Microsoft Azure Administrator Associate Practice Test (AZ-104)

AzCopy is a command-line utility designed for high-performance data transfers to and from Azure Storage. It efficiently utilizes available network bandwidth, supports resuming interrupted transfers, and can be scripted for automation purposes. Azure Storage Explorer is a graphical tool suitable for smaller or manual data transfers but may not perform as well with very large datasets or provide the same level of automation. The Azure portal is not practical for uploading such a large amount of data and lacks automation capabilities. FTP (File Transfer Protocol) is not natively supported by Azure Blob Storage, and using it would require additional configurations without offering the performance benefits of AzCopy.

Shared Access Signatures (SAS) enable you to grant limited-time access to your storage resources without exposing your storage account key. SAS tokens can be configured with specific permissions and timeframes. Azure Active Directory (Azure AD) authentication provides identity-based access control but does not create temporary access tokens for storage. Secure Transfer Required enforces the use of HTTPS for data transfers but does not manage access. Network Security Groups control network traffic but do not grant access to storage resources.

An outbound rule in a network security group (NSG) blocking internet traffic is the most likely cause. NSGs control outbound as well as inbound traffic for Azure resources. If a custom outbound deny rule with a higher priority overrides the default AllowInternetOutBound rule, the VM loses internet connectivity while retaining access to resources inside the virtual network. Host-level firewalls could block traffic but would generally affect both internal and external destinations unless specifically scoped. A public IP address is not required for outbound access because Azure provides default outbound connectivity through source NAT unless it has been disabled. A gateway subnet is only required for VPN gateways, not for ordinary internet egress.

The Backup schedule (sometimes shown as Schedule settings) controls the frequency of protection jobs. Here you choose whether backups run hourly, daily, or weekly and specify the start time. Retention settings control how long completed recovery points are kept, storage replication settings define the redundancy (LRS, ZRS, GRS) for stored data, and encryption settings determine how the data is protected at rest.

By utilizing a CSV file to import updated user information, administrators can perform bulk updates efficiently in Azure AD. This method allows updating multiple user properties at once, such as department information, without the need to edit each user individually. Deploying an Azure Resource Manager template is used for provisioning Azure resources, not for updating user account attributes. Installing applications on user devices does not change Azure AD user properties. Azure Monitor is intended for monitoring and alerting on Azure resources and does not facilitate bulk user updates.

To receive automatic email notifications based on a metric threshold, the administrator should set up an Alert Rule with an Action Group in Azure Monitor. The Alert Rule monitors specific metrics, and the Action Group specifies the notification details, such as sending an email. Configuring a Log Search in Azure Monitor Logs allows querying log data but does not provide automatic notifications. Creating a Dashboard visualizes metrics but does not send alerts. Implementing Autoscaling adjusts resources based on usage but does not notify administrators.

A Premium tier Azure file share in a FileStorage account is the best fit. Premium Azure Files offers SSD-backed storage that delivers up to 100 000 IOPS and 10 GiB/s throughput with ~2-3 ms latency. Within the same FileStorage account you can create separate shares-one configured for SMB and another for NFS 4.1-giving both Windows and Linux clients the protocol they need. Azure NetApp Files provides sub-millisecond latency but tops out at 4.5 GiB/s per standard volume, so its extra cost and quota overhead aren't justified here. Azure Blob Storage and Azure Data Lake Storage Gen2 are object stores: they lack SMB support and aren't designed for low-latency file access.

To store backups for an Azure virtual machine, you must create a Recovery Services vault. A Recovery Services vault is a storage entity in Azure that houses backup data for resources like IaaS virtual machines, SQL Server in Azure VMs, and Azure Files shares. While a "Backup vault" is also an Azure resource, it is used for different workloads, such as Azure Database for PostgreSQL servers, Azure Blobs, and Azure Disks. A Storage account is used for general-purpose data storage but is not the specific resource type that integrates with Azure Backup for VM protection. "Recovery Storage vault" is not a valid Azure resource name.

To set up regular backups for an App Service, you should enable the built-in backup feature available in the App Service settings. This feature is accessible when using the Standard tier or higher. By enabling backups, you can configure a storage account where the backups will be stored. Downgrading to the Basic tier is not appropriate because the Basic tier does not support the backup feature. Configuring Azure Site Recovery is intended for virtual machines and physical servers, not for App Services. Similarly, using Azure Backup with a Recovery Services vault is designed for virtual machines and does not apply to App Services.

Configure the virtual network to use the IP addresses of your existing contoso.com DNS servers. After the VMs renew their DHCP leases, they will forward all DNS queries to those servers-allowing resolution of contoso.com records while the same servers can forward other requests to public resolvers for internet names. Azure-provided DNS resolves only Azure internal hostnames, an Azure Private DNS zone would require you to recreate and manage all records in Azure, and deploying an extra DNS server in Azure contradicts the requirement to avoid new servers.

The administrator should verify that the health probes are configured properly and that the backend VMs are responding to them. Azure Load Balancer uses health probes to determine which backend instances are healthy and able to receive traffic. If the health probes are misconfigured or the VMs are not responding correctly (e.g., because the web server service is not running), the load balancer will not send traffic to them. Checking the health probe configuration and VM responsiveness is the first step in troubleshooting this issue.

Checking if Azure Firewall is blocking traffic may not be relevant if there is no firewall configured, or if the issue is with the health probes rather than network policies. Ensuring that the load balancer's SKU matches that of the backend VMs is not relevant, as load balancer SKU does not need to match VM SKU. Increasing the instance count of the load balancer is unnecessary and will not resolve a connectivity issue; it is used for scaling purposes.

Integrating the storage account with Azure Active Directory (Azure AD) allows the company to assign permissions to users through role-based access control (RBAC) without sharing access keys. This enhances security by managing permissions centrally and reduces the risk associated with key distribution. Using Shared Access Signatures involves generating tokens that could be misused if shared improperly. Distributing access keys compromises the security of the entire storage account, and connection strings do not provide a method for assigning user-specific permissions.

Azure App Service backups are stored in an Azure Blob Storage account. This storage account provides the necessary capacity and accessibility for the backup files. Other options like local storage or databases are not suitable for storing App Service backups.

You can generate a reusable Azure Resource Manager (ARM) template from the deployment in the Azure portal. This template captures the configuration of all resources within the resource group, allowing you to redeploy them consistently. Azure Backup does not provide a template for redeployment; it is used for data backup and recovery. Diagnostic logs record activity but do not create templates for deployments. Azure Resource Explorer lets you view resource details but does not generate deployment templates.

By implementing automation to adjust the number of container instances based on demand, you can dynamically scale your application in Azure Container Instances to handle varying workloads efficiently. This approach allows you to add or remove container instances as needed, optimizing resource usage and costs. Azure Container Instances do not support native auto-scaling features, so enabling auto-scaling in settings is not possible. Simply increasing CPU and memory allocation does not address fluctuating demand and may result in unnecessary costs during low-demand periods. Migrating the application to a virtual machine with higher specifications does not provide dynamic scaling and may increase management overhead.

Configuring virtual network peering between VNetA and VNetB enables direct connectivity between resources in both virtual networks, with the lowest possible latency and without the need for additional gateways. Peering allows the virtual networks to appear as one for connectivity purposes.

Setting up a site-to-site VPN connection involves deploying VPN gateways in each virtual network, which introduces additional latency and cost. An Azure Load Balancer is used for distributing incoming traffic to resources within a single virtual network, not for connecting two virtual networks. Assigning public addresses for communication is not recommended due to security risks and does not enable direct private communication between resources.

A stored access policy allows you to centrally manage constraints for multiple access tokens. By associating access tokens with a stored access policy, you can modify or revoke the permissions or expiration dates of all associated tokens by updating or deleting the policy. This provides a flexible and efficient way to manage access without needing to individually update each token.

If outbound traffic is being routed correctly but the virtual machine still cannot reach the internet, a likely cause is that a Network Security Group (NSG) associated with the NIC or subnet is blocking egress traffic. Examine the effective NSG rules and make sure no higher-priority deny rule is overriding the default AllowInternetOutbound (or other required) rule. Being in an availability set has no impact on network connectivity. Assigning a public IP address or restarting the VM will not resolve connectivity that is explicitly blocked by NSG rules (although a public IP or NAT Gateway is required for outbound access on VMs created after 30 September 2025 if no other explicit method exists).

Importing the CSV file into Microsoft Graph PowerShell and piping the rows to Update-MgUser (or another Graph cmdlet) lets you modify any supported user attribute-such as Department-for hundreds of users in one scripted job. The portal can only edit 60 users at a time and offers no CSV-based update option for users. Self-service group management and Azure Functions are unrelated to changing user profile properties at scale.

Geo-redundant storage (GRS) replicates your data synchronously three times within the primary region and asynchronously to a secondary region, providing protection against regional outages. Since read access to the secondary region is not required and cost minimization is a priority, GRS is the appropriate choice. Read-access geo-redundant storage (RA-GRS) also replicates data to a secondary region but allows read access, which adds to the cost. Locally redundant storage (LRS) and zone-redundant storage (ZRS) do not replicate data to a secondary region and thus do not protect against regional outages.