Win IT Exam with Last Dumps 2024

Microsoft AZ-104 Exam

Page 10/55
Viewing Questions 91 100 out of 549 Questions
18.18%

Question 91
HOTSPOT -
You have an Azure Load Balancer named LB1.
You assign a user named User1 the roles shown in the following exhibit.
AZ-104_91Q_1.jpg related to the Microsoft AZ-104 Exam
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
AZ-104_91Q_2.jpg related to the Microsoft AZ-104 Exam
Image AZ-104_91R.jpg related to the Microsoft AZ-104 Exam



Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor
https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles

Question 92
You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1.
Subscription1 has a user named User1. User1 has the following roles:
- Reader
- Security Admin
- Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users.
What should you do?



Has full access to all resources including the right to delegate access to others.
Note:
There are several versions of this question in the exam. The question has two possible correct answers:
- Assign User1 the User Access Administrator role for VNet1.
- Assign User1 the Owner role for VNet1.
Other incorrect answer options you may see on the exam include the following:
- Remove User1 from the Security Reader and Reader roles for Subscription1. Assign User1 the Contributor role for Subscription1.
- Remove User1 from the Security Reader and Reader roles for Subscription1.
- Assign User1 the Network Contributor role for RG1.
References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles
https://docs.microsoft.com/en-us/azure/role-based-access-control/overview

Question 93
HOTSPOT -
You configure the custom role shown in the following exhibit.
AZ-104_93Q_1.png related to the Microsoft AZ-104 Exam
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
AZ-104_93Q_2.png related to the Microsoft AZ-104 Exam
Image AZ-104_93R.png related to the Microsoft AZ-104 Exam



Box 1: roletype -
You need to configure Azure RBAC policy to determine who can log in to the VM. Two Azure roles are used to authorize VM login:
Virtual Machine Administrator Login: Users with this role assigned can log in to an Azure virtual machine with administrator privileges.
Virtual Machine User Login: Users with this role assigned can log in to an Azure virtual machine with regular user privileges.
Note, example roletype:
"roleName": "Virtual Machine Administrator Login",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
Box 2: assignableScopes -
Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope.
When you assign roles, you must specify a scope. Scope is the set of resources the access applies to. In Azure, you can specify a scope at four levels from broad to narrow: management group, subscription, resource group, and resource.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal

Question 94
You have an Azure subscription that contains a storage account named storage1. The storage1 account contains a file share named share1.
The subscription is linked to a hybrid Azure Active Directory (Azure AD) tenant that contains a security group named Group1.
You need to grant Group1 the Storage File Data SMB Share Elevated Contributor role for share1.
What should you do first?



Before you enable Azure AD over SMB for Azure file shares, make sure you have completed the following prerequisites:
1. Select or create an Azure AD tenant.
2. To support authentication with Azure AD credentials, you must enable Azure AD Domain Services for your Azure AD tenant.
Etc.
Note: The Storage File Data SMB Share Elevated Contributor allows read, write, delete and modify NTFS permissions in Azure Storage file shares over SMB.
Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable

Question 95
You have 15 Azure subscriptions.
You have an Azure Active Directory (Azure AD) tenant that contains a security group named Group1.
You plan to purchase additional Azure subscription.
You need to ensure that Group1 can manage role assignments for the existing subscriptions and the planned subscriptions. The solution must meet the following requirements:
- Use the principle of least privilege.
- Minimize administrative effort.
What should you do?



The User Access Administrator role enables the user to grant other users access to Azure resources. This switch can be helpful to regain access to a subscription.
Management groups give you enterprise-grade management at scale no matter what type of subscriptions you might have.
Each directory is given a single top-level management group called the "Root" management group. This root management group is built into the hierarchy to have all management groups and subscriptions fold up to it. This root management group allows for global policies and Azure role assignments to be applied at the directory level.
Incorrect:
Not C: A few directories that started using management groups early in the preview before June 25 2018 could see an issue where not all the subscriptions were within the hierarchy. The process to have all subscriptions in the hierarchy was put in place after a role or policy assignment was done on the root management group in the directory.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles
https://docs.microsoft.com/en-us/azure/governance/management-groups/overview


Question 96
HOTSPOT -
You have an Azure subscription that contains the hierarchy shown in the following exhibit.
AZ-104_96Q_1.png related to the Microsoft AZ-104 Exam
You create an Azure Policy definition named Policy1.
To which Azure resources can you assign Policy1 and which Azure resources can you specify as exclusions from Policy1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
AZ-104_96Q_2.png related to the Microsoft AZ-104 Exam
Image AZ-104_96R.png related to the Microsoft AZ-104 Exam



Box 1: Tenant Root Group, ManagementGroup1, Subscription1, RG1, and VM1
Once your business rules have been formed, the policy definition or initiative is assigned to any scope of resources that Azure supports, such as management groups, subscriptions, resource groups, or individual resources.
Note: Azure provides four levels of scope: management groups, subscriptions, resource groups, and resources. The following image shows an example of these layers.
AZ-104_96E.png related to the Microsoft AZ-104 Exam
Box 2: ManagementGroup1, Subscription1, RG1, and VM1
You can exclude a subscope from the assignment.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview

Question 97
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:
AZ-104_97Q.png related to the Microsoft AZ-104 Exam
User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.
You need to create new user accounts in external.contoso.onmicrosoft.com.
Solution: You instruct User2 to create the user accounts.
Does that meet the goal?



Only a global administrator can add users to this tenant.
Reference:
https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/add-users-to-azure-ad

Question 98
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:
AZ-104_98Q.png related to the Microsoft AZ-104 Exam
User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.
You need to create new user accounts in external.contoso.onmicrosoft.com.
Solution: You instruct User4 to create the user accounts.
Does that meet the goal?



Only a global administrator can add users to this tenant.
Reference:
https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/add-users-to-azure-ad

Question 99
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:
AZ-104_99Q.png related to the Microsoft AZ-104 Exam
User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.
You need to create new user accounts in external.contoso.onmicrosoft.com.
Solution: You instruct User3 to create the user accounts.
Does that meet the goal?



Only a global administrator can add users to this tenant.
Reference:
https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/add-users-to-azure-ad

Question 100
You have two Azure subscriptions named Sub1 and Sub2.
An administrator creates a custom role that has an assignable scope to a resource group named RG1 in Sub1.
You need to ensure that you can apply the custom role to any resource group in Sub1 and Sub2. The solution must minimize administrative effort.
What should you do?



Can be used as:
"AssignableScopes": [
"/subscriptions/{Sub1}",
"/subscriptions/{Sub2}",
Note: Custom role example:
The following shows what a custom role looks like as displayed using Azure PowerShell in JSON format. This custom role can be used for monitoring and restarting virtual machines.
{
"Name": "Virtual Machine Operator",
"Id": "88888888-8888-8888-8888-888888888888",
"IsCustom": true,
"Description": "Can monitor and restart virtual machines.",
"Actions": [
"Microsoft.Storage/*/read",
"Microsoft.Network/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Support/*"
],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/subscriptions/{subscriptionId1}",
"/subscriptions/{subscriptionId2}",
"/providers/Microsoft.Management/managementGroups/{groupId1}"
]
}
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles





Premium Version