COURSE CODE: AZ-104 EXAM TIME
COURSE TITLE: Microsoft Azure Administrator — Full Practice DATE ALLOWED
Examination —/—/ 120
INSTRUCTOR: — —— Minutes
◇
Microsoft Azure — AZ-104
Azure Administrator Full Practice Examination
ALL QUESTIONS ARE COMPULSORY
A MULTIPLE CHOICE QUESTIONS (200 Marks)
Choose the single best answer for each question. Write the correct letter (A, B, C, or D) in the space provided.
1. You need to define a custom domain name for Azure AD to support the planned
infrastructure. Which domain name should you use?
A. ad.humongousinsurance.com
B. humongousinsurance.onmicrosoft.com
C. humongousinsurance.local
D. humongousinsurance.com
✦ CORRECT ANSWER: D — humongousinsurance.com.
Every Azure AD directory comes with an initial domain name in the form domainname.onmicrosoft.com. The initial
domain name cannot be changed or deleted, but you can add your corporate domain name to Azure AD as well.
Adding custom domain names such as humongousinsurance.com allows you to assign user names that are familiar
to your users, such as '' instead of ''.
,2. You need to prepare the environment to meet authentication requirements. Which two
actions should you perform? Each correct answer presents part of the solution.
A. Allow inbound TCP port 8080 to the domain controllers in the Miami office.
B. Add http://autologon.microsoftazuread-sso.com to the intranet zone of each client computer in the Miami
office.
C. Join the client computers in the Miami office to Azure AD.
D. Install the AD FS role on a domain controller in the Miami office.
E. Install Azure AD Connect on a server in the Miami office and enable Pass-through Authentication.
✦ CORRECT ANSWER: B, E — Add the autologon URL to intranet zone and install Azure AD Connect with PTA.
Seamless SSO requires the Azure AD URL https://autologon.microsoftazuread-sso.com to be added to users'
Intranet zone settings via Group Policy. It works with any cloud authentication method — Password Hash
Synchronization or Pass-through Authentication — and is enabled via Azure AD Connect.
3. You attempt to assign a license in Azure and receive an error: "Licenses not assigned.
License agreement failed for one user." The Azure subscription has available licenses.
What should you do to resolve this?
A. From the Groups blade, invite the user accounts to a new group.
B. From the Profile blade, modify the usage location.
C. From the Directory role blade, modify the directory role.
✦ CORRECT ANSWER: B — From the Profile blade, modify the usage location.
Some Microsoft services are not available in all locations due to local laws and regulations. Before assigning a
license to a user, the Usage location property must be specified. This can be configured under User > Profile >
Settings in the Azure portal. Without a usage location set, license assignment will fail.
,4. You have an Azure subscription with resource groups RG1 (East Asia) and RG2 (East US). In
RG1 you create VM1 in East Asia. You plan to create VNET1 and connect VM1 to it. What are
two possible ways to achieve this?
A. Create VNET1 in RG2, and then set East Asia as the location.
B. Create VNET1 in a new resource group in West US, and then set West US as the location.
C. Create VNET1 in RG1, and then set East Asia as the location.
D. Create VNET1 in RG1, and then set East US as the location.
E. Create VNET1 in RG2, and then set East US as the location.
✦ CORRECT ANSWER: A, C — Create VNET1 in any RG with location East Asia.
A network interface can exist in the same or different resource group than the VM or VNet it connects to. However,
the VM and VNet must be in the same region. Therefore VNET1 must be created in the East Asia region. Resource
groups can span multiple regions, but VNets only hold resources in their own region.
5. You need to configure a storage account named account1 to allow uploading disk files
from an on-premises network using public IP 131.107.1.0/24 and attaching disks to VM1 in
VNet1 (192.168.0.0/24) while preventing all other access. Which two actions should you
perform?
A. From the Firewalls and virtual networks blade of account1, add the 131.107.1.0/24 IP address range.
B. From the Firewalls and virtual networks blade of account1, select Selected networks.
C. From the Firewalls and virtual networks blade of account1, add VNet1.
D. From the Firewalls and virtual networks blade of account1, select Allow trusted Microsoft services to
access this storage account.
E. From the Service endpoints blade of VNet1, add a service endpoint.
✦ CORRECT ANSWER: A, B — Add the on-premises IP range and select Selected networks.
To limit access to selected networks, first change the default action to 'Selected networks.' Then add the on-
premises public IP range (131.107.1.0/24) to allow the file upload. VNet1 should be added via the Firewalls blade
after enabling a Service Endpoint for Storage on VNet1.
, 6. You add contoso.com as a custom domain name to Azure AD. You need to ensure that
Azure can verify the domain name. Which type of DNS record should you create?
A. PTR
B. MX
C. NSEC3
D. RRSIG
✦ CORRECT ANSWER: B — MX (or TXT).
To verify a custom domain in Azure AD, you must create either a TXT record or an MX record in your public DNS zone.
Azure AD provides the specific value that must be added to the record. Once the record is created and propagated,
Azure AD verifies the domain ownership.
7. Azure collects events from VM1. You are creating an alert rule in Azure Monitor to notify
when an error is logged in the System event log of VM1. What resource type should you
specify to monitor?
A. metric alert
B. Azure Log Analytics workspace
C. virtual machine
D. virtual machine extension
✦ CORRECT ANSWER: B — Azure Log Analytics workspace.
Azure Monitor collects event log data from VMs into a Log Analytics workspace via the Log Analytics VM extension.
Alerts based on event log entries (such as errors in the System log) query the Log Analytics workspace, not the VM
directly. The workspace is the data repository for log-based alerts.
COURSE TITLE: Microsoft Azure Administrator — Full Practice DATE ALLOWED
Examination —/—/ 120
INSTRUCTOR: — —— Minutes
◇
Microsoft Azure — AZ-104
Azure Administrator Full Practice Examination
ALL QUESTIONS ARE COMPULSORY
A MULTIPLE CHOICE QUESTIONS (200 Marks)
Choose the single best answer for each question. Write the correct letter (A, B, C, or D) in the space provided.
1. You need to define a custom domain name for Azure AD to support the planned
infrastructure. Which domain name should you use?
A. ad.humongousinsurance.com
B. humongousinsurance.onmicrosoft.com
C. humongousinsurance.local
D. humongousinsurance.com
✦ CORRECT ANSWER: D — humongousinsurance.com.
Every Azure AD directory comes with an initial domain name in the form domainname.onmicrosoft.com. The initial
domain name cannot be changed or deleted, but you can add your corporate domain name to Azure AD as well.
Adding custom domain names such as humongousinsurance.com allows you to assign user names that are familiar
to your users, such as '' instead of ''.
,2. You need to prepare the environment to meet authentication requirements. Which two
actions should you perform? Each correct answer presents part of the solution.
A. Allow inbound TCP port 8080 to the domain controllers in the Miami office.
B. Add http://autologon.microsoftazuread-sso.com to the intranet zone of each client computer in the Miami
office.
C. Join the client computers in the Miami office to Azure AD.
D. Install the AD FS role on a domain controller in the Miami office.
E. Install Azure AD Connect on a server in the Miami office and enable Pass-through Authentication.
✦ CORRECT ANSWER: B, E — Add the autologon URL to intranet zone and install Azure AD Connect with PTA.
Seamless SSO requires the Azure AD URL https://autologon.microsoftazuread-sso.com to be added to users'
Intranet zone settings via Group Policy. It works with any cloud authentication method — Password Hash
Synchronization or Pass-through Authentication — and is enabled via Azure AD Connect.
3. You attempt to assign a license in Azure and receive an error: "Licenses not assigned.
License agreement failed for one user." The Azure subscription has available licenses.
What should you do to resolve this?
A. From the Groups blade, invite the user accounts to a new group.
B. From the Profile blade, modify the usage location.
C. From the Directory role blade, modify the directory role.
✦ CORRECT ANSWER: B — From the Profile blade, modify the usage location.
Some Microsoft services are not available in all locations due to local laws and regulations. Before assigning a
license to a user, the Usage location property must be specified. This can be configured under User > Profile >
Settings in the Azure portal. Without a usage location set, license assignment will fail.
,4. You have an Azure subscription with resource groups RG1 (East Asia) and RG2 (East US). In
RG1 you create VM1 in East Asia. You plan to create VNET1 and connect VM1 to it. What are
two possible ways to achieve this?
A. Create VNET1 in RG2, and then set East Asia as the location.
B. Create VNET1 in a new resource group in West US, and then set West US as the location.
C. Create VNET1 in RG1, and then set East Asia as the location.
D. Create VNET1 in RG1, and then set East US as the location.
E. Create VNET1 in RG2, and then set East US as the location.
✦ CORRECT ANSWER: A, C — Create VNET1 in any RG with location East Asia.
A network interface can exist in the same or different resource group than the VM or VNet it connects to. However,
the VM and VNet must be in the same region. Therefore VNET1 must be created in the East Asia region. Resource
groups can span multiple regions, but VNets only hold resources in their own region.
5. You need to configure a storage account named account1 to allow uploading disk files
from an on-premises network using public IP 131.107.1.0/24 and attaching disks to VM1 in
VNet1 (192.168.0.0/24) while preventing all other access. Which two actions should you
perform?
A. From the Firewalls and virtual networks blade of account1, add the 131.107.1.0/24 IP address range.
B. From the Firewalls and virtual networks blade of account1, select Selected networks.
C. From the Firewalls and virtual networks blade of account1, add VNet1.
D. From the Firewalls and virtual networks blade of account1, select Allow trusted Microsoft services to
access this storage account.
E. From the Service endpoints blade of VNet1, add a service endpoint.
✦ CORRECT ANSWER: A, B — Add the on-premises IP range and select Selected networks.
To limit access to selected networks, first change the default action to 'Selected networks.' Then add the on-
premises public IP range (131.107.1.0/24) to allow the file upload. VNet1 should be added via the Firewalls blade
after enabling a Service Endpoint for Storage on VNet1.
, 6. You add contoso.com as a custom domain name to Azure AD. You need to ensure that
Azure can verify the domain name. Which type of DNS record should you create?
A. PTR
B. MX
C. NSEC3
D. RRSIG
✦ CORRECT ANSWER: B — MX (or TXT).
To verify a custom domain in Azure AD, you must create either a TXT record or an MX record in your public DNS zone.
Azure AD provides the specific value that must be added to the record. Once the record is created and propagated,
Azure AD verifies the domain ownership.
7. Azure collects events from VM1. You are creating an alert rule in Azure Monitor to notify
when an error is logged in the System event log of VM1. What resource type should you
specify to monitor?
A. metric alert
B. Azure Log Analytics workspace
C. virtual machine
D. virtual machine extension
✦ CORRECT ANSWER: B — Azure Log Analytics workspace.
Azure Monitor collects event log data from VMs into a Log Analytics workspace via the Log Analytics VM extension.
Alerts based on event log entries (such as errors in the System log) query the Log Analytics workspace, not the VM
directly. The workspace is the data repository for log-based alerts.
