AZ-104: Microsoft Azure Administrator


Question 11

You have an Azure web app named App1. App1 has the deployment slots shown in the following table:

In webapp1-test, you test several changes to App1.
You back up App1.
You swap webapp1-test for webapp1-prod and discover that App1 is experiencing performance issues.

You need to revert to the previous version of App1 as quickly as possible.

What should you do?
Redeploy App1
Swap the slots
Clone App1
Restore the backup of App1




Answer is Swap the slots

When you swap deployment slots, Azure swaps the Virtual IP addresses of the source and destination slots, thereby swapping the URLs of the slots. We can easily revert the deployment by swapping back.

Deployment slots are live apps with their own host names. App content and configuration elements can be swapped between two deployment slots, including the production slot.

Deploying your application to a non-production slot has the following benefits:
1. You can validate app changes in a staging deployment slot before swapping it with the production slot.
2. Deploying an app to a slot first and swapping it into production makes sure that all instances of the slot are warmed up before being swapped into production.

Reference:
https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots

Question 12

You have an Azure subscription named Subscription1 that contains a resource group named RG1.
In RG1, you create an internal load balancer named LB1 and a public load balancer named LB2.
You need to ensure that an administrator named Admin1 can manage LB1 and LB2. The solution must follow the principle of least privilege.

Which role should you assign to Admin1 for each task?




Answers are both Network Contributor on RG1

Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

Question 13

You have a Microsoft 365 tenant and an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to grant three users named User1, User2, and User3 access to a temporary Microsoft SharePoint document library named Library1.
You need to create groups for the users. The solution must ensure that the groups are deleted automatically after 180 days.

Which two groups should you create?
a Microsoft 365 group that uses the Assigned membership type
a Security group that uses the Assigned membership type
a Microsoft 365 group that uses the Dynamic User membership type
a Security group that uses the Dynamic User membership type
a Security group that uses the Dynamic Device membership type




Answers are: a Microsoft 365 group that uses the Assigned membership type
a Microsoft 365 group that uses the Dynamic User membership type


You can set an expiration policy only for Office 365 groups in Azure Active Directory (Azure AD).
Note: With the increase in usage of Office 365 Groups, administrators and users need a way to clean up unused groups. Expiration policies can help remove inactive groups from the system and make things cleaner.
When a group expires, all of its associated services (the mailbox, Planner, SharePoint site, etc.) are also deleted.
You can set up a rule for dynamic membership on security groups or Office 365 groups.

Incorrect Answers:
B, D, E: You can set an expiration policy only for Office 365 groups in Azure Active Directory (Azure AD).

Reference:
https://docs.microsoft.com/en-us/office365/admin/create-groups/office-365-groups-expiration-policy?view=o365-worldwide

Question 14

You have an Azure Active Directory (Azure AD) tenant that contains 5,000 user accounts.
You create a new user account named AdminUser1.
You need to assign the User administrator administrative role to AdminUser1.

What should you do from the user account properties?
From the Licenses blade, assign a new license
From the Directory role blade, modify the directory role
From the Groups blade, invite the user account to a new group




Answer is From the Directory role blade, modify the directory role

Assign a role to a user
1. Sign in to the Azure portal with an account that's a global admin or privileged role admin for the directory.
2. Select Azure Active Directory, select Users, and then select a specific user from the list.
3. For the selected user, select Directory role, select Add role, and then pick the appropriate admin roles from the Directory roles list, such as Conditional access administrator.
4. Press Select to save.

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal

Question 15

You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains 100 user accounts.
You purchase 10 Azure AD Premium P2 licenses for the tenant.
You need to ensure that 10 users can use all the Azure AD Premium features.

What should you do?
From the Licenses blade of Azure AD, assign a license
From the Groups blade of each user, invite the users to a group
From the Azure AD domain, add an enterprise application
From the Directory role blade of each user, modify the directory role




Answer is From the Licenses blade of Azure AD, assign a license

Active Directory -> Manage section -> Licenses -> All Products -> select Azure Active Directory Premium P2 -> then assign a user to it.

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/license-users-groups

Question 16

You sign up for Azure Active Directory (Azure AD) Premium.
You need to add a user named admin1@contoso.com as an administrator on all the computers that will be joined to the Azure AD domain.

What should you configure in Azure AD?
Device settings from the Devices blade
Providers from the MFA Server blade
User settings from the Users blade
General settings from the Groups blade




Answer is Device settings from the Devices blade

When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principals to the local administrators group on the device:
- The Azure AD global administrator role
- The Azure AD device administrator role
- The user performing the Azure AD join

In the Azure portal, you can manage the device administrator role on the Devices page. To open the Devices page:
1. Sign in to your Azure portal as a global administrator or device administrator.
2. On the left navbar, click Azure Active Directory.
3. In the Manage section, click Devices.
4. On the Devices page, click Device settings.
5. To modify the device administrator role, configure Additional local administrators on Azure AD joined devices.

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin

Question 17

You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.
The User administrator role is assigned to a user named Admin1.
An external partner has a Microsoft account that uses the user1@outlook.com sign in.
Admin1 attempts to invite the external partner to sign in to the Azure AD tenant and receives the following error message: "Unable to invite user user1@outlook.com" Generic authorization exception.
You need to ensure that Admin1 can invite the external partner to sign in to the Azure AD tenant.

What should you do?
From the Users blade, modify the External collaboration settings.
From the Custom domain names blade, add a custom domain.
From the Organizational relationships blade, add an identity provider.
From the Roles and administrators blade, assign the Security administrator role to Admin1.




Answer is From the Users blade, modify the External collaboration settings.

From "External collaboration settings", you can adjust the guest user settings, their access, and who can invite them.

Azure AD -> User Settings -> External Users -> Manage external collaboration settings.
Azure AD -> External Identities -> External Collaboration Settings

Reference:
https://techcommunity.microsoft.com/t5/Azure-Active-Directory/Generic-authorization-exception-inviting-Azure-AD-gests/td-p/274742

Question 18

You have a Recovery Service vault that you use to test backups. The test backups contain two protected virtual machines.
You need to delete the Recovery Services vault.

What should you do first?
From the Recovery Service vault, delete the backup data.
Modify the disaster recovery properties of each virtual machine.
Modify the locks of each virtual machine.
From the Recovery Service vault, stop the backup of each backup item.




Answer is From the Recovery Service vault, stop the backup of each backup item.

You can't delete a Recovery Services vault if it is registered to a server and holds backup data. If you try to delete a vault, but can't, the vault is still configured to receive backup data.

Remove vault dependencies and delete vault:
In the vault dashboard menu, scroll down to the Protected Items section, and click Backup Items. In this menu, you can stop and delete Azure File Servers, SQL Servers in Azure VM, and Azure virtual machines.

Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault

Question 19

You have an Azure Kubernetes Service (AKS) cluster named AKS1.
You need to configure cluster autoscaler for AKS1.

Which two tools should you use?
the kubectl command
the az aks command
the Set-AzVm cmdlet
the Azure portal
the Set-AzAks cmdlet




Answer is B & D

We need to configure the autoscaler for the AKS cluster. We do not want to scale Kubernetes pods, so the kubectl command is not needed.

A: The kubectl command is used for configuring Kubernetes, not the AKS cluster.
B: The az aks command is used for the AKS cluster configuration.
C: The Set-AzVm cmdlet is used for VMs.
D: In the Azure portal, under node pools, press scale, then choose auto scale.
E: Set-AzAks creates or updates an AKS cluster; the correct cmdlet is Set-AzAksCluster.

AKS clusters can scale in one of two ways:
- The cluster autoscaler watches for pods that can't be scheduled on nodes because of resource constraints. The cluster then automatically increases the number of nodes.
- The horizontal pod autoscaler uses the Metrics Server in a Kubernetes cluster to monitor the resource demand of pods. If an application needs more resources, the number of pods is automatically increased to meet the demand.

Reference:
https://docs.microsoft.com/en-us/azure/aks/cluster-autoscaler

Question 20

You have an Azure virtual machine named VM1 that runs Windows Server 2019.
You save VM1 as a template named Template1 to the Azure Resource Manager library.
You plan to deploy a virtual machine named VM2 from Template1.

What can you configure during the deployment of VM2?
operating system
administrator username
virtual machine size
resource group




Answer is resource group

When you create a template, you may parameterize some values, like admin username, but you don't have to. The RG is impossible to put in a template, therefore you must specify this at deployment.

Creating an Azure virtual machine usually includes two steps:

- Create a resource group. An Azure resource group is a logical container into which Azure resources are deployed and managed. A resource group must be created before a virtual machine.
- Create a virtual machine.

When deploying a virtual machine from a template, you must specify:
- the Resource Group name and location for the VM
- the administrator username and password
- a unique DNS name for the public IP

Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/ps-template
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/quickstart-create-templates-use-the-portal
