AZ-104 Practice Test

A. × Incorrect: Network Manager role is incorrect because network management roles do not grant permissions to manage Microsoft Entra groups.

B. × Incorrect: Security Officer role is incorrect because s are related to security policies and compliance rather than managing user groups directly.

C. ✓ Correct: User Administrator role is correct because it is the User Administrator role includes the necessary permissions to create, modify, and manage Microsoft Entra groups.

D. × Incorrect: Application Owner role is incorrect because s focus on managing applications and their associated services, not user or group management.

A. ✓ Correct: Microsoft Entra ID with managed identities is correct because it uses Microsoft Entra ID with managed identities to securely manage access without storing secrets.

B. × Incorrect: Role-based access control (RBAC) is incorrect because although RBAC can be used for Azure Storage, it does not provide the secure secret management that managed identities offer.

C. × Incorrect: Shared key is incorrect because authentication involves storing and managing keys manually, which is less secure than using managed identities.

D. × Incorrect: Queue SAS is incorrect because (Shared Access Signatures) are specific to queue operations and do not apply to blob resources.

A. × Incorrect: Disk snapshots is incorrect because they are used for creating backups of disks at a specific point in time but do not support attaching to multiple VMs.

B. × Incorrect: Backup options is incorrect because it provide data protection and recovery capabilities but do not enable the simultaneous attachment of a single disk to multiple VMs.

C. ✓ Correct: Shared disks allow an individual managed disk to be attached simultaneously to multiple virtual machines, which is essential for deploying or migrating clustered applications in Azure.

D. × Incorrect: Encryption options is incorrect because secure data at rest and in transit but do not facilitate the deployment or migration of clustered applications.

A. ✓ Correct: DNS zone is correct because it is a DNS zone stores the record sets for a domain hosted in Azure DNS.

B. × Incorrect: Load balancer rule is incorrect because it is a load balancer rule distributes traffic but does not host DNS records for a domain.

C. × Incorrect: Private endpoint is incorrect because it is a private endpoint creates private connectivity to a service and does not contain public DNS records by itself.

D. × Incorrect: Network security group is incorrect because it is a network security group filters traffic and does not manage domain records.

A. × Incorrect: Connection Monitor is incorrect because it monitors network performance and connectivity between virtual machines but does not detect traffic filtering issues.

B. × Incorrect: Packet capture is incorrect because it captures packets for troubleshooting purposes but does not specifically address traffic filtering issues at the virtual machine level.

C. × Incorrect: Next hop is incorrect because it determines the next hop IP addresses in a route table, which is unrelated to detecting traffic filtering issues.

D. ✓ Correct: IP flow verify is correct because it verifies whether network security groups or routing rules are blocking traffic intended for a specific virtual machine.

A. × Incorrect: Monthly spending thresholds only is incorrect because it only mentions monthly spending thresholds and does not cover yearly views.

B. × Incorrect: Daily cost alerts for specific services is incorrect because daily cost alerts are a feature of budget notifications but not the type of budgets themselves.

C. ✓ Correct: Budgets with both monthly and yearly views is correct because you can create budgets with both monthly and yearly views using PowerShell in Azure.

D. × Incorrect: Customized budget templates for resource groups is incorrect because while customizable templates might be useful, they are not specifically mentioned as an option for creating budgets.

A. ✓ Correct: Block blobs and append blobs is correct because lifecycle management policies can act on supported blob types such as block blobs and append blobs.

B. × Incorrect: Page blobs only is incorrect because it is the lifecycle management scope is not limited to page blobs only.

C. × Incorrect: Azure Files shares is incorrect because they are managed by Azure Files, not Blob lifecycle management rules.

D. × Incorrect: Queue messages is incorrect because belong to Azure Queue Storage and are not blob lifecycle targets.

A. ✓ Correct: param location string = resourceGroup().location is correct because it uses the `param` keyword to define a parameter for specifying the location of a resource.

B. × Incorrect: resource location string = 'eastus' is incorrect because it uses the `resource` keyword instead of `param`, which is not used for defining parameters in Bicep files.

C. × Incorrect: variable location = 'eastus' is incorrect because it uses the `variable` keyword, which defines a variable rather than a parameter that can be passed to the deployment.

D. × Incorrect: output location string = 'eastus' is incorrect because it uses the `output` keyword, which is intended for specifying output values from the deployment and not for defining input parameters.

A. ✓ Correct: AllowVNetInBound rule is correct because allowVNetInBound is the default inbound rule for traffic from the same virtual network.

B. × Incorrect: DenyAllInBound rule is incorrect because denyAllInBound blocks remaining inbound traffic after higher-priority allow rules are evaluated.

C. × Incorrect: AllowInternetOutBound rule is incorrect because allowInternetOutBound is an outbound rule, not an inbound virtual network rule.

D. × Incorrect: AllowAzureLoadBalancerInBound rule is incorrect because allowAzureLoadBalancerInBound permits Azure load balancer probe traffic, not general virtual network traffic.

A. × Incorrect: 10 MB/s is incorrect because it underestimates the maximum data churn rate Azure Site Recovery can handle for disaster recovery purposes.

B. × Incorrect: 50 MB/s is incorrect because it also falls short of the actual limit set by Azure Site Recovery's High Churn option.

C. × Incorrect: 200 MB/s is incorrect because although it exceeds the correct value, it represents an unrealistic and unnecessarily high threshold for most disaster recovery scenarios.

D. ✓ Correct: 100 MB/s is correct because it accurately reflects the maximum data churn rate per second that Azure Site Recovery can handle with its High Churn configuration.

A. × Incorrect: Grant both users the 'Owner' role for their respective resource groups is incorrect because it grants broader permissions than necessary by assigning owner roles, which include full access to all resources in a resource group.

B. ✓ Correct: Assign the 'Virtual Machine Contributor' role to the first user and the 'Network Contributor' role to the second user is correct because it assigns the specific roles needed for each user's responsibilities: 'Virtual Machine Contributor' for VM management and 'Network Contributor' for network management.

C. × Incorrect: Create a custom role that combines VM management and network management permissions is incorrect because creating a custom role is unnecessary when Azure already provides granular roles that match the required permissions exactly.

D. × Incorrect: Enable Azure AD roles for each user based on their responsibilities is incorrect because azure AD roles are not relevant to resource-specific access control within an Azure subscription.

A. × Incorrect: Locally-redundant storage (LRS) is incorrect because it only stores data redundantly within a single Azure region and does not provide access to secondary regions for disaster recovery.

B. ✓ Correct: Geo-redundant storage with read-access (GRS or GZRS) is correct because it provides read access to data in the secondary region, which is essential for disaster recovery purposes.

C. × Incorrect: Zone-redundant storage (ZRS) is incorrect because it replicates data across multiple availability zones within a single region but does not offer read access from a secondary region.

D. × Incorrect: Read-access geo-zone-redundant storage (RA-GZRS) is incorrect because it is it, but it offers read-access geo-redundancy with zone-specific replication, GRS or GZRS specifically meets the requirement for general disaster recovery purposes.

A. × Incorrect: Revisions is incorrect because it is used to manage different versions of your application, not for scaling.

B. ✓ Correct: Scale rules allow you to automatically adjust the number of instances based on traffic and other conditions.

C. × Incorrect: Ingress rules is incorrect because define how external requests are routed to your container app, not how it scales.

D. × Incorrect: Deployment templates is incorrect because it is used to standardize and automate the creation of resources, but do not handle scaling.

A. × Incorrect: 10.1.0.0/16 is incorrect because it represents a subnet range rather than an IP address.

B. × Incorrect: 10.2.0.0/16 is incorrect because it also represents a subnet range and does not specify the next hop IP address for routing through a network virtual appliance.

C. ✓ Correct: 10.0.100.4 is correct because it specifies the exact IP address '10.0.100.4' that directs traffic through the specified network virtual appliance.

D. × Incorrect: 10.0.0.0/16 is incorrect because , like A and B, it represents a subnet range rather than an individual IP address.

A. × Incorrect: To create alert rules is incorrect because it refers to alert rules, which are a separate feature within Azure Monitor and not specifically related to storing log data.

B. × Incorrect: To manage virtual machines is incorrect because managing virtual machines involves different tools and services in Azure, such as Virtual Machine Scale Sets or the Azure Virtual Machines service, unrelated to Log Analytics workspaces.

C. ✓ Correct: To store and query log data is correct because it accurately describes the primary function of a Log Analytics workspace: to store and query log data collected from various sources within Azure Monitor Logs.

D. × Incorrect: To monitor network traffic is incorrect because monitoring network traffic typically involves using Network Watcher with diagnostics settings or other specific tools like Application Gateway, not directly related to storing and querying log data.

A. ✓ Correct: An active Azure subscription with cost management enabled is necessary to create and manage budgets in Azure.

B. × Incorrect: A dedicated budget administrator role within your organization is incorrect because it is not required; anyone with the appropriate permissions can set up budgets.

C. × Incorrect: Access to Microsoft Excel for data analysis and reporting is incorrect because while useful, is not needed to create budgets directly within Azure.

D. × Incorrect: Subscription to an external financial auditing service is incorrect because subscribing to an external financial auditing service is unrelated to creating budgets in Azure.

A. × Incorrect: Service SAS is incorrect because it provides access to a specific resource and does not support operations that require user identity.

B. × Incorrect: Account SAS is incorrect because it grants permissions across all containers and blobs within an account but lacks the ability to tie permissions to individual users.

C. × Incorrect: Container SAS is incorrect because it allows access to resources within a container, but it does not provide the flexibility of associating permissions with specific users.

D. ✓ Correct: User delegation SAS enables secure access for users by combining user identity and storage account keys.

A. × Incorrect: Deployment slots is incorrect because it is used for testing and staging applications within an app service plan, not for isolating plans.

B. ✓ Correct: Plan-scoped isolation allows Managed Instances to be isolated at the plan level, providing a dedicated environment with specific requirements.

C. × Incorrect: Scale out options is incorrect because it scale out options refer to increasing the number of instances to handle more traffic, not to isolate environments.

D. × Incorrect: Custom domain support is incorrect because it enables users to use their own domain names for their applications, unrelated to isolating plans.

A. ✓ Correct: Every 60 seconds is correct because it accurately reflects the default interval for Azure Load Balancer health probes to check backend instances.

B. × Incorrect: Every 10 minutes is incorrect because although periodic checks are important, a ten-minute interval would be too long and could result in prolonged downtime before detecting an issue with a backend instance.

C. × Incorrect: Every 5 seconds is incorrect because it is frequent checks, but it can ensure quick detection of issues, the five-second interval is shorter than necessary for most scenarios and may not provide significant benefits over the default setting.

D. × Incorrect: Every 2 hours is incorrect because it is a two-hour interval would be far too infrequent to effectively monitor and maintain the health of backend instances.

A. ✓ Correct: Next hop is correct because it is the Next hop tool reports the next hop type for traffic leaving a virtual machine.

B. × Incorrect: IP flow verify is incorrect because checks whether NSG rules allow or deny a packet, not the selected route next hop.

C. × Incorrect: Connection Monitor is incorrect because it tracks connectivity and performance over time instead of reporting a single next hop type.

D. × Incorrect: Packet capture is incorrect because records traffic packets and does not summarize route next-hop decisions.

A. × Incorrect: Policy assignment is incorrect because it is a policy assignment applies one or more policies to a scope but does not define them.

B. × Incorrect: Policy definition is incorrect because it is a policy definition specifies the rules and parameters for a single policy, not a group of related policies as an initiative does.

C. × Incorrect: Resource lock is incorrect because it is a resource lock prevents changes to resources but has no role in defining or grouping policies.

D. ✓ Correct: Initiative definition is correct because it is an initiative definition groups related policy definitions into a single unit for easier management and deployment.

A. ✓ Correct: https://<storage-account>.z[00-50].blob.storage.azure.net is correct because it represents the standard endpoint format for Azure Blob Storage.

B. × Incorrect: https://<storage-account>.z[00-50].web.storage.azure.net is incorrect because it uses 'web' instead of 'blob', which refers to a different service in Azure.

C. × Incorrect: https://<storage-account>.z[00-50].dfs.storage.azure.net is incorrect because it includes 'dfs' (Data Lake Storage), which pertains to Azure Data Lake Storage, not Blob Storage.

D. × Incorrect: https://<storage-account>.z[00-50].file.storage.azure.net is incorrect because it specifies 'file', indicating the endpoint format for Azure Files, not Blob Storage.

A. × Incorrect: Using a service principal with client secret is incorrect because it requires managing a client secret, which introduces an additional security risk and complexity.

B. × Incorrect: Deploying a private Docker registry is incorrect because it does not address the authentication method for Azure resources to access Azure container registries without credentials.

C. × Incorrect: Creating a user-assigned managed identity for Kubernetes cluster is incorrect because it is creating a user-assigned managed identity, but it can be used in Kubernetes clusters, it's more specific than necessary; assigning any managed identity to an Azure resource achieves the goal of credential-less authentication.

D. ✓ Correct: Assigning a managed identity to the resource is correct because it allows an Azure resource to authenticate directly with Azure Active Directory using a managed identity, eliminating the need for credentials.

A. ✓ Correct: Azure Load Balancer distributes incoming traffic across multiple virtual machines to ensure no single instance bears too much load.

B. × Incorrect: Azure Traffic Manager is incorrect because although Azure Traffic Manager provides global routing of domain names, it does not perform the layer-4 load balancing required for application distribution.

C. × Incorrect: Azure Application Gateway is incorrect because it is Azure Application Gateway, but it offers web application firewall and SSL offloading capabilities, its primary function is to secure and route HTTP traffic rather than balance loads at a lower network level.

D. × Incorrect: Azure Front Door is incorrect because it focuses on global delivery of applications with features like CDN integration and WAF, but it does not serve as the direct load balancer for internal application instances.

A. × Incorrect: File system backups is incorrect because it is stored in Recovery Services vaults but do not pertain to Azure Managed Disks.

B. × Incorrect: Hyper-V VM backups is incorrect because it can be managed through Recovery Services vaults but are specific to on-premises virtual machines, not Azure Managed Disks.

C. ✓ Correct: Managed Disk backups are directly supported by Recovery Services vaults for the purpose of backing up and restoring Azure Managed Disks.

D. × Incorrect: SQL Server backups is incorrect because it can be stored in Recovery Services vaults but are related to database services rather than disk storage.

A. ✓ Correct: User Administrator is correct because it includes the necessary permissions to manage groups in Microsoft Entra.

B. × Incorrect: Security Administrator is incorrect because although Security Administrators handle security policies and compliance, they do not have direct control over group management tasks.

C. × Incorrect: Network Administrator is incorrect because s focus on managing network infrastructure rather than user or group administration within Microsoft Entra.

D. × Incorrect: Application Administrator is incorrect because s manage applications and their associated permissions but are not responsible for managing groups.

A. × Incorrect: Geo-redundant storage with read-access (GRS or GZRS) is incorrect because it provides read access to a secondary region and is therefore supported for read access.

B. × Incorrect: Zone-redundant storage (ZRS) is incorrect because also supports read-access geo-zone-redundant storage (RA-GZRS), which means it does provide read access in the secondary region.

C. ✓ Correct: Locally-redundant storage (LRS) only stores data within a single Azure region and does not support read access to a secondary region.

D. × Incorrect: Read-access geo-zone-redundant storage (RA-GZRS) is incorrect because it provides read access to a secondary region, making it supported for this feature.

A. × Incorrect: Environment variables is incorrect because it is used to pass configuration data into a container but do not control how it restarts after failure.

B. × Incorrect: Volume mounting is incorrect because it allows containers to persist and share data but does not affect the restart behavior of containers.

C. ✓ Correct: Restart policy is correct because it is the restart policy in Azure Container Instances specifies how a container should be restarted if it fails, ensuring reliable operation.

D. × Incorrect: Resource usage metrics is incorrect because it track performance and utilization statistics but do not influence container restart behavior.

A. × Incorrect: To allow traffic to flow between subnets within the same VNet is incorrect because it describes traffic flow between subnets within the same VNet, which does not involve a virtual appliance.

B. ✓ Correct: To direct traffic through a network virtual appliance is correct because it accurately states that a user-defined route with a next hop type set to 'Virtual appliance' directs traffic through a network virtual appliance.

C. × Incorrect: To drop all incoming traffic from external networks is incorrect because dropping incoming traffic from external networks is unrelated to routing traffic through a virtual appliance.

D. × Incorrect: To enable communication with another VNet via peering is incorrect because enabling communication with another VNet via peering does not involve directing traffic through a virtual appliance.

A. × Incorrect: Azure Key Vault is incorrect because it manages secrets and keys but does not handle backup recovery points.

B. ✓ Correct: Recovery Services vault stores and manages recovery points for backups in Azure.

C. × Incorrect: Storage Account is incorrect because s provide storage services but do not manage the lifecycle of backup operations or recovery points.

D. × Incorrect: App Service is incorrect because hosts web applications and does not involve backup or recovery management.