 1 times

"You have a domain name of contoso.com registered at a third-party registrar."
So, they have already their own
upvoted 1 times
  Cepul 9 months, 2 weeks ago

If looking at this reference: https://docs.microsoft.com/en-us/azure/dns/dns-getstarted-portal
The answer is :
Create an Azure DNS zone

Add a record to the public contoso.com DNS zone
Verify the domain
upvoted 13 times

The source is not correct for this question
"Create an Azure DNS zone" is only applicable to the case that you use Azure DNS as DNS server. But in this question, you are using 3rd
party DNS which already exist.
upvoted 3 times
  bacana 9 months, 2 weeks ago

Correct.
upvoted 2 times
  Devgela 9 months, 3 weeks ago

Create an Azure DNS zone
Add a record to the public contoso.com DNS zone
Verify the domain
My Choice
upvoted 8 times

The 2nd step is copying the TXT file to your DNS zone (adding a record). Then verify it.
upvoted 2 times
  jecah 9 months, 2 weeks ago

Create a DNS zone in Azure DNS, and delegate the zone in your registrar to Azure DNS. It is a prerequisite and should be the first step.
So I agree with you.
upvoted 3 times

Would the zone not already be created because they have the existing domain?
upvoted 2 times
You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1.
You need to view the error events from a table named Event.
Which query should you run in Workspace1?
A. Get-Event Event | where {$_.EventType == "error"}
B. Event | search "error"
C. select * from Event where EventType == "error"
D. Event | where EventType is "error"
Correct Answer: B
The search operator provides a multi-table/multi-column search experience.
The syntax is:
Table_name | search "search term"
Note:
There are several versions of this question in the exam. The question has three possible correct answers:
1. search in (Event) "error"
2. Event | search "error"
3. Event | where EventType == "error"
1. Get-Event Event | where {$_.EventTye ‫ג‬€"eq "error"}
2. Event | where EventType is "error"
3. select * from Event where EventType is "error"
4. search in (Event) * | where EventType ‫ג‬€"eq "error"
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/search-queries https://docs.microsoft.com/en-us/azure/azure-monitor/log-
query/get-started-portal https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/searchoperator?pivots=azuredataexplorer
  Nilz76 Highly Voted  7 months, 2 weeks ago

"B" is correct
For those who selected "D", the syntax should have been:
Correct:
Event | where EventType == "error"
Incorrect:
Event | where EventType is "error"
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-windows-events#log-queries-with-windows-events
upvoted 16 times
  fatherofexam 6 months, 4 weeks ago

B is absolutely correct. Everything else is invalid syntax.
upvoted 5 times
  khismail Highly Voted  6 months ago

In Exam 21/08/2021
upvoted 8 times
  ITprof99 Most Recent  1 month, 2 weeks ago

On exam 01.02.2022
Answer: B
upvoted 3 times

upvoted 2 times
  GepeNova 4 months, 2 weeks ago

Tested in lab B is correct.
Monitor>>logs>>New query
Event | search "error" -->works fine others no.
upvoted 3 times

exam 10/09/21
upvoted 3 times

upvoted 4 times

upvoted 4 times

B is the correct answer.
Some here are saying D is the answer but that is false - "error" is not a type. That's why D results in a syntax error.
However, Event| search "error" is more generic because it searches for the string "error" in the Event table. That's why it returns true.
KQL
upvoted 2 times
  omaro 7 months, 2 weeks ago

i think it should be C.
upvoted 2 times

Answer C is an SQL syntax, Log Analytics use KQL (Kusto Query Language). B should be the Correct answer.
upvoted 2 times
  adiii123 7 months, 2 weeks ago

answer is correct
upvoted 1 times
You have a registered DNS domain named contoso.com.

You create a public Azure DNS zone named contoso.com.
You need to ensure that records created in the contoso.com zone are resolvable from the internet.
What should you do?
A. Create NS records in contoso.com.
B. Modify the SOA record in the DNS domain registrar.
C. Create the SOA record in contoso.com.
D. Modify the NS records in the DNS domain registrar.
Correct Answer: D
Reference:
https://docs.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns
  js_indore Highly Voted  4 months, 3 weeks ago

upvoted 10 times
  Eltooth Highly Voted  4 months, 1 week ago

Correct answer - D. Registrar “owns” the tld and will have their NS registered against the domain by default. By changing the registrar NS
records to point to your Azure DNS NS records you take ownership into your Azure DNS.
upvoted 7 times
  edengoforit Most Recent  1 day, 21 hours ago

Answer is D and here is some information helpful
You can use Azure DNS to host your DNS domain and manage your DNS records. By hosting your domains in Azure, you can manage your
DNS records by using the same credentials, APIs, tools, and billing as your other Azure services.
Suppose you buy the domain contoso.net from a domain name registrar and then create a zone with the name contoso.net in Azure DNS.
Since you're the owner of the domain, your registrar offers you the option to configure the name server (NS) records for your domain. The
registrar stores the NS records in the .NET parent zone. Internet users around the world are then directed to your domain in your Azure
DNS zone when they try to resolve DNS records in contoso.net.
upvoted 1 times
  _punky_ 1 month, 1 week ago

I do like those confusing questions from MS... Where did you registered the domain? In Azure or at third party? Which makes difference...
upvoted 1 times

upvoted 1 times

Took the exam today, 17 Oct. This question came out. Ans: D
upvoted 6 times

SOA: Start of [a zone of] authority record. Specifies authoritative information about a DNS zone, including the primary name server, the
email of the domain administrator, the domain serial number, and several timers relating to refreshing the zone.
NS: Name server record. Delegates a DNS zone to use the given authoritative name servers
which leaves A and D
upvoted 5 times
HOTSPOT -
You have an Azure subscription that contains a storage account named storage1. The subscription is linked to an Azure Active Directory (Azure
AD) tenant named contoso.com that syncs to an on-premises Active Directory domain.
The domain contains the security principals shown in the following table.
In Azure AD, you create a user named User2.

The storage1 account contains a file share named share1 and has the following configurations.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal
  ech Highly Voted  4 months, 3 weeks ago

Yo cannot give share-level priviledges to a computer object. Ans is correct.
upvoted 26 times
  nir977 2 months ago

Y-N-N because user2 is cloud-only user created in AAD and does not have netbios and other chars defined in storage
upvoted 1 times
  im82 Highly Voted  3 months ago

Correct answer: Y-N-Y
upvoted 23 times

First answer is : Y
"There are two ways you can assign share-level permissions. You can assign them to specific Azure AD users/user groups[...]"
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal
Second answer is : N
"Azure AD DS and on-premises AD DS authentication do not support authentication against computer accounts."
https://docs.microsoft.com/en-us/answers/questions/542174/syncing-between-on-prem-ad-and-azure-ad-not-workin.html
Third answer is : N
User 2 is created in Azure (not in Windows Active directory) and therefore is not an hybrid. To be hybrid it must be created onprem in
Windows Active Directory and then synched.
"Only hybrid users that exist in both on-premises AD DS and Azure AD can be authenticated and authorized for Azure file share access."
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview
upvoted 1 times
  Fulforce 1 month ago

Correct answer is Yes, No, No. Reason for the last answer being No below:
If you intend to use a specific Azure AD user or group to access Azure file share resources, that identity must be a hybrid identity that
exists in both on-premises AD DS and Azure AD. For example, say you have a user in your AD that is [email protected] and you
have synced to Azure AD as [email protected] using Azure AD Connect sync. For this user to access Azure Files, you must assign the
share-level permissions to [email protected]. The same concept applies to groups or service principals. Because of this, you must sync
the users and groups from your AD to Azure AD using Azure AD Connect sync.
Share-level permissions must be assigned to the Azure AD identity representing the same user or group in your AD DS to support AD DS
authentication to your Azure file share. Authentication and authorization against identities that only exist in Azure AD, such as Azure
Managed Identities (MSIs), are not supported with AD DS authentication.
upvoted 1 times
  ZakySama 1 month, 1 week ago

I have my examen in about 2 hours...
upvoted 4 times
  ArnoldCG 1 month, 1 week ago

have you passed the exam
upvoted 2 times

correct answer.You can assign them to specific Azure AD users/user groups and you can assign them to all authenticated identities as a
default share level permission. Yo cannot give share-level priviledges to a computer object.
upvoted 2 times
  asixto 1 month, 3 weeks ago

Seems that Azure AD Authentication is supported now
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview
upvoted 1 times
  9volt 1 month ago

It's Azure AD DS, not Azure AD. Similar name, still different.
upvoted 1 times

The answer should be Y-N-N.
Azure file share doesn't support AAD auth, it only supports AAD DS or AD DS.
The Azure AD sync is one-way sync: from on-premises to AAD. So the question description is not valid: "The subscription is linked to an
Azure Active Directory (Azure AD) tenant named contoso.com that syncs to an on-premises Active Directory domain"
upvoted 2 times
  Cristiangt 2 months ago

I have my examen in about 2 hours...
upvoted 1 times

Answer is correct . YES, NO, YES
You cant assign a privilege to a computer Object
upvoted 5 times
  camilo6to 3 months, 1 week ago

This should be YNN. If you look in the link you can find the following statement:
The selected Azure AD identity must be a hybrid identity and cannot be a cloud only identity. This means that the same identity is also
represented in AD DS.
upvoted 10 times
  MrBlueSky 3 months, 1 week ago

Yep. You appear to be correct on this. Here's a more clear line from that same link provided in the answer:
"If you intend to use a specific Azure AD user or group to access Azure file share resources, that identity must be a hybrid identity that
exists in both on-premises AD DS and Azure AD"
upvoted 4 times
  imrans 3 months ago

It says New user in Azure AD, but there question also has the statement "The subscription is linked to an Azure Active Directory (Azure
AD) tenant named contoso.com that syncs to an on-premises Active Directory domain." which looks the local AD will also get the same
user account sync.. SO I believe YNY. Please correct if wrong.. Thanks.
upvoted 3 times
  testmobile18 2 months, 1 week ago

The process of Azure AD connect works only from on-premises to cloud. Whilst it is capable of things like password write back and
device writeback, you cannot create users in Azure AD and sync them back to on-premises AD.
upvoted 4 times
  Plextor 2 months, 1 week ago

Synchronization is one way only, from on-premises AD to Azure AD. Not the other way around.
Y-N-N
upvoted 1 times
  AzureTj 3 months ago

it is not cloud only. Azure AD is being Synced to Local AD
upvoted 1 times

No.
upvoted 1 times

Does it syncy from Azure AD to Active directory ..Where i work i have hybrid setup .. but snyc is one way only nameley AD to Auzre.
upvoted 2 times
  sachin007 3 months, 1 week ago

yes,correct
upvoted 1 times
HOTSPOT -
You have an Azure subscription named Subscription1 that contains a virtual network VNet1.
You add the users in the following table.
Which user can perform each configuration? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: User1 and User3 only.

User1: The Owner Role lets you manage everything, including access to resources.
User3: The Network Contributor role lets you manage networks, including creating subnets.
Box 2: User1 only.
The Security Admin role: In Security Center only: Can view security policies, view security states, edit security policies, view alerts and
recommendations, dismiss alerts and recommendations.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles https://docs.microsoft.com/en-us/azure/role-based-access-
control/resource-provider-operations#microsoftnetwork
Correct.
Security admin can't add subnets.
Only owner can assign roles.
upvoted 15 times
  Beng_ali Highly Voted  4 months, 2 weeks ago

Came up on my exam today on 02/10/21, answer is correct.
upvoted 8 times
  Tyler2021 4 months, 2 weeks ago

Thanks for sharing. Have the questions changed a lot after the exam content was updated?
upvoted 2 times
  specialdil 4 months ago

I am also having same query, anybody please confirm
upvoted 2 times
  subhuman Most Recent  2 months, 4 weeks ago

Answer is Correct
Owner : Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
Security Administrator Can read security information and reports, and manage configuration in Azure AD and Office 365 (That means he
cant assign roles in Azure RBAC)
Network contributor : Lets you manage networks, but not access to them.
upvoted 5 times
HOTSPOT -
You have the Azure resources shown on the following exhibit.
You plan to track resource usage and prevent the deletion of resources.
To which resources can you apply locks and tags? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: Sub1, RG1, and VM1 only -

You can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying
critical resources.
Box 2: Sub1, RG1, and VM1 only -

You apply tags to your Azure resources, resource groups, and subscriptions.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json https://docs.microsoft.com/en-
us/azure/azure-resource-manager/management/tag-resources?tabs=json

Correct answer.
Only can assign locks and tags to subscriptions, resource groups and resources. Tested in lab
upvoted 15 times
  Omar_Aladdin Highly Voted  4 months, 3 weeks ago

Answer is correct, both Tags and Locks are available to Subscriptions, Resource Groups, and Resources..
See FIRST Paragraph in both Refs

Ref Locks:
Ref Tags:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json
upvoted 5 times

correct answer
upvoted 2 times
  Zeus009 2 months, 1 week ago

Subscription might not appear to be an obvious but locks are also applicable. Correct answer
upvoted 2 times

Correct
You can assign Locks or tags to resources, resource groups and subscriptions
upvoted 1 times

Correct answer.
Checked in Azure Portal
upvoted 2 times
  Aymenwerg 4 months, 3 weeks ago

Locks are applied at subscription, resource group, or resource level to prevent users from accidentally deleting or modifying critical
resources.
You can set the lock level to CanNotDelete or ReadOnly.
Also tags, the same "answer correct"

upvoted 2 times
You have an Azure Active Directory (Azure AD) tenant.

You plan to delete multiple users by using Bulk delete in the Azure Active Directory admin center.
You need to create and upload a file for the bulk delete.
Which user attributes should you include in the file?
A. The user principal name and usage location of each user only
B. The user principal name of each user only
C. The display name of each user only
D. The display name and usage location of each user only
E. The display name and user principal name of each user only
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/users-bulk-delete

B (100%)
  csx522 Highly Voted  2 weeks, 3 days ago

Answer correct. Tested in PROD - I think tomorrow is my last working day :D
upvoted 9 times
  Alexw Most Recent  1 month ago

Selected Answer: B
B is correct. USer prINCIPAL NAME ONLY REQD
upvoted 1 times

B is correct
Template requirement: User name [userPrincipalName] Required
upvoted 1 times

Selected Answer: B
B is correct
upvoted 2 times
  olsenOnS 2 months ago

Selected Answer: B
B is correct
upvoted 2 times
  MitchelLauwers1993 2 months, 1 week ago

B
https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/users-bulk-delete
upvoted 3 times
  shako 2 months, 1 week ago

correct answer : B.
"Open the CSV file and add a line for each user you want to delete. The only required value is User principal name. Save the file."
https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/users-bulk-delete#to-bulk-delete-users
upvoted 3 times
HOTSPOT -
You have an Azure subscription named Sub1 that contains the Azure resources shown in the following table.
You assign an Azure policy that has the following settings:

✑ Scope: Sub1
✑ Exclusions: Sub1/RG1/VNET1
✑ Policy definition: Append a tag and its value to resources
✑ Policy enforcement: Enabled
✑ Tag name: Tag4
✑ Tag value: value4
You assign tags to the resources as shown in the following table.
Hot Area:
Correct Answer:
Box 1: No -
The Azure Policy will add Tag4 to RG1.
Box 2: No -
Tags applied to the resource group or subscription aren't inherited by the resources although you can enable inheritance with Azure Policy.
Storage1 has Tag3:
Value1 and the Azure Policy will add Tag4.
Box 3: No -
Tags applied to the resource group or subscription aren't inherited by the resources so VNET1 does not have Tag2.
VNET1 has Tag3:value2. VNET1 is excluded from the Azure Policy so Tag4 will not be added to VNET1.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json
  Lionred Highly Voted  2 months, 1 week ago

N, N, N
1st No: Azure policy was created before the RG1 was assigned tag, which means when RG1 was manually assigned tag Tag2:IT, the policy
will take action to append Tag4:vaule4 to RG1. Note that policy action is to "append", that means whatever else tag RG1 is given won't be
taken away. As such RG1 will have two tags, Tag2:IT and Tag4:value4
2nd No: Remember tags are not inheritable, whatever tag assigned to RG1 won't be applied to any resources under it. As such the
Storage1 should be Tag3:value1 and Tag4:vaule4.
3rd No: vNet1 is excluded from the Azure policy, hence the policy won't do anything to it. As such vNet1 should only have the tag manually
assigned: Tag3:value2. PS, I take that "Exclusions: Sub1/RG1/VNET1" does not mean both RG1 & vNet1 are excluded, only vNet1 is
excluded, the Sub1/RG1/VNET1 is merely a path to the object that is excluded.
upvoted 41 times
  AmitRoy 2 months ago

Looks correct to me. Once we update the existing resource RG, the tags(Tag4:value4) from the policy will be applied to the RG. VNET1 is
only exclusion from the policy. This is just a path of VNET1 -> Sub1/RG1/VNET1. It's N N N
upvoted 3 times
  bonya 3 weeks, 2 days ago

"Appends the specified tag and value when any resource which is missing this tag is created or updated. Does not modify the tags of
resources created before this policy was applied until those resources are changed. Does not apply to resource groups. "
upvoted 2 times
  S3ktar 1 month, 4 weeks ago

Not true, if the RG1 exists before the policy is in place, it will not apply the tags. This is even true if you go into the resource to add the
tags as mentioned in the question, it will not apply the policy rules just because you are adding a tag. The result of this will be that the
resources will only be tagged as not compliant until it is fixed.
Source: I tested it in the portal

upvoted 8 times
  mufflon 3 weeks, 4 days ago

Are you sure? When you are updating the resources with tags according to "You assign tags to the resources as shown in the
following table" then , dont you update the resource and the policy activates? A policy adds the by the policy specified tag and value
when any resource missing the tag is created or updated, so it vill add Tag4 with value: value4
upvoted 1 times
  albergd 1 day, 6 hours ago

The trick is not there, the trick is in the policy: "Append a tag and its value to resources" : this policy does not apply to Resource
Groups. You can check here: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-policies
To apply the policy to a RG you need to use "Append a tag and its value to resource groups".
The answer is Y-N-N

upvoted 1 times

Correct answer is y-n-n
upvoted 10 times

As a number of people have commented Sub1/RG1/VNET1 IS A PATH (NOT A LIST), that's super important. So N,N,N is correct.
upvoted 4 times
  testmobile18 Highly Voted  2 months, 1 week ago

Wouldn't it be Y-N-N?
Y - RG1 is excluded thus retain as it is
N - Storage1 will have Tag3:value1 and Tag4:value4
N - VNET1 is excluded as well so only have Tag3:value2
upvoted 31 times
  yangxs 1 month, 2 weeks ago

RG1 is NOT excluded. Only VNET1 is excluded.
if you think RG1 is excluded by "Sub1/RG1/VNET1", then you should think Sub1 is also excluded.
upvoted 4 times
  maatksle 2 months ago

Dude, you're wrong. Please refer to Lionred's answer. RG1 has already a tag to it and the policy appends the tag not take away and add.
Guys, please upvote his answer.
upvoted 5 times

First you have the resources specified, they you assign a policy that says Tag name: Tag4 and Tag value: value4.
Then you assign tags to the resources as shown in the table.
When assigning tags to the resources, the resources gets updated and the policy gets activated and adds its tag.
https://www.examtopics.com/exams/microsoft/az-104/view/9/#
upvoted 1 times
  gofto 2 months ago

doubt that this explanation is correct
upvoted 1 times

Correct,
Y - RG1 has its own tag, and is excluded from policy
N
N
upvoted 2 times
  N4d114 Most Recent  1 week ago

I am confused on this question then I realize there are exceptions for Sub1/RG1/VNET1.
So, the policy will at run VNET1
The Tag should be like this : -
- RG1 should have Tag1: Subscription & Tag4:Value4

- Storage1 should have Tag3:Value1 & Tag4:Value4
- VNet1 should only have Tag3:Value3.
So the answer should be NO, NO, NO

upvoted 1 times
  AZ_Guru_Wannabe 1 week, 1 day ago

YES, NO, NO
please see sudocat's explanation below, but I tested what he said and it's true that Resource Groups aren't subject to this policy. Other
resources get the tags appended on modify activities, or creation. But NOT RGs
upvoted 2 times
  igorche 1 week, 2 days ago

Y, N, N
When a policy definition using the append effect is run as part of an evaluation cycle, it doesn't make changes to resources that already
exist. Instead, it marks any resource that meets the if condition as non-compliant.
upvoted 2 times

That's true BUT in this question, you apply the policy, THEN "You assign tags to the resources as shown in the following table." So at the
point of you assigning the tags, the policy would take effect and append the other one.
upvoted 1 times

y-n-n for me
upvoted 1 times
  drae2210 3 weeks ago

If you are looking for the CORRECT ANSWER, look for sudocat's reply. Lionred's answer is wrong although it is upvoted a bunch. The policy
in question SPECIFICALLY states that it doesn't apply to resource groups, so there's no way that RG1 can have tag4 appended to it.
Take a look at this link and find this specific policy name in the table. There is one for resource groups and one for resources. If you re-
read the prompt, you'll see that it specifies the one about resources
"https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-policies"
upvoted 2 times
  amiri7171 4 weeks, 1 day ago

Tested in lab:
When you assign a tag policy as mentioned in the question, the policy will only assign tags to a newly created resources. So if I understand
the question, there were first the 3 resources and then we applied the policy on them. In this case the RG1 won't get any tag and will have
only "Tag2: IT" assigned.
So the correct answer will be:
Y
N
N
upvoted 4 times
  Kengi 1 month ago

Y, N, N
Like ralphvl said:
Policy definition: Append a tag and its value to resources
Which means, tags will be appended only to resources - RG has different Policy Definition, check the link: https://docs.microsoft.com/en-
us/azure/azure-resource-manager/management/tag-policies
upvoted 6 times
  Pak149 2 weeks, 2 days ago

Y,N,N, tested it. Append a tag and its value to resources: Does not apply to resource groups.
upvoted 1 times
  Chole22 1 month ago

Yes, agree.
Append a tag and its value to resources: Does not apply to resource groups.
Policy for tags to resource groupe:

- Append a tag and its value to resource groups
upvoted 2 times

The correct answer is Y-N-N. Tested in lab. Applying a policy doesn't add the tags on to resources that already exist. Only new ones.
upvoted 3 times
  sudocat 1 month, 1 week ago

Policy: Append a tag and its value to resources
Description: Appends the specified tag and value when any resource which is missing this tag is created or updated. Does not modify the
tags of resources created before this policy was applied until those resources are changed. Does not apply to resource groups.
The correct answer is YES, NO, NO.
1. This policy DOES NOT APPLY to RESOURCE GROUPS. Even if the policy was already applied BEFORE creating a new RESOURCE GROUP, IT
WILL NOT APPEND THE TAG. Tested it on Azure, I created a new RG (the policy was already applied), and the result was, it DID NOT
APPEND THE TAG. HENCE, RG1 will only have one tag, which is Tag2:IT. THE ANSWER IS YES.
2. NO. Storage1 will have Tag3:value1 and Tag4:value4 (the policy applies to this).
3. NO. VNET1 is excluded from the Azure policy. THE POLICY WON'T APPLY HERE. VNET1 will only contain the manually assigned tag which
is Tag3:value2.
upvoted 9 times

You appear to indeed have the right answers for the right reasons.
upvoted 4 times
  Paul1992 1 month, 2 weeks ago

I've just tested it in LAB.
I created the three resources (RG1,Storage1 and VNET1).

Then i created the policy that assign the TAG4 to resources in the RG1 except for the VNET1 (exclusions: SUB1/RG1/VNET1 --> this exclude
only the VNET1! ).
Now, after i applied the policy, none of the resources in the subscription have been appended with the TAG4 cause the policy has been
created after the deployment of the resources so every resources simply does not have any tags.
After i add the specific TAGS to the three resources these are the only TAGS applied.
TAG4 will be applied only to new resources. So the answers in my opinion are:
YES, NO, NO
upvoted 7 times
  ralphvl 1 month, 2 weeks ago

Answer should be Y-N-N. The first question has nothing to do with the exclusion (which wouldn't matter anyway because the exclusion is
scoped to the VNET specifically) but with the policy definition that has been assigned: Append a tag and its value to resources. This means
resources and not resourcegroups. I quote from this https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-
policies article explaining the policy: Appends the specified tag and value when any resource which is missing this tag is created or
updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply
to resource groups. New 'modify' effect policies are available that support remediation of tags on existing resources (see
https://aka.ms/modifydoc).
upvoted 3 times
  stanloona 1 month, 2 weeks ago

I think the problem is clearly visible. First of all, the order should be seen as adding tags after policy setting.
Looking at this document, the command "Append a tag and its value to resources" does not apply to resource group. There is a separate
"Append a tag and its value to resource groups" command. Therefore, only Tag2:IT tag will be added to RG1. I also checked Sub1
separately, but it doesn't seem to be the range affected by the "Append a tag and its value to resources" command. The tag set in the
policy could not be added.
The tags of storage1 are "Tag3:value1", "Tag4, value4".

VNET1 has a tag "Tag3:value2" because it is excluded from the policy.
So I think the correct answer is Y N N.
upvoted 1 times

Lionred answer is correct, upvoted him.
upvoted 1 times
  ixl2pass 1 month, 3 weeks ago

NNN. The key is here Exclusions: Sub1/RG1/VNET1
The exclusion is ONLY for VNET1 and not for Sub1, RG1 & VNET1. Its just a path.
upvoted 1 times

Looks correct to me. Once we update the existing resource RG, the tags(Tag4:value4) from the policy will be applied to the RG. VNET1 is
only exclusion from the policy. This is just a path of VNET1 -> Sub1/RG1/VNET1. It's N N N
upvoted 1 times
Azure subscription.
Solution: You assign the Traffic Manager Contributor role at the subscription level to Admin1.
A. Yes
B. No
Correct Answer: B
Reference:
  GoldenFox Highly Voted  2 months, 1 week ago

Q.36
Assign Network Contributor role at subscription level to Admin1  Yes
Q.37
Assign Owner role at subscription level to Admin1  Yes
Q.38
Assign Reader role at subscription level to Admin1  Yes
Q.52
Assign Traffic Manager Contributor role at subscription level to Admin1  No
upvoted 32 times
  ABhi101 1 month, 1 week ago

GoldenFox is correct
upvoted 1 times

Are you sure on Q.38 - reader role can only access not enable traffic analytics
upvoted 2 times
  jackAttew_1 2 months ago

So answer is No. Read this => https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#traffic-manager-
contributor
upvoted 1 times
  Marski Most Recent  3 weeks, 1 day ago

Clever cheat question by MS. You need to know. Got to know. These are traps. I dont like these anyway.
upvoted 2 times
  NzNagaraj 1 month ago

Apologies - Traffic Manager Contributor is indeed a role but has nothing to do with Traffic Analytics
"Traffic Manager has a predefined Azure role called "Traffic Manager Contributor", which you can assign to users. This role lets you
manage Traffic Manager profiles.
upvoted 2 times

Traffic Manager is a DNS Based Load Balancer nothing to do with any RBAC role
upvoted 1 times

Traffic Manager contributor lets you manage Traffic Manager profiles, but does not let you control who has access to them.
upvoted 2 times

Traffic manager roles have nothing to do with traffic analytics
Traffic analytics requires account to have subscription level owner/contributor/reader/network contributor roles
upvoted 1 times
  adrian_borowski 2 months ago

There is no such Role 'Traffic Manager Contributor' so the answer must be NO. Please correct me if I'm wrong.
upvoted 3 times
  someonehad 2 months ago

Answer is B - NO
Required permissions are:
Microsoft.Network/connections/read
Microsoft.Network/loadBalancers/read
Microsoft.Network/localNetworkGateways/read
Microsoft.Network/networkInterfaces/read
Microsoft.Network/networkSecurityGroups/read
Microsoft.Network/publicIPAddresses/read
Microsoft.Network/routeTables/read
Microsoft.Network/virtualNetworkGateways/read
Microsoft.Network/virtualNetworks/read
And the ones provided by Traffic Manager contributor are:
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/trafficManagerProfiles/*", "Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
upvoted 1 times
  okamigo 2 months, 1 week ago

so what's the right answer guys?
upvoted 1 times
  MrMacro 2 months, 1 week ago

"No" looks like the correct answer. I don't believe that the Traffic Analytics solution and creating traffic manager profiles are related.
Here are the relevant links:

https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-manage-profiles
upvoted 2 times

Answer is correct. Your account must meet one of the following to enable traffic analytics:
upvoted 1 times
  V4 2 months, 1 week ago

Correct answer : A.
With Traffic Manager Contributor role you can manage Traffic Manager profiles, do traffic analysis but does not let you control who has
access to them.
upvoted 4 times

Agreed with the 'No' answer. Prerequisite is :
"Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or network
contributor."
'Azure Traffic Manager contributor' is not mentioned
upvoted 2 times
You have three offices and an Azure subscription that contains an Azure Active Directory (Azure AD) tenant.
You need to grant user management permissions to a local administrator in each office.
What should you use?
A. Azure AD roles
B. administrative units
C. access packages in Azure AD entitlement management
D. Azure roles
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/roles/administrative-units
  HananS Highly Voted  2 months, 1 week ago

Administrative units restrict permissions in a role to any portion of your organization that you define. You could, for example, use
administrative units to delegate the Helpdesk Administrator role to regional support specialists, so they can manage users only in the
region that they support.
upvoted 5 times
  Snownoodles Most Recent  1 month, 3 weeks ago

Why is A not correct?
Even with B(admin unit), you have to assign AAD role to administrators for an admin unit.
upvoted 2 times

I think that B is the answer because it is what the question is implying a scenario for which "Administrative Units" are specifically
tailored for...
"Deployment scenario
It can be useful to restrict administrative scope by using administrative units in organizations that are made up of independent
divisions of any kind."
https://docs.microsoft.com/en-us/azure/active-directory/roles/administrative-
units#:~:text=An%20administrative%20unit%20is%20an%20Azure%20AD%20resource,any%20portion%20of%20your%20organization%
20that%20you%20define.
upvoted 1 times
  jaydee7 1 month, 4 weeks ago

Earlier OU (Organizational Unit) is not AU (Administrative Unit) :)
upvoted 1 times

I believe Administrative Units in Azure AD, are similar to Organizational Units in Windows AD.
https://4sysops.com/archives/an-introduction-to-azure-ad-administrative-
units/#:~:text=A%20user%20or%20group%20is,flat%20directory%20and%20lacks%20OUs.&text=Administrative%20units%20are%20contai
ners%20for%20users%20and%20groups%20that,administrative%20rights%20to%20specific%20users.
upvoted 1 times

Administrative units restrict permissions in a role to any portion of your organization that you define. You could, for example, use
administrative units to delegate the Helpdesk Administrator role to regional support specialists, so they can manage users only in the
region that they support.
upvoted 4 times

Correct answer B
upvoted 2 times

I agree with B.
Regarding the link provided, the example fits with the use case :
"You could, for example, use administrative units to delegate the Helpdesk Administrator role to regional support specialists, so they can
manage users only in the region that they support."
upvoted 1 times
Developers.
Solution: On Dev, you assign the Logic App Contributor role to the Developers group.
A. Yes
B. No
Correct Answer: A
Reference:

B (60%) A (40%)
  cjAzure Highly Voted  1 month ago

I’m putting this at the very beginning so newcomers here are encouraged to continue. I just passed my exam (910/1000). 99.99% of
questions are from here, including the cases. Microsoft are too lazy to change them (which is a good thing for us, i guess?). Be sure to use
the comment section (especially comments from Mlantonis). Good luck guys!!
upvoted 15 times
  MrMacro Highly Voted  2 months, 1 week ago

Answer "Yes" is correct. Logic App Contributor role will allow you to create Logic Apps.
See here: https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app?tabs=azure-portal
"Your Azure subscription requires Contributor permissions for the resource group that contains that logic app resource. If you create a
logic app resource, you automatically have Contributor access."
upvoted 13 times
  Az_dasappan Most Recent  1 week, 1 day ago

answer yes
Microsoft.Logic/* Manages Logic Apps resources.
Microsoft.Resources/deployments/* Create and manage a deployment
upvoted 1 times
  abbas19 2 weeks, 6 days ago

Yes (A)
@ RG level it allows resource deployment
Logic App Contributor
BuiltInRole
Permissions
JSON
Assignments
Description: Lets you manage logic app, but not access to them.
write
Actions
DataActions
Showing 26 of 207 permissions
Type
Permissions
Description
Microsoft.Insights
Microsoft.Logic
Microsoft.Resources
Write
Create Deployment
Creates or updates an deployment.
upvoted 1 times

Answer is YES
"Logic App Contributor

Lets you manage logic apps, but not change access to them"
Just for the hell of it I have set one account as READER and one as LOGIC APP CONTRIBUTOR in my demo Subscription. The READER
account got a "[...] does not have authorization to perform action [...]" error but the LOGIC APP CONTRIBUTOR was able to create Logic
Apps with no problem.
So if you see XYZ Contributor = That means it allows to create / delete XYZ but NOT give others permissions to access XYZ.
upvoted 2 times
  BeamerV 3 weeks, 1 day ago

Selected Answer: A
Answer is YES.
Logic App Contributor role Lets you manage logic apps, but not change access to them
Microsoft.Logic/* Manages Logic Apps resources.

The asterisk behind the service provider means you can do everything within the logic app service.
upvoted 1 times

Q.36
Assign Network Contributor role at subscription level to Admin1  Yes
Q.37
Assign Owner role at subscription level to Admin1  Yes
Q.38
Assign Reader role at subscription level to Admin1  Yes
Q.52
Assign Traffic Manager Contributor role at subscription level to Admin1  No
upvoted 1 times

Selected Answer: A
It's correct: you have 3 basic roles most of time Read => Read only, Owner => Can do read, write, create and delete + manage users,
Contributor => can only manage resources like owner without user management.
Stick with this definition and you will get permissions area really quick
upvoted 1 times

Correct YES
Q21: On Subscription1, you assign the DevTest Labs User role to the Developers group?
- NO The Logic App Contributor role lets you manage logic app, but not access to them. It provides access to view, edit, and update a logic
app.
Q22: On Subscription1, you assign the Logic App Operator role to the Developers group.
- NO You would need the Logic App Contributor role.
Q23: On Dev, you assign the Contributor role to the Developers group?
- YES since The Contributor role can manage all resources (and add resources) in a Resource Group.
Q54: On Dev, you assign the Logic App Contributor role to the Developers group?
- YES The Logic App Contributor role lets you manage logic app, but not access to them. It provides access to view, edit, and update a logic
app.
upvoted 5 times

Selected Answer: B
The answer should be B - NO
Please note "Logic Apps Contributor" and "Contributor" are 2 totally different roles.
I just tested, if test user only has 'Logic Apps Contributor" role assigned at subscription level, I will get the following error when creating a
logic app:
You cannot perform this action without all of the following permissions:
(Microsfot.storage/storageAccounts/Write,Microsoft.Web/ServerFarms/Write, Microsoft/Web/Sites/Write)
You have to assign "contributor" role at subscription level to enable user creating logic Apps.
upvoted 3 times

If you already created a storage account inside a resource group and you want to use this storage account for logic app, you can assign
a"contributor" role at this resource group level.
upvoted 1 times
Answer is correct.
Logic App Contributor: Lets you manage (create, edit and delete) logic apps, but you can't change access to them.
upvoted 2 times
  biankeynero 1 month, 1 week ago

The question states "the ability to create Azure logic apps". I don't believe you can create Logic Apps with the "Logic apps Contributor"
role. With that said I believe "B" is correct.
upvoted 1 times

You are incorrect. Manage includes the ability to Create and Delete.
Best way to make sure is to test for yourself.
upvoted 1 times

Correct answer.
upvoted 1 times
Question #1 Topic 3
You have an Azure Storage account named storage1 that contains a blob container named container1.
You need to prevent new content added to container1 from being modified for one year.
What should you configure?
A. the access tier
B. an access policy
C. the Access control (IAM) settings
D. the access level
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/storage/blobs/immutable-storage-overview?tabs=azure-portal
  breakerboyz09 Highly Voted  4 months, 3 weeks ago

B is correct.
Because Access policy can set retention policy.

upvoted 18 times
  rrabeya Highly Voted  3 months, 1 week ago

Answer B
Time-based retention policies: With a time-based retention policy, users can set policies to store data for a specified interval. When a time-
based retention policy is set, objects can be created and read, but not modified or deleted. After the retention period has expired, objects
can be deleted but not overwritten.
upvoted 12 times
  rrabeya 3 months, 1 week ago

https://docs.microsoft.com/en-us/azure/storage/blobs/immutable-storage-overview?tabs=azure-portal
upvoted 2 times
  PeterHu Most Recent  2 days ago

This is related to one year. so time-based retention policy.B
upvoted 1 times

How to set this feature. StorageAccount-> Data Protection-> Enable version-level immutability support
upvoted 2 times

StorageAccount-> Data Protection-> Access control -> Enable version-level immutability support
upvoted 1 times
Question #2 Topic 3
HOTSPOT -
You have an Azure Storage account named storage1 that contains a blob container. The blob container has a default access tier of Hot. Storage1
contains a container named conainer1.
You create lifecycle management rules in storage1 as shown in the following table.
You perform the actions shown in the following table.
Hot Area:
Correct Answer:
  NZure Highly Voted  4 months, 3 weeks ago

I don't think this is correct
Rule1 archives blobs(aka files) after 2 days of inactivity and deletes after 9
Rule2 moves to cool tier after 3 days and archive tier after 9
Of the three files, Rule1 only applies to Dep1File1.docx, while the other files have Rule2 applied.
The question asks if you can read the files on the 10th, not if they still exist. Files in the archive tier CANNOT be read as documented by
Microsoft:
"While a blob is in archive storage, the blob data is offline and can't be read or modified. To read or download a blob in archive, you must
first rehydrate it to an online tier."
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers
Dep1File1.docx was last updated 8 days ago, and would be in archive tier
File2.docx was last updated 5 days ago, and would be in cool tier
File3.docx was last updated 8 days ago and would be in cool tier
Dep1File1 > No cannot be read

File2 > Yes cannot be read
File3 > Yes can be read
upvoted 62 times
  evldufstr 2 weeks ago

Not sure I agree with "Dep1File1 > No cannot be read". If only Rule1 applies and this is archive, agree. However, you have not
considered that Rule2 also applies to Dep1File1.docx. This would then mean:
Oct1 - Dep1File1.docx uploaded
Oct2 - Dep1File1.docx modified
Oct5 - Dep1File1.docx moved to archive (Rule 1 kicks in - not modified for 2 days)
Oct6 - Dep1File1.docx moved to cool (Rule 2 kicks in - not modified for 3 days)
Oct10 – RESULT. Dep1File1.docx can be accessed while as this is actually in cool storage.
upvoted 2 times

Correct Answer - No - Yes - Yes
Dep1File1.docx is in archive, meaning the only way to pull it out and read it is to "rehydrate" the file
File2 and File3 can continue to be read, even in the cool tier
upvoted 9 times
  szutsattila 4 months, 2 weeks ago

Isn't it technically still readable because it still exists. You can read it, but first you have to bring it back online. I totally get your
explanation, my argument is that the question was phrased poorly. If you negate the current question with "On October 10, you can't
read Dep1File1.docx" then the answer would be No, because it implies that the file doesn't exist, thus this answer is Yes.
upvoted 8 times
  TAndrasSF 1 month, 1 week ago

Hello Attila, if you ever tried to pass an MS exam, you should know by now, that you always need to ask yourself, what the question
wants to ask from you. I guess, this time the question asks, if you know, that when a blob is in archive, it is offline, and cannot be
accessed (immediately)? Real life situations usually not applicabe to MS exam questions.
upvoted 6 times

this is good advice
upvoted 1 times
  jecaine 4 months, 3 weeks ago

i'm so sick of this site and their questionable answers. Sigh. i never know who to trust, the site or the forum.
upvoted 12 times
  TAndrasSF 1 month, 1 week ago

Hello jecaine, your post is a frequent here. But you should consider, that the value of this site, that you can read exact questions
from MS exams, and also to read a valueable debate on answers. If all the revealable solutions were correct, that would trigger an
alarm at MS, and this site would be taken down almost immediately. Is that what you want?
upvoted 10 times

You got a point there! I must admit that those discussions are actually valuable learning tools if you take the time to dig around a
bit when you have doubts and actually test and verify claims made around here.
upvoted 2 times

Why 'sick' lol, you just should trust your logic when it comes to the website answers&the discussions.
upvoted 6 times

Correct Answer N Y Y
Dep1File1 is hit by rule 1 which will archive the file by the 10th rendering it unreadable
File 2 and file3 are missed by the first rule and gets hit by the 2nd rule, which will make them still readable by the 10th
https://docs.microsoft.com/en-us/azure/storage/blobs/archive-rehydrate-
overview#:~:text=While%20a%20blob%20is%20in,the%20hot%20or%20cool%20tier.
upvoted 27 times
  itgg11 2 months ago

NYY. Agree with Quantigo. An archived file needs to be rehydrated first which may take up to 15 hours.
The question is poorly worded.
"Standard priority: The rehydration request will be processed in the order it was received and may take up to 15 hours."
https://docs.microsoft.com/en-us/azure/storage/blobs/archive-rehydrate-
overview#:~:text=While%20a%20blob%20is%20in,the%20hot%20or%20cool%20tier
upvoted 3 times

Correct Answer - No - Yes - Yes
Dep1File1.docx is in archive, meaning the only way to pull it out and read it is to "rehydrate" the file
File2 and File3 can continue to be read, even in the cool tier
upvoted 1 times

October 10:
Dep1File1.docx will be ARCHIVED
File2.docx will be COOL
upvoted 1 times

Answer is : NYY
Rule1 applies to all block blobs with names starting with "Dep1" in "container1"
Rule2 applies to all blobs in storage account "storage1"
https://docs.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-policy-configure?tabs=azure-portal
"While a blob is in the Archive tier, it can't be read or modified. To read or download a blob in the Archive tier, you must first rehydrate it to
an online tier, either Hot or Cool."
https://docs.microsoft.com/en-us/azure/storage/blobs/access-tiers-overview#archive-access-tier
October 10:
Dep1File1.docx will be ARCHIVED
upvoted 1 times

**Rule2 applies to all block blobs in storage account "storage1"
upvoted 1 times

Answer: No, Yes, Yes. Cool tier files can be still read. Archived can not be read.
upvoted 1 times

Perhaps this statement from Micosoft Document is a clue
"While a blob is in the Archive access tier, it's considered to be offline and can't be read or modified" If we take the Clue as Can't be read
then The Answer to question 1 is NO - a bit more convinced now
upvoted 2 times

The question is poorly worded. What does the term "Can Read" means ? (1) You can read straight away ? (2) You have the ability to read (3)
It exists and you can access the object (Metadata)? so many questions I know. For question 1 the answer will be What Microsoft interprets
as "Can Read" means so Purist answer is NO I agree. Then again if you look at it like can we read it by re-hydrating (takes time) eventually
"Yes" - only way to find out is someone taking the exam and be able to check it was marked correct or wrong - This is my humble view -
upvoted 2 times

A: NYY
https://docs.microsoft.com/en-us/azure/storage/blobs/access-tiers-overview#archive-access-tier says:
While a blob is in the Archive tier, it can't be read or modified. To read or download a blob in the Archive tier, you must first rehydrate it to
an online tier, either Hot or Cool.
upvoted 1 times

After that it says: Data in the Archive tier can take up to 15 hours to rehydrate, depending on the priority you specify for the
rehydration operation.
The length of retrieved document is not specified. !Disputable question!
upvoted 1 times
  Saksona 1 month, 2 weeks ago

Reading from https://docs.microsoft.com/en-us/azure/storage/blobs/access-tiers-overview::
While a blob is in the Archive tier, it can't be read or modified. To read or download a blob in the Archive tier, you must first rehydrate it to
an online tier, either Hot or Cool.
This tells me, that it's only the Archive tier that cannot be read without rehydrating the data. Both hot and cool can be read, so the answer
should be No Yes Yes
upvoted 1 times
  googlearch 1 month, 2 weeks ago

Rule 1 applies only to container1/dep1, so it does not apply to the files which is uploaded in /container1, only the Rule 2 will apply to the
files uploaded. The answer is correct YES YES YES
upvoted 3 times

Answer is correct.
On Oct 10th you can read Dep1File1.docx. Answer is Yes.

 Reason, on Oct 1st file was uploaded, Rule 1 & Rule 2 will not get applied, because on Oct 2nd, file was edited. Dep1File1.docx is
available to read as on 10th Oct.
On Oct 10th you can read File2.docx. Answer is Yes.
 Reason, on Oct 1st file was uploaded, Rule 2 gets applied. On Oct 5th, file was edited. File2.docx is available to read as on 10th Oct.
On Oct 10th you can read File3.docx. Answer is Yes.
 Reason, on Oct 1st file was uploaded, Rule 1 & Rule 2 will not get applied, because on Oct 2nd, file was edited. File3.docx is available to
read as on 10th Oct.
upvoted 8 times
  okamigo 2 months ago

Guys so what's the right answer?
upvoted 1 times

what's the right answer guys?
upvoted 1 times
  micropinto 2 months, 1 week ago

No, Yes, Yes, 1. No because you need to change tier first before accessing the file
upvoted 1 times
  speed2fast 3 months ago

N/Y/Y
While a blob is in the Archive access tier, it's considered to be offline and can't be read or modified. In order to read or modify data in an
archived blob, you must first rehydrate the blob to an online tier, either the Hot or Cool tier.
https://docs.microsoft.com/en-us/azure/storage/blobs/archive-rehydrate-overview
If a data set needs to be readable, do not set a policy to move blobs to the archive tier. Blobs in the archive tier cannot be read unless they
are first rehydrated, a process which may be time-consuming and expensive.
https://docs.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-overview
upvoted 1 times

The question says "can be read" - files in the archive "can be read" as a high level concept, just not immediately.
It's like saying "if I have a snapshot of a VM's disks, can I see the files on that disk". If you say No, then it makes snapshots pretty useless
(wide statements = a wide context).
upvoted 3 times

That is technically correct but in the context of the question could it be that what is implied is immediate access versus having to go
through a process before being able to actually read the content?
upvoted 1 times

"While a blob is in the Archive tier, it can't be read or modified. To read or download a blob in the Archive tier, you must first
rehydrate it to an online tier, either Hot or Cool."
https://docs.microsoft.com/en-us/azure/storage/blobs/access-tiers-overview#archive-access-tier
upvoted 1 times
  shahid3480 3 months, 2 weeks ago

If Rule2 is not applicable then why we are considering it??
upvoted 1 times
  Marciojsilva 3 months, 1 week ago

I have the same question
upvoted 1 times

The prefix isn't applicable, the rule itself does apply.
upvoted 1 times
Question #3 Topic 3
You have an on-premises server that contains a folder named D:\Folder1.

You need to copy the contents of D:\Folder1 to the public container in an Azure Storage account named contosodata.
Which command should you run?
A. https://contosodata.blob.core.windows.net/public
B. azcopy sync D:\folder1 https://contosodata.blob.core.windows.net/public --snapshot
C. azcopy copy D:\folder1 https://contosodata.blob.core.windows.net/public --recursive
D. az storage blob copy start-batch D:\Folder1 https://contosodata.blob.core.windows.net/public
Correct Answer: C
The azcopy copy command copies a directory (and all of the files in that directory) to a blob container. The result is a directory in the container
by the same name.
Incorrect Answers:
B: The azcopy sync command replicates the source location to the destination location. However, the file is skipped if the last modified time in
the destination is more recent.
D: The az storage blob copy start-batch command copies multiple blobs to a blob container.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-blobs https://docs.microsoft.com/en-
us/azure/storage/common/storage-ref-azcopy-copy

C (100%)

Correct Answer: C
A: URL of the Storage Account.
B: The azcopy sync command replicates the source location to the destination location. However, the file is skipped if the last modified
time in the destination is more recent.
C: The azcopy copy command copies a directory (and all the files in that directory) to a blob container. The result is a directory in the
container by the same name.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-blobs
https://docs.microsoft.com/en-us/azure/storage/common/storage-ref-azcopy-copy
upvoted 50 times
  naveener Highly Voted  1 year, 7 months ago

copies a directory (and all of the files in that directory) to a blob container:-
azcopy copy 'C:\myDirectory' 'https://mystorageaccount.blob.core.windows.net/mycontainer' --recursive
To copy to a directory within the container :-
azcopy copy 'C:\myDirectory' 'https://mystorageaccount.blob.core.windows.net/mycontainer/myBlobDirectory' --recursive
upvoted 35 times

Basically given answer is correct.
upvoted 3 times
  PeterHu Most Recent  1 day, 23 hours ago

Answer: C this is right syntax
upvoted 1 times

upvoted 2 times
  waxil 1 month ago

Selected Answer: C
C seems the most likely
upvoted 1 times
  AbhijeetMashale 1 month, 3 weeks ago

Selected Answer: C
Correct Answer: C
A: URL of the Storage Account.
B: The azcopy sync command replicates the source location to the destination location. However, the file is skipped if the last modified
time in the destination is more recent.
C: The azcopy copy command copies a directory (and all the files in that directory) to a blob container. The result is a directory in the
container by the same name.
upvoted 1 times

Correct answer: C
upvoted 4 times
  silver_bullet666 5 months, 1 week ago

C is correct and --snapshot is NOT even a valid switch, version AzCopy 10.12.1
upvoted 1 times
  kevin9988 6 months, 1 week ago

azcopy cp instead of azcopy copy
upvoted 3 times

This question was on Jul 23, 2021 - passed the exam. Answers given by fedztedz and mlantonis are correct.
upvoted 7 times

Recursive!
upvoted 2 times

Answer is correct
AzCopy recursive
upvoted 5 times

C is correct
upvoted 5 times
  Wizard69 11 months, 2 weeks ago

Answer is correct.
az copy with --recursive

upvoted 2 times

C. is correct. Last command (az storage blob copy) is used only to copy blobs to a blob container. Azcopy should be used with the copy
flag.
upvoted 2 times

Answer is correct. "C"
Azcopy copy --recursive.
upvoted 7 times
  Borbz 1 year, 2 months ago

Answer is correct!
upvoted 2 times
Question #4 Topic 3

In the Azure portal, you plan to create a storage account named storage1 that will have the following settings:
✑ Performance: Standard
✑ Replication: Zone-redundant storage (ZRS)
✑ Access tier (default): Cool
✑ Hierarchical namespace: Disabled
You need to ensure that you can set Account kind for storage1 to BlockBlobStorage.
Which setting should you modify first?
A. Performance
B. Replication
C. Access tier (default)
D. Hierarchical namespace
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview https://docs.microsoft.com/en-
us/azure/storage/blobs/storage-blob-performance-tiers

A (100%)
  sk1803 Highly Voted  4 months, 3 weeks ago

Answer is correct
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-create?tabs=azure-portal
Select Standard performance for general-purpose v2 storage accounts (default). This type of account is recommended by Microsoft for
most scenarios. For more information, see Types of storage accounts.
Select Premium for scenarios requiring low latency. After selecting Premium, select the type of premium storage account to create. The
following types of premium storage accounts are available:
Block blobs
File shares
Page blobs
upvoted 16 times
  Bere Highly Voted  2 months, 2 weeks ago

Answer is A. Performance.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-create?tabs=azure-cli
These are the supported values for the kind parameter:
StorageV2 = Standard general-purpose v2

BlockBlobStorage = Premium block blobs
FileStorage = Premium file shares
StorageV2 = Premium page blobs
Storage = legacy Standard general-purpose v1
BlobStorage = legacy blob storage
As you can see above BlockBlobStorage in only available for Premium_LRS or Premium_ZRS.
So we must change the Performance from Standard to Premium.

upvoted 6 times
  AZ_Guru_Wannabe Most Recent  1 week, 1 day ago

Selected Answer: A
A
If you go to portal and start to create new storage account - you will see that blob type won't even show up until you change it to Premium
performance.
upvoted 1 times
  atilla 1 week, 6 days ago

yes and after created you cannot change the performance anymore... so answer is correct
upvoted 1 times

Answer is correct. You need to update the performance. it will need to be Premium storage.
upvoted 2 times
  Az104us334 1 month, 2 weeks ago

Selected Answer: A
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview https://docs.microsoft.com/en-
us/azure/storage/blobs/storage-blob-performance-tiers
upvoted 1 times

Answer A - Performance
upvoted 2 times
Question #5 Topic 3
You have an Azure subscription named Subscription1 that contains the storage accounts shown in the following table:
You plan to use the Azure Import/Export service to export data from Subscription1.
You need to identify which storage account can be used to export the data.
What should you identify?
A. storage1
B. storage2
C. storage3
D. storage4
Correct Answer: D
Azure Import/Export service supports the following of storage accounts:
✑ Standard General Purpose v2 storage accounts (recommended for most scenarios)
✑ Blob Storage accounts
✑ General Purpose v1 storage accounts (both Classic or Azure Resource Manager deployments),
Azure Import/Export service supports the following storage types:
✑ Import supports Azure Blob storage and Azure File storage
✑ Export supports Azure Blob storage
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-requirements

Correct Answer: D


✑ Export supports Azure Blob storage. Azure Files not supported.
Only storage4 can be exported.
Reference:
upvoted 70 times

Very useful Info
upvoted 1 times
  nfett Highly Voted  9 months, 3 weeks ago

From the provided link. I assume since they table in the question notes "Storage" its being disregarded as an invalid option. Thus the
answer blob appears to be correct.
Standard General Purpose v2 storage accounts (recommended for most scenarios)
Blob Storage accounts
upvoted 8 times

please read thru and make sure your understand the questions...many of questions just revised the a little wordings in exam
upvoted 1 times
  Zephaniah 3 months, 3 weeks ago

Correct Answer: D
upvoted 1 times

Supported storage types
The following list of storage types is supported with Azure Import/Export service.
SUPPORTED STORAGE TYPES

Job Storage Service Supported Not supported
Import Azure Blob Storage
Azure Files storage Block blobs and Page blobs supported

Correct answer: D
Files supported
Export Azure Blob Storage Block blobs, Page blobs, and Append blobs supported Azure Files not supported
Export from archive tier not supported
https://docs.microsoft.com/en-us/azure/import-export/storage-import-export-requirements
upvoted 1 times

Took the exam today, 17 Oct. This question came out. Ans: D
upvoted 2 times

Passed 11 Oct 2021 with 947. This question appeared, correct Answer is D
upvoted 2 times
  iamnivas 4 months, 1 week ago

are these questions in the dump still relevant?
upvoted 1 times

upvoted 3 times

upvoted 4 times

Easy, this one. Think Hard Disk. The files don't have to be in a particular order. It has to BLOB
upvoted 2 times

in exam 7/3/2021
upvoted 3 times

upvoted 3 times

Blob is correct. #4
upvoted 2 times
Question #6 Topic 3
HOTSPOT -
You have Azure Storage accounts as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
Hot Area:
Correct Answer:
Box 1: storageaccount1 and storageaccount2 only
Box 2: All the storage accounts -

Note: The three different storage account options are: General-purpose v2 (GPv2) accounts, General-purpose v1 (GPv1) accounts, and Blob
storage accounts.
✑ General-purpose v2 (GPv2) accounts are storage accounts that support all of the latest features for blobs, files, queues, and tables.
✑ Blob storage accounts support all the same block blob features as GPv2, but are limited to supporting only block blobs.
✑ General-purpose v1 (GPv1) accounts provide access to all Azure Storage services, but may not have the latest features or the lowest per
gigabyte pricing.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-options

Answer is correct.
- Storage account 1 & 2
- All storage accounts.
upvoted 71 times

Why do you say that?
upvoted 1 times

Since question 1 is to store table storage which can't be done in blob storage account (blob storage is the premium storage which is
either block blob, append blob or page blob). refer https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-
introduction#blob-storage-resources
upvoted 9 times
  Saravana12g 5 months ago

Why do you ask that?
It's correct...
upvoted 2 times
  Omar_Aladdin 5 months ago

Hey, What's the problem with asking. That's not acceptable
upvoted 11 times

Hey! stop fighting! lol
upvoted 6 times

Correct Answer:

Box 2: All the storage accounts
upvoted 23 times

upvoted 2 times
  shahid3480 Most Recent  3 months, 2 weeks ago

In the new Azure Portal No more GPv1 available. GPv2 supports all kinds of storage data
Blobs, Files, Tables and Queues.
With Premium performance you can have only Blobs and File data types available.
So I think for the 1st option only StorageAccount2 is valid and for Option 2 both StorageAccount2 & 3 valid.
upvoted 5 times

You can't create V1 any more, but you may already have it so it is still supported. So B1 is s1 and s2.
upvoted 1 times

upvoted 2 times

Came up on my exam today 02/10/21. Answer is correct.
upvoted 3 times

upvoted 3 times

Easy - The whole point of creating a storage account of type BlobStorage is so you maximize on blob service, not Queue, Table or File.
Storage type is a cheaper more basic version of Storage V2.
upvoted 1 times
  org_sam 6 months, 3 weeks ago
Answer Correct.
Standard general-purpose v2 Blob (including Data Lake Storage1), Queue, and Table storage, Azure Files
Standard general-purpose v1 Blob, Queue, and Table storage, Azure Files
Standard Blob storage Blob storage (block blobs and append blobs only)
upvoted 3 times
  joydeep1 8 months, 1 week ago

Exam - Asked today
upvoted 17 times

Answer is correct.
- Storage account 1 & 2
- All storage accounts.
upvoted 3 times

https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview shows
Standard general-purpose v2 Blob (including Data Lake Storage1), Queue, and Table storage, Azure Files
Standard general-purpose v1 Blob, Queue, and Table storage, Azure Files
Standard Blob storage Blob storage (block blobs and append blobs only)
So 1 and 2
upvoted 1 times
  modiallo 9 months ago

Box 2: All the storage accounts
upvoted 2 times

upvoted 2 times

answers are correct
upvoted 2 times

Answer given is correct!
upvoted 3 times

Both answers are correct
upvoted 3 times

General-purpose v2 accounts: Basic storage account type for blobs, files, queues, and tables. Recommended for most scenarios using
Azure Storage.
General-purpose v1 accounts: Legacy account type for blobs, files, queues, and tables. Use general-purpose v2 accounts instead when
possible.
upvoted 3 times
  waterzhong 1 year, 2 months ago

✑ General-purpose v2 (GPv2) accounts are storage accounts that support all of the latest features for blobs, files, queues, and tables.
✑ General-purpose v1 (GPv1) accounts provide access to all Azure Storage services, but may not have the latest features or the lowest per
gigabyte pricing.
upvoted 1 times
Question #7 Topic 3
You have Azure subscription that includes data in following locations:
You plan to export data by using Azure import/export job named Export1.
You need to identify the data that can be exported by using Export1.
Which data should you identify?
A. DB1
B. container1
C. share1
D. Table1
Correct Answer: B
  Anon6969 Highly Voted  1 year, 2 months ago

Blobs are only type of storage which can be exported.
upvoted 67 times

Answer is correct. B - Blob Container.
For Azure file share, it is tricky as it is mentioned Azure Files can be used for export and import. But I tested especially with file share and it
doesn't work. Maybe work for storage account with type file or something. but not Azure file shares.
upvoted 56 times

Only azure blob storage can be exported. Answer is B
upvoted 1 times

Correct answer: B
upvoted 7 times
  shahid3480 3 months, 2 weeks ago

Only the Blob data can be exported for details how to:
https://docs.microsoft.com/en-us/azure/import-export/storage-import-export-service
upvoted 2 times

upvoted 3 times

Binary Large Objects are the simplest for unstructured data. That's why they are the choice for Import/Export
upvoted 1 times

upvoted 6 times

upvoted 4 times

Container!
upvoted 1 times

Blobs are only type of storage which can be exported using Azure Import/Export
upvoted 4 times
  Bon_ 5 months, 3 weeks ago

Yes, this is right!!
Blobs == import/export
Files == import only
upvoted 3 times
  ShehuUsman 9 months ago

File share supports only import but not export. While blob supports import and export. So answer is correct
upvoted 4 times

Correct Answer: B


✑ Export supports Azure Blob storage. Azure Files not supported.
Only container1 can be exported.
Reference:
upvoted 26 times
  bacana 11 months ago

"Each app uses a managed identity" it not say what identity is using.
upvoted 1 times
  marvinconejo 11 months, 1 week ago

The response Is B
upvoted 1 times

Answer is correct.
Blob container
upvoted 1 times
  examhater 11 months, 2 weeks ago

get rid of these false answers, this stuff is unreadable.
upvoted 3 times
Question #8 Topic 3
HOTSPOT -
You have an Azure Storage account named storage1.
You have an Azure App Service app named App1 and an app named App2 that runs in an Azure container instance. Each app uses a managed
identity.
You need to ensure that App1 and App2 can read blobs from storage1. The solution must meet the following requirements:
✑ Minimize the number of secrets used.
Ensure that App2 can only read from storage1 for the next 30 days.
What should you configure in storage1 for each app? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
App1: Access keys -

App2: Shared access signature (SAS)
A shared access signature (SAS) provides secure delegated access to resources in your storage account without compromising the security of
your data. With a
SAS, you have granular control over how a client can access your data. You can control what resources the client may access, what permissions
they have on those resources, and how long the SAS is valid, among other parameters.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview
  shako Highly Voted  2 months, 1 week ago

for box 1 I would say : 'IAM' as we want to limit the secrets usage.
Agree with box 2 : Shared Access Signature
upvoted 24 times
  Acsoapps Highly Voted  1 month, 3 weeks ago

App1: IAM
https://docs.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-storage?tabs=azure-portal%2Cprogramming-language-
csharp
Grant access to the storage account
"Using Azure RBAC, you can give the managed identity access to another resource, just like any security principal"
App2: SAS
upvoted 7 times

SAS can control how long .so the answers are IAM and SAS
upvoted 1 times

IAM
SAS
Question says "Each app uses a managed identity AND Minimize the number of secrets used."
Therefore, use IAM due to managed identity being used. In other words, authenticate via Azure AD. And SAS enables time-based usage
upvoted 1 times

upvoted 1 times
  MitchelLauwers1993 2 weeks ago

(mlantonis)Correct Answer:
Box 1: Access Control (IAM)

Since the App1 uses Managed Identity, App1 can access the Storage Account via IAM. As per requirement, we need to minimize the
number of secrets used, so Access keys is not ideal.
Box 2: Shared access signatures (SAS)

We need temp access for App2, so we need to use SAS.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-auth
upvoted 1 times

App1: IAM
App2: SAS
upvoted 4 times

App1: IAM using the Apps managed identity to provide access to the storage. No requirement here to revoke the access after a period of
time.
App2: SAS as an expiration date can be set on them and will be revoked automatically
upvoted 3 times
  JavedF 2 months ago

Correct Answer: Box 1: Access Control (IAM) Since the App1 uses Managed Identity, App1 can access the Storage Account via IAM. As per
requirement, we need to minimize the number of secrets used, so Access keys is not ideal.
upvoted 2 times

access control iam
sas
upvoted 2 times

App1 : IAM
App2: SAS
upvoted 3 times
Question #9 Topic 3
HOTSPOT -
You need to create an Azure Storage account that meets the following requirements:
✑ Minimizes costs
✑ Supports hot, cool, and archive blob tiers
✑ Provides fault tolerance if a disaster affects the Azure region where the account resides
How should you complete the command? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: StorageV2 -
You may only tier your object storage data to hot, cool, or archive in Blob storage and General Purpose v2 (GPv2) accounts. General Purpose v1
(GPv1) accounts do not support tiering.
General-purpose v2 accounts deliver the lowest per-gigabyte capacity prices for Azure Storage, as well as industry-competitive transaction
prices.
Box 2: Standard_GRS -
Geo-redundant storage (GRS): Cross-regional replication to protect against region-wide unavailability.
Incorrect Answers:
Locally-redundant storage (LRS): A simple, low-cost replication strategy. Data is replicated within a single storage scale unit.
Read-access geo-redundant storage (RA-GRS): Cross-regional replication with read access to the replica. RA-GRS provides read-only access to
the data in the secondary location, in addition to geo-replication across two regions, but is more expensive compared to GRS.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-grs https://docs.microsoft.com/en-
us/azure/storage/blobs/storage-blob-storage-tiers
  ihavespoken Highly Voted  1 year, 2 months ago

Keep in mind the question is mentioning the minimize cost, even though Storage v2 and blob both can support the hot, cool, and archive
but Storage V2 is lowest cost. so answer is correct.
upvoted 54 times
  sidharthwader 9 months, 3 weeks ago

Yes GPv2 gives the storage in least price with latest features.
upvoted 1 times

This calculator shows the same price for Storage v2 as Blob Storage: https://azure.microsoft.com/en-gb/pricing/calculator/?
service=storage
upvoted 1 times
  Aniruddha_dravyakar 12 months ago

agreed
upvoted 1 times
  jelly_baby 1 year, 2 months ago

agreed
upvoted 2 times

Correct Answer:
Box 1: StorageV2
Box 2: Standard_GRS
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-grs
upvoted 40 times
  Az_dasappan Most Recent  1 week, 1 day ago

Premium block blobs3 Blob storage (including Data Lake Storage1) support only LRS &
ZRS . so the answer is storageV2
upvoted 1 times
  atilla 1 week, 6 days ago

second is GRS because there is no request about readability?
upvoted 1 times

Yes - standard GRS since the question says "minimize costs." But if it said, "data must be readable in both regions", then RA-GRS
upvoted 1 times

Also GRS would be the preference over RA_GRS as minimizing cost is a priority.
upvoted 2 times

As described here:
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview#types-of-storage-accounts
You can have Standard general-purpose v2 or Premium Blob storage.
Premium performance storage accounts use solid-state drives (SSDs) for low latency and high throughput, so they are more expensive.
The answers are StorageV2 and Standard_GRS.

upvoted 1 times
  Zephaniah 3 months, 3 weeks ago

Agreed, correct answer
upvoted 1 times

upvoted 3 times

Wouldn't RAGRS be cheaper than GRS, while still providing the requested redundancy ?
upvoted 1 times

GRS just gives you global redundancy without read permission on the secondary location and is only used if disaster strikes the
primary region. while RA-GRS also gives you the ability to also read from the secondary location. That added functionality gives you
added cost.
upvoted 1 times
  MGegruis 3 months, 2 weeks ago

no the opposite, GRS is cheaper
upvoted 1 times

I think this question is outdated because Azure does not allow for no other than Storage V2 now. The answer is correct though: Storage
V2, Standard_GRS.
upvoted 3 times

You can create v1 through pwsh or cli
upvoted 1 times
  Kp9696 6 months, 3 weeks ago

StorageV2 and GRS are the correct answers.
upvoted 1 times
  y_dev 6 months, 3 weeks ago

Answers are correct for both questions.
upvoted 1 times

upvoted 4 times

upvoted 3 times

The question mentioned about minimizing cost, even though Storage v2 and blob both can support the hot, cool, and archive but Storage
V2 is at lower cost.
Also, GPv2 gives the storage in least price with latest features.
upvoted 1 times

StorageV2 + GRS
upvoted 1 times

upvoted 1 times
You have an Azure subscription that contains the resources in the following table.
Store1 contains a file share named data. Data contains 5,000 files.
You need to synchronize the files in the file share named data to an on-premises server named Server1.
Which three actions should you perform? Each correct answer presents part of the solution.
A. Create a container instance
B. Register Server1
C. Install the Azure File Sync agent on Server1
D. Download an automation script
E. Create a sync group
Correct Answer: BCE

Step 1 (C): Install the Azure File Sync agent on Server1
The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share
Step 2 (B): Register Server1.
Register Windows Server with Storage Sync Service
Registering your Windows Server with a Storage Sync Service establishes a trust relationship between your server (or cluster) and the Storage
Sync Service.
Step 3 (E): Create a sync group and a cloud endpoint.
A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept in sync with each other. A sync group must
contain one cloud endpoint, which represents an Azure file share and one or more server endpoints. A server endpoint represents a path on
registered server.
Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide

Correct Answer: B, C and E
Step 1: Install the Azure File Sync agent on Server1. The Azure File Sync agent is a downloadable package that enables Windows Server to
be synced with an Azure file share.
Step 2: Register Server1. Register Windows Server with Storage Sync Service. Registering your Windows Server with a Storage Sync Service
establishes a trust relationship between your server and the Storage Sync Service.
Step 3: Create a sync group and a cloud endpoint. A sync group defines the sync topology for a set of files. Endpoints within a sync group
are kept in sync with each other. A sync group must contain one cloud, which represents an Azure file share and one or more server
endpoints. A server endpoint represents a path on registered server.
Reference:
upvoted 87 times
  WYLC Highly Voted  1 year, 2 months ago

that's correct!
upvoted 22 times
  HananS Most Recent  1 month, 3 weeks ago

CBE in order
upvoted 3 times
  sachin007 3 months ago

B,C,E is correct
upvoted 2 times

Came up on my exam today 02/10/21, answer is correct.
upvoted 1 times
  myself222 4 months, 2 weeks ago

all hail mlantonis
upvoted 2 times
  swapmaverick 5 months, 1 week ago

Correct Answer is B, C and E
To all Azure knowledge seeker - Kindly follow mlantonis user's answer in discussion board, he has nailed all the answers correctly. Thanks
mlantonis.
upvoted 2 times

The answer is a little simplified as you've got to add endpoints, create sync groups, etc., but that's not what they wish to know. I guess
they're just trying to establish if you know the fundamentals of Azure File Sync. The answer is correct.
upvoted 1 times

in exam 7/3/2021, I think the third choice was to add server1
upvoted 5 times
  EderAprigio 5 months ago

tks for share
upvoted 1 times

BCE is correct!
upvoted 2 times

Correct
upvoted 1 times

verified answer is correct from the provided link.
upvoted 3 times

Answer Correct!
upvoted 2 times

Answer sequence should be CBE
Step 1: Install the Azure File Sync agent on Server1. The Azure File Sync agent is a downloadable package that enables Windows Server to
be synced with an Azure file share.
Step 2: Register Server1. Register Windows Server with Storage Sync Service. Registering your Windows Server with a Storage Sync Service
establishes a trust relationship between your server and the Storage Sync Service.
Step 3: Create a sync group and a cloud endpoint. A sync group defines the sync topology for a set of files. Endpoints within a sync group
are kept in sync with each other. A sync group must contain one cloud , which represents an Azure file share and one or more server
endpoints. A server endpoint represents a path on registered server.
upvoted 6 times

upvoted 2 times

C. B. E. Should be the correct sequence.
upvoted 2 times

Agree!
upvoted 2 times
HOTSPOT -
You have an Azure subscription that contains the resources shown in the following table.
The status of VM1 is Running.

You assign an Azure policy as shown in the exhibit. (Click the Exhibit tab.)
You assign the policy by using the following parameters:

Microsoft.ClassicNetwork/virtualNetworks
Microsoft.Network/virtualNetworks
Microsoft.Compute/virtualMachines

Hot Area:
Correct Answer:
  bogdan89 Highly Voted  1 year, 2 months ago

Y-N-N tested today in a LAB.
upvoted 117 times

The answers have been reversed but this is 100% correct.
No - You cannot move a resource into a RG if the resource is restricted in the destination RG
No - The VM will not become deallocated, it will instead be marked as non-compliant
Yes - You can change the VNet address space, even with the virtualnetwork restriction, instead you will be prevented from making
ANOTHER VNet and the existing VNet will be marked as Non-Compliant.
Source: Tested it in my Azure Lab

upvoted 24 times
  awssecuritynewbie 1 week, 2 days ago

When a policy definition using the append effect is run as part of an evaluation cycle, it doesn't make changes to resources that
already exist. Instead, it marks any resource that meets the if condition as non-compliant.
upvoted 1 times

This is correct! The Policy is only restricted for creating new resources in RG2.
upvoted 2 times
  poosau 1 month, 4 weeks ago

I can see that the options in the question are reversed now. (order is reversed)
upvoted 4 times

Labbed just b/c so many people disagreed, you're right.
Y - Can freely change address space and subnets

N - Does not deallocate, is marked noncompliant
N - Cannot move, fails during validation due to policy restriction
upvoted 15 times

Y N N is correct. Tested in my lab.
upvoted 3 times

Woof ignore this. I started to second guess on this run through the questions and labbed it.
"Cloud lag" on policies is very high. Tested this at the 15m mark, same results. Tested again at the 1hr mark and can confirm its NNN
N - Once policy fully applies, changes to the address space (addition, deletion, modification) fail. Changes to subnets seem to
succeed.
N - Again, VM just marked noncompliant.
N - Movement still fails.
upvoted 26 times

Now that makes a lot of sense.
upvoted 1 times
  signalincode 5 months, 3 weeks ago

Lab tested, mother approved. N-N-N
upvoted 15 times
  Diego19 1 year, 2 months ago

Y-N-N is right. I have also tested it in LAB.
upvoted 17 times
  GDMalled 4 months, 3 weeks ago

Hi,
could you please tell me how to select parameters to assign a policy at subscription/RG scope??
Thank you
upvoted 1 times

You didn't test it right....I mean no offense, my guess is you choose the wrong parameters.
You can not move a virtual network into the another vnet if you apply the policy with the correct parameters.
{"code":"ResourceMovePolicyValidationFailed","message":"Resource move policy validation failed. Please see details. Diagnostic

information: subscription id '1134d0949e-63f2-7b877-8f40b-e445bc202bd6e', request correlation id '8008780447c-6995-4f21-8715-
78164c23454b'.","details":
Change some numbers around because of you cheeky ba...

upvoted 3 times
  prashantjoge 1 year, 2 months ago

How can the first be yes... Does not make sense
upvoted 6 times
  Jovial 1 year, 1 month ago

at least try in azure before speaking nonsense
upvoted 13 times

Maybe explain if you understand why, as it does sound illogical,
upvoted 6 times
  idlir Highly Voted  1 year, 2 months ago

N-N-N
Policy will identify the VM as not compliant but will not put VM in deallocate
upvoted 72 times

I agree. Existing non-compliant resources can be remediated with a remediation task. But no action is taken against them other than to
mark them as non-compliant
upvoted 5 times

This is wrong. It is YNN. Moving VNET1 to RG is allowed. I've tested in my tenant.
upvoted 10 times
  Anon6969 1 year, 2 months ago

This makes the most sense. Only one I am not sure on is how the policy would modify the change to the address space?
upvoted 3 times
  _punky_ Most Recent  4 weeks ago

Simple thing at policies in Azure: N - Does not deallocate/change/stop, is marked noncompliant for everything.
upvoted 1 times
  DhanukaJ 4 weeks, 1 day ago

My azure lab gaves me the same result as provided in the Question answers.
Allowed VNet Move - No
Allowed VM Deallocation - Yes
Allowed VNet address change - No
upvoted 1 times
  Kay04 1 month ago

You can use an Azure Resource Manager template to complete the move of the virtual network to another region. You do this by exporting
the virtual network to a template, modifying the parameters to match the destination region, and then deploying the template to the new
region
upvoted 1 times
  supernan 1 month ago

anyone agree to the N N N answer?
according to: https://docs.microsoft.com/en-us/azure/governance/policy/overview#control-the-response-to-an-evaluation
the policy ckeck will happend at any object setting was updated. So when you try to update the address pace of VN2, policy will be ckecked
and device will be marked as non-complaint. But I am not sure if the setting change will happen.
upvoted 1 times
  lateralus 1 month, 1 week ago

Tested the exact same setup in LAB. Answer is No, No, No
- You can not move VNET1 to RG2 as the validation fails with error: Resource 'VNET1' was disallowed by policy. (Code:
RequestDisallowedByPolicy) Policy: Not allowed resource types
- The VM state does not change, VM remains running
- You cannot change address space on VNET2. Error: Failed to save address space changes to virtual network 'VNET2'. Error: Resource
'VNET2' was disallowed by policy.
upvoted 4 times
  adrien_m59 1 month, 1 week ago

Just tested on my Azure Portal here are the results :
BOX 1 : Resource "VNET1" was disallowed by policy

BOX 2 : VM1 is non-comliant but not deallocated
BOX 3 : Address space can be modified even many hours after plicy assignment
So Answer is NNY
upvoted 3 times

this is what i get as well, but i managed to move a VM in to the RG, but not allowed create a VM in the RG.
upvoted 1 times

Y-N-N is the correct answer
upvoted 1 times

Correct Answer:
Existing non-compliant resources can be remediated with a remediation task. But no action is taken against them other than to mark
them as non-compliant.
Box 1: Yes
You can move already existing VNETs to the RG applying this policy.
Box 2: No
Existing resources are not modified by newly created policies. VM will stay as is.
Box 3: No
New changes to existing resources will have to be compliant with the policies applying the RG, so no new changes will be allowed to
existing VNETs.
upvoted 1 times
  stanloona 1 month, 2 weeks ago

my lab test result is N N N too.
I can delete subnet of RG2.

but I can't modify address spaces of vnet2, even if it hasn't subnets.
upvoted 1 times
  mse89 1 month, 3 weeks ago

NNN
you cannot move not allowed resource type in the destination group with policy assigned
you can only edit a subnet address space, edit the vnet address space will fail
VM keep running
upvoted 2 times

I personally think the answer is N,N,N, but a generic answer is Y, N,N.
upvoted 2 times

I think the correct answer is below after testing in Azure.

Box 1 No. You can't move VNET1 to RG2.
Box 2 Yes. You can change the state of VM1.
Box 3 No. You can't change the address space of VNET2.
Here is the testing process.

Preparation
1. Created RG1, then created VNET1.
2. Created RG2, then created VNET2 and VM1.
3. Created a policy to match the question. You will need to create policy after RG1 and RG2.
Validated the policy

1. Go to Policy, there were two non-compliants, vnet2 and vm1. This indicates the policy is working.
2. I also tried to create a vnet and VM in RG2. I got validation errors which prevent me from creating vnet and VM. This is expected result
as RG2 has a policy to deny vnet and VM.
Testing.
Box 1: When I moved VNET1 to RG2. I got validation error:
Code: ResourceMovePolicyValidationFailed
'VNET1' was disallowed by policy
Box 2: I CAN change VM1 to stopped(deallocated). I can also start it.
Box 3: I tried to change address space of VNET2. I got:

Failed to save address space changes to virtual network 'VNET2'. Error: Resource 'VNET2' was disallowed by policy.
upvoted 2 times
  sudocat 1 month ago

My answer as well is NO, YES, NO.
I tried this exact same setup and scenario in Azure. Here are my results:
Box 1: I got this error -> Resource 'VNET1' was disallowed by policy. Hence the answer is NO.
Box 2: I successfully changed the status of the VM1 to deallocated. Hence the answer is YES.
Box 3: I got this error -> Failed to save address space changes to virtual network 'VNET2'. Error: Resource 'VNET2' was disallowedby
policy. Hence, answer is NO.
upvoted 1 times
  sudocat 1 month ago

My mistake, since Box 2 option was "The state of VM1 changed to deallocated". After enabling the policy, the status of the VM did
not change. It was still running even after the policy was applied.
The answer should be NO, NO, NO.
upvoted 2 times
  maatksle 1 month, 4 weeks ago

Okay, this is what I found from all the comments:
On answer being N N N - so nothing can be done, because of the policy affecting the exact same resource.
The result is that - A resource deployment restricted by a policy will also affect any change made to the existing non compliant resources
upvoted 1 times
  Panadol 2 months, 1 week ago

test in lab answer is N N N . you need to give policy 30 minutes to take in place. before applying the policy i was able to move VNET1 to
RG2 however after policy the move failed. remember you have to wait for 30 minutes or longer to see the effect of policy.
upvoted 3 times
  markv8 2 months, 1 week ago

can anyone confirm, im able to shutdown the vm and the status changes to Stopped (deallocated) with the policy applied
upvoted 1 times
DRAG DROP -
You have an Azure subscription that contains a storage account.
You have an on-premises server named Server1 that runs Windows Server 2016. Server1 has 2 TB of data.
You need to transfer the data to the storage account by using the Azure Import/Export service.
In which order should you perform the actions? To answer, move all actions from the list of actions to the answer area and arrange them in the
correct order.
NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.
Select and Place:
Correct Answer:
At a high level, an import job involves the following steps:

Step 1: Attach an external disk to Server1 and then run waimportexport.exe
Determine data to be imported, number of drives you need, destination blob location for your data in Azure storage.
Use the WAImportExport tool to copy data to disk drives. Encrypt the disk drives with BitLocker.
Step 2: From the Azure portal, create an import job.
Create an import job in your target storage account in Azure portal. Upload the drive journal files.
Step 3: Detach the external disks from Server1 and ship the disks to an Azure data center.
Provide the return address and carrier account number for shipping the drives back to you.
Ship the disk drives to the shipping address provided during job creation.
Step 4: From the Azure portal, update the import job
Update the delivery tracking number in the import job details and submit the import job.
The drives are received and processed at the Azure data center.
The drives are shipped using your carrier account to the return address provided in the import job.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-service
  inemumoren Highly Voted  7 months, 4 weeks ago

i just realised i don't know shit!
upvoted 144 times

That's why we are here, to memorize answer without understanding what's under the hood. :(
upvoted 20 times

True that!!
upvoted 2 times
  Aadimanav 3 months, 3 weeks ago

LOL we are on same page
upvoted 9 times
  JCSYS_001 3 months, 3 weeks ago

I have been facing the same struggle and relieved to see that I can feel better about it... :)
upvoted 8 times

Haha... I guess you've been on an MS Learn scheme huh!
I felt the samestart. The MS Learn isn't very practical, it's too much theory and not enough practice.
Going through these questions do put you in a work type of environment and therefore gives you more practical experience. It will
settle, don't give up.
Best wishes
upvoted 23 times

Ms Learn has lots of theory which helps in a way but their knowledge check is not refrective of the actual exam.With Ms learn only
you will fail
upvoted 6 times

Same applies to Microsoft paid instructor-led AZ104 courses. I can't see how somebody can successfully pass the exam
exclusively with az104 course material.
upvoted 1 times

I did the official MS course and the instructor themselves tell you that the course is not enough to pass and you need to put
way more work to pass the test.
upvoted 1 times

correction: *WAimportexport.exe
upvoted 1 times
  imartinez 7 months, 1 week ago

Congrats for you.. I realized that in question 1
upvoted 18 times

Congratz for you , i first realized that in q1 of az-900 !
but u know what that's how we progress, admitting that u know nothing is they way to know much and much more :) best of luck
learners around the globe ♥
upvoted 3 times
  Ajoelives 6 months, 3 weeks ago

hey me too
upvoted 5 times

Correct Answer:
Step 1: Prepare the drives (Attach an external disk to Server1 and then run waimportexport.exe)
Step 2: Create an import job (From the Azure portal, create an import job)
Step 3: Ship the drives to the Azure datacenter (Detach the external disks from Server1 and ship the disks to an Azure data center)
Step 4: Update the job with tracking information (From the Azure portal, update the import job)
Reference:
https://docs.microsoft.com/en-us/azure/import-export/storage-import-export-data-to-files?tabs=azure-portal
upvoted 61 times
  FTAZIT Most Recent  3 weeks, 1 day ago

I went through the 11 hour video on YT for a very good overview and then came here to expand on it. Just read through the discussion
board and Microsoft Documentation to close the gap on what you don't know and also Google terms and concepts...like SMB and etc...
upvoted 2 times
  anonymous007 1 month, 3 weeks ago

LOl, same, even trough my 6-8 years study with programming languages, Cloud automation, and everything from web app
micrososervices to network engineering, I still KNOW SHIT.
upvoted 1 times
  Jeffdu 2 months ago

Attach...create...detach...update
upvoted 14 times

this is correct. For export job, it's similar process but you ship them empty drives. only for blobs
upvoted 1 times

In Exam 21/08/2021
upvoted 6 times

Correct.
Hint: When you are creating the Import/Export job you're going to need details from WAimport/Export.exe experience. Hence, that comes
first.
The same applies after the disc has been sent.
Answer is correct.
upvoted 3 times

in exam 30 July 2021
upvoted 4 times

Answer is correct. Below is the order -
1. Prepare the drive - Attach an external disk to Server1 and then run waimportexport.exe
2. Create an import job - From the Azure portal, create an import job.
3. Ship the drives to the Azure datacenter - Detach the external disks from Server1 and ship the disks to an Azure data center.
4. From the Azure portal, update the import job
Ref # https://docs.microsoft.com/en-us/azure/import-export/storage-import-export-data-to-files?tabs=azure-portal
upvoted 1 times

1. attach disk
2. create import job
3.detach disk
4. update import job
upvoted 2 times
  Tamilarasan 8 months, 2 weeks ago

upvoted 1 times

Answer is correct
Step 1: Attach an external disk to Server1 and then run waimportexport.exe
Step 2: From the Azure portal, create an import job.
Step 3: Detach the external disks from Server1 and ship the disks to an Azure data center.
Step 4: From the Azure portal, update the import job
Update the delivery tracking number in the import job details and submit the import job.
upvoted 19 times

upvoted 3 times

Answer is correct for the Import job sequence
upvoted 1 times
Correct.
Step 1: Prepare the drives

Step 2: Create an import job
Step 3: Ship the drives to the Azure datacenter
Step 4: Update the job with tracking information
Source : https://docs.microsoft.com/en-us/azure/import-export/storage-import-export-data-to-files?tabs=azure-portal
upvoted 4 times

upvoted 2 times
HOTSPOT -
You have Azure subscription that includes following Azure file shares:
You have the following on-premises servers:
You create a Storage Sync Service named Sync1 and an Azure File Sync group named Group1. Group1 uses share1 as a cloud endpoint.
You register Server1 and Server2 in Sync1. You add D:\Folder1 on Server1 as a server endpoint of Group1.
Hot Area:
Correct Answer:
Box 1: No -
Group1 already has a cloud endpoint named Share1.
A sync group must contain one cloud endpoint, which represents an Azure file share and one or more server endpoints.
Box 2: Yes -
Yes, one or more server endpoints can be added to the sync group.
Box 3: Yes -
Yes, one or more server endpoints can be added to the sync group.
Reference:
  boink Highly Voted  1 year, 2 months ago

NO NO YES
upvoted 121 times
  certW1z 1 year, 1 month ago
Lab tested ... NO NO YES is correct

confirmation of second que: https://docs.microsoft.com/en-us/answers/questions/110822/azure-file-sync-multiple-sync-directories-for-
same.html
"Azure File Sync does not support more than one server endpoint from the same server in the same sync group."
upvoted 27 times

That's correct (NO NO YES), because to add another server endpoint from the same server you need to have another sync group...
"Multiple server endpoints can exist on the same volume if their namespaces are not overlapping (for example, F:\sync1 and F:\sync2)
and each endpoint is syncing to a unique sync group."
upvoted 16 times

I agree because I had tested it and sync group does not allow me to add the same registered server again in the endpoint.
upvoted 3 times
  gitsyn 1 year, 2 months ago

Answer is correct: NO YES YES
The documentation specifies the samve volume, not server. You can't have two server endpoints on the same volume in one sync
group, but in this question, the volumes are D: and E:, so then you can have two server endpoints.
upvoted 5 times

"A registered server can support multiple server endpoints, however a sync group can only have one server endpoint per
registered server at any given time. Other server endpoints within the sync group must be on different registered servers." -
https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-deployment-guide?tabs=azure-portal%2Cproactive-portal. This
is very specifically about servers not volumes, so No, No, Yes
upvoted 13 times
  aaa112 1 year, 2 months ago

But you cannot extend the existing endpoint, so you need to recreate it. Question is about adding Server 2 as an endpoint, but it
is already an endpoint. "Once you add a server as an endpoint, you can’t add it again."
upvoted 3 times

Correct Answer:
Box 1: No
A sync group contains one cloud endpoint, or Azure file share, and at least one server endpoint.
Box 2: No
Azure File Sync does not support more than one server endpoint from the same server in the same Sync Group.
Box 3: Yes
Multiple server endpoints can exist on the same volume if their namespaces are not overlapping (for example, F:\sync1 and F:\sync2) and
each endpoint is syncing to a unique sync group.
Reference:
https://docs.microsoft.com/en-us/answers/questions/110822/azure-file-sync-multiple-sync-directories-for-same.html
upvoted 86 times
  hanyahmed Most Recent  1 month, 2 weeks ago

Box 1: No
Box 2: No
Box 3: Yes
upvoted 3 times

Correct Answer:
Box 1: No
Box 2: No
Box 3: Yes
upvoted 1 times

Correct Answer:
Box 1: No
Box 2: No
Box 3: Yes
upvoted 1 times

No No Yes
upvoted 2 times

Correct Answer: (Reiterating Mlantonis answer)
Box 1: No
Box 2: No
Box 3: Yes
Reference:
https://docs.microsoft.com/en-us/answers/questions/110822/azure-file-sync-multiple-sync-directories-for-same.html
upvoted 1 times
  mfvsidiangco 2 months, 2 weeks ago

NO NO Yes -A registered server can support multiple server endpoints, however, a sync group can only have one server endpoint per
registered server at any given time. Other server endpoints within the sync group must be on different
upvoted 1 times
  enslow 2 months, 3 weeks ago

NO NO YES
upvoted 1 times

*No, because share1 is already being used as cloud endpoint. You can’t have multiple cloud endpoints on a single sync group.
*Multiple server endpoints can only be added to the same sync group as long as they are coming from different servers; so 2) No, 3) Yes
upvoted 1 times

upvoted 3 times

NO NO YES
upvoted 1 times
  raydel92 5 months ago

https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-deployment-guide?tabs=azure-portal%2Cproactive-portal#create-a-
server-endpoint
The second statement is false because:

"A registered server can support multiple server endpoints, however a sync group can only have one server endpoint per registered server
at any given time. Other server endpoints within the sync group must be on different registered servers."
upvoted 1 times
  signalincode 6 months ago

Lab'd this one myself. No - No - Yes is the correct answer.
Please, do everyone a favor, and only post answers if you have tested and verified them yourself.
upvoted 7 times

Answer is correct:
(An update to my previous post that was a little unclear)
Hint: You can add many different servers and enpoint to a single Sync Group; however, you can not add 2 different shares to the same
synch group. A cloud endpoint is an Azure file share that is part of a sync group. The entire Azure file share syncs, and an Azure file share
can be a member of only one cloud endpoint. Different shares, different endpoints.
That's the whole reason why they had to implement the concept of endpoint and sync groups - to sync files from different
locations/services/servers to the same share.
So, 1 cloud File Share -> 1 cloud endpoint.
And if you wish to separate the share contents, you create another File Share and assign it to a different endpoint.
upvoted 1 times

Additional: An Azure file share can be a member of only one sync group.
upvoted 1 times

Answer is correct:
Hint: You can add many different servers and enpoint to a single Sync Group; however, you can not add 2 different shares to the same
synch group. A cloud endpoint is an Azure file share that is part of a sync group. The entire Azure file share syncs, and an Azure file share
can be a member of only one cloud endpoint. Different shares, different endpoints.
That's the whole reason why they had to implement the concept of endpoint and sync groups - to sync files from different
locations/services/servers to the same share. So 1 share - 1 endpoint.
And if you wish to separate the share contents, you create a another File Share and assign it to a different endpoint.
upvoted 1 times

Update: 1 Cloud file share -> 1 cloud endpoint.
upvoted 1 times
  faysal1612 6 months, 1 week ago

I lost brain cells while reading this question
upvoted 16 times
DRAG DROP -
You have an Azure subscription named Subscription1.
You create an Azure Storage account named contosostorage, and then you create a file share named data.
Which UNC path should you include in a script that references files from the data file share? To answer, drag the appropriate values to the correct
targets. Each value may be used once, more than once or not at all. You may need to drag the split bar between panes or scroll to view content.
Select and Place:
Correct Answer:
Box 1: contosostorage -
The name of account -
Box 2: file.core.windows.net -
Box 3: data -
The name of the file share is data.
Example:
Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows

Correct Answer:
[storageaccountname].file.core.windows.net/[FileShareName]
contosostorage.file.core.windows.net\data
Reference:
upvoted 46 times
  Hibs2016 Highly Voted  1 year, 2 months ago

Correct Answer - contosostorage.file.core.windows.net\data.
upvoted 32 times

had this question on 05/Feb/22 exam during review...i changed to wrong answer blob.core.windows.net hahahaha
upvoted 2 times

Took the exam today, 17 Oct. This question came out. Ans: contosostorage.file.core.windows.net\data
upvoted 4 times

upvoted 5 times
  Nickmeharshi 5 months, 1 week ago

Correct answer
upvoted 1 times

upvoted 4 times

I always confuse / and \ for some reason. They look the same to me; haha...
\\contosostorage.file.windows.net\data
Something good to commit to memory. I feel like I'm dwarfing a doctor with memory with the amount of stuff I've been committing to
memory.
Answer is correct
upvoted 2 times
  mdmdmdmd 5 months, 1 week ago

Your needless comments are tiresome. I know you're probably long gone but having a bunch of wrong comments or duplicate
comments on every page is super annoying and I don't have enough time to report every one.
upvoted 2 times

in exam 7/3/2021
upvoted 5 times
  VVR141 8 months ago

From the docs:
Select the drive letter and enter the UNC path, the UNC path format is:
\\<storageAccountName>.file.core.windows.net\<fileShareName>.
For example: \\anexampleaccountname.file.core.windows.net\example-share-name.
upvoted 2 times

contosostorage.file.core.windows.net\data
upvoted 1 times

Tested in my subscription.
Correct Answer - contosostorage.file.core.windows.net\data
upvoted 1 times

Answer is correct
upvoted 1 times
  samratmahe 9 months ago

Answer is correct - Tested on 22-May-2021
UNC Path syntax: \\<storageaccountname>.file.core.windows.net\<filesharename>
As per example given in question: \\contostorage.file.core.windows.net\data

upvoted 4 times
  samratmahe 9 months ago

Correct Answer: Tested (22-May-20121)
UNC Path:\\<storageaccountname>.file.core.windows.inet\<filesharename>
As per example given in question: \\contostorage.file.core.windows.net\data

upvoted 3 times
  Elavarasu 11 months, 1 week ago

Answer is correct
upvoted 3 times

Answer is correct
upvoted 2 times
HOTSPOT -
You have an Azure subscription that contains an Azure Storage account.
You plan to copy an on-premises virtual machine image to a container named vmimages.
You need to create the container for the planned image.
Which command should you run? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:

Correct Answer:
azcopy make 'https://mystorageaccount.blob.core.windows.net/vmimages'
Similar to OS Images, a VM Image is a collection of metadata and pointers to a set of VHDs (one VHD per disk) stored as page blobs in
Azure Storage.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-ref-azcopy-make
upvoted 52 times
  Tom900 Highly Voted  1 year, 2 months ago

Correct Answer. Similar to OS Images, a VM Image is a collection of metadata and pointers to a set of VHDs (one VHD per disk) stored as
page blobs in Azure Storage
upvoted 32 times

Agree correct answer - make, blob
upvoted 12 times

had this question on 05/Feb/22 exam pls note don't let it to confuse pervious one ...file.core.windows.net/data one
upvoted 3 times
  GandhamPKumar 3 weeks, 6 days ago

Thanks
upvoted 1 times

Took the exam today on 17 Oct. This question came out. Ans: make, blob
upvoted 4 times

upvoted 5 times
  [Removed] 6 months, 3 weeks ago

in exam 7/26/2021
upvoted 6 times

in exam 7/3/2021
upvoted 6 times
  lucky_18 7 months, 3 weeks ago

came in exam on June 28 2021
upvoted 7 times

upvoted 6 times

Agree correct answer - make, blob
upvoted 3 times

Answer is correct make / blob.
https://docs.microsoft.com/en-us/azure/storage/common/storage-ref-azcopy-make?toc=/azure/storage/blobs/toc.json
upvoted 2 times
  Md_Shahnawaz 9 months ago

https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-files
upvoted 1 times

answer is correct. Referencing the following URL https://docs.microsoft.com/en-us/azure/storage/common/storage-ref-azcopy-make
provided by miki confirmed the answer.
upvoted 2 times

Answer is correct
upvoted 1 times

upvoted 2 times

Although I selected the wrong answer at first, I realized through this forum what is the correct answer. Thank you.
upvoted 2 times
HOTSPOT -
You have an Azure File sync group that has the endpoints shown in the following table.
Cloud tiering is enabled for Endpoint3.

You add a file named File1 to Endpoint1 and a file named File2 to Endpoint2.
On which endpoints will File1 and File2 be available within 24 hours of adding the files? To answer, select the appropriate options in the answer
area.
Hot Area:
Correct Answer:
File1: Endpoint3 only -

Cloud Tiering: A switch to enable or disable cloud tiering. When enabled, cloud tiering will tier files to your Azure file shares. This converts on-
premises file shares into a cache, rather than a complete copy of the dataset, to help you manage space efficiency on your server. With cloud
tiering, infrequently used or accessed files can be tiered to Azure Files.
File2: Endpoint1, Endpoint2, and Endpoint3
Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-cloud-tiering

Correct Answer:
File1: Endpoint1 only

It is a cloud endpoint, and it is scanned by the detection job every 24 hours.
File2: Endpoint1, Endpoint2 and Endpoint3

With the on-premises servers the file is scanned and synced automatically after it's being added.
Note: They changed the question in Exam from "within 24 hours" to "after 24 hours".
So, the answer is:
Reference:
https://docs.microsoft.com/en-us/learn/modules/extend-share-capacity-with-azure-file-sync/2-what-azure-file-sync
upvoted 212 times
  Altera2k 5 months ago

In exam 09/20/2021 - As mlantonis mentioned, the question was changed to „After 24 hours“
upvoted 18 times

Correct, to add:
"You can make changes to any cloud endpoint or server endpoint in the sync group and have your files synced to the other endpoints
in the sync group. If you make a change to the cloud endpoint (Azure file share) directly, changes first need to be discovered by an
Azure File Sync change detection job. A change detection job is initiated for a cloud endpoint only once every 24 hours. For more
information"
upvoted 5 times
  drae2210 3 weeks ago

"If you make a change to the cloud endpoint (Azure file share) directly..."
The cloud endpoint is not the Azure file share, the server endpoint is. The cloud endpoint would be the on-premise file share
because it is in the cloud already. Azure file shares are put on on-premise servers.
If you make changes to the cloud endpoint (on-premise file share), the changes are immediately detected and replicated to the
Azure file share (the on-premise server or server endpoint in this case).
"Azure File Sync (server endpoint) has a scheduled job called a change detection job. This job is initiated every 24 hours. So, if you
change a file in the Azure file share(server endpoint), you might not see the change on the on-premises file share (cloud endpoint)
for at least 24 hours."
Mlantonis's answers are correct, but the explanation above by Mcc is not.
upvoted 1 times
  JouPa 1 month, 3 weeks ago

that cleared it up for me , thanks
upvoted 1 times

Thank you so much. That's something I thought was a little confusing as it would make their revealed answer wrong.
upvoted 3 times

Good Info
upvoted 2 times
  Skankhunt Highly Voted  1 year, 2 months ago

Should be File 1: Endpoint 1 only File 2: Endpoint 1, Endpoint 2 and Endpoint 3
upvoted 47 times

Not agree. Please read MLM0607's answer below.
upvoted 2 times

LM0607's answer are File 1: Endpoint 1 only File 2: Endpoint 1, Endpoint 2 and Endpoint 3!
upvoted 5 times

This is correct. Confirmed it in labs
upvoted 3 times

Tell me what exactly you did in your Lab
upvoted 1 times
  janshal 1 year, 2 months ago

you waited 24 hour for the job to be sync?
I think the answer is all endpoints because the syc job run every 24 hour so even if your created the file a second after the sync jobs
started it will be sync within 24 hours
upvoted 10 times
  amiri7171 Most Recent  4 weeks, 1 day ago
All is needed to understand this topic deeply is in this article.

https://docs.microsoft.com/en-us/learn/modules/extend-share-capacity-with-azure-file-sync/2-what-azure-file-sync
upvoted 1 times

File1: Endpoint1 only -> cloud endpoint will be scanned after 24 hrs.
File2: Endpoint1, Endpoint2 and Endpoint3-> server endpoint automatically scanned
upvoted 1 times

Why nobody is mentioning Cloud Tiering? it is just meant to ignore?
upvoted 3 times
  stdevops 3 months, 2 weeks ago

Passed Oct 29 score 940. This question was asked.
Was "after 24 hours"
upvoted 12 times

upvoted 2 times
  Mercator 4 months, 3 weeks ago

What I got wrong here as non native english speaker:
What does it mean within 1 hour?

Google: Within an hour" means "within 60 minutes." " Within the hour" means "before the next hour is reached."
So within 24 hours means the time period before (!) the 24 hours have passed.
upvoted 2 times

Within 24hours:
File1: Endpoint 1 only
File2: Endpoints 1, 2 & 3
After 24hour
File1: Endpoint 1, 2 & 3
upvoted 4 times

upvoted 1 times

The answer is wrong.
How can file 1 be in Endpoint3 only when it is already in Endpoint1?
What they are trying to establish is if you know that the online file will not be synchronized until after 24h. The only files that are sync
within that period are the On-Prem files in the sync group.
Since File1 is already in Endpoint 1, within 24 it will only be in Endpoint 1

File 2 is an on-prem file - replicate to the cloud and across all endpoints connected to the sync group
Within 24hours:
File1: Endpoint 1 only
After 24hour
Unfortunately cloud tiering has nothing to do with the answer here. It's just there to confuse you.
Thank You
upvoted 8 times
  Parry11 7 months, 1 week ago

In this case the answer is-
1. Endpoints 1,2,3
2. Endpoints 1,2,3
upvoted 3 times
  RoastChicken 7 months, 1 week ago

Correct answer:
File 1: Endpoint 2 and Endpoint 3 - When you add a file to the Cloud endpoint it takes 24 hours to be sync with the server endpoints
https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-deployment-guide?tabs=azure-portal%2Cproactive-portal#deploy-the-
storage-sync-service and https://docs.microsoft.com/en-us/azure/storage/files/storage-files-faq?toc=/azure/storage/filesync/toc.json#afs-
change-detection
File 2: Endpoint 1, 2 and 3

upvoted 1 times
  tzaroon 7 months, 2 weeks ago

Answers are for file1 will be endpoint 1 and 3 because file 1 is already at endpoint 1 and within 24 hours which is the file sync limit. The file
will be available within 24 at endpoint 3 only because of the enabled cloud tier.
upvoted 1 times

upvoted 4 times
  Anshul174 7 months, 4 weeks ago

Answer is File1: Enpoint3 and File2: all Endpoints. When you enable cloud teiring you get a cached copy of file1 on Ep3
upvoted 3 times
  ScreamingHand 8 months ago

Am I right in thinking that; File2, once copied to Endpoint2 will be immediately sync'd to the Cloud endpoint, - from there it may take 24
hours for it to be replicated to Endpoint3.
Therefore File2:
Endpoint2 and Endpoint3 only.
upvoted 1 times
HOTSPOT -
You have several Azure virtual machines on a virtual network named VNet1.
You configure an Azure Storage account as shown in the following exhibit.
Hot Area:
Correct Answer:
Box 1: never -
The 10.2.9.0/24 subnet is not whitelisted.
Box 2: never -
After you configure firewall and virtual network settings for your storage account, select Allow trusted Microsoft services to access this storage
account as an exception to enable Azure Backup service to access the network restricted storage account.
Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows https://azure.microsoft.com/en-us/blog/azure-
backup-now-supports-storage-accounts-secured-with-azure-storage-firewalls-and-virtual-networks/

Correct Answer:
VNet1’s address space is 10.2.0.0/16.

The VNet1 has only 1 Subnet associated: 10.2.0.0/24. The address space of a VNet is irrelevant if there isn’t a corresponding Subnet from,
which VMs can be assigned IP addresses.
Box1: Never
VMs from 10.2.9.0/24 (10.2.9.0 - 10.2.9.255) are out of Subnet.
Subnet IP range 10.2.0.0 - 10.2.0. 255.
Box2: Never
Since the checkbox to allow trusted Microsoft services is not checked. After you configure firewall and virtual network settings for your
storage account, select Allow trusted Microsoft services to access this storage account as an exception to enable Azure Backup service to
access the network restricted storage account.
upvoted 103 times
  Leandroalonso Highly Voted  1 year, 2 months ago

VMs from the 10.2.9.0/24 should NEVER access the storage!!!!!
Since wich the selection of the network is segmented by subnets, and not by virtual networks.
upvoted 68 times
  besha 10 months, 2 weeks ago

Technically 10.2.9.0/24 subnet is part of 10.2.0.0/16 subnet which is in the allowed subnet. but should still be Never because it's
Endpoint status is not enabled
upvoted 16 times

Allowed access is at the subnet level which is 10.2.0.0/24 which includes Ip range 10.2.0.0-10.2.0.255, this means the VM on
10.2.9.0/24 will not have access to storage account.
upvoted 12 times

I disagree. Your subnet mask understanding for network id and host id is wrong.
upvoted 4 times

@RamanAgarwal. I apologize. I misread. Your statement is correct.
upvoted 5 times

Yes, that's true. The virtual machine attached to the following virtual network 10.2.9.0/24 will never have access to the storage account,
because of the firewall rules, so the correct answer is:
-Never
-Never
upvoted 14 times
  awssecuritynewbie Most Recent  1 week ago

The answer is correct, you need to use the subnet and not allow access for the WHOLE VNET.
READ THIS FROM THE MS DOC:
You can configure storage accounts to allow access only from specific subnets. The allowed subnets may belong to a VNet in the same
subscription, or those in a different subscription, including subscriptions belonging to a different Azure Active Directory tenant.
upvoted 1 times

VNET1 1 10.2.0.0/16 => that means we have allowed 1 subnet in the vnet 10.2.0.0/16
Prod 10.2.0.0/24 Enabled => that is the subnet we are allowing to access the storage account
Allowed trusted Microsoft services to access this storage account => some Azure services operate from networks that can't be included in
the network rules but you can grant trusted Azure services access to the storage account.
So the first option is never, because the VM is in the subnet 10.2.9.0/24 which is not allowed.
And second option is never, since allowed trusted Microsoft services is unchecked.
upvoted 1 times

1. Never
2. Never
upvoted 3 times

upvoted 1 times

Came up on my exam today 02/10/21. Correct answer.
upvoted 1 times
  mojtabaeshkevar 5 months ago

Only one subnet (prod=10.2.0.0/24) of Vnet (range=10.2.0.0/16) has access to the storage and no any other subnets can access to the
storage, including 10.2.9.0/24 (dont be confused with Subnet and net in the picture)- So Never Never
upvoted 1 times

upvoted 1 times

Correct Answer:
VNet1’s address space is 10.2.0.0/16.

The VNet1 has only 1 Subnet associated: 10.2.0.0/24. The address space of a VNet is irrelevant if there isn’t a corresponding Subnet from,
which VMs can be assigned IP addresses.
Box1: Never
VMs from 10.2.9.0/24 (10.2.9.0 - 10.2.9.255) are out of Subnet.
Subnet IP range 10.2.0.0 - 10.2.0. 255.
Box2: Never
Since the checkbox to allow trusted Microsoft services is not checked. After you configure firewall and virtual network settings for your
storage account, select Allow trusted Microsoft services to access this storage account as an exception to enable Azure Backup service to
access the network restricted storage account
upvoted 2 times

Never Never!
upvoted 2 times

This link shows that Azure Backup requires "Allow Trusted Microsoft...", https://docs.microsoft.com/en-gb/azure/storage/common/storage-
network-security?tabs=azure-portal#exceptions
upvoted 2 times

Never for both
upvoted 1 times
  TinaSkilled 9 months, 3 weeks ago

If virtual machine was on subnet 10.2.0.0/24 , would it get access to storage ? I think NO because the checkbox below is not enabled for
storage account. Can someone confirm this
upvoted 2 times
  gladi 11 months ago

1) Never
2) Never
upvoted 4 times

never
never
upvoted 1 times

- Never: VMs from 10.2.9.0/24 are out of subnet. Subnet IP range 10.2.0.0 - 10.2.0. 255
- Never: Since the checkbox to allow Microsoft trusted services is not checked
upvoted 11 times
HOTSPOT -
You have a sync group named Sync1 that has a cloud endpoint. The cloud endpoint includes a file named File1.txt.
Your on-premises network contains servers that run Windows Server 2016. The servers are configured as shown in the following table.
You add Share1 as an endpoint for Sync1. One hour later, you add Share2 as an endpoint for Sync1.
Hot Area:
Correct Answer:
Box 1: Yes -
If you add an Azure file share that has an existing set of files as a cloud endpoint to a sync group, the existing files are merged with any other
files that are already on other endpoints in the sync group.
Box 2: No -
Box 3: Yes -
Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-planning
  boink Highly Voted  1 year, 2 months ago

NO NO YES
upvoted 104 times
  allray15 11 months ago

came in exam today 3/24/21, passed 850+ score always check discussion for correct answers. answered n,n,y
upvoted 43 times
  cdc_jr3150 9 months ago

what else did you use to study? having a hard time passing.
upvoted 2 times
  jjj554 10 months, 4 weeks ago

Did most of the questions come from this list?

upvoted 3 times

Agreed... tested it myself
upvoted 6 times
  Constantinos 1 year, 2 months ago

tested on LAB and agree
upvoted 9 times
  sprons77 Highly Voted  1 year, 2 months ago

Agree, files are never overwritten. If the file exists, it will get a new name on the endpoint (file1(1).txt)
upvoted 52 times

I just tested in the lab and files are not overwritten. File that is older will get name of the hosting server added. for example: srv01
creates a new version of "file1" so older version (hosted on srv02) gets renamed to "file1-srv02"
upvoted 2 times

ok then, if your statement is correct, the 3rd is ambiguous, since you will have file1.txt and file1(1).txt on the cloud endpoint and after
24 hours, you will have both on Share2, true, but the one named file1.txt it's the original one we had on the cloud endpoint
upvoted 1 times
  pavan_rao Most Recent  1 week ago

N N Y is the correct answer
upvoted 1 times

upvoted 2 times

NO NO YES
NO (New file will create in share1 with the extension of File1-Cloud.txt) so there wont be any chance of overwritten
NO (on server1 also File1-Cloud.txt got added) so there is no chance of overwritten
upvoted 2 times

It is all about definition of overwritten. If File1.txt in cloud endpoint contained 'abcd' and file1.txt in server had 'efgh', after sync what will
be the content in file1.txt in cloud? it will be 'efgh', right?. Can't we say file1.txt in cloud is overwritten by file1.txt from server?
upvoted 1 times

NO NO YES
If the same file is changed on two servers at approximately the same time, what happens?
Azure File Sync uses a simple conflict-resolution strategy: we keep both changes to files that are changed in two endpoints at the same
time. The most recently written change keeps the original file name. The older file (determined by LastWriteTime) has the endpoint name
and the conflict number appended to the filename. For server endpoints, the endpoint name is the name of the server. For cloud
endpoints, the endpoint name is Cloud.
.
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-faq
upvoted 3 times

NO NO YES
upvoted 2 times

Correct answer: N-N-Y
upvoted 5 times
  AmrEissa 2 months ago

does this dump enough to pass the exam ?
upvoted 2 times

NO NO YES
upvoted 3 times
Files are not overwritten. So No, No.

For the last one, I think it's No. Why? because when you connect the second share as an endpoint to the same file after an hour, that file is
essentially seen as a cloud file for the Share. This means it will be sync after 24 hours.
I have not done the lab on this but I've seen a lot of people respond: No, No, Yes. So my question is: Did you wait an hour before you
connect the second share(Share2) to an endpoint in the Sync Group? Because if you didn't, of course, it would replicate to Share2. Anyone
who does a lab is encouraged to help out here. I will look to test this if I have time.
The lesson is: be very careful with naming files when using File Shares. Because you end up with many copies of the same documents.
upvoted 2 times

NO NO YES - ( we consider the time line "1 hour", it should be NO.)
The question is " if to replicate or no" else Correct Answer is N N Y
upvoted 2 times

This question was on Jul 23, 2021 - passed the exam. Answers given by zumy is correct
upvoted 3 times

First 2 boxes are NO. There is no file overwriting. Azure keeps both files, but with different names.
Box 3, if we consider the time line "1 hour", it should be NO.
Even though syncing from Share 1 to Sync1 is very quick, files from Azure to On-prem take 24 hours to sync. So syncing from Sync1 to
Share2 will happen 24 hours later.
upvoted 8 times

upvoted 5 times

what was the right answer?
upvoted 1 times
  tkt7744 8 months ago

file1.txt overwritten by file1.txt true right?....even though they renamed the old file
upvoted 1 times

NO NO YES
upvoted 2 times
You have an Azure subscription that contains the storage accounts shown in the following table.
You need to identify which storage account can be converted to zone-redundant storage (ZRS) replication by requesting a live migration from
Azure support.
A. storage1
B. storage2
C. storage3
D. storage4
Correct Answer: B
ZRS currently supports standard general-purpose v2, FileStorage and BlockBlobStorage storage account types.
Incorrect Answers:
A, not C: Live migration is supported only for storage accounts that use LRS replication. If your account uses GRS or RA-GRS, then you need to
first change your account's replication type to LRS before proceeding. This intermediary step removes the secondary endpoint provided by
GRS/RA-GRS.
Also, only standard storage account types support live migration. Premium storage accounts must be migrated manually.
D: ZRS currently supports standard general-purpose v2, FileStorage and BlockBlobStorage storage account types.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-zrs
  diligent176 Highly Voted  1 year, 1 month ago

This is one of those ridiculous questions that would imply we should memorize the 50 different combinations of storage type, replication
type, versus live migration support. Useless info to keep in your head, why would they test for this. The support rules around live
migration support are horrendous. Bleh.
upvoted 113 times
  balflearchen 1 year, 1 month ago

Complain here is useless. And from your point of view, all certificate exams should be ridiculous.
Back to the question, answer B is correct.
"Live migration is supported only for storage accounts that use LRS or GRS replication. If your account uses RA-GRS, then you need to
first change your account's replication type to either LRS or GRS before proceeding. This intermediary step removes the secondary
read-only endpoint provided by RA-GRS before migration."
"ZRS supports general-purpose v2 accounts only"
upvoted 41 times

Most certificate exams *are* ridiculous. Hardly an extreme take.
upvoted 15 times

I agree. Most Azure certification exams are ridiculous.
upvoted 9 times

Exactly. It's like a memory exercise. Totally pointless. Because you easily google it in a work environment. Even the expert will have to
google this stuff.
upvoted 7 times
  Freeze 1 month, 3 weeks ago

They should just allow google search in the exams since that is what we'll have to do in a work situation anyways, win-win for all
employer, employee, microsoft, pearson etc :D
upvoted 3 times

That's what I hate the most, I'm not studying literature for god sake!!
upvoted 6 times

100% agree
upvoted 2 times

Answer is correct. It is storage2.
The key to the answer in this question is "Live migration"
- You can do Live migration to ZRS from LRS or GRS only.
- Also this only applies on General Purpose v2 storage.
upvoted 73 times
  nidhogg Most Recent  2 weeks, 2 days ago

upvoted 4 times

upvoted 4 times
  FTAZIT 3 weeks ago

Just gotta learn it and get the bag.
upvoted 2 times

Correct answer: B
upvoted 8 times

upvoted 7 times

I'm glad I've had to get to see this in practice as it prepares not just for the exam but also helps refresh the memory, putting me in a work
environment mode. Although, it's just a memory exercise. You can just Google. But if you know it, it makes you a little more of an expert.
Let's go
upvoted 3 times

This question was on Jul 23, 2021 - passed the exam. Answer is B
upvoted 3 times

upvoted 3 times
  CLagnuts 7 months, 3 weeks ago

What did you put for the answer ?
upvoted 2 times

Back to the question, answer B is correct.
upvoted 2 times

Answer B is correct!
https://docs.microsoft.com/en-us/azure/storage/common/redundancy-migration?tabs=portal#request-a-live-migration-to-zrs-gzrs-or-ra-
gzrs
(see 3rd section...)
upvoted 1 times

B is correct!
- You can do Live migration to ZRS from LRS or GRS only.
- Also this only applies on General Purpose v2 storage.
upvoted 2 times
  vamshidhara 9 months ago

If you need to migrate your storage account from LRS to ZRS in the primary region with no application downtime, you can request a live
migration from Microsoft. To migrate from LRS to GZRS or RA-GZRS, first switch to GRS or RA-GRS and then request a live migration.
Similarly, you can request a live migration from GRS or RA-GRS to GZRS or RA-GZRS. To migrate from GRS or RA-GRS to ZRS, first switch to
LRS, then request a live migration.
upvoted 1 times

Correct Answer:
Live migration is supported only for storage accounts that use LRS or GRS replication. If your account uses RA-GRS, then you need to first
change your account's replication type to either LRS or GRS before proceeding. This intermediary step removes the secondary read-only
endpoint provided by RA-GRS before migration. ZRS supports general-purpose v2 accounts only.
A: Incorrect - General purpose v1.

B: Correct - General purpose v2 + LRS.
C: Incorrect - RA-GRS needs to be converted to LRS before Live migration request to ZRS.
D: Incorrect - Only premium blob blocks are supported by ZRS.
Reference:
https://docs.microsoft.com/en-us/learn/modules/provide-disaster-recovery-replicate-storage-data/2-evaluate-data-redundancy-options
upvoted 28 times
  director47 10 months, 3 weeks ago

As explained only Standard is supported for live not premium. Those would be manual.
upvoted 5 times

Answer is correct
upvoted 2 times
You have an Azure subscription that contains a storage account named account1.
You plan to upload the disk files of a virtual machine to account1 from your on-premises network. The on-premises network uses a public IP
address space of
131.107.1.0/24.
You plan to use the disk files to provision an Azure virtual machine named VM1. VM1 will be attached to a virtual network named VNet1. VNet1
uses an IP address space of 192.168.0.0/24.
You need to configure account1 to meet the following requirements:
✑ Ensure that you can upload the disk files to account1.
✑ Ensure that you can attach the disks to VM1.
✑ Prevent all other access to account1.
Which two actions should you perform? Each correct answer presents part of the solution.
A. From the Networking blade of account1, select Selected networks.
B. From the Networking blade of account1, select Allow trusted Microsoft services to access this storage account.
C. From the Networking blade of account1, add the 131.107.1.0/24 IP address range.
D. From the Networking blade of account1, add VNet1.
E. From the Service endpoints blade of VNet1, add a service endpoint.
Correct Answer: AE
A: By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change
the default action.
Azure portal -
1. Navigate to the storage account you want to secure.
2. Click on the settings menu called Firewalls and virtual networks.
3. To deny access by default, choose to allow access from 'Selected networks'. To allow traffic from all networks, choose to allow access from
'All networks'.
4. Click Save to apply your changes.
E: Grant access from a Virtual Network
Storage accounts can be configured to allow access only from specific Azure Virtual Networks.
By enabling a Service Endpoint for Azure Storage within the Virtual Network, traffic is ensured an optimal route to the Azure Storage service.
The identities of the virtual network and the subnet are also transmitted with each request.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security

AC (81%) Other
  chinnu_07 Highly Voted  2 months, 1 week ago

A,C IS THE CORRECT ANSWER
upvoted 10 times
  AZ_Guru_Wannabe Most Recent  1 week, 1 day ago

Selected Answer: AC
A, C, E
We all agree on A and C. But I think E is also needed.

upvoted 1 times
  Tukarammane 1 week, 1 day ago

Selected Answer: AC
Answer A & C
upvoted 2 times
  LuchianoTz 2 weeks, 6 days ago
Answer A & C
A to block access from all entities including the VNET
C is to allow access from the on-premise network/Internet IP
Go through the link below

https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal
On the MANAGING IP NETWORK RULES

upvoted 3 times

C&D would block access to everything except the OnPrem Vnet and VM1's Vnet, no?
upvoted 1 times
  FTAZIT 3 weeks ago

I understand why its A and C but I think E should be answer choice as well. E: You can establish a private end point connection between
the vNET and the storage account thus making sure the virtual network has only access to the storage account. "C" wouldn't be possible
without "A".
upvoted 1 times
  lateralus 1 month, 1 week ago

The way I see it is that we need to attach the disk (page blob) to our existing VM. According to this link, https://docs.microsoft.com/en-
us/azure/storage/common/storage-network-security?tabs=azure-portal#scenarios, "Virtual machine disk traffic (including mount and
unmount operations, and disk IO) is not affected by network rules". And that is why we only need to ensure the on-prem to Azure Storage
connectivity.
If we were making Rest api calls from the VM to access some data on the storage then we need to care about vnet restriction/service
endpoint (this will allow traffic coming from the vnet to be recognized from the PaaS public endpoint, although still coming via the
Internet)
Correct answers: A & C
upvoted 2 times
  EleChie 1 month, 1 week ago

I see all say that A & C correct - but still is that correct ? let see
- A: select Selected networks - Ok which networks ? not clear enough/complete though it's correct, BUT if they mean that Selected
Networks are both subnets 131.107.1.0/24 & 192.168.0.0/24 then answer A will be complete correct answer (as C & D)
- C: If we add 131.107.1.0/24 subnet address (This will allow on-premises network to access) but that is not enough since we need to add
the VNet1 subnet or IP address (192.168.0.0/24) as well ? or what do you think ?
So I see answer A as C&D together and then we need to have a service endpoint (Microsoft.Storage) as to meet requirements in the
question "Prevent all other access to account1." which is answer E.
[A virtual network service endpoint provides the identity of your virtual network to the Azure service. Once you enable service endpoints in
your virtual network, you can add a virtual network rule to secure the Azure service resources to your virtual network.]
upvoted 1 times

So the correct answer should be A & E
Reference:
Answer A
https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#configuring-access-from-on-
premises-networks
Answer E
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview#secure-azure-services-to-virtual-
networks
upvoted 1 times
  yangxs 1 month, 1 week ago

Selected Answer: CE
VM gets access because "Allow Azure services on the trusted services list to access this storage account." is selected by default. Nothing
need to be done for it. So A, D is NOT needed.
C E are correct answer
upvoted 2 times

Selected Answer: AC
service endpoint makes ur service available to other services in the network
upvoted 2 times

A and C, for sure. But also Vnet1 would also need to be added as a selected network, so D would be good also. But the question is which
are the "two" actions, so... kind of confused :-(
upvoted 1 times

It is a public IP address. The VNET just need to have access outside
upvoted 1 times

Selected Answer: CD
C,D
YOu have to add Vnet
upvoted 2 times

You have to add Vnet1 too
upvoted 1 times

I think you are correct.
C&D imply that we have in fact clicked on "Selected Network" and therefore adding both VNets (Azure's & On-prem) do in fact fulfill
the requirements:
✑ Ensure that you can upload the disk files to account1 (from on-prem vnet).
✑ Ensure that you can attach the disks to VM1 (by adding VM1 Vnetwork).
✑ Prevent all other access to account1. (only selected / entered VNets can connect)
upvoted 1 times
  ShivaUdari 1 month, 3 weeks ago

Selected Answer: AC
We can add IP range as exclusion.
upvoted 1 times

What about Vnet1 from which VM attaches disk?
upvoted 1 times
  Freeze 1 month, 3 weeks ago

Selected Answer: AC
A and C
upvoted 3 times

Selected Answer: AC
A and C is correct.
upvoted 2 times

Selected Answer: AC
A and C is correct.
upvoted 3 times
  estornudo 1 month, 4 weeks ago

Selected Answer: AC
Id say A, C
upvoted 3 times
DRAG DROP -
You have an on-premises file server named Server1 that runs Windows Server 2016.
You have an Azure subscription that contains an Azure file share.
You deploy an Azure File Sync Storage Sync Service, and you create a sync group.
You need to synchronize files from Server1 to Azure.
Select and Place:
Correct Answer:
Step 1: Install the Azure File Sync agent on Server1

Step 2: Register Server1.
Registering your Windows Server with a Storage Sync Service establishes a trust relationship between your server (or cluster) and the Storage
Sync Service.
Step 3: Add a server endpoint -

Create a sync group and a cloud endpoint.
A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept in sync with each other. A sync group must
contain one cloud endpoint, which represents an Azure file share and one or more server endpoints. A server endpoint represents a path on
registered server.
Reference:

Correct Answer:
Step 1: Install the Azure File Sync agent on Server1

Step 2: Register Server1

Registering your Windows Server with a Storage Sync Service establishes a trust relationship between your server (or cluster) and the
Storage Sync Service.
Step 3: Add a server endpoint

A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept in sync with each other. A sync group
must contain one cloud endpoint, which represents an Azure file share and one or more server endpoints. A server endpoint represents a
path on registered server.
Reference:
upvoted 62 times

Answer is correct
upvoted 29 times

had this question on 05/Feb/22 exam but require to select 4 step
please read thru and make sure your understand the questions...many of questions just revised the a little wordings in exam
upvoted 3 times

upvoted 2 times

upvoted 4 times

upvoted 1 times

upvoted 5 times

In Exam 21/08/2021
upvoted 3 times

It's a poorly designed question. What they are trying to establish here is if you are familiar with Azure File Sync service. Answer is correct
upvoted 3 times

correct, https://docs.microsoft.com/en-us/learn/modules/extend-share-capacity-with-azure-file-sync/7-set-up-azure-file-sync-windows-
server
upvoted 1 times

upvoted 6 times

Thanks for help us out
upvoted 1 times

upvoted 5 times

1. install
2. register
3. add
upvoted 2 times
  oriduri 9 months, 4 weeks ago

Answer is correct
upvoted 1 times
  Bharadhi 10 months ago

Answer is correct
upvoted 1 times

Answer is correct
upvoted 1 times

Given Answer is correct
upvoted 1 times
HOTSPOT -
You plan to create an Azure Storage account in the Azure region of East US 2.
You need to create a storage account that meets the following requirements:
✑ Replicates synchronously.
✑ Remains available if a single data center in the region fails.
How should you configure the storage account? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: Zone-redundant storage (ZRS)

Zone-redundant storage (ZRS) replicates your data synchronously across three storage clusters in a single region.
LRS would not remain available if a data center in the region fails
GRS and RA GRS use asynchronous replication.
Box 2: StorageV2 (general purpose V2)
ZRS only support GPv2.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy https://docs.microsoft.com/en-
us/azure/storage/common/storage-redundancy-zrs

Correct Answer:
Box 1: Zone-redundant storage (ZRS)

Zone-redundant storage (ZRS) replicates your data synchronously across three storage clusters in a single Region.
GRS protects against Zone failure, while ZRS protects against data center failure.
LRS would not remain available if a data center in the region fails.
Box 2: StorageV2 (general purpose V2)

ZRS only support GPv2.
Reference:
upvoted 48 times

>ZRS only support GPv2.
ZRS also support Premium Block Blobs an Premium file shares
upvoted 3 times
  MicroJ Highly Voted  1 year, 2 months ago

Answer describes ZRS being correct but marks GRS. From reading the description is seems like ZRS is the correct answer.
upvoted 35 times

Seems rectified now. It is showing ZRS selected as well in answer description below.
upvoted 3 times
  JohnAvlakiotis 1 year, 2 months ago

True. ZRS is correct.
upvoted 12 times

The thing is that ZRG is not Geo-redundant. it merely works within a single region.
upvoted 3 times

...and what is your point about this?
upvoted 2 times

ZRS means Zone Redundant, the only think to Introduce a G here, is if was asked about "Region Failover"
Whenever you hear a "Datacenter"; It is Z over there
upvoted 1 times
  Kamex009 Most Recent  5 months, 4 weeks ago

upvoted 4 times

In Exam 21/08/2021
upvoted 2 times

Obvious answer. Although, Microsoft doesn't use the other Storage types anymore from what I know.
StorageV2_LRS had to be the only option

upvoted 1 times

Typo correction. Answer is StorageV2_ZRS
upvoted 1 times

in exam 30 July
21
upvoted 5 times

Correct.
Just remind that ZRS is started to be available on prenium block blobs also
upvoted 2 times

upvoted 6 times

ZRS + StoregeV2
upvoted 4 times
  HTD 8 months, 3 weeks ago

Zone-redundant storage (ZRS) replicates your data synchronously across three storage clusters in a single region.
LRS would not remain available if a data center in the region fails
ZRS only support GPv2

upvoted 3 times

zrs and v2
upvoted 1 times

ZRS - If single data center fails we would go for it.
GRS- this is for failure
so the answer would be
ZRS
storage V2
upvoted 3 times
  ms70743 10 months, 4 weeks ago

ZRS
V2
upvoted 6 times
  beupy 11 months ago

Agreed that it's ZRS, but why all chose V2 since ZRS supports any of V2, BlockBlob & File ?
upvoted 1 times
  thowell 10 months, 4 weeks ago

Yes, ZRS supports V2, BlockBlob and File storage. But it DOESN'T support Blob or V1 storage - which are the other 2 options. So
StorageV2 is the right answer.
upvoted 4 times
  incubutus 11 months, 1 week ago

In the question, it didn't as for redundancy over geo-locations. It asked if a data centre goes down. So ZRS is ideal "Zone-redundant
storage (ZRS) copies your data synchronously across three Azure availability zones in the primary region. For applications requiring high
availability, Microsoft recommends using ZRS in the primary region, and also replicating to a secondary region." For the account type, it
must be Storage V2 as it is the only one supported on ZRS.
upvoted 3 times

ZRS
Storage v2
upvoted 3 times

Replication : ZRS ( Same Region but data avail in different(Zones) Locations)
Account Type : Storage V2
upvoted 4 times
You plan to use the Azure Import/Export service to copy files to a storage account.
Which two files should you create before you prepare the drives for the import job? Each correct answer presents part of the solution.
A. an XML manifest file
B. a dataset CSV file
C. a JSON configuration file
D. a PowerShell PS1 file
E. a driveset CSV file
Correct Answer: BE
B: Modify the dataset.csv file in the root folder where the tool resides. Depending on whether you want to import a file or folder or both, add
entries in the dataset.csv file
E: Modify the driveset.csv file in the root folder where the tool resides.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-data-to-files

Correct Answer: B and E
Modify the dataset.csv file in the root folder where the tool resides. Depending on whether you want to import a file or folder or both, add
entries in the dataset.csv file
Modify the driveset.csv file in the root folder where the tool is.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-data-to-files
upvoted 52 times

Good Info
upvoted 2 times
  PPSHREE_123 7 months, 3 weeks ago

I find mlantonis's answers are correct and most reliable
upvoted 6 times
  Lobe Highly Voted  1 year, 2 months ago

It should be B and E. Explanation is right though
upvoted 51 times

Trust mlantonis
upvoted 1 times

Great. Something else that wasn't described in as much details during the paid training provided by Microsoft. Thank you ExamTopics.
upvoted 1 times

I see this specifically for Azure Files and not Azure Blob. So the questions are not clear, to be honest.
Import Blob : https://docs.microsoft.com/en-us/azure/import-export/storage-import-export-data-to-blobs?tabs=azure-portal-

preview#step-1-prepare-the-drives
Import Files: https://docs.microsoft.com/en-us/azure/import-export/storage-import-export-data-to-files?tabs=azure-portal-preview

upvoted 1 times

Okay, it says to copy files. Yeah, A & E.
upvoted 1 times

Dataset csv file and driveset csv
upvoted 4 times

upvoted 1 times

upvoted 3 times

Answer is correct.
"Dataset CSV file is the value of /dataset flag is a CSV file that contains a list of directories and/or a list of files to be copied to target
drives."
"Dataset CSV file is the value of /dataset flag is a CSV file that contains a list of directories and/or a list of files to be copied to target
drives."
Microsoft Doc
https://docs.microsoft.com/en-us/previous-versions/azure/storage/common/storage-import-export-tool-preparing-hard-drives-import
upvoted 4 times

B & E.
upvoted 1 times

Correct Answer is B & E
https://docs.microsoft.com/en-us/azure/import-export/storage-import-export-data-to-files?tabs=azure-portal
upvoted 3 times

upvoted 3 times
  JohnnyS20 3 months, 2 weeks ago

This guy's a bot. He just pastes the same comment on every question.
upvoted 1 times

The link provides a clear explanation of the answer :)
upvoted 1 times

Maybe you should work it out form the comments :)
upvoted 1 times

B and E
upvoted 2 times
  Skilled_Hawkeye 9 months, 2 weeks ago

Correct answer on exam topics AZ-103. Its B and E.
upvoted 1 times

B and E is correct
upvoted 2 times

It would be B and E
upvoted 1 times
  Nihar258255 10 months, 1 week ago

Dear God please help exam topics to correct there answers.
upvoted 14 times
You have a Recovery Service vault that you use to test backups. The test backups contain two protected virtual machines.
You need to delete the Recovery Services vault.
A. From the Recovery Service vault, delete the backup data.
B. Modify the disaster recovery properties of each virtual machine.
C. Modify the locks of each virtual machine.
D. From the Recovery Service vault, stop the backup of each backup item.
Correct Answer: D
You can't delete a Recovery Services vault if it is registered to a server and holds backup data. If you try to delete a vault, but can't, the vault is
still configured to receive backup data.
Remove vault dependencies and delete vault
In the vault dashboard menu, scroll down to the Protected Items section, and click Backup Items. In this menu, you can stop and delete Azure
File Servers, SQL
Servers in Azure VM, and Azure virtual machines.
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault

D (100%)

Correct Answer: D
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault#delete-protected-items-in-the-cloud
upvoted 40 times
  tuta Highly Voted  1 year, 2 months ago

correct
upvoted 23 times
  ulranmal Most Recent  2 months, 2 weeks ago

Selected Answer: D
Correct Answer is D
upvoted 1 times
  sachin007 3 months ago

Selected Answer: D
Need to stop backing up first
upvoted 2 times

upvoted 3 times

Took the exam today on 17 Oct. This question came out. Ans: D
upvoted 3 times

First, you have to stop the backup
Then unlock & shut down/deallocate the machine.
Then delete the Group
Think: CI/CD & training environment.

One of the purposes of grouping resources is to facilitate the deletion of resources.
Answer is correct.
upvoted 7 times
  thorppp 6 months, 3 weeks ago

correct
upvoted 1 times

First action is D, only then you can do A.
upvoted 4 times
  McRowdy 8 months, 1 week ago

The key statement here is "what should you do FIRST?". Answer is "D". Reason why "A" is not correct is because that is the second action.
(Trick question)
upvoted 2 times

D is correct!
upvoted 2 times

In an earlier question to remove a RG with a RSV in it the Consensus was to delete the backup data instead of stopping the backup. Here it
is stopping the backup data. Confusing... I think the answer here is correct.
upvoted 3 times
  theOldOne 4 months, 1 week ago

This answer is correct. This was also the correct answer on the other question. See the comment I posted there.
upvoted 1 times
  Govindaraj 8 months, 2 weeks ago

Correct Answer - "DFrom the Recovery Service vault, stop the backup of each backup item."
You can't delete service that contains protected data sources (for example, IaaS VMs, SQL databases, Azure file shares).
Reference :
https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault#before-you-start
upvoted 2 times

D is correct
upvoted 1 times
  cmong2005 9 months, 2 weeks ago

correct, you need to stop the backup service 1st, then delete the backup data.after that you can delete the vault
upvoted 3 times
  Dips88 9 months, 3 weeks ago

I think it should be 'A'. To complete recovery service deletion it definitely needs to stop all back ups and then delete back ups. In the
question it is never mentioned that backup is still on and moreover it contains two back ups. So for immediate deletion back up has to be
deleted.
upvoted 5 times

Its useless to delete backup data if data is continously being backed up. Think about it
upvoted 6 times
  AAKC 9 months, 3 weeks ago

Little confuse on this one. It says protected VMs. So we need to modify the lock first right?
upvoted 1 times
  AAKC 9 months, 3 weeks ago

sorry never mind. I got it
upvoted 2 times
HOTSPOT -
You have an Azure subscription named Subscription1 that contains the resources shown in the following table.
In storage1, you create a blob container named blob1 and a file share named share1.
Which resources can be backed up to Vault1 and Vault2? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: VM1 only -

VM1 is in the same region as Vault1.
File1 is not in the same region as Vautl1.
SQL is not in the same region as Vault1.
Blobs cannot be backup up to service vaults.
Note: To create a vault to protect virtual machines, the vault must be in the same region as the virtual machines.
Box 2: Share1 only.
Storage1 is in the same region (West USA) as Vault2. Share1 is in Storage1.
Note: After you select Backup, the Backup pane opens and prompts you to select a storage account from a list of discovered supported storage
accounts. They're either associated with this vault or present in the same region as the vault, but not yet associated to any Recovery Services
vault.
Reference:
https://docs.microsoft.com/bs-cyrl-ba/azure/backup/backup-create-rs-vault https://docs.microsoft.com/en-us/azure/backup/backup-afs

Correct Answer:
Box 1: VM1 only

VM1 is in the same region as Vault1. File1 is not in the same region as Vautl1. SQL is not in the same region as Vault1. Blobs cannot be
backup up to service vaults.
Note: To create a Vault to protect VMs, the Vault must be in the same Region as the VMs.
Box 2: Share1 only

Storage1 is in the same region as Vault2. Share1 is in Storage1.
Note: Only VM and Fileshare is allowed to Backup.
Reference:
https://docs.microsoft.com/bs-cyrl-ba/azure/backup/backup-create-rs-vault
https://docs.microsoft.com/en-us/azure/backup/backup-afs
https://feedback.azure.com/forums/217298-storage/suggestions/37096837-possibility-to-backup-blob-data-in-the-recovery-se
upvoted 82 times

good talk
upvoted 3 times

Answer looks correct it is only share1 within storage1 that can be backed up as you can't back up blobs
See: https://feedback.azure.com/forums/217298-storage/suggestions/37096837-possibility-to-backup-blob-data-in-the-recovery-se
upvoted 29 times
  FitObelix 8 months, 1 week ago

it says nothing about blobs, it talks about a blob container
upvoted 1 times

Answer is correct. Storage1 is not valid because it contains a Blob inside, so only Share1 can be backup.
upvoted 9 times

upvoted 3 times

VM Only
Share Only
upvoted 1 times

Correct answer:
Box1: VM1 only
Box2: Share1 only
upvoted 5 times
  ChrisCheck 3 months ago

Was in exam on 15/11/21
upvoted 3 times

This is what we used to be able to backup by using Azure Backup service:
On-premises
Azure VMs
Azure Files shares
SQL Server in Azure VMs
SAP HANA databases in Azure VMs
And this is what it supports now:

https://docs.microsoft.com/en-us/azure/backup/backup-overview#what-can-i-back-up
On-premises
Azure VMs
Azure Managed Disks
Azure Files shares

SQL Server in Azure VMs
SAP HANA databases in Azure VMs
Azure Database for PostgreSQL servers (preview)
Azure Blobs
Even though it now supports backup for Azure Blobs, the operational backup of blobs is a local backup solution, so the backup data isn't
transferred to the Backup vault, but is stored in the source storage account itself.
https://docs.microsoft.com/en-us/azure/backup/blob-backup-overview#how-operational-backup-works
The questions asks: Which resources can be backed up to Vault1 and Vault2?
Since backup for Azure Blobs are not transferred to Backup vault, the right answers are:
VM1 only
Share1 only
upvoted 5 times
  Greg_M 2 months, 2 weeks ago

Very thorough explanation, thanks @Bere
upvoted 1 times

Took the exam today on 17 Oct. This question came out. Ans:
Box 1: VM1 only
Box 2: Share 1 only
upvoted 2 times
  zvasanth2 6 months ago

the first difference between an Azure Recovery Services Vault (ARSV) and an Azure Backup Vault (ABV) is are the available data sources of
each vault.
Blob backup is supported by Azure Backup not a Recovery service vault
https://docs.microsoft.com/en-us/answers/questions/405915/what-is-difference-between-recovery-services-
vault.html#:~:text=the%20first%20difference%20between%20an,available%20datasources%20of%20each%20vault.&text=The%20second
%20difference%20is%3A%20In,for%20Azure%20Backup%20data%20only.
upvoted 3 times

Think like Microsoft: Why back up to a different region if they can offer you (RA-/)GRS? or (RA-)ZRS.
That leaves you to only remember that Azure does not back up blobs - Use snapshots instead.
Now it's no longer a memory exercise, you have a strategy to get to the answer.
Answer is correct
upvoted 2 times

Answer Vm1 only and share only - Storage1 is not valid because it contains a Blob inside, so only Share1 can be backup.
upvoted 1 times

This question was on Jul 23, 2021 - passed the exam. Answers given by mlantonis in this dump are correct.
upvoted 3 times

upvoted 3 times

1. VM1 only
2. share1 only
upvoted 2 times
  longtech 9 months, 1 week ago

The second answer is wrong. The Recovery Services vault is back up in the same region, in the storage 1 (blob and share) so the answer is
blob and share only
upvoted 1 times

I disagree. If you go thru github az 104 lab, the option in the backup goal that is related to the question is File Share. No blob
upvoted 1 times

verified from provided articles. answer is correct.
upvoted 1 times
  Sanin 9 months, 2 weeks ago

All vaults must be with in the same Region as the Resources that are being backed up
upvoted 3 times

You have 5 TB of data that you need to transfer to Subscription1.
You plan to use an Azure Import/Export job.
What can you use as the destination of the imported data?
A. a virtual machine
B. an Azure Cosmos DB database
C. Azure File Storage
D. the Azure File Sync Storage Sync Service
Correct Answer: C
Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to
an Azure datacenter.
The maximum size of an Azure Files Resource of a file share is 5 TB.
Note:
There are several versions of this question in the exam. The question has two correct answers:
1. Azure File Storage
2. Azure Blob Storage
The question can have other incorrect answer options, including the following:
✑ Azure Data Lake Store
✑ Azure SQL Database
✑ Azure Data Factory
Reference:

Correct Answer: C
Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives
to an Azure datacenter. This service can also be used to transfer data from Azure Blob storage to disk drives and ship to your on-premises
sites. Data from one or more disk drives can be imported either to Azure Blob storage or Azure Files. The maximum size of an Azure Files
Resource of a file share is 5 TB.
Note: There are several versions of this question in the exam. The question has two correct answers:
or
Reference:
upvoted 57 times
  Rodro13 Highly Voted  1 year, 2 months ago

Correct
upvoted 17 times

On exam 01.02.22
Answer: C
upvoted 1 times

upvoted 2 times

- Definitely not to a VM.

- Cosmos DB is a database for big data so it's not that either.
- What is Azure file Sync Storage Sync Svce? Never heard of it
Only 2 services supported are Azure File & Blobs.

Answer is correct. You can import the files to Azure File.
Note: Did you notice how Azure considers "importing" your exporting to them? It should be called exporting, shouldn't it?
Thank you
upvoted 1 times

C is correct!
upvoted 2 times
  Raj_Rock 8 months, 2 weeks ago

If answer is correct then why spamming the discussion forum. This forum is to be used when there is any discrepancy or any mistake in
the answer.
upvoted 5 times
  V1980 6 months ago

Also, it is pretty common for the given answer to be incorrect so the comments are affirmation.
upvoted 1 times
  V1980 6 months ago

You haven't been here long, have you? If it wasn't necessary to say it is correct, the only comments you would see are 'this is wrong!' so
then you must feel the answer is indeed wrong because nobody says it is correct.
These comments are a LIFESAVER, pls don't abuse their generosity to you.
upvoted 1 times

Confirmed from the provided url , answer is correct.
upvoted 1 times

This is Azure File Storage
upvoted 4 times

Azure file storage is the correct answer
upvoted 1 times

C. Is correct!
upvoted 1 times

C. is correct
upvoted 1 times
  waterzhong 1 year, 1 month ago

The WAImportExport tool is available in two versions, version 1 and 2. We recommend that you use:
Version 1 for import/export into Azure Blob storage.

Version 2 for importing data into Azure files.
upvoted 4 times

sites. Data from one or more disk drives can be imported either to Azure Blob storage or Azure Files.
upvoted 3 times
  sicmundus 1 year, 1 month ago

Qn. came on 12/21/2020
upvoted 5 times

Answer is correct
upvoted 13 times
HOTSPOT -
You create the Azure Storage account shown in the following exhibit.
Hot Area:
Correct Answer:
Box 1: 3 -
Locally Redundant Storage (LRS) provides highly durable and available storage within a single location (sub region). We maintain an equivalent
of 3 copies
(replicas) of your data within the primary location as described in our SOSP paper; this ensures that we can recover from common failures
(disk, node, rack) without impacting your storage account‫ג‬€™s availability and durability.
Box 2: Access tier -

Change the access tier from Hot to Cool.
Note: Azure storage offers different access tiers, which allow you to store blob object data in the most cost-effective manner. The available
access tiers include:
Hot - Optimized for storing data that is accessed frequently.
Cool - Optimized for storing data that is infrequently accessed and stored for at least 30 days.
Archive - Optimized for storing data that is rarely accessed and stored for at least 180 days with flexible latency requirements (on the order of
hours).
Reference:
https://azure.microsoft.com/en-us/blog/data-series-introducing-locally-redundant-storage-for-windows-azure-storage/

Both of them are correct.
- LRS has 3 copies of data

- Access tier has the "cool" option to store infrequently accessed data.
upvoted 17 times

Answer is Correct:
in LRS: "Three" Copies in "Three" Racks in a "Single" Datacenter
in ZRS: "Three" Copies in "Three" Datacenters in a "Single" Region
Ref:
ttps://docs.microsoft.com/en-us/learn/modules/configure-blob-storage/4-create-blob-access-tiers?ns-enrollment-type=LearningPath&ns-
enrollment-id=learn.az-104-manage-storage
upvoted 11 times
  sanbt Most Recent  2 months, 1 week ago

3 and Access tier
upvoted 2 times
You have an Azure Storage account named storage1.

You plan to use AzCopy to copy data to storage1.
You need to identify the storage services in storage1 to which you can copy the data.
Which storage services should you identify?
A. blob, file, table, and queue
B. blob and file only
C. file and table only
D. file only
E. blob, table, and queue only
Correct Answer: B
AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage account.
Incorrect Answers:
A, C, E: AzCopy does not support table and queue storage services.
D: AzCopy supports file storage services, as well as blob storage services.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10
  riclamer Highly Voted  3 months, 3 weeks ago

**** The new version 7.3 version of AZCOPY, now copy Azure Table... So this question maybe was updated in exam Az-104 . Reference -->
https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10#download-azcopy
upvoted 14 times
  LHNing2 1 week, 6 days ago

Version 7.3 is not new, it is old version...
upvoted 1 times
  rrabeya Highly Voted  4 months, 2 weeks ago

Correct Answer B - blob and file only
Azure Import job supports: Azure Blob Storage, and Azure Files storage
Azure Export job supports: Azure Blob Storage
https://docs.microsoft.com/en-us/azure/import-export/storage-import-export-requirements
upvoted 10 times
  boom666 4 months, 2 weeks ago

Why do you refer to Import/Export here? I would refer to documentation about azcopy copy command instead -
https://docs.microsoft.com/en-us/azure/storage/common/storage-ref-azcopy-copy
upvoted 1 times
  imrans Most Recent  2 months, 4 weeks ago

So as per below Microsoft link, latest azcopy version only supports blob and file backup. Older version 7.3 was supporting table. However,
the answer options doesnt give Blob,file and table in any as a option. so Blob and file only could be selected as answer.. Hope this helps..
please suggest if incorrect. Thanks.
upvoted 4 times

upvoted 2 times
  oskirch 3 months ago

And the result? I have the exam tomorrow
upvoted 1 times
  marion192 3 months ago

Hi Chrism, is it the correct answer? What about the rest of the questions - are they the same?
upvoted 1 times

B. is correct (Blobs and Files only)
upvoted 4 times
HOTSPOT -
You have an Azure Storage account named storage1 that uses Azure Blob storage and Azure File storage.
You need to use AzCopy to copy data to the blob storage and file storage in storage1.
Which authentication method should you use for each type of storage? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
You can provide authorization credentials by using Azure Active Directory (AD), or by using a Shared Access Signature (SAS) token.
Box 1:
Both Azure Active Directory (AD) and Shared Access Signature (SAS) token are supported for Blob storage.
Box 2:
Only Shared Access Signature (SAS) token is supported for File storage.
Reference:

Correct Answer:
Box 1: Both Azure Active Directory (AD) and Shared Access Signature (SAS) token are supported for Blob storage.
Box 2: Only Shared Access Signature (SAS) token is supported for File storage.
Reference:
upvoted 57 times
  joergsi 2 months ago

Authorize AzCopy
Use this table as a guide:
AUTHORIZE AZCOPY
Storage type Currently supported method of authorization
Blob storage Azure AD & SAS
Blob storage (hierarchical namespace) Azure AD & SAS
File storage SAS only
upvoted 3 times
  waterzhong Highly Voted  1 year, 2 months ago

Authorize AzCopy
AUTHORIZE AZCOPY
upvoted 32 times

On exam 01.02.22
Answer:
Box 1: Both Azure Active Directory (AD) and Shared Access Signature (SAS) token are supported for Blob storage.
Box 2: Only Shared Access Signature (SAS) token is supported for File storage.
upvoted 5 times

by Azure AD, I assume we'll use Managed Identity. right?
upvoted 1 times

1: Azure Active Directory (AD) and Shared Access Signature (SAS) token
2: Only Shared Access Signature (SAS)
https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10#authorize-azcopy
upvoted 1 times

upvoted 4 times
  tbalaji2001 4 months ago

How you get access to last topic questions? whether contributor access required to clear the exam?
upvoted 1 times

Here's my way of thinking to help me remember this:
If you are already syncing files, you do not really need to use AzCopy. And thus, the restrictions.
However, for Blob, because you do not have the same privilege as File Sync, there are less restrictions. As long as you have any of the
secrets, you're good.
Training my memory.
Answer is correct
upvoted 4 times

azcopy copy '<local-file-path>' 'https://<storage-account-name>.file.core.windows.net/<file-share-name>/<file-name><SAS-token>'
replace file with blob where appropriate.

upvoted 1 times

Answers are correct but
conflict with answers question 6, topic 2 (https://www.examtopics.com/exams/microsoft/az-104/view/6/)
upvoted 1 times

upvoted 2 times
  anurag4516 7 months ago

Why not access key
upvoted 2 times

upvoted 4 times

AUTHORIZE AZCOPY
upvoted 2 times

Verified from provided url answer is correct
upvoted 1 times
  Chief 9 months, 3 weeks ago

Authorize AzCopy

Authorize AzCopy
upvoted 3 times

Correct.
https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10#authorize-azcopy
upvoted 2 times

Azcopy can also use access key to access storage account:
https://microsoft.github.io/AzureTipsAndTricks/blog/tip81.html
upvoted 1 times

why not access key? access key is at storage account level, it can grant full access to both Blob and File share
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage
upvoted 2 times
  ScreamingHand 8 months, 1 week ago

We're specifically discussing AZCopy here
upvoted 1 times
You have an Azure subscription that contains an Azure Storage account.

You plan to create an Azure container instance named container1 that will use a Docker image named Image1. Image1 contains a Microsoft SQL
Server instance that requires persistent storage.
You need to configure a storage service for Container1.
A. Azure Files
B. Azure Blob storage
C. Azure Queue storage
D. Azure Table storage
Correct Answer: D

A (94%) 6%

Correct answer should be Azure Files
upvoted 102 times
  abu3lia 1 year, 2 months ago

Correct, here is the proof: https://azure.microsoft.com/en-us/blog/persistent-docker-volumes-with-azure-file-storage/
upvoted 23 times

I agree, Here's another link if you're still skeptical
https://docs.microsoft.com/en-us/azure/aks/concepts-storage#persistent-volumes
upvoted 5 times
  wooyourdaddy 1 year, 2 months ago

Where did you validate this from ?
upvoted 1 times
  RoastChicken 7 months ago

Azure table is unstructured data. Answer should be Azure Files.
upvoted 3 times
  ngamabe 6 months, 2 weeks ago

I agree
upvoted 1 times
  JimBobSquare101 7 months ago

I would also consider the answer to be A: Files
Reason being the word persistent in the question....
upvoted 1 times

Answer is not Correct. It should be A "Azure Files"
Azure files are used as persistent disks for docker images. It doesn't matter the type of the image or its functionality.
upvoted 66 times
  Redimido Most Recent  3 weeks, 3 days ago

A: Azure Files - this is how it's done - https://www.sqlshack.com/store-sql-server-files-in-persistent-storage-for-azure-container-instances/
upvoted 1 times

Selected Answer: A
upvoted 1 times
  madshark 3 weeks, 6 days ago

Selected Answer: A
I believe the answer is A as Azure file shares can be used as persistent volumes for stateful containers
upvoted 2 times
  alex_06 1 month ago

Selected Answer: A
https://docs.microsoft.com/en-us/azure/container-instances/container-instances-volume-azure-files
upvoted 1 times

Selected Answer: A
Correct answer should be Azure Files
upvoted 1 times
  shajee 1 month, 1 week ago

Selected Answer: A
upvoted 1 times
  CellCS 1 month, 1 week ago

D is correct answer. Microsoft SQL Server instance in docker image for persistent storage
upvoted 1 times

answer should be A
upvoted 1 times
  lakpj 2 months ago

Selected Answer: A
Answer should be azure file as they can be mapped as an volume to a container
upvoted 1 times
  alex88andru 2 months ago

Selected Answer: A
Correct is A, Containers comes around only with Azure Files
upvoted 2 times
  tech_curam 2 months, 1 week ago

Selected Answer: A
Azure files
upvoted 1 times

Azure Files - https://azure.microsoft.com/en-us/blog/persistent-docker-volumes-with-azure-file-storage/
upvoted 1 times
  majedidi 2 months, 1 week ago

Selected Answer: A
should be A
upvoted 1 times
  lele300mlg 2 months, 2 weeks ago

Selected Answer: A
Is A here is the info:. https://azure.microsoft.com/en-us/blog/persistent-docker-volumes-with-azure-file-storage
upvoted 1 times
  WJD 2 months, 2 weeks ago

Selected Answer: A
files = persistent docker disks
upvoted 1 times
You have an app named App1 that runs on two Azure virtual machines named VM1 and VM2.
You plan to implement an Azure Availability Set for App1. The solution must ensure that App1 is available during planned maintenance of the
hardware hosting
VM1 and VM2.
What should you include in the Availability Set?
A. one update domain
B. two fault domains
C. one fault domain
D. two update domains
Correct Answer: D
Microsoft updates, which Microsoft refers to as planned maintenance events, sometimes require that VMs be rebooted to complete the update.
To reduce the impact on VMs, the Azure fabric is divided into update domains to ensure that not all VMs are rebooted at the same time.
Incorrect Answers:
A: An update domain is a group of VMs and underlying physical hardware that can be rebooted at the same time.
B, C: A fault domain shares common storage as well as a common power source and network switch. It is used to protect against unplanned
system failure.
References:
https://petri.com/understanding-azure-availability-sets
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-availability-sets

D (100%)

Correct Answer: D
When you create an Availability Set, the hardware in a location is divided into multiple update domains and fault domains.
An update domain is a group of VMs and underlying physical hardware that can be rebooted at the same time.
VMs in the same fault domain share common storage as well as a common power source and network switch.
During scheduled maintenance, only one update domain is updated at any given time. Update domains aren't necessarily updated
sequentially. So, we need two update domains.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/manage-availability
https://docs.microsoft.com/en-us/azure/virtual-machines/maintenance-and-updates
upvoted 64 times

Planned Maintenance "FOR THE HARDWARE ((HOSTING))"
I'm SURE "two fault domains" is the correct answer
upvoted 4 times

"Microsoft updates, which Microsoft refers to as planned maintenance events, sometimes require that VMs be rebooted to complete
the update." Planned maintenance refers to update domains, not fault domains. We need two update domains, answer is D.
upvoted 4 times
  bbhagya12 1 month, 1 week ago

If it is maintinance - Update domain
If it is hardware failed - Fault Domain
Correct Ans is D
upvoted 4 times
  Parsec Highly Voted  1 year, 2 months ago

It's "planned maintenance of the HARDWARE" in the question, not OS or software update. Should be 2 fault domains imho.
upvoted 30 times
  janshal 1 year, 2 months ago

Hi the answer is D:
the Q talk about the hardware hosting VM1 and VM2.
the hardware, meaning the Server containing the VMs (Called Update domain ).
During a Planed maintenance the update domains are shootdown one at a time. so D is ther right answer
upvoted 35 times
  HuseinHasan 1 year, 2 months ago

what will happen if the fault domain crashes, thats why i would go with two fault domains
upvoted 1 times
  sandipk91 6 months ago

your assumption is wrong as they are talkin about planned maintenance
upvoted 2 times
  Alir95 10 months, 1 week ago

The question is specific to "Planned Maint", not outages and redundancy ... D is right.
upvoted 7 times

Selected Answer: D
Correct!
upvoted 1 times

Selected Answer: D
During a maintenance nobody reboots the whole rack (FD) , just the server (UD)
Answer is D
upvoted 1 times

Selected Answer: D
D is correct
upvoted 2 times
  brunomd 2 months, 2 weeks ago

I guess the correct awnser is "two fault domains" (B), because the azure don't allow only 2 update domain, the minimum is 5.
upvoted 1 times
  walkwolf3 3 months, 2 weeks ago

Preferred answer is D
Fault domains protect you from unplanned maintenance events and unexpected downtime.
Update domains protect you from planned maintenance events.
https://www.microsoftpressstore.com/articles/article.aspx?p=3089310&seqNum=2
upvoted 2 times

Correct Answer: D
upvoted 2 times

upvoted 6 times
  itsimranmalik 5 months, 4 weeks ago

D. 2 Update domain is correct
The order of update domains being rebooted may not proceed sequentially during planned maintenance, but only one update domain is
rebooted at a time. A rebooted update domain is given 30 minutes to recover before maintenance is initiated on a different update
domain.
Ref: https://docs.microsoft.com/en-us/azure/virtual-machines/availability-set-overview
upvoted 2 times

In Exam 21/08/2021, thanks to Mlantonis & Fedztedz
upvoted 4 times

DDDDDDDDDDDDD
upvoted 2 times
  kbpn 8 months ago

Two update domains can be inside one fault domain. So in this case of planned hardware Maintainance if a fault domain goes down then
the app becomes unavialble. I think the answer should be 2 fault domains.
upvoted 3 times

i would say D!
upvoted 1 times

Fault is realted to Hardware ..Update is for Pacthing....
upvoted 1 times

For me, the keyword here is "planned", - so I am going for 'D' Update. Faults are not "planned". MS put the word "hardware" in the
question because they're arseholes.
upvoted 9 times

Agree with the A label ;)
upvoted 1 times
  Voravut 8 months, 4 weeks ago

D is correct answer.
I passed exam on 05/24.
80-90 % questions are from this exam. Please read it carefully. Also read in "discussion" in all questions of this website as sometimes they
showed the wrong answer.
Best of luck.
upvoted 9 times
  BennyWang 8 months, 3 weeks ago

Can you share the lab operation questions?
upvoted 1 times
  msidy2020 7 months, 4 weeks ago

I am learning for exam. Do they ask to do practical lab during exam ?
upvoted 1 times

A. an Azure Cosmos DB database
B. Azure Blob storage
C. Azure Data Lake Store
D. the Azure File Sync Storage Sync Service
Correct Answer: B
Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to
an Azure datacenter.
Note:
✑ a virtual machine
Reference:

B (100%)

Correct Answer:
sites. Data from one or more disk drives can be imported either to Azure Blob storage or Azure Files. The maximum size of an Azure Files
Resource of a file share is 5 TB.
or
Reference:
upvoted 26 times
  mkoprivnj Highly Voted  8 months, 1 week ago

B is correct!
upvoted 5 times
  Neftali Most Recent  1 week ago

Selected Answer: B
correct Answer
upvoted 1 times

upvoted 2 times
  Takloy 3 months ago

This can only be an Azure Blob Storage or Azure File Storage.
upvoted 2 times

upvoted 3 times

upvoted 2 times
  Adebowale 6 months, 2 weeks ago

Correct one
upvoted 1 times
  yigido 8 months, 3 weeks ago

dublicated
upvoted 1 times
  Gromble_ziz 7 months, 2 weeks ago

Not duplicated. Just a different version.
2 correct answer possible:
upvoted 3 times

confirmed from provided link answer is correct.
upvoted 2 times
  Manimegha 9 months, 3 weeks ago

Correct
upvoted 1 times
  Alses1970 9 months, 3 weeks ago

Correct
upvoted 2 times

Correct Answer: B
upvoted 2 times
DRAG DROP -
You have an Azure subscription that contains an Azure file share.
You have an on-premises server named Server1 that runs Windows Server 2016.
You plan to set up Azure File Sync between Server1 and the Azure file share.
You need to prepare the subscription for the planned Azure File Sync.
Which two actions should you perform in the Azure subscription? To answer, drag the appropriate actions to the correct targets. Each action may
be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Select and Place:
Correct Answer:
First action: Create a Storage Sync Service

The deployment of Azure File Sync starts with placing a Storage Sync Service resource into a resource group of your selected subscription.
Second action: Install the Azure File Sync agent
The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share.
Reference:
  gujjudesi420 Highly Voted  9 months, 3 weeks ago

I think answer should be Create Storage Sync Service, Create a Sync Group as they are asking for "Which two actions should you perform
in the Azure subscription?"
upvoted 133 times

correct:
Create Azure resources: You need a storage account to contain a file share, a Storage Sync Service, and a sync group. Create the
resources in that order.
upvoted 4 times

Agree with you, its actions on the subscription/azure portal and does not ask for actions on the server
upvoted 4 times
  J4U 6 months, 1 week ago

Yes, that is correct. The steps are given in the URL mlantonis shared.
upvoted 2 times
  mashk19 8 months, 2 weeks ago

Agreed. The question explicitly says which two actions would you perform in the Azure Subscription. You'd install the sync agent on the
on premises server so that would not be a valid choice. And you'd register the server from the server. Which leaves you with only two
choices left. Create a Storage Sync Service. Create a sync group.
upvoted 10 times

Correct Answer:

Second action: Install the Azure File Sync agent

The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share.
1. Prepare Windows Server to use with Azure File Sync

2. Deploy the Storage Sync Service
3. Install the Azure File Sync agent
4. Register Windows Server with Storage Sync Service
5. Create a sync group and a cloud endpoint
6. Create a server endpoint
7. Configure firewall and virtual network settings
Reference:
https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-deployment-guide?tabs=azure-portal%2Cproactive-portal#deploy-the-
storage-sync-service
upvoted 63 times
  augustogcn 1 month ago

Install the Azure File Sync agent is not an action that you can perform in the Azure Subscription. The file Sync agent is installed on your
on-premises server. This question is a tricky one.
upvoted 3 times
  mastchallapalli 1 month, 3 weeks ago

Which two actions you should perform on the azure subscription.So second action must be "Sync group creation" as we intstall agent
on the on-prem srever.please update your answer as many learners following your comments.
upvoted 5 times
  giggsie 2 months, 2 weeks ago

The Steps are correct but the answer is wrong.
Installing the agent is done on the on-prem server and the question stipulates what steps are done in the cloud. Step 2 and 5 are the
correct options here.
upvoted 3 times

But the question talks about actions on the subscription and not on the servers.
so it should be
Second action:Create a sync group
upvoted 18 times
  9InchPianist Most Recent  5 days, 1 hour ago

IF you downloaded the file sync agent from the portal then I would agree that it would be the second step, but you don't, it comes from
the MS download centre, therefore the first and second steps in the portal are:
1. Create a Storage Sync Service
2. Create a Sync Group
If we expand the whole process with WHERE each bit happens we have:
1. Create Storage Sync Service (Portal)
2. Download and install File Sync Agent (MS Download Centre & on-prem server)
3. Register Server (on-prem server)
4. Create sync group and create cloud endpoint (Portal)
5. Create Server Endpoint (Portal)
upvoted 1 times
  HenriKI2 1 month, 1 week ago

Deploy a Storage Sync Service.
Create a sync group.
Install Azure File Sync agent on the server with the full data set.
Register that server and create a server endpoint on the share.
Let sync do the full upload to the Azure file share (cloud endpoint).
After the initial upload is complete, install Azure File Sync agent on each of the remaining servers.
Create new file shares on each of the remaining servers.

Create server endpoints on new file shares with cloud tiering policy, if desired. (This step requires additional storage to be available for the
initial setup.)
Let Azure File Sync agent do a rapid restore of the full namespace without the actual data transfer. After the full namespace sync, sync
engine will fill the local disk space based on the cloud tiering policy for the server endpoint.
Ensure sync completes and test your topology as desired.
Redirect users and applications to this new share.
You can optionally delete any duplicate shares on the servers.
upvoted 3 times

On exam 01.02.22
upvoted 2 times
  AYANtheGLADIATOR 1 month, 1 week ago

you passed if yes, did you study all the questions?
upvoted 1 times
  PlumpyTumbler 1 month, 3 weeks ago

Second action: Create a sync group

A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept in sync with each other. A sync group
must contain one cloud
endpoint, which represents an Azure file share and one or more server endpoints. A server endpoint represents a path on a registered
server. A server can have
server endpoints in multiple sync groups. You can create as many sync groups as you need to appropriately describe your desired sync
topology.
upvoted 2 times

"in the Azure subscription"
It is NOT in Azure 1. Prepare Windows Server to use with Azure File Sync
YES 2. Deploy the Storage Sync Service
It is NOT in Azure 3. Install the Azure File Sync agent
YES 4. Register Windows Server with Storage Sync Service
5. Create a sync group and a cloud endpoint
upvoted 2 times

Small correction
"in the Azure subscription"
It is NOT in Azure 1. Prepare Windows Server to use with Azure File Sync
YES 2. Deploy the Storage Sync Service
It is NOT in Azure 3. Install the Azure File Sync agent
It is NOT in Azure 4. Register Windows Server with Storage Sync Service
YES 5. Create a sync group and a cloud endpoint
https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-deployment-guide?tabs=azure-portal%2Cproactive-portal
upvoted 5 times

upvoted 2 times

Just reiterating gujjudesi420's answer.
1. Create Storage Sync Service

2. Create a Sync Group
Why? The question is, "Which two actions should you perform in the Azure subscription?"
upvoted 4 times
  mshiref87 3 months, 1 week ago

sync files from on-premises to azure file share
**Step 1: Install the Azure File Sync agent on Server1
**Step 2: Register Server1.
Registering your Windows Server with a Storage Sync Service establishes a trust relationship between your server (or cluster) and the
Storage Sync Service.
**Step 3: Add a server endpoint -
upvoted 1 times
  lksilesian 3 months, 2 weeks ago

This question is misleading: Which two actions should you perform ---> in <--- the Azure subscription.
+ Sync Service
- Install the Azure File Sync agent (no! this is done NOT in Azure subscription)
+ Register Server
+ Create Sync Group
upvoted 3 times

upvoted 3 times
  vimi003 4 months ago

Which two actions should you perform in the Azure subscription?
Correct Answer : Create a Storage Sync Service and Create a Sync Group
upvoted 2 times

Seems like a lot of people are getting "On the Subscription" and "On the On Premise Server" mixed up. You do not have an on premise
server kept in your Azure subscription
upvoted 2 times
  azure_104 5 months, 1 week ago

The first step you do is crate storage sync service and then download agent. Notice that you need to download the agent to add a server
before you create a sync group.
Have a look here:
https://youtu.be/nfWLO7F52-s?t=708
upvoted 5 times

Great link you shared here!!! So for sure Server Agent is done before creating the sync group. Now the question is... Does "IN AZURE"
include on-premise or not... As I have been told by an AZ104 instructor at the end of the exam you can provide feedbacks where you
can give explanations if you find questions that are dick questions and perhaps provide full explanation for 1-where only Azure is taken
in consideration and 2-when on-premise is included if IN was really a badly written question) which would show that you fully
understand the topic but couldn't make out if it was a trick question or not. Personally I would go with Azure agent second (with the
point of view of what is Microsoft really trying to verify with the question) as it is how Microsoft describes the whole process in its
documents/courses and add a note at the end of the exam that if IN was meant to be a tricked question to no include on-premise then
the second "in Azure" step would indeed be to create a sync group.
upvoted 1 times

Except it does not ask for actions on the Server side. The question ask for steps on the Subscription side.
upvoted 5 times

Totally, completely wrong.
(correcting an error from my previous post)
In Azure:
- You install the File Sync service.
On-prem
- You download and install the File Sync Agent
- You register the Server(s)
In the cloud:
- Then Create a Sync group. This syncs only to 1 single share. (this process also creates a cloud endpoint)
- Then Add a Server Endpoint. At this stage, you can add as many server endpoints to the Sync group as possible. All these files sync to the
1 file share in the syn group.
So the answer is:

Create a sync service
Create a sync group
100% sure
upvoted 8 times

Totally, completely wrong.
In Azure:
- You install the File Sync Agent.
On-prem
- You download and install the File Sync Agent
- You register the Server(s)
In the cloud:
- Then Create a Sync group. This syncs only to 1 single share. (this process also creates a cloud endpoint)
- Then Add a Server Endpoint. At this stage, you can add as many server endpoints to the Sync group as possible. All these files sync to the
1 file share in the syn group.
So the answer is:

Create a sync service
Create a sync group
100% sure
upvoted 3 times

Please read :
In Azure:
- You install the File Sync *Service.
upvoted 1 times
HOTSPOT -
You have an Azure subscription that contains the file shares shown in the following table.
You have the on-premises file shares shown in the following table.
You create an Azure file sync group named Sync1 and perform the following actions:
✑ Add share1 as the cloud endpoint for Sync1.
✑ Add data1 as a server endpoint for Sync1.
✑ Register Server1 and Server2 to Sync1.
Hot Area:
Correct Answer:
Box 1: No -
Box 2: Yes -
Data2 is located on Server2 which is registered to Sync1.
Box 3: No -
Data3 is located on Server3 which is not registered to Sync1.
Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide?tabs=azure-portal%2Cproactive-portal#create-a-
sync-group-and-a- cloud-endpoint
  cyna58 Highly Voted  9 months, 2 weeks ago

NO - only one cloud endpoint can be added to sync1
YES - Server2 has been registered to Sync1 but data2 is not added to server endpoint. So we can add data2 as additional server endpoint
for Sync1
NO - We have to register Server3 first
upvoted 71 times

Correct
upvoted 1 times
  jecah 9 months, 2 weeks ago

Exactly. We cannot add an endpoint to an unregistered server:
https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-server-endpoint
upvoted 3 times
  tita_tovenaar 7 months, 1 week ago

wrong, server registration is a required step *during* end[oint creation:
https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-server-endpoint
so answer is yes
upvoted 2 times

Correct Answer:
Box 1: No
Box 2: Yes
Data2 is located on Server2 which is registered to Sync1.
Box 3: No
Data3 is located on Server3 which is not registered to Sync1.
Reference:
sync-group-and-a-%20cloud-endpoint
upvoted 50 times

Accurate Info, Thanks
upvoted 1 times

NO
YES
NO
upvoted 1 times
  JESUSBB 2 months, 1 week ago

In the exam today 11/12/2021 ans: N Y N
upvoted 4 times

Oh I misread the question, Server2 is not on Data1;
No
Yes
No
!
upvoted 2 times

No - only one cloud endpoint can be added to sync1
No - A registered server can support multiple server endpoints, however a sync group can only have one server endpoint per registered
server at any given time. Other server endpoints within the sync group must be on different registered servers.. REF:
server-endpoint
No - Data3 is located on Server3 which is not registered to Sync1
:D
upvoted 1 times
Other server endpoints within the sync group must be on different registered servers which means you can not have two endpoints
both from server1, if you have another endpoint from server2 is fine. it's Yes.
upvoted 1 times

(Updating my 2 previous comments - we an edit option)
What they are trying to establish is that you know that before you may a file from a server to a syn group, that sync group, that server
must first be registered.
They're also trying to establish that to 1 file share you can only associate 1 cloud point you and 1 sync group. Where a sync group can
contain multiple server endpoints
All the regions, share3 is just there to get us confused. I guess that helps them to see how well we can remain focus too!
Answer is correct
upvoted 1 times

correction: they also trying to establish that *you know that to 1 file share
upvoted 1 times

*before you may add a file
upvoted 1 times

They're also trying to establish that to 1 file share you can only associate 1 cloud point you and 1 sync group. Where a sync group can
contain multiple server endpoints
All the regions, share3 is just there to get us confused. I guess that helps them to see how well we can remain focus too!
Answer is correct
upvoted 1 times

All the regions, share3 is just there to get su confused. I guess that helps them to see how well we can remain focus too!
Answer is correct
upvoted 1 times

upvoted 3 times

Answer should be N/N/Y in my opinion. Critical to read https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-server-endpoint
carefully.
- a server registration is indeed required, but that is done while creating the endpoint. It is not a separate step upfront, hence answer 3 is
Y
- there are no registered servers without an endpoint, hence server 1 already has an endpoint. We also know that a server can only have
one endpoint to a sync service. So answer 2 should be N
upvoted 1 times

you register servers to sync service and not to the sync group isn't it ? i am confused with the order of tasks described in the question
upvoted 2 times

NO , YES, NO
upvoted 3 times
  Hit_man 8 months, 2 weeks ago

NYN is correct
upvoted 1 times
  Cippunk 9 months ago

Correct, cyna58 is right
upvoted 1 times
n - only can be 1 cloud endpoint

y - server2 is added as node and haven't any shared folder added
n - server 3 isn't added as node
upvoted 2 times

verified answers are nyn
upvoted 1 times
HOTSPOT -
You have an Azure subscription named Subscription1 that contains the resources shown in the following table:
You plan to configure Azure Backup reports for Vault1.

You are configuring the Diagnostics settings for the AzureBackupReports log.
Which storage accounts and which Log Analytics workspaces can you use for the Azure Backup reports of Vault1? To answer, select the
appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: storage1, storage2, and storage3

The location and subscription where this Log Analytics workspace can be created is independent of the location and subscription where your
vaults exist.
Box 2: Analytics3 -
Vault1 and Analytics3 are both in West Europe.
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-configure-reports

storage 3
analytics 1,2 & 3
this is correct as analytics are independent of locations!
upvoted 172 times
  Bapan 5 months ago

This is the correct one.
upvoted 2 times
  Veronika1989 10 months ago

I agree! Tested on my tenant.
upvoted 9 times
  Amju 10 months, 2 weeks ago

its not recommended due to different government policies in US and Europe and thats why only workspace 3 is correct answer.
upvoted 7 times
  Jamie1337 1 month, 4 weeks ago

This is not correct, it asks what is possible not what is recommended. Others have confirmed 1,2,3 is the correct answer.
upvoted 2 times

Here is the proof: https://docs.microsoft.com/en-us/azure/backup/configure-reports#1-create-a-log-analytics-workspace-or-use-an-
existing-one
upvoted 14 times

Confirmed.
Here is a snippet from the link:
"Set up one or more Log Analytics workspaces to store your Backup reporting data. The location and subscription where this Log
Analytics workspace can be created ***is independent of the location and subscription where your vaults exist***."
upvoted 19 times

Thanks for the link. That confirms it
upvoted 2 times
  ngamabe 6 months, 2 weeks ago

Yes, very helpful
upvoted 1 times

Correct Answer:
Storage accounts: Storage 3 only

Storage Account must be in the same Region as the Recovery Services Vault.
Log Analytics workspaces: Analytics1, Analytics2, and Analytics3

Set up one or more Log Analytics workspaces to store your Backup reporting data. The location and subscription where this Log Analytics
workspace can be created is independent of the location and subscription where your Vaults exist.
Reference:
https://docs.microsoft.com/en-us/azure/backup/configure-reports#1-create-a-log-analytics-workspace-or-use-an-existing-one
upvoted 80 times
  aamalik7 2 months, 4 weeks ago

You are the superman!
upvoted 8 times
  Apmgoqi Most Recent  3 days, 18 hours ago

Box 1: storage3 only -
Vault1 and storage3 are both in West Europe.
Box 2: Analytics3 -
Vault1 and Analytics3 are both in West Europe.
References:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-configure-reports
upvoted 2 times

Correct Answer:
workspace can be created is independent of the location and subscription where your Vaults exist. Reference:
upvoted 1 times

storage 3
analytics 1,2 & 3
this is correct as analytics are independent of locations!
upvoted 1 times

In the exam today 11-DEC-2021 Ans: Storage3 and Analytics1,2 and 3
upvoted 6 times
  AmrEissa 2 months ago

does this dump enough for the exam ?
upvoted 1 times

Correct Answer: Reiterating mlantonis answer.

workspace can be created is independent of the location and subscription where your Vaults exist.
Reference:
https://docs.microsoft.com/en-us/azure/backup/configure-reports#1-create-a-log-analytics-workspace-or-use-an-existing-one
upvoted 2 times

upvoted 3 times
  KFM2020 4 months, 1 week ago

What do storage accounts have to do with this question? Is this an old question that refers to soon-to-be-deprecated Power BI or V1
schema functionality which require a storage account?
Reference: https://docs.microsoft.com/en-us/azure/backup/configure-reports#what-happened-to-the-power-bi-reports
upvoted 2 times

storage 3
analytics 1,2 & 3
upvoted 2 times

to config AzureBackupReports only needs log analytics workspaces, why it needs storage ?
upvoted 1 times
  NarenderSingh 5 months ago

Tested in Lab -
Storage3 Only dispite of subscription
Any Log Analytics dispite of region/subscription
upvoted 3 times

upvoted 5 times

Revealed answer is partly false:
storage 3 only
Log analytics 1, 2, & 3.
Hint: Think like Microsoft.

Why would they offer back to a different region when they have ZRs & GRS solutions? The logs analytics have a read-only effect on the
data, so they let you create them in different regions.
upvoted 3 times

*back up...
upvoted 1 times

That's right. Just reverse the justifications given.
upvoted 2 times

Storage 3
LA1,2,3
upvoted 1 times

Appear On Exam July 1 2021
upvoted 5 times
HOTSPOT -
You have an Azure subscription that contains the storage accounts shown in the following exhibit.
Hot Area:
Correct Answer:
Box 1: contoso104 only -

Premium file shares are hosted in a special purpose storage account kind, called a FileStorage account.
Box 2: contoso101, contoso102, and contos103 only
Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-create-premium-fileshare?tabs=azure-portal
Correct Answer:
Box 1: contoso104 only

Premium file shares are hosted in a special purpose storage account kind, called a FileStorage account.
Box 2: contoso101 and contos103 only

Object storage data tiering between hot, cool, and archive is supported in Blob Storage and General Purpose v2 (GPv2) accounts. General
Purpose v1 (GPv1) accounts don't support tiering.
The archive tier supports only LRS, GRS, and RA-GRS.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview
https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-create-premium-fileshare?tabs=azure-portal
upvoted 94 times
  JayJay22215 1 week ago

Premium is available for blob as well, but it asked for "Premium File Shares"
Box 2: contoso101 and contos103 only
not available for normal storage. In addition to the ms docs list above, you can just check via the price calculator as well.
https://azure.microsoft.com/de-de/pricing/calculator/
upvoted 1 times
  Rajash Highly Voted  9 months, 3 weeks ago

Box1 - 104 only.
Box2 - 101 and 103 only ( Storage V2 and BLOB storage)
-Object storage data tiering between hot, cool, and archive is supported in Blob Storage and General Purpose v2 (GPv2) accounts. General
Purpose v1 (GPv1) accounts don't support tiering.
upvoted 75 times

I agreed. Here is the article https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers
upvoted 4 times
  awssecuritynewbie Most Recent  5 days, 18 hours ago

that is not true i can create a new file share even in a blob storage storage account but the main file storage account needs to be
premium, which this example does not display.
upvoted 1 times
  Rick06 2 weeks, 2 days ago


Note:
Data stored in a premium block blob storage account cannot be tiered to Hot, Cool, or Archive using Set Blob Tier or using Azure Blob
Storage lifecycle management. To move data, you must synchronously copy blobs from the block blob storage account to the Hot tier in a
different account using the Put Block From URL API or a version of AzCopy that supports this API. The Put Block From URL API
synchronously copies data on the server, meaning the call completes only once all the data is moved from the original server location to
the destination location.
https://docs.microsoft.com/en-us/azure/storage/blobs/access-tiers-overview
upvoted 3 times
  Az_dasappan 1 week ago

correct answer
upvoted 1 times

upvoted 1 times

upvoted 3 times

Remember blobstorage is now considered legacy; doubt it will be in exams for much longer. All V2 now.
upvoted 2 times
  photon99 4 months, 2 weeks ago
Standard general-purpose v2 ==> Blob (including Data Lake Storage1), Queue, and Table storage, Azure Files
Premium block blobs ==> Premium BLOCK Blob Store only (v1)
Premium page blobs ==> Premium PAGE Blob Store only (v1)
Premium file shares ==> Premium FILE SAHRES (v1)
upvoted 1 times

Answer is correct
upvoted 1 times
  aquarian999 7 months, 3 weeks ago

104 only
101 and 103 only
Object storage data tiering between hot, cool, and archive is supported in Blob Storage and General Purpose v2 (GPv2) accounts. General
Purpose v1 (GPv1) accounts don't support tiering. You can easily convert your existing GPv1 or Blob Storage accounts to GPv2 accounts
through the Azure portal.
upvoted 2 times

upvoted 2 times

Box1 - 104 only.
Box2 - 101 and 103 only ( Storage V2 and BLOB storage)
upvoted 3 times
  Ssri 8 months, 1 week ago

https://azure.microsoft.com/en-gb/pricing/calculator/?service=storage
Box 1 - 104 only

Box 2 - 101 and 103 only.
upvoted 1 times
  ykmoh 8 months, 2 weeks ago

Box 1 - 104 only
Box 2 - 101 and 103 only. It mentioned in this link https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers
"Object storage data tiering between hot, cool, and archive is supported in Blob Storage and General Purpose v2 (GPv2) accounts. General
Purpose v1 (GPv1) accounts don't support tiering"
upvoted 1 times

Azure supports multiple types of storage accounts for different storage scenarios customers may have, but there are two main types of
storage accounts for Azure Files. Which storage account type you need to create depends on whether you want to create a standard file
share or a premium file share:
General purpose version 2 (GPv2) storage accounts: GPv2 storage accounts allow you to deploy Azure file shares on standard/hard disk-
based (HDD-based) hardware. In addition to storing Azure file shares, GPv2 storage accounts can store other storage resources such as
blob containers, queues, or tables. File shares can be deployed into the transaction optimized (default), hot, or cool tiers.
FileStorage storage accounts: FileStorage storage accounts allow you to deploy Azure file shares on premium/solid-state disk-based (SSD-
based) hardware. FileStorage accounts can only be used to store Azure file shares; no other storage resources (blob containers, queues,
tables, etc.) can be deployed in a FileStorage account.
https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-create-file-share?tabs=azure-portal
upvoted 2 times
  awssecuritynewbie 5 days, 18 hours ago

that is not true you can deploy file share within general-purpose v2
upvoted 1 times
  Ptit_filou 9 months, 1 week ago

For question 1: https://azure.microsoft.com/en-us/pricing/details/storage/files/
"Premium file shares are available through the FileStorage storage account type"
vs
"Standard file shares are available in general purpose storage accounts"
contoso104 only.
upvoted 1 times
  RAY2021 9 months, 1 week ago

Premium file shares are not available from this storage account type. Create a premium file storage account for those
upvoted 2 times
HOTSPOT -
In Subscription1, you create an Azure file share named share1.
You create a shared access signature (SAS) named SAS1 as shown in the following exhibit:
To answer, select the appropriate options in the answer area.

Hot Area:
Correct Answer:
Box 1: Will have no access -

The IP 193.77.134.1 does not have access on the SAS.
Box 2: Will have read, write, and list access
The net use command is used to connect to file shares.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1 https://docs.microsoft.com/en-
us/azure/vs-azure-tools-storage-manage-with-storage-explorer?tabs=windows

The Answer is not correct.
It should be no access for both cases.
- for first case, cause the IP is not matching the SAS requirements
- for second case, since it is using "net use" where it uses SMB. The SMB (Server Message Broker) protocol does not support SAS. it still
asks for username/password. Accordingly, it will give error wrong username/pass and will not provide access.
upvoted 142 times

Yes, the file share can be mounted using the storage access key as given in https://docs.microsoft.com/en-
us/azure/storage/files/storage-how-to-use-files-windows, however when using SAS key in place of storage access key, it fails. So I agree
that file share doesn't support SAS for SMB.
upvoted 2 times
  rrr 8 months, 3 weeks ago

you are savior, netuse dont support SAS ..
upvoted 5 times
  researched_answer_boi 8 months, 4 weeks ago

Authenticating against an Azure File Share using SAS is currently not supported. Only the Storage Account Keys would work.
https://docs.microsoft.com/en-us/answers/questions/40741/sas-key-for-unc-path.html
upvoted 2 times
  ravigupta1 10 months ago

I think the provided answer is correct because Blob Storage doesn't support SAS but File Storage support SAS and Net USE both.
Ref: https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows
upvoted 5 times

Correct Answer:
Box 1: will have no access

The IP 193.77.134.1 does not have access on the SAS, because it is not matching the SAS requirements. IP is out of range.

The SAS token is not supported in mounting Azure File share currently, it just supports the Azure storage account key.
Since it is using "net use" where it uses SMB, the SMB (Server Message Broker) protocol does not support SAS. it still asks for
username/password. Accordingly, it will give error wrong username/pass and will not provide access.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1
https://docs.microsoft.com/en-us/azure/vs-azure-tools-storage-manage-with-storage-explorer?tabs=windows
https://docs.microsoft.com/en-us/answers/questions/40741/sas-key-for-unc-path.html
upvoted 43 times

Correct Answer:

The IP 193.77.134.1 does not have access on the SAS, because it is not matching the SAS requirements. IP is out of range.

The SAS token is not supported in mounting Azure File share currently, it just supports the Azure storage account key.
Since it is using "net use" where it uses SMB, the SMB (Server Message Broker) protocol does not support SAS. it still asks for
upvoted 1 times

No access
No access
The Answer is not correct. It should be no access for both cases. - for first case, cause the IP is not matching the SAS requirements - for
second case, since it is using "net use" where it uses SMB. The SMB (Server Message Broker) protocol does not support SAS. it still asks for
upvoted 1 times
  trynapassmane 2 months ago

what is net use and why is everyone talking about it
upvoted 2 times

The key here is..... did anyone ever read of "net use" regarding SAS in any course material? The username might also be needed?
upvoted 1 times

"net use" has never been mentioned in the Microsoft instructor led trainings. So it is up to students to be aware of how "net use" works
in the background.
upvoted 1 times

Took the exam today on 17 Oct. This question came out. Ans:
No access for both
upvoted 12 times

Passed 11 Oct 2021 with 947. This question appeared, correct Answer is no access both cases.
upvoted 10 times

no access for both cases
upvoted 1 times

Shared access signatures should be performed only over an HTTPS connection!
upvoted 1 times

The answer might be: No access for both;
Shared access signature are keys that grant permissions to storage resources, and should be protected in the same manner as an account
key. It's important to protect a SAS from malicious or unintended use. Use discretion in distributing a SAS, and have a plan in place for
revoking a compromised SAS. Operations that use shared access signatures should be performed only over an HTTPS connection, and
shared access signature URIs should only be distributed on a secure connection such as HTTPS.
upvoted 2 times

(Amending my previous comment)
IP range 193.77.134.(10-50) only.

- 193.77.134.1 does not belong to that range.
The expiry date for SAS1 is 14th Sept and 193.77.134.50 is in the 193.77.134.(10-50) range. The scope is inclusive.
Access will be allowed.
upvoted 1 times

Answer is correct.
II range 193.77.134.(10-50) only.

this IP is outside the allowed range: Access will be denied.
The revealed answer is correct.
II range 193.77.134.(10-50) only.

upvoted 1 times

Sorry about the copy/paste and typo error. I meant *IP range
The revealed answer is correct.
IP range 193.77.134.(10-50) only.

upvoted 1 times

Answer is correct: (box 1: no access; box2: access read write list)
TESTED in Lab!
Box 1: IP is not matching the SAS requirements (obvious)
Box 2: Net use CAN mount the share with SAS (even with HTTPS protocol selected)
net use <drive-letter>: \\<storage-account-name>.file.core.windows.net\<share-name> /u:AZURE\<storage-account-name> <storage-
account-key>
example :
net use z: \\samples.file.core.windows.net\logs /u:AZURE\samples <storage-account-key>
Source: https://stackoverflow.com/questions/43218050/map-network-drive-to-azure-blob-storage-using-sas
upvoted 5 times
  rawrkadia 7 months, 1 week ago

The link talks about using Access Keys which are different from SAS. Don't believe you actually labbed this :)
upvoted 5 times

in exam 7/3/2021, answered will have no access for both. passed with 906
upvoted 12 times

upvoted 3 times
  Gautam123 8 months, 1 week ago

no access for both
upvoted 2 times
You have two Azure virtual machines named VM1 and VM2. You have two Recovery Services vaults named RSV1 and RSV2.
VM2 is backed up to RSV1.
You need to back up VM2 to RSV2.
A. From the RSV1 blade, click Backup items and stop the VM2 backup
B. From the RSV2 blade, click Backup. From the Backup blade, select the backup for the virtual machine, and then click Backup
C. From the VM2 blade, click Disaster recovery, click Replication settings, and then select RSV2 as the Recovery Services vault
D. From the RSV1 blade, click Backup Jobs and export the VM2 job
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-vms-first-look-arm

A (100%)

Correct Answer: A
VMs can only be backed up in a single Recovery Services Vault. You have to stop the VM2 backup from the RSV1 first. Otherwise you won't
able find the VM2 in RSV2.
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-move-recovery-services-vault#must-preserve-previous-backed-up-data
https://docs.microsoft.com/en-in/azure/backup/backup-azure-vms-first-look-arm
upvoted 82 times
  MrRice Highly Voted  9 months, 3 weeks ago

Answer A.
from the provided reference: VMs can only be backed up in a single vault.
upvoted 37 times
  xongildon Most Recent  1 month ago

Correct Answer: A
upvoted 1 times

Selected Answer: A
Correct Answer: A
upvoted 1 times
  Arshaq 1 month, 3 weeks ago

Selected Answer: A
Answer A.
upvoted 2 times
  AyushOberoi 2 months ago

Selected Answer: A
Correct Answer :A
upvoted 2 times

In exam today 11-DEC.2021 Ans: A
upvoted 4 times
  Fulforce 2 months, 1 week ago

Selected Answer: A
Correct answer A, you can only back up to one vault. You will need to stop the backup first.
upvoted 3 times

Selected Answer: A
Correct Answer: A
upvoted 2 times
  beem84 2 months, 2 weeks ago

Selected Answer: A
VMs can only be backed up in a single Recovery Services Vault.
upvoted 3 times
  rickbern 2 months, 2 weeks ago

Selected Answer: A
VM can only be backed up to a single vault. Backup must be stopped first.
upvoted 1 times
  hmzansari 2 months, 3 weeks ago

Selected Answer: A
VMs can only be backed up in a single Recovery Services Vault. You have to stop the VM2 backup from the RSV1 first. Otherwise you won't
able find the VM2 in RSV2.
upvoted 2 times

okay so we need to stop the backup from VM2 first before we can move it to the other Vault.
So the correct answer is A!
upvoted 1 times
  vimi003 4 months ago

A is the Correct Answer
upvoted 1 times

Passed 11 Oct 2021 with 947. This question appeared, correct Answer is A
upvoted 6 times

Answer A
upvoted 1 times
  wallythebos 5 months ago

Question was in the exam 9/15/2021
upvoted 4 times
You have a general-purpose v1 Azure Storage account named storage1 that uses locally-redundant storage (LRS).
You need to ensure that the data in the storage account is protected if a zone fails. The solution must minimize costs and administrative effort.
A. Create a new storage account.
B. Configure object replication rules.
C. Upgrade the account to general-purpose v2.
D. Modify the Replication setting of storage1.
Correct Answer: C
Reference:
  klamar Highly Voted  8 months, 3 weeks ago

Correct.
v1 supports GRS/RA-GRS but question was about least cost. Least cost is ZRS which is only supported for v2 and premium file/block
storage.
Source: https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy#supported-storage-account-types
upvoted 39 times
  mwhooo Highly Voted  5 months, 3 weeks ago

Answer is correct, and this is why :
General-purpose v2 storage accounts support the latest Azure Storage features and incorporate all of the functionality of general-purpose
v1 and Blob storage accounts. General-purpose v2 accounts are recommended for most storage scenarios. General-purpose v2 accounts
deliver the lowest per-gigabyte capacity prices for Azure Storage, as well as industry-competitive transaction prices. General-purpose v2
accounts support default account access tiers of hot or cool and blob level tiering between hot, cool, or archive.
Upgrading to a general-purpose v2 storage account from your general-purpose v1 or Blob storage accounts is straightforward. You can
upgrade using the Azure portal, PowerShell, or Azure CLI. There is no downtime or risk of data loss associated with upgrading to a
general-purpose v2 storage account. The account upgrade happens via a simple Azure Resource Manager operation that changes the
account type.
Hope this helps

upvoted 7 times

Nice pointing out. Also just to avoid any confusion the same doesn't apply to switching from Standard V2 to any of the Premium tiers.
Doing such a switch requires a NEW storage account to be created and data to be copied over after.
Reference : Microsoft own AZ104 certified instructor.

upvoted 1 times
  Mozbius_ Most Recent  2 weeks, 3 days ago

Microsoft doesn't even bother mentioning the existence of Standard v1 in courses. (January 2022).
upvoted 2 times

GPV1: Replication supports LRS, GRS, RA-GRS. GRS and RA-GRS would only be beneficial if there was a failure but even then, the data
would be read only. So, there isn't any replication option to reconfigure using GPV1 based on the scenario. Admin would just have to
upgrade the storage to GPV2.
upvoted 1 times

While GRS is available on GPV1 and you can choose generally using Azure Storage Price Calculator GPV2 is slightly cheaper so C seems
most suitable option of the given options
upvoted 1 times
  Kronnos 4 months, 1 week ago

Honestly I wonder if ZRS is the ask here as it clearly says „when a zone fails“. In this case shouldn‘t we look into GRS which can still be
provided with v1 storage?
upvoted 2 times
  Sukorak 3 months ago

you need to take care of least cost too.
upvoted 2 times
  Sukorak 3 months ago

and GRS is for region fails
upvoted 2 times
  hajurbau 3 months, 2 weeks ago

Yeah I feel the same.
upvoted 1 times
  GepeNova 4 months, 2 weeks ago

For your records I tried to test this.
1. Create a kind v1 account is not possible at least from my tenant.
2. Fortunately I had an old storage account v1 under SA blade 》settings 》 you can find upgrade button.
So, for me correct answer is C, because you can upgrade the account to V2 and change it to zrs.
upvoted 1 times

Modifying the replication policy in the storage account ensures you have RA-GRS. Although this is an option, StorageV2 offers ZRS, which
is a much cheaper option. Besides, Microsoft recommends to only use StorageV1 only if you have to. I think they've even discontinued
now, it does not longer appear when you add it with the portal.
Answer is correct
upvoted 1 times
  kashi1983 6 months, 1 week ago

Answer is C
upvoted 1 times
  choskar90 6 months, 1 week ago

I got 694. The correct is answer.
upvoted 4 times
  Kazie 2 months, 3 weeks ago

694? is that a pass mark?
upvoted 2 times
  pkazemei 6 months, 2 weeks ago

There's no explanation as to why this is correct, just hearing the same response.
Answer is correct.
OK!
upvoted 3 times

This question was on Jul 23, 2021 - passed the exam. answer is correct
upvoted 4 times

ZRS is only supported in GPv2 correct?
upvoted 3 times
  mooncricket 6 months, 2 weeks ago

correct
upvoted 2 times
  CloudyTech 8 months ago

Answer is correct
upvoted 1 times
  Deevine78 8 months, 1 week ago

Correct answer is C.
upvoted 1 times

C is correct!
upvoted 1 times
You have an Azure subscription that contains the storage accounts shown in the following table.
You plan to manage the data stored in the accounts by using lifecycle management rules.
To which storage accounts can you apply lifecycle management rules?
A. storage1 only
B. storage1 and storage2 only
C. storage3 and storage4 only
D. storage1, storage2, and storage3 only
E. storage1, storage2, storage3, and storage4
Correct Answer: D
Reference:
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-lifecycle-management-concepts?tabs=azure-portal

C (50%) D (50%)
  Tamilarasan Highly Voted  8 months, 2 weeks ago

Answer is correct .
The lifecycle management feature is available in all Azure regions for general purpose v2 (GPv2) accounts, blob storage accounts,
premium block blobs storage accounts, and Azure Data Lake Storage Gen2 accounts.
upvoted 34 times
  MitchelLauwers1993 2 months, 4 weeks ago

jup:https://docs.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-overview
upvoted 2 times
  AubinBakana Highly Voted  6 months ago

Lifecycle management are rules that you set to move files/folders from between tears or even delete them when they meet certain
conditions, like for example: if the file hasn't been used in 30 days move it to cool. After 365days move it to archive.
It applies to all blob types except premium file storage. I am not entirely sure if lifecycle management applies to standard files because
Azure files storage uses tiering and does not have a life cycle management like blob storage. But for all blob storage, you have the Hot,
Cold and Archive options.
The answer provided is correct.

upvoted 5 times
  rdiaz Most Recent  2 days, 7 hours ago

Selected Answer: C
Answer is correct .
premium block blobs storage accounts, and Azure Data Lake Storage Gen2 accounts.
upvoted 1 times

Selected Answer: D
D
"Lifecycle management policies are supported for block blobs and append blobs in general-purpose v2, premium block blob, and Blob
Storage accounts."
upvoted 1 times
  Aliss28 4 weeks, 1 day ago
Answer D is correct
Reason:
Lifecycle management policies are supported for block blobs and append blobs in general-purpose v2, premium block blob, and Blob
Storage accounts.
Link: https://docs.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-overview
upvoted 2 times
  NzNagaraj 4 weeks ago

Yes I see your point . MS doc seems to contradict itself
https://docs.microsoft.com/en-us/azure/storage/blobs/access-tiers-overview#blob-lifecycle-management - Says Premium Block blobs
not supported (dated 23 Nov 2021) I see the Link you provided says supported (Dated 18 Nov 2021) - we really need someone to test
and figure out - Any body tested ?
upvoted 1 times
  Az_dasappan 1 week ago

checked , BlockBlobStorage support lifecycle , but move to cool is not supported ( only action supported is delete)
upvoted 1 times
  dangerdizzy 1 month ago

Should be B
upvoted 4 times

Good debate here - But Micosft document has the two as pwects below
(1) "Data stored in a premium block blob storage account cannot be tiered to Hot, Cool, or Archive using Set Blob Tier or using Azure Blob
Storage lifecycle management. To move data, you must synchronously copy blobs from the block blob storage account to the Hot tier in a
different account using the Put Block From URL API or a version of AzCopy that supports this API."
(2) Feature support
This table shows how this feature is supported in your account and the impact on support when you enable certain capabilities.
FEATURE SUPPORT
Storage account type Blob Storage (default support) Data Lake Storage Gen2 1 NFS 3.0 1 SFTP 1
Standard general-purpose v2 Yes Yes Yes Yes
Premium block blobs No No No No
Sthe question says "using Lyfe Cycle Management Rules" so you need to assume it is asking Automated Tiering - Then Premium
BlockBlobStorage is out so I guess the answer as B (GPV2 and BlobStorage) or Storage1 & Storage2 only
upvoted 3 times

Correct. Tested in a lab: a Premium FileStorage account does not have any Data management / Lifecycle management blade
upvoted 3 times
  Sara_Mo 2 months, 1 week ago

upvoted 1 times

It's interesting that you cannot even set tier for Premium Blobstorage, but you can set data lifecycle for it. we know that data lifecycle uses
tiers.
upvoted 1 times

upvoted 3 times
  GD01 4 months, 1 week ago

C is correct...
Lifecycle management policies are supported for block blobs and append blobs in general-purpose v2, premium block blob, and Blob
Storage accounts.
https://docs.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-overview
upvoted 2 times
  Junpeng 6 months, 3 weeks ago

A is correct: The lifecycle management feature is available in all Azure regions for general purpose v2 (GPv2) accounts, blob storage
accounts, premium block blobs storage accounts, and Azure Data Lake Storage Gen2 accounts.
upvoted 3 times

D is correct, sorry for my typo
upvoted 3 times

Correct Answer.
premium block blobs storage accounts, and Azure Data Lake Storage Gen2 accounts
Ref # https://docs.microsoft.com/en-us/azure/storage/blobs/storage-lifecycle-management-
concepts#:~:text=The%20lifecycle%20management%20feature%20is,account%20to%20a%20GPv2%20account.
upvoted 2 times

Sorry. The correct answer is B - Storage 1 and Storage 2 only.
Reason is as mentioned above - The lifecycle management feature is available in all Azure regions for general purpose v2 (GPv2)
accounts, blob storage accounts, premium block blobs storage accounts, and Azure Data Lake Storage Gen2 accounts
upvoted 2 times

Your post-comment does not make sense. The statement clearly says "premium block blobs storage accounts" so these are also
supported. The original answer D is correct. Only Premium FileStorage accounts are not suported by lifecycle management rules.
upvoted 4 times

Exactly D is correct as stated in MS documentation https://docs.microsoft.com/en-us/azure/storage/blobs/storage-lifecycle-
management-concepts#:~:text=The%20lifecycle%20management%20feature%20is,account%20to%20a%20GPv2%20account.
upvoted 1 times
  pelekafitinakwenu 8 months ago

upvoted 1 times

Storage1, Storage2, Storage 3!
upvoted 1 times

This is what I thought but its wrong, and here is why...
Storage 2 uses a Standard Page Blob legacy storage account, and the link above specifically mentions 'blob storage accounts' not
premium blob storage accounts, so the assumption must be that this includes standard blob storage accounts too. This is backed up by
the statement at the end that states 'you can upgrade an existing general purpose (GPv1) account' the only account that does not
support Lifecycle Management, further suggesting that this type of storage account is the only type not to support LM.
upvoted 1 times
  AVVARU 8 months, 2 weeks ago

Answer is correct
upvoted 3 times
You create an Azure Storage account named contosostorage.

You plan to create a file share named data.
Users need to map a drive to the data file share from home computers that run Windows 10.
Which outbound port should you open between the home computers and the data file share?
A. 80
B. 443
C. 445
D. 3389
Correct Answer: C
Server Message Block (SMB) is used to connect to an Azure file share over the internet. The SMB protocol requires TCP port 445 to be open.
Incorrect Answers:
A: Port 80 is required for HTTP to a web server
B: Port 443 is required for HTTPS to a web server
D: Port 3389443 is required for Remote desktop protocol (RDP) connections
Reference:

C (100%)

Correct answer is port 445, as this is port for SMB protocol to share files
Incorrect:
Port 80: HTTP, this is for web
Port 443: HTTPS, for web too
Port 3389: Remote desktop protocol (RDP)
upvoted 23 times
  ohana Highly Voted  4 months ago

Took the exam today on 17 Oct. Similar question came out. Know the usage for all your ports! Ans:445
upvoted 12 times
  SK_2_SK 2 months, 2 weeks ago

Thanks for the info!
upvoted 1 times
  pappkarcsiii Most Recent  3 weeks, 4 days ago

Selected Answer: C
Correct answer is port 445, as this is port for SMB protocol to share files
upvoted 1 times
  Techno_Head 1 month, 2 weeks ago

Its 445 but in the real world you shouldn't be opening it!!! get the user to connect via vpn
upvoted 2 times

A. Azure File Storage
B. an Azure Cosmos DB database
C. Azure Data Factory
D. Azure SQL Database
Correct Answer: A
Reference:

A (100%)
  JESUSBB Highly Voted  2 months, 1 week ago

In exam today 11-DEC-2021 ans: A
upvoted 9 times

Selected Answer: A
Azure File Storage - https://docs.microsoft.com/en-us/azure/import-export/storage-import-export-service
upvoted 1 times
  drainuzzo 2 months, 1 week ago

correct: A
upvoted 1 times

Azure File Storage is the correct answer. Ref here: https://docs.microsoft.com/en-us/azure/import-export/storage-import-export-service
"The WAImportExport tool is available in two versions, version 1 and 2. We recommend that you use:
Version 1 for import/export into Azure Blob storage.

Version 2 for importing data into Azure files."
upvoted 1 times

Selected Answer: A
"Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk
drives to an Azure datacenter."
upvoted 1 times
HOTSPOT -
You have an Azure subscription that contains an Azure Storage account named storageaccount1.
You export storageaccount1 as an Azure Resource Manager template. The template contains the following sections.
NOTE: Each correct selection is worth one point
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?tabs=json
  MrMacro Highly Voted  2 months ago

Box 1- Yes. VirtualNetworkRules & IpRules are blank, with the default action Allow.
Box 2- Yes. Individual blobs can be set to the archive tier - ref.https://docs.microsoft.com/en-us/azure/storage/blobs/access-tiers-overview
Bob 3. No. To access blob data in the Azure portal with Azure AD credentials, a user must have the following role assignments:
A data access role, such as Storage Blob Data Contributor

The Azure Resource Manager Reader role
Ref.https://docs.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access?tabs=portal
upvoted 14 times

Box 2 is VERY TRICKY- Answer appears to be NO
The ARM Template storage is of type StorageV2. It is true that BLOB LifeCycles exist for "StorageV2 (which supports blobs), Premium
Page Blob, Premium Block Blob". That being said the link you provided is only subtly inferring that the "ARCHIVE" tiers can be enabled
only at hardcore Blobs storages NOT "StorageV2".
"While the Hot and Cool tiers can be enabled at the storage account level or at the blob level, the Archive tier can only be enabled at the
blob level. All three storage access tiers can exist in the same storage account and the default tier for a blob is inherited from the
account level setting."
Reference:
https://cloud.netapp.com/blog/storage-tiers-in-azure-blob-storage-find-the-best-for-your-
data#:~:text=%20How%20to%20Switch%20Between%20Storage%20Tiers%20in,account%2C%20browse%20to%20the%20Storage%20a
ccount-%3EBlob...%20More%20
upvoted 1 times

I take it back!!! In Azure I have created a Standard V2 based storage account and when I go to upload a Blob in a container "Hot",
"Cool" and "Archive" are access tiers can be selected.
So based on that test it appears that it is not possible to change the a Standard V2 based "storage account" tier to "Archive" (because
life cycles apply only to Blobs and not to Files, Tables or Queues) but it is possible to indeed set the access tier to individual blobs
within a StandardV2 storage account (which I must say makes a lot of sense).
upvoted 3 times

Box 2 is YES (moderator please delete my initial response to prevent further confusion. Thanks).
upvoted 6 times
  beem84 Highly Voted  2 months ago

1: Yes. Defaultaction is allow. IP is allowed.
2: Yes. Storagev2 allows tiering.
3: No. File share access requires SAS.
upvoted 9 times
  jackAttew_1 Most Recent  1 month, 3 weeks ago

2. NO => accessTier: Required for storage accounts where kind = BlobStorage. The access tier used for billing. VALUE: 'Cool'
'Hot' https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?tabs=json
upvoted 2 times
What are you talking about ? Question asks if we can change individual blobs to archive tier, and yes we can even though the default
tier is HOT :
The following table summarizes the approaches you can take to move blobs between various tiers.
Change a blob's tier from Hot to Archive with Set Blob Tier or Copy Blob
upvoted 3 times

1. Default connectivity method is public (allow access from all networks) - "YES"
2. It is using hot access tier - "YES"
3. This one make no sense for me. You can access storage account using in ex. SAS or access keys. Using only basic credentials it won't
work. When You want only to use credentials You configure Identity-based authentication (Active Directory) for Azure file shares at the
share lvl. But it must be enabled first - "NO" but I'm not 100% sure about this.
upvoted 2 times

Where it's get the IP?
upvoted 1 times
  airwalk3r 1 month, 4 weeks ago

It specifies to allow by default and also it did not have any block rules so it was just implied.
upvoted 1 times
  yoelalan14 2 months, 1 week ago

Can someone explain this one?
upvoted 1 times

Hi, this is a difficult one!
For reference:
https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/2021-04-01/storageaccounts?tabs=json
In the JSON you find: networkAcls. There is a a vallue=defaultAction: Allow => for me this is an indicator that the storage is accessible
with the Public IP!
=> Yes!
About the switch of the accessTier: Hot to Archive, this is not possible. The only allowed values are Hot/Cool
=> No!
About the last question, I can only guess, I would say YES, because it's the Global Admin.
I hope this helps!

upvoted 3 times

It is possible to set the access tier to "Archive" for an individual Blob in StandardV2 based Storage account (Hot, Cool & Archive are
listed in the advanced section when you upload a blob in a StandardV2 storage container).
So the answer is definitely Yes.

upvoted 2 times

File Share access won't be allowed simply because a user has "Global Administrator" privileges. "Global Administrator" is an Azure
Active Directory role (which for instance gives the permission to create Azure AD users / AD devices / ...) and not a RBAC role (Role-
based Access Control roles allow interactions with Azure resources such as VM / Files shares / VNets / ...). The basic Role-based
Access Control are : Owner, Contributor, Reader (from which built-in more granular roles are created such as VM Owner, VNet
Contributor, Storage Table Data Reader...).
upvoted 1 times
Question #1 Topic 4
You have an Azure virtual machine named VM1 that runs Windows Server 2016.
You need to create an alert in Azure when more than two error events are logged to the System event log on VM1 within an hour.
Solution: You create an Azure Log Analytics workspace and configure the data settings. You add the Microsoft Monitoring Agent VM extension to
VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.
A. Yes
B. No
Correct Answer: B
You must install the Microsoft Monitoring Agent on VM1, and not the Microsoft Monitoring Agent VM extension.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview

Correct Answer:
You add the Microsoft Monitoring Agent VM extension to VM1 > This is WRONG
You Install the Microsoft Monitoring Agent VM agent to VM1 > This is Correct
1. Log analytics agent - Install in VM.

2. Log analytics workspace - collect the log files from Log Analytics Agent.
3. Azure Monitor - Create alert based on logs read from Log Analytics Workspace.
Reference:
upvoted 50 times
  Lapiduse Highly Voted  1 year, 1 month ago

I think the Answer should be - Yes.
You need to click the Add button on Portal-> Settings-> Extensions to Install the Extension on VM.
Azure Monitor currently has multiple agents because of recent consolidation of Azure Monitor and Log Analytics. The Azure Monitor Agent
is implemented as an Azure VM extension.
Windows/Linux name: Microsoft.Azure.Monitor
Windows type: AzureMonitorWindowsAgent
Linix type: AzureMonitorLinuxAgent
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/azure-monitor-agent-install?
tabs=ARMAgentPowerShell%2CPowerShellWindows%2CPowerShellWindowsArc%2CCLIWindows%2CCLIWindowsArc
upvoted 24 times

The Azure Monitor agent is only available as a virtual machine extension. The Log Analytics extension for Windows and Linux install the
Log Analytics agent on Azure virtual machines. The Azure Monitor Dependency extension for Windows and Linux install the
Dependency agent on Azure virtual machines. These are the same agents described above but allow you to manage them through
virtual machine extensions. You should use extensions to install and manage the agents whenever possible.
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview#virtual-machine-extensions
upvoted 1 times

so add extension does not mean the agent is installed, agent can still be missing.
upvoted 2 times

agreed, should be yes
upvoted 3 times

there is a extension called log analytics which is the MMA agent, it will auto install it you can do it via the "auto provisional " section under
the environmental settings.. so it will install the MMA agent on the machine without needing to do it. The question is old as the new
methods of installing MMA is possible.
upvoted 1 times
  deltarj 3 weeks, 1 day ago

Q1, Q2, Q22 & Q71 - remember: MONITORING AGENT! (q2 & q71: yes)
upvoted 1 times
  RRupesh 2 months, 1 week ago

dont overthink guys..adding extension doesn't meet the goal thats it..
upvoted 3 times

I would like to note that adding the MicrosoftMonitoringAgent Extension via the VM > Extensions panel is not a thing afaik, I have done
this recently and it should be done from the LAWS, "Workspace Data Sources" heading "Virtual Machines", then you click the VM where it's
not connected and click Connect... This installs the Extension and software inside the VM.
upvoted 3 times
  PtOlOmY 5 months, 3 weeks ago

the link supplied clearly states use Extensions to manage agents
Yes !! is the correct answer
Log Analytics agent on Azure virtual machines. The Azure Monitor Dependency extension for Windows and Linux install the Dependency
agent on Azure virtual machines. These are the same agents described above but allow you to manage them through virtual machine
extensions. You should use extensions to install and manage the agents whenever possible.
upvoted 3 times

so add extension does not mean the agent is installed, agent can still be missing, extenstion gives a way to manage agents ?
upvoted 1 times

Answer is correct.
Microsoft tries not to have everything installed for memory, storage, and performance. Installing and adding are 2 different things. This
question is important because if you're in a work environment and try to add and it's not there, you might not know what to do unless you
know that the extension need to be installed first before it appears
It's not a trick.

upvoted 3 times

Such a tricky question to test our attention to details.
To add an extension, you first need to install it. But in real life, attempting to add an extension will lead to a promt for you to add. So you
will still get the job done. But if you answer yes her, they will mark you down. Silly huh!
Answer is correct. You need to install the extension, then add it.
upvoted 2 times

Such a tricky question to test our attention to details.
To add an extension, you first need to install it. But in real life, attempting to add an extension will lead to a *prompt for you to *install
it first. So you will still get the job done.
But if you answer yes *here, they will mark you down. Silly huh!
Answer is correct. You need to install the extension, then add it.
upvoted 2 times

(Update)
Answer is correct.
Microsoft tries not to have everything installed for memory, storage, and performance. Installing and adding are 2 different things.
This question is important because if you're in a work environment and try to add and it's not there, you might not know what to do
unless you know that the extension need to be installed first before it appears
It's not a trick.

upvoted 2 times

YES
The Azure Monitor agent is only available as a virtual machine extension.
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview
upvoted 1 times
  s1inkan 6 months, 3 weeks ago

I would think yes because of the following paragraph in the REF below:
"Virtual machine extensions

Log Analytics agent on Azure virtual machines. The Azure Monitor Dependency extension for Windows and Linux install the Dependency
agent on Azure virtual machines. These are the same agents described above but allow you to manage them through virtual machine
extensions. You should use extensions to install and manage the agents whenever possible."
REF:https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview
upvoted 1 times
  s1inkan 6 months, 3 weeks ago

Furthermore, not that I can find when but I believe they have rebranded the Microsoft Monitoring Agent to be the Azure Monitor
agent.
"Virtual machine extension details
The Azure Monitor Agent is implemented as an Azure VM extension with the details in the following table. It can be installed using any
of the methods to install virtual machine extensions including those described in this article."
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-install?
tabs=ARMAgentPowerShell%2CPowerShellWindows%2CPowerShellWindowsArc%2CCLIWindows%2CCLIWindowsArc
upvoted 1 times

I also think answer should be yes. You might install the agent or add the extension both methods fulfil the objective.
"The Log Analytics agent virtual machine extension for Windows is published and supported by Microsoft. The extension installs the Log
Analytics agent on Azure virtual machines, and enrolls virtual machines into an existing Log Analytics workspace"
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/oms-windows
"The Azure Monitor agent is only available as a virtual machine extension. The Log Analytics extension for Windows and Linux install the
Log Analytics agent on Azure virtual machines."
"For Windows and Linux virtual machines already deployed in Azure, you install the Log Analytics agent with the Log Analytics VM
Extension. Using the extension simplifies the installation process and automatically configures the agent to send data to the Log Analytics
workspace that you specify."
https://docs.microsoft.com/en-us/azure/azure-monitor/vm/quick-collect-azurevm
upvoted 1 times

Answer is correct - NO
Pay attention to bold words in the action- You ADD the Microsoft Monitoring Agent VM EXTENSION to VM1.
Here is the explanation - It should be INSTALL and no mention of EXTENSION respectively.
upvoted 4 times
  eduhazard 6 months, 4 weeks ago

Agree, but why MS do that? Why these tricks? This is only to catch guys without attention but if you are doing an exam, nervous,
anxiety could easily make a mistake and what it proves?
upvoted 7 times
  Shubham_KP 8 months ago

Tricky One.
When you go and try to add Extension is says in next page that.
Install Extension.
You Install an extension in the VM>Extentions>(+)Add> Install Extension (Shown in Page).
upvoted 3 times
  JoeRogersHi 8 months ago

I’m guessing this was version 1 of this question and they have since updated it. No way is this in the test.
upvoted 1 times

What in the actual uckf. I’m an industry professional, I don’t have time to nitpick over add vs install, or agent vs.extension. Come on,
Microsoft.
upvoted 16 times

Oh!! I know what you mean https://www.examtopics.com/discussions/microsoft/view/38267-exam-az-104-topic-3-question-2-
discussion/. This is just ridiculous.
upvoted 2 times

Yes is correct!
upvoted 1 times
Question #2 Topic 4
Solution: You create an Azure Log Analytics workspace and configure the data settings. You install the Microsoft Monitoring Agent on VM1. You
create an alert in
Azure Monitor and specify the Log Analytics workspace as the source.
A. Yes
B. No
Correct Answer: A
Alerts in Azure Monitor can identify important information in your Log Analytics repository. They are created by alert rules that automatically
run log searches at regular intervals, and if results of the log search match particular criteria, then an alert record is created and it can be
configured to perform an automated response.
The Log Analytics agent collects monitoring data from the guest operating system and workloads of virtual machines in Azure, other cloud
providers, and on- premises. It collects data into a Log Analytics workspace.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-response https://docs.microsoft.com/en-us/azure/azure-
monitor/platform/agents-overview


Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-response
upvoted 35 times
  JohnAvlakiotis Highly Voted  1 year, 2 months ago

I mean what's the difference with the above? The words "add" versus "install"? That would be ridiculous...
upvoted 30 times
  j777 1 week, 1 day ago

I know it's over year since you answered, but if you look at both one said agent VM extension and the other just said agent.
upvoted 1 times
  besha 10 months, 2 weeks ago

This one is an agent, the previous one is an extension. It should be agent
upvoted 15 times
  marcusaurelius124 8 months, 2 weeks ago

"The Log Analytics agent for Windows is often referred to as Microsoft Monitoring Agent (MMA)."
So "Microsoft Monitoring Agent" and "Log Analytics agent" are interchangeable.
"The Log Analytics extension for Windows and Linux install the Log Analytics agent on Azure virtual machines."
By adding the extension, you install the agent.
Read it for yourself. Source:

upvoted 2 times
  Davar39 9 months, 3 weeks ago

Nice one besha. Thanks for your input.
upvoted 1 times

Great catch! However, still it is insane they are testing such subtle stuff..
upvoted 1 times

Microsoft tries not to have everything installed for memory, storage, and performance. Installing and adding are 2 different things.
This question is important because if you're in a work environment and try to add and it's not there, you might not know what to do
unless you know that the extension need to be installed first, before it appears
It's not a trick.

upvoted 3 times
  Dizzu 9 months ago

outrageously ridiculous. I won't expect Microsoft to test me for English instead of technical knowledge. In a broad sense, it can even be
used interchangeably. why the confusion?
upvoted 8 times

upvoted 1 times

In exam today 11-DEC-2021 Ans: Yes
upvoted 1 times

Took the exam today on 17 Oct. This question came out. Ans: Yes
upvoted 3 times
  orion1024 5 months ago

I'm confused. As per https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview
"The Azure Monitor agent is only available as a virtual machine extension."
So it should be B right ? Or does Microsoft considers that adding an extension is the same as installing the agent ? They shouldn't since
they clearly differentiate between this question and the previous one.
upvoted 1 times

Answer is correct.
Microsoft tries not to have everything installed for memory, storage, and performance. Installing and adding are 2 different things. This
question is important because if you're in a work environment and try to add and it's not there, you might not know what to do unless you
know that the extension need to be installed first before it appears
It's not a trick.

upvoted 1 times

If you got the previous answer wrong, you definitely have a chance to get this one right because this question brings to your attention
that the extension is to be installed first.
Answer is correct
upvoted 1 times

This question was on Jul 23, 2021 - passed the exam. Answers given by fedztedz and mlantonis are correct. Correct answer is Yes
upvoted 3 times

A is correct!
upvoted 1 times

upvoted 2 times
  denccc 9 months, 3 weeks ago

Is only this one correct or also the previous one?
upvoted 3 times

YES is the answer.
First u need to install azure monitor agent in vm(each) to collect logs and log analytics workspace will access it where alert also created
later
upvoted 3 times

I would say yes, Although previous one and this one are very dirty and silly worded. https://docs.microsoft.com/en-us/azure/azure-
monitor/platform/azure-monitor-agent-install?
tabs=ARMAgentPowerShell%2CPowerShellWindows%2CPowerShellWindowsArc%2CCLIWindows%2CCLIWindowsArc#virtual-machine-
extension-details
upvoted 1 times

Log Analytics agent
providers, and on-premises machines. It sends data to a Log Analytics workspace. The Log Analytics agent is the same agent used by
System Center Operations Manager, and you can multihome agent computers to communicate with your management group and Azure
Monitor simultaneously. This agent is also required by certain insights in Azure Monitor and other services in Azure.
Note
The Log Analytics agent for Windows is often referred to as Microsoft Monitoring Agent (MMA). The Log Analytics agent for Linux is often
referred to as OMS agent.
upvoted 2 times
  diligent176 1 year, 1 month ago

Microsoft has changed the name again... to "Log Analytics agent for Windows".
"The Log Analytics agent for Windows is often referred to as Microsoft Monitoring Agent (MMA). The Log Analytics agent for Linux is often
referred to as OMS agent."
upvoted 5 times
  SSTan 1 year, 2 months ago

one said VM extension and the correct should be Microsoft monitoring agent to be specific.
upvoted 2 times
Question #3 Topic 4
All virtual machines run Windows Server 2016.

On VM1, you back up a folder named Folder1 as shown in the following exhibit.
You plan to restore the backup to a different virtual machine.

You need to restore the backup to VM2.
A. From VM1, install the Windows Server Backup feature.
B. From VM2, install the Microsoft Azure Recovery Services Agent.
C. From VM1, install the Microsoft Azure Recovery Services Agent.
D. From VM2, install the Windows Server Backup feature.
Correct Answer: B
Reference:
  Harryboy Highly Voted  7 months, 3 weeks ago

MARS has to be installed destination machine, in this case it will be VM2. Answer is B
upvoted 26 times
  JimBobSquare101 Highly Voted  6 months, 3 weeks ago

In exam 30 July 2021
upvoted 10 times
  HenriKI2 Most Recent  1 month, 1 week ago

To all people answering other than B, please read carefully MS Docs; It's in the TITLE :
https://docs.microsoft.com/en-us/azure/backup/restore-all-files-volume-mars
Restore all the files in a volume using the MARS Agent

This article explains how to restore all backed-up files in an entire volume using the Recover Data wizard in the Microsoft Azure Recovery
Services (MARS) Agent. You can:
Restore all backed-up files in a volume to the same machine from which the backups were taken.
Restore all backed-up files in a volume to an alternate machine.
upvoted 4 times

Makes sense to install the agent from the machine you would like to recover to..
upvoted 4 times

Answer is D - not everything on the exam is Azure!
upvoted 3 times

The UI is for Windows server backup feature, not MARS agent UI
https://www.vembu.com/blog/windows-server-backup-installation-features-limitations/
So you don't have to install MARS agent in VM2, instead you should enable Windows backup feature.
The correct answer should be D
upvoted 3 times

Specifically, the UI listed in question is 'Backup Once' in Windows server backup feature. There is no such UI in MARS Agent.
upvoted 2 times
  Nikhilsr 4 months, 1 week ago

Correct Answer is B - From VM2, install the Microsoft Azure Recovery Services Agent.
upvoted 3 times
  davidworner 5 months, 1 week ago

Correct Answer: C - From VM2, install the Microsoft Azure Recovery Services Agent.
To pass the Microsoft AZ-104 exam you are required to get help from reliable and trusted platform such as JustCerts where you will get AZ-
104 exam practice test questions. The JustCerts AZ-104 questions will not only prepare you for the final exam but also ensure your success
in the final exam
upvoted 1 times

If you're going to grift, at least get something right.
You didn't even referenced an available answer.
upvoted 18 times
  Rajveers0505 5 months, 1 week ago

The answer is correct, The image is not of Windows Server Backup instead its of MS Azure Backup https://docs.microsoft.com/en-
us/azure/backup/backup-windows-with-mars-agent
upvoted 3 times

Took the test on 8/22/2021, I had a much larger Scenario question that had to do with backups and retention policies and how many
retention points/instances or however they are called, would be in a specific amount of time.
upvoted 4 times

In Exam 21/08/2021
upvoted 4 times

correct answer,
upvoted 3 times
  mousomgogoi 6 months, 3 weeks ago

i agree, but did any one get it in exam
upvoted 2 times
  ppp131176 7 months, 2 weeks ago

When install MARS, VM2 is still in a different region. shouldn't that be an issue for a restore?
upvoted 1 times

yes, we can restore from vault to different PAIRED second region (westUS<->eastUS,centralUS<->eastUS2,westCentralUS<->westUS2) It
is so called Cross Region Restore
upvoted 7 times
  amf 7 months, 3 weeks ago

Correct Answer: C - From VM2, install the Microsoft Azure Recovery Services Agent.
VM2 need also to be register in the same Vault as VM1. So the first step is to install MARS agent on VM2.
upvoted 1 times
  amf 7 months, 3 weeks ago

Sorry Correct Answer is B - From VM2, install the Microsoft Azure Recovery Services Agent.
VM2 need also to be register in the same Vault as VM1. So the first step is to install MARS agent on VM2.
upvoted 8 times
  ahatem 7 months, 3 weeks ago
answer is correct
upvoted 4 times

Question is using Windows Native backup not Azure backup. Answer is C install Windows Back from Features (not installed by default).
upvoted 5 times
  Spandrop 7 months, 1 week ago

I agree, I think that the question is talking about the Windows backup tool, not Azure backup.
upvoted 1 times
  AlexBLN 7 months, 3 weeks ago

answer is D
upvoted 5 times

Agreed, answer is D
upvoted 2 times
Question #4 Topic 4
HOTSPOT -
You need to use an Azure Resource Manager (ARM) template to create a virtual machine that will have multiple data disks.
How should you complete the template? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:

Is correct: https://docs.microsoft.com/nl-nl/azure/azure-resource-manager/templates/copy-properties
upvoted 22 times
  chaudha4 6 months ago

https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/copy-properties
upvoted 4 times

upvoted 14 times
  VVR141 7 months, 1 week ago

came across any LABS ?
upvoted 2 times
  _punky_ Most Recent  1 month, 1 week ago

LUN - is associated with index
upvoted 1 times

On a lighter note , you have to have a sharp memory to pass these certs.
upvoted 3 times
  Karthik3498 1 month, 1 week ago

memory is definitely required, but I don't think it should be sharp as you mean I think if we understand concepts it will be registered in
our brain
upvoted 4 times

In the exam today 11-DEC-2021 Ans: Copy - CopyIndex
upvoted 6 times

Copy
CopyIndex
https://docs.microsoft.com/nl-nl/azure/azure-resource-manager/templates/copy-properties
upvoted 1 times

Took the exam today on 17 Oct. This question came out. Ans: copy, copyIndex
upvoted 4 times

upvoted 2 times

Correct - https://docs.microsoft.com/nl-nl/azure/azure-resource-manager/templates/copy-properties
upvoted 1 times

upvoted 4 times

copy
copyindex
Add the copy element to the resources section of your template to set the number of items for a property.
Notice that when using copyIndex inside a property iteration, you must provide the name of the iteration.
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/copy-properties
upvoted 3 times

This question was on Jul 23, 2021 - passed the exam. answer is correct
upvoted 3 times
  villanz 7 months ago

Is there live lab session?
upvoted 1 times

No. You have to know this off the top of your head. All Memorization.
upvoted 3 times
Question #5 Topic 4
VM1 connects to a virtual network named VNET2 by using a network interface named NIC1.
You need to create a new network interface named NIC2 for VM1.
Solution: You create NIC2 in RG1 and West US.
A. Yes
B. No
Correct Answer: A
The virtual machine you attach a network interface to and the virtual network you connect it to must exist in the same location, here West US,
also referred to as a region.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface

upvoted 13 times

https://docs.microsoft.com/en-us/azure/virtual-network/network-overview
Each NIC attached to a VM must exist in the same location and subscription as the VM.
Each NIC must be connected to a VNet that exists in the same Azure location and subscription as the NIC.
May have a typo as we dont know where VNET2 is located....

upvoted 1 times

Answer is A. Yes
If the rule that all these 3 components must be in the same location 'VM, NIC, VNET' applies, then we can tell the location of VNET2 is
West US.
The opening statement says "VM1 connects to a virtual network named VNET2 by using a network interface named NIC1." The table
also tells us VM1 is in West US so VM1 and VNET2 are in the same location.
Creating NIC2 in West US for VM1 meets the goal as all elements satisfy the rule of 'same location'
upvoted 4 times

But we may not need it to answer the question.
upvoted 1 times

Yes, tested in lab and found correct. They are basically asking you to connect a new vNIC to the VM. Now, rule of thumb is you can only
and only deploy a new vNIC in the same Region as the existing vNIC card on the same VNET wherever existing vNIC is deployed. The
resource group is just an empty container , it can be hosted in any region and you can create resources inside it which once again can be
hosted in any region as well.
upvoted 3 times

later edit: It doesn`t say where the VNET2 is located. So I assume that s why is correct.
upvoted 2 times

The NIC is in the same location, but the VNET no. Something is wrong here. Maybe MaxToRO has a point. Unsure what to vote :)
upvoted 1 times
  vaisat 2 months ago

Either there’s is typo with VNET2 or image is invalid. But the explanation is correct in my opinion.
upvoted 1 times
  MaxToRo 3 months ago

Same here:
I think this screenshot was updated. The comment seems like that VNET 1 was in West US, but at this actual screenshot is VNET in a
different Location than VM and the NIC. So the answer should be "B: no".
"...Each NIC attached to a VM must exist in the same location and subscription as the VM. Each NIC must be connected to a VNet that
exists in the same Azure location and subscription as the NIC.."
Source:https://docs.microsoft.com/en-us/azure/virtual-network/network-
overview#:~:text=Each%20NIC%20attached%20to%20a,you%20cannot%20change%20the%20VNet.
upvoted 4 times

So going back, as long as the VM, VNET, NIC "resources" are in the same region, it doesn't really matter what region / location the resource
group belongs to.
upvoted 3 times

Answer is correct here.
"A network interface can exist in the same, or different resource group, than the virtual machine you attach it to, or the virtual network
you connect it to."
upvoted 2 times

Here they want to establish that you know that it doesn't matter what region the RG is in for the resources inside. Think like Microsoft. :)
upvoted 3 times

in exam 7/3/2021
upvoted 3 times

Duplicate of #5
upvoted 2 times

Not duplicate, here you have different RG. But RG do not matter and the answer is correct, YES
upvoted 7 times
  AdiW 7 months, 3 weeks ago

No, #5 is "You create NIC2 in RG1 and West US"
upvoted 2 times
Question #6 Topic 4
Solution: You create NIC2 in RG2 and Central US.
A. Yes
B. No
Correct Answer: B
Reference:
  zvasanth2 Highly Voted  6 months ago

A network interface (NIC) is the interconnection between a VM and a virtual network (VNet). A VM must have at least one NIC, but can
have more than one, depending on the size of the VM you create. Learn about how many NICs each VM size supports for Windows or
Linux.
You can create a VM with multiple NICs and add or remove NICs through the lifecycle of a VM. Multiple NICs allow a VM to connect to
different subnets and send or receive traffic over the most appropriate interface.
If the VM is added to an availability set, all VMs within the availability set must have one or multiple NICs. VMs with more than one NIC
aren’t required to have the same number of NICs, but they must all have at least two.
Each NIC attached to a VM must exist in the same location and subscription as the VM. Each NIC must be connected to a VNet that exists
in the same Azure location and subscription as the NIC. You can change the subnet a VM is connected to after it's created, but you cannot
change the VNet. Each NIC attached to a VM is assigned a MAC address that doesn’t change until the VM is deleted.
https://social.msdn.microsoft.com/Forums/en-US/c4a1410c-ca52-4acb-bb1d-d1e0ed90c82a/understanding-azure-nic?
forum=WAVirtualMachinesVirtualNetwork
upvoted 7 times

thank you for this explanation. can the NIC attached to VM exist in different resource group in same location?
upvoted 1 times

They can be different resource group. Only constraint as always is the location.
https://stackoverflow.com/questions/52051134/can-virtual-network-be-in-different-resource-group-while-creating-a-vm-in-azure
upvoted 1 times

upvoted 5 times
  raj_tandon 4 months, 1 week ago

Great! What percentages of question you saw from here ?
upvoted 1 times
  Bapan Most Recent  5 months ago

you connect it to."
upvoted 1 times

This question clarifies why they asked the previous question. Basically, they're trying to establish that you know that the NIC can only be
created in the same region as the machine to which it is attached.
Answer is correct
upvoted 4 times

in exam 7/3/2021
upvoted 3 times

Correct, VM and NIC are in the same location
upvoted 2 times

NOT in the same location.. sorry
upvoted 2 times
Question #7 Topic 4
Solution: You create NIC2 in RG2 and West US.
A. Yes
B. No
Correct Answer: A
Reference:
  jojorabbit2021 Highly Voted  7 months, 3 weeks ago

Answer is correct, it's trying to throw you off by bringing the resource group into equation which is in different region, however it is clearly
mentioned the new NIC is created in the same region as VM.
upvoted 25 times
  Gde360 7 months ago

Each NIC attached to a VM must exist in the same location and subscription as the VM. Each NIC must be connected to a VNet that
exists in the same Azure location and subscription as the NIC. You can change the subnet a VM is connected to after it's created, but
you cannot change the VNet.
Meaning that VM <--> VNET <---> NIC. All the three resources MUST be in the same location
https://docs.microsoft.com/en-us/azure/virtual-machines/network-
According to the description....

VM1 (West US) connects to VNET2 with NIC1 ===> VM1 --- VNET2 ---NIC1 all are in West US.
when creating NIC2 to be used for VM1, NIC2 needs to be same location as VM1, which is West US.
(RG1 or RG2 is not mandatory).
So, the answer is A. Yes.

upvoted 12 times
  wsscool Highly Voted  7 months, 2 weeks ago

in exam 7/3/2021
upvoted 6 times
  MaxToRo Most Recent  3 months ago

I think this screenshot was updated. The comment seems like that VNET 1 was in West US, but at this actual screenshot is VNET in a
different Location than VM and the NIC. So the answer should be "B: no".
"...Each NIC attached to a VM must exist in the same location and subscription as the VM. Each NIC must be connected to a VNet that
exists in the same Azure location and subscription as the NIC.."
Source:https://docs.microsoft.com/en-us/azure/virtual-network/network-
upvoted 4 times

So is it correct to say that as long as the resources (VM, VNET, and NIC) are in the same, the location or region of the resource group
doesn't matter.
upvoted 1 times
  vimi003 3 months, 4 weeks ago

so here, we have to assume that RG1 has already created in WEST US .In that case answer is yes .....Lol
upvoted 1 times

Took the exam today on 17 Oct. This question came out. Ans: Must be in the same region, doesn't matter if different resource group
upvoted 2 times

upvoted 2 times

where is VNET2 located?
upvoted 1 times

you connect it to."
upvoted 2 times

A network interface (NIC) is the interconnection between a VM and a virtual network (VNet). A VM must have at least one NIC, but can
have more than one, depending on the size of the VM you create. Learn about how many NICs each VM size supports for Windows or
Linux.
You can create a VM with multiple NICs and add or remove NICs through the lifecycle of a VM. Multiple NICs allow a VM to connect to
different subnets and send or receive traffic over the most appropriate interface.
If the VM is added to an availability set, all VMs within the availability set must have one or multiple NICs. VMs with more than one NIC
aren’t required to have the same number of NICs, but they must all have at least two.
in the same Azure location and subscription as the NIC. You can change the subnet a VM is connected to after it's created, but you cannot
change the VNet. Each NIC attached to a VM is assigned a MAC address that doesn’t change until the VM is deleted.
https://social.msdn.microsoft.com/Forums/en-US/c4a1410c-ca52-4acb-bb1d-d1e0ed90c82a/understanding-azure-nic?
forum=WAVirtualMachinesVirtualNetwork
upvoted 2 times

Answer is correct. However, without checking the next set of questions it's hard to see why they even asked this one.
upvoted 1 times
  pbf4444 7 months, 3 weeks ago

NO
*Resource group - Select an existing resource group or create one. A network interface can exist in the same, or different resource group,
than the virtual machine you attach it to, or the virtual network you connect it to.
*Location - The virtual machine you attach a network interface to and the virtual network you connect it to must exist in the same location,
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface#create-a-network-interface
upvoted 2 times

"You create NIC2 in RG1 and West US.", the same location as the VM, whats your point? The RG location does not matter, its only
metadata.
upvoted 8 times
  Hyrydar 3 months, 3 weeks ago

but the vnet is in the east region, so...this should be no
upvoted 1 times

typo...the vnet1 is in the central region...shouldnt all the resources except of course the resource group be in the same region or
location?
upvoted 1 times
Question #8 Topic 4
You deploy an Azure Kubernetes Service (AKS) cluster named AKS1.
You need to deploy a YAML file to AKS1.
Solution: From Azure CLI, you run az aks.
A. Yes
B. No
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough

B (100%)

Correct Answer B - No
To deploy the YAML file you need to runs kubectl apply -f file_name.yaml
upvoted 19 times

upvoted 5 times

Are there such a thing as question with no good answer in the exam? Microsoft's instructors all say that we should answer ALL questions
and that there's no penalty for guessing... A question that has no good answer is basically a question that is skipped... So is it that
Microsoft instructors are all in the wrong or some of the questions around here are bit not quite what is in the exam?
upvoted 1 times

Selected Answer: B
upvoted 1 times

Took the exam today on 17 Oct. This question came out. Ans: kubectl
upvoted 4 times
  kunalv9768 4 months, 2 weeks ago

B-No is the correct answer.
Reason:To deploy the YAML file you need to runs kubectl apply -f file_name.yaml
Refrence: https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough
upvoted 2 times
Question #9 Topic 4
Solution: From Azure CLI, you run the kubectl client.
A. Yes
B. No
Correct Answer: A
Reference:
  walkwolf3 Highly Voted  3 months, 2 weeks ago

Answer is Yes.
To manage a Kubernetes cluster, use the Kubernetes command-line client, kubectl

then run "kubectl apply -f azure-vote.yaml"
upvoted 8 times

Answer: YES - To deploy a YAML file, the command is: kubectl apply -f example.yaml
upvoted 2 times

Yes
At client is run kubectl apply -f azure-vote.yaml
have kubectl
upvoted 2 times

upvoted 2 times

upvoted 3 times
  sand5234 4 months, 1 week ago

It should be No .
kubectl apply -f azure-vote.yaml
upvoted 2 times

upvoted 4 times

Reference:
upvoted 1 times

Correction:
Correct Answer A - Yes
upvoted 3 times
  oganepa 4 months ago

you're confused....A YES! B YES!
upvoted 2 times

Correct Answer B - Yes
upvoted 1 times
Solution: From Azure CLI, you run azcopy.
A. Yes
B. No
Correct Answer: B
Reference:

B (100%)

Answer: NO
To deploy a YAML file, the command is:

kubectl apply -f example.yaml
Src: https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough
upvoted 13 times

Selected Answer: B
Answer: NO

upvoted 1 times

upvoted 4 times

upvoted 4 times

upvoted 3 times

Reference:
upvoted 1 times

upvoted 1 times

Hahahahahahaha... this cracked me up bad! azcopy? you get this wrong you are in the wrong place :D
upvoted 2 times
  Khatun 7 months, 2 weeks ago

Thank you very much for efforts.
upvoted 2 times

upvoted 3 times

i think you are a bot
upvoted 6 times
Solution: You create an Azure storage account and configure shared access signatures (SASs). You install the Microsoft Monitoring Agent on
VM1. You create an alert in Azure Monitor and specify the storage account as the source.
A. Yes
B. No
Correct Answer: B
Instead: You create an Azure Log Analytics workspace and configure the data settings. You install the Microsoft Monitoring Agent on VM1. You
create an alert in
Reference:

B (100%)

Exam tomorrow. Really hope I pass. Pray for me y'all!
upvoted 17 times
  SK_2_SK 2 months, 2 weeks ago

Mine is tmr. Hope you passed and I pass
upvoted 3 times
  PioWi 2 months, 2 weeks ago

I also have tmr. you only count on those questions ot solmething else ?
upvoted 1 times
  ShariqAzeez 1 month, 2 weeks ago

Mine is tmr
upvoted 2 times
  ayasalah 4 months, 1 week ago

I hope that you passed
upvoted 3 times
  plove 4 months, 1 week ago

hi pakman i hope that you pass this exam and please tell us that howmuch questions comes feom here in exam.
upvoted 1 times

Hopefully you passed the exam. If not, Can you please advise how many questions came from this dump and do we have to purchase
contributor access?
upvoted 2 times
  breakerboyz09 Highly Voted  4 months, 3 weeks ago

Answer is correct.
You don't need SAS.

upvoted 8 times
  peymani Most Recent  1 week, 6 days ago

I think the correct answer is Yes
Log Analytics agent
Limitations of the Log Analytics agent include:
Cannot send data to Azure Monitor Metrics, Azure Storage, or Azure Event Hubs.
Difficult to configure unique monitoring definitions for individual agents.
Difficult to manage at scale since each virtual machine has a unique configuration.
upvoted 1 times
  peymani 1 week, 6 days ago

discard and ignore my explanation. I might be wrong.
upvoted 1 times
  Mwavy 2 months, 1 week ago

Siting for the exam on 14/12/2021. Pray for me y'all!
upvoted 3 times
  ITCOL2021 2 months ago

Your pass de exam?
upvoted 1 times
  SM22 3 months ago

Selected Answer: B
you create an Azure Log Analytics workspace and configure the data settings.
upvoted 4 times

Was in Exam 15/11/21
upvoted 3 times
  Zarzi 3 months, 1 week ago

Exam today at 6:30pm :( hope i pass
upvoted 1 times

Took the exam today on 17 Oct. This question came out. Ans: Yes
upvoted 2 times

no its not, admins please delete his comment!!
upvoted 2 times
  Philly_cheese_steak 3 months, 1 week ago

No idiot
upvoted 4 times
HOTSPOT -
You have an Azure subscription named Subscription1. Subscription1 contains the resources in the following table.
VNet1 is in RG1. VNet2 is in RG2. There is no connectivity between VNet1 and VNet2.
An administrator named Admin1 creates an Azure virtual machine named VM1 in RG1. VM1 uses a disk named Disk1 and connects to VNet1.
Admin1 then installs a custom application in VM1.
You need to move the custom application to VNet2. The solution must minimize administrative effort.
Which two actions should you perform? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
We cannot just move a virtual machine between networks. What we need to do is identify the disk used by the VM, delete the VM itself while
retaining the disk, and recreate the VM in the target virtual network and then attach the original disk to it.
Reference:
https://blogs.technet.microsoft.com/canitpro/2014/06/16/step-by-step-move-a-vm-to-a-different-vnet-on-azure/
https://4sysops.com/archives/move-an-azure-vm-to-another-virtual-network-vnet/#migrate-an-azure-vm-between-vnets

Correct , not possible to migrate from vnet to another vnet. Must delete VM while keeping the disk. then create a new vm using the saved
virtual hard disk
upvoted 71 times
  tom999 11 months, 2 weeks ago

True. "You can change the subnet a VM is connected to after it's created, but you cannot change the VNet."
(https://docs.microsoft.com/en-us/azure/virtual-machines/network-overview)
upvoted 13 times

Correct Answer:
We cannot just move a virtual machine between networks. What we need to do is identify the disk used by the VM, delete the VM itself
while retaining the disk, and recreate the VM in the target virtual network and then attach the original disk to it.
Note: You can change the Subnet a VM is connected to after it's created, but you cannot change the VNet.
Reference:
https://blogs.technet.microsoft.com/canitpro/2014/06/16/step-by-step-move-a-vm-to-a-different-vnet-on-azure/
https://4sysops.com/archives/move-an-azure-vm-to-another-virtual-network-vnet/#migrate-an-azure-vm-between-vnets
https://docs.microsoft.com/en-us/azure/virtual-machines/network-overview
upvoted 41 times

how is that the least effort option lol i know the answer is correct but come on.
upvoted 2 times
  Vladobate 2 days, 2 hours ago

I'm also curios to know... and what will happened with this custom app...
upvoted 1 times

I wish they would've specified retaining the data disk along with "Delete the virtual machine". I didn't select the "delete VM" option
because I thought it was implied that option was also deleting the data disk.
upvoted 2 times

What we need to do is identify the disk used by the VM, delete the VM itself while retaining the disk, and recreate the VM in the target
virtual network and attach the original disk to it.
https://docs.microsoft.com/en-us/archive/blogs/canitpro/step-by-step-move-a-vm-to-a-different-vnet-on-azure
upvoted 1 times

in the same Azure location and subscription as the NIC. You can change the subnet a VM is connected to after it's created. You can't
change the virtual network. Each NIC attached to a VM is assigned a MAC address that doesn't change until the VM is deleted.
upvoted 1 times

If you create a VM and later want to migrate it into a virtual network, it isn't a simple configuration change. Redeploy the VM into the
virtual network. The easiest way to redeploy is to delete the VM, but not any disks attached to it, and then re-create the VM using the
original disks in the virtual network.
Answer is correct
upvoted 1 times

We can't just move a VM between VNETs. What we need to do is identify the disk used by the VM, delete the VM itself while retaining the
disk, and recreate the VM in the target virtual network and then attach the original disk to it.
upvoted 1 times

upvoted 2 times

In Exam 21/08/2021, thanks to Mlantonis & Fedztedz
upvoted 2 times
I haven't come across this situation before. So thank you.
But the truth is, whether it's a custom app or not, think of it like you would on any application on your PC. How would you move MS Word
from your PC to your laptop? The answer, you can't, not without a great deal of hacking anyway. You keep the data and reinstall MS Word
on your new device using App image. Copy or attach that data to your new device.
I imagine that here the sole purpose of this VM is that Application; otherwise, deleting the VM would bit of an overkill. So this answer for
me is a little unsatistactory.
upvoted 2 times
  robertohyena 2 months ago

Ur analogy is terrible. Dont you ever use onedrive or any cloud drive. It’s so easy to do nowadays.
upvoted 1 times

*unsatisfactory
upvoted 1 times

upvoted 1 times

Answer is correct.
You can change the subnet a VM is connected to after it's created, but you cannot change the VNet. "Each NIC attached to a VM is
assigned a MAC address that doesn't change until the VM is deleted."
Ref - https://docs.microsoft.com/en-us/azure/virtual-machines/network-overview
upvoted 1 times

Delete + create
upvoted 3 times
  ms70743 11 months ago

both answer correct
1. delete the VM itself while retaining the disk,
2. recreate the VM and then attach the disk to it.
upvoted 2 times

Answer is correct. Delete the vm, keep the attached disk, create new vm in vnet2 attaché the disk
upvoted 2 times

Given answer is correct!
upvoted 3 times

Both answers are correct. You keep the VM disk and re-create a new VM in the new RG with target Vnet
upvoted 2 times
You download an Azure Resource Manager template based on an existing virtual machine. The template will be used to deploy 100 virtual
machines.
You need to modify the template to reference an administrative password. You must prevent the password from being stored in plain text.
What should you create to store the password?
A. an Azure Key Vault and an access policy
B. an Azure Storage account and an access policy
C. a Recovery Services vault and a backup policy
D. Azure Active Directory (AD) Identity Protection and an Azure policy
Correct Answer: A
You can use a template that allows you to deploy a simple Windows VM by retrieving the password that is stored in a Key Vault. Therefore, the
password is never put in plain text in the template parameter file.
Reference:
https://azure.microsoft.com/en-us/resources/templates/101-vm-secure-password/

A (100%)

Correct. Answer is A using Azure Vault
upvoted 62 times

"adminPassword": {
"reference": {
"keyVault": {
"id": "GEN-KEYVAULT-RESOURCE-ID"
},
"secretName": "GEN-KEYVAULT-PASSWORD-SECRET-NAME"
}
}
upvoted 34 times

Selected Answer: A
Correct. Answer is A using Azure Vault
upvoted 1 times

Correct Answer - A.Azure Key Vault
upvoted 1 times

On exam 01.02.22
Answer: A
upvoted 2 times
  azzouz 1 month, 3 weeks ago

The access policy is a keyvault access policy:
Enable Key Vault for VM and Template secret access

After this you'll need to enable the Key Vault for template deployment.
You can do this using the following commands:
PS > Set-AzKeyVaultAccessPolicy -VaultName Contoso -EnabledForTemplateDeployment
CLI # az keyvault update --name Contoso --enabled-for-template-deployment true
Source: https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.compute/vm-secure-password
upvoted 2 times
  enslow 3 months ago

This question appeared, correct Answer
upvoted 1 times

upvoted 3 times

upvoted 1 times

Passed today with 947. This question appeared, correct Answer
upvoted 3 times

everytime I jump to comment section, in the back of my mind...let us see what the experts have to say about this..lol
upvoted 4 times

upvoted 2 times

Easy :)
upvoted 1 times
  atrax 6 months, 1 week ago

Correct. In exam August 2021
upvoted 5 times

in exam 7/3/2021
upvoted 3 times

Was there any Labs
upvoted 1 times

upvoted 5 times

A is correct!
upvoted 1 times
HOTSPOT -
You have the App Service plans shown in the following table.
You plan to create the Azure web apps shown in the following table.
You need to identify which App Service plans can be used for the web apps.
What should you identify? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: ASP1 ASP3 -

Asp1, ASP3: ASP.NET Core apps can be hosted both on Windows or Linux.
Not ASP2: The region in which your app runs is the region of the App Service plan it's in.
Box 2: ASP1 -
ASP.NET apps can be hosted on Windows only.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/quickstart-dotnetcore?pivots=platform-linux https://docs.microsoft.com/en-
us/azure/app-service/app-service-plan-manage#

Answer Correct. Web App can only created and identified in App Service plan in same region and resource group.
For ASP.NET, it only can be created with Windows App Service Plan
upvoted 69 times

Correct Answer:
Box 1: ASP1 and ASP3 only

ASP.NET Core apps can be hosted both on Windows or Linux.
The region in which your app runs is the region of the App Service Plan is in.
ASP2 is in Central US, not the same as WebApp1. Different locations.
Box 2: ASP1 only

ASP.NET apps can be hosted on Windows only. Only ASP1 is in the same Location as the WebApp2 (West US).
Reference:
https://docs.microsoft.com/en-us/azure/app-service/quickstart-dotnetcore?pivots=platform-linux
upvoted 48 times
  ABhi101 Most Recent  1 month, 1 week ago

Given answer is reverse,correct one should be like >>
Webapp1 - ASP1 and ASP3 only and Webapp2 - ASP1 only
upvoted 2 times

Ok, this was confusing so i checked in lab just now. ASP.Net app service can be hosted only on a Windows platform. Linux Option gets
grayed out. .NETCore however has the option to pick both Linux or Windows based OS. So the answer i can confrm is 100% correct. go for
it.
upvoted 4 times

On exam 01.02.22
upvoted 2 times
  fatihaxi 1 month, 2 weeks ago

Correct Answer. here is details of .net.core and .net.4.x specs
https://docs.microsoft.com/en-us/aspnet/core/fundamentals/choose-aspnet-framework?view=aspnetcore-6.0
upvoted 1 times
  ARULRAJ 2 months, 3 weeks ago

upvoted 1 times
  KhaledMaster 3 months, 1 week ago

OMG I'm loosing my mind when I read your comments....
ASP.NET is cross-palteform supported by both OSs, then the answer is wrong WenApp1 is not ASP,Net it is .NET which is supported on
Widnows only.
So the answer is mixed up, it should be WebApp1 -> ASP1 only and WebApp2 is ASP1 & ASP3.... !!!!
upvoted 2 times

upvoted 2 times

upvoted 5 times

Answer is correct
upvoted 2 times

ASP .NET is Windows Only
https://docs.microsoft.com/en-us/dotnet/framework/get-started/system-requirements
upvoted 2 times
  raph90fr 7 months, 1 week ago

well... the question is more about basic .NET knowledge that Azure skills. Answer correct. Justification can be found here:
https://docs.microsoft.com/en-us/aspnet/core/fundamentals/choose-aspnet-framework?view=aspnetcore-5.0
upvoted 1 times

upvoted 3 times

4+1 is correct!
upvoted 2 times

Answer correct
upvoted 1 times
  Bckz 10 months ago

4.18.21 exam*
upvoted 3 times
  KTrout 10 months ago

Did you pass? What answer did you pick?
upvoted 1 times

I often wonder why someone would come back if they did pass...
upvoted 14 times

sure am also surprised as well
upvoted 1 times
HOTSPOT -
You create a virtual machine scale set named Scale1. Scale1 is configured as shown in the following exhibit.
Hot Area:
Correct Answer:
Box 1: 6 virtual machines -

The Autoscale scale out rule increases the number of VMs by 2 if the CPU threshold is 80% or higher. The initial instance count is 4 and rises to
6 when the 2 extra instances of VMs are added.
Box 2: 2 virtual machnes -

The Autoscale scale in rule decreases the number of VMs by 4 if the CPU threshold is 30% or lower. The initial instance count is 4 and thus
cannot be reduced to
0 as the minimum instances is set to 2. Instances are only added when the CPU threshold reaches 80%.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-overview https://docs.microsoft.com/en-us/azure/azure-
monitor/platform/autoscale-best-practices https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-common-scale-patterns
  sjccde Highly Voted  1 year, 2 months ago

Scale-out to 6 is correct.
Scale-in to 2 is also correct:
Starting with 4VMs.

Usage (25%) is below threshold, so scale-in happens to the min. of 2 machines.
(Calculate: If 4 VMs have 25%, then 2 VMs will have 50%; this does not trigger the Scale-out, so scale in will be done!)
Then for the next time it stays at 50%, so no changes are made an the set still consists 2 VMs
upvoted 78 times

correct answer and justification.
upvoted 9 times

Correct Answer:
Box 1: 6 virtual machines

The Autoscale scale out rule increases the number of VMs by 2 if the CPU threshold is 80% or higher. The initial instance count is 4 and
rises to 6 when the 2 extra instances of VMs are added.
Box 2: 2 virtual machnes

The Autoscale scale in rule decreases the number of VMs by 4 if the CPU threshold is 30% or lower. The initial instance count is 4 and thus
cannot be reduced to 0 as the minimum instances is set to 2. Instances are only added when the CPU threshold reaches 80%.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-overview
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-best-practices
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-common-scale-patterns
upvoted 62 times
  matdin 3 weeks, 1 day ago

Clear explanation
upvoted 1 times

Powerful and very clear explanation
upvoted 2 times
  McRowdy 8 months, 1 week ago

Clearest explanation so far.
upvoted 4 times
  ohana Most Recent  4 months ago

Took the exam today on 17 Oct. This question came out. Ans: 6, 2
upvoted 3 times

upvoted 2 times
  AubinBakana 4 months, 3 weeks ago

Correct.
When the VMSS kicks in at 25 it will be running at minimum capacity, which is 2.

upvoted 1 times

Scale-out to 6 is correct.
Scale-in to 2 is also correct:

upvoted 1 times
  Olaf187 5 months, 3 weeks ago

one of the questions, that everyone who passed school should get :'D
upvoted 2 times

upvoted 2 times

And is correct.
It scales up above 80% and then, add 2 machines to the existing 4
Deallocate all the machines at 25%performance if performance if it lasts 6 minutes. Then add 2 machines when the demand increases to
50%.
My only worry is: if all the machines are shut down, isn't that a way to ensure that you can't cope? if no machine is running, how then are
you going to 50% performance. I would leave to at least 1 VM
upvoted 1 times

Correction.
When the VMSS kicks in at 25 it will be running at minimum capacity, which is 2.
upvoted 1 times
  Olaf187 6 months, 3 weeks ago

simple math
6
2
upvoted 2 times

in exam 7/3/2021
upvoted 4 times

came in exam on June 28 2021, with different figures
upvoted 3 times

nice, ms check our calc abilities)
upvoted 1 times

1. 6
2. 2
upvoted 1 times
  xayay74894 9 months ago

it's 4 and 4, you are missing cool down, which by default, and as it's not mentioned, it's running with default values is 10 minutes, which
means, no actions (in-out) are taken before 10 min from deployment or last scale in-out action taken.
upvoted 3 times

Cool down time is 1 minute by default.
upvoted 3 times
  mdyck 10 months, 1 week ago

Starting with 4VMs. If usage is above 80% for more than 5 minutes it scales out in an increment of 2, result 6. Starting with 4VMs. If usage
is below 30% for more than 5 minutes it scales in at an increment of 2, result 2.
upvoted 1 times

6 and 2
upvoted 2 times
  hwathan 11 months, 2 weeks ago

Answer is 4 and 4. Auto Scale are based on a 10 minute count
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-autoscale-portal
upvoted 3 times
  airfrog 11 months ago

10 minutes is the duration that article happens to use an an example. It is not a minimum duration.
upvoted 5 times
You plan to automate the deployment of a virtual machine scale set that uses the Windows Server 2016 Datacenter image.
You need to ensure that when the scale set virtual machines are provisioned, they have web server components installed.
A. Upload a configuration script
B. Create an automation account
C. Create an Azure policy
D. Modify the extensionProfile section of the Azure Resource Manager template
E. Create a new virtual machine scale set in the Azure portal
Correct Answer: DE
Virtual Machine Scale Sets can be used with the Azure Desired State Configuration (DSC) extension handler. Virtual machine scale sets provide
a way to deploy and manage large numbers of virtual machines, and can elastically scale in and out in response to load. DSC is used to
configure the VMs as they come online so they are running the production software.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-dsc

AD (88%) 13%

Correct Answer: A and D
The Custom Script Extension downloads and executes scripts on Azure VMs. This extension is useful for post deployment configuration,
software installation, or any other configuration / management task. Scripts can be downloaded from Azure storage or GitHub, or
provided to the Azure portal at extension run-time.
The Custom Script extension integrates with Azure Resource Manager templates, and can also be used with the Azure CLI, Azure
PowerShell, Azure portal, or the REST API
The following Custom Script Extension definition downloads a sample script from GitHub, installs the required packages, then writes the
VM instance hostname to a basic HTML page.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/tutorial-install-apps-template
upvoted 57 times
  SilverFox22 5 months ago

For the first time, I disagree with @mlantonis answer, but not the explanation. The reference link is spot on, and it has you 1. Create
Custom Script Extension definition, which is editing the extensionProfile section So, D. Then 2. you create the Scale Set. That is E. So
answer is D and E.
upvoted 2 times

Using the page reference, the page states the following order:
Create/configure Custom Script extension
Add the script (in this case upload)
Create the scaleset
upvoted 1 times

So A and D is correct
upvoted 1 times

As per question : "You plan to automate the deployment of a virtual machine scale".... so cannot be E and you require configuration
script for post deployment installation of web server components...
upvoted 3 times

I know this is 3 months ago & I gather you must have figured out this is not the correct answer.
You're talking about a custom script extension, NOT a configuration. And you have to actually create the VMSS - your choice misses that
part completely. This option appears to be false
upvoted 2 times
  boom666 4 months, 2 weeks ago

Actually I can't see "you have to to actually create the VMSS" in the question. I see "you plan to automate the deployment of the
VMSS" and "you have to ensure..." So if we plan to automate the deployment we need to upload a configuration script and update
Resource Manager Template. Then we can deploy the VMSS using those things today, tomorrow or someday else.
upvoted 3 times
  MisterNobody Highly Voted  1 year, 4 months ago

A and D?
upvoted 53 times
  marcellov 9 months, 2 weeks ago

Yes, because of the word "automate" you can't use the portal. So A and D should be the right answer.
upvoted 14 times
  juandsanchez666 1 year, 3 months ago

Agree, the correct answer are A and D.
upvoted 9 times
  somenick 1 year, 4 months ago

Agree. Here is the step by step guide how to do that: https://adamtheautomator.com/azure-dsc-arm-template/
upvoted 10 times
  Dady9 1 year, 4 months ago

yes, AD works better here
upvoted 9 times
  9InchPianist Most Recent  4 days, 23 hours ago

Selected Answer: DE
Putting yourself into the mindset of 'what are MS asking you to prove you understand' I believe the answer is correct as the two steps in
the Tutorial are 'Create Custome Script Extension Definition' (Answer D) and 'Create a scale set' (Answer E).
upvoted 1 times
  awssecuritynewbie 1 week, 4 days ago

It states you need to deploy VMMS so therefore you need to create the VMMS and then create and upload the configuration profile.
upvoted 1 times
  awssecuritynewbie 2 days, 18 hours ago

no it says " You need to ensure that when the scale set virtual machines are provisioned" you need to ENSURE THAT WHEN!! NOT YOU
NEED TO CREATE BUT "WHEN"
upvoted 1 times

Yes it's A & D. As mentionned in the comments. It's about PLANNING not actually creating the VMSS : So E can't be right. The question is
just asking us HOW to BE READY when we will provision a VMSS. So we need to use the custom script extension and a repo for our script.
SO A & D.
upvoted 1 times

The process to automate the deployment of VMSS with Web-Server components installed like (IIS):
1. Create a VMSS in Azure portal. (if it is already created go to 2)
2. From VMSS Extensions - Add an extension / Custom Script Extension (Install)
3. Upload the file (configuration script)
upvoted 1 times

Selected Answer: AD
https://docs.microsoft.com/en-
us/dotnet/api/microsoft.azure.management.compute.models.virtualmachinescalesetvmprofile.extensionprofile?view=azure-dotnet
upvoted 1 times
  marco_aimi 1 month, 3 weeks ago

https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/quick-create-template-windows
you can set scale by ARM.
so
A- D
Don't need to create on az, already exist in arm
upvoted 1 times
  Pupu2196 2 months ago

Can someone tell whether it is A,D or D,E ?
upvoted 2 times
  Fulforce 2 months ago

Selected Answer: AD
I believe the answer will be A and D. The questions asks us "when the scale set virtual machines are provisioned". This would suggest the
the scale set is already created.
Therefore to enable the automation of provisioning and installing features, you would upload a configuration script. Then you would add
an custom script extension to run that script.
upvoted 3 times
  hmzansari 2 months, 3 weeks ago

Selected Answer: AD
Correct Answer: A and D
upvoted 3 times
  plove 4 months, 1 week ago

hi, please tell me anyone if i purchase Contributor Access then howmany exam i can access?
upvoted 1 times
  balakadyan 3 months ago

which website do you prefer for all in one access to all exam?
like CCNA, CEH, Azure etc.
upvoted 1 times
  dodeen 3 months, 1 week ago

you will access the exam topic which you purchased only , not every exam
upvoted 2 times
  Ad2yy 4 months, 1 week ago

only 1 (the one you have purchased).
upvoted 2 times
  TheUltimateHac 4 months ago

thanks for the answer bro, i was planning on getting the contributor access as well.
upvoted 2 times

upvoted 5 times

The answer has to be correct. I am not entirely sure how you modify the extensionProfile or what they mean by it, but what I know for
certain is that to add a custom extension to your file you do need to add an extension script at VMSS creation. This I believe is what
modifies the extensionProfile.
You create the machine and you add an extension script. Not a configuration script.
D & E make more sense & the other options aren't very convincing to me.
The answer got to be E, D as revealed.
Need to look into this a little more.

upvoted 2 times

E create a NEW vmss, why need an extra one since the question is already given there's VMSS exists. E does not make sense.
upvoted 1 times

It does not say that the VMSS is created unfortunately. The question is a little unclear I must admit. I'm still trying to figure out what
the answer is, even though I know perfectly what steps to take to actually do the job.
upvoted 1 times
  hercu 7 months, 1 week ago

I would say that the aswer is correct:
E. Create a new virtual machine scale set in the Azure portal
When you deploy a scale set, VM extensions can provide post-deployment configuration and automation tasks, such as installing an app.
Scripts can be downloaded from Azure storage or GitHub, or provided to the Azure portal at extension run-time. To apply an extension to
your scale set, you add the extensionProfile section to the ARM template.
Note: Configuration script alone is useless without the ARM template. Thus, you need to create the virtual machine scale set in Azure
which provides you with the ARM template. You can then modify its extensionProfile section to add custom adds/features via reference to
scripts (i.e. Powershell code in GitHub to install some features).
Reference: https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/quick-create-template-windows
upvoted 4 times
A and D are correct

Verified with other exam sources
upvoted 2 times

APOLOGIES TYPO - D & E are correct
Verified with other exam sources
upvoted 4 times

Could you mention which ones?
upvoted 1 times
  onincasimiro 7 months, 3 weeks ago

Answer:
A. Upload a configuration script
upvoted 1 times
- Expert Verified, Online, Free.
 Custom View Settings
HOTSPOT -
You have an Azure Kubernetes Service (AKS) cluster named AKS1 and a computer named Computer1 that runs Windows 10. Computer1 that has
the Azure CLI installed.
You need to install the kubectl client on Computer1.
Which command should you run? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
To install kubectl locally, use the az aks install-cli command: az aks install-cli
Reference:

Correct Answer:
To install kubectl locally, use the az aks install-cli command.
Note: Azure cli commands start with az. We use Install-Module to install a Powershell module.
Reference:
https://docs.microsoft.com/en-us/cli/azure/reference-index?view=azure-cli-latest
upvoted 44 times

Answer correct
upvoted 23 times

upvoted 2 times

Correct answer: az aks install-cli
upvoted 4 times

Was in Exam 15/11/21
upvoted 2 times

az aks install-cli
upvoted 2 times

Took the exam today on 17 Oct. This question came out. Ans: az ask
upvoted 1 times

For some reason, it took me a while to notice they did say CLI, not Command prompt or Powershell :)
upvoted 1 times

Thank you.
upvoted 1 times

upvoted 3 times

upvoted 6 times
  ranajoy97 7 months, 3 weeks ago

az aks install-cli
https://docs.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az_aks_install_cli
upvoted 2 times

az + aks
upvoted 3 times

this is using cli to install and as far as i know all cli commands in azure starts with az
https://docs.microsoft.com/en-us/cli/azure/reference-index?view=azure-cli-latest
upvoted 1 times

AZ AKS INSTLL-CLI
upvoted 2 times

answer is correct
az aks install-cli
upvoted 2 times

Answer Correct
az aks install-cli
upvoted 2 times
DRAG DROP -
You onboard 10 Azure virtual machines to Azure Automation State Configuration.
You need to use Azure Automation State Configuration to manage the ongoing consistency of the virtual machine configurations.
NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.
Select and Place:
Correct Answer:
Step 1: Upload a configuration to Azure Automation State Configuration.

Import the configuration into the Automation account.
Step 2: Compile a configuration into a node configuration.
A DSC configuration defining that state must be compiled into one or more node configurations (MOF document), and placed on the Automation
DSC Pull Server.
Step 3: Assign the node configuration
Then: Check the compliance status of the node
Each time Azure Automation State Configuration performs a consistency check on a managed node, the node sends a status report back to the
pull server. You can view these reports on the page for that node.
On the blade for an individual report, you can see the following status information for the corresponding consistency check:
The report status ‫ג‬€" whether the node is "Compliant", the configuration "Failed", or the node is "Not Compliant"
Reference:
https://docs.microsoft.com/en-us/azure/automation/automation-dsc-getting-started

Not correct. The right order is:
1. Upload a configuration to Azure Automation State Configuration
2. Compile a configuration into a node configuration
3. Check the compliance status of the node.
upvoted 140 times
  cloudasdfghjkl Highly Voted  1 year, 2 months ago

Correct answer:
Step 2: Compiling a configuration into a node configuration

Step 3: Onboard the virtual machines to Azure State Configuration
Step 4: Assign the node configuration.
Step 5: Check the compliance status of the node.
See Question #19 Topic 3: https://www.examtopics.com/exams/microsoft/az-400/view/13/

upvoted 46 times

Except the question says "You onboard 10 Azure virtual machines to Azure Automation State Configuration." So step 3 is already done.
upvoted 1 times
  vikki 1 year ago

Thank you for the pithy comment.
upvoted 3 times
  deadhead82 Most Recent  1 month, 2 weeks ago

Admin , please change the answer screenshot. The explanation provided however is accurate. tags make no sense.
upvoted 2 times
  Jonangar 1 month, 2 weeks ago

https://docs.microsoft.com/en-us/azure/automation/tutorial-configure-servers-desired-state
Azure Automation State Configuration allows you to specify configurations for your servers and ensure that those servers are in the
specified state over time.
Onboard a VM to be managed by Azure Automation DSC

Upload a configuration to Azure Automation
Compile a configuration into a node configuration
Assign a node configuration to a managed node
Check the compliance status of a managed node
upvoted 2 times

1: Upload a configuration to Azure Automation State Configuration.
2: Compile a configuration into a node configuration.
3: Check the compliance status of the node.
upvoted 2 times

Correct Answer:
1: Upload a configuration to Azure Automation State Configuration

2: Compile a configuration into a node configuration
Step 1: Create and upload a configuration to Azure Automation

Step 2: Compile a configuration into a node configuration
Step 3: Register a VM to be managed by State Configuration
Step 4: Specify configuration mode settings
Step 5: Assign a node configuration to a managed node
Step 6: Check the compliance status of a managed node
upvoted 2 times
  wacky 4 months, 1 week ago

Just curious, what if you got all the right answer in the wrong order? how was the pointing system for that?
upvoted 4 times

Step 2: Compiling a configuration into a node configuration
Step 3: Onboard the virtual machines to Azure State Configuration
Step 4: Assign the node configuration.
Step 5: Check the compliance status of the node.
upvoted 2 times

"onboard the virtual machines to azure state configuration" should be the first step according to https://docs.microsoft.com/en-
us/azure/automation/tutorial-configure-servers-desired-state
Step 1: Onboard a VM to be managed by Azure Automation DSC
Step 2: Upload a configuration to Azure Automation
upvoted 4 times

upvoted 4 times

Tags? really? common, is this to mislead people or something? Yes we need to apply tags to every resource but for this question, I don't
see why tags will precede any of the Automation operations. It seems to me like this question is about Automation Account!
The revealed answer is not correct. Most people in the comment section have the correct answer.
upvoted 1 times

please correct the wrong answer :
upvoted 1 times
  jecawi9630 7 months, 3 weeks ago

Is this even a topic covered in AZ-104?
upvoted 8 times

Yes! Azure Automation, DSC is absolutely covered
upvoted 1 times

1. Upload a configuration to Azure Automation State Configuration
2. Compile a configuration into a node configuration
3. Check the compliance status of the node.
upvoted 4 times
  Raj_Rock 8 months, 1 week ago

Azure Automation State Configuration allows you to specify configurations for your servers and ensure that those servers are in the
specified state over time.
Onboard a VM to be managed by Azure Automation DSC

Check the compliance status of a managed node
upvoted 2 times
  ravindu123123 8 months, 4 weeks ago

is this question under the syllabus. I m sure this is another question which is out of the scope of AZ104
upvoted 2 times

Correct Answer:
1: Upload a configuration to Azure Automation State Configuration

2: Compile a configuration into a node configuration
Step 1: Create and upload a configuration to Azure Automation

Step 3: Register a VM to be managed by State Configuration
Step 4: Specify configuration mode settings
Reference:
https://docs.microsoft.com/en-us/azure/automation/automation-dsc-getting-started
upvoted 39 times
  nfett 9 months, 1 week ago

https://docs.microsoft.com/en-us/azure/automation/tutorial-configure-servers-desired-state has the right answer.
upvoted 1 times
You have an Azure Resource Manager template named Template1 that is used to deploy an Azure virtual machine.
Template1 contains the following text:
The variables section in Template1 contains the following text:

"location": "westeurope"
The resources section in Template1 contains the following text:
You need to deploy the virtual machine to the West US location by using Template1.
What should you do?
A. Modify the location in the resources section to westus
B. Select West US during the deployment
C. Modify the location in the variables section to westus
Correct Answer: A

Correct Answer A: You can change the location in resources. Parameters used to define the value of some variables to be able to use in
different places in the template resources.
Resources are used only for complicated expressions. In any case, RM will only deploy from resources. In case the value is not mentioned
directly, then it will check parameters if it is specified in the resources.
Based on this question, the value of location is defined directly in resources. so you change the resources location value
upvoted 59 times

Correct Answer: A
You can change the location in resources. Parameters used to define the value of some variables to be able to use in different places in the
template resources. Resources are used only for complicated expressions. In any case, RM will only deploy from resources. In case the
value is not mentioned directly, then it will check parameters if it is specified in the resources. Based on this question, the value of location
is defined directly in resources. so you change the resources location value.
Use location parameter. To allow flexibility when deploying your template, use a parameter to specify the location for resources. Set the
default value of the parameter to resourceGroup().location.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/resource-location?tabs=azure-powershell
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-syntax#resources
upvoted 31 times
  adrian_borowski Most Recent  2 months ago

Is the answer A still valid in Dec 2021? I test this and even if I hardcode the location of the VM in the resources group I'm still being forced
in Azure portal to choose the location during deployment of an ARM template with hardcoded locations.
upvoted 1 times

There's no reason why it would be different as long as PARAMETERS (which is implied in the question), VARIABLES & RESOURCES
sections still exist in the ARM template.
PARAMETERS : that section defines which value(s)/option(s) are available / can be input
VARIABLES : that section defines the values used throughout the template (wherever a variable is referred in the template, its
associated value will come from this section)
RESOURCES : that section defines what actual values (resources) that will be deployed
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/syntax#template-format
upvoted 1 times

In exam today 11-DEC-2021
Ans: A. Modify the location in the resources section to westus
upvoted 2 times

Took the exam today on 17 Oct. This question came out. Ans: A
upvoted 3 times

upvoted 4 times

upvoted 4 times

Correct answer. Reads like a book.
upvoted 1 times
  s_aoi 7 months, 2 weeks ago

i mean you can change it to B during deployment what kind of question is this?
upvoted 1 times

you can change it to west us during deployment so B should also be a valid answer???
upvoted 1 times

I believe that the point is that although you have a variable for the location w/ few options, in the template the "location" is hard
coded, it is not using that variable.
upvoted 4 times

in exam 7/3/2021
upvoted 3 times

upvoted 4 times

Why would you ask this question :)
upvoted 1 times

A is correct!
upvoted 1 times
  tera_baap 9 months ago

Everyone is saying A but we can change it during deployment as well.
upvoted 4 times

indeed we can, particularly deploying by az cli or az posh with parameters
upvoted 1 times

it's C, if you have an ARM template and you have also the variable section where you define which values has, this define what it will used
at deployment time, so the change must be done at the variable section
upvoted 2 times
  Lkk51 8 months, 3 weeks ago

At the resource section, location is hardcoed to Westeurope. I guess the only option is to change it there. otherwise it won't work
upvoted 3 times

A is correct answer
upvoted 1 times

A - Modify the location in resource section to westus
upvoted 3 times
You create an App Service plan named Plan1 and an Azure web app named webapp1.
You discover that the option to create a staging slot is unavailable.
You need to create a staging slot for Plan1.
A. From Plan1, scale up the App Service plan
B. From webapp1, modify the Application settings
C. From webapp1, add a custom domain
D. From Plan1, scale out the App Service plan
Correct Answer: A
The app must be running in the Standard, Premium, or Isolated tier in order for you to enable multiple deployment slots.
If the app isn't already in the Standard, Premium, or Isolated tier, you receive a message that indicates the supported tiers for enabling staged
publishing. At this point, you have the option to select Upgrade and go to the Scale tab of your app before continuing.
Scale up: Get more CPU, memory, disk space, and extra features like dedicated virtual machines (VMs), custom domains and certificates,
staging slots, autoscaling, and more.
Incorrect:
Scale out: Increase the number of VM instances that run your app. You can scale out to as many as 30 instances
Reference:
https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots https://docs.microsoft.com/en-us/azure/app-service/manage-scale-
up

Correct Answer: A
The app must be running in the Standard, Premium, or Isolated tier in order for you to enable multiple deployment slots. If the app isn't
already in the Standard, Premium, or Isolated tier, you receive a message that indicates the supported tiers for enabling staged
publishing. At this point, you have the option to select Upgrade and go to the Scale tab of your app before continuing.
Scale up: Get more CPU, memory, disk space, and extra features like dedicated virtual machines (VMs), custom domains and certificates,
staging slots, autoscaling, and more.
Scale out: Increase the number of VM instances that run your app. You can scale out to as many as 30 instances
Reference:
https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots
https://docs.microsoft.com/en-us/azure/app-service/manage-scale-up
upvoted 57 times
  DA0410 Highly Voted  1 year, 4 months ago

correct . For more read https://docs.microsoft.com/en-us/azure/app-service/manage-scale-up
upvoted 19 times

Yes A, and this is a better link: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-
service-limits#app-service-limits
upvoted 4 times
  EleChie Most Recent  1 month ago

Changing your App Service plan (scale up)
Your App Service plan can be scaled up and down at any time. It is as simple as changing the pricing tier of the plan. You can choose a
lower pricing tier at first and scale up later when you need more App Service features.
For example, you can start testing your web app in a Free App Service plan and pay nothing. When you want to add your custom DNS
name to the web app, just scale your plan up to the Shared tier. Later, when you want to create an SSL binding, scale your plan up to Basic
tier. When you want to have staging environments, scale up to Standard tier. When you need more cores, memory, or storage, scale up to
a bigger VM size in the same tier.
The same works in the reverse. When you feel you no longer need the capabilities or features of a higher tier, you can scale down to a
lower tier, which saves you money.
upvoted 1 times
  EleChie 1 month ago
Scale up. Get more CPU, memory, disk space, and extra features like dedicated virtual machines (VMs), custom domains and
certificates, staging slots, autoscaling, and more. You scale up by changing the pricing tier of the App Service plan that your app
belongs to.
Scale out: Increase the number of VM instances that run your app. You can scale out to as many as 30 instances, depending on your
pricing tier. App Service Environments in Isolated tier further increases your scale-out count to 100 instances. The scale instance count
can be configured manually or automatically (autoscale). Autoscale is based on predefined rules and schedules.
upvoted 1 times

They don't cover this section much in Az 104 Module for Apps. I struggled to understand this particular section. Still do but it's a little
clearer now that I've had to look it up. Answer is correct
upvoted 1 times

upvoted 3 times
  kkranthi 7 months, 2 weeks ago

whats the percentage of questions from the list appeared in your exam?
upvoted 1 times

A is correct!
upvoted 1 times

A is correct answer .
Scale up your pricing tier
upvoted 1 times

answer is correct according to https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots
upvoted 1 times

A is correct
from plan 1 scale up the service plan
upvoted 3 times

A is correct
You can create slots with Standard, Premium or isolated plans tier. However, with Free tier, you can't create other slots.
upvoted 5 times

Answer A. is correct. Scale-up the Service Plan to get the Staging Slots available. They should use UPGRADE the Service Plan but not Scale-
Up the Service Plan anyway
upvoted 3 times

The app must be running in the Standard, Premium, or Isolated tier in order for you to enable multiple deployment slots.
upvoted 4 times

Scale up your pricing tier
Note
To scale up to PremiumV3 tier, see Configure PremiumV3 tier for App Service.
In your browser, open the Azure portal.
In your App Service app page, from the left menu, select Scale Up (App Service plan).
Choose your tier, and then select Apply. Select the different categories (for example, Production) and also See additional options to show
more tiers.
upvoted 4 times
  DodgyD 1 year, 1 month ago

Honestly this is so badly worded by MS. What the customer must in fact do is UPGRADE the service offering...scale up is is just
misnaming.....and misleading....but for the purposes of this, scale up is the answer....
upvoted 4 times

When you deploy your web app, web app on Linux, mobile back end, or API app to Azure App Service, you can use a separate deployment
slot instead of the default production slot when you're running in the Standard, Premium, or Isolated App Service plan tier.
upvoted 3 times

What is the difference between A and D? 'scale-out' vs 'scale-up'. Moving to a different plan would be considered as scale-out not scale-up.
upvoted 7 times
  solarwinds123 1 year, 1 month ago

See: https://docs.microsoft.com/en-us/azure/app-service/manage-scale-up
Scale up: Get more CPU, memory, disk space, and extra features like dedicated virtual machines (VMs), custom domains and
certificates, staging slots, autoscaling, and more. You scale up by changing the pricing tier of the App Service plan that your app
belongs to.
Scale out: Increase the number of VM instances that run your app. You can scale out to as many as 30 instances, depending on your
pricing tier. App Service Environments in Isolated tier further increases your scale-out count to 100 instances. For more information
about scaling out, see Scale instance count manually or automatically. There, you find out how to use autoscaling, which is to scale
instance count automatically based on predefined rules and schedules.
upvoted 16 times
  patricpotter1992 7 months, 3 weeks ago

solarwinds123 thank so much for the explanation.
upvoted 1 times
  Ankigupta 1 year, 2 months ago

in exam 04/12/2020
upvoted 4 times
You plan to move a distributed on-premises app named App1 to an Azure subscription.
After the planned move, App1 will be hosted on several Azure virtual machines.
You need to ensure that App1 always runs on at least eight virtual machines during planned Azure maintenance.
What should you create?
A. one virtual machine scale set that has 10 virtual machines instances
B. one Availability Set that has three fault domains and one update domain
C. one Availability Set that has 10 update domains and one fault domain
D. one virtual machine scale set that has 12 virtual machines instances
Correct Answer: C
An update domain is a logical group of underlying hardware that can undergo maintenance or be rebooted at the same time. As you create VMs
within an availability set, the Azure platform automatically distributes your VMs across these update domains. This approach ensures that at
least one instance of your application always remains running as the Azure platform undergoes periodic maintenance.
Reference:
http://www.thatlazyadmin.com/azure-fault-update-domains/

A (83%) C (17%)

Answer is wrong. The correct Answer is A.
First: in case you created on fault domain, you are limited with one update domain. You can test this.
Second: By default, Azure uses 5 update domains and up to 3 fault domains. So, In case you created 10 vm in scale set. then you will have
2 vm in each update domain. So once one update domain is not available, then you get 4 domains with 8 vms as required.
upvoted 115 times
  yolap31172 2 weeks ago

From https://docs.microsoft.com/en-us/azure/virtual-machines/flexible-virtual-machine-scale-sets: "Update Domains -- Depreciated
(platform maintenance performed FD by FD)"
So answer A is not correct either...

upvoted 1 times
  jsexamprep 6 months, 1 week ago

fedztedz's answer of A is correct. I wasn't sure at first because A talks about virtual machine scale sets and C talks about availability sets
(the community answer people are referring to is about availability sets). Virtual machine scale sets and availability sets are different, so
I wasn't convinced. However, MS docs (https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-
faq#do-scale-sets-work-with-azure-availability-sets-) say the following about scale sets working with Azure availability sets:
A regional (non-zonal) scale set uses placement groups, which act as an implicit availability set with five fault domains and five update
domains. Scale sets of more than 100 VMs span multiple placement groups. For more information about placement groups, see
Working with large virtual machine scale sets. An availability set of VMs can exist in the same virtual network as a scale set of VMs. A
common configuration is to put control node VMs (which often require unique configuration) in an availability set and put data nodes
in the scale set.
This backs up fedztedz's answer as the correct answer.

upvoted 9 times
  agupt 7 months, 3 weeks ago

Answer: C is correct.
By Default 5 update domain but can have up to 20 update domain.
"Within an availability set, individual VMs are spread across up to 20 update domains. During scheduled maintenance, only one update
domain is updated at any given time. Update domains aren't necessarily updated sequentially."
https://docs.microsoft.com/en-us/azure/virtual-machines/maintenance-and-updates?bc=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fdocs.microsoft.com%2Fen-
us%2Fazure%2Fbread%2Ftoc.json&toc=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-machine-scale-
sets%2Ftoc.json
upvoted 9 times
  dandynamite 1 month, 2 weeks ago

C is incorrect, you can not create 5 UP on 1 FD. So A is correct, there will be 3 FD and 5 UD as default.
upvoted 1 times

Yes C is correct as per senior member of Microsoft community forum, URL below:
https://techcommunity.microsoft.com/t5/azure/please-could-you-explain-why-the-c-option-is-the-correct-answer/m-p/2097168
upvoted 4 times
  MicroHead 6 months, 2 weeks ago

His explanation essentially says that A is correct though. Azure has 5 update domains per each scale set by default. If one is down
for maintenance, you will have 8 VMs available, given you have 2 VMs per update domain.
upvoted 1 times

Yes, we can have only one update domain if the fault domain is 1. So this negates C and A is correct.
upvoted 6 times
  Guilhermeds 2 months, 1 week ago

Exactly.
upvoted 1 times

Correct Answer: A
VM Scale Set consists of a set of identically configured VMs.

Availability Set consists of a set of discrete VMs.
No more than 20% of the Scale Set upgrading at any time, then 2 machines out of 10 will have maintenance, the 8 remaining VMs will be
up.
Virtual machine scale sets are created with five fault domains by default in Azure regions with no zones. For the regions that support zonal
deployment of virtual machine scale sets and this option is selected, the default value of the fault domain count is 1 for each of the zones.
FD=1 in this case implies that the VM instances belonging to the scale set will be spread across many racks on a best effort basis.
Reference:
https://docs.microsoft.com/en-us/learn/modules/build-app-with-scale-sets/2-features-benefits-virtual-machine-scale-sets
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade
upvoted 62 times
  AzureDev777 Most Recent  1 week, 1 day ago

Selected Answer: A
In a 10 VM scaleset atleast 80% will remain available during planned upgrades
upvoted 1 times
  Mozbius_ 1 week, 6 days ago

H0lly sh1t that is a jerk question!!!
In Microsoft AZ104 courses you are taught that availability sets are designed specifically to prevent all VMs to be down for update all at the
same time.
Therefore logically (C) would be the answer proving that you learned the topic during your courses. YET..... If you attempt to create an
availability set of only 1 fault domain Azure will generate an error message:
[* The update domain count must be 1 when fault domain count is 1.]
To make matters worst there doesn't appear to be a logical explanation for this as it is possible to have 20 update domains spread on 2
fault domains!!! Therefore that limitation is apparently simply arbitrary.
https://bettercoder.io/job-interview-questions/2035/you-are-creating-azure-availability-set-and-set-number-of-fault-domains-to-one-how-
many-update-domains-can-you-have-in-this-availability-set
So indeed (A) is the right answer as Scale Sets implicitly have update domains properties (again NEVER hinted during courses)!
(for reference search for Depreciated at):

https://docs.microsoft.com/en-us/azure/virtual-machines/flexible-virtual-machine-scale-sets
upvoted 1 times
  Silash 2 weeks, 3 days ago

Selected Answer: A
Answer is A
upvoted 1 times
  kevin9988 3 weeks, 1 day ago

C is correct
upvoted 1 times
  yangxs 1 month ago

Selected Answer: A
A is right.
The upgrade orchestrator identifies the batch of VM instances to upgrade, with any one batch having a maximum of 20% of the total
instance count, subject to a minimum batch size of one virtual machine. There is no minimum scale set size requirement and scale sets
with 5 or fewer instances will have 1 VM per upgrade batch (minimum batch size).
C is wrong. With 1 FD, you only get 1 update domain

upvoted 1 times

Selected Answer: C
Correct answer C. one Availability Set that has 10 update domains and one fault domain
upvoted 1 times

A
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes
See section high availability.

5 update domaines by default with scale set in UNIFORM orchestration mode. Question is poorly woorded as A and D could both work. D
is overkill but nothing is specified but having at least 8 VMs UP which both answers achieve.
upvoted 1 times
  dandynamite 1 month, 1 week ago

Selected Answer: A
A is correct, when a vmss created with 10 VMs, there are 5 FD and 5 UP (This help to achive the requirement, 4 UD always available during
maintenance, each have 2 VMS)
upvoted 1 times

Correct Answer: A
upvoted 1 times

Selected Answer: A
A regional (non-zonal) scale set uses placement groups, which act as an implicit availability set with five fault domains and five update
domains. Scale sets of more than 100 VMs span multiple placement groups. For more information about placement groups, see Working
with large virtual machine scale sets. An availability set of VMs can exist in the same virtual network as a scale set of VMs. A common
configuration is to put control node VMs (which often require unique configuration) in an availability set and put data nodes in the scale
set.
(https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-faq#do-scale-sets-work-with-azure-
availability-sets-)
upvoted 1 times

If fedztedz and mlantonis both say it's A, I have not doubt it's A
upvoted 8 times
  mwhooo 5 months, 3 weeks ago

Its A, C is incorrect because you cannot configure an availability set with 1 FD and 10 UD, the minimum allowed of FD is 2, just checked it in
Azure. Answer C is WRONG!
upvoted 5 times

The most reasonable answer is C.
However, either the choice is terrible or they formulated this answer very bad.
Your VMs are placed in different racks for fault tolerance to avoid downtime due to an entire rack failing as a result of a power drop or
anything that might affect the whole rack. Update Domains are to protect machines against planned maintenance. Update domain
protects against routined scheduled maintenance; meaning, the VMs will be on a different server but on the same rack. VMs in the same
Update domain will be restarted together
upvoted 1 times

I'm just come back to revise this in preparation for my job interview after I passed the test; it seems like they changed this question or
something. None of the options are a fit. Not even C. 1 fault domain is not an option for availability. It doubt it's even allowed.
upvoted 1 times

The main difference is that Scale Sets have Identical VMs where in Availability Sets does not require them to be identical.
Availability set, in concept, are for enhancing application availability in case one primary VM fails/needs update another VM from
Fault/Update domain can be provisioned
Scale sets on another hand, in concept, are designed for automatic scaling (horizontal) in application where load can vary extensively to
fulfill more compute needs.
Provisioning new VM in Azure when needed is easier for Scale sets as all other VMs are same in all aspects & replica of one golden copy.
https://stackoverflow.com/questions/38112816/difference-in-azure-availability-sets-and-scale-sets
upvoted 1 times

The question are more oriented towards availability, so the closest choice will be C
upvoted 1 times

My previous comments are wrong, fedztedz is correct. The answer will be A. if it is one fault domain then we will get only one update
domain.
upvoted 2 times

In exam 30 July 21
upvoted 2 times
Solution: You create an event subscription on VM1. You create an alert in Azure Monitor and specify VM1 as the source
A. Yes
B. No
Correct Answer: B
Instead: You create an Azure Log Analytics workspace and configure the data settings. You install the Microsoft Monitoring Agent on VM1. You
create an alert in
Reference:

You need to specify Log Analytics as the source for this alert, and not the VM as source for the alert.
1. You create an Azure Log Analytics workspace and configure the data settings.
2. You install the Microsoft Monitoring Agent on VM1.
3. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.
Reference:
upvoted 37 times
  Pniaq Highly Voted  1 year, 1 month ago

I can confirm, answer is correct.
upvoted 13 times
  anaphm Most Recent  2 months ago

You need to specify Log Analytics as the source for this alert, and not the VM as source for the alert.
1. You create an Azure Log Analytics workspace and configure the data settings.
2. You install the Microsoft Monitoring Agent on VM1.
3. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.
upvoted 1 times

Took the exam today on 17 Oct. This question came out. Ans: No
upvoted 3 times

What's an event subscription? :)
upvoted 1 times

Haha... They should have kept these questions together.
upvoted 1 times

No is correct!
upvoted 2 times

per https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview answer is correct.
upvoted 1 times

Answer is correct.
Need to specify the Log Analytics workspace as the source, not VM.
upvoted 2 times

No :
You create an Azure Log Analytics workspace and configure the data settings. You install the Microsoft Monitoring Agent on VM1. You
create an alert in
Azure Monitor and specify the Log Analytics workspace as the source
upvoted 1 times

Answer B. is correct. You need to specify Log Analytics as the source for this alert, and not the VM as source for the alert.
upvoted 1 times

Correct - you need log analytics workspace
upvoted 2 times
You have an Azure virtual machine named VM1. VM1 was deployed by using a custom Azure Resource Manager template named ARM1.json.
You receive a notification that VM1 will be affected by maintenance.
You need to move VM1 to a different host immediately.
Solution: From the Overview blade, you move the virtual machine to a different subscription.
A. Yes
B. No
Correct Answer: B
You would need to redeploy the VM.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/redeploy-to-new-node

B (100%)

Changing Subscription won't affect the downtime, it will just you change the billing. You would need to redeploy the VM. After you
redeploy a VM, the temporary disk is lost, and dynamic IP addresses associated with virtual network interface are updated.
From Overview there is no option to move the VM to another hardware to skip the maintenance.
Ideally you need an Availability Set and defining the Update Domains.
Reference:
upvoted 43 times

I hope MS can automatically move it to another hardware/ do maintenance once the VM is deallocated.
upvoted 1 times

Answer is correct . NO (B)
Changing Subscription won't change any change for the downtime, Just you change the billing
upvoted 24 times

Selected Answer: B
hanging Subscription won't affect the downtime, it will just you change the billing.
upvoted 1 times

You redeploy the machine. Azure fundamental question
upvoted 2 times

No is correct!
upvoted 1 times

No! changing the subscription is not the solution you need to redeploy the vm
upvoted 2 times

No is correct :
Can Redeploy
upvoted 2 times
  waterzhong 11 months, 3 weeks ago

Set-AzVM -Redeploy -ResourceGroupName "myResourceGroup" -Name "myVM"
upvoted 3 times

Answer B. is correct. From Overview there is no option to move the VM to another hardware to skip the maintenance. Also Re-deploying a
new VM doesnt guaranty you that new VM will be placed in different Update Domain, you can only set this by creating an Availability Set
and defining the Update Domains.
upvoted 4 times

Sorry, re-deploying the VM will also change the HW host as I am reading on: https://docs.microsoft.com/en-us/azure/virtual-
machines/windows/redeploy-to-new-node
upvoted 3 times

redeploying does not make sense because 1) its a custom template 2) if the notification came from azure, isnt that why we have update
domains
upvoted 2 times

According to the question: "You need to move VM1 to a different host immediately."
So the solution will be redeploy the VM.
After you redeploy a VM, the temporary disk is lost and dynamic IP addresses associated with virtual network interface are updated.
upvoted 4 times
  gekkehenkie84 1 year, 1 month ago

you actually do a redeploy from the blade, which changes hardware. Happened to me once on our staging environment, works like a
charm.
upvoted 4 times

the answer makes no sense. We need to redeploy but the answer is B?
upvoted 2 times
  aaa112 1 year, 1 month ago

I do not get what you don't get. "Solution: From the Overview blade, you move the virtual machine to a different subscription." as the
real solution is to redeploy the machine, then the provided solution is false, hence B. Does it make sense?
upvoted 2 times
  _Jue_13 1 year, 3 months ago

Exam on 18 nov 2020.
upvoted 5 times
  DA0410 1 year, 4 months ago

I mean correct answer is B.
upvoted 9 times

correct. we need toredeply vm
upvoted 6 times
Solution: From the Redeploy blade, you click Redeploy.
A. Yes
B. No
Correct Answer: A
When you redeploy a VM, it moves the VM to a new node within the Azure infrastructure and then powers it back on, retaining all your
configuration options and associated resources.
References:

A (100%)

When you redeploy a VM, it moves the VM to a new node within the Azure infrastructure and then powers it back on, retaining all your
configuration options and associated resources.
Use the Azure portal. Select the VM you wish to redeploy, then select the Redeploy button in the Settings blade. You may need to scroll
down to see the Support and Troubleshooting section that contains the 'Redeploy' button.
Reference:
upvoted 39 times

Answer Correct. YES (A)
The best solution , it will redeploy in a different location within Azure infrastructure in the same region
upvoted 11 times

Selected Answer: A
From Azure Portal
Redeploy
Support+Troubleshoot > Redeploy + Reapply
Try redeploying your virtual machine, which will migrate it to a new Azure host. If you continue, the virtual machine will be restarted and
you will lose any data on the temporary drive. While the redeployment is in progress, the virtual machine will be unavailable.Learn more
about Redeploy
upvoted 1 times
  anaphm 2 months ago

The answer is Yes
upvoted 1 times

In exam todas 11-DEC-2021.
Ans: A. Yes
upvoted 2 times

If you have been facing difficulties troubleshooting Remote Desktop (RDP) connection or application access to Windows-based Azure
virtual machine (VM), redeploying the VM may help. When you redeploy a VM, Azure will shut down the VM, move the VM to a new node
within the Azure infrastructure, and then power it back on, retaining all your configuration options and associated resources. This article
shows you how to redeploy a VM using Azure PowerShell or the Azure portal.
upvoted 1 times
  thiago1004 6 months, 1 week ago

It's wrong. In the DEPLOYMENTS panel, we click on REDEPLOY, not on the REDEPLOY panel
upvoted 1 times

Yes is correct!
upvoted 1 times

verified from https://docs.microsoft.com/en-us/azure/virtual-machines/windows/redeploy-to-new-node A is correct.
upvoted 1 times

Yes correct Redeploy the vm
upvoted 1 times

Yes : Redeploy
upvoted 2 times

A. is correct. As I read in https://docs.microsoft.com/en-us/azure/virtual-machines/windows/redeploy-to-new-node
upvoted 2 times

Use the Azure portal
Select the VM you wish to redeploy, then select the Redeploy button in the Settings blade. You may need to scroll down to see the Support
and Troubleshooting section that contains the 'Redeploy' button as in the following example:
upvoted 2 times

When you redeploy a VM, Azure will shut down the VM, move the VM to a new node within the Azure infrastructure, and then power it
back on, retaining all your configuration options and associated resources.
upvoted 4 times
  _Jue_13 1 year, 3 months ago

Exam on 18 nov 2020.
upvoted 5 times
  Caphispania 1 year, 3 months ago

Correct
upvoted 3 times

True. From the "Redeploy + reapply" blade:
Redeploy - Try redeploying your virtual machine, which will migrate it to a new Azure host. If you continue, the virtual machine will be
restarted and you will lose any data on the temporary drive. While the redeployment is in progress, the virtual machine will be
unavailable.
upvoted 1 times
Solution: From the Update management blade, you click Enable.
A. Yes
B. No
Correct Answer: B
Reference:

Reference:
upvoted 21 times

Answer is Correct. NO (B)
upvoted 20 times
  AubinBakana Most Recent  5 months, 4 weeks ago

Redeploying on the portal is very easy but you're using Powershell:
Set-AzVM -ResourceGroup MyResourcesGroup -Name MyVM -redeploy

upvoted 1 times

No is correct!
upvoted 1 times

previous question answers this one. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/redeploy-to-new-node. No it
doesnt resolve the issue.
upvoted 1 times

Answer is correct - No.
upvoted 1 times

B :Is correct
upvoted 2 times

Answer B. is correct. Only way is to re-deploy the VM. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/redeploy-to-new-
node
upvoted 2 times
You have an Azure subscription that contains a web app named webapp1.
You need to add a custom domain named www.contoso.com to webapp1.
A. Create a DNS record
B. Add a connection string
C. Upload a certificate.
D. Stop webapp1.
Correct Answer: A
You can use either a CNAME record or an A record to map a custom DNS name to App Service.
Reference:
https://docs.microsoft.com/en-us/Azure/app-service/app-service-web-tutorial-custom-domain

Correct Answer: A
You can use either a CNAME record or an A record to map a custom DNS name to App Service.
You should use CNAME records for all custom DNS names except root domains (for example, contoso.com). For root domains, use A
records.
Reference:
https://docs.microsoft.com/en-us/Azure/app-service/app-service-web-tutorial-custom-domain
upvoted 43 times

Answer is correct. A.
upvoted 43 times

upvoted 2 times
  AMT23 2 months ago

Correct link: https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain?tabs=cname
upvoted 1 times

In exam today 11-DEC-2021.
Ans: A. Create a DNS record
upvoted 2 times

Was on exam today 19.11.2021. Passed with 920.
Correct answer: A
upvoted 3 times

Was on my exam 15/11/2021
upvoted 2 times

Some of these answers are so funny! Upload a certificate? haha
I hope my sense of humour helps relieve some stress :)

upvoted 5 times

A is correct!
upvoted 3 times

A is the appropriate answer.

upvoted 1 times

Answer is correct.
Create a DNS record
upvoted 4 times

A is correct!
upvoted 4 times

Correct - A
upvoted 2 times

Answer A. is correct.
upvoted 2 times

Correct
upvoted 3 times

Simples
upvoted 4 times
VM1 connects to VNET1.

You need to connect VM1 to VNET2.
Solution: You move VM1 to RG2, and then you add a new network interface to VM1.
A. Yes
B. No
Correct Answer: B
Instead you should delete VM1. You recreate VM1, and then you add the network interface for VM1.
Note: When you create an Azure virtual machine (VM), you must create a virtual network (VNet) or use an existing VNet. You can change the
subnet a VM is connected to after it's created, but you cannot change the VNet.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network-overview

If you create a VM and later want to migrate it into a VNet, it is not a simple configuration change. You must redeploy the VM into the
VNet. The easiest way to redeploy is to delete the VM, but not any disks attached to it, and then re-create the VM using the original disks in
the VNet.
upvoted 37 times

Answer is correct. NO (B). Even if moved it will be still connected to VNET1.
upvoted 28 times
  Bere Most Recent  2 months, 2 weeks ago

The solution says:
You delete VM1. You recreate VM1, and then you create a new network interface for VM1 and connect it to VNET2.
The right answer would be:

You delete VM1. You copy the disk from West US region to East Asia region. You recreate VM1 from the disk you have copied, and then you
can connect VM1 to VNET2.
upvoted 3 times
  Gumer 3 months, 3 weeks ago

I failed yesterday exam scored 697 and got this series of questions
upvoted 4 times
  sachin007 2 months, 4 weeks ago

So close , give it another shot .Sure pass all the best
upvoted 2 times

It says "you need to connect" not "you need to move".
So setting up the VM as multihomed should be a valid answer, hence answer A ?
Besides, it seems possible to change the primary vNIC of a VM after deployment, so I'm not getting this whole "need to delete VM to
change VNET" thing. What am I missing ?
upvoted 1 times
I found what I was missing, I mixed up VNIC and VNET. You can add multiple vNIC but they all belong to the VNET assigned to the VM at
creation, which can't be changed.
upvoted 2 times

upvoted 4 times

upvoted 6 times

No is correct!
upvoted 1 times

Instead, you should delete VM1. Then recreate VM1 and add the network interface for VM1.
To migrate a VM from a VNET to another VNET. The only option is to delete the VM and redeploy it using a new NIC and NIC connected to
VNET2.
Note: When you create an Azure Virtual Machine (VM), you must create a Virtual Network (VNet) or use an existing VNet. You can change
the subnet a VM is connected to after it's created, but you cannot change the VNet. You can also change the size of a VM.
Reference:
upvoted 22 times
  Narendragpt 1 month, 2 weeks ago

Questions Says Need to connect VM1 to VNET2 ......not saying to Move it . SO which answer is correct
upvoted 1 times

B no you will have to delete the VM and rebuild it.
upvoted 1 times

B is correct: Can't delete Vnet only subnet can be change
upvoted 1 times

Both Answer B. and explanation are correct. It is not possible to re-assign Vnet to a VM, only change the Subnet.
upvoted 1 times

Need VM recreation .
upvoted 2 times

Solution: You delete VM1. You recreate VM1, and then you create a new network interface for VM1 and connect it to VNET2.
A. Yes
B. No
Correct Answer: A
You should delete VM1. You recreate VM1, and then you add the network interface for VM1.
Reference:

Answer is correct. YES (A). To migrate a VM from a VNET to another VNET. The only option is to delete the VM and redeploy it using a new
NIC and NIC connected to VNET2
upvoted 32 times

You should delete VM1. Then recreate VM1 and add the network interface for VM1.
VNET2.
Reference:
upvoted 24 times
  panileka 5 months, 2 weeks ago

VNET1 and VNET2 are in two different regions.. I am not sure we can connect a VM to these two networks.
upvoted 3 times

We should move the OSdisk to destination region and then creating new VM will work.
upvoted 1 times
  Spandrop Most Recent  7 months, 1 week ago

You delete and recreate, fine. But the question says: you delete and recreate, and then you connect ...... recreate where?! Same RG?
Different one? ... I think that the question is not clear, but the overall idea is if you have to move a VM, delete and recreate it.
upvoted 4 times
  dumz 4 months, 1 week ago

Yes, I have same concern as yours.
We should re-creare VM1 in same region as VNET2.
upvoted 2 times
  ranajoy97 7 months, 3 weeks ago

The correct answer is NO. In order to attach a VM to a VNET the VM and the VNET needs to be in the same zone. As VNET2 is in a separate
zone it won't work
upvoted 2 times

upvoted 1 times
  RBV 10 months, 1 week ago

Is it possible to create a VM without a network interface?
I am pretty sure that you cannot create a VNIC without a VNET.
So, if you have recreated the VM the question is: Where did you create it? VNET1 ou VNET2?
upvoted 2 times

YES is correct
upvoted 3 times

Somehow the ans is correct. The solution is just not clear where you will recreate the VM.
upvoted 2 times

This question is not clear enough to provide a valid answer. If the new VM is deployed in East Asia, then Yes. If the new VM is deployed in
another Region, then No.
upvoted 4 times
  hbergun 1 year, 1 month ago

Shouldn't vm and vnet be in the same region? the question is not clear enough beacuse It does not contain an explanation that the region
of vnet should be changed.
upvoted 5 times
  DieWolke 10 months, 4 weeks ago

I agree with you. It mentions that you recreate the VM, but doesn't specify in what resource group it's recreated in either.
upvoted 2 times

Solution: You turn off VM1, and then you add a new network interface to VM1.
A. Yes
B. No
Correct Answer: B
Instead you should delete VM1. You recreate VM1, and then you add the network interface for VM1.
Reference:

The answer is correct . NO (B).
Even if you added a new network interface, this interface will be connected to the same VNET1.
upvoted 18 times
  panileka 5 months, 2 weeks ago

i am not sure if we can connect a VM to two networks that are not in the same region..
upvoted 1 times

Correct specified in the constraints page at the bottom of this link: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-
network-network-interface-vm
"You can connect network interfaces in the same VM to different subnets within a virtual network. However, the network interfaces
must all be connected to the same virtual network."
upvoted 5 times

VNET2.
Reference:
upvoted 12 times
  Bere Most Recent  2 months, 2 weeks ago
The solution says:

You delete VM1. You recreate VM1, and then you create a new network interface for VM1 and connect it to VNET2.
The right answer would be:

You delete VM1. You copy the disk from West US region to East Asia region. You recreate VM1 from the disk you have copied, and then you
can connect VM1 to VNET2.
upvoted 1 times

Correct. answered B. In exam today
upvoted 2 times

No is the answer : Can't attach a Network in a different Vnet ( Attach NIC option will not suggest)
upvoted 1 times

Answer B. is correct. For two reasons: A VM cannot be connected to two different VNets, and second reason is VM cannot connect to a
Vnet in different region.
upvoted 1 times
HOTSPOT -
You have an Azure subscription named Subscription1 that contains the quotas shown in the following table.
You deploy virtual machines to Subscription1 as shown in the following table.
You plan to deploy the virtual machines shown in the following table.
Hot Area:
Correct Answer:
The total regional vCPUs is 20 so that means a maximum total of 20 vCPUs across all the different VM sizes. The deallocated VM with 16
vCPUs counts towards the total. VM20 and VM1 are using 18 of the maximum 20 vCPUs leaving only two vCPUs available.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/quotas

Correct YES NO NO
The deallocated VM are still using and reserving the used 16 vCPU + 2 vCPU ,so in total we only have 2 vCPU available in the region
upvoted 80 times
  walexkino 9 months, 2 weeks ago

it makes sense.. Thanks
upvoted 6 times

Correct Answer:
Total regional vCPUs = 20

2 vCPUs (VM1) + 16 vCPUs (VM20) = 18 vCPUs, which means that only 2 vCPUs left to exceed usage limit.
Box 1: Yes
We can add 1 vCPU. 2 vCPUs (VM1) + 16 vCPUs (VM20) + 1 vCPU (VM3) = 19 vCPUs
Box 2: No
We cannot add 4 vCPUs. 2 vCPUs (VM1) + 16 vCPUs (VM20) + 4 vCPU (VM4) = 22 vCPUs
Box 3: No
We cannot add 16 vCPU. 2 vCPUs (VM1) + 16 vCPUs (VM20) + 16 vCPU (VM5) = 34 vCPUs
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/quota
upvoted 60 times
  cashey Most Recent  1 month, 2 weeks ago

yes no no quick maths
upvoted 3 times

YES
NO
NO
upvoted 1 times
  marco_aimi 2 months ago

TOTAL REGION MAX CPU: 20 ( 16 DEALLOCATED VM + 2 UP VM = 18 CPU) AVAILABLE CPU ONLY 2
upvoted 1 times

Correct answer: Y-N-N
upvoted 6 times
  rsamant 5 months ago

Correct
Quota is calculated based on the total number of cores in use both allocated and deallocated. If you need additional cores, request a
quota increase or delete VMs that are no longer needed.
Reference : https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/virtual-machines/windows/quotas.md
upvoted 4 times

Yes No No
Quota is calculated based on the total number of cores in use both allocated and deallocated.
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/quotas
upvoted 3 times

For a moment I thought BS was not a B series machine. I was wrong. Revealed answer is correct
upvoted 2 times

correct answer according to Q&A:
https://docs.microsoft.com/en-us/answers/questions/40648/question-regarding-azure-vm-cpu-quota-limits.html
upvoted 1 times
  sachinvjn 9 months ago

say if I still wanted to create a 4core machine in same subscription, I should increase vcpu quota?
upvoted 1 times
  Wizaias 8 months, 3 weeks ago

Yes! You have only 2vCpus available.
upvoted 1 times
  walexkino 9 months, 2 weeks ago

correct,
The total usage = 20
2 vCPUs + 16 vCPUs = 18 vCPUs meaning 2 vCPUs left to exceed usage limit.
Here we have VM3 having 1 vCPU >>> 1 more vCPUs left..
Meanwhile the rest of the vCPU VM4 and VM5 exceeds 1vCPU
making the answer Y, N, N.
Hope i have been able to explain to someone.
Do i get a thumbs up
upvoted 7 times

4.18.21 exam*
upvoted 12 times

Yes No No
upvoted 1 times
  WillYeung 11 months, 2 weeks ago

VM4 should be the D family, and it is the first D family VM why it can not create?
upvoted 2 times
  Princy1187 10 months, 2 weeks ago

Total Regional Limit is 20 only, irrespective of B and D family.
upvoted 3 times
  WillYeung 11 months, 2 weeks ago

Sorry I miss the regional limit
upvoted 1 times

YES,NO,NO
Total quota vCPU for the region is main here to consider
Already utilised 16+2=18 & remaining vCPU for the region is 2
so we cant create VM4 & VM5
upvoted 3 times
  mvaricak 12 months ago

what counts here? number of CPUs or Number of VMs?
upvoted 1 times
  guilleabdon 11 months, 4 weeks ago

Hi mvaricak. The number of CPUs.
upvoted 1 times
HOTSPOT -
You have an Azure subscription that contains an Azure Availability Set named WEBPROD-AS-USE2 as shown in the following exhibit.
You add 14 virtual machines to WEBPROD-AS-USE2.

Hot Area:
Correct Answer:
Box 1: 2 -
There are 10 update domains. The 14 VMs are shared across the 10 update domains so four update domains will have two VMs and six update
domains will have one VM. Only one update domain is rebooted at a time. Therefore, a maximum of two VMs will be offline.
Box 2: 7 -
There are 2 fault domains. The 14 VMs are shared across the 2 fault domains, so 7 VMs in each fault domain. A rack failure will affect one fault
domain so 7 VMs will be offline.
Reference:

Correct Answer:
Box 1: 2
There are 10 update domains. The 14 VMs are shared across the 10 update domains, so 4 update domains will have 2 VMs and 6 update
domains will have 1 VM. Only one update domain is rebooted at a time.
D1 D2 D3 D4 D5 D6 D7 D8 D9 D10
vm1 vm2 vm3 vm4 vm5 vm6 vm7 vm8 vm9 vm10
vm11 vm12 vm13 vm14
Maximum Down = 2
Minimum Down = 1
Box 2: 7
There are 2 fault domains. The 14 VMs are shared across the 2 fault domains, so 7 VMs in each fault domain. A rack failure will affect one
fault domain so 7 VMs will be offline.
14 VM in 2 Fault Domain
Rack 1 Rack 2
vm1 vm8
vm2 vm9
vm3 vm10
vm4 vm11
vm5 vm12
vm6 vm13
vm7 vm14
Maximum Down = 7
Minimum Down = 7
upvoted 159 times
  PeterHu 1 day, 16 hours ago

thanks for clear explanation
upvoted 1 times

Excellent Explanation
upvoted 2 times
  maknik 1 month, 2 weeks ago

spin up your own website buddy and copy paste your answers there...will be popular one ...do it fast the idea is now public :)
upvoted 2 times
  HypeMan_crew 1 month, 3 weeks ago

Mlantonis, you are a very smart person.. Nicely explained even better than the youtube videos I have come across
upvoted 4 times
  ZUMY Highly Voted  11 months, 3 weeks ago

Box 1: 2 -
There are 10 update domains. The 14 VMs are shared across the 10 update domains so four update domains will have two VMs and six
update domains will have one VM. Only one update domain is rebooted at a time. Therefore, a maximum of two VMs will be offline.
Box 2: 7 -
There are 2 fault domains. The 14 VMs are shared across the 2 fault domains, so 7 VMs in each fault domain. A rack failure will affect one
fault domain so 7 VMs will be offline.
upvoted 50 times
  marco_aimi Most Recent  2 months ago

#UPDATE DOMAIN (nr°10) & 14 VM
UD1 : VM1 & VM11
UD2 : VM2 & VM12
UD3 : VM3 & VM13
UD4 : VM4 & VM14
UD5 : VM5
UD6 : VM6
UD7 : VM7
UD8 : VM8
UD9 : VM9
UD10: VM10
Only one update domain is rebooted at a time.

so a maximum 2 VMs will be offline.
so a minimum 1 VMs will be offline.
#FAULT DOMAIN (nr°2) & 14 VM

Rack A Rack B
VM1 VM8
VM2 VM9
VM3 VM10
VM4 VM11
VM5 VM12
VM6 VM13
VM7 VM14
Fault RACK A: 14 VM -7VM OFF = 7 VM UP

Fault RACK B: 14 VM -7VM OFF = 7 VM UP
Maximum VM Down = 7
Minimum VM Down = 7
upvoted 10 times

upvoted 4 times

Rack 1 Rack 2
VM1 VM21 ---> UD1
VM2 VM22 ---> UD2
VM3 VM23 ---> UD3
VM4 VM24 ---> UD4
VM5 VM25 ---> UD5
VM6 VM26 ---> UD6
VM7 VM27 ---> UD7
During a routine maintenance the number of machines to go down: 2

If there's a fault, a rack goes down: 7 machines will remain
upvoted 3 times

unfortunately your distribution for Update domains is wrong, check this: https://docs.microsoft.com/en-us/azure/virtual-
machines/availability-set-overview
upvoted 1 times
  Invisired 3 months, 4 weeks ago

Nice example.
upvoted 1 times

In exam 09/20/2021
upvoted 2 times
  udhdhhxhdhd 5 months, 1 week ago

Shouldn't the answer of the 2nd question be 9? As 7 vm's are down and a maximum of 2 vm's are updating making them also unavailable?
upvoted 1 times

I thought I understood availability until this. I did some research and still couldn't get a clear explanation but some very smart dude in the
comment section has been able to clear this out for me. Something I will not forget.
upvoted 2 times

availability *set
upvoted 1 times
  Steve107 6 months, 1 week ago

14 persons (VM) to fill up 10 hotel rooms (update domain), 4 rooms will be filled with 2 persons, other 6 rooms has 1 person.
2 Fault domains ~= 2 hotel floors, 14 persons live evenly each floor.
upvoted 4 times

Box 1 Answer :- 2
Fault Domain = 2
Update Domain = 10
Virtual Machines = 14
***********************
UD1=VM1 and VM11
UD2=VM2 and VM12
UD3=VM3 and VM13
UD4=VM4 and VM14
UD5=VM5
UD6=VM6
UD7=VM7
UD8=VM8
UD9=VM9
UD10=VM10
4 UD's are having 2 VM's each
6 UD's are having 1 VM's each
=>Only one update domain is rebooted at a time. Therefore, a maximum of two VMs will be offline.
upvoted 11 times

this is not correct
upvoted 1 times

Thank you
upvoted 1 times

Box 2 - 7
If One Server Rack is unavailable, then
Rack1/FD1 = VM1+VM2+VM3+VM4+VM5+VM6+VM7
Rack2/FD2 = VM8+VM9+VM10+VM11+VM12+VM13+VM14
7 VM's will be Down if One Rack/FD is Down.
upvoted 4 times

Correct remember that azure spread vm accross each update and fault domain one by one sequentialy. if for example you have 2 update
domain in an availability that contains 3 vms, then:
- VM1 will be in update domain 1
- VM2 will be in update domain 2
- VM3 will be in update domain 1 (same as VM1).
apply this to question, the maximum number of vms per update domain is 2 and the maximum number of vms per fault domain is 7
upvoted 4 times
  ShikshaGarg 6 months, 3 weeks ago

Thanks a lot! Most clear explanation :)
upvoted 1 times
  Subodh4190 7 months, 2 weeks ago

Exam 4 June 2021
upvoted 3 times
  Zuls 8 months, 2 weeks ago

I wan to understand how 14 Vms are shared across the 10 updates domains... why four update domain will have two Vms and six update
domains will have one VM????
upvoted 1 times
  binisho123 8 months, 1 week ago

just drop a VM in increment of 1 to the update domains
upvoted 3 times

kinda confusing , if there is no explanation of the way the VMs are allocated ...starting with 1 per domain and then recyling back to the
frist one...
upvoted 1 times
  Mukku2019 8 months, 3 weeks ago

Ans is correct but explanation is wrong. It should be like 14/10=1.4 means 2 will be unavailable.
Same for second 14/2 =7 will be unavailable.
upvoted 4 times
  NareshNK 10 months ago

14 VM in 10 Domain
D1 D2 D3 D4 D5 D6 D7 D8 D9 D10
vm1 vm2 vm3 vm4 vm5 vm6 vm7 vm8 vm9 vm10
vm11 vm12 vm13 vm14
Maximum Down 2
Minimum Down 1
14 VM in 2 Fault Domain
Rack 1 Rack 2
vm1 vm8
vm2 vm9
vm3 vm10
vm4 vm11
vm5 vm12
vm6 vm13
vm7 vm14
Maximum Down 7
Minimum Down 7
upvoted 8 times
  Rajash 9 months, 3 weeks ago

Thanks Naresh -
With the above depiction, the VMs are allocated to fault OR updated domains in Round Robin fashion. After allocating the 10th VM to
10th Update domain, it starts again from domain 0(D1 in the above depiction).
upvoted 3 times

4.18.21 exam*
upvoted 3 times
You deploy an Azure Kubernetes Service (AKS) cluster named Cluster1 that uses the IP addresses shown in the following table.
You need to provide internet users with access to the applications that run in Cluster1.
Which IP address should you include in the DNS record for Cluster1?
A. 131.107.2.1
B. 10.0.10.11
C. 172.17.7.1
D. 192.168.10.2
Correct Answer: A

A (100%)

Correct Answer. (A).
To be able to access applications on kubernetes , you need a application Load Balancer created by Azure which have public ip.
upvoted 78 times

thanks for this
upvoted 1 times

Appreciate! Help a lots.
upvoted 6 times
  JulienYork Highly Voted  1 year, 2 months ago

This is the stupidest question I have ever seen :))
upvoted 31 times

Hahaha
upvoted 2 times

I second that! It cannot be real.
upvoted 2 times
  DieWolke 10 months, 3 weeks ago

To be fair, I do see quite a few people even in the professional working world that forget or get mixed up with the private IP address
ranges. Some forget that the 10.X.X.X range is private.
upvoted 5 times
  MildJason 10 months, 3 weeks ago

Class B is worse I think. If you see 10.X.X.X you know it will always be private. If you see 192.168.X.X it will always be private. BUT
if you see 172.X.X.X sometimes it is private and sometimes it is public. Only 172.16.X.X - 172.31.X.X is private, everything else in
172.X.X.X is public.
upvoted 17 times
  PurushothamaSpu 8 months, 4 weeks ago

My trainer told now there is No class A,B,C
Private ips just in bewlow 3 ranges :

10.x.x.x
172.x.x.x
192.168.x.x
Is that not correct?
upvoted 2 times

Not quite. Technically IP addressing is classless now, and the network address must be determined from the cidr notation
or the subnet mask, but its still common to refer to those as class A,B,C private addresses.
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
are the private ranges in CIDR notation.
10.0.0.0-10.255.255.255
172.16.0.0-172.31.255.255
192.168.0.0-192.168.255.255 are the full allowed scopes.
upvoted 3 times
  LHNing2 Most Recent  1 week, 5 days ago

Selected Answer: A
aaaaaaaaaaaaaaa
upvoted 2 times
  prince89 1 month, 2 weeks ago

Selected Answer: A
Correct Answer : A
upvoted 1 times
  Microgen 3 months, 2 weeks ago

finally I answered correctly
upvoted 4 times

Got this question in yesterday exam, failed by the way
upvoted 4 times

I was intimidated by this one because Azure Az104 does not cover k8s much. But with common, I was able to figure the answer out. Of
course, it's the public IP address that customers would be using. The rest are internal PIPA
Answer must be righ.

upvoted 2 times
  sreekan 6 months, 1 week ago

yes its Correct (A)
In order to access applications on kubernetes , you need a application Load Balancer created by Azure which have public ip.
upvoted 2 times

Correct Answer: A
To be able to access applications on Kubernetes, you need an application Load Balancer created by Azure which have public IP.
Note: 10.X.X.X range is private.
Reference:
https://docs.microsoft.com/en-us/azure/aks/load-balancer-standard
upvoted 25 times

Plus, that’s what “front end” means.
upvoted 1 times

4.18.21 exam*
upvoted 3 times

Answer is correct. ip address of load balancer front end. - To access the applications on kubernetes, we need ip address of load balancer
front end.
upvoted 2 times

A is correct!
To be able to access applications on kubernetes , you need a application Load Balancer created by Azure which have public ip.
upvoted 1 times

Answer A. is correct. Fronted LB address, mostly the public IP address.
upvoted 3 times

Ez qst. Answer is A - all other IPs are private!
upvoted 6 times
  polpum 1 year, 1 month ago

Come in 15/01/2021
upvoted 3 times
  boink 1 year, 2 months ago

Correct
upvoted 4 times
You have a deployment template named Template1 that is used to deploy 10 Azure web apps.
You need to identify what to deploy before you deploy Template1. The solution must minimize Azure costs.
A. five Azure Application Gateways
B. one App Service plan
C. 10 App Service plans
D. one Azure Traffic Manager
E. one Azure Application Gateway
Correct Answer: B
You create Azure web apps in an App Service plan.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-plans
  OmegaGeneral Highly Voted  1 year, 6 months ago

Correct: you only need a single App service plan, as your web apps will share the service plans resource availability.
Adding any of the other resources are pointless and not noted as a requirement.
upvoted 54 times

Correct Answer: B
Creating one App Service Plan, you can support up to 10 Web Apps. Adding any of the other resources are pointless and not noted as a
requirement.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-plans
upvoted 47 times
  Fulforce Most Recent  2 months ago

Correct. One App Service plan as long as they can run on the same OS as eachother. This isn't specified in the question so we could
assume it. It would need to be a Standard plan which will allow for up to 10 instances.
upvoted 3 times

In the exam today 11-DEC-2021.
Ans: B. one App Service plan
upvoted 6 times

Was in exam 15/11/2021
upvoted 4 times
  maziokey 5 months, 3 weeks ago

correct answer: B
upvoted 1 times

Correct Answer
upvoted 1 times

basically it's the app service plan that can give you details as to how much an app is gonna cost you, that's why it's the correct and most
sensible answer. the other choices are just the resources that wont give you information about the costs. the phrasing of the question
makes you think they need something more complicated like knowing what the cost of the resources are when it's basically simple, just
look at the app service plan costs lol microsoft
upvoted 1 times

in exam 7/3/2021
upvoted 5 times

upvoted 5 times

4.18.21 exam*
upvoted 4 times
  Da_G 11 months, 1 week ago

Surprised this isn't worded as to what kind of app plan is needed, given that 10 squeezes into the Standard tier quite snuggly.
upvoted 3 times

One app service plan will be recommended to reduce the cost
upvoted 1 times
  PBA1211 11 months, 2 weeks ago

in 09-03-21
upvoted 5 times

B ; App Service plan
upvoted 4 times

Answer B. is correct. To minimize the cost, one Servide App plan will be recommended. All other options will increase the cost.
upvoted 3 times
  macross 1 year ago

Just one - is sufficient. Correct answer
upvoted 2 times
HOTSPOT -
You plan to deploy an Azure container instance by using the following Azure Resource Manager template.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the template.
Hot Area:
Correct Answer:
  olsenOnS Highly Voted  2 months, 1 week ago

Correct.
Can connect from any dev.
Will restart autom.

upvoted 13 times
  Paulwryan Most Recent  1 month, 2 weeks ago

In order to connect to the container wouldn't the RDP port 3389 need to be open?
upvoted 1 times
  Odysseas 1 month, 1 week ago

It will connect via http (port 80) and will get a response from the IIS
upvoted 4 times

So does the "osType": "Windows" is there to throw you off?
upvoted 2 times
  oscarfernand 2 weeks, 2 days ago

yes, it's a trap
upvoted 2 times
  tmub47 1 month, 3 weeks ago

What is the practical scenario for a Public access with just one OS type?
upvoted 1 times
  space2201 6 days, 4 hours ago

The osType element has nothing to do with the clients connecting to the container. It specifies the container OS type.
upvoted 1 times
  testmobile18 2 months ago

Correct answer.
https://docs.microsoft.com/en-us/azure/container-instances/container-instances-quickstart-template
"port": {
"type": "int",
"defaultValue": 80,
"metadata": {
"description": "Port to open on the container and the public IP address."
}
"restartPolicy": {
"type": "string",
"defaultValue": "Always",
"allowedValues": [
"Always",
"Never",
"OnFailure"
upvoted 1 times
You have an Azure subscription that contains a virtual machine named VM1. VM1 hosts a line-of-business application that is available 24 hours a
day. VM1 has one network interface and one managed disk. VM1 uses the D4s v3 size.
You plan to make the following changes to VM1:
✑ Change the size to D8s v3.
✑ Add a 500-GB managed disk.
✑ Add the Puppet Agent extension.
✑ Enable Desired State Configuration Management.
Which change will cause downtime for VM1?
A. Enable Desired State Configuration Management
B. Add a 500-GB managed disk
C. Change the size to D8s v3
D. Add the Puppet Agent extension
Correct Answer: C
While resizing the VM it must be in a stopped state.
Reference:
https://azure.microsoft.com/en-us/blog/resize-virtual-machines/

Correct Answer: C
While resizing, the VM must be in a stopped state, therefore there will be a downtime.
Reference:
https://azure.microsoft.com/en-us/blog/resize-virtual-machines
upvoted 44 times
  multcloud Highly Voted  1 year, 5 months ago

Correct answer. Resizing VM will cause downtime.
upvoted 34 times
  SanjSL Most Recent  3 months, 4 weeks ago

If the virtual machine is currently running, changing its size will cause it to be restarted.
If your VM is still running and you don't see the size you want in the list, stopping the virtual machine may reveal more sizes.
https://docs.microsoft.com/en-us/azure/virtual-machines/resize-vm?tabs=portal
upvoted 4 times

upvoted 1 times

In exam 09/20/2021
upvoted 2 times

Answer is C
upvoted 1 times

When you change your VM's disk it's must be in a stop state and then when u resize the VM you might have to wait for sometime then you
are good to use the VM.
upvoted 3 times

4.18.21 exam*
upvoted 4 times
Answer is correct.
Change the size to vm1 will cause the downtime
upvoted 1 times

C is correct : Resize will cause downtime.
upvoted 3 times
Yep, resize the VM will make it redeploy, in other words, downtime.
upvoted 2 times

Answer C. is correct. Changing the size of a VM will always require downtime.
upvoted 3 times

Easy. Change the VM size will cause it to be stopped.
upvoted 2 times
  leaderbud 1 year ago

For those wondering what is a Puppet Extension:
'We know that many organizations have made investments in on-premises hardware, in multiple platforms, and in automation resources
like Chef and Puppet. Azure supports all of these scenarios, and lets customers extend investments they have already made into the cloud.
Both Chef and Puppet are supported through virtual machine extensions,
allowing VMs that are created to support automation. This assumes that a Chef or Puppet environment is already set up. If you would like
to set up a new environment, images for Chef and Puppet are available for download and deployment on the Azure Marketplace.'
Source: https://info.microsoft.com/rs/157-GQE-382/images/Infrastructure-as-Code-guide-EN-v6_299129.pdf
upvoted 9 times

Come in 15/01/2021
upvoted 3 times

Answers is correct
upvoted 3 times

Answer is correct . (C)
Change the size of the machine will cause it to be restarted or even stopped.
upvoted 10 times
You have an app named App1 that runs on an Azure web app named webapp1.
The developers at your company upload an update of App1 to a Git repository named Git1.
Webapp1 has the deployment slots shown in the following table.
You need to ensure that the App1 update is tested before the update is made available to users.
A. Swap the slots
B. Deploy the App1 update to webapp1-prod, and then test the update
C. Stop webapp1-prod
D. Deploy the App1 update to webapp1-test, and then test the update
E. Stop webapp1-test
Correct Answer: AD

Answer is correct.
1.Deploy the App to “webapp1-test” which is staging environment and test it there.
2.Once the test is success swap the slots, so the new changes will be available under production.
upvoted 27 times

Thanks! straight to the point!
upvoted 3 times
  Shailesh866 Highly Voted  4 months, 3 weeks ago

- Deploying an app to a slot first(Test is this case) and swapping it into production makes sure that all instances of the slot are warmed up
before being swapped into production.
- After a swap, the slot with previously staged app now has the previous production app. If the changes swapped into the production slot
aren't as you expect, you can perform the same swap immediately to get your "last known good site" back.
upvoted 10 times

upvoted 5 times
  k_ree 2 weeks, 2 days ago

Congrats! I'm nervous about this exam and have been studying a loooong time for it.
upvoted 3 times

Correct and tested, 1.We can deploy the updated App and do test on it and we can do swap of App later with production App easily.
upvoted 1 times

Was on exam 15/11/2021
upvoted 6 times

Wrong answer. The webApp1-test is obviously not the correct version if we have an new version of the App. That version needs replacing
by the new version we wish to use. But first it must be tested.
Answer is ED
upvoted 1 times
Answer is really D followed by A.

What could have thrown you off is the question formulation that seems to ask what are the two steps to be done BEFORE swapping.
But then again when you update a deployment you don't need to stop anything. Therefore E makes no sense and logical second choice
is A.
https://docs.microsoft.com/en-us/azure/app-service/deploy-best-practices
upvoted 1 times
  Bart31_Sa 3 months, 1 week ago

Answer ED looks good, but when I have read: https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots - correct answer
is AD
upvoted 3 times
  js_indore 4 months, 3 weeks ago

upvoted 2 times

correct.
upvoted 1 times
You have an Azure subscription named Subscription1 that has the following providers registered:
✑ Authorization
✑ Automation
✑ Resources
✑ Compute
✑ KeyVault
✑ Network
✑ Storage
✑ Billing
✑ Web
Subscription1 contains an Azure virtual machine named VM1 that has the following configurations:
✑ Private IP address: 10.0.0.4 (dynamic)
✑ Network security group (NSG): NSG1
✑ Public IP address: None
✑ Availability set: AVSet
✑ Subnet: 10.0.0.0/24
✑ Managed disks: No
✑ Location: East US
You need to record all the successful and failed connection attempts to VM1.
A. Enable Azure Network Watcher in the East US Azure region.
B. Add an Azure Network Watcher connection monitor.
C. Register the MicrosoftLogAnalytics provider.
D. Create an Azure Storage account.
E. Register the Microsoft.Insights resource provider.
F. Enable Azure Network Watcher flow logs.
Correct Answer: AEF

You can log network traffic that flows through an NSG with Network Watcher's NSG flow log capability.
✑ In the Azure portal, enable Network Watcher
✑ Register Insights provider. NSG flow logging requires the Microsoft.Insights provider.
✑ Enable NSG flow log. NSG flow log data is written to an Azure Storage account, Subscription1 has storage.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal

DEF (76%) AEF (24%)
  jackAttew_1 Highly Voted  1 month, 3 weeks ago

Answer is correct so AEF.
1.Create a VM with a network security group
2.Enable Network Watcher and register the Microsoft.Insights provider
3.Enable a traffic flow log for an NSG, using Network Watcher's NSG flow log capability
4.Download logged data
5.View logged data
upvoted 11 times
  HenriKI2 Highly Voted  1 month, 1 week ago

Selected Answer: DEF
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
When you create or update a virtual network in your subscription, Network Watcher will be enabled automatically in your Virtual
Network's region. There is no impact to your resources or associated charge for automatically enabling Network Watcher. For more
information, see Network Watcher create.
Create a VM with a network security group
Enable Network Watcher (done by default with the vnet/subnet creation)
-- and register the Microsoft.Insights provider ---------todo
Enable a traffic flow log for an NSG, using Network Watcher's NSG flow log capability --todo BUT !
NSG flow log data is written to an Azure Storage account. Complete the following steps to create a storage account for the log data.
So you need to create a storage account before enable the NSG flow
Download logged data
View logged data
upvoted 6 times
  _punky_ 4 weeks ago

Checked! This ans is correct.
upvoted 1 times
  Mozbius_ Most Recent  1 week, 5 days ago

Answer is definitely AEF but DEF technically can easily be argued as a good answer too since Network Watcher gets automatically enabled
for the region where a virtual network is created or updated in a subscription and creating a storage account is also required.
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-
overview#:~:text=Network%20Watcher%20is%20designed%20to%20monitor%20and%20repair,not%20work%20for%20PaaS%20monitorin
g%20or%20Web%20analytics.
That being said I believe Microsoft is looking here for a specific scenario that it has well established which is in fact taking in consideration
the possibility that (A) [Enabling Network Watched] may have already been taken cared of BUT it still puts (A) as the first step following the
creation of a VM (Network Watcher could by some fluke be disabled I guess). Hence why AEF is really the answer that Microsoft is looking
for.
upvoted 2 times
  LuchianoTz 2 weeks, 4 days ago

A,E & F
To have all the logs
1.Enable Network watcher for the particular region

2.Register insight provider
3.Create a storage account
4.Enable NSG flow logs
Step #3 is not in the answer as the subscription already has the storage account
upvoted 2 times
  NG15 3 weeks ago

Selected Answer: AEF
Answer is: AEF
Explanation on
upvoted 1 times
  Penguinyo 3 weeks, 6 days ago

Nothing called Azure Network Watcher flow logs. It should be Azure Network Watcher NSG flow logs.
upvoted 1 times

Firstly, nothing called Azure Network Watcher flow logs. It should be Azure Network Watcher NSG flow logs.
secondly, the VM is using unmanaged disk which means the existing storage account is a prenium storage performance, but the NSG
flow logs requires standard storage acount performance so you should create another standard account.
upvoted 1 times
  peymani 4 weeks ago

Create a storage account is included in Enable NSG flow log section. --> Support that A is correct and D does not need an individual part or
section. it is included when you enabling flow log.
Enable Network Watcher and register the Microsoft.Insights provider ---> support E and F
I think the answer is correct. AEF
upvoted 2 times

Network Watcher gets created automatically when you create a virtual network. This leaves the remaining answer choices to D, E and F.
upvoted 2 times


Network watcher is automatically created. so no need to do A.
upvoted 2 times
  hifihunk 1 month, 2 weeks ago

Should be DEF as Network Watcher created automatically when you create VNET for the region.
upvoted 2 times

Correct Answer: DEF
"When you create or update a virtual network in your subscription, Network Watcher will be enabled automatically in your Virtual
Network's region"
upvoted 3 times
  okamigo 2 months ago

Guys in this topics
Most of them pointed to A,D,E because Azure Network Watcher is enabled by default
upvoted 2 times
  Mwavy 2 months, 1 week ago

upvoted 1 times
  olsenOnS 2 months, 1 week ago

Selected Answer: AEF
In my opinion its correct
upvoted 3 times
You need to deploy an Azure virtual machine scale set that contains five instances as quickly as possible.
What should you do?
A. Deploy five virtual machines. Modify the Availability Zones settings for each virtual machine.
B. Deploy five virtual machines. Modify the Size setting for each virtual machine.
C. Deploy one virtual machine scale set that is set to VM (virtual machines) orchestration mode.
D. Deploy one virtual machine scale set that is set to ScaleSetVM orchestration mode.
Correct Answer: D
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/orchestration-modes

D (100%)

Answer is correct (D).
the main idea is to create 5 VMs asap. To do this you should let Azure do it for you with the least steps. either by using ARM template
which is not mentioned here or VM scale set. That leaves us with 2 options C or D. C is like unmanaged Scale set where you add the VMs
manually to the scale set as a unmanaged group. while D is managed scale set by Azure where it is based on configuration set during the
setup of the VM Scale set
upvoted 99 times

Correct Answer: D
ScaleSetVM orchestration mode: Virtual machine instances added to the scale set are based on the scale set configuration model. The
virtual machine instance lifecycle - creation, update, deletion - is managed by the scale set. It the current default VMSS behavior. (Scale set
VMs are created in a single shot).
VM (virtual machines) orchestration mode: Virtual machines created outside of the scale set can be explicitly added to the scale set. The
orchestration mode VM will only create an empty VMSS without any instances, and you will have to manually add new VMs into it by
specifying the VMSS ID during the creation of the VM. (Separately VMs are created and added to scale set later)
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/orchestration-modes
upvoted 55 times

thank you for this. I wandered what the difference was between the 2. They sound the same. Never came across a situation where
machines were to be added manually, which in my opinion defeats the purpose of using a scale set unless you've got legacy equipment
of something like that. But hey, it must be there for a reason and at least I know. Again, thank you
upvoted 2 times

Question is outdated.
Now its UNIFORM mode and FLEXIBLE mode.
Uniform : Uniform uses identical VM instances. = ScaleSetVMs
Flexible : Achieve high availability at scale with identical or multiple virtual machine types. = VM orchestration
upvoted 2 times

In the exam today 11-DEC-2021
Ans:D. Deploy one virtual machine scale set that is set to ScaleSetVM orchestration mode.
upvoted 1 times

Selected Answer: D
The scalesetVM has new name 'uniform' orchestration mode, which create uniform VMs and uses VMSS API to manage.
Another orchestration mode is Flexible Orchestration mode, which uses VM API to individually manages VMs.
upvoted 5 times

upvoted 1 times

Free Microsoft Learners, What's up :*
upvoted 3 times

Shouldn't option C and D be updated to something like this:
C. Deploy one virtual machine scale set that is set to “Flexible” orchestration mode.
D. Deploy one virtual machine scale set that is set to “Uniform” orchestration mode.
------------------
Description:
-------------------
Choose how virtual machines are managed by the scale set.
In flexible orchestration mode (preview), you manually create and add a virtual machine of any configuration to the scale set.
In uniform orchestration mode, you define a virtual machine model and Azure will generate identical instances based on that model.
upvoted 1 times

Hasn't this changed to Uniform orchestration or Flexible orchestration modes?
upvoted 3 times

Answer is correct
ScaleSetVm orchestration mode
upvoted 1 times

D is answer.
Vm scale set can be created in 2 ways.
Virtual machine scale sets will support 2 distinct orchestration modes:
01- ScaleSetVM – Virtual machine instances added to the scale set are based on the scale set configuration model. The virtual machine
instance lifecycle - creation, update, deletion - is managed by the scale set. ( Scale set vms are created in a single shot)
02 - VM (virtual machines) – Virtual machines created outside of the scale set can be explicitly added to the scale set. (Separately vms are
created and added to scale set later)
upvoted 4 times
  superb123 11 months, 3 weeks ago

cum on 12/12/2023
upvoted 2 times

Got any other nuggets of wisdom to share with us from the future?
upvoted 3 times

Answer D. is correct. ScaleSetVM – Virtual machine instances added to the scale set are based on the scale set configuration model. The
virtual machine instance lifecycle - creation, update, deletion - is managed by the scale set.
upvoted 2 times

ScaleSetVM – Virtual machine instances added to the scale set are based on the scale set configuration model. The virtual machine
instance lifecycle - creation, update, deletion - is managed by the scale set.
VM (virtual machines) – Virtual machines created outside of the scale set can be explicitly added to the scaleset.
upvoted 3 times

Come in 15/01/2021
upvoted 7 times

ScaleSetVM – Virtual machine instances added to the scale set are based on the scale set configuration model. The virtual machine
instance lifecycle - creation, update, deletion - is managed by the scale set.
VM (virtual machines) – Virtual machines created outside of the scale set can be explicitly added to the scaleset.
https://docs.microsoft.com/en-us/previous-versions/azure/virtual-machine-scale-sets/orchestration-modes
upvoted 4 times
  Lalithadevi 1 year, 2 months ago

D. Deploy one virtual machine scale set that is set to ScaleSetVM orchestration mode is correct answer,.
upvoted 2 times
You plan to create the Azure web apps shown in the following table.
What is the minimum number of App Service plans you should create for the web apps?
A. 1
B. 2
C. 3
D. 4
Correct Answer: A

B (91%) 9%

Shoud be 2.
There are runtimes that run only Linux and Only Windows. Ruby on Linux, ASP.NET on Windows. .NET Core and PHP runs on both.
When you create an app ruby on linux, you cannot select a service plan tha runs on Windows.
upvoted 110 times
  hbergun 1 year, 1 month ago

I have test this situation and yes must be 2
1-Both
2-Windows Only
3-Both
4-Linux Only
and then you cant use windows and linux apps in the same App Service Plan beacuse when you create a new app service plan you have
to choose the os type.
upvoted 26 times

100% agreed
upvoted 4 times
  sn0rlaxxx 1 year, 2 months ago

Correct. Answer should be 2
upvoted 6 times
  Leandroalonso 1 year, 2 months ago

I have tested this directly on Portal.
upvoted 15 times

Correct Answer: B
.NET Core 3.0: Windows and Linux

ASP .NET V4.7: Windows only
PHP 7.3: Windows and Linux
Ruby 2.6: Linux only
Also, you can’t use Windows and Linux Apps in the same App Service Plan, beacuse when you create a new App Service plan you have to
choose the OS type. You can't mix Windows and Linux apps in the same App Service plan.
So, you need 2 ASPs.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/overview
upvoted 52 times
  Kkunal Most Recent  1 day, 17 hours ago

2 is correct
upvoted 1 times

Selected Answer: B
Linux + Windows... quick math
upvoted 1 times

Selected Answer: B
One for linux (.net core) and one for windows (asp.net)
upvoted 1 times

Selected Answer: B
It's B
upvoted 1 times

Selected Answer: B
This should be B. Windows can run ASP.NET and Linux can NOT. Linux can Ruby and Windows can NOT. Windows and Linux can both run
PHP.
upvoted 2 times

Ans: B. 2
upvoted 4 times
  divyansh152 2 months, 2 weeks ago

Selected Answer: A
i think a is correct
upvoted 1 times

Selected Answer: B
dgdgdbdfN fVn zfgbn DFDnbd dsg sd
upvoted 1 times
  Kiketon 2 months, 2 weeks ago

Selected Answer: B
Ruby must be on Linux and ASP .NET must be on Windows.
upvoted 1 times
  WJD 2 months, 2 weeks ago

Selected Answer: B
windows and linux = 2
upvoted 1 times

upvoted 5 times
  Ami009 2 months, 3 weeks ago

what is the correct answer? did you pass the exam?
upvoted 1 times
  rockhound 3 months ago

Selected Answer: B
There are runtimes that run only Linux and Only Windows. Ruby on Linux, ASP.NET on Windows. .NET Core and PHP runs on both.
When you create an app ruby on linux, you cannot select a service plan tha runs on Windows.
upvoted 2 times
  paliosa 3 months, 2 weeks ago

Hello, Im Study in the Microsoft Partner Training and my Instructor Answer that The Minimum are 2 App Service, because of RUBY.
upvoted 3 times

upvoted 2 times
  estherson 4 months, 1 week ago

Correct answer must be "B"
Linux supports -->Ruby, Php & .NetCore(cross-platform)
Windows supports -->ASP.net(native to windows), php, .NET Core.
upvoted 1 times
HOTSPOT -
You have a pay-as-you-go Azure subscription that contains the virtual machines shown in the following table.
You create the budget shown in the following exhibit.
The AG1 action group contains a user named [email protected] only.

Hot Area:
Correct Answer:
Box 1: VM1 is turned off, and VM2 continues to run

The budget alerts are for Resource Group RG1, which include VM1, but not VM2.
Box 2: one email notification will be sent each month.
Budget alerts for Resource Group RG1, which include VM1, but not VM2.VM1 consumes 20 Euro/day. The 50%, 500 Euro limit, will be reached in
25 days, and an email will be sent.
The 70% and 100% alert conditions will not be reached within a month, and they don't trigger email actions anyway.
Credit alerts: Credit alerts are generated automatically at 90% and at 100% of your Azure credit balance. Whenever an alert is generated, it's
reflected in cost alerts and in the email sent to the account owners. 90% and 100% will not be reached though.
Reference:
https://docs.microsoft.com/en-us/azure/cost-management-billing/costs/cost-mgt-alerts-monitor-usage-spending

Correct Answer:
Box 1: VM1 and VM2 continue to run

The Budget’s scope is RG1, so only VM1 will be handled.
When the budget thresholds you've created are exceeded, only notifications are triggered.
To stop resources, you need to setup additional things, none of which are mentioned in the question.
Box 2: one email notification will be sent each month.
Budget alerts have scope in Resource Group RG1, which includes VM1, but not VM2.
VM1 consumes 20 Euro/day, so 20 euros * 30 days = 600 euros.
The 50%, 500 Euro limit, will be reached in 25 days (25*20 = 500), so an email will be sent.
The 70% and 100% alert conditions will not be reached within a month, and they don't trigger email actions anyway, because AG1 action
group contains a user.
Credit alerts: Credit alerts are generated automatically at 90% and at 100% of your Azure credit balance. Whenever an alert is generated,
it's reflected in cost alerts and in the email sent to the account owners. 90% and 100% will not be reached though.
upvoted 115 times

Yo Da'man!
upvoted 1 times

Sir, you are a rock star. I learn from you.
upvoted 4 times

I hope addressing you as sir, is correct. If not, fill it in.
upvoted 2 times

policy apply only RG1 (VM1). so only VM1 stop
upvoted 1 times

Answer is Wrong. Correct is
- VM1 and VM2 continues to run. First the Alerts is managed only for VM1 in the scope of RG1. Second, when alert hits 100%, the action
group is a Azure app, which I assume a Azure logic App. It is not clear what this app does. accordingly, we can assume no action to stop
the VM as a spending limit. It is just an alert.
- The second answer is wrong. the alert will send an two email notification , one based on Action group AG1 and another based on the
alert recipients (the admin)
upvoted 89 times
  SnakePlissken 9 months, 3 weeks ago

- VM1 and VM2 continue to run. When the budget thresholds you've created are exceeded, only notifications are triggered. None of
your resources are affected and your consumption isn't stopped.
https://docs.microsoft.com/en-us/azure/cost-management-billing/costs/tutorial-acm-create-budgets
- Only one email will be sent each month. Only if you don’t specify a particular action group, an email is sent to the alert recipients.
https://www.codit.eu/blog/control-your-azure-costs-through-budget-alerts
upvoted 41 times
  joelabc1234 2 months, 2 weeks ago

This is the correct answer. As stated the thresholds only affect RG1 where VM1 is located and it is not scoped on RG2 where VM2
resides.
upvoted 1 times

explain why there's only 1 email.
upvoted 1 times

because if you see the daily consumption it is 20 usd.. multiply by 30 it comes around 600 usd..First alert is send around 500 usd..
Going by the current consumption it wont reach 700 usd when the second alert is triggered.
upvoted 3 times

Thank you @e_karma!
upvoted 2 times

Make more sense, upvoted.
upvoted 3 times

Did we miss 'pay-as-you-go' Azure subscription?
upvoted 1 times

That's what I thought! Thanks for the clear-cut explanation.
upvoted 4 times
  Lapiduse 1 year, 1 month ago

Agree:
- the alert will send an two email notification:
one based on Action group AG1 (admin) 50% and another based on the alert recipients (user) 100% of the budget.
upvoted 5 times

what happened if they under budget ?
=> so answer 1 email is correct (policy apply only for RG1)
upvoted 2 times

when they 100% of budget will send SMS
upvoted 1 times
  LionelM Most Recent  3 weeks, 4 days ago

Thanks to the contributors with the correct answers otherwise this website is useless with most of the answers incorrect
upvoted 2 times
  Ashwin2751 2 months, 3 weeks ago

The question there is what happens if vm1 hits Maximum budget it will stop and since vm2 is not in same RG this role won’t apply for it
and since the daily usage is 20 so 20*30 = 600 so as per rule 1 email will be sent so based on the questions it’s a least suitable ans
upvoted 1 times

The budget is scoped only to RG1. So only 1 email will be sent. And only VM1 will be turned 1 when budget is reached.
Answer is correct.
upvoted 2 times

upvoted 4 times

VM1 and VM2 continues to run. - because this is pay as you go subscription and doesnt have any limit set
upvoted 1 times

VM1 and VM2 continues to run.
upvoted 1 times

Correcr answer.
The budge applies to RG1 only.

Based on the table, 20 euro is spent daily. that makes it 560euro monthly cost. An email will be sent monthly.
upvoted 1 times

The trick is the value that appears on the screenshot does not have enough information to tell us how much it would cost daily. It's to
distract you from the table. The figure that appears there does not indicate how only the machine was used for. It could cost for 1-hour
usage, 2 hours... we don't know because we don't have access to that many details. However, they've provided us with the table and
told us how much it costs daily - So we have to go with the amount given in the table above.
upvoted 1 times

When the budget thresholds you've created are exceeded, only notifications are triggered. None of your resources are affected and your
consumption isn't stopped.
https://docs.microsoft.com/en-us/azure/cost-management-billing/costs/tutorial-acm-create-budgets
answers will be
-> VM1, VM2 continue to run
-> one email notification
upvoted 1 times

fedztedz answer is correct, we do not know the logic of "1 Azure App" Action group. it is possible the given answers are correct
upvoted 1 times

A common budgets scenario for a customer running a non-critical workload could occur when they want to manage against a budget and
also get to a predictable cost when looking at the monthly invoice. This scenario requires some cost-based orchestration of resources that
are part of the Azure environment. In this scenario, a monthly budget of $1000 for the subscription is set. Also, notification thresholds are
set to trigger a few orchestrations. This scenario starts with an 80% cost threshold, which will stop all VMs in the resource group Optional.
Then, at the 100% cost threshold, all VM instances will be stopped.
https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/cost-management-budget-scenario
all answer are corrects

upvoted 2 times

Whenever an alert is generated, it's shown in cost alerts. An alert email is also sent to the people in the alert recipients list of the budget.
Budget alerts
Budget alerts notify you when spending, based on usage or cost, reaches or exceeds the amount defined in the alert condition of the
budget. Cost Management budgets are created using the Azure portal or the Azure Consumption API.
In the Azure portal, budgets are defined by cost. Using the Azure Consumption API, budgets are defined by cost or by consumption usage.
Budget alerts support both cost-based and usage-based budgets. Budget alerts are generated automatically whenever the budget alert
conditions are met. You can view all cost alerts in the Azure portal.
You can use the Budget API to send email alerts in a different language. For more information, see Supported locales for budget alert
emails.
upvoted 1 times
  korben_dallas 7 months, 1 week ago

VM1 and VM2 continues to run
Two emails
Budget alerts are generated automatically whenever the budget alert conditions are met. You can view all cost alerts in the Azure portal.
upvoted 3 times

Maybe I should drink a cup of coffee, but the table shows the "daily cost" and question 2 asks for "based on the ***current usage***", and
the current usage is around 5 Euros. Shouldn't be "no emails" the correct answer?
I know that the daily costs is 20 or 30, so daily costs * 30 days will be greater than or smaller than the budget, but the question saying
about the "current usage" and the gauge showing what was the current cost, let me in doubt.
upvoted 2 times

The trick is the value that appears on the screenshot does not have enough information to tell us how much it would cost daily. It's to
distract you from the table. The figure that appears there does not indicate how only the machine was used for. It could cost for 1-hour
usage, 2 hours... we don't know because we don't have access to that many details. However, they've provided us with the table and
told us how much it costs daily - So we have to go with the amount given in the table above.
upvoted 1 times

*long the machine...
upvoted 1 times

This question came in exam
upvoted 3 times
  NareshNK 8 months, 2 weeks ago

Answer:
VM1 and VM2 continue to run.
One email based on alert set only to [email protected] because RG1 alert has only 1 user ie: admin.
RG2 and RG3 alert condition will never reach thus [email protected] doesn't apply
upvoted 5 times
  tzaroon 7 months, 1 week ago

at 90% VM2 with 30x30 = 900 with send the email
upvoted 1 times

VM1 and VM2 continue to run; there's only one email notification every month, in AG1 there's only one email recipient User1.
upvoted 2 times
You have an Azure subscription named Subscription1. Subscription1 contains a resource group named RG1. RG1 contains resources that were
deployed by using templates.
You need to view the date and time when the resources were created in RG1.
Solution: From the Subscriptions blade, you select the subscription, and then click Programmatic deployment.
A. Yes
B. No
Correct Answer: B
From the RG1 blade, click Deployments. You see a history of deployment for the resource group.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell

Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-
powershell
upvoted 28 times
  bobbywilly Highly Voted  1 year, 5 months ago

No is the correct
upvoted 13 times

Here's something I could only learn here. I often went to the Activity Log for the resource or in the Azure monitor. No wonder why it never
found a good answer. :)
upvoted 2 times

Answer is correct
To find the details of resource deployment - deployment from RG1 blade
upvoted 2 times

B is the Answer
upvoted 4 times

Answer B. is correct. You should use the Deployments blade.
upvoted 4 times

Answer is correct. NO
upvoted 8 times
  sanovi 1 year, 6 months ago

how to check the timing for the deployment ???
upvoted 2 times
  zyta 1 year, 6 months ago

select resource group you have, open blade "deployments", go through the list of the events. You will see there log of events with
statuses and timestamps of when the action was done
upvoted 9 times

Solution: You create a new network interface, and then you add the network interface to VM1.
A. Yes
B. No
Correct Answer: B
You should delete VM1. You recreate VM1, and then you add the network interface for VM1.
Reference:

VNET2.
Reference:
upvoted 24 times

Answer is correct. NO (B)
upvoted 18 times
  deltarj Most Recent  3 weeks ago

q27, q28, q29 & q42 are in pack. [remember: Delete&Recreate!]
upvoted 2 times

upvoted 5 times
  Khana 3 months, 4 weeks ago

repeated question
upvoted 1 times
  nfett 9 months ago

Answer is B. repeated question.
upvoted 2 times

The provided answer is correct.
upvoted 1 times

No is correct
upvoted 2 times
  NickyDee 1 year, 1 month ago

Delete and recreate VM
upvoted 3 times
You have an Azure Active Directory (Azure AD) tenant named adatum.com that contains the users shown in the following table.
Adatum.com has the following configurations:

✑ Users may join devices to Azure AD is set to User1.
✑ Additional local administrators on Azure AD joined devices is set to None.
You deploy Windows 10 to a computer named Computer1. User1 joins Computer1 to adatum.com.
You need to identify the local Administrator group membership on Computer1.
Which users are members of the local Administrators group?
A. User1 only
B. User2 only
C. User1 and User2 only
D. User1, User2, and User3 only
E. User1, User2, User3, and User4
Correct Answer: C
Users may join devices to Azure AD - This setting enables you to select the users who can register their devices as Azure AD joined devices.
The default is All.
Additional local administrators on Azure AD joined devices - You can select the users that are granted local administrator rights on a device.
Users added here are added to the Device Administrators role in Azure AD. Global administrators, here User2, in Azure AD and device owners
are granted local administrator rights by default.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal

Answer is correct . User 1 and User 2 only.
First the only user who can join Azure AD devices is User 1 . since User1 is admin on machine. So, the machine can be added.
Second, the ones that can be local admins on Windows 10 are managed under "Additional local administrators" , since this is not
mentioned, so we can assume default.
By default, the ones are global administrator and device owners (device administrators). This lead us to User1 and User2 only
upvoted 112 times
  ik96 4 months, 3 weeks ago

correct answer
upvoted 5 times
  kt_tk_2020 Highly Voted  1 year, 2 months ago

ans : D,
When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principals to the local
The Azure AD global administrator role

The Azure AD device administrator role
The user performing the Azure AD join
upvoted 28 times
  Rob89435 6 months ago

It's the 'Azure AD joined device local administrator role' not the 'Cloud Device Administrator'.
So C is correct.
The Azure AD joined device local administrator role
upvoted 11 times

Cloud Device Administrator
Users in this role can enable, disable, and delete devices in Azure AD and read Windows 10 BitLocker keys (if present) in the Azure
portal. The role does not grant permissions to manage any other properties on the device.
answer is C
upvoted 8 times
  akash2504 9 months, 1 week ago


The Azure AD device administrator role
ans is D
upvoted 3 times
  lodo 1 year, 2 months ago

Ans C, cause the AZ AD device admin is added, not the AZ AD CLOUD device admin
upvoted 8 times
  Pukacz 1 year, 1 month ago

Yes, here are the role descriptions https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
so the answer C is correct.
upvoted 4 times

upvoted 4 times

For BuiltinRoles
upvoted 1 times

(Updating my previous comment.)
- A cloud administrator is not a built-in A AD role. It's not RBAC either - probably a custom for cloud resources at best. I did a quick search
but found nothing in the built-in roles.
- Intune Administrator is an *AAD role but only applies to devices registered with Intune.
User1 is a local administrator

- When the device is joined to AAD the Global administrator is added to the device as a local and a domain admin - has access to
everything
Revealed answer is correct.

upvoted 3 times

How I wish I could delete this - coming back here after a month. I realise this is completely wrong. A Cloud Device Administrator is a
built-in Role. I was looking at the wrong thing somehow, I must have been tired. My apologies.
upvoted 1 times

apply to devices & *users...
upvoted 1 times

A cloud administrator is not a built-in A AD role.
Intune Administrator is a RBAC role.
User1 is a local administrator -

When the device is joined to AAD the global administrator is added to the device as a local and has access to everything
Answer is correct.
upvoted 1 times

Above comment is innacure, please accept my appologies.
- A cloud administrator is not a built-in A AD role. It's not RBAC either - probably a custom for cloud resources at best. I did a quick
search but found nothing in the built-in roles.
- Intune Administrator is an *AAD role but only applies to devices registered with Intune.
- User1 is a local administrator
- When the device is joined to AAD the Global administrator is added to the device as a local and a domain admin - has access to
everything
Revealed answer is correct.

upvoted 2 times

apply to devices & *users...
upvoted 1 times

How I wish I could delete this - coming back here after a month. I realise this is completely wrong. A Cloud Device Administrator is a
built-in Role. I was looking at the wrong thing somehow, I must have been tired. My apologies.
upvoted 2 times
  Adebowale 6 months, 2 weeks ago

User1 and User2 only is correct
upvoted 1 times
  TestMaster 6 months, 3 weeks ago

Question appeared in exam today
upvoted 3 times

According to MS:

The Azure AD joined device local administrator role
Since the option "Additional local administrators on Azure AD joined devices" is set to "None", it only applies to Global Admin and the User
who joined the device.
upvoted 2 times
  nikitaniks 7 months, 3 weeks ago

The Azure AD global administrator role (User 2)
The Azure AD device administrator role (No one here it is mentioned cloud device admin )
The user performing the Azure AD join (Here it is User 1)
upvoted 1 times
  ashishg2105 9 months, 2 weeks ago

D is correct answer.
The user who joins the machine will be added the local administrator’s group on the local machine. In addition to this, any users who have
the Global Administrators role or the device administrator’s role will be added to the local administrators group on the local machine.
upvoted 2 times

https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin#how-it-works
upvoted 1 times

https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal
upvoted 1 times

Answer is correct
User1 and User2
upvoted 1 times
  incubutus 11 months, 2 weeks ago

Yes, Correct. User1 and User2 as when you Azure Join a computer, the user used to join will be granted Local Admin, while the global
admins can log into the computer.
upvoted 2 times
When join to Azure AD deafualt added

Global Admin
Device Admin
User who add device to AD
as per question
User 1 - who add the device
User 2- Global admin
Other admin are not in allowed list
upvoted 9 times

C. User1 and User2 only
upvoted 7 times
HOTSPOT -
You have Azure subscriptions named Subscription1 and Subscription2.
Subscription1 has following resource groups:
RG1 includes a web app named App1 in the West Europe location.
Subscription2 contains the following resource groups:
Hot Area:
Correct Answer:
Box 1: No -
RG2 is read only. ReadOnly means authorized users can read a resource, but they cannot delete or update the resource.
Box 2: Yes -
Box 3: Yes -
Note:
App Service resources are region-specific and cannot be moved directly across regions. You can move the App Service resource by creating a
copy of your existing App Service resource in the target region, then move your content over to the new app. You can then delete the source app
and App Service plan.
To make copying your app easier, you can clone an individual App Service app into an App Service plan in another region.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/manage-move-across-regions https://docs.microsoft.com/en-us/azure/azure-resource-
manager/management/move-limitations/app-service-move-limitations

Answer is Correct. Yes Yes Yes
- the lock is only effecting the resources itself with edit/delete. Which means If the resource is in a resource group with no lock types then
it is free to move to any other group even if the other group has lock type read only or delete.
However if the resource is a RG with read-only lock , it can NOT be moved. In case of no delete lock , it can be moved.
upvoted 79 times
  Gde360 6 months, 4 weeks ago

N,Y,Y.
The first question was tested on Azure.
Created RG1, RG2. both are in West Europe. RG2 has assigned READ-ONLY lock.
Created web-App name App11223344 (same location as RG1,RG2) in RG1.
Removing App11223344 to RG2 failed.
------------------------------
information: request correlation id 'fd5981c2-705b-4966-b438-cd760bd1a13f'.","details":
[{"code":"ResourceMovePolicyValidationFailed","target":"Microsoft.Web/Microsoft.Web/sites/App11223344","message":"{\"error\":
{\"code\":\"ScopeLocked\",\"message\":\"The scope '/subscriptions/2df00a78-a9c5-4c98-92ef-
aa1fbbb50e6f/resourcegroups/RG2/providers/Microsoft.Web/sites/App11223344' cannot perform write operation because following
scope(s) are locked: '/subscriptions/2df00a78-a9c5-4c98-92ef-aa1fbbb50e6f/resourceGroups/RG2'. Please remove the lock and try
again.\"}}"}]}
upvoted 60 times

Same here, can't move - N, Y, Y.
information: subscription id '082877ab-8970-41b0-8ba8-5246ccda0cbe', request correlation id 'eec62f30-ecd6-49b1-995c-
e8efc3072e0a'.","details":
[{"code":"ResourceMovePolicyValidationFailed","target":"Microsoft.Network/Microsoft.Network/virtualNetworks/test1","message":"
{\"error\":{\"code\":\"ScopeLocked\",\"message\":\"The scope '/subscriptions/082877ab-8970-41b0-8ba8-
5246ccda0cbe/resourcegroups/pk_test_2/providers/Microsoft.Network/virtualNetworks/test1' cannot perform write operation
because following scope(s) are locked: '/subscriptions/082877ab-8970-41b0-8ba8-5246ccda0cbe/resourceGroups/pk_test_2'. Please
remove the lock and try again.\"}}"}]}
upvoted 3 times

Incorrect. Tested in my account. Cannot move resources to a RG which has Read-only lock..
Ans is
N: Cant move
Y: Can move
Y: Can move
upvoted 9 times

Earlier it's possible to RG even if it has RO lock. After move the lock effects on App moved to.
upvoted 2 times

:O did fedztedz get one wrong?!?!
upvoted 10 times
  Aru23 1 month ago

no, he is rght..the correct ans is YYY
upvoted 1 times
  s9p3r7 7 months, 4 weeks ago

NYY, I just test it the first one , moving resources to a read-only RG will fail in the validation operation with "cannot perform write
operation because following scope(s) are locked..."
upvoted 25 times

Yes NYY is the correct answer, since move resources to read only RG will raise error "ResourceMovePolicyValidationFailed"
upvoted 7 times

Correct Answer:
Locks are designed for any update or removal. In this case we want to move only, we are not deleting, and we are not changing anything
in the resource. For this reason, all of them are 'Y'.
Box 1: Yes
Box 2: Yes
Box 3: Yes
upvoted 17 times
  osnop 8 months, 2 weeks ago

I tested the first question and i cannot move resources in a RG with a Read-Only lock, so the Box1 should be "No"
upvoted 10 times

Tried again, same. Cant move:
information: subscription id '082877ab-8970-41b0-8ba8-5246ccda0cbe', request correlation id 'eec62f30-ecd6-49b1-995c-
e8efc3072e0a'.","details":
[{"code":"ResourceMovePolicyValidationFailed","target":"Microsoft.Network/Microsoft.Network/virtualNetworks/test1","message":"
{\"error\":{\"code\":\"ScopeLocked\",\"message\":\"The scope '/subscriptions/082877ab-8970-41b0-8ba8-
5246ccda0cbe/resourcegroups/pk_test_2/providers/Microsoft.Network/virtualNetworks/test1' cannot perform write operation
because following scope(s) are locked: '/subscriptions/082877ab-8970-41b0-8ba8-5246ccda0cbe/resourceGroups/pk_test_2'. Please
remove the lock and try again.\"}}"}]}
upvoted 2 times
  Az_dasappan Most Recent  3 days, 4 hours ago

NO ,YES , YES ---tested in LAB
upvoted 1 times

N
Y
Y
LAB TESTED
upvoted 1 times
  Azam291908 3 weeks, 5 days ago

fedztedz is right.
We can move from normal-> read but not from read-> normal
upvoted 1 times
  nsotis28 1 month, 3 weeks ago

tested on LAB , NYY
upvoted 1 times
  jackAttew_1 1 month, 3 weeks ago

Regarding last two ; I think you can clone not move!!
App Service resources are region-specific and can't be moved across regions. You must create a copy of your existing App Service
resources in the target region, then move your content over to the new app. If your source app uses a custom domain, you can migrate it
to the new app in the target region when you're finished.
https://docs.microsoft.com/en-us/azure/app-service/manage-move-across-regions
upvoted 2 times
  azzouz 1 month, 3 weeks ago

The question is about moving to another RG not to another region. The service itself can remain in its region but move to an RG that is
in a different region.
upvoted 2 times
  hard2learn 2 months ago

N,Y,Y
Azure has basically two kinds of locks known as read-only and delete lock.
1- Read-only lock is something similar to assigning a reader role for your users. The authorized users will not be able to modify the
resource, but they can only read from the resource.
2- With delete lock, authorized users will be able to read and modify the resource, but will not be allowed to delete the resource.
https://www.mssqltips.com/sqlservertip/6167/locking-resources-in-azure-with-read-only-or-delete-locks/
upvoted 1 times
  sanbt 2 months, 1 week ago

We cannot move any resources to the RG with Read lock. So answer should be N,Y, Y
upvoted 2 times
  Zubaer 2 months, 1 week ago

App Service resources are region-specific and can't be moved across regions. You must create a copy of your existing App Service
resources in the target region, then move your content over to the new app. If your source app uses a custom domain, you can migrate it
to the new app in the target region when you're finished.
upvoted 1 times
  mumu_myk 2 months, 2 weeks ago

the Note in the solution says create a copy of the app - I read that as, no the app cant be moved, you created a new one. should it be N-N-
N
upvoted 1 times

NO : RG2 has Read Only lock that means write operations cant be performed
YES : RG3 Has delete lock that means you cant delete but you can definitely move to that RG
YES : RG4 Had no Locks .
upvoted 1 times
Yes, Yes, Yes

"The resource group is read only and tags on the resource group can't be modified. Not Locked resources can be added, moved, changed,
or deleted from this resource group"
https://docs.microsoft.com/en-us/azure/governance/blueprints/concepts/resource-locking
upvoted 1 times

Sorry, should be No, Yes, Yes.
The link I posted is irrelevant.
upvoted 1 times
  Madhavc 3 months ago

Ans: N-Y-Y
tested in lab.
we can't move resource to Read-only RG. Because if move its going to update RG metadata, which is not valid as per Read-only lock.
upvoted 2 times

Ok, we all know at this point that the answer is No, YES, YES, since you cannot move anything to a RG that is in Read-only... now what
would happen if the Read only lock was only set on RG1? Answer would be Y, Y, Y, correct?
upvoted 1 times

tested, webapp in WEurope in RG1 , RG2 locked with read-only, moving the webapp to RG2 failed.
upvoted 5 times
  Barrie 4 months ago

Very poorly worded question. Strictly speaking the answer in N, N, N as you cannot move an app across regions seamlessly as the answers
would lead you to believe
For this questions purpose it is N, Y, Y as by moves it seems to also cover the fact you clone the app in the 2nd region and move the data.
To me this is not "moving the app"
upvoted 5 times

Careful, the location is the location of the RG's metadata not the app service. So you can move between RGs and Subcriptions with
some limitations :
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-limitations/app-service-move-limitations
For example you can't have another app service in the destination RGs.
upvoted 1 times

This is the exact doubt i was having ..because elsewhere it is mentioned that you cannot move the app across regions..
upvoted 1 times
HOTSPOT -
You have an Azure subscription named Subscription1 that contains the following resource group:
✑ Name: RG1
✑ Region: West US
✑ Tag: `tag1`: `value1`
You assign an Azure policy named Policy1 to Subscription1 by using the following configurations:
✑ Exclusions: None
✑ Policy definition: Append a tag and its value to resources
✑ Assignment name: Policy1
✑ Parameters:
✑ Tag name: tag2
✑ Tag value: value2
After Policy1 is assigned, you create a storage account that has the following configuration:
✑ Name: storage1
✑ Location: West US
✑ Resource group: RG1
✑ Tags: `tag3`: `value3`
You need to identify which tags are assigned to each resource.
What should you identify? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: "tag1": "value1" only -

Box 2: "tag2": "value2" and "tag3": "value3" only
Tags applied to the resource group are not inherited by the resources in that resource group.
Reference:

Answer is correct.
- for RG1, nothing is changed as the policy is only applied on resources not resource groups. So, the answer is tag1: value1
- for storage account, the policy is applied as a new resource is created. Also, nothing mentioned about inheritance from RG. accordingly,
the answer is tag2:value2 from policy1 and tag3: value3 as applied directly.
upvoted 59 times

I agree but just to add that there is a typo. It says "tag3" "value2" when it should be "tag3" "value3".
upvoted 2 times

Don't you think resource group is not getting the tag because it was created first then policy was made ?
upvoted 2 times
  jimmyli 7 months ago

Nope. check out this link: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags
go to the Policy "Add a tag to resources" section in above link, you will find "...Does not modify tags on resource groups." in
Description
upvoted 1 times

FYI - For applying tags to a Resource Group - Adds the specified tag and value when any resource group missing this tag is
created or updated. Existing resource groups can be remediated by triggering a remediation task. If the tag exists with a
different value it will not be changed.
sidharthwader is correct
upvoted 4 times
  gggr Highly Voted  1 year, 2 months ago

Is this mistype? "tag2": "value2" and "tag3":"value3" must be for storage1
upvoted 11 times
  sjccde 1 year, 2 months ago

yes, there is a typo, but tags2+3 are applied.
upvoted 6 times

upvoted 2 times
  Juli98 1 month, 1 week ago

Append a tag and its value to resources
Built-in
Appends the specified tag and value when any resource which is missing this tag is created or updated. Does not modify the tags of
resources created before this policy was applied until those resources are changed. Does not apply to resource groups. New 'modify'
effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc).
Does not affect RG. Answers are corrects

upvoted 2 times

Also note that, Tags applied to the resource group or subscription aren't inherited by the resources. That's why we use Azure Policies to
apply tags from a subscription or resource group to the resources.
upvoted 3 times

Was in exam 15/11/2021 - And an FYI: There is a case study at the start of the exam
upvoted 6 times

Answer is correct however it may interest someone to know that via Azure Policy, Tags can also now be applied to existing resources with
the new Modify effect and a remediation task. REF: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-
policies
But seeing as the question doesn't mention the creation of a remediation task it wouldn't apply to existing resrouces
upvoted 2 times

The answer is wrong.
Policy1 is applied at the subscription level. Meaning, every item will be tagged with tag2:value2
RG1
- tag1value1
- tage2:value2 (by policy)
Storag1
-tag2:Value2 (policy1)
-tag3:Value3
upvoted 3 times

incorrect.... question says "Policy definition: Append a tag and its value to resources"
In this case, policy only applies to resources not resource group.
upvoted 3 times

I think you're correct. I tend to think RG are resources but they are not. Thank you for correcting me.
upvoted 1 times
  ooma_sharma 6 months ago

a- Tag1: Value1
b- "tag2": "value2" and "tag3":"value3"
Check below doc-
Append a tag and its value to resource groups Appends the specified tag and value when any resource group which is missing this tag is
created or updated. Does not modify the tags of resource groups created before this policy was applied until those resource groups are
changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc).
upvoted 2 times
  Grider 6 months, 1 week ago

Azure policy applies tag to RG. New possibilities can remediate RG and apply tag on RG.
1 Answer is wrong. It should be tag 1, tag 2
upvoted 1 times

upvoted 3 times

1. tag1 : value1
2. tag2 : value2 & tag3 : value3
upvoted 3 times

in 09-03-21
upvoted 2 times

upvoted 3 times

01 - Tag1;Value1 ->Assigned Manually (Policy not applicable for RG)
02 - Tag2;Valu2 Tag3:Value3 > Assigned from Policy 1 & Assign manually
upvoted 2 times

01- correction> 01.-Policy will not applicable to previously created RG unless a remediation.
upvoted 1 times
  Merma 11 months, 3 weeks ago

Correct, lab tested.
Box 1 tag1 : value1
Box 2 tag2 : value2 & tag3 : value3
upvoted 5 times

Both answers are correct after typo fix "tag3":"value3"
upvoted 3 times
HOTSPOT -
In Subscription1, you create an alert rule named Alert1.
The Alert1 action group is configured as shown in the following exhibit.
Alert1 alert criteria triggered every minute.

Hot Area:
Correct Answer:
Box 1: 60 -
One alert per minute will trigger one email per minute.
Box 2: 12 -
No more than 1 SMS every 5 minutes can be send, which equals 12 per hour.
Note: Rate limiting is a suspension of notifications that occurs when too many are sent to a particular phone number, email address or device.
Rate limiting ensures that alerts are manageable and actionable.
The rate limit thresholds are:
✑ SMS: No more than 1 SMS every 5 minutes.
✑ Voice: No more than 1 Voice call every 5 minutes.

✑ Email: No more than 100 emails in an hour.
✑ Other actions are not rate limited.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-rate-limiting

Correct Answer:
Box 1: 60
Box 2: 12 or 0
-If it’s a typo and it means Alert1, then Answer = 12 (60/5 = 12)
-If it is actually Alert2 then Answer = 0
No more than 1 SMS every 5 minutes can be send, which equals 12 per hour (60/5 = 12).
Note: Rate limiting is a suspension of notifications that occurs when too many are sent to a particular phone number, email address or
device. Rate limiting ensures that alerts are manageable and actionable.

✑ SMS: No more than 1 SMS every 5 minutes.
✑ Voice: No more than 1 Voice call every 5 minutes.
✑ Email: No more than 100 emails in an hour.
✑ Other actions are not rate limited.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-rate-limiting
upvoted 89 times
  Gadzee 4 weeks, 1 day ago

Alert 2 should be 0.
upvoted 2 times

This is so much work you've done for us all. They probably meant alert1 in that next question
upvoted 14 times
  krisbla Highly Voted  9 months, 3 weeks ago

** Take another look *
BOX 1: 60
BOX 2: Not sure if its a typo.. but it says "Alert2" .. they do not mention Alert2 only Alert1.
-If they meant Alert1 then Answer = 12
-If they meant Alert2 then Answer = 0
upvoted 15 times
  Gadzee Most Recent  4 weeks, 1 day ago

Agreed
upvoted 1 times
  starseed 3 months, 1 week ago

SMS: No more than 1 SMS every 5 minutes.
Voice: No more than 1 Voice call every 5 minutes.
Email: No more than 100 emails in an hour.
Other actions are not rate limited.

upvoted 2 times

Is this a typo or are they looking for an alert2 that does not seem to exist?
upvoted 2 times

upvoted 2 times

60emails, 60sms for alert1 in 1hour
There's no alert2 mentioned anywhere.
upvoted 1 times
  jrv116psu 4 months, 2 weeks ago

this is wrong.. sms is rate limited to 1 for every 5 mins

upvoted 1 times

Answer:
Box 1: 60
Keyword in Question - Alert1 alert criteria triggered every minute.
Box 2: 12
-If it’s Alert1, then Answer = 12 (60/5 = 12)
SMS: No more than 1 SMS every 5 minutes = 12 SMS per Hour

- SMS: No more than 1 SMS every 5 minutes = 12 SMS per Hour
- Voice: No more than 1 Voice call every 5 minutes = 12 Voice Call per Hour
- Email: No more than 100 emails in an hour.
- Other actions are not rate limited.
upvoted 1 times
  sham21 9 months ago

It seems like full diagram is not there in question.
upvoted 3 times
  nfett 9 months ago

box 1 is 60. but box two has to be zero. there is no note in there about alert2.
upvoted 3 times
  Chief 9 months, 1 week ago

THE QUESTIONS SAYS ALERT2. DO WE HAVE ALERT2? UNLESS IF ITS A MISTAKE
upvoted 3 times

Correct answer..
There is a limit in azure you can send up to 100 emails in an hour
12 Sms can be sent in an hour (5 per min)
SMS: No more than 1 SMS every 5 minutes.
Voice: No more than 1 Voice call every 5 minutes.
Email: No more than 100 emails in an hour.
upvoted 3 times
  KarryD 9 months, 3 weeks ago

upvoted 1 times

They did not mention alert2 criteria scenario
upvoted 1 times
  Ario 9 months, 3 weeks ago

Box 1: 60
Box 2: 12
No more than 1 SMS every 5 minutes can be send, which equals 12 per hour.
upvoted 4 times
You create virtual machines in Subscription1 as shown in the following table.
You plan to use Vault1 for the backup of as many virtual machines as possible.
Which virtual machines can be backed up to Vault1?
A. VM1 only
B. VM3 and VMC only
C. VM1, VM2, VM3, VMA, VMB, and VMC
D. VM1, VM3, VMA, and VMC only
E. VM1 and VM3 only
Correct Answer: D
To create a vault to protect virtual machines, the vault must be in the same region as the virtual machines. If you have virtual machines in
several regions, create a
Recovery Services vault in each region.
Reference:

Answer is correct. D
The following criteria is important for vault backup, the data source (VM) must be in the same region and subscription. It works with any
resource group or any Operating system. Accordingly the answer is correct.
https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-vms-prepare
upvoted 61 times

Correct Answer: D
To create a Recovery Services Vault to protect Virtual Machines, the vault must be in the same Region as the Virtual Machines. If you have
Virtual Machines in several Regions, create a
Recovery Services Vault in each Region. It works with any resource group or any Operating System.
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-vms-prepare
upvoted 35 times
  ABhi101 Most Recent  1 month, 1 week ago

Vault <-> Same region as VM .
Hence VM1,VM3,VMA,VMC can be backed up
upvoted 1 times
  Kisna03 1 month, 4 weeks ago

In the exam today -22 DEC-2021.
Ans: D. VM1, VM3, VMA, and VMC only
upvoted 4 times

Ans: D. VM1, VM3, VMA, and VMC only
upvoted 5 times

Passed today with 947. This question appeared, correct Answer D
upvoted 3 times

Did you read the questions from here ? Thanx
upvoted 1 times

Easy :)
upvoted 1 times

upvoted 4 times

in exam 7/3/2021
upvoted 2 times

upvoted 3 times
  liviupopa1985 9 months, 1 week ago

Passed the exam today, about 95% of the questions were from here. Good luck to you all!
upvoted 7 times

Wow! I envy you!
upvoted 1 times

The provided answer are correct, VMs have to be in the same region.
upvoted 2 times

Answer D is correct. For azure vault backup , data source should be in a same region and same subscription. It's okay if resource group is
different
upvoted 3 times

D is correct!
The following criteria is important for vault backup, the data source (VM) must be in the same region and subscription. It works with any
resource group or any Operating system. Accordingly the answer is correct.
upvoted 3 times

Answer D. is correct. Vault on the same Region as the source object being protected.
upvoted 2 times

Location: Select the geographic region for the vault. To create a vault to protect any data source, the vault must be in the same region as
the data source.
upvoted 3 times

Agree!
upvoted 2 times

Agree D, but doesn't make sense how the table2 shows VM3 is in RG2 in West Europe, but table1 says RG2 is in North Europe??
upvoted 3 times
  Hardikm007 1 year, 1 month ago

Its not necessary for RG and resource in same region.
upvoted 2 times
You have an Azure Kubernetes Service (AKS) cluster named AKS1.

You need to configure cluster autoscaler for AKS1.
Which two tools should you use? Each correct answer presents a complete solution.
A. the kubectl command
B. the az aks command
C. the Set-AzVm cmdlet
D. the Azure portal
E. the Set-AzAks cmdlet
Correct Answer: AB
A: The following example uses the kubectl autoscale command to autoscale the number of pods in the azure-vote-front deployment. If average
CPU utilization across all pods exceeds 50% of their requested usage, the autoscaler increases the pods up to a maximum of 10 instances. A
minimum of 3 instances is then defined for the deployment: kubectl autoscale deployment azure-vote-front --cpu-percent=50 --min=3 --max=10
B: Use the az aks update command to enable and configure the cluster autoscaler on the node pool for the existing cluster.
Reference:
https://docs.microsoft.com/en-us/azure/aks/tutorial-kubernetes-scale https://docs.microsoft.com/en-us/azure/aks/cluster-autoscaler

BD (88%) 13%

The Answer is not correct. The right is B & D.
B is for az aks command , check https://docs.microsoft.com/en-us/azure/aks/cluster-autoscaler
D is for Azure portal. Under node pools, press scale, then choose auto scale.
The Answer A is not correct as it is confusing with Horizontal pod autoscale which is not asked here. The pod autoscale use kubectl.
upvoted 104 times
  jantoniocesargatica 9 months, 1 week ago

There are 2 things to understand:
a) Are we talking about pods?
b) Are we talking about nodes?
The question is regarding how to autoscale the AKS, so it means that we are talking about the nodes. As we are talking how to scale the
nodes:
a) az aks is neccesary
b) Then you scale the nodes in the portal.
The correct answers are B & D.
If we want to scale the pods, the options would be kubelet, but it is not the case. We are not talking about the containers, we are
talking about the infrastructure behind this.
upvoted 37 times

thanks for the clarification
upvoted 2 times

To corroborate with your answer, kubectl autoscale "creates an autoscaler that automatically chooses and sets the number of pods that
run in a kubernetes cluster":
https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#autoscale
According to Microsoft, this is a Horizontal pod autoscale, not a Cluster autoscale:
https://docs.microsoft.com/en-us/azure/aks/cluster-autoscaler#about-the-cluster-autoscaler
upvoted 1 times

But we are not talking about the pods, we are talinkg about the nodes, so is B and D. Think that this service is managed by Azure,
and they will not allow to do this by yourself, and this is the reason why you must choose the portal.
upvoted 1 times

The article does a good job explaining the difference of "cluster autoscaler" and "horizontal pod autoscaler"...
https://docs.microsoft.com/en-us/azure/aks/cluster-autoscaler
FYI also - the PowerShell command that can do this same task is "Set-AzAksCluster" (not Set-AzAks). B and D it is!
upvoted 9 times

Do you have any links for doing the scaling in the portal?
upvoted 4 times

Correct Answer: B and D
We need to configure autoscaler for the AKS cluster. We do not want to scale Kubernetes pods, so kubectl command is not needed.
A: kubectl command is used for configuring Kubernetes and not AKS cluster.
B: The az aks command is used for the AKS cluster configuration.
C: Set-AzVm cmdlet is used for VMs.
D: Azure portal, under node pools, press scale, then choose auto scale.
E: Set-AzAks, creates or updates an AKS cluster, the correct cmdlet is Set-AzAksCluster.
AKS clusters can scale in one of two ways:

- The cluster autoscaler watches for pods that can't be scheduled on nodes because of resource constraints. The cluster then automatically
increases the number of nodes.
- The horizontal pod autoscaler uses the Metrics Server in a Kubernetes cluster to monitor the resource demand of pods. If an application
needs more resources, the number of pods is automatically increased to meet the demand.
Reference:
upvoted 64 times

Thank you for the very clear explanations!!!
upvoted 1 times

https://docs.microsoft.com/en-us/azure/aks/cluster-autoscaler#about-the-cluster-autoscaler
The cluster autoscaler watches for pods that can't be scheduled on nodes because of resource constraints. The cluster then automatically
increases the number of nodes.
upvoted 1 times

Selected Answer: BD
Yes, AKS autoscaler means Azure node scale. Not pods.
upvoted 2 times
  dandynamite 1 month, 1 week ago

Selected Answer: BD
There are too type of scale in K8s
- node (The question is ask for this: so either using az cli or azure portal does help)
- pod (using kubectl)
upvoted 1 times

Selected Answer: BD
Kubectl is used for pods. not for nodes
upvoted 2 times
  Rimple 1 month, 2 weeks ago

A and B is correct
A for Auto scaler and B is manual
upvoted 1 times

Selected Answer: AB
The answer is correct: A & B
I think most are confused by the concept "AKS scale":
AKS clusters can scale in one of two ways:
1)The cluster autoscaler watches for pods that can't be scheduled on nodes because of resource constraints. The cluster then
automatically increases the number of nodes.
2)The horizontal pod autoscaler uses the Metrics Server in a Kubernetes cluster to monitor the resource demand of pods. If an application
needs more resources, the number of pods is automatically increased to meet the demand.
so the correct answers should be A & B
aks is to scale nodes and kubctl is to scale pods
upvoted 1 times

From your same link.
The cluster autoscaler watches for pods that can't be scheduled on nodes because of resource constraints. The cluster then
automatically increases the number of nodes.
The question refers to Cluster Autoscaler...NOT Horizontal Pod Autoscaler. We are talking about scaling...the CLUSTER. So it's all about
NODES.
Yes from the portal it's possible either at creation of the cluster :
Scale Method : Choose between manual or automatic scaling for your cluster. Autoscaling can help ensure that your cluster is running
efficiently with the right number of nodes for the workloads present.
Or afterwards as mentioned.
upvoted 1 times

So your answers are unfortunately not corrects
upvoted 1 times
  Kisna03 1 month, 4 weeks ago

upvoted 3 times

Selected Answer: BD
The correct answer is B and D. It's talking about cluster autoscaling which can be done in the Azure Portal and the az aks command. check
kubectl is to do with the pods.

upvoted 2 times

Ans: B and D
upvoted 2 times
  anoopjoseph 3 months ago

B. the az aks command
D. the Azure portal
upvoted 1 times
  MomoLomo 3 months, 3 weeks ago

As per my understanding
To autoscale the nodes we need more pods so we need to adjust the pods autoscale as well
I will go with the given answer

upvoted 1 times

Passed today with 947. This question appeared, correct Answer B D
upvoted 4 times

The right is B & D.
upvoted 2 times

cluster autoscale is heavily impacted by the total number of pods, to have a working cluster autoscale, you have to use two tools, az aks to
enable/config cluster autoscale (portal/cli is clearly not the choice to enable autoscale for VMSS https://docs.microsoft.com/en-
us/azure/aks/cluster-autoscaler#update-an-existing-aks-cluster-to-enable-the-cluster-autoscaler), kubectl to config a reasonable pods
number increase/decrease.
upvoted 1 times
  JamesChan0620 5 months, 1 week ago

Correct answer is B & D or A & B?
upvoted 1 times
  Voldemort 5 months ago

B & D is the right answer.
upvoted 1 times
You create the following resources in an Azure subscription:

✑ An Azure Container Registry instance named Registry1
✑ An Azure Kubernetes Service (AKS) cluster named Cluster1
You create a container image named App1 on your administrative workstation.
You need to deploy App1 to Cluster1.
A. Run the docker push command.
B. Create an App Service plan.
C. Run the az acr build command.
D. Run the az aks create command.
Correct Answer: C
You should sign in and push a container image to Container Registry.
Run the az acr build command to build and push the container image. az acr build \
--image contoso-website \
--registry $ACR_NAME \
--file Dockerfile .
Reference:
https://docs.microsoft.com/en-us/learn/modules/aks-deploy-container-app/5-exercise-deploy-app

C (50%) A (50%)

Answer is Correct . C.
The question has a lot of missing steps.
If we go with Answer A. then we need the following:
- Make sure that ACR is integrated to AKS.
- docker tag has been run with the right ACR.
- docker push
- create kubectl apply with the right deployment and right ACR.
In case we go with Answer C.
- No need for docker push or tag.
- still need to make sure that ACR is integrated to AKS.
- then run kubectl apply
upvoted 60 times
  VANSI Highly Voted  10 months ago

I have this same question in the exam (passed) and does not have the option C.
So I choose the Docker push.
upvoted 57 times
  rdiaz Most Recent  2 days, 1 hour ago

Selected Answer: C
Run the az acr build command to build and push the container image. az acr build \
--image contoso-website \
--registry $ACR_NAME \
--file Dockerfile .
upvoted 1 times

Selected Answer: A
I need to disagree with Fedzteds and Mlantonis.
Cause ACR helps build and push images to the default registry BUT the image is already built in the question.
So no need to build in again and docker push is "enough"
This assumes other requirements but pushing an image to the registry before using it should be amongst the first actions to do.
upvoted 1 times

Link for ACR build
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-tutorial-quick-task
And docker push

https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-docker-cli?tabs=azure-cli
upvoted 1 times

Answer is "A" "docker push"
An Azure container registry stores and manages private Docker container images, similar to the way Docker Hub stores public Docker
images. You can use the Docker command-line interface (Docker CLI) for login, push, pull, and other operations on your container registry.
After you login to the registry you can run push command to upload the image.
Below is an sample of that command
docker push myregistry.azurecr.io/samples/nginx
Reference:
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-docker-cli
upvoted 6 times
  GM107 3 months, 3 weeks ago

Answer is "A" "docker push" because in text it cleary says
"You create a container image named App1 on your administrative workstation."
which means that image is already built.
Then you are asked what yo have to do next to push image to ACR.
https://docs.microsoft.com/en-us/azure/aks/tutorial-kubernetes-prepare-acr?tabs=azure-cli#push-images-to-registry
upvoted 1 times
  tzaroon 7 months, 1 week ago

ans https://docs.microsoft.com/en-us/azure/aks/tutorial-kubernetes-prepare-acr?tabs=azure-cli#push-images-to-registry
upvoted 2 times
  Pietem 8 months, 2 weeks ago

What a crappy question is this? The image is ALREADY built, then why would one need to build it again? Pushing it to the registry should
suffice.
upvoted 6 times

c is correct, ref https://docs.microsoft.com/en-us/azure/aks/tutorial-kubernetes-prepare-acr?tabs=azure-cli
the image is built *locally*, which is why docker push makes sense
upvoted 1 times

sorry typo, answer A it is. docker push
upvoted 3 times

Correct Answer: C
az acr build will build and push the image at the same time. Queues a quick build, providing streaming logs for an Azure Container
Registry.
docker build/push will do the same thing, but you will have to configure docker to login to the container registry.
If we go with Answer A, then we need the following:

- docker push

Note: If answer C is missing from the exam, then select A.

upvoted 54 times

If you already have an image in your local registry would you get an error message when running "az acr build" on that already built
image? Running a build command on something that is already built doesn't seem logical to me.
upvoted 1 times
  faf16 2 months, 1 week ago

Great, explanation!
upvoted 2 times

They already said that the containter image has already been created.
upvoted 1 times
  learner 9 months, 1 week ago
Similar - different answers

You create the following resources in a subscription:
*An Azure Container Registry instance named Registry1
*An Azure Kubernetes Service (AKS) cluster named Cluster1
You create a container image named App 1 on your administrative workstation.
You need to deploy App1 to cluster 1.
A. Create a host pool on Cluster1

B. Run the docker push command.
C. Run the kubectl apply command.
D. Run the az aks create command.
Answer??
upvoted 2 times

Fort this question I would say B.You have the image and you need to push
upvoted 1 times
  Veronika1989 9 months, 1 week ago

I would say that A Run the docker push command since the image is built already and you need to push it into Cluster.
upvoted 3 times
  Leandre 10 months, 3 weeks ago

Correct
upvoted 1 times

Answer C:
The question has a lot of missing steps.
If we go with Answer A. then we need the following:
- docker push
upvoted 2 times

Answer C. is correct
upvoted 2 times

Now that you have a registry, use ACR Tasks to build a container image from the sample code. Execute the az acr build command to
perform a quick task:
Azure CLI
Copy
az acr build --registry $ACR_NAME --image helloacrtasks:v1 .
Output from the az acr build command is similar to the following. You can see the upload of the source code (the "context") to Azure, and
the details of the docker build operation that the ACR task runs in the cloud. Because ACR tasks use docker build to build your images, no
changes to your Dockerfiles are required to start using ACR Tasks immediately.
upvoted 2 times

confused, i think A and C should be all good ??
upvoted 5 times
  ketan05 1 year, 2 months ago

The answer is correct, Run the az acr build command to build and push the container image.
upvoted 7 times
You need to configure a proximity placement group for VMSS1.

Which proximity placement groups should you use?
A. Proximity2 only
B. Proximity1, Proximity2, and Proximity3
C. Proximity1 only
D. Proximity1 and Proximity3 only
Correct Answer: A
Resource Group location of VMSS1 is the RG2 location, which is West US.
Only Proximity2, which also in RG2, is location in West US
Reference:
https://azure.microsoft.com/en-us/blog/introducing-proximity-placement-groups/

Correct Answer: A
Placement Groups is a capability to achieve co-location of your Azure Infrastructure as a Service (IaaS) resources and low network latency
among them, for improved application performance.
Azure proximity placement groups represent a new logical grouping capability for your Azure Virtual Machines, which in turn is used as a
deployment constraint when selecting where to place your virtual machines. In fact, when you assign your virtual machines to a proximity
placement group, the virtual machines are placed in the same data center, resulting in lower and deterministic latency for your
applications.
The VMSS should share the same region, even it should be the same zone as proximity groups are located in the same data center.
Accordingly, it should be proximity 2 only.
Reference:
https://azure.microsoft.com/en-us/blog/introducing-proximity-placement-groups
upvoted 56 times
  Throwitawaynow Highly Voted  1 year, 2 months ago

This should be proximity 1 only, proximity 2 is not in the same region as the VMSS
upvoted 40 times
  NarenderSingh 4 months, 3 weeks ago

It should be Proximity 2 only as its in the same region.
upvoted 3 times
  Ashfarqk 9 months ago

Did you understand the table properly???
Proximity 01 is in Central US
upvoted 5 times
  Kiano 8 months, 3 weeks ago

They have changed the question and the table since the comment has been made. Basically the proximity group and the VMSS1
should be in the same region.
upvoted 25 times

Hahaha
upvoted 2 times
  Juli98 Most Recent  1 month, 1 week ago
Think to learn is that the proximity placement group and the VMs locations have to be in the SAME REGION.
Tested in LAB
Created 2 PG One in West US and One in East US.
Created One VM
If VM Location = West US, I only get West US Proximity Group, with a message saying "You should select a Proximity Group within the
Region West US.
If VM Location = East US. I can choose the other PG.
If VM Location = Something Else like West Europe, I can"t choose anything.
upvoted 1 times
  TLS1127 1 month, 2 weeks ago

So Whats the answer?
upvoted 1 times
  Zubaer 2 months, 1 week ago

To get VMs as close as possible, achieving the lowest possible latency, you should deploy them within a proximity placement group.
A proximity placement group is a logical grouping used to make sure that Azure compute resources are physically located close to each
other.
Proximity placement groups are useful for workloads where low latency is a requirement.
If you want to use availability zones together with placement groups, you need to make sure that the VMs in the placement group are also
all
in the same availability zone.
upvoted 2 times
  HananS 2 months, 2 weeks ago

A is the answer
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/proximity-placement-groups-portal
upvoted 1 times
  anoopjoseph 3 months ago

Proximity2 only
upvoted 1 times

upvoted 2 times

Appear On Exam July 1 2021
upvoted 4 times
  BennyWang 7 months, 2 weeks ago

can you share lab ？
upvoted 1 times

Is labs included ?
upvoted 1 times

Answer is 100% correct, tested in lab
upvoted 2 times

I'm very confused with this question. Did the answer change over time? The Answer seems correct to me and the comments here point to
same region (like the answer)?
upvoted 29 times
  pkazemei 6 months, 1 week ago

ATTENTION - THIS QUESTION HAS BEEN UPDATED. PLEASE VIEW THE REPLIES HERE. CORRECT ANSWER IS A: PROXIMITY 2 ONLY.
upvoted 20 times

UPVOTEEEE
upvoted 3 times
  cyna58 9 months, 1 week ago

Yes...the graphic table has changed. The correct answer is proximity 2
upvoted 13 times

The graphic answer has change.Two weeks ago proximity 1 and proximity 2 has the locations changed.Now the answer is A, proximity 2
only, because there are in the same region
upvoted 21 times
  samgyupsal 9 months, 3 weeks ago
Did the question change? Or am I missing anything? VMSS1 is in West US. Proximity2 is in WestUS as well. So if we are going to use the
argument that they should be in the same region, the answer should be correct right? Or is my eyes letting me down and I am seeing
doble? In any case, the VMSS should be in the same region as its Proximity placement group.
upvoted 3 times
  xxz 9 months, 3 weeks ago

Azure proximity placement groups represent a new logical grouping capability for your Azure Virtual Machines, which in turn is used as a
deployment constraint when selecting where to place your virtual machines. In fact, when you assign your virtual machines to a proximity
placement group, the virtual machines are placed in the same data center, resulting in lower and deterministic latency for your
applications.
upvoted 2 times
  Da_G 11 months ago

Given the whole idea behind proximity groups is to keep your VMs as physically close to one another, then it only makes sense to deploy it
to the same region. Answer C.
upvoted 2 times

It's completely logical that the resource and placement group must be in the same region. So C is the most appropriate alternative.
upvoted 1 times

Proximity 1. Proximity zones cannot be in different regions
upvoted 1 times
Solution: From the Subscriptions blade, you select the subscription, and then click Resource providers.
A. Yes
B. No
Correct Answer: B

B (100%)

Reference:
powershell
upvoted 27 times
  Wizard69 Highly Voted  11 months, 2 weeks ago

I agree, you should look at the Deployments under the Resource Group
upvoted 13 times
  N4d114 Most Recent  2 weeks ago

The correct answer is B - No.
To check date and time when RG1 create, u have to go at RG1 Resource, go to setting and click at deployment.
upvoted 1 times
  deltarj 3 weeks ago

Q41, 51, 52 & 53 [remember: RG1 blade-->deployment]
upvoted 1 times
  AbhiYad 1 month, 2 weeks ago

Selected Answer: B
upvoted 1 times
  Thanishn 9 months, 2 weeks ago

upvoted 1 times
  nikhilmehra 9 months, 4 weeks ago

deployments
upvoted 2 times

NO > RG1 -> Deployment
upvoted 2 times
RG1->Deployments
upvoted 3 times
  wendysgp 1 year, 1 month ago

to check go to deployments under GROUP
upvoted 2 times

Answer is correct . NO (B)
to check go to deployments under subscription
upvoted 5 times
  LexusNX425 11 months ago

Or just go to deployments under RG1
upvoted 1 times
Solution: From the RG1 blade, you click Automation script.
A. Yes
B. No
Correct Answer: B
Reference:

Reference:
powershell
upvoted 21 times

correct. Programmatic deployment are used for API/CLI
upvoted 12 times

There's not even an automatic script blade in RGs. Not that I am aware of
upvoted 1 times
  Ant0ny 11 months, 1 week ago

Correct, tested and comfirmed
upvoted 1 times
  Sandroal29 11 months, 1 week ago

upvoted 1 times

B. No - Bcoz it's under RG1 blade Settings ->Deployment
upvoted 2 times

B. is correct. On Deployment blade you will find this information
upvoted 1 times

Correct.
upvoted 2 times

RG1 > Deployments
upvoted 10 times
Solution: From the RG1 blade, you click Deployments.
A. Yes
B. No
Correct Answer: A
Reference:

correct
upvoted 24 times

Reference:
powershell
upvoted 22 times
  deltarj Most Recent  1 month ago

I love these "clustered" questions, like these FOUR: 41, 51, 52 & 53 (remember the only positive ans: RG1 blade - Deployments)
Thanx mlantonis and fedztedz
upvoted 1 times
  MarxMazd 7 months, 4 weeks ago

There are multiple repeats of same question in previous 25 pages.
upvoted 4 times

A is correct
upvoted 2 times
  Danny1 10 months, 3 weeks ago

This question came in the exam, all three versions of this..!! Best of luck
upvoted 6 times

Correct
upvoted 2 times

Correct answer
upvoted 1 times
  Jacek_ 11 months, 3 weeks ago

correct
upvoted 1 times

A is correct
upvoted 1 times
  WYLC 12 months ago

Given Answer is Correct!

upvoted 1 times

A. is correct.
upvoted 1 times
  Nalex9ja 1 year, 1 month ago

correct
upvoted 2 times

correct
upvoted 2 times
  Malec 1 year, 2 months ago

correct
upvoted 3 times

You deploy a Linux virtual machine named VM1 to Subscription1.
You need to monitor the metrics and the logs of VM1.
A. Azure HDInsight
B. Linux Diagnostic Extension (LAD) 3.0
C. the AzurePerformanceDiagnostics extension
D. Azure Analysis Services
Correct Answer: C
You can use extensions to configure diagnostics on your VMs to collect additional metric data.
The basic host metrics are available, but to see more granular and VM-specific metrics, you need to install the Azure diagnostics extension on
the VM. The Azure diagnostics extension allows additional monitoring and diagnostics data to be retrieved from the VM.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/tutorial-monitoring

B (86%) 14%

Not correct. Answer is B. it is linux server accordingly Linux Diagnostic Extension should be used which download the Diagnostic Extension
(LAD) agent on Linux server.
upvoted 84 times
  RRRSSS 7 months, 3 weeks ago

Cool, but probably there is a trick with LAD version?
Question refers to LAD 3.0, However this article refers to v 4.0 version.
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux?tabs=azcli
upvoted 2 times

no. It's actually in the link you provided, "Important
For information about version 3.x, see Use the Linux diagnostic extension 3.0 to monitor metrics and logs. For information about
version 2.3 and earlier, see Monitor the performance and diagnostic data of a Linux VM."
so LAD version doesn't matter.
B is the right answer!
upvoted 3 times
  Sanin 9 months, 2 weeks ago

upvoted 5 times

Correct Answer: B
The Linux diagnostic extension helps a user monitor the health of a Linux VM running on Microsoft Azure. It has the following collection
and capabilities:
- Metrics
- Syslog
- Files
A: Azure HDInsight is a managed, full-spectrum, open-source analytics service in the cloud for enterprises. You can use open-source
frameworks such as Hadoop, Apache Spark, Apache Hive, LLAP, Apache Kafka, Apache Storm, R, and more.
C: Azure Performance Diagnostics VM Extension is used for Windows VM only.
D: Azure Analysis Services is a fully managed platform as a service (PaaS) that provides enterprise-grade data models in the cloud.
upvoted 56 times
  EleChie Most Recent  3 weeks, 6 days ago

Important
For information about version 3.x, see Use the Linux diagnostic extension 3.0 to monitor metrics and logs. For information about version
2.3 and earlier, see Monitor the performance and diagnostic data of a Linux VM.
Ref: https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux?tabs=azcli
Azure Diagnostics extension overview

https://docs.microsoft.com/en-us/azure/azure-monitor/agents/diagnostics-extension-overview
upvoted 1 times
  never4baby777 1 month ago

Selected Answer: B
B
The Linux diagnostic extension helps a user monitor the health of a Linux VM that runs on Microsoft Azure
upvoted 1 times

Answer is B but question is outdated :
Azure Monitor recently launched a new agent, the Azure Monitor agent, that provides all capabilities necessary to collect guest operating
system monitoring data. While there are multiple legacy agents that exist due to the consolidation of Azure Monitor and Log Analytics,
each with their unique capabilities with some overlap, we recommend that you use the new agent that aims to consolidate features from
all existing agents, and provide additional benefits. Learn More
The Azure Monitor agent is meant to replace the Log Analytics agent, Azure Diagnostic extension and Telegraf agent for both Windows
and Linux machines.
upvoted 2 times

Thank you! Much appreciated! I was getting confused as this is exactly what I have learned in the courses.
upvoted 1 times

Selected Answer: C
Linux Diagnostic is part or AzurePerformanceDiagnostics extension.
upvoted 1 times
  weril 2 months ago

Okay my lads. It's LAD
upvoted 3 times
  beem84 2 months ago

Selected Answer: B
Answer B
upvoted 1 times
  Mtrx 2 months ago

Selected Answer: B
Answer is B.
upvoted 1 times

Selected Answer: B
jimmyli 4 months, 2 weeks ago
no. It's actually in the link you provided, "Important
For information about version 3.x, see Use the Linux diagnostic extension 3.0 to monitor metrics and logs. For information about version
2.3 and earlier, see Monitor the performance and diagnostic data of a Linux VM."
so LAD version doesn't matter.
upvoted 1 times

Answer is Not C . Azure Performance Diagnostics VM Extension is used for Windows VM only.
B is the answer . This is Linux therefore Linux Diagnostic Extension should be used.
upvoted 1 times

Selected Answer: B
Linux Diagnostic Extension should be used which download the Diagnostic Extension (LAD) agent on Linux server
upvoted 2 times

B is correct.
upvoted 2 times
Use LAD to monitor metrics and logs. The confusion stems from knowing that LAD stands for Linux AZAURE Diagnostic extension.
When they just said Linux extension it threw many people the wrong answer simply because it missed the word - Azure. Which is a little
nasty if you asked me.
The correct answer is B.
upvoted 1 times
  zvasanth2 5 months, 4 weeks ago

Azure Performance Diagnostics VM Extension helps collect performance diagnostic data from Windows VMs. The extension performs
analysis, and provides a report of findings and recommendations to identify and resolve performance issues on the virtual machine.
This extension can be installed on
Windows Server 2019

Windows Server 2016
Windows Server 2012 R2
Windows Server 2012
Windows Server 2008 R2
Windows 10
Windows 8.1
Windows 8
Answer is not C -> the AzurePerformanceDiagnostics extension

upvoted 3 times
  ooma_sharma 6 months ago

B is correct. Check-
Install and configure Windows Azure diagnostics extension (WAD)
Use Linux Diagnostic Extension to monitor metrics and logs
upvoted 1 times
  hristozkov69 6 months, 3 weeks ago

AzurePerformanceDiagnostics is wrong, it is used for Winodws VM`s only! A huge amount of questions here are marked with wrong or
partially wrong answers. You have to read all the discussions in order to be sure, that you are not misled.
upvoted 2 times
HOTSPOT -
You have an Azure subscription named Subscription1. Subscription1 contains a virtual machine named VM1.
You install and configure a web server and a DNS server on VM1.
VM1 has the effective network security rules shown in the following exhibit:
Hot Area:
Correct Answer:
Box 1:
Rule2 blocks ports 50-60, which includes port 53, the DNS port. Internet users can reach to the Web server, since it uses port 80.
Box 2:
If Rule2 is removed internet users can reach the DNS server as well.
Note: Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority.
Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same
attributes as rules with higher priorities are not processed.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

upvoted 23 times
  nimeshabhinav 2 months ago

It looks like all 300 questions appeared in your exam :D . I see your comments everywhere.
upvoted 16 times
  Kumud31 1 month ago

YES,I bet
upvoted 1 times
  miloashis 1 week ago

VERY TRUE BRO!!
upvoted 1 times

Correct
upvoted 6 times

Correct.
Usually :
DNS = Port 53
WEB = Port 80 (http) or 443 (https).
Rule are processed by priority order

A number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers, because
lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities
(higher numbers) that have the same attributes as rules with higher priorities are not processed.
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
Rule 2 Blocked DNS (Range 50-60) First match > DNS Blocked
Rule 1 Allow http (Range 50-500) First Match > http Allow.
If we delete Rule 2, Rule 1 Allows http and DNS. First match > It works.
upvoted 5 times
  Krypt11 3 months, 2 weeks ago

Correct
upvoted 1 times

new question hehe, hopefully i find it later in my exam !
upvoted 3 times

There was a similar question previously as well.
upvoted 2 times
You plan to deploy three Azure virtual machines named VM1, VM2, and VM3. The virtual machines will host a web app named App1.
You need to ensure that at least two virtual machines are available if a single Azure datacenter becomes unavailable.
What should you deploy?
A. all three virtual machines in a single Availability Zone
B. all virtual machines in a single Availability Set
C. each virtual machine in a separate Availability Zone
D. each virtual machine in a separate Availability Set
Correct Answer: C
Use availability zones to protect from datacenter level failures.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/manage-availability https://docs.microsoft.com/en-us/azure/virtual-
machines/windows/tutorial-availability-sets
  kt_tk_2020 Highly Voted  1 year, 2 months ago

C is the correct answer - if you want Datacenter level high availability - vms should be deployed in different zones.
upvoted 78 times

Availability set - Within data centre - configure update domains and fault domains
Availability zone - Within region (usually three data centres per region)
upvoted 40 times
  FitObelix 8 months, 1 week ago

Simply adding that an availability zone can have only one datacenter. That´s why i think it can´t be option A. C option ensures the
availability, even if each zone is made of only one datacenter each
upvoted 4 times
  walexkino 9 months, 1 week ago

your explanation was simple and precise unlike other sprouting nonsense here.
upvoted 8 times
  allray15 Highly Voted  11 months, 1 week ago

i always get nervous when the discussion count hits 30-50+ . You know something isn't right :D , if its just below 20, then i just skip and
continue
upvoted 76 times
  Izee24 5 months, 3 weeks ago

Me too.
upvoted 1 times
  sarpay784 8 months, 2 weeks ago

:D :D :D :D me too
upvoted 2 times

or, 30+
upvoted 4 times

check link here : https://docs.microsoft.com/en-us/azure/architecture/reliability/architect
upvoted 1 times
  HananS 1 month, 3 weeks ago

It is obvious C is the answer
Availability Sets—running a VM with one or more replicated copies on separate hardware within the same Availability Zone, providing
resiliency against machine failure. Availability Zones—running a VM with one or more replicated copies on different Availability Zones,
providing resiliency against data center failure.
upvoted 2 times

"if a single Azure datacenter becomes unavailable."
First of all, rule-out Availability Set since the latter is inside a datacenter. If that DC goes down, all VMs go down! So the answer is Spread
VMs across each AV Zone.
upvoted 2 times

In Exam 27/10/2021 I only scored 697
upvoted 3 times
  Scorez400 3 months, 2 weeks ago

Does questions same?
what went wrong for you ?
upvoted 1 times

Something tells me he relied on only dumps. Just a hunch, though...
upvoted 1 times

upvoted 2 times

Answer is correct
upvoted 2 times
  MimeTalk 6 months, 3 weeks ago

Answer C is correct see the following diagram
https://wikiazure.com/compute/azure-availability-zones/
upvoted 3 times
  bacana 7 months, 1 week ago

For me is A
"single datacenter failure"
Availability Zones
An Availability Zone is a high-availability offering that protects your applications and data from datacenter failures. Availability Zones are
unique physical locations within an Azure region. Each zone is made up of one or more datacenters equipped with independent power,
cooling, and networking. To ensure resiliency, there's a minimum of three separate zones in all enabled regions. The physical separation of
Availability Zones within a region protects applications and data from datacenter failures. Zone-redundant services replicate your
applications and data across Availability Zones to protect from single-points-of-failure. With Availability Zones, Azure offers industry best
99.99% VM uptime SLA. The full Azure SLA explains the guaranteed availability of Azure as a whole.
https://docs.microsoft.com/en-us/azure/availability-zones/az-overview
upvoted 1 times
  scuar 7 months, 3 weeks ago

Launch instances in an Availability Zone
When you launch an instance, select a Region that puts your instances closer to specific customers, or meets the legal or other
requirements that you have. By launching your instances in separate Availability Zones, you can protect your applications from the failure
of a single location.
Answer C is correct.
upvoted 1 times
  NIk2020 7 months, 4 weeks ago

Answer C is correct
Availability zones are similar in concept to availability sets. However, there is a distinct difference. While availability sets are used to protect
applications from hardware failures within an Azure data center, availability zones, protect applications from complete Azure data center
failures.
An availability zone is a unique physical location that exists within an Azure region. Every availability zone contains at least one data center
within the region.
upvoted 2 times
  RMJ21 8 months, 1 week ago

i think the Answer C is correct.
Reference: https://docs.microsoft.com/en-us/azure/availability-zones/az-overview
upvoted 1 times

Correct Answer: C
Availability Set: Within a data centre configure Update Domains and Fault Domains. Availability Sets takes the virtual machine and
configures multiple copies of it. Each copy is isolated within a separate physical server, compute rack, storage units and network switches
within a single Data Center within an Azure Region.
Availability Zone: Within a Region, usually 3 Data Centres per Region. Use Availability Zones to protect from Data Center level failures.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/availability
upvoted 40 times

Mlantonis ... i completely agree about the AZ AS description.. but AZ's dont have limit of number of available machines do they? it says
ensure that at least 2 machines are available... if you ave VM1 in AZ1 vm2 in AZ2, vm3 in AZ3, there's nothing stopping AZ1 and 2 going
offline... AZ3 wont autocorrect and spinup new vms... thoughts?
upvoted 1 times
  Narendragpt 1 month, 2 weeks ago

We are suppose to assume the APP1 is hosted on these 3 VMs are behind a Load Balancer . and question ask You need to ensure
that at least two virtual machines are available if a single Azure datacenter becomes unavailable.
upvoted 2 times
  Julie444 9 months, 3 weeks ago

The Q is wrong to begin with if the data center becomes unavailable does not matter how many availability set there are, they all become
unavailable.
The Q should be e.g. in the case of hardware failure or planned or unplanned maintenance, not “datacenter unavailability”!
upvoted 1 times

The answer isn't an 'availability set', it's an 'availability zone'
upvoted 1 times
  alfteezy91 9 months, 4 weeks ago

answer should be C. Different zones ensures that if a single datacenter is unavailable , others will be available in different ZONES.
upvoted 3 times
  MayBe 10 months ago

C is the correct answer.
Each Availability Zone has a distinct power source, network, and cooling. By designing your solutions to use replicated VMs in zones, you
can protect your apps and data from the loss of a data center. If one zone is compromised, then replicated apps and data are instantly
available in another zone.
https://docs.microsoft.com/en-us/azure/virtual-machines/availability
upvoted 2 times
You save VM1 as a template named Template1 to the Azure Resource Manager library.
You plan to deploy a virtual machine named VM2 from Template1.
What can you configure during the deployment of VM2?
A. operating system
B. administrator username
C. virtual machine size
D. resource group
Correct Answer: B
When deploying a virtual machine from a template, you must specify:
✑ the Resource Group name and location for the VM
✑ the administrator username and password
✑ an unique DNS name for the public IP
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/ps-template

D (86%) 14%

not correct. Answer is Resource Group. I tried the only ones that need to be updated manually are resource group and password.
upvoted 108 times

Confirming RG.
Manual steps: log in, deploy VM1. Accept all defaults. Go to resource > template > save to library. View library > deploy template, It pre-
populates the subscription but you have to set an RG. VM Name can be customized, admin user/pass are pulled from template.
Costs about $.15 to verify and less than 5 minutes, if you're in doubt sign up for azure pass and do it yourself.
upvoted 15 times

This is correct. Answer is Resource Group.
upvoted 3 times

yes D. Resource Group is the correct answer: Admin user, password, vm size and os are the part of ARM templates. But resource group
is not hence needs to be mentioned while deployment! Refer below sample ARM template for reference in which all above attributes
passed in parameter.
https://github.com/Azure/azure-quickstart-templates/blob/master/101-vm-simple-windows/azuredeploy.json
upvoted 3 times
  cmbkc88 8 months ago

I go adm psw. We can configure the name of rg for vm, not rg itself.
upvoted 1 times
  itmp 7 months, 4 weeks ago

what "adm psw" ? maybe in another question ...
upvoted 2 times

@itmp adm psw means administrator password
upvoted 1 times
  IvanDan Highly Voted  1 year, 2 months ago

"what can you configure"... you can't configure a resource group, but you can choose one. A resource group should be already configured.
An administrator username is not preconfigured, so you have to make a new one. I will go with B
upvoted 41 times
You are not paying attention to the fact that this was being created from an ARM template. All these can be specified in the template. It
is not however recommended to enter keys and secrets in plain text in your code.
upvoted 1 times

You can select a RG for a selection - so you are configuring which RG to use.
upvoted 3 times
  N4d114 Most Recent  2 weeks, 1 day ago

The correct answer is resource group.
resource group > Resource > template > save to library. View library > deploy template
upvoted 1 times
  NG15 3 weeks ago

Selected Answer: B
There are 2 answers. 'Resource group name' and 'admin username'.
But in options, 'Resource group' is mentioned instead of 'Resource group name'.
upvoted 1 times

Resource group comes before admin details when Deploying a VM
upvoted 2 times

Answer is RG. Indeed Two ways to export the template.
From the resource directly (VM Blade > Export template): Parameters (3) : VM_Name, Disk and network interfaces only. RG is possible when
deploying the template.
From the deployment history (RG blade > Deployment) Parameters (18) : Location, Networkinterfacename, nsg name and rule, subnet and
vnet name, publicips, vm name and computer name, rg, ostype size, disks, admin username and in my case public key too.
So Yes, it it were from the deployment you would have more options, but it's from the resource directly.
upvoted 1 times

Try in Portal. Only password ask for manual input. So no correct answer
upvoted 1 times
  Pythonlkjh 1 month, 3 weeks ago

Correct
upvoted 1 times

Selected Answer: D
D is the correct answer, Resource Group.
upvoted 1 times
  z 2 months, 2 weeks ago

Selected Answer: D
Answer is Resource Group
upvoted 1 times
  Scott990 2 months, 2 weeks ago

Selected Answer: D
Voting Resource Group
upvoted 2 times

Selected Answer: D
Resource Group is the correct answer: Admin user, password, vm size and os are the part of ARM templates.
upvoted 2 times

Hi Admin, please update the answer to resource group.
upvoted 2 times
  MrAzureGuru 3 months, 2 weeks ago

username:
"osProfile": {
"computerName": "[parameters('virtualMachines_WindowsVM1_name')]",
"adminUsername": "azureuser",
"windowsConfiguration": {.................
There is no specific ResourceGroup value.

upvoted 2 times

No Dubt, 100% Resource Group.
upvoted 1 times

There is username and password, answer is d
upvoted 1 times

Passed 11 Oct 2021 with 947. This question appeared, correct Answer D
upvoted 9 times
  NicoPI 4 months, 1 week ago

Comment peux-tu savoir quelle réponse est correcte ou pas ??? Microsoft ne donne pas les réponses/erreurs que nous faisons pendant
l'examen.
upvoted 2 times
You have an Azure subscription that contains an Azure virtual machine named VM1. VM1 runs a financial reporting app named App1 that does not
support multiple active instances.
At the end of each month, CPU usage for VM1 peaks when App1 runs.
You need to create a scheduled runbook to increase the processor performance of VM1 at the end of each month.
What task should you include in the runbook?
A. Add the Azure Performance Diagnostics agent to VM1.
B. Modify the VM size property of VM1.
C. Add VM1 to a scale set.
D. Increase the vCPU quota for the subscription.
E. Add a Desired State Configuration (DSC) extension to VM1.
Correct Answer: E
Reference:
https://docs.microsoft.com/en-us/azure/automation/automation-quickstart-dsc-configuration

B (100%)

Correct Answer: B
Here we need to modify the size of the VM to increase the number of vCPU's assigned to the VM. This can be included as a task in the
runbook. The VM size property can be modified by a runbook that is triggered by metrics, but you can schedule it monthly.
C: Scheduled vertical scaling could be a solution, but then you don't need a scheduled runbook and it states that it does not support
multiple active instances. Scale Set is not a n option.
E: DSC is only useful to keep the resources on a VM (OS, File shares, etc.) in a consistent state, not to change VM properties.
Reference:
https://www.apress.com/us/blog/all-blog-posts/scale-up-azure-
vms/15823864#:~:text=If%20you%20select%20the%20option,to%20the%20next%20larger%20size
upvoted 93 times

not correct. Answer is B. Scale up the VM using Automation virtual scale set runbooks which trigger a webhook
upvoted 91 times

I don t get it, B. Modify the VM size property of VM1. How is this a runbook? or any relation to your B answer? Thanks
upvoted 1 times

why not create a scale set and scale up?
upvoted 1 times
  sandipk91 5 months, 4 weeks ago

this the reason why we can't use scale set - "App1 that does not support multiple active instances"
upvoted 6 times
  Sunny11 5 months ago

The question says multiple active instances are not supported
upvoted 9 times
  T____T 7 months, 3 weeks ago

the question asks about runbook specifically so you have to go with that context
upvoted 5 times
  Allfreen Most Recent  6 days, 2 hours ago

B is wrong, as question clearly say to schedule not resize
correct answer is E
upvoted 1 times

upvoted 3 times
  MuralikumarCh 1 month, 1 week ago

@AjaruddinAli66 what are the right answers for these questions. Are you followed discussion/voted answers or admin provided answers.
upvoted 1 times

Selected Answer: B
answer is B
upvoted 2 times

Selected Answer: B
It's B
upvoted 1 times
  Vatz 1 month, 3 weeks ago

Selected Answer: B
Scale up the VM using Automation virtual scale set runbooks which trigger a webhook
upvoted 1 times

Selected Answer: B
Here we need to modify the size of the VM to increase the number of vCPU's assigned to the VM. This can be included as a task in the
runbook. The VM size property can be modified by a runbook that is triggered by metrics, but you can schedule it monthly.
C: Scheduled vertical scaling could be a solution, but then you don't need a scheduled runbook and it states that it does not support
multiple active instances. Scale Set is not a n option.
E: DSC is only useful to keep the resources on a VM (OS, File shares, etc.) in a consistent state, not to change VM properties.
Reference:
https://www.apress.com/us/blog/all-blog-posts/scale-up-azure-
vms/15823864#:~:text=If%20you%20select%20the%20option,to%20the%20next%20larger%20size
upvoted 1 times

Selected Answer: B
It's not support multiple instances so B. scale up is correct
upvoted 2 times

Selected Answer: B
The correct answer is B, modify the size of the VM. This can be done within a runbook. The question states that the application does not
support multiple instances, therefore we can't use a scale set.
upvoted 1 times
  AjaruddinAli66 2 months, 1 week ago

I have cleared the exam on 13thDec2021 with 772.
upvoted 1 times
  beem84 2 months, 1 week ago

Selected Answer: B
Answer is B
upvoted 1 times

upvoted 4 times

answer is ?
upvoted 2 times
Answer is B
Under the Configure Runbook option, enable the runbook and choose the config source as either built-in or user. If you select the option
'user', you get to choose from a runbook that you have created in your automation account. If you select 'Built-in', a list of runbooks is
presented in a drop-down menu. Choose 'Scale up VM' to resize the VM to the next larger size.
https://www.apress.com/us/blog/all-blog-posts/scale-up-azure-vms/15823864
upvoted 1 times

Answer is B
upvoted 2 times

Correction(please ignore my previous post): I posted an incorrect answer in my earlier post. I've come back to prepare my job interview
after I passed my exam on 31/08.
The answer is B
You don't create a Runbook in DSC as far as I know, runbooks are created in process automation. So E is false.
This is how to proceed:

- Upload a PowerShell file to increase the size of the machine at peak.
- Something that is not mentioned here but you also another Runbook to bring the machine size back to normal after peak. So you create
2 Runbooks.
- Then link a schedule for both Runbooks.
upvoted 2 times
You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource
Manager template.
You need to ensure that NGINX is available on all the virtual machines after they are deployed.
A. Deployment Center in Azure App Service
B. A Desired State Configuration (DSC) extension
C. the New-AzConfigurationAssignment cmdlet
D. a Microsoft Intune device configuration profile
Correct Answer: B
Azure virtual machine extensions are small packages that run post-deployment configuration and automation on Azure virtual machines.
In the following example, the Azure CLI is used to deploy a custom script extension to an existing virtual machine, which installs a Nginx
webserver. az vm extension set \
--resource-group myResourceGroup \
--vm-name myVM --name customScript \
--publisher Microsoft.Azure.Extensions \
--settings '{"commandToExecute": "apt-get install -y nginx"}
Note:
1. a Desired State Configuration (DSC) extension
2. Azure Custom Script Extension
✑ the Publish-AzVMDscConfiguration cmdlet
✑ Azure Application Insights
Reference:
https://docs.microsoft.com/en-us/azure/architecture/framework/devops/automation-configuration

B (100%)

Correct Answer: B
upvoted 88 times

Thanks
upvoted 1 times

Thanks!
upvoted 2 times

Answer is correct "B" with ARM templates, DSC is used.
upvoted 18 times
  az4o2n Most Recent  2 weeks, 2 days ago

Thank you so much, your contributions are highly valued
upvoted 1 times
  pappkarcsiii 3 weeks, 1 day ago

Selected Answer: B
upvoted 1 times
  N4d114 1 month ago

Correct answer is B : Desired State Configuration (DSC) extension
upvoted 1 times
  SoSoLiD 2 months, 1 week ago

Selected Answer: B
upvoted 1 times

Correct Answer is B. DSC is only useful to keep the resources on a VM (OS, File shares, etc.) in a consistent state.
upvoted 1 times

The answer is correct by the revealed answer has a PowerShell code to create a VM rather than a Scale Set. Correct answer would be
az vmss extension set --name

--publisher
--resource-group
--vmss-name
[--enable-auto-upgrade {false, true}]
[--extension-instance-name]
[--force-update]
[--no-auto-upgrade {false, true}]
[--no-auto-upgrade-minor-version {false, true}]
[--no-wait]
[--protected-settings]
[--provision-after-extensions]
[--settings]
[--subscription]
[--version]
upvoted 2 times

The answer is correct *but the revealed answer has a PowerShell code to create a VM rather than a Scale Set. Correct answer would be
upvoted 1 times

Correct.
upvoted 1 times

Answer "B" with ARM templates, DSC is used.
upvoted 4 times

B is correct.
From the link provided in the explanation: https://docs.microsoft.com/en-us/azure/architecture/framework/devops/automation-
configuration
"The following example uses PowerShell DSC to ensure the NGINX has been installed on Linux systems."
upvoted 5 times

Nice link! It provides alternatives as well which is nice.
upvoted 1 times
  Shaarawy 1 year ago

the Previous Question was the answer of it Azure Script Extension ! why in this question different . ! ?
upvoted 4 times
  achechen 9 months, 3 weeks ago

because you can do it using both
upvoted 2 times
  GinjaNinja 1 year, 1 month ago

That's one way of doing it, but it's not one of the options here. So Correct answer here is the given answer. https://docs.microsoft.com/en-
us/azure/virtual-machines/extensions/dsc-overview
upvoted 4 times
  wolejarz 1 year, 1 month ago

answer is correct. https://docs.microsoft.com/en-us/samples/mspnp/samples/azure-well-architected-framework-sample-state-

configuration/
upvoted 1 times

The answer's explanation is good:
az vm extension set \
--resource-group myResourceGroup \
--vm-name myVM --name customScript \
--publisher Microsoft.Azure.Extensions \
--settings '{"commandToExecute": "apt-get install -y nginx"}
But indeed, B has a wrong choice.
upvoted 4 times
  oooMooo 1 year, 1 month ago

Wrong answer, correct answer is: Azure Custom Script Extension.
upvoted 1 times

I've seen that option in this question as well, but its not an option here my friend :)
upvoted 10 times
HOTSPOT -
You deploy an Azure Kubernetes Service (AKS) cluster that has the network profile shown in the following exhibit.
Hot Area:
Correct Answer:
Box 1: 10.244.0.0/16 -
The Pod CIDR.
Note: The --pod-cidr should be a large address space that isn't in use elsewhere in your network environment. This range includes any on-
premises network ranges if you connect, or plan to connect, your Azure virtual networks using Express Route or a Site-to-Site VPN connection.
This address range must be large enough to accommodate the number of nodes that you expect to scale up to. You can't change this address
range once the cluster is deployed if you need more addresses for additional nodes.
Box 2: 10.0.0.0/16 -
The --service-cidr is used to assign internal services in the AKS cluster an IP address.
Reference:
https://docs.microsoft.com/en-us/azure/aks/configure-kubenet

Correct Answer:
Box 1: 10.244.0.0/16
The Pod CIDR, because containers live inside Pods.
Note: You can't change this address range once the cluster is deployed, if you need more addresses for additional nodes.
Box 2: 10.0.0.0/16
The Service CIDR is used to assign internal services in the AKS cluster an IP address.
Reference:
https://docs.microsoft.com/en-us/azure/aks/configure-azure-cni#plan-ip-addressing-for-your-cluster
upvoted 51 times
  krisbla Highly Voted  9 months, 3 weeks ago

I'm writing the exam in 3 hours .. I'll go with the given selections - wish me luck!
upvoted 15 times

Im guessing you passed as you havent been back...lol
upvoted 4 times
  yellownikk 9 months, 1 week ago

what was the result?
upvoted 3 times
  walexkino 9 months ago

lol witch
upvoted 2 times

Personally amazing for me and kind of funny also
upvoted 2 times
  Voldemort Most Recent  5 months ago

Most Simplest Question in the whole of exam, the answer is literally in the question itself.
POD CIDR for address allocation and Service CIDR for internal service assignment.
upvoted 1 times

I guessed this one even though I have not studied K8s in depth. My next target is mastering K8s
upvoted 1 times

upvoted 5 times

In exam 30 July 21
upvoted 6 times

The answer is correct. Just pay attention that Pod CIDR is also called just Subnet:
https://docs.microsoft.com/en-us/azure/aks/configure-azure-cni#plan-ip-addressing-for-your-cluster
upvoted 3 times

I think the answer is correct. A pod gets an IP. If a pod consists out of multiple containers they share the same pod IP address and can talk
to each other over localhost. I also tested with some docker container which prints it IP. When I just run it in docker it prints his container
IP. When I run it in a pod in Kubernetes he prints the pod IP.
upvoted 1 times
  Dganic 9 months, 3 weeks ago

Answer is Correct
upvoted 4 times

Can someone confirm if the answer is right. I think its fine. If not kindly explain
upvoted 2 times
  iamvandathron 9 months, 1 week ago

It's correct
upvoted 1 times
HOTSPOT -
You have the App Service plan shown in the following exhibit.
The scale-in settings for the App Service plan are configured as shown in the following exhibit.
The scale out rule is configured with the same duration and cool down tile as the scale in rule.

Hot Area:
Correct Answer:
Box 1: 5 -
The maximum 5 will kept as the CPU Usage >= 30.
Box 2: 3 -
As soon as the average CPU usage drops below 30%, the count will decrease by 1. After the 5 minute cool-down it will decrease by another 1,
reaching 3.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-autoscale-performance-schedule
  Moyuihftg Highly Voted  9 months, 3 weeks ago

I think:
2
4
upvoted 104 times

Correct Answer:
Box 1: 2
70% for 1h, and then 90% for 5 minutes. So, from the default of 1 it will scale out out 1 more. So, 2 in total.
Box 2: 4
90% for 1h and then 25% for 9minutes. So, from the default of 1 it will it scale in to the max 5 (60/5 = 12, which means 6 times scale out,
because we have 5 minutes period of cool down). Then when it drops to 25% for 9 minutes and it will scale in once after 5 mins (since the
average of the last 5 minutes is under 30% ), so it will decrease by 1, so 4 in total. Then it will have a cooldown of 5 minutes before scaling
in again, but since only 4 minutes left from 9 minutes (9-5 = 4), it won't scale in again. So, 4 in total.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-autoscale-performance-schedule
https://docs.microsoft.com/en-us/azure/azure-monitor/autoscale/autoscale-understanding-settings
upvoted 100 times

I respect your answer mlantonis, but you explaination on box 2 confused me.
Can't we just say that while it was on 90% we all know that it stays at 5 instances. When the threshold dropped down to 25% for 9
minutes, the count decreased by 1 only since it didn't reach 10 minutes.
Nonetheless, Mlantonis is correct and explanation is also correct.
upvoted 3 times

it starts at 1. Scale out if CPU > 85% over 5 min and pause during 5 min (Cool Down).
Assuming instant scaling...and CPU still at 90% at all time (very simplified view).
If CPU is at 90% for one hour we have
0 min : 1 (default)
5 min : 2
5-10 min : Still 2 (Cooldown time)
10 min : 3 (average last 5 is still CPU>90%)
10 min-15 min : Still 3
15 min : 4
and so on until we reach 5 (maximum capacity).
The calculation provided by Fed seems not correct as it is assumed that after the cool down time, the system wait another 5 min to
collect metrics which seems not the case.
upvoted 1 times

nope, for box 2 it will stay 5 as there's the coold down as well for scale in, so after 9 mins @ 25% you have to subtract 5 mins of cool
down and you remain with only 4 mins which is not reaching the 5 mins period.
upvoted 2 times
  tmub47 1 month, 3 weeks ago

6 instances will always be the maximum, regardless of how long (it starts at 1 and scales out for maximum of 5 times) = 6 instances.
Then, it will scale in by -1 every 5 minutes. 9 minutes will mean we would have lost 2, hence 4.
upvoted 1 times
  tera_baap 9 months ago

cooldown is counted after last scale out event. So those 4 mins are gone long back.
upvoted 5 times
  anantasthana2002 Most Recent  1 week ago

2 and 4
upvoted 1 times
  ZacAz104 1 month ago

answer seems wrong correct answer is 2 and 4 you have 70% for one hour so no scale then 90% for 5 minutes so goes to 2
Then you hve 90 peercent for 1 hour so you reach 5 VM then 9 minutes at 25% decreases it to 4
upvoted 1 times
  deadhead82 1 month, 1 week ago

As per me the reason why Box2 should be 4 and not 3 is because COOL DOWN period if the time when no auto-scale action will happen,
this is required so that the scaling workloads can stabilize. Think it like a break time :) .. After COOL DOWN period Auto Scale gets into
action again. Now, since the time duration mentioned is 9 minutes - the instance count dropped from 5 to 4 after the resources were
underutilized for 5 minutes. Once that happened Auto Scaling went into BREAK MODE. So at the 9th minute nothing was happening. The
instance count stayed at 4 and did not dip any further.
upvoted 1 times
  okeyken1 1 month, 3 weeks ago

The question came out 29th Dec 2021
2 and 4
upvoted 2 times

it should be 2 and 4
upvoted 1 times
  Pythonlkjh 1 month, 3 weeks ago

2 and 4
upvoted 2 times
  ZakySama 1 month, 4 weeks ago

I think it is 2 and 4
upvoted 1 times
  weril 2 months ago

2: 1(default) + 1 (every 5 mins when over 85% cpu load)
4: 1 -> 1h load over 90 % = 5 instances - 1 (every 5 mins when under 30 % load)
upvoted 1 times
  Sara_Mo 2 months ago

Box1:2. 1 default + 1 (90%)
Box2:4 (60/5=12) which maximum is 5 - 1 (25%)
upvoted 1 times

I have cleared the exam on 13thDec2021 with 772. This question was present.
upvoted 3 times

upvoted 2 times

this question is worded rather tricky. Answer 1 should be 2, the 70% has no effect on the scale out, only the 90% does because it is greater
than 85% for 5 minutes. On the other hand, answer 2 has a scale out/scale in scenario. The cpu usage is 90% for one hour which will result
in 5 vm's, the max tha tit can scale out to. but, the scale in rule applies as well so the instance count will drop by one 5-1=4
final answer 2 & 4
upvoted 3 times

Thank God everyone agrees on 2:4 as the answer. I thought something's wrong with my brain until I opened the comment section.
upvoted 10 times

haha same brother .I thought all my study was in vain
upvoted 3 times

upvoted 4 times

Box1 : 2
Box2 : 4
upvoted 3 times
You have an Azure virtual machine named VM1 that runs Windows Server 2019. The VM was deployed using default drive settings.
You sign in to VM1 as a user named User1 and perform the following actions:
✑ Create files on drive C.
✑ Create files on drive D.
✑ Modify the screen saver timeout.
✑ Change the desktop background.
You plan to redeploy VM1.
Which changes will be lost after you redeploy VM1?
A. the modified screen saver timeout
B. the new desktop background
C. the new files on drive D
D. the new files on drive C
Correct Answer: C

Correct Answer: C
For Windows Server, the temporary disk is mounted as “D:\”.

For Linux based VM’s the temporary disk is mounted as “/dev/sdb1”.
Reference:
https://www.cloudelicious.net/azure-vms-and-their-temporary-storage
upvoted 69 times
  fabylande Highly Voted  4 months ago

upvoted 6 times

This question on exam 01.02.22
Answer: C
upvoted 2 times
  sanbt 2 months, 1 week ago

This question on 12/12/21.
Most of the questions from this dump.
upvoted 4 times

C it's D
upvoted 3 times
  mhker 8 months, 1 week ago

Correct C:D
upvoted 2 times

Correct Answer is C
Redeploy
Try redeploying your virtual machine, which will migrate it to a new Azure host. If you continue, the virtual machine will be restarted and
you will lose any data on the temporary drive. While the redeployment is in progress, the virtual machine will be unavailable.
upvoted 5 times
  DanishImam 8 months, 3 weeks ago

A. the modified screen saver timeout
upvoted 1 times

answer is D. https://azure.microsoft.com/en-us/blog/virtual-machines-best-practices-single-vms-temporary-storage-and-uploaded-disks/
upvoted 3 times

C for sure.
upvoted 3 times

It's D. D is a temporary drive
upvoted 3 times

C* sorry. thought you meant drive C. you correct
upvoted 2 times

C is the answer because in Azure by default D drive is the temp drive hence what all stored inside D drive will not be available when u
redeploy and open D drive..
upvoted 2 times
  cyna58 9 months, 3 weeks ago

Please read the question carefully. Which changes will be lost after you redeploy VM1?
Its obvious it will be "D"
upvoted 1 times
  Genshin 4 months, 3 weeks ago

lmao maybe you should read his answer carefully
upvoted 3 times

The answer is correct, as drive D is temporary.
upvoted 2 times
  samgyupsal 9 months, 3 weeks ago

Correct. D: is temporary disk in Azure and files written here will be lost during redeploy.
upvoted 1 times

Correct, the Unit D is temporal
upvoted 1 times

You have an on-premises virtual machine named VM1. The settings for VM1 are shown in the exhibit. (Click the Exhibit tab.)
You need to ensure that you can use the disks attached to VM1 as a template for Azure virtual machines.
What should you modify on VM1?
A. the memory
B. the network adapters
C. the hard drive
D. the processor
E. Integration Services
Correct Answer: C
From the exhibit we see that the disk is in the VHDX format.
Before you upload a Windows virtual machine (VM) from on-premises to Microsoft Azure, you must prepare the virtual hard disk (VHD or
VHDX). Azure supports only generation 1 VMs that are in the VHD file format and have a fixed sized disk. The maximum size allowed for the
VHD is 1,023 GB. You can convert a generation 1 VM from the VHDX file system to VHD and from a dynamically expanding disk to fixed-sized.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/prepare-for-upload-vhd-image

Correct. the VIrtual hard disk is VHDx, it should be format to VHD before migration from on-premis to Azure
upvoted 44 times
  Vgopi 1 year ago
Correct
upvoted 6 times

Correct Answer: C
The Virtual hard disk is VHDx, it should be formated to VHD before migration from on-premises to Azure. Azure supports only generation
1 VMs that are in the VHD file format and have a fixed sized disk. The maximum size allowed for the VHD is 1,023 GB. You can convert a
generation 1 VM from the VHDX file system to VHD and from a dynamically expanding disk to fixed-sized.
Reference:
upvoted 36 times
  okeyken1 Most Recent  1 month, 3 weeks ago

Came out 29 Dec 2021 hard disk
upvoted 4 times
  exam999999999 2 months, 1 week ago

Good luck!!
upvoted 2 times
  rigonet 4 months, 1 week ago

Correct Answer: C
C. the hard drive
- The Virtual hard disk is VHDx, it should be formated to VHD before migration from on-premises to Azure.
Azure supports both generation 1 and generation 2 VMs that are in VHD file format and that have a fixed-size disk. The maximum size
allowed for the OS VHD on a generation 1 VM is 2 TB.
Before you upload a Windows virtual machine (VM) from on-premises to Azure, you must prepare the virtual hard disk (VHD or VHDX). You
can convert a VHDX file to VHD, convert a dynamically expanding disk to a fixed-size disk, but you can't change a VM's generation.
upvoted 2 times

Answer correct, convert HDD from VHDX to VHD however the explanation is not entirely correct as Gen2 VM's are also supported, with
VHD disks only; see https://docs.microsoft.com/en-us/azure/virtual-machines/windows/prepare-for-upload-vhd-image
upvoted 1 times

Thank you
upvoted 1 times

upvoted 1 times

Before you upload a Windows virtual machine (VM) from on-premises to Azure, you must prepare the virtual hard disk (VHD or VHDX).
Azure supports both generation 1 and generation 2 VMs that are in VHD file format and that have a fixed-size disk. The maximum size
allowed for the OS VHD on a generation 1 VM is 2 TB.
You can convert a VHDX file to VHD, convert a dynamically expanding disk to a fixed-size disk, but you can't change a VM's generation. For
more information, see Should I create a generation 1 or 2 VM in Hyper-V? and Support for generation 2 VMs on Azure.
upvoted 2 times

In 30 July 21
upvoted 1 times
  walexkino 9 months, 1 week ago

its correct Hard Drive,,, on a serious note guys this question came in the exam and i was confused,,
upvoted 4 times

Hard disk need to be format to VHD before migration
upvoted 2 times

C : is correct (VHDX to converted to Vhd )before migrate from On-prem to Azure
upvoted 1 times

Answer is correct.
upvoted 1 times

Convert-VHD -Path C:\test\MyVM.vhdx -DestinationPath C:\test\MyNewVM.vhd -VHDType Fixed
upvoted 2 times

Use Hyper-V Manager to convert the disk
Open Hyper-V Manager and select your local computer on the left. In the menu above the computer list, select Action > Edit Disk.
On the Locate Virtual Hard Disk page, select your virtual disk.
On the Choose Action page, select Convert > Next.
To convert from VHDX, select VHD > Next.
To convert from a dynamically expanding disk, select Fixed size > Next.
Locate and select a path to save the new VHD file.
Select Finish.
upvoted 5 times

Azure supports both generation 1 and generation 2 VMs that are in VHD file format and that have a fixed-size disk.
upvoted 4 times
HOTSPOT -
You have an Azure subscription that contains a virtual machine scale set. The scale set contains four instances that have the following
configurations:
✑ Operating system: Windows Server 2016
✑ Size: Standard_D1_v2
You run the get-azvmss cmdlet as shown in the following exhibit:
Hot Area:
Correct Answer:
The Get-AzVmssVM cmdlet gets the model view and instance view of a Virtual Machine Scale Set (VMSS) virtual machine.
Box 1: 0 -
The enableAutomaticUpdates parameter is set to false. To update existing VMs, you must do a manual upgrade of each existing VM.
Box 2: 4 -
Enabling automatic OS image upgrades on your scale set helps ease update management by safely and automatically upgrading the OS disk for
all instances in the scale set.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-upgrade-scale-set
  solarwinds123 Highly Voted  1 year, 2 months ago

The question asks "if the administrator changes the size", not if it gets scaled up vertically. I tested this, and if you resize the scale set all
the virtual machines get resized at once, thus 4 is the correct answer. For the second part, automatic OS updates update 20% of the VMs
at once, with a minimum of 1 VM instance at a time.
upvoted 68 times
  oshoparsi 10 months, 2 weeks ago

20% 4 = 0.8 but minimum would be 1 vm.
upvoted 3 times

Most trustworthy, and correct as per other explanations and references as well.
upvoted 9 times

Correct Answer:
Box 1: 4
If you resize the Scale Set all the VMs get resized at once, thus 4 is the correct answer.
Box 2: 1
Automatic OS updates update 20% of the VMs at once, with a minimum of 1 VM instance at a time. Also 20% of 4 = 0.8.
Reference:
https://docs.microsoft.com/en-us/learn/modules/build-app-with-scale-sets/2-features-benefits-virtual-machine-scale-sets
upvoted 61 times
  yoelalan14 2 months, 4 weeks ago

For Box 2, what about the Automatic Updated feature that is turned "off"? Wouldn't the answer be 0?
upvoted 2 times

That is patches where as this is os upgrades
upvoted 2 times
  EleChie Most Recent  3 weeks, 6 days ago
Explanation
the Get-AzVmssVM cmdlet gets the model view and instance view of a Virtual Machine Scale Set (VMSS) virtual machine.
Box 1: 0
The enableAutomaticUpdates parameter is set to false. To update existing VMs, you must do a manual upgrade of each existing VM.
Box 2: 1
Below is clearly mentioned in the official Website
"The upgrade orchestrator identifies the batch of VM instances to upgrade, with any one batch having a maximum of 20% of the total
instance count, subject to a minimum batch size of one virtual machine." So, 20% from 4 ~1
upvoted 1 times

Box 1:
In case we want to disable the windows updates, we need to set “enableAutomaticUpdates” as false
https://techcommunity.microsoft.com/t5/azure-paas-blog/azure-service-fabric-enableautomaticupdates/ba-p/834246
This is not a windows update but a VM size change.

upvoted 2 times
  c64basic 3 weeks, 4 days ago

So basically, what we are looking at here is the UpgradePolicy only, as neither of the two actions (resizing the VM and upGRADING the
OS) conern Windows settings. The top command (WindowsConfiguration) doesn't have anything to do with the questions.
upvoted 1 times

For Q2
For scale sets using Windows virtual machines, starting with Compute API version 2019-03-01, the property
virtualMachineProfile.osProfile.windowsConfiguration.enableAutomaticUpdates property must set to false in the scale set model
definition. The enableAutomaticUpdates property enables in-VM patching where "Windows Update" applies operating system patches
without replacing the OS disk. With automatic OS image upgrades enabled on your scale set, an extra patching process through Windows
Update is not required.
So its not 0 but
An upgrade works by replacing the OS disk of a VM with a new disk created using the latest image version. Any configured extensions and
custom data scripts are run on the OS disk, while data disks are retained. To minimize the application downtime, upgrades take place in
batches, with no more than 20% of the scale set upgrading at any time.
Its 4x0,2 = 0,8 => 1 (minimum)

upvoted 2 times

upvoted 1 times

definition. The enableAutomaticUpdates property enables in-VM patching where "Windows Update" applies operating system patches
without replacing the OS disk. With automatic OS image upgrades enabled on your scale set, an extra patching process through Windows
Update is not required.
upvoted 2 times
  Sara_Mo 2 months ago

Option1: 4
Option2: 1
upvoted 1 times
  magnoy 4 months, 1 week ago

0 and 4
as nothing changes simultaneously
upvoted 3 times

The correct solution is 4 and 0 since the automatic update is off.
upvoted 3 times
  Orel123 5 months, 1 week ago

The correct solution is 4 and 0 since the automatic update is off.
upvoted 2 times

(Correction - I got it mixed. Sorry)
The answer is false.
The EnableAutomaticUpdate is a property for the Windows OS configuration. Because it is set to false, the 1 VM the admin is updating will
receive an update. So the option for this option, the answer is: 1
On the other end, VM update policy is set to Automatic. This affect updates from Windows(AutomaticOSUpgradePolicy). Meaning, if
there's a new version of Windows, all machines in the scale set will receive an update. The answer here is: 4.
Option1: 1
Option2: 4
upvoted 2 times

I meant I got the previous post wrong. This is what I think is the correct answer.
upvoted 1 times

It's completely the opposite I'm afraid. The answer is false.
The EnableAutomaticUpdate is a property for the OS, Windows. Because it is set to false, none of the VM will receive an automatic update.
So the option for this is:
On the other end, VM update policy is set to Automatic. Meaning, if 1 machine is updated, the rest of the will be updated. The answer here
is: 4.
Option1: 0
Option2: 4
upvoted 3 times

(Correction - I got my answer above mixed. Sorry)
The answer is false.
Here is the correct answer...
The EnableAutomaticUpdate is a property for the Windows OS configuration. Because it is set to false, the 1 VM the admin is updating
will receive an update. So the option for this option, the answer is: 1
On the other end, VM update policy is set to Automatic. This affect updates from Windows(AutomaticOSUpgradePolicy). Meaning, if
there's a new version of Windows, all machines in the scale set will receive an update. The answer here is: 4.
Option1: 1
Option2: 4
upvoted 1 times
  Holasyaa 3 months, 3 weeks ago

Why do you even answer the questions?? To confuse peopl???
Lol
upvoted 12 times

Q1 - Answer 4 (No rolling upgrades enabled, so all the VM`s are upgraded automatically and simultaneously), for Q2 - Answer 0, the
automatic OS upgrade parameter is set to False.
upvoted 5 times

Correction, Q1 - 4, Q2 - 1: There is a missing parameter in the exhibit - RollingUpgradePolicy, which is automatically assigned, when you
enable AutomaticOSUpgradePolicy. This means 20 % by default will be the amount of instances, which will be upgraded
simultaneously. Which means 1 instance at a time.
upvoted 1 times
  AminT 7 months, 1 week ago

Yes correct answer is 4 and and 0
upvoted 3 times

should be O and 1
upvoted 6 times

For scale sets using Windows virtual machines enableAutomaticUpdates property must be set to false. This property enables applying
patches without replacing the OS disk. Neither of these questions are about applying patches, so enableAutomaticUpdates is irrelevant.
Actually the first command outputs are irrelevant for both of these questions !!
Box 1: 4
If you resize the Scale Set all the VMs get resized at once, thus 4 is the correct answer. Both the cmdlet outputs are irrelevant to this
question !!
Box 2: 1
From the second cmdlet output, you can see that OS Image upgrades are set to Automatic. To minimize the application downtime,
upgrades take place in batches, with no more than 20% of the scale set upgrading at any time.
Overall I think this is a trick question trying to fool you into thinking that since enableAutomaticUpdates is set to False, no automatic
updates will happen when the fact is that property applies only to applying OS patches.
upvoted 25 times
  dopedopedope123 7 months, 1 week ago

Agreed on 2.
n the OS Image output of the cmdlet, since most people are being misled by the "false" parameter. One must understand
enableAutomaticUpdates is within the VM and applies to things like Windows Updates and traditional updating. OS Image upgrades
being automatic means that we don't need to apply those Windows Updates within the VM, we just replace the old OS image disk with
an updated OS image disk.
This is under Requirements for configuring automatic OS Image upgrade:

definition. The above property enables in-VM upgrades where "Windows Update" applies operating system patches without replacing
the OS disk. With automatic OS image upgrades enabled on your scale set, an additional update through "Windows Update" is not
required.
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade#requirements-for-
configuring-automatic-os-image-upgrade
upvoted 1 times

It should be Box 1 is 0 and Box 2 is 1
Box 1 is 0 because "The enableAutomaticUpdates parameter is set to false"
You have to do it manually. Scale sets have an "upgrade policy" below three option
>Automatic
>Rolling
>Manual
Box 2 is 1 because OS image upgrade is based on maximum 20% of total instance. In this case, there is
4 instance x 20% = 0.80. So the answer is 1 instance
upvoted 4 times
You have an Azure subscription named Subscription1 that is used by several departments at your company. Subscription1 contains the resources
in the following table:
Another administrator deploys a virtual machine named VM1 and an Azure Storage account named storage2 by using a single Azure Resource
Manager template.
You need to view the template used for the deployment.
From which blade can you view the template that was used for the deployment?
A. VM1
B. RG1
C. storage2
D. container1
Correct Answer: B
View template from deployment history
2. You see a history of deployments for the group. In your case, the portal probably lists only one deployment. Select this deployment.
3. The portal displays a summary of the deployment. The summary includes the status of the deployment and its operations and the values that
you provided for parameters. To see the template that you used for the deployment, select View template.
Reference:

B (100%)

Correct answer B RG1. the only way to see both together storage and VM
upvoted 33 times

Correct Answer: B
upvoted 19 times

Selected Answer: B
Correct answer B RG1. the only way to see both together storage and VM
upvoted 2 times

yes it should be visible from resource group
upvoted 2 times
  Krypt11 3 months, 2 weeks ago

Correct answer B RG1.
upvoted 2 times

They really want to know that we know the portal inside out. And I'm definitely getting more practice. Easy, this one.
upvoted 1 times
  McRowdy 8 months ago

The clue here is that it is in the same RG (RG1). Hence the answer is "B"
upvoted 1 times

Correct answer is B
Automate deploying resources with Azure Resource Manager templates in a single, coordinated operation. Define resources and
configurable input parameters and deploy with script or code.
upvoted 2 times

Answer is correct
upvoted 4 times

B is correct!
upvoted 3 times

Answer is correct. RG contains link to last deployment done, and from there you can download resource template
upvoted 2 times

upvoted 3 times

resource group -- > deployment tab
upvoted 4 times

in exam 04/12/2020
upvoted 5 times
You have an Azure web app named App1. App1 has the deployment slots shown in the following table:
In webapp1-test, you test several changes to App1.

You back up App1.
You swap webapp1-test for webapp1-prod and discover that App1 is experiencing performance issues.
You need to revert to the previous version of App1 as quickly as possible.
What should you do?
A. Redeploy App1
B. Swap the slots
C. Clone App1
D. Restore the backup of App1
Correct Answer: B
When you swap deployment slots, Azure swaps the Virtual IP addresses of the source and destination slots, thereby swapping the URLs of the
slots. We can easily revert the deployment by swapping back.
Reference:

Correct Swap slots. this is advantage of using slots. where each slot has its own host name while the app content and configuration
elements are the one who are swapped. this is done seamlessly for traffic direction and no requests are dropped or downtime happens.
upvoted 40 times
  solomonmana 1 month, 2 weeks ago

Correct
upvoted 2 times

Correct Answer: B
When you swap deployment slots, Azure swaps the Virtual IP addresses of the source and destination slots, thereby swapping the URLs of
the slots. We can easily revert the deployment by swapping back.
Deployment slots are live apps with their own host names. App content and configurations elements can be swapped between two
deployment slots, including the production slot.
Deploying your application to a non-production slot has the following benefits:
1. You can validate app changes in a staging deployment slot before swapping it with the production slot.
2. Deploying an app to a slot first and swapping it into production makes sure that all instances of the slot are warmed up before being
swapped into production.
Reference:
upvoted 29 times
  kippp Most Recent  1 month, 2 weeks ago

i took the exam on 2/1/2021.. overal 59 question..failed the exam 652.. not even 10 question come from this dump.. they change to new
set
upvoted 2 times

I am depressed now, i have mine tomorrow :(
upvoted 1 times
  pmzone 3 weeks, 4 days ago

@ABhu101 - Did the questions come from this dump ?
upvoted 1 times
  aliashif 1 month, 3 weeks ago

contributor access is mandatory to access content?
upvoted 1 times
  Cloudpie 1 month, 3 weeks ago

Looks like it is mandatory because i am unable to browse beyond this page...Not sure if its worth it to buy the subscription as my exam
is on 31-Dec-21
upvoted 1 times

upvoted 1 times
  cryptokrust 3 months, 4 weeks ago

I PASSED!!!!!!! 10-23-2021 YESSSSSSSSS!!!!! I F*CKING LOVE YOU SMART BASTARDS!!!
upvoted 10 times

I guess this is why it's a premium feature huh! faster than backup restore.
upvoted 1 times

In 30 July 21
upvoted 2 times

"Discover that App1 is experiencing performance issues"
if it's about performance in App1, will swapping slot help? They are in the same infrastructure. Let's say the developer create infinite loop
and eat up server memory.
I guess the answer would be Restore from backup

upvoted 2 times

No, remember that you tested on the -test slot and swapped it with -prod, meaning that the Staging slot contains the original -prod
app which has not been changed. You can now simply swap it back and the prod slot with have the original unchanged app.
upvoted 4 times

After a swap, the slot with previously staged app now has the previous production app. If the changes swapped into the production slot
upvoted 2 times
  Sam2969 9 months, 3 weeks ago

the correct answer is D : restore the backup of App1.
first : after the swap from the staging to the production, the two slots have the same content! so the best way to revert is to restore the
backup.
upvoted 1 times

swap slot is the correct answer. ... I was wrong with my first diagnostic
upvoted 2 times

Second : the only way to swap is from Staging slot to Prod slot
upvoted 1 times

B : is correct
upvoted 2 times

Answer is correct. Swapping back the slots will revert changes
upvoted 1 times

Deployment slots are live apps with their own host names. App content and configurations elements can be swapped between two
deployment slots, including the production slot.
Deploying your application to a non-production slot has the following benefits:
You can validate app changes in a staging deployment slot before swapping it with the production slot.
Deploying an app to a slot first and swapping it into production makes sure that all instances of the slot are warmed up before being
swapped into production. This eliminates downtime when you deploy your app. The traffic redirection is seamless, and no requests are
dropped because of swap operations. You can automate this entire workflow by configuring auto swap when pre-swap validation isn't
needed.
After a swap, the slot with previously staged app now has the previous production app. If the changes swapped into the production slot
upvoted 3 times

Settings that are swapped:
General settings, such as framework version, 32/64-bit, web sockets

App settings (can be configured to stick to a slot)
Connection strings (can be configured to stick to a slot)
Handler mappings
Public certificates
WebJobs content
Hybrid connections *
Service endpoints *
Azure Content Delivery Network *
upvoted 4 times

in exam 04/12/2020
upvoted 3 times
HOTSPOT -
You have an Azure subscription named Subscription1. Subscription1 contains two Azure virtual machines VM1 and VM2. VM1 and VM2 run
Windows Server
2016.
VM1 is backed up daily by Azure Backup without using the Azure Backup agent.
VM1 is affected by ransomware that encrypts data.
You need to restore the latest backup of VM1.
To which location can you restore the backup? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Note: The new VM must be in the same region.

Reference:

File recovery can be done from any machine on internet. for restoring the VM, you can restore the backed up disk and either restore the
disk before the malware (VM) or create a any virtual machine
upvoted 75 times

Restore (Q2) is correct VM1 or new. But Q1, file recovery a little harder, After reading:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm
It constantly say VM, so they can only be restored to a VM. (Anyway the internet one says any windows PC, and support only goes back
to 7, so that not ANY windows PC).

Then there are some restrictions, that we have no idea if VM1 or WM2 comply with, along with recommendations if drivers are over a
certain size.
So assuming we can create a VM with the same OS (or client compatible OS) in the same region (which is a reasonable conclusion) we
can only recover to a New VM, because this is the only way we can be sure everything complies. But this question in my opinion is
somewhat incomplete with details.
My vote:
Q1 New Only
Q2 VM1 and New
(I am confident it is NOT internet PCs)
upvoted 1 times

the mars agent is for when we want to restore to the on-prem machine. and it says we don't have it so the option
of to any win computer is wrong .and to any new azure vm is also impossible because of the os type and region restriction concern on
both scenarios.on first it should be restored to just vms with os compatible not any new azure vm. and in second one it should be a vm
in the same azure region so again no all the new azure vms.
upvoted 4 times
  Meesaw 1 year, 1 month ago

the question is file recovery to VM1 and not from any machine on internet.
upvoted 8 times

Yes, file recovery can be done from any computer with internet connection (provided it meets a few other compatibility requirements in
this article):
2nd part - the Restore can be done to the same VM1 or to a new VM
upvoted 6 times

For file recovery, I wouldn't suggest going for the option "any computer with the internet connection" because of the OS
compatibility problem. When recovering files, you can't restore files to a previous or future operating system version. In this case,
we need either Windows Server 2016 machine or windows 10 client machines, not windows 8.1, or windows 8. Here is the link:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm#for-windows-os
Therefore, I suggest the option "VM1 and VM2 only" as we definitely know that their O.S. is compatible.
upvoted 10 times
  KOSACA 1 year, 1 month ago

If you read step 3 only Windows 10 PC can be used to restore the file from Windows Server 2016. So the "Any computer with internet
activity" is not correct. So I guess the answers are correct.
upvoted 10 times

Correct Answer:
Box 1: Any Windows computer that has Internet connectivity

For files recovery, you download and run a windows executable to map a network drive. It can only run when the OS meets the
requirements. Any computer running Windows Server 2016 or Windows 10 is suitable. File recovery can be done from any machine on the
Internet.
Note: There might be compatibility issues with any Windows computer, so consider VM1 and VM2 only as an answer.
Box 2: VM1 or a new Azure virtual machine only

For restoring a VM, you can choose 'Create new' or 'Replace existing'.
Reference:
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/backup/backup-azure-restore-files-from-vm.md#for-windows-os
upvoted 59 times
  Kizz 3 months, 2 weeks ago

Box 1 should be VM1 and VM2 only:
"Restoring files and folders is available only for Azure VMs deployed using the Resource Manager model and protected to a Recovery
Services vault."
Box 2: VM1 or New AZure VM only:
When restoring a VM, you can't use the replace existing VM option for ADE encrypted VMs. This option is only supported for
unencrypted managed disks.
https://docs.microsoft.com/en-us/azure/backup/restore-azure-encrypted-virtual-machines
upvoted 2 times
  SanjSL 3 months, 4 weeks ago

Answer to same question before was "You can recover the files to any VM within the company’s subscription". Therefore answer to
box1: VM1 & VM2
upvoted 2 times

The provided answer from ETopics is correct
Box1: VM1 or a new Azure virtual machine only.
You and MS docs clearly says that Windows Server 2016 or Windows 10 are suitable, but these are not all OS Windows system on the
internet.
Box2 it's correct
upvoted 1 times

VM1 is affected by ransomware that encrypts data.
Can we use VM1 to recover file?
upvoted 5 times

The fact that the notes say 'Note: The new VM must be in the same region' makes me think some detail is missing from the question and
the answer is probably correct.
upvoted 1 times

I want to point out that in the provided solution's link it is possible to restore a VM disk to a paired region not only same region.
[Cross Region restore can be used to restore Azure VMs in the secondary region, which is an Azure paired region.
You can restore all the Azure VMs for the selected recovery point if the backup is done in the secondary region.]
upvoted 1 times

No correct answer for the first box. the correct answer should be: any Windows2016 or Win10 computer with internet connection.
"You can restore files from a VM to the same server operating system, or to the compatible client operating system".
upvoted 1 times
  sabin001 3 months, 3 weeks ago

Correct answer
Box1: VM1 and VM2 because both vm are running same OS so we can restore file on only these two vms. (This is more specific answer)
Box2: VM1 or a new VM only
upvoted 2 times

can't restore on encrypted ransomware vm.
upvoted 1 times

Does the VM one back up without the agent have any relevance to the question?
upvoted 2 times

When I see discussions like this it really makes me question whether the provided answers are really “expert verified”. The question itself is
horrible and the discussion is all over the place as to what the answer is that they are looking for on the test.
upvoted 3 times

Top answer is false:
- From any computer on Windows you can log on to your account with your credentials to download a file. From the File recovery option
blade, you do the following:
- Download an executable
- Copy & enter enter the credentials given to you when prompted.
Then you will be presented with a file explorer from which you can select the files to download.
Second box: Answer is correct.

upvoted 1 times

In exam 09/20/2021
upvoted 1 times
  islam01 5 months ago

Guys , i think i have the Final answer for you for the 1st Question , just follow along please :
We know that we can perform a file recovery on the VM2 beacause it's got Windows Server 2016 installed (same as VM1), so we need an
answer that includes VM2 , there is only one which is : VM1 AND VM2 ONLY . thank you and good luck
upvoted 1 times
  cosine 5 months, 3 weeks ago
Box1: A new Azure virtual machine only - When VM is infected by ransomware, you should avoid do file recovery to the infected machine.
It will end up the files to be encrypted again.
Box2: VM1 or a new Azure virtual machine only - you can restore the image backup on the infected machine and new machine.
upvoted 3 times

upvoted 2 times

Answers Q`: VM1 and VM2 only (You can`t run the executable on an OS different from Win10 or Win 2016 in this case); Q2 - VM1 or New Az
VM (these are the two available options in the restore wizard).
upvoted 3 times

Box 1: VM1 or VM2.
They're both W2k16; When recovering files, you can't restore files to a previous or future operating system version. For example, you can't
restore a file from a Windows Server 2016 VM to Windows Server 2012 or a Windows 8 computer. You can restore files from a VM to the
same server operating system, or to the compatible client operating system.
Box 2: VM1 or new Azure virtual machine only.
Create New or Replace Existing https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms

upvoted 11 times
  dopedopedope123 7 months, 1 week ago

VM1 or VM2 would certainly be capable, but not only. You could also create a new VM with Windows 2016 or off the VM1 snapshots
though.
upvoted 1 times
  JayBee65 8 months, 1 week ago

Since you can definitely restore to a new machine, then VM1 or a new Azure VM must be correct. See here https://docs.microsoft.com/en-
us/azure/backup/backup-azure-arm-restore-vms
upvoted 1 times
You plan to back up an Azure virtual machine named VM1.

You discover that the Backup Pre-Check status displays a status of Warning.
What is a possible cause of the Warning status?
A. VM1 is stopped.
B. VM1 does not have the latest version of the Azure VM Agent (WaAppAgent.exe) installed.
C. VM1 has an unmanaged disk.
D. A Recovery Services vault is unavailable.
Correct Answer: B
The Warning state indicates one or more issues in VM‫ג‬€™s configuration that might lead to backup failures and provides recommended steps
to ensure successful backups. Not having the latest VM Agent installed, for example, can cause backups to fail intermittently and falls in this
class of issues.
Reference:
https://azure.microsoft.com/en-us/blog/azure-vm-backup-pre-checks/

Answer is Correct,
Check the REF they provided, and this REF by Microsoft also, proves that:
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/backup/backup-azure-manage-windows-server.md
upvoted 5 times

Correct
upvoted 1 times

[Warning: This state indicates one or more issues in the VM's configuration that might lead to backup failures. It provides
recommended steps to ensure successful backups. For example, not having the latest VM Agent installed can cause backups to fail
intermittently. This situation will provide a warning state.]
https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/backup/backup-azure-manage-windows-server.md
upvoted 1 times
  JIGT Most Recent  1 month, 3 weeks ago

vm is stopped
upvoted 2 times

You can backup a stopped VM.
upvoted 4 times

Got this on 27/10 exam
upvoted 2 times
  LeomHD 4 months, 3 weeks ago

correcto según la URL
upvoted 1 times
Solution: From the Overview blade, you move the virtual machine to a different resource group.
A. Yes
B. No
Correct Answer: B
Reference:

B (100%)

Redeploy the machine, Reply If i was wrong
upvoted 6 times

As the other questions of this type have stated. Redeploy the machine.
upvoted 2 times
  j777 Most Recent  4 days, 17 hours ago

So, what is the difference between move and redeploy? Because from what I read redeploy is actually turning off the machine. While
moving is just going to another location without powering down. I would think you would still have the same settings.
upvoted 1 times

Selected Answer: B
redeploy
upvoted 2 times
HOTSPOT -
You plan to use Azure Resource Manager templates to deploy 50 Azure virtual machines that will be part of the same availability set.
You need to ensure that as many virtual machines as possible are available if the fabric fails or during servicing.
How should you configure the template? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: 2 -
Use two fault domains.
2 or 3 is max, depending on which region you are in.
Box 2: 20 -
Use 20 for platformUpdateDomainCount
Increasing the update domain (platformUpdateDomainCount) helps with capacity and availability planning when the platform reboots nodes. A
higher number for the pool (20 is max) means that fewer of their nodes in any given availability set would be rebooted at once.
Reference:
https://www.itprotoday.com/microsoft-azure/check-if-azure-region-supports-2-or-3-fault-domains-managed-disks
https://github.com/Azure/acs-engine/issues/1030

first box: platformFaultDomainCount should be 3 (since its in East US)
ref: https://stackoverflow.com/questions/49779604/how-to-find-maximum-update-domains-fault-domains-available-in-an-azure-region
second box: platformUpdateDomainCount = 20

upvoted 30 times
  MahadevVasista 3 months ago

I agree with 3 FD , since we have condition "You need to ensure that as many virtual machines needs to be available on failure"
Having 3 FD will ensure - 1FD: 17vM, 2FD : 17VM and 3FD : 16VM each.
If One FD goes down we will have max VM's available at any given time rather than choosing 2 FD 's of 25VM each.
upvoted 2 times

Yeah it is a trick; UpdateDomains are up to 20 Domains only,
there isn't 30/40 update domains available for a single availability-set, so far in azure
upvoted 1 times
  vijesh_shenoy 4 months, 3 weeks ago

Yes, but they have the below caveat:
"You need to ensure that as many virtual machines as possible are available if the fabric fails or during servicing.".
East US - you could have 2-3 fault domains.

So, Correct answer is 2 and 20
upvoted 2 times
  EleChie Most Recent  3 weeks ago

Number of Fault Domains per region
Region Max # of Fault Domains
East US 3
East US 2 3
West US 3
West US 2 2
Central US 3
North Central US 3
South Central US 3
West Central US 2
Canada Central 3
Canada East 2
North Europe 3
West Europe 3
UK South 2
UK West 2
East Asia 2
South East Asia 2
Japan East 2
Japan West 2
South India 2
Central India 2
West India 2
Korea Central 2
Korea South 2
UAE North 2
China East 2
China East 2 2
China North 2
China North 2 2
Australia East 2
Australia Southeast 2
Australia Central 2
Australia Central 2 2
Brazil South 2
US Gov Virginia 2
US Gov Texas 2
US Gov Arizona 2
US DoD Central 2
US DoD East 2
Ref: https://github.com/MicrosoftDocs/azure-docs/blob/master/includes/managed-disks-common-fault-domain-region-list.md#number-
of-fault-domains-per-region
upvoted 1 times

Availability sets can be configured by assigning a fault domain and an update domain. Fault domain represents a group of servers that
have shared power, cooling, and networking, while an update domain represents a group of servers that can be rebooted at the same
time. Each availability set can have up to 20 update domains and 3 fault domains. This reduces the impact to VMs from physical hardware
failures, such as server, network, or power interruptions on one of the physical racks. It is important to understand that the availability set
must be set at creation time of the virtual machine.
Washam, Michael . Exam Ref AZ-104 Microsoft Azure Administrator (S.153). Pearson Education. Kindle-Version.
upvoted 2 times
  Vlad_83 2 months ago

update: eastUS -> 3 fault domains ( region dependent )
update domains is 20 everywhere
upvoted 1 times
  Vlad_83 2 months ago

should be region dependent; some have 3 some have only 2 fault domains - a nice Q from microsoft as usual
upvoted 3 times

platformfaultdomaincount max
for example if it's japan: it's 2 , if it's us it will be 3
upvoted 1 times

- 3 not 3
- 20
upvoted 1 times

its 3 and 20 not 2
upvoted 2 times

USEast - Of we used 3 fault domains and 1 failed we would still have 13 devices minimum available. If we only used 2 then we would have
10 available on failure. How is the answer provided of 2 correct? The math does not show it to be so.
upvoted 1 times

can someone explain what the effect is of having 2 vs 3 fault domains in the case of a fabric failure?
upvoted 1 times
  binq 2 months, 3 weeks ago

Having 3 fault domains, will spread 50 VMs over 3 unplanned failures/maintanance. In each group you'd have apox 16VMs, so that's
how many could be affected by single failure. With 2 groups you have 25 each, and 25 VMs go out on single failure.
upvoted 2 times
  theOldOne 4 months ago

I did in my comment
upvoted 2 times
Solution: You create an Azure Log Analytics workspace and configure the Agent configuration settings. You install the Microsoft Monitoring Agent
on VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.
A. Yes
B. No
Correct Answer: A
Alerts in Azure Monitor can identify important information in your Log Analytics repository. They are created by alert rules that automatically
run log searches at regular intervals, and if results of the log search match particular criteria, then an alert record is created and it can be
configured to perform an automated response.
providers, and on- premises. It collects data into a Log Analytics workspace.
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-response https://docs.microsoft.com/en-us/azure/azure-
monitor/platform/agents-overview
  ScoutP Highly Voted  4 months, 2 weeks ago

upvoted 7 times
  odisor Most Recent  1 week, 5 days ago

upvoted 3 times

Correct.
upvoted 2 times
HOTSPOT -
You deploy a virtual machine scale set that is configured as shown in the following exhibit.
Use the drop-down menus to select the answer choice that answers each question based on the information presented in the graphic

Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-autoscale-portal
  shravan101 Highly Voted  1 month, 3 weeks ago

box-1 : 3
box-2: 1
upvoted 10 times
why is it 1 on the second question, it decreases by 1 when CPU utilization goes below 25%, but there is no rule for when to count down
again and so on ? it only exist for the scale out rule.
upvoted 4 times
  Nichols Most Recent  1 week ago

Impossible to answer box-2, because we don't know the duration and cool down for scale in...
upvoted 2 times

It says it is for 15 minute so the minimum is 1 and add one after 10 minute then it is 2
The answer is
box-1 : 2
box-2: 1
upvoted 2 times
  cjAzure 1 month, 2 weeks ago

I think you are mistaking the initial instance count (which is 2) as the minimum (which is the number of VMs to add when the threshold
is crossed).
upvoted 4 times
  slsl 1 month, 2 weeks ago

Agree, since it says that the scale set starts at 9:00, it means it starts with 2 instances.
upvoted 4 times
  safwansalama 2 months, 1 week ago

correct
upvoted 1 times
  drainuzzo 2 months, 1 week ago

correct for me
upvoted 2 times

Scale out: 3
Scale in: 1
upvoted 2 times
You have web apps in the West US, Central US and East US Azure regions.
You have the App Service plans shown in the following table.
You plan to create an additional App Service plan named ASP5 that will use the Linux operating system.
You need to identify in which of the currently used locations you can deploy ASP5.
What should you recommend?
A. West US, Central US, or East US
B. Central US only
C. East US only
D. West US only
Correct Answer: A
Reference:

A (67%) C (33%)
  JESUSBB Highly Voted  2 months, 1 week ago

Ans: A. West US, Central US, or East US
upvoted 10 times
  LeomHD 1 month, 1 week ago

how do you know?
upvoted 2 times

He took the exam, that's how he knows that question was in his exam
upvoted 1 times
  Snownoodles Highly Voted  1 month, 3 weeks ago

Hi guys:
What does this question want to test?
I couldn't get the point.
upvoted 6 times
  JohnCox 1 month ago

I might be missing something but it seems to be an absolutely pointless question
upvoted 2 times
  oyetd Most Recent  5 days, 1 hour ago

Selected Answer: C
I think C... I believe not A though.
upvoted 1 times

Selected Answer: A
Correct.
upvoted 1 times
  blockhead72 1 month, 3 weeks ago

Selected Answer: A
Correct
upvoted 1 times
  MrMacro 2 months ago

You are creating a new App Service Plan so you can deploy to any of the locations listed, hence the correct answer is A.
upvoted 5 times
  nicepraveen 2 months, 1 week ago

i think its C?
upvoted 2 times

"You need to identify in which of the currently used locations you can deploy ASP5"
A. West US, Central US, or East US

upvoted 5 times
Manager template.
A. the New-AzConfigurationAssignment cmdlet
B. a Desired State Configuration (DSC) extension
C. Azure Active Directory (Azure AD) Application Proxy
D. Azure Application Insights
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-overview

B. a Desired State Configuration (DSC) extension
upvoted 10 times
  Empel Most Recent  6 days, 3 hours ago

Question 59 was the same, is repeated. Desired State Configuration (DSC) extension by the way
upvoted 1 times
  reddragondms 1 month, 1 week ago

Correct Answer: B
upvoted 4 times

Publish-AzVMDscConfiguration
upvoted 1 times

Correct. B.
upvoted 1 times
HOTSPOT -
In Azure Cloud Shell, you need to create a virtual machine by using an Azure Resource Manager (ARM) template.
How should you complete the command? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/powershell/module/az.resources/new-azresourcegroupdeployment?view=azps-6.6.0
  ninjia Highly Voted  1 month, 3 weeks ago

Box 1: New-AzResourceGroupDeployment. This cmdlet allows you to use a custom ARM template file to deploy resources to a resource
group. For example:
New-AzResourceGroup -Name $resourceGroupName -Location "$location"

New-AzResourceGroupDeployment `
-ResourceGroupName $resourceGroupName `
-TemplateUri "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.compute/vm-simple-
windows/azuredeploy.json" `
-adminUsername $adminUsername `
-adminPassword $adminPassword `
-dnsLabelPrefix $dnsLabelPrefix
Box 2: -ResourceGroupName RG1. It’s one of parameters of New-AzResourceGroupDeployment to specify to which resource group you
want to deploy resources.
You could use New-AzVm to create a VM, but it doesn’t use a template. You would need to provide all parameters in the command line.
Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/ps-template
https://docs.microsoft.com/en-us/powershell/module/az.compute/new-azvm?view=azps-7.0.0
upvoted 7 times

I think the answer is correct.
$resourceGroupName = Read-Host -Prompt "Enter the Resource Group name"

$location = Read-Host -Prompt "Enter the location (i.e. centralus)"
$adminUsername = Read-Host -Prompt "Enter the administrator username"
$adminPassword = Read-Host -Prompt "Enter the administrator password" -AsSecureString
$dnsLabelPrefix = Read-Host -Prompt "Enter an unique DNS name for the public IP"
New-AzResourceGroup -Name $resourceGroupName -Location "$location"

______________________________________________
-ResourceGroupName $resourceGroupName `
-TemplateUri "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.compute/vm-simple-
windows/azuredeploy.json" `
-adminUsername $adminUsername `
-adminPassword $adminPassword `
-dnsLabelPrefix $dnsLabelPrefix
-------------------------------------------------------------------------------
(Get-AzVm -ResourceGroupName $resourceGroupName).name

upvoted 7 times
  husam421 Most Recent  1 week, 5 days ago

New-AzResourceGroupDeployment -ResourceGroupName myResourceGroup -TemplateFile
-Name ExampleDeployment `
-ResourceGroupName RG1 `
-TemplateFile
Answer is correct
upvoted 1 times
  MaximKotov 1 month, 3 weeks ago

The answer is correct! Don't take the command name literally. It's using for custom template deployment. We specify the name of an
existing group and the path to the template.
upvoted 1 times

The resource group is already created as per the question. It is asking for the command to deploy a vm, thus the answer is "New-
AZvm".....second part "-ResourceGroupName RG1"
upvoted 1 times
  adrian_borowski 1 month, 3 weeks ago

Lab thing guys before posting! You are wrong. New-AzVm does NOT accept argument TemplateUri
upvoted 3 times
  MrBlueSky 1 month, 2 weeks ago

No. The fact that this is a VM is already specified in the ARM template. We only need to give it a command to deploy into a resource
group, and then specify which resource group.
upvoted 3 times
  Yaydel 2 months ago

Answer is correct.
https://docs.microsoft.com/ko-kr/powershell/module/az.resources/new-azresourcegroupdeployment?view=azps-0.10.0
upvoted 2 times
  hanahjane13 2 months, 1 week ago

New-AzVm `
-ResourceGroupName "myResourceGroup" `
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/quick-create-powershell
upvoted 1 times

You are wrong. New-AzVm does NOT accept argument TemplateUri
upvoted 2 times
Question #1 Topic 5
HOTSPOT -
You have an Azure subscription that contains a virtual network named VNet1. VNet1 uses an IP address space of 10.0.0.0/16 and contains the
VPN Gateway and subnets in the following table:
Subnet1 contains a virtual appliance named VM1 that operates as a router.

You create a routing table named RT1.
You need to route all inbound traffic from the VPN gateway to VNet1 through VM1.
How should you configure RT1? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
  Tom900 Highly Voted  1 year, 2 months ago

Answer is correct.
See the explanation below from AZ-103 source.

Address prefix- destination-> Vnet 1 (Address space of Vnet1)

2. Next Hop - VM1 ->Virtual Appliance (You can specify IP address of VM 1 when configuring next hop as virtual appliance)
3.Assignment - This route is to be followed by Gateway Subnet for the incoming traffic. You can associate routing table to the Subnet from
Rout Table -> subnet ->Associate
upvoted 47 times

Agree!
upvoted 2 times

Correct Answer:
Box 1: 10.0.0.0/16
Address prefix
destination-> Vnet 1 (Address space of Vnet1)
Box 2: Virtual appliance

Next hop type
VM1 ->Virtual Appliance. You can specify IP address of VM 1 when configuring next hop as Virtual appliance.
Box 3: Gateway Subnet

Assigned to
This route is to be followed by Gateway Subnet for the incoming traffic. You can associate routing table to the Subnet from Rout Table ->
subnet ->Associate.
upvoted 36 times
  Tokawa Most Recent  4 months, 3 weeks ago

Why is this not an IP address for Subnet1?
upvoted 1 times

Answer is correct:
- Source: 10.0.254.0
- Next Hop: NVA
- Assigned to 10.0.0.0/16. This covers 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24
upvoted 1 times

I can picture this question coming in every single test. Answer is correct
upvoted 2 times

In 30 July 2021
upvoted 4 times
  _UNA_ 7 months, 1 week ago

You can watch this video for more clarity https://www.youtube.com/watch?v=sBII38Fngmk
upvoted 4 times

thanks for sharing
upvoted 1 times

This question came in Exam
upvoted 2 times
  Raj_az104 10 months, 4 weeks ago

How did we get 10.0.0.0/16
upvoted 2 times
  SnakePlissken 9 months, 4 weeks ago

10.0.0.0/16 is the IP address space of VNET1.
upvoted 1 times

Because we want all data from the /16 to go to the router.
upvoted 6 times

Address prefix- destination-> Vnet 1 (Address space of Vnet1)
2. Next Hop - VM1 ->Virtual Appliance (You can specify IP address of VM 1 when configuring next hop as virtual appliance)
3.Assignment - This route is to be followed by Gateway Subnet for the incoming traffic. You can associate routing table to the Subnet from
Rout Table -> subnet ->Associate
upvoted 5 times
  toniiv 12 months ago

Answer is perfectly correct. Route is assigned to GW subnet, since inbound traffic comes to that Subnet, then redirects all 10.0.0.0/16
traffic to the VM router appliance
upvoted 2 times
  fedztedz 1 year, 1 month ago

Answer is correct.
- Address Prefix, (like the target address in the subnet). The whole virtual network. Accordingly, it should be 10.0.0.0/16
- Next hop: next address to send the packets to is "Virtual appliance"
- the subnet where the routing table exists: gateway subnet, as the gateway is the one who receives the communication from on-perm
addresses.
upvoted 20 times
  dandirindan 1 year, 2 months ago

you can think of gateway subnet is the input point (all inbound traffic) for your virtual network (or virtual machine) through a routing
table. the routing table gets traffic from subnet and route to virtual appliance. the virtual appliance should be the next hop allowed traffic
is transmitted
upvoted 10 times

Called sometimes a transit gateway.
upvoted 2 times

Anyone able to explain why its the Gateway Subnet?
upvoted 2 times

Because it's routing all inbound traffic from the VPN gateway.
upvoted 11 times
Question #2 Topic 5
You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.
You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.
You need to ensure that visitors are serviced by the same web server for each request.
A. Floating IP (direct server return) to Enabled
B. Floating IP (direct server return) to Disabled
C. a health probe
D. Session persistence to Client IP and Protocol
Correct Answer: D
With Sticky Sessions when a client starts a session on one of your web servers, session stays on that specific server. To configure An Azure
Load-Balancer For
Sticky Sessions set Session persistence to Client IP.
On the following image you can see sticky session configuration:
Note:
There are several versions of this question in the exam. The question can have other incorrect answer options, including the following:
1. Idle Time-out (minutes) to 20
2. Protocol to UDP
Reference:
https://cloudopszone.com/configure-azure-load-balancer-for-sticky-sessions/

Answer is correct, D - Session Persistence to Client IP and Protocol
upvoted 28 times
  fedztedz Highly Voted  1 year, 1 month ago

Answer is correct. "D"
upvoted 24 times

it is right answer "Session persistence"
upvoted 1 times

Passed 11 Oct 2021 with 947. This question appeared, correct Answer is D
upvoted 4 times

Answer is D.
upvoted 2 times
  nimz77 6 months, 1 week ago

came in 8.8.2021 exam.
upvoted 4 times
  nimz77 6 months, 1 week ago

Same in 8.8.2021 exam.
upvoted 2 times

in exam 7/3/2021
upvoted 3 times

upvoted 3 times

upvoted 2 times

Correct Answer: D
Load-Balancer for Sticky Sessions set Session persistence to Client IP.
upvoted 21 times
  allray15 11 months, 1 week ago

its WRONG! - just kidding, its correct :D
upvoted 2 times
  Nickus 10 months, 4 weeks ago

AJAJAJAJAJ ;)
upvoted 1 times

D is correct!
upvoted 3 times
  Evette 11 months, 3 weeks ago

ANSWER IS CORRECT
upvoted 2 times

Aswer D. is correct. Session persistence
upvoted 2 times
Question #3 Topic 5
HOTSPOT -
You have an Azure subscription that contains the virtual machines shown in the following table:
VM1 and VM2 use public IP addresses. From Windows Server 2019 on VM1 and VM2, you allow inbound Remote Desktop connections.
Subnet1 and Subnet2 are in a virtual network named VNET1.
The subscription contains two network security groups (NSGs) named NSG1 and NSG2. NSG1 uses only the default rules.
NSG2 uses the default rules and the following custom incoming rule:
✑ Priority: 100
✑ Name: Rule1
✑ Port: 3389
✑ Protocol: TCP
✑ Source: Any
✑ Destination: Any
✑ Action: Allow
NSG1 is associated to Subnet1. NSG2 is associated to the network interface of VM2.
Hot Area:
Correct Answer:

Answer is correct . No, Yes, Yes.
No: VM1 has default rules which denies any port open for inbound rules
Yes: VM2 has custom rule allowing RDP port
Yes: VM1 and VM2 are in the same Vnet. by default, communication are allowed
upvoted 97 times
  Irgond07 7 months, 2 weeks ago

Ansere should be No Yes No,
No: VM1 has default rules which denies any port open for inbound rules
Yes: VM2 has custom rule allowing RDP port

No: VM1 and VM2 are in the same Vnet but associated different NSG's.
upvoted 6 times
  Mozbius_ 1 week, 1 day ago

Last is YES.
NSGs allow INBOUND & OUTBOUND traffic within a same Vnet by default [in&out rules 65000]. Any INBOUND INTERNET
connection/aka coming from the internet is denied by default [inbound Rule 65500]. Any OUTBOUND INTERNET connections /aka
going out to the internet is allowed by default [outbound Rule 65001]).
NSG2 has the added rule that it allows any inbound RDP connection [rule 100].
Therefore NSG1 allows VM1 to go OUT INSIDE the Vnet1 using all ports & protocols.
NSG2 allows all Vnet1 originating traffic on all ports & protocols by default.
The added rule 100 is explicitely opening RDP larger by allowing RDP from the internet.
upvoted 1 times
  d0bermn 8 months, 1 week ago

you are right, but for vm1->vm2 not bcoz vms are in the same vnet, but bcoz vm1->vm2 connect allowed in nsg2, assigned to vm2 nic
(as in 2nd q)
upvoted 8 times
  Ougesh 11 months, 4 weeks ago

Since VM2 is in subnet1 and NSG1 applied to subnet1 which should deny inbound connection from Internet. Therefore i guess you
cannot connect to VM2 from internet? Is it correct please?
upvoted 3 times

@Ougesh, i was bothered by this as well. but then i noticed that VM1 is in Subnet1, and VM2 is in Subnet2 from the table. So VM2 is
NOT in subnet1, accordingly RDP to VM2 is fine (as only NSG2 is applied to NIC of VM2)
upvoted 2 times

Agree, nothing to add
No, Yes, Yes.
upvoted 3 times

Correct Answer:
Box 1: No
NSG1 has default rules, which denies any port open for inbound rules
Box 2: Yes
NSG2 has custom Rule1, allowing RDP port 3389 with TCP.
Box 3: Yes
VM1 and VM2 are in the same Vnet. By default, communication is allowed.
upvoted 47 times
  Pak149 Most Recent  1 week, 1 day ago

No, No Yes
upvoted 2 times
  Pak149 1 day, 21 hours ago

NO, Yes, Yes - since the NSG1 is assigned to subnet 1 only.
upvoted 1 times
  FabioVi 1 month ago

The answer should be NO for the 3 options.
NSG1 (that denies by default) is at the Subnet level but NSG2 (that allows) is in the NIC of VM2, so all 3389 incoming traffic would be
denied by the default rule in NSG1, because NSG rules at subnet level are processed before NSG rules at NIC level.
Same for Intra-Subnet traffic, because: "It's important to note that security rules in an NSG associated to a subnet can affect connectivity
between VM's within it"...
as stated in: https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works#intra-subnet-traffic
upvoted 2 times

Should be 'Yes' for option 3 as there are no NSGs associated to Subnet 2. The NSG is associated to the NIC of VM2, and there is a rule
allowing RDP so it should be 'Yes'
upvoted 1 times

NO , YES , YES
upvoted 1 times

Lab Tested: N-N-Y if NSG1 blocks all RDP traffic from internet.
upvoted 1 times
  SSJunk 1 month, 2 weeks ago

The second question should be Y, so N-Y-Y. The reason is that VM2 is on subnet2 that does not have an NSG assigned, the NSG2 is
assigned to the NIC of VM2 which allows RDP from the Internet.
Only subnet1 has the NSG (NSG1) assigned at that level.

upvoted 1 times

For inbound traffic, Azure processes the rules in a network security group associated to a subnet first, if there is one, and then the rules
in a network security group associated to the network interface, if there is one.
This means for RDP traffic coming in from inyternet, NSG1 blocks RDP and does not even reach NSG in the NIC to allow RDP
upvoted 1 times

Correct answer: N-Y-Y
upvoted 3 times

No
Yes
Yes
upvoted 1 times

- create a new Windows VM, ensure RDP is ticked (by default), a new NSG for the NIC will be created
- create a new NSG under Network Security Groups
Go into both NSG's and look at the rules; all your answers will be there.
Extra points
- create a new Subnet with default values and see if a new NSG is created for it.
- deploy a new Windows VM into it with RDP enabled, try to connect to it
- disconnect RDP, associate that unassigned (default) NSG to the subnet. see what happens with RDP
PS. You can disable inter-subnet comms explicitly

upvoted 1 times
  VLADIM 4 months, 2 weeks ago

I think the Box 1: No
"If NSG1 has a security rule that allows port ... the traffic is then processed by NSG2. To allow port ... to the virtual machine, both NSG1 and
NSG2 must have a rule that allows port..."
upvoted 1 times

NO NO YES
upvoted 4 times

Agreed. RDP should be allowed at both subnet level NSG and NIC level NSG.
upvoted 1 times
  Ekambaram 5 months ago

correct ans:no,no,yes
upvoted 1 times

No, Yes, Yes
From the internet, you cannot connect to VM1 because the default NSG has a DenyAllOutBound except between Vnet(AllowVNetInBound)
and internal load balancers(AllowAzureLoadBalancerInBound).
VM2 network allows all RDP connect. VM1 & VM2 can connect because both subnets have not restrictions rules in their respective NSGs.
upvoted 1 times
  bb0 6 months, 1 week ago
first question - The Public IP is assigned to Nic and NSG1 is applied to subnet - Does this not mean you can bypass the VNet\Subnet VM1 is
connected to?
upvoted 1 times

upvoted 3 times
  trynapassmane 7 months, 2 weeks ago

NO YES YES
1.VM1 is using default rules. Internet inbound in default is denied from "DenyAllInbound"
2.VM2 as we can see has custom rules and is allowing any so this is YES.
3. Since this is VM1 to VM2 we have to look at if VM1 outbound is allowed and if VM2 inbound is allowed. We already know from the
custom rules everything is allowed for VM2. VM1 is by default allowed to connect to VNET outbound from default rule
"AllowVnetOutBound". So it works for both. [P.S.] Others say by default VMs on same VNET can connect automatically which is true but idk
if the question saying via RDP makes a difference.
Here is the reference and be sure to check the priority of rules to see which one comes first.
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#default-security-rules
upvoted 5 times
  jojorabbit2021 7 months, 3 weeks ago

Don't meant to throw you guys off but:
How do you intend to RDP into VM2 from VM1 when you can't RDP into VM1 in the first place? This question is in Whizlabs and answers
are: No-Yes-No
upvoted 2 times
  kb8bo 6 months, 3 weeks ago

I also found this in Whizlabs - they say No for part 3 as you can't RDP to VM1 in the first place. If this is the answer, it's a very misleading
question.
upvoted 2 times

yea me too, I thought that was not cool.
upvoted 1 times
  Tiwenty 7 months, 2 weeks ago

The question isn't "can you RDP into VM1 then from there RDP into VM2", don't overcomplicate it.
upvoted 4 times
Question #4 Topic 5
HOTSPOT -
You have a virtual network named VNET1 that contains the subnets shown in the following table:
You have Azure virtual machines that have the network configurations shown in the following table:
For NSG1, you create the inbound security rule shown in the following table:
For NSG2, you create the inbound security rule shown in the following table:
Hot Area:
Correct Answer:
Box 1: Yes -
The inbound security rule for NSG1 allows TCP port 1433 from 10.10.2.0/24 (or Subnet2 where VM2 and VM3 are located) to 10.10.1.0/24 (or
Subnet1 where
VM1 is located) while the inbound security rule for NSG2 blocks TCP port 1433 from 10.10.2.5 (or VM2) to 10.10.1.5 (or VM1). However, the
NSG1 rule has a higher priority (or lower value) than the NSG2 rule.
Box 2: Yes -
No rule explicitly blocks communication from VM1. The default rules, which allow communication, are thus applied.
Box 3: Yes -
No rule explicitly blocks communication between VM2 and VM3 which are both on Subnet2. The default rules, which allow communication, are
thus applied.
Reference:

I believe it should be No, Yes, Yes. The NSG2 on the NIC of VM1 blocks the request that passes through NSG1 which is attached on the
subnet. There is no priority bypass between NSGs. Traffic is filtered independently between NSGs.
upvoted 136 times
  rcdumps 1 year, 2 months ago

The NSG2 blocks INBOUND requests, not OUTBOUND, hence VM2 can reach VM1.
upvoted 6 times

thought so too but it is wrong. Look at the destination addresses.
Basically you can imagine that NSG1 covers subnet 1 and NSG2 covers VM1 specifically. Tricky question, but answer is No. VM3 could
RDP into VM1, if that makes it more clear.
upvoted 3 times
  JamesDC 1 year ago

Oh Dear!... do you understand VM2 and VM is on different subnets and both NSGs are applicable on subnet1 resources... so, there's
no concept of outbound rule... Agree with Jhon, NSG1 is on subnet and NSG2 is on NIC, even VM2 can enter to the sunbet1 but NSG2
will block while going to VM1.
upvoted 15 times
  rusll 1 year, 2 months ago

I agree, mixing the rules would create a problem : in case we have two rules with the same priority, how would we decide ...
upvoted 1 times
  aaa112 Highly Voted  1 year, 1 month ago

1. NO - VM1 has the NSG1 on Subnet1, which allows traffic over port 1433 between Subnet2 and Subnet1. BUT NSG2 also applied on NIC
level for VM1 that blocks the traffic on port 1433. Hence No traffic allowed. Answer is NO.
2. YES - For VM2 there are no NSGs applied neither on subnet or NIC level hence all traffic is allowed.
3. YES - For VM3 there are no NSGs applied neither on subnet or NIC level hence all traffic is allowed.
upvoted 90 times

Your answer is correct. NYY. Just a small correction. For traffic from VM1 two network security groups apply but both have the default
rule AllowVnetOutbound so the outbound traffic to VM2 is allowed. For VM2 no network security group applies so the inbound traffic is
allowed as well.
upvoted 2 times
  monus 5 months ago

yes, NSG at subnet as well as VM has to be open in order to allow traffic
upvoted 1 times
  LeomHD 5 months ago

Here explanation priority Subnet over NIC: https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-
works
upvoted 1 times
  RogerDingo 1 year, 1 month ago

thanks for confirming.. i came to the same conclusion as you.
upvoted 7 times
  EleChie Most Recent  2 weeks, 1 day ago

I vote YES for 1st box
Since the NSG2 policy applied for inbound traffic. which means if this security rule was/is applied on Outbound security rule on NSG2 then
the answer will definitely be - NO
Inbound rule - incoming traffic
Outbound rule - outgoing traffic
upvoted 1 times

upvoted 1 times
Answer is Y, Y, Y
https://www.ccna7.com/you-have-a-virtual-network-named-vnet1-that-contains-the-subnets-shown-in-the-following-table/
upvoted 1 times

The answer should be NO for the 3 options.
NSG1 (that denies by default) is at the Subnet level but NSG2 (that allows) is in the NIC of VM2, so all 3389 incoming traffic would be
denied by the default rule in NSG1, because NSG rules at subnet level are processed before NSG rules at NIC level.
Same for Intra-Subnet traffic, because: "It's important to note that security rules in an NSG associated to a subnet can affect connectivity
between VM's within it"...
as stated in: https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works#intra-subnet-traffic
upvoted 2 times

Sorry, my comment was for the previous question: Question #3 Topic 5... :-(
upvoted 2 times

VM1 example(picture included): https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works#inbound-
traffic
upvoted 1 times

No, and No=> (VM1/2) dedicated block by 125
Yes => (VM2/3) Same Subnet
upvoted 1 times

No, Yes, Yes.
upvoted 2 times

correct answer
No Yes Yes
upvoted 2 times

Tested (Revision to my previous comment)
Azure routes traffic between all subnets within a virtual network, by default.
The answer is No, Yes, Yes.
box1: vm2 cannot connect to vm1 because blocked by nsg2
box2: vm1 can connect to vm2 because vm2 doesn't have any nsg attached.
box3: vm2 can connect to vm3 because vm3 doesn't have any nsg attached.
https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-create-route-table-portal
upvoted 1 times

Forget about all of firewall rules, vm1 and vm2 is on different subnet and in different address range (/24) how can they connect?
There's no additional information about routing here.
For statement 3 will be Yes because nsg1 and nsg2 doesn't have rule how they connect when in the same subnet, so AllowVnetInBound
will be applied.
So think the answer is No, No, Yes.
upvoted 2 times

Within Vnet, subnets are routed by system route
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
upvoted 2 times
  walkwolf3 3 months, 1 week ago

No,No,Yes
RDP traffic from Internet to VM

Internet->subnet inbound NSG->VM inbound NSG->VM
RDP traffic between VMs

VM1->VM1 outbound NSG->VM2 inbound NSG->VM2
No - traffic is blocked on VM1 inbound NSG

No - traffic is blocked on subnet inbound NSG
Yes - traffic is allowed from both VM1 outbound NSG and VM2 inbound NSG
upvoted 2 times
  techni 2 months, 3 weeks ago

The subnet inbound rule has an "ALLOW" policy
upvoted 1 times
  Timock 3 months, 2 weeks ago

Box 1: No -
NSG2 for VM1 on the NIC card blocks anything from 10.10.2.5 which is the address for VM2. Although NSG1 on Subnet1 has an allow
action for anything coming from 10.10.2.0/24 when you have an allow and a deny... the deny will always trump allow. Denied.
Box 2: Yes -
VM2 is on Subnet2. VM2 NIC and Subnet2 have no rules for incoming traffic so the connection is allowed.
Box 3: Yes -
VM3 is on Subnet2 and has no NSG attached. And there are no NSGs on the NIC card either. Therefore, the traffic is allowed.
Note: Traffic is allowed by default when creating subnets.
upvoted 2 times

No, Yes, Yes.
upvoted 1 times

Answer is incorrect.
- 101: denies VM2 from connecting to VM1. Outbound traffic. Answer is: NO
- 125: Although VM2 can't connect to VM1 because of NSG2 rule 125, there is no rule that stops VM1 from connecting to VM2(Inbound vs
Outbound rules). The answer is: Yes
- VM2 & VM3 are on the same subnet and there are no rules that specifically restrict this connection. Answer is Yes.
No, Yes, Yes
upvoted 1 times
  mwhooo 5 months, 3 weeks ago

No, Yes, Yes. Reason : VM2 is not allowed to communicate to VM1 because there is a NSG2 that blocks that specific traffic.
upvoted 1 times
Question #5 Topic 5
HOTSPOT -
Subscription1 contains the virtual machines in the following table:
Subscription1 contains a virtual network named VNet1 that has the subnets in the following table:
VM3 has multiple network adapters, including a network adapter named NIC3. IP forwarding is enabled on NIC3. Routing is enabled on VM3.
You create a route table named RT1 that contains the routes in the following table:
You apply RT1 to Subnet1 and Subnet2.

Hot Area:
Correct Answer:
IP forwarding enables the virtual machine a network interface is attached to:

✑ Receive network traffic not destined for one of the IP addresses assigned to any of the IP configurations assigned to the network interface.
✑ Send network traffic with a different source IP address than the one assigned to one of a network interface's IP configurations.
The setting must be enabled for every network interface that is attached to the virtual machine that receives traffic that the virtual machine
needs to forward. A virtual machine can forward traffic whether it has multiple network interfaces or a single network interface attached to it.
Box 1: Yes -
The routing table allows connections from VM3 to VM1 and VM2. And as IP forwarding is enabled on VM3, VM3 can connect to VM1.
Box 2: No -
VM3, which has IP forwarding, must be turned on, in order for VM2 to connect to VM1.
Box 3: Yes -
The routing table allows connections from VM1 and VM2 to VM3. IP forwarding on VM3 allows VM1 to connect to VM2 via VM3.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview https://www.quora.com/What-is-IP-forwarding

Correct Answer:
Box 1: Yes
The routing table allows connections from VM3 to VM1 and VM2. And as IP forwarding is enabled on VM3, VM3 can connect to VM1.
Box 2: No
VM3, which has IP forwarding, must be turned on, in order for VM2 to connect to VM1.
Box 3: Yes
The routing table allows connections from VM1 and VM2 to VM3. IP forwarding on VM3 allows VM1 to connect to VM2 via VM3.
upvoted 68 times
  nzalex1 3 months, 4 weeks ago

Box 1 explanation is confusing (but right). Not sure what routing has to do with VM3 communicating to VM2? UDR is not enabled for
subnet 3, so it just using system VNET route to talk to subnet 1 and 2.
So routing table in Box 1 has nothing to do with ability of VM3 to talk to VM1 and VM2. It just can talk.
upvoted 4 times

IP forwarding enables the virtual machine a network interface is attached to:
✑ Receive network traffic not destined for one of the IP addresses assigned to any of the IP configurations assigned to the network
interface.
✑ Send network traffic with a different source IP address than the one assigned to one of a network interface's IP configurations.
The setting must be enabled for every network interface that is attached to the virtual machine that receives traffic that the virtual
machine needs to forward. A virtual machine can forward traffic whether it has multiple network interfaces or a single network
interface attached to it.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
https://www.quora.com/What-is-IP-forwarding
upvoted 15 times

Answer is correct. Yes, No, Yes
upvoted 38 times

upvoted 1 times
  ZacAz104 1 month ago

technicaly next hop count is exiting interface or next router interface which none of them clearly defined in this question so i dont think
that vm3 can do any routing in this senario
upvoted 1 times

I think all the answers are correct, although personally, if the goal was to only get all the subnets to communicate, then all this effort is not
required since all 3 subnets are in the same VNet.
upvoted 2 times
  Omniglass 2 months, 1 week ago

VM3 could be a firewall device with packet inspection
upvoted 2 times
  SomeGreyBloke 3 months ago

These questions are so stupid
upvoted 4 times

(Correcting my previous post - Additional.)
The RT1 configuration redirects all traffic from subnet1 & subnet2 to the virtual appliance which is VM3. If VM3 is down, traffic between
VM1 & VM2 is not possible.
You may argue that when the VM3 is off then RT1 becomes invalid, but that's an error as VM3 has IP forwarding.
Answer is Y, N, *Y
upvoted 1 times

Once IP forwarding is enabled the machine essentially becomes a router. All traffic will be routed through this device.
upvoted 1 times

(Correcting my previous post.)
Answer is Y, N, *Y
upvoted 1 times
  MJ45 2 months, 2 weeks ago

Why do you always do this? Comment on every question, find out you are wrong, then comment again on your initial comment. You
really don't have to comment on anything at all if you're not sure.
upvoted 5 times

Wrong answer:
Answer is Y, N, N
upvoted 1 times

Sorry, my answer above should read Y, N, *Y. The answer is correct.
upvoted 1 times
  Harri 7 months, 2 weeks ago

Box 1 : Yes
Box 2 : No
No need to explain above 2 box But for
Box 3 : No
Coz RT1 is attached to both subnet i.e. subnet 1 and 2, which says any traffic will receive on VM2 will directly route to VM3 which is ideally
virtual appliance.
upvoted 2 times
  Didib 7 months, 3 weeks ago

Tested in the lab, and VM1 cannot reach VM2.
upvoted 1 times
  Didib 8 months ago

For Box 3, are we also assuming there is an RT on VM1 that has a route to VM2 with VM3 as the gateway? Because otherwise how will VM3
know where to forward the traffic to VM2 if it doesn't get the destination IP in the packet that receives from VM1?
upvoted 2 times
  ronny20be 7 months, 3 weeks ago

The RT is applied to Subnet1 and Subnet2.
upvoted 2 times

Answer is correct. Y, N, Y. Initially I got tricked with the question and thought Y, N, N (incorrect), reason being I thought VM3 was still "off"
from box 2. Be mentally alert :) being tired makes you fall for mental tricks.
upvoted 3 times
  rrobb 11 months ago

We must ASSUME that the other 2 NICs of VM3 are in subnet1 and subnet2?
Weird
upvoted 4 times
  Tranquillo1811 8 months, 1 week ago

No matter to which subnet the other two NICs of VM3 are connected to: Since VM3 is in the same VNET as VM1 and VM2, VM3 can
connect to both VM1 and VM2...
upvoted 1 times
  jackr76 8 months, 3 weeks ago

Yes, it is not given that VM3 is connected to SN1 and S2. And if not so, the is no route from VM3 to VM1 or VM2 because the vNET will
route it back ti itself, VM3... so the answers cannot be correct based on the given.
upvoted 1 times
  OMSLOve 11 months, 1 week ago

sorry Yes N Yes
upvoted 2 times
  OMSLOve 11 months, 1 week ago

It is Yes yes and Yes
upvoted 5 times

in 09-03-21
upvoted 3 times
Question #6 Topic 5
Your on-premises network contains an SMB share named Share1.

You have an Azure subscription that contains the following resources:
✑ A web app named webapp1
✑ A virtual network named VNET1
You need to ensure that webapp1 can connect to Share1.
What should you deploy?
A. an Azure Application Gateway
B. an Azure Active Directory (Azure AD) Application Proxy
C. an Azure Virtual Network Gateway
Correct Answer: C
A Site-to-Site VPN gateway connection can be used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1
or IKEv2) VPN tunnel.
This type of connection requires a VPN device, a VPN gateway, located on-premises that has an externally facing public IP address assigned to
it.
Incorrect Answers:
B: Application Proxy is a feature of Azure AD that enables users to access on-premises web applications from a remote client.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

C (100%)

Correct Answer: C
A Site-to-Site VPN gateway connection can be used to connect your on-premises network to an Azure virtual network over an IPsec/IKE
(IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device, a VPN gateway, located on-premises that has an externally
facing public IP address assigned to it.
A: Application Gateway is for http, https and Websocket - Not SMB

B: Application Proxy is also for accessing web applications on-prem - Not SMB. Application Proxy is a feature of Azure AD that enables
users to access on-premises web applications from a remote client.
Reference:
upvoted 36 times
  Wizard69 Highly Voted  11 months, 2 weeks ago

With the answers that we have:
Application Gateway is for http, https and Websocket - Not SMB
Application Proxy is also for accessing web applications on-prem - Not SMB
So the only answer can be VPN Gateway
upvoted 33 times

Selected Answer: C
C is correct.
To achieve the goal, the web app needs to integrate with Vnet so that web app can get an IP from vnet.
https://docs.microsoft.com/en-us/azure/app-service/overview-vnet-integration
upvoted 1 times

upvoted 4 times

upvoted 5 times

C is correct
upvoted 3 times
  PektoTheGreat 11 months, 4 weeks ago

Keyword is "On-Premise" so the answer is C. VNG. Isn't it amazing? ^_^
upvoted 4 times

Answer C. is correct, you need a Virtual Network Gateway to create a site-to-site VPN connection to on-prem
upvoted 3 times

Answer is correct. "C" Virtual Network Gateway"
upvoted 13 times
  Lbaz 1 year, 4 months ago

sorry did't understand well, answer is C or A??
upvoted 2 times
  finolweb 1 year, 1 month ago

Azure Application Gateway gives you application-level routing and load balancing services that let you build a scalable and highly-
available web front end in Azure.
upvoted 2 times
  kvnpri 1 year, 4 months ago

Answer is C Virtual Network gateway
upvoted 11 times
  KarthikExams 1 year, 4 months ago

YES - VNG
upvoted 6 times
  B1T3X 1 year, 6 months ago

A bit partial explanation in my opinion since in order to make this work you would also need to create a local network gateway for the site-
to-site VPN.
upvoted 10 times
  dan7777 1 year, 6 months ago

The explanation just confuse me, this is a point-to-site conection right?
upvoted 4 times
  JasonYang696 1 year, 6 months ago

site-to-site
upvoted 10 times
Question #7 Topic 5
Manager template.
A. the Publish-AzVMDscConfiguration cmdlet
B. Azure Application Insights
C. Azure Custom Script Extension
D. the New-AzConfigurationAssignement cmdlet
Correct Answer: C
Note:
✑ Deployment Center in Azure App Service
✑ a Microsoft Intune device configuration profile
Reference:

C (80%) A (20%)

Correct Answer: C
upvoted 46 times

Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-overview
https://docs.microsoft.com/en-us/samples/mspnp/samples/azure-well-architected-framework-sample-state-configuration
upvoted 6 times

upvoted 14 times
  elmertar Most Recent  3 weeks, 1 day ago

Selected Answer: C
upvoted 1 times

support the correct answer "C"
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows
upvoted 1 times

Selected Answer: C
The Publish-DscConfiguration cmdlet publishes a Windows PowerShell Desired State Configuration (DSC) configuration document on set
of computers. This cmdlet does not apply the configuration. Configurations are applied by either the Start-DscConfiguration cmdlet when
it is used with the UseExisting parameter or when the DSC engine runs its consistency cycle.
https://docs.microsoft.com/en-us/powershell/module/psdesiredstateconfiguration/publish-dscconfiguration?view=dsc-1.1
upvoted 1 times
  deltarj 1 month ago

Selected Answer: C
I will go with ans C.
upvoted 1 times
  deltarj 1 month ago

if no DSC is offered than it is azCSE... right? (see Q59T4 and Q74T4)
upvoted 1 times
  johnseong97 1 month ago

Selected Answer: C
Correct Answer: C
upvoted 1 times

Selected Answer: A
Publish-AzVMDscConfiguration cmdlet
upvoted 1 times
  brunomd 2 months, 2 weeks ago

Correct is C.
I thought that the correct was A, but does not, because of this:
"The Publish-AzVMDscConfiguration cmdlet uploads a Desired State Configuration (DSC) script to Azure blob storage, which later can be
applied to Azure virtual machines using the Set-AzVMDscExtension cmdlet."
upvoted 1 times
  mdmdmdmd 5 months, 2 weeks ago

This question is in the wrong topic, should be topic 3 "Deploy and manage Azure compute resources". It's also repeated in some form
there.
upvoted 1 times

pretty sure this question was already asked.
upvoted 1 times
  hessine 6 months, 2 weeks ago

upvoted 1 times

Answer C. is correct. With an Azure Custom Script extension you can push the NGINX installation after VMs are created using the Resource
manager template.
upvoted 6 times

Answer C. is correct. With an Azure Custom Script extension you can push the NGINX installation after VMs are created using the Resource
manager template.
upvoted 5 times

Answer is correct "C"
upvoted 6 times

I think its the Custom Script Extension because it is Resource Mnaager templates. No mention of DSC in the question, also possible to
install NGINX via DSC.
upvoted 5 times
Question #8 Topic 5
HOTSPOT -
You have an Azure subscription named Sub1.
You plan to deploy a multi-tiered application that will contain the tiers shown in the following table.
You need to recommend a networking solution to meet the following requirements:

✑ Ensure that communication between the web servers and the business logic tier spreads equally across the virtual machines.
✑ Protect the web servers from SQL injection attacks.
Which Azure resource should you recommend for each requirement? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: an internal load balancer

Azure Internal Load Balancer (ILB) provides network load balancing between virtual machines that reside inside a cloud service or a virtual
network with a regional scope.
Box 2: an application gateway that uses the WAF tier
Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common
exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities.
Reference:
https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview

Answer is correct.
- Internal Load Balancer. check the example in https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
- Application gateway which uses WAF tier.
upvoted 52 times

Correct Answer:
Box 1: an internal load balancer

Azure Internal Load Balancer (ILB) provides network load balancing between virtual machines that reside inside a cloud service or a virtual
network with a regional scope.
Box 2: an application gateway that uses the WAF tier

Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from
common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known
vulnerabilities. Application gateway which uses WAF tier.
upvoted 45 times

vulnerabilities. SQL injection and cross-site scripting are among the most common attacks
upvoted 2 times

upvoted 2 times

Correct answer:
- Internal Load Balancer
- Application gateway which uses WAF tier
upvoted 8 times

This one is super tough. I have not worked with Logic Apps that much, so I had to do some research here. But it's pretty interesting.
upvoted 1 times

correct answer
upvoted 1 times

upvoted 5 times
  inemumoren 7 months, 3 weeks ago

Answer is correct.
An internal load balancer to spread the traffic and
an application gateway with WAF tier to prevent malicious attacks.
upvoted 1 times

Always nice to see a straight forward question
upvoted 4 times

upvoted 4 times
  3abmula 9 months, 1 week ago

Might be a correct answer, but to the wrong question :D
upvoted 9 times
  Santy7 6 months, 2 weeks ago

ha ha ha
upvoted 1 times
  AlexLiourtas 10 months, 3 weeks ago

what the...?
upvoted 4 times

Answer is correct.
- Application gateway which uses WAF tier.
upvoted 3 times

Answers and explanations are correct.
upvoted 2 times

Both answers are correct as I see it.
Source : https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview
vulnerabilities. SQL injection and cross-site scripting are among the most common attack
upvoted 4 times
  asaz 1 year, 1 month ago

First answer is not correct. This should be public load balancer.
Internal load balancer can be applied between the business layer and the database layer.
upvoted 3 times

If the traffic towards the web servers came from public - then yes.
But reading this : "Ensure that communication between the web servers and the business logic tier spreads equally across the virtual
machines."
I believe that the traffic comes from a business logic app inside azure - thats why a internal load balancer is correct.
upvoted 3 times

upvoted 2 times
  aither_ether 1 year, 2 months ago

I think this answer is correct, but what about?
upvoted 3 times

Agree answer is correct.
upvoted 8 times
Question #9 Topic 5
Your company has three offices. The offices are located in Miami, Los Angeles, and New York. Each office contains datacenter.
You have an Azure subscription that contains resources in the East US and West US Azure regions. Each region contains a virtual network. The
virtual networks are peered.
You need to connect the datacenters to the subscription. The solution must minimize network latency between the datacenters.
What should you create?
A. three Azure Application Gateways and one On-premises data gateway
B. three virtual hubs and one virtual WAN
C. three virtual WANs and one virtual hub
D. three On-premises data gateways and one Azure Application Gateway
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about

B (100%)
  zeal0 Highly Voted  1 year, 5 months ago

They're all wrong because the question says there are 2 Azure regions, and the below documentation says each region only has a single
hub... Should be 2 hubs and one WAN.
"Hub: A virtual hub is a Microsoft-managed virtual network. The hub contains various service endpoints to enable connectivity. From your
on-premises network (vpnsite), you can connect to a VPN Gateway inside the virtual hub, connect ExpressRoute circuits to a virtual hub, or
even connect mobile users to a Point-to-site gateway in the virtual hub. The hub is the core of your network in a region. There can only be
one hub per Azure region."
upvoted 35 times

The link in you answer has the answer "Multiple virtual hubs can be created in the same region.", so 1 wan, 3 hub is correct (answer B).
Obviously to create minimal latency, you are likely to want the 3rd hub in a close proximity to the 3rd region....
upvoted 1 times

I don't agree you are talking about the best design, but nothing prevents you from having only one hub to connect different vNETs in
different regions I assume. I couldn't find any restriction on the region level in the URL sent.
"VNets connect to a virtual hub via a virtual network connection. Transit connectivity between the VNets in Standard Virtual WAN is
enabled due to the presence of a router in every virtual hub."
hence the provided answer is right => one hub and 3 virtual WAN
upvoted 1 times

Agree. In the link below there is a very good architecture that shows almost the same example as in the question, and we can see 1
virtual WAN and 2 hubs:
https://docs.microsoft.com/en-us/azure/virtual-wan/migrate-from-hub-spoke-topology#architecture
The closest answer would be 'B', 3 hubs and 1 WAN. Even if we don´t have 3 regions being used, we can still create 3 hubs in 3 different
regions.
upvoted 10 times
  bosnianserb 4 months, 3 weeks ago

Hub: A virtual hub is a Microsoft-managed virtual network. The hub contains various service endpoints to enable connectivity. From
your on-premises network (vpnsite), you can connect to a VPN Gateway inside the virtual hub, connect ExpressRoute circuits to a virtual
hub, or even connect mobile users to a Point-to-site gateway in the virtual hub. The hub is the core of your network in a region.
Multiple virtual hubs can be created in the same region.
Multiple virtual hubs can be created in the same region.!!!

upvoted 4 times
  thetrooper84 Highly Voted  1 year, 4 months ago

This is th definition of Hub from this link https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about , and it is defined as:
Hub: A virtual hub is a Microsoft-managed virtual network. The hub contains various service endpoints to enable connectivity. From your
even connect mobile users to a Point-to-site gateway in the virtual hub. The hub is the core of your network in a region. There can only be
one hub per Azure region.
Since we have just two region, it may be impossible to have 3 hubs.

So the right answer should be 'C' as hilighted in the examtopics answer
upvoted 27 times

Hub: A virtual hub is a Microsoft-managed virtual network. The hub contains various service endpoints to enable connectivity. From
your on-premises network (vpnsite), you can connect to a VPN Gateway inside the virtual hub, connect ExpressRoute circuits to a virtual
hub, or even connect mobile users to a Point-to-site gateway in the virtual hub. The hub is the core of your network in a region.
I think the link has updated, you can have multiple hubs in the same regions.
upvoted 3 times
  Mozbius_ Most Recent  1 week, 1 day ago

Answer is 1000% B (Please read below with references)
* We have 3 ON-PREMISE locations.

* 1 SUBSCRIPTION covering 2 REGIONS east-us & west-us GLOBALY PEERED
NOTE1: Even though it is typical for one region to have one virtual hub it isn't a requirement as hinted here:
[...] [if the Virtual WAN Hubs are in the same region.]
https://docs.microsoft.com/en-us/azure/virtual-wan/how-to-routing-policies
NOTE2: A WAN is a security delineation hence why you will typically want to have one wan.
Watch the following for clarification (starting at 5:27)
https://youtu.be/f-GyAURZWzg?t=327
NOTE3: When multiple hubs are enabled in a single virtual WAN, the hubs are automatically interconnected via hub-to-hub links, thus
enabling global connectivity between branches and Vnets that are distributed across multiple regions.
https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-global-transit-network-architecture
Hence why the answer is out of any doubt B.

upvoted 1 times

[You can also have multiple virtual hubs per region, which means you can connect more than 1,000 branches to a single Azure Region
by deploying multiple Virtual WAN hubs in that Azure Region, each with its own Site-to-site VPN gateway.]
https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-faq#:~:text=A%20connection%20is%20an%20active-
active%20tunnel%20from%20the,Region%2C%20each%20with%20its%20own%20Site-to-site%20VPN%20gateway.
upvoted 1 times

On exam 01.02.22
upvoted 2 times
  AM0_123 1 month, 2 weeks ago

Ans should be B
upvoted 1 times

The meaning of virtual hub has been updated to "Multiple virtual hubs can be created in the same region". So the answer is B
upvoted 2 times
  jessemac 2 months, 3 weeks ago

Selected Answer: B
B is correct, according to the latest Virtual Hub doc in
Hub: A virtual hub is a Microsoft-managed virtual network. The hub contains various service endpoints to enable connectivity. From your
even connect mobile users to a Point-to-site gateway in the virtual hub. The hub is the core of your network in a region. Multiple virtual
hubs can be created in the same region.
Doc changed! now on 20211126!
upvoted 9 times

Was on exam dated 15/11/2021
upvoted 1 times

From Microsoft: " Virtual WAN resources are isolated from each other and cannot contain a common hub. Virtual hubs across Virtual WAN
do not communicate with each other."
Multiple virtual WAN's cannot share 1 hub.

upvoted 1 times

This question is terrible. There are many Microsoft documentation pages that use the word hub and wan interchangeably. Its no wonder
there is so much confusion.
upvoted 4 times

upvoted 2 times
  Kizz 3 months, 2 weeks ago

then which is the correct answer?
upvoted 2 times

B without a doubt.
upvoted 1 times

B. three virtual hubs and one virtual WAN is closest
upvoted 2 times

(Correcting my previous answer)
This question was designed to confuse people. And the proposed answer is probably inaccurate. I think the best answer got to be B
Because a virtual Hub is actually called vWan. This is the part that you connect to your on-Prems branches. You can connect up to 1000
branches to a Hub but these branches are in different regions. So 1 per region.
Technically, you need

- 1 SD-Wan/VPN or Virtual WAN to connect to your peered subnets. This is what they are referring to as Virtual WANs.
- 3 vWan(Hub) to connect to Azure Virtual network. You can connect up to 1000 branches per virtual hub. But these branches are in
different regions; so we need 3.
Answer is B
upvoted 3 times

This question was designed to confuse people. Because a virtual actually called vWan.

- 3SD-Wan/VPN or Virtual WAN to connect to on-Prems. This is what they are referring to as virtual WANs.
- 1 vWan(Hub) to connect to Azure Virtual network. You can connect up to 1000 branches per virtual hub.
upvoted 1 times

Correction.
This question was designed to confuse people. And the proposed answer is probably inaccurate. I think the best answer got to be B
Because a virtual Hub is actually called vWan. This is the part that you connect to your on-Prems branches. You can connect up to 1000
branches to a Hub but these branches are in different regions. So 1 per region.

- 1 SD-Wan/VPN or Virtual WAN to connect to your peered subnets. This is what they are referring to as Virtual WANs.
- 3 vWan(Hub) to connect to Azure Virtual network. You can connect up to 1000 branches per virtual hub. But these branches are in
different regions; so we need 3.
Answer is B
upvoted 1 times

We exclude A and D because the Application Gateways have nothing to do with this requirement. Azure Application Gateway is a web
traffic load balancer that enables you to manage traffic to your web applications. So, we have to use Azure Virtual WAN. You will likely
implement the solution as shown below.
1) Create a virtual WAN.

2) Create 3 hubs - one each for the Azure region that covers Miami, Los Angeles, and New York. For each hub, specify site-to-site VPN
gateway.
3) Create 3 VPN sites. Sites correspond to your physical locations - Miami, Los Angeles, and New York.
4) Connect VPN sites to the respective virtual hubs. E.g. The New York VPN site will be connected to the eastus hub.
5) Finally connect your VNET to the hub that falls in the same region. The VNET in eastus location will be connected to the eastus hub.
So you need 3 hubs and 1 virtual WAN. I am assuming that Miami is not in eastus region and is probably served by another region.
upvoted 3 times

"The hub is the core of your network in a region. Multiple virtual hubs can be created in the same region."
upvoted 1 times

Yes, one WAN and multiple hubs for each location (3). Moreover multiple hubs can be created for each services even for same location.
I also tested and it allows to create multiple hubs for same region. I go with answer B.
upvoted 1 times
  neemz 7 months, 3 weeks ago

Its super clear the answer is B. See the diagram in this link. There is only one Virtual-WAN which connects different VNets and Branches
(hubs).
Also see in the link the definition of WAN and HUB. its crystal clear.
upvoted 8 times

Agreed. Also the following website contains even better diagram of virtual WAN topology.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-wan/migrate-from-hub-spoke-topology
upvoted 1 times

The closest to the real life scenario answer is B, but we have to have only 2 HUB`s, as we can have only one HUB per region, and
here we have 2 regions (although we have 3 branches, it doesn`t matter. Miami and NY can be linked to the East US region HUB and
LA to the West US HUB)
upvoted 1 times

Hm, just tested it, you can create 2 HUB`s in one region, so answer is definitely B.
upvoted 1 times

this makes most sense
upvoted 1 times
HOTSPOT -
You plan to deploy five virtual machines to a virtual network subnet.
Each virtual machine will have a public IP address and a private IP address.
Each virtual machine requires the same inbound and outbound security rules.
What is the minimum number of network interfaces and network security groups that you require? To answer, select the appropriate options in the
answer area.
Hot Area:
Correct Answer:
Box 1: 5 -
A public and a private IP address can be assigned to a single network interface.
Box 2: 1 -
You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. The same
network security group can be associated to as many subnets and network interfaces as you choose.
Reference:

Answer should be : 5 Network interfaces and 1 Network security group
upvoted 60 times

Box 1: 5
A public and a private IP address can be assigned to a single network interface.
By default a NIC is associated to one IP address. Anyway nothing prevents a NIC to have MORE THAN ONE IP address. So to the VM's NIC,
you can associate the public and the private IP at the same time. You are not forced to have one NIC for the public IP and one NIC for the
private IP.
Box 2: 1
You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. The
same network security group can be associated to as many subnets and network interfaces as you choose.
Reference:
upvoted 30 times
  ChrisCheck Most Recent  3 months ago

upvoted 1 times

upvoted 1 times

Answers correct. Ques was in exam today.
upvoted 4 times
  KenDo 9 months, 1 week ago

This is more of an English test than a technical question!
upvoted 3 times
  aboelnaga 9 months, 3 weeks ago

the answer should be 10 Network interfaces and 1 network security group
upvoted 1 times

Lol...where do you get the amount of 10 NI's from?
upvoted 1 times
  ASIMIS 7 months, 4 weeks ago

With all due respect, Please stop giving answers for the sake of posting on the chat, you are misleading people to fail. You clearly just
guessed without even research or testing it yourself. Its better to keep quiet, and I dont mean this out of dis but please respect peoples
time and stop posting just for fun.
upvoted 4 times

You can test deploy a VM with both private and public IP address and you'll figure that out. It only requires 1 NIC to have private and
public IP address.
upvoted 1 times
  ZetaZeti 10 months, 3 weeks ago

5-1
By default a NIC is associated to one IP address. Anyway nothing prevents a NIC to have MORE THAN ONE IP address. So to the VM's NIC,
you can associate the public and the private IP at the same time. You are not forced to have one NIC for the public IP and one NIC for the
private IP. So 5 NICs.
https://www.loadtestingtool.com/help/how-setup-ip.shtml
Since the five VMs require the same rules you can define just one NSG and apply that SAME NSG to the 5 NICs. So 1 NSG.
upvoted 4 times

Are these guys purposely higlithing the incorrect answers??
upvoted 5 times

This is exactly what i mean. People have nothing better to do, its very childish and selfish. This is meant to help people not to confuse
and mislead.
upvoted 1 times

5 NIC
1 NSG
upvoted 3 times

5 NIC
1 NSG
upvoted 4 times

The image uploaded is wrong.jpeg.
I therefore conclude that

a) 5 - since there are 5 VNets.
b) 1 - since there are common inbound/outbound rules.
upvoted 3 times

Aswers should be 5 and 1. Explanation is correct.
upvoted 2 times

5 NICs public IP -> NAT -> private IP.
1 NSG.
upvoted 2 times

The explanation alone contradicts the answer
upvoted 1 times

Seriously! it is 5 you can add public and private per... and 1 NSG should be sufficient. Also this as explained in Whizlab and Udemy. Answer
is 5 and 1
upvoted 2 times
  Gheng 1 year, 1 month ago

This should be 5-NICS. Each NIC has both public and private ip association. NSGs are designed to be reusable so even if you bind the NSG
to each interface, you are only still creating 1 NSG.
Ans: 5-NICs, 1-NSG

upvoted 4 times
LB1 is configured as shown in the following table.
You plan to create new inbound NAT rules that meet the following requirements:
✑ Provide Remote Desktop access to VM1 from the internet by using port 3389.
What should you create on LB1 before you can create the new inbound NAT rules?
A. a frontend IP address
B. a load balancing rule
C. a health probe
D. a backend pool
Correct Answer: A

A (67%) B (33%)
  Mercator Highly Voted  6 months, 2 weeks ago

I think the answer is correct. Key is port 3389 from the internet for both VMs. If we want to connect to two different machines on the same
port we need to have two different frontend IPs for the port forwarding.
upvoted 31 times
  Vlako Highly Voted  7 months, 2 weeks ago

This does not make sense. On existing LB, you can create NAT rule right away. The frontend IP address is already there.
Imho maybe B is right, you need to set the load balancing rule for port 3389.
upvoted 25 times

That is correct. You can follow this link to setup load balancing rule for both VMs. For example, you can use port 33891 for 3389 on VM1
and 33892 for 3389 on VM2. So to RDS to VM1, you can type in public IP of load balancer with port 33891 and it will NAT you to 3389 of
VM1.
link: https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-port-forwarding-portal
upvoted 2 times

Yes, the LB has one public IP assigned, but this is used for the Web-Server (Port 80 is in use), now we are adding a new service on port
3389 which needs a dedicated external IP.
upvoted 1 times
I dont agree, to add "Inbound NAT rule" inside the LB, you just need the rontend IP address and port.
the answer is right.
https://docs.microsoft.com/en-us/azure/load-balancer/components#inbound-nat-rules
upvoted 3 times
  fazedenk 7 months, 2 weeks ago

Wouldn't you need a health probe first before defining a load balancing rule?
upvoted 2 times
  fazedenk 7 months, 2 weeks ago

You can try this out yourself; when creating a new load balancing rule; you have to add a health probe inside the rule. Unless you
are going to re-use the port 80 health probe which doesnt make sense.
upvoted 1 times

I also think the answer is correct, you cannot access each VM via the same port on the same IP, you therefore need a minimum of two IP
addresses, one will NAT to VM1 on TCP:3389, the other will NAT to VM2 on TCP:3389,
upvoted 1 times
  hm67 5 days, 9 hours ago

Tried in lab with both options A and B.
Option A:
After adding new IP, you still need to create new backend pool (for each VM), health check probe and load balancing rule for port 3389 as
well. So you can't just add new IP to make it work.
Option B:
While another options, a load balancing rule, you need to create new backend pool, health probe BUT NOT a frontend IP address. I just
use the same frontend IP address with different port, said 3390 and 3391, and map to two VM backend pools.
Another option is "add inbound NAT rule" but it's not in the answer.
upvoted 1 times
  KotaCoaching 3 days, 16 hours ago

100 % agree with you. This would be in inbound NAT rule but not there . well, we can select as a load balancing rule
upvoted 1 times
  EleChie 2 weeks ago

Answer B: Since we already have a Public IP add (Frontend IP) so we can use same IP and access deafferent services (web, rdp, sql, ...etc)
ex: 8.8.8.100 as an external IP address

So for Web access it will be: https://8.8.8.100:80 & backend poll on port 80
for RDP (remote desktop protocol) will need a rule with
https://8.8.8.100:3389 & backend poll on port 3389
upvoted 1 times
  whinycarebear 2 weeks, 3 days ago

The answer "frontend IP" is correct. For connecting from the internet on the same Port 3389 to both VMs (via the load balancer), the
differentiation between VMs must come from the IPs.
What confused me was that NAT is to save on public IPs by having different ports (public ports, say 50001 and 50002) map to the private IP
of a VM and the port. So
publicIP_1 50001 -> privateIP_VM1 3389

publicIP_1 50002 -> privateIP_VM2 3389
same public IP, different port -> different private IP, same port
In case of the question NAT and Load balancing are not really needed imho, you might as well just assign the public IPs to the VMs
directly.
upvoted 1 times
  yangxs 3 weeks ago

Selected Answer: A
"What should you create on LB1 before you can create the new inbound NAT ruleS?"
Notice it said ruleS. When you create 2nd rule, you have to have 2nd front IP first to use the same 3389 port
upvoted 1 times
  lateralus 3 weeks, 6 days ago

Tested in LAB. You can create the first inbound NAT rule with the existing frontend IP to forward traffic on port 3389 to the first VM. Then
you can no longer use the same FrontendIP and port combination for the second VM. You get message: "The frontend, protocol and port
combination of each load balancing rule and inbound NAT rule on a load balancer must be unique."
Answer is A
upvoted 4 times

Selected Answer: A
Correct answer: A.
I think it could not be B. Common sense tells me that even if I managed to add a Load Balancing Rule for 3389, the Load Balancer would
try to balance to any of the 2 healthy VMs, but if I want to have Remote Desktop access to VM1, OR (exclusive) to VM2, then I would need
different IPs...
upvoted 1 times

Selected Answer: B
Rule setup.
upvoted 2 times

I think the correct answer is A.
The frontend (aka VIP) is defined by a 3-tuple comprised of an IP address (public or internal), a transport protocol (UDP or TCP), and a port
number from the load balancing rule. For example:
Frontend IP address protocol port

1 65.52.0.1 TCP 80
2 65.52.0.1 TCP 8080
3 65.52.0.1 UDP 80
4 65.52.0.2 TCP 80
Frontends #1, #2 and #3 are a single frontend with multiple rules. The same IP address is used but the port or protocol is different for
each frontend. Frontends #1 and #4 are an example of multiple frontends, where the same frontend protocol and port are reused across
multiple frontends.
The question asks to use RDP to VM1 and VM2 on the same port number, which implies the protocol and port number are the same. As
such you would have to use a different frontend IP. Such as:
Frontend IP address protocol port

1 65.52.0.1 TCP 3389
4 65.52.0.2 TCP 3389
Hence, the correct answer is A
Reference:https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-multivip-overview
upvoted 2 times

Selected Answer: A
This has be to A
Please note the following requirement from the question:
Without adding an extra frontend IP, you cannot forward port 3389 to 2 back-end VMs.
upvoted 2 times

What's more - port forwarding is not load balance, you cannot randomly direct RDP between VM1 and VM2, you have to specify which
VM you want to RDP by frontend IP+port(3389).
FrontendIP1:3389->VM1:3389
FrontendIP2:3389->VM2:3389
If the questions didn't ask by port 3389, then you don't have to add an extra frontend IP, you can do like this:
FrontendIP1:3340-->VM1:3389
FrontEndIP1:3341->VM2:3389
upvoted 1 times
  AKAKAKAK 3 months, 3 weeks ago

In my opinion Answer A is correct. The question needs to have port 3389 to be used for both VM's from the internet. This is not possible
with a single IP. The initial public IP can be used for VM1 Nat rule port 3389/tcp, then another public IP on the frontend will be needed to
allow tcp/3389 towards VM2.
Now, if the question would allow to use lets say port tcp/3389 for VM1 and port tcp/3390 for VM2, then we could get away with using a
single Public IP address on the frontend.
I would go with 'Public IP'.

upvoted 4 times
  Gerd95 4 months ago

I just tested this in Lab.
Creating the first NAT rule is not issue.
But when creating the second NAT rule (on already existing Public IP) and using the same port (as asked in the question) you get an error
pop-p that the frontend, protocol & port combination match up win an existing rule.
So answer is indeed A: you DO NEED an additional Public IP

upvoted 6 times

Passed 11 Oct 2021 with 947. This question appeared, correct Answer is B
upvoted 11 times

A load balancing rule distributes incoming traffic that is sent to a selected IP address and port combination across a group of backend
pool instances. The load balancing rule uses a health probe to determine which backend instances are eligible to receive traffic.
+ add a load balancing rule
An inbound NAT rule forwards incoming traffic sent to a selected IP address and port combination to a specific virtual machine.
+ add an inbound NAT rule
My guess is B
A frontend IP configuration is an IP address used for inbound and/or outbound communication as defined within load balancing, inbound
NAT, and outbound rules.
upvoted 1 times

A. a frontend IP address Is correct.
upvoted 4 times
HOTSPOT -
You have Azure virtual machines that run Windows Server 2019 and are configured as shown in the following table.
You create a private Azure DNS zone named adatum.com. You configure the adatum.com zone to allow auto registration from VNET1.
Which A records will be added to the adatum.com zone for each virtual machine? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
The virtual machines are registered (added) to the private zone as A records pointing to their private IP addresses.
Reference:
https://docs.microsoft.com/en-us/azure/dns/private-dns-overview https://docs.microsoft.com/en-us/azure/dns/private-dns-scenarios

Answer is correct. Private/Private
check https://docs.microsoft.com/en-us/azure/dns/private-dns-scenarios#scenario-split-horizon-functionality
upvoted 37 times
  SScott 11 months ago

That's it, good reference
upvoted 4 times

Correct Answer:
The virtual machines are registered (added) to the private zone as A records pointing to their private IP addresses.
Since both VM1 & VM2 are in same Vnet1 and the Vnet1 is liked under adatum.com domain (Private DNS Zone->Setting->virtual network
links).
Reference:
https://docs.microsoft.com/en-us/azure/dns/private-dns-overview
https://docs.microsoft.com/en-us/azure/dns/private-dns-scenarios
upvoted 29 times

Box 1: Private
Box 2: Private
upvoted 10 times
  khengoolman Most Recent  4 months, 1 week ago

Passed 11 Oct 2021 with 947. This question appeared, correct Answer is private, private.
upvoted 7 times

The question is confusing because VM2 has a different DNS connection suffix. But because they are both part of the VNet1, they'd both be
exposed to the internal DNS zone at 168.63.129.16.
-Private IP for VM1

-Private IP for VM2
upvoted 2 times

01.Private IP Address only
02.Private IP Address only
Since both VM1 & VM2 are in same Vnet1 and the Vnet1 is liked under adatum.com domain (Private DNS Zone->Setting->virtual network
links)
upvoted 6 times

The keyword is "auto-registration from VNET1".
VM1 and VM2 belongs to the same VNET. So upon VM1 and VM2 creation they will be auto registered on adatum Private DNS Zone having
A Record as their Private IPs. Cheeers yo!
upvoted 7 times

Correct, both private addresses since auto registration from VNET1 has been enabled on the Azure Private DNS zone.
upvoted 3 times

Can anyone please explain to me why a VM2 that belongs to contoso.com is registered in adatum.com ?
upvoted 7 times

adatum.com is a private DNS zone which has been 'linked' to VNET1 with autoregistration, therefore, ever VM which resides in VNET1
will have an A name record in adatum.com
upvoted 2 times
  AlexJacobson 9 months ago

OS DNS suffix has no affect on this. Private subnet is applicable to both VM1 and VM2.
upvoted 1 times

Virtual Network named "A" contains two VMs (VNETA-VM1 and VNETA-VM2). Each of these have Private IPs associated. Once you create a
Private Zone named contoso.com and link this virtual network as a Registration virtual network, Azure DNS will automatically create two A
records in the zone as depicted. Now, DNS queries from VNETA-VM1 to resolve VNETA-VM2.contoso.com will receive a DNS response that
contains the Private IP of VNETA-VM2. Furthermore, a Reverse DNS query (PTR) for the Private IP of VNETA-VM1 (10.0.0.1) issued from
VNETA-VM2 will receive a DNS response that contains the name of VNETA-VM1, as expected.
upvoted 4 times

Correct. The domain doesn't matter : "To resolve the records of a private DNS zone from your virtual network, you must link the virtual
network with the zone. Linked virtual networks have full access and can resolve all DNS records published in the private zone. Additionally,
you can also enable autoregistration on a virtual network link. If you enable autoregistration on a virtual network link, the DNS records for
the virtual machines on that virtual network are registered in the private zone. When autoregistration is enabled, Azure DNS also updates
the zone records whenever a virtual machine is created, changes its' IP address, or is deleted." -> https://docs.microsoft.com/en-
us/azure/dns/private-dns-overview
upvoted 4 times

Correct Answer is:
VM1: Private IP address only
VM2: None (DNS suffix is contoso.com so it will not be registered)
upvoted 2 times

Sorry, tested it. Correct answer is the provided one: Private, Private.
upvoted 10 times

correct verification
upvoted 2 times
  JulienYork 1 year, 2 months ago

Correct,
OS DNS suffix has no affect on this.
Both prv ips will be listed on internal dns zone.
upvoted 12 times

Right the private subnet is applicable for both VMs
upvoted 1 times
  ihavespoken 1 year, 2 months ago

correct answer but a bit more explanation: It is VM1 and VM2 auto registered only because that was configure in the private zone ( as
mentioned in question). If it was not configure, then answer for both would have been none.
upvoted 4 times
HOTSPOT -
You have an Azure virtual network named VNet1 that connects to your on-premises network by using a site-to-site VPN. VNet1 contains one
subnet named
Sunet1.
Subnet1 is associated to a network security group (NSG) named NSG1. Subnet1 contains a basic internal load balancer named ILB1. ILB1 has
three Azure virtual machines in the backend pool.
You need to collect data about the IP addresses that connects to ILB1. You must be able to run interactive queries from the Azure portal against
the collected data.
What should you do? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: An Azure Log Analytics workspace

In the Azure portal you can set up a Log Analytics workspace, which is a unique Log Analytics environment with its own data repository, data
sources, and solutions
Box 2: ILB1 -
Reference:
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-quick-create-workspace https://docs.microsoft.com/en-us/azure/load-
balancer/load-balancer-standard-diagnostics

Answer is not correct. The correct answer is
- Create a Log Analytics Workspace
- NSG
As for Internal LB, it is basic one. Basic can only connect to storage account. Also Basic LB has only activity logs which doesn't include the
connectivity workflow. So, we need to use NSG to meet the mentioned requirements.
upvoted 70 times

but you can't enable NSG flow logs with Log Analytics Workspace, you need a storage account.
answer: storage acc and nsg
ref: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal#enable-nsg-flow-log
upvoted 4 times

ignore my previous comment as Traffic Analytics can be integrated with Log Analytics Workspace,,
upvoted 5 times

Basic LB no diagnositcs
https://docs.microsoft.com/en-us/azure/load-balancer/skus
upvoted 2 times
  Alvaroll 1 year, 1 month ago

I think the answer given is correct.
- Azure Log Analytics workspace
- ILB1 (Standard Load Balance)
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-monitor-log
upvoted 3 times
  Alvaroll 1 year, 1 month ago

sorry, it's basic LB
upvoted 4 times

Correct Answer:
Box 1: An Azure Log Analytics workspace

In the Azure portal you can set up a Log Analytics workspace, which is a unique Log Analytics environment with its own data repository,
data sources, and solutions.
Box 2: NSG1
NSG flow logs allow viewing information about ingress and egress IP traffic through a Network security group. Through this, the IP
addresses that connect to the ILB can be monitored when the diagnostics are enabled on a Network Security Group.
We cannot enable diagnostics on an internal load balancer to check for the IP addresses.
As for Internal LB, it is basic one. Basic can only connect to storage account. Also, Basic LB has only activity logs, which doesn't include the
upvoted 63 times

Reference:
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-quick-create-workspace
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-diagnostics
upvoted 8 times
  Akman Most Recent  3 months, 3 weeks ago

I'm tired of entering capcha in every page turn
upvoted 3 times
  nzmike 3 months ago

that's why they have the subscription...
upvoted 4 times
  verifedtomic 3 months ago

Just sign-up for free account. Then you'll have to enter captcha every three or so pages.
upvoted 1 times

Passed 11 Oct 2021 with 947. This question appeared, correct Answer is LAW, NSG
upvoted 9 times

The question states that you must be able to run interactive queries from
the Azure portal against the collected data.
The Azure portal exposes the load balancer metrics via the Metrics page, which is available on both the load balancer resource page for a
particular resource and the Azure Monitor page.
To view the metrics for your Standard Load Balancer resources:

Go to the Metrics page and do either of the following:
On the load balancer resource page, select the metric type in the drop-down list.
On the Azure Monitor page, select the load balancer resource.
Hence my guess is
Log Analytics
ILB1
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-diagnostics
upvoted 1 times

- Create a Log Analytics Workspace
- NSG
upvoted 1 times

Correct. Thank you
upvoted 1 times
  jsexamprep 6 months ago

Box 1: An Azure Storage account. "Flow data is sent to Azure Storage accounts from where you can access it as well as export it to any
visualization tool, SIEM, or IDS of your choice. ... While flow logs target NSGs, they are not displayed the same as the other logs. Flow logs
are stored only within a storage account..."
Box 2: NSG1
See this link for both of the above: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview
Logs can be exported to Traffic Analytics, not to be confused with Azure Log Analytics.
upvoted 2 times
  bacana 7 months ago

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview
upvoted 1 times

in exam 7/3/2021, answered Log Analytics and NSG
upvoted 4 times

Correct answers are:
1.Storage
2. NSG1
Network security group (NSG) flow logs is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing
through an NSG. Flow data is sent to Azure Storage accounts from where you can access it as well as export it to any visualization tool,
SIEM, or IDS of your choice.
upvoted 9 times

upvoted 2 times
  mahdi_hasan 7 months, 3 weeks ago

How many questions common in this site
upvoted 1 times
  G_Y 7 months, 3 weeks ago

@mahdi_hasan Many questions came from this site , I just passed mine today
upvoted 1 times
  Zyo 8 months, 1 week ago

You also need a storage account where the nsg log flow is written to
upvoted 3 times
  sieira 9 months, 1 week ago

The correct answer is:
- Log Analytics Workspace
- NSG1
Basic Load Balances doesn't support metrics
https://stackoverflow.com/questions/65228749/does-basic-load-balancer-monitor-metrics-in-
azure#:~:text=No%2C%20Basic%20Load%20Balancers%20don,security%20and%20health%20tracking%20capabilities.
upvoted 2 times

"Activity logs: You can view all activity being submitted to your Azure subscriptions, along with their status. For more information, see View
activity logs to monitor actions on resources. Activity logs are enabled by default and can be viewed in the Azure portal. These logs are
available for both Azure Basic Load Balancer and Standard Load Balancer."
It says the logs are available for both types of IBLs. Is there something I am missing?
upvoted 1 times

Activity logs are related to the resource and what operations were taken on the resources (add, delete, modify config, etc.). It does not
show connectivity logs, like requests and responses.
upvoted 1 times

An azure log analytics workspace
NSG1
upvoted 3 times

Create a Log Analytics Workspace
- NSG
As for Internal LB, it is basic one. Basic can only connect to storage account. Also Basic LB has only activity logs which doesn't include the
upvoted 3 times
You have the Azure virtual networks shown in the following table.
To which virtual networks can you establish a peering connection from VNet1?
A. VNet2 andVNet3 only
B. VNet2 only
C. VNet3 and VNet4 only
D. VNet2, VNet3, and VNet4
Correct Answer: C
Address spaces must not overlap to enable VNet Peering.
Incorrect Answers:
A, B, D: The address space for VNet2 overlaps with VNet1. We therefore cannot establish a peering between VNet2 and VNet1.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-connect-virtual-networks-portal https://docs.microsoft.com/en-
us/azure/virtual-network/virtual-networks-faq#vnet-peering

C (100%)

Correct Answer: C
VNet1 10.11.0.0/16 = 10.11.0.1 - 10.11.255.255 (overlap VNet2)

VNet3 10.10.0.0/22 = 10.10.0.1 - 10.10.3.254 (no overlap)
VNet4 192.168.16.0/22 = 192.168.16.1 - 192.168.19.254 (no overlap)
Possible peerings are:

VNet1 -> Vnet3
VNet1 -> Vnet4
If a virtual network has address ranges that overlap with another virtual network or on-premises network, the two networks can't be
connected.
upvoted 39 times

Tested, in this context answer is correct. Vnet 2 and Vnet 1 can not be peered and also Vnet 2 and vnet3 or vnet 4 can not be peered.
But tested more and discovered that Vnet1 can make a peering with Vnet 3 and Vnet4. Pay attention if there will be a modification in the
answer. The strange way of Microshit qestions.
upvoted 26 times

"also Vnet 2 and vnet3 or vnet 4 can not be peered." WHY?
upvoted 1 times

ignore
upvoted 1 times

Selected Answer: C
Possible peerings are:
VNet1 -> Vnet3
VNet1 -> Vnet4
upvoted 1 times

FYI: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-constraints
upvoted 1 times

VNet1 -> Vnet3
VNet1 -> Vnet4
upvoted 1 times

upvoted 2 times

how do you work this out without pen and paper?
upvoted 2 times

Correct. Thank you
upvoted 1 times

why not 2,3, and 4, the last option?
upvoted 1 times

VNET 1 and VNET2 have an IP address overlap.
upvoted 1 times

Given that VNET1's subnet is the same space as VNET2's address space, it was an obvious overlap, - and answer C was the only one which
didn't feature VNET2, the answer popped out pretty quickly
upvoted 2 times
  boozy 10 months, 1 week ago

VNet3 10.10.0.0/22 = 10.10.0.1 - 10.10.3.254 (no overlap)
VNet4 192.168.16.0/22 = 192.168.16.1 - 192.168.19.254 (no overlap)
Possible peerings are
VNet1 -> Vnet3
VNet1 -> Vnet4
Correct answer is C
upvoted 9 times
  wesleyzhong 11 months ago

If a virtual network has address ranges that overlap with another virtual network or on-premises network, the two networks can't be
connected. Before you define an address range, consider whether you might want to connect the virtual network to other virtual networks
or on-premises networks in the future. Microsoft recommends configuring virtual network address ranges with private address space or
public address space owned by your organization.
https://docs.microsoft.com/en-us/azure/virtual-network/manage-virtual-network
upvoted 3 times
  ReginaldoBarreto 11 months ago

From VNET1 you can make peering to VNET3 and VNET4
upvoted 3 times

Alright, i did a test with exact IP & subnet and C is correct. VNET1 was successful so when creating VNET2 i got an error below.
Address space '10.11.0.0/17 (10.11.0.0 - 10.11.127.255)' overlaps with address space '10.11.0.0/16 (10.11.0.0 - 10.11.255.255)' of virtual
network 'VNET1_TEST'. Virtual networks with overlapping address space cannot be peered. If you intend to peer these virtual networks,
change address space '10.11.0.0/17 (10.11.0.0 - 10.11.127.255)'
Basically the name space of VNET2 overlaps the space of VNET1 , however you can still continue creating VNET2 but you cannot peer it to
VNET1.
So hate to break it but i changed my answer to C

upvoted 2 times

C is correct
upvoted 2 times

Answer C. is correct. Yo cannot peer with overlapped address space Vnet.
upvoted 3 times

Forget about same region yada yada - its because they overlap, that you cant!
Answer is C.
upvoted 3 times
You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains four subnets named Gateway, Perimeter, NVA, and
Production.
The NVA subnet contains two network virtual appliances (NVAs) that will perform network traffic inspection between the Perimeter subnet and the
Production subnet.
You need to implement an Azure load balancer for the NVAs. The solution must meet the following requirements:
✑ The NVAs must run in an active-active configuration that uses automatic failover.
✑ The load balancer must load balance traffic to two services on the Production subnet. The services have different IP addresses.
A. Deploy a basic load balancer
B. Deploy a standard load balancer
C. Add two load balancing rules that have HA Ports and Floating IP enabled
D. Add two load balancing rules that have HA Ports enabled and Floating IP disabled
E. Add a frontend IP configuration, a backend pool, and a health probe
F. Add a frontend IP configuration, two backend pools, and a health probe
Correct Answer: BCF

A standard load balancer is required for the HA ports.
Two backend pools are needed as there are two services with different IP addresses.
Floating IP rule is used where backend ports are reused.
Incorrect Answers:
E: HA Ports are not available for the basic load balancer.
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-overview https://docs.microsoft.com/en-us/azure/load-
balancer/load-balancer-multivip-overview

BDE (100%)
  xagiter622 Highly Voted  1 year, 3 months ago

The given answer is correct:
B - HA ports need are not supported by a basic loadbalancer
C - You need a floating ip for the active-active configuration to switch over quickly
F - You need 2 backend pools for the 2 different services
upvoted 73 times
  jsexamprep 6 months ago

Correct, this link clears up the HA ports and floating IP being enabled: https://docs.microsoft.com/en-us/azure/load-balancer/load-
balancer-ha-ports-overview
For Floating IP…This configuration does not allow any other load-balancing rule configuration on the current load balancer resource. It
also allows no other internal load balancer resource configuration for the given set of back-end instances.
upvoted 1 times
  tsss 1 year, 3 months ago

F: 1 service are the NVAs. the other service is for backend servers
upvoted 4 times

Why do you say that? It just states 2 services, e.g. web and email
upvoted 2 times

The Answer is not correct. It should be BDE. Why?
- Basically we are just want to load balance the NVM , that's all. So, we will need HA ports for HA and failover. But since we don't want to
balance the services themselves , so we go with disabled IP floating and one backend service for NVM. check
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-ha-ports-overview#a-single-non-floating-ip-non-direct-server-return-
ha-ports-configuration-on-an-internal-standard-load-balancer
However, if we need to also Load Balance the production two services using the same LB, then we would need Floating IP and also
another backend pool for those 2 services. then the answer would be BCF.
But the question here, can LB send balance traffic to those production services. I think it can by using the health probe and some
monitoring to balance the requests sent to IPs.
upvoted 29 times
  Bursuc03 9 months ago

BDE:
B: we need HA -> standard LB
D: we do HA and LB on the two NVAs, not on the services. We don't need Floating IPs, because the NVAs do the actual routing to the
services.
E: only one front-end IP (no need for Floating IPs, then no need for two front end IPs), we have only one backend pool - then we use
only one health probe.
upvoted 3 times

No, take a look at this example: Rule type #2: backend port reuse by using Floating IP, from https://docs.microsoft.com/en-
us/azure/load-balancer/load-balancer-multivip-
overview#:~:text=Azure%20Load%20Balancer%20allows%20you,across%20a%20set%20of%20VMs. It shows 2 rules, one for each
pool/service, (with 2 pools shown) and a floating IP for HA. So clearly BCF. If not, why not, given this is MS example.
upvoted 2 times
  PeterTest 1 year, 1 month ago

The question is clear about that LBs need to be able to failover, so we need to make sure 2 services can still working while only 1 LB is
available which means in the same LB, so BCF?
upvoted 4 times
  noppong 10 months ago

Agree with all your points except it should be BCE. The question requires a SINGLE load balancer to do two functions ( NVAs, and
services). So it must be using HA port with IP floating. The most important part is that all traffic should be inspected by NVAs.
Therefore, it should only have a single backend pool of NVAs , and two load balancing rules including one for NVA, and one for services.
upvoted 4 times

https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-multivip-overview#rule-type-2-backend-port-reuse-by-using-
floating-ip
upvoted 1 times
  MekkX Most Recent  2 weeks, 1 day ago

B,C,E:
A standard load balancer is required for the HA ports.
– Two backend pools are needed as there are two services with different IP addresses.
– Floating IP rule is used where backend ports are reused.

upvoted 1 times
  matt_dns 4 weeks ago

I think it's this scenario here:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-ha-ports-overview#multiple-ha-ports-configurations-on-an-internal-
standard-load-balancer
So from above we need:

B: Standard Load Balancer
C: floating IP because we are re-using ports, we also need two rules as we have two frontend IPs to support the two services
E: a single pool which contains the NVAs, they will forward traffic on to the services after inspection
upvoted 2 times
  durel 2 months ago

the answer is correct. BCF - you need floating IP for active active.
upvoted 1 times

Selected Answer: BDE
I read through all related docs and did a lab(this is why I like examtopics, it forces me to do deep-dive)
1. It should be a standard LB, it seems all support this
2. HA port - if you read the Azure docs about HA port, when the question mentions NVA & active/Acive, or all-ports, you should think about
HA port
3. Floating IP - Floating IP is for port re-use. this question didn't mentioned port-reuse, so we don't have to use floating IP.
4. One LB pool vs Two LB pools? LB pool is a collection of VMs, nothing to do with service & ports, service & ports are defined in LB rules.
So we only need to create one pool for 2 services.
The trick part is probe, each service require one probe, but one probe also works for 2 service(e.g. use Ping as probe).
Summary:
Standard LB, HA port, Floating IP disabled, one LB pool, one or two Probe.
B, D, E
upvoted 9 times

"NVAs must run in an active-active configuration" means that no floating IP required. Floating IP is cluster IP which presented to clients in
active-passive configuration, like it is in Windows file or SQL server clusters.
How do you do active-active if you have one IP sitting in front, which server to redirect?
So it is D, not C.
upvoted 1 times
  JirkaM 4 months, 2 weeks ago

Eh , again question where the topic is not about the design but about understanding. Where is input and output of the LB? Reading
several times and not clear for me whether i should balance NVA or Production , diagram can help
upvoted 1 times

upvoted 2 times

I'm still not clear why HAports should be used even I read "The NVA subnet contains two network virtual appliances (NVAs) that will
perform network traffic inspection between the Perimeter subnet and the Production subnet." So basically all ports in the traffic must be
check by NVAs.
upvoted 1 times

BCE
B - HA ports are not supported by basic sku
C - "Some application scenarios prefer or require the same port to be used by multiple application instances on a single VM in the backend
pool. Common examples of port reuse include clustering for high availability, network virtual appliances, and exposing multiple TLS
endpoints without re-encryption. If you want to reuse the backend port across multiple rules, you must enable Floating IP in the rule
definition."
E - A single backend pool is needed for the NVAS only. The services can't be in the backend pool it is only for VMs. The services are the
destination of the load balancing. There are two services with two different IP Addresses so we need two load balancing rules. Only one
backend pool.
upvoted 2 times

Correct. Thank you
upvoted 2 times

I was checking and trying to figure it out, and at the end I found this video, which kind of explains, what should happen:
https://www.youtube.com/watch?v=LrshfXfz29Y
The only thing I don`t understand is why we need to have two backend pools. To set every NVA in a single backend pool? The services are
not concerned here, as they will be contacted after the NVA inspection is done, but their IP addresses are different, so we will have to have
the Floating IP in order to use the active - active scenario for the NVA`s,
upvoted 1 times
  Xjoe 6 months, 3 weeks ago

The given answer is correct:
B-HA ports is for NVA and are not supported by basic LB.
C-You need a floating IP for backend port reuse.
F- You need 2 backend pools, one for NVA, one for production services.
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-ha-ports-overview
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-multivip-overview
upvoted 1 times
  qyy 6 months, 4 weeks ago

B, C, E
Two services have different (public) IP addresses. Check the following section.
Multiple HA-ports configurations on an internal Standard Load Balancer

If your scenario requires that you configure more than one HA port front end for the same back-end pool, you can do the following:
- Configure more than one front-end private IP address for a single internal Standard Load Balancer resource.
- Configure multiple load-balancing rules, where each rule has a single unique front-end IP address selected.
- Select the HA ports option, and then set Floating IP to Enabled for all the load-balancing rules.
upvoted 1 times

BCE you need to configure more than one front-end private IP address for a single internal Standard Load Balancer resource
upvoted 1 times

This question is one of those trick questions IMHO. Easier than how it reads. You can instantly eliminate D and E. I had for gotten the
difference between basic and standard load balancer as I thought a basic will be enough (I was wrong). Answer is B, C, F
upvoted 1 times
You have an Azure subscription named Subscription1 that contains two Azure virtual networks named VNet1 and VNet2. VNet1 contains a VPN
gateway named
VPNGW1 that uses static routing. There is a site-to-site VPN connection between your on-premises network and VNet1.
On a computer named Client1 that runs Windows 10, you configure a point-to-site VPN connection to VNet1.
You configure virtual network peering between VNet1 and VNet2. You verify that you can connect to VNet2 from the on-premises network. Client1
is unable to connect to VNet2.
You need to ensure that you can connect Client1 to VNet2.
What should you do?
A. Download and re-install the VPN client configuration package on Client1.
B. Select Allow gateway transit on VNet1.
C. Select Allow gateway transit on VNet2.
D. Enable BGP on VPNGW1
Correct Answer: A
Reference:
  Coldriver Highly Voted  1 year, 6 months ago

"If you make a change to the topology of your network and have Windows VPN clients, the VPN client package for Windows clients must
be downloaded and installed again"
I would go with À` is the correct option as the S2S config has been changed AFTER the P2S client installation was performed. Installation
of the client software package needs installing again post S2S config changes.
upvoted 70 times
  bleepbl0p 1 year, 2 months ago

100% correct. https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing
upvoted 4 times
  Sacs 1 year, 4 months ago

I agree, This is the exact verbiage from Microsoft: If you make a change to the topology of your network and have Windows VPN
clients, the VPN client package for Windows clients must be downloaded and installed again in order for the changes to be applied to
the client.
upvoted 6 times
  Bl4ck 1 year, 6 months ago

I think this is correct: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing#multipeered
upvoted 5 times

Correct Answer: A
downloaded and installed again.
Reference:
upvoted 25 times

Answer is correct. The VPN client on the PC is no longer valid because the network topology has changed
upvoted 3 times
  Adebowale 6 months, 1 week ago

100% correct
upvoted 1 times

"A" is the correct answer. The trick here is "You verify that you can connect to VNet2 from the on-premises network. Client1 is unable to
connect to VNet2.". - This tells us the network is actually connected fine, it is just the client (in this scenario the Win10 PC) that cannot
connect to VNet2.
upvoted 1 times
  sargis1177 11 months ago

Actually in this case both A and B are correct answers
upvoted 3 times

No B is not correct. "You verify that you can connect to VNet2 from the on-premises network" suggests gateway transit is already
configured correctly, so B is not required.
upvoted 4 times
  NeerajY 11 months ago

Without allowing gateway transit, can client1 connect to vnet2 even after re-installing package?
upvoted 2 times

"You verify that you can connect to VNet2 from the on-premises network" suggests it is already configured
upvoted 2 times

A is correct
upvoted 3 times

Answer A. is the good one. VPN clien re-installation is the key here.
upvoted 3 times

Multiple peered VNets
In this example, the Point-to-Site VPN gateway connection is for VNet1. VNet1 is peered with VNet2. VNet 2 is peered with VNet3. VNet1 is
peered with VNet4. There is no direct peering between VNet1 and VNet3. VNet1 has “Allow gateway transit” and VNet2 and VNet4 have
“Use remote gateways” enabled.
Clients using Windows can access directly peered VNets, but the VPN client must be downloaded again if any changes are made to VNet
peering or the network topology. Non-Windows clients can access directly peered VNets. Access is not transitive and is limited to only
directly peered VNets.
upvoted 2 times

Answer is correct. It should be "A".
upvoted 24 times

Azure currently supports two protocols for remote access, IKEv2 and SSTP. IKEv2 is supported on many client operating systems including
Windows, Linux, macOS, Android, and iOS. SSTP is only supported on Windows. If you make a change to the topology of your network and
have Windows VPN clients, the VPN client package for Windows clients must be downloaded and installed again in order for the changes
to be applied to the client.
upvoted 4 times

READ THIS.
Question says,
"You configure virtual network peering between VNet1 and VNet2. You verify that you can connect to VNet2 from the on-premises
network"
That means connection VNet2 through VNet1 is working. You need to re-install the vpn client, to update the route table to reach VNet2.
Instead you can run route add command on win 10 to reach that way...
Answer is correct, same question on az-103 exam
upvoted 9 times

upvoted 5 times
  Alizadeh 1 year, 2 months ago

A 100% correct
upvoted 7 times
  petar_petrovic 1 year, 3 months ago

Link might be ok, but that means it works from VNet1 to on-premise, if you want VNet2 to work with on-premise you need to enable
transit gateway on VNet1 and use remote gateway on VNet2.
upvoted 1 times
  Thi 1 year, 3 months ago

True study given link. P2S connection Windows computer from on prem can connect peered Vnets .
upvoted 2 times
HOTSPOT -
You have an Azure subscription. The subscription contains virtual machines that run Windows Server 2016 and are configured as shown in the
following table.
You create a public Azure DNS zone named adatum.com and a private Azure DNS zone named contoso.com.
You create a virtual network link for contoso.com as shown in the following exhibit.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances
https://docs.microsoft.com/en-us/azure/dns/private-dns-autoregistration
  NickyDee Highly Voted  1 year, 1 month ago

1. The PRIVATE zone contoso.com is linked to VNET1
2. All three VMs are in VNET1
3. All of the VMs will auto-register their host records to contoso.com
4. None of the VMs will auto-register to a public DNS zone. You cannot register private IPs on the internet (adatum)
The answer given is correct

Yes, Yes, No
upvoted 49 times
  cruisey 9 months, 1 week ago

You mean VNET 2 nor VNET 1
upvoted 13 times

Correct Answer:
All three VMs are in VNET2. Auto registration is enabled for private Azure DNS zone named contoso.com, which is linked to VNET2. So,
VM1, VM2 and VM3 will auto-register their host records to contoso.com.
None of the VM will auto-register to the public Azure DNS zone named adatum.com. You cannot register private IPs on the internet
(adatum.com)
Box 1: Yes
Auto registration is enabled for private Azure DNS zone named contoso.com.
Box 2: Yes
Auto registration is enabled for private Azure DNS zone named contoso.com.
Box 3: No
None of the VM will auto-register to the public Azure DNS zone named adatum.com
Reference:
https://docs.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links
upvoted 40 times

YES
YES
NO
upvoted 1 times

Passed 11 Oct 2021 with 947. This question appeared, correct Answer is Y Y N
upvoted 5 times

VM3 will be added to contoso.com, the connection suffix will change to contoso.com
upvoted 2 times

Correct. Thank you
upvoted 2 times
  sandipk91 5 months, 4 weeks ago

I think it should be Y-Y-Y
ref: https://docs.microsoft.com/en-us/azure/dns/dns-faq-private#i-have-configured-a-preferred-dns-suffix-in-my-windows-virtual-
machine--why-are-my-records-still-registered-in-the-zone-linked-to-the-virtual-network-
upvoted 1 times
  maxmarco71 7 months ago

answer is
yes
yes
yes
Why? solution below
I have configured a preferred DNS suffix in my Windows virtual machine. Why are my records still registered in the zone linked to the
virtual network?
The Azure DHCP service ignores any DNS suffix when it registers the private DNS zone. For example, if your virtual machine is configured
for contoso.com as the primary DNS suffix, but the virtual network is linked to the fabrikam.com private DNS zone, the virtual machine's
registration appears in the fabrikam.com private DNS zone.
https://docs.microsoft.com/en-us/azure/dns/dns-faq-private
upvoted 3 times
  Empel 6 days ago

Wrong! On the last one they are asking if it will register in adatum. If they where asking about contoso then it will be Yes
upvoted 1 times

in exam 7/3/2021
upvoted 5 times

Answers Y-Y-N
upvoted 5 times

The three answers are correct.
upvoted 2 times
  d0bermn 8 months ago

do not think so, only prZone contoso linked to subnet
upvoted 1 times

All 3 VMs will register in contoso.com due to the fact that they are all in VNET2.
"I have configured a preferred DNS suffix in my Windows virtual machine. Why are my records still registered in the zone linked to the
virtual network?
The Azure DHCP service ignores any DNS suffix when it registers the private DNS zone. For example, if your virtual machine is configured
registration appears in the fabrikam.com private DNS zone."
Source : https://docs.microsoft.com/en-us/azure/dns/dns-faq-private
upvoted 4 times

Answer is correct Yes, Yes, No
Since adatum.com is a public zone and nothing mentioned about auto registration there. then VM3 won't automatically register to VNET2
upvoted 8 times
  Dylan 1 year, 2 months ago

I think this is wrong...should be YYY
"The Azure DHCP service ignores any DNS suffix when it registers the private DNS zone. For example, if your virtual machine is configured
registration appears in the fabrikam.com private DNS zone."
upvoted 7 times
  immortalstrong 11 months, 4 weeks ago

Should be YYN. In your example, fabrikam.com is a private DNS zone. In this case, Adatum.com is public.
upvoted 3 times
I disagree. In the faq example, contoso.com VM is registering to fabrikam, and contoso could be public like adatum.com. Therefore,
the registration would still occur. Thus answer is Y Y Y.
upvoted 1 times

I am incorrect, please disregard.
upvoted 1 times

amazing - thanks for the link!!!
upvoted 1 times

When you link an virtual network with a private DNS zone and enable auto registration for all the virtual machines, the DNS records for
the virtual machines deployed in the virtual network are automatically created in the private DNS zone.
upvoted 3 times

DNS auto registration is configured for private zone which is linked to VNet2 so answer looks correct.
upvoted 9 times

Anyone got an explanation for this one?
upvoted 4 times
  VipinP 1 year, 2 months ago

Well Adatum.com is a public DNS zone and DNS auto registration is configured for private zone which is linked to VNet2 so answer
looks correct.
upvoted 5 times

I agree.
upvoted 2 times

All 3 VMs will register in the contoso.com DNS - no matter the DNS Suffix.
upvoted 5 times
  viking1 11 months, 1 week ago

Correct, all 3 will register in contoso.com, none will register in adatum.com as it is a public zone. It is irrelevant in this situation
and is present in the question only to separate those who know from those who don't but try to apply logic to arrive at the
hopefully correct answer.
upvoted 5 times

Correct Correct Correct
upvoted 1 times
To which subnets can you apply NSG1?
A. the subnets on VNet1 only
B. the subnets on VNet2 and VNet3 only
C. the subnets on VNet2 only
D. the subnets on VNet3 only
E. the subnets on VNet1, VNet2, and VNet3
Correct Answer: D
All Azure resources are created in an Azure region and subscription. A resource can only be created in a virtual network that exists in the same
region and subscription as the resource.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-vnet-plan-design-arm

D (100%)

Answer is correct. "D". VNET3 only
upvoted 27 times

Correct Answer: D
You can assign NSG to the Subnet of the VNet in the same region where NSG is.
NSG1 is in East US and only VNet3 Subnets are in East US.
upvoted 25 times

Selected Answer: D
Correct Answer: D
You can assign NSG to the Subnet of the VNet in the same region where NSG is.
NSG1 is in East US and only VNet3 Subnets are in East US.
upvoted 2 times
  Redimido 3 weeks ago

Selected Answer: D
Azure network security groups can't be moved between regions. You'll have to associate the new NSG to resources in the target region.
https://docs.microsoft.com/en-us/azure/virtual-network/move-across-regions-nsg-portal
upvoted 2 times

Region boundary. Answer is correct.
upvoted 1 times

628/1000 23/07/21 failed :(
upvoted 10 times

I also failed first time...thought I could just wing it and get by..I got 567...
Rewrite tomorrow....
upvoted 5 times
  Bertleman 3 months, 2 weeks ago
Same! Taking it 2nd time on Friday

upvoted 2 times

did you pass?
upvoted 1 times

in exam 7/3/2021
upvoted 6 times
  acmaws 7 months, 3 weeks ago

Correct is D:
Azure network security groups can't be moved between regions
upvoted 4 times

"D" is correct. Easiest way to remember is NSG must follow region AND subscription.
upvoted 7 times
  BinSelman 8 months, 1 week ago

the given answer is correct.
upvoted 1 times
  ckconsulting 10 months ago

D is correct.
upvoted 1 times

D is correct
upvoted 3 times

Answer D. is correct. You can apply NSG to the Vnet in the same region where NSG is.
upvoted 4 times

You can't add address ranges to, or delete address ranges from a virtual network's address space once a virtual network is peered with
another virtual network. To add or remove address ranges, delete the peering, add or remove the address ranges, then re-create the
peering. To add address ranges to, or remove address ranges from virtual networks, see Manage virtual networks.
upvoted 2 times

In the Create network security group page, under the Basics tab, set values for the following settings:
TABLE 1
Setting Action
Subscription Choose your subscription.
Resource group Choose an existing resource group, or select Create new to create a new resource group.
Name Enter a unique text string within a resource group.
Region Choose the location you want.
upvoted 3 times
  certprep2021 1 year, 1 month ago

Answer is correct
upvoted 2 times
  Neostar 1 year, 2 months ago

Answer is correct
upvoted 4 times
DRAG DROP -
You have an Azure subscription that contains two virtual networks named VNet1 and VNet2. Virtual machines connect to the virtual networks.
The virtual networks have the address spaces and the subnets configured as shown in the following table.
You need to add the address space of 10.33.0.0/16 to VNet1. The solution must ensure that the hosts on VNet1 and VNet2 can communicate.
Select and Place:
Correct Answer:
Step 1: Remove peering between Vnet1 and VNet2.

You can't add address ranges to, or delete address ranges from a virtual network's address space once a virtual network is peered with another
virtual network. To add or remove address ranges, delete the peering, add or remove the address ranges, then re-create the peering.
Step 2: Add the 10.44.0.0/16 address space to VNet1.
Step 3: Recreate peering between VNet1 and VNet2

Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering

COrrect Answer:
Step 1: Remove peering between Vnet1 and VNet2

You can't add address ranges to or delete address ranges from a virtual network's address space once a virtual network is peered with
peering.
Step 2: Add the 10.33.0.0/16 address space to VNet1
Step 3: Recreate peering between VNet1 and VNet2
Reference:
upvoted 35 times

Answer is correct.
upvoted 17 times
  husam421 Most Recent  1 week, 5 days ago

peering. To add address ranges to, or remove address ranges from virtual networks
upvoted 1 times

upvoted 2 times
  ahmedageba 2 weeks, 2 days ago

How many questions from this dumb
upvoted 1 times

The answer is correct, although there's a new way of the things happening now:
"Updating the address space of a virtual network that has peers will cause the peered virtual networks to not be able to connect to this
new address space until you perform a sync operation on the peerings. You can sync the peered virtual networks in the peerings tab, but
requires you have contributor permissions on the peered virtual networks."
https://azure.microsoft.com/en-us/blog/how-to-resize-azure-virtual-networks-that-are-peered-now-in-preview/
So now, it would be:

1. Change the address range
2. ReSync the Peerings
upvoted 1 times

You can check it yourself in the portal. This is the exact message it shows, once you change the address space.
upvoted 1 times

Correct answer:
- Remove peering between Vnet1 and VNet2
- Add the 10.33.0.0/16 address space to VNet1
- Recreate peering between VNet1 and VNet2
upvoted 6 times

The only problem with this answer is that peering is set from both sides. While this answer is correct in the selection, It neglects what the
impact will be on the peer from VNet2.
upvoted 2 times
  1Sri 7 months, 2 weeks ago
Received this question on 4th July exam.

There were many other questions from this list(around 16). I could clear the exam.
Thanks :-)
upvoted 6 times

Many organizations deploy a virtual networking architecture that follows the Hub and Spoke model. At some point, the hub virtual
network might require additional IP address spaces. However, address ranges can't be added or deleted from a virtual network's address
space once it's peered with another virtual network.
To add or remove address ranges, delete the peering, add or remove the address ranges, then re-create the peering manually.
https://docs.microsoft.com/en-us/azure/architecture/networking/prefixes/add-ip-space-peered-vnet
upvoted 2 times
  jitkv20 10 months, 2 weeks ago

But it doesnt say peering exist already to remove one? Please correct me if im wrong.
upvoted 5 times

in the table peering column.
upvoted 5 times

Tested! Correct answer
upvoted 3 times

Is Gateway Peering required to be enabled ?
upvoted 2 times

upvoted 3 times

Answer is correct. Before adding address space to Vnet, remove the peering, then add the address space, and finally re-create the peering.
upvoted 2 times

peering. To add address ranges to, or remove address ranges from virtual networks, see Manage virtual networks.
upvoted 14 times

Answer is correct with the right order
upvoted 6 times

To add or remove address ranges, delete the peering, add or remove the address ranges, then re-create the peering.
upvoted 4 times
HOTSPOT -
You have an Azure subscription that contains the resource groups shown in the following table.
RG1 contains the resources shown in the following table.
VM1 is running and connects to NIC1 and Disk1. NIC1 connects to VNET1.
RG2 contains a public IP address named IP2 that is in the East US location. IP2 is not assigned to a virtual machine.
Hot Area:
Correct Answer:
Box 1: Yes -
You can move storage -
Box 2: No -
You can't move to a new resource group a NIC that is attached to a virtual machine.
Box 3: No -
Azure Public IPs are region specific and can't be moved from one region to another.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources https://docs.microsoft.com/en-
us/azure/virtual-network/move-across-regions-publicip-powershell

Tested this in an identical lab:
1. YES. I was able to move the storage from RG1 to RG2, however it stayed in the West US region.
2. YES. I was able to move NIC1 from RG1 to RG2 which was associated with VM1 and VNET1 subnet1, however it stayed in the West US
region.
3. NO. The location of IP2 did not change. However I was able to move LP2 from RG2 to RG1 as it isn't associated with any other resource,
however it stayed in the East US region.
All resources moved to the new resource groups, but the region did not change
upvoted 118 times
  itgg11 1 week, 1 day ago

YYN. tested in lab
upvoted 2 times
  rgullini 10 months, 3 weeks ago

Also tested, you are correct.
upvoted 10 times

I also tested and was able to move the NIC attached to a running VM to a different RG. Took a while though!
upvoted 4 times

Correct Answer:
Box 1: Yes
You can move the Storage Account to RG2, however it stayed in the West US region. You cannot change the Region, you need to recreate
the Storage Account.
Box 2: Yes
You can move move NIC1 to RG2 which was associated with VM1 and VNET1 subnet1, however it stayed in the West US region. You can
move a NIC to a different RG or Subscription by selecting (change) next to the RG or Subscription name. If you move the NIC to a new
Subscription, you must move all resources related to the NIC with it. If the network interface is attached to a virtual machine, for example,
you must also move the virtual machine, and other virtual machine-related resources.
Box 3: No
You can move IP2 to RG1, as it isn't associated with any other resource, however it stayed in the East US region. The location will not
change.
upvoted 43 times
  manortmar 7 months ago

"as it isn't associated with any other resource" really? According to the above explanation being associated shouldn't be a problem to
move between RGs.
upvoted 1 times

Note: Resources can be everywhere regardless of the resource group they belong to. The resource group is only a collection of
metadata relative to the resources defined inside it. You can move a resource from one resource group to another group. The
resources in a resource group can be located in different regions than the resource group.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview
upvoted 9 times
  Redimido Most Recent  3 weeks ago

1. YES -
2. YES - I tested it personally. It will work, although you will have to update your scripts (if you have any associated with the moved NIC) to
use the new NIC's resourceID, as this one will change also.
3. NO
upvoted 1 times

Yes
No - You can move HDInsight clusters to a new subscription or resource group. However, you can't move across subscriptions the
networking resources linked to the HDInsight cluster (such as the virtual network, NIC, or load balancer). In addition, you can't move to a
new resource group a NIC that is attached to a virtual machine for the cluster.
No
upvoted 1 times

You can't just move the NIC, it's part of the VM.
upvoted 1 times

I am referring to NIC1 in RG1.
upvoted 1 times

upvoted 4 times

"In addition, you can't move to a new resource group a NIC that is attached to a virtual machine for the cluster."
upvoted 1 times
  slsl 1 month, 1 week ago

Apply only to Microsoft.HDInsight no VMs
upvoted 1 times
  guptavishal7982 9 months, 2 weeks ago

YYN - Tested!
upvoted 2 times

YES - You can move resources across resource groups
YES- Even though NIC1 is connected to demovm1 and vnet1, you can still change the resource group for the resource
NO- When you change the resource group for the resource , the location of the resource does not change.
upvoted 2 times
  AlexLiourtas 11 months ago

Y-Y-N tested in labs
upvoted 1 times
  Ant0ny 11 months ago

There's really no argument here, you just need to test. box two is YES. I have tested and moved the NIC from one RG to another without
issue while attached to a VM. The NIC stays in the same region, but it still successfully moves across resource groups
YYN
upvoted 1 times
  ZetaZeti 11 months ago

Resources can be everywhere regardless of the resource group they belong to. The resource group is only a collection of metadata relative
to the resources defined inside it.
"You can move a resource from one resource group to another group. " "The resources in a resource group can be located in different
regions than the resource group." https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview
Yes: you are moving storage1 from RG1 to RG2 so you are modifying metadata inside RG1 and RG2 to reflect the group resource moving
but storage1 doesn't move physically from where it is
Yes: same as above this time for NIC1
No: again IP2 doesn't physically move and there is only a modification in the metadata of RG1 and RG2 to accomodate the resource group
moving.
upvoted 4 times
  ReginaldoBarreto 11 months, 1 week ago

Test in LAB - Y-Y-N
upvoted 4 times
  Siblark 11 months, 1 week ago

The answer is YYN. I just did a lab and I moved my NIC from a resource group in Central US to South Africa North.
upvoted 6 times

Answer Y-Y-N
upvoted 5 times

VM1 is running and connects to NIC1 and Disk1. NIC1 connects to VNET1.
upvoted 2 times

Second answer is not correct. Y-Y-N. You can move NIC to another RG (will not move location, just will relocate the resource into new RG).
upvoted 3 times
You have an Azure web app named webapp1.

You have a virtual network named VNET1 and an Azure virtual machine named VM1 that hosts a MySQL database. VM1 connects to VNET1.
You need to ensure that webapp1 can access the data hosted on VM1.
What should you do?
A. Deploy an internal load balancer
B. Peer VNET1 to another virtual network
C. Connect webapp1 to VNET1
D. Deploy an Azure Application Gateway
Correct Answer: D

C (100%)
  Az209co Highly Voted  1 year, 4 months ago

I think the answer should be C.
<https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet>
upvoted 68 times

You are unable to connect a Webapp to a Vnet, if the Vnet is not empty. In this case there is a VM.
upvoted 3 times
  luxaflow 4 months, 2 weeks ago

This is correct, tested in Lab:
Was able to connect webapp to a VNet containing a VM. During connection creation, was requested to create a new subnet.
upvoted 4 times

correct but the network integrator in app service lets you create a subnet in the same vnet, precisely for this scenario.. check the ref
above ;-)
upvoted 3 times
  slimjago 8 months, 1 week ago

based on that, webapp needs it's own VNET, right? which could be peered with VNET1. what do you think?
upvoted 1 times

webapp only needs it own empty(not delegated nor has any resources within) subnet, not VNET (which can contain many
subnets) and a /29 subnet is the smallest you can use for such a service.
upvoted 2 times

Answer is wrong. It should be "C"
Connect the webapp to VNET using webapp VNET integration. where webapp can access the resources in the VNET.
upvoted 53 times

Answer is C. tested in the lab. web app pricing plan needed to be upgraded to Standard. There must be a vnet with a subnet that is not
being used. If the subnet is used, you can create a new one.
upvoted 1 times
  Appu008 2 months, 3 weeks ago

Wrong, the answer is D only. Because there is no mention that VM1 is in Vnet1, its is said that VM1 only connects to Vnet1 (it is
mentioned to distract students towards wrong answer)
upvoted 1 times

Correct! VNet integration feature enables your apps to access resources in or through a VNet.
upvoted 1 times
  PersonT 6 months, 3 weeks ago

True
https://docs.microsoft.com/nl-nl/azure/application-gateway/overview
upvoted 2 times
  yangxs Most Recent  2 weeks, 5 days ago

Selected Answer: C
D is wrong. App Gateway cannot pass SQL traffic
upvoted 1 times
  vihanga93 1 month ago

Selected Answer: C
I think the answer should be C.
upvoted 1 times

C. Connect webapp1 to VNET1
upvoted 1 times

C:Connect webapp1 to VNET1
upvoted 1 times
  zakbrowld 1 month, 3 weeks ago

Selected Answer: C
it's C
upvoted 1 times

Selected Answer: C
Connect app to vnet
upvoted 1 times

Selected Answer: C
Connect webapp1 to VNET1
upvoted 1 times
  ganeshcanada 1 month, 3 weeks ago

Answer is Connect webapp1 to VNET1
The VNet Integration feature has two variations:

- Regional VNet Integration: When you connect to Azure Resource Manager virtual networks in the same region, you must have a
dedicated subnet in the VNet you're integrating with.
- Gateway-required VNet Integration: When you connect to VNet in other regions or to a classic virtual network in the same region, you
need an Azure Virtual Network gateway provisioned in the target VNet.
Note: If the VNet is in the same region, either create a new subnet or select an empty preexisting subnet.
The resources inside a VNet can communicate.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet
upvoted 1 times

Selected Answer: C
C is correct.
upvoted 1 times

I connected the webapp to an empty subnet within the VNet without trouble. And the connection works.
Deploying an application gateway is not the foolproof method to ensure that webapp can access data on vm1
So the answer should be C - Connect Webapp to VNET1
upvoted 3 times
  stack120566 4 months, 2 weeks ago

The answer is C . The webapp needs to connect to an "empty subnet" in an existing vnet
https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet
upvoted 1 times
  eduardomartinez 4 months, 3 weeks ago

Omg stop posting discussion because this is very confusing for people that are studying
upvoted 2 times
  MomoLomo 3 months, 3 weeks ago

Omg go and study somewhere else the discussions are super useful !
upvoted 13 times
  rohitmedi 5 months ago

Answer is C
upvoted 1 times

Obviously C
upvoted 1 times
  khengoolman 5 months, 3 weeks ago

You can't use vnet1 because it's not empty.
https://stackoverflow.com/questions/62062214/azure-web-app-connect-to-vm-service-on-private-network
You also can't do peering, this is another article
https://stackoverflow.com/questions/51195286/azure-web-app-cant-see-vm-through-vnet-to-vnet-connection
The same article suggest using gateway, so I'm going with D
upvoted 2 times
  khengoolman 4 months, 3 weeks ago

I'm not entirely correct, should be C
upvoted 1 times
You create an Azure VM named VM1 that runs Windows Server 2019.
VM1 is configured as shown in the exhibit. (Click the Exhibit tab.)
You need to enable Desired State Configuration for VM1.

A. Connect to VM1.
B. Start VM1.
C. Capture a snapshot of VM1.
D. Configure a DNS name for VM1.
Correct Answer: B
Status is Stopped (Deallocated).
The DSC extension for Windows requires that the target virtual machine is able to communicate with Azure.
The VM needs to be started.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-windows
  sri1972 Highly Voted  1 year, 1 month ago

Came in 01/09/21 exam. Passed exam with 906 marks. 98% of the questions are from this dump.
upvoted 49 times

I don't consider this "a dump", actually. I believe the vast majority of people here (me included) are actually studying for the exam hard
(reading online documentation, experimenting in their Azure subscription, etc.) and using this just as a way to plug the holes in their
knowledge (as one simply can't know every single detail and possible scenario regarding Azure).
upvoted 82 times

You are 100% right, I actually think the creators of this put wrong answers intentionally, in order to challenge you and make you
work and study hard to find the correct solution. Going in the exam without study at all and depend on this THING is suicide!
upvoted 24 times
  smaa 2 months ago

Hi, is it 98% from the whole set? Or 98 % from topic5 questions? Thanks.
upvoted 1 times

Correct Answer: B
Status is Stopped (Deallocated). The DSC extension for Windows requires that the target Virtual Machine is able to communicate with
Azure. First you start the VM, because you need VM online to deploy DSC Extension.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-windows
upvoted 33 times

Correct answer: B
upvoted 4 times

Correct..
upvoted 1 times

I can't believe I read you need to disable the DSC. Haha... Answer is correct
upvoted 1 times

B is correct!
upvoted 4 times

Answer B. is correct. First you start the VM. You need VM online to deploy DSC Extension
upvoted 4 times

The extension uploads and applies a PowerShell DSC Configuration on an Azure VM. The DSC Extension calls into PowerShell DSC to enact
the received DSC configuration on the VM.
upvoted 4 times
  dadageer 1 year, 1 month ago

Answer correct! you cannot apply DSC if VM is shut.
upvoted 4 times

Answer is correct. "B" Start the VM
upvoted 7 times

Wish I see that easy question in my session :)
upvoted 13 times
  emv 1 year ago

I wish that too :d
upvoted 2 times

The DSC extension for Windows requires that the target virtual machine is able to communicate with Azure.
upvoted 6 times
A. Floating IP (direct server return) to Disabled
B. Session persistence to None
C. Floating IP (direct server return) to Enabled
D. Session persistence to Client IP
Correct Answer: D
Load-Balancer For
Sticky Sessions set Session persistence to Client IP or to Client IP and protocol.
On the following image you can see sticky session configuration:
Note:
✑ Client IP and protocol specifies that successive requests from the same client IP address and protocol combination will be handled by the
same virtual machine.
✑ Client IP specifies that successive requests from the same client IP address will be handled by the same virtual machine.
Reference:
https://cloudopszone.com/configure-azure-load-balancer-for-sticky-sessions/

D (100%)
  mtec2017 Highly Voted  7 months, 3 weeks ago

This is correct
upvoted 8 times
  Dajmahn Highly Voted  7 months, 1 week ago

On exam 7/13/21
upvoted 5 times

Selected Answer: D
Ans: D. Session persistence to Client IP
upvoted 2 times

Ans: D. Session persistence to Client IP
upvoted 3 times

Passed exam today 11/19/21 only about 25-30% of the question are in this dump. Suggestion, do not rely solely on dumps. MS learn,
udemy etc. had like 5 different case scenarios where they throw a lot of white noise in to confuse.
upvoted 3 times

Correct D
upvoted 2 times
  Kp9696 5 months, 3 weeks ago

This is correct answer. What we have to do after Topic4 Q-30 ? Does anyone has valid discount code to unlock next set of questions ?
upvoted 2 times

upvoted 4 times
✑ A virtual network that has a subnet named Subnet1
✑ Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1
✑ A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections
NSG-Subnet1 has the default inbound security rules only.
NSG-VM1 has the default inbound security rules and the following custom inbound security rule:
✑ Priority: 100
✑ Source: Any
✑ Source port range: *
✑ Destination: *
✑ Destination port range: 3389
✑ Protocol: UDP
✑ Action: Allow
VM1 has a public IP address and is connected to Subnet1. NSG-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to
Subnet1.
You need to be able to establish Remote Desktop connections from the internet to VM1.
Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the Any source to the *destination for port range 3389
and uses the TCP protocol. You remove NSG-VM1 from the network interface of VM1.
A. Yes
B. No
Correct Answer: B
The default port for RDP is TCP port 3389. A rule to permit RDP traffic must be created automatically when you create your VM.
Note on NSG-Subnet1: Azure routes network traffic between all subnets in a virtual network, by default.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdp-connection

A (82%) B (18%)
  ihavespoken Highly Voted  1 year, 2 months ago

My comments were incorrect, late night study :-). The answer is Yes. The main point i miss was that NSG-Subnet 1 is correctly modified
with TCP 3389 and NSG-VM1 is removed. In this case you should be able to connect.
- "Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the Any source to the *destination for port
range 3389
and uses the TCP protocol. You remove NSG-VM1 from the network interface of VM1."
upvoted 67 times

ans=YES. I just tested in my lab. Since NSG-VM1 was removed, all traffic hitting vmnic is allowed. Adding RDP allow rule to NSG-subnet
did the trick.
upvoted 1 times

we only want to have RDP to VM1, but with this rule, we would allow RDP to all VMs in the Network, because of this I would go for No
(B)
upvoted 1 times

does anyone note that this is a UDP-RDP service???
upvoted 4 times
  Junhui74 6 months, 2 weeks ago

reference to https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works , answer is yes
upvoted 1 times

This answer, like so many others, is incorrect
upvoted 31 times

Selected Answer: A
I read the question too quickly and initially thought the answer was B. But I missed the bit where we ADD TCP:3389 to the Subnet NSG
AND remove the NSG from the VM.
upvoted 1 times

Selected Answer: B
The only rule in vigor here is the one declared by NSG-VM1, after you explicitly remove the other one.
As the port for an RDP connection defaults to TCP, it means UDP paint no solution there, at least not without a registry tweaks.
upvoted 2 times
  abbas19 3 weeks, 2 days ago

Remove NIC NSG and added subnet NSG with RDP allow. Unable to connect.
Got this message when tested the connection.
Network connectivity blocked by security group rule: DefaultRule_DenyAllInBound
So the Answer is No.
upvoted 1 times
  ddon1999 3 weeks, 4 days ago

answer is NO. Because you need to add the matching rule both on subnet and nic. in this case allow TCP at subnet and NIC
upvoted 1 times

If you have default inbound rule so 3389 is allowed by default. Modifying other rules do not affect the RDP to VM1. So the correct one is A
upvoted 1 times

Selected Answer: A
Cor Ans: Yes
upvoted 2 times

Selected Answer: A
A is correct. The updated NSG rule allows RDP traffic.
upvoted 2 times

I think the correct answer is A (Yes). Here is why.
The solution has removed NSG-VM1. As such, the effect inbound rules will be only NSG-Subnet1 as VM1 is on Subnet1. So, what NSG-VM1
had is irrelevant. We only need to check if NSG-Subnet 1.
The solution adds an inbound security rule to NSG-Subnet1 that allows connections from the Any source to the *destination for port range
3389 and uses the TCP protocol.
Note it’s TCP and port 3389. Now NSG-Subnet1 has the right inbound rule for RDP. Hence, you can RDP to VM1 from internet.
upvoted 2 times

The answer is most certainly NO.
upvoted 3 times
  danito 3 months ago

Selected Answer: A
add udp to nsg-subnet1 and remove nsg-vm1(which was wrong due to udp protocol). Answer A
upvoted 4 times
  starseed 3 months ago

Answer is Yes..
upvoted 2 times
  stack120566 3 months, 2 weeks ago

The proposed solution has no mention of the destination ip address for the allowed RDP traffic Therefore this cannot be a valid solution.
Without mention of the target ip belonging to VM1. The rule is incomplete. Answer No
upvoted 1 times

Tricky question. RDP will work, but RDP acceleration on UDP will not. Both somehow correct, but I would answer "no" becuase we reduce
functionality of RDP by this tcp-only config.
upvoted 1 times

Answer: NO
VM1 has two NSG
1. NSG-VM1 that does not allow TCP 3389
2. NSG-subnet that allow TCP 3389
and that NSG-VM1 subnet will drop the packet there.
upvoted 3 times
  ejml 3 months, 3 weeks ago

Agree with you
upvoted 1 times

The question says ....You remove NSG-VM1 from the network interface of VM1.
so the correct answer is A

upvoted 7 times
  fathomle55 4 months, 3 weeks ago

NO is Correct.
be careful- from "Internet to VM1"
internet connection is not allowed by df
upvoted 2 times
✑ Priority: 100
✑ Source: Any
✑ Destination: *
Destination port range: 3389 -
✑ Protocol: UDP
✑ Action: Allow
Subnet1.
Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the internet source to the VirtualNetwork destination for
port range 3389 and uses the UDP protocol.
A. Yes
B. No
Correct Answer: B
Reference:

A (75%) B (25%)

The default port for RDP is TCP port 3389.
Reference:
https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/troubleshoot-rdp-connection
upvoted 22 times
  aMiPL Highly Voted  1 year ago

Such a silly question :).
By default it will not work but you can make it work so there isn't really a good answer xD.
By default servers accepts on both TCP and UDP.
UDP will work as long as client machine(the one you are connecting from) will have registry updated to use UDP by default :>
So the answer is "No" in but you can actually make it work if you change settings outside of azure.
upvoted 9 times
  hm67 Most Recent  4 days, 14 hours ago
Selected Answer: A
RDP default TCP not UDP. Traffic is denied by the DenyAllInbound default security rule.
upvoted 2 times

Click the wrong answer, should be B.
upvoted 1 times
  csgx 5 days, 2 hours ago

Selected Answer: B
UDP is the key to choose B..
upvoted 1 times
  yangxs 2 weeks, 5 days ago

Selected Answer: A
Should be Yes. There is nothing block the traffic.
upvoted 1 times

I tested now , first an inbound rule create to nsg1-vm with custom service and protocol udp - port 3389. Only with this I CANNOT connect
with the server. Once I change this to tcp I am able to connect. Making the same for NSG1-Subnet with the same udp rule is not
connecting....
upvoted 1 times

While RDP can be configured to run on UDP3389 it is not configured by default in Windows.
upvoted 2 times

Answer is correct
upvoted 1 times

https://en.wikipedia.org/wiki/Remote_Desktop_Protocol
Clients exist for most versions of Microsoft Windows (including Windows Mobile), Linux, Unix, macOS, iOS, Android, and other operating
systems. RDP servers are built into Windows operating systems; an RDP server for Unix and OS X also exists. By default, the server listens
on TCP port 3389[2] and UDP port 3389.[3]
upvoted 1 times
  tobychuks 8 months, 4 weeks ago

Correct Answer B
upvoted 1 times
  jgray 10 months ago

Given answer B is correct. Tested in a lab and an NSG set to 3389 UDP does not work by default. There are ways to make UDP work but by
default a RDP connection uses TCP.
upvoted 2 times

NO is the answer- Should be TCP not UDP
upvoted 4 times

Answer B. Is correct.
upvoted 2 times

RDP is TCP_3389, NOT UDP_3389.
Probably the easiest question I have ever seen in a MS Exam. :)

upvoted 2 times

Answer is correct. "NO"
upvoted 4 times

UDP, UDP, NO NO
upvoted 2 times
  nwu 1 year, 1 month ago

No, RDP should use TCP 3389 not UDP 3389
upvoted 4 times
✑ Priority: 100
✑ Source: Any
✑ Destination: *
✑ Destination port range: 3389
✑ Protocol: UDP
✑ Action: Allow
Subnet1.
Solution: You add an inbound security rule to NSG-Subnet1 and NSG-VM1 that allows connections from the internet source to the VirtualNetwork
destination for port range 3389 and uses the TCP protocol.
A. Yes
B. No
Correct Answer: A
Reference:

A (100%)

Answer is correct. YES.
To enable RDP, you need to add "Allow" rule for 3389 port on TCP protocol. this is matches the given suggested solution.
For the existing custom rule, priority doesn't matter if it is 100 or not. As "Network security group security rules are evaluated by priority
using the 5-tuple information (source, source port, destination, destination port, and protocol) to allow or deny the traffic." So Azure
checks the first rule, it finds that it has UDP. then It will check the second rule, it will find allow TCP on port 3389. So it will allow. Since the
protocols are different, so those are totally different rules.
Please read the page https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
upvoted 38 times
  boozy 10 months, 1 week ago

Agree! YES!
Because RDP TCP is allowed at subnet and on VM level NSGs.
"You add an inbound security rule to NSG-Subnet1 and NSG-VM1 that allows connections from the internet source to the
VirtualNetwork destination for port range 3389 and uses the TCP protocol."
upvoted 3 times

Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same
attributes as rules with higher priorities are not processed.
upvoted 1 times

but what the guy is saying is valid as they are both different rules (protocols)
upvoted 2 times
  lcdr_scl 9 months ago

Agree!! Yes and tested
upvoted 3 times

Exactly this! The rule is evaluated, if the rule is not matched it moves on to the next rule. So in this case the UDP rule is effectively
ignored because the traffic is TCP. The TCP rule then permits the traffic.
upvoted 1 times

RDP TCP is allowed at Subnet and on VM level NSGs.

The default port for RDP is TCP port 3389.
To enable RDP, you need to add "Allow" rule for 3389 port on TCP protocol.
Reference:
https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/troubleshoot-rdp-connection
upvoted 15 times
  Jonangar Most Recent  1 month, 1 week ago

Selected Answer: A
You add the rule to both NSG. So it will pass the RDP connection to the VM
upvoted 1 times

Answer is correct
upvoted 2 times

The answer is yes but it seems like there's a redundant rule on the VM1 NIC NSG
upvoted 1 times

ans is obviosly Yes, but why '..VirtualNetwork destination..' for nsg attached to vm?)
upvoted 1 times

Everyone those who recreated in lab, need to also make sure they had a subnet level NSG attached with UDP 3389 allow rule, and test RDP
access from the internet. There are quite a few key points here. My answer is NO, as subnet level NSG would not allow RDP.
upvoted 1 times
  cgmaxmax 8 months, 3 weeks ago

Answer is No.
Example:
VM1: The security rules in NSG1 are processed, since it is associated to Subnet1 and VM1 is in Subnet1. Unless you've created a rule that
allows port 80 inbound, the traffic is denied by the DenyAllInbound default security rule, and never evaluated by NSG2, since NSG2 is
associated to the network interface. If NSG1 has a security rule that allows port 80, the traffic is then processed by NSG2. To allow port 80
to the virtual machine, both NSG1 and NSG2 must have a rule that allows port 80 from the internet.
upvoted 6 times

The answer is clearly yes as others have indicated. The question calls to create TCP/3389 allow rules on both NSG.
upvoted 3 times
  stepient 10 months, 1 week ago

Tested in lab, the answer is NO. It seems everyone here is missing that the catch here is the destination - you need to set it to "Any" or
specific IP address; if you set it to "VirtualNetwork", the destination will not match. Use Network watcher > NSG diagnostic to verify this.
upvoted 7 times

You are totally wrong, the answer is YES.
"VirtualNetwork" value does exists and can be used as source or destination. check the URL below.
upvoted 2 times

I tested in lab, this person is wrong. VirtualNetworks works for both NSGs. https://images2.imgbox.com/05/ba/wqVbhmFI_o.png
upvoted 3 times

There is no practical difference between VirtualNetwork and Any for destination for inbound.
upvoted 2 times
  gbx077 9 months ago

confirmed and tested in the lab - same results as stepient.
You have to change the destination to "Any" instead of "VirtualNetwork" to make it work.
The answer is NO
upvoted 1 times
  uo2021 10 months, 2 weeks ago

Just recreated in lab, answer is yes, after you add the allow rule RDP on TCP for NSG-VM, it allows the connection, I was also thinking it
would be a conflict of rules, but I guess it checks the first rule with UDP and then the TCP rule with lower priority and still works.
upvoted 2 times

Answer is correct, I tested this in lab by adding an RDP port 3389 rule with priority 100 using UDP as the protocol, could not connect. After
that, I added an RDP port 3389 rule with priority 110 using TCP, and I could connect :)
upvoted 2 times
  trifid 11 months, 1 week ago

Tested, result is : NO
upvoted 4 times
  Elrath 11 months, 1 week ago

Also tested with my lab environment, and I can confirm that the answer is NO.
You are not able to login using RDP with the UDP allow port 3389 on the NSG-VM1 level (assuming it has a higher priority than the TCP
allow port 3389)
upvoted 2 times

Correct A. Yes - for inbound rules, the NSG associated with the subnet is evaluated before the NSG of the NIC that's associated with the
VM. Therefore the Allow RDP, TCP on port 3389 wins. Outbound traffic is the opposite with the NSG of the NIC being evaluated before the
NSG associated with the subnet.
upvoted 1 times

Yes is correct!
upvoted 1 times

Answer is incorrect. Unless NSG-VM is removed, or rule 100 in NSG-VM is removed, the RDP will be forbiden.
upvoted 2 times
  MFT88 12 months ago

Why forbidden? The initial rule in the description for NSG-VM1 and has the Allow action. RDP does not work because it needs to be on
TCP, not UPD. Since we are adding a rule in there for TCP 3389 on BOTH NSGs (for subnet and VM), then RDP will be allowed. I see no
reason why RDP would not be allowed with this solution.
upvoted 3 times

That is right. The UDP rule for 3389 on the NSG-VM1 will not work and thus be ignored. Hence, RDP is allowed coz of the NSG at
subnet level.
upvoted 1 times

You add an inbound security rule to NSG-Subnet1 and NSG-VM1 that allows connections
upvoted 1 times
  Ozguraydin 1 year, 1 month ago

The answer is correct. Because we request TCP. NSG will block UDP requests. We create a TCP rule then we can access RDP port. and I
tested also ;)
upvoted 4 times
HOTSPOT -
You have a virtual network named VNet1 that has the configuration shown in the following exhibit.
Hot Area:
Correct Answer:
Box 1: add an address space -

Your IaaS virtual machines (VMs) and PaaS role instances in a virtual network automatically receive a private IP address from a range that you
specify, based on the address space of the subnet they are connected to. We need to add the 192.168.1.0/24 address space.
Box 2: add a network interface -

The 10.2.1.0/24 network exists. We need to add a network interface.
Reference:
https://docs.microsoft.com/en-us/office365/enterprise/designing-networking-for-microsoft-azure-iaas

Also wrong, the subnet range being created is 10.2.0.0 - 10.2.0.255 . So if you want to add an IP address from 10.2.1.0/24 you need to add
a new subnet.
Why are so many of these wrong?

upvoted 117 times
  Nicksin 8 months ago

Yeah there's tons, dunno how anyone is passing, lol.
upvoted 8 times

Using these questions to provoke research and learn the material, not memorise answers, which is ridiculous
upvoted 7 times

You can almost ignore the answers / look at the questions, discussions, do your own research, and at the end if you didn’t already
lose your mind, then pass the exam 🤦🏻‍♂️
upvoted 19 times

start to like this place. Tried some other sites with “correct” answers without comments and didn’t trust it, lol.
upvoted 6 times
  zewenwu 1 year ago

don't you mean that the vnet range originally created is 10.2.0.0 - 10.2.255.255?
upvoted 3 times

There is no dissent. Throw says the initial _subnet_ is 10.2.0.0 - 10.2.0.255. You say the initial vnet _address space_ is 10.2.0.0 -
10.2.255.255. Both is true.
However, in the first question you have to _first_ add an address space. (and then a subnet)
In the second question you only have to add a subnet as 10.2.1.0/24 is within the vnet's address range 10.2.0.0/16
upvoted 8 times
  JamesDC 1 year ago

so what?... if you don't have any subnet how can you use those IPs?... Throw is correct!
upvoted 6 times
  vojehol452 Highly Voted  1 year, 2 months ago

- Add an address space
- Add a subnet
upvoted 104 times
  ZacAz104 Most Recent  1 month ago

10.2.1.0./24 has to be added as subnet so second one is wrong
upvoted 2 times

1: add an address space
2: add a subnet
upvoted 2 times
  Sharathjogi 1 month, 2 weeks ago

1. Add an address space
2. Add a subnet
upvoted 2 times

1: add an address space
2: add a subnet
upvoted 2 times

Box 1: add an address space
Your IaaS virtual machines (VMs) and PaaS role instances in a virtual network automatically
receive a private IP address from a range that you specify, based on the address space of the
subnet they are connected to. We need to add the 192.168.1.0/24 address space.
Box 2: add a subnet
Address space is present but need to add subnet
upvoted 7 times

Passed 11 Oct 2021 with 947. This question appeared, correct Answer is Address Space, Subnet
upvoted 9 times

- Add a subnet
upvoted 2 times

Answer is wrong.
The first one add subnet

Second add address space
upvoted 2 times

- Add an address space. Then add a subnet in that range
- Add a subnet. Address space exists but subnet 10.2.1.0/24 does not exist.
Too many wrong answers now. Somebody needs to fix. I know, I know, it's free but you're here to help, aren't you?
upvoted 4 times

Are these answers given wrongly on purpose or what? Common, who does such things! This is supposed to help people prepare, not
confuse
upvoted 3 times
  nzmike 3 months ago

A bit rich coming from the person who posts about five wrong/updated/corrected answers to each question....
upvoted 4 times

upvoted 5 times
  wjmkjhlx 6 months, 1 week ago

Tested in portal:
- Add a subnet
upvoted 1 times
  Dajmahn 7 months, 1 week ago

On exam 7/13/21, glad I read this discussion yesterday.
upvoted 3 times

in exam 7/3/2021, answered "add a subnet"
upvoted 4 times

upvoted 4 times
You have an Azure subscription that contains a virtual network named VNET1. VNET1 contains the subnets shown in the following table.
Each virtual machine uses a static IP address.

You need to create network security groups (NSGs) to meet following requirements:
✑ Allow web requests from the internet to VM3, VM4, VM5, and VM6.
✑ Allow all connections between VM1 and VM2.
✑ Allow Remote Desktop connections to VM1.
✑ Prevent all other network traffic to VNET1.
What is the minimum number of NSGs you should create?
A. 1
B. 3
C. 4
D. 12
Correct Answer: C
Each network security group also contains default security rules.
Note: A network security group (NSG) contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual
Networks (VNet).
NSGs can be associated to subnets, individual VMs (classic), or individual network interfaces (NIC) attached to VMs (Resource Manager).
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#default-security-rules

A (100%)

Correct Answer: A
NSGs can be associated to subnets, individual VMs (classic), or individual network interfaces (NIC) attached to VMs (Resource Manager).
You can associate zero, or one, NSG(s) to each VNet subnet and NIC in a virtual machine. The same NSG can be associated to as many
subnets and NICs as you choose.
So, you can create 1 NSG and associate it with all 3 Subnets.
- Allow web requests from internet to VM3, VM4, VM5 and VM 6: You need to add an inbound rule to allow Internet TCP 80 to VM3, VM4,
VM5 and VM6 static IP addresses.
- Allow all connections between VM1 & VM2: You do not need an NSG as communication in the same VNet is allowed by default, without
even configuring NSG.
- Allow remote desktop to VM1: You need to add an inbound rule to allow RDP 3389 in VM1’s static IP address .
- Prevent all other network traffic to VNET1: You do not need to configure any NSG as the there is explicit deny rule (DenyAllInbound) in
every NSG.
upvoted 138 times

A is correct. Initially, I thought 3 NSGs were needed . but I was mixed up rules with NSGs. Only 1 NGS needed
upvoted 1 times

Guys! Please prefer mlantonis answer
upvoted 7 times

so if we allow web requests from the internet to VM3, VM4, VM5 and VM6 by adding an inbound rule AND adding an inbound rule to
allow RDP 3389 in VM1's static IP address....isn't that two NSG rules rather than one?
upvoted 1 times
Agree with you. 1 NSG should be able to do it as you describe. Even if the VMs did not have a static address, you could still do it using
Application Security Groups. Create ASG1 that contains VM3, VM4, VM5, and VM6. Create ASG2 that contains VM1. Now create a 1 NSG
and allow web requests to ASG1, allow RDP to ASG2 and so on.
upvoted 2 times

I believe it's wrong. I would go with 1 NSG only. NSGs can associate to multiple subnets. There is no conflict in rules so all can be in 1 NSG.
My penny.
upvoted 98 times

as one time solution agreed, 1 nsg will work,
but in enterprise network rules better to implement: 1 rule =1 service
upvoted 1 times
  Hafeezzahidi 1 year, 1 month ago

keyword to this question is "Minimum NSG", so you are right
upvoted 6 times

Hmm... now that I think of it, the last prereq of deny all other traffic makes it to go for 4.
upvoted 2 times

NO NO NO, by default there will be a deny all at the bottom of all the rules. You dont need to create any deny traffic after adding
allow statements. By default there is an implicit deny all at the end. So JohnAvlakiotis is correct.
upvoted 3 times

Sorry i meant to say that your first statement was correct. You only need one NSG with several allow rules.
upvoted 1 times

Damn!.. I think I will choose 1 NSG, because based on priorities I believe you can answer all the requirements.
upvoted 10 times
  canbe20 1 year, 2 months ago

How it's possible with 1 NSG? Web requests for those 4 VMs require 1 NSG and RDP for VM1 requires 1 NSG, so at least 2 are
required.
upvoted 1 times

They have the STATIC IP,
So you will provide the static ips of the vms as destinations and create rules per vm on ONE NSG
upvoted 14 times

You attach a single NSG to each subnet.
upvoted 1 times

upvoted 3 times

Selected Answer: A
A is correct
upvoted 1 times
  FabioVi 4 weeks, 1 day ago

Selected Answer: A
1 NSG would be enough. Key here is that the VMs have static iPs, and that there are not conflicts between rules.
upvoted 1 times
  vihanga93 1 month ago

Selected Answer: A
Only 1 NSG is enough.
upvoted 1 times

correct answer A
upvoted 1 times
  Fulforce 1 month, 4 weeks ago

Selected Answer: A
This question has asked for minimum number of NGS. None of the rules conflict so therefore we can just use one NSG
upvoted 1 times
  beem84 2 months ago

Selected Answer: A
Answer A, 1 NSG. it may not be best practice but it is the minimum.
upvoted 1 times

I would create 1 NSG only for this requirement and apply it to all subnets.
Within the NSG I can explicitly define the source and destination for each rule that I'm creating. I want to give examples here but it's too
long. hehehe I hope you know what I mean.
upvoted 1 times

upvoted 3 times

Guys! Please prefer mlantonis answer
upvoted 2 times

Wrong answer.
Only one NSG is needed.
upvoted 1 times

You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine.
Hence 4
upvoted 1 times

jantoniocesargatica agree with you
upvoted 1 times

The minimum is 3.
Firstly you must "Allow web requests from the internet to VM3, VM4, VM5, and VM6." For that we need 1 NSG associated to subnet 2 and
subnet 3.
Secondly you must "Allow Remote Desktop connections to VM1." For that we need another NSG associated to the NIC of VM1.
Lastly we need to "Prevent all other network traffic to VNET1." This is done by default when we are using NSG but with the current
configuration VM2 does not have NSG associated, we need to associate and empty NSG to the NIC of VM2 so the default security rules
apply and all other network traffic is prevented in VNET1.
The other requirement "Allow all connections between VM1 and VM2." does not require an NSG.
On the other hand some people say that we could do this with only one NSG associated to the three subnets but it would not meet the
requirements because we would be allowing web requests in VM1 and VM2, which is not a requirement, also we would be allowing
remote desktop connections to VM2, VM3, VM4, VM5 and VM6 which is not a requirement either.
Definitively with 3 NSG we could meet all the requirements.

upvoted 6 times
  GuyForget 5 months, 1 week ago

You can create a separate rule in the same NSG that allows RDP and specifies only VM1 as the destination. Likewise, you can have a
separate rule created to allow access to VM3, 4, 5, & 6. All other traffic would be blocked by default. You don't need 3 NSGs, just 1 NSG
with 2 custom rules.
upvoted 1 times
  Matt090 7 months, 1 week ago

I don't agree
upvoted 1 times

Answer is 1
upvoted 2 times
The Not allowed resource types Azure policy that has policy enforcement enabled is assigned to RG1 and uses the following parameters:
Microsoft.Network/virtualNetworks
Microsoft.Compute/virtualMachines
In RG1, you need to create a new virtual machine named VM2, and then connect VM2 to VNET1.
A. Remove Microsoft.Compute/virtualMachines from the policy.
B. Create an Azure Resource Manager template
C. Add a subnet to VNET1.
D. Remove Microsoft.Network/virtualNetworks from the policy.
Correct Answer: A
The Not allowed resource types Azure policy prohibits the deployment of specified resource types. You specify an array of the resource types to
block.
Virtual Networks and Virtual Machines are prohibited.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/samples/not-allowed-resource-types

Passed 11 Oct 2021 with 947. This question appeared, correct Answer is A
upvoted 16 times
  yoelalan14 Highly Voted  2 months, 3 weeks ago

Answer is A because we already have the VNET in place, so the only thing that would get blocked by this policy would be the NEW vm we
are creating
upvoted 6 times

upvoted 3 times

A, no need to add the vnet
upvoted 3 times
  filipov1 2 months, 4 weeks ago

so dump question
upvoted 1 times

Love what you did here : )
upvoted 4 times

upvoted 3 times

Correct answer, asked on my exam today 02/10/21
upvoted 3 times
Your company has an Azure subscription named Subscription1.

The company also has two on-premises servers named Server1 and Server2 that run Windows Server 2016. Server1 is configured as a DNS server
that has a primary DNS zone named adatum.com. Adatum.com contains 1,000 DNS records.
You manage Server1 and Subscription1 from Server2. Server2 has the following tools installed:
✑ The DNS Manager console
✑ Azure PowerShell
✑ Azure CLI 2.0
You need to move the adatum.com zone to an Azure DNS zone in Subscription1. The solution must minimize administrative effort.
A. Azure CLI
B. Azure PowerShell
C. the Azure portal
D. the DNS Manager console
Correct Answer: B
Step 1: Installing the DNS migration script
Open an elevated PowerShell window (Administrative mode) and run following command install-script PrivateDnsMigrationScript
Step 2: Running the script -

Execute following command to run the script
PrivateDnsMigrationScript.ps1 -
Reference:
https://docs.microsoft.com/en-us/azure/dns/private-dns-migration-guide

A (100%)

Answer is incorrect, it should be A - Azure CLI.
https://docs.microsoft.com/en-us/azure/dns/dns-import-export
- Azure DNS supports importing and exporting zone files by using the Azure command-line interface (CLI). Zone file import is not currently
supported via Azure PowerShell or the Azure portal.
PrivateDNSMigrationScript is for migrating legacy Azure DNS private zones to the new Azure DNS private zone resource.
upvoted 91 times

Agree. Besides, prerequisites of using PrivateDNSMigrationScript were lack to provide in the question:
1. Make sure you have installed latest version of Azure PowerShell.
2. Make sure that you've Az.PrivateDns module for the Azure PowerShell installed.
I think the point of this question is "The solution must minimize administrative effort." without proper scenario.
upvoted 2 times

Due to the statements in the document: The migration process is simple, and we've provided a PowerShell script to automate this
process.
upvoted 3 times

Windows Server 2016 is a legacy server, isn't it? :)
upvoted 1 times
  Anurag_Azure Highly Voted  9 months, 4 weeks ago

so basically we are just paying for a collection of questions and ability to ask others for answers....EXAMTOPICS has no responsibility to at
least mark right answers...otherwise give that access to us so that as community we correct answers too
upvoted 47 times
  Makkee 5 months, 4 weeks ago

You're not paying anything...

upvoted 4 times
  rockhound 5 months, 1 week ago

i did pay 15 euros...
upvoted 9 times
  safwansalama 2 months ago

Me too
upvoted 1 times

Access to information is free though
upvoted 1 times
  VM090 2 weeks ago

Not 100%, only 70% access for free and remaining 30% requires sub
upvoted 3 times

Yes, - and I am very happy with that, I enjoy reading the discussions
upvoted 16 times

I agree which is very much exciting. ExamTopics already provided their answers and almost of their explanations
upvoted 2 times
  Fulforce Most Recent  1 month, 4 weeks ago

Selected Answer: A
Azure CLI is correct answer
upvoted 3 times

Selected Answer: A
Correct answer is A.
upvoted 2 times

Correct answer: A
upvoted 6 times

Selected Answer: A
Azure DNS supports importing and exporting zone files by using the Azure command-line interface (CLI)
upvoted 4 times

A: Azure CLI
Azure DNS supports importing and exporting zone files by using the Azure command-line interface (CLI).
Zone file import is not currently supported via Azure PowerShell or the Azure portal.
References: https://docs.microsoft.com/en-us/azure/dns/dns-import-export
upvoted 1 times

A. Azure CLI
upvoted 4 times

Wrong.
It support only Azure CLI

upvoted 2 times
  EdinaldoJunior1981 5 months ago

incorrect... Azure CLI
upvoted 1 times

I didn't know the answer, had to research. But from what I've seen, you can achieve by using either Azure CLI or Powershell. So the answer
should be A & B.
If I had to choose one in the exam I will go for B. Windows Server 2016 is a legacy server.
upvoted 1 times
  AKT80 6 months, 1 week ago

great content
upvoted 1 times

Comparing the Azure CLI and Powershell, using CLI has less steps:
upvoted 2 times

Answer: "The solution must minimize administrative effort."
A. Azure CLI
upvoted 1 times
  Yiannisthe7th 8 months, 1 week ago

Azure DNS supports importing and exporting zone files by using the Azure command-line interface (CLI). Zone file import is not currently
So, correct Answer: A
upvoted 4 times
  Rana_G 8 months, 2 weeks ago

Azure CLI should be the answer. See the below article from MS.
Azure DNS supports importing and exporting zone files by using the Azure command-line interface (CLI). Zone file import is currently not
supported with Azure PowerShell or the Azure portal.
upvoted 1 times

Correct Answer: A
Azure DNS supports importing and exporting zone files by using the Azure command-line interface (CLI). Zone file import is not currently
PrivateDNSMigrationScript is for migrating legacy Azure DNS private zones to the new Azure DNS private zone resource.
Reference:
upvoted 43 times
You have a public load balancer that balances ports 80 and 443 across three virtual machines named VM1, VM2, and VM3.
You need to direct all the Remote Desktop Protocol (RDP) connections to VM3 only.
A. an inbound NAT rule
B. a new public load balancer for VM3
C. a frontend IP configuration
D. a load balancing rule
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-port-forwarding-portal https://pixelrobots.co.uk/2017/08/azure-
load-balancer-for-rds/

A (100%)
  GD01 Highly Voted  4 months ago

A is correct .... An inbound NAT rule forwards incoming traffic sent to frontend IP address and port combination. The traffic is sent to a
specific virtual machine or instance in the backend pool.
https://docs.microsoft.com/en-us/azure/load-balancer/components
upvoted 7 times
  magnoy Highly Voted  4 months, 1 week ago

An inbound NAT rule forwards incoming traffic to a specific virtual machine
Service: RDP
Protocol: TCP
Port: 3389
Target VM =VM3
upvoted 6 times

Selected Answer: A
An inbound NAT rule forwards incoming traffic to a specific virtual machine
upvoted 2 times
  Waltwhiteman 4 months, 3 weeks ago

Correct.
Inbound Network Address Translation (NAT) rules are an optional setting in Azure Load Balancer. These rules essentially create another
port mapping from the frontend to the backend, forwarding traffic from a specific port on the frontend to a specific port in the backend.
upvoted 3 times
  natka1130 4 months, 3 weeks ago

The difference between inbound NAT rules and port mapping in load balancer rules is that inbound NAT rules apply to direct forwarding
to a VM, whereas load balancer rules forward traffic to a backend pool.
upvoted 2 times

Discussion button says: Exam AZ-104 topic 5 question 31 discussion.
But I see nothing
upvoted 1 times

Because there is no discussion for this question yet
upvoted 2 times

????????????????????????????
upvoted 3 times
HOTSPOT -
You have an Azure subscription named Subscription1 that contains the virtual networks in the following table.
Subscription1 contains the virtual machines in the following table.
In Subscription1, you create a load balancer that has the following configurations:
✑ Name: LB1
✑ SKU: Basic
✑ Type: Internal
✑ Subnet: Subnet12
✑ Virtual network: VNET1
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-overview
  Aghora Highly Voted  1 year, 2 months ago

answer is correct
y: vm1 and vm2 is same scale set
no : both vms are in single VMs not in scale set or Av set
no: same as 2
you can not use basic load balancer to balance between single VMs . the have to be in a scale set or availability set
upvoted 53 times

Correct my friend!
"They are the machines or services that create a backend pool. The Basic Tier is quite limiting. It can only have a single availability set,
virtual machine scale set or a single machine. The Standard Tier can span any virtual machine in a single virtual network which includes
blends of scale sets, availability sets, and machines."
upvoted 6 times

Correct Answer:
Basic Load Balancer: Backend pool endpoints for Virtual machines in a single availability set or virtual machine scale set.
Subnet12 association will be used to assign an IP for the internal load balancer, not to load balance the VMs in the Subnet.
Box 1: Yes
VM1 and VM are in the Availability Set.
Box 2: No
Both VMs are not part of any Availability Set or Scale Set.
Box 3: No
Both VMs are not part of any Availability Set or Scale Set.
Reference:
upvoted 47 times

upvoted 2 times

Correct answer: Y-N-N
upvoted 6 times

A VM can only be added to an availability set when it is created. To change the availability set, you need to delete and then recreate the
virtual machine.
So the revealed answer is correct.

upvoted 2 times
  PeeKay79 6 months, 3 weeks ago

What is the relevance of Subnet:Subnet12?
upvoted 3 times

Subnet12 association will be used to assign an IP for the internal load balancer, not to load balance the VMs in the Subnet.
upvoted 1 times

The backend pool instances can be Azure Virtual Machines or instances in a virtual machine scale set.
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
upvoted 1 times
  gerryboy 7 months ago

I agree the fact that we are talking about 'Basic' SKU, and VM3-VM6 are not in AS or VMSS rules them out immediately regardless of any
other considerations.
upvoted 1 times

I agree with Y, N, N.
Since the LB SKU is Basic, it can only have VMs that are in the same AV Set.
But one question comes to mind is that the Subnet for the LB is Subnet12 and both VM1 and VM2 are on Subnet11.
upvoted 4 times
  KarimaMaf 8 months ago

Answer is correct.
Basic support only VM from same scale-set or same availability set (like VM1 and VM2)
upvoted 2 times
Key here is the basic Load Balancer and as per documentation it can load balance only -- Virtual machines in a single availability set or
virtual machine scale set.
Reference: https://docs.microsoft.com/en-us/azure/load-balancer/skus
So Ans will be Y-N-N

upvoted 5 times

Yes/No/No - see https://docs.microsoft.com/en-us/azure/load-balancer/skus
Backend pool endpoints for the basic LB: "Virtual machines in a single availability set or virtual machine scale set.". VM1 & VM2 are in the
availability set AS1.
upvoted 1 times
  marko_s 9 months, 3 weeks ago

Answer is correct, basic SKU only balances VMs in Availability Set or a Scale Set
upvoted 2 times

The links you guys reference say nothing about availability sets, it only says availability zones (not sets) are not supported by basic load
balancer SKU. As for the subnet, it apparently defines the subnet you can access the LB front-end IP from, not the subnets of the VMs that
can be load-balanced. (I even mistakenly put the VM I RDP'd to on the default subnet initially and indeed the LB front-end IP was not
reachable). As long as the VMs are on the same VNET, however, the load balancer worked for all listed scenarios.
For those who disagree - test this scenario thoroughly yourseleves, and then if you think I missed something we can discuss this further.
upvoted 4 times
  stepient 9 months, 3 weeks ago

I tested this further, and it turns out that the statement "basic SKU load balancer only supports availability sets" means that you cannot
load balance traffic between VMs that are in availability ZONES. You surely can add single VMs to pools in both Basic and Standard SKU.
The wording in the documentation is very misleading, though. Test it yourselves, it doesn't take much time.
upvoted 2 times
  MountainW 10 months ago

Thanks for testing and share here.
upvoted 1 times

It seems I am the only one who tested this in lab. The results were YES-YES-YES.
I created Vnets, subnets, VMs and a private load balancer as specified in the question.
Then I created three backend pools:
pool1: VM1 and VM2
pool2: VM3 and VM4
pool3: VM5 and VM6
I installed IIS and made the default website display the VM hostname per these instructions: https://docs.microsoft.com/en-
us/azure/virtual-machines/windows/tutorial-automate-vm-deployment
I created a load balancing rule for TCP port 80 and set the backend pool to pool1.
I created another VM with a public IP that I RDP'd to and went to 10.0.2.6 (my LB frontend IP) in Internet Explorer. The displayed page read
"VM1". I shut down VM1 and refreshed the page. The message displayed changed to "VM2". Then I modified the load balancing rule to
test the remaining two pools. Each time the webpage was served from a different VM as expected.
upvoted 6 times

It says here (https://docs.microsoft.com/en-us/learn/modules/improve-app-scalability-resiliency-with-load-balancer/2-load-balancer-
features) that "Basic load balancers can be used only with availability sets." It is a basic LB, and the only machines in an availability set
are VM1 and VM2...
upvoted 1 times

Nice, Thank you for testing and sharing your results.
upvoted 1 times

What I don't like about this question is says Availability Set vs Scale Set. If take that literally then is No-No-No. Could be a test to know if
you are able to tell the difference between a Scale Set and Availability Set?
upvoted 2 times
  wesleyzhong 11 months ago

Y, N, N
y: vm1 and vm2 is same scale set
no : both vms are in single VMs not in scale set or Av set
no: same as 2
you can not use basic load balancer to balance between single VMs . the have to be in a scale set or availability set
upvoted 2 times

Y,N,N. This is correct. URL https://docs.microsoft.com/en-us/azure/load-balancer/skus. Clearly states 'Backend pool endpoints : Virtual
machines in a single availability set or virtual machine scale set.'
upvoted 1 times
HOTSPOT -
You have an Azure virtual machine that runs Windows Server 2019 and has the following configurations:
✑ Name: VM1
✑ Location: West US
✑ Connected to: VNET1
✑ Private IP address: 10.1.0.4
✑ Public IP addresses: 52.186.85.63
✑ DNS suffix in Windows Server: Adatum.com
You create the Azure DNS zones shown in the following table.
You need to identify which DNS zones you can link to VNET1 and the DNS zones to which VM1 can automatically register.
Which zones should you identify? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Reference:

Answer is correct. Private zones only / Private zones only.
You can only link Virtual networks to private DNS zones only and accordingly auto register a VNET only to a private DNS zones.
check https://docs.microsoft.com/en-us/azure/dns/dns-zones-records
upvoted 50 times

Correct Answer:
Box 1: Private
Box 2: Private
You can only link VNETs to private DNS zones only and accordingly auto register a VNET only to a private DNS zones. Private DNS zones
can be linked with VNETs (not public ones). And VM can auto-register to any private DNS zone linked with the Vnet and with auto-
registration option set.
To resolve the records of a private DNS zone from your virtual network, you must link the virtual network with the zone. Linked virtual
networks have full access and can resolve all DNS records published in the private zone.
upvoted 45 times
  JIGT Most Recent  1 month, 3 weeks ago

Box 1: Private
Box 2: Private
You can only link VNETs to private DNS zones only and accordingly auto register a VNET only to a private DNS zones.
upvoted 1 times

I think it is not correcxt
1 = Private zones
2 = Adatum.com since it is set to the server , thus the nic
that takes precedent over other dns settings.
If the settings did not sauy adatum.com on the server lver, than it was both private dns
upvoted 1 times

well Adatum.com could be correct if mention auto register is enabled.
upvoted 1 times

Answer is correct. Private zones only / Private zones only.
You can only link Virtual networks to private DNS zones only and accordingly auto register a VNET only to a private DNS zones.
check https://docs.microsoft.com/en-us/azure/dns/dns-zones-records
upvoted 5 times

Both answers are correct. Private DNS zones can be linked with Vnets (not public ones). And VM can auto-register to any private DNS zone
linked with the Vnet and with auto-registration option set.
upvoted 9 times

Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to
add a custom DNS solution.
upvoted 2 times
  nasa1515 1 year, 1 month ago

Is this the right answer?
upvoted 1 times

networks have full access and can resolve all DNS records published in the private zone.
upvoted 3 times

If you enable autoregistration on a virtual network link, the DNS records for the virtual machines on that virtual network are registered in
the private zone. When autoregistration is enabled, Azure DNS also updates the zone records whenever a virtual machine is created,
changes its' IP address, or is deleted.
upvoted 5 times

Anyone got an explantion for this?
upvoted 4 times
  VipinP 1 year, 2 months ago

Auto registration happen only on private DNS and specific to region.
upvoted 9 times
DRAG DROP -
You have an on-premises network that you plan to connect to Azure by using a site-so-site VPN.
In Azure, you have an Azure virtual network named VNet1 that uses an address space of 10.0.0.0/16 VNet1 contains a subnet named Subnet1 that
uses an address space of 10.0.0.0/24.
You need to create a site-to-site VPN to Azure.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
NOTE: More than one order of answer choice is correct. You will receive credit for any of the correct orders you select.
Select and Place:
Correct Answer:

The answers are in order and are correct.
Always work from the Azure side first, it's a dependency. Dependency is the key to all order obviously...
1 - Start with a Gateway subnet. You need the subnet in place first before you can associate a VPN gateway with it, which is what is created
next.
2 - Create a VPN gateway. Associate the VPN gateway with the gateway subnet you created (there are other steps but for the sake of what
is available for answers, the prem side is now configured)
Now for the premice side.
3. Create a local gateway. You need the local gateway in order to complete the tunnel, then you can create a VPN connection
upvoted 120 times
  ErenYeager 9 months, 3 weeks ago

I hereby declare this answer fit for viewership🙃
upvoted 25 times
  LeomHD 4 months, 1 week ago

according this url, a vpn gateway is created first and then the subnet gateway, could you help me to clarify it?
https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
upvoted 1 times
  ShaulS 3 months ago

What's the fourth answer?
upvoted 1 times

4. then you can create a VPN connection
upvoted 1 times

Correct Answer:
As per documentation:
1. Create a virtual network
2. Create a VPN gateway
3. Create a local network gateway
4. Create a VPN connection
5. Verify the connection
6. Connect to a virtual machine
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-classic-portal
upvoted 42 times
  FabioVi Most Recent  4 weeks ago

Creating the gateway subnet is not mandatory, because if you go straight to create the VPN gateway and you have not previously created
the gateway subnet, Azure suggests a range for creating the gateway subnet on the fly along with VPN gateway creation... But as the
questions requires 4 responses, and there are 2 that does not make sense, so creating a gateway subnet is the first in order, and the
following 3 are OK, so answer is correct :-)
upvoted 2 times

upvoted 8 times

Easy! :)
upvoted 1 times

Good work guys on this discussions. Very very educator and enlightening
upvoted 4 times

in exam 7/3/2021
upvoted 5 times

upvoted 6 times

Thank you Zumy! Wish all answers were so clearly explained!
upvoted 2 times

Incorrect Order.
1. First you have to define a gateway subnet for the virtual network.
2. Then create a local gateway to represent the on-premise routing device’s public IP address.
3. The create a VPN gateway resource.
4. And then finally create the VPN connection.
upvoted 3 times
  DamianoPark 12 months ago

Correct You can check specific details in here
https://docs.microsoft.com/ko-kr/azure/vpn-gateway/tutorial-site-to-site-portal
upvoted 2 times

Answer is correct/ And the "Create local network gateway" can go at the beginning or in third place.
upvoted 3 times

Valid answer!
upvoted 2 times

The local network gateway is a specific object that represents your on-premises location (the site) for routing purposes. You give the site a
name by which Azure can refer to it, then specify the IP address of the on-premises VPN device to which you will create a connection. You
also specify the IP address prefixes that will be routed through the VPN gateway to the VPN device. The address prefixes you specify are
the prefixes located on your on-premises network. If your on-premises network changes or you need to change the public IP address for
the VPN device, you can easily update the values later.
upvoted 2 times

The answers are in order and are correct.
Always work from the Azure side first, it's a dependency. Dependency is the key to all order obviously...
1 - Start with a Gateway subnet. You need the subnet in place first before you can associate a VPN gateway with it, which is what is created
next.
2 - Create a VPN gateway. Associate the VPN gateway with the gateway subnet you created (there are other steps but for the sake of what
is available for answers, the prem side is now configured)
Now for the premice side.
3. Create a local gateway. You need the local gateway in order to complete the tunnel, then you can create a VPN connection
4. Create the VPN connection

upvoted 10 times

Answer is correct. with the correct order
upvoted 11 times

The virtual network gateway uses specific subnet called the gateway subnet. The gateway subnet is part of the virtual network IP address
range that you specify when configuring your virtual network. It contains the IP addresses that the virtual network gateway resources and
services use.
Create a virtual network

Create a VPN gateway
Create a local network gateway
Create a VPN connection
Verify the connection
Connect to a virtual machine
upvoted 7 times
  admin220 1 year, 1 month ago

Correct. The gateway subnet is not listed on the all resources page. You have to provide the address range explicitly at the creation of
VPN gateway, not from the list of gateway subnets.
upvoted 1 times
VM1 and VM2 are deployed from the same template and host line-of-business applications.
You configure the network security group (NSG) shown in the exhibit. (Click the Exhibit tab.)
You need to prevent users of VM1 and VM2 from accessing websites on the Internet over TCP port 80.
What should you do?
A. Disassociate the NSG from a network interface
B. Change the Port_80 inbound security rule.
C. Associate the NSG to Subnet1.
D. Change the DenyWebSites outbound security rule.
Correct Answer: C
You can associate or dissociate a network security group from a network interface or subnet.
The NSG has the appropriate rule to block users from accessing the Internet. We just need to associate it with Subnet1.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group

Correct Answer: C
Outbound rule “DenyWebSites” is setup correctly to block outbound internet traffic over port 80. In the screenshot it states, "Associated
with: 0 subnets, 0 NIC's", so you need to associate the NSG to Subnet1.You can associate or dissociate a network security group from a NIC
or Subnet.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group
upvoted 42 times

Answer is correct - C. Outbound rule: DenyWebSites is setup correctly to block outbound internet traffic over port 80.
upvoted 19 times
  Skankhunt 1 year, 2 months ago

Agreed, in screenshot it states "Associated with: 0 subnets, 0 NIC's" ;)
upvoted 9 times
  ScoutP Most Recent  4 months, 2 weeks ago

upvoted 4 times

Easy :)
upvoted 1 times
  sourav4312 6 months, 1 week ago

Probably the easiest answer in the series.
upvoted 1 times

One of the easiest question I guess. Associate the NSG to subnet1
upvoted 4 times

C is correct
Oubound rule blocking port 80 is configured correctly
upvoted 5 times

Answer C. is correct. Outbound rule is right, you only need to associate the NSG to the Subnet to apply the rules.
upvoted 2 times

Valid question - answer is correct.
Microsoft just wants us to know that a NSG has to be associated with something, to actually work.
Associated with : 0 subnets, 0 nic interfaces.

upvoted 3 times
  kannan8685 1 year, 1 month ago

yes i agree
upvoted 2 times

Answer is correct. "C"
upvoted 9 times

is this the type of questions that will come up in the exam (hopefully) ? i feel like im wasting my time
upvoted 1 times
You have two subscriptions named Subscription1 and Subscription2. Each subscription is associated to a different Azure AD tenant.
Subscription1 contains a virtual network named VNet1. VNet1 contains an Azure virtual machine named VM1 and has an IP address space of
10.0.0.0/16.
Subscription2 contains a virtual network named VNet2. VNet2 contains an Azure virtual machine named VM2 and has an IP address space of
10.10.0.0/24.
You need to connect VNet1 to VNet2.
A. Move VM1 to Subscription2.
B. Move VNet1 to Subscription2.
C. Modify the IP address space of VNet2.
D. Provision virtual network gateways.
Correct Answer: D
The virtual networks can be in the same or different regions, and from the same or different subscriptions. When connecting VNets from
different subscriptions, the subscriptions do not need to be associated with the same Active Directory tenant.
Configuring a VNet-to-VNet connection is a good way to easily connect VNets. Connecting a virtual network to another virtual network using the
VNet-to-VNet connection type (VNet2VNet) is similar to creating a Site-to-Site IPsec connection to an on-premises location. Both connectivity
types use a VPN gateway to provide a secure tunnel using IPsec/IKE, and both function the same way when communicating.
The local network gateway for each VNet treats the other VNet as a local site. This lets you specify additional address space for the local
network gateway in order to route traffic.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal

D (100%)

Answer is correct. "D" . It is a VNET to VNET connection where there is no IP overlap exists. Also, No need to have the same Azure AD. They
just need to have a Virtual network gateway to communicate using Public IP where it is secured using SSTP or IKEv2
upvoted 50 times

Correct Answer: D
There is no overlap between the VNets:

VNet1: 10.0.0.0/16 - CIDR IP Range 10.0.0.0 - 10.0.255.255
VNet2: 10.10.0.0/24 - CIDR IP Range 10.10.0.0 - 10.0.0.255
Note: If a virtual network has address ranges that overlap with another virtual network or on-premises network, the two networks can't be
connected.
You can connect virtual networks (VNets) by using the VNet-to-VNet connection type. Virtual networks can be in different regions and from
different subscriptions. When you connect VNets from different subscriptions, the subscriptions don't need to be associated with the
same Active Directory tenant.
Reference:
upvoted 43 times

Selected Answer: D
Answer is correct. "D" . It is a VNET to VNET connection where there is no IP overlap exists.
upvoted 1 times
  Barrie 3 months, 4 weeks ago

Got to think this question is out of date.
I wouldn't do any of the provided options. A global VNET peer achieves the required outcome, without the need for additional
infrastructure.
upvoted 7 times
  maxmarco71 4 months, 1 week ago

ANSWER IS "D" CORRECT
NO Overlapping. Proof using
https://network00.com/NetworkTools/IPv4CheckOverlappingNetworks/
upvoted 1 times

They should have asked - what's the best way. Because top 2 options do lead to the solution, with a little more effort.
Answer is correct
upvoted 1 times
  riccardo 7 months, 1 week ago

sorry but in order to create an vpn gateway subnet should be bigger, not /24 but at least /27. because you have to create the gateway
subnet. so I would modify the address space of vnet 2 and answer C
upvoted 1 times
  GuyForget 5 months, 1 week ago

It doesn't say anything about the subnet taking up the entire /24 address space.
upvoted 1 times

The smallest peering size is actually /29. Largest /2
upvoted 1 times
  Cosy 7 months ago

/24 is actually bigger than /27
upvoted 4 times

Haha... I guess he worked out that 27 is bigger than 24 and therefore... haha. Good call. I hope he reads your comment.
upvoted 1 times
  JayBee65 7 months ago

and you would get it wrong. The question doesn't mention subnets that the VNETs contain, so they may already have vpn gateway
subnets. There is no need at all to modify the VNETs unless you are guessing that they contain no space for a vpn gateway subnet.
There is nothing in the question to suggest this is the case.
upvoted 1 times
  Wizard69 11 months, 2 weeks ago

There is no overlap here:
10.0.0.0/16 - 10.0 is the network
10.10.0.0/24 - 10.10.0 is the network
Since there is no option to do a straight peering, gateway must be correct

upvoted 8 times

Answer given is correct
if you want to connect two vnets, you have two options: peering and vpn,
Virtual network gateway is required to establish vpn on this case
upvoted 7 times

The answer is "C. Modify the IP address space of VNet2." You can modify the address space of VNet2 by adding an address space that does
not have IP overlap. Lets say 13.0.0.0/16, adding a new subnet 13.0.0.0/24 and then attaching the resources to the new subnet and finally
delete the old subnet and VNet with the overlapping IP range.
upvoted 1 times

Oops, I was so wrong. 10.0 vs. 10.10 No overlap. D. Correct answer.
upvoted 3 times

Overlap?
10.0.0.0/16 - CIDR IP Range 10.0.0.0 - 10.0.255.255, Subnet mask 255.255.0.0
10.0.0.0/24 - CIDR IP Range 10.0.0.0 - 10.0.0.255, Subnet mask 255.255.255.0
upvoted 1 times

They're in entirely different regions and have different subscriptions. And they are not overlapping it's 10.0.0.0/16 vs 10.10.0.0/24( not
10.>0<.0.0/24)
upvoted 1 times
  Rambogan12 8 months ago

10.10.0.0/24 *
upvoted 1 times

Answer D. is correct.
upvoted 2 times
  toniiv 11 months, 3 weeks ago

Sorry, I correct myself. There is an IP overlapping, so correct answer is: C. Modify the IP address space of VNet2.
upvoted 1 times
  toniiv 11 months, 3 weeks ago

No no no no. Sorry again, there is no overlap!!! answer D is correct.
upvoted 2 times
  TheOGMrBee 11 months, 3 weeks ago

Please explain. I'm not fully understanding this concept. 10.0.0.0\16 and 10.10.0.0\24 do in fact overlap, more accurately, the \16
subnet contains the \24 subnet. What prevents them from overlapping? Is it because the \16 incorporates the \24?
upvoted 2 times

When you create a VNet-to-VNet connection, the local network gateway address space is automatically created and populated. If you
update the address space for one VNet, the other VNet automatically routes to the updated address space. It's typically faster and easier
to create a VNet-to-VNet connection than a Site-to-Site connection.
Virtual network peering enables you to seamlessly connect two or more Virtual Networks in Azure. The virtual networks appear as one for
connectivity purposes. The traffic between virtual machines in peered virtual networks uses the Microsoft backbone infrastructure. Like
traffic between virtual machines in the same network, traffic is routed through Microsoft's private network only.
Azure supports the following types of peering:
Virtual network peering: Connect virtual networks within the same Azure region.
Global virtual network peering: Connecting virtual networks across Azure regions.
upvoted 2 times
  PegasusForever 1 year, 1 month ago

D is correct!
upvoted 3 times

ip overlap, can not peering, just vnet-vent vpn is option.
Link: https://azure.microsoft.com/en-us/blog/vnet-peering-and-vpn-gateways/
upvoted 2 times

There is no overlapping
upvoted 1 times
  Aghora 1 year, 1 month ago

no overlapping here !
upvoted 5 times
  Aghora 1 year, 2 months ago

Ips do not over lap . you can use Vnet peering or Gateway across AD
upvoted 3 times

Both connectivity types use a VPN gateway to provide a secure tunnel using IPsec/IKE, and both function the same way when
communicating.
upvoted 1 times
You plan to create an Azure virtual machine named VM1 that will be configured as shown in the following exhibit.
The planned disk configurations for VM1 are shown in the following exhibit.
You need to ensure that VM1 can be created in an Availability Zone.

Which two settings should you modify? Each correct answer presents part of the solution.
A. Use managed disks
B. OS disk type
C. Availability options
D. Size
E. Image
Correct Answer: AC
A: Your VMs should use managed disks if you want to move them to an Availability Zone by using Site Recovery.
C: When you create a VM for an Availability Zone, Under Settings > High availability, select one of the numbered zones from the Availability zone
dropdown.
Reference:
https://docs.microsoft.com/en-us/azure/site-recovery/move-azure-vms-avset-azone https://docs.microsoft.com/en-us/azure/virtual-
machines/windows/create-portal-availability-zone

AC (100%)
  MicroJ Highly Voted  1 year, 2 months ago

Explanation is correct but marked answer is wrong. should be Availability Zones and Managed Disks
upvoted 46 times

A: Your VMs should use managed disks if you want to move them to an Availability Zone by using Site Recovery.
C: When you create a VM for an Availability Zone, Under Settings > High availability, select one of the numbered zones from the Availability
zone dropdown.
Reference:
https://docs.microsoft.com/en-us/azure/site-recovery/move-azure-vms-avset-azone
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/create-portal-availability-zone
https://docs.microsoft.com/en-us/azure/availability-zones/az-overview#availability-zones
upvoted 31 times

Selected Answer: AC
A and C are correct answer.
upvoted 1 times

Passed 11 Oct 2021 with 947. This question appeared, correct Answer is A C
upvoted 6 times

so I am drunk and I am not reading whole questions, but only reading last 3-4 lines of questions, answering questions and getting them
right. Am I ready to take exam?
upvoted 7 times
  nimeshabhinav 1 month, 4 weeks ago

Buddy , have you cleared the exam ? As I am doing the same , so asking you the same :P
upvoted 1 times
  michaelknight 4 months ago

Absolutely, you just need to make sure that you are also drunk during the exam.
upvoted 28 times

Ease :)
upvoted 1 times

in exam 7/3/2021
upvoted 5 times

upvoted 5 times

Answer:
A. Use managed disks
upvoted 1 times

Explanation is correct but the shown answer "A" and "B" are incorrect.
"A" and "C" are correct

upvoted 1 times

A and C are correct options, explanation is correct but an error on selected answers should be Availability options not OS disk type
upvoted 3 times
  Sud1 10 months, 1 week ago

came in exam today - Managed Disk and Avaialabilty zone is correct.
upvoted 6 times

Availability Options
Use managed disks
upvoted 3 times

A, C are correct
upvoted 6 times

upvoted 3 times

Explanation is correct, but not the answers given: Answer should be A and C.
-Managed Disks
-Availability Zones
upvoted 2 times

Correct answer is A + C.
upvoted 2 times
HOTSPOT -
VMSS1 is set to VM (virtual machines) orchestration mode.

You need to deploy a new Azure virtual machine named VM1, and then add VM1 to VMSS1.
Which resource group and location should you use to deploy VM1? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: RG1, RG2, or RG3 -

The resource group stores metadata about the resources. When you specify a location for the resource group, you're specifying where that
metadata is stored.
Box 2: West US only -

Note: Virtual machine scale sets will support 2 distinct orchestration modes:
ScaleSetVM ‫ג‬€" Virtual machine instances added to the scale set are based on the scale set configuration model. The virtual machine instance
lifecycle - creation, update, deletion - is managed by the scale set.
VM (virtual machines) ‫ג‬€" Virtual machines created outside of the scale set can be explicitly added to the scaleset.
Reference:

Answer is correct. The location of the RG doesn't influence the choice of the location of VM. The location of the VM should be the same like
the VM Scale set (single zone or zone redundant )
upvoted 39 times

Answer is Correct - Can be put in any RG but must be in same region as Scale Set.
upvoted 33 times

There are many things you can do and then some things you should do. We can use any RG but the question says “should”. We should
use RG1 if for no other reason than to provide continuity in the namespace or to follow best practice. Why would we ignore it here just
because we can.
upvoted 1 times

To be honest, I dont trust MS.
I know we can use any RG, but they are not asking "which ones you can use", instead they are asking "SHOULD" and that is RG1 only as
MS best practices suggest for resources life cycle ..
"Which resource group and location should you use to deploy VM1"
upvoted 4 times

Can you provide a link for prove here?
upvoted 2 times

The first answer is not correct, it should be RG1 - same resource group as VMSS:
https://docs.microsoft.com/en-us/azure/virtual-machines/flexible-virtual-machine-scale-sets
"When you create a VM, you can optionally specify that it is added to a virtual machine scale set. A VM can only be added to a scale set at
time of VM creation. The newly created VM must be in the same resource group as the Flexible scale set regardless of deployment
methods"
So the VM should be in same RG, same location
upvoted 3 times

BTW "Flexible scale set" should be the new name of "VM orchestration mode"
upvoted 1 times

The few times RGs affect each content is when there's a lock on it. It's usually safe to ignore its location.
upvoted 1 times
  Harishsk 8 months, 2 weeks ago

we have flexible mode.
Before you can deploy virtual machine scale sets in Flexible orchestration mode, you must first register your subscription for the preview
feature. The registration may take several minutes to complete. You can use the following Azure PowerShell or Azure CLI commands to
register.
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes#register-for-flexible-
orchestration-mode
upvoted 2 times
  Harishsk 8 months, 2 weeks ago

https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes#get-started-with-
flexible-orchestration-mode
Add your VM to the scale set in Flexible orchestration mode by selecting the scale set in the Availability options. You can add the virtual
machine to a scale set in the same region, zone, and resource group.
upvoted 2 times
  darsy2001 8 months, 3 weeks ago

VM orchestration mode does not exist anymore. The new orchestration mode is called Flexible and with this mode, when adding VMs, you
have to choose the RG where the VMSS is located. So, RG and location must be the same. Tested in lab. And also:
Add your VM to the scale set in Flexible orchestration mode by selecting the scale set in the Availability options. You can add the virtual
machine to a scale set in the same region, zone, and resource group.
upvoted 9 times

Virtual machine scale sets in Flexible orchestration mode is currently in public preview. An opt-in procedure is needed to use the public
preview functionality described below. This preview version is provided without a service level agreement and is not recommended for
production workloads.
So in my opinion the answers are correct and yours is not
upvoted 3 times

Correct Answer:
Box 1: RG1, RG2, or RG3

The resource group stores metadata about the resources. When you specify a location for the resource group, you're specifying where
that metadata is stored. The location of the RG doesn't influence the choice of the location of VM. best practice would be to create the VM1
in the RG1 because the scale set is in RG1. And Microsoft recommends that resources contained in a Resource Group share the same
resource lifecycle.
Box 2: West US only

You can add the virtual machine to a scale set in the same region, zone, and resource group.
Reference:
upvoted 27 times
  Saterial 10 months ago

The answer is correct but best practice would be to create the VM1 in the RG1 because the scaleset is in RG1. And Microsoft recommends
that resources contained in a Resource Group share the same resource lifecycle.
upvoted 3 times
  Rueben 10 months, 1 week ago

https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes Note the statement:
You can add the virtual machine to a scale set in the same region, zone, and resource group.
upvoted 1 times
  Horsema 11 months, 1 week ago

The require is “You need to deploy a new Azure virtual machine named VM1, and then add VM1 to VMSS1.” Why can you chose RG1 and
RG3？ RG1 and RG3 are obviously can‘t attach the target。
upvoted 1 times
  barry12 11 months, 2 weeks ago

Answer is correct.
Explanation for part1- The resources in a resource group can be located in different regions than the resource group. See
2- Scale sets require same region, like explained earlier here above
upvoted 4 times

Given answer correct
The location of the RG doesn't influence the choice of the location of VM. The location of the VM should be the same like the VM Scale set
(single zone or zone redundant )
upvoted 2 times

Should make sense.
The location of the RG itself - only holds metadata, but the location of the VM should be same place as the VMSS1 - which is West US.
upvoted 1 times
  Beitran 1 year ago

And the worst thing is that Orchestration mode is not even available anymore...
upvoted 1 times

That seems to be not true exactly:
https://azure.microsoft.com/nl-nl/updates/new-orchestration-mode-for-azure-virtual-machine-scale-sets-now-in-public-preview/
upvoted 1 times
  amex0878 1 year, 1 month ago

I will choose RG2 for box 1 and as for box 2 i will choose all 3 locations based on my findings. https://docs.microsoft.com/en-
us/azure/resource-mover/move-region-within-resource-group
upvoted 1 times

DEFINITELY WRONG...
Must be in the same resource group and same Location...
Try and you will see I am right.
upvoted 1 times
  Aghora 1 year, 1 month ago

please dont be too sure without providing links or testing . the answer is correct as tested . location of VM must be same as VMSS but
the can be any resource group as thats is only meta data holder
upvoted 14 times
  bogdan89 1 year, 1 month ago

i don't see anything to sustain your point.
https://docs.microsoft.com/en-us/previous-versions/azure/virtual-machine-scale-sets/orchestration-modes
upvoted 2 times
  gargaditya 1 year, 1 month ago

This link does not mention about the location or RG.
upvoted 1 times

The resource group stores metadata about the resources
upvoted 1 times
HOTSPOT -
You have an Azure subscription that contains three virtual networks named VNET1, VNET2, and VNET3.
Peering for VNET1 is configured as shown in the following exhibit.
How can packets be routed between the virtual networks? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1. VNET2 and VNET3 -
Box 2: VNET1 -
Gateway transit is disabled.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

Correct Answer:
VNet1: Peered with VNet2 and VNet3

VNet2: Peered with VNet1
VNet3: Peered with VNet1
Box 1. VNET2 and VNET3

VNet1 is peered with VNet2 and VNet3. Also Gateway transit is disabled.
Box 2: VNET1 only

Gateway transit is disabled, so it can only communicate with the connected VNET1.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit
upvoted 41 times
  mdyck Highly Voted  9 months, 3 weeks ago

Answer Correct. Gateway transit is disabled so they can only communicate with VNET1.
upvoted 18 times
  fedev21 4 weeks, 1 day ago

As far as I know virtual peering is not transitive and Spoke-to-Spoke traffic is not allowed. Enabling Gateway transit allows for cross-
premises communication but not for Spoke-to-Spoke traffic. The only way to make possible spoke-to-spoke traffic is to use an NVA in
the HUB VNet
upvoted 2 times

If Gateway Transit was enabled, then they all would be able to communicate between eachother, since VNET1 is Peering with both
VNET2 and VNET3?
upvoted 1 times

Agree with mdyck
upvoted 4 times
  vaisat Most Recent  1 month, 3 weeks ago

Second port is INCORRECT -
1. Packets from VNET1 can be forwarded VNET2 and VNET3.
2. Packets from VNET2 can be routed to BOTH VNET1 and VNET3.
This is insured by default parameter "Traffic forwarded from remote virtual network".
Please note, "Gateway Transit" parameter has nothing to do with this. Gateway might not even exist in this example.
upvoted 1 times

Correct answer:
-VNET2 and VNET3
- VNET1 only
upvoted 4 times

If we were to enable GW Transit, which VNET? Is it VNET1?
upvoted 1 times

What would happen if Gateway Transit was enabled?
upvoted 1 times

Then all three vnets can talk to each other.
upvoted 1 times

upvoted 3 times

Easy :)
upvoted 1 times

Answer is correct, but explanation is not.
Gateway transit only applies when there is a VPN gateway created.
Since there is no mention of that, all that matters are the peerings between the Vnets.
Vnet1 -> Vnet2 and Vnet3
Vnet2 -> Vnet1
Vnet3 -> Vnet1
This means that Vnet2 cannot see Vnet3.
Am I wrong?
upvoted 4 times
  amf 7 months ago

You are right. Gateway transit only applies when there is a VPN gateway created. So the explanation given is not correct.
upvoted 1 times

Correct answer. Gateway transit is disabled so they only communicate with the connected VNETs
upvoted 3 times
You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site
connection uses a self-signed certificate.
From Azure, you download and install the VPN client configuration package on a computer named Computer2.
You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2.
Solution: You modify the Azure Active Directory (Azure AD) authentication policies.
A. Yes
B. No
Correct Answer: B
Instead export the client certificate from Computer1 and install the certificate on Computer2.
Note:
Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from
the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site

Correct Answer: B
Instead export the client certificate from Computer1 and install the certificate on Computer2.
VPN when you have only a few clients that need to connect to a VNet. This article applies to the Resource Manager deployment model.
upvoted 26 times

Reference:
upvoted 5 times

B is correct:
Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate
from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication
fails.
upvoted 13 times

The solution was so dull I got confused for a moment. Who would think of that? haha...
upvoted 2 times

"A client certificate that is generated from the root certificate. The client certificate installed on each client computer that will connect to
the VNet. This certificate is used for client authentication." - see https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-
point-to-site-resource-manager-portal
upvoted 2 times

Answer B. is correct as well as the explanation.
upvoted 3 times

Copy the cert from the first computer and install it on the 2nd
upvoted 2 times
Answer is correct. B
upvoted 6 times

Create a self-signed root certificate
Use the New-SelfSignedCertificate cmdlet to create a self-signed root certificate. For additional parameter information, see New-
SelfSignedCertificate.
upvoted 4 times

B is correct
upvoted 10 times
Solution: You join Computer2 to Azure Active Directory (Azure AD).
A. Yes
B. No
Correct Answer: B
A client computer that connects to a VNet using Point-to-Site must have a client certificate installed.
Reference:

Correct Answer: B
A client computer that connects to a VNet using Point-to-Site must have a client certificate installed. Instead export the client certificate
from Computer1 and install the certificate on Computer2.
VPN when you have only a few clients that need to connect to a VNet. This article applies to the Resource Manager deployment model.
upvoted 15 times

Reference:
upvoted 4 times

Answer is correct No
upvoted 11 times

Correct answer: B
upvoted 1 times

Haha... Easy
upvoted 1 times
  anoj_cha 5 months ago

What's the point of these comments in all these questions?
upvoted 6 times

B is Correct
upvoted 1 times

B is Correct
A client computer that connects to a VNet using Point-to-Site must have a client certificate installed.
upvoted 2 times

Answer B. is correct as well as the explanation.
upvoted 2 times

B is correct. You need to install the certificate on computer2.
upvoted 5 times
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You create a resource lock, and then you assign the lock to the subscription.
A. Yes
B. No
Correct Answer: B

You need to use a custom policy definition, because there is not a built-in policy and Resource Lock is an irrelevant solution.
Reference:
https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition
https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies
upvoted 36 times
  arseyam Highly Voted  1 year, 4 months ago

An example of such policy is found here
https://markgossa.blogspot.com/2018/11/azure-policy-deny-inbound-rdp-from.html
upvoted 16 times

as they said there is more than one way to skin a cat, that is a developer style)
upvoted 1 times

haha... Common, please!
upvoted 1 times

No is answer
upvoted 3 times
  Aniruddha_dravyakar 11 months, 3 weeks ago

Lock is used to restrict creattion or accidental deletion of any resource. .. I dont think it is used for blocking traffic
upvoted 2 times

Correct - B
upvoted 3 times
In NSG, create a inbound security rule that set TCP8080 -> Deny and the priority number should be smaller.
upvoted 3 times

Answer B. is correct. Nothing to do with RG locks
upvoted 4 times

Allow-Deny 8080 (NSG) answer is correct
upvoted 2 times

by default NSG blocks all the ports. it has to be explicitly defined which port to open.
upvoted 3 times
  janshal 1 year, 1 month ago

There is no Connectivity Between different Vent so unless you connect them trough VPN Gatway or Vnet Peering there will be No access
from any Ports so i say A
Tricky One
upvoted 1 times

There is no Connectivity Between different Vent so unless you connect them trough VPN Gateway or VNet Peering there will be No access
from any Ports so i say A
Tricky One
upvoted 2 times

I hate you
upvoted 3 times

What is Azure Policy
Azure Policy is a new Azure feature where you can assign policies to your Azure subscriptions or management groups (groups of Azure
subscriptions). Using Azure Policy, you can specify what Azure resources should be denied, which should be audited and which should be
automatically remediated by deploying an additional ARM template you specify. For example you can block all storage accounts that don’t
use encryption.
upvoted 3 times

Need custom policy
upvoted 3 times
You have an Azure subscription named Subscription1. Subscription1 contains a virtual machine named VM1.
You have a computer named Computer1 that runs Windows 10. Computer1 is connected to the Internet.
You add a network interface named vm1173 to VM1 as shown in the exhibit. (Click the Exhibit tab.)
From Computer1, you attempt to connect to VM1 by using Remote Desktop, but the connection fails.
You need to establish a Remote Desktop connection to VM1.
A. Change the priority of the RDP rule
B. Attach a network interface
C. Delete the DenyAllInBound rule
D. Start VM1
Correct Answer: D
Incorrect Answers:
A: Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority.
Once traffic matches a rule, processing stops. RDP already has the lowest number and thus the highest priority.
B: The network interface has already been added to VM.
C: The Outbound rules are fine.
Reference:
  prashantjoge Highly Voted  1 year, 2 months ago

nevertheless a stupid question
upvoted 95 times

The more stupid questions they give, the higher chances of passing the exam!
upvoted 8 times

Correct Answer: D
Αny resource with a dynamically assigned public IP address will display the 'name' you gave it when the resource it is assigned to is offline.
A static address will be shown regardless of the resource state. This means that we need to start the VM1.
A: RDP rule has the highest priority. priority.

B: The network interface has already been added to VM1.
C: DenyAllInBound has really low priority.
Reference:
upvoted 40 times
  Allfreen 1 week, 1 day ago

Good Explanation
upvoted 1 times
  ron_azenkot Most Recent  1 month ago

look i am no expert but i am pretty sure that to use something you need to start it
answer is d
upvoted 1 times
  Sharathjogi 1 month, 2 weeks ago

Wow...common..question has to be like this :)
upvoted 1 times
  TheBody 2 months, 3 weeks ago

This is not a question about knowing an obscure fact about whether a public IP address shows when a VM is on or off, it's a pure problem
solving question.
The RDP rule already has the highest priority so it can't be A or C.
The question states the network interface has been added and that's shown in the exhibit so it can't be B.
That leaves D. And if the virtual machine is not switched on then the symptom described(can't connect via RDP) would be present.
Even in Azure checking that stuff is plugged in and turned on is a good first troubleshooting step.
upvoted 3 times
  ShockWaveSix 3 months ago

Even in Azure... "Is it plugged in? Is it turned on?"
upvoted 5 times

Haha... You know they never even said that the machine was off.
upvoted 4 times

accelerated networking is disabled
upvoted 1 times
  matapolillas 3 months, 4 weeks ago

you can tell the VM is off by looking at the public IP address field of the machine. When the VM is offline/powered off it displays the
name of the public IP resource
upvoted 5 times
  matapolillas 3 months, 4 weeks ago

and what that does have to do with anything?
upvoted 1 times

A really trickish question though
upvoted 2 times
  Da_G 11 months, 1 week ago

This isn't obvious unless you've seen it before, any resource with a dynamically assigned public IP address will display the 'name' you gave
it when the resource it's assigned to is offline. A static address will be shown regardless of the resource state. Answer is D.
upvoted 8 times

But where is the error? it's not quoted in the question.
upvoted 1 times

Never mind, it's in the exhibit.
upvoted 1 times

Thanks for the explanation
upvoted 1 times
  ReginaldoBarreto 11 months, 1 week ago

Troubleshooting, first check if vm is ON
upvoted 4 times

D is correct!
upvoted 2 times
Check public IP address on the list then you can see there has no public IP here, which means the VM deallocated. So solution is to start
the VM.
upvoted 3 times

By discarding rest of replies D. should be the solution, so answer is correct.
upvoted 3 times
  Hi2ALL 1 year ago

Another cleverly tricky question to brainstorm
upvoted 1 times
  ckyap 1 year ago

Come in exam 1st Feb 2021. Correct answer
upvoted 3 times

The answer is - public IP is not showing therefore the VM is shut done- not because D is the only option. Look at the public - IP by the
Network Interface. D is the correct answer
upvoted 3 times

please noted, the networking is disabled, means the vm is stopped.
upvoted 8 times
  crescha 9 months, 2 weeks ago

accelerated networking is disabled but it does not mean that vm is stopped, however D is correct
upvoted 2 times
You have the Azure virtual machines shown in the following table.
A DNS service is installed on VM1.

You configure the DNS servers settings for each virtual network as shown in the following exhibit.
You need to ensure that all the virtual machines can resolve DNS names by using the DNS service on VM1.
What should you do?
A. Configure a conditional forwarder on VM1
B. Add service endpoints on VNET1
C. Add service endpoints on VNET2 and VNET3
D. Configure peering between VNET1, VNET2, and VNET3
Correct Answer: D
Virtual network peering enables you to seamlessly connect networks in Azure Virtual Network. The virtual networks appear as one for
connectivity purposes. The traffic between virtual machines uses the Microsoft backbone infrastructure.
Incorrect Answers:
B, C: Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure
backbone network.
Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service Endpoints enables private IP
addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview https://docs.microsoft.com/en-
us/azure/virtual-network/virtual-network-peering-overview

D (100%)

Answer is correct. D.
Use Virtual network peering to connect virtual networks to be able to connect to other VMs in different VNETs
upvoted 61 times

Correct Answer: D
Use Virtual network peering to connect virtual networks to be able to connect to other VMs in different VNETs. Virtual network peering
enables you to seamlessly connect networks in Azure Virtual Network. The virtual networks appear as one for connectivity purposes. The
traffic between virtual machines uses the Microsoft backbone infrastructure.
B, C: Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the
Azure backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service
Endpoints enables private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the
VNet.
upvoted 32 times

Selected Answer: D
a: A conditional forwarder is a configuration option in a DNS server that lets you define a DNS domain, such as contoso.com, to forward
queries to.
b-c no
upvoted 1 times

In exam today! October 16, 2021
upvoted 5 times

D does look like the best answer but there's a lot more to do after the peering.
Answer is correct
upvoted 3 times
  bsdhjbfu3423asdfd 7 months, 2 weeks ago

Correct answer is A. Configure a conditional forwarder on VM1
Virtual Peering doesn't help to resolve DNS
upvoted 3 times
  Mack279 5 months, 3 weeks ago

It does help, in what sense that you set the DNS server if you cant reach that virtual server hosting the dns server role in the first place?
So Peering is needed before everything else works for VM1 as the dns server.
upvoted 1 times
  CloudyTech 8 months ago

Answer is A
upvoted 1 times

Correct answer is A. Configure a conditional forwarder on VM1
Virtual Peering doesn't help to resolve DNS
A conditional forwarder is a configuration option in a DNS server that lets you define a DNS domain, such
as contoso.com, to forward queries to. Instead of the local DNS server trying to resolve queries for records
in that domain, DNS queries are forwarded to the configured DNS for that domain
upvoted 3 times

You would use a conditional forwarder to forward requests from one DNS server to another DNS server in a another namespace.
upvoted 4 times

but the devices can't reach the DNS server, so peering between vnets must be first
upvoted 4 times
  armandolubaba 9 months ago

upvoted 1 times
  Aniruddha_dravyakar 11 months ago

Enabling peering is must
upvoted 4 times

Answer is correct
peering enables connectivity between Vnets with different subnets
upvoted 5 times
  Ayman79 11 months, 2 weeks ago

Name resolution between VMs in different virtual networks or role instances in different cloud services. Azure DNS private zones or,
Customer-managed DNS servers forwarding queries between virtual networks for resolution by Azure (DNS proxy). See Name resolution
using your own DNS server. FQDN only
Should configure conditional forwarder
upvoted 3 times
  Ayman79 11 months, 2 weeks ago

Name resolution between VMs in different virtual networks or role instances in different cloud services. Azure DNS private zones or,
Customer-managed DNS servers forwarding queries between virtual networks for resolution by Azure (DNS proxy). See Name resolution
using your own DNS server. FQDN only
upvoted 3 times

D is correct - Peering enables the communication among Vnets with different subnets.
upvoted 6 times

Answer D.
"Forward DNS resolution is supported across virtual networks that are linked to the private zone. For cross-virtual network DNS resolution,
there's no explicit dependency such that the virtual networks are peered with each other. However, you might want to peer virtual
networks for other scenarios (for example, HTTP traffic)."
upvoted 4 times

Answer D. is correct. Without peering there will be no inter-Vnet connectivity.
upvoted 5 times
  zengzhen 1 year, 1 month ago

What about VM4?
upvoted 7 times
  moooosi 1 year, 1 month ago

Is in Vnet3, so gets peered
upvoted 4 times
HOTSPOT -
You have an Azure subscription that contains the Azure virtual machines shown in the following table.
You add inbound security rules to a network security group (NSG) named NSG1 as shown in the following table.
You run Azure Network Watcher as shown in the following exhibit.
You run Network Watcher again as shown in the following exhibit.
Hot Area:
Correct Answer:
Box 1: No -
It limits traffic to VM2, but not VM1 traffic.
Box 2: Yes -
Yes, the destination is VM2.
Box 3: No -
Reference:

Correct Answer:
Box 1: No
NSG1 limits the traffic that is flowing into 172.16.2.0/24 (Subnet2), which host VM2.
Box 2: Yes
Since Network Watcher is showing that traffic from VM1 to VM2 is not reaching on the TCP port, that means that NSG1 is applied to VM2.
We can understand for sure, that it is not applied to VM1.
Box 3: Yes
In Network Watcher, you can see that the next hop is the destination VM2. This means that they are part of the same virtual network.
upvoted 74 times

Box 2 - what if the 8080 port on VM2 was not open on any service ?
upvoted 2 times
  matt_dns 1 month ago

I agree box 2 is Yes but not because of anything network watcher is showing, network watcher contradicts the NSG. Rather I read this
as another cruel question that simply means the NSG would affect routing for VM2 were it applied, it clearing hasn’t been applied here
(unless there’s a subnet NSG we know nothing about which we have to assume there isn’t).
upvoted 1 times

Ans: NNY. Box 2: yes the NSG1 should be applied to VM2 to allow correct communication as it is in exhibit2. But there is problem the
VM1 cannot connect to VM2. On last image we can see that VM1 is reachable from VM2.
Therefore the conclusion of this is NSG1 hasn't been applied yet.
upvoted 3 times
  NalChi 3 days, 11 hours ago

I Agree his opinion. NGS1 only allows TCP traffic but its ICMP commnication was succeed : it means VM2 does not applies to NGS1
upvoted 1 times
  Andersonalm Highly Voted  1 year, 2 months ago

N-Y-Y
upvoted 35 times

This answer is wrong.
upvoted 2 times

2nd question asks if NSG is applied to VM2. The NSG allows all TCP traffic from VM1 subnet to VM2 subnet, yet TCP connectivity test
on port 8080 is showing unreachable from VM1. The image also shows ICMP traffic is reaching and returning from VM2 to VM1.
Therefore, the NSG is not applied to VM2.
upvoted 6 times
  Ali1982 1 week ago

icmp is not the tcp/udp
upvoted 1 times

Please explain why you say this.
upvoted 2 times
  Redimido Most Recent  3 weeks ago

IMHO it's NO,NO,NO!
There's no evidence that the NSG1 is applied to VM2.
The NSG should allow the traffic between those virtual networks, and not only allow IMCP echo requests. This is the only difference in
those queries in Network Watcher.
upvoted 1 times

Box 3 --> Yes
support the answer, look at the View a connection monitor section in this link https://docs.microsoft.com/en-us/azure/network-
watcher/connection-monitor
upvoted 1 times
  stl75 1 month ago

Box 1 - Yes
On the bottom you can see you can ping from VM1 to VM2, but not VM2 to VM1. If blockage is on inbound, that's mean ping is stop from
VM2 to VM1. So NSG is apply to VM1 inbound.
Box 2 - No
If NSG is apply to VM1, then it's not apply to VM2
Box 3 - Yes
It's not on same subnet/network, but it's on same VNET, as all subnets on same VNET are connected. If they would be on separate VNET,
then you would need peering between them.
upvoted 2 times

NO
YES
YES
upvoted 1 times

NYY is the correct answer:
1. The NSG1 is not limiting the traffic from VM1
2. If NSG1 was applied to VM2, the TCP probe should have not failed.
3. As the ping (ICMP) probe is successful that means both subnets are within the same VNET.
upvoted 5 times

NNY is the correct answer
upvoted 3 times
  ejml 4 months, 1 week ago

Subnets in same virtual network are routed by default. With default NSG's plus these two rules in the NSG, the communication between
them are allow. So:
Box1: No
Box2: Yes or Not, if it is Yes, the traffic is allow, if it is not the traffic is allow. The problem in Netwatcher hasn't nothing to do with it.
Box3: Yes, but we don't really because they could be peered.
upvoted 1 times

Correction, I made a typo. Sorry:
I previously said the answer is correct, but I was wrong. The answer is No, Yes, Yes.
The first 2 options are evident.

Option3:
VM2 seems to be working as a virtual appliance for VM1 as it is the next hop, as per network watcher. I wouldn't put my next hop in a
different network. Also, the address spaces do indicate that they are closely related. If you create another network in the subscription it
will not be in the 172.16.0.0/16.
Although they are indifferent subnets, they happen to be in the same VNet. Also, the address spaces indicate they are in the same VNet.
upvoted 1 times

I previously said the answer is correct, but I was wrong. The answer is No, Yes, No.

Option3:
Although they are indifferent subnets, they happen to be in the same VNet. Also, the address spaces indicate they are in the same VNet.
upvoted 1 times

(Correction, I entered the wrong answers in my previous comment. Sorry:)
I previously said the answer is correct, but I was wrong. The answer is No, Yes, *Yes.

Option3:
Although they are indifferent subnets, they happen to be in the same VNet. Also, the address spaces indicate they are in the same
VNet.
upvoted 1 times
  Laax 5 months, 3 weeks ago

The third box is No
It's because upon the first loading of Network Watcher, the connectivity between VM1 and VM2 was unreachable, this is because the NSG
was not yet fully applied - it also indicates that without the NSG fully applied, VM1 cannot reach VM2 by default, hence they are not in the
same VNet; Many of you ignored why the question provided two screenshots - they indicate a default flow and a flow after the NSG is
applied
upvoted 1 times

It is possible that the port in the destination VM is not available.
upvoted 1 times

Answer is correct.
upvoted 1 times

N-Y-N. Given answer is correct
Because in the Network Watcher we don't see next hop for VM2, if VM1 and VM2 are in the same VNET you will see next hop for VM2
upvoted 1 times
  KelvinLam1 6 months ago

I think the answer is N Y Y
1) NSG1 limits traffic to 172.16.2.0/24 which is never going to apply to VM1
2) I think that it's unreachable is totally not related to the NSG (because in the NSG it allows TCP 8080). The only explanation is that on VM2
port 8080 is not listening. And the fact that in (3) ICMP to VM2 is reachable further proves that - VM1 and VM2 are directly connectable and
both machines are up.
3) They should be in the same VNET therefore VM1 can directly connect to VM2.
upvoted 8 times

I think that the second statement of the question is wrong as they do not give enough information to determine if it is YES or NO. It could
be NYY or NNY.
1. YES - NSG1 does not limit VM1 traffic as NSG1 allows traffic from VM1 subnet to VM2 subnet, if VM1 cannot reach VM2 there must be
another NSG blocking this connection as we know for the information provided that they are in the same vnet.
2. Could be both YES or NO. For the information provided we know that there is a NSG that is blocking the connection between VM1 and
VM2. So whether NSG1 is applied to VM2 or not the result is the same, TCP connections are blocked by another NSG and ICMP
connections are allowed by both. I don´t get why microsoft made this question. It is imposible to know.
3. YES - They are on different subnets on the same vnet as there is only one hop between them.
upvoted 4 times

This is how I see it:
Box1 -> Regardless of which VM the NSG is applied, it should only limit the VM in the receiving end, which is VM2, since the rules are
inbound.
Box 2 -> Rule 100 says allow, so TCP packets sent from VM1 should reach VM2, if NSG1 is applied to VM2.
Box 3 -> Since VM1's next hot is the VM2 subnet's IP, it probably means they are in the same Vnet, otherwise, the next hop would be the IP
of another Vnet with a different subnet mask.
NO
NO
YES
upvoted 22 times
  Pradh 1 month, 2 weeks ago

How can you guys be so Dumb to say NO to second question ?
Open you eyes wide and check the question ..see what question says.
===================================
You add inbound security rules to a network security group (NSG) named NSG1 as shown in the following table.
===================================
In that Table dont you see Rule 101 apply to VM2 subnet IP ?? Dont you ??
how the F can the answer be NO ? NSG1 does apply to VM2.

upvoted 1 times
  ExG2 1 week ago

What about Priority rule 100 which allows traffic from VM1 subnet to VM2 subnet over TCP whereas Network Watcher is showing
that it cant be reachable on TCP port 8080
upvoted 1 times

Totally agree. Correct answers are:
Box1: NO
Box2: NO
Box3: YES
NSG is not applied to VM2. As per 100 priority rule, all TCP ports from 172.16.1.0/24 are allowed. If so, then the first output from
Network Watcher would show that the destination is reachable, but it says the opposite. Probably some other NSG with completely
seperate set of rules is applied to VM2.
NOTE: Ping uses ICMP which is neither TCP or UDP. Thus, it's irrelevant in our discussion against the security rules table. ICMP is denied
by default security rules.
upvoted 5 times

I agree too
upvoted 1 times

Agreed NNY
upvoted 1 times
You have the Azure virtual network named VNet1 that contains a subnet named Subnet1. Subnet1 contains three Azure virtual machines. Each
virtual machine has a public IP address.
The virtual machines host several applications that are accessible over port 443 to users on the Internet.
Your on-premises network has a site-to-site VPN connection to VNet1.
You discover that the virtual machines can be accessed by using the Remote Desktop Protocol (RDP) from the Internet and from the on-premises
network.
You need to prevent RDP access to the virtual machines from the Internet, unless the RDP connection is established from the on-premises
network. The solution must ensure that all the applications can still be accessed by the Internet users.
What should you do?
A. Modify the address space of the local network gateway
B. Create a deny rule in a network security group (NSG) that is linked to Subnet1
C. Remove the public IP addresses from the virtual machines
D. Modify the address space of Subnet1
Correct Answer: B
You can use a site-to-site VPN to connect your on-premises network to an Azure virtual network. Users on your on-premises network connect by
using the RDP or
SSH protocol over the site-to-site VPN connection. You don't have to allow direct RDP or SSH access over the internet.
Reference:
https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices

Correct Answer: B
You can use a site-to-site VPN to connect your on-premises network to an Azure virtual network. Users on your on-premises network
connect by using the RDP or
SSH protocol over the site-to-site VPN connection. You have to deny direct RDP or SSH access over the internet through an NSG.
Reference:
https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices
upvoted 42 times
  jmartinezm Highly Voted  1 year, 4 months ago

Definitely B. A makes no sense
upvoted 32 times
  patoalcorta Most Recent  8 months ago

Definitely B. Why would anyone think of A?
upvoted 4 times
  raulgar 11 months ago

B is correct, configure a nsg rule.C can't be because vm need access through internet
upvoted 2 times
  tux_alket 11 months, 1 week ago

I would say B is the correct Answer
upvoted 3 times

Tested - B correct and only place where you can allow source which can connect to RDP.
upvoted 2 times

Answer is correct.
Create a deny rule in NSG connected to subnet1
upvoted 2 times

B is correct.
add a port 3389 blocking rule to NSG in Vnet
upvoted 3 times

Answer B. is correct
upvoted 2 times
  CloudyTexas 1 year ago

B is the answer. others choices make no sense
upvoted 2 times

Answer is B - Create a deny rule in a network security group (NSG) that is linked to Subnet1
upvoted 2 times

B is correct. Change the NSG - to allow only on-prem. Good explanation and document.
Scenario: Enable users on your on-premises network to connect to VMs on your Azure virtual network.
Option: A site-to-site VPN connects an entire network to another network over the internet. You can use a site-to-site VPN to connect your
on-premises network to an Azure virtual network. Users on your on-premises network connect by using the RDP or SSH protocol over the
site-to-site VPN connection. You don't have to allow direct RDP or SSH access over the internet.
upvoted 2 times
  Vgopi 1 year ago

The easiest way is to create a Deny rule in the Network Security Group. Create a Deny rule for port 3389 and ensure the source is
mentioned as the Internet.
upvoted 4 times

Answer is correct. B
upvoted 8 times
  0ptimus 1 year, 2 months ago

B is the Answer
upvoted 4 times

Answer- B
upvoted 6 times
  Haam 1 year, 3 months ago

answer B
upvoted 5 times
Subnet1 is associated to VNet1. NIC1 attaches VM1 to Subnet1.

You need to apply ASG1 to VM1.
What should you do?
A. Associate NIC1 to ASG1
B. Modify the properties of ASG1
C. Modify the properties of NSG1
Correct Answer: A
Application Security Group can be associated with NICs.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#application-security-groups

Full explanation:
Correct Answer is A:
Associate Virtual Machines

An application security group is a logical collection of virtual machines (NICs). You join virtual machines to the application security group,
and then use the application security group as a source or destination in NSG rules.
The Networking blade of virtual machine properties has a new button called Configure The Application Security Groups for each NIC in the
virtual machine. If you click this button, a pop-up blade will appear and you can select which (none, one, many) application security groups
that this NIC should join, and then click Save to commit the change.
https://petri.com/understanding-application-security-groups-in-the-azure-
portal#:~:text=You%20can%20start%20the%20process,Application%20Security%20Group%20blade%20appears.
upvoted 65 times

Correct Answer: A
Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to
group virtual machines and define network security policies based on those groups. You can reuse your security policy at scale without
manual maintenance of explicit IP addresses. The platform handles the complexity of explicit IP addresses and multiple rule sets, allowing
you to focus on your business logic.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/application-security-groups
https://tutorialsdojo.com/network-security-group-nsg-vs-application-security-group
upvoted 32 times

ASG are not much covered in the Learn module, not that I remember. Answer is correct
upvoted 2 times

Answer is correct.
Application security group ASG can be associated with NIC
upvoted 3 times

A is answer
Associate Virtual Machines
An application security group is a logical collection of virtual machines (NICs). You join virtual machines to the application security group,
and then use the application security group as a source or destination in NSG rules.
The Networking blade of virtual machine properties has a new button called Configure The Application Security Groups for each NIC in the
virtual machine. If you click this button, a pop-up blade will appear and you can select which (none, one, many) application security groups
that this NIC should join, and then click Save to commit the change.
https://petri.com/understanding-application-security-groups-in-the-azure-
portal#:~:text=You%20can%20start%20the%20process,Application%20Security%20Group%20blade%20appears.
upvoted 5 times
  aMiPL 1 year ago

ASG cannot only be added to NIC so the only option according to MS docs.
upvoted 2 times

Came in exam 1st Feb 2021. Selected A
upvoted 5 times

All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface
assigned to the application security group is in. For example, if the first network interface assigned to an application security group
named AsgWeb is in the virtual network named VNet1, then all subsequent network interfaces assigned to ASGWeb must exist in VNet1.
You cannot add network interfaces from different virtual networks to the same application security group.
upvoted 3 times

Good explanation - thank you.
upvoted 1 times
  Hardikm007 1 year, 1 month ago

ASG are NOT in exams. Check on site.
upvoted 3 times

Answer is correct. "A"
ASG is a virtual grouping of VMs through their NIC. Accordingly, you need to connect NIC to ASG.
upvoted 17 times

Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to
group virtual machines and define network security policies based on those groups
upvoted 4 times
  chenmat 1 year, 2 months ago

Answer: A
Refer https://tutorialsdojo.com/network-security-group-nsg-vs-application-security-group/
upvoted 5 times
  Andersonalm 1 year, 2 months ago

Answer C
upvoted 1 times

Don't spam answers without an explanation. Everyone's saying A but you say C but don't explain why? Shut up.
upvoted 61 times
  az104bd 11 months, 2 weeks ago

I can feel that brother !!!!! :D
upvoted 3 times
  antonio_ferraz 1 year, 2 months ago

Answer A.
In the previous picture, NIC1 and NIC2 are members of the AsgWeb application security group. NIC3 is a member of the AsgLogic
application security group. NIC4 is a member of the AsgDb application security group. Though each network interface in this example is a
member of only one network security group, a network interface can be a member of multiple application security groups, up to the Azure
limits. None of the network interfaces have an associated network security group. NSG1 is associated to both subnets and contains the
following rules:
upvoted 3 times

Answer is correct it is A. This blog discusses it well:
https://medium.com/awesome-azure/azure-application-security-group-asg-1e5e2e5321c3
Also in comments here: https://azure.microsoft.com/en-us/blog/applicationsecuritygroups/
upvoted 7 times
What you can do is to put a ASG into a NSG, by inbound or outbound rules.
But not directly on NIC
upvoted 2 times

Navigating on the portal, Network Interface are only assossiable with NSG, not with ASG.
On the VM networking blade, there are an another blade ASG that you can assossiate a ASG there.
None alternative are correct. Maybe there is something dismissed here.
upvoted 3 times
You have an Azure subscription named Subscription1 that contains an Azure virtual network named VNet1. VNet1 connects to your on-premises
network by using
Azure ExpressRoute.
You plan to prepare the environment for automatic failover in case of ExpressRoute failure.
You need to connect VNet1 to the on-premises network by using a site-to-site VPN. The solution must minimize cost.
A. Create a connection
B. Create a local site VPN gateway
C. Create a VPN gateway that uses the VpnGw1 SKU
D. Create a gateway subnet
E. Create a VPN gateway that uses the Basic SKU
Correct Answer: ADE

Reference:

ABC (83%) ADE (17%)

Vnet1 is already connected by ExpressRoute, wich we presume that the subnet gateway was already created.
SKU need to be VpnGw1 because Basic does not coexist with ExpressRoute.
So, answers should be A, B and C.

upvoted 95 times

I think you are 100% right
upvoted 6 times

Do you have a link for Basic not working with ExpressRoute?
upvoted 1 times
  jimmyli 1 year, 2 months ago

here: https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager
in which it reads, "Next, create your Site-to-Site VPN gateway. For more information about the VPN gateway configuration, see
Configure a VNet with a Site-to-Site connection. The "GatewaySku is only supported for VpnGw1, VpnGw2, VpnGw3, Standard, and
HighPerformance VPN gateways. ExpressRoute-VPN Gateway coexist configurations are not supported on the Basic SKU. The
VpnType must be RouteBased."
upvoted 12 times

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager#add
upvoted 1 times

Correct Answer: A, B and C
For a site to site VPN, you need:

- a local gateway
- a gateway subnet
- a VPN gateway
- a connection to connect the local gateway and the VPN gateway
However, the question states that VNet1 connects to your on-premises network by using Azure ExpressRoute. For an ExpressRoute
connection, VNET1 must already be configured with a gateway subnet so we don't need another one.
Note: BasicSKU cannot coexist with ExpressRoute. You must use a non-Basic SKU gateway for both the ExpressRoute gateway and the VPN
gateway.
upvoted 73 times

Reference:
https://azure.microsoft.com/es-es/pricing/details/vpn-gateway
upvoted 10 times

upvoted 2 times
  embarba 2 weeks, 1 day ago

A,B,C correct?
upvoted 1 times
  FabioVi 4 weeks ago

Selected Answer: ABC
Here is the URL where it is stated that "ExpressRoute-VPN Gateway coexist configurations are not supported on the Basic SKU":
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager#limits-and-limitations
upvoted 1 times

Selected Answer: ADE
I think A,D and E are correct. We are not using the basic sku with express route. we are setting up a failover vpn, the cheapest way would
be a basic sku, new vpn gateway for the new vpn and creating a connection - local gateway is already created because of the Express
route.
upvoted 2 times

Ignore this ABC is correct.
upvoted 2 times

This is the correct answer
upvoted 1 times

A,B,C is definately the correct answer. Express route by default defines the gateway subnets.
I am starting to feel very unconfident with so many wrong answers. Anyway thanks to all for the implication. Cheers!
upvoted 1 times

A, B, C.
no need to create gateway subnet as Vnet1 was already available
upvoted 1 times

Correct answer A, B, C
upvoted 2 times
  mathewscott06 2 months, 3 weeks ago

Answer is A B C
upvoted 5 times

Was in exam dated 15/11/2021
upvoted 1 times

What did yo choose?
upvoted 1 times

- Gateway subnet already exists. You can only have 1 per VNet.
- Cannot use basic SKU for VPN gateway for coexistence.
That leaves A, B, & C. If Local site VPN gateway is another way for them to say Local network gateway, then the answer is definitely A, B &
C
upvoted 1 times

This series of the wrong answers does us no service.
upvoted 2 times
  Neowarp 6 months, 3 weeks ago

The GatewaySku is only supported for VpnGw1, VpnGw2, VpnGw3, Standard, and HighPerformance VPN gateways. ExpressRoute-VPN
Gateway coexist configurations are not supported on the Basic SKU. The VpnType must be RouteBased.
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager
upvoted 1 times

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager
check
upvoted 1 times

Answer:
A. Create a connection
B. Create a local site VPN gateway
C. Create a VPN gateway that uses the VpnGw1 SKU
upvoted 2 times

Route-based VPN gateway types are offered in three SKUs: Basic, Standard, and High performance. Standard or High performance must
be chosen if the gateway is being created to coexist with an ExpressRoute gateway. High performance SKU must be selected in order for
active-active mode to be enabled. Learn more: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways
upvoted 4 times
HOTSPOT -
You have peering configured as shown in the following exhibit.
Hot Area:
Correct Answer:
Box 1: vNET6 only -

Peering status to both VNet1 and Vnet2 are disconnected.
Box 2: delete peering1 -

Peering to Vnet1 is Enabled but disconnected. We need to update or re-create the remote peering to get it back to Initiated state.
Reference:
https://blog.kloud.com.au/2018/10/19/address-space-maintenance-with-vnet-peering/
The Answer is correct.

- Since both peerings are disconnected. then only communication inside VNet6
- It should be to create peerings on Vnet1 to enable. However, since it is an option here. Then the nearest one is to delete the peering also
on Vnet6 then recreate again.
upvoted 46 times

Confirmed.
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-troubleshoot-peering-issues#the-peering-status-is-
disconnected
upvoted 6 times

Correct Answer:
Box 1: vNET6 only

Peering status to both VNet1 and Vnet2 are disconnected. So, only communication inside vNET6.
Box 2: delete peering1

Peering to vNET1 is enabled but disconnected. We need to delete the peering from both virtual networks, and then re-create them. You
can't add address ranges to or delete address ranges from a virtual network's address space once a virtual network is peered with another
virtual network. To add or remove address ranges, delete the peering, add or remove the address ranges, then re-create the peering.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-troubleshoot-peering-issues#the-peering-status-is-disconnected
upvoted 31 times
  Appu008 Most Recent  2 months, 3 weeks ago

most dumb options for second question
upvoted 2 times

Correct answer:
- VNET6 only
- Delete peering 1
upvoted 2 times
  _cube_ 4 months, 3 weeks ago

Box 1: vNET6 only is not correct imho.
The NSG default rules allow communication in between the virtual networks within the same subscription and I just tested it so the last
option (all vnets in the same subscription) is in my opinion the correct one.
upvoted 1 times

Honestly, I didn't even notice that the peerings were disconnected because it seemed too easy.
upvoted 1 times

"The peering status is "Disconnected"
To resolve this issue, delete the peering from both virtual networks, and then re-create them." - https://docs.microsoft.com/en-
us/azure/virtual-network/virtual-network-troubleshoot-peering-issues#the-peering-status-is-disconnected
upvoted 2 times
  Crhistian 9 months, 4 weeks ago

Why they dont include the complete answer...
delete and recreate the peering.
upvoted 4 times

upvoted 1 times

Given answers are correct
1.peering status disconnected so connection with other VNETs
upvoted 3 times

Both answers are correct. To re-create peering first you need to delete current one.
upvoted 5 times

peering1/2 shows "disconnected" so only VNet6.
Other options are not valid - so delete, and re-create.

upvoted 4 times

Came in exam 1st Feb 2021.
upvoted 3 times
  boomie 1 year ago

what is the answer!
upvoted 1 times

I don't see the VNET peering other then 1 and 2. So Vnet6 only till peering is done. You want to change the peering- remove or delete the
existing one - to establish peering. Answer is correct.
upvoted 2 times

Also Vnet1 shows disconnected.
upvoted 2 times

The peering status for the peering that exists in the other virtual network is Disconnected. You cannot recreate the peering until you re-
create the peering in the first virtual network and the peering status for both virtual networks changes to Connected.
upvoted 3 times
  david76x 1 year, 1 month ago

I don't understand why the 1st question isn't Vnet6 & Vnet1?
upvoted 5 times

Peering Status is "Disconnected"
upvoted 5 times
  Tom900 1 year, 2 months ago

To change the address space, need to delete the peering.
https://docs.microsoft.com/en-us/azure/architecture/networking/prefixes/add-ip-space-peered-vnet
peering.
upvoted 10 times
HOTSPOT -
You install the Web Server server role (IIS) on VM1 and VM2, and then add VM1 and VM2 to LB1.
LB1 is configured as shown in the LB1 exhibit. (Click the LB1 tab.)
Rule1 is configured as shown in the Rule1 exhibit. (Click the Rule1 tab.)

Hot Area:
Correct Answer:
Box 1: Yes -
A Basic Load Balancer supports virtual machines in a single availability set or virtual machine scale set.
Box 2: Yes -
When using load-balancing rules with Azure Load Balancer, you need to specify health probes to allow Load Balancer to detect the backend
endpoint status. The configuration of the health probe and probe responses determine which backend pool instances will receive new flows.
You can use health probes to detect the failure of an application on a backend endpoint. You can also generate a custom response to a health
probe and use the health probe for flow control to manage load or planned downtime. When a health probe fails, Load Balancer will stop
sending new flows to the respective unhealthy instance. Outbound connectivity is not impacted, only inbound connectivity is impacted.
Box 3: No -
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview

Correct Answer:
Box 1: Yes
A Basic Load Balancer supports virtual machines in a single availability set or virtual machine scale set.
Box 2: Yes
When using load-balancing rules with Azure Load Balancer, you need to specify health probes to allow Load Balancer to detect the
backend endpoint status. The configuration of the health probe and probe responses determine which backend pool instances will receive
new flows. You can use health probes to detect the failure of an application on a backend endpoint. You can also generate a custom
response to a health probe and use the health probe for flow control to manage load or planned downtime. When a health probe fails,
Load Balancer will stop sending new flows to the respective unhealthy instance. Outbound connectivity is not impacted, only inbound
connectivity is impacted.
Box 3: No
There will be no loadbalancing between the VMs.
Basic Load Balancer: Virtual machines in a single availability set or virtual machine scale set.
Standard Load Balancer: Any virtual machines or virtual machine scale sets in a single virtual network.
upvoted 47 times

Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview
upvoted 7 times
  denccc Highly Voted  9 months, 3 weeks ago

Answer seems correct to me:
- For Basic Sku load balancer, network interface and load balancer have to be in the same availability set. (Y)
- Principal of LB (Y)
- Deletion of rule: there will no loadbalancing to the VM's (N)
upvoted 13 times
  Snownoodles Most Recent  6 months, 3 weeks ago

I think Box 1 should be 'No'. Basic Load Balancer supports "Virtual machines in a single availability set or virtual machine scale set", so
availability set is not the only option to Basic LB.
I just did a test, if you put 2 VMs in a VMSS that in a single placement group, you can add this VMSS into Basic LB's backend pool.
Any suggestions?
upvoted 1 times
  J_Dawg 8 months, 4 weeks ago

Y-Y-Y
Check the link provided in the answer: LB Basic SKU is "Open by default. Network security group optional."
upvoted 3 times

I checked based on your comment. You are totally wrong and misreading the documentation .
"TCP connections stay alive on an instance probe down. All TCP connections end when all probes are down."
What you find is related to NSGs protecting the LB!!
upvoted 1 times

How will it know what to load-balance? :)
upvoted 3 times
  mashk19 9 months ago

Am I missing something here? If you delete the load balancing rule, surely you'd still have the load balancer? And the Load Balancer's job
is to spread traffic between the machines sitting behind it?
upvoted 2 times
  nzmike 3 months, 2 weeks ago

You've got the load balancer still sure, but what's telling it what to do? No rule(s), no balancing.
upvoted 1 times
  Moyuihftg 9 months, 3 weeks ago

Answer is correct
upvoted 2 times
  fdelacortina 9 months, 3 weeks ago

I would say that is Y, Y, Y. Because if you delete rule 1, LB would not balance traffic from port 80 to port 80.
upvoted 1 times
  hamzajeljeli 9 months, 3 weeks ago

Any confirmation that this is a correct answer ?
upvoted 1 times

yes answer is correct
upvoted 2 times
HOTSPOT -
You have an Azure virtual machine named VM1 that connects to a virtual network named VNet1. VM1 has the following configurations:
✑ Subnet: 10.0.0.0/24
✑ Availability set: AVSet
✑ Network security group (NSG): None
✑ Private IP address: 10.0.0.4 (dynamic)
✑ Public IP address: 40.90.219.6 (dynamic)
You deploy a standard, Internet-facing load balancer named slb1.
You need to configure slb1 to allow connectivity to VM1.
Which changes should you apply to VM1 as you configure slb1? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Change the private IP address of VM1 to static

Box 1: Remove the public IP address from VM1
Note: A public load balancer can provide outbound connections for virtual machines (VMs) inside your virtual network. These connections are
accomplished by translating their private IP addresses to public IP addresses. Public Load Balancers are used to load balance internet traffic to
your VMs.
Box 2: Create and configure an NSG
NSGs are used to explicitly permit allowed traffic. If you do not have an NSG on a subnet or NIC of your virtual machine resource, traffic is not
allowed to reach this resource.
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview

Correct Answer:
Box 1: Remove the public IP address from VM1

Note: A public load balancer can provide outbound connections for virtual machines (VMs) inside your virtual network. These connections
are accomplished by translating their private IP addresses to public IP addresses. Public Load Balancers are used to load balance internet
traffic to your VMs. Load balancer and the public IP address SKU must match when you use them with public IP addresses. Only Basic SKU
IPs work with the Basic SKU load balancer and only Standard SKU IPs work with Standard SKU load balancers.
Box 2: Create and configure an NSG
NSGs are used to explicitly permit allowed traffic. If you do not have an NSG on a subnet or NIC of your virtual machine resource, traffic is
not allowed to reach this resource.
upvoted 59 times

Box 1: Remove Publilc IP.
But not seen anything that was forcing this as the option. Found this "The default outbound access IP is disabled when a public IP
address is assigned to the virtual machine, or the virtual machine is placed in the backend pool of a Standard Load Balancer with or
without outbound rules. If a Azure Virtual Network NAT gateway resource is assigned to the subnet of the virtual machine, the default
outbound access IP is disabled." here : https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-public-
portal?tabs=option-1-create-load-balancer-standard.
My big issues is I don't see any of the answers as a "MUST". Typical MS question.
upvoted 1 times

Note: You can only attach virtual machines that are in the same location and on the same virtual network as the LB. Also, when adding
them to a backend pool, it doesn’t matter in which status are the VMs.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/public-ip-addresses
https://stackoverflow.com/questions/52882024/cannot-add-vm-to-standard-azure-load-balancer
https://docs.microsoft.com/en-us/azure/load-balancer/backend-pool-management
upvoted 15 times
  Kiano Highly Voted  9 months, 2 weeks ago

"Basic SKU Load Balancers use Basic SKU IP Addresses, which aren't compatible with Standard SKU Load Balancers as they require
Standard SKU IP Addresses" The IP Addresses are Dynamically assigned, therefore making them, "Basic SKU."
Ans1: remove Public IP
Ans2: Create & configure NSG
upvoted 10 times

This applies to the LB not the VM!!! - "Basic SKU Load Balancers use Basic SKU IP Addresses, which aren't compatible with Standard SKU
Load Balancers as they require Standard SKU IP Addresses" The IP Addresses are Dynamically assigned, therefore making them, "Basic
SKU."
Therefore its irrelevant here.
upvoted 2 times

Standard SKU Public IPs cannot have Dynamic assignments. We cannot associate Basic SKUs IPs with Standard SKUs LBs.
Standard LBs are secure by default (like Standard IPs), so we won't be able to connect to them without explicitly allowing such
connections via NSG... So, bottom-box must be "Create and configure NSG".
upvoted 2 times
  MorningStar 9 months ago

But why to use NSG as NGS default rule NO.2 allows traffic from Load balancer.
upvoted 1 times

The question says there is no NSG. So, When you don't have a NSG, you don't have the default rules defined in the NSG.
upvoted 4 times
  FabioVi Most Recent  3 weeks, 6 days ago

Correct. Regarding box 2, reason is because Standard Load Balancer is "Closed to inbound flows unless allowed by a network security
group"
https://docs.microsoft.com/en-us/azure/load-balancer/skus#skus
upvoted 1 times
  Pradh 1 month, 2 weeks ago

Guys !! its simple! Don't get confused with complicated text book explanation in comment section .
1) Remove Public IP address from VM1 --> Reason being when you create a LB and add VM to backend pool make sure VM doesn't have a
Public IP assigned to it .
2) Create and configure an NSG . --> key thing to notice in question is "STANDAR LB " . Backend pool VM in standard LB should
compulsorily have NSG associated to it and configured with required port to be allowed.
I created an LB with Basic sku and not standard..
Example :
With basic sku LB i was able to connect vm via rdp without any nsg..
Now when I tested with standard LB I had to configure and NSG for the vm nic and allow port 3389 to rdp it.. Without nsg it won't allow to
connect
upvoted 4 times

guys, joke? Dinamic for LB??????????????
upvoted 1 times

Verified it in Azure by setting this up.
Box 1: Remove the public IP address from VM1 - You can only attach virtual machines in the backend pool that have a standard SKU public
IP configuration or no public IP configuration. Since the Public IP of VM is dynamic, the IP must be a Basic SKU IP. You cannot add such a
VM (with Basic SKU IP) to a standard SKU load balancer. The VM does not even show up in the backend pool portal for selection unless you
remove the public IP or convert it to a Standard SKU IP.
Box 2: Create and configure an NSG - Standard load balancer is built on the zero trust network security model. Standard load balancers
and standard public IP addresses are closed to inbound connections unless opened by Network Security Groups. NSGs are used to
explicitly permit allowed traffic.
upvoted 4 times

Why not:
Create and assign an NSG to VM1
Change the private IP address of VM1 to static
?
upvoted 3 times

Before you can create the backend pool you must set the private IP to static, otherwise this may change on reboot, and the backend pool
would not be valid..
Before you connect as many people have called out - "Basic SKU Load Balancers use Basic SKU IP Addresses, which aren't compatible with
Standard SKU Load Balancers as they require Standard SKU IP Addresses" The IP Addresses are Dynamically assigned, therefore making
them, "Basic SKU.". So remove the public IP address.
You don't NEED a NSG.

upvoted 2 times

Actually you do :) "Standard load balancers and standard public IP addresses are closed to inbound connections unless opened by
Network Security Groups. NSGs are used to explicitly permit allowed traffic. If you don't have an NSG on a subnet or NIC of your virtual
machine resource, traffic isn't allowed to reach this resource. "
So answer must be 1) Change private IP 2) Create NSG
upvoted 3 times
  ranbhule 8 months, 3 weeks ago

Answer is correct,
https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-public-portal?tabs=option-1-create-load-
balancer-standard
upvoted 2 times

I think you need to assign a private IP to the VM, then create and assign a NSG.
If you restart the VM, you cannot be sure it will receive the same IP (it's dynamic) - then the backend pool will be unreachable (or
unhealthy, due to failed probe).
The standard LB needs a NSG to function ("secure by default")
upvoted 4 times

https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-public-portal?tabs=option-1-create-load-
balancer-standard
upvoted 1 times

Standard load balancer is built on the zero trust network security model.
Standard Load Balancer is secure by default and part of your virtual network. The virtual network is a private and isolated network.
Standard load balancers and standard public IP addresses are closed to inbound connections unless opened by Network Security Groups.
NSGs are used to explicitly permit allowed traffic. If you don't have an NSG on a subnet or NIC of your virtual machine resource, traffic isn't
allowed to reach this resource. To learn about NSGs and how to apply them to your scenario, see Network Security Groups.
Basic load balancer is open to the internet by default.
Load balancer doesn't store customer data.

upvoted 3 times

But if u read the doc of NSG on microsoft with those ( 3 subnet diagram and 4 nsg ) the last subnet had no NSG attached to it . And i
reads that as No NSG attached to it so it can take all communication .
And also it says its advisable to atach NSG to ur VM but no Mandatory
upvoted 1 times

for the explanaitions the answers look correct
upvoted 4 times
  MohnR 9 months, 2 weeks ago

what's the answer for Box 1 ?
Is it Change the Private IP address to Static or Remove Public IP from VM1?
upvoted 2 times

I think that the most apropiate is remove public ip and leave only the private.There are limitations about sku basic ip public, but the
question doesn't say nothing about it
upvoted 1 times
You need to create a network interface named NIC1.

In which location can you create NIC1?
A. East US and North Europe only
B. East US only
C. East US, West Europe, and North Europe
D. East US and West Europe only
Correct Answer: B
Before creating a network interface, you must have an existing virtual network in the same location and subscription you create a network
interface in.
Reference:

Correct Answer: B
Before creating a network interface, you must have an existing virtual network in the same location and subscription you create a network
interface in.
If you try to create a NIC on a location that does not have any Vnets you will get the following error: "The currently selected subscription
and location lack any existing virtual networks. Create a virtual network first."
Reference:
upvoted 34 times
  farasatkhan Highly Voted  9 months, 3 weeks ago

Correct.
"Before creating a network interface, you must have an existing virtual network in the same location and subscription you create a
network interface in."
upvoted 19 times

upvoted 3 times
  areza 1 month, 3 weeks ago

passed 902. in exam 29.12.21 - answer B
upvoted 2 times

The correct answer is B
upvoted 1 times

Can only create a NIC in a region that has a VNet. Since we've only been told of 1 VNet, that will be the only option.
upvoted 1 times

Correct answer. Ques was in exam today
upvoted 4 times

How did you find the exam overall?
upvoted 1 times
  Davar39 9 months, 3 weeks ago

Correct answer. If you try to create a NIC on a location that does not have any Vnets you will get the following error :
"The currently selected subscription and location lack any existing virtual networks. Create a virtual network first."
upvoted 11 times
You have Azure virtual machines that run Windows Server 2019 and are configured as shown in the following table.
You create a public Azure DNS zone named adatum.com and a private Azure DNS zone named contoso.com.
For controso.com, you create a virtual network link named link1 as shown in the exhibit. (Click the Exhibit tab.)
You discover that VM1 can resolve names in contoso.com but cannot resolve names in adatum.com. VM1 can resolve other hosts on the Internet.
You need to ensure that VM1 can resolve host names in adatum.com.
What should you do?
A. Update the DNS suffix on VM1 to be adatum.com
B. Configure the name servers for adatum.com at the domain registrar
C. Create an SRV record in the contoso.com zone
D. Modify the Access control (IAM) settings for link1
Correct Answer: A
If you use Azure Provided DNS then appropriate DNS suffix will be automatically applied to your virtual machines. For all other options you must
either use Fully
Qualified Domain Names (FQDN) or manually apply appropriate DNS suffix to your virtual machines.
Reference:

B (100%)

Correct Answer: B
Adatum.com is a public DNS zone. The Internet top level domain DNS servers need to know which DNS servers to direct DNS queries for
adatum.com to. You configure this by configuring the name servers for adatum.com at the domain registrar.
upvoted 84 times

I think the answer should be B
upvoted 30 times

you are absolutely right
upvoted 1 times

Selected Answer: B
Correct Answer: B
upvoted 1 times
  kyu1979 2 weeks ago

the answer is b
upvoted 1 times
  Redimido 2 weeks, 4 days ago

Selected Answer: B
You have to register your public DNS zone.
upvoted 1 times
  pooya2008 2 weeks, 5 days ago

upvoted 1 times

Selected Answer: B
The correct answer is B.
Documentation: https://docs.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns
upvoted 2 times

Selected Answer: B
Correct answer:B
upvoted 2 times

Selected Answer: B
Correct Answer: B
upvoted 2 times

Selected Answer: B
Definately B, is not the first time I see this question on the internet.
upvoted 2 times
  Riven 2 months, 1 week ago

Selected Answer: B
Majority vote
upvoted 3 times

Creating a public DNS zone in Azure allows you to host records in there but it doesn't register the domain so you would need to register
the domain at a registrar and update the name servers at the registrar to use those provided by Azure, like ns1-09.azure-dns.com
upvoted 2 times

I will have to agree that the answer is A.
Changing the Domain-specific DNS Suffix does help the computer resolve to the public DNS. It will still resolve names is contoso.com
because it belongs to a VNet1 that is linked to the private DNS server, but because it has an adatum.com Domain-specific DNS suffix it will
also resolve addresses in contoso.com.
My impression is that in the comment section people do not seem to realise that when you change the DNS suffix on VM1, you do not
affect the fact that the VNet is still linked to the contoso.com private DNS.
upvoted 2 times

What's the purpose of VM2 here again? still thinking...
upvoted 1 times

Are they giving these answers wrongly on purpose or something? I am paying now, so I demand a higher standard. Think is frustrating.
upvoted 5 times

Follow Mlantonis.
upvoted 3 times

i think A correct , consider this statement (a private Azure DNS zone named contoso.com)
upvoted 1 times

B, if aint find it local it will go public. All other public works so why not for Adatum. Cuz is missing.
upvoted 2 times
HOTSPOT -
You plan to use Azure Network Watcher to perform the following tasks:
✑ Task1: Identify a security rule that prevents a network packet from reaching an Azure virtual machine.
✑ Task2: Validate outbound connectivity from an Azure virtual machine to an external host.
Which feature should you use for each task? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: IP flow verify -

At some point, a VM may become unable to communicate with other resources, because of a security rule. The IP flow verify capability enables
you to specify a source and destination IPv4 address, port, protocol (TCP or UDP), and traffic direction (inbound or outbound). IP flow verify
then tests the communication and informs you if the connection succeeds or fails. If the connection fails, IP flow verify tells you which.
Box 2: Connection troubleshoot -

Diagnose outbound connections from a VM: The connection troubleshoot capability enables you to test a connection between a VM and
another VM, an FQDN, a
URI, or an IPv4 address. The test returns similar information returned when using the connection monitor capability, but tests the connection at
a point in time, rather than monitoring it over time, as connection monitor does. Learn more about how to troubleshoot connections using
connection-troubleshoot.
Reference:

Correct Answer:
Box 1: IP flow verify

At some point, a VM may become unable to communicate with other resources, because of a security rule. The IP flow verify capability
enables you to specify a source and destination IPv4 address, port, protocol (TCP or UDP), and traffic direction (inbound or outbound). IP
flow verify then tests the communication and informs you if the connection succeeds or fails. If the connection fails, IP flow verify tells you
which.
Box 2: Connection troubleshoot

Diagnose outbound connections from a VM: The connection troubleshoot capability enables you to test a connection between a VM and
another VM, an FQDN, a
URI, or an IPv4 address. The test returns similar information returned when using the connection monitor capability, but tests the
connection at a point in time, rather than monitoring it over time, as connection monitor does. Learn more about how to troubleshoot
connections using connection-troubleshoot.
upvoted 55 times

IP Flow Verify
"You might override Azure's default rules, or create additional rules. At some point, a VM may become unable to communicate with other
resources, because of a security rule. IP flow verify then tests the communication and informs you if the connection succeeds or fails."
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview#diagnose-network-traffic-filtering-
problems-to-or-from-a-vm
Connection Troubleshoot
"The connection troubleshoot capability enables you to test a connection between a VM and another VM, an FQDN, a URI, or an IPv4
address"
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview#connection-troubleshoot
upvoted 14 times

On exam 01.02.22
Answer:
Box 1: IP Flow Verify
Box 2: Connection Troubleshoot
upvoted 2 times
  Tshetu 2 months, 2 weeks ago

The question came in the exam today 03/12/21.
upvoted 2 times

upvoted 1 times

Nice Explanation, Well done Guys!!!
upvoted 1 times
  chaewon 8 months, 2 weeks ago

What is the difference between NSG diagnostic and IP flow verify?
upvoted 1 times
  Lkk51 8 months, 1 week ago

I guess you mean NSG flow logs and IP Flow Verify
NSG flow logs is to show the actual traffic that happens from/to VM.
For IP flow verify is more on testing. You can validate and see if the connection between each resources. If the connection fails, IP flow
verify tells you which security rule allowed or denied the communication
upvoted 3 times

Explanation/Reference: Task 1: IP flow verify IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The
information consists of direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied by a security group, the
name of the rule that denied the packet is returned. While any source or destination IP can be chosen, IP flow verify helps administrators
quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.
Task 2: With the addition of Connection Troubleshoot, Network Watcher will see an incremental increase in its capabilities and ways for
you to utilize it in your day to day operations. You can now, for example, check connectivity between source (VM) and destination (VM, URI,
FQDN, IP Address). References: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview
https://azure.microsoft.com/en-us/blog/networkwatcher- connection-troubleshoot-now-generally-available/
upvoted 6 times
  fdelacortina 9 months, 3 weeks ago

I think it is correct.
upvoted 3 times
HOTSPOT -
You configure the network interfaces of the virtual machines to use the settings shown in the following table.
From the settings of VNET1 you configure the DNS servers shown in the following exhibit.
The virtual machines can successfully connect to the DNS server that has an IP address of 192.168.10.15 and the DNS server that has an IP
address of
193.77.134.10.
Hot Area:
Correct Answer:
Box 1: Yes -
You can specify DNS server IP addresses in the VNet settings. The setting is applied as the default DNS server(s) for all VMs in the VNet.
Box 2: No -
You can set DNS servers per VM or cloud service to override the default network settings.
Box 3: Yes -
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#name-resolution-dns

Correct Answer:
NIC configured DNS servers takes precedence over VNET configured DNS servers.
Box 1: Yes
VM1 uses the VNET configured DNS 193.77.134.10.
You can specify DNS server IP addresses in the VNet settings. The setting is applied as the default DNS server(s) for all VMs in the VNet.
The DNS is set on the VNET level.
Box 2: No
VM2 uses the NIC configured DNS 192.168.10.15.
This VM has 192.168.10.5 set as DNS server, so it overrides the default DNS set on VNET1.
Box 3: Yes
VM3 uses the NIC configured DNS 192.168.10.15
This VM has 192.168.10.5 set as DNS server, so it overrides the default DNS set on VNET1.
upvoted 46 times
  Kent_020 3 months, 1 week ago

Where did you get the '192.168.10.5' from the info given?
----------------
VM1 uses the VNET configured DNS 193.77.134.10
upvoted 2 times
  odisor 1 week, 4 days ago

Both VMs have 192.168.10.15 assigned to their NICs
upvoted 1 times

Great Explanation Buddy!
upvoted 2 times
  Alses1970 Highly Voted  9 months, 3 weeks ago

1. Yes - as per link the DNS is set on the VNET level
2. No - this VM has 192.168.10.5 set as DNS server so it overrides the default DNS set on VNET1
3. Yes - this VM has 192.168.10.5 set as DNS server so it overrides the default DNS set on VNET1
upvoted 27 times
  TtotheA2021 Most Recent  6 days, 2 hours ago

Common guys thi question is so easy. you have too look right to the DNS, see explanation MLANTONIS he is 100% correct.
most of you are confusing on the NIC and DNS, the dns ip of vm2 192.168.10.15 overrules custom ip.
YNY
upvoted 1 times

upvoted 1 times

passed 902. in exam 29.12.21 - answer y/n/y
upvoted 3 times

upvoted 1 times

Andwer correct . Ques in exam today
upvoted 3 times
  riri5678 9 months ago

Am I missing something? VM 2 and VM 3 have the exact same info, so how can VM2 be no and VM3 be yes?
upvoted 1 times
  Franpb90 9 months ago

Different IP in the question.
upvoted 1 times
  riri5678 9 months ago

*Same info DNS serverwise
upvoted 2 times

Different question, different answer
upvoted 1 times

YNY from me
upvoted 1 times

The network interface can inherit the setting from the virtual network the network interface is assigned to, or have a custom setting that
overrides the setting for the virtual network it's assigned to (https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-
network-interface) so Y-N-Y seems correct to me
upvoted 2 times

Answer seems correct. Y-N-Y
NIC configured DNS servers takes precedence over VNET configured DNS servers

upvoted 13 times
  hamzajeljeli 9 months, 3 weeks ago

I think this can be Y-Y-Y ?
upvoted 1 times
HOTSPOT -
You have an Azure subscription that contains the resource groups shown in the following table.
RG1 contains the resources shown in the following table.
You need to identify which resources you can move from RG1 to RG2, and which resources you can move from RG2 to RG1.
Which resources should you identify? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: IP1, Storage1 -

IP addresses and storage accounts can be moved.
Virtual networks cannot be moved.
There is no lock on RG1.
Box 2: None -
There is a delete lock on RG2.
Note: When you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources you add later inherit the
lock from the parent.
The most restrictive lock in the inheritance takes precedence.
CanNotDelete means authorized users can still read and modify a resource, but they can't delete the resource.
ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all
authorized users to the permissions granted by the Reader role.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources https://docs.microsoft.com/en-us/azure/azure-
resource-manager/management/move-support-resources

Don't see a table with IP1, storage1 and VNET1. To test anyway, I created storage2, VNET2 and IP2 in RG1. Then I applied the locks as
stated in the tables. I was able to move all resources from RG1 to RG2. After that I could also move all resources from RG2 back to RG1.
So based on the current information, I go for answer:

IP1, VNET2, and storage1
IP2, VNET2, and storage2
upvoted 62 times

I made some tests too and I can move VNET from 1 RG to another RG even there is lock.
upvoted 7 times
  lksilesian 3 months, 1 week ago

This is the first question I tested in lab - because I could not find a definitive answer and could not take it on faith. But you are right, no
matter what lock is set - I was able to move resources. The -> ONLY <- situation where I was NOT able to MOVE resources is when i set
READ-ONLY lock on the DESTINATION resource group.
upvoted 4 times
  pmzone 2 weeks, 5 days ago

If the Read-only Lock is applied on either Source or target RG, the movement of resources won't happen.
upvoted 1 times
  cyna58 9 months, 2 weeks ago

Your answer is correct. We can move all resources
upvoted 6 times

Correct Answer:
Box 1: IP1, VNET2, and storage1

Box 2: IP2, VNET2, and storage2
Locks are designed for any update or removal. In this case we want to move only, we are not deleting, and we are not changing anything
in the resource.
upvoted 53 times

Sorry, you have a logic error in your statement!
What is a "move"? A copy of the resource to a destination, after a successful copy the resource will be deleted!
https://pediaa.com/difference-between-copying-and-moving/
In this case, only the IP-Address can be moved, the only resource without a lock!
upvoted 1 times
  PeeKay79 6 months, 3 weeks ago

RG2 does not contain any resources so Box2:None
upvoted 6 times
  madshark Most Recent  3 weeks, 1 day ago

I found this question on another exam sheet and it is missing the RG2 resources. Both RG1 and RG2 have the same resources with the
same locks. The answer on the other exam sheet is that you can move ALL resources from RG1 to RG2 and then ALL from RG2 to RG1. The
logic is that Locks are designed for any update or removal. In this case we want to move only, we are not deleting, and we are not
changing anything in the resource.
upvoted 3 times
  FabioVi 3 weeks, 3 days ago
Conclusions, after TESTING in a lab:

A resource with readonly lock, can be moved to another RG, because the resource attributes do not change with the move.
A resource with delete lock, can be moved to another RG, because the resource by itself is not deleted and keeps on existing despite the
move.
But if the resource is a RG and it has a readonly lock, its child resources can’t be moved to another RG, because the RG attributes (in this
case, the child resources’ list) would try to be modified, hence, prevented by the lock.
If the RG has a delete lock, its child resources can be moved to another RG.
upvoted 3 times

We're missing a portion of the question. Full question and answer here:
exam4training.com/which-resources-should-you-identify-12/
upvoted 10 times

all
none-no RG2 table
upvoted 1 times

In exam 09/20/2021
upvoted 3 times

Here's the Full Question - https://vceguide.com/which-resources-should-you-identify/
upvoted 26 times

There's no storage2. Then it quickly became clear it was a typo. Considering that, answer is correct
upvoted 2 times

The question is not complete, check the real question here (also with wrong answers, but anyway) - https://vceguide.com/which-
resources-should-you-identify/
upvoted 9 times
  gerryboy 6 months, 4 weeks ago

Having tested this out myself, i concur that all resources can be moved. I am concerned with the accuracy of the official answers.
upvoted 3 times

as long as there's no readonly on the RG, you can move. when there's a lock @ resource level; it doesn't matter. when there's a lock on the
RG, you get: "please remove the lock and try again'
upvoted 4 times

rg1->rg2:IP1, VNET2, and storage1, bcoz we just change metadata
rg2->rg1:none,bcoz there is not any resources in rg2
upvoted 2 times
  itmp 8 months, 2 weeks ago

You can move ALL resources. (moving a resource in Azure is not the same as moving a file in windows, like copy+delete)
Complete tables are:
RG1 contains the resources shown in the following table:

storage1 |Lock Type = Delete
VNET1 |Lock Type = Read-only
IP1 |Lock Type = None
RG2 contains the resources shown in the following table:

storage2 |Lock Type = Delete
VNET2 |Lock Type = Read-only
IP2 |Lock Type = None
upvoted 3 times
  wolke89 9 months ago

Cant move vnet2 it has read only lock
upvoted 4 times

Test it, and you will find you can move it. You are not changing the resource, so the lock will not stop you moving groups
upvoted 1 times
  mashk19 9 months ago

You can move stuff around regardless of locks. So that's everything in RG1. What's in RG2 however? Is the question complete? If it is, you'd
have to say 'none' from RG2 to RG1 because there's nothing there.
upvoted 4 times

My thoughts exactly!!!!?????
upvoted 1 times
  Yiannisthe7th 9 months, 1 week ago

I also made tests, all the above resources can be moved.
upvoted 4 times
You have an Azure subscription that contains the virtual machines shown in the following table.
You deploy a load balancer that has the following configurations:

✑ Name: LB1
✑ Type: Internal
✑ SKU: Standard
You need to ensure that you can add VM1 and VM2 to the backend pool of LB1.
Solution: You create a Basic SKU public IP address, associate the address to the network interface of VM1, and then start VM1.
A. Yes
B. No
Correct Answer: B
A Backend Pool configured by IP address has the following limitations:
✑ Standard load balancer only
Reference:

You can only attach virtual machines that are in the same location and on the same virtual network as the LB. Virtual machines must have
a standard SKU public IP or no public IP.
The LB needs to be a standard SKU to accept individual VMs outside an availability set or vmss. VMs do not need to have public IPs but if
they do have them they have to be standard SKU. Vms can only be from a single network. When they don’t have a public IP they are
assigned an ephemeral IP.
Also, when adding them to a backend pool, it doesn’t matter in which status are the VMs.
Note: Load balancer and the public IP address SKU must match when you use them with public IP addresses.
upvoted 23 times

It's not valid, because:
LB1: Standard SKU
VM1: Basic SKU public IP
upvoted 8 times

B. No
Tested this and as you are creating the back end it says:
"You can only attach virtual machines that are in the same location and on the same virtual network as the loadbalancer. Virtual machines
must have a standard SKU public IP or no public IP."
-It does not matter if the VM is stopped or started.
-The LB needs to be a standard SKU to accept individual VMs outside an availability set or vmss. VMs do not need to have public IPs but if
they do have them they have to be standard SKU. Vms can only be from a single network.
-When they dont have a public IP they are assigned an ephemeral IP.
https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-internal-portal?tabs=option-1-create-internal-
load-balancer-standard#create-virtual-machines
upvoted 22 times
  Takloy Most Recent  2 months, 1 week ago

The moment I saw Basic SKU for the Public IP, I know it's a NO straight away.
upvoted 2 times

So you need a standard sku public IP address and not basic Sku.
upvoted 1 times
  stepient 9 months, 3 weeks ago

Tested, you can't add a VM with a public IP address to an internal LB backend pool.
upvoted 7 times

I would say yes you can connect the VM. The actions will put the VM1 into the same state as VM2.
The LB needs to be a standard SKU to accept individual VMs outside an availability set or vmss. VMs do not need to have public IPs. Vms
can only be from a single network.
When they dont have a public IP they are assigned an ephemeral IP.
https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-internal-portal?tabs=option-1-create-internal-
load-balancer-standard#create-virtual-machines
upvoted 1 times

✑ Name: LB1
✑ Type: Internal
✑ SKU: Standard
Solution: You create a Standard SKU public IP address, associate the address to the network interface of VM1, and then stop VM2.
A. Yes
B. No
Correct Answer: B
Reference:

upvoted 19 times

It's not valid, because:
LB1: Standard SKU
VM1: Standard SKU public IP
upvoted 14 times
  cowboy Most Recent  9 months, 2 weeks ago

Tested only Standard sku public IP can be added to backend pool.
upvoted 1 times

Both Vm should have standard sku ip address.
upvoted 4 times

✑ Name: LB1
✑ Type: Internal
✑ SKU: Standard
Solution: You create two Standard public IP addresses and associate a Standard SKU public IP address to the network interface of each virtual
machine.
A. Yes
B. No
Correct Answer: A
Reference:

A (50%) B (50%)

upvoted 31 times
  stdevops 4 months ago

you need to start VM also
upvoted 1 times

One of the few slip-ups from Azure Jesus. The provided answer is correct, the reasoning is correct but missed that VM1 has a basic SKU.
upvoted 2 times

Nope AJ is correct, thought it was the other question.
upvoted 2 times

It's valid, because:
LB1: Standard SKU
upvoted 10 times

Answer correct.
You can only attach virtual machines that are in the same location and on the same virtual network as the loadbalancer. Virtual machines
must have a standard SKU public IP or no public IP.
upvoted 11 times
  Oskarma Most Recent  1 week, 2 days ago

Selected Answer: A
Tested in Lab:
Correct: A. Yes
You can only attach virtual machines in same location that have a standard SKU public IP configuration or no public IP configuration. All IP
configurations must be on the same virtual network.
upvoted 1 times

upvoted 3 times
  wafferrr 2 weeks, 5 days ago

Selected Answer: B
VM is off so answer is B
upvoted 1 times
  asmi3342344 5 months, 1 week ago

what about starting the VM1, that is not mentioned in the steps so the answer is No.
upvoted 2 times

My problem here is that VM2 has a basic Public IP. They are not saying that this has been removed and they don't say there's an additional
NIC to VM2 either.
I understand they are trying to establish that we know that basic IP SKU can not be associated to a backend pool of Standard LB.
upvoted 3 times

VM1 is deallocated. Does it change anything?
upvoted 2 times
  Spandrop 7 months ago

well, I would say that yes: "You need to ensure that you can add VM1 and VM2 to the backend pool of LB1." ... how would you add
something that is deallocated?
upvoted 1 times
  nicksu 9 months, 1 week ago

how come that INTERNAL load balancer can serve backend of PUBLIC IP addreses?
upvoted 2 times
  gbx077 9 months ago

The public IP(with standard SKU) are associated to the NICs of the VMs. The internal load balancer(with standard SKU) can
communicate with the VMs on their private IP. See requirements mentioned by Moyuihftg below
upvoted 1 times
Solution: You export the client certificate from Computer1 and install the certificate on Computer2.
A. Yes
B. No
Correct Answer: A
Reference:

Export the client certificate from Computer1 and install the certificate on Computer2.
Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate
from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication
fails.
upvoted 30 times

Same certificate can be used on multiple client machines ?
upvoted 4 times

upvoted 6 times
  ExameHero Most Recent  3 weeks, 1 day ago

ExamTopics is the Best!!!
upvoted 1 times

Correct answer: A
upvoted 3 times

Good Job , best wishes :)
upvoted 1 times

upvoted 1 times

Answer seems correct "If you want to install a client certificate on another client computer, you can export the certificate."
upvoted 2 times

Correct
upvoted 3 times
  lock12333 9 months, 3 weeks ago
aaaaaaaaaaaaaaaaaaaaaaaaaaaa
upvoted 4 times

you jammed a finger in keyboard, so pity)
upvoted 1 times

Correct
upvoted 1 times
You have an Azure virtual machine named VM1.

The network interface for VM1 is configured as shown in the exhibit. (Click the Exhibit tab.)
You deploy a web server on VM1, and then create a secure website that is accessible by using the HTTPS protocol. VM1 is used as a web server
only.
You need to ensure that users can connect to the website from the Internet.
What should you do?
A. Modify the protocol of Rule4
B. Delete Rule1
C. For Rule5, change the Action to Allow and change the priority to 401
D. Create a new inbound rule that allows TCP protocol 443 and configure the rule to have a priority of 501.
Correct Answer: C
HTTPS uses port 443.
Rule2, with priority 500, denies HTTPS traffic.
Rule5, with priority changed from 2000 to 401, would allow HTTPS traffic.
Note: Priority is a number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers,
because lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities
(higher numbers) that have the same attributes as rules with higher priorities are not processed.
Note:
There are several versions of this question in the exam. The question has two possible correct answers:
1. Change the priority of Rule3 to 450.
2. For Rule5, change the Action to Allow and change the priority to 401.
✑ Modify the action of Rule1.
✑ Change the priority of Rule6 to 100.
✑ For Rule4, change the protocol from UDP to Any.
Reference:

Correct Answer: C
HTTPS uses port 443.

Rule2, with priority 500, denies HTTPS traffic.
Rule5, with priority changed from 2000 to 401, would allow HTTPS traffic.
Note: Priority is a number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher
numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with
lower priorities (higher numbers) that have the same attributes as rules with higher priorities are not processed.
upvoted 36 times

Note: There are several versions of this question in the exam.
The question has two possible correct answers:
1. Change the priority of Rule3 to 450.
2. For Rule5, change the Action to Allow and change the priority to 401.
✑ Modify the action of Rule1.
✑ Change the priority of Rule6 to 100.
Reference:
upvoted 12 times

Why it works with destination set to Virtualnetwork not the PublicIP ?
upvoted 1 times

Answer C is correct
Although not the best solution (opening range 50-5000, when you only whant to allow https/443)
upvoted 25 times
  Sharathjogi 1 month, 1 week ago

Absolutely agree...that's what I am thinking, we are unnecessarily opening lot of ports here, instead of allowing just 443.
upvoted 1 times
  mufflon Most Recent  3 weeks, 1 day ago

completely crazy solution, it would be best to open rule 2 and possibly change the destination if it is crucial
upvoted 1 times

ONLY MEANS 443 ONLY
ONLY DON'T MEANS 50-500 RANGE
MUST ADD RULE FOR PERMIT 443 : D
upvoted 2 times

Korek!
upvoted 1 times

- C is correct
- Microsoft needs to stop encouraging poor admin behavior in it's exams (AWS correct answers always encourage best practice / lowest
cost)
upvoted 4 times

Correct Answer for Exam is C. However, doing C in the real world will likely get you sacked lol
upvoted 4 times

While C is the best answer in the given choice, I still think this is bad practice as you leave too many ports open.
upvoted 3 times
  TTTTT88888 6 months, 4 weeks ago

All the options is wrong. The answer in the question seems to have changed as C is deny traffic
upvoted 4 times
  anoj_cha 4 months, 1 week ago

You're right. It's confusing. It seems that the screenshot has been updated.
upvoted 1 times
Question looks like it was changed? Rule5 is in the graphic is a DENY rule, changing its priority will just change which rule is blocking the
traffic.
upvoted 3 times

I am illiterate
upvoted 2 times

The answer states that you also change the action to Allow, so therefore it will work. However, it is bad admin practice opening up
that many ports when we only need 443. But unfortunately, it's the only answer given that will actually allow this to work, so we're
forced to choose it.
upvoted 1 times
  chaewon 8 months, 2 weeks ago

why this is incorrect option? I thought 'Any' include TCP Protocol.
upvoted 2 times

Because Rule2 has higher priority, port 443 already blocked.
upvoted 3 times

D, why open all the ports in 50-5000 vs only creating a new one for port 443?
upvoted 2 times

D is not correct, because Rule2 still have a higher prio and will deny the traffic.
Answer C is correct (but not a real world prefered solution).
upvoted 6 times

C for sure
upvoted 4 times
  lock12333 9 months, 3 weeks ago

ccccccccccccccccccccccccc
upvoted 2 times

Correct
upvoted 3 times
  Rafi_007 4 months, 2 weeks ago

Best answer should be "Change rule 2 to Allow".Already mentioned that vm only used as web server and opening unwanted port is
never a good practice.
upvoted 3 times
Solution: From the Resource providers blade, you unregister the Microsoft.ClassicNetwork provider.
A. Yes
B. No
Correct Answer: B
You should use a policy definition.
Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing when the
policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your resources.
Reference:

You need to use a custom policy definition, because there is not a built-in policy.
Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing
when the policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your
resources.
Reference:
upvoted 30 times
  dasnc Highly Voted  1 year, 5 months ago

Answer is correct
upvoted 13 times

haha... sorry I couldn't help it :)
upvoted 1 times

Answer is No
upvoted 1 times
  tg01234 11 months, 1 week ago

Answer is No.
upvoted 2 times

NO is the answer
upvoted 3 times

Answer B. is correct, this is more related to Policies
upvoted 2 times

Policy assignments are inherited by child resources. If a policy assignment is applied to a resource group, it's applicable to all the
resources in that resource group.
upvoted 2 times

Tricky one but Vnets cannot communicate with other Vnets by default....
upvoted 3 times

Azure Policy establishes conventions for resources. Policy definitions describe resource compliance conditions and the effect to take if a
condition is met. A condition compares a resource property field or a value to a required value. Resource property fields are accessed by
using aliases. When a resource property field is an array, a special array alias can be used to select values from all array members and
apply a condition to each one. Learn more about conditions.
upvoted 4 times
  Akanyang 1 year, 3 months ago

what is the answer yes or no?
upvoted 1 times
  Bhaskardegala 1 year, 2 months ago

Answer is No
upvoted 2 times
  raBLar 1 year, 2 months ago

answer: no
upvoted 2 times
HOTSPOT -
You manage two Azure subscriptions named Subscription1 and Subscription2.
Subscription1 has following virtual networks:
The virtual networks contain the following subnets:
Subscription2 contains the following virtual network:

✑ Name: VNETA
✑ Address space: 10.10.128.0/17
✑ Location: Canada Central
VNETA contains the following subnets:
Hot Area:
Correct Answer:
Box 1: Yes -
With VNet-to-VNet you can connect Virtual Networks in Azure across different regions.
Box 2: Yes -
Azure supports the following types of peering:
✑ Virtual network peering: Connect virtual networks within the same Azure region.
✑ Global virtual network peering: Connecting virtual networks across Azure regions.
Box 3: No -
The virtual networks you peer must have non-overlapping IP address spaces.
Reference:
https://azure.microsoft.com/en-us/blog/vnet-to-vnet-connecting-virtual-networks-in-azure-across-different-regions/
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-constraints

Correct Answer:
VNET1: 10.10.10.0 - 10.10.10.255

VNET2: 172.16.0.0 - 172.16.255.255
VNETA: 10.10.128.0 - 10.10.255.255
Box 1: No
To create a VNet to VNet VPN you need to have a special Gateway Subnet. Here, the VNet has no sufficient address space to create a
Gateway Subnet and thus to establish a VNet to VNet VPN connection.
Box 2: Yes
For VNet peering the only consideration is that the VNets do not overlap. VNET1 and VNET2 do not overlap.
Box 3: Yes
For VNet peering the only consideration is that the VNets do not overlap. VNET1 and VNETA do not overlap.
upvoted 84 times
  Thuncroow Highly Voted  9 months, 3 weeks ago

The answer should be N-Y-Y :
1: No because to create a Vnet to Vnet VPN you need to have a special gateway subnet. Here the Vnet has only /24 CIDR blocks of address
space and this space is already taken by its Subnet. Hence there is no sufficient address space to create a gateway subnet and thus to
establish a Vnet to Vnet VPN connection.
For 2 & 3 : They address spaces for the Virtual network don't overlap, we can thus establish a peering connection between the Virtuals
Networks.
upvoted 53 times
  kansaj 4 months, 2 weeks ago

i think its
1.:YES u can do site to site because there is nothing that blocks that option
2.: YES u can peer vnet1 to vnet2
3.:no because its different subscription
upvoted 1 times
  Marciojsilva 2 months, 3 weeks ago

If the virtual networks are in different subscriptions, and the subscriptions are associated with different Azure Active Directory
tenants, complete the following steps before continuing:
Add the user from each Active Directory tenant as a guest user in the opposite Azure Active Directory tenant.
Each user must accept the guest user invitation from the opposite Azure Active Directory tenant.
upvoted 2 times

I disagree. Address space /24 can create /27 or /28 for gateway subnet which btw is the recommended prefix by MS. Also I have tested
it. So Y Y Y
upvoted 7 times

You didn't look at the subnet breakdown for VNet1 close enough. Subnet11 takes up the entire address space provided by VNet1, so
there's no room to add a gateway subnet. Therefore, the first answer is NO.
upvoted 5 times

In theory yes you can break down the /24 subnet into smaller subnets, then use one of the subnets as Gateway subnet, but in reality
you will not have enough addresses left to use for users and devices. Besides the question does NOT mention subnetting the
addresses. The key to answering questions is to use only what is mentioned in the question. So no, you cant use that subnet.
Box 1 - NO
Box 2 - Yes
Box 3 - Yes
upvoted 5 times

That's nonesense.
If you did what you are suggesting you would have, for example:
subnet1: 10.10.10.0 - 10.10.10.255
gateway subnet: 10.10.10.0/27 which would be 10.10.10.0 - 10.10.10.31 which would clearly overlap with subnet1
upvoted 4 times
Well you could create the gateway subnet in VNET2 but would that be a S2S connection between VNET2 and VNET1 instead of VNET1
and VNET2. Is the question saying that the connection must be established from VNET1. That's tricky.
upvoted 1 times

First box is Yes:
"Configuring a VNet-to-VNet connection is a simple way to connect VNets. When you connect a virtual network to another virtual
network with a VNet-to-VNet connection type (VNet2VNet), it's similar to creating a Site-to-Site IPsec connection to an on-premises
location"
upvoted 1 times
  Sara_Mo Most Recent  1 month, 2 weeks ago

Correct Answer: VNET1: 10.10.10.0 - 10.10.10.255 VNET2: 172.16.0.0 - 172.16.255.255 VNETA: 10.10.128.0 - 10.10.255.255
Box 1: No To create a VNet to VNet VPN you need to have a special Gateway Subnet. Here, the VNet has no sufficient address space to
create a Gateway Subnet and thus to establish a VNet to VNet VPN connection.
Box 2: Yes For VNet peering the only consideration is that the VNets do not overlap. VNET1 and VNET2 do not overlap.
Box 3: Yes For VNet peering the only consideration is that the VNets do not overlap. VNET1 and VNETA do not overlap.
upvoted 1 times

On exam Today 17 Dec 21
upvoted 1 times

upvoted 6 times

I tested and confirmed you cannot create a subnet that overlaps with another subnet address space in the same VNET.
upvoted 1 times

Update
The answer is Yes, Yes, Yes.

10.10.128.0/17 does NOT overlap with 10.10.10.0/24
>0000 1010 . 0000 1010 . 1<000 0000 . 0000 0000
>0000 1010 . 0000 1010 . 0000 1010 .< 0000 0000
upvoted 1 times

The answer is Yes, Yes, Yes.
10.10.128.0/17 does NOT overlap with 10.10.10.0/24
upvoted 2 times
  Akhib 5 months, 3 weeks ago

First one is Yes. I tested this out in my lab just. I can create multiple subnets with /24 mask.
I created gateway Subnet with 10.10.10.248/29 and then i create subnets with /25 till /28 mask and it will not overlap. Please test this out
by yourself instead of speculating.
2 is Yes and 3 is Yes
upvoted 2 times

> I created gateway Subnet with 10.10.10.248/29 and then i create subnets with /25 till /28 mask and it will not overlap.
So you changed the configuration as described by the question. This is not valid, you're supposed to work with the setup as is, which
prevents you from creating a gateway subnet without shrinking the existing network. So first one is NO
upvoted 5 times
  Mercator 6 months, 1 week ago

I think you could create a secondary address space in vnet1 and then create the gateway subnet inside. So the answer to first question
would be yes.
upvoted 1 times

Can confirm from Whizlabs: N-Y-Y, you can't create a gateway subnet (which is required for vnet to vnet connection) for Vnet1 as all the
address space has been used for subnet 1
upvoted 3 times

Answer:
- No
- Yes
- Yes
upvoted 3 times

I love Bill Gates
upvoted 6 times

The answer is Y Y Y
Box 1 - VNET1 (10.10.10.1-10.10.10.254) / VNET2 (172.16.0.1-172.16.255.254)
Box 2 - same as above. No overlapping
Box 3 - VNET1 (10.10.10.1-10.10.10.254) / VNETA (10.10.128.1-10.10.255.254). No overlapping
upvoted 4 times

What are you using for a VPN subnet?
upvoted 3 times
  carsa81 9 months ago

The answer should be Y-Y-Y
upvoted 4 times

Tested N-Y-Y
upvoted 3 times
  jantoniocesargatica 9 months, 2 weeks ago

The answer is N-Y-Y.
There are 2 things only to consider in this question:
a) Can I create the gateway subnet for the VPN? No, because I took all ip addresses and I have no option to create a gateway subnet, as
has been commented by Thuncroow. First one is 'N' due to this.
b) For peering you only need that the Vnets do not overlap, so second and third are 'Y'.
upvoted 5 times
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an
Azure Load
Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.
You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.
You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You create an inbound security rule that denies all traffic from the 131.107.100.50 source and has a cost of 64999.
A. Yes
B. No
Correct Answer: B
Reference:
https://fastreroute.com/azure-network-security-groups-explained/
  IHensch Highly Voted  9 months ago

"Attach network interface" Button is enabeld! That means, VM is Stopped and deallocated!
upvoted 36 times

Very good observation !!!
upvoted 7 times

You want to establish a successful connection from 131.107.100.50 over TCP port 43, and the solution suggests to create a deny inbound
rule with low priority. It doesn’t make any sense.
Virtual machines in load-balanced pools: The source port and address range applied are from the originating computer, not the load
balancer. The destination port and address range are for the destination computer, not the load balancer.
AllowAzureLoadBalancerInBound: The AzureLoadBalancer service tag translates to the virtual IP address of the host, 168.63.129.16 where
the Azure health probe originates. Actual traffic does not travel through here, and if you don’t use Azure Load Balancing, this rule can be
overridden.
upvoted 26 times

The Load Balancer backend pool VMs may not be responding to the probes due to any of the following reasons:
- Load Balancer backend pool VM is unhealthy.
- Load Balancer backend pool VM is not listening on the probe port.

- Firewall, or a network security group is blocking the port on the Load Balancer backend pool VMs.
- Other misconfigurations in Load Balancer.
Note: Check if a Deny All network security groups rule on the NIC of the VM or the subnet that has a higher priority than the default
rule that allows LB probes & traffic (network security groups must allow Load Balancer IP of 168.63.129.16).
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-troubleshoot-health-probe-status
upvoted 5 times

Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#azure-platform-considerations
https://msazure.club/addendum-of-azure-load-balancer-and-nsg-rules
http://gowie.eu/index.php/azure/best-practice/23-nsg-best-practice
upvoted 4 times
  AbhiYad Most Recent  1 month, 2 weeks ago

There is no Public IP for VM2 to establish connection from external computer.
As rule already allows inbound connection, need to create Public IP for VM2 to facilitate connections.
upvoted 1 times

Correct answer: B
upvoted 2 times

No.
Rule BlockAllOther441 is blocking all the Inbound Traffic including Load Balancer traffic and hence the Load Balancer traffic is also not
reaching to access the App.
upvoted 1 times
  qyy 6 months, 4 weeks ago

ALB forwarded the request to VM1. VM1 should have a similar inbound rule configured.
upvoted 1 times

answer it would B for me. There is no Public IP address assigned, that means the VM is stopped and deallocated. We have to start first the
VM
upvoted 3 times
  taenoz 9 months, 2 weeks ago

Answer is B. There is no public IP assigned on the VM, how can an external connection from 131.107.100.50 to access the VM at all?
upvoted 2 times

in a lb you don't need the vm with public ip, you only need need that the lb can comunicate with the vm (blockallother rule deny
it).Maybe putting this rule the last one you have enough, or maybe deletting it
upvoted 4 times

yeah u corrected him right BUT there is one thing that bothering me
We know there are by default 3 rules in which the 2ns rule state that LB can communicate with appliances and other network . So
why we have to define it explicitly.
upvoted 1 times
  rreus 9 months, 2 weeks ago

It's B. You want to establish a connection, and the solution wants a deny rule.
upvoted 4 times

I would say B for me
upvoted 1 times
Azure Load
Balancer.
Solution: You delete the BlockAllOther443 inbound security rule.
A. Yes
B. No
Correct Answer: B
Reference:

B (100%)

Allow_131.107.100.50 rule has a higher priority (100) than BlockAllOther441 (200) and it allows inbound traffic over TCP 443 from source
131.107.100.50. App1 (VM1 and VM2) is in a VNet, so this rule applies. Unfortunately, we still cannot access App1, so the issue is
somewhere else, maybe the VMs are off, or the firewall is blocking it.
upvoted 26 times

It's a tricky question. It might also be YES.
The Load Balancer backend pool VMs may not be responding to the probes due to any of the following reasons:
- Load Balancer backend pool VM is unhealthy.
- Load Balancer backend pool VM is not listening on the probe port.
- Firewall, or a network security group is blocking the port on the Load Balancer backend pool VMs.
- Other misconfigurations in Load Balancer.
Note: Check if a Deny All network security groups rule on the NIC of the VM or the subnet that has a higher priority than the default
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-troubleshoot-health-probe-status
upvoted 11 times

also the destination is for virtual network only so its doesn't matter still wouldn't work
upvoted 1 times

Answer should be A (yes) I think. Because deleting rule BlockAllOther441, would cause default rule 65001 to allow the traffic from the
loadbalancer reach VM1/VM2
upvoted 22 times
  MichalGr 7 months ago

you could be right... I just wonder if there's a typo...
BlockAllOther441 [screen] / BlockAllOther443 [ans.]
upvoted 2 times

You could be right, its hard to tell (insufficient info). That rule could be blocking health probes as explained in a later discussion in the
series. It could also be that its off or something else blocking the connection.
upvoted 1 times

Question is ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
upvoted 1 times

An active "Attach network interface" suggests that VM2 is not running.
upvoted 2 times
  pino1 Most Recent  3 weeks, 6 days ago

Rule 'Blockallother441' blocks health probes, preventing the LB from verifying the state of the VMs. Once the rule is remove the health
probes will work and the load balancer will get back on its feet.
upvoted 1 times

Selected Answer: B
There are 2 reasons why access to app1 failed:
1)VM not started - this is obvious since 'attach network interface' is highlighted. But I don't think this is the point MS wants to test us.
2) Rule 'Blockallother441'. 'Allow_131.107.100.50' only allows traffic to reach LB(remember VM1 doesn't have public IP), but
'Blockallother441' doesn't allow traffic from LB to VMs.
So we have to remove 'Blockallother441'.
upvoted 1 times

Sorry, I just did a test, the second point I listed above is not accurate:
Rule 'Blockallother441' only blocks health probe, not block traffic from 131.107.100.50 since 'Allow_131.107.100.50' takes precedence.
upvoted 1 times
  pino1 3 weeks, 6 days ago

Rule 'Blockallother441' blocks health probes, preventing the LB from verifying the state of the VMs. Once the rule is removed, the
health probes will work and the load balancer will get back on its feet.
upvoted 1 times
  JavedF 2 months, 1 week ago

Selected Answer: B
Need to focus on VM..."Attach network Interface", this option is ONLY ENABLE when VM is Stopped, Hence in this scenario VM2 is stop and
that's why Rule 100 is not working , otherwise Rule 100 will work...hence all 3 ANS is No..and this one also NO.
upvoted 2 times

PS. If it was 'delete BlockAllOther441', then this is really a test to see if you understand LB > VM traffic flow and where the firewall sits.
upvoted 1 times

There is no BlockAllOther443 rule - it's not a typo as the exhibit is a screenshot. It's a Microsoft lets-see-if-you're-sober question.
upvoted 1 times

The Answer for This Question just need attention. Read: "You delete the BlockAllOther443 inbound security rule", but the name of the Rule
is BlockAllOther441 on Port 443, there no Rule called "BlockAllOther443". Correct Answer is NO.
upvoted 3 times
  michaelknight 4 months ago

Answer is Yes.
Rule BlockAllOther443 has higher priority than AllowAzureLoadBalancerInbound rule, therefore it blocks all 443 traffic. When this rule is
removed, traffic from Load Balancer is allowed.

With all traffic blocked on port 443 Load Balancer won't be able to send health probes and it will mark VM as unhealthy.
All Load Balancer health probes originate from the IP address 168.63.129.16 as their source. You can use IP address space inside of a VNet
that is not RFC1918 space. Using a globally reserved, Microsoft owned IP address reduces the chance of an IP address conflict with the IP
address space you use inside the VNet. This IP address is the same in all regions and does not change and is not a security risk because
only the internal Azure platform component can source a packet from this IP address.
The AzureLoadBalancer service tag identifies this source IP address in your network security groups and permits health probe traffic by
default.
upvoted 2 times

Answer : B "NO"
the destination is for virtual network only so its doesn't matter still wouldn't work
upvoted 1 times

Yes.
Rule BlockAllOther441 is blocking all the Inbound Traffic including Load Balancer traffic and hence the LoadBalancer traffic is also not
Delete the Rule and the inbound traffic will be allowed.
upvoted 2 times

It may be but our task is to enable traffic over TCP from 131.107.100.50 and allow is already having high priority than the deny rule.
Moreover the current NSG is attached to Subnet and not on the VM.
upvoted 1 times
  s9p3r7 8 months, 1 week ago

you can completely remove the LB from the equation when evaluating this rule, just saying!
upvoted 1 times
  sagag 8 months, 1 week ago

No one sees the rule name is BlockAllOther441???
upvoted 5 times
  IHensch 9 months ago

"Attach network interface" Button is enabeld! That means, VM is Stopped and deallocated!
-B
upvoted 16 times

that is the correct answer
upvoted 1 times
  wooyourdaddy 8 months, 1 week ago

I noticed that the same 3 questions in a row have the same image, doesn't make sense they would have 3 questions with the same
image and same answer. I wonder if that image means anything in regards to the answer?
upvoted 1 times

Doubt they'll give you all 3 variations of this same question in the actual exam
upvoted 2 times
  hgdlyl 8 months, 3 weeks ago

you are smart. so the answer should be B
upvoted 3 times

I think answer is correct, B (no). The rule Allow_131.107.100.50 has a higher priority and it allows inbound to the vnet. App1 (VM1 and
VM2) is in a vnet, so this rule applies. Still, we cannot access App1, so the issue is something else, maybe the VMs are off or the firewall is
blocking it.
upvoted 14 times

You have forgotten that there is a Load Balancer. If the Load Balancer rules are not working you will never reach the destination. So
that is the reason why is not reaching with the Deny rule. Once you remove it, it will work, so answer is A.
upvoted 5 times

I think Marcellov is correct. The question states that: "You need to ensure that connections to App1 can be established successfully
from 131.107.100.50 over TCP port 443."
Rule nr 100 should have been enough to allow the locadbalancer to work (access the APP using port 443)
The reason it is not working is something completely else that inaccurately configured NSG rules. for example: firewall rules or the
VMs being shut down. So removing rule 200 is not going to help solving the issue.
upvoted 2 times
  ronsav80 9 months ago

But rule 100 ONLY allows access from 131.107.100.50. Rule 200 will block all 443 traffic from EVERY other IP address, including
internal, so wouldn't rule 200 be blocking 443 from the LB to VM2 as well?
upvoted 1 times

I'm sorry, You might be right. There is actually a rule called: AllowAzureLoadBalancerInbound with the piority 65001, which I thinks
might not be taking effect, because of the rule with priority 200.
upvoted 3 times
  pitIOuStou 9 months, 1 week ago

marcellov is wrong. The correct answer is YES.
upvoted 1 times

Answer is A.If the first two rules to read are Allow_13_107_100_50 and AllowVnetInbound the lb can access completly to the vm's
upvoted 1 times
  rreus 9 months, 2 weeks ago

B Is correct. There is no allow from any source rule if the deny any rule is deleted.
upvoted 1 times

default rule 65001 will allow the traffic
upvoted 2 times
Azure Load
Balancer.
Solution: You modify the priority of the Allow_131.107.100.50 inbound security rule.
A. Yes
B. No
Correct Answer: B
The rule currently has the highest priority.
Reference:

Allow_131.107.100.50 rule has a higher priority (100). The issue is not related with the priority of the rule.
upvoted 16 times
  Dalias Highly Voted  9 months, 2 weeks ago

Answer is correct.
Current rule is already at the highest priority.. i hope such questions appear in the exams to take away some of the stress.
upvoted 15 times
  MrAzureGuru Most Recent  3 months, 1 week ago

Beware that "You modify the priority" can also mean increasing the number, not just decreasing (as other questions usually demand you
do).
upvoted 2 times

As observed by IHensch in the 2 previous questions, the VM is stopped ("Attach network interface" is enabled). So unless the VM is started
nothing will change.
upvoted 4 times

No.
Rule BlockAllOther441 is blocking all the Inbound Traffic including Load Balancer traffic and hence the LoadBalancer traffic is also not

upvoted 2 times
  kerker 7 months, 2 weeks ago

VM is not running
So Start the vM
:))
upvoted 8 times

Allow_131.107.100.50 already has the highest priority so making this higher will have zero effect.
upvoted 1 times

An active "Attach network interface" suggests that VM2 is not running.
upvoted 4 times

answer is correct.
upvoted 1 times
Solution: You assign a built-in policy definition to the subscription.
A. Yes
B. No
Correct Answer: B
Reference:
  STH Highly Voted  1 year, 7 months ago

there is no such built-in policy (yet), that is why we need a custom one
upvoted 56 times

Exactly. I will memorise ALL of the built-in policies to ensure I am well prepared for the MS exam.
upvoted 30 times

lol... too funny.
upvoted 3 times
  zzzzzz12345 5 months, 2 weeks ago

MS almost leads everyone to cheating with exam-dumps, I see no other reasonable way of understanding questions like this :)
upvoted 14 times
I cannot agree you more!
upvoted 3 times

Not sure what you are referring to ..There are many Built-in Policy Definitions for you to choose from. Sorting by Category will help you
locate what you need..
I'd say ans: B, too - as a custom policy would be required for specific ports.
upvoted 5 times

agreed, if there is no device drivers [for winmodem for example], write it yourself [true unixway] ))
upvoted 1 times

resources.
Reference:
upvoted 22 times

I would have answered A here. Thank heavens I have spent time going through these. So there's no such a built-in role huh?! :)
upvoted 3 times

Me too...
upvoted 1 times

Hello STH, Well done for the clarification
upvoted 1 times

Sorry ignore previous
No is answer
when NSG is created the default NSG rule will NOT permit any traffic between 2 different VNETs . unless you peer the networks or create
VPN gateway
upvoted 3 times

No is correct!
when NSG is created the default NSG rule will NOT permit any traffic between 2 different VNETs So i think that the answer to All Q in this
series is YES. unless you peer the networks or create VPN gateway
upvoted 2 times

Answer B. is correct. You need to create a custom policy
upvoted 4 times

again, when NSG is created the default NSG rule will NOT permit any traffic between 2 different VNETs So i think that the answer to All Q in
this series is YES. unless you peer the networks or create VPN gateway between them, they will NOT be able to Talk to each other
upvoted 3 times
  Laurent_Byanjira 1 year ago

AllowVNetInBound
ALLOWVNETINBOUND
Priority Source Source ports Destination Destination ports Protocol Access
65000 VirtualNetwork 0-65535 VirtualNetwork 0-65535 Any Allow
I think you are not right. This default rule will allow Vnet to communicate by default
upvoted 1 times

You need to use a custom policy definition.
upvoted 11 times

You plan to deploy an Azure Kubernetes Service (AKS) cluster to support an app named App1. On-premises clients connect to App1 by using the
IP address of the pod.
For the AKS cluster, you need to choose a network type that will support App1.
What should you choose?
A. kubenet
B. Azure Container Networking Interface (CNI)
C. Hybrid Connection endpoints
D. Azure Private Link
Correct Answer: B
With Azure CNI, every pod gets an IP address from the subnet and can be accessed directly. These IP addresses must be unique across your
network space.
Incorrect Answers:
A: The kubenet networking option is the default configuration for AKS cluster creation. With kubenet, nodes get an IP address from the Azure
virtual network subnet. Pods receive an IP address from a logically different address space to the Azure virtual network subnet of the nodes.
Network address translation (NAT) is then configured so that the pods can reach resources on the Azure virtual network.
C, D: AKS only supports Kubenet networking and Azure Container Networking Interface (CNI) networking
Reference:
https://docs.microsoft.com/en-us/azure/aks/concepts-network

Answer is correct "B". To have previously reserved IP address for a certain Pod, you should use Azure Container Networking Interface (CNI)
upvoted 45 times
  zzzzzz12345 5 months, 2 weeks ago

The answer for this question is "B", correct.
However, in real world, this is many times seen as a bad-practice: in k8s you should prefer connect to "services" instead of "pods-ips".
Very bad practice...
upvoted 7 times

Correct Answer: B
upvoted 21 times

upvoted 2 times

Correct answer: B
upvoted 7 times

B is correct
upvoted 2 times

With Azure CNI, every pod gets an IP address from the subnet and can be accessed directly.
upvoted 5 times

CNI is correct
upvoted 2 times

In AKS, you can deploy a cluster that uses one of the following two network models:
Kubenet networking - The network resources are typically created and configured as the AKS cluster is deployed.
Azure Container Networking Interface (CNI) networking - The AKS cluster is connected to existing virtual network resources and
configurations.
upvoted 12 times

✑ Name: LB1
✑ Type: Internal
✑ SKU: Standard
Solution: You disassociate the public IP address from the network interface of VM2.
A. Yes
B. No
Correct Answer: B

A (100%)

You can only attach virtual machines that have a standard SKU public IP configuration or no public IP configuration. All IP configurations
must be on the same virtual network.
ALso, VMs do not have to be powered on when adding them to a backend pool.
So answer should be A (Yes)

upvoted 54 times

That's what I thought!
upvoted 1 times

upvoted 37 times

It's valid, because:
LB1: Standard SKU
VM1: No public IP
VM2: No public IP
upvoted 18 times
  KelvinTan 6 months, 1 week ago

disassociate the public IP address from the network interface of VM2
upvoted 2 times
Selected Answer: A
My ans
upvoted 1 times

Selected Answer: A
Correct answer is A. VM2 is using a Basic SKU public IP address which is not compatible with a Standard ILB. Therefore you must remove
the public IP.
upvoted 1 times

Selected Answer: A
love this voting comment feature.
upvoted 1 times
  Aramis10 2 months ago

Selected Answer: A
Answer Yes
upvoted 1 times

Selected Answer: A
Answer Yes
There's 2 correct answers for this set of questions. Either both of them have to have standard SKU public IP address or neither of them!
upvoted 1 times

Selected Answer: A
Answer Yes
upvoted 1 times

Selected Answer: A
Answer is YES
upvoted 1 times
  Josty 2 months, 2 weeks ago

Selected Answer: A
Correct Answer: A
upvoted 2 times

Correct Answer: A
Explanation
You can only attach virtual machines in the same region and that have a standard SKU public IP configuration or no public IP
configuration. All IP configurations must be on the same virtual network.
upvoted 3 times

This is not entirely false. You do need to disassociate that IP but there are more steps. So, while this is a step in the right direction, it does
not yet help achieve the goal.
So the answer given is correct because you have to choose A or B. B is the answer
upvoted 3 times

Answer is YES
upvoted 3 times

Yes for sure.
upvoted 3 times
  r3tr0penguin 9 months ago

Why have a lot of wrong answers in this websites ? , it's understood for complicate or tricky question but this is honest and untrick one
why still wrong ?
upvoted 4 times

I honestly wasted money on this. I'm just grateful for this discussion group, otherwise this is digging your own grave if you don't study
and read these comments.
upvoted 4 times
  northgaterebel 4 months ago

Not a waste imo. You are supporting the site that has the most test dumps, all ad-free, plus discussion with highly learned people.
The admin cannot possibly know all the right answers. It's up to us to solve them. :-)
upvoted 1 times

The site admin should just remove the reveal solution button and we can discuss the answers rather. At least you will know what
you're getting into, and it will definitely improve the pass rate, because I can guarantee you that there are guys out there that wont
bother to read discussions and take the assigned answers as final.
upvoted 3 times

It's one of lifes many mysterys my learned friend....
upvoted 1 times

Answer is A (Yes) 100%. If there is no Public IP address associated in VM Backend pool, you will be able to add the VM to Backend Pool. I
would like to understan why people answer with incorrect solutions without testing. This does not benefit to this site and the responsibles
of this site would have to remove those answers which do not contribute. There are many confusing answers.
upvoted 32 times

answer is YES.- 100%
This will work. You don’t need to have a public IP address assigned to the load balancer to ensure it gets added to the backend pool of the
load balancer.
upvoted 3 times
Solution: You configure a custom policy definition, and then you assign the policy to the subscription.
A. Yes
B. No
Correct Answer: A
Reference:

resources.
Reference:
upvoted 33 times
  tuta Highly Voted  1 year, 2 months ago

given answer is correct
upvoted 15 times

I sure won't forget this one, ha!
upvoted 6 times

A is correct!
upvoted 8 times

Answer A. is correct. Custom policy is the key
upvoted 4 times

Correct
upvoted 3 times

Answer is correct
upvoted 3 times
You have two Azure virtual networks named VNet1 and VNet2. VNet1 contains an Azure virtual machine named VM1. VNet2 contains an Azure
virtual machine named VM2.
VM1 hosts a frontend application that connects to VM2 to retrieve data.
Users report that the frontend application is slower than usual.
You need to view the average round-trip time (RTT) of the packets from VM1 to VM2.
Which Azure Network Watcher feature should you use?
A. IP flow verify
B. Connection troubleshoot
C. Connection monitor
D. NSG flow logs
Correct Answer: C
The connection monitor capability monitors communication at a regular interval and informs you of reachability, latency, and network topology
changes between the VM and the endpoint
Incorrect Answers:
A: The IP flow verify capability enables you to specify a source and destination IPv4 address, port, protocol (TCP or UDP), and traffic direction
(inbound or outbound). IP flow verify then tests the communication and informs you if the connection succeeds or fails. If the connection fails,
IP flow verify tells you which security rule allowed or denied the communication, so that you can resolve the problem.
B: The connection troubleshoot capability enables you to test a connection between a VM and another VM, an FQDN, a URI, or an IPv4 address.
The test returns similar information returned when using the connection monitor capability, but tests the connection at a point in time, rather
than monitoring it over time, as connection monitor does.
D: The NSG flow log capability allows you to log the source and destination IP address, port, protocol, and whether traffic was allowed or denied
by an NSG.
Reference:

Correct Answer: C
Connection monitor lets you know the round-trip time to make the connection, in milliseconds. Connection monitor probes the
connection every 60 seconds, so you can monitor latency over time.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor
https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview
upvoted 38 times
  hstorm Highly Voted  1 year, 5 months ago

I was really not sure, but found this about connection monitor:
"Lets you know the round-trip time to make the connection, in milliseconds. Connection monitor probes the connection every 60 seconds,
so you can monitor latency over time."
So guess answer is right

upvoted 36 times
  areza Most Recent  1 month, 3 weeks ago

passed 902. this question in exam 29.12.21 - answer C
upvoted 2 times

Connection Monitor.
Please check this link:
upvoted 2 times

Answer is C
https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor-create-using-portal
The monitoring data includes the percentage of checks that failed and the round-trip time (RTT).
upvoted 2 times

C answer
upvoted 5 times

C
Ref: https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview
Jump to Create a connection monitor - Test section
upvoted 2 times

Answer C. seems to be correct. Although there is way to get latency on the Network Troubleshoot tool, you cannot get the "Average RTT"
as requested in the question statement
upvoted 2 times

For sure its C : Connection monitor.
Read the Question "You need to view the average round-trip time (RTT) of the packets from VM1 to VM2."
Only Tool that mentions RTT is Connection Monitor, even though that Connection Troubleshoot mentioning latency, it says nothing about
RTT.
Source :
https://azure.microsoft.com/es-es/blog/network-watcher-connection-troubleshoot-now-generally-available/
upvoted 3 times

Came in exam 1st Feb 2021. Selected A
upvoted 3 times

Wrong - P flow verify checks if a packet is allowed or denied to or from a virtual machine.
Source : https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview
upvoted 3 times

Monitor communication between VMs with the connection monitor capability of Network Watcher
https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor
upvoted 3 times
  heroofmightandmagic 1 year ago

simplest way to see RTT for traffic between two VMs is Connection Troubleshoot, answer B
Connection Monitor requires deploying additional resources and monitoring, so would be beyond the scope of the question
upvoted 2 times

Connection Monitor provides unified end-to-end connection monitoring capabilities in Azure Network Watcher for hybrid and Azure cloud
deployments.
upvoted 2 times
  DavidChin 1 year, 1 month ago

view the average round-trip time (RTT) of the packets from VM1 to VM2 => B
upvoted 1 times

Answer is correct. Connection Monitor.
upvoted 9 times

The connection monitor capability monitors communication at a regular interval and informs you of reachability, latency, and network
topology changes between the VM and the endpoint.
upvoted 3 times
  examexpert 1 year, 3 months ago

C. Connection Monitor Network Watcher Connection Monitor enables you to configure and track connection reachability, latency, and
network topology changes. If there is an issue, it tells you why it occurred and how to fix it.
upvoted 4 times
HOTSPOT -
You have an Azure subscription that contains the public load balancers shown in the following table.
You plan to create six virtual machines and to load balance requests to the virtual machines. Each load balancer will load balance three virtual
machines.
You need to create the virtual machines for the planned solution.
How should you create the virtual machines? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: be created in the same availability set or virtual machine scale set.
The Basic tier is quite restrictive. A load balancer is restricted to a single availability set, virtual machine scale set, or a single machine.
Box 2: be connected to the same virtual network
The Standard tier can span any virtual machine in a single virtual network, including blends of scale sets, availability sets, and machines.
Reference:
https://www.petri.com/comparing-basic-standard-azure-load-balancers

Correct.
upvoted 10 times
  HGD545 Highly Voted  4 months ago

Correct:
Standard SKU: any virtual machines or virtual machine scale sets in a single virtual network.
Basic SKU: Virtual machines in a single availability set or virtual machine scale set.
https://docs.microsoft.com/en-us/azure/load-balancer/skus>
upvoted 7 times
  googlearch Most Recent  1 month ago

The VMs should be in same VNet is applicable for both cases Basic nd standard LB, what a crap question
upvoted 3 times

passed 902. this question in exam 29.12.21 - answer C
upvoted 2 times
  cktck 1 month ago

XD??????
upvoted 3 times

What's the point of load balancing a single machine?
upvoted 1 times

There is no point which is why you wouldn't. But for a basic SKU load balancer it can only be attached to a single availability set. So you
would create an availability set, then when you create your VMs add them to that availability set. At which point, you can now load
balance multiple VMs with a Basic SKU availability set.
upvoted 1 times

You are NOT LOAD balancing single machine but a set of same machines that were created by scaling out due to LOAD. Just sayin'
upvoted 3 times
HOTSPOT -
You have an on-premises data center and an Azure subscription. The data center contains two VPN devices. The subscription contains an Azure
virtual network named VNet1. VNet1 contains a gateway subnet.
You need to create a site-to-site VPN. The solution must ensure that if a single instance of an Azure VPN gateway fails, or a single on-premises
VPN device fails, the failure will not cause an interruption that is longer than two minutes.
What is the minimum number of public IP addresses, virtual network gateways, and local network gateways required in Azure? To answer, select
the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: 4 -
Two public IP addresses in the on-premises data center, and two public IP addresses in the VNET.
The most reliable option is to combine the active-active gateways on both your network and Azure, as shown in the diagram below.
Box 2: 2 -
Every Azure VPN gateway consists of two instances in an active-standby configuration. For any planned maintenance or unplanned disruption
that happens to the active instance, the standby instance would take over (failover) automatically, and resume the S2S VPN or VNet-to-VNet
connections.
Box 3: 2 -
Dual-redundancy: active-active VPN gateways for both Azure and on-premises networks
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable
  Darkren4eveR Highly Voted  9 months ago

2
2
2
Appear in the Microsoft Exam Test Prep
upvoted 58 times
  magichappens 2 weeks ago

I also got these answers in my exam prep but I don´t get it. As you only need to deploy one virtual network gateway instance this is
very misleading. You even can´t deploy more that one per virtual network if I am not mistaken.
upvoted 2 times

I agree mostly, 2,2,2.
Details are here:
But the questions state failure of a single azure or local gateway. So we need to use "Dual-redundancy: active-active VPN gateways for
both Azure and on-premises networks". As best I can tell (because it is not explicit), we only need two public IP's on the premises
gateways. The reason for this being Azure will "dial out" or "connect" to the premises gateways, thus Azure not needing public IPs to
create the circuit. This should also be OK for the other requirements too.
upvoted 1 times

CHANGE MY MIND
Although after seeing this: https://azure.microsoft.com/en-gb/blog/vnet-peering-and-vpn-gateways/, which even for a vnet to vnet
vpn requires 2 ips (for a single ipsec gateway).
I am going to switch to 4,2,2
upvoted 1 times
  Gadzee 3 weeks, 6 days ago

4,2,2
Here you create and set up the Azure VPN gateway in an active-active configuration, and create two local network gateways and
two connections for your two on-premises VPN devices as described above. The result is a full mesh connectivity of 4 IPsec
tunnels between your Azure virtual network and your on-premises network.
All gateways and tunnels are active from the Azure side, so the traffic will be spread among all 4 tunnels simultaneously,
upvoted 1 times

What is the minimum number of public IP addresses, virtual network gateways, and local network gateways "required in
Azure"?
Only 2 in Azure.
upvoted 1 times

How could this be, if I have 2 times 2 Gateways I would need 4 public IP-Addresses, correct?
upvoted 1 times
  albertozgz 4 months, 1 week ago

" longer than two minutes", Thus, we dont need Active - Active, we are in "Multiple on-premises VPN devices", thus 2-2-2 is the correct
upvoted 4 times

As you can read at https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable:
"For planned maintenance, the connectivity should be restored within 10 to 15 seconds. For unplanned issues, the connection
recovery will be longer, about 1 to 3 minutes in the worst case."
So, with active/passive the connection recovery can take up to 3 minutes. We need and active/active scenario.
· 2 Public IPs
· 2 Virtual Gateways
· 2 Local Gateways
upvoted 3 times

Correct Answer:
The questions asks how many are required in Azure, so the on-premise ones should not be counted.
Box 1: 2
2 public IP addresses in the on-premises data center, and 2 public IP addresses in the VNET for the active-active. The most reliable option
is to combine the active-active gateways on both your network and Azure, as shown in the diagram below.
Box 2: 1
Every Azure VPN gateway consists of two instances in an active-standby configuration. For any planned maintenance or unplanned
disruption that happens to the active instance, the standby instance would take over (failover) automatically, and resume the S2S VPN or
VNet-to-VNet connections.
Box 3: 1
Dual-redundancy: active-active VPN gateways for both Azure and on-premises networks
upvoted 42 times
  yangxs 1 week, 5 days ago

I totally agree with you that "The questions asks how many are required in Azure, so the on-premise ones should not be counted."
Base on this box 3 should be 0 since it is not in Azure, but there is no such choice.
They should make the question/answer more clear.
upvoted 1 times
  tweedo 6 months, 1 week ago

2-1-2:
2 Public IP addresses (each Azure VPN gateway spawns 2 VPN endpoints, each with its own IP
1 - single Azure VPN gateway is redundant by default
2= two on-premise VPN devices are mentioned, and single local network gateway can only be set up with a SINGLE ip for on-premise
VPN device, two local network gateway are needed for redundancy.
upvoted 11 times
  Harshul 7 months, 3 weeks ago

It Should be 4-2-1
upvoted 1 times
  Harshul 7 months, 3 weeks ago

Sorry, It Should be 4-1-2
upvoted 3 times

Agree with you.
FOR IP Addresses: 2 for the VPN gateways and 2 for the local network gateways which are also configured in Azure - 2+2!
FOR VPN Gateways: 1 only - You specify inside the VPN Gateway that it is ACTIVE-ACTIVE
FOR LOCAL VPN Gateways: 2 - The local Gateways must be confired separately.
upvoted 2 times
  jeffdoc 3 months, 2 weeks ago

For the IP ADDRESS part, it mentions number of IPs "required in Azure". That would only mean 2 (one for each VPN gateway).
The other 2 public IPs on the on-prem/local gateways won't be required (as resources) on Azure per se although part of the
configuration.
upvoted 1 times
  darsy2001 8 months, 3 weeks ago

you are mixing active-active with active-standby in your explanation
upvoted 1 times

Should be 4-1-2!!
upvoted 1 times
  anikolov 1 month, 1 week ago

I believe that the answers are
3x Public IPs
1x Azure VPN GW (included Active/Standby instances)
2x Local Network GW (one for each HW device)
Architecture should be like mentioned on the link: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-

highlyavailable#multiple-on-premises-vpn-devices
upvoted 1 times

I think the correct answer is 2-2-2.
The question requires no longer than two minutes interruption if

1. An Azure VPN gateway fails or
2. Single on-premises device fails
In other word, it requires Dual-redundancy: active-active VPN gateways for both Azure and on-premises networks.
This implies redundancy for both Azure VPN gateway and on-premises VPN devices. As such, you would need two on-premises VPN
devices. Hence Box 3 is 2.
Single Azure VPN gateway only provides active-standby. For unplanned issues, the connection recovery will be longer, about 1 to 3
minutes in the worst case. This rules out single Azure VPN gateway. As such, you would need two Azure VPN gateways. Hence Box 2 is 2.
Each Azure VPN gateway needs 1 public IP. As such, you would need two public IP addresses in Azure . That is Box 1 – 2. (You would also
need two public IP addresses in on-premises VPN devices. The question asks what you need in Azure. )
Reference:
upvoted 3 times
  Brillianty 3 months, 1 week ago

Provided answer is correct 4,2,2
In Active/Active configuration, each Azure gateway instance will have a unique public IP address, and each will establish an IPsec/IKE S2S
VPN tunnel to your on-premises VPN device specified in your local network gateway and connection. Both VPN tunnels are actually part of
the same connection. You will still need to configure your on-premises VPN device to accept or establish two S2S VPN tunnels to those two
Azure VPN gateway public IP addresses. So we will need two public ip addresses for our Azure VPN gateways and two public addresses for
the on-premise networks, overall four public address are required.
upvoted 2 times
  Brillianty 3 months, 1 week ago

Reference- https://docs.microsoft.com/en-us/learn/modules/configure-vpn-gateway/11-determine-high-availability-scenarios?ns-
enrollment-type=LearningPath&ns-enrollment-id=learn.az-104-manage-virtual-networks
upvoted 1 times
  ejml 4 months, 4 weeks ago

is not possible two Gateways for virtual network... so, 2, 1, 2
upvoted 1 times

each Azure gateway instance will have a unique public IP address, and each will establish an IPsec/IKE S2S VPN tunnel to your on-premises
VPN device specified in your local network gateway and connection.
2-1-2 very clear in the documentation, just read:
upvoted 3 times

"When you connect multiple VPN devices from the same on-premises network to Azure, you need to create one local network gateway for
each VPN device, and one connection from your Azure VPN gateway to each local network gateway."
upvoted 1 times
  Junhui74 6 months, 3 weeks ago

from the reference below , the answer seem to be 1-1-2. The question asking for requirement in Azure. unless my interpretation is wrong.
ref: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable#activestandby
upvoted 1 times

I would go with 2-1-2 as well.
Active-Active require 2 IPs and 1 GTW.
And you would need 2 Local Gateways for redundancy.
upvoted 1 times

The correct answer is 212. By default Every Azure VPN gateway consists of two instances in an active-standby configuration so you don't
need two virtual network gateways. Please note that Azure VPN Gateway is a Virtual network gateway.
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-
vpngateways#:~:text=A%20VPN%20gateway%20is%20a,location%20over%20the%20public%20Internet.&text=Each%20virtual%20network
%20can%20have,to%20the%20same%20VPN%20gateway.
upvoted 3 times
  C6H6 7 months, 1 week ago

Your above links are so helpful and clearly elaborated ASIMIS. However the downtime required in this scenario is no more than
"2mins". The active-standby instance from Azure VPN GW recovers from "1 to 3mins" in worst case, which eliminate your option.
Answer is 2-2-2.
upvoted 3 times

Please read both links it will change your mind.
2-1-2 is the best answer to meet the "minimum number" NOTE Minimum
upvoted 1 times
  KarimaMaf 7 months, 4 weeks ago

2 => we need 2 public ip in azure (the question ask about azure not in on-prem)
2=>2 virtual network gateways for active/active
2=>Local network gateway cause we will use 2 vpn devices in on-prem and 2 vpn GW in azure
upvoted 11 times

In this configuration, each Azure gateway instance will have a unique public IP address. <<There's 2 instances, so "2".>>
The local network gateways corresponding to your VPN devices must have unique public IP addresses in the "GatewayIpAddress"
property. <<"public IP addresses" is plural, so "2">>
Total: 4.
Box 1: 4
Box 2: 2
Box 3: 2
upvoted 7 times

You are correct, It's funny how they say "In Azure" and ask for Local Network Gateways but whatever, right.
Public IP Addresses: 4 (one for each device sorta speak)

Virtual Network Gateways (In Azure): 2
Local Network Gateways (On Prem): 2
This is a Dual Redundancy active-active config as this will survive 1 failure from either on-prem or in Azure.
upvoted 4 times
  vharsh16 8 months, 2 weeks ago

2-2-2
we requires 4 Public ip, 2 on premises and 2 on azure. And question is asking:: in Azure.
upvoted 12 times

trick question.. Again.., is saying "Azure" as you mentioned but which are the "local" azure networks?
upvoted 4 times

The question is: What is the minimum number of public IP addresses, virtual network gateways, and local network gateways required in
Azure? Not clear what they mean by IN AZURE. There are no local network gateways in Azure. They are On-prem. So answer should be
zero. But that is not an option. So 2. But that means the other answers should also be for Azure and On-prem combined. So 4-2-2
upvoted 2 times

Local Gateway is created in Azure
upvoted 3 times

It says public IP in Azure so On Prem VPN device public IPs are not part of Azure. That means needs 2 public ips for VPN Gateway in active-
active mode. So right ans should be 2 IPs, 2 VGW, 2 Local gateway (As we have 2 VPN devices on-prem).
upvoted 1 times
You have an Azure subscription that contains two virtual machines as shown in the following table.
You perform a reverse DNS lookup for 10.0.0.4 from VM2.

Which FQDN will be returned?
A. vm1.core.windows.net
B. vm1.azure.com
C. vm1.westeurope.cloudapp.azure.com
D. vm1.internal.cloudapp.net
Correct Answer: B

D (100%)

Answer D
Tested in lab, and got vm1.internal.cloudapp.net.
upvoted 45 times
  t1ck3ts Highly Voted  9 months ago

Correct Answer: D
testadmin1@VMTEST1:~$ ping -c 5 VMTEST1

PING VMTEST1.qb3monnoaiyubgstehdkra0paa.ax.internal.cloudapp.net (10.0.0.4) 56(84) bytes of data.
64 bytes from vmtest1.internal.cloudapp.net (10.0.0.4): icmp_seq=1 ttl=64 time=0.013 ms
--- VMTEST1.qb3monnoaiyubgstehdkra0paa.ax.internal.cloudapp.net ping statistics ---

5 packets transmitted, 5 received, 0% packet loss, time 4073ms
rtt min/avg/max/mdev = 0.013/0.036/0.044/0.012 ms
testadmin1@VMTEST1:~$
upvoted 29 times
  Jitu1989 3 months ago

Thanks for response. Do you all use PAYG service or is there service provided like AWS for a year.
upvoted 1 times
  beem84 2 months, 2 weeks ago

Look up Azure pass or you can get a free account with 200USD credit which you can convert to PAYG after 30 days.Free account has
some restrictions but should be fine for labs.
upvoted 1 times
  JudeSharp Most Recent  4 weeks, 1 day ago

Answer should be D
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances#reverse-dns-
considerations
All PTR queries for IP addresses of virtual machines will return FQDNs of form [vmname].internal.cloudapp.net
upvoted 1 times
  fumeta 1 month ago

tem cenário na prova para testar isso ?
upvoted 1 times

Selected Answer: D
Correct answer D
upvoted 1 times
Selected Answer: D
Answer is D
upvoted 1 times

On exam 01.02.22
upvoted 1 times

Selected Answer: D
Answer is D
upvoted 1 times

Selected Answer: D
The answer is D, internal.cloudapp.net
upvoted 1 times

vm1.internal.cloudapp.net
upvoted 1 times

Selected Answer: D
Answer is D
upvoted 1 times
  Marciojsilva 2 months ago

Selected Answer: D
Answer D
upvoted 1 times

Selected Answer: D
Answer is D
upvoted 1 times

Selected Answer: D
Answer is D
upvoted 1 times

Selected Answer: D
Answer is D
upvoted 1 times

Selected Answer: D
Internal.cloudapp.net
upvoted 1 times
  mathewscott06 2 months, 3 weeks ago

Selected Answer: D
Right answer is D
upvoted 1 times
Azure Load
Balancer.
Solution: You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a cost of 150.
A. Yes
B. No
Correct Answer: A
Reference:

B (75%) A (25%)
  Bursuc03 Highly Voted  9 months ago

The rule with priority 200 blocks all inbound trafic. That involves the Azure Load Balancer health probe directed to the VM. That results in
VM2 being considered unhealthy and the LB does not route traffic to it (hence the issue). By placing a rule with the priority 150 that allows
the AzureLoadBalancer traffic tag, VM2 is discovered as functional/healthy, the LB directs traffic to it => problem solved.
upvoted 63 times

Thanks, true. The issue here is deeper than it looks and the issue is broken health probes by rule 200, you are right
upvoted 3 times

Very good, the first answer that explains the correct reason for the failure
upvoted 8 times
  biglebowski 7 months, 4 weeks ago

The question is about connections "from 131.107.100.50". Why do you try to fix it by adding LB traffic? We don't know the IP of LB.
Let's focus on 131.107.100.50 only.
upvoted 2 times

The load balancer is the reason the traffic is being blocked. Read the OP this chain replies to it explains it about as simply and
clearly as possible.
upvoted 2 times

The answer is correct. 1- The fact the VM2 is offline does not mean anything, question states App1 is hosted on VM1 too so we
can't assume both are offline (that's the exact reason a LB is deployed in the first place so you can shut down one VM and keep
services running). 2- The question is displaying the NSG (required if using LB) so we can verify the rules, it will show up the
same way if looked from VM1 so offline VM is irrelevant. 3- Rule 1 allows 443 from an specific IP, rule 2 deny all including LB 4-
its suggested by the question a new rule that will allow LB traffic on 443 as well, before the deny which makes the answer
correct. This could be done by moving rule 2 down just below the LB allow any rule.
upvoted 6 times

good explanation. However, my only confusion is why it mentioned a cost of 150.. I think, it's a typo and it meant to say "priority"
instead of "cost". If so, you perfectly explained the answer to this question. thanks!
upvoted 1 times
  darsy2001 Highly Voted  8 months, 3 weeks ago

the "attach network interface" button is available. I have tested this in lab and this button only appears clikable when the vm is stopped.
Should this be the problem in the whole series of questions?
upvoted 20 times
  mbravo 8 months, 2 weeks ago

"The effective network security configurations for VM2 are shown" - this doesn't mean that the NSG is attached to the VM. From the
show exhibit, it is clear that this NSG is attached to a subnet which renders your comment obsolete.
upvoted 2 times

why ? if VM is off no traffic is ever going to get there.
upvoted 2 times
  s9p3r7 8 months, 1 week ago

how so?! if the VM is powered off that mean the whole NSG rules stuff is misleading, the admin should start the VM before even
begin to start NSG rules evaluation
upvoted 6 times
  csgx Most Recent  3 days, 1 hour ago

Selected Answer: A
Reason: please refer to Aki110 comments.
upvoted 1 times
  Jvp21 2 weeks, 2 days ago

Selected Answer: B
No, the NIC is detached so the rules shown do not apply
upvoted 1 times

Selected Answer: B
NO! - With a NIC detached, no rule helps.
upvoted 2 times

NO! - With a detached NIC, no rule will help here.
upvoted 1 times
  VBS123 4 weeks, 1 day ago

I agree here on basis of priority 200 block connection which has least priority as compared to custom configuration with priority 150 so we
can go ahead with Yes
upvoted 1 times

The answer is YES , if a Deny All network security groups rule on the NIC of the VM or the subnet that has a higher priority than the default
upvoted 1 times

The virtual IP address 168.63.129.16 for the host tagged as the Azure infrastructure Load Balancer where the Azure Health Probes
originate. When configuring backend instances, they must allow traffic from this IP address to successfully respond to health probes,
when the new rule allows all the traffic,hope it can be accessible
upvoted 2 times
  Aki110 1 month, 1 week ago

Answer is yes.
Traffic flow is:
step1
External ips --> 131.107.100.50 (Load balancer external IP)
step2
load balancer --> backend pool
rule 100 - allows traffic up to public IP of Load balancer

rule 200 - is stopping all 443 traffic including the required flow in step2
by creating a rule with priority 150, it allows the load balancer to send traffic to the backend.
upvoted 2 times
  JavedF 2 months ago

"AzureLoadBalancer source and has a cost of 150" Focus on word COST..it should be Priority 150. Hence Answer is NO.
upvoted 3 times

Horrible question. We are told App1 is hosted on two machines and that connections are failing. We are given a screenshot that one of the
machines is turned off. Is the other machine also turned off? If both machines are turned off then no amount of rule changes will help. We
must turn at least one machine on for the load balancer to sent the traffic.
upvoted 3 times

With this type of question it seems as if the answer is a crap shoot so to say. From studies of this test and others, questions in this
format have a much higher percentage of being "No" than yes. I think I will just go with the odds of probability. Without further info we
are just guessing anyway.
upvoted 1 times

cost 150 => wrong
priority 150=> correct
upvoted 3 times

Its Priority 150, not cost 150 - Typo
upvoted 1 times

Update:
There's not a place where it states what 131.107.100.50 is. And please note that it says cost. Rule 100 is allowing connection from
131.107.100.50 to the virtual network and block anything else.
Question needs to be corrected.

upvoted 1 times

There's not a place where it states what 131.107.100.50 is. And please note that it says cost.
upvoted 1 times

Has a cost of 150?
upvoted 2 times
You have an Azure subscription that contains a policy-based virtual network gateway named GW1 and a virtual network named VNet1.
You need to ensure that you can configure a point-to-site connection from an on-premises computer to VNet1.
A. Add a service endpoint to VNet1
B. Reset GW1
C. Create a route-based virtual network gateway
D. Add a connection to GW1
E. Delete GW1
F. Add a public IP address space to VNet1
Correct Answer: CE
C: A VPN gateway is used when creating a VPN connection to your on-premises network.
Route-based VPN devices use any-to-any (wildcard) traffic selectors, and let routing/forwarding tables direct traffic to different IPsec tunnels. It
is typically built on router platforms where each IPsec tunnel is modeled as a network interface or VTI (virtual tunnel interface).
E: Policy-based VPN devices use the combinations of prefixes from both networks to define how traffic is encrypted/decrypted through IPsec
tunnels. It is typically built on firewall devices that perform packet filtering. IPsec tunnel encryption and decryption are added to the packet
filtering and processing engine.
Incorrect Answers:
F: Point-to-Site connections do not require a VPN device or a public-facing IP address.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/create-routebased-vpn-gateway-portal https://docs.microsoft.com/en-us/azure/vpn-
gateway/vpn-gateway-connect-multiple-policybased-rm-ps
  MikeHugeNerd Highly Voted  1 year, 6 months ago

Answer in proper order: E, C
upvoted 31 times

Correct Answer: C and E
upvoted 23 times

passed 902. this question in exam 29.12.21
upvoted 4 times
  Eltooth 3 months ago

Answer C + E.
Policy based VPN Gateway do not support P2S connections.
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-skus-legacy#config
upvoted 6 times
  diotmac 5 months ago

Answer is C and E. "You can only use PolicyBased VPNs for S2S connections, and only for certain configurations. Most VPN Gateway
configurations require a RouteBased VPN." https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-
settings
upvoted 3 times

Route based VPN Gateway is required for P2S VPN. Each virtual network can have only one VPN gateway.
upvoted 1 times

"The VPN type you select must satisfy all the connection requirements for the solution you want to create. For example, if you want to
create a S2S VPN gateway connection and a P2S VPN gateway connection for the same virtual network, you would use VPN type
RouteBased because P2S requires a RouteBased VPN type" https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-
gateway-settings
upvoted 6 times

Ans: C, E
E - Delete GW (policy based)
upvoted 7 times

Answer is correct since P2S VPN requires the Route-based GW
upvoted 4 times

I still don't know why I have to delete the GW1. Does that automatically exist in order for me to delete it? I am so confused here.
upvoted 3 times

You can only have 1 VPN gateway in your network.
upvoted 5 times

I'm not 100% sure, but I would presume because you are now using a route based gateway that the current policy based gateway can
be deleted
upvoted 3 times

Create a virtual network gateway using the following values:
Name: VNet1GW
Region: East US
Gateway type: VPN
VPN type: Route-based
SKU: VpnGw1
Generation: Generation1
Virtual network: VNet1
Gateway subnet address range: 10.1.255.0/27
Public IP address: Create new
Public IP address name: VNet1GWpip
Enable active-active mode: Disabled
Configure BGP: Disabled
upvoted 2 times

Policy-based vs. route-based VPN devices differ in how the IPsec traffic selectors are set on a connection:
Policy-based VPN devices use the combinations of prefixes from both networks to define how traffic is encrypted/decrypted through IPsec
tunnels. It is typically built on firewall devices that perform packet filtering. IPsec tunnel encryption and decryption are added to the
packet filtering and processing engine.
Route-based VPN devices use any-to-any (wildcard) traffic selectors, and let routing/forwarding tables direct traffic to different IPsec
tunnels. It is typically built on router platforms where each IPsec tunnel is modeled as a network interface or VTI (virtual tunnel interface).
RouteBased VPN Gateway

VpnGw1, VpnGw2, VpnGw3, VpnGw4, VpnGw5
upvoted 5 times

policy based VPN doesnt support P2S connection. So it has to be route based VPN. therefore deleting GW1 is right option .
upvoted 2 times

Answer is correct. C & E .
Based on the answers above.
upvoted 9 times

Can I have Site-to-Site and Point-to-Site configurations coexist for the same virtual network?
Yes. For the Resource Manager deployment model, you must have a RouteBased VPN type for your gateway. For the classic deployment
model, you need a dynamic gateway. We do not support Point-to-Site for static routing VPN gateways or PolicyBased VPN gateways.
upvoted 2 times
  chenmat 1 year, 2 months ago

Ans: C, E
E - Delete GW (policy based)
upvoted 10 times

The policy or traffic selector for route-based VPNs are configured as any-to-any (or wild cards).
policy-based (static-routing)
upvoted 3 times
HOTSPOT -
You have an Azure subscription that contains the resources in the following table:
In Azure, you create a private DNS zone named adatum.com. You set the registration virtual network to VNet2. The adatum.com zone is
configured as shown in the following exhibit:
Hot Area:
Correct Answer:
Box 1: No -
Azure DNS provides automatic registration of virtual machines from a single virtual network that's linked to a private zone as a registration
virtual network. VM5 does not belong to the registration virtual network though.
Box 2: No -
Forward DNS resolution is supported across virtual networks that are linked to the private zone as resolution virtual networks. VM5 does belong
to a resolution virtual network.
Box 3: Yes -
VM6 belongs to registration virtual network, and an A (Host) record exists for VM9 in the DNS zone.
By default, registration virtual networks also act as resolution virtual networks, in the sense that DNS resolution against the zone works from
any of the virtual machines within the registration virtual network.
Reference:
  Borbz Highly Voted  1 year, 2 months ago

I think the Answer is correct.
NO, NO, YES.
the second answer is NO because VM5 belongs to Vnet1 and the DNS is registered to Vnet2 therefore VM5 cannot reach the DNS service.
upvoted 59 times
  Skankhunt 1 year, 2 months ago

Agreed, there is no mention of Vnet peering, thus we can assume the two Vnet's is not connected.
upvoted 10 times

Correct Answer:
VNet1 (NOT A Registration Netvork) : VM5

VNet2 (IS A Registration Netvork) : VM1, VM6 and VM9
So here we go:
1. VM5 is in VNet1 - answer is NO.

3. VM6 is in VNet2 - answer is YES.
upvoted 36 times
  spoondev1 Most Recent  3 months ago

Is this not a AZ303 question?
upvoted 1 times

In my opinion Answer is:
NO: Since no mention that the private DNS zone is connected to VNET1. Thus VM5 will not be registered automatically in the adatum.com
zone.
NO: Same rationale. Since it's not mentioned the VNET1 is linked to private zone, hence VM5 will not be able to ressolve VM9.adatum.com
YES: Since VM6 is part of VNET2 and VNET has auto-registeration of DNS enabled on this zone which means VNET2 is linked to this private
Zone, hence it can ressolve all the records populated in this zone.
upvoted 1 times

upvoted 3 times

upvoted 2 times

Why don't you appoint yourself as official moderator?
upvoted 6 times

I think No, No, No
1. VM5 is in Vnet1
2. VM2 is in Vnet1
3. V9 record already exists
upvoted 1 times

So why does that make 3 No? Please explain your logic
upvoted 2 times

NO,NO,YES
Answers are correct: To resolve the records of a private DNS zone from your virtual network, you must link the virtual network with the
zone. Linked virtual networks have full access and can resolve all DNS records published in the private zone. VNet1 is not linked to the
Private DNS, so cannot resolve
upvoted 9 times
  johanc68 7 months ago

How do you know that VNET1 is not linked as a resolution virtual network only? It's not stated in the question I believe.
upvoted 1 times

ZUMY is correct have a look at this link below
https://docs.microsoft.com/en-us/azure/dns/private-dns-getstarted-portal
upvoted 2 times

Answers are correct: To resolve the records of a private DNS zone from your virtual network, you must link the virtual network with the
zone. Linked virtual networks have full access and can resolve all DNS records published in the private zone. VNet1 is not linked to the
Private DNS, so cannot resolve
upvoted 2 times

This seems pretty simple.
How I see it.
VNet1 (NOT A - Registration Netvork) : VM5

VNet2 (IS A - Registration Netvork) : VM1, VM6 and VM9
So here we go:

3. VM6 is in VNet2 - answer is YES.
upvoted 24 times
  mhmyz 1 year, 1 month ago

No,Yes,Yes
Hostname resolution between virtual networks. Unlike Azure-provided host names, private DNS zones can be shared between virtual
networks. This capability simplifies cross-network and service-discovery scenarios, such as virtual network peering.
upvoted 1 times
  leaderbud 1 year ago

For the second answer, VM5 does not connect to the VNET2 where the DNS is registered. As per your link: 'To resolve the records of a
private DNS zone from your virtual network, you must link the virtual network with the zone.' So, you must have a connection to the
Private DNS Zone still to resolve hostname. The line you highlighted just mentioned that it is possible to share a Private DNS zone
among VNETs so in case of VNET peering (which is NOT the case here), you can use that Private DNS Zone for resolution with VNETs
being peered (but at least one connected to the Private DNS Zone). Again, here no VNET peering.
upvoted 2 times

Answer is correct No, No, yes
upvoted 12 times
  Justin0020 1 year, 2 months ago

No, Yes, Yes
upvoted 4 times
  Kiluminati 1 year, 2 months ago

whats the answer to this question?
upvoted 1 times
  nzwasp 1 year, 2 months ago

I think that the question is missing a bunch of info - we don't have enough context to understand what needs to be done.
upvoted 6 times
HOTSPOT -
You have an Azure subscription that contains the virtual networks shown in the following table.
The subscription contains the private DNS zones shown in the following table.
You add virtual network links to the private DNS zones as shown in the following table.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links https://docs.microsoft.com/en-us/azure/dns/private-dns-
autoregistration
  az_21 Highly Voted  7 months, 3 weeks ago

A virtual network can be linked to private DNS zone as a registration or as a resolution virtual network.
Registration virtual network:

A private DNS zone can have multiple registration virtual networks. However, every virtual network can only have one registration zone
associated with it.
Resolution virtual network:

One private DNS zone can have multiple resolution virtual networks and a virtual network can have multiple resolution zones associated
to it.
1. Yes
No registration zone for VNET2.
2. Yes
A virtual network can have multiple resolution zones associated to it.
3.Yes
No registration zone for VNET2.
upvoted 46 times

Sorry I don't agree.
ref: https://docs.microsoft.com/en-us/azure/dns/private-dns-autoregistration
1. Yes - "When you link a virtual network with a private DNS zone with this setting enabled", suggested is needs to be done when
created, but you could recreate the link to do it.
2. No - "A specific virtual network can be linked to only one private DNS zone when automatic VM DNS registration is enabled", so if
auto VM enabled only one zone.
3. No - as above, only one zone with Auto VM, although technically you could delete the other link and it would then work, but that
seems out the scope of the question.
Again another somewhat poorly written question. But I would say Yes, No, No.
upvoted 2 times
  az4o2n 1 week, 3 days ago

I think this solution is wrong, the question laid emphasis on virtual network not vm. az_21 is making sense. read
upvoted 1 times
  giggsie 2 months, 2 weeks ago

Tested this in Lab and it works.
upvoted 4 times
  hercu 6 months ago

Correct and well written.
upvoted 2 times
  mashk19 Highly Voted  8 months, 1 week ago

1. Yes
2. Yes. You can link VNET1 to Zone3.com A private DNS zone can have multiple registration virtual networks. However, every virtual
network can only have one registration zone associated with it.
3. No. Auto registration is already enabled on Zone 1. When you add a link from VNET2 to Zone
upvoted 40 times

3. Yes. Going by (2), a zone can have multiple registrations while a VNET can have only one. So VNET2 can register to Zone 1.
upvoted 4 times
  ppp131176 8 months ago

For 2. are you sure? shouldn't this be no? Wouldn't zone3 be the second registration zone?
upvoted 6 times

No, because zone 3 does not have autoregistration enabled, so this would be a resolution zone not a registration zone
upvoted 2 times

The 3rd question must be yes. after adding the 3rd question to the existing list looks below:
Link1 - Zone1 - VNET1 - Yes
Link2 - Zone2 - VNET2 - No
Link3 - Zone3 - VNET3 - No
Link4 - Zone1 - VNET2 - Yes
This is the definition for "Registration virtual network"

point 1- A private DNS zone can have multiple registration virtual networks.
point 2- However, every virtual network can only have one registration zone associated with it.
Link1 and Link4 satisfies the point1 and point2

point1 - Zone is having multiple registration virtual networks like VNET1, VNET2
point2 - VNET2 is not associated with any other zone registered.
Link2 has VNET2 but that is a resolution not a registration
So answer must be Y Y Y
upvoted 9 times
  fedev21 Most Recent  2 weeks ago

Tested in lab: Yes, Yes, Yes
upvoted 1 times
  abbas19 3 weeks, 1 day ago

Failed to create virtual network link
Failed to create virtual network link 'test6'. Error: A virtual network can only be linked to 1 Private DNS zone(s) with auto-registration
enabled; conflicting Private DNS zone is 'xxxxxxxx.co.uk'.
upvoted 1 times
  amiri7171 3 weeks, 3 days ago

Tested in lab:
1. Yes - We can enable auto registration for Link2, each vNet can set to auto-register in only 1 Private zone, thus same vNet can be
associated to different Private DNS zones, but can be assign as Auto-Register in only 1 vNet.
2. Yes - Same vNet can be associated to more than 1 Private DNS zone.
3. Yes - Same vNet can be associated to more than 1 Private DNS zone, and because VNET2 is assign to Zone2.com with Disabled Auto
Registration , VNET2 Auto Registration on Zone1.com can be enabled.
Good Luck All In The Exam :)

Mine is in 31.1.22. Hope to not visit this questions again.
upvoted 3 times
  Mayank1988 3 weeks, 1 day ago

Good luck for the exam :)
upvoted 1 times

correct answer is y-y-y
upvoted 1 times

Registration virtual network:
A private DNS zone can have multiple registration virtual networks. However, every virtual network can only have one registration zone
associated with it.
Resolution virtual network:

One private DNS zone can have multiple resolution virtual networks and a virtual network can have multiple resolution zones associated
to it.
so the correct answer :

YES
YES
YES
upvoted 1 times

The correct answer for this is Yes Yes Yes.
upvoted 1 times
  Shnash 1 month, 3 weeks ago

1. Yes.
2. Yes.
3.Yes.
Resource: Virtual Networks Links per private DNS zones with auto-registration enabled
Limit: 100
Resource: Number of private DNS zones a virtual network can get linked
Limit: 1000
Resource: Number of private DNS zones a virtual network can get linked to with auto-registration enabled
Limit: 1
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-dns-limits
upvoted 3 times

I'm sticking with YYY on this one. Got no time to understand and test it as today is my exam.
upvoted 3 times
  ShanYuen 2 months, 1 week ago

Tested.
box1: Y (will be No if there is another link with auto registration enabled to vnet2 / box3 with error conflicting Private DNS zone is
'zone1.com'.)
box2: Y
box3: Y (will be No if auto registration in link2 at box1 still enabled because link2 using vnet2 with this error: A virtual network can only be
linked to 1 Private DNS zone(s) with auto-registration enabled; conflicting Private DNS zone is 'zone2.com'.)
The Private DNS Zone is global and not bound to a location.

After you create a private DNS zone in Azure, you'll need to link a virtual network to it.
Once linked, VMs hosted in that virtual network can access the private DNS zone.
A specific virtual network can be linked to only one private DNS zone when automatic VM DNS registration is enabled. You can, however,
link multiple virtual networks to a single DNS zone.
Reference:
upvoted 4 times

Due to the restriction: https://docs.microsoft.com/en-us/azure/dns/private-dns-autoregistration
"A specific virtual network can be linked to only one private DNS zone when automatic VM DNS registration is enabled. You can, however,
link multiple virtual networks to a single DNS zone"
1 - Yes
2.- No. since Vnet1 already is already linked to Zone1 and enabled auto-registration, it cannot be linked to Zone3
3. No. Since Vnet2 is already linked to Zone2 already, it can be linked to Zone1, but cannot enable Auto-registration
upvoted 3 times

Sorry, 1 should be 'No' due to the restriction:"A specific virtual network can be linked to only one private DNS zone when automatic VM
DNS registration is enabled"
Answer should be No, No, No
upvoted 1 times

It's Y Y Y if each question is taken separately, or Y Y N* if you do actions step by step. Tested on Azure.
If you first enable auto reg for link2, then you will fail with adding VNET2 to Zone1.com and enable auto reg, as it already has auto reg
with Zone2.com with first "YES".
WIth the way question is formulated, can't really tell what MS wants us to answer.
upvoted 1 times

Yes, Yes, Yes.
Labtested, please ignore my previous comment. early i mentioned No, because i have enabled autoregistration for Link2 as part of first Q.
If we consider changes made as part of Q1 then it should be Yes,Yes,No. Because a virtual n/w can only be linked with one private DNS
zone with auto-registration enabled.
upvoted 1 times

Correct Ans:
Yes, Yes, No
Lab tested.
The last one is No because of autoregistration. As VNET1 to Zone1.com is already have autoregistration enabled we can't create another
link with autoregistration enabled for Zone1
upvoted 1 times
  Timock 3 months ago

1. No: You would have to delete and recreate the link because like most Azure objects you cannot enable or add anything after the fact.
When creating a link between a private DNS zone and a virtual network you have the option to enable autoregistration. With this setting
enabled, the virtual network becomes a registration virtual network for the private DNS zone. A DNS record gets automatically created for
any virtual machines you deploy in the virtual network. DNS records will also be created for virtual machines already deployed in the
virtual network.
2. No: You can create only one link between a private DNS zone and a virtual network. VNET1 already has a link.
3. No: You can create only one link between a private DNS zone and a virtual network. VNET2 already has a link.
https://docs.microsoft.com/en-us/azure/dns/private-dns-virtual-network-
links#:~:text=%20What%20is%20a%20virtual%20network%20link%3F%20,deployed%20using%20classic%20deployment%20model%20isn
%27t...%20More%20
upvoted 3 times
  vestibule 3 months, 1 week ago

3. is a NO for me.
According to RTFM : https://docs.microsoft.com/bs-latn-ba/azure/dns/private-dns-autoregistration#restrictions
A specific virtual network can be linked to only one private DNS zone when automatic VM DNS registration is enabled. You can, however,
link multiple virtual networks to a single DNS zone.
As VNET2 is already linked to Zone2, you cannot link it to Zone1 AND enable auto-reg WHILE it is still linked to Zone2.
upvoted 1 times
HOTSPOT -
You plan to use an Azure Resource Manager template to deploy a virtual network named VNET1 that will use Azure Bastion.
How should you complete the template? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Reference:
https://medium.com/charot/deploy-azure-bastion-preview-using-an-arm-template-15e3010767d6
  dookiecloud Highly Voted  8 months, 3 weeks ago

answer is correct
+ Subnet Name AzureBastionSubnet
AzureBastionSubnet addresses A subnet within your VNet address space with a /27 subnet mask. For example, 10.1.1.0/27.
https://docs.microsoft.com/en-us/azure/bastion/quickstart-host-portal
upvoted 28 times
  rigonet Highly Voted  3 months, 2 weeks ago

This question is outdated.
At this very moment you can read at documentation:
+ Subnet Name | AzureBastionSubnet
AzureBastionSubnet addresses | A subnet within your VNet address space with a subnet mask /26 or larger.
For example, 10.1.1.0/26.
upvoted 9 times

Correct. Have just gone to create a new Bastion resource in my lab. This info message is given:
To associate a virtual network with a Bastion, it must contain a subnet with name AzureBastionSubnet and a prefix of at least /26.
Also see documentation here:

https://docs.microsoft.com/en-gb/azure/bastion/quickstart-host-portal
For Azure Bastion resources deployed on or after November 2, 2021, the minimum AzureBastionSubnet size is /26 or larger (/25, /24,
etc.). All Azure Bastion resources deployed in subnets of size /27 prior to this date are unaffected by this change and will continue to
work, but we highly recommend increasing the size of any existing AzureBastionSubnet to /26 in case you choose to take advantage of
host scaling in the future.
upvoted 2 times

Question is outdated - READ IMPORTANT SECTION IN LINK: https://docs.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links
upvoted 1 times

Correct answer:
- AzureBastionSubnet
- 10.1.1.0/27
upvoted 7 times
  Exam_khan 6 months, 1 week ago

Azure Bastion will always need to be called AzureBastionSubnet and this is not changeable and Bastion needs /27 too
upvoted 4 times
  forrestwanderer 8 months ago

Need at least /27 or higher subnet for Azure bastion. So if the option of /25 /26 if it was there would have done okay as long as its not
overlapping with the vlan subnet which /25
upvoted 5 times

https://docs.microsoft.com/en-us/azure/bastion/tutorial-create-host-portal#createhost
+Subnet and create a subnet using the following guidelines:
The subnet must be named AzureBastionSubnet.

The subnet must be at least /27 or larger.
upvoted 3 times
You manage a virtual network named VNet1 that is hosted in the West US Azure region.
VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.
You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.
Solution: From Azure Network Watcher, you create a packet capture.
A. Yes
B. No
Correct Answer: B
Use the Connection Monitor feature of Azure Network Watcher.
Reference:
https://azure.microsoft.com/en-us/updates/general-availability-azure-network-watcher-connection-monitor-in-all-public-regions/

A (100%)
  mashk19 Highly Voted  8 months, 1 week ago

If you initiated a packet capture from VM1 to VM2 and ran a capture for three hours, wouldn't you have file which contained all traffic
between VM1 and VM2?
upvoted 20 times

Ans is YES.
upvoted 1 times

yes you would, considering you didn't specify any filtering which is optional.
upvoted 3 times

Yes exactly
upvoted 2 times

No
Should use connection monitor for a period of time

upvoted 13 times
  loganharris 8 months ago

this link supports yes. links to more information about packet capture
upvoted 4 times
  saleta Most Recent  2 weeks, 1 day ago

Selected Answer: A
should be A!
upvoted 1 times

After capturing all the packets, you can definitely examine the traffic.
YES is the answer!
upvoted 1 times

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-manage-portal
correct answer is A(Yes)

upvoted 1 times

Selected Answer: A
The correct answer is Yes. Running a packet capture would capture all the traffic between those VMs for 3 hours. This satisfies the goal
and because the question states that we need to be able to 'inspect' the traffic. This would require packet capture.
There is also available another feature in network watcher though called Network Connection Monitor that would help you monitor the
traffic between two devices but not inspect.
upvoted 3 times
  Taku 1 month, 1 week ago

how practical is to run a PCAP for 3hours ,the amount of data capture can collapase the storage.
upvoted 2 times
  Sothuballs 1 month, 3 weeks ago

Selected Answer: A
Packet capture can satisfy the requirement
upvoted 1 times
  Bialguos 2 months, 1 week ago

the answer is A.) Yes
upvoted 1 times

should be YES
- Packet capture is the Network Watcher tool that allows you to capture traffic for a period of time so that you can analyze the packets, not
determine the traffic that is allowed or denied inbound or outbound from a VM.
upvoted 1 times
  scrummyegg 3 months, 3 weeks ago

I am vengeance. + the answer is A.) Yes
upvoted 2 times
  GepeNova 4 months, 1 week ago

Yes is correct
Azure Network Watcher - Packet Capture track traffic from and to VM using advance filters you can set time limit.
upvoted 2 times

Yes
upvoted 1 times

The answer here says No, but really it is not completely false. You can inspect your traffic with packet monitor. But there's a feature that
was designed for this in Network Watcher: Connection monitor.
That's what they are trying to establish in my opinion, that you know that you can monitor traffic with connection for a specific period
from Connection Monitor. Packet capture doesn't quite do the job as easy.
upvoted 2 times
  Loi2525 7 months, 1 week ago

With the word 'inspect' answer should be yes as stated in MS docs:
Packet capture helps to diagnose network anomalies both reactively and proactively.
upvoted 1 times

I would go with A - Yes.
Network Watcher variable packet capture allows you to create packet capture sessions to track traffic to and from a virtual machine.
Packet capture helps to diagnose network anomalies both reactively and proactively. Other uses include gathering network statistics,
gaining information on network intrusions, to debug client-server communications and much more.
Ref # https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview
upvoted 8 times
  nicknamefordiscussionsonly 7 months, 3 weeks ago

"Connection Monitor allows you to monitor connectivity and latency between a VM and another network resource."
"Packet Capture enables you to capture all traffic on a VM in your virtual network."
https://docs.microsoft.com/en-us/azure/network-watcher/frequently-asked-questions
guess answer is NO
upvoted 3 times

Keyword here is: INSPECT traffic, meaning check packets, sniff traffic = Packet Tracer
Answer is: YES - Period
upvoted 5 times
Solution: From Azure Network Watcher, you create a connection monitor.
A. Yes
B. No
Correct Answer: A
Reference:

B (100%)
  Deevine78 Highly Voted  8 months ago

No.
We need to inspect all the network traffic "from" VM1 "to" VM2 and not between the 2 VMs.
Even if we were using Connection monitor, this one would inspect only network traffic over a specific port.
And for a period of 3 hours, packet capture session time limit default value is 18000 seconds or 5 hours.
upvoted 24 times
  ShaulSi 3 months ago

I have checked this and indeed connection monitor setup asks you for port and indeed the question asks you for all traffic.
upvoted 6 times

Yes
upvoted 6 times

It's no, the question says that we need to inspect all the network traffic. This doesn't allow for that. Packet Capture does however.
upvoted 2 times
  Fulforce Most Recent  1 month ago

Selected Answer: B
Incorrect. Question specifies that you need to inspect the packets. Correct Answer B
upvoted 2 times
  NinjaPenguin 1 month, 4 weeks ago

It's NO. Question is "You need to inspect all the network traffic from VM1 to VM2 for a period of three hours." per
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview "he connection monitor capability
monitors communication at a regular interval and informs you of reachability, latency, and network topology changes between the VM
and the endpoint." This does NOT capture all traffic, just checks it at intervals.
upvoted 1 times

Answer is No.
Azure Network Watcher - Connection Monitor analyze connectivy-related metrics only.
upvoted 2 times

No.
The keyword is 'inspect', which you will not find in the connection monitor documents. You will find this word used to describe packet
captures here:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-deep-packet-inspection
upvoted 3 times
Yes
The Connection Monitor feature in Azure Network Watcher is now generally available in all public regions. Connection Monitor provides
you RTT values on a per-minute granularity. You can monitor a direct TCP connection from a virtual machine to a virtual machine, FQDN,
URI, or IPv4 address.
upvoted 1 times
  Tisi 7 months, 1 week ago

B. No - With Packet capture, You can Set a time constraint on the packet capture session. The default value is 18000 seconds or 5 hours.
upvoted 1 times

Connection monitor requires Network Watcher extension installed on VM (which is not mentioned). Traffic inspection happens at the
packet level. The Packet Capture can be filtered by source and/or destination IP and also limited by a specific time frame < 5 hours. So with
the information given (filter VM1 to VM2 traffic) and limit to less than 5 hours (3 hours) gives the only correct option for this series: Packet
Capture.
upvoted 3 times

I would go with B - No.
Network Watcher variable packet capture allows you to create packet capture sessions to track traffic to and from a virtual machine.
Packet capture helps to diagnose network anomalies both reactively and proactively. Other uses include gathering network statistics,
gaining information on network intrusions, to debug client-server communications and much more.
Ref # https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview
upvoted 2 times

Answer is: No - need to use packet capture for this
upvoted 3 times
  scuar 7 months, 3 weeks ago

https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor#create-a-connection-monitor This uses Port configuration,
not all network traffic.
Answer No.
upvoted 2 times
  Curiousity 7 months, 4 weeks ago

Yes
For a period of time - Connection Monitor
Pasting discussion of another question
Network Watcher - a Suite of tools offering but not limited to the following
* Connection Monitor - latency and network issues with IaaS devices over a PERIOD OF TIME
* Connection troubleshoot - latency and network issues with IaaS devices ONE-TIME
* IP Flow - latency and network issues at the VM LEVEL
* Network Performance Monitor - latency and network issues in hybrid, ON-PREM, across environments
upvoted 6 times

keyword here is "ALL network traffic" not "regular interval", so the answer is packet capture.
upvoted 4 times
  Seyf 8 months, 1 week ago

No
topology changes between the VM and the endpoint.
upvoted 4 times
  yuvraj404 8 months, 2 weeks ago

yes
Connection monitor is used for packets, RTT, etc
upvoted 4 times
Solution: From Performance Monitor, you create a Data Collector Set (DCS).
A. Yes
B. No
Correct Answer: B
Use the Connection Monitor feature of Azure Network Watcher.
Reference:

B (100%)
  SilverFox22 Highly Voted  4 months, 2 weeks ago

At least we can agree that this one is No :)
upvoted 13 times
  Wilchelm 2 weeks, 5 days ago

laughed on that :D
upvoted 1 times

Me too. This were exactly my thoughts. :)
upvoted 1 times
  ScreamingHand Highly Voted  8 months, 1 week ago

Nice try, but no banana. You need the trusty Connection Monitor in this scenario
upvoted 6 times

Sorry, my cocky answer above is incorrect, - Connection Monitor will only inspect traffic on a specific port, - we need Packet Capture, -
which will capture all traffic
upvoted 22 times

Selected Answer: B
Here it is a definitive NO! ... hopefully :)
upvoted 1 times

upvoted 2 times

Performance Monitor and a Data Collector Set huh. RIP Windows Server 70-410.
upvoted 4 times
  AravindITGuy 8 months, 2 weeks ago

Answer No - Connection monitor is used for packets, RTT, etc
upvoted 1 times
DRAG DROP -
You need to load balance HTTPS connections to vm1 and vm2 by using lb1.
Select and Place:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-standard-public-zone-redundant-portal
  Aymenwerg Highly Voted  4 months, 3 weeks ago

The Answer is correct :
Create a backend pool.
Create health probes.
Create a load balancer rule.
upvoted 10 times

That is not the answer provided, and your answer is wrong (the one provided is correct).
1 is remove the Public IPs (basic IP's can't be used with a standard LB). Also a pool is only NEEDED for a basic LB.
2. and 3. are correct.
2. Create a health probe

3. Create a lb rule.
upvoted 5 times
  Fulforce Highly Voted  1 month, 2 weeks ago

Answer is correct:
1) Remove the Public IP addresses. They are basic Public IPs and we're using a Standard Load Balancer which aren't compatible.
2) Create a backend pool and health probes.
3) Create a load balancer rule.
upvoted 9 times

Answer is correct
upvoted 2 times

Regarding availability set - you can only add a VM into an availability set when the VM is being created, you cannot add a VM into an
availability set after the VM is created.
upvoted 2 times

I forgot to post the link:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/change-availability-
set#:~:text=A%20VM%20can%20only%20be,both%20Linux%20and%20Windows%20VMs.&text=If%20your%20VM%20is%20attached,scr
ipt%20to%20handle%20that%20case.
upvoted 1 times
  Invisired 3 months, 1 week ago

Create Availability Set - to acomotade vms
Health probes
Load Balancer rule
upvoted 1 times

The given answer is correct. No need for Availability Set since LB1 is a Standard Load Balancer, and Standard LBs can balance traffice to
VMs that are in the same vNET. Availability Set is needed only for Basic Load Balancers
upvoted 4 times
  ppavank06 4 months ago

correct
upvoted 1 times
  nirujogi 4 months, 3 weeks ago

Correct
upvoted 1 times
Solution: From Azure Monitor, you create a metric on Network In and Network Out.
A. Yes
B. No
Correct Answer: B
Reference:

B (100%)
  pappkarcsiii 2 weeks, 1 day ago

Selected Answer: B
You use the Packet Capture, not Connection Monitor nor Network watcher
upvoted 1 times
  Lincoln01 3 weeks, 1 day ago

This is not right. Should be the connection Monitor feature of the Network watcher.
upvoted 1 times
  MrBlueSky 1 month, 2 weeks ago

God bless all you people putting the wrong answers on these so we can have people confidently correct you.
upvoted 3 times

As described here:
Network Watcher packet capture allows you to create capture sessions to track traffic to and from a virtual machine.
upvoted 4 times
  Aymenwerg 4 months, 3 weeks ago

Need to use connection monitor
upvoted 3 times

nope, you create a packet capture.
upvoted 28 times
Azure Load
Balancer.
Solution: You create an inbound security rule that denies all traffic from the 131.107.100.50 source and has a priority of 64999.
A. Yes
B. No
Correct Answer: B
Reference:

Correct answer: B
upvoted 7 times
  Zarzi Highly Voted  3 months, 2 weeks ago

i'm not a robot
upvoted 5 times
  JJoh Most Recent  1 week, 1 day ago

The screen cap already work, you do not need to do anythings
upvoted 1 times
  hberesford 1 month, 2 weeks ago

you need to change the priority of the inbound rule
upvoted 1 times

I mean the priority should not be 6995
upvoted 1 times

64999 it should be 150
upvoted 1 times
  SK_2_SK 2 months, 1 week ago

Answer is No. You need to start VM.
upvoted 1 times

Answer is correct :
No.
upvoted 3 times
DRAG DROP -
You have an Azure subscription that contains two om-premises locations named site1 and site2.
You need to connect site1 and site2 by using an Azure Virtual WAN.
Select and Place:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-site-to-site-portal
  Sirkhunz Highly Voted  4 months, 2 weeks ago

Doing my AZ-104 this month, please pray for me
upvoted 16 times
  bogard 4 months ago

did you pass?
upvoted 2 times

We need to know! :-)
upvoted 3 times
  nimeshabhinav 1 month, 2 weeks ago

If he is not back to this site, he passed the exam 😊
upvoted 19 times
  j777 1 day, 14 hours ago

You got that right lol
upvoted 1 times

good look for me tomorrow
upvoted 2 times

**luck
upvoted 2 times

Correct answer:
1. Create Azure Virtual WAN

2. Create Virtual Hub
3. Create VPN sites
4. Connect VPN sites to virtual hub
upvoted 8 times

upvoted 2 times
  practical_93 6 days, 3 hours ago

Looks like you got all the 341 questions on your exam. I see your comment on every single question lol
upvoted 3 times

Correct Answer.
Kind of tricky is that the remaining action "Connect a VNet to a hub" is also part of the Azure Virtual WAN setup, but it would definitely go
after the others, and question asks for the first four...
upvoted 1 times
  ron_azenkot 1 month ago

i have my exam tommmorow lets hope the comments here are correct becuase i went by them
upvoted 1 times

Yes answer is correct
1. Create Azure Virtual WAN
2. Create Virtual Hub
3. Create VPNs for 2 sites
4. Connect 2 sites vpns to virtual hubs
Arquitecture shown in this URL help me to understand better. https://docs.microsoft.com/en-us/azure/virtual-wan/migrate-from-hub-
spoke-topology
upvoted 5 times

Answer is correct, according to the link provided.
upvoted 1 times
HOTSPOT -
You have an Azure subscription that contains the virtual networks shown in the following table.
You have the virtual machines shown in the following table.
You have the virtual network interfaces shown in the following table.
Server1 is a DNS server that contains the resources shown in the following table.
You have an Azure private DNS zone named contoso.com that has a virtual network link to VNET2 and the records shown in the following table.
Hot Area:
Correct Answer:
  speed2fast Highly Voted  4 months, 3 weeks ago

Solution seems wrong. Should be No/Yes/No (not tested)
No: Server2 uses Server1 for DNS. Server1 has no host2.contoso.com record for 131.107.50.50. It would work if VNET1 hat a virtual
network link to the private zone contoso.com.
Yes: Server2 uses Server1 for DNS. Server1 has a host1.contoso.com record for 131.107.10.15
No: Server3 uses 10.10.0.4 as DNS (inherited from VNET2). 10.10.0.4 (Server1) has no record for host2.contoso.com. The virtual network
link for the private zone contoso.com on VNET2 won't be used since the DNS from VNET1 is set on VNET2. VNET1 DNS is not aware of the
private zone contoso.com. It would work if VNET1 had a virtual network link to the private zone contoso.com.
upvoted 32 times

I agree with this. The answer should be No, Yes, No.
upvoted 1 times
  csm198611 3 months, 3 weeks ago

Same results as my labs.
upvoted 5 times

I got the same thing
upvoted 3 times

How Server3 uses 10.10.0.4 for DNS Server!? Could you explain, please? For NIC3 we have DNS settings "Inherit from virtual
network". In addition Server3 is in VNET2. VNET2 is linked to the private zone contoso.com which has a record for
host2.contoso.com. So Server3 would be able to resove it. I think the 3th is YES!
N-Y-Y
upvoted 13 times

Vnet2 has DNS 10.10.10.4 configured. Unless forwarder on this DNS configured to Azure (and we don't have this info), the linked
private zone will not have an effect
upvoted 3 times

VNET2 don't have 10.10.10.4 as DNS server. That DNS server is of NIC2, which belong to VNET1. VNET2 is linked to
private.contoso.com, which as a record for host2.contoso.com. Hence it should resolve.
upvoted 2 times

Alex-p I can see where you are coming from
upvoted 1 times
  slimshady Highly Voted  4 months, 2 weeks ago

I just tested this for myself, results were:
server 2 resolve host2.contoso.com - NO - only host1 exists in the server1-hosted DNS zone, so cannot resolve - and setting server2 to use
server1 as a DNS server means it does not use any other DNS servers.
server 2 resolve host1.contoso.com - YES to the server1 hosted DNS address ie. 131.107.10.15
server3 resolve host2.contoso.com - YES to the Azure hosted DNS address ie. 131.107.50.50.
server3 can also resolve host1.contoso.com to the Azure hosted DNS address (of course).
hope this helps :)
upvoted 16 times
  slimshady 4 months, 2 weeks ago

actually I just noticed after reading the comments again that i forgot to set the server1 DNS server on VNET2 - when i did this and
updated the servers, server3 could no longer resolve host2.contoso.com as it was using the server1 hosted DNS server. so i say the
answer is NO-YES-NO
upvoted 10 times

slimshady, in your test, have you peered the vnet's?. Thanks
upvoted 1 times

upvoted 3 times

I agree with this. The answer should be No, Yes, No.
upvoted 1 times

NO Server2 --> NIC2 ---> VNET1 --> DNS setting on NIC2 is 10.10.0.4 "DNS server1"
YES Server2 --> NIC2 ---> VNET1 --> DNS setting on NIC2 is 10.10.0.4 "DNS server1"
YES Server3 --> NIC3 ---> VNET2 --> DNS settings on Virtual network "virtual link with Azure Private DNS"
upvoted 2 times

No (server2 has NIC2 that using internal dns to resolve)
Yes (server2 has NIC2 that using internal dns to resolve)
No (server3 has NIC3 that connect to VNET2, and custom dns applied to VNET2, so server3 resolving using internal dns)
upvoted 2 times
  alihk79 2 months, 2 weeks ago
N/Y/N
Tested
upvoted 3 times
  yoelalan14 2 months, 2 weeks ago

Box 1: NO. Server2 uses Server 1 for DNS. Server1 resolves to host1, not host2.
Box 2: YES. Server2 uses Server1 for DNS. Server1 resolves to host1.
Box 3: NO. Server3 uses 10.10.0.4 (Server1) as DNS. Server1 has no record for host2.contoso.com
upvoted 3 times

Y-N-Y
server2 uses the records in 10.10.0.4 because NiC2 said that.
Server3 uses the records linked to VNET2 because it is inherit the records in 10.10.0.4
So the questions are solved using the last table (host1 and host2)
in my opinion....
upvoted 1 times
  danito 2 months, 4 weeks ago

please don't take into account my comment I didn't understand the tables, so the answer is:
N-Y-N
upvoted 2 times
  Ash3250 3 months, 4 weeks ago

Fabylande,, What was your Answer
upvoted 2 times

upvoted 4 times

Hahaha..nobody knows
upvoted 5 times
  breakerboyz09 4 months, 2 weeks ago

NO NO YES
First 2 answers: NIC DNS takes precedence
3rd answers: Server 3 inherits VNET DNS and NIC DNS is not setup
upvoted 3 times

I think the answer is Y Y Y
VNET1 peers with VNET2 and vice versa basically, all resources should be able to see each other.
according to this reference :
Server2 will query server1 1st for DNS resolution, if Server1 cannot resolve the query the next hop will be the gateway, which will use the
azure provided DNS and will get the answer from there, which is 131.107.50.50 for host2.
Since server1 has an A record for host1, it will resolve the IP 131.107.10.15 for host1.
Server3 should get DNS resolution from the azure provided DNS server for host2 which would resolve to 131.107.50.50
That's how I understand it. maybe there are better explanations out there.
upvoted 5 times
  imrans 2 months, 2 weeks ago

I believe it should be N-Y-N. The link below says Peering is not recognized for Private DNS zone
DNS Private Zones are not supported across VNET Peering. However a DNS Private Zone can be linked to multiple virtual network which
allows you to provide the same DNS records across mulitple virtual networks.
Now since private DNS Zones are only available within a virtual network it means that you can define any type of DNS Zone and attach
it to the virtual network. For instance you can use Microsoft.com as a DNS private Zone
https://msandbu.org/architecture-of-azure-private-dns-and-name-lookup-in-azure/
Hope this helps or suggest if wrong.
upvoted 1 times

I think so
upvoted 1 times
  Charlie2019 4 months, 3 weeks ago

should be: yes, no, no
upvoted 3 times
You have a virtual network named VNet1 as shown in the exhibit. (Click the Exhibit tab.)
No devices are connected to VNet1.

You plan to peer VNet1 to another virtual network named VNet2. VNet2 has an address space of 10.2.0.0/16.
You need to create the peering.
A. Modify the address space of VNet1.
B. Add a gateway subnet to VNet1.
C. Create a subnet on VNet1 and VNet2.
D. Configure a service endpoint on VNet2.
Correct Answer: A
The virtual networks you peer must have non-overlapping IP address spaces. The exhibit indicates that VNet1 has an address space of
10.2.0.0/16, which is the same as VNet2, and thus overlaps. We need to change the address space for VNet1.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-constraints
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq

A (100%)

Correct. Modify the address space of VNET1, since it'd be overlapping with the one of VNET2 if you don't.
upvoted 17 times
  Efficia Most Recent  2 weeks, 2 days ago

Selected Answer: A
Correct Answer: A
The virtual networks you peer must have non-overlapping IP address spaces.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-constraints
upvoted 1 times

upvoted 3 times

Correct A
Both VNETs have the same address space
upvoted 1 times
You have the Azure virtual machines shown in the following table.
VNET1 is linked to a private DNS zone named contoso.com that contains the records shown in the following table.
You need to ping VM2 from VM1.

Which DNS names can you use to ping VM2?
A. comp2.contoso.com and comp4.contoso.com only
B. comp1.contoso.com, comp2.contoso.com, comp3.contoso.com, and comp4.contoso.com
C. comp2.contoso.com only
D. comp1.contoso.com and comp2.contoso.com only
E. comp1.contoso.com, comp2.contoso.com, and comp4.contoso.com only
Correct Answer: B
Reference:
https://medium.com/azure-architects/exploring-azure-private-dns-be65de08f780 https://simpledns.plus/help/dns-record-types

C (100%)

Correct Answer C: comp2.contoso.com only
A record: Is used to map a DNS/domain name to an IP
Ref:https://www.cloudflare.com/learning/dns/dns-records/dns-a-record/
TXT records in a lot of cases get used to prove ownership of a domain, it has other purposes too.
Reference:
https://support.google.com/a/answer/2716800?
hl=en#:~:text=TXT%20records%20are%20a%20type,and%20to%20ensure%20email%20security.
PTR: A Reverse DNS lookup is used by remote hosts to determine who 'owns' an IP address.
Reference:
https://www.mailenable.com/kb/content/article.asp?ID=ME020206
CNAME records get used to redirect a DNS name or subdomain name to another DNS name or domain name or subdomain name.
reference: https://support.dnsimple.com/articles/cname-record/
It would do good to read up on DNS record types and what they are used for, you will be lost if you don't have a basic understanding of it.
https://ns1.com/resources/dns-types-records-servers-and-queries
DNS is a key component In the IT field.
I hope this info will help.
upvoted 36 times

So agree man! you just reminded me to review DNS and DNS alone.
upvoted 1 times
  slimshady Highly Voted  4 months, 2 weeks ago

tested this, i say it is C - comp2.contoso.com ONLY. i created each of the records in my Azure DNS zone, a TXT record is not resolvable, an A
record is resolvable, the CNAME is pointing to comp1 which again is not resolvable, and the PTR record should be an IP to a name, when i
created the PTR record it wanted me to enter a domain name eg. contoso.com, not an IP address but i put the IP address in anyway, and it
did not resolve. So i say it is C - comp2 ONLY
upvoted 14 times

good testing thx
upvoted 1 times
  Empel Most Recent  4 days, 23 hours ago
Selected Answer: C
Correct Is C
upvoted 1 times

upvoted 2 times

a Respota é B
upvoted 1 times

Selected Answer: C
Correct answer is C. Comp2 only
upvoted 2 times

Selected Answer: C
C ONLY
upvoted 1 times

Selected Answer: C
C - comp2.contoso.com only
upvoted 2 times

Selected Answer: C
Correct Answer C: comp2.contoso.com only
upvoted 2 times

Correct Answer: C
upvoted 8 times
  Madhavc 3 months, 1 week ago

C is correct answer.
tested Results:
root@VM1:~# ping comp1.contoso.com
ping: comp1.contoso.com: No address associated with hostname
root@VM1:~#
PING comp2.contoso.com (10.0.0.5) 56(84) bytes of data.
64 bytes from vm2.internal.cloudapp.net (10.0.0.5): icmp_seq=1 ttl=64 time=1.74 ms
64 bytes from vm2.internal.cloudapp.net (10.0.0.5): icmp_seq=2 ttl=64 time=1.81 ms
--- comp2.contoso.com ping statistics ---

2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.742/1.776/1.811/0.034 ms
root@VM1:~#
root@VM1:~#
ping: comp3.contoso.com: Name or service not known
root@VM1:~#
root@VM1:~#
ping: comp4.contoso.com: No address associated with hostname
root@VM1:~#
upvoted 5 times

The question asks you need to ping vm2 from Vm1.So with ping and not with ping -a
Only the a record is working. Tested too.. So the correct answer is C 1000%
upvoted 1 times

Answer is C. a PTR record is a reserve lookup from IP, it's not how you would ping the device by name.
a TXT cannot be used to ping and CNAME resolves to different device
upvoted 1 times

networks have full access and can resolve all DNS records published in the private zone. You can also enable autoregistration on a virtual
network link. When you enable autoregistration on a virtual network link, the DNS records for the virtual machines in that virtual network
are registered in the private zone. When autoregistration gets enabled, Azure DNS will update the zone record whenever a virtual machine
gets created, changes its' IP address, or gets deleted.
upvoted 1 times

Wrong Answer
Record type TXT pointing to 10...5 is not valid I think, so CNAME pointing to TXT record is also not valid.
In this case only comp2 and comp4 (ptr)
upvoted 1 times

why B and why C?
upvoted 1 times

All four DNS entries resolve back to VM2. All four entries are listed in answer B. The answer C adds “only” to the end as if the other 3
entries did not exist. That makes C an incorrect answer.
upvoted 2 times

Answer is B.
upvoted 5 times
HOTSPOT -
You have a network security group (NSG) named NSG1 that has the rules defined in the exhibit. (Click the Exhibit tab.)
NSG1 is associated to a subnet named Subnet1. Subnet1 contains the virtual machines shown in the following table.
You need to add a rule to NSG1 to ensure that VM1 can ping VM2. The solution must use the principle of least privilege.
How should you configure the rule? To answer, select the appropriate options in the answer area.

Hot Area:
Correct Answer:
Reference:
https://www.thomasmaurer.ch/2019/09/how-to-enable-ping-icmp-echo-on-an-azure-vm/
  speed2fast Highly Voted  4 months, 3 weeks ago

Answer is wrong. We need to undo the DENY_PING rule with the principle of least privilege.
Direction: Outbound
Source 10.1.0.10 (VM1)
Destination: 10.1.0.11 (VM2)
Priority: 110
upvoted 104 times

This is what I had in mind. I thought I'm going nuts when I saw the answer. Admin should change it.
upvoted 5 times
  Fananico 3 months, 2 weeks ago

I test it your answer is current
upvoted 2 times

What about inbound? Keep the rest the same.
upvoted 1 times

Both the VMs are from the same Vnet. So inbound is allow by default within the n/w.
upvoted 2 times

The inbound/outbound threw me a bit as well. "rules in inbound direction affect traffic that is being initiated from external sources,
such as the Internet or another VM, to a virtual machine. Outbound security rules affect traffic sent from a VM." The ICMP traffic is
being sent from VM1, so outbound.
upvoted 4 times

I was thinking the same. The given answer threw the least privilege out of window.
upvoted 3 times

Correct answer:
Direction: Outbound
Source 10.1.0.10 (VM1)
Priority: 110
the given solution is not correct.
upvoted 13 times

What about inbound? Keep the rest the same.
upvoted 1 times
  yolap31172 1 week, 5 days ago

Since VM1 and VM2 are in the same subnet, NSG would apply both inbound and outbound rules to traffic. Your inbound rule could
let the ICMP request reach VM2, but existing outbound rule would prevent it from going out of VM1 in the first place.
Having an outbound rule with priority 110 overrides the existing Deny rule.
upvoted 1 times

upvoted 2 times
  KamalB 1 month ago

Answer is correct. Since this is within subnet. So least privilege includes the entire subnet.
upvoted 1 times
  Zubaer 1 month, 3 weeks ago

why Priority is 110???
can you explain
upvoted 1 times
  MAB3030 1 month, 2 weeks ago

because, in the rule, ICMP DENIED has a 100 Priority
upvoted 1 times
  Jay0401 2 months ago

Was on exam 17.12.2021.
upvoted 2 times
I would think this question is not valid, or the question should be changed 'nsg is applied to VM1', instead of 'subnet' level.
Since VM1 and VM2 are in same subnet, traffic between them doesn't go through subnet level NSG
Azure NSG is stateful, meaning if inbound is allowed, then outbound is allowed automatically(https://docs.microsoft.com/en-
us/azure/virtual-network/network-security-groups-overview)
upvoted 1 times

Apologize. The subnet level NSG does impact intra-subnet communication:
In this case Quantigo's answer is correct:
Direction: Outbound
Source 10.1.0.10 (VM1)
Priority: 110
upvoted 2 times

Correct Answer:
- Outbound
- 10.1.0.10 VM1
- 10.1.0.11 VM2
- 110
upvoted 7 times
  Timock 3 months, 2 weeks ago

All the virtual machines within the same virtual network can communicate with each other when it comes to Inbound traffic by default so
this means an Outbound direction rule is needed. 10.1.0.10/10.1.0.11 for both source and destination as the ICMP packet would have to
go in both directions. Priority has to come before the ICMP blocking of 111.
upvoted 8 times
  Timock 3 months ago

Like to adjust that the Outbound rule because of least privilege. should be more narrowed from 10.1.0.11 to 10.1.0.10. Rule 110 should
say the same.
upvoted 1 times

In my opinion:
Direction: Outbound
Source 10.1.0.10 (VM1) and 10.1.0.11 (VM2)
Destination: 10.1.0.10 (VM1) and 10.1.0.11 (VM2)
Priority: 110
Ping is not completed one way, for ping to complete VM2 should respond with a pong which it willn't unless the Outbound rule allows
VM2 source to vm1 dest. Hence, source and dest fields would need both IPs.
upvoted 3 times
  Lionred 2 months, 1 week ago

That is not correct.
Remember NSGs are stateful, when the Ping request (technically ICMP Echo request) is passed through NSG, NSG registers it on its
state table, then when Pong (ICMP Echo reply) shows up from VM2, NSG will find it matches the incoming Ping hence will allow it to go
through.
If VM2 sends an ICMP Echo reply to VM1 without VM1 initiating it first, subnet-level NSG will simply block it since there is no matching
entry on its state table.
Moreover, the correct answer will only allow VM1 to ping VM2, not the other way around. If we want VM2 to be able ping VM1, we will
then need a reciprocal rule in place.
upvoted 1 times

upvoted 6 times

There is no way any expert looked at the provided answer and thought for second that it was correct. Look at what speed2fast provided
for the real answer.
upvoted 4 times
Solution: On Computer2, you set the Startup type for the IPSec Policy Agent service to Automatic.
A. Yes
B. No
Correct Answer: B
Reference:

B (100%)

Correct Answer: B
the certificate needs to be installed on the machine you are counting from.
upvoted 17 times
  nileshlg Most Recent  1 month, 1 week ago

Selected Answer: B
Answer is B
upvoted 1 times
A. Session persistence to Client IP and protocol
B. Protocol to UDP
C. Session persistence to None
D. Floating IP (direct server return) to Enabled
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-distribution-mode?tabs=azure-portal

The following options are available:
None (hash-based) - Specifies that successive requests from the same client may be handled by any virtual machine.
Client IP (source IP affinity two-tuple) - Specifies that successive requests from the same client IP address will be handled by the same
virtual machine.
Client IP and protocol (source IP affinity three-tuple) - Specifies that successive requests from the same client IP address and protocol
combination will be handled by the same virtual machine.
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-distribution-mode?tabs=azure-portal
The answer is A
upvoted 2 times
  Sukorak 2 months, 1 week ago

Anser is correct :A
upvoted 3 times
  Sukorak 2 months, 1 week ago

Answer is correct: A
upvoted 3 times
You have an Azure subscription that uses the public IP addresses shown in the following table.
You need to create a public Azure Standard Load Balancer.

Which public IP addresses can you use?
A. IP1, IP2, and IP3
B. IP2 only
C. IP3 only
D. IP1 and IP3 only
Correct Answer: C
Matching SKUs are required for load balancer and public IP resources. You can't have a mixture of Basic SKU resources and standard SKU
resources.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses

C (100%)
  Sukorak Highly Voted  2 months, 1 week ago

Answer is correct: C
upvoted 7 times

Selected Answer: C
BASIC SKU not an option here.
upvoted 1 times

Selected Answer: C
Answer is correct: C
upvoted 1 times
  Fulforce 1 month, 1 week ago

Weird question this one, because IP1 is an iPv6 Basic address but it says that it's Static. That is not supported as part of the Basic SKU. But
regardless, the answer is correct: C. Because you can't mix SKUs with Load Balancers.
upvoted 1 times

Selected Answer: C
C is correct
upvoted 1 times

You are deploying an Azure Kubernetes Service (AKS) cluster that will contain multiple pods. The pods will use kubernet networking.
You need to restrict network traffic between the pods.
What should you configure on the AKS cluster?
A. the Azure network policy
B. the Calico network policy
C. pod security policies
D. an application security group
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/aks/use-network-policies

B (100%)
  ITprof99 Highly Voted  1 month, 2 weeks ago

On exam 01.02.22
Answer: B
upvoted 7 times
  daniel1ionut Most Recent  1 week, 4 days ago

On exam 05/02/22
Asnwer:B
upvoted 2 times

Answer: B
" The Network Policy feature in Kubernetes lets you define rules for ingress and egress traffic between pods in a cluster."
reference: https://docs.microsoft.com/en-us/azure/aks/use-network-policies
upvoted 1 times
  deltarj 3 weeks, 6 days ago

Where are mlantonis and fedztedz? ...demo version ended? :(
upvoted 4 times

Hahahahaha, very few comments now.
upvoted 4 times
  _punky_ 1 month ago

Hey, but in Kub u can get rid off Calico and use alternative networking solution. So idk
upvoted 1 times

https://docs.microsoft.com/en-us/azure/aks/use-network-policies#network-policy-options-in-aks
upvoted 1 times

The answer is correct because azure kubernates network policy works only in Linux so calico is the one who works in Linux or windows
upvoted 2 times

Selected Answer: B
I think the correct answer is B.
The question describes “the pods will use kubernet networking.”
To provide network connectivity, AKS clusters can use kubenet (basic networking) or Azure CNI (advanced networking).
Azure Network Policies supports Azure CNI only. Calico Network Policies supports both Azure CNI (Windows Server 2019 and Linux) and
kubenet (Linux).
Hence, the correct answer is B.
Reference
upvoted 3 times
  streethawk 2 months ago

Correct Answer : B
The choice was between 'A' and 'B', the key is 'kubenet' networking, which is supported in Calico network policy.
upvoted 1 times
  ahmads08 2 months, 1 week ago

This was in exam today. 12/12/2021
upvoted 2 times

Looks like the correct answer. Here is a more relevant link (note the limitations & considerations for Kubenet mention that Calicio network
policies are supported on Kubenet). https://docs.microsoft.com/en-us/azure/aks/configure-kubenet
upvoted 4 times

Features not supported on kubenet include:
-Azure network policies, but Calico network policies are supported on kubenet
-Windows node pools
-Virtual nodes add-on
thx extracted from the link:
https://docs.microsoft.com/en-us/azure/aks/configure-kubenet#limitations--considerations-for-kubenet
upvoted 1 times
Question #1 Topic 6
HOTSPOT -
You have the web apps shown in the following table.
You need to monitor the performance and usage of the apps by using Azure Application Insights. The solution must minimize modifications to the
application code.
What should you do on each app? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/app/azure-web-apps
  Timock 1 week, 6 days ago

Application Insights Agent (formerly named Status Monitor V2) is a PowerShell module published to the PowerShell Gallery. It replaces
Status Monitor. Telemetry is sent to the Azure portal, where you can monitor your app.
Note:
The module currently supports codeless instrumentation of .NET and .NET Core web apps hosted with IIS. Use an SDK to instrument Java
and Node.js applications.
https://docs.microsoft.com/en-us/azure/azure-monitor/app/status-monitor-v2-overview
upvoted 2 times

Correct.
Application Insights Agent (formerly named Status Monitor V2) is a PowerShell module published to the PowerShell Gallery. It replaces
Status Monitor.
https://docs.microsoft.com/en-us/azure/azure-monitor/app/status-monitor-v2-overview
https://docs.microsoft.com/en-us/azure/azure-monitor/app/status-monitor-v2-detailed-instructions
upvoted 4 times
  haitao1234 2 months, 1 week ago

Correct, key is to minimize code change to application.
https://docs.microsoft.com/en-us/azure/azure-monitor/app/azure-web-apps
upvoted 1 times

Answer looks correct based on the link provided.
Agent-based application monitoring (ApplicationInsightsAgent).
This method is the easiest to enable, and no code change or advanced configurations are required. It is often referred to as "runtime"
monitoring. For Azure App Services we recommend at a minimum enabling this level of monitoring, and then based on your specific
scenario you can evaluate whether more advanced monitoring through manual instrumentation is needed.
The following are support for agent-based monitoring:
.NET Core
.NET
Java
Nodejs
upvoted 3 times
Question #2 Topic 6

You use Azure Backup to create a backup of VM1 named Backup1.
After creating Backup1, you perform the following changes to VM1:
✑ Modify the size of VM1.
✑ Copy a file named Budget.xls to a folder named Data.
✑ Reset the password for the built-in administrator account.
✑ Add a data disk to VM1.
An administrator uses the Replace existing option to restore VM1 from Backup1.
You need to ensure that all the changes to VM1 are restored.
Which change should you perform again?
A. Modify the size of VM1.
B. Reset the password for the built-in administrator account.
C. Add a data disk.
D. Copy Budget.xls to Data.
Correct Answer: D
Reference:
https://docs.microsoft.com/en-us/azure/backup/about-azure-vm-restore

C (100%)
  ninjia Highly Voted  1 month, 3 weeks ago

If it's a single selection, I would select D. However, the test result reveals it should be two (C and D).
I have tested this in Azure.

Prepare
1. Create a Windows VM with size D2S_v3.
2. Backup the VM.
Made changes after the backup.
1. Modify the VM size to DS1_v2.
2. RDP to the VM and create a new file.
3. Reset the password for the built-in administrator.
4. Add a data disk to the VM.
Restore the VM from the backup. Here are the results:

1. VM size remains as DS1_v2.
2. RDP to VM with the changed password.
3. Data disk is gone.
4. A new file is gone.
Conclusion, VM size and password will not be overridden by the restore process.
You will need to perform the changes again:
1. Add a data disk
2. Copy the file.
upvoted 12 times
  Nilvam 6 days, 22 hours ago

Data disk will not gone (deleted). It will be unmapped.
upvoted 1 times

Sadly I agree.
Ref: https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms#replace-existing-disks-from-a-restore-point
Suggest all disks are replaced by the ones in the snapshot.
ALTHOUGH the disk is not deleted, and still available in the RG (but you have to assume it needs added back).
For me the safest answer is D, that file is defo gone.
upvoted 1 times
  Darkeh Most Recent  1 week, 6 days ago

Selected Answer: C
You can recopy the file to the folder named data. They don't specify where the file currently exists so I'd go with the data disk on this one.
upvoted 1 times

Given answer doesn't provide an explanation.
From the scenario mentioned in the question, we are using the replace option. So, in this case we would lose the existing data written to
the disk after the backup was
taken. The file was copied to the disk after the backup was taken. Hence, we would need to copy the file once again.
References:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms#replace-existing-disks
upvoted 3 times

Replace existing: Use this option if you want to replace disks on an existing VM.
-You can restore a disk, and use it to replace a disk on the existing VM.
-The current VM must exist. If it's been deleted, this option can't be used.
-Azure Backup takes a snapshot of the existing VM before replacing the disk, and stores it in the staging location you specify. Existing disks
connected to the VM are replaced with the selected restore point.
-If the restore point has more or less disks than the current VM, then the number of disks in the restore point will only reflect the VM
configuration.
I think the given answer is correct or maybe there are 2 answers: .xls and password reset ?
upvoted 1 times

For me, the answer is B. Let me explain:
The question makes reference to the 'Replace Existing option" which according to the link, explains that the current VM must exist. The
Replace Existing option doesn't replace the VM with whatever SKU the original VM was, so it can't be option A.
The data disk will still be attached to the restored VM, as it wasn't present in the Backup so it is not replaced, hence the answer isn't C.
Since the original data disk remains attached, the Budget.xls data remains on the data disk, so it isn't D.
This leave the answer as B - this would not have been captured in the restore option.
Here is the KB article that describes the Replace Existing option:

upvoted 2 times

Surely the password for the VM is stored in AZ AD, not the hard disc of the machine. Password should not be effected by the restore. So
not B. I think D.
upvoted 1 times
  StaxJaxson 13 hours, 40 minutes ago

Built in administrator creds are not stored AZ AD. Built in means local. Not AD.
upvoted 1 times
  streethawk 2 months ago

I agree with most of the interpretation except one: Budget.xls is copied to a folder named "Data", which appears to be present on the
same disk which has been backed up. And hence after using "Replace Existing Option" the disk data will be overwritten by backed-up
data, that would leave "Budget.xls" missing so it has to be copied to restore the state. Whereas there would not be any impact on newly
added disk. Hence for me correct answer will be "D"
upvoted 2 times

"You need to ensure that all the changes to VM1 are restored" what does this sentence meaning? Does it mean all changes made after
backup was taken are to be reinstated since the "replace existing" restore process will undo all of them?
If my understanding is correct, then all these changes were undone when an administrator performed "replace existing" restore from
Backup1, that means VM sizes back to old one, local admin password back to old one, Budget.xls file gone, and newly added data disk
gone.
Now if you want them all to be reinstated, you cannot just add the Budget.xls file back, you will need to do all of them.
upvoted 2 times
  Lionred 2 months ago

Ok, after thinking about this more I now have the following ideas:
1. "You need to ensure that all the changes to VM1 are restored" does mean reinstating all the changes made after taking Backup1
2. Out of the 4 changes made, only "copying Budget.xls file..." will be overwritten by the restore process. In other words, restoring VM1
from Backup1 will undo the change "copying Budget.xls file...".
3. #2 implies these changes persist after restoring the VM from backup:
1) Changing VM size
2) Changing local administrator password
3) Attaching a data disk
I couldn't confirm 1) & 3), but I can confirm 2) change is supposed to be done outside of VM (through Azure Portal or PowerShell) hence
will not be undone by VM restore process.
upvoted 3 times
Question #3 Topic 6
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains the users shown in the following table.
You enable password reset for contoso.onmicrosoft.com as shown in the Password Reset exhibit. (Click the Password Reset tab.)
You configure the authentication methods for password reset as shown in the Authentication Methods exhibit. (Click the Authentication Methods
tab.)

Hot Area:
Correct Answer:
Box 1: No -
Two methods are required.
Box 2: No -
Self-service password reset is only enabled for Group2, and User1 is not a member of Group2.
Box 3: Yes -
As a User Administrator, User3 can add security questions to the reset process.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/quickstart-sspr https://docs.microsoft.com/en-us/azure/active-
directory/authentication/active-directory-passwords-faq

Answer is not correct. It should be
- NO: User2 needs 2 authentication methods. Security questions are not enough to reset password
- NO: User1 is not part of the SSPR Group1
- NO: to be able to add security questions to the process. you need Global admin role
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr#prerequisites
& https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator-permissions
upvoted 70 times
  ZacAz104 3 weeks, 5 days ago

2 methods available not mandatory so the correct answer i think is Yes-No-No
upvoted 1 times
  mrshegz 6 months, 2 weeks ago

what is SSPR
upvoted 1 times

Sometimes, Some People Remember...
upvoted 13 times
  raydel92 5 months ago

Self Service Password Reset
upvoted 8 times

Besides the Global Admin role, that you should not give to anyone, if you want to configure MFA for non-admin users only use
Authentication Administrator role and if you want to configure MFA for all users including admin users, use Privileged Authentication
Administrator role.
upvoted 6 times

Did not see exactly the information regarding to add security questions to the process, however I do find that User Administrator
permission is able to reset password from the link.
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#password-reset-permissions
upvoted 1 times

C0rrect Answer:
Box 1: No
Two methods are required (Mobile phone and Security questions).
Box 2: No
Self-service password reset is only enabled for Group2, and User1 is not a member of Group2.
Box 3: No
To be able to add Security questions to the process, you need to be a Global Administrator. User3 is User Administrator, so User3 cannot
add security questions to the reset process. User Administrator doesn’t have MFA permissions.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/quickstart-sspr
https://docs.microsoft.com/en-us/azure/active-directory/authentication/active-directory-passwords-faq
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr#prerequisites
upvoted 34 times
  ZacAz104 Most Recent  3 weeks, 5 days ago

correct answer i think is Yes-No-No because user2 is only member of Group2
upvoted 1 times
  ravi000001 5 months, 4 weeks ago

NO
NO
NO
Reference: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator
upvoted 2 times
  Kpup 6 months, 3 weeks ago

Still learning azure so excuse the lack of knowledge but the sspr is targetted at group 2, user 1 is not a member, so could they not reset
using the mobile app?
upvoted 2 times

NoNoNo , User admin cannot add
upvoted 1 times

1. Y
Authentication methods
When a user is enabled for SSPR, they must register at least one authentication method. We highly recommend that you choose two or
more authentication methods so that your users have more flexibility in case they're unable to access one method when they need it. For
more information, see What are authentication methods?.
The following authentication methods are available for SSPR:
Mobile app notification
Mobile app code
Email
Mobile phone
Office phone (available only for tenants with paid subscriptions)
Security questions
2.NO
NO: User1 is not part of the SSPR Group1
3. NO - You need Global Admin role
upvoted 2 times

in exam 7/3/2021, answered NNN
upvoted 2 times

upvoted 4 times

To confirm 3 is No: https://docs.microsoft.com/en-us/answers/questions/356305/in-azure-could-the-user-administrator-have-permiss.html
upvoted 2 times
  TiredofTesting 10 months, 4 weeks ago

Answer is
NO
NO
NO
3) User3 = user administrator
With a two-gate policy, administrators don't have the ability to use security questions.
The two-gate policy requires two pieces of authentication data, such as an email address, authenticator app, or a phone number. A two-
gate policy applies in the following circumstances:
All the following Azure administrator roles are affected:
Helpdesk administrator
Service support administrator
Billing administrator
Partner Tier1 Support
Partner Tier2 Support
Exchange administrator
Mailbox Administrator
Skype for Business administrator
User administrator
upvoted 3 times
  JohnPC 11 months, 1 week ago

First two are No, for obvious reasons. Third is No, user administrator doesn't have the ability to access Password Reset in Azure AD, as the
option is greyed out - tested and confirmed. Only Global admins can add security questions from a predefined or custom created list of
security questions. Also, user admins have an admin role so their ability to change their own security questions are not available, as
stated, "With two-gate policy, administrators don't have the ability to use security questions".
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy
This was tested by setting up a new account with user admin role; security questions wasn't an option when setting up other
authentication methods during first sign in.
upvoted 6 times

No-No-No
upvoted 5 times
  RNZLR 12 months ago

it says "number of questions required to reset = 3". why is everyone stuck on the two METHODS? you need to answer 3 questions. the
security question option itself is ONE METHOD. i'd say yes,no,no
upvoted 1 times

It says Number of methods required to reset - 2 (Mobile and Security questions)
That being said, just answering the sec questions is not enough.
upvoted 2 times

Last answer is NO also, User Administrator cannot modify this settings: https://docs.microsoft.com/en-us/azure/active-
directory/roles/permissions-reference#user-administrator-permissions
upvoted 4 times

1. No - requires 2 methods.
2. No - Group1 can't.
3. No - User Administrator doesnt have MFA permissions.
Source : https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator-permissions
upvoted 3 times
  PBA1211 1 year ago

it is No,No No
1st no, because 2 methods requierd
2nd no, because wrong groupmembership

3td no, User 3 is not "An account with Global Administrator privileges.'
upvoted 7 times
Question #4 Topic 6
Your company has a main office in London that contains 100 client computers.
Three years ago, you migrated to Azure Active Directory (Azure AD).
The company's security policy states that all personal devices and corporate-owned devices must be registered or joined to Azure AD.
A remote user named User1 is unable to join a personal device to Azure AD from a home network.
You verify that User1 was able to join devices to Azure AD in the past.
You need to ensure that User1 can join the device to Azure AD.
What should you do?
A. Assign the User administrator role to User1.
B. From the Device settings blade, modify the Maximum number of devices per user setting.
C. Create a point-to-site VPN from the home network of User1 to Azure.
D. From the Device settings blade, modify the Users may join devices to Azure AD setting.
Correct Answer: B
The Maximum number of devices setting enables you to select the maximum number of devices that a user can have in Azure AD. If a user
reaches this quota, they will not be able to add additional devices until one or more of the existing devices are removed.
Incorrect Answers:
C: Azure AD Join enables users to join their devices to Active Directory from anywhere as long as they have connectivity with the Internet.
D: The Users may join devices to Azure AD setting enables you to select the users who can join devices to Azure AD. Options are All, Selected
and None. The default is All.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal http://techgenix.com/pros-and-cons-azure-
ad-join/
  balflearchen Highly Voted  1 year ago

For those who choose D, please read the question carefully, "You verify that User1 was able to join devices to Azure AD in the past." So the
join device setting should be ok, but he already reach the maximum number of devices per user. Answer B is correct.
upvoted 39 times

agree.
by default the maximum number of devices per user is 50
upvoted 1 times

Agree.
upvoted 2 times

Correct Answer: B
Keyword: "user was able to connect the device in the past".
The Maximum number of devices setting enables you to select the maximum number of devices that a user can have in Azure AD. If a user
reaches this quota, they will not be able to add additional devices until one or more of the existing devices are removed. By default, the
maximum number of devices per user is 50.
Azure portal -> Azure Active Directory -> Devices

Azure portal -> Azure Active Directory -> Users > Select a user > Devices
upvoted 36 times

Damn! keep forgetting this one. Answer is B!
upvoted 1 times

in exam 7/3/2021
upvoted 4 times

Answer B is correct. Nothing has changed, so max devices user quota has reached.
upvoted 2 times

Manage devices
There are two locations to manage devices in Azure AD:
Azure portal > Azure Active Directory > Devices

Azure portal > Azure Active Directory > Users > Select a user > Devices
upvoted 2 times
  shankatna 1 year ago

I believe D is the answer. Reason "user was able to connect the device in the past", probably the setting have changed recently and he is
not able to connect now.
for B to be the answer, question would have been like, the user was able to connected his computer and now trying to connect his mobile
etc. hinting for max number of devices settings
upvoted 1 times

If ans is B then this would only be arrived at with more information, like somewhere a log reporting exceeded maximum number of
devices.
Seem to be a pointless exam q.
upvoted 2 times
  DavidChin 1 year, 1 month ago

D. From the Device settings blade, modify the Users may join devices to Azure AD setting
upvoted 1 times

Answer is correct. "B"
upvoted 9 times

B looks correct
upvoted 2 times
  tezawynn 1 year, 3 months ago

It was working before. Now its not working, not able to join.
maybe because he got more devices. Increase the number of connected devices will do the trick.
upvoted 5 times
  BuckLee 1 year, 3 months ago

B definitely 100% absolutely correct for sure no doubt
upvoted 7 times
  Caphispania 1 year, 3 months ago

B Seems correct
upvoted 3 times
Question #5 Topic 6

A. Yes
B. No
Correct Answer: A
Reference:
  aaa112 Highly Voted  1 year, 1 month ago

Correct, but the explanation is not. User1 is global admin of contoso.onmicrosoft.com. As he created the new tenant called
external.contoso.onmicrosoft.com, he will be the OWNER. Check the scope not just the role, tho.
upvoted 40 times
  r3tr0penguin 8 months, 3 weeks ago

Then if User2 want to create new user on external.contoso.onmicrosoft.com , he can't right ? because User2 is not the one who create
tenant external.contoso.onmicrosoft.com that mean User 2 don't be OWNER
upvoted 3 times

Yes because user2 wont have any role or connection with the new tenant unless added by user1 specifically.
upvoted 4 times

Thank you for clarifying
upvoted 2 times

Only User1 has access to the new Tenant, because User1 created the Tenant and became automatically Global Admin.
upvoted 25 times
  EricMaes 5 months, 1 week ago

Didn't he become owner?
upvoted 2 times

Creating a user has nothing to do with being an owner of the subscription.
Simply, Since user 1 created the new tenant, hence user1 automatically gets Global Admin on that tenant.
upvoted 1 times

The (Global Admin) who create a new Tenant has only right to create users at first.
He is the owner of the tenant.
upvoted 6 times

GA is kinda one ring to rule em all!
upvoted 2 times

So long as the Global Admin actually exist in the tenant. User2 is also a Global Admin of the original tenant but does not exist in the
new tenant created by User1. User2 could not create users in the new tenant unless first added to it by User1. Understand this as one
of the other questions regards having User2 create new users in the new tenant.
upvoted 1 times
  Justin0020 1 year, 2 months ago

Only the user that creates the new tenant will be in the new tenant. Only User1 can do this job. Answer A is correct and the other scenario
questions about this about User2, 3 and 4 are No.
upvoted 17 times

upvoted 1 times
  JustMe84 1 year, 2 months ago

I have tested this, the answer is correct.
upvoted 5 times

Then you tested it wrong
upvoted 1 times

Apologise, I misread the question, User 1 being the Owner of the new tenant as well as a GA is able to add users to this tenant
upvoted 1 times
  wksjiajhuioahkenka 1 year, 2 months ago

Must be global or user admin, as says in source.
upvoted 1 times

wrong - user admin cant - neither can GA, has to be the owner - which happen to be user1 with GA permissions in this scenario.
upvoted 4 times
Question #6 Topic 6
You have an existing Azure subscription that contains 10 virtual machines.

You need to monitor the latency between your on-premises network and the virtual machines.
A. Service Map
B. Connection troubleshoot
C. Network Performance Monitor
D. Effective routes
Correct Answer: C
Network Performance Monitor is a cloud-based hybrid network monitoring solution that helps you monitor network performance between
various points in your network infrastructure. It also helps you monitor network connectivity to service and application endpoints and monitor
the performance of Azure ExpressRoute.
You can monitor network connectivity across cloud deployments and on-premises locations, multiple data centers, and branch offices and
mission-critical multitier applications or microservices. With Performance Monitor, you can detect network issues before users complain.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/insights/network-performance-monitor

Network Watcher - a Suite of tools offering but not limited to the following
* Connection Monitor - latency and network issues with IaaS devices over a PERIOD OF TIME
* Connection troubleshoot - latency and network issues with IaaS devices ONE-TIME
* IP Flow - latency and network issues at the VM LEVEL
* Network Performance Monitor - latency and network issues in hybrid, ON-PREM, across environments
upvoted 106 times
  jimmyli 10 months, 1 week ago

great summary, thank you!
upvoted 3 times

Correct Answer: C
Network Watcher is a Suite of tools offering but not limited to the following:
- Connection Monitor - latency and network issues with IaaS devices over a PERIOD OF TIME
- Connection troubleshoot - latency and network issues with IaaS devices ONE-TIME
- IP Flow - latency and network issues at the VM LEVEL
- Network Performance Monitor - latency and network issues in hybrid, ON-PREM, across environments.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/insights/network-performance-monitor
upvoted 35 times
  Adebowale Most Recent  6 months, 1 week ago

@NickyDee Thank you for the Summary
upvoted 1 times

Network Performance Monitor is correct
upvoted 1 times

C is okay
upvoted 4 times

Answer is correct. Network Performance Monitor is the tool: https://docs.microsoft.com/fr-fr/azure/network-watcher/migrate-to-
connection-monitor-from-network-performance-monitor
upvoted 3 times

Configure the solution

Add the Network Performance Monitor solution to your workspace from the Azure marketplace. You also can use the process described in
Add Azure Monitor solutions from the Solutions Gallery.
Open your Log Analytics workspace, and select the Overview tile.
Select the Network Performance Monitor tile with the message Solution requires additional configuration.
upvoted 2 times
  tinyflame 1 year, 1 month ago

Network monitoring is out of scope for the exam, is this still a question?
upvoted 2 times
  balflearchen 1 year ago

Ha ha, funny, if this happened in your exam session, can you ignore it and say it should not be in my exam?
upvoted 3 times

I believe network monitoring is included in exam per the exam guide.
upvoted 2 times

Answer is correct. "C" Network Performance Network
upvoted 6 times

Connection Troubleshoot from Network Watcher can monitor latency. you can test all 10 VMs from one place in Azure, and its minimal
effort.
upvoted 1 times
  balflearchen 1 year ago

In question, you need to monitor the latency between your "ON-PREMISES" network and the virtual machines. So connection
troubleshooting is wrong.
upvoted 3 times

Network Performance Monitor is a cloud-based hybrid network monitoring solution
upvoted 7 times
  dandirindan 1 year, 2 months ago

topology changes between the VM and the endpoint
the answer should be connection monitor

upvoted 2 times

Connection monitor is the improved version of Network performance Monitor, what you see in the answers is connection troubleshoot
which is another thing.
Reference: https://docs.microsoft.com/fr-fr/azure/network-watcher/migrate-to-connection-monitor-from-network-performance-
monitor
upvoted 1 times
Question #7 Topic 6
DRAG DROP -
You have an Azure Linux virtual machine that is protected by Azure Backup.
One week ago, two files were deleted from the virtual machine.
You need to restore the deleted files to an on-premises Windows Server 2016 computer as quickly as possible.
Select and Place:
Correct Answer:
Step 1: From the Azure portal, click File Recovery from the vault
Step 2. Select a restore point that contains the deleted files
Step 3: Download and run the script to mount a drive on the local computer
Generate and download script to browse and recover files:
Step 4: Copy the files using File Explorer!
After the disks are attached, use Windows File Explorer to browse the new volumes and files. The restore files functionality provides access to
all files in a recovery point. Manage the files via File Explorer as you would for normal files.
Step 1-3 below:
To restore files or folders from the recovery point, go to the virtual machine and perform the following steps:
1. Sign in to the Azure portal and in the left pane, select Virtual machines. From the list of virtual machines, select the virtual machine to open
that virtual machine's dashboard.
2. In the virtual machine's menu, select Backup to open the Backup dashboard.
3. In the Backup dashboard menu, select File Recovery.
The File Recovery menu opens.
4. From the Select recovery point drop-down menu, select the recovery point that holds the files you want. By default, the latest recovery point is
already selected.
5. Select Download Executable (for Windows Azure VMs) or Download Script (for Linux Azure VMs, a python script is generated) to download
the software used to copy files from the recovery point.
Running the script and identifying volumes:
For Linux machines, a python script is generated. Download the script and copy it to the relevant/compatible Linux server.
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm https://docs.microsoft.com/en-us/azure/backup/backup-
azure-vms-automation#restore-files-from-an-azure-vm-backup
  biglebowski Highly Voted  7 months, 3 weeks ago

Restore of Linux VM can be only performed on compatiblie Linux client.
In my opinion correct order is:
Step 1: From the Azure portal, click File Recovery from the vault
Step 2. Select a restore point that contains the deleted files
Step 3: Download and run the script to mount a drive on the local computer (LINUX!!!)
Step 4. Copy the files by using AZCopy (yes, to blob storage and next to Windows 2016)
upvoted 23 times
  Alses1970 Highly Voted  9 months, 3 weeks ago

seems to be correct
https://charbelnemnom.com/how-to-restore-files-and-folders-from-azure-linux-vm-using-azurebackup-linux-azure-azurebackup/
upvoted 15 times
  gabrielegue 7 months, 3 weeks ago

Did you even read the link? In the getting ready section there is written that Windows OS it's not supported for a file recovery for linux
machines.
upvoted 2 times

and so what do you suggest, just leave the question unanswered!
upvoted 4 times
  rustamsariyev94 Most Recent  2 months, 2 weeks ago

To restore files or folders from the recovery point, go to the virtual machine and choose the desired recovery point.
Step 0. In the virtual machine’s menu, click Backup to open the Backup dashboard.
Step 1. In the Backup dashboard menu, click File Recovery.
Step 2. From the Select recovery point drop-down menu, select the recovery point that holds the files you want. By default, the latest
recovery point is already selected.
Step 3: To download the software used to copy files from the recovery point, click Download Executable (for Windows Azure VM) or
Download Script (for Linux
Azure VM, a python script is generated).
Step 4: Copy the files by using AzCopy
AzCopy is a command-line utility designed for copying data to/from Microsoft Azure Blob, File, and Table storage, using simple commands
designed for optimal performance. You can copy data between a file system and a storage account, or between storage accounts.
References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy
upvoted 4 times

The file provided to download is a Python script - it won't run on Windows?
upvoted 1 times

Seems many people commenting are confused as to the difference between restoring a VM and restoring some files from a backed up
VM. In this instance we are only interested in the files that were stored during the backup. The original OS requirements are handled by
Azure and the script. The OS used for recovery here is a Windows machine. The steps shown are correct
upvoted 3 times
  JirkaM 4 months, 1 week ago

And what about
restore VM (disk)
select restore point
map VHD (to existing linux)
AZcopy (twice)
Nice Microsoft adventure game. But no sense in test without question study.
upvoted 1 times
  iamLucilfer 5 months, 2 weeks ago

AZCOPY is for linux
File explorer is for Windows
upvoted 4 times
  omgsurething0 4 months, 1 week ago

You can use AZCopy on Windows via PowerShell. Just need to install it first
upvoted 4 times

no, it's also available for windows
upvoted 3 times

Is correct!
"You need to restore the deleted files to an on-premises Windows Server 2016 computer as quickly as possible."
upvoted 2 times

Watch out for below context:
"You need to restore the deleted files to an on-premises Windows Server 2016 computer"
Answer would be: Copy the files by using File Explorer.
"You need to restore the deleted files to an on-premises computer"

Answer would be: Copy the files by using AZ Copy.
upvoted 10 times
  Deevine78 8 months ago

It is correct.
Source: https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm
upvoted 3 times

Everywhere I search it only mentions that you should use a Linux local machine to restore files from Linux VM. Don't find the option to
restore Linux files to Windows Machine. So I don't understand why here it says you can run the script to restore linux files to windows
server.
upvoted 5 times

It is related to the script type you're downloading:
"Select Download Executable (for Windows Azure VMs) or Download Script (for Linux Azure VMs, a python script is generated) to
download the software used to copy files from the recovery point."
Source: https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm
upvoted 2 times
  biglebowski 7 months, 3 weeks ago

Mich132 has valid doubts. Linux VM can be only restored to compatibile client which is Linux, not Windows 2016. I assume the
answer is wrong.
upvoted 3 times
  dumdada 6 months, 2 weeks ago

I think because we're not trying to restore the whole VM but just a few files. We should be able to restore a few .pdf files and
restore them from a Linux backup to a Windows VM (would surprise me if Azure couldn't handle this)
upvoted 1 times

I assume the question is garbled. If this is not possible, then answering the correct sequence of steps to perform the action is
likewise not possible. Many questions ask what to do 'first', this one simply asks for the entire series of steps.
upvoted 1 times
  igm82 8 months, 2 weeks ago

Correct!
upvoted 1 times
  chuck0719 9 months ago

Nope, the last should be mount VHD as it is linux OS.
upvoted 2 times
  Billabongs 9 months ago

The computer, where the file is being restored, is a Windows Server 2016.
upvoted 6 times
  Hathuguay 9 months ago

You're right. Source link : https://charbelnemnom.com/how-to-restore-files-and-folders-from-azure-linux-vm-using-azurebackup-linux-
azure-azurebackup/
upvoted 2 times

The given answer looks correct
upvoted 1 times

correct
upvoted 2 times
Question #8 Topic 6
HOTSPOT -
You purchase a new Azure subscription named Subscription1.
You create a virtual machine named VM1 in Subscription1. VM1 is not protected by Azure Backup.
You need to protect VM1 by using Azure Backup. Backups must be created at 01:00 and stored for 30 days.
Hot Area:
Correct Answer:
Box 1: A Recovery Services vault

You can set up a Recovery Services vault and configure backup for multiple Azure VMs.
Box 2: A backup policy -

In Choose backup policy, do one of the following:
✑ Leave the default policy. This backs up the VM once a day at the time specified, and retains backups in the vault for 30 days.
✑ Select an existing backup policy if you have one.
✑ Create a new policy, and define the policy settings.
Reference:

Correct Answer:
Box 1: A Recovery Services vault

You can set up a Recovery Services vault and configure backup for multiple Azure VMs.
Box 2: A backup policy

In Choose backup policy, do one of the following:
✑ Leave the default policy. This backs up the VM once a day at the time specified, and retains backups in the vault for 30 days.
✑ Select an existing backup policy if you have one.
✑ Create a new policy, and define the policy settings.
Reference:
upvoted 43 times
  denccc Highly Voted  9 months, 3 weeks ago

Answers are correct
upvoted 7 times
  JimBobSquare101 Most Recent  6 months, 3 weeks ago

In 30 July 2021
upvoted 3 times

Answers are correct to me
upvoted 3 times
Question #9 Topic 6

Azure collects events from VM1.
You are creating an alert rule in Azure Monitor to notify an administrator when an error is logged in the System event log of VM1.
Which target resource should you monitor in the alert rule?
A. virtual machine extension
B. virtual machine
C. metric alert
D. Azure Log Analytics workspace
Correct Answer: D
For the first step to create the new alert tule, under the Create Alert section, you are going to select your Log Analytics workspace as the
resource, since this is a log based alert signal.
Reference:
https://docs.microsoft.com/en-us/windows-server/storage/storage-spaces/configure-azure-monitor

Correct Anser: D
For the first step to create the new alert tule, under the Create Alert section, you are going to select your Log Analytics workspace as the
resource, since this is a log based alert signal.
The log data goes to the analytics workspace and it is from there that the alert is triggered.
Reference:
https://docs.microsoft.com/en-us/windows-server/storage/storage-spaces/configure-azure-monitor
upvoted 31 times

Answer is correct D
upvoted 31 times

upvoted 4 times

Was in exam dated 15/11/2021
upvoted 2 times

in exam today! October 16, 2021
upvoted 5 times
  FrostyD 6 months, 1 week ago

I have managed directly to choose VM as target and I have created a rule to notify me with email if cpu usage is more than some %. So B
(VM) is possible answer
upvoted 1 times
  Gerd95 4 months ago

No, because it specifies event log data.
You cannot get that directly from the VM as source
upvoted 1 times

I think answer is B:
If you try to create a new alert rule to a VM, this is what shows:
"Scope
Select the target resource you wish to monitor.
Resource
Vm12"
upvoted 1 times

Correction, answer should be D
upvoted 2 times

D:
upvoted 6 times

Answer D. is correct. Log Analytics
upvoted 3 times

Setting up alerts using Windows Admin Center
In Windows Admin Center, you can configure default alerts that will apply to all servers in your Log Analytics workspace.
upvoted 3 times
  jimbobcooter 1 year ago

the answer is correct, go create a Log Search alert in azure monitor, the first thing it wants is the log analytics workspace, and then you
create your alert under the Event table and specify your computer under the event table.
upvoted 4 times
  AzJJ 1 year ago

Ans : D
"Which target resource should you monitor in the alert rule?"

upvoted 5 times
  saponazureguy 1 year, 1 month ago

Wrong given answer - Keywords here are "which target resource should you monitor". Since we are monitoring the system event log of
VM1 the correct answer should be B. Virtual Machine
upvoted 2 times

Ans: D
upvoted 6 times
  LeeVee 1 year, 1 month ago

I think its B, it says that "Which target resource should you monitor in the alert rule?" so its Virtual machine.
upvoted 11 times

you are right, q is about target, so asn is d, not b, bcoz vm is a source of info)
upvoted 2 times
  enuka 11 months ago

"Azure collects events from VM1." - i think this means that event collection is already configured, and that's why correct answer should
be analytics workspace.
upvoted 5 times

Yes, exactly. It says that Azure is collecting data from VM1, so this means work analytics is already in place. Doesn´t it? So what is
missing is the alert and thereby a virtual machine as a target. So I think the answer should be B: Virtual machine.
upvoted 1 times
  vandergun 1 year, 1 month ago

Seem corrrectly
upvoted 3 times
You have an Azure subscription that contains 100 virtual machines.

You regularly create and delete virtual machines.
You need to identify unattached disks that can be deleted.
What should you do?
A. From Azure Cost Management, view Cost Analysis
B. From Azure Advisor, modify the Advisor configuration
C. From Microsoft Azure Storage Explorer, view the Account Management properties
D. From Azure Cost Management, view Advisor Recommendations
Correct Answer: D
From Home ‫ג‬€"> Cost Management + Billing ‫ג‬€"> Cost Management, scroll down on the options and select View Recommendations:
Azure Cost Management / Advisor -

From here you will see the recommendations for your subscription, if you have orphaned disks, they will be listed.
Reference:
https://codeserendipity.com/2020/07/08/microsoft-azure-find-unattached-disks-that-can-be-deleted-and-other-recommendations/

C (100%)

Correct Answer: D
From Home -> Cost Management + Billing -> Cost Management, scroll down on the options and select View Recommendations
upvoted 47 times
  raulgar Highly Voted  9 months, 2 weeks ago

I think the answer is correct, azure panel recommend you delete resources that are'nt in use, and if you have a lot of vm's it could be the
easiest way
upvoted 14 times
  TtotheA2021 Most Recent  1 week ago

if it is related to costs saving > it is C
the question is only asking what you can identify and the simple method > it is D
so it is for this question answer D

upvoted 1 times
  oskirch 3 months ago
Selected Answer: C
I think is C
upvoted 1 times
  PRM 4 months, 1 week ago

"C"
https://docs.microsoft.com/pt-br/azure/virtual-machines/disks-find-unattached-portal
upvoted 1 times

The link you have provided doesn't even mention Storage Explorer.
By the way, the Account Management properties doesnt give the info we want in Storage Explorer:
https://docs.microsoft.com/en-us/azure/vs-azure-tools-storage-manage-with-storage-explorer?tabs=windows
upvoted 2 times

It is a trick question. Most people will know that you have to use Advisor. I picked B without reading all other options. That is obviously
wrong since there is no option to modify Advisor configuration. The correct answer would be:
1) From Azure Advisor, view the Cost Recommendations
2) From Azure Cost Management, view Advisor Recommendations
upvoted 6 times
  Vadlamua 4 weeks ago

The question only talks about identifying only. So option D
upvoted 2 times

Answer D is correct
upvoted 1 times
  nguyenhung1121990 9 months, 2 weeks ago

It should C - From Microsoft Azure Storage Explorer, view the Account Management properties
upvoted 3 times
  jantoniocesargatica 9 months, 2 weeks ago

Azure Storage Explorer does not provide any information about unused disks. You can test it downloading the software and connecting
to your account. Create a virtual machine and stop it. The go to Storage Explorer. You will see the the disk, but this is all. There is no
information regarding unused.
upvoted 3 times

The URL is irrelevant!!!
upvoted 1 times
  SumanKumarP 6 months, 2 weeks ago

Correct - Advisor for some reason doesn't give recommendations for unused disks.
Through Storage Explorer we can look for the disk state i.e. if its left unattached.
upvoted 1 times

No, it should be D, see https://feedback.azure.com/forums/919474-azure-advisor/suggestions/18963412-have-azure-advisor-show-up-
unused-disks-resources
upvoted 2 times
You have an Azure web app named webapp1.

Users report that they often experience HTTP 500 errors when they connect to webapp1.
You need to provide the developers of webapp1 with real-time access to the connection errors. The solution must provide all the connection error
details.
A. From webapp1, enable Web server logging
B. From Azure Monitor, create a workbook
C. From Azure Monitor, create a Service Health alert
D. From webapp1, turn on Application Logging
Correct Answer: A
  zyta Highly Voted  1 year, 6 months ago

I think A as well. You need to catch connection error. When the connection fails it happens on web server, not within application. You can
do it openining the web application >> Application Service logs >> Web server logging (there are multiple switches there)
You can also see the errors live going to "Log stream" pane
upvoted 46 times

Correct Answer: A
Raw HTTP request data is provided by Web server logging and the question mentions 500 error codes.
You need to catch connection error. When the connection fails it happens on web server, not within application. You can do it opening the
web application -> Application Service logs -> Web server logging (there are multiple switches there).
You can also see the errors live going to "Log stream" pane.
Web server logging Windows App Service file system or Azure Storage blobs Raw HTTP request data in the W3C extended log file format.
Each log message includes data such as the HTTP method, resource URI, client IP, client port, user agent, response code, and so on.
upvoted 42 times
  barcellos Most Recent  6 months, 3 weeks ago

Correct Answer: A
Raw HTTP request data is provided by Web server logging and the question mentions 500 error codes.
the error 500 is proved form web server,
The error 500 is proved from web server. the application do not response.
Error 500 is an Internal Server Error (HTTP) status. It indicates that some type of issue is affecting the performance of the server of the site
you are trying to access.
does not mention for windows or linux. however Correct Answer A

upvoted 3 times

A is correct
upvoted 6 times

Final answer A is correct. For more insight on web server logging vs. application logging:
https://stackify.com/azure-app-service-log-files/
upvoted 4 times
  barry12 11 months, 2 weeks ago

indeed, this explanation shows that weblogging is more or less the only option to help with real-time troubleshooting
upvoted 2 times

Answer is correct. Web server logging to see HTTP logs, App logging if it were App logs
upvoted 3 times

Web server logging
Raw HTTP request data in the W3C extended log file format. Each log message includes data such as the HTTP method, resource URI,
client IP, client port, user agent, response code, and so on.
upvoted 2 times
  portabrothers 1 year ago

https://docs.microsoft.com/en-us/learn/modules/capture-application-logs-app-service/2-enable-and-configure-app-service-application-
logging
Windows or Linux? It’s not specified.

App logs are the output of runtime trace statements in app code.
App logs are the output of runtime trace statements in app code. App logging is primarily for apps in pre-production and for troublesome
issues.
So the only answer is Application Logging.
upvoted 2 times
  unixman 1 year, 1 month ago

5xx error is web server issue. A is correct
upvoted 4 times

Ans: A is correct.
This is a MS trick question to make you think all answers are to use an Azure feature.
upvoted 3 times
  igm82 9 months, 2 weeks ago

I couldn't be more agree!
upvoted 1 times
  Ozguraydin 1 year, 1 month ago

My opinion, answer is D.
https://docs.microsoft.com/en-us/azure/app-service/troubleshoot-diagnostic-logs
upvoted 4 times

That might be step 2, but "The solution must provide all the connection error details." You need to see what the 500 is about first from
weblogs then move into app logs if appropriate.
upvoted 1 times

The Answer is correct "A". Enable web server logs. It is mentioned for "AppServiceHTTPLogs " , you use Web server logs. Basically it gives
all the details about the error
Check the https://docs.microsoft.com/en-us/azure/app-service/troubleshoot-diagnostic-logs#supported-log-types
upvoted 11 times

Web server logging Windows App Service file system or Azure Storage blobs Raw HTTP request data in the W3C extended log file format.
Each log message includes data such as the HTTP method, resource URI, client IP, client port, user agent, response code, and so on.
upvoted 3 times

Web Server logging provides a lot of details that can help the developers of the web app narrow down the root cause. Azure App Service
W3C format web server logs do provide sufficient detail leading up to OSI Layer 7.
upvoted 1 times
  maj1155 1 year, 2 months ago

https://www.youtube.com/watch?v=6Ji7HIIZjnQ
upvoted 1 times

Answer is Correct - A. Connections error would happen on web server not in application logs. Agree with zyta.
upvoted 3 times
  SScott 1 year, 2 months ago

With this example, it seems likely you'd have to start more basic before drilling in deeper. Begin with Web Server logging as a 500 error is
fairly generic. Ruling out the general connection failure makes sense before moving onto the application coding itself. Web Server logging
provides a lot of details that can help the developers of the web app narrow down the root cause. Azure App Service W3C format web
server logs do provide sufficient detail leading up to OSI Layer 7.
https://docs.microsoft.com/en-us/windows/win32/http/w3c-logging
https://www.lifewire.com/500-internal-server-error-explained-2622938
Going with A
upvoted 5 times
You have an Azure subscription that has a Recovery Services vault named Vault1. The subscription contains the virtual machines shown in the
following table:
You plan to schedule backups to occur every night at 23:00.

Which virtual machines can you back up by using Azure Backup?
A. VM1 and VM3 only
B. VM1, VM2, VM3 and VM4
C. VM1 and VM2 only
D. VM1 only
Correct Answer: B
Azure Backup supports backup of 64-bit Ubuntu Server operating system from Ubuntu 12.04.
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-support-matrix-iaas https://docs.microsoft.com/en-us/azure/virtual-
machines/linux/endorsed-distros

B (100%)

Answer is Correct. "B". Backup is supported for the whole VM for all the OS types mentioned. Also, backup operation can be done while
VM is offline or shutdown
upvoted 48 times

Correct Answer: B
Azure Backup supports backup of 64-bit Ubuntu Server operating system from Ubuntu 12.04.
The Backup service installs the backup extension whether or not the VM is running.
upvoted 31 times
  Netspud Most Recent  1 month ago

Selected Answer: B
I agree, all of them
upvoted 1 times

upvoted 3 times

in exam 7/3/2021
upvoted 5 times
  Devgela 10 months ago

This is a logical problem.
upvoted 3 times
"B". Backup is supported for the whole VM for all the OS types mentioned. Also, backup operation can be done while VM is offline or
shutdown
upvoted 4 times

upvoted 3 times

Answer is correct. All VMs including Powered off ones
upvoted 3 times

This is such a trick questions - yes you can still back it up even when the vm is turned off.
upvoted 6 times

Ans B: And I never knew that - it wasn't mentioned in the MS training! Amazing stuff!
Reference: https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-vms-prepare#apply-a-backup-policy
After enabling backup:
The Backup service installs the backup extension whether or not the VM is running.
An initial backup will run in accordance with your backup schedule.
When backups run, note that:
A VM that's running has the greatest chance for capturing an application-consistent recovery point.
However, even if the VM is turned off, it's backed up. Such a VM is known as an offline VM. In this case, the recovery point will be crash-
consistent.
upvoted 8 times

Answer is Correct - B. The Azure Backup supports back up of VMs that are shutdown or offline.
upvoted 12 times
HOTSPOT -
You create a Recovery Services vault backup policy named Policy1 as shown in the following exhibit:
Hot Area:
Correct Answer:
Box 1: 10 years -
The yearly backup point occurs to 1 March and its retention period is 10 years.
Box 2: 36 months -
The monthly backup point occurs on the 1
of every month and its retention period is 36 months.
st

Answer is correct. 10 years and 36 months.
Azure retention policy takes the longest period of retention for each backup. In case of conflict between 2 different policies.
upvoted 51 times

Please do explain the difference between these two jobs then?
1 March
1 November
upvoted 2 times
  Nilf 11 months, 1 week ago

All 1-st of each Month will be store for 35 weeks like monthly backup. Only -1st March will be stored like Years backup for 10 years
upvoted 6 times
  Nilf 11 months, 1 week ago

36 weeks*
upvoted 6 times

Correct Answer:
Box 1: 10 years
The yearly backup point occurs to 1 March and its retention period is 10 years.
Box 2: 36 months
The monthly backup point occurs on the 1
of every month and its retention period is 36 months.
Note: Azure retention policy takes the longest period of retention for each backup. In case of conflict between 2 different policies.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/retention?view=o365-worldwide
upvoted 38 times

in exam 29.12.21 - answer 10 years, 36 months
upvoted 4 times

Got it! 10 years and 36 months!
Azure retention policy takes the longest period of retention for each backup. In case of conflict between 2 different policies.
Thanks fedztedz and mlantonis.
upvoted 1 times

upvoted 4 times

In exam 09/20/2021 - Answer 100% correct. (Got 100% in this part)
upvoted 2 times
  nasraaqan 10 months, 3 weeks ago

in exam 21 of march 2021 the answer was right
upvoted 4 times

Where do we see the second date as Nov 1. It screen shot it just says '1'. How do you know month as Nov.
upvoted 5 times

It doesn't matter. The monthly backup is taken on 1st day of each month and it's retained for 36 months, so whether it's November,
December or whatever, as long it's 1st of the month, the answer would be 36 months. And the "Sunday" was just to add more
confusion as well.
upvoted 4 times
  allray15 11 months ago

The answer is correct, you will get confused if you just read on the wordings ''Sunday" , "November" , March 1st. The answer is easy if you
read and understood the question well.
upvoted 2 times

10 Y
36 M Retention occurs on 1st day of every month ( So it could be a November +a Sunday)
upvoted 3 times
  TheOGMrBee 11 months, 3 weeks ago

Ok, Maybe I'm missing something, and if I am, please correct me. If the Azure retention uses the longer retention period to store the
backup, then surely both would be 10 years? The reason I say this, is because the backups all occur on the first. The retention policy for
the Yearly backup, stored for 10 years occurs on the 1st of March. If the system is creating and keeping all the backups created on that
day, then the question is not specific enough to be answered with any certainty. This is not the case as the Azure retention policy takes the
longes rentention period the 'winning' retention, in the event of a conflict, which makes sense else you will fail audits or compliance
checks.
upvoted 1 times

The 10 year retention period is specifically set for March 1st, not any other 1st day of the month. It's like an extra factor to check for
when setting a retention period (I.e. for the 10 year retention, is it the first day of the month, and is that day in March?). It must qualify
for both criteria before the retention period is applied to it.
upvoted 1 times

Answers are correct.
upvoted 2 times

the answer was just there... in the screen shot. I was like.. cannot be that easy
upvoted 2 times
  dadageer 1 year, 1 month ago

I never understand this backup policy questions...why the first one is 10 years and second one is 36 weeks? why the 2nd one is not also 10
years? Retention policy for backups is 10 years so does it matter if I take a backup today or in November, the retention will be 10 years!
can someone explain this please.
upvoted 1 times
  MadMarc 11 months, 1 week ago

the retention periods are selected upon a condition, and that condition is strictly a specific date (at least for this excercise). So in the
picture you can see in the Yearly backup section, that there is ONLY one specific day that a backup is considered Yearly. That day is
March 1st. So on March 1st the backup is done and when it's done, RVS will check to which retention period rules the backup apply. As
it is March 1st, the rule of Yearly will apply and it states that the retention period will be for 10 years.
In one month, April 1st, the backup runs, but again, if you look at the condition for what is considered a Yearly backup, you will
understand that a backup done on April 1st is NOT considered yearly backup, hence it WON'T apply for 10 year retention period.
The same applie to all the other rules for calculating the effective retention period.
upvoted 2 times

There will be a precedence applied to the backup options selected.
upvoted 1 times
  carterbest 1 year, 1 month ago

how do you know which backup applies for which time period?
upvoted 1 times
  PegasusForever 1 year, 1 month ago

Answer is correct!
upvoted 3 times

in exam 04/12/2020
upvoted 4 times
You have the Azure virtual machines shown in the following table:
You have a Recovery Services vault that protects VM1 and VM2.
You need to protect VM3 and VM4 by using Recovery Services.
A. Create a new Recovery Services vault
B. Create a storage account
C. Configure the extensions for VM3 and VM4
D. Create a new backup policy
Correct Answer: A
A Recovery Services vault is a storage entity in Azure that houses data. The data is typically copies of data, or configuration information for
virtual machines
(VMs), workloads, servers, or workstations. You can use Recovery Services vaults to hold backup data for various Azure services
Reference:
https://docs.microsoft.com/en-us/azure/site-recovery/azure-to-azure-tutorial-enable-replicatio

Answer is correct. "A" Create a new Recovery Services Vault. As the VM3 and VM4 are in a different region. then we need to create a new
one in the same region of VM3 and VM4 (data source). For storage account, it is created automatically by Azure.
for more details checl https://docs.microsoft.com/bs-cyrl-ba/azure/backup/backup-create-rs-vault#create-a-recovery-services-vault
upvoted 55 times

Correct Answer: A
VM3 and VM4 are in a different region from VM1 and VM2. So, we need to create a new Recovery Services Vault in the same region with
VM3 and VM4.
For storage account, it is created automatically by Azure.
A Recovery Services vault is a storage entity in Azure that houses data. The data is typically copies of data, or configuration information for
virtual machines (VMs), workloads, servers, or workstations. You can use Recovery Services vaults to hold backup data for various Azure
services.
Reference:
https://docs.microsoft.com/en-us/azure/site-recovery/azure-to-azure-tutorial-enable-replication
upvoted 32 times

upvoted 2 times

On exam 01.02.22
Answer: Create a new Recovery Services Vault
upvoted 4 times
  MaxToRo 3 months ago

Is right!
upvoted 1 times

A - Vm3 and vm4 are in a different region.
upvoted 1 times
  Merkur76 6 months, 3 weeks ago

came in exam 07/30/2021 - passed
A my answer
upvoted 3 times

Recovery Services Vault and the VMs need to be in the same Region and Subscription for backups.
The Storage account must be in the same region as the Recovery Services vault to store the reports.
The Log Analytics workspace can be in any region. It does not need to be in the same region as the recovery services vault.
Blobs cannot be backed up to service vaults.
upvoted 2 times

A is correct- A recovery service vault from the same Region
upvoted 2 times

Answer is correct. Recovery Services Vault should be available on the same region as target VMs to be protected.
upvoted 2 times

Came in exam 01 Jan 2021
upvoted 2 times

Really? You took exam on New Years Day? Was this moderated by someone on holiday???
upvoted 5 times
  wooyourdaddy 1 year ago

It's a bot, annoying. The people who own this site should remove these nonsense comments
upvoted 4 times

The question says "You HAVE a Recovery Services vault that protects VM1 and VM2". Why create a new RSV if you already have one. Tricky.
upvoted 2 times

NM, I reread the question. one only exists for VM1 and VM2
upvoted 1 times
  bogdan89 1 year, 2 months ago

Location: Select the geographic region for the vault. To create a vault to protect any data source, the vault must be in the same region as
the data source.
Important
If you're not sure of the location of your data source, close the dialog box. Go to the list of your resources in the portal. If you have data
sources in multiple regions, create a Recovery Services vault for each region. Create the vault in the first location before you create the
vault for another location. There's no need to specify storage accounts to store the backup data. The Recovery Services vault and Azure
Backup handle that automatically.
upvoted 8 times
HOTSPOT -
You have an Azure subscription that contains an Azure Storage account named storage1 and the users shown in the following table.
You plan to monitor storage1 and to configure email notifications for the signals shown in the following table.
You need to identify the minimum number of alert rules and action groups required for the planned monitoring.
How many alert rules and action groups should you identify? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:

Correct Answer:
You can define only one activity log signal per alert rule. To alert on more signals, create another alert rule.
Box 1: 4
You need 1 alert rule per 1 signal (1xIngress, 1xEgress, 1xDelete storage account, 1xRestore blob ranges).
Box 2: 3
You need 3 Action Groups (1xUser1 and User3, 1xUser1 only, 1xUser1 User2 and User3). Check ‘Users to notify’ column.
upvoted 78 times
  Chisom_J 9 months ago

thanks for the explanation
upvoted 9 times

Answer is correct. 4 Alert rules and 3 action groups
upvoted 37 times

upvoted 3 times

Correct Answer:
-4
-3
upvoted 3 times

4
3
upvoted 6 times

in exam 7/3/2021
upvoted 4 times

upvoted 4 times

Since 'You can define only one activity log signal per alert rule. To alert on more signals, create another alert rule.' there needs to be 4
alert rules, one for each signal. Since there are 3 different combinations of users to be alerted, you need 3 groups
upvoted 2 times

I Would go for 3 , 3
Rule ActionGroup
1.Ingress+Restoreblob User1+User3
2.Engress User1
3.Delete Storage User1+User2+User3
upvoted 5 times

upvoted 2 times
  enuka 11 months ago

This is correct
upvoted 1 times

Answer is correct.
upvoted 3 times
  Tanzz 1 year ago

Alert rules should be 3, as both metric alerts can be combined into one rule but both activity rules have to be defined separately (checked
in the portal).
upvoted 5 times

but you need to send notification for 2 different action groups !
upvoted 2 times
  Ghostwheel208 1 year ago

Hmm, I would say 4 alert rules (as we have 4 different "triggers") and 1 notification group (send email to me, for example). Different action
rules can use the same not.group. We are not sending the notifications to the different users, but to us.
upvoted 1 times
  Kiookr 1 year, 1 month ago

It should be :
Alert rules :4
Action Groups : 2
* Look at the Storage 1 Table Box * it say (User 1 Group 1 and User 3 Group 1)
that is 2 groups only
upvoted 6 times
  Sorrynotsorry 1 year, 2 months ago

I need to understand how this is the correct answer. any link?
upvoted 2 times

The answer is correct. You need 1 laert rule per 1 signal (1xIngress, 1xEgress, 1xDelete storage Account and 1xRestore blob..).
The Action Groups, you need 3 as 2 sets of the users are exactly the same which is (User1 and User3 only).
upvoted 40 times

Presuming the 3 action gorups come from the variations of the users to notify i.e. an aciton group for User1 and User3, User1 only, User1
User2 and User3?
upvoted 8 times

upvoted 2 times
You have an Azure subscription that contains the identities shown in the following table.
User1, Principal1, and Group1 are assigned the Monitoring Reader role.
An action group named AG1 has the Email Azure Resource Manager Role notification type and is configured to email the Monitoring Reader role.
You create an alert rule named Alert1 that uses AG1.
You need to identity who will receive an email notification when Alert1 is triggered.
Who should you identify?
A. User1 and Principal1 only
B. User1, User2, Principal1, and Principal2
C. User1 only
D. User1 and User2 only
Correct Answer: C
Email will only be sent to Azure AD user members of the Monitoring Reader role. Email will not be sent to Azure AD groups or service principals.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/action-groups

D (100%)

Correct Answer: C
Email will only be sent to Azure AD user members of the Monitoring Reader role. Email will not be sent to Azure AD groups or service
principals.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/action-groups
https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups#email-azure-resource-manager-role
upvoted 59 times

Did you actually test this? The question doesn't involve sending an email to a group but is instead concerned with role assignment
inheritance from the group. The link you're all posting isn't necessarily relevant. User 2 should inherit the role assignment from the
group, you can easily validate that in the portal.
I am waiting out the 24hr lag period before testing. Alert group scoped to email on VM creation or deletion, one user assigned role
directly and one via group. Will report back.
upvoted 8 times
  panjie_s 4 months, 2 weeks ago

result?
upvoted 1 times

Thanks for this Info
upvoted 2 times
  complexxL9 Highly Voted  8 months, 3 weeks ago

Answer is D.
AG sends to users that have 'reader' role, User2 inherits that role through Group1 membership.
upvoted 29 times

I'm agree
upvoted 3 times
  AZ_Guru_Wannabe Most Recent  5 days, 4 hours ago

Selected Answer: D
D
User 1 and User 2 - I can't figure out how it would only be User 1.
ActionGrp 1 sends email to Monitoring Reader role which has User1 and Group1 as members and Group1 has User2 as a member.
upvoted 1 times
  a7p11t 1 week ago

Selected Answer: D
User2 is also Monitoring Reader as it inherits the role from Group1
upvoted 1 times
  FabioVi 3 weeks, 1 day ago

Selected Answer: D
User2 is also Monitoring Reader as it inherits the role from Group1
upvoted 3 times

C
User1, Principal1, and Group1 are assigned the Monitoring Reader role.
upvoted 2 times
  Dreeves14 7 months, 3 weeks ago

Labbed this by making a new user and adding them to a group. Then assigned the monitoring reader role to the group. Signed in as the
user and did the "Check my access" and the role was assigned to the user despite their only affiliation was being in the group that was
assigned.
upvoted 6 times

After reading again, I guess this statement "Send email to the members of the subscription's role. Email will only be sent to Azure AD user
members of the role. Email will not be sent to Azure AD groups or service principals." can imply that only individual users will receive email
that are assigned the reader role, not those who inherit it through group membership.
upvoted 8 times

The answer should be "D. User1 and User2 only"
When you assign a role to a group, all users within that group have that role.
That being said, AG1 will also send an email notification to User2 since he/she inherited the 'Monitoring Reader' role through Group1
membership.
source: https://docs.microsoft.com/en-us/azure/role-based-access-control/overview#how-azure-rbac-works
upvoted 12 times
  adi142 8 months, 2 weeks ago

Why not User2 too?
upvoted 5 times

ONly emails member of the monitoring Reader role. "User1, Principal1, and Group1 are assigned the Monitoring Reader role."
upvoted 2 times

I believe User2 will inherit the reader role by being in group 1
upvoted 3 times

corrected: User2 inherits role from Group2
upvoted 3 times

corrected!: Email will not be sent to Azure AD groups or service principals
upvoted 2 times

Answer C
https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups#email-azure-resource-manager-role
"Send email to the members of the subscription's role. Email will only be sent to Azure AD user members of the role. Email will not be sent
to Azure AD groups or service principals."
upvoted 4 times
  anupam77 9 months, 3 weeks ago

Correct Answer - C
upvoted 3 times
HOTSPOT -
You have an Azure virtual machine named VM1 and a Recovery Services vault named Vault1.
You create a backup policy named Policy1 as shown in the exhibit. (Click the Exhibit tab.)
You configure the backup of VM1 to use Policy1 on Thursday, January 1 at 1:00 AM.
You need to identify the number of available recovery points for VM1.
How many recovery points are available on January 8 and January 15? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: 6 -
5 latest daily recovery points, which includes the weekly backup from the previous Sunday, plus the monthly recovery point.
Box 2: 8 -
5 latest daily recovery points, plus two weekly backups, plus the monthly recovery point.
Reference:
https://social.technet.microsoft.com/Forums/en-US/854ab6ae-79aa-4bad-ac65-471c4d422e94/daily-monthly-yearly-recovery-points-and-
storage-used? forum=windowsazureonlinebackup

Answer is correct in case yearly backup is also in the question.
If we assumed we have yearly, then the answer will be:
- @8 JAN: 5 daily backups ( 1 weekly backup included) + 1 monthly = 6
- @ 15 JAN: 5 daily backups ( 1 weekly backup included) + 1 weekly + 1 monthly +1 yearly = 8 backups
upvoted 69 times
  XolexHp 5 months, 2 weeks ago

I totally dont understand why only 6 - 8 recovery point??? Why we have daily backup, it means that everyday, each day has a point
=> Then means, from 1 JAN to 8 JAN we had 8 days <=> 8 points?!?!
Please help meeeeee
upvoted 4 times

Check for retention of daily backup point, in the daily case is set to 5, that means that every daily BK, called recovery points by Azure,
oldest than 5 days will be deleted.
https://docs.microsoft.com/en-us/azure/backup/backup-azure-vm-backup-faq
upvoted 7 times
  XolexHp 5 months, 2 weeks ago

Thank you, imartinez, understood
upvoted 3 times
  jimmyli 10 months, 1 week ago

in other words, 2nd box should be 7 which is not included in the four choices. because yearly backup is not mentioned, the correct
answer should be 5 daily backups including the latest weekly backup + 1 weekly for the previous weekend + 1 monthly backup
upvoted 2 times
  Thomas_L 10 months ago

its 6. We retain the 5 daily backups from January 4th - January 8th. There is a weekly backup on the 4th that we do NOT include in the
count because it's already backed up by the 5-day retention period of the daily backups.
Then we have a monthly backup on the 2nd, that is outside the 5-day retention period.
5 daily backups + 1 monthly backup = 6 backup points.
upvoted 2 times
  nbudummies 8 months ago

Where is the yearly backup? it's should be 7 as jimmy comment.
upvoted 2 times
  msidy2020 7 months, 3 weeks ago

why does yearly backup run before Jan 8th 2 PM ? it is not even scheduled
upvoted 1 times

correct.
upvoted 2 times
  PRabiu 1 year, 1 month ago

15th Jan is a Friday = 5 daily backups (Monday - Friday) + 2 Weekly (2 sundays) + 1 Monthly = 8 backups
upvoted 10 times
  Franpb90 9 months ago

15th Jan is a Thursday, and 1 weekly backup is the same that 1 daily backup. It should be 7 the second answer.
upvoted 1 times

Correct Answer:
Box 1: 6
5 latest daily recovery points, which includes the weekly backup from the previous Sunday, plus the monthly recovery point.
8th January = 5 daily backups (1 weekly backup included) + 1 Monthly = 6 backups
Box 2: 8
5 latest daily recovery points, plus two weekly backups, plus the monthly recovery point.
15th January is a Friday = 5 daily backups (Monday - Friday) + 2 Weekly (2 Sundays) + 1 Monthly = 8 backups
upvoted 23 times
  jose 4 months, 3 weeks ago

The answer is correct, but the explanation is not because 15th January is Thursday. So:
5 daily backups (11th Sunday weekly backup included) + 1 weekly backup (4th Sunday) + 1 Monthly + 1 Yearly = 8 backups
Box 2: 8.
upvoted 9 times
  husam421 Most Recent  1 week, 1 day ago

Question in exam today 10/2/2022
Answer is Correct
upvoted 1 times
  KamalB 1 month ago

Both the answer should be 6
- @8 JAN:
2 JAN - FRI - MONTHLY BACKUP

3 JAN - SAT - DAILY BACKUP
4 JAN - SUN - WEEKLY BACKUP
5 JAN - MON - DAILY BACKUP
6 JAN - TUE - DAILY BACKUP
7 JAN - WED - DAILY BACKUP
8 JAN - THU - DAILY BACKUP
1MONTHLY BACKUP [2-JAN] + 1 WEEKLY BACKUP [4-JAN] + 4 DAILY BACKUP [MON-THU]
- @15 JAN:
2 JAN - FRI - MONTHLY BACKUP

9 JAN - FRI - YEARLY BACKUP
1YEARLY BACKUP [9-JAN] + 1 WEEKLY BACKUP [11-JAN] + 4 DAILY BACKUP [MON-THU]

upvoted 1 times

Pessoal essas questão são reais a prova ou do measureap
upvoted 1 times
  jeffdoc 3 months, 1 week ago

Box 1 Ans: 6
> Jan 1 to Jan 8 is equal to 7 days or 1 week
> Daily backups = 5 (maximum based on daily retention policy)
> Weekly Backup = 1 (since it's only been 1 week)
> Total = 5 + 1 = 6
Box 2 Ans: 8
> Jan 1 to Jan 15 is equal 14 days or 2 weeks
> Daily backups = 5 (maximum based on daily retention policy)
> Weekly Backup = 2 (since it's been 2 weeks)
> Yearly Backup = 1 (happens every Jan 9)
> Total = 5 + 2 + 1 = 8
upvoted 5 times

Backup on January 8 contains 6 backups as follows:
08/Jan (daily) - Thu
07/Jan (daily) - Wed
06/Jan (daily) - Tue
05/Jan (daily) - Mon
04/Jan (daily/weekly) - Sun
02/Jan (monthly) - Fri

04/Jan (weekly) - Sun
Then they mention 8 backups because there is a yearly backup which is not mentioned in this question but it is supposed to be mentioned
in the exam.
upvoted 2 times


Then they mention 8 backups because there is a yearly backup which is not mentioned in this question but it is supposed to be mentioned
in the exam.
upvoted 1 times


17/Jan (daily) - Sat
16/Jan (daily) - Fri
upvoted 1 times

1 thu
2 Fri Monthly
3 Sat
4 Sun Weekly-1
5 Mon
6 Tue
7 Wed
8 Thu
9 Fri Yearly
10 Sat
11 Sun Weekly-2
12 Mon
13 Tue
14 Wed
15 Fri
this may clear your doubt.
upvoted 2 times
  iamLucilfer 5 months, 1 week ago

Answer here should be
Box1: 7
Box2: 9
upvoted 2 times
  Saravana12g 5 months, 1 week ago

01 Jan 2:00 AM(Thursday) - Daily Backup Retention for 5 Days until 6 Jan 2:00 AM
02 Jan 2:00 AM(Friday) - Daily Backup Retention for 5 Days until 7 Jan 2:00 AM + Monthly Backup Retention for 24 months.
03 Jan 2:00 AM(Saturday) - Daily Backup Retention for 5 Days until 8 Jan 2:00 AM
04 Jan 2:00 AM(Sunday) - Daily Backup Retention for 5 Days until 9 Jan 2:00 AM + Weekly Backup Retention for 20 weeks.
05 Jan 2:00 AM(Monday) - Daily Backup Retention for 5 Days until 10 Jan 2:00 AM
06 Jan 2:00 AM(Tuesday) - Daily Backup Retention for 5 Days until 11 Jan 2:00 AM
07 Jan 2:00 AM(Wednesday) - Daily Backup Retention for 5 Days until 12 Jan 2:00 AM
Box1: Answer = 6
Jan 8th 14:00 =
Daily Backup policy from 04 Jan 2:00 AM to 08 Jan 2:00 AM = 5 Recovery Points(Includes the Weekly Backup Policy from 04 Jan 2:00 AM)
+
Monthly Backup Policy from 02 Jan 2:00 AM = 1 Recovery Point
upvoted 2 times
  Saravana12g 5 months, 1 week ago

09 Jan 2:00 AM(Friday) - Daily Backup Retention for 5 Days until 14 Jan 2:00 AM + Yearly Backup Retention for 5 years.
10 Jan 2:00 AM(Saturday) - Daily Backup Retention for 5 Days until 15 Jan 2:00 AM
11 Jan 2:00 AM(Sunday) - Daily Backup Retention for 5 Days until 16 Jan 2:00 AM + Weekly Backup Retention for 20 weeks.
12 Jan 2:00 AM(Monday) - Daily Backup Retention for 5 Days until 17 Jan 2:00 AM
13 Jan 2:00 AM(Tuesday) - Daily Backup Retention for 5 Days until 18 Jan 2:00 AM
14 Jan 2:00 AM(Wednesday) - Daily Backup Retention for 5 Days until 19 Jan 2:00 AM
Box2: Answer = 8
Jan 15th 14:00 =
Daily Backup policy from 11 Jan 2:00 AM to 15 Jan 2:00 AM = 5 Recovery Points
+
Weekly Backup Policy from 04 Jan 2:00 AM = 1 Recovery Point
+
Monthly Backup Policy from 02 Jan 2:00 AM = 1 Recovery Point
+
Yearly Backup Policy from 09 Jan 2:00 AM = 1 Recovery Point
upvoted 2 times

in exam 7/3/2021
upvoted 3 times
  KS2020 7 months, 2 weeks ago

As per me Answer for both boxes should be 5
-@8 JAN; 5 daily backups (1 weekly backup and 1 monthly backup included - all the backup timings are 2:00AM)
-@15 JAN; 5 daily backups (1 weekly backup and 1 monthly backup and 1 yearly backup included - all the backup timings are 2:00AM)
Please correct me if I am wrong.
upvoted 1 times
  KS2020 7 months, 2 weeks ago

moderator Pls delete this. My answer is not correct.
upvoted 1 times
  trynapassmane 7 months, 3 weeks ago

how is the weekly included in the first one? if monthly is regarded as an extra day then weekly should be too
upvoted 1 times

upvoted 3 times
  mc3 11 months ago
Makes ZERO sense.
Box 1: 6 - 5 latest daily recovery points, **which includes the weekly backup from the previous Sunday**, plus the monthly recovery point.
Box 2: 8 - 5 latest daily recovery points, **plus two weekly backups**, plus the monthly recovery point.
Why does Box 1 answer INCLUDE the weekly backup in the daily backup total...and the Box 2 answer ADD the weekly backups to the daily
backup total? Seems like the answer should be EITHER: 7,8 (add weekly to both) OR 6,7 (include weekly in both). Either the weekly is
included in the daily, or it is not. Can't have it both ways.
upvoted 8 times
  jeremyburrows 11 months ago

my thoughts exactly. by the sounds of it there is a missing reference/picture regarding a yearly backup. the weekly backup on the same
say as a daily only counts as 1
upvoted 6 times

Since you have to count latest 5, so you cannot count yearly backup in daily backup. you will be counting from 11 to 15.
upvoted 1 times
Topic 7 - Testlet 1
Question #1 Topic 7
Introductory Info
Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study -

To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study
before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem
statements. If the case study has an
All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to
answer a question, click the Question button to return to the question.
Overview -
Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market.
Contoso products are manufactured by using blueprint files that the company authors and maintains.
Existing Environment -
Currently, Contoso uses multiple types of servers for business operations, including the following:
File servers
Domain controllers
Microsoft SQL Server servers
Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.
You have a public-facing application named App1. App1 is comprised of the following three tiers:
A SQL database
A web front end
A processing middle tier -
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
Requirements -
Planned Changes -
Contoso plans to implement the following changes to the infrastructure:
Move all the tiers of App1 to Azure.
Move the existing product blueprint files to Azure Blob storage.
Create a hybrid directory to support an upcoming Microsoft 365 migration project.
Technical Requirements -
Contoso must meet the following technical requirements:
Move all the virtual machines for App1 to Azure.
Minimize the number of open ports between the App1 tiers.
Ensure that all the virtual machines for App1 are protected by backups.
Copy the blueprint files to Azure over the Internet.
Ensure that the blueprint files are stored in the archive storage tier.
Ensure that partner access to the blueprint files is secured and temporary.
Prevent user passwords or hashes of passwords from being stored in Azure.
Use unmanaged standard storage for the hard disks of the virtual machines.
Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
Minimize administrative effort whenever possible.
User Requirements -
Contoso identifies the following requirements for users:
Ensure that only users who are part of a group named Pilot can join devices to Azure AD.
Designate a new user named Admin1 as the service admin for the Azure subscription.
Admin1 must receive email alerts regarding service outages.
Ensure that a new user named User3 can create network objects for the Azure subscription.
Question
HOTSPOT -
You need to configure the Device settings to meet the technical requirements and the user requirements.
Which two settings should you modify? To answer, select the appropriate settings in the answer area.
Hot Area:
Correct Answer:
Box 1: Selected -
Only selected users should be able to join devices
Box 2: Yes -

Correct Answer:
Box 1: Selected
As per User requirements “Ensure that only users who are part of a group named Pilot can join devices to Azure AD.”
So, “Selected” must be selected for “User may join devices to Azure AD”
Box 2: Yes
As per User Requirements “Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to
verify their identity”.
So, “Yes” must be selected for “Require Multi-Factor Auth to join devices”.
upvoted 37 times
  Alim786 Highly Voted  9 months, 2 weeks ago

Correct Answer
upvoted 8 times

On the exam today, 1.feb.2022, 1st question!
upvoted 4 times
  ilagnadod 3 weeks, 6 days ago
How about this...

First Setting:
“User may join devices to Azure AD”: change All -> Selected
“Ensure that only users who are part of a group named Pilot can join devices to Azure AD.”
Second Setting:
“Additional local administrators on Azure Ad joined devices”: change None -> Selected
“Designate a new user named Admin1 as the service admin for the Azure subscription.”
upvoted 1 times
  vasko85 2 months ago

Correct answer! Was on the exam today 15/12/2021. Passed with 927.
upvoted 2 times

Correct Answer:
- Selected for "User may join devices to Azure AD"
- Yes for "Require MFA to join devices"
upvoted 2 times
  AghaZulfiqar 2 months, 4 weeks ago

how much questions came from these questions?
upvoted 1 times
  nathk 4 months, 4 weeks ago

Was on exam 21/9/21
upvoted 3 times
  Hatsh 6 months ago

in exam 17/aug/2021
upvoted 3 times

upvoted 2 times

Selected
User may join devices to Azure AD
Require Multi-Factor Auth to join devices
upvoted 3 times

upvoted 2 times
  Dim3 7 months, 2 weeks ago

I think the option to register uses devices should be set to no. Because only joined devices
are allowed.
upvoted 3 times

But registering a device is different from joining a device.
upvoted 1 times
Question #2 Topic 7
Introductory Info
Case study -

Overview -
File servers
Domain controllers
A SQL database
A web front end
Requirements -
Planned Changes -
User Requirements -
Question
You need to meet the user requirement for Admin1.
What should you do?
A. From the Azure Active Directory blade, modify the Groups
B. From the Azure Active Directory blade, modify the Properties
C. From the Subscriptions blade, select the subscription, and then modify the Access control (IAM) settings
D. From the Subscriptions blade, select the subscription, and then modify the Properties
Correct Answer: D
Scenario:
✑ Designate a new user named Admin1 as the service admin for the Azure subscription.
✑ Admin1 must receive email alerts regarding service outages.
Follow these steps to change the Service Administrator in the Azure portal.
1. Make sure your scenario is supported by checking the limitations for changing the Service Administrator.
2. Sign in to the Azure portal as the Account Administrator.
3. Open Cost Management + Billing and select a subscription.
4. In the left navigation, click Properties.
5. Click Service Admin.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/classic-administrators

Correct Answer: D
As per User Requirements “Designate a new user named Admin1 as the service admin for the Azure subscription.”
So, In the Azure portal, you can view or change the Service Administrator or view the Account Administrator on the properties blade of
your subscription.
Check this: https://i.imgur.com/fKzqPKq.png

upvoted 58 times

thanks legend..
upvoted 10 times
  sri1972 Highly Voted  1 year, 1 month ago

Came in 01/09/21 exam. Passed exam with 906 marks. 98% of the questions are from this dump.
upvoted 35 times

Thanks for input. I also passed. many of questions from the dump
upvoted 11 times

in exam 29.12.21 - answer D
upvoted 3 times
  zb99 1 month, 3 weeks ago

Question may not be "wrong" but is completely out of date. Real answer should be C: IAM.
upvoted 2 times
  FabioVi 3 weeks ago

Nope... Service Admin is changed at Subscription Properties blade, option "Change service admin" at the top of the page.
upvoted 1 times

Are the case studies coming in exam exactly same like these ones? word to word, or do they change few things around?
upvoted 1 times
  Zarzi 3 months, 1 week ago

i pass the az900 and the question are word to word the same
upvoted 3 times

upvoted 2 times

Was on exam 21/9/21
upvoted 1 times
  jellybiscuit 5 months ago

D
https://docs.microsoft.com/en-us/azure/role-based-access-control/classic-administrators#change-the-service-administrator
upvoted 1 times

Why would a question on classic administrator and classic subscription feature in exams. Aren't these functionalities discouraged and will
be phased out !! I hope this question is retired soon. I spent a lot of time looking for the properties tab in my subscription and it is not
even there !!
upvoted 6 times

Yeah, this completely threw me off, I could not find it either. I don't even see a place to look at the Classic Administrator options. I go to
try the Classic Administrators tab and I get a message saying "This type of subscription does not support classic administrators."
upvoted 1 times

In 30 June 21
upvoted 1 times

Cam in exam 16june21. Passed.
upvoted 7 times

D is correct.
In the Azure portal, you can manage Co-Administrators or view the Service Administrator by using the Classic administrators tab.
In the Azure portal, you can view or change the Service Administrator or view the Account Administrator on the properties blade of your
subscription.
https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles#classic-subscription-administrator-
roles
upvoted 2 times

D is correct. Checked
upvoted 1 times

m the Subscriptions blade, select the subscription, and then modify the Properties to add admin as service admin
upvoted 2 times

D
https://i.imgur.com/fKzqPKq.png
upvoted 9 times

From the Subscriptions blade, select the subscription, and then modify the Properties to add Admin1 as Service Admin
upvoted 3 times
  fedztedz 1 year ago

Answer is correct "D"
Check https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles
upvoted 5 times
Topic 8 - Testlet 2
Question #1 Topic 8
Introductory Info
Case study -

Overview -
General Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.
Environment -
Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD) tenant. The network contains an on-
premises Active
Directory domain that syncs to the Azure AD tenant.
The Azure AD tenant contains the users shown in the following table.
Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.
User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table
No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.
Requirements -
Planned Changes -
Contoso plans to implement the following changes:
Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.
Create a storage account named storage5 and configure storage replication for the Blob service.
Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.
Associate NSG1 to the network interface of VM1.

Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.
Associate NSG2 to VNET1/Subnet2.
Create container1 and share1.
Use the principle of least privilege.
Create an Azure AD security group named Group4.
Back up the Azure file shares and virtual machines by using Azure Backup.
Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.
Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.
Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1
Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.
Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only permissions to the Azure file shares.
Question
HOTSPOT -
You need to ensure that User1 can create initiative definitions, and User4 can assign initiatives to RG2. The solution must meet the technical
requirements.
Which role should you assign to each user? To answer, select the appropriate options in the answer area.

Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/overview
  areza Highly Voted  1 month, 3 weeks ago

passed 902. in exam 29.12.21 - resource policy contributor for sub1, resource contributor for rg2
upvoted 5 times
  pappkarcsiii Most Recent  2 weeks, 1 day ago

U1: resource policy contributor for sub1,
U4: resource contributor for rg2
upvoted 2 times

upvoted 3 times

https://docs.microsoft.com/en-us/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy
upvoted 1 times

Correct,
I was thinking that maybe the contributor would be enough for the latter but no:
Many Built-in roles grant permission to Azure Policy resources. The Resource Policy Contributor role includes most Azure Policy
operations. Owner has full rights. Both Contributor and Reader have access to all read Azure Policy operations. Contributor may trigger
resource remediation, but can't create definitions or assignments.
https://docs.microsoft.com/en-us/azure/governance/policy/overview
upvoted 4 times
  haitao1234 2 months, 1 week ago

Answer is correct, resouce policy contributor is able to create and assign policy initiation
upvoted 4 times
Topic 9 - Testlet 3
Question #1 Topic 9
Introductory Info
Case study -

Overview -
File servers
Domain controllers
A SQL database
A web front end
Requirements -
Planned Changes -
User Requirements -
Question
You need to implement a backup solution for App1 after the application is moved.
What should you create first?
A. a recovery plan
B. an Azure Backup Server
C. a backup policy
D. a Recovery Services vault
Correct Answer: D
A Recovery Services vault is a logical container that stores the backup data for each protected resource, such as Azure VMs. When the backup
job for a protected resource runs, it creates a recovery point inside the Recovery Services vault.
Scenario:
There are three application tiers, each with five virtual machines.
Reference:
https://docs.microsoft.com/en-us/azure/backup/quick-backup-vm-portal

Correct Answer: D
As per requirements:
- Move all the tiers of App1 to Azure.
- There are three application tiers, each with five virtual machines.
- Ensure that all the virtual machines for App1 are protected by backups.
Before starting the backup process, you must create a Recovery Services Vault as an initial step, as a place for the backups, or restore
points, to be stored. Later steps include downloading recovery services agent, installing and registering the agent.
A Recovery Services vault is a logical container that stores the backup data for each protected resource, such as Azure VMs. When the
backup job for a protected resource runs, it creates a recovery point inside the Recovery Services vault.
Reference:
https://docs.microsoft.com/en-us/azure/backup/quick-backup-vm-portal
https://docs.microsoft.com/en-us/azure/app-service/manage-backup
https://docs.microsoft.com/en-us/azure/backup/tutorial-backup-windows-server-to-azure
upvoted 40 times
  SandipSingha Highly Voted  1 year, 5 months ago

correct
upvoted 18 times

upvoted 2 times

passed 902. in exam 29.12.21 - answer D
upvoted 3 times

Correct Answer: D
upvoted 5 times

in exam 17/aug/2021
upvoted 4 times

B. was my answer
upvoted 4 times
  Alitahir 6 months, 2 weeks ago

It’s D mate !!
upvoted 3 times
  Kopy 6 months, 2 weeks ago

congrats! How many cases were there in the exam?
upvoted 2 times
  Bloodwar 7 months ago

D. a Recovery Services vault
upvoted 2 times

In exam today. Given answer correct
upvoted 6 times

D is correct
upvoted 4 times

Recovery Services vault is the first step to protect any Azure resource.
upvoted 3 times

Answer is correct "D" Recovery services vault.
upvoted 14 times

upvoted 2 times

A Recovery Services vault is a logical container that stores the backup data for each protected resource, such as Azure VMs. When the
backup job for a protected resource runs, it creates a recovery point inside the Recovery Services vault.
upvoted 3 times

The key in this case study is a solution moving all tiers of App1 to Azure and ensuring all VMs for App1 are part of the backup. If VMs and
web front end were left out of the requirements and only the SQL database was referenced, then an App Service plan tier subscription in
the Azure storage account and container would be a less expensive DR to implement.
https://docs.microsoft.com/en-us/azure/app-service/manage-backup
With this case and all of the requirements needed D would be the best choice.
upvoted 5 times
  Amyrah 1 year, 3 months ago

Why not Back up server?
upvoted 2 times

Creating a Recovery Services Vault would be the initial step to configure the back up of a workload or an app. Downloading the client,
extracting and installing the Backup server is later in the process.
https://docs.microsoft.com/en-us/azure/backup/backup-azure-microsoft-azure-backup
upvoted 2 times
  TBah 1 year, 4 months ago

Correct
upvoted 2 times
Question #2 Topic 9
Introductory Info
Case study -

Overview -
File servers
Domain controllers
A SQL database
A web front end
Requirements -
Planned Changes -
User Requirements -
Question
You need to move the blueprint files to Azure.
What should you do?
A. Generate an access key. Map a drive, and then copy the files by using File Explorer.
B. Use Azure Storage Explorer to copy the files.
C. Use the Azure Import/Export service.
D. Generate a shared access signature (SAS). Map a drive, and then copy the files by using File Explorer.
Correct Answer: B
Azure Storage Explorer is a free tool from Microsoft that allows you to work with Azure Storage data on Windows, macOS, and Linux. You can
use it to upload and download data from Azure blob storage.
Scenario:
Planned Changes include: move the existing product blueprint files to Azure Blob storage.
Technical Requirements include: Copy the blueprint files to Azure over the Internet.
Reference:
https://docs.microsoft.com/en-us/azure/machine-learning/team-data-science-process/move-data-to-azure-blob-using-azure-storage-explorer

Answer is correct. "B" using Azure Storage Explorer.
It matches all the requirements:
- Move the existing product blueprint files to Azure Blob storage.
- Copy the blueprint files to Azure over the Internet.
upvoted 54 times
  NinjaPenguin 1 month, 4 weeks ago

And you can use SAS in Azure Storage Explorer
upvoted 1 times

And you can add that it matchs the requirement "Minimize administrative effort whenever possible." Other solutions need more admin
actions.
upvoted 11 times

Valid point there mr.
upvoted 3 times
  sn0rlaxxx 1 year, 1 month ago

best and shortest explanation of the answer.
upvoted 2 times

Correct Answer: B
- Ensure that the blueprint files are stored in the archive storage tier.
- Ensure that partner access to the blueprint files is secured and temporary.
- Minimize administrative effort whenever possible.
Azure Storage Explorer is a free tool from Microsoft that allows you to work with Azure Storage data on Windows, macOS, and Linux. You
can use it to upload and download data from Azure blob storage. It’s the best solution, because copies data through Internet and
minimizes administrative effort.
C: Azure Import/Export service is not using Internet, but ships data drives using a shipping carrier such as FedEx, UPS, or DHL.
D: You can't use SAS with a mapped drive.
upvoted 44 times

I was for D, thinking than the best approach was to use a SAS.
It is possible to use a SAS on "Azure Storage Explorer" but option D also mentions map a drive, and that's different, it's using Windows
Explorer and it doesn't support SAS.
upvoted 5 times

upvoted 3 times

passed 902. in exam 29.12.21 - answer B
upvoted 1 times

I think what missed in discussion - the archive storage is available only for blobs. And blueprints should be on archive storage. So Storage
Explorer is the only option.
upvoted 2 times

upvoted 3 times

in exam 17/aug/2021
upvoted 4 times

B was my answer
upvoted 3 times

upvoted 2 times

Explicitly mentioned copy Giles over the Internet
upvoted 5 times

Thanx here, I was using import / export, keyword here indeed is copy over the internet.
Once again a good trigger to read very carefull , it is very human to think already ...aahhhh I know.. and then get busted because of the
quick assumption.
Very good learning point for me..:-)
upvoted 3 times

B is correct
upvoted 3 times

Key here is: - Ensure that partner access to the blueprint files is secured and temporary
So only available is using SAS with temporary access. And since you cannot map drive using SAS, the only alternative solution is to use the
Azure Storage Explorer.
upvoted 4 times

upvoted 2 times
  pieronegri 1 year, 2 months ago

why not A. Map the drive and you are good to go. Access Key does not even need to be generated.
upvoted 2 times
  tzaroon 7 months ago

https://stackoverflow.com/questions/56010675/how-can-we-mount-azure-blob-storage-as-a-network-drive-in-windows
upvoted 1 times

Azure Storage Explorer is a free tool from Microsoft that allows you to work with Azure Storage data on Windows, macOS, and Linux. You
can use it to upload and download data from Azure blob storage.
upvoted 2 times
  YeJune 1 year, 3 months ago

Answer B is correct because it has mentioned in the technical requirement that Copy the blueprint files to Azure over the Internet.
upvoted 7 times
Question #3 Topic 9
Introductory Info
Case study -

Overview -
File servers
Domain controllers
A SQL database
A web front end
Requirements -
Planned Changes -
User Requirements -
Question
HOTSPOT -
You need to identify the storage requirements for Contoso.
Hot Area:
Correct Answer:
Box 1: Yes -
Contoso is moving the existing product blueprint files to Azure Blob storage.
Use unmanaged standard storage for the hard disks of the virtual machines. We use Page Blobs for these.
Box 2: No -
Box 3: No

Answer is correct:
- Yes: As mentioned, move the files to blob storage , in addition the unmanaged storage is used for VM's disks.
- NO: Azure files is not required here. As it is basically used for managed file shares accessed by NFS or SMB protocols. In addition, you
can't archive them https://feedback.azure.com/forums/217298-storage/suggestions/35343037-add-cold-and-archive-tiers-to-azure-files
- NO: Azure tables are not needed as they act as structured NoSQL which is not required with SQL on VM.
upvoted 58 times

- Ensure that the blueprint files are stored in the archive storage tier.
- Use unmanaged standard storage for the hard disks of the virtual machines.
- App1 is comprised of SQL database.
Box 1: Yes
Contoso is moving the existing product blueprint files to Azure Blob storage and requires using unmanaged standard storage for the hard
disks of the virtual machines. We use Page Blobs for these. As mentioned, move the files to blob storage , in addition the unmanaged
storage is used for VM's disks.
Box 2: No
Azure Tables are not needed as they act as structured NoSQL, which is not required with SQL on VM.
Box 3: No
Azure Files is not required here. As it is basically used for managed file shares accessed by NFS or SMB protocols. In addition, you can't
archive them.
upvoted 38 times

upvoted 3 times

Correct Answer: Y-N-N
upvoted 7 times

Was on exam 21/9/21
upvoted 3 times
  MrJR 5 months, 1 week ago

What about "Create a hybrid directory to support an upcoming Microsoft Office 365 migration project."? Does it not mean that we require
a Azure Files directory?
upvoted 2 times

Not needed for O365 migration.
upvoted 1 times

in exam 17/aug/2021
upvoted 2 times

In 30 July 21
upvoted 3 times

Y-N-N was my answer
upvoted 3 times

And what about the Contoso file servers? Shouldn't that indicate the need of Azure files?
upvoted 2 times
  saschgo 5 months, 4 weeks ago

The existing product blueprint files that are stored on Contoso file servers (on premise) are supposed to be moved to Azure Blob
storage.
upvoted 2 times

the question was on Jul 23, 2021 exam.
upvoted 3 times

Y-N-N
upvoted 3 times

Key here is: Use unmanaged standard storage for the hard disks of the virtual machines.
- Only Blob storage
upvoted 3 times
  DRBKK 1 year ago

Answers look fine to me. My only doubt is in the last question because Contoso has file servers, but in the requirements they do not
mention anything regarding file service (a part from the blob archive for the blueprints). So, NO should be OK.
upvoted 2 times
  mhmyz 1 year ago

Answer is correct.
>Ensure that partner access to the blueprint files is secured and temporary.
I think that is SAS.
https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview
upvoted 2 times

upvoted 2 times

I believe the given answer is correct because they explicitly mention wanting blob storage.
* Unmanaged disks use blob storage
*The existing multi-tiered on-prem webapp that contains the SQL server back-end is an IaaS lift and shift of 5 VMs so no tables, queues. It
makes no sense to me to rebuild it from scratch. IT also makes no scene to me to create a custom CMS with NOSQL, there are already
plenty of resources out there that offer that.
upvoted 4 times

There is also the mention of archive tier which is cool storage, offered as a blob storage tier only. Files, queues, and tables offer no hot,
or cool storage tiers.
upvoted 2 times

Files can now offers cool storage tier -> https://docs.microsoft.com/en-us/azure/storage/files/storage-files-planning#storage-tiers
upvoted 2 times
Topic 10 - Testlet 4
Introductory Info
Case study -

Overview -
General Overview -
Environment -
premises Active
Requirements -
Planned Changes -

Question
HOTSPOT -
You need to create container1 and share1.
Which storage accounts should you use for each resource? To answer, select the appropriate options in the answer area.

Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers https://docs.microsoft.com/en-
us/azure/storage/common/storage-account-overview
  Bere Highly Voted  3 months, 1 week ago

Storage (general-purpose v1) doesn’t support tier.
Standard (general-purpose v2) supports tier for Blob service and for Azure file.
Premium BlockBlobStorage doesn’t support tier.

Legacy Standard BlobStorage supports tier.

https://docs.microsoft.com/en-us/azure/storage/blobs/access-tiers-overview#default-account-access-tier-setting
Premium FileStorage doesn’t support tier.

https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-create-file-share?tabs=azure-portal
Container1 with tier: Can be created in storage2 (storagev2) and storage3. The question refers to BlobStorage (standard legacy one that
supports tier) and not to BlockBlobStorage (Premium one that doesn’t support tier).
Share1 with tier: Can be created in storage2 (storagev2) only.

upvoted 9 times

But if you go through Storagev2 account creation process, you will find storagev2 only support blob storage tier, doesn't support Azure
files tier(You can find this in 'advaince' option).
upvoted 1 times

I apologize, please disregard my comment.
Azure StorageV2 does support Fileshare hot/cool tier when the fileshare is created in portal
upvoted 1 times
  Timock Highly Voted  3 months, 1 week ago

Objective: Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.
Container1: Needs to be in a cool Storage Tier capable of supporting a container/vm.
In addition to storing Azure file shares, GPv2 storage accounts can store other storage resources such as blob containers, queues, or
tables. File shares can be deployed into the transaction optimized (default), hot, or cool tiers.
Storage accounts that support tiering Object storage data tiering between hot, cool, and archive is simply supported in Blob storage and
GPv2 accounts. General Purpose v1 aka GPv1 accounts don’t maintain tiering. Therefore, customers should easily convert their existing
GPv1 or Blob storage accounts into GPv2 accounts through the Azure portal.
Storage1: No: Although GPv1 can do fileshares it cannot be used for tiering.
Storage2: Yes: Blob containers can be stored in GPv2 and tiering is supported
Storage3: Yes: This is literally blob storage and a blob container and supports tiering.
Storage4: No: Can only be used to storage Azure file shares.
upvoted 6 times
  ilagnadod Most Recent  3 weeks, 5 days ago

Am I wrong here?
Box 1: Objective: Create a blob container named container1 – storage has to support Blob sources.
For container1 (blob container) use: storage 1, storage2 and storage3 only.
storage1 (storage or general purpose V1): supports Blob sources

storage2 (storageV2 or general purpose V2): supports blob resources
storage3: BlobStorage - supports blob resources
storage4: FileStorage – doesn’t support Blob sources
box 2: Create a file share named share1 that will use the Cool storage tier – storage has to support file sharing and tiering.
For share1 use: storage2 only
storage2 (storageV2 or general purpose V2): supports file shares and tiering.
storage1 (storage or general purpose V1): does not support file shares or tiering.
storage3: BlobStorage – supports tiering, but not file shares.
storage4: FileStorage – Supports only files shares, therefore, doesn’t support tiering.
upvoted 1 times
  polinoma 1 week, 4 days ago

The condition is container 1 to use Cool tier (container1 and a file share named share1 that will use the Cool storage tier). With V1 you
are able to create a blob storage, but the tier is only HOT. That's why storage 1 shouldn't be part of the answer. The correct answer is
storage2 and storage3 only
upvoted 1 times

Storage1: No: Although GPv1 can do fileshares it cannot be used for tiering.
Storage2: Yes: GPv2 can handle both file shares and tiering
Storage3: No: BlobStorage cannot be used for FileShares.
Storage4: No: This is a FileStorage account and will ONLY handle file shares and does not provide tiering.You can select a Premium model
but that is not a cool tier. If you need a cool tier you would have to go with a file share on a GPv2 storage account.
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview
https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-cloud-tiering-overview
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-upgrade?tabs=azure-portal
upvoted 3 times
  rigonet 3 months, 1 week ago

Storage accounts that support tiering
Object storage data tiering between hot, cool, and archive is simply supported in Blob storage and GPv2 accounts. General Purpose v1 aka
GPv1 accounts don’t maintain tiering.
Box 1 : storage2 and storage3 only

Box 2 : storage2 only
upvoted 1 times
  SanjSL 3 months, 2 weeks ago

Passed exam on 01/11/2021 with 894. This one came up and my answer was 2&3 and 2&4
upvoted 5 times
  Zarzi 3 months, 2 weeks ago

how mane % of questions of this topic did you get on your exam ?
upvoted 1 times
  Lionred 4 months, 2 weeks ago

For the Share1, why Storage4 cannot be used? Storage4 is a file share storage account that supports Cool tier.
upvoted 5 times
  zodraz 4 months, 2 weeks ago

No. They don't. Tried on lab. No possibility and is misleading...
upvoted 3 times
  az10411 4 months ago

This link suggests that Premium File Share does support cool tiering:
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-planning#storage-tiers
upvoted 1 times
  alex_p 4 months ago

This is for GPv2 File Storage- Not for Storage4 which Premuim File Storage type.
upvoted 2 times
  vivekchandra09 4 months, 3 weeks ago

Correct, Agree
upvoted 4 times

Correct.
upvoted 5 times
Introductory Info
Case study -

Overview -
General Overview -
Environment -
premises Active
Requirements -
Planned Changes -

Question
HOTSPOT -
You need to create storage5. The solution must support the planned changes.
Which type of storage account should you use, and which account should you configure as the destination storage account? To answer, select the
appropriate options in the answer area.

Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/storage/blobs/object-replication-configure?tabs=portal
  zodraz Highly Voted  4 months, 2 weeks ago

Answer is correct: Storage V2 and Storage 2. We want to use replication for blobs and only that storage type is available. The other one is
in Premium, which should never apply to the exams.
Quoting from https://docs.microsoft.com/en-us/azure/storage/blobs/object-replication-configure?tabs=portal:
"Before you configure object replication, create the source and destination storage accounts if they do not already exist. The source and
destination accounts can be either general-purpose v2 storage accounts or premium block blob accounts (preview). "
upvoted 14 times
  DevOpposite Highly Voted  4 months, 2 weeks ago

I m very lonely here
upvoted 10 times
  hifoda9249 4 months ago

Exam in 4 hours
upvoted 3 times

Good. Its impossible to study with a lot of people around.
upvoted 5 times
  DevOpposite 4 months ago

true, exam tomorrow. wish me luck O Old one..
upvoted 4 times

lucky or not ?
upvoted 1 times

upvoted 3 times

On exam 17/12/21 I selected this storagev2 and storage2 approved, not sure if it is correct
upvoted 1 times

Answer is correct.
One more thing I want to bring your attention is the difference between Storage account redundancy vs replication, which confuses me a
while.
Storage account redundancy GRS/RA-GRS support v1 and v2
but storage account replication only supports v2.

https://docs.microsoft.com/en-us/azure/storage/blobs/object-replication-overview
upvoted 4 times

Objective: Create storage5 and configure storage replication for the Blob Service.
Account Kind: Storage GPv2. It says nothing about Premium block blob accounts.
Destination: Storage2 is the only GPv2 account.
Azure Blob Storage contains three types of blobs: Block, Page and Append. A block is a single unit in a Blob.
Object replication is supported for general-purpose v2 storage accounts, and for premium block blob accounts in preview. Both the source
and destination accounts must be either general-purpose v2 or premium block blob accounts. Object replication supports block blobs
only; append blobs and page blobs are not supported.
Note: Object replication is supported when the source and destination accounts are in the hot or cool tier. The source and destination
accounts may be in different tiers.
In the question it states Blob Service but it literally means blob block as there are three types of blob storage and only block blobs are
supported for replication.
https://docs.microsoft.com/en-us/azure/storage/blobs/object-replication-overview
upvoted 5 times
  Ash3250 3 months, 3 weeks ago

DevOppsite, Have you received the questions from this Dump?
upvoted 1 times
Introductory Info
Case study -

Overview -
Litware, Inc. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York office has 200 employees.
All the resources used by Litware are hosted on-premises.
Litware creates a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain named litware.onmicrosoft.com. The
tenant uses the
Premium P1 pricing tier.
The network contains an Active Directory forest named litware.com. All domain controllers are configured as DNS servers and host the
litware.com DNS zone.
Litware has finance, human resources, sales, research, and information technology departments. Each department has an organizational unit (OU)
that contains all the accounts of that respective department. All the user accounts have the department attribute set to their respective
department. New users are added frequently.
Litware.com contains a user named User1.
All the offices connect by using private connections.
Litware has data centers in the Montreal and Seattle offices. Each office has a firewall that can be configured as a VPN device.
All infrastructure servers are virtualized. The virtualization environment contains the servers in the following table.
Litware uses two web applications named App1 and App2. Each instance on each web application requires 1 GB of memory.
The Azure subscription contains the resources in the following table.
The network security team implements several network security groups (NSGs)
Requirements -
Planned Changes -
Litware plans to implement the following changes:
Deploy Azure ExpressRoute to the Montreal office.
Migrate the virtual machines hosted on Server1 and Server2 to Azure.
Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
Migrate App1 and App2 to two Azure web apps named WebApp1 and WebApp2.
Litware must meet the following technical requirements:
Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instances.
Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.
Ensure that routing information is exchanged automatically between Azure and the routers in the Montreal office.
Enable Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.litware.com.
Connect the New York office to VNet1 over the Internet by using an encrypted connection.
Create a workflow to send an email message when the settings of VM4 are modified.
Create a custom Azure role named Role1 that is based on the Reader role.
Minimize costs whenever possible.
Question
You discover that VM3 does NOT meet the technical requirements.
You need to verify whether the issue relates to the NSGs.
A. Diagram in VNet1
B. Diagnostic settings in Azure Monitor
C. Diagnose and solve problems in Traffic Manager profiles
D. The security recommendations in Azure Advisor
E. IP flow verify in Azure Network Watcher
Correct Answer: E
Scenario: Contoso must meet technical requirements including:
IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP,
remote IP, local port, and remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. While
any source or destination IP can be chosen,
IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview

E (100%)

correct
use
Test-AzNetworkWatcherIPFlow to get NSG security rule which blocked traffic +
Get-AzEffectiveNetworkSecurityGroup to get details of NSG rules
https://docs.microsoft.com/en-us/azure/network-watcher/diagnose-vm-network-traffic-filtering-problem-powershell
upvoted 15 times
  fabylande Highly Voted  4 months ago

upvoted 9 times
  pappkarcsiii Most Recent  2 weeks, 1 day ago

Selected Answer: E
IpFlow can check port traffic
upvoted 1 times
Introductory Info
Case study -

Overview -
tenant uses the
Requirements -
Planned Changes -
Question
You need to ensure that VM1 can communicate with VM4. The solution must minimize the administrative effort.
What should you do?
A. Create an NSG and associate the NSG to VM1 and VM4.
B. Establish peering between VNET1 and VNET3.
C. Assign VM4 an IP address of 10.0.1.5/24.
D. Create a user-defined route from VNET1 to VNET3.
Correct Answer: C
Reference:
  Lionred Highly Voted  4 months, 2 weeks ago

I think this question is missing some critical info. Where does the VNET3 and 10.0.1.x/24 come from? No mentioning of them at all in the
question!
upvoted 24 times
  JCSYS_001 Highly Voted  3 months ago

It appears that this question is for one of the other Case Studies. 'Topic 9 - Testlet 3'. It makes more sense and the answer would then be
'B. Establish peering between VNET1 and VNET3.'
upvoted 10 times
  Sharathjogi Most Recent  3 weeks ago

Stupid question
upvoted 1 times

alguém pegou algum estudo de caso, além desses mencionados aqui no Exmetopics? qual o peso dessas questão no exame az-104? vou
fazer a prova na proxima semana que Deus me ajude.
upvoted 2 times

I`ve passed the exam today with 900 and had this question. It was connected to testlet which has VNET1-4 and VM1-5.
Few maybe helpful info:

I got two case studies (testlests), each having 5 questions , one at the begining and one at the end (and in between 53 questions).
As you can see there is a lot missing questions in testlets but some of those were the same as previous "normal" cut from the case study
content - I got some with storage that I think I saw earlier.
From the rest questions I got about 4-5 new ones.

upvoted 7 times
  Lionred 2 months ago

This question apparently is missing critical info regarding vNet3. I think the missing part contains something like "vNet3 was created in
Azure then VM1 was migrated to vNet3, vNet3 isn't peered with any other vNets, now what to do if we want VM1 to be able to talk to VM4
that is on vNet1?"
If I am correct, the correct answer should be B Establish peering between vNet1 and vNet3.
upvoted 2 times
  Marciojsilva 2 months, 3 weeks ago

we need a vpn site-to-site to communicate Azure and on Premisses, look de answer

upvoted 1 times
  John117 2 months, 4 weeks ago

where does it state the IP information?
upvoted 1 times
  ShockWaveSix 3 months ago

Absurd question.... The planned changes specify migrating VM1 to Azure. But no mention of where they're getting VNet3 from, or what IP
space is in use by... anything.
upvoted 1 times
  shamsay 3 months, 3 weeks ago

which one is correct answer?
upvoted 2 times

It could be A
"Create an NSG and associate the NSG to VM1 and VM4"
upvoted 1 times

Based on given scenario, VM1 is located in VMware (on-premise). You cannot associate a NSG to a VM in VMware. In my opinion, the
question is probably messed up or missing some essential information.
upvoted 3 times

VM1 is on-premise - you can't associate the NSG
Based on purely the fact this can't be right, and there is no mention of VNET 3 at all, C is an only viable answer (although still not really
great)
upvoted 3 times

A - Create a network security group and apply it to the two machines.
upvoted 1 times
  jose 4 months, 3 weeks ago

VNET3?
upvoted 3 times
  Plextor 2 months, 2 weeks ago

Yes exactly, I was going to comment the same. No reference to VNET3 on the scenario.
upvoted 1 times
  Charlie2019 4 months, 3 weeks ago

should be: D
upvoted 4 times
  danito 2 months, 4 weeks ago

wind direction? xD
upvoted 1 times

How do you get this?
upvoted 1 times
Introductory Info
Case study -

Overview -
tenant uses the
Requirements -
Planned Changes -
Question
HOTSPOT -
You need to meet the connection requirements for the New York office.
Hot Area:
Correct Answer:
Box 1: Create a virtual network gateway and a local network gateway.

Azure VPN gateway. The VPN gateway service enables you to connect the VNet to the on-premises network through a VPN appliance. For more
information, see
Connect an on-premises network to a Microsoft Azure virtual network. The VPN gateway includes the following elements:
✑ Virtual network gateway. A resource that provides a virtual VPN appliance for the VNet. It is responsible for routing traffic from the on-
premises network to the
VNet.
✑ Local network gateway. An abstraction of the on-premises VPN appliance. Network traffic from the cloud application to the on-premises
network is routed through this gateway.
✑ Connection. The connection has properties that specify the connection type (IPSec) and the key shared with the on-premises VPN appliance
to encrypt traffic.
✑ Gateway subnet. The virtual network gateway is held in its own subnet, which is subject to various requirements, described in the
Recommendations section below.
Box 2: Configure a site-to-site VPN connection
On premises create a site-to-site connection for the virtual network gateway and the local network gateway.
Scenario: Connect the New York office to VNet1 over the Internet by using an encrypted connection.
Incorrect Answers:
Azure ExpressRoute: Established between your network and Azure, through an ExpressRoute partner. This connection is private. Traffic does not
go over the internet.
Reference:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/vpn
  wsscool Highly Voted  7 months, 2 weeks ago

in exam 7/3/2021
upvoted 10 times
  dj88456 Highly Voted  6 months ago

Answer is correct.
upvoted 5 times

in exam 10/2/2022
upvoted 2 times
  mfvsidiangco 2 months, 1 week ago

Does AZ-104 have labs or just case studies?
upvoted 1 times
  Oulmy1 2 months ago

just case studies, no labs
upvoted 3 times

Good to know! my first AZ104 had labs 3 years ago. I should have renewed it last year.
Now, I'm going through this review again :(
upvoted 1 times
  Pamban 3 months ago

in exam 15/11/2021
upvoted 1 times

upvoted 4 times

How do you create a local net work gateway inside of the Azure portal?
upvoted 3 times

Search for local network gateway and create.
This is essentially a reference point for Azure to know how to connect to the remote endpoint. This is used when establishing the VPN
connection
upvoted 1 times
  chopper563 5 months ago

The first is create a virtual network gateway & a local network gateway in the Azure Portal. Please see the steps for S2S VPN Connection at
upvoted 4 times
  SongOTD 6 months, 1 week ago

It says from Azure portal, I think it should be virtual network gateway only for the first quesiton.
upvoted 4 times

Nope, you need to create a local network gateway, it's a common mistake I've made before as well. The wording is tricky with "local" in
there.
"The local network gateway is a specific object that represents your on-premises location (the site) for routing purposes."
upvoted 6 times
Introductory Info
Case study -

Overview -
File servers
Domain controllers
A SQL database
A web front end
Requirements -
Planned Changes -
User Requirements -
Question
HOTSPOT -
You need to recommend a solution for App1. The solution must meet the technical requirements.
What should you include in the recommendation? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
This reference architecture shows how to deploy VMs and a virtual network configured for an N-tier application, using SQL Server on Windows
for the data tier.
Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers:
✑ A SQL database
✑ A web front end
✑ A processing middle tier
Technical requirements include:
✑ Move all the virtual machines for App1 to Azure.
✑ Minimize the number of open ports between the App1 tiers.
Reference:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/n-tier/n-tier-sql-server

- You have a public-facing application named App1. App1 is comprised of the following three tiers: A SQL database, A web front end and A
processing middle tier. Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
- Move all the virtual machines for App1 to Azure.
- Minimize the number of open ports between the App1 tiers.
Box 1: 1
1 VNET and then follow the N-tier application architecture.
Box 2: 3
3 Subnets (1 Subnet for each tier of the App1). The tiers can communicate each other, because they are inside the same VNET. Of course
you would need additional NSGs to restrict traffic.
Reference:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/n-tier/n-tier-sql-server
upvoted 42 times

Answer is correct.
1 VNET
3 subnets
upvoted 29 times
  ScreamingHand Most Recent  8 months, 1 week ago

These case studies are huge, and yet you could just skip to the end, read the question, and very quickly ascertain the correct answer by
going back and skim reading the requirement.
upvoted 11 times
  Sharathjogi 3 weeks ago

Absolutely, I realized the same. If we read the complete question, we end up wasting so much time, lol :)
upvoted 1 times

Agreed. Don't waste time reading through the whole blurb. A lot of it is extra fluff to distract you. Read the question first, and then go
back to the case study description to determine what information needs to be gathered to answer the question.
upvoted 4 times

This is probably the right play because it tells you specifically which pieces of info actually are relevant to the question at hand
upvoted 2 times

"Minimize the number of open ports between the App1 tiers.", With 1 VNET, we have all ports open between the App1 tiers. With 3 VNETs
and 1 Subnet for each VNET, it can be solved.
upvoted 4 times
  nicksu 9 months, 1 week ago

1 x Vnet, 3 x Subnet and 3 x NSGs might solve this as well
upvoted 4 times
  EricJason 10 months, 2 weeks ago

I am a SA and I never did that design in my last two years.... nobody wants 3 vnet peering solutions for this..
upvoted 7 times

You want the 3 subnets so that the tiers can communicate freely with each other. If you and 1 VNet and 1 Subnet you would need to create
a bunch of NSGs. That would create more administrative effort.
upvoted 6 times
  Vole51 11 months, 1 week ago

1 VNET and 3 Subnets. 1 Subnet for each Tier of the App1

upvoted 3 times

Given Answer is correct
1 Vnet
3 Subnet for 3 Tiers
upvoted 4 times

Key here is: Minimize administrative effort whenever possible.
So One Vnet, three Subnets to separate the 3 tiers.
upvoted 8 times

1 VNET - 3 subnets
upvoted 2 times
  DRBKK 1 year ago

Although you could place all VMs in a single subnet, that does not seem to be a recommended configuration.
upvoted 2 times

It sure does not : "Minimize the number of open ports between the App1 tiers."
upvoted 4 times

upvoted 3 times
  maymaythar 1 year, 2 months ago

Anyone? Is that right answer plz? Thanks
upvoted 2 times
  rcdumps 1 year, 2 months ago

Yes, 1 VNET can contain the 3 Subnets for the 3 Tiers.
upvoted 8 times
Introductory Info
Case study -

Overview -
File servers
Domain controllers
A SQL database
A web front end
Requirements -
Planned Changes -
User Requirements -
Question
You are planning the move of App1 to Azure.
You create a network security group (NSG).
You need to recommend a solution to provide users with access to App1.
What should you recommend?
A. Create an incoming security rule for port 443 from the Internet. Associate the NSG to the subnet that contains the web servers.
B. Create an outgoing security rule for port 443 from the Internet. Associate the NSG to the subnet that contains the web servers.
C. Create an incoming security rule for port 443 from the Internet. Associate the NSG to all the subnets.
D. Create an outgoing security rule for port 443 from the Internet. Associate the NSG to all the subnets.
Correct Answer: A
Incoming and the web server subnet only, as users access the web front end by using HTTPS only.
Note Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers:
✑ A SQL database
✑ A web front end
✑ A processing middle tier
  mcleavin Highly Voted  1 year, 1 month ago

Congrats to anybody that got this far! Answer is correct
upvoted 131 times

Nothing to congrate mate. I am taking exam day after tomorrow and are sh*ting my pants because I know how much I do not know...
upvoted 9 times
  scouttyper 3 months ago

howd it go?
upvoted 2 times

Hahahaha, this section is boring.
upvoted 4 times
  Jasonwcc Highly Voted  1 year ago

All the best to everyone that has arrived at this final page. My first comment tho. Good Luck and Good Health to everyone! Cheers!
upvoted 63 times

Yes, everyone's discussion, comments and supportive opinions really make the forum and questions extremely constructive. Best of
luck as well to your future endeavors!
upvoted 28 times

passed 902. in exam 29.12.21 - answer A
upvoted 6 times

Taking the exam today, wish me luck! will update in the main page for this exam.
https://www.examtopics.com/exams/microsoft/az-104/
upvoted 1 times

Correct answer is A, however in real world scenario the needed NSG rule will be allowing traffic from the public load balancer / application
gateway to all web servers in the web server subnet, not directly allowing HTTPS traffic from the Internet to the web server subnet. In
addition there will be rule allowing HTTPS traffic from the Internet to the public load balancer / application gateway.
upvoted 2 times
  csarti01 2 months, 1 week ago

Correct and it was on exam on Dec 10th.
For all of you wondering whether it is enough to study with these materials, I can say yes. Of course you also have to investigate a little
more on each topic.
I've passed the AZ-104 today with 878 points at the first attempt. The majority of the questions can be found here.
upvoted 5 times
  MakaSihle 2 months, 1 week ago

Taking the exam today and I am doing final touches to my preparations. Hope I make it
upvoted 1 times

upvoted 3 times

Was on exam 21/9/21
upvoted 4 times
  Sriharikg 6 months, 1 week ago

I passed exam on 10/08/2021(10th Aug 2021) and 98% question was from exam topics questions. Please go through all questions and
answer twice before you take up the exam.
upvoted 11 times

Incoming rule is needed here not outgoing
upvoted 1 times
  Leo128 6 months, 2 weeks ago

Correct
upvoted 1 times

In 30 July 21
upvoted 2 times

Wishing everyone Wealth, Health & Happiness!!!
upvoted 18 times

Correct Answer: A
- You have a public-facing application named App1. App1 is comprised of the following three tiers: A SQL database, A web front end and A
processing middle tier. Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
- Move all the virtual machines for App1 to Azure.
- Minimize the number of open ports between the App1 tiers.
You must create at least one NSG and associate with the Subnet that contains the web front-end, because user should be able to access
the web front end by using HTTPS only. By default NSG blocks all incoming traffic, so you need to create an inbound security rule to allow
traffic for port 443 from the Internet.
upvoted 30 times
  Santhosh75 6 months, 2 weeks ago

why did u not replied to the Question set 5 and 6
upvoted 5 times
  Anand044 3 months, 3 weeks ago

He only replied about 5 months ago. If question were added recently you will not see his answers
upvoted 1 times
  viking1 11 months, 1 week ago

A is correct. Outbound rules are not relevant for this particular task, and assigning the NSG to all subnets would open more ports than
required in subnets where they should not be. 443 would not be required for the data storage tier, and 1433 would have to be added to
the NSG in case it was assigned to all the subnets, which would also open it for the other tiers. Option A is the only solution that meets the
requirements.
upvoted 9 times

A is correct
upvoted 5 times
Introductory Info
Case study -

Overview -
tenant uses the
Requirements -
Planned Changes -
Question
HOTSPOT -
You need to implement Role1.
Which command should you run before you create Role1? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
  Gromble_ziz Highly Voted  7 months, 2 weeks ago

Get-AzRoleDefinition -name "Reader" |ConvertTo-Json
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions-list?tabs=roles
upvoted 27 times

Addition:
Create customer azure role from Json
https://docs.microsoft.com/en-us/powershell/module/az.resources/new-azroledefinition?view=azps-6.2.0#example-2--create-using-
json-file
upvoted 6 times

in exam 10/2/2022
upvoted 2 times

Correct. As the requirement states "Create a custom Azure role named Role1 that is based on the Reader role"...
... then you first need to know what the Reader role implies.
upvoted 2 times
  kandovn 1 month ago

Correct answer
upvoted 1 times
On exam 01.02.22
Answer: Get-AzRoleDefinition <role_name> | ConvertTo-Json
upvoted 4 times
  Pamban 3 months ago

in exam 15/11/2021
upvoted 4 times

upvoted 3 times

Answer is correct
Get-AzRoleDefinition <role_name> | ConvertTo-Json
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions-list?tabs=roles
upvoted 2 times
Introductory Info
Case study -

Overview -
tenant uses the
Requirements -
Planned Changes -
Question
You need to recommend a solution to automate the configuration for the finance department users. The solution must meet the technical
requirements.
What should you include in the recommendation?
A. Azure AD B2C
B. dynamic groups and conditional access policies
C. Azure AD Identity Protection
D. an Azure logic app and the Microsoft Identity Management (MIM) client
Correct Answer: B
Scenario: Ensure Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
The recommendation is to use conditional access policies that can then be targeted to groups of users, specific applications, or other
conditions.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
  imartinez Highly Voted  7 months, 1 week ago

Answer is correct: "dynamic groups and conditional access policies"
Last question, wish you all the best!
upvoted 50 times

And all the best to you, if you took the exam - I hope you have passed!
upvoted 6 times
  Merkur76 Highly Voted  6 months, 3 weeks ago

Congratulations!
For reaching this end.
07/30/2021 AZ 104 passed with 909 points.
About 70% of the questions were from here.
Many given answers here are wrong.

Look carefully in the comments, there are more often the correct answers.
If you work through Microsoft Learn like I did, I'll give you a tip: Do everything you learn directly in Azure once yourself. This is the only
way to have a chance to answer the questions that are not listed here.
upvoted 31 times

Congrats on passing the exam. Comments and discussion are the main reasons why I am here. Apart from 1 course I could not find any
place with authoritative answers. Many places where you can BUY a test exam - they have questions from here with WRONG answers. I
have learned more from reading discussions here and FOLLOWING links attached to the official Microsoft documentation that I did
from going through a course that should prepare me for 104
upvoted 4 times
I don't thinkg that many given answers are wrong here. I bought the Measure Up for$100 and got 206 questions there, none of those
questions were in my exam which I failed with 640, after taking it and coming back here, ExamTopics have more relevant questions.
Going through all Microsoft Learn is good, but it can take you months and it's huge, the knowledge there. For passing the exam, only
dumps like these are good, even though you pass the exam, doesn't mean you can work with azure without properly working with it!
upvoted 3 times
  distantamilan Most Recent  1 week ago

Took the exam yesterday and passed.
Most questions were from here. Good Luck!
upvoted 2 times
  husam421 1 week, 1 day ago

in exam 10/2/2022
upvoted 2 times
  danutzz 2 weeks, 2 days ago

I barely passed today, Feb 01, 2022. Many of the test questions came from this dump, but there were also several questions that were not
listed here. Be familiar with the Case studies, they are very relevant.
upvoted 5 times
  larsmattim 2 weeks, 3 days ago

Passed the exam today. Like everyone says 80% is covered with this pool. So perfecting it here might just be fine for passing the exam, but
additional studies to understand in depth will assure you not only passing the exam but also your azure expertise for long time to come.
upvoted 2 times
  Gadzee 3 weeks ago

Good luck guys, passed my exam yesterday 27/ 01/ 2022.
Please check comments under Fedztedz, Mlantonis and Zumy.
upvoted 2 times
  NguoiNgu 3 weeks, 1 day ago

Pass my exam today. Thanks for all the contributions. Everything questions but 2 are from here. Highly recommend memorizing the
answers from the case study. It saves me lots of time. It is challenging to take the exam in the current environment without the ability to
map out the data freely. Good luck everybody.
upvoted 3 times
  Jonny6233 1 month ago

Passed exam yesterday with 891 points. Thanks to you all for discussing! 80-90% of the questions are in this catalog. A difficult exam in my
opinion...
upvoted 2 times
  zielzky 1 month, 4 weeks ago

Thank you guys so much!! Passed with 927 marks. 90-95% of questions were from this dump. Again - read all comments to make sure
which answer is correct :) Love you all!!!!
upvoted 6 times
  Takloy 1 month, 4 weeks ago

Passed 813/1000! I took a break for a week and just studied the last 100 question from this dumps and surprisingly passed. Also, I think
90% of the questions are here. So just study hard and surely you'll get 900+/1000.
upvoted 1 times

Good luck everyone, passed today with 894/1000 - 80% of the questions from examtopics, same case studies aswell.
upvoted 2 times
  vasko85 2 months ago

Just passed today 15/12/2021 with 927 points.
There were 62 questions in total on the exam. Only 3-4 were not from this dump. Paying for a contributor access was worth it :)
I wish luck to everyone that is still to take the exam. Make sure to read the discussions and I'd suggest to go throw all the questions at
least twice before the exam.
upvoted 1 times

Congrats for making this far! My exam is still on Monday though. Wish me luck.
Btw, are there labs in the exam?
upvoted 1 times
  Lost_now_Found 3 months ago

I'm taking the exam tomorrow, wish me luck!!!!
upvoted 3 times
  timtim589 3 months, 1 week ago

Good luck guys, I'll be taking the exam in two days, I hope I pass!
upvoted 2 times
  timtim589 3 months, 1 week ago
Passed with 920 points! :)

80% of questions were from here. I studied using Pluralsight and I had read al the relevant Azure Docs. After that I browsed this dump
in a couple of days (2 or 3 pages daily) and read all the discussions. Good luck champs!
upvoted 5 times
  TheHunter52 3 months, 1 week ago

Hey Guys
You are on a good path.
11/10/2021 AZ-104 passed with 818 points.
80-85% of the questions from this dump.
Good luck you guys.
upvoted 6 times

Az-104 Preguntas y Respuestas

Uploaded by

Copyright:

Available Formats

Az-104 Preguntas y Respuestas

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Az-104 Preguntas y Respuestas

Uploaded by

Copyright:

Available Formats

18/2/22, 17:50 AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

- Expert Verified, Online, Free.

 Custom View Settings

Topic 1 - Question Set 1

A. Create Azure Management Groups for each department.

B. Create a resource group for each department.

C. Assign tags to the virtual machines.

D. Modify the settings of the virtual machines.

Community vote distribution

  Briian Highly Voted  1 month, 3 weeks ago

  examinee22 1 month, 1 week ago

  shravan101 1 month, 2 weeks ago

  Ab198817 1 month, 2 weeks ago

  green_arrow Highly Voted  7 months, 2 weeks ago

  Shakar Most Recent  6 days, 16 hours ago

  nqthien041292 1 week, 1 day ago

  Happiman 2 weeks ago

  Veerus_67 2 weeks, 5 days ago

  yakko83 2 weeks, 3 days ago

  al608 2 weeks, 5 days ago

  PassForSure007 3 weeks, 4 days ago

  Shabbow 4 weeks, 1 day ago

  Salu007 4 weeks, 1 day ago

  pthind 1 month ago

  jersey732 1 month ago

  cloudAzureIS 1 month, 1 week ago

  kippp 1 month, 2 weeks ago

  robertparker 1 month, 1 week ago

  Sah1Rj 1 month, 1 week ago

  cisco112 1 month, 1 week ago

  cloudAzureIS 1 month, 1 week ago

  Bhavin_1998 1 month, 1 week ago

  carty 1 month, 3 weeks ago

  NishKum 2 months, 1 week ago

tags gives a way to do cost based on their names

  Iclectic 2 months, 1 week ago

Community vote distribution

  green_arrow Highly Voted  7 months, 2 weeks ago

  rzv Highly Voted  5 months, 1 week ago

  Pamban 3 months, 1 week ago

  omw2wealth 4 months, 3 weeks ago

  PeterHu Most Recent  3 days, 19 hours ago

  MilkGod 1 week, 1 day ago

  nqthien041292 1 week, 1 day ago

  PassForSure007 3 weeks, 4 days ago

  Shabbow 4 weeks ago

  elishlomo 1 month, 1 week ago

  leoiq91 1 month, 2 weeks ago

  hanyahmed 1 month, 3 weeks ago

  Prano 2 months, 1 week ago

  azure_learner1329 2 months, 2 weeks ago

  John117 2 months, 3 weeks ago

  Roger95 2 months, 3 weeks ago

  poojamh4 2 months, 4 weeks ago

  Swathi_Devi 3 months, 3 weeks ago

Glad you reading this!

  Yogarajan 2 months, 3 weeks ago

  nherrerab 3 months, 3 weeks ago

Community vote distribution