Microsoft Azure AZ-104 문제 풀이

ExamTopics Q1-10
ExamTopics Q11-20
ExamTopics Q21-30

ExamTopics Q1-10

https://www.examtopics.com/exams/microsoft/az-104/view/

Question 1

Your company has serval departments. Each department has a number of virtual machines (VMs). The company has an Azure subscription that contains a resource group named RG1. All VMs are located in RG1.
You want to associate each VM with its respective department. What should you do?

A. Create Azure Management Groups for each department.
B. Create a resource group for each department.
C. Assign tags to the virtual machines.
D. Modify the settings of the virtual machines.

풀이 보기

선택: C. Assign tags to the virtual machines.
태그는 조직과 관련된 설정에 따라 리소스를 식별하는 데 도움이 되는 키-값 쌍. AZ-900 덤프에도 태그를 사용해 부서별 리소스를 구분하는 것과 관련한 문제가 많이 나왔음.
태그는 리소스, 리소스 그룹, 구독에 적용 가능하고 관리 그룹에는 적용 불가.
https://learn.microsoft.com/ko-kr/azure/azure-resource-manager/management/tag-resources

Question 2

Your company has an Azure Active Directory (Azure AD) subscription. You want to implement an Azure AD conditional access policy. The policy must be configured to require members of the Global Administrators group to use Multi-Factor Authentication and an Azure AD-joined device when they connect to Azure AD from untrusted locations.
Solution: You access the multi-factor authentication page to alter the user settings. Does the solution meet the goal?

A. Yes
B. No

풀이 보기

선택: B. No
multi-factor authentication 페이지가 아니라 Azure AD portal에서 Conditional Access Policy를 만들어야 된다고 함.

Question 3

Your company has an Azure Active Directory (Azure AD) subscription. You want to implement an Azure AD conditional access policy. The policy must be configured to require members of the Global Administrators group to use Multi-Factor Authentication and an Azure AD-joined device when they connect to Azure AD from untrusted locations.
Solution: You access the Azure portal to alter the session control of the Azure AD conditional access policy. Does the solution meet the goal?

A. Yes
B. No

풀이 보기

선택: B. No
문제에서 MFA나 AD-joined device를 요구하는 policy를 설정한다고 했으므로 session control이 아니라 grant control.
session control은 특정 클라우드 애플리케이션 내에서 제한된 환경을 사용하도록 설정 가능. 클라우드 앱으로 접속한 디바이스 정보를 전달하고 이를 사용해 사용자에게 제한된 환경이나 전체 환경을 제공.
grant control은 리소스에 대한 액세스를 허용하거나 차단할 수 있음. 여기에는 다단계 인증 필요, 인증 강도 필요, 준수 상태로 표시된 디바이스 필요, Entry 하이브리드 조인 디바이스 필요 등의 옵션이 포함됨.

Question 4

Your company has an Azure Active Directory (Azure AD) subscription. You want to implement an Azure AD conditional access policy. The policy must be configured to require members of the Global Administrators group to use Multi-Factor Authentication and an Azure AD-joined device when they connect to Azure AD from untrusted locations.
Solution: You access the Azure portal to alter the grant control of the Azure AD conditional access policy. Does the solution meet the goal?

A. Yes
B. No

풀이 보기

선택: A. Yes
Q3과 동일.

Question 5

You are planning to deploy an Ubuntu Server virtual machine to your company's Azure subscription. You are required to implement a custom deployment that includes adding a particular trusted root certification authority (CA). Which of the following should you use to create the virtual machine?

A. The New-AzureRmVm cmdlet.
B. The New-AzVM cmdlet.
C. The Create-AzVM cmdlet.
D. The az vm create command.

풀이 보기

선택: D. The az vm create command.
ExamTopics 사이트는 C라고 하는데 토론에서는 D가 99%.
A, B, C는 PowerShell 명령어이고 D는 bash 명령어. 이 중 A는 옛날 버전 명령어, C는 현재 버전 명령어이고 B는 없는 명령어이다. 그러므로 일단은 C 또는 D 중 하나.
PowerShell 명령어를 쓰면 기본적으로 윈도우 머신을 생성하는 것으로 보임. 우분투 머신을 생성할 수 없는건 아니지만 복잡하다고 설명되어 있음.
그래서 시험에 이 문제가 나온다면 D를 고를듯함.

Question 6

Your company makes use of Multi-Factor Authentication for when users are not in the office. The Per Authentication option has been configured as the usage model. After the acquisition of a smaller business and the addition of the new staff to Azure Active Directory (Azure AD) obtains a different company and adding the new employees to Azure Active Directory (Azure AD), you are informed that these employees should also make use of Multi-Factor Authentication. To achieve this, the Per Enabled User setting must be set for the usage model.
Solution: You reconfigure the existing usage model via the Azure portal.
Does the solution meet the goal?

A. Yes
B. No

풀이 보기

선택: B. No
MFA 제공자가 생성된 후에는 사용 모델 변경 불가

Question 7

Your company's Azure solution makes use of Multi-Factor Authentication for when users are not in the office. The Per Authentication option has been configured as the usage model. After the acquisition of a smaller business and the addition of the new staff to Azure Active Directory (Azure AD) obtains a different company and adding the new employees to Azure Active Directory (Azure AD), you are informed that these employees should also make use of Multi-Factor Authentication. To achieve this, the Per Enabled User setting must be set for the usage model.
Solution: You reconfigure the existing usage model via the Azure CLI.
Does the solution meet the goal?

A. Yes
B. No

풀이 보기

선택: B. No
Q6과 동일.

Question 8

Your company's Azure solution makes use of Multi-Factor Authentication for when users are not in the office. The Per Authentication option has been configured as the usage model. After the acquisition of a smaller business and the addition of the new staff to Azure Active Directory (Azure AD) obtains a different company and adding the new employees to Azure Active Directory (Azure AD), you are informed that these employees should also make use of Multi-Factor Authentication. To achieve this, the Per Enabled User setting must be set for the usage model.
Solution: You create a new Multi-Factor Authentication provider with a backup from the existing Multi-Factor Authentication provider data.
Does the solution meet the goal?

A. Yes
B. No

풀이 보기

선택: B. No
2018년 9월 1일 이후로 새 MFA 제공자 생성 불가

Question 9

Your company has an Azure Active Directory (Azure AD) tenant named weyland.com that is configured for hybrid coexistence with the on-premises Active Directory domain. You have a server named DirSync1 that is configured as a DirSync server. You create a new user account in the on-premise Active Directory. You now need to replicate the user information to Azure AD immediately.
Solution: You run the Start-ADSyncSyncCycle -PolicyType Initial PowerShell cmdlet.
Does the solution meet the goal?

A. Yes
B. No

풀이 보기

선택: B. No
AD의 유저 정보를 즉시 복제해야 되는데 Initial은 Full sync이고 시간이 많이 걸리니 immediately에 적합하지 않음.

Question 10

Your company has an Azure Active Directory (Azure AD) tenant named weyland.com that is configured for hybrid coexistence with the on-premises Active Directory domain. You have a server named DirSync1 that is configured as a DirSync server. You create a new user account in the on-premise Active Directory. You now need to replicate the user information to Azure AD immediately.
Solution: You use Active Directory Sites and Services to force replication of the Global Catalog on a domain controller.
Does the solution meet the goal?

A. Yes
B. No

풀이 보기

선택: B. No
Q9와 유사 문제. AD Synchronization을 -PolicyType Delta로 사용.

ExamTopics Q11-20

https://www.examtopics.com/exams/microsoft/az-104/view/2/

Question 11

Your company has an Azure Active Directory (Azure AD) tenant named weyland.com that is configured for hybrid coexistence with the on-premises Active Directory domain. You have a server named DirSync1 that is configured as a DirSync server. You create a new user account in the on-premise Active Directory. You now need to replicate the user information to Azure AD immediately.
Solution: You restart the NetLogon service on a domain controller.
Does the solution meet the goal?

A. Yes
B. No

풀이 보기

선택: B. No
서비스 재시작이 아니라 CLI로 Delta Sync 명령을 실행하면 됨.
Start-ADSyncSyncCycle -PolicyType Delta

Question 12

Your company has a Microsoft Azure subscription. The company has datacenters in Los Angeles and New York. You are configuring the two datacenters as geo-clustered sites for site resiliency. You need to recommend an Azure storage redundancy option. You have the following data storage requirements.

Data must be stored on multiple nodes.
Data must be stored on nodes in seperate geographic locations.
Data can be read from the secondary location as well as from the primary location.

Which of the following Azure stored redundancy options should you recommend?

A. Geo-redundant storage
B. Read-only geo-redundant storage
C. Zone-redundant storage
D. Locally redundant storage

풀이 보기

선택: B. Read-only geo-redundant storage
ExamTopics에서 논의되는 답은 B라는데, 논란이 조금 있어보임.

GRS는 primary에 장애가 발생했을 때 secondary로 액세스하는 방식.
Read-only GRS라는건 없고 Read-access GRS가 있음.
이런 문제는 수정돼서 나올듯함.

Question 13

Your comapany has an azure subscription that includes a storage account, a resource group, a blob container and a file share. A colleague named Jon Ross makes use of a solitary Azure Resouce Manager (ARM) template to deploy a virtual machine and an additional Azure Storage account. You want to review the ARM template that was used by Jon Ross.
Solution: You access the Virtual Machine blade.
Does the solution meet the goal?

A. Yes
B. No

풀이 보기

선택: B. No
ARM template은 VM 블레이드가 아닌 Resource Group 블레이드의 배포 히스토리에서 확인 가능.

Question 14

Your comapany has an azure subscription that includes a storage account, a resource group, a blob container and a file share. A colleague named Jon Ross makes use of a solitary Azure Resouce Manager (ARM) template to deploy a virtual machine and an additional Azure Storage account. You want to review the ARM template that was used by Jon Ross.
Solution: You access the Resource Group blade.
Does the solution meet the goal?

A. Yes
B. No

풀이 보기

선택: A. Yes
Q13과 동일한 문제.

Question 15

A. Yes
B. No

풀이 보기

선택: B. No Q13과 동일한 문제.

Question 16

Your company has three virtual machines (VMs) that are included in an availability set. You try to resize one of the VMs, which returns an allocation failure message. It is imperative that the VM is resized. Which of the following actions should you take?

A. You should only stop one of the VMs.
B. You should stop two of the VMs.
C. You should stop all three VMs.
D. You should remove the necessary VM from the availability set.

풀이 보기

선택: C. You should stop all three VMs.
가용성 집합 내 VM 크기 조절 시 할당 실패 오류는 일반적인 문제. 주요 원인은 가용성 집합이 단일 클러스터에 할당되어 있고 해당 클러스터가 요청된 VM 크기를 수용하지 못하기 때문.
갑자기 클러스터가 나온 이유? 가용성 집합의 내부 동작 원리가 가용성 집합에 포함된 VM을 물리적인 하드웨어 클러스터에 배치하고 VM을 리사이즈할 때는 동일 클러스터에서 리소스를 조정하려 하기 때문. 그 클러스터에 리소스가 부족하면 할당 실패 오류가 발생.
그래서 가장 효과적인 해결 방법은 가용성 집합 내 모든 VM을 중지(할당 취소, deallocate)하고 다시 시작하는 것. 모든 VM을 중지하면 Azure가 충분한 용량을 가진 새 클러스터를 선택해 새로운 할당을 시도.
Microsoft Learn: Troubleshoot deployment issues with restarting or resizing an existing windows VM in Azure
Microsoft Learn: Change the size of a virtual machine

Question 17

You have an Azure virtual machine (VM) that has a single data disk. You have been tasked with attaching this data disk to another Azure VM. You need to make sure that your strategy allows for the virtual machines to be offline for the least amount of time possible. Which of the following is the action you should take FIRST?

A. Stop the VM that includes the data disk.
B. Stop the VM that the data disk must be attached to.
C. Detach the data disk.
D. Delete the VM that includes the data disk.

풀이 보기

선택: C. Detach the data disk.
ExamTopics에서는 C 80%, A 19%. 충분히 고민될만하다. 처음에는 보기 C에서 'Detach'의 의미가 'unmount'가 아니라 아예 VM에서 떼는걸 말하는 것 같기 때문에 그렇다면 VM 종료가 먼저 아닌가?라고 생각.
PowerShell로 Hot Remove가 가능하다고 함. 문제에서 말한 **'least amount of time possible'**이 이걸 의도한 것 같기도 하고. 그래서 시험에 이 문제가 나온다면 C를 선택할 듯.

Question 18

Your comapany has an Azure subscription. You need to deploy a number of Azure virtual machines (VMs) during Azure Resource Manager (ARM) templates. You have been informed that the VMs will be included in a single availability set. You are required to make sure that the ARM template you configure allows for as many VMs as possible to remain accessible in the event of fabric failure or maintainance. Which of the following is the value that you should configure for the platformFaultDomainCount property?

A. 10
B. 30
C. Min Value
D. Max Value

풀이 보기

선택: D. Max Value
'fabric'이 직물이라는 뜻도 있지만 '(사회, 조직 등의) 구조 또는 (건물의) 기본 구조'라는 뜻이 있음. 여기에서는 시스템의 기본 구조인 인프라를 의미하는 듯.
그래서 해석하자면 'ARM 템플릿을 구성하여 인프라 실패나 유지보수 시 최대한 많은 VM이 계속 접근 가능하도록 하려면 platformFaultDomainCount 속성값을 어떻게 설정해야 하는가?'
선택 가능한 속성값은 1, 2, 3이 있고 기본값은 3. 그래서 D를 선택.
Microsoft Learn: Choosing the right number of fault domains for Virtual Machine Scale Set

Question 19

A. 10
B. 20
C. 30
D. 40

풀이 보기

선택: B. 20
Q18과 유사한데 이번에는 Fault Domain이 아니라 Update Domain에 대해 물음.
각 Availability Set은 최대 3개의 fault domain과 20개의 update domain으로 구성될 수 있음.

ExamTopics Q21-30

https://www.examtopics.com/exams/microsoft/az-104/view/3/

Question 21

Your comapany has an Azure Active Directory (Azure AD) tenant that is configured for hybrid coexistence with the on-premise Active Directory domain. The on-premise virtual environment consists of virtual machines (VMs) running on Windows Server 2012 R2 Hyper-V host servers. You have created some PowerShell scripts to automate the configuration of newly created VMs. You plan to create several new VMs. You need a solution that ensures the scripts are run on the new VMs.
Which of the following is the best solution?

A. Configure a SetupComplete.cmd batch file in the %windir%\setup\scripts directory.
B. Configure a Group Policy Object (GPO) to run the scripts as logon scripts.
C. Configure a Group Policy Object (GPO) to run the scripts as startup scripts.
D. Place the scripts in a new virtual hard disk (VHD).

풀이 보기

선택: A. Configure a SetupComplete.cmd batch file in the %windir%\setup\scripts directory.
SetupComplete.cmd 설명에는 Windows가 설치된 후 로그온 화면이 나타나기 전에 실행되는 스크립트라고 하고 시스템 재부팅 후에는 SetupComplete.cmd를 다시 실행할 수 없다고 하니 설치 후 최초 로그인 전 1회만 실행되는 스크립트라고 판단됨.
GPO는 컴퓨터가 시작될 때, 사용자가 로그인할 때 적용된다고 함.
따라서 문제에서 말하는 '새로 설치하는 VM의 설정을 자동화'하는 데 조금 더 적합한 것은 사용자가 로그인 할 때마다 그 사용자가 속한 그룹의 정책을 확인하고 스크립트를 적용하는 GPO가 아닌 단 한 번만 실행되는 SetupComplete.cmd라고 생각됨.

Question 22

Your comapany has an Azure Active Directory (Azure AD) tenant that is configured for hybrid coexistence with the on-premise Active Directory domain. You plan to deploy several new virtual machines (VMs) in Azure. The VMs will have the same operating system and custom software requirements. You configure a reference VM in the on-premise virtual environment. You then generalize the VM to create an image. You need to upload the image to Azure to ensure that it is available for selection when you create the new Azure VMs.
Which PowerShell cmdlets should you use?

A. Add-AzVM
B. Add-AzVhd
C. Add-AzImage
D. Add-AzImageDataDisk

풀이 보기

선택: B. Add-AzVhd
Azure PowerShell > Az.Compute 명령어 목록을 참고하면 일단 Add-AzVM이라는 명령어는 없고, VM을 생성할 때 사용 가능한 New-AzVM 명령어가 있음. 그리고 Add-AzImageDataDisk는 만들어진 이미지에 디스크를 추가하는 목적이므로 제외.
B와 C 중에 고민이 되는 이유로 문제 설명에 대한 답은 C가 더 맞을 것 같음. 레퍼런스 VM 설정도 다 했고, 이미지를 만들기 위한 일반화도 했고, 이미지를 Azure에 올려서 VM 만들 때 선택할 수 있게 하면 된다고 했으니. 그런데 문제는 Add-AzImage라는 명령어가 없고 New-AzImage 명령어만 있다...
Add-AzVhd는 VHD(Virtual Hard Disk)라는 VM이 아닌 디스크 파일을 Azure에 추가하는 명령어. 그런데 이 질의응답에 따르면 VHD로부터 VM을 만드는게 가능은 하다고 함. 그래서 ExamTopics 토론에서도 B를 선택한 사람이 92%.

Question 24~26

Your comapany's Azure subscription includes two Azure networks named VirtualNetworkA and VirtualNetworkB. VirtualNetworkA includes a VPN gateway that is configured to make use of static routing. Also, a site-to-site VPN connection exists between your company's on-premise network and VirtualNetworkA.
You have configured a point-to-site VPN connection to VirtualNetworkA from a workstation running Windows 10. After configuring virtual network peering between VirtualNetworkA and VirtualNetworkB, you confirm that you are able to access VirtualNetworkB from the company's on-premise network. However, you find that you cannot establish a connection to VirtualNetworkB from the Windows 10 workstation.
You have to make sure that a connection to VirtualNetworkB can be established from the Windows 10 workstation.

Q24) Solution: You choose the Allow gateway transit setting on VirtualNetworkA.
Q25) Solution: You choose the Allow gateway transit setting on VirtualNetworkB.
Q26) Solution: You download and re-install the VPN client configuration package on the Windows 10 workstation.

Does the solution meet the goal?

A. Yes
B. No

풀이 보기

선택: Q24 - B. No / Q25 - B. No / Q26 - A. Yes
온프레미스의 Win10 워크스테이션에서 VirtualNetworkA에 접근 가능 확인했고, VirtualNetworkA와 VirtualNetworkB는 peering 구성했고, 온프레미스 네트워크에서 VirtualNetworkB로 접근 가능한 것까지는 확인했는데 Win10 워크스테이션에서 VirtualNetworkB로 접근은 안되는 상황. 이 상황에서 VNetA나 VNetB의 게이트웨이 설정을 바꾸는 것은 의미 없음.
VPN 클라이언트를 설정 패키지를 재설치 해보기.