Microsoft Azure AZ-104 Practice Questions and Solutions
- Author: 신주용
ExamTopics Q1-10
Question 1
Your company has several departments. Each department has a number of virtual machines (VMs). The company has an Azure subscription that contains a resource group named RG1. All VMs are located in RG1.
You want to associate each VM with its respective department. What should you do?
- A. Create Azure Management Groups for each department.
- B. Create a resource group for each department.
- C. Assign tags to the virtual machines.
- D. Modify the settings of the virtual machines.
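Answer: C. Assign tags to the virtual machines.
Tags are key-value pairs that help identify resources according to settings relevant to the organization. The AZ-900 dumps also had many questions about using tags to separate resources by department.
Tags can be applied to resources, resource groups, and subscriptions, but not to management groups.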
https://learn.microsoft.com/ko-kr/azure/azure-resource-manager/management/tag-resources
Question 2
Note: The question is included in a number of questions that depict the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company has an Azure Active Directory (Azure AD) subscription. You want to implement an Azure AD conditional access policy. The policy must be configured to require members of the Global Administrators group to use Multi-Factor Authentication and an Azure AD-joined device when they connect to Azure AD from untrusted locations.
Solution: You access the multi-factor authentication page to alter the user settings. Does the solution meet the goal?
- A. Yes
- B. No
Answer: B. No
Reportedly, the Conditional Access policy has to be created in the Azure AD portal, not on the multi-factor authentication page.
Question 3
Note: The question is included in a number of questions that depict the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company has an Azure Active Directory (Azure AD) subscription. You want to implement an Azure AD conditional access policy. The policy must be configured to require members of the Global Administrators group to use Multi-Factor Authentication and an Azure AD-joined device when they connect to Azure AD from untrusted locations.
Solution: You access the Azure portal to alter the session control of the Azure AD conditional access policy. Does the solution meet the goal?
- A. Yes
- B. No
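Answer: B. No
The question says the policy is to require MFA and an Azure AD-joined device, so this is a grant control, not a session control.
Session controls can enable a limited experience within specific cloud applications. Information about the connecting device is passed to the cloud app, which uses it to give the user either a limited or a full experience.
Grant controls can allow or block access to resources. The options include requiring multi-factor authentication, requiring authentication strength, requiring a device marked as compliant, requiring an Entra hybrid joined device, and so on.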
Question 4
Note: The question is included in a number of questions that depict the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company has an Azure Active Directory (Azure AD) subscription. You want to implement an Azure AD conditional access policy. The policy must be configured to require members of the Global Administrators group to use Multi-Factor Authentication and an Azure AD-joined device when they connect to Azure AD from untrusted locations.
Solution: You access the Azure portal to alter the grant control of the Azure AD conditional access policy. Does the solution meet the goal?
- A. Yes
- B. No
Answer: A. Yes
Same as Q3.
Question 5
You are planning to deploy an Ubuntu Server virtual machine to your company's Azure subscription. You are required to implement a custom deployment that includes adding a particular trusted root certification authority (CA). Which of the following should you use to create the virtual machine?
- A. The New-AzureRmVm cmdlet.
- B. The New-AzVM cmdlet.
- C. The Create-AzVM cmdlet.
- D. The az vm create command.
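Answer: D. The az vm create command.
ExamTopics lists C as the answer, but D has 99% of the votes in the discussion.
A, B, and C are PowerShell commands and D is a bash command. Of these, A is an old-version command, C is the current-version command, and B is a command that does not exist. So for now the answer is either C or D.
Using the PowerShell commands appears to create a Windows machine by default. Creating an Ubuntu machine is not impossible, but it is described as complicated.
So if this question comes up on the exam, I would probably pick D.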
Question 6
Note: The question is included in a number of questions that depict the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company makes use of Multi-Factor Authentication for when users are not in the office. The Per Authentication option has been configured as the usage model. After the acquisition of a smaller business and the addition of the new staff to Azure Active Directory (Azure AD), you are informed that these employees should also make use of Multi-Factor Authentication. To achieve this, the Per Enabled User setting must be set for the usage model.
Solution: You reconfigure the existing usage model via the Azure portal.
Does the solution meet the goal?
- A. Yes
- B. No
Answer: B. No
The usage model cannot be changed after the MFA provider has been created.
Question 7
Note: The question is included in a number of questions that depict the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company's Azure solution makes use of Multi-Factor Authentication for when users are not in the office. The Per Authentication option has been configured as the usage model. After the acquisition of a smaller business and the addition of the new staff to Azure Active Directory (Azure AD), you are informed that these employees should also make use of Multi-Factor Authentication. To achieve this, the Per Enabled User setting must be set for the usage model.
Solution: You reconfigure the existing usage model via the Azure CLI.
Does the solution meet the goal?
- A. Yes
- B. No
Answer: B. No
Same as Q6.
Question 8
Note: The question is included in a number of questions that depict the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company's Azure solution makes use of Multi-Factor Authentication for when users are not in the office. The Per Authentication option has been configured as the usage model. After the acquisition of a smaller business and the addition of the new staff to Azure Active Directory (Azure AD), you are informed that these employees should also make use of Multi-Factor Authentication. To achieve this, the Per Enabled User setting must be set for the usage model.
Solution: You create a new Multi-Factor Authentication provider with a backup from the existing Multi-Factor Authentication provider data.
Does the solution meet the goal?
- A. Yes
- B. No
Answer: B. No
Since September 1, 2018, new MFA providers can no longer be created.
Question 9
Note: The question is included in a number of questions that depict the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company has an Azure Active Directory (Azure AD) tenant named weyland.com that is configured for hybrid coexistence with the on-premises Active Directory domain. You have a server named DirSync1 that is configured as a DirSync server. You create a new user account in the on-premise Active Directory. You now need to replicate the user information to Azure AD immediately.
Solution: You run the Start-ADSyncSyncCycle -PolicyType Initial PowerShell cmdlet.
Does the solution meet the goal?
- A. Yes
- B. No
Answer: B. No
The user information in AD has to be replicated immediately, but Initial is a full sync and takes a long time, so it does not fit "immediately".
Question 10
Note: The question is included in a number of questions that depict the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company has an Azure Active Directory (Azure AD) tenant named weyland.com that is configured for hybrid coexistence with the on-premises Active Directory domain. You have a server named DirSync1 that is configured as a DirSync server. You create a new user account in the on-premise Active Directory. You now need to replicate the user information to Azure AD immediately.
Solution: You use Active Directory Sites and Services to force replication of the Global Catalog on a domain controller.
Does the solution meet the goal?
- A. Yes
- B. No
Answer: B. No
Similar to Q9. Run the AD synchronization with -PolicyType Delta.
ExamTopics Q11-20
Question 11
Note: The question is included in a number of questions that depict the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company has an Azure Active Directory (Azure AD) tenant named weyland.com that is configured for hybrid coexistence with the on-premises Active Directory domain. You have a server named DirSync1 that is configured as a DirSync server. You create a new user account in the on-premise Active Directory. You now need to replicate the user information to Azure AD immediately.
Solution: You restart the NetLogon service on a domain controller.
Does the solution meet the goal?
- A. Yes
- B. No
Answer: B. No
Instead of restarting a service, run the Delta Sync command from the CLI: Start-ADSyncSyncCycle -PolicyType Delta
Question 12
Your company has a Microsoft Azure subscription. The company has datacenters in Los Angeles and New York. You are configuring the two datacenters as geo-clustered sites for site resiliency. You need to recommend an Azure storage redundancy option. You have the following data storage requirements.
- Data must be stored on multiple nodes.
- Data must be stored on nodes in separate geographic locations.
- Data can be read from the secondary location as well as from the primary location.
Which of the following Azure storage redundancy options should you recommend?
- A. Geo-redundant storage
- B. Read-only geo-redundant storage
- C. Zone-redundant storage
- D. Locally redundant storage
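Answer: B. Read-only geo-redundant storage
The answer discussed on ExamTopics is B, but there seems to be some controversy.
- With GRS, the secondary is accessed when the primary fails.
- There is no such thing as Read-only GRS; there is Read-access GRS.
- A question like this will probably be corrected before it appears on the exam.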
Question 13
Note: The question is included in a number of questions that depict the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company has an Azure subscription that includes a storage account, a resource group, a blob container and a file share. A colleague named Jon Ross makes use of a solitary Azure Resource Manager (ARM) template to deploy a virtual machine and an additional Azure Storage account. You want to review the ARM template that was used by Jon Ross.
Solution: You access the Virtual Machine blade.
Does the solution meet the goal?
- A. Yes
- B. No
Answer: B. No
The ARM template can be viewed in the deployment history of the Resource Group blade, not the VM blade.
Question 14
Note: The question is included in a number of questions that depict the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company has an Azure subscription that includes a storage account, a resource group, a blob container and a file share. A colleague named Jon Ross makes use of a solitary Azure Resource Manager (ARM) template to deploy a virtual machine and an additional Azure Storage account. You want to review the ARM template that was used by Jon Ross.
Solution: You access the Resource Group blade.
Does the solution meet the goal?
- A. Yes
- B. No
Answer: A. Yes
Same question as Q13.
Question 15
Note: The question is included in a number of questions that depict the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company has an Azure subscription that includes a storage account, a resource group, a blob container and a file share. A colleague named Jon Ross makes use of a solitary Azure Resource Manager (ARM) template to deploy a virtual machine and an additional Azure Storage account. You want to review the ARM template that was used by Jon Ross.
Solution: You access the Container blade.
Does the solution meet the goal?
- A. Yes
- B. No
Answer: B. No
Same question as Q13.
Question 16
Your company has three virtual machines (VMs) that are included in an availability set. You try to resize one of the VMs, which returns an allocation failure message. It is imperative that the VM is resized. Which of the following actions should you take?
- A. You should only stop one of the VMs.
- B. You should stop two of the VMs.
- C. You should stop all three VMs.
- D. You should remove the necessary VM from the availability set.
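Answer: C. You should stop all three VMs.
An allocation failure when resizing a VM in an availability set is a common problem. The main cause is that the availability set is allocated to a single cluster and that cluster cannot accommodate the requested VM size.
Why does a cluster suddenly come up? Internally, the VMs in an availability set are placed on a physical hardware cluster, and when a VM is resized Azure tries to adjust resources within that same cluster. If the cluster lacks resources, the allocation fails.
So the most effective fix is to stop (deallocate) all VMs in the availability set and start them again. When all VMs are stopped, Azure picks a new cluster with enough capacity and attempts a fresh allocation.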
Microsoft Learn: Troubleshoot deployment issues with restarting or resizing an existing windows VM in Azure
Microsoft Learn: Change the size of a virtual machine
Question 17
You have an Azure virtual machine (VM) that has a single data disk. You have been tasked with attaching this data disk to another Azure VM. You need to make sure that your strategy allows for the virtual machines to be offline for the least amount of time possible. Which of the following is the action you should take FIRST?
- A. Stop the VM that includes the data disk.
- B. Stop the VM that the data disk must be attached to.
- C. Detach the data disk.
- D. Delete the VM that includes the data disk.
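Answer: C. Detach the data disk.
On ExamTopics it is C 80%, A 19%. It is a reasonable thing to be torn over. At first I thought that 'Detach' in option C seems to mean removing the disk from the VM entirely rather than 'unmount', and if so, shouldn't stopping the VM come first?
Reportedly, a hot remove is possible with PowerShell. The **'least amount of time possible'** in the question may be hinting at this. So if this question comes up on the exam, I would probably choose C.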
Question 18
Your company has an Azure subscription. You need to deploy a number of Azure virtual machines (VMs) using Azure Resource Manager (ARM) templates. You have been informed that the VMs will be included in a single availability set. You are required to make sure that the ARM template you configure allows for as many VMs as possible to remain accessible in the event of fabric failure or maintenance. Which of the following is the value that you should configure for the platformFaultDomainCount property?
- A. 10
- B. 30
- C. Min Value
- D. Max Value
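Answer: D. Max Value
'Fabric' can mean cloth, but it also means 'the structure (of a society, organization, etc.) or the basic structure (of a building)'. Here it seems to mean the infrastructure, the basic structure of the system.
So the question reads: 'To configure the ARM template so that as many VMs as possible remain accessible during an infrastructure failure or maintenance, what value should the platformFaultDomainCount property be set to?'
The selectable values are 1, 2, and 3, and the default is 3. So choose D.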
Microsoft Learn: Choosing the right number of fault domains for Virtual Machine Scale Set
Question 19
Your company has an Azure subscription. You need to deploy a number of Azure virtual machines (VMs) using Azure Resource Manager (ARM) templates. You have been informed that the VMs will be included in a single availability set. You are required to make sure that the ARM template you configure allows for as many VMs as possible to remain accessible in the event of fabric failure or maintenance. Which of the following is the value that you should configure for the platformUpdateDomainCount property?
- A. 10
- B. 20
- C. 30
- D. 40
Answer: B. 20
Similar to Q18, but this time it asks about update domains rather than fault domains.
Each availability set can be configured with up to 3 fault domains and 20 update domains.
ExamTopics Q21-30
Question 21
Your company has an Azure Active Directory (Azure AD) tenant that is configured for hybrid coexistence with the on-premise Active Directory domain. The on-premise virtual environment consists of virtual machines (VMs) running on Windows Server 2012 R2 Hyper-V host servers. You have created some PowerShell scripts to automate the configuration of newly created VMs. You plan to create several new VMs. You need a solution that ensures the scripts are run on the new VMs.
Which of the following is the best solution?
- A. Configure a SetupComplete.cmd batch file in the %windir%\setup\scripts directory.
- B. Configure a Group Policy Object (GPO) to run the scripts as logon scripts.
- C. Configure a Group Policy Object (GPO) to run the scripts as startup scripts.
- D. Place the scripts in a new virtual hard disk (VHD).
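Answer: A. Configure a SetupComplete.cmd batch file in the %windir%\setup\scripts directory.
The SetupComplete.cmd documentation says the script runs after Windows is installed and before the logon screen appears, and that SetupComplete.cmd cannot be run again after the system reboots, so I take it to be a script that runs only once, after installation and before the first logon.
A GPO is said to be applied when the computer starts and when a user logs on.
So for 'automating the configuration of newly installed VMs' as the question puts it, the somewhat better fit seems to be SetupComplete.cmd, which runs exactly once, rather than a GPO, which checks the policy of the user's group and applies the scripts every time the user logs on.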
Question 22
Your company has an Azure Active Directory (Azure AD) tenant that is configured for hybrid coexistence with the on-premise Active Directory domain. You plan to deploy several new virtual machines (VMs) in Azure. The VMs will have the same operating system and custom software requirements. You configure a reference VM in the on-premise virtual environment. You then generalize the VM to create an image. You need to upload the image to Azure to ensure that it is available for selection when you create the new Azure VMs.
Which PowerShell cmdlets should you use?
- A. Add-AzVM
- B. Add-AzVhd
- C. Add-AzImage
- D. Add-AzImageDataDisk
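Answer: B. Add-AzVhd
According to the Azure PowerShell > Az.Compute command list, there is no Add-AzVM command; there is a New-AzVM command that can be used to create a VM. Add-AzImageDataDisk is for adding a disk to an existing image, so it is ruled out.
B versus C is a hard call because C seems the better answer to the question as described: the reference VM has been configured, it has been generalized to create an image, and all that remains is to upload the image to Azure so it can be selected when creating VMs. The problem is that there is no Add-AzImage command, only New-AzImage...
Add-AzVhd adds a VHD (Virtual Hard Disk), a disk file rather than a VM, to Azure. However, according to this Q&A, creating a VM from a VHD is possible. That is why 92% of people in the ExamTopics discussion chose B.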
Question 24~26
Note: The question is included in a number of questions that depict the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company's Azure subscription includes two Azure networks named VirtualNetworkA and VirtualNetworkB. VirtualNetworkA includes a VPN gateway that is configured to make use of static routing. Also, a site-to-site VPN connection exists between your company's on-premise network and VirtualNetworkA.
You have configured a point-to-site VPN connection to VirtualNetworkA from a workstation running Windows 10. After configuring virtual network peering between VirtualNetworkA and VirtualNetworkB, you confirm that you are able to access VirtualNetworkB from the company's on-premise network. However, you find that you cannot establish a connection to VirtualNetworkB from the Windows 10 workstation.
You have to make sure that a connection to VirtualNetworkB can be established from the Windows 10 workstation.
Q24) Solution: You choose the Allow gateway transit setting on VirtualNetworkA.
Q25) Solution: You choose the Allow gateway transit setting on VirtualNetworkB.
Q26) Solution: You download and re-install the VPN client configuration package on the Windows 10 workstation.
Does the solution meet the goal?
- A. Yes
- B. No
Answer: Q24 - B. No / Q25 - B. No / Q26 - A. Yes
Access from the on-premises Win10 workstation to VirtualNetworkA has been confirmed, VirtualNetworkA and VirtualNetworkB are peered, and access from the on-premises network to VirtualNetworkB has been confirmed, but the Win10 workstation cannot reach VirtualNetworkB. In this situation, changing the gateway settings of VNetA or VNetB is pointless.
Try reinstalling the VPN client configuration package.
Question 27
Your company has virtual machines (VMs) hosted in Microsoft Azure. The VMs are located in a single Azure virtual network named VNet1. The company has users that work remotely. The remote workers require access to the VMs on VNet1.
You need to provide access for the remote workers.
What should you do?
- A. Configure a Site-to-Site (S2S) VPN.
- B. Configure a VNet-to-VNet VPN.
- C. Configure a Point-to-Site (P2S) VPN.
- D. Configure DirectAccess on a Windows Server 2012 server VM.
- E. Configure a Multi-Site VPN.
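Answer: C. Configure a Point-to-Site (P2S) VPN.
A P2S VPN gateway connection lets you create a secure connection to a VNet from an individual client computer. In context, the question reads as each worker connecting remotely. If S2S VPN were the answer, the question would have said something like 'connect the Azure VNet to the on-premises site'.
VPN is recommended over DirectAccess.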
Question 28
Note: The question is included in a number of questions that depict the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company has a Microsoft SQL Server Always On availability group configured on their Azure virtual machines (VMs).
You need to configure an Azure internal load balancer as a listener for the availability group.
Solution: You create an HTTP health probe on port 1433.
Does the solution meet the goal?
- A. Yes
- B. No
Answer: B. No
Port 1433 is the port used for SQL Server engine connections, and it must be connected over TCP, not HTTP.
Question 29
Note: The question is included in a number of questions that depict the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company has a Microsoft SQL Server Always On availability group configured on their Azure virtual machines (VMs).
You need to configure an Azure internal load balancer as a listener for the availability group.
Solution: You set Session persistence to Client IP.
Does the solution meet the goal?
- A. Yes
- B. No
Answer: B. No
This one is split, roughly B 59% and A 41%.
In the lab, the internal load balancer IP is set as a SQL Server cluster parameter, but Session persistence is not configured, so if this question comes up on the exam I would probably choose No.
Question 30
Note: The question is included in a number of questions that depict the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company has a Microsoft SQL Server Always On availability group configured on their Azure virtual machines (VMs).
You need to configure an Azure internal load balancer as a listener for the availability group.
Solution: You enable Floating IP.
Does the solution meet the goal?
- A. Yes
- B. No
Answer: A. Yes
Same question as Q29 with a different Solution. Here, only one instance at a time can own the availability group listener, and the LB has to forward traffic to the correct instance; for that, Floating IP (Direct Server Return) must be set to 'Enabled'.
ExamTopics Q31-40
Question 31
Your company has two on-premises servers named SRV01 and SRV02. Developers have created an application that runs on SRV01. The application calls a service on SRV02 by IP address.
You plan to migrate the application to Azure virtual machines (VMs). You have configured two VMs on a single subnet in an Azure virtual network.
You need to configure the two VMs with static internal IP addresses.
What should you do?
- A. Run the New-AzureRMVMConfig PowerShell cmdlet.
- B. Run the Set-AzureSubnet PowerShell cmdlet.
- C. Modify the VM properties in the Azure Management Portal.
- D. Modify the IP properties in Windows Network and Sharing Center.
- E. Run the Set-AzureStaticVNetIP PowerShell cmdlet.
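Answer: C. Modify the VM properties in the Azure Management Portal.
This one is split, roughly E 55% and C 45%. According to the Set-AzureStaticVNetIP description, this cmdlet sets the static VNet IP address information for a virtual machine object, so that answer does seem right; however, according to the 'Note', the cmdlet is for managing legacy Azure resources and is scheduled to be retired. So I don't think this question will appear, and if it does, choosing C should be fine.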
Question 32
Your company has an Azure Active Directory (Azure AD) subscription. You need to deploy five virtual machines (VMs) to your company's virtual network subnet. The VMs will each have both a public and private IP address. Inbound and outbound security rules for all of these virtual machines must be identical.
Which of the following is the least amount of network interfaces needed for this configuration?
- A. 5
- B. 10
- C. 20
- D. 40
Answer: A. 5
There are 5 VMs, so 5 network interfaces as well (1 per VM).
Question 33
Your company has an Azure Active Directory (Azure AD) subscription. You need to deploy five virtual machines (VMs) to your company's virtual network subnet. The VMs will each have both a public and private IP address. Inbound and outbound security rules for all of these virtual machines must be identical.
Which of the following is the least amount of security groups needed for this configuration?
- A. 4
- B. 3
- C. 2
- D. 1
Answer: D. 1
The inbound and outbound rules are said to be all identical, so they can be covered by 1 security group.
Question 35
Your company's Azure subscription includes Azure virtual machines (VMs) that run Windows Server 2016. One of the VMs is backed up every day using Azure Backup Instant Restore. When the VM becomes infected with data encrypting ransomware, you are required to restore the VM.
Which of the following actions should you take?
- A. You should restore the VM after deleting the infected VM.
- B. You should restore the VM to any VM within the company's subscription.
- C. You should restore the VM to a new Azure VM.
- D. You should restore the VM to an on-premise Windows device.
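Answer: C. You should restore the VM to a new Azure VM.
It is an Azure VM and there is no need to restore it on-premises, so D is out. A Windows Server VM cannot be restored to a Linux VM either, so B is wrong too. Deleting the VM is fine, but it has to be deleted after the restore.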
Question 36
You administer a solution in Azure that is currently having performance issues. You need to find the cause of the performance issues pertaining to metrics on the Azure infrastructure.
Which of the following is the tool you should use?
- A. Azure Traffic Analytics
- B. Azure Monitor
- C. Azure Activity Log
- D. Azure Advisor
Answer: B. Azure Monitor
Use Azure Monitor to find performance issues related to metrics.
Question 37
Your company has an Azure subscription that includes a Recovery Services vault. You want to use Azure Backup to schedule a backup of your company's virtual machines (VMs) to the Recovery Services vault.
Which of the following VMs can you back up? Choose all that apply.
- A. VMs that run Windows 10.
- B. VMs that run Windows Server 2012 or higher.
- C. VMs that have NOT been shut down.
- D. VMs that run Debian 8.2+.
- E. VMs that have been shut down.
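Answer: A, B, C, D, E
According to the Azure VM backup support list, Windows 10 is supported and Windows Server 2012 and later are supported, so choose A and B. Linux is listed as supported unless it is CoreOS or 32-bit, so Debian 8.2 and later also works. Backup is possible whether the VM is running or offline.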
Question 38
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named contoso.com. You have a CSV file that contains the names and email addresses of 500 external users. You need to create a guest user account in contoso.com for each of the 500 external users.
Solution: You create a PowerShell script that runs the New-AzureADUser cmdlet for each user.
Does this meet the goal?
- A. Yes
- B. No
Answer: B. No
External users have to be 'invited', not 'new'-ed or 'created'. The discussion says to use New-AzureADMSInvitation, but there is a post saying that Azure AD PowerShell has been deprecated and that Graph PowerShell should be used instead. So if this question comes up these days, choosing New-MgInvitation should do.
Question 39
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named contoso.com. You have a CSV file that contains the names and email addresses of 500 external users. You need to create a guest user account in contoso.com for each of the 500 external users.
Solution: From Azure AD in the Azure portal, you use the Bulk create user operation.
Does this meet the goal?
- A. Yes
- B. No
Answer: B. No
As in Q38, it is an 'Invitation', not a bulk 'Create'. See the tutorial link.
Question 40
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named contoso.com. You have a CSV file that contains the names and email addresses of 500 external users. You need to create a guest user account in contoso.com for each of the 500 external users.
Solution: You create a PowerShell script that runs the New-AzureADMSInvitation cmdlet for each external user.
Does this meet the goal?
- A. Yes
- B. No
Answer: A. Yes
Same question as Q38, but as explained in the Q38 solution, the New-AzureADMSInvitation command has been deprecated and the New-MgInvitation command is used now.
ExamTopics Q41-50
Question 41
HotSpot
You have an Azure subscription named Subscription1 that contains a resource group named RG1. In RG1, you create an internal load balancer named LB1 and a public load balancer named LB2. You need to ensure that an administrator named Admin1 can manage LB1 and LB2. The solution must follow the principle of least privilege.
Which role should you assign to Admin1 for each task? To answer, select the appropriate options in the answer area.
- To add a backend pool to LB1:
- Contributor on LB1
- Network Contributor on LB1
- Network Contributor on RG1
- Owner on LB1
- To add a health probe to LB2:
- Contributor on LB2
- Network Contributor on LB2
- Network Contributor on RG1
- Owner on LB2
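Answer: Network Contributor on LB1 / Network Contributor on LB2
Adding a backend pool to an LB and adding a health probe to an LB are both network tasks. Since 'least privilege' is required, assign the Network Contributor role.
The Contributor role can also change settings other than networking, so it does not meet the least-privilege condition, and Owner is an even broader role.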
Question 42
You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com and an Azure Kubernetes Service (AKS) cluster named AKS1.
An administrator reports that she is unable to grant access to AKS1 to the users in contoso.com.
You need to ensure that access to AKS1 can be granted to the contoso.com users.
What should you do first?
- A. From contoso.com, modify the Organization relationships settings.
- B. From contoso.com, create an OAuth 2.0 authorization endpoint.
- C. Recreate AKS1.
- D. From AKS1, create a namespace.
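Answer: B. From contoso.com, create an OAuth 2.0 authorization endpoint.
The reason given for B being chosen so often is that OpenID Connect is used when configuring RBAC, and OpenID Connect is implemented on top of the OAuth 2.0 protocol.
However, Azure AD is now fully integrated into AKS, so there is also the opinion that the answer is C: the AAD integration option has to be selected when recreating the cluster.
For reference, AKS is not in the AZ-104 exam scope.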
Question 43
You have a Microsoft 365 tenant and an Azure Active Directory (Azure AD) tenant named contoso.com. You plan to grant three users named User1, User2, and User3 access to a temporary Microsoft SharePoint document library named Library1.
You need to create groups for the users. The solution must ensure that the groups are deleted automatically after 180 days.
Which two groups should you create? Each correct answer presents a complete solution.
- A. a Microsoft 365 group that uses the Assigned membership type
- B. a Security group that uses the Assigned membership type
- C. a Microsoft 365 group that uses the Dynamic User membership type
- D. a Security group that uses the Dynamic User membership type
- E. a Security group that uses the Dynamic Device membership type
View solution
Answer: A, C
An expiration policy can be set only on Microsoft 365 groups, not on security groups.
Question 45
HotSpot
You have the Azure management groups shown in the following table:
Name | In management group |
---|---|
Tenant Root Group | Not applicable |
ManagementGroup11 | Tenant Root Group |
ManagementGroup12 | Tenant Root Group |
ManagementGroup21 | ManagementGroup11 |
You add Azure subscriptions to the management groups as shown in the following table:
Name | Management group |
---|---|
Subscription1 | ManagementGroup21 |
Subscription2 | ManagementGroup12 |
You create the Azure policies shown in the following table:
Name | Parameter | Scope |
---|---|---|
Not allowed resource types | virtualNetworks | Tenant Root Group |
Allowed resource types | virtualNetworks | ManagementGroup12 |
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
- You can create a virtual network in Subscription1.
- You can create a virtual machine in Subscription2.
- You can add Subscription1 to ManagementGroup11.
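View solution
Answer: No / Yes / Yes
- ManagementGroup21, which contains Subscription1, falls under Tenant Root Group, and virtual networks are a not-allowed resource type for that group.
- The VM resource type is not restricted, so the VM can be created.
- A subscription can be moved between management groups, but it can belong to only one management group.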
Question 47
HotSpot
You have an Azure subscription that contains the resources shown in the following table:
Name | Type | Resource group | Tag |
---|---|---|---|
RG6 | Resource group | Not applicable | None |
VNET1 | Virtual network | RG6 | Department: D1 |
You assign a policy to RG6 as shown in the following table:
Section | Setting | Value |
---|---|---|
Scope | Scope | Subscription1/RG6 |
Scope | Exclusions | None |
Basics | Policy definition | Apply tag and its default value |
Basics | Assignment name | Apply tag and its default value |
Parameters | Tag name | Label |
Parameters | Tag value | Value1 |
To RG6, you apply the tag: RGroup: RG6.
You deploy a virtual network named VNET2 to RG6.
Which tags apply to VNET1 and VNET2? To answer, select the appropriate options in the answer area.
- VNET1:
  - None
  - Department: D1 only
  - Department: D1, and RGroup: RG6 only
  - Department: D1, and Label: Value1 only
  - Department: D1, and RGroup: RG6, and Label: Value1
- VNET2:
  - None
  - RGroup: RG6 only
  - Label: Value1 only
  - RGroup: RG6, and Label: Value1
View solution
Answer: VNET1 - Department: D1 only / VNET2 - Label: Value1 only
The policy on RG6 assigns the tag `Label: Value1` and its value, so when VNET2 is deployed to RG6 it gets the `Label: Value1` tag.
VNET1, however, was already deployed with only the `Department: D1` tag before this policy was assigned, so the tag from the policy is not added to it.
The tag `RGroup: RG6` added to the resource group is not inherited by the resources under it.
Question 48
You have an Azure subscription named AZPT1 that contains the resources shown in the following table:
Name | Type |
---|---|
storage1 | Azure Storage account |
VNET1 | Virtual network |
VM1 | Azure virtual machine |
VM1Managed | Managed disk for VM1 |
RVAULT1 | Recovery Services vault for the site recovery of VM1 |
You create a new Azure subscription named AZPT2.
You need to identify which resources can be moved to AZPT2.
Which resources should you identify?
- A. VM1, storage1, VNET1, and VM1Managed only
- B. VM1 and VM1Managed only
- C. VM1, storage1, VNET1, VM1Managed, and RVAULT1
- D. RVAULT1 only
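View solution
Answer: C. VM1, storage1, VNET1, VM1Managed, and RVAULT1
All of the resources above can be moved to another subscription. However, a resource can only be moved to a new resource group or a new subscription; its region cannot be changed.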
Question 49
You recently created a new Azure subscription that contains a user named Admin1. Admin1 attempts to deploy an Azure Marketplace resource by using an Azure Resource Manager template. Admin1 deploys the template by using Azure PowerShell and receives the following error message: User failed validation to purchase resources.
Error message: Legal terms have not been accepted for this item on this subscription. To accept legal terms, please go to the Azure portal (https://go.microsoft.com/fwlink/?LinkId=534873) and configure programmatic deployment for the Marketplace item or create it there for the first time.
You need to ensure that Admin1 can deploy the Marketplace resource successfully.
What should you do?
- A. From Azure PowerShell, run the Set-AzApiManagementSubscription cmdlet
- B. From the Azure portal, register the Microsoft.Marketplace resource provider
- C. From Azure PowerShell, run the Set-AzMarketplaceTerms cmdlet
- D. From the Azure portal, assign the Billing administrator role to Admin1
View solution
Answer: C. From Azure PowerShell, run the Set-AzMarketplaceTerms cmdlet
The error message says `Legal terms have not been accepted ...`. Put simply, the step of agreeing to the terms, as when signing up for a service, also has to be done with a PowerShell cmdlet.
Question 50
You have an Azure Active Directory (Azure AD) tenant that contains 5,000 user accounts. You create a new user account named AdminUser1. You need to assign the User administrator administrative role to AdminUser1.
What should you do from the user account properties?
- A. From the Licenses blade, assign a new license
- B. From the Directory role blade, modify the directory role
- C. From the Groups blade, invite the user account to a new group
View solution
Answer: B. From the Directory role blade, modify the directory role
Because a specific user's permissions on the AD tenant need to be changed, modify the role from the Directory role blade.