AZ-104: Microsoft Azure Administrator

Question 11

You have an Azure subscription that contains the resources in the following table.

Store1 contains a file share named data. Data contains 5,000 files.
You need to synchronize the files in the file share named data to an on-premises server named Server1.

Which three actions should you perform?
Create a container instance
Register Server1
Install the Azure File Sync agent on Server1
Download an automation script
Create a sync group




Step 1 (C): Install the Azure File Sync agent on Server1
The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share.

Step 2 (B): Register Server1.
Register Windows Server with Storage Sync Service
Registering your Windows Server with a Storage Sync Service establishes a trust relationship between your server (or cluster) and the Storage Sync Service.

Step 3 (E): Create a sync group and a cloud endpoint.
A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept in sync with each other. A sync group must contain one cloud endpoint, which represents an Azure file share, and one or more server endpoints. A server endpoint represents a path on a registered server.

Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide

Question 12

You have an Azure subscription that contains a web app named webapp1.
You need to add a custom domain named www.contoso.com to webapp1.

What should you do first?
Create a DNS record
Add a connection string
Upload a certificate
Stop webapp1




Answer is Create a DNS record

You can use either a CNAME record or an A record to map a custom DNS name to App Service.
You should use CNAME records for all custom DNS names except root domains (for example, contoso.com). For root domains, use A records.

Reference:
https://docs.microsoft.com/en-us/Azure/app-service/app-service-web-tutorial-custom-domain

Question 13

You plan to deploy an Azure container instance by using the following Azure Resource Manager template.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the template.




Box 1: can connect to the container from any device.
The template specifies a public IP address with TCP port 80 exposed. The osType setting applies to the container group definition, where it can be Windows or Linux. It is not related to device access.

Box 2: the container will restart automatically
This is stated in the template's restartPolicy, which is OnFailure.

When you create a container group in Azure Container Instances, you can specify one of three restart policy settings:

Always - Containers in the container group are always restarted. This is the default setting applied when no restart policy is specified at container creation.

Never - Containers in the container group are never restarted. The containers run at most once.

OnFailure - Containers in the container group are restarted only when the process executed in the container fails (when it terminates with a nonzero exit code). The containers are run at least once.

Reference:
https://docs.microsoft.com/en-in/azure/container-instances/container-instances-region-availability

Question 14

You have an Azure web app named App1. App1 has the deployment slots shown in the following table:

In webapp1-test, you test several changes to App1.
You back up App1.
You swap webapp1-test for webapp1-prod and discover that App1 is experiencing performance issues.

You need to revert to the previous version of App1 as quickly as possible.

What should you do?
Redeploy App1
Swap the slots
Clone App1
Restore the backup of App1




Answer is Swap the slots

When you swap deployment slots, Azure swaps the Virtual IP addresses of the source and destination slots, thereby swapping the URLs of the slots. We can easily revert the deployment by swapping back.

Deployment slots are live apps with their own host names. App content and configuration elements can be swapped between two deployment slots, including the production slot.

Deploying your application to a non-production slot has the following benefits:
1. You can validate app changes in a staging deployment slot before swapping it with the production slot.
2. Deploying an app to a slot first and swapping it into production makes sure that all instances of the slot are warmed up before being swapped into production.

Reference:
https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots

Question 15

You have an Azure subscription named Subscription1 that contains a resource group named RG1.
In RG1, you create an internal load balancer named LB1 and a public load balancer named LB2.
You need to ensure that an administrator named Admin1 can manage LB1 and LB2. The solution must follow the principle of least privilege.

Which role should you assign to Admin1 for each task?




Answers are both Network Contributor on RG1

Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

Question 16

You have a Microsoft 365 tenant and an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to grant three users named User1, User2, and User3 access to a temporary Microsoft SharePoint document library named Library1.
You need to create groups for the users. The solution must ensure that the groups are deleted automatically after 180 days.

Which two groups should you create?
a Microsoft 365 group that uses the Assigned membership type
a Security group that uses the Assigned membership type
a Microsoft 365 group that uses the Dynamic User membership type
a Security group that uses the Dynamic User membership type
a Security group that uses the Dynamic Device membership type




Answers are:
a Microsoft 365 group that uses the Assigned membership type
a Microsoft 365 group that uses the Dynamic User membership type


You can set expiration policy only for Office 365 groups in Azure Active Directory (Azure AD).
Note: With the increase in usage of Office 365 Groups, administrators and users need a way to clean up unused groups. Expiration policies can help remove inactive groups from the system and make things cleaner.
When a group expires, all of its associated services (the mailbox, Planner, SharePoint site, etc.) are also deleted.
You can set up a rule for dynamic membership on security groups or Office 365 groups.

Incorrect Answers:
B, D, E: You can set expiration policy only for Office 365 groups in Azure Active Directory (Azure AD).

Reference:
https://docs.microsoft.com/en-us/office365/admin/create-groups/office-365-groups-expiration-policy?view=o365-worldwide

Question 17

You have an Azure Active Directory (Azure AD) tenant that contains 5,000 user accounts.
You create a new user account named AdminUser1.
You need to assign the User administrator administrative role to AdminUser1.

What should you do from the user account properties?
From the Licenses blade, assign a new license
From the Directory role blade, modify the directory role
From the Groups blade, invite the user account to a new group




Answer is From the Directory role blade, modify the directory role

Assign a role to a user
1. Sign in to the Azure portal with an account that's a global admin or privileged role admin for the directory.
2. Select Azure Active Directory, select Users, and then select a specific user from the list.
3. For the selected user, select Directory role, select Add role, and then pick the appropriate admin roles from the Directory roles list, such as Conditional access administrator.
4. Press Select to save.

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal

Question 18

You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains 100 user accounts.
You purchase 10 Azure AD Premium P2 licenses for the tenant.
You need to ensure that 10 users can use all the Azure AD Premium features.

What should you do?
From the Licenses blade of Azure AD, assign a license
From the Groups blade of each user, invite the users to a group
From the Azure AD domain, add an enterprise application
From the Directory role blade of each user, modify the directory role




Answer is From the Licenses blade of Azure AD, assign a license

Active Directory -> Manage section -> Choose Licenses -> All Products -> Select Azure Active Directory Premium P2 -> Then assign a user to it.

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/license-users-groups

Question 19

You sign up for Azure Active Directory (Azure AD) Premium.
You need to add a user named admin1@contoso.com as an administrator on all the computers that will be joined to the Azure AD domain.

What should you configure in Azure AD?
Device settings from the Devices blade
Providers from the MFA Server blade
User settings from the Users blade
General settings from the Groups blade




Answer is Device settings from the Devices blade

When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principals to the local administrators group on the device:
- The Azure AD global administrator role
- The Azure AD device administrator role
- The user performing the Azure AD join

In the Azure portal, you can manage the device administrator role on the Devices page. To open the Devices page:
1. Sign in to your Azure portal as a global administrator or device administrator.
2. On the left navbar, click Azure Active Directory.
3. In the Manage section, click Devices.
4. On the Devices page, click Device settings.
5. To modify the device administrator role, configure Additional local administrators on Azure AD joined devices.

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin

Question 20

You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.
The User administrator role is assigned to a user named Admin1.
An external partner has a Microsoft account that uses the user1@outlook.com sign in.
Admin1 attempts to invite the external partner to sign in to the Azure AD tenant and receives the following error message: "Unable to invite user user1@outlook.com" Generic authorization exception.
You need to ensure that Admin1 can invite the external partner to sign in to the Azure AD tenant.

What should you do?
From the Users blade, modify the External collaboration settings.
From the Custom domain names blade, add a custom domain.
From the Organizational relationships blade, add an identity provider.
From the Roles and administrators blade, assign the Security administrator role to Admin1.




Answer is From the Users blade, modify the External collaboration settings.

You can adjust the guest user settings, their access, and who can invite them from "External collaboration settings".

Azure AD -> User Settings -> External Users -> Manage external collaboration settings.
Azure AD -> External Identities -> External Collaboration Settings

Reference:
https://techcommunity.microsoft.com/t5/Azure-Active-Directory/Generic-authorization-exception-inviting-Azure-AD-gests/td-p/274742
