Microsoft Azure Administrator (AZ-104) Free Practice Test
Question 1
You have an Azure subscription that contains the hierarchy shown in the following exhibit.

You create an Azure Policy definition named Policy1.
To which Azure resources can you assign Policy1, and which Azure resources can you specify as exclusions from Policy1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.



Correct Answer:

Explanation:
In Microsoft Azure, Azure Policy allows administrators to enforce rules and compliance standards across management groups, subscriptions, resource groups, and individual resources. Policies can be assigned at multiple scopes, and the scope determines which resources the policy affects.
According to Microsoft Azure Governance and Policy documentation, an Azure Policy definition can be assigned to any of the following hierarchical scopes:
* Tenant Root Group
* Management Group
* Subscription
* Resource Group
All resources within the assigned scope, including nested resources (e.g., virtual machines within a resource group), inherit the policy. Therefore, a policy can be assigned at any level from the Tenant Root Group down to the Resource Group level, but not directly to individual resources such as a virtual machine (VM).
However, policy exclusions can be applied at any child scope under the assigned level. This means that if Policy1 is assigned at a higher level (for example, Tenant Root Group), you can exclude any lower-level scope, including:
* A specific Subscription
* A specific Resource Group
* A specific Resource (e.g., VM)
Hence, Policy1 can be assigned at the Tenant Root Group, Management Group, Subscription, or Resource Group level, and excluded from lower levels (Subscription, RG1, or individual resources such as VM1).
Summary based on Microsoft Azure Policy design:
Assignable scopes: Tenant Root Group → Management Group → Subscription → Resource Group
Excludable scopes: Any child scope within the hierarchy, including specific resources (VMs).
Therefore:
You can assign Policy1 to: Tenant Root Group, ManagementGroup1, Subscription1, and RG1
You can exclude Policy1 from: Subscription1, RG1, and VM1 only
Question 2
You have the Azure resources shown on the following exhibit.

You plan to track resource usage and prevent the deletion of resources.
To which resources can you apply locks and tags? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.



Correct Answer:

Explanation:

Box 1: Sub1, RG1, and VM1 only
You can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources.
Box 2: Sub1, RG1, and VM1 only
You apply tags to your Azure resources, resource groups, and subscriptions.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json
Question 3
You have an Azure virtual network named VNet1 that contains a subnet named Subnet1. Subnet1 contains three Azure virtual machines. Each virtual machine has a public IP address.
The virtual machines host several applications that are accessible over port 443 to users on the Internet.
Your on-premises network has a site-to-site VPN connection to VNet1.
You discover that the virtual machines can be accessed by using the Remote Desktop Protocol (RDP) from the Internet and from the on-premises network.
You need to prevent RDP access to the virtual machines from the Internet, unless the RDP connection is established from the on-premises network. The solution must ensure that all the applications can still be accessed by the Internet users.
What should you do?
Correct Answer: B
Question 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2.
Connections to App1 are managed by using an Azure Load Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.

You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail. You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You modify the priority of the Allow_131.107.100.50 inbound security rule.
Does this meet the goal?
Correct Answer: B
Question 5
You plan to deploy several Azure virtual machines that will run Windows Server in a virtual machine scale set by using an Azure Resource Manager template.
You need to ensure that NGINX is available on all the virtual machines after they are deployed.
What should you use?
Correct Answer: A
Question 6
You have an Azure subscription that contains the resources shown in the following table.

LB1 is configured as shown in the following table.

You plan to create new inbound NAT rules that meet the following requirements:
Provide Remote Desktop access to VM2 from the internet by using port 3389.

Correct Answer: A
Question 7
You need to prepare the environment to ensure that the web administrators can deploy the web apps as quickly as possible.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.


Correct Answer:

Explanation:

Scenario:
1. Web administrators will deploy Azure web apps for the marketing department.
2. Each web app will be added to a separate resource group.
3. The initial configuration of the web apps will be identical.
4. The web administrators have permission to deploy web apps to resource groups.
Steps:
1 --> Create a resource group, and then deploy a web app to the resource group.
2 --> From the Automation script blade of the resource group, click Add to Library.
3 --> From the Templates service, select the template, and then share the template to the web administrators.
References:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/quickstart-create-templates-use-the-portal
Question 8
You have an Azure subscription that contains a virtual network named VNET1. VNET1 contains the subnets shown in the following table.

Each virtual machine uses a static IP address.
You need to create network security groups (NSGs) to meet the following requirements:
* Allow web requests from the internet to VM3, VM4, VM5, and VM6.
* Allow all connections between VM1 and VM2.
* Allow Remote Desktop connections to VM1.
* Prevent all other network traffic to VNET1.
What is the minimum number of NSGs you should create?

Correct Answer: C
Question 9
You have an Azure subscription. The subscription contains a virtual machine that runs Windows 10.
You need to join the virtual machine to an Active Directory domain.
How should you complete the Azure Resource Manager (ARM) template? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.


Correct Answer:

Explanation:

In Azure, to automate domain join operations for virtual machines through an Azure Resource Manager (ARM) template, you must configure the JsonADDomainExtension, a VM extension provided by Microsoft.
This extension allows a Windows virtual machine to be automatically joined to an Active Directory domain after deployment.
According to the Microsoft Azure documentation ("JsonADDomainExtension for Windows"), the extension must be defined under the Microsoft.Compute/virtualMachines/extensions resource type, because it is a child resource of a specific VM. This structure allows Azure to attach and configure the extension directly to the virtual machine during or after deployment.
The correct syntax within the ARM template must include:
* Type: "Microsoft.Compute/virtualMachines/extensions" → Specifies the extension resource type.
* Publisher: "Microsoft.Compute" → Specifies the vendor of the extension.
* Type: "JsonADDomainExtension" → Specifies the type of extension.
* ProtectedSettings: used to securely store sensitive information like domain passwords (encrypted automatically by Azure).
The ProtectedSettings section ensures credentials such as the domain password remain confidential, while Settings contain non-sensitive configuration parameters (domain name, username, etc.).
This configuration ensures the VM automatically joins the target domain securely upon creation.
Final Verified Answer:
* Type: "Microsoft.Compute/virtualMachines/extensions"
* ProtectedSettings: "ProtectedSettings"
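An added example, not part of the original practice test or of Microsoft's documentation: a minimal ARM template that attaches JsonADDomainExtension to an existing Windows VM, showing which values go under settings and which under protectedSettings. The parameter names, the extension name `joindomain`, the apiVersion and the metadata comments are assumptions chosen for illustration.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "comments": "Added illustration. Parameter names, extension name and apiVersion are assumptions, not values from the exam question."
  },
  "parameters": {
    "vmName": { "type": "string", "metadata": { "description": "Existing Windows VM to join (hypothetical parameter name)." } },
    "domainFqdn": { "type": "string", "metadata": { "description": "FQDN of the Active Directory domain to join." } },
    "domainJoinUser": { "type": "string", "metadata": { "description": "Account with permission to join computers to the domain." } },
    "domainJoinPassword": { "type": "securestring", "metadata": { "description": "securestring values are not stored in deployment history or logged." } },
    "ouPath": { "type": "string", "defaultValue": "", "metadata": { "description": "Optional OU distinguished name for the computer account." } }
  },
  "resources": [
    {
      "type": "Microsoft.Compute/virtualMachines/extensions",
      "apiVersion": "2023-03-01",
      "name": "[concat(parameters('vmName'), '/joindomain')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "publisher": "Microsoft.Compute",
        "type": "JsonADDomainExtension",
        "typeHandlerVersion": "1.3",
        "autoUpgradeMinorVersion": true,
        "settings": {
          "Name": "[parameters('domainFqdn')]",
          "User": "[parameters('domainJoinUser')]",
          "OUPath": "[parameters('ouPath')]",
          "Restart": "true",
          "Options": "3"
        },
        "protectedSettings": {
          "Password": "[parameters('domainJoinPassword')]"
        }
      }
    }
  ]
}
```

Values under settings are returned in plain text to anyone who can read the VM's extension resource, so the password appears only under protectedSettings and is supplied through a securestring parameter rather than a literal in the template.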
Question 10
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You configure a custom policy definition, and then you assign the policy to the subscription.
Does this meet the goal?
Correct Answer: A
Question 11
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named Developers. Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Dev, you assign the Contributor role to the Developers group.
Does this meet the goal?
Correct Answer: B
Question 12
You have an Azure subscription that contains the virtual networks shown in the following table.

The subnets have the IP address spaces shown in the following table.

You plan to create a container app named contapp1 in the East US Azure region.
You need to create a container app environment named con-env1 that meets the following requirements:
* Uses its own virtual network.
* Uses its own subnet.
* Is connected to the smallest possible subnet.
To which virtual networks can you connect con-env1, and which subnet mask should you use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.



Correct Answer:

Explanation:
Virtual Network: You can connect con-env1 to VNet2 and VNet3 only. This is because VNet1 is in a different region than the container app, which is East US. According to the web search results, you can only connect a container app environment to a virtual network that is in the same region as the container app.
Therefore, VNet1 is not a valid option. VNet2 and VNet3 are both in the same region as the container app, and they have enough available IP addresses to support a container app environment.
Subnet mask: You should use /28 as the subnet mask for con-env1. This is because /28 is the smallest possible subnet mask that can accommodate a container app environment. According to the web search results, a container app environment requires a minimum of 16 IP addresses in a subnet. A /28 subnet mask provides 16 IP addresses, while a /26 subnet mask provides 64 IP addresses, a /24 subnet mask provides 256 IP addresses, a /23 subnet mask provides 512 IP addresses, and a /16 subnet mask provides 65,536 IP addresses.
Therefore, /28 is the most efficient choice for minimizing the subnet size.