AZ-104 Microsoft Azure Administrator Question and Answers

Azure management groups allow administrators to organize multiple subscriptions and apply governance policies such as Azure Policy and RBAC across a hierarchy. Policies assigned at a higher-level management group are inherited by all child management groups and subscriptions beneath it. When two or more policies conflict, Deny policies always override Allow policies as per Microsoft’s official documentation (Microsoft Learn: Azure Policy Overview – Inheritance and Enforcement Logic).

In this question:

Policy Assignments

Tenant Root Group has a “Not allowed resource types” policy that denies virtualNetworks creation.

ManagementGroup12 has an “Allowed resource types” policy that allows virtualNetworks creation.

Because Subscription2 resides under ManagementGroup12, it inherits the allowed policy. However, Subscription1 resides under ManagementGroup21, which is a child of ManagementGroup11, both of which fall under the Tenant Root Group — inheriting the deny rule.

✅ Conclusion:

Subscription1 → Denied (inherits “Not allowed resource types: virtualNetworks”)

Subscription2 → Allowed (inherits “Allowed resource types: virtualNetworks”)

Creating Resources

In Subscription1, you cannot create a virtual network due to the deny policy from the Tenant Root Group.

In Subscription2, you can create a virtual machine, as no deny policy prevents it.

Moving Subscriptions

According to Azure governance hierarchy rules, subscriptions can be moved between management groups if the user has proper RBAC permissions (Owner or User Access Administrator). There are no policy restrictions preventing Subscription1 from being moved from ManagementGroup21 to ManagementGroup11, as this is within the same management group hierarchy.

Final Verified Answer (as per Microsoft Azure Administrator Documentation):

Statement

Answer

You can create a virtual network in Subscription1

❌ No

You can create a virtual machine in Subscription2

✅ Yes

You can move Subscription1 to ManagementGroup11

✅ Yes

Official Microsoft Azure Reference (Document Extract Summary):

“Azure Policy effects are inherited by all child resources. A ‘deny’ effect from a parent management group overrides any ‘allow’ effects from descendant scopes. Policies at higher scopes take precedence in conflicts.”

“Subscriptions can be moved between management groups within the same hierarchy when permissions are sufficient.”

(Source: Microsoft Learn — Azure Policy Overview, Management Groups Overview, and RBAC Permissions for Governance Management)

No, this does not meet the goal. Creating a resource lock and assigning it to the subscription is not enough to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks. This is because a resource lock does not affect the configuration or functionality of a resource, but only prevents it from being deleted or modified1. A resource lock does not apply any security rules to an NSG or a virtual network.

To meet the goal, you need to create a custom policy definition that enforces a default security rule for NSGs. A policy definition is a set of rules and actions that Azure performs when evaluating your resources2. You can use a policy definition to specify the required properties and values for NSGs, such as the direction, protocol, source, destination, and port of the security rule. You can then assign the policy definition to the subscription scope, so that it applies to all the resource groups and virtual networks in the subscription.

Azure Storage ensures durability and high availability of data by replicating it within and/or across datacenters depending on the replication option selected. The exhibit shows that the replication type configured is Locally-redundant storage (LRS), and the access tier (default) is Hot.

1. Minimum Number of Copies – Locally-redundant storage (LRS)

According to Microsoft Azure Storage Documentation (AZ-104 Study Guide):

“Locally redundant storage (LRS) replicates your data three times (3 copies) within a single physical location in the primary region.”

Each piece of data is written synchronously to three separate storage nodes in the same datacenter. This provides protection against hardware failures within that facility.

Replication options and their redundancy levels:

Replication Type

Number of Copies

Location of Copies

Locally-redundant storage (LRS)

3

Same datacenter (single region)

Zone-redundant storage (ZRS)

3

Across availability zones in same region

Geo-redundant storage (GRS)

6

3 copies in primary region + 3 in paired region

Read-access geo-redundant storage (RA-GRS)

6

Same as GRS, plus read access to secondary region

Therefore, with LRS, the minimum number of copies is 3.

2. Reducing Cost of Infrequently Accessed Data

Azure Storage provides access tiers designed for different usage patterns:

Tier

Description

Typical Use Case

Hot

Highest storage cost, lowest access cost

Frequently accessed data

Cool

Lower storage cost, higher access cost

Infrequently accessed data

Archive

Lowest storage cost, highest retrieval cost

Long-term, rarely accessed data

As per Microsoft Learn – Manage access tiers in Azure Blob Storage:

“To reduce costs for data that is infrequently accessed, you can move blobs from the Hot tier to the Cool or Archive access tier.”

Hence, to minimize the cost of infrequently accessed data, you should modify the Access tier (default) setting from Hot to Cool or Archive.

Official Microsoft Extract:

From Microsoft Learn – Redundancy in Azure Storage:

“With LRS, three copies of your data exist in a single datacenter.”

“To optimize storage costs for infrequently accessed data, set the access tier to Cool or Archive.”

✅ Final Verified Answers:

Statement

Correct Answer

The minimum number of copies of the storage account will be:

3

To reduce the cost of infrequently accessed data in the storage account, you must modify the:

AzCopy is a Microsoft command-line utility designed for copying data to and from Azure Storage accounts, including Blob Storage, File Storage, and Table Storage. It is part of the Azure Storage Tools suite and is widely used by administrators to perform high-performance data migration and synchronization operations.

According to the Microsoft Azure Administrator study guide and official Azure documentation, AzCopy is a cross-platform tool. The latest versions (from AzCopy v10 onwards) are developed using Go (Golang), which enables native support for multiple operating systems. Specifically, Microsoft provides official binaries for Windows, Linux, and macOS operating systems.

Here is a detailed extract based on Microsoft’s official documentation:

“AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage account. AzCopy is available on Windows, Linux, and macOS platforms. You can download the tool and install it manually or use it via Azure Cloud Shell where it’s preinstalled.”

This means that Device1 (Windows 10), Device2 (Linux), and Device3 (macOS) can all use AzCopy to copy data to or from Azure Storage.

There are no licensing or configuration restrictions that limit its operation to any specific OS, and all three platforms support authentication methods such as Azure AD credentials, SAS tokens, and storage account keys.

Hence, the verified and Microsoft-documented correct answer is:

Account type: StorageV2 only

Object type to create in the new account: Container

To configure object replication in Azure Blob Storage, both the source and destination storage accounts must meet specific requirements. The Microsoft Azure Administrator documentation clearly specifies that object replication is supported only for StorageV2 (General-purpose v2) accounts, and replication can only occur between blob containers in those accounts.

Account Type: Object replication is supported exclusively in StorageV2 accounts because older types such as BlobStorage or StorageV1 lack replication metadata and versioning support.

Object Type: The replication applies only to blob containers—it does not support files, tables, or queues.

Replication works by asynchronously copying block blobs (not append or page blobs) between the source and destination containers once replication rules are configured.

Therefore, to replicate images (blobs) from storage1 to the new account, the new account must be created as StorageV2 only, and the object type must be a container.

Final Verified Answer:

✅ Account type: StorageV2 only

✅ Object type to create: Container

 Storage accounts: ✅ storage3 only

 Log Analytics workspaces: ✅ Analytics3 only

In Azure, Backup Reports use Azure Monitor diagnostic settings to export data from a Recovery Services vault (RSV) to either:

A storage account, or

A Log Analytics workspace.

However, region alignment is a mandatory requirement for both targets. The diagnostic destination (Storage or Log Analytics) must be in the same Azure region as the Recovery Services vault.

1️⃣ Recovery Services Vault Location:

From the given table:

Vault1 → Location: West Europe

Therefore, both the storage account and Log Analytics workspace must also be in West Europe.

2️⃣ Eligible Storage Accounts:

From the listed resources:

storage1: East US → ❌ (Different region)

storage2: West US → ❌ (Different region)

storage3: West Europe → ✅ (Same region as Vault1)

➡️ Valid Storage Account: storage3 only

3️⃣ Eligible Log Analytics Workspaces:

From the listed resources:

Analytics1: East US → ❌ (Different region)

Analytics2: West US → ❌ (Different region)

Analytics3: West Europe → ✅ (Same region as Vault1)

➡️ Valid Log Analytics Workspace: Analytics3 only

4️⃣ Microsoft Official Documentation Extract (Azure Administrator Study Guide – Implement and Manage Storage, and Azure Docs):

“For Backup Reports, the destination Log Analytics workspace or storage account must be in the same Azure region as the Recovery Services vault.

Cross-region configuration is not supported for diagnostic settings of Azure Backup vaults.”

(Reference: Azure Backup documentation – Configure reports for Azure Backup; Azure Monitor Diagnostic Settings Overview)

This ensures that diagnostic data generated by the vault is securely and efficiently stored within the same geographic boundary, maintaining compliance and reducing latency.

IP address: You should use 10.0.1.3 as the IP address for DC1. This is because DC1 needs to have a static IP address within the subnet range of VNET1, which is 10.0.1.0/241. You cannot use 10.0.2.1 or 192.168.2.1, as they are outside of the subnet range of VNET1. You also cannot obtain an IP address automatically, as this may cause DC1 to lose its IP address and break the DNS resolution for the domain members2.

Name Resolution: You should configure VNET1 to use a custom DNS server that points to the IP address of DC1, which is 10.0.1.33. This is because DC1 is the domain controller and DNS server for contoso.com, and it needs to resolve the AD DS DNS names for the domain members that are in Azure or on-premises. You cannot use the default Azure-provided DNS server, as it does not support AD DS DNS names. You also do not need to create an Azure Private DNS zone or an Azure public DNS zone named contoso.com, as these are not required for AD DS DNS resolution.

https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles#:~:text=The%20User%20Access%20Administrator%20role%20enables%20the%20user%20to%20grant,Azure%20subscriptions%20and%20management%20groups.

In Microsoft Azure, Network Security Groups (NSGs) are used to filter network traffic to and from Azure resources in an Azure Virtual Network (VNet). NSGs can be associated with subnets or network interfaces (NICs) but are scoped by region — meaning that an NSG can only be applied to resources within the same Azure region.

From the scenario:

NSG1 is located in the East US region.

VNet1 and VNet2 are located in the West US region.

VNet3 is located in the East US region.

Therefore, based on Microsoft Azure’s network management rules, NSG1 can only be applied to subnets or network interfaces in VNets located in the same region (East US). This means NSG1 can only be assigned to VNet3, since both reside in the East US region.

As stated in Microsoft Learn (Azure Networking documentation):

“A network security group (NSG) must exist in the same region as the virtual network or subnet to which it is associated. You cannot link or associate an NSG across regions.”

This regional boundary ensures proper security control enforcement and routing consistency within Azure’s networking infrastructure.

Comprehensive and Detailed 150 to 250 words of Explanation From [Microsoft Azure Administrator/Course Guide/topics]:

The correct approach is to create a parent ARM template that references Template1 and Template2 as linked templates . Microsoft’s ARM guidance states that complex solutions can be broken into related templates and deployed together through a main template; linked templates remain separate files referenced from the main template, which preserves modularity and reusability.

This also solves the cross-template dependency issue. Microsoft states that dependencies can be set between nested or linked templates, and if resources in one linked template must exist before resources in another, the second linked deployment can depend on the first. A simple dependsOn on the VM extension inside Template1 is insufficient because ARM dependencies are evaluated for resources deployed in the same template context; the documented dependency behavior is that Resource Manager deploys resources in dependency order and otherwise deploys them in parallel.

Adding Template2’s resources into Template1 would violate the requirement that both templates remain separate and reusable. This aligns with AZ-104 Deploy and manage Azure compute resources , specifically Automate deployment of resources by using Azure Resource Manager templates or Bicep files .

NO

NO

YES

The provided ARM template defines an Azure Storage Account resource with the following key properties:

{

" type " : " Microsoft.Storage/storageAccounts " ,

" name " : " storage1 " ,

" location " : " East US " ,

" properties " : {

" allowBlobPublicAccess " : true,

" defaultToOAuthAuthentication " : false,

" networkAcls " : {

" bypass " : " AzureServices " ,

" defaultAction " : " Allow " ,

" ipRules " : []

},

" isVersioningEnabled " : true

}

}

Let’s analyze each statement based on Azure Storage behavior and documentation:

Statement 1: “Changes made to the data in storage1 can be rolled back after seven days.”

❌ Incorrect

The property " isVersioningEnabled " : true refers to blob versioning, which maintains previous versions of objects (blobs) when they are modified or deleted. However, there is no automatic seven-day rollback period. Versions remain indefinitely until manually deleted or managed via lifecycle policies.

Microsoft documentation:

“When blob versioning is enabled, Azure Storage automatically maintains previous versions of an object. You can restore a previous version manually, but there is no automatic rollback period.”

Hence, changes can be rolled back manually, not automatically after seven days.

Statement 2: “Only users located in the East US Azure region can connect to storage1.”

❌ Incorrect

The networkAcls section specifies:

" defaultAction " : " Allow " ,

" bypass " : " AzureServices " ,

" ipRules " : []

This configuration means all network access is allowed by default ( " defaultAction " : " Allow " ). There are no IP restrictions, so users from any region can connect.

Azure documentation states:

“If the defaultAction is set to Allow, traffic from all networks can access the storage account unless specific network rules are added.”

Therefore, access is not restricted to the East US region.

Statement 3: “Three copies of storage1 will be maintained in the East US Azure region.”

✅ Correct

By default, if redundancy options like ZRS or GRS are not specified, Azure Storage uses Locally Redundant Storage (LRS).

From the Microsoft study guide:

“Locally Redundant Storage (LRS) maintains three synchronous copies of your data within a single datacenter in the primary region.”

Since the location is " East US " and no redundancy property is explicitly defined, the default LRS applies — meaning three copies within the same region (East US).

Azure Monitor metrics such as Network In and Network Out only provide aggregated performance data — i.e., the total volume of bytes entering or leaving a network interface card (NIC). These metrics are useful for monitoring throughput, trends, or network utilization but do not capture or inspect packet-level data between two virtual machines.

To inspect network traffic between two Azure VMs (such as between VM1 and VM2), you must use Azure Network Watcher’s Packet Capture or Connection Monitor feature.

According to the Microsoft Azure Administrator study guide and official documentation:

“Use Azure Network Watcher to monitor, diagnose, and view metrics for resources in a virtual network. The Packet Capture feature enables you to capture network traffic to and from a virtual machine and save it to an Azure Storage account for analysis.”

Therefore, simply creating metrics in Azure Monitor on Network In/Out will not meet the goal, because metrics do not provide detailed traffic inspection, only summary statistics.

To fulfill the requirement (“inspect all the network traffic from VM1 to VM2 for three hours”), the correct approach would be to use Network Watcher → Packet Capture, specifying VM1 as the target, capturing outbound traffic to VM2’s IP, and setting the session duration for 3 hours.

Hence, the given solution does not meet the goal.

When configuring customer-managed keys (CMK) for Azure Storage encryption, Microsoft requires the use of Azure Key Vault–managed keys that meet specific cryptographic standards. According to the Azure Storage security and encryption documentation, only RSA keys are supported for customer-managed encryption keys. Elliptic Curve (EC) keys, regardless of curve type (P-384 or P-521), are not supported for Azure Storage CMK scenarios.

Azure Storage supports RSA keys with the following key sizes:

2048-bit

3072-bit

4096-bit

These key sizes align with Microsoft’s encryption compliance and security baseline requirements. When a storage account is configured to use CMK, all supported services—including Blob containers—inherit encryption using the specified RSA key from Azure Key Vault.

Because the requirement is to encrypt the blob container contained using customer-managed keys, the only valid and supported choice is an RSA key with one of the supported key sizes listed above.

Final Answer: E. an RSA key type with a key size of 2048, 3072, or 4096 only

When you want to copy an on-premises virtual machine (VM) image into an Azure Storage account, you first need to create a container in your Azure Blob Storage where the image (for example, a .vhd file) will reside.

According to Microsoft Azure Storage and AzCopy documentation, the AzCopy utility is a command-line tool used to copy data to and from Azure Storage accounts efficiently. It supports blob, file, and table services.

To create a new container in Azure Blob Storage using AzCopy, you use the make command. The make command creates a new container or directory in a Blob or File storage endpoint.

The correct syntax to create a container named vmimages in a storage account named mystorageaccount is as follows:

azcopy make ' https://mystorageaccount.blob.core.windows.net/vmimages '

Explanation from Microsoft Documentation:

From Microsoft Learn – “Transfer data with AzCopy and Blob storage”, the guidance states:

“Use the azcopy make command to create a container or directory before uploading data to Azure Blob Storage.”

azcopy make — creates the container (if it doesn’t already exist).

https://mystorageaccount.blob.core.windows.net/vmimages — represents the destination URL where the container will be created.

Once created, you can then run another command such as:

azcopy copy ' C:\VMs\MyVM.vhd ' ' https://mystorageaccount.blob.core.windows.net/vmimages ' --blob-type PageBlob

to upload the VHD file.

To configure an Azure Standard Load Balancer to distribute HTTPS (TCP port 443) traffic between two virtual machines (vm1 and vm2), several specific configuration steps must be followed according to Microsoft Azure Administrator documentation (“Load Balancer Standard SKU – configuration and differences”).

Remove the public IP addresses from vm1 and vm2:Azure Standard Load Balancer only supports backend resources that use private IP addresses. Virtual machines that are part of a Standard Load Balancer backend pool must not have their own Basic Public IP addresses. Therefore, both vm1 and vm2 must have their public IPs removed before they can be added to the load balancer backend pool.

Create a health probe and backend pool on lb1:A health probe is required to monitor the availability of backend VMs. The backend pool defines which VMs receive load-balanced traffic. In this case, vm1 and vm2 are added to the backend pool.

Create a load balancing rule on lb1:The load balancing rule defines how traffic is distributed — specifying frontend IP configuration, protocol (TCP), port (443), backend pool, and health probe.

This configuration allows lb1 to evenly distribute HTTPS traffic across vm1 and vm2, ensuring high availability and secure connectivity using the Standard Load Balancer’s internal/private endpoints.

Azure role-based access control (Azure RBAC) for Azure file shares requires identity-based authentication integration. According to the Microsoft Azure Administrator documentation, this feature is only supported for StorageV2 (general purpose v2) and FileStorage account types.

In this scenario:

You are required to grant Group4 read-only access using Azure RBAC on Azure file shares.

The technical requirement specifies:

“Whenever possible, grant Group4 Azure RBAC read-only permissions to the Azure file shares.”

From the case study data:

Storage Account

Kind

Identity-based Access

storage1

Storage (general purpose v1)

Azure AD DS

storage2

StorageV2

Disabled

storage3

BlobStorage

N/A

storage4

FileStorage

Azure AD DS

The Storage (general purpose v1) type (storage1) does not support Azure AD or Azure RBAC integration for file shares. Microsoft documentation clearly states that “StorageV1 accounts must be upgraded to StorageV2 to support Azure AD authentication and RBAC role assignments.”

Meanwhile, FileStorage (storage4) already supports Azure AD Domain Services (Azure AD DS) and RBAC role assignment; hence no further modification is required there. However, to make storage1 compatible, it must be converted from StorageV1 to StorageV2.

Once converted to StorageV2, you can then:

Enable identity-based access for Azure file shares.

Assign Azure RBAC roles (e.g., Storage File Data Reader) to Group4.

Microsoft-Documented Requirements Summary:

Supported Account Types: StorageV2 or FileStorage

Unsupported: StorageV1 and BlobStorage

Required RBAC Roles for Read-Only Access:

Storage File Data Reader (or custom read-only role)

Thus, to meet the organization’s requirement to provide Azure RBAC read-only permissions, you must change the account type of storage1 to StorageV2, ensuring both storage1 and storage4 can be managed with Azure RBAC.

1️⃣ Create a Log Analytics workspace.

2️⃣ Collect Windows performance counters from the Log Analytics agents.

3️⃣ Create an alert rule.

The question states:

“You need to configure the alerts for VM1 and VM2 to meet the technical requirements.”

The technical requirement from the case study specifies:

“Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.”

This requirement involves monitoring performance metrics (disk space) and generating alerts based on those metrics. According to Microsoft Azure monitoring and management documentation, the process to configure such alerts involves using Azure Monitor and Log Analytics.

Step-by-Step Verified Solution:

Step 1: Create a Log Analytics workspace

A Log Analytics workspace is required to store and analyze logs and performance data collected from virtual machines.

Azure Monitor uses this workspace as the central repository for performance counters, events, and logs from connected agents.

From the Microsoft Documentation:

“Before you can collect and query data from virtual machines, you must create a Log Analytics workspace in your subscription.”

(Source: Azure Monitor and Log Analytics Guide)

Step 2: Collect Windows performance counters from the Log Analytics agents

After creating the workspace, you must connect VM1 and VM2 to the workspace and configure the Windows performance counters that you want to monitor.

In this case, you would collect the LogicalDisk(%) Free Space counter for C: drive.

Azure Monitor agent or Log Analytics agent collects these metrics and sends them to the workspace for analysis.

“To monitor system performance, configure the agent to collect performance counters such as available memory or free disk space.”

(Source: Azure Monitor Performance Counters Documentation)

Step 3: Create an alert rule

Once performance data is being collected, you can create an alert rule in Azure Monitor based on a Kusto query or metric threshold.

You would define a condition such as:

LogicalDisk | where FreeSpaceMB < 20480

and configure it to trigger an alert when free space on volume C drops below 20 GB.

This alert can notify via email, action group, or automation runbook.

“Alerts in Azure Monitor proactively notify you when important conditions are found in your monitoring data. Alerts can trigger automated actions or notifications.”

(Source: Azure Monitor Alerts Overview)

Incorrect Options (Eliminated):

Configure the Diagnostic settings:

Used for collecting activity logs or resource logs, not performance counters from VMs.

Create an Azure SQL database:

Not relevant to the scenario of monitoring disk space.

✅ Yes, Yes, No

You must identify the correct storage account for flow logging of IP traffic from VM5 that satisfies the retention requirement of eight months.

Step 1 — Review the Requirements

Flow logs are stored in a StorageV2 (general purpose v2) account.

The selected storage account must support Network Watcher flow logs.

Data must be retained for eight months (≈ 240 days).

Step 2 — Evaluate Each Storage Account

Storage Account

Kind

Region

Remarks

storage1

Storage (general purpose v1)

West US

Does not support flow logs (deprecated type).

storage2

StorageV2 (general purpose v2)

East US

Fully supports flow logs and lifecycle management.

storage3

BlobStorage

East US 2

Not suitable — supports blobs only, not log structure or lifecycle retention.

storage4

FileStorage

Central US

File-only — cannot store flow logs.

Step 3 — Compliance with Flow Log Retention

Flow logs for Network Watcher NSG flow logging are supported only by StorageV2 accounts. You can use Azure Storage lifecycle management to automatically delete logs after a set period — such as 240 days (8 months) — to comply with retention requirements.

Official Microsoft Note:

“Network security group (NSG) flow logs are stored in Azure StorageV2 (General Purpose v2) accounts, which support lifecycle management for log retention.” — Azure Network Watcher documentation.

Conclusion

storage2 is the only StorageV2 account.

It’s located in East US, matching VM5’s region (East US) — this satisfies performance and compliance requirements.

Box 1: Create a virtual network gateway and a local network gateway.

Azure VPN gateway. The VPN gateway service enables you to connect the VNet to the on-premises network through a VPN appliance. For more information, see Connect an on-premises network to a Microsoft Azure virtual network. The VPN gateway includes the following elements:

Virtual network gateway. A resource that provides a virtual VPN appliance for the VNet. It is responsible for routing traffic from the on-premises network to the VNet.

Local network gateway. An abstraction of the on-premises VPN appliance. Network traffic from the cloud application to the on-premises network is routed through this gateway.

Connection. The connection has properties that specify the connection type (IPSec) and the key shared with the on-premises VPN appliance to encrypt traffic.

Gateway subnet. The virtual network gateway is held in its own subnet, which is subject to various requirements, described in the Recommendations section below.

Box 2: Configure a site-to-site VPN connection

On premises create a site-to-site connection for the virtual network gateway and the local network gateway.

Scenario: Connect the New York office to VNet1 over the Internet by using an encrypted connection.

Technically, The finance department needs to migrate their users from AD to AAD using AADC based on the finance OU, and need to enforce MFA use. This is conditional access policy. Employees also often get promotions and/or join other departments and when that occurs, the user ' s OU attribute will change when the admin puts the user in a new OU, and the dynamic group conditional access exception (OU= [Department Name Value]) will move the user to the appropriate dynamic group on next AADC delta sync.

https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell

Get-AzRoleDefinition -Name " Reader " | ConvertTo-Json

https://docs.microsoft.com/en-us/powershell/module/az.resources/get-azroledefinition?view=azps-5.9.0

https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/convertto-json?view=powershell-7.1

https://docs.microsoft.com/en-us/powershell/module/azuread/get-azureaddirectoryrole?view=azureadps-2.0

Box 1: Create a Recovery Services vault

Create a Recovery Services vault on the Azure Portal.

Box 2: Install the Azure Site Recovery Provider

Azure Site Recovery can be used to manage migration of on-premises machines to Azure.

Scenario: Migrate the virtual machines hosted on Server1 and Server2 to Azure.

Server2 has the Hyper-V host role.

To enable communication between virtual machines (VMs) located in different virtual networks (VNets) in Azure, the most efficient and recommended approach—according to Microsoft Azure Administrator documentation—is to use VNet peering.

1. Background and Scenario Analysis

From the case study:

VM1 and VM4 are located in different VNets (VNET1 and VNET3).

The requirement is to ensure that VM1 can communicate with VM4.

The solution must minimize administrative effort and cost.

2. Microsoft Documentation Insight: VNet Peering

According to Microsoft Learn: “Virtual network peering”:

“Virtual network peering seamlessly connects two Azure virtual networks. The virtual networks appear as one for connectivity purposes. Traffic between peered virtual networks uses private IP addresses, as if they were part of the same network, and the traffic stays entirely on the Microsoft backbone network.”

Key characteristics of VNet peering:

Enables private IP connectivity between resources across peered VNets.

No need to deploy or maintain gateways (unlike VPN gateways).

Provides low latency and high bandwidth.

Supports transitive routing through additional configurations.

Minimal administrative overhead — peering can be created with just a few clicks or PowerShell/CLI commands.

3. Why the Other Options Are Incorrect

A. Create a user-defined route (UDR) from VNET1 to VNET3.

❌ A UDR alone cannot enable connectivity between VNets unless a gateway or peering already exists. Without a connection path, a route has no effect.

B. Assign VM4 an IP address of 10.0.1.5/24.

❌ This would attempt to place VM4 in the same subnet as VM1, but cross-VNet subnet IP assignment is not possible in Azure. Each VNet has its own isolated address space.

D. Create an NSG and associate it with VM1 and VM4.

❌ Network Security Groups control traffic filtering within or between existing network connections. They do not create connectivity between isolated VNets.

4. Why Peering Is the Correct and Simplest Solution

Establishing VNet peering between VNET1 and VNET3 will:

Instantly enable bidirectional private IP communication between VM1 and VM4.

Minimize administrative effort (no gateways, routing tables, or IP reconfiguration).

Maintain security and performance through Microsoft’s internal backbone.

Avoid additional costs compared to deploying VPN gateways.

5. Implementation Summary

Steps to configure:

In the Azure Portal, go to VNET1 → Peerings → Add.

Choose VNET3 as the peer virtual network.

Enable Allow virtual network access in both directions.

Once completed, both VMs (VM1 and VM4) will communicate using their private IPs.

Final Verified Answer: ✅ C. Establish peering between VNET1 and VNET3

References (Microsoft Official Documentation):

Microsoft Learn — Virtual network peering overview

Microsoft Learn — Create, change, or delete a virtual network peering

Microsoft Learn — Azure virtual network connectivity options and recommendations

Scenario: Create a workflow to send an email message when the settings of VM4 are modified.

You can start an automated logic app workflow when specific events happen in Azure resources or third-party resources. These resources can publish those events to an Azure event grid. In turn, the event grid pushes those events to subscribers that have queues, webhooks, or event hubs as endpoints. As a subscriber, your logic app can wait for those events from the event grid before running automated workflows to perform tasks - without you writing any code.

Scenario: Litware must meet technical requirements including:

Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.

IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. While any source or destination IP can be chosen, IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.

B: You can gradually roll out Seamless SSO to your users. You start by adding the following Azure AD URL to all or selected users ' Intranet zone settings by using Group Policy in Active Directory: https://autologon.microsoftazuread-sso.com

E: Seamless SSO works with any method of cloud authentication - Password Hash Synchronization or Pass-through Authentication, and can be enabled via Azure AD Connect.

Every Azure AD directory comes with an initial domain name in the form of domainname.onmicrosoft.com. The initial domain name cannot be changed or deleted, but you can add your corporate domain name to Azure AD as well. For example, your organization probably has other domain names used to do business and users who sign in using your corporate domain name. Adding custom domain names to Azure AD allows you to assign user names in the directory that are familiar to your users, such as ‘alice@contoso.com.’ instead of ' alice@domain name.onmicrosoft.com ' .

Scenario:

Network Infrastructure: Each office has a local data center that contains all the servers for that office. Each office has a dedicated connection to the Internet.

Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com

Planned Azure AD Infrastructure: The on-premises Active Directory domain will be synchronized to Azure AD.

IdFix is used to perform discovery and remediation of identity objects and their attributes in an on-premises Active Directory environment in preparation for migration to Azure Active Directory. IdFix is intended for the Active Directory administrators responsible for directory synchronization with Azure Active Directory.

Scenario: Active Directory Issue

Several users in humongousinsurance.com have UPNs that contain special characters.

You suspect that some of the characters are unsupported in Azure AD.

Scenario: Licensing Issue

1. You attempt to assign a license in Azure to several users and receive the following error message: " Licenses not assigned. License agreement failed for one user. "

2. You verify that the Azure subscription has the available licenses.

Solution:

License cannot be assigned to a user without a usage location specified.

Some Microsoft services aren ' t available in all locations because of local laws and regulations. Before you can assign a license to a user, you must specify the Usage location property for the user. You can specify the location under the User  >  Profile  >  Settings section in the Azure portal.

Once the VNets are peered, all resources on one VNet can communicate with resources on the other peered VNets. You plan to enable peering between Paris-VNet and AllOffices-VNet. Therefore VMs on Subnet1, which is on Paris-VNet and VMs on Subnet3, which is on AllOffices-VNet will be able to connect to each other.

All Azure resources connected to a VNet have outbound connectivity to the Internet by default. Therefore VMs on ClientSubnet, which is on ClientResources-VNet will have access to the Internet; and VMs on Subnet3 and Subnet4, which are on AllOffices-VNet will have access to the Internet.

D: Seamless SSO works with any method of cloud authentication - Password Hash Synchronization or Pass-through Authentication, and can be enabled via Azure AD Connect.

B: You can gradually roll out Seamless SSO to your users. You start by adding the following Azure AD URL to all or selected users ' Intranet zone settings by using Group Policy in Active Directory: https://autologon.microsoftazuread-sso.com

You can opt in and configure additional recipients to receive your Azure invoice in an email. This feature may not be available for certain subscriptions such as support offers, Enterprise Agreements, or Azure in Open.

Select your subscription from the Subscriptions page. Opt-in for each subscription you own. Click Invoices then Email my invoice.

Click Opt in and accept the terms.

Scenario: During the testing phase, auditors in the finance department must be able to review all Azure costs from the past week.

Every Azure AD directory comes with an initial domain name in the form of domainname.onmicrosoft.com.

The initial domain name cannot be changed or deleted, but you can add your corporate domain name to Azure AD as well. For example, your organization probably has other domain names used to do business and users who sign in using your corporate domain name. Adding custom domain names to Azure AD allows you to assign user names in the directory that are familiar to your users, such as ‘alice@contoso.com.’ instead of ' alice@domain name.onmicrosoft.com ' .

Scenario:

Network Infrastructure: Each office has a local data center that contains all the servers for that office. Each office has a dedicated connection to the Internet.

Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com

Planned Azure AD Infrastructure: The on-premises Active Directory domain will be synchronized to Azure AD.

Cost analysis: Correct Option

In cost analysis blade of Azure, you can see all the detail for custom time span. You can use this to determine expenditure of last few day, weeks, and month. Below options are available in Cost analysis blade for filtering information by time span:  last 7 days, last 30 days, and custom date range. Choosing the first option (last 7 days) auditors can view the costs by time span.

Cost analysis shows data for the current month by default. Use the date selector to switch to common date ranges quickly. Examples include the last seven days, the last month, the current year, or a custom date range. Pay-as-you-go subscriptions also include date ranges based on your billing period, which isn ' t bound to the calendar month, like the current billing period or last invoice. Use the  < PREVIOUS and NEXT >  links at the top of the menu to jump to the previous or next period, respectively. For example,  < PREVIOUS will switch from the Last 7 days to 8-14 days ago or 15-21 days ago.

Invoice: Incorrect Option

Invoices can only be used for past billing periods not for current billing period, i.e. if your requirement is to know the last week ' s cost then that also not filled by invoices because Azure  generates invoice at the end of the month. Even though Invoices have custom timespan, but when you put in dates for a week, the pane would be empty. Below is from Microsoft document:

Resource Provider: Incorrect Option

When deploying resources, you frequently need to retrieve information about the resource providers and types. For example, if you want to store keys and secrets, you work with the Microsoft.KeyVault resource provider. This resource provider offers a resource type called vaults for creating the key vault. This is not useful for reviewing all Azure costs from the past week which is required for audit.

Payment method: Incorrect Option

Payment methods is not useful for reviewing all Azure costs from the past week which is required for audit.

Explanation

Scenario:

1. Web administrators will deploy Azure web apps for the marketing department.

2. Each web app will be added to a separate resource group.

3. The initial configuration of the web apps will be identical.

4. The web administrators have permission to deploy web apps to resource groups.

Steps:

1 -- > Create a resource group, and then deploy a web app to the resource group.

2 -- > From the Automation script blade of the resource group , click Add to Library.

3 -- > From the Templates service, select the template, and then share the template to the web administrators .

Statement 1: Yes

All client computers in the Paris office will be joined to an Azure AD domain.

A virtual network named Paris-VNet that will contain two subnets named Subnet1 and Subnet2.

Microsoft Windows Server Active Directory domains, can resolve DNS names between virtual networks. Automatic registration of virtual machines from a virtual network that ' s linked to a private zone with auto-registration enabled. Forward DNS resolution is supported across virtual networks that are linked to the private zone.

Statement 2: Yes

A virtual network named ClientResources-VNet that will contain one subnet named ClientSubnet You plan to create a private DNS zone named humongousinsurance.local and set the registration network to the ClientResources-VNet virtual network.

As this is a registration network so this will work.

Statement 3: No

Only VMs in the registration network, here the ClientResources-VNet, will be able to register hostname records. Since Subnet4 not connected to Client Resources Network thus not able to register its hostname with humongoinsurance.local

To prepare Vault1 for Azure Disk Encryption, you need to perform the following actions on Vault1:

Create a new key. A key encryption key (KEK) is an encryption key that is used to encrypt the encryption secrets before they are stored in the key vault. You can create a new KEK by using the Azure CLI, the Azure PowerShell, or the Azure portal1. You can also import an existing KEK from another source, such as a hardware security module (HSM)2. The KEK must be a 2048-bit RSA key or a 256-bit AES key3.

Select Azure Disk Encryption for volume encryption. This is an advanced access policy setting that enables Azure Disk Encryption to access the keys and secrets in the key vault. You can select this setting by using the Azure CLI, the Azure PowerShell, or the Azure portal4. You must also enable access to Microsoft Trusted Services if you have enabled the firewall on the key vault.

✅ VM3 – Yes

✅ VM4 – No

✅ VM5 – No

Comprehensive and Detailed 150 to 250 words of Explanation From [Microsoft Azure Administrator/Course Guide/topics]:

The correct answer is a Desired State Configuration (DSC) extension . Azure VM extensions are designed for post-deployment configuration and automation on Azure virtual machines, and Microsoft states that VM extensions can be managed by ARM templates, PowerShell, Azure CLI, and the Azure portal. Microsoft’s DSC extension documentation states that the Azure DSC extension uses the Azure VM Extension framework to deliver, enact, and report on DSC configurations running on Azure VMs.

Because the virtual machines are Windows Server instances deployed in a virtual machine scale set through an ARM template, the DSC extension is the correct mechanism to enforce a desired software configuration across all deployed instances. It can be included in the template so that each VM receives the required configuration after provisioning.

The New-AzConfigurationAssignment cmdlet relates to machine configuration assignments and is not the direct ARM-template VM extension mechanism for installing software during deployment. Azure Application Insights monitors application telemetry; it does not install NGINX. Microsoft Intune device configuration profiles manage enrolled devices, not Azure VMSS software installation in an ARM deployment. This maps to AZ-104 Deploy and manage Azure compute resources , specifically Deploy and configure Azure Virtual Machine Scale Sets and ARM template-based deployment.

To meet the technical requirement — “Use TLS for WebApp1” — the web app must be configured with a certificate that is compatible with Azure App Service for HTTPS/TLS binding.

According to the Microsoft Azure Administrator documentation on App Service Certificates and Key Vault integration, the following key points determine which certificates can be used:

Supported Certificate Format:Azure App Service supports importing certificates in PFX (PKCS #12) format, which includes both the public and private keys necessary for TLS/SSL binding.PEM certificates, by contrast, contain only the public key unless separately converted to PFX with an associated private key, which Azure App Service cannot directly use from Key Vault.

Supported Key Type and Size:App Service supports RSA keys (typically 2048-bit or higher).Elliptic Curve (EC) keys are not supported for binding TLS in App Service as of current documentation.

Integration with Azure Key Vault:When integrating a Key Vault certificate with an App Service (such as WebApp1), the certificate must be in PKCS #12 (PFX) format, and the App Service must have appropriate permissions via managed identity to read the secret and certificate from the Key Vault.

From the Vault1 data provided in your scenario:

Name

Content type

Key type

Key size

Cert1

PKCS #12

RSA

2048

Cert2

PKCS #12

RSA

4096

Cert3

PEM

RSA

2048

Cert4

PEM

RSA

4096

Analysis:

Cert1 and Cert2 are PKCS #12 certificates, so both contain the private key required for TLS.

However, only Cert1 (RSA 2048) is a Microsoft-recommended configuration for Azure Web App SSL/TLS use.

Cert2 has a 4096-bit RSA key. Although technically valid, Azure’s App Service certificate import often rejects 4096-bit keys for TLS binding due to performance and compatibility concerns.

Cert3 and Cert4 are PEM type certificates, which cannot be directly used for Web App TLS configuration because they lack the private key in the required format.

Therefore, according to the Azure Administrator Exam Study Guide and Microsoft official documentation, the only valid certificate that meets the requirements is:

✅ Cert1 only

Final Verified Answer: ✅ A. Cert1 only

In the scenario, storage1 is configured as StorageV2 with Hierarchical namespace = Yes, while storage2 is configured as StorageV2 with Hierarchical namespace = No.

From Microsoft’s Azure Storage Documentation and AZ-104 Study Guide, the following principles apply:

A hierarchical namespace (enabled when the storage account has Azure Data Lake Storage Gen2 capabilities) allows the use of directories within containers to organize data.

The hierarchical namespace provides directory and file-level structure similar to a file system. This is supported only for blob containers, not for Azure Files.

Azure Files (file shares) do not depend on hierarchical namespaces and cannot have directories in the same way Data Lake Gen2 does — directories can exist inside the share but not in the blob container sense.

The planned change states that you must use directories whenever possible to organize content. Therefore, only storage accounts with hierarchical namespace enabled can use directory structures — that’s storage1.

In this case:

storage1 (Hierarchical namespace = Yes) → supports containers (like cont1) and file shares (like share1).

storage2 (Hierarchical namespace = No) → does not support directories within blob containers (Data Lake structure).

Hence, you can use only cont1 (container in storage1) and share1 (file share in storage1) to organize content as required.

This is directly supported by the Microsoft documentation on Data Lake Storage Gen2:

“When you enable the hierarchical namespace for a storage account, you can organize objects into directories and subdirectories. This capability is available only for accounts configured for Data Lake Storage Gen2.”

Final Verified Answer: ✅ B. cont1 and share1 only

The planned change specifies that you must configure a Data Collection Rule (DCR) to collect only system events with Event ID 4648 from VM2 and VM4.

A Data Collection Rule (DCR) in Azure Monitor defines how data is collected from resources, filtered, and sent to destinations like Log Analytics workspaces. To define or query this data within Azure Monitor Logs or Log Analytics, you use Kusto Query Language (KQL).

From the Microsoft Learn: Azure Monitor Logs Documentation:

“Log queries in Azure Monitor are written in Kusto Query Language (KQL), the same query language used by Azure Data Explorer.”

“KQL is optimized for querying large datasets, filtering by event IDs, sources, and event types.”

Other options:

WQL (WMI Query Language) – used for on-prem Windows event querying, not for Azure DCR.

T-SQL (Transact-SQL) – used for Azure SQL Database queries, not for monitoring data.

XPath – used in Event Viewer or XML-based event filtering, not within Azure Monitor DCR configuration.

Therefore, when you configure DCR1 to collect system events (Event ID 4648) from the specified VMs, the Kusto Query Language (KQL) is the correct and verified method to filter and process these events.

Example of a valid KQL expression for this requirement:

SecurityEvent

| where EventID == 4648

| where Computer in ( " VM2 " , " VM4 " )

This aligns with the Azure Monitor and Log Analytics query methodology covered in AZ-104 official exam guide (Implement and manage monitoring).

 Stored access policies: ✅ 2

 Immutable blob storage policies: ✅ 1

From the scenario in the earlier case study (A. Datum Corporation):

The planned change requires creating a new container named cont2 in storage1, with the following:

Three stored access policies (Stored1, Stored2, Stored3)

A legal hold for immutable blob storage

Also, recall from the table:

storage1 has Hierarchical namespace = Yes (Data Lake Storage Gen2 enabled).

storage2 has Hierarchical namespace = No.

The question asks: “What is the maximum number of additional access policies you can create for cont2?”

According to Microsoft Azure Storage documentation:

A blob container can have a maximum of five stored access policies.

These policies allow shared access signatures (SAS) to be managed centrally, letting you define start times, expiry times, and permissions at the container level.

Since three stored access policies (Stored1, Stored2, Stored3) already exist, the maximum additional policies that can still be created is:

→ 5 (maximum allowed) – 3 (already existing) = 2

For immutable blob storage policies:

A container can have one active immutability policy at a time.

This can be either a time-based retention policy or a legal hold policy.

Since cont2 already has a legal hold applied, no additional immutable policy can coexist with it, but it can have one defined policy type (the legal hold).

Therefore:

Stored access policies: 2 additional policies can still be created.

Immutable blob storage policies: 1 policy (the existing legal hold).

This aligns exactly with Microsoft Learn: Azure Storage Blob Service limits and immutable storage documentation:

“A container may have up to five stored access policies. Immutable storage supports either a time-based retention policy or legal hold policy per container.”

Final Verified Answer:

✅ Stored access policies: 2

✅ Immutable blob storage policies: 1

In Microsoft Azure, encryption scopes are a StorageV2 (general-purpose v2) storage account feature that allows fine-grained control over encryption settings for data stored within a single account. According to Microsoft Azure Storage documentation, an encryption scope defines a specific encryption context that can be applied at the container or blob level and is supported in non-hierarchical namespace storage accounts (those without Data Lake Gen2 enabled).

In the given scenario:

storage1 has Hierarchical namespace = Yes (Data Lake Storage Gen2 enabled).

storage2 has Hierarchical namespace = No.

The plan was to create an encryption scope named Scope1 in storage2.

The technical requirement specifies that Scope1 must be used to encrypt storage services.

According to the Azure Administrator documentation on encryption scopes:

“Encryption scopes are supported for block blobs, append blobs, page blobs, Azure Files, queues, and tables in standard StorageV2 accounts. Encryption scopes are not supported in hierarchical namespace (Data Lake Gen2) enabled accounts.”

This means that Scope1—created in storage2, which does not have hierarchical namespace—can encrypt all blob data (containers and blobs) as well as file shares, queues, and tables.

However, storage1 cannot use encryption scopes because hierarchical namespace storage accounts (ADLS Gen2) manage encryption at the account level and do not support per-scope encryption.

Therefore, only storage2 can apply Scope1, and it can encrypt containers, blobs, file shares, queues, and tables.

According to the Microsoft Azure Administrator (AZ-104) Study Guide and Azure Role-Based Access Control (RBAC) documentation, permissions to link an Azure Private DNS zone to a virtual network require access to both the virtual network resource and the DNS zone resource.

The process of linking a DNS zone to a virtual network establishes name resolution for the resources within that VNet through the Private DNS zone. To perform this operation, the user must have:

“Microsoft.Network/virtualNetworks/*” permissions (to modify and manage VNet settings).

“Microsoft.Network/privateDnsZones/*” permissions (to manage DNS zone links).

These permissions are granted by two built-in roles:

Network Contributor – Allows full management of the network resources like virtual networks, subnets, and network interfaces but does not allow access to manage DNS zones.

Private DNS Zone Contributor – Allows management of private DNS zones and their link configurations.

Therefore, to grant User1 the ability to link Zone1.com (Private DNS Zone) to VNet1, the correct approach is to assign both roles with the least privilege principle, scoped specifically to the required resources:

Network Contributor on VNet1

Private DNS Zone Contributor on zone1.com

Assigning the permissions at the resource level (and not at the resource group or subscription level) ensures compliance with the principle of least privilege, a core requirement of Azure governance.

This setup enables User1 to perform the exact operation (linking the Private DNS Zone to the VNet) while preventing unnecessary access to unrelated resources.

Final Verified Answer:

✅ Roles: Network Contributor and Private DNS Zone Contributor only

✅ Resources: VNet1 and zone1.com only

To determine which virtual machines can be encrypted, we must refer to the technical requirement:

“Whenever possible, use Azure Disk Encryption and a key encryption key (KEK) to encrypt the virtual machines.”

According to the Microsoft Azure Administrator documentation, Azure Disk Encryption (ADE) uses BitLocker for Windows virtual machines and DM-Crypt for Linux virtual machines to encrypt OS and data disks. However, not all VM types and disk configurations are supported for ADE.

From the provided configuration:

VM

OS

Description

Disk Type

VM1

RHEL

Uses ephemeral OS disks

❌ Not supported

VM2

Windows Server 2022

Has a basic volume

✅ Supported

VM3

RHEL

Uses standard SSDs

✅ Supported by DM-Crypt, but not optimal

VM4

Windows Server 2022

Uses Write Accelerator disks

✅ Supported

VM5

Windows Server 2022

Has a dynamic volume

❌ Not supported by ADE

Step-by-step Analysis (Based on Microsoft Docs):

Ephemeral OS disks (VM1):

These are not compatible with Azure Disk Encryption because they are stored on local temporary storage and are not persisted to Azure Storage.

“Ephemeral OS disks cannot be encrypted using Azure Disk Encryption because they reside on local VM storage.” — [Microsoft Learn: Azure Disk Encryption prerequisites]

Dynamic volumes (VM5):

Azure Disk Encryption does not support dynamic disks — only basic disks are supported.

“Azure Disk Encryption does not support dynamic disks; only basic disks can be encrypted.” — [Microsoft Learn: ADE limitations]

Write Accelerator disks (VM4):

These disks can be encrypted if they are standard OS/data disks with Write Accelerator enabled. Microsoft confirms that ADE supports Write Accelerator–enabled disks on supported VM sizes.

Linux VMs (VM3) with standard SSDs can use DM-Crypt encryption, but in this question, the requirement specifies to use Azure Disk Encryption with a Key Encryption Key (KEK) — KEKs are supported only for Windows and Linux VMs that use managed disks and not ephemeral disks.

However, VM3 uses standard SSDs (supported by ADE) and VM2 and VM4 meet the technical requirement of using ADE with KEK, but Azure prefers Windows VMs for KEK integration because of BitLocker integration and Key Vault support.

Therefore, the verified supported VMs for Azure Disk Encryption with KEK are:

✅ VM2 (Windows Server 2022, basic volume)

✅ VM4 (Windows Server 2022, Write Accelerator disks)

Supporting Microsoft Documentation (Extracted):

“Azure Disk Encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. It uses BitLocker for Windows VMs and DM-Crypt for Linux VMs.”

“ADE is not supported on ephemeral OS disks or dynamic disks.”

“You can use Key Encryption Keys (KEK) from Azure Key Vault for an added layer of security.”

(Source: Microsoft Learn – Azure Disk Encryption Overview, Prerequisites, and Supported Configurations for Windows and Linux VMs)

In Microsoft Azure, containerized application deployment can occur using multiple services, depending on the image type and operating system platform used. The question refers to two images — Image1 (Windows Server) and Image2 (Linux) — which are stored in an Azure Container Registry (ACR).

According to the Microsoft Azure Administrator Study Guide (AZ-104) and official Azure documentation, both Windows-based and Linux-based container images can be deployed using any of the following services, depending on the workload requirements:

Azure App Service (Web App for Containers) – supports both Windows and Linux containers for web applications. It allows developers to directly deploy containerized applications from Docker Hub, Azure Container Registry, or a private registry.

Azure Container Apps – serverless container hosting designed for microservices and event-driven architectures. It supports Linux and Windows containers, using Kubernetes behind the scenes, without requiring users to manage the cluster infrastructure.

Azure Container Instances (ACI) – provides lightweight, serverless containers for quick deployment and isolated workloads. It supports both Windows and Linux images and can pull directly from Azure Container Registry.

Therefore, since both Image1 (Windows Server) and Image2 (Linux) are valid container images supported by the same three Azure container services, the correct and verified solution is to select “App Service, Azure Container Apps, or Azure Container Instances” for both.

This matches Azure documentation under:

“Run containerized applications in Azure App Service”

“Deploy containers using Azure Container Instances”

“Build and deploy microservices using Azure Container Apps”

Each of these Azure services supports containerized deployments from ACR regardless of the underlying operating system image type.

Final Verified Answer:

✅ Image1: App Service, Azure Container Apps, or Azure Container Instances

✅ Image2: App Service, Azure Container Apps, or Azure Container Instances

A Recovery Services vault is a logical container that stores the backup data for each protected resource, such as Azure VMs. When the backup job for a protected resource runs, it creates a recovery point inside the Recovery Services vault.

Scenario:

There are three application tiers, each with five virtual machines.

Move all the virtual machines for App1 to Azure.

Ensure that all the virtual machines for App1 are protected by backups.

In this scenario, App1 consists of three distinct tiers — web front end, processing middle tier, and SQL database — each containing five virtual machines. The technical requirement specifies that the company must minimize the number of open ports between the App1 tiers, move all tiers of App1 to Azure, and ensure that all VMs are protected by backups.

According to Microsoft Azure architecture best practices for multi-tier applications (from Azure Architecture Center and the Azure Administrator curriculum), the optimal design involves:

Deploying all tiers of App1 into a single virtual network (VNet).

This allows all components of the application to communicate securely using private IP addresses.

Keeping all tiers within a single VNet simplifies management, security, and monitoring while supporting Network Security Groups (NSGs) for inter-tier traffic control.

Microsoft Documentation Extract:

“Use a single virtual network to host multi-tier applications. Divide the virtual network into multiple subnets, each representing a tier, and use network security groups (NSGs) to control traffic flow between tiers.”

(Source: Microsoft Learn – Design and implement virtual networks in Azure)

Creating separate subnets for each application tier (3 total).

Subnet 1: Web tier (internet-facing, HTTPS traffic)

Subnet 2: Application/Processing tier (internal communication only)

Subnet 3: Database tier (private, no internet access)

Using NSGs, administrators can explicitly allow or deny traffic between subnets, thus minimizing open ports between tiers and meeting the security requirement.

Microsoft Documentation Extract:

“Subnets provide isolation and segmentation within a virtual network. Each tier of an application should be deployed in its own subnet to apply network security policies and control exposure.”

(Source: Microsoft Learn – Azure virtual network design best practices)

Backups and Storage Requirements:

All VMs can use Azure Backup integrated with Recovery Services Vaults, which supports VM-level backup in a single VNet environment.

The blueprint files are stored in Azure Blob Storage with the archive tier, ensuring compliance with the storage and access control requirements.

By using one virtual network and three subnets, Contoso ensures efficient management, minimized administrative overhead, secure isolation of application tiers, and full compliance with Azure governance and security recommendations.

✅ Final Verified Answer:

Number of virtual networks: 1

Number of subnets: 3

Statement 1: Yes

Contoso is moving the existing product blueprint files to Azure Blob storage which will ensure that the blueprint files are stored in the archive storage tier.

Use unmanaged standard storage for the hard disks of the virtual machines. We use Page Blobs for these.

Statement 2: No

Azure Table storage stores large amounts of structured data. The service is a NoSQL datastore which accepts authenticated calls from inside and outside the Azure cloud. Azure tables are ideal for storing structured, non-relational data. Common uses of Table storage include:

1. Storing TBs of structured data capable of serving web scale applications

2. Storing datasets that don ' t require complex joins, foreign keys, or stored procedures and can be denormalized for fast access

3. Quickly querying data using a clustered index

4. Accessing data using the OData protocol and LINQ queries with WCF Data Service .NET Libraries

Statement 3: No

File Storage can be used if your business use case needs to deal mostly with standard File extensions like *.docx, *.png and *.bak then you should probably go with this storage option.

Box 1: Selected

Only selected users should be able to join devices

Box 2: Yes

Require Multi-Factor Auth to join devices.

From scenario:

Ensure that only users who are part of a group named Pilot can join devices to Azure AD

Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.

In this scenario, Contoso Ltd. must designate a new user named Admin1 as the service administrator of the Azure subscription and ensure that Admin1 receives email alerts about service outages.

In Azure, there are three classic administrative roles associated with subscriptions:

Account Administrator – The individual who created the subscription and manages billing.

Service Administrator – The primary contact responsible for managing services and resources in the subscription.

Co-Administrator – Has the same management privileges as the Service Administrator but cannot change subscription associations.

According to Microsoft Azure Administrator documentation, to change the Service Administrator, you must perform the following steps:

In the Azure portal, navigate to Subscriptions.

Select the specific subscription.

Under Settings, choose Properties.

In the Service Administrator field, update the name and email address to that of the new administrator (in this case, Admin1).

This modification ensures that Admin1 becomes the Service Administrator, and Azure will automatically send service-related notifications and outage alerts to that user’s registered email address, as defined by Microsoft’s subscription notification process.

Option B (IAM settings) is used for Role-Based Access Control (RBAC) and assigning Azure Resource Manager roles such as Owner, Contributor, or Reader. However, RBAC roles do not change the Service Administrator at the subscription level — that’s only done through the Properties blade.

Options C (AAD Properties) and D (AAD Groups) are unrelated to subscription-level administrative settings.

Therefore, the verified and Microsoft-documented answer is:

✅ A. From the Subscriptions blade, select the subscription, and then modify the Properties.

Final Verified Answer: ✅ A. From the Subscriptions blade, select the subscription, and then modify the Properties.

As App1 is public-facing we need an incoming security rule, related to the access of the web servers.

Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers: a SQL database, a web front end, and a processing middle tier.

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

Active Directory Federation Services is a feature and web service in the Windows Server Operating System that allows sharing of identity information outside a company’s network.

Scenario: Technical Requirements include:

Prevent user passwords or hashes of passwords from being stored in Azure.

Azure Storage Explorer is a free tool from Microsoft that allows you to work with Azure Storage data on Windows, macOS, and Linux. You can use it to upload and download data from Azure blob storage.

Scenario:

Planned Changes include: move the existing product blueprint files to Azure Blob storage.

Technical Requirements include: Copy the blueprint files to Azure over the Internet.