AZ-104 Online Practice Questions and Answers

Correct Answer:

IP forwarding enables the virtual machine a network interface is attached to:

Receive network traffic not destined for one of the IP addresses assigned to any of the IP configurations assigned to the network interface.

Send network traffic with a different source IP address than the one assigned to one of a network interface's IP configurations.

The setting must be enabled for every network interface that is attached to the virtual machine that receives traffic that the virtual machine needs to forward. A virtual machine can forward traffic whether it has multiple network interfaces or a

single network interface attached to it.

Box 1: Yes

The routing table allows connections from VM3 to VM1 and VM2. And as IP forwarding is enabled on VM3, VM3 can connect to VM1.

Box 2: No

VM3, which has IP forwarding, must be turned on, in order for VM2 to connect to VM1.

Box 3: Yes

The routing table allows connections from VM1 and VM2 to VM3. IP forwarding on VM3 allows VM1 to connect to VM2 via VM3.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview https://www.quora.com/What-is-IP-forwarding

Correct Answer:

Box 1: No

The Azure Policy will add Tag4 to RG1.

Box 2: No

Tags applied to the resource group or subscription aren't inherited by the resources although you can enable inheritance with Azure Policy. Storage1 has Tag3: Value1 and the Azure Policy will add Tag4.

Box 3: No

Tags applied to the resource group or subscription aren't inherited by the resources so VNET1 does not have Tag2.

VNET1 has Tag3:value2. VNET1 is excluded from the Azure Policy so Tag4 will not be added to VNET1.

Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json

Correct Answer: D

Rule 2 is blocking HTTPS access (port 443) and has a priority of 500. Changing Rule 3 (ports 60-500) and giving it a lower priority number will allow access on port 443. Note: Rules are processed in priority order, with lower numbers

processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops.

Incorrect Answers:

A: HTTPS uses port 443. Rule6 only applies to ports 150 to 300. C, D: Rule 1 blocks access to port 80, which is used for HTTP, not HTTPS.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

Correct Answer: B

the multi-factor authentication service settings - Correct choice There are two criterias mentioned in the question.

1.

MFA required

2.

Access from only a specific geographic region/IP range. To satisfy both the requirements you need MFA with location conditional access. Please note to achieve this configuration you need to have AD Premium account for Conditional Access policy. Navigate to Active Directory --> Security --> Conditional Access --> Named Location. Here you can create a policy with location (on-premise IP range) and enable MFA. This will satisfy the requirements.

an Azure AD Identity Protection user risk policy - Incorrect choice In the Identity Protection, there are three (3) protection policies- User Risk, Sign-In Risk and MFA Registration. None of those in which you can enable a location (on-prem IP

Range) requirement in any blade.

the default for all the roles in Azure AD Privileged Identity Management - Incorrect choice This option will not help you to restrict the users to access only form on prem. an Azure AD Identity Protection sign-in risk policy - Incorrect choice In the

Identity Protection, there are three (3) protection policies- User Risk, Sign-In Risk and MFA Registration. None of those in which you can enable a location (on-prem IP Range) requirement in any blade.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition

Correct Answer: A

Owner : Correct Choice

The Owner role lets you manage everything, including access to resources.

Contributor : Incorrect Choice

With contributor role you can Add deployment slots and View the configuration of App service plan but you can't Modify the role assignment. For this you need User Access Administrator or Owner role. So this is incorrect.

Web Plan Contributor : Incorrect Choice

The Web Plan Contributor role lets you manage the web plans for websites, but not access to them.

So this option is incorrect.

Website Contributor : Incorrect Choice

The Website Contributor role lets you manage websites (not web plans), but not access to them. So this is incorrect option.

Note:

As per least privilege principle it is not advisable to provide owner role to any group, rather you should create custom RBAC role with custom policy and use that role for this operation. However as this option is not available here so only option

to go with owner role.

References:

https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal

https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

Correct Answer: C

An Administrator can block a user:

1.

Sign in to the Azure portal as an administrator.

2.

Browse to Azure Active Directory > MFA > Block/unblock users.

3.

Select Add to block a user.

4.

Select the Replication Group. Enter the username for the blocked user as [email protected]. Enter a comment in the Reason field, for example: Lost phone.

5.

Select Add to finish blocking the user.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings

Correct Answer: B

The virtual networks you peer must have non-overlapping IP address spaces. The exhibit indicates that VNet1 has an address space of 10.2.0.0/16, which is the same as VNet2, and thus overlaps. We need to change the address space for

VNet1.

References:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage- peering#requirements-and-constraints

Correct Answer: A

You can't delete a Recovery Services vault if it is registered to a server and holds backup data. If you try to delete a vault, but can't, the vault is still configured to receive backup data.

Remove vault dependencies and delete vault

In the vault dashboard menu, scroll down to the Protected Items section, and click Backup Items. In this menu, you can stop and delete Azure File Servers, SQL Servers in Azure VM, and Azure virtual machines.

References: https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault

Correct Answer: A

In order to read secrets from a key vault, you need to have a vault created and give your app permission to access it.

Create a key vault by following the Key Vault quickstart.

Create a managed identity for your application.

Key vault references use the app's system-assigned identity by default, but you can specify a user-assigned identity.

Authorize read access to secrets your key vault for the managed identity you created earlier. How you do it depends on the permissions model of your key vault:

Azure role-based access control: Assign the Key Vault Secrets User role to the managed identity. For instructions, see Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control. Vault access policy:

Assign the Get secrets permission to the managed identity. For instructions, see Assign a Key Vault access policy.

https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references?tabs=azure-cli

Correct Answer: BE

Steps:

1.

Creating a resource group, if needed.

2.

Creating a key vault. (B)

3.

Setting key vault advanced access policies. (E)

Set key vault advanced access policies

The Azure platform needs access to the encryption keys or secrets in your key vault to make them available to the VM for booting and decrypting the volumes.

If you didn't enable your key vault for disk encryption, deployment, or template deployment at the time of creation (as demonstrated in the previous step), you must update its advanced access policies.

1.

Select your key vault and go to Access Policies.

2.

Under "Enable Access to", select the box labeled Azure Disk Encryption for volume encryption. ((E))

3.

Select Azure Virtual Machines for deployment and/or Azure Resource Manager for template deployment, if needed.

4.

Click Save. https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault?tabs=azure-portal