Microsoft Azure Administrator Associate Practice Test (AZ-104)

The administrator should verify that the health probes are configured properly and that the backend VMs are responding to them. Azure Load Balancer uses health probes to determine which backend instances are healthy and able to receive traffic. If the health probes are misconfigured or the VMs are not responding correctly (e.g., because the web server service is not running), the load balancer will not send traffic to them. Checking the health probe configuration and VM responsiveness is the first step in troubleshooting this issue.

Checking if Azure Firewall is blocking traffic may not be relevant if there is no firewall configured, or if the issue is with the health probes rather than network policies. Ensuring that the load balancer's SKU matches that of the backend VMs is not relevant, as load balancer SKU does not need to match VM SKU. Increasing the instance count of the load balancer is unnecessary and will not resolve a connectivity issue; it is used for scaling purposes.

Inviting external consultants as guest users through Azure Entra ID B2B collaboration allows you to manage external access securely. This method lets you invite external users using their own credentials from their organization, while applying your organization's policies and monitoring their access. Creating new internal accounts for them is less secure and harder to manage. Sharing internal user credentials is a security risk and against best practices. Enabling anonymous access compromises security and is not suitable for sensitive applications.

AzCopy is a command-line utility optimized for high-performance data transfer to and from Azure Storage. It allows for scripting and automation of bulk data transfers, making it ideal for the task. Azure Storage Explorer provides a graphical interface, which is less suitable for automation and handling large-scale transfers. The Azure Portal is not designed for automating bulk uploads, and Azure Data Box is a physical appliance for large offline data migrations, not suitable for this scenario.

To enable replication of Azure virtual machines to a secondary region using Azure Site Recovery, you must first create a Recovery Services vault. This vault holds the configuration and management settings for site recovery and orchestrates the replication process. The other options—Azure Container Registry, Traffic Manager profile, and Network Security Group—do not facilitate VM replication for disaster recovery.

To set up regular backups for an App Service, you should enable the built-in backup feature available in the App Service settings. This feature is accessible when using the Standard tier or higher. By enabling backups, you can configure a storage account where the backups will be stored. Downgrading to the Basic tier is not appropriate because the Basic tier does not support the backup feature. Configuring Azure Site Recovery is intended for virtual machines and physical servers, not for App Services. Similarly, using Azure Backup with a Recovery Services vault is designed for virtual machines and does not apply to App Services.

To update the Kubernetes version of an existing AKS cluster, you should use the Azure CLI command to perform an in-place upgrade of the cluster. This command handles the upgrade process, ensuring that all cluster components are properly updated. Manually updating Kubernetes components is not supported in Azure Kubernetes Service (AKS). Creating a new cluster and migrating applications is unnecessary when an in-place upgrade is available. Modifying cluster configuration files does not initiate an upgrade process in AKS.

Application Security Groups allow you to group virtual machines based on their function and apply network security rules to the group. This eliminates the need to specify IP addresses when assigning policies. Network Security Groups control traffic but are applied to individual resources or subnets, not groups of virtual machines serving the same role. Azure Firewall provides centralized network protection but doesn't group virtual machines based on function. Network Interfaces connect virtual machines to a network but don't facilitate grouping for security policies.

Enabling Self-Service Password Reset allows users to reset their own passwords without administrator intervention, fulfilling the organization's requirement. Password writeback enables password changes in Azure Entra ID to be written back to on-premises AD but does not provide self-service capabilities. Multi-Factor Authentication enhances security by requiring additional verification methods but does not directly enable users to reset forgotten passwords. Conditional Access policies control user access to resources based on conditions but do not address password reset needs.

To enable advanced networking features like assigning static IP addresses to pods and implementing network policies, you should use the Azure Container Networking Interface (CNI) networking model. Azure CNI integrates with Azure Virtual Networks, allowing pods to receive IP addresses directly from the virtual network subnet, facilitating advanced networking scenarios.

The kubenet networking model provides basic networking where pods receive NAT-ed IP addresses and doesn't support assigning static IPs to pods or advanced network policies. Using the default network configuration or configuring network security groups (NSGs) alone won't fulfill the requirements for pod-level IP assignments and advanced networking features in AKS.

Creating a custom backup policy with multiple retention ranges for daily, weekly, monthly, and yearly backups allows the organization to meet their complex retention requirements within a single policy. This approach minimizes administrative overhead by automating backups and retention without the need to manage multiple policies. Using the default backup policy would not meet the specific retention needs. Configuring separate backup policies increases administrative effort, contrary to the requirement of minimal overhead. Azure Site Recovery is designed for disaster recovery, not for meeting specific backup retention policies.

Configuring Azure Entra ID authentication allows users to access the storage account using their corporate credentials, leveraging their existing identities without sharing access keys or tokens. This method enhances security and simplifies user management. Sharing account keys or SAS tokens involves managing and securing secrets, which can be less secure and harder to manage. Enabling anonymous access would not require credentials and is not secure.

Azure Resource Locks allow you to set lock levels, such as ReadOnly or CanNotDelete, on resources to prevent accidental modification or deletion. By applying a lock, even users with the necessary permissions are prevented from performing restricted actions unless the lock is removed.

Administrative Units in Azure Entra ID allow you to delegate administrative permissions to specific subsets of users or groups within your organization, such as by department or region. By using Administrative Units, you can assign administrators to manage only the users and groups within a particular Administrative Unit, without giving them broader access to other resources in Azure Entra ID. Other features like Azure Entra ID Privileged Identity Management, Management Groups, and Role-Based Access Control (RBAC) do not provide the necessary scope limitation at the department level within Azure AD user and group management.

Using the Custom Script Extension is the best method to automate software installation and configuration on an Azure virtual machine without direct connection. This extension runs scripts on the VM remotely, allowing administrators to perform tasks efficiently. Connecting via Remote Desktop Protocol (RDP) is not feasible when direct connection is not possible. While Azure Automation runbooks can automate tasks, they are typically used for orchestrating processes across multiple resources and may be more complex for this specific need. Creating a snapshot and replacing the VM is impractical and time-consuming for simply installing software.

By enabling autoscaling with custom scaling rules on the VM scale set, you can dynamically adjust the number of virtual machines based on metrics like CPU utilization, ensuring resources match the demand. Manual scaling with a fixed instance count would not adjust the number of instances automatically. Scheduled scaling changes the number of instances at predefined times, not based on current demand. Azure Traffic Manager distributes network traffic across regions but does not adjust the scale of virtual machines.