Home » Exam Preparation » Certification » AZ-104: Microsoft Azure Administrator Associate Certification Exam Questions and Answers

AZ-104: Microsoft Azure Administrator Associate Certification Exam Questions and Answers

Topic-1

Question #1

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:

User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.
You need to create new user accounts in external.contoso.onmicrosoft.com.
Solution: You instruct User2 to create the user accounts.
Does that meet the goal?

  • A. Yes
  • B. No

Correct Answer: A
Only a global administrator can add users to this tenant.
Reference:
https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/add-users-to-azure-ad

Question #2

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:

User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.
You need to create new user accounts in external.contoso.onmicrosoft.com.
Solution: You instruct User4 to create the user accounts.
Does that meet the goal?

  • A. Yes
  • B. No

Correct Answer: B
Only a global administrator can add users to this tenant.
Reference:
https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/add-users-to-azure-ad

Question #3

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:

User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.
You need to create new user accounts in external.contoso.onmicrosoft.com.
Solution: You instruct User3 to create the user accounts.
Does that meet the goal?

  • A. Yes
  • B. No

Correct Answer: B
Only a global administrator can add users to this tenant.
Reference:
https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/add-users-to-azure-ad

Question #4

HOTSPOT –
You have an Azure subscription named Subscription1 that contains a resource group named RG1.
In RG1, you create an internal load balancer named LB1 and a public load balancer named LB2.
You need to ensure that an administrator named Admin1 can manage LB1 and LB2. The solution must follow the principle of least privilege.
Which role should you assign to Admin1 for each task? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

 

Correct Answer: 
The Network Contributor role lets you manage networks, but not access them.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

Question #5

You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com and an Azure Kubernetes Service (AKS) cluster named AKS1.
An administrator reports that she is unable to grant access to AKS1 to the users in contoso.com.
You need to ensure that access to AKS1 can be granted to the contoso.com users.
What should you do first?

  • A. From contoso.com, modify the Organization relationships settings.
  • B. From contoso.com, create an OAuth 2.0 authorization endpoint.
  • C. Recreate AKS1.
  • D. From AKS1, create a namespace.

Correct Answer: B
Reference:
https://kubernetes.io/docs/reference/access-authn-authz/authentication/

Question #6

You have a Microsoft 365 tenant and an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to grant three users named User1, User2, and User3 access to a temporary Microsoft SharePoint document library named Library1.
You need to create groups for the users. The solution must ensure that the groups are deleted automatically after 180 days.
Which two groups should you create? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

  • A. an Office 365 group that uses the Assigned membership type
  • B. a Security group that uses the Assigned membership type
  • C. an Office 365 group that uses the Dynamic User membership type
  • D. a Security group that uses the Dynamic User membership type
  • E. a Security group that uses the Dynamic Device membership type

Correct Answer: AC
You can set expiration policy only for Office 365 groups in Azure Active Directory (Azure AD).
Note: With the increase in usage of Office 365 Groups, administrators and users need a way to clean up unused groups. Expiration policies can help remove inactive groups from the system and make things cleaner.
When a group expires, all of its associated services (the mailbox, Planner, SharePoint site, etc.) are also deleted.
You can set up a rule for dynamic membership on security groups or Office 365 groups.
Incorrect Answers:
B, D, E: You can set expiration policy only for Office 365 groups in Azure Active Directory (Azure AD).
Reference:
https://docs.microsoft.com/en-us/office365/admin/create-groups/office-365-groups-expiration-policy?view=o365-worldwide

Question #7

HOTSPOT –
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table:

User3 is the owner of Group1.
Group2 is a member of Group1.
You configure an access review named Review1 as shown in the following exhibit:

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer: 
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review

Question #8

HOTSPOT –
You have the Azure management groups shown in the following table:

You add Azure subscriptions to the management groups as shown in the following table:

You create the Azure policies shown in the following table:

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer: 
Box 1: No –
Virtual networks are not allowed at the root and is inherited. Deny overrides allowed.

Box 2: Yes –
Virtual Machines can be created on a Management Group provided the user has the required RBAC permissions.

Box 3: Yes –
Subscriptions can be moved between Management Groups provided the user has the required RBAC permissions.
Reference:
https://docs.microsoft.com/en-us/azure/governance/management-groups/overview https://docs.microsoft.com/en-us/azure/governance/management-groups/manage#moving-management-groups-and-subscriptions

Question #9

You have an Azure policy as shown in the following exhibit:

What is the effect of the policy?

  • A. You are prevented from creating Azure SQL servers anywhere in Subscription 1.
  • B. You can create Azure SQL servers in ContosoRG1 only.
  • C. You are prevented from creating Azure SQL Servers in ContosoRG1 only.
  • D. You can create Azure SQL servers in any resource group within Subscription 1.

Correct Answer: B
You are prevented from creating Azure SQL servers anywhere in Subscription 1 with the exception of ContosoRG1

Question #10

HOTSPOT –
You have an Azure subscription that contains the resources shown in the following table:

You assign a policy to RG6 as shown in the following table:

To RG6, you apply the tag: RGroup: RG6.
You deploy a virtual network named VNET2 to RG6.
Which tags apply to VNET1 and VNET2? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer: 
VNET1: Department: D1, and Label:Value1 only.
Tags applied to the resource group or subscription are not inherited by the resources.
Note: Azure Policy allows you to use either built-in or custom-defined policy definitions and assign them to either a specific resource group or across a whole
Azure subscription.
VNET2: Label:Value1 only.
Incorrect Answers:

RGROUP: RG6 –
Tags applied to the resource group or subscription are not inherited by the resources.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-policies

Question #11

You have an Azure subscription named AZPT1 that contains the resources shown in the following table:

You create a new Azure subscription named AZPT2.
You need to identify which resources can be moved to AZPT2.
Which resources should you identify?

  • A. VM1, storage1, VNET1, and VM1Managed only
  • B. VM1 and VM1Managed only
  • C. VM1, storage1, VNET1, VM1Managed, and RVAULT1
  • D. RVAULT1 only

Correct Answer: C
You can move a VM and its associated resources to a different subscription by using the Azure portal.
You can now move an Azure Recovery Service (ASR) Vault to either a new resource group within the current subscription or to a new subscription.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-resource-group-and-subscription

Question #12

You recently created a new Azure subscription that contains a user named Admin1.
Admin1 attempts to deploy an Azure Marketplace resource by using an Azure Resource Manager template. Admin1 deploys the template by using Azure
PowerShell and receives the following error message: “User failed validation to purchase resources. Error message: “Legal terms have not been accepted for this item on this subscription. To accept legal terms, please go to the Azure portal (http://go.microsoft.com/fwlink/?LinkId=534873) and configure programmatic deployment for the Marketplace item or create it there for the first time.”
You need to ensure that Admin1 can deploy the Marketplace resource successfully.
What should you do?

  • A. From Azure PowerShell, run the Set-AzApiManagementSubscription cmdlet
  • B. From the Azure portal, register the Microsoft.Marketplace resource provider
  • C. From Azure PowerShell, run the Set-AzMarketplaceTerms cmdlet
  • D. From the Azure portal, assign the Billing administrator role to Admin1

Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/powershell/module/az.marketplaceordering/set-azmarketplaceterms?view=azps-4.1.0

Question #13

You have an Azure Active Directory (Azure AD) tenant that contains 5,000 user accounts.
You create a new user account named AdminUser1.
You need to assign the User administrator administrative role to AdminUser1.
What should you do from the user account properties?

  • A. From the Licenses blade, assign a new license
  • B. From the Directory role blade, modify the directory role
  • C. From the Groups blade, invite the user account to a new group

Correct Answer: B
Assign a role to a user –
1. Sign in to the Azure portal with an account that’s a global admin or privileged role admin for the directory.
2. Select Azure Active Directory, select Users, and then select a specific user from the list.
3. For the selected user, select Directory role, select Add role, and then pick the appropriate admin roles from the Directory roles list, such as Conditional access administrator.
4. Press Select to save.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal

Question #14

You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains 100 user accounts.
You purchase 10 Azure AD Premium P2 licenses for the tenant.
You need to ensure that 10 users can use all the Azure AD Premium features.
What should you do?

  • A. From the Licenses blade of Azure AD, assign a license
  • B. From the Groups blade of each user, invite the users to a group
  • C. From the Azure AD domain, add an enterprise application
  • D. From the Directory role blade of each user, modify the directory role

Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/license-users-groups

Question #15

You have an Azure subscription named Subscription1 and an on-premises deployment of Microsoft System Center Service Manager.
Subscription1 contains a virtual machine named VM1.
You need to ensure that an alert is set in Service Manager when the amount of available memory on VM1 is below 10 percent.
What should you do first?

  • A. Create an automation runbook
  • B. Deploy a function app
  • C. Deploy the IT Service Management Connector (ITSM)
  • D. Create a notification

Correct Answer: C
The IT Service Management Connector (ITSMC) allows you to connect Azure and a supported IT Service Management (ITSM) product/service, such as the
Microsoft System Center Service Manager.
With ITSMC, you can create work items in ITSM tool, based on your Azure alerts (metric alerts, Activity Log alerts and Log Analytics alerts).
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/itsmc-overview

Question #16

You sign up for Azure Active Directory (Azure AD) Premium.
You need to add a user named admin1@contoso.com as an administrator on all the computers that will be joined to the Azure AD domain.
What should you configure in Azure AD?

  • A. Device settings from the Devices blade
  • B. Providers from the MFA Server blade
  • C. User settings from the Users blade
  • D. General settings from the Groups blade

Correct Answer: A
When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principles to the local administrators group on the device:
✑ The Azure AD global administrator role
✑ The Azure AD device administrator role
✑ The user performing the Azure AD join
In the Azure portal, you can manage the device administrator role on the Devices page. To open the Devices page:
1. Sign in to your Azure portal as a global administrator or device administrator.
2. On the left navbar, click Azure Active Directory.
3. In the Manage section, click Devices.
4. On the Devices page, click Device settings.
5. To modify the device administrator role, configure Additional local administrators on Azure AD joined devices.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin

Question #17

HOTSPOT –
You have Azure Active Directory tenant named Contoso.com that includes following users:

Contoso.com includes following Windows 10 devices:

You create following security groups in Contoso.com:

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer: 
Box 1: Yes –
User1 is a Cloud Device Administrator.
Device2 is Azure AD joined.
Group1 has the assigned to join type. User1 is the owner of Group1.
Note: Assigned groups – Manually add users or devices into a static group.
Azure AD joined or hybrid Azure AD joined devices utilize an organizational account in Azure AD

Box 2: No –
User2 is a User Administrator.
Device1 is Azure AD registered.
Group1 has the assigned join type, and the owner is User1.
Note: Azure AD registered devices utilize an account managed by the end user, this account is either a Microsoft account or another locally managed credential.

Box 3: Yes –
User2 is a User Administrator.
Device2 is Azure AD joined.
Group2 has the Dynamic Device join type, and the owner is User2.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/overview

Question #18

You have an Azure subscription that contains a resource group named RG26.
RG26 is set to the West Europe location and is used to create temporary resources for a project. RG26 contains the resources shown in the following table.

SQLDB01 is backed up to RGV1.
When the project is complete, you attempt to delete RG26 from the Azure portal. The deletion fails.
You need to delete RG26.
What should you do first?

  • A. Delete VM1
  • B. Stop VM1
  • C. Stop the backup of SQLDB01
  • D. Delete sa001

Correct Answer: C

Question #19

You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1.
Subscription1 has a user named User1. User1 has the following roles:
✑ Reader
✑ Security Admin

Security Reader –

You need to ensure that User1 can assign the Reader role for VNet1 to other users.
What should you do?

  • A. Remove User1 from the Security Reader role for Subscription1. Assign User1 the Contributor role for RG1.
  • B. Assign User1 the Owner role for VNet1.
  • C. Remove User1 from the Security Reader and Reader roles for Subscription1.
  • D. Assign User1 the Network Contributor role for RG1.

Correct Answer: B
Has full access to all resources including the right to delegate access to others.
Note:
There are several versions of this question in the exam. The question can have other incorrect answer options, including the following:
1. Name Server (NS)
2. Assign User1 the Contributor role for VNet1.
3. Remove User1 from the Security Reader and Reader roles for Subscription1. Assign User1 the Contributor role for Subscription1.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/overview

Question #20

You have an Azure Active Directory (Azure AD) tenant named contosocloud.onmicrosoft.com.
Your company has a public DNS zone for contoso.com.
You add contoso.com as a custom domain name to Azure AD.
You need to ensure that Azure can verify the domain name.
Which type of DNS record should you create?

  • A. MX
  • B. NSEC
  • C. PTR
  • D. RRSIG

Correct Answer: A
Note:
There are several versions of this question in the exam. The question can have other incorrect answer options, including the following:
1. SRV
2. NSEC3
Reference:
https://docs.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain

Leave a Comment