AZ-104: Microsoft Azure Administrator


Question 1

You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com and an Azure Kubernetes Service (AKS) cluster named AKS1.
An administrator reports that she is unable to grant access to AKS1 to the users in contoso.com.
You need to ensure that access to AKS1 can be granted to the contoso.com users.

What should you do first?
From contoso.com, modify the Organization relationships settings.
From contoso.com, create an OAuth 2.0 authorization endpoint.
Recreate AKS1.
From AKS1, create a namespace.




Answer is From contoso.com, create an OAuth 2.0 authorization endpoint.

To identify the user, the authenticator uses the id_token (not the access_token) from the OAuth2 token response as a bearer token. See above for how the token is included in a request.

Reference:
https://kubernetes.io/docs/reference/access-authn-authz/authentication/

Question 2

You have an Azure Active Directory (Azure AD) tenant named adatum.com. Adatum.com contains the groups in the following table.

You create two user accounts that are configured as shown in the following table.

To which groups do User1 and User2 belong?




User 1: Group1 only - City starts with M, but their department is excluded for Group 2.

User 2: Group1 and Group2 only - City starts with M, no restrictions for Group 2. Also, the user can belong to an O365 group regardless of whether the user has O365 assigned. (Note: there might be a typo in the question about “Human resources” and “human resource”. If there is no typo, then the answer should be Group1 only.)

Group 3 is a statically assigned group, so you have to manually add members. Group 3 can be removed from the equation for both users. For all the group features, if you have an Azure AD Premium subscription, users can join the group whether or not they have an AAD P1 license assigned to them. Licensing isn't enforced.



Reference:
https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/datatypes-string-operators

Question 3

You have a hybrid deployment of Azure Active Directory (Azure AD) that contains the users shown in the following table.

You need to modify the JobTitle and UsageLocation attributes for the users.
For which users can you modify the attributes from Azure AD?




Box 1: User1 and User3 only
You must use Windows Server Active Directory to update the identity, contact info, or job info for users whose source of authority is Windows Server Active Directory.

Box 2: User1, User2, and User3
Usage location is an Azure property that can only be modified from Azure AD (for all users including Windows Server AD users synced via Azure AD Connect).

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal

Question 4

You have an Azure subscription that contains a user named User1.
You need to ensure that User1 can deploy virtual machines and manage virtual networks. The solution must use the principle of least privilege.

Which role-based access control (RBAC) role should you assign to User1?
A. Owner
B. Virtual Machine Contributor
C. Contributor
D. Virtual Machine Administrator Login




Answer is Virtual Machine Contributor

Virtual Machine Contributor: Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to.

Incorrect Answers:
A: Owner: Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
C: Contributor: Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC.
D: Virtual Machine Administrator Login: View Virtual Machines in the portal and log in as administrator.

Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

Question 5

You have an Azure Active Directory (Azure AD) tenant named adatum.com that contains the users shown in the following table.

Adatum.com has the following configurations:
- Users may join devices to Azure AD is set to User1.
- Additional local administrators on Azure AD joined devices is set to None.

You deploy Windows 10 to a computer named Computer1. User1 joins Computer1 to adatum.com.
You need to identify the local Administrator group membership on Computer1.

Which users are members of the local Administrators group?
User1 only
User2 only
User1 and User2 only
User1, User2, and User3 only
User1, User2, User3, and User4




Answer is User1 and User2 only

Users may join devices to Azure AD - This setting enables you to select the users who can register their devices as Azure AD joined devices. The default is All.
Additional local administrators on Azure AD joined devices - You can select the users that are granted local administrator rights on a device. Users added here are added to the Device Administrators role in Azure AD. Global administrators, here User2, in Azure AD and device owners are granted local administrator rights by default.

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal

Question 6

You have an Azure subscription named Subscription1 that contains the following resource group:
- Name: RG1
- Region: West US
- Tag: tag1 - value1

You assign an Azure policy named Policy1 to Subscription1 by using the following configurations:
- Exclusions: None
- Policy definition: Append a tag and its value to resources
- Assignment name: Policy1
- Parameters:
  - Tag name: tag2
  - Tag value: value2

After Policy1 is assigned, you create a storage account that has the following configuration:
- Name: storage1
- Location: West US
- Resource group: RG1
- Tags: tag3 - value3

You need to identify which tags are assigned to each resource.

What should you identify? To answer, select the appropriate options in the answer area.




Tags applied to the resource group are not inherited by the resources in that resource group.

Definition of the "Append a tag and its value to resources" policy:
- Does not modify the tags of resources created before this policy was applied until those resources are changed.
- Does not apply to resource groups

Box 1: tag1: value1 only
The tags for the RG will be tag1: value1. The RG was created before the policy, and the policy is not applied to previously created resources (the RG) unless there is a remediation task, which is not mentioned here.

Box 2: tag2: value2, and tag3: value3 only

The tags for the storage account will be tag2: value2 from the policy and tag3: value3 from itself. Tags of the RG are not inherited.

Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags

Question 7

You have an Azure subscription named Subscription1 that is used by several departments at your company. Subscription1 contains the resources in the following table:

Another administrator deploys a virtual machine named VM1 and an Azure Storage account named storage2 by using a single Azure Resource Manager template.
You need to view the template used for the deployment.

From which blade can you view the template that was used for the deployment?
VM1
RG1
storage2
container1




Answer is RG1

View template from deployment history
1. Go to your new resource group. Notice that the portal shows the result of the last deployment. Select this link.

2. You see a history of deployments for the group. In your case, the portal probably lists only one deployment. Select this deployment.

3. The portal displays a summary of the deployment. The summary includes the status of the deployment and its operations and the values that you provided for parameters. To see the template that you used for the deployment, select View template.


Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-export-template

Question 8

You have an Azure subscription named AZPT1 that contains the resources shown in the following table:

You create a new Azure subscription named AZPT2.
You need to identify which resources can be moved to AZPT2.

Which resources should you identify?
VM1, storage1, VNET1, and VM1Managed only
VM1 and VM1Managed only
VM1, storage1, VNET1, VM1Managed, and RVAULT1
RVAULT1 only




Answer is VM1, storage1, VNET1, VM1Managed, and RVAULT1

You can move a VM and its associated resources to a different subscription by using the Azure portal.
You can now move an Azure Recovery Service (ASR) Vault to either a new resource group within the current subscription or to a new subscription.

Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-resource-group-and-subscription

Question 9

You have an Azure subscription named Subscription1. Subscription1 contains the resource groups in the following table.

RG1 has a web app named WebApp1. WebApp1 is located in West Europe.
You move WebApp1 to RG2.

What is the effect of the move?
The App Service plan for WebApp1 remains in West Europe. Policy2 applies to WebApp1.
The App Service plan for WebApp1 moves to North Europe. Policy2 applies to WebApp1.
The App Service plan for WebApp1 remains in West Europe. Policy1 applies to WebApp1.
The App Service plan for WebApp1 moves to North Europe. Policy1 applies to WebApp1.




Answer is The App Service plan for WebApp1 remains in West Europe. Policy2 applies to WebApp1.

You can move an app to another App Service plan, as long as the source plan and the target plan are in the same resource group and geographical region.
The region in which your app runs is the region of the App Service plan it's in. However, you cannot change an App Service plan's region.

Reference:
https://docs.microsoft.com/en-us/azure/app-service/app-service-plan-manage

Question 10

You have an Azure Active Directory (Azure AD) tenant that has the contoso.onmicrosoft.com domain name.
You have a domain name of contoso.com registered at a third-party registrar.
You need to ensure that you can create Azure AD users that have names containing a suffix of @contoso.com.

Which three actions should you perform in sequence?




1. Add the custom domain name to your directory
2. Add a DNS entry for the domain name at the domain name registrar
3. Verify the custom domain name in Azure AD

Reference:
https://docs.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain
