AZ-104 Knowledge Check Questions (MIDTERM PREP)
Which of the following IP address ranges is routable over the internet?
215.11.0.0 to 215.11.255.255
Which of the following situations would be good example of when to use a resource lock?
A ExpressRoute circuit with connectivity back to the on-premises network.
What is an Azure Resource Manager template?
A JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for the deployment.
What are some of the typical components involved in a network design?
A VM, subnet, firewall, and load balancer
What is a role definition in Azure?
A collection of permissions with a name that is assignable to a user, group, or application
What kind of account would you create to allow an external organization easy access?
A guest user account for each member of the external team.
What type of user account allows an external organization to access your resources?
A guest user account for each member of the external team.
What type of DNS record can map one or more IP addresses against a single domain?
A or AAAA
What type of DNS record should you create to map one or more IP addresses against a single domain?
A or AAAA
Which of the following resources can you assign a public IP address to?
A virtual machine
How would you define a default inbound security rule?
Allow inbound coming from any virtual machine to any other virtual machine within the virtual network.
The company financial controller wants to identify which billing department each Azure resource belongs to. Which approach enables this requirement?
Apply a tag to each resource that includes the associated billing department.
You have three virtual machines (VM1, VM2, VM3) in a resource group. A new admin is hired, and they need to be able to modify settings on VM3. They shouldn't be able to make changes to VM1 or VM2. How can you implement RBAC to minimize administrative overhead?
Assign the admin to the Contributor role on VM3.
Suppose an administrator in another department needs access to a virtual machine managed by your department. What's the best way to grant them access to just that resource?
At the resource scope, assign the role with the appropriate access.
Which summary best describes the main purpose of Azure DNS?
Azure DNS manages and hosts the registered domain for a website and its associated records.
A new project has several resources that need to be administered together. Which of the following strategies would provide a good solution?
Azure Resource Groups
What happens if the same template is run a second time?
Azure Resource Manager doesn't change the deployed resources.
Azure Resource Manager templates are idempotent. This means that if you run a template with no changes a second time:
Azure Resource Manager won't make any changes to the deployed resources.
Suppose you're building a video-editing application that will offer online storage for user-generated video content. You'll store the videos in Azure Blobs, so you need to create an Azure storage account to contain the blobs. Once the storage account is in place, it's unlikely you would remove and recreate it because all the user videos would be deleted. Which tool is likely to offer the quickest and easiest way to create the storage account?
Azure portal
Your company is building a video-editing application that will offer online storage for user-generated video content. The videos will be stored in Azure Blobs. An Azure storage account will contain the blobs. It's unlikely the storage account would ever need to be removed and recreated. Which tool is likely to offer the quickest and easiest way to create the storage account?
Azure portal
Explain the main differences between Azure roles and Microsoft Entra roles.
Azure roles apply to Azure resources. Microsoft Entra roles apply to Microsoft Entra resources such as users, groups, and domains.
What term defines a dedicated and trusted instance of Microsoft Entra ID?
Azure tenant
Which of the following statements about Azure virtual networks is correct?
Azure virtual networks enable communication between Azure resources.
The Azure CLI can be installed on which of the following?
Both Linux and Windows
Another Administrator is managing Azure locally using PowerShell. They have launched PowerShell as an Administrator. Which of the following commands should be executed first?
Connect-AzAccount
When virtual networks are successfully peered, what's the peering status for both virtual networks in the peering?
Connected
Suppose an administrator wants to assign a role to allow a user to create and manage Azure resources but not be able to grant access to others. Which of the following built-in roles would support this?
Contributor
The company financial controller wants to be notified whenever the company is half-way to spending the money allocated for cloud services. Which approach supports this request?
Create a budget and a spending threshold.
How can you ensure that only cost-effective virtual machine SKU sizes are deployed?
Create a policy in Azure Policy that specifies the allowed SKU sizes
There are several Azure policies that need to be applied to a new branch office. What's the best approach?
Create a policy initiative
To satisfy the finance team's request for billing by department, multiple resource groups have been created and the resource tags applied. What's the next step?
Create an Azure policy
True or false: The Azure portal, the Azure CLI, and Azure PowerShell offer significantly different services, so it's unlikely that all three will support the operation you need.
False
What is the default distribution type for traffic through a load balancer?
Five-tuple hash
What's the default distribution type for traffic through a load balancer?
Five-tuple hash
What approach enables peered virtual networks to share the gateway and get access to resources?
Gateway transit
Which Microsoft Entra role enables a user to manage all groups in your Teams tenants, and also assign other admin roles?
Global administrator
Suppose a team member can't view resources in a resource group. Where would the administrator go to check the team member's access?
Go to the resource group and select Access control (IAM) > Check Access.
When does a dynamic IP address change?
In Azure, when a virtual machine is stopped and then restarted.
How can the concerns about security threats be addressed?
Install Azure Web Application Firewall.
What's a valid next hop type?
Internet
What is the main advantage of an availability set?
It allows virtual machines to be available across physical server failures.
What does Azure DNS allow you to do?
Manage and host your registered domain and associated records.
What is the inheritance order for scope in Azure?
Management group, Subscription, Resource group, Resource
Which option can you use to manage governance across multiple Azure subscriptions?
Management groups
Which choice correctly describes Microsoft Entra ID?
Microsoft Entra ID is primarily an identity solution.
What must a virtual machine have to communicate with the other resources in the same virtual network?
Network interface
What do you need to install on your machine to let you execute Azure CLI commands locally?
Only the Azure CLI
Azure Private DNS supports which of the following scenarios?
Organizations manage and resolve domain names in a virtual network without adding a custom DNS solution.
Which of the following parameters is an element in the template schema?
Outputs
Which option preserves data residency, and offers comprehensive compliance and resiliency options?
Regions
Which load-balancing strategy does Azure Application Gateway implement?
Requests are distributed to each available server in a back-end pool in turn via a round-robin technique.
Suppose a developer needs full access to a resource group. If you are following least-privilege best practices, what scope should you specify?
Resource group
Which of the following is true about resource groups?
Resources can be in only one resource group.
What security features does Azure DNS provide?
Role-based access control, activity logs, and resource locking
Suppose an administrator needs to generate a report of the role assignments for the last week. Where in the Azure portal would they generate that report?
Search for Activity log and filter on the Create role assignment (roleAssignments) operation.
What kind of group account can you create so you can apply the same permissions to all group members?
Security group
What is the purpose of the 'AssignableScopes' permissions in a role definition?
Specifies the scopes where a role definition can be assigned
What needs to be installed on your machine to let you execute Azure PowerShell cmdlets locally?
The base PowerShell product and the Az PowerShell module
Which of the security rules defined by the infrastructure team takes precedence?
The deny rule takes precedence.
What criteria does Azure Application Gateway use to route requests to a web server?
The hostname, port, and path in the URL of the request.
If you delete a user account by mistake, can it be restored?
The user account can be restored, but only if it was deleted within the last 30 days.
Which one of the following statements about external load balancers is correct?
They have a public IP address.
Why might you use virtual network peering?
To connect virtual networks together in the same region or across regions.
What is the main benefit of using a network virtual appliance?
To control incoming traffic from the perimeter network and allow only traffic that meets security requirements to pass through.
Why would you use a custom route in a virtual network?
To control the flow of traffic within your Azure virtual network.
How is Azure Virtual Network peering best described?
Traffic between virtual networks is kept on the Microsoft backbone network.
True or false: The Azure CLI can be installed on Linux, macOS, and Windows, and the CLI commands you use are the same in all platforms.
True
When you enable SSPR for your Microsoft Entra organization...
Users can reset their passwords when they can't sign in
What's a valid service tag for network security group rules?
Virtual Network
Which situation is appropriate for a public IP address?
Virtual machines accessed from the Internet.
Which configuration is required for an internal load balancer?
Virtual machines must be in the same virtual network.
Which configuration is required to configure an internal load balancer?
Virtual machines must be in the same virtual network.
How can you extend the company's private address space with direct connections to Azure resources?
Virtual network endpoints
Which statement best describes Azure routing?
When the next hop type is none, traffic is dropped.
When is a user considered registered for SSPR?
When they've registered at least the number of methods that you've required to reset a password
How might you deploy a network virtual appliance?
You can configure a Windows virtual machine and enable IP forwarding after routing tables, user-defined routes, and subnets have been updated. Or you can use a partner image from Azure Marketplace.
Which one of these is not an element of an Azure Resource Manager template?
idempotent
Which parameter value can you add to most CLI commands to get concise, formatted output?
table