Microsoft Azure Administrator Associate Practice Test (AZ-104)

To automatically register Windows 10 devices in Azure Entra ID when users sign in with their corporate credentials, you should configure Azure AD Join. Azure AD Join allows devices to be joined directly to Azure AD, enabling centralized management and access to resources. This is suitable for corporate-owned devices and simplifies the sign-in experience for users. Azure AD registered devices are typically used for personally owned devices (BYOD) and do not provide the same level of management. Windows Hello for Business is a sign-in method that enhances authentication security but does not handle device registration. Hybrid Azure AD Join is intended for devices joined to an on-premises Active Directory domain that are also registered with Azure AD; since there is no mention of on-premises Active Directory in this scenario, Azure AD Join is the appropriate choice.

Azure App Service backups are stored in an Azure Blob Storage account. This storage account provides the necessary capacity and accessibility for the backup files. Other options like local storage or databases are not suitable for storing App Service backups.

To allow internet users to access VM1 over port 80 without assigning a public address directly to the VM, you should set up an Azure Load Balancer with a public frontend. The load balancer forwards incoming traffic on port 80 to VM1's private address, complying with the security policy. Assigning a public address to a subnet is not possible and does not enable inbound traffic to the VM. A NAT gateway provides outbound connectivity for VMs without public addresses but does not support inbound connections. Azure Traffic Manager is used for DNS-based traffic load balancing across multiple endpoints and does not facilitate direct inbound access to a single VM.

To update a user's name and email address while preserving their access and group memberships, you should edit the user's properties directly in Azure Entra ID. This allows you to change the display name, username (User Principal Name), and email address without affecting the user's object ID, which maintains all associated permissions and memberships. Deleting and recreating the user account would result in loss of access to resources and require reassigning permissions. Similarly, removing the user from groups and creating a new account complicates the process unnecessarily. Using Azure AD Connect is only relevant if syncing from an on-premises Active Directory, which is not specified in this scenario.

Enabling Secure Transfer Required ensures that all requests to the storage account are made over secure connections using HTTPS. This helps protect data by encrypting it during transit between the client and the storage account. Other options like enabling Soft Delete or configuring Shared Access Signature (SAS) tokens pertain to data protection and access management but do not enforce encryption for data in transit.

To have control over the encryption keys used for data at rest in Azure Storage, you need to use customer-managed keys stored in Azure Key Vault. This allows the organization to manage the encryption keys, including key rotation and revocation, providing greater control over data security. Using Microsoft-managed keys does not provide this level of control, as the keys are managed by Azure. Disabling storage encryption is not advisable and would not meet the security requirements. Implementing Advanced Threat Protection enhances security but does not affect encryption key management.

Creating separate subscriptions for each department ensures that each receives individual invoices and billing statements. Each subscription is billed independently, allowing the company to track and manage costs per department effectively. While resource groups and tags help organize resources, they do not provide separate billing. Azure Cost Management offers cost analysis but does not separate invoices for departments.

To replicate Azure virtual machines to another region using Azure Site Recovery, you must first create a Recovery Services vault. The Recovery Services vault stores configuration and replication information and orchestrates the replication process. An Azure Storage account is not required because Site Recovery uses managed disks for VM replication. A Load Balancer distributes network traffic and is not involved in replication. A Network Security Group controls network traffic but does not facilitate replication or disaster recovery.

To assign licenses to users via a group in Azure Entra ID, you should create a Security group. Security groups are used to manage member and computer access to shared resources for a group of users, including license assignments. Office 365 groups are primarily for collaboration and include shared resources like mailboxes and calendars but are not ideal for license assignments. Distribution lists are used for email distribution and cannot be used to assign licenses. Administrative units are scopes for delegating administrative permissions and do not function as groups for license assignments.

Azure Network Watcher Packet Capture allows you to collect network packets to and from virtual machines, providing detailed network data for troubleshooting connectivity issues. By using Packet Capture, you can gather the necessary low-level data between VM1 and VM2 to diagnose the problem. Azure Monitor Logs collects and analyzes log data but does not capture network packets. Azure Traffic Analytics provides insights into network traffic flow patterns, not packet-level data. Azure Network Security Group controls network traffic but does not provide tools for capturing network packets.

Assigning the 'Storage Blob Data Reader' role to the users at the storage account level enables them to authenticate using their Azure Active Directory (Azure AD) credentials and grants them read access to the data. Distributing a Shared Access Signature (SAS) token or access keys involves sharing sensitive secrets and does not leverage Azure AD authentication. Enabling public access would expose the data to unauthorized users, compromising security.

This statement is false. An unplanned failover in Azure Site Recovery is performed when the primary site is offline or has experienced a failure. Since the primary site is unavailable, the failover is initiated from the recovery site without requiring the primary site to be online. Unplanned failover assumes that the primary site cannot participate in the failover process.

Enabling Application Insights for the web apps and configuring an alert based on the page load time meets the requirements. Application Insights provides in-depth monitoring of web applications, including performance metrics like page load times. It is cost-effective and requires minimal maintenance compared to custom solutions or third-party tools. Azure Monitor metrics and alerts based on CPU utilization do not address the specific need to monitor page load times. Deploying a Function App or installing third-party tools would require more effort to develop and maintain, making them less suitable.

You should deploy an Azure Bastion host in the virtual network. Azure Bastion provides secure remote connectivity to all VMs within the virtual network over SSL using the Azure portal. It allows administrators to access the VMs through the Azure portal without exposing the VMs to the public internet or requiring a VPN connection. This ensures that your VMs remain private while still allowing necessary remote management.

Option A is incorrect because setting up a site-to-site connection involves configuring VPN connections, which adds complexity and requires additional infrastructure. Option C is not recommended because assigning public addresses to the VMs exposes them to the internet, increasing security risks, even if Network Security Groups (NSGs) are used to restrict access. Option D is incorrect because Azure Firewall is designed for filtering and controlling network traffic, but it does not facilitate remote connectivity solutions for managing VMs.

Applying a Delete lock at the resource group level will prevent the deletion of the resource group and its contained resources while still allowing modifications. This ensures that the finance team can continue to modify resources without the risk of accidentally deleting them. A ReadOnly lock would prevent both deletion and modification, which does not meet the requirement. Changing permissions to read-only would restrict the finance team's ability to modify resources.