This article comes from an anonymous friend who successfully obtained Microsoft Azure Administrator (az-104) certification! At my request, he shared his secret to success! Contains a Microsoft AZ-104 exam guide, materials, and valuable experience! I will not introduce the value of Azure certification and the registration process here.
Show his certificate first:
Earlier, the Azure certifications were valid for 2 years from the date of the certification cleared. According to Microsoft’s recent update in policy, from June 30, 2021 (5 PM PT on June 29, 2021), all the Azure certifications (role-based and specialty ) are valid for one year.
You must pass new test questions before expiration to renew the certification. (Azure officials probably consider that the functions of their own cloud platform are constantly iteratively updated, hoping to keep you in a state of learning) For related test questions, you can see what I shared before!
AZ-104 Exam Format:
Azure supports both online exams and exam center exams
I chose the online exam! You can take the exam at home or in the office, which is very convenient. 15 minutes before the exam appointment time. Before the exam, the online invigilator will ask you to use a camera to take pictures of your exam environment (since I am in the company’s conference room, if I am at home, the desktop should be kept as simple as possible)
Examination Content:
- Module 1: Manage Azure identities and governance (20–25%)
- Module 2: Implement and manage storage (15–20%)
- Module 3 Deploy and manage Azure compute resources (20–25%)
- Module 4: Implement and manage virtual networking (15–20%)
- Module 5: Monitor and maintain Azure resources (10–15%)
Exam experience:
- The Azure exam is basically a total of 1000 points, and you can pass with 700 points.
- The number of general exam questions ranges from 41, 42, 43, 44 or 51, 52, 53.
- Personally, I feel that the more questions there are, the greater the probability of passing.
- As for which subject you want to take the exam, go to Lead4Pass to find the corresponding question bank and buy the question bank. Memorize the questions and if you pass them. 95%-100% will pass the exam.
Exam preparation process:
- First of all, register and apply for an Azure free account. It is very necessary to practice the various functions of Azure when studying each exam module.
- Official Study Materials: Nothing summarizes the exam syllabus better than official documents.
- Video tutorial:
- Microsoft Azure Administrator AZ-104 Exam course (Youtube)
- There are many AZ-104 training courses on Udemy, and the course learning will be slower.
- Review questions: The AZ-104 exam is in the form of multiple-choice questions. It is still necessary to review questions before the exam. Here are some websites that share dumps of exam questions.
- [Lead4Pass]
- [Pass4itsure]
- [Pass4lead]
AZ-104 exam questions:
*You can analyze various knowledge points from the answers
| From | Type | Number of exam questions | Related exams |
| Lead4Pass | Free online practice | 15 | Azure dumps materials |
Question 1:
You have an Azure Storage account that contains 5,000 blobs accessed by multiple users. You need to ensure that the users can view only specific blobs based on blob index tags. What should you include in the solution?
A. a role assignment condition
B. a stored access policy
C. just-in-time (JIT) VM Access
D. a shared access signature (SAS)
Correct Answer: D
Explanation:
Manage and find Azure Blob data with blob index tags Permissions and authorization You can authorize access to blob index tags using one of the following approaches:
Using Azure role-based access control (Azure RBAC) to grant permissions to an Azure Active Directory (Azure AD) security principal. Use Azure AD for superior security and ease of use. *-> Using a shared access signature (SAS) to delegate access to the blob index.
Using the account access keys to authorize operations with Shared Key.
Reference: https://learn.microsoft.com/en-us/azure/storage/blobs/storage-manage-find-blobs
Question 2:
You have an Azure subscription that contains the storage accounts shown in the following table.
You need to identify which storage account can be converted to zone-redundant storage (ZRS) replication by requesting a live migration from Azure support.
What should you identify?
A. Storage1
B. Storage2
C. Storage3
D. Storage4
Correct Answer: B
ZRS currently supports standard general-purpose v2, FileStorage, and BlockBlobStorage storage account types.
Incorrect Answers:
A, not C: Live migration is supported only for storage accounts that use LRS replication. If your account uses GRS or RA-GRS, then you need to first change your account\’s replication type to LRS before proceeding. This intermediary step removes the secondary endpoint provided by GRS/RA- GRS.
Also, only standard storage account types support live migration. Premium storage accounts must be migrated manually.
D: ZRS currently supports standard general-purpose v2, FileStorage, and BlockBlobStorage storage account types.
References: https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-zrs
Question 3:
You have two subscriptions named Subscription1 and Subscription2. Each subscription is associated to a different Azure AD tenant.
Subscription1 contains a virtual network named VNet1. VNet1 contains an Azure virtual machine named VM1 and has an IP address space of 10.0.0.0/16.
Subscription2 contains a virtual network named VNet2. VNet2 contains an Azure virtual machine named VM2 and has an IP address space of 10.10.0.0/24.
You need to connect VNet1 to VNet2.
What should you do first?
A. Move VNet1 to Subscription2.
B. Modify the IP address space of VNet2.
C. Provision virtual network gateways.
D. Move VM1 to Subscription2.
Correct Answer: C
The virtual networks can be in the same or different regions, and from the same or different subscriptions.
When connecting VNets from different subscriptions, the subscriptions do not need to be associated with the same Active Directory tenant. Configuring a VNet-to-VNet connection is a good way to easily connect VNets.
Connecting a virtual network to another virtual network using the VNet-to-VNet connection type (VNet2VNet) is similar to creating a Site-to-Site IPsec connection to an on-premises location.
Both connectivity types use a VPN gateway to provide a secure tunnel using IPsec/IKE, and both function the same way when communicating.
The local network gateway for each VNet treats the other VNet as a local site. This lets you specify additional address space for the local network gateway in order to route traffic.
References: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource- manager-portal
Question 4:
HOTSPOT
You have an Azure subscription named Subscription1 that contains a resource group named RG1.
In RG1, you create an internal load balancer named LB1 and a public load balancer named LB2.
You need to ensure that an administrator named Admin1 can manage LB1 and LB2. The solution must follow the principle of least privilege.
Which role should you assign to Admin1 for each task? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Network Contributor on RG1
To add to the backend pool, write permission is required on the Resource Group because it writes deployment information. To add a backend pool, you need a network contributor role on the LB and on the VMs that will be part of the backend pool.
For this reason, the network contributor role must be assigned to the RG where the LB and the VM reside. So the correct answer is Network Contributor on RG1.
Box 2: Network Contributor on RG1
For the Health Probe, without having access to RG1, no health probe can be added. If only the Network Contributor role is assigned to LB then the user would not be able to access the IP addresses of the member pools.
The owner/Contributor can give the user access to everything. So it will not fit into the the principle of least privilege. Hence Owner and contributor role is incorrect choices for the question.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
Question 5:
HOTSPOT
You plan to use Azure Network Watcher to perform the following tasks:
1.
Task 1: Identify a security rule that prevents a network packet from reaching an Azure virtual machine.
2.
Task 2: Validate outbound connectivity from an Azure virtual machine to an external host.
Which feature should you use for each task? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Task 1: IP flow verification The IP flow verification capability enables you to specify a source and destination IPv4 address, port, protocol (TCP or UDP), and traffic direction (inbound or outbound). IP flow verifies then tests the communication and informs you if the connection succeeds or fails. If the connection fails, IP flow verification tells you which security rule allowed or denied the communication, so that you can resolve the problem.
Task 2: Connection troubleshooting The connection troubleshooting capability enables you to test a connection between a VM and another VM, an FQDN, a URI, or an IPv4 address. The test returns similar information returned when using the connection monitor capability, but tests the connection at a point in time, rather than monitoring it over time.
Reference: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-connectivity-overview
Question 6:
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure web app named Appl. App1 runs in an Azure App Service plan named Plan1. Plan1 is associated with the Free pricing tier.
You discover that App1 stops each day after running continuously for 60 minutes.
You need to ensure that App1 can run continuously for the entire day.
Solution: You change the pricing tier of Plan 1 to Basic.
Does this meet the goal?
A. Yes
B. No
Correct Answer: A
The Free Tier provides 60 CPU minutes/day. This explains why App1 stops. The Basic tier has no such cap. References: https://azure.microsoft.com/en-us/pricing/details/app-service/windows/
Question 7:
HOTSPOT
You have an Azure Resource Manager template for a virtual machine named Template1. Template 1 has the following parameters section.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Question 8:
You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1.
You need to view the error events from a table named Event.
Which query should you run in Workspace1?
A. Get-EventEvent|where{$_.EventType==”error”}
B. search in (Event)”error”
C. select * from Event where EventType == “error”
D. searchin(Event)*|whereEventType-eq”error”
Correct Answer: B
To search a term in a specific table, add the table name just after the search operator Note:
There are several versions of this question in the exam. The question has two possible correct answers:
1.
Event | search “error”
2.
Event | where EventType == “error”
3.
Search in (Event) “error”
Other incorrect answer options you may see on the exam include the following:
1.
Get-Event Event | where {$_.EventTye “eq “error”}
2.
Event | where EventType is “error”
3.
Search in (Event) * | where EventType “eq “error”
4.
select*fromEventwhereEventTypeis”error”
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/search-queries https://docs.microsoft.com/ en-us/azure/azure-monitor/logquery/get-started-portal https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/searchoperator? pivots=azuredataexplorer
Question 9:
Your company has a Microsoft Azure subscription.
The company has data centers in Los Angeles and New York.
You are configuring the two data centers as geo-clustered sites for site resiliency.
You need to recommend an Azure storage redundancy option.
You have the following data storage requirements:
1.
Data must be stored on multiple nodes.
2.
Data must be stored on nodes in separate geographic locations.
3.
Data can be read from the secondary location as well as from the primary location
Which of the following Azure stored redundancy options should you recommend?
A. Geo-redundant storage
B. Read-only geo-redundant storage
C. Zone-redundant storage
D. Locally redundant storage
Correct Answer: B
RA-GRS allows you to have higher read availability for your storage account by providing “read-only” access to the data replicated to the secondary location. Once you enable this feature, the secondary location may be used to achieve higher availability in the event the data is not available in the primary region. This is an “opt-in” feature that requires the storage account to be geo-replicated.
Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy
Question 10:
You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1.
You need to view the error event from a table named Event. Which query should you run in Workspace1?
A. Get-Event Event | where {$_.EventType == “error”}
B. Event | search “error”
C. select * from Event where EventType == “error”
D. Event | where EventType is “error”
Correct Answer: B
Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/search-queries https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/get-started-portal https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/searchoperator?pivots=azuredataexplorer
Question 11:
You have an Azure subscription that contains an Azure Storage account.
You plan to create an Azure container instance named container1 that will use a Docker image named Image1. Image1 contains a Microsoft SQL Server instance that requires persistent storage.
You need to configure a storage service for Container 1.
What should you use?
A. Azure Files
B. Azure Blob storage
C. Azure Queue storage
D. Azure Table storage
Correct Answer: A
Microsoft has a Docker Volume Plugin for Azure file storage which provides exactly this and it is used for Azure file shares.
Azure File Storage volume plugin is not limited to ease of container migration. It also allows a file share to be shared among multiple containers (even though they are on different hosts) to collaborate on workloads, and share configuration or secrets of an application running on multiple hosts.
Another use case is uploading metrics and diagnostics data such as logs from applications to a file share for further processing.
Reference:
https://azure.microsoft.com/en-gb/blog/persistent-docker-volumes-with-azure-file-storage/
Question 12:
From the MFA Server blade, you open the Block/unblock users blade as shown in the exhibit.
What caused AlexW to be blocked?
A. The user account password expired.
B. The user entered an incorrect PIN four times within 10 minutes.
C. An administrator manually blocked the user.
D. The user reported a fraud alert when prompted for additional authentication.
Correct Answer: C
An Administrator can block a user:
1.
Sign in to the Azure portal as an administrator.
2.
Browse to Azure Active Directory > MFA > Block/unblock users.
3.
Select Add to block a user.
4.
Select the Replication Group. Enter the username for the blocked user as [email protected]. Enter a comment in the Reason field, for example, Lost phone.
5.
Select Add to finish blocking the user.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings
Question 13:
You have an Azure subscription that contains two Log Analytics workspaces named Workspace1 and Workspace2 and 100 virtual machines that run Windows Server. You need to collect performance data and events from the virtual machines.
The solution must meet the following requirements:
1.
Logs must be sent to Workspace 1 and Workspace 2.
2.
All Windows events must be captured.
3.
All security events must be captured.
What should you install and configure on each virtual machine?
A. the Azure Monitor agent
B. the Windows Azure diagnostics extension (WAD)
C. the Windows VM agent
D. object replication
Correct Answer: A
Azure Monitor Agent (AMA) collects monitoring data from the guest operating system of Azure and hybrid virtual machines and delivers it to Azure Monitor for use by features, insights, and other services, such as Microsoft Sentinel and Microsoft Defender for Cloud. Azure Monitor Agent replaces all of Azure Monitor\’s legacy monitoring agents.
Azure Monitor Agent replaces the Azure Monitor legacy monitoring agents:
Log Analytics Agent: Sends data to a Log Analytics workspace and supports monitoring solutions. This is fully consolidated into the Azure Monitor agent.
Telegraf agent
Diagnostics extension: Sends data to Azure Monitor Metrics (Windows only), Azure Event Hubs, and Azure Storage. This is not consolidated yet.
Reference:
https://learn.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview
Question 14:
HOTSPOT
You plan to deploy 20 Azure virtual machines by using an Azure Resource Manager template. The virtual machines will run the latest version of Windows Server 2016 Datacenter by using an Azure Marketplace image.
You need to complete the storage profile section of the template. How should you complete the storage profile section? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
“storageProfile”: {
“imageReference”: {
“publisher”: “MicrosoftWindowsServer”,
“offer”: “WindowsServer”,
“SKU”: “2016-Datacenter”,
“version”: “latest”
},
…
References:
https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/createorupdate
Question 15:
You need to define a custom domain name for Azure AD to support the planned infrastructure. Which domain name should you use?
A. ad.humongousinsurance.com
B. humongousinsurance.onmicrosoft.com
C. humongousinsurance.local
D. humongousinsurance.com
Correct Answer: D
Every Azure AD directory comes with an initial domain name in the form of domainname.onmicrosoft.com.
The initial domain name cannot be changed or deleted, but you can add your corporate domain name to Azure AD as well. For example, your organization probably has other domain names used to do business and users who sign in using your corporate domain name.
Adding custom domain names to Azure AD allows you to assign user names in the directory that are familiar to your users, such as \’[email protected].\’ instead of \’alice@domain name.onmicrosoft.com\’. Scenario: Network Infrastructure: Each office has a local data center that contains all the servers for that office.
Each office has a dedicated connection to the Internet. Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com Planned Azure AD Infrastructure: The on-premises Active Directory domain will be synchronized to Azure AD.
References: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain
At the end of this article, I share some of the above simulation test questions, for reference only! Candidates can download AZ-104 dumps: https://www.leads4pass.com/az-104.html, which contains 763 latest test questions and answers and provides PDF and VCE learning methods to help you successfully pass the Microsoft Azure Administrator az-104 exam.
